# p2s: p0f to Snort rule conversion utility
# (c) Copyright 2004, Stephen D. Reed
#
# Options used to generate this file:
#   Input Type:    [SYN]
#   Initial Sid:   [200000]
#   Revision:      [1]
#   Source Net:    [$HOME_NET]
#   Dest Net:      [any]
#   Generic Rules: [included]
#
# Purpose: passive OS fingerprinting of hosts inside $HOME_NET. Every rule
# uses the `log` action (the packet is recorded, no alert is raised) and
# matches a TCP SYN (flags:S) sent from $HOME_NET to any destination whose
# header fields equal one p0f SYN signature; msg carries that signature's
# OS / stack label. One rule per line below.
#
# How to read a hit: these are header-field heuristics. The label is a best
# guess at the sending stack, and a host can emit any of these field
# combinations deliberately, so treat a match as an asset-inventory hint,
# not as proof of the operating system.
#
# Overlap: the TTL is only bounded from above (ttl:<=N), so rules whose other
# fields agree overlap. Example from this file: a SYN that satisfies
# sid 200077 (ttl:<=32) also satisfies sid 200106 (ttl:<=128). Rules with
# ttl:<=255 place no effective limit on the TTL.
#
# NOTE(review): sids start at 200001. Snort's documented convention keeps
# sids below 1,000,000 for rules distributed with Snort and puts local rules
# at 1,000,000 and above; check the sensor's loaded rule sets for collisions
# or regenerate with a higher Initial Sid.
#
# NOTE(review): classtype:os-fingerprint does not appear to be one of the
# classtypes in Snort's stock classification.config; presumably it has to be
# declared with a `config classification:` line before this file is
# included. Confirm on the sensor.
#
# NOTE(review): length, tcpopts and quirks, the window values written S<n>,
# T<n> and %<n>, and ack:!=0 look like p0f signature notation carried into
# rule options rather than stock Snort syntax; presumably the sensor needs
# the rule-option support that accompanies p2s. Confirm the file loads (for
# example with Snort's -T self-test) before relying on it.

# --- AIX ---
log tcp $HOME_NET any -> any any ( msg:"AIX-4.3"; length:44; fragbits:!D; ttl:<=64; flags:S; window:45046; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200001; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"AIX-4.3.2 and earlier"; length:44; fragbits:!D; ttl:<=64; flags:S; window:16384; tcpopts:mss=512; classtype:os-fingerprint; priority:4; sid:200002; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"AIX-4.3.3-5.2 (1)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:16384; tcpopts:mss=512,nop,ws%2,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200003; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"AIX-4.3.3-5.2 (2)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:32768; tcpopts:mss=512,nop,ws%2,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200004; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"AIX-4.3.3-5.2 (3)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:65535; tcpopts:mss=512,nop,ws%2,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200005; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"AIX-5.3 ML1"; length:64; fragbits:!D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=1,nop,nop,time,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200006; rev:1; )

# --- Linux ---
log tcp $HOME_NET any -> any any ( msg:"Linux-2.0.3x (1)"; length:44; fragbits:!D; ttl:<=64; flags:S; window:512; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200007; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Linux-2.0.3x (2)"; length:44; fragbits:!D; ttl:<=64; flags:S; window:16384; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200008; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Linux-2.0.3x (MkLinux) on Mac (1)"; length:44; fragbits:!D; ttl:<=64; flags:S; window:2; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200009; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Linux-2.0.3x (MkLinux) on Mac (2)"; length:44; fragbits:!D; ttl:<=64; flags:S; window:64; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200010; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 (Google crawlbot)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:mss=1360,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200011; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 (big boy)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S2; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200012; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Linux-2.4.18 and newer"; length:60; fragbits:D; ttl:<=64; flags:S; window:S3; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200013; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Linux-2.4/2.6"; length:60; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200014; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Linux-2.5 (sometimes 2.4) (1)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S3; tcpopts:mss,sack,time,nop,ws=1; classtype:os-fingerprint; priority:4; sid:200015; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Linux-2.5/2.6 (sometimes 2.4) (2)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:mss,sack,time,nop,ws=1; classtype:os-fingerprint; priority:4; sid:200016; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Linux-2.2.20 and newer"; length:60; fragbits:D; ttl:<=64; flags:S; window:S20; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200017; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Linux-2.2 (1)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S22; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200018; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Linux-2.2 (2)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S11; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200019; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 in cluster"; length:48; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:mss=1460,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200020; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 (late, uncommon)"; length:60; fragbits:D; ttl:<=64; flags:S; window:T4; tcpopts:mss=1412,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200021; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 (local)"; length:60; fragbits:D; ttl:<=64; flags:S; window:32767; tcpopts:mss=16396,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200022; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Linux-2.2 (local)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S8; tcpopts:mss=3884,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200023; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Linux-2.2 (Opera?) (User Stack/Scanner)"; length:60; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200024; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 (Opera?) (User Stack/Scanner)"; length:60; fragbits:D; ttl:<=64; flags:S; window:32767; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200025; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 w/o timestamps"; length:52; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:mss,nop,nop,sack,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200026; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Linux-2.2 w/o timestamps"; length:52; fragbits:D; ttl:<=64; flags:S; window:S22; tcpopts:mss,nop,nop,sack,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200027; rev:1; )

# --- FreeBSD / NetBSD / OpenBSD ---
# The FreeBSD-5.1-current rules additionally require an IP ID of zero (id:0).
log tcp $HOME_NET any -> any any ( msg:"FreeBSD-2.0-4.1"; length:44; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200028; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.4 (1)"; length:60; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200029; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.4 (2)"; length:60; fragbits:D; ttl:<=64; flags:S; window:1024; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200030; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.6-4.8 (no RFC1323)"; length:44; fragbits:D; ttl:<=64; flags:S; window:57344; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200031; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.6-4.8"; length:60; fragbits:D; ttl:<=64; flags:S; window:57344; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200032; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.8-5.1 (or MacOS X 10.2-10.3)"; length:60; fragbits:D; ttl:<=64; flags:S; window:32768; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200033; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.7-5.1 (or MacOS X 10.2-10.3) (1)"; length:60; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200034; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.7-5.1 (or MacOS X 10.2-10.3) (2)"; length:60; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=1,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200035; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"FreeBSD-5.1-current (1)"; length:60; id:0; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200036; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"FreeBSD-5.1-current (2)"; length:60; id:0; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=1,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200037; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"FreeBSD-5.1-current (3)"; length:60; id:0; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=2,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200038; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"NetBSD-1.3"; length:60; fragbits:!D; ttl:<=64; flags:S; window:16384; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200039; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"NetBSD-1.6 (Opera) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=0,nop,nop,time=0; classtype:os-fingerprint; priority:4; sid:200040; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"NetBSD-1.6"; length:60; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss,nop,ws=0,nop,nop,time=0; classtype:os-fingerprint; priority:4; sid:200041; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"NetBSD-1.6W-current (DF)"; length:60; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=1,nop,nop,time=0; classtype:os-fingerprint; priority:4; sid:200042; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"NetBSD-1.6X (DF)"; length:60; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=0,nop,nop,time=0; classtype:os-fingerprint; priority:4; sid:200043; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"OpenBSD-3.0-3.4"; length:64; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss,nop,nop,sack,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200044; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"OpenBSD-3.3-3.4"; length:64; fragbits:D; ttl:<=64; flags:S; window:57344; tcpopts:mss,nop,nop,sack,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200045; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"OpenBSD-3.0-3.4 (scrub)"; length:64; fragbits:!D; ttl:<=64; flags:S; window:16384; tcpopts:mss,nop,nop,sack,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200046; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"OpenBSD-3.0-3.4 (Opera) (User Stack/Scanner)"; length:64; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,nop,sack,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200047; rev:1; )

# --- Solaris / SunOS ---
log tcp $HOME_NET any -> any any ( msg:"Solaris-8 (RFC1323 on)"; length:64; fragbits:D; ttl:<=64; flags:S; window:S17; tcpopts:nop,ws=3,nop,nop,time=0,nop,nop,sack,mss; classtype:os-fingerprint; priority:4; sid:200048; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Solaris-8 (1)"; length:48; fragbits:D; ttl:<=64; flags:S; window:S17; tcpopts:nop,nop,sack,mss; classtype:os-fingerprint; priority:4; sid:200049; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Solaris-2.5 to 7"; length:44; fragbits:D; ttl:<=255; flags:S; window:S17; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200050; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Solaris-2.6/7"; length:44; fragbits:D; ttl:<=255; flags:S; window:S6; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200051; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Solaris-8 (2)"; length:48; fragbits:D; ttl:<=64; flags:S; window:S23; tcpopts:nop,nop,sack,mss; classtype:os-fingerprint; priority:4; sid:200052; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Solaris-9"; length:48; fragbits:D; ttl:<=64; flags:S; window:S34; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200053; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Solaris-7"; length:44; fragbits:D; ttl:<=255; flags:S; window:S44; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200054; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"SunOS-4.1.x"; length:44; fragbits:!D; ttl:<=64; flags:S; window:4096; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200055; rev:1; )

# --- IRIX / Tru64 / OpenVMS ---
log tcp $HOME_NET any -> any any ( msg:"IRIX-6.4"; length:44; fragbits:!D; ttl:<=60; flags:S; window:49152; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200056; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"IRIX-6.2-6.5"; length:44; fragbits:!D; ttl:<=60; flags:S; window:61440; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200057; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"IRIX-6.5 (RFC1323) (1)"; length:52; fragbits:!D; ttl:<=60; flags:S; window:49152; tcpopts:mss,nop,ws=2,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200058; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"IRIX-6.5 (RFC1323) (2)"; length:52; fragbits:!D; ttl:<=60; flags:S; window:49152; tcpopts:mss,nop,ws=3,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200059; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"IRIX-6.5.12-6.5.21 (1)"; length:48; fragbits:!D; ttl:<=60; flags:S; window:61440; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200060; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"IRIX-6.5.12-6.5.21 (2)"; length:48; fragbits:!D; ttl:<=60; flags:S; window:49152; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200061; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Tru64-4.0 (or OS/2 Warp 4)"; length:48; fragbits:D; ttl:<=60; flags:S; window:32768; tcpopts:mss,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200062; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Tru64-5.0 (or OpenVMS 7.x on Compaq 5.0 stack)"; length:48; fragbits:!D; ttl:<=60; flags:S; window:32768; tcpopts:mss,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200063; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Tru64-5.1 (no RFC1323) (or QNX 6)"; length:44; fragbits:!D; ttl:<=60; flags:S; window:8192; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200064; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Tru64-v5.1a JP4 (or OpenVMS 7.x on Compaq 5.x stack)"; length:48; fragbits:!D; ttl:<=60; flags:S; window:61440; tcpopts:mss,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200065; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"OpenVMS-7.2 (Multinet 4.3-4.4 stack)"; length:60; fragbits:D; ttl:<=64; flags:S; window:6144; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200066; rev:1; )

# --- MacOS ---
log tcp $HOME_NET any -> any any ( msg:"MacOS-8.6 classic"; length:48; fragbits:D; ttl:<=255; flags:S; window:S2; tcpopts:mss,ws=0,eol; classtype:os-fingerprint; priority:4; sid:200067; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"MacOS-7.3-8.6 (OTTCP)"; length:48; fragbits:D; ttl:<=255; flags:S; window:16616; tcpopts:mss,ws=0,eol; classtype:os-fingerprint; priority:4; sid:200068; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"MacOS-8.1-8.6 (OTTCP)"; length:48; fragbits:D; ttl:<=255; flags:S; window:16616; tcpopts:mss,nop,nop,nop,eol; classtype:os-fingerprint; priority:4; sid:200069; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"MacOS-9.0-9.2"; length:48; fragbits:D; ttl:<=255; flags:S; window:32768; tcpopts:mss,ws=0,nop; classtype:os-fingerprint; priority:4; sid:200070; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"MacOS-9.1 (1) (OT 2.7.4)"; length:48; fragbits:D; ttl:<=255; flags:S; window:32768; tcpopts:mss=1380,nop,nop,nop,nop; classtype:os-fingerprint; priority:4; sid:200071; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"MacOS-9.1 (2) (OT 2.7.4)"; length:48; fragbits:D; ttl:<=255; flags:S; window:65535; tcpopts:mss,nop,nop,nop,nop; classtype:os-fingerprint; priority:4; sid:200072; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"MacOS-X"; length:60; fragbits:!D; ttl:<=64; flags:S; window:32768; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200073; rev:1; )

# --- Windows ---
log tcp $HOME_NET any -> any any ( msg:"Windows-3.11 (Tucows)"; length:44; fragbits:D; ttl:<=32; flags:S; window:8192; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200074; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-95"; length:64; fragbits:D; ttl:<=64; flags:S; window:S44; tcpopts:mss,nop,ws=0,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200075; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-95b"; length:64; fragbits:D; ttl:<=128; flags:S; window:8192; tcpopts:mss,nop,ws=0,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200076; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-98 (low TTL) (1)"; length:48; fragbits:D; ttl:<=32; flags:S; window:S44; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200077; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-98 (low TTL) (2)"; length:48; fragbits:D; ttl:<=32; flags:S; window:8192; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200078; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-98 (13)"; length:48; fragbits:D; ttl:<=64; flags:S; window:%8192; tcpopts:mss=536,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200079; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-98 (15)"; length:48; fragbits:D; ttl:<=128; flags:S; window:%8192; tcpopts:mss=536,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200080; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-98 (1)"; length:48; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200081; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-98 (2)"; length:48; fragbits:D; ttl:<=64; flags:S; window:S6; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200082; rev:1; )
# NOTE(review): the msg of sid 200083 is missing its closing ")"; left exactly as generated.
log tcp $HOME_NET any -> any any ( msg:"Windows-98 (3"; length:48; fragbits:D; ttl:<=64; flags:S; window:S12; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200083; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-98 (16)"; length:64; fragbits:D; ttl:<=64; flags:S; window:T30; tcpopts:mss=1460,nop,ws=0,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200084; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-98 (4)"; length:48; fragbits:D; ttl:<=64; flags:S; window:32767; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200085; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-98 (5)"; length:48; fragbits:D; ttl:<=64; flags:S; window:37300; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200086; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-98 (RFC1323)"; length:52; fragbits:D; ttl:<=64; flags:S; window:46080; tcpopts:mss,nop,ws=3,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200087; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-98 (no sack)"; length:44; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200088; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-98 (6)"; length:48; fragbits:D; ttl:<=128; flags:S; window:S16; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200089; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-98 (7)"; length:64; fragbits:D; ttl:<=128; flags:S; window:S16; tcpopts:mss,nop,ws=0,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200090; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-98 (8)"; length:48; fragbits:D; ttl:<=128; flags:S; window:S26; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200091; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-98 (9)"; length:48; fragbits:D; ttl:<=128; flags:S; window:T30; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200092; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-98 (10)"; length:52; fragbits:D; ttl:<=128; flags:S; window:32767; tcpopts:mss,nop,ws=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200093; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-98 (11)"; length:48; fragbits:D; ttl:<=128; flags:S; window:60352; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200094; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-98 (12)"; length:64; fragbits:D; ttl:<=128; flags:S; window:60352; tcpopts:mss,nop,ws=2,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200095; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-NT 4.0 SP6a (1)"; length:44; fragbits:D; ttl:<=128; flags:S; window:T31; tcpopts:mss=1414; classtype:os-fingerprint; priority:4; sid:200096; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-NT 4.0 SP6a (2)"; length:44; fragbits:D; ttl:<=128; flags:S; window:64512; tcpopts:mss=1414; classtype:os-fingerprint; priority:4; sid:200097; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-NT 4.0 (older)"; length:44; fragbits:D; ttl:<=128; flags:S; window:8192; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200098; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-2000 SP4, XP SP1"; length:48; fragbits:D; ttl:<=128; flags:S; window:65535; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200099; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-2000 SP2+, XP SP1 (seldom 98 4.10.2222)"; length:48; fragbits:D; ttl:<=128; flags:S; window:%8192; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200100; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-SP3"; length:48; fragbits:D; ttl:<=128; flags:S; window:S20; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200101; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-2000 SP4, XP SP 1 (2)"; length:48; fragbits:D; ttl:<=128; flags:S; window:S45; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200102; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-2000 SP4"; length:48; fragbits:D; ttl:<=128; flags:S; window:40320; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200103; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-XP, 2000 SP2+"; length:48; fragbits:D; ttl:<=128; flags:S; window:S6; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200104; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-XP SP1 (1)"; length:48; fragbits:D; ttl:<=128; flags:S; window:S12; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200105; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-XP Pro SP1, 2000 SP3"; length:48; fragbits:D; ttl:<=128; flags:S; window:S44; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200106; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-XP SP1, 2000 SP3 (2)"; length:48; fragbits:D; ttl:<=128; flags:S; window:64512; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200107; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-XP SP1, 2000 SP4 (3)"; length:48; fragbits:D; ttl:<=128; flags:S; window:32767; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200108; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 via Cisco"; length:48; fragbits:D; ttl:<=128; flags:S; window:S52; tcpopts:mss=1260,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200109; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-XP bare-bone"; length:48; fragbits:D; ttl:<=128; flags:S; window:65520; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200110; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-2000 w/ZoneAlarm?"; length:52; fragbits:D; ttl:<=128; flags:S; window:16384; tcpopts:mss=536,nop,ws=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200111; rev:1; )
# sid 200112 has no tcpopts option; sid 200113 has no window option and adds quirks:nzup.
log tcp $HOME_NET any -> any any ( msg:"Windows-.NET Enterprise Server"; length:40; fragbits:!D; ttl:<=255; flags:S; window:2048; classtype:os-fingerprint; priority:4; sid:200112; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 while downloading (leak!) (User Stack/Scanner)"; length:48; fragbits:D; ttl:<=128; flags:S; tcpopts:mss,nop,nop,sack; quirks:nzup; classtype:os-fingerprint; priority:4; sid:200113; rev:1; )

# --- HP-UX, RISC OS and other less common systems ---
# The OS/390 and TOPS-20 rules (sid 200128, 200138) additionally require a
# non-zero acknowledgment field on the SYN (ack:!=0).
log tcp $HOME_NET any -> any any ( msg:"HP-UX-B.10.20 "; length:44; fragbits:D; ttl:<=64; flags:S; window:32768; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200114; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"HP-UX-11.00-11.11"; length:48; fragbits:D; ttl:<=64; flags:S; window:32768; tcpopts:mss,ws=0,nop; classtype:os-fingerprint; priority:4; sid:200115; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"HP-UX-B.11.00 A (RFC1323)"; length:48; fragbits:!D; ttl:<=64; flags:S; window:0; tcpopts:mss,ws=0,nop; classtype:os-fingerprint; priority:4; sid:200116; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"RISC OS-3.70-4.36 (inet 5.04)"; length:68; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss=1460,nop,ws=0,nop,nop,time,nop,nop,number=12; classtype:os-fingerprint; priority:4; sid:200117; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"RISC OS-3.70 inet 4.10"; length:44; fragbits:!D; ttl:<=32; flags:S; window:12288; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200118; rev:1; )
log tcp $HOME_NET any -> any any ( msg:".-RISC OS"; length:56; fragbits:D; ttl:<=64; flags:S; window:4096; tcpopts:mss=1460,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200119; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"BSD/OS-3.1-4.3 (or MacOS X 10.2)"; length:60; fragbits:D; ttl:<=64; flags:S; window:8192; tcpopts:mss=1460,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200120; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"NewtonOS-2.1"; length:44; fragbits:!D; ttl:<=64; flags:S; window:4096; tcpopts:mss=1420; classtype:os-fingerprint; priority:4; sid:200121; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"NeXTSTEP-3.3"; length:44; fragbits:!D; ttl:<=64; flags:S; window:S8; tcpopts:mss=512; classtype:os-fingerprint; priority:4; sid:200122; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"BeOS-5.0-5.1"; length:48; fragbits:!D; ttl:<=255; flags:S; window:1024; tcpopts:mss,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200123; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"BeOS-5.0.x"; length:44; fragbits:!D; ttl:<=255; flags:S; window:12288; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200124; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"OS/400-V4R4/R5"; length:60; fragbits:D; ttl:<=64; flags:S; window:8192; tcpopts:mss=1440,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200125; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"OS/400-V4R3/M0"; length:44; fragbits:!D; ttl:<=64; flags:S; window:8192; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200126; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"OS/400-V4R5 + CF67032"; length:60; fragbits:D; ttl:<=64; flags:S; window:4096; tcpopts:mss=1440,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200127; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"OS/390-?"; length:44; fragbits:!D; ttl:<=64; ack:!=0; flags:S; window:28672; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200128; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"ULTRIX-4.5"; length:40; fragbits:!D; ttl:<=64; flags:S; window:16384; classtype:os-fingerprint; priority:4; sid:200129; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"QNX-demodisk"; length:44; fragbits:!D; ttl:<=64; flags:S; window:S16; tcpopts:mss=512; classtype:os-fingerprint; priority:4; sid:200130; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Novell-NetWare 5.0"; length:44; fragbits:D; ttl:<=128; flags:S; window:16384; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200131; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Novell-IntranetWare 4.11"; length:44; fragbits:D; ttl:<=128; flags:S; window:6144; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200132; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Novell-Netware 6 SP3"; length:52; fragbits:D; ttl:<=128; flags:S; window:6144; tcpopts:mss,ws=0,nop,sack,nop,nop; classtype:os-fingerprint; priority:4; sid:200133; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"SCO-UnixWare 7.1"; length:60; fragbits:D; ttl:<=64; flags:S; window:S3; tcpopts:mss=1460,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200134; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"SCO-OpenServer 5.0"; length:44; fragbits:D; ttl:<=64; flags:S; window:S23; tcpopts:mss=1380; classtype:os-fingerprint; priority:4; sid:200135; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"DOS-Arachne via WATTCP/1.05"; length:44; fragbits:!D; ttl:<=255; flags:S; window:2048; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200136; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"OS/2-4"; length:44; fragbits:!D; ttl:<=64; flags:S; window:S56; tcpopts:mss=512; classtype:os-fingerprint; priority:4; sid:200137; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"TOPS-20-version 7"; length:44; fragbits:!D; ttl:<=64; ack:!=0; flags:S; window:0; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200138; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"AMIGA-3.9 BB2 with Miami stack"; length:56; fragbits:D; ttl:<=64; flags:S; window:S32; tcpopts:mss,nop,nop,sack,nop,nop,number=12; classtype:os-fingerprint; priority:4; sid:200139; rev:1; )

# --- Firewalls, routers, switches and caches ---
# The two rules labelled "(Generic)" (sid 200140, 200141) carry priority:5;
# every other rule shown here carries priority:4.
log tcp $HOME_NET any -> any any ( msg:"Checkpoint-(unknown 1) (Generic)"; length:44; fragbits:D; ttl:<=64; flags:S; window:S12; tcpopts:mss=1460; classtype:os-fingerprint; priority:5; sid:200140; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Checkpoint-(unknown 2) (Generic)"; length:48; fragbits:D; ttl:<=64; flags:S; window:S12; tcpopts:nop,nop,sack,mss=1460; classtype:os-fingerprint; priority:5; sid:200141; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"ExtremeWare-4.x"; length:44; fragbits:!D; ttl:<=32; flags:S; window:4096; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200142; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Clavister-firewall 7.x"; length:52; fragbits:!D; ttl:<=64; flags:S; window:60352; tcpopts:mss=1460,nop,ws=2,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200143; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Nokia-IPSO w/Checkpoint NG FP3"; length:68; fragbits:!D; ttl:<=64; flags:S; window:S32; tcpopts:mss=512,nop,ws=0,nop,nop,time,nop,nop,number=12; classtype:os-fingerprint; priority:4; sid:200144; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"FortiNet-FortiGate 50"; length:60; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:ws=0,nop,sack,time,mss=1460; classtype:os-fingerprint; priority:4; sid:200145; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Cisco-7200, Catalyst 3500, et"; length:44; id:0; fragbits:!D; ttl:<=255; flags:S; window:4128; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200146; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Cisco-12008"; length:44; fragbits:!D; ttl:<=255; flags:S; window:S8; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200147; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Alteon-ACEswitch"; length:64; fragbits:D; ttl:<=128; flags:S; window:60352; tcpopts:mss=1460,nop,ws=2,nop,nop,time,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200148; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Nortel-Contivity Client"; length:44; fragbits:D; ttl:<=128; flags:S; window:64512; tcpopts:mss=1370; classtype:os-fingerprint; priority:4; sid:200149; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"NetCache-5.2"; length:64; fragbits:D; ttl:<=64; flags:S; window:8192; tcpopts:mss=1460,nop,nop,sack,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200150; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"NetCache-5.3"; length:64; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss=1460,nop,nop,sack,nop,ws=0,nop; classtype:os-fingerprint; priority:4; sid:200151; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"NetCache-5.3-5.5"; length:64; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss=1460,nop,nop,sack,nop,ws,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200152; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"NetCache-4.1"; length:64; fragbits:D; ttl:<=64; flags:S; window:20480; tcpopts:mss=1460,nop,nop,sack,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200153; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"NetCache-Data OnTap 5.x"; length:64; fragbits:D; ttl:<=64; flags:S; window:32850; tcpopts:nop,ws=1,nop,nop,time,nop,nop,sack,mss; classtype:os-fingerprint; priority:4; sid:200154; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"CacheFlow-CacheOS ?"; length:60; fragbits:!D; ttl:<=64; flags:S; window:65535; tcpopts:mss=1460,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200155; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"CacheFlow-CacheOS 1.1"; length:60; fragbits:!D; ttl:<=64; flags:S; window:8192; tcpopts:mss=1380,nop,nop,nop,nop,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200156; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Cisco-Content Engine"; length:48; fragbits:!D; ttl:<=64; flags:S; window:S4; tcpopts:mss=1460,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200157; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Dell-PowerApp cache (Linux-based)"; length:40; fragbits:!D; ttl:<=128; flags:S; window:27085; classtype:os-fingerprint; priority:4; sid:200158; rev:1; )

# --- Crawlers, handhelds, consoles and embedded devices ---
log tcp $HOME_NET any -> any any ( msg:"Inktomi-crawler"; length:48; fragbits:D; ttl:<=255; flags:S; window:65535; tcpopts:nop,ws=1,mss=1460; classtype:os-fingerprint; priority:4; sid:200159; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"LookSmart-ZyBorg"; length:60; fragbits:D; ttl:<=255; flags:S; window:S1; tcpopts:mss=1460,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200160; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Proxyblocker-(what's this?)"; length:40; fragbits:!D; ttl:<=255; flags:S; window:16384; classtype:os-fingerprint; priority:4; sid:200161; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"PalmOS-Tungsten C"; length:44; fragbits:!D; ttl:<=255; flags:S; window:S9; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200162; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"PalmOS-3/4"; length:44; fragbits:!D; ttl:<=255; flags:S; window:S5; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200163; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"PalmOS-3.5"; length:44; fragbits:!D; ttl:<=255; flags:S; window:S4; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200164; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"PalmOS-3.5.3 (Handera)"; length:44; fragbits:!D; ttl:<=255; flags:S; window:2948; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200165; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"SymbianOS-7"; length:64; fragbits:D; ttl:<=64; flags:S; window:S23; tcpopts:nop,ws=1,nop,nop,time,nop,nop,sack,mss=1460; classtype:os-fingerprint; priority:4; sid:200166; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"SymbianOS-6048 (on Nokia 7650?)"; length:44; fragbits:!D; ttl:<=255; flags:S; window:8192; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200167; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"SymbianOS-(on Nokia 9210?)"; length:44; fragbits:!D; ttl:<=255; flags:S; window:8192; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200168; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Zaurus-3.10"; length:60; fragbits:D; ttl:<=64; flags:S; window:5840; tcpopts:mss=1452,sack,time,nop,ws=1; classtype:os-fingerprint; priority:4; sid:200169; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"PocketPC-2002"; length:64; fragbits:D; ttl:<=128; flags:S; window:32768; tcpopts:mss=1460,nop,ws=0,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200170; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Contiki-1.1-rc0"; length:44; fragbits:!D; ttl:<=255; flags:S; window:S1; tcpopts:mss=346; classtype:os-fingerprint; priority:4; sid:200171; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Sega-Dreamcast Dreamkey 3.0"; length:44; fragbits:!D; ttl:<=128; flags:S; window:4096; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200172; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Sega-Dreamcast HKT-3020 (browser disc 51027)"; length:44; fragbits:!D; ttl:<=64; flags:S; window:T5; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200173; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"Sony-Playstation 2 (SOCOM?)"; length:44; fragbits:D; ttl:<=64; flags:S; window:S22; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200174; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"AXIS-Printer Server 5600 v5.64"; length:44; fragbits:!D; ttl:<=64; flags:S; window:S12; tcpopts:mss=1452; classtype:os-fingerprint; priority:4; sid:200175; rev:1; )

# --- Scanner signatures (labelled "User Stack/Scanner" by the generator) ---
# These match option-less 40-byte SYNs with a fixed window. Because the source
# is $HOME_NET, a hit means such a SYN left an internal host. They are logged
# at the same priority:4 as the OS labels, so they do not stand out unless the
# log consumer filters on msg or sid.
log tcp $HOME_NET any -> any any ( msg:"*NMAP-syn scan (1) (User Stack/Scanner)"; length:40; fragbits:!D; ttl:<=64; flags:S; window:1024; classtype:os-fingerprint; priority:4; sid:200176; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"*NMAP-syn scan (2) (User Stack/Scanner)"; length:40; fragbits:!D; ttl:<=64; flags:S; window:2048; classtype:os-fingerprint; priority:4; sid:200177; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"*NMAP-syn scan (3) (User Stack/Scanner)"; length:40; fragbits:!D; ttl:<=64; flags:S; window:3072; classtype:os-fingerprint; priority:4; sid:200178; rev:1; )
log tcp $HOME_NET any -> any any ( msg:"*NMAP-syn scan (4) (User 
Stack/Scanner)"; length:40; fragbits:!D; ttl:<=64; flags:S; window:4096; classtype:os-fingerprint; priority:4; sid:200179; rev:1; ) log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe (1) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:1024; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol; classtype:os-fingerprint; priority:4; sid:200180; rev:1; ) log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe (2) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:2048; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol; classtype:os-fingerprint; priority:4; sid:200181; rev:1; ) log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe (3) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:3072; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol; classtype:os-fingerprint; priority:4; sid:200182; rev:1; ) log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe (4) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:4096; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol; classtype:os-fingerprint; priority:4; sid:200183; rev:1; ) log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe w/flags (1) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:1024; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol,oddflags; classtype:os-fingerprint; priority:4; sid:200184; rev:1; ) log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe w/flags (2) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:2048; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol,oddflags; classtype:os-fingerprint; priority:4; sid:200185; rev:1; ) log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe w/flags (3) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:3072; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol,oddflags; classtype:os-fingerprint; priority:4; sid:200186; rev:1; ) log tcp $HOME_NET 
any -> any any ( msg:"*NMAP-OS detection probe w/flags (4) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:4096; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol,oddflags; classtype:os-fingerprint; priority:4; sid:200187; rev:1; ) log tcp $HOME_NET any -> any any ( msg:"p0f-sendsyn utility (User Stack/Scanner)"; length:40; fragbits:!D; ttl:<=255; ack:!=0; flags:S; window:12345; classtype:os-fingerprint; priority:4; sid:200188; rev:1; ) log tcp $HOME_NET any -> any any ( msg:"Mysterious-port scanner (?) (Generic) (User Stack/Scanner)"; length:40; fragbits:!D; ttl:<=128; ack:!=0; flags:S; window:56922; classtype:os-fingerprint; priority:5; sid:200189; rev:1; ) log tcp $HOME_NET any -> any any ( msg:"Mysterious-NAT device (2nd tstamp) (Generic) (User Stack/Scanner)"; length:60; fragbits:D; ttl:<=64; flags:S; window:5792; tcpopts:mss=1460,sack,time,nop,ws=0; classtype:os-fingerprint; priority:5; sid:200190; rev:1; ) log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 (RFC1323 no tstamp) (Generic)"; length:52; fragbits:D; ttl:<=128; flags:S; tcpopts:mss,nop,ws=0,nop,nop,sack; classtype:os-fingerprint; priority:5; sid:200191; rev:1; ) log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 (RFC1323) (Generic)"; length:64; fragbits:D; ttl:<=128; flags:S; tcpopts:mss,nop,ws=0,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:5; sid:200192; rev:1; ) log tcp $HOME_NET any -> any any ( msg:"Windows-XP (RFC1323, w+) (Generic)"; length:64; fragbits:D; ttl:<=128; flags:S; tcpopts:mss,nop,ws,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:5; sid:200193; rev:1; ) log tcp $HOME_NET any -> any any ( msg:"Windows-98 (Generic)"; length:48; fragbits:D; ttl:<=128; flags:S; tcpopts:mss=536,nop,nop,sack; classtype:os-fingerprint; priority:5; sid:200194; rev:1; ) log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 (Generic)"; length:48; fragbits:D; ttl:<=128; flags:S; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; 
priority:5; sid:200195; rev:1; )