# signatures
# Copyright (c) M. Ulikowski <elceef@itsec.pl>
# This file is part of NATDet

# Entry format:
# WWWWW:TTT:D:LL:OSGENRE

# WWWWW - Window size, higly OS dependent (0-65535)
#   TTT - Initial Time-To-Live (32, 64, 128 or 255)
#     D - Don't fragment flag (1 - set, 0 - not set)
#    LL - Overall SYN packet size (<=64; 0 - irrevelant)


32767:064:1:60:Linux 2.4/2.6
16396:064:1:60:Linux 2.4/2.6
05840:064:1:60:Linux 2.4/2.6
05840:064:0:60:Linux 2.4/2.6
05840:064:1:52:Linux 2.4/2.6
05792:064:1:60:Linux 2.4/2.6
05792:064:0:60:Linux 2.4/2.6

05752:064:1:60:Linux 2.4
08100:064:1:60:Linux 2.4
05808:064:1:60:Linux 2.4
04848:064:1:60:Linux 2.4
05760:064:1:60:Linux 2.4
04812:064:1:60:Linux 2.4
06432:064:1:60:Linux 2.4
07504:064:1:60:Linux 2.4
08576:064:1:60:Linux 2.4
05592:064:1:60:Linux 2.4

31072:064:1:60:Linux 2.2
15536:064:1:60:Linux 2.2
15536:064:0:60:Linux 2.2
32320:064:1:60:Linux 2.2
32476:064:1:60:Linux 2.2
32476:064:0:60:Linux 2.2
32476:064:1:52:Linux 2.2
32200:064:1:60:Linux 2.2
32200:064:1:52:Linux 2.2
32120:064:1:60:Linux 2.2
31944:064:1:60:Linux 2.2
31944:064:1:52:Linux 2.2
31064:064:1:60:Linux 2.2
16160:064:1:60:Linux 2.2
15532:064:1:60:Linux 2.2
15532:064:0:60:Linux 2.2

32736:064:0:44:Linux 2.0
57407:064:0:44:Linux 2.0
16384:064:0:44:Linux 2.0
16352:064:0:44:Linux 2.0
00512:064:0:44:Linux 2.0

32768:064:1:60:FreeBSD
65535:064:1:60:FreeBSD
65535:064:1:44:FreeBSD
65535:064:0:44:FreeBSD
32900:064:1:60:FreeBSD
32899:064:0:60:FreeBSD
57400:064:1:60:FreeBSD
57400:064:1:44:FreeBSD
57344:064:1:60:FreeBSD
57344:064:1:44:FreeBSD
57344:064:0:44:FreeBSD
33600:064:1:60:FreeBSD
65535:064:0:60:FreeBSD
16944:064:1:60:FreeBSD
16944:064:1:44:FreeBSD
01024:064:1:44:FreeBSD
01024:064:1:60:FreeBSD
17520:064:1:44:FreeBSD
17520:064:0:44:FreeBSD
17520:064:0:52:FreeBSD
17376:064:1:44:FreeBSD
16384:064:1:44:FreeBSD
16430:064:1:44:FreeBSD


57344:064:1:64:OpenBSD
16445:064:1:64:OpenBSD
16384:064:1:64:OpenBSD
16384:064:0:64:OpenBSD
16384:064:1:60:OpenBSD


32768:064:0:60:NetBSD
16384:064:0:60:NetBSD


25200:128:1:48:Windows NT
16944:128:1:64:Windows NT
16944:128:1:48:Windows NT
08160:128:1:48:Windows NT
65535:128:1:48:Windows NT
65535:128:0:48:Windows NT
32767:128:1:48:Windows NT
64512:128:1:48:Windows NT
64512:128:0:48:Windows NT
64512:128:0:44:Windows NT
64240:128:1:64:Windows NT
64240:128:1:48:Windows NT
62944:128:1:52:Windows NT
65340:128:1:48:Windows NT
65280:128:1:48:Windows NT
64240:128:0:48:Windows NT
64800:128:1:48:Windows NT
08472:128:1:44:Windows NT

16384:128:1:48:Windows NT/9x
16384:128:0:48:Windows NT/9x
32768:128:1:48:Windows NT/9x
32768:128:0:48:Windows NT/9x

08192:128:1:48:Windows 9x/NT
08192:128:0:48:Windows 9x/NT

16430:128:1:60:Windows 9x
32801:128:0:48:Windows 9x
08576:128:0:48:Windows 9x
08192:032:1:48:Windows 9x
08192:064:1:48:Windows 9x
32767:128:1:52:Windows 9x
60352:128:1:64:Windows 9x
60352:128:1:48:Windows 9x
08760:128:1:44:Windows 9x
08760:128:1:48:Windows 9x
08472:128:1:52:Windows 9x
08472:128:1:40:Windows 9x
32801:032:1:64:Windows 9x


06144:128:1:44:Novell
06144:128:0:44:Novell
06144:128:0:48:Novell
06144:128:1:52:Novell
32768:128:1:44:Novell


08760:255:1:44:Solaris
01412:255:1:60:Solaris
00536:255:1:44:Solaris
00265:255:1:60:Solaris
25200:064:1:64:Solaris
25200:064:1:48:Solaris
25000:064:1:64:Solaris
25000:064:1:48:Solaris
24656:064:1:44:Solaris
24794:064:1:64:Solaris
24794:064:1:48:Solaris
24820:064:1:48:Solaris
24616:064:0:60:Solaris
24616:064:0:56:Solaris
24616:064:0:52:Solaris
32850:064:1:64:Solaris


32768:064:1:44:HP-UX
32768:064:1:48:HP-UX
32768:064:1:64:HP-UX


49152:064:0:44:IRIX
49152:064:0:48:IRIX
49152:064:0:52:IRIX
49152:064:0:64:IRIX
61440:064:0:44:IRIX
61440:064:0:48:IRIX


32768:255:1:48:MacOS
65535:064:1:58:MacOS
65535:064:1:52:MacOS
65535:064:1:40:MacOS


# NMap signatures are reported as Unknown
# Every TCP scan would cause fake warning
01024:064:0:40:Unknown
01024:064:0:60:Unknown
02048:064:0:40:Unknown
02048:064:0:60:Unknown
03072:064:0:40:Unknown
03072:064:0:60:Unknown
04096:064:0:40:Unknown
04096:064:0:60:Unknown


# covered signatures (less popular systems)
#32768:064:1:60:HP-UX (or FreeBSD)
#16384:064:0:60:QNX (or NetBSD)


# hardware routers and other stuff
08192:128:0:44:Linksys
05840:255:0:44:D-Link
04128:255:0:44:Cisco

