Date: Thu, 4 Sep 2003 23:21:45 +0200
From: "Thor Larholm" <thor@...x.com>
To: "Andreas Gietl" <a.gietl@...dmin.de>, "thetic" <thetic_1900@...mail.com>,
   "Michal Zalewski" <lcamtuf@...ttot.org>, <honeypots@...urityfocus.com>,
   <pen-test@...urityfocus.com>, <focus-ids@...urityfocus.com>,
   <sectools@...urityfocus.com>
Cc: <incidents@...urityfocus.com>, <bugtraq@...urityfocus.com>,
   <full-disclosure@...sys.com>
Subject: Re: Re: [tool] the new p0f 2.0.1 is now out


Well, there will have to be SOME packets entering your network; they will just
be indistinguishable from regular traffic. If you wanted to detect passive OS
fingerprinting, you might want to test for deviations from ordinary patterns of
regular traffic, such as a user constantly requesting the same HTTP resource or
constantly trying to send the same ICMP packets.

You won't be able to detect a p0f scan with some static ruleset, but from the
pattern-breaking actions of a user trying to generate lots and lots of legitimate
traffic. This would likely become easier if p0f was used as part of some larger
toolset.



Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
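
The detection approach described above, as an added example that is not part of the original post or of the p0f project: a small Python detector that watches for one source repeating the same HTTP request, or the same ICMP echo request, more than a threshold number of times inside a sliding time window. The access-log lines, the ICMP records, the threshold of 5 events in 60 seconds and the function names are all constructed for this illustration; a real deployment would feed it a live web-server log and a packet capture.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed Apache "common log" lines (not real traffic). 10.0.0.5 browses
# normally, 10.0.0.7 reloads one page a few times over five minutes, and
# 10.0.0.9 hammers the same resource six times in ten seconds. The last line
# is deliberately malformed to show that the parser skips it.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [04/Sep/2003:21:00:01 +0200] "GET /index.html HTTP/1.1" 200 1043
10.0.0.5 - - [04/Sep/2003:21:00:03 +0200] "GET /logo.png HTTP/1.1" 200 512
10.0.0.9 - - [04/Sep/2003:21:00:05 +0200] "GET /index.html HTTP/1.1" 200 1043
10.0.0.7 - - [04/Sep/2003:21:00:06 +0200] "GET /index.html HTTP/1.1" 200 1043
10.0.0.9 - - [04/Sep/2003:21:00:07 +0200] "GET /index.html HTTP/1.1" 200 1043
10.0.0.9 - - [04/Sep/2003:21:00:09 +0200] "GET /index.html HTTP/1.1" 200 1043
10.0.0.5 - - [04/Sep/2003:21:00:10 +0200] "GET /about.html HTTP/1.1" 200 880
10.0.0.9 - - [04/Sep/2003:21:00:11 +0200] "GET /index.html HTTP/1.1" 200 1043
10.0.0.9 - - [04/Sep/2003:21:00:13 +0200] "GET /index.html HTTP/1.1" 200 1043
10.0.0.9 - - [04/Sep/2003:21:00:15 +0200] "GET /index.html HTTP/1.1" 200 1043
10.0.0.7 - - [04/Sep/2003:21:02:30 +0200] "GET /index.html HTTP/1.1" 200 1043
10.0.0.7 - - [04/Sep/2003:21:05:00 +0200] "GET /index.html HTTP/1.1" 200 1043
this line is not in common log format
"""

# Constructed ICMP records as (timestamp, source, packet description), the
# shape a capture parser would hand over. 10.0.0.9 sends five identical echo
# requests in five seconds; 10.0.0.5 sends two.
_TZ = timezone(timedelta(hours=2))
_ICMP_KEY = "echo-request len=56 id=0x1234"
SAMPLE_ICMP_EVENTS = (
    [(datetime(2003, 9, 4, 21, 0, s, tzinfo=_TZ), "10.0.0.9", _ICMP_KEY) for s in range(20, 25)]
    + [(datetime(2003, 9, 4, 21, 0, s, tzinfo=_TZ), "10.0.0.5", _ICMP_KEY) for s in (30, 31)]
)

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_access_log(text):
    """Turn common-log lines into (timestamp, source, request) events.

    The event key is "METHOD path", so repeats of the same resource from the
    same client collapse onto one counter. Lines that do not match the format
    are skipped rather than aborting the whole run.
    """
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((ts, m.group("src"), f'{m.group("method")} {m.group("path")}'))
    return events


def find_repeated_events(events, threshold, window_seconds):
    """Flag (source, key) pairs that repeat an identical event too often.

    A per-pair deque holds the timestamps inside the sliding window; once it
    reaches `threshold` entries the pair is reported once, with the count at
    that moment. Events are processed in time order regardless of input order.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, source, key in sorted(events, key=lambda e: e[0]):
        pair = (source, key)
        window = recent[pair]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and pair not in alerted:
            alerted.add(pair)
            alerts.append((source, key, len(window)))
    return alerts


if __name__ == "__main__":
    http_alerts = find_repeated_events(parse_access_log(SAMPLE_ACCESS_LOG), 5, 60)
    icmp_alerts = find_repeated_events(SAMPLE_ICMP_EVENTS, 5, 60)
    for src, key, n in http_alerts + icmp_alerts:
        print(f"{src}: {n} identical events within window -> {key}")
```

The same sliding-window counter serves both of the patterns Thor names; only the event key differs. Tune the threshold against your own baseline first: auto-refreshing pages, monitoring probes and a user hitting reload will trip a window set too tight, and a fingerprinter that paces its traffic to match a real browser will slip under one set too loose.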

----- Original Message ----- 
From: "Andreas Gietl" <a.gietl@...dmin.de>
Sent: Thursday, September 04, 2003 9:43 PM
Subject: Re: [Full-Disclosure] Re: [tool] the new p0f 2.0.1 is now out


> On Thursday 04 September 2003 20:19, thetic wrote:
>
> it is a passive scan tool! you can't detect the scans because there are no
> packets going to your network.
>
> > Question concerning the p0f, how can we setup a IDS to detect a p0f
> > scan.
> >
> > umer

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

