Message-ID: <20030816110052.A39162-100000@dekadens.ghettot.org>
From: lcamtuf at ghettot.org (Michal Zalewski)
Subject: p0f 2 beta now out - fingerprint data needed
Hello again,
P0f is a passive OS fingerprinting tool that gathers useful information
about visitors / attackers without triggering any suspicious traffic. In
addition to accurately and precisely fingerprinting a remote OS based on a
large number of metrics, p0f can also determine link types, distances and
uptimes of those hosts - all without sending a single packet. As such, p0f
is a useful addition to a firewall / IDS / server setup.
Version 1.8 of p0f, maintained by William Stearns, became quite popular,
but also had a number of flaws and shortcomings of my initial
proof-of-concept code written back in 2000.
The beta release of p0f 2, a complete rewrite of the original v1 code, is
now available at http://lcamtuf.coredump.cx/p0f-beta.tgz. This is not a
final release, and is intended for testing only. It is fully functional,
but due to a number of major design changes, I had to drop the original
fingerprint database, and there is a very small version shipped with this
code.
This is also the reason for announcing this beta release - I need your
contributions. Fingerprint additions and accuracy reports are badly
needed.
It should run on Linux and *BSD, is not yet ported to Solaris - although
it's just a matter of adding several libs to the Makefile. Some of the old
v1 auxiliary features, such as MySQL connectivity, Logcheck integration
or reporting scripts, are not yet ported.
Main changes:
- Major performance improvements to make it more suitable
to be run on high-throughput devices,
- New modulo or "don't care" comparisons for certain TCP/IP
parameters to make it easier to come up with universal
signatures for systems that change them at will with
no pattern,
- Media type is now determined for a remote party by checking
MSS against a known-MTU database. P0f now reports if the
remote party is hooked up to ethernet or some other medium
on systems for which it makes sense,
- Flag layout and count is now examined. P0f 1 simply checked
for flag presence, p0f 2 can tell a system with
NOP-NOP-MSS-NOP from a system with MSS-NOP,
- Generic last-chance signatures to detect OS groups,
- Better fingerprint file structure,
- Some other improvements, including a minor option parsing
glitch...
Thanks for your feedback.
--
------------------------- bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2003-08-16 11:00 --
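The passive SYN analysis the announcement describes (window and initial-TTL comparison with "don't care" and modulo matching, exact option layout rather than mere option presence, MSS checked against a known-MTU table for the link type, hop distance from the TTL, and a generic last-chance signature) as an added, self-contained example. This is not p0f's own code, it does not use p0f's fingerprint file, and its signature syntax is only loosely modelled on p0f 2's; the MTU table, the three signatures and the sample packets are constructed for illustration.

```python
"""
Minimal passive SYN fingerprinter in the spirit of p0f 2 (added example,
not p0f's code). Parses a raw IPv4+TCP SYN, extracts the metrics p0f 2
compares, matches a tiny hand-written signature table that supports
"don't care" (*), multiple-of-MSS (S4) and modulo (%2048) window specs,
and infers link type from MSS against a small MTU table.
"""
import struct

# Constructed MTU table: MSS + 40 bytes of IPv4+TCP headers == link MTU.
# Assumed values for illustration, not p0f's mtu database.
KNOWN_MTUS = {1500: "ethernet", 1492: "PPPoE", 576: "dial-up (assumed)"}

# Initial TTLs used by common stacks; the smallest one >= observed TTL is
# taken as the sender's starting value, and the difference is the hop count.
INITIAL_TTLS = (32, 64, 128, 255)

# Constructed signatures (names are placeholders, not real OS fingerprints).
# options "*" means the layout is not checked; the last entry is a generic
# "last-chance" signature that only pins down the initial TTL and DF bit.
SIGNATURES = [
    {"win": "S4", "ttl": 64, "df": True,
     "options": ["M", "S", "T", "N", "W"], "os": "constructed-os-A"},
    {"win": "%2048", "ttl": 128, "df": True,
     "options": ["M", "N", "W", "N", "N", "S"], "os": "constructed-os-B"},
    {"win": "*", "ttl": 64, "df": False, "options": "*",
     "os": "generic: unknown TTL-64 stack"},
]


def parse_syn(pkt: bytes) -> dict:
    """Extract TTL, DF, window, MSS, window scale and option layout from a SYN."""
    ihl = (pkt[0] & 0x0F) * 4
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    ttl = pkt[8]
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    if tcp[13] & 0x12 != 0x02:            # SYN set, ACK clear
        raise ValueError("not a bare SYN")
    win = struct.unpack("!H", tcp[14:16])[0]
    opts = tcp[20:data_off]
    layout, mss, wscale = [], None, None
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                         # EOL: stop parsing
            layout.append("E")
            break
        if kind == 1:                         # NOP carries no length byte
            layout.append("N")
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option")
        body = opts[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            mss = struct.unpack("!H", body)[0]
            layout.append("M")
        elif kind == 3:
            wscale = body[0]
            layout.append("W")
        elif kind == 4:
            layout.append("S")                # SACK permitted
        elif kind == 8:
            layout.append("T")                # timestamp
        else:
            layout.append(f"?{kind}")
        i += length
    return {"ttl": ttl, "df": df, "win": win, "mss": mss,
            "wscale": wscale, "options": layout}


def guess_initial_ttl(ttl: int) -> int:
    return next(t for t in INITIAL_TTLS if t >= ttl)


def link_type(mss) -> str:
    return "unknown" if mss is None else KNOWN_MTUS.get(mss + 40, "unknown")


def window_matches(spec: str, win: int, mss) -> bool:
    if spec == "*":
        return True
    if spec.startswith("S"):                  # window is N times the MSS
        return mss is not None and win == int(spec[1:]) * mss
    if spec.startswith("%"):                  # window is a multiple of N
        return win % int(spec[1:]) == 0
    return win == int(spec)


def match(fp: dict):
    for sig in SIGNATURES:
        if sig["ttl"] != guess_initial_ttl(fp["ttl"]) or sig["df"] != fp["df"]:
            continue
        if sig["options"] != "*" and sig["options"] != fp["options"]:
            continue
        if window_matches(sig["win"], fp["win"], fp["mss"]):
            return sig["os"]
    return None


def fingerprint(pkt: bytes) -> dict:
    fp = parse_syn(pkt)
    fp["distance"] = guess_initial_ttl(fp["ttl"]) - fp["ttl"]
    fp["link"] = link_type(fp["mss"])
    fp["os"] = match(fp)
    return fp


def build_syn(ttl: int, df: bool, win: int, options: bytes) -> bytes:
    """Construct a test IPv4+TCP SYN (dummy addresses/ports, no checksums)."""
    opts = options + b"\x00" * (-len(options) % 4)
    data_off = 20 + len(opts)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + data_off, 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      (data_off // 4) << 4, 0x02, win, 0, 0)
    return ip + tcp + opts


# Constructed samples: MSS 1460, layouts M-S-T-N-W, M-N-W-N-N-S, and M alone.
SAMPLE_A = build_syn(57, True, 4 * 1460,
                     b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\x00" * 8 + b"\x01\x03\x03\x07")
SAMPLE_B = build_syn(116, True, 16384,
                     b"\x02\x04\x05\xb4\x01\x03\x03\x02\x01\x01\x04\x02")
SAMPLE_C = build_syn(60, False, 8192, b"\x02\x04\x05\xb4")

if __name__ == "__main__":
    for pkt in (SAMPLE_A, SAMPLE_B, SAMPLE_C):
        print(fingerprint(pkt))
```

The option layout is compared as an ordered list, so a stack that sends NOP-NOP-MSS-NOP is distinguished from one sending MSS-NOP even though both "have" MSS and NOP; the `%2048` and `S4` window specs are what let one signature cover stacks whose raw window values vary.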