| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20030904193544.08C966ADF2@mail.freebox.mine.nu> From: dan at lockedbox.net (Daniel Bartlett) Subject: Re: [tool] the new p0f 2.0.1 is now out Ummm "P0f v2 is a versatile passive OS fingerprinting tool" Note the word passive? ie. it watches packets rather than actively sends them. Or did i get that completely wrong. Daniel. On 9/4/2003, "thetic" <thetic_1900@...mail.com> wrote: >Question concerning the the POF, how can we setup a IDS to detect a POF >scan. > >umer > > >----- Original Message ----- >From: "Michal Zalewski" <lcamtuf@...ttot.org> >To: <honeypots@...urityfocus.com>; <pen-test@...urityfocus.com>; ><focus-ids@...urityfocus.com>; <sectools@...urityfocus.com> >Cc: <incidents@...urityfocus.com>; <bugtraq@...urityfocus.com>; ><full-disclosure@...sys.com> >Sent: Wednesday, September 03, 2003 12:21 PM >Subject: [tool] the new p0f 2.0.1 is now out > > >> >> I am proud to announce the new stable version of p0f, 2.0.1, a complete >> rewrite of the original open-source tool released back in 2000, and a >> major step for the utility. >> >> I apologize for posting to all the forums, and leave it to the moderators >> to accept or drop this post - but I believe the tool is probably of some >> interest to the IDS / honeypot / pen-test / general ITSec audiences, and >> more appropriate forums are largely defunct. >> >> ------------ >> What is p0f? >> ------------ >> >> P0f v2 is a versatile passive OS fingerprinting tool. P0f can identify >> the system on machines that connect to your box, machines you connect >> to, and even machines that merely go thru or near your box. All this >> even if the device is behind a fascist packet firewall. >> >> P0f will also detect what the remote system is hooked up to (be it >> Ethernet, DSL, OC3, or avian carriers), how far it is located, what's >> its uptime, and will often detect NAT, firewall presence, and even >> the name of the other guy's ISP - all this without sending a single >> packet. >> >> What do you need it for? >> ------------------------ >> >> P0f is quite useful for gathering all kinds of profiling information >> about your users, customers or attackers (IDS, honeypot, firewall), >> tech espionage (laugh...), active or passive policy enforcement >> (restricting access for certain systems or otherwise handling them >> differently), content optimization, pen-testing, thru-firewall >> fingerprinting... plus all the tasks active fingerprinting is suitable >> for. And, of course, it has a high coolness factor, even if you are >> not a sysadmin. >> >> ----------- >> What's new? >> ----------- >> >> Almost everything. Please upgrade and encourage your vendor to >> update his packages. P0f v2 is far superior to the old code >> and its clones (such as the Ettercap passive OS fingerprinting >> functionality, based on the p0f v1 concepts). It is faster, >> more secure, reliable, precise, accurate, feature-loaded >> (including easy service integration). It also introduces many >> new metrics, some of them "invented" for p0f v2. >> >> NEW CORE CHECKS: >> >> - Option layout and count check, >> - EOL presence and trailing data [*], >> - Unrecognized options handling (TTCP, etc), >> - WSS to MSS/MTU correlation checks [*], >> - Zero timestamp check, >> - Non-zero ACK in initial SYN [*], >> - Non-zero "unused" TCP fields [*], >> - Non-zero urgent pointer in SYN [*], >> - Non-zero second timestamp [*], >> - Zero IP ID in initial packet, >> - Unusual auxilinary flags, >> - Data payload in control packets [*], >> - Non-empty IP options. >> >> [*] Metrics "invented" for p0f, as far as I know. Other metrics >> were discussed before, although usually not implemented anywhere. >> >> IMPROVEMENTS: >> >> - Major performance improvements - no more runtime signature parsing, >> added BPF pre-filtering, signature hash lookups - to make p0f >suitable >> for high-throughput devices, >> >> - Modulo and wildcard operators for certain TCP/IP parameters to make >> it easier to come up with generic last chance signatures for >> systems that tweak settings notoriously (think Windows), >> >> - Auto-detection of DF-zeroing firewalls, >> >> - Auto-detection of MSS-tweaking NAT and router devices, >> >> - Media type detection based on MSS, with a database of common >> link types, >> >> - Origin network detection based on unusual ToS / precedence bits, >> >> - Ability to detect and skip ECN option when examining flags, >> >> - Better fingerprint file structure and contents - all fingerprints >> are rigorously reviewed before being added. >> >> - Generic last-chance signatures to cover general OS characteristics, >> >> - Query mode to enable easy integration with third party software - >> p0f caches recent fingerprints and answer queries for src-dst >> combinations on a local stream socket in a easy to parse >> form, >> >> - Usability features: greppable output option, daemon mode, host >> name resolution option, promiscuous mode switch, built-in signature >> collision detector, ToS reporting, etc, >> >> - "Officially unsupported" SYN+ACK fingerprinting mode for silent >> identifications of systems you connect to the usual way (web >> browser, MTA), >> >> - Fixed WSCALE handling in general, and WSS passing on little-endian, >> many other bug-fixes and improvements of the packet parser >> (including some sanity checks). >> >> -------------------- >> Download, demo, etc. >> -------------------- >> >> P0f home page is: >> http://lcamtuf.coredump.cx/p0f.shtml >> >> Download: >> http://lcamtuf.coredump.cx/p0f.tgz >> >> Contribute / see it in action: >> http://lcamtuf.coredump.cx/p0f-help/ >> >> P0f is believed to run fine on Windows, Linux, FreeBSD, NetBSD, >> OpenBSD, MacOS X, Solaris and AIX. >> >> Please consider contributing to the project if you liked it. >> >> > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists