Question concerning the the POF, how can we setup a IDS to detect a POF scan. umer ----- Original Message ----- From: "Michal Zalewski" <lcamtufat_private> To: <honeypotsat_private>; <pen-testat_private>; <focus-idsat_private>; <sectoolsat_private> Cc: <incidentsat_private>; <bugtraqat_private>; <full-disclosureat_private> Sent: Wednesday, September 03, 2003 12:21 PM Subject: [tool] the new p0f 2.0.1 is now out > > I am proud to announce the new stable version of p0f, 2.0.1, a complete > rewrite of the original open-source tool released back in 2000, and a > major step for the utility. > > I apologize for posting to all the forums, and leave it to the moderators > to accept or drop this post - but I believe the tool is probably of some > interest to the IDS / honeypot / pen-test / general ITSec audiences, and > more appropriate forums are largely defunct. > > ------------ > What is p0f? > ------------ > > P0f v2 is a versatile passive OS fingerprinting tool. P0f can identify > the system on machines that connect to your box, machines you connect > to, and even machines that merely go thru or near your box. All this > even if the device is behind a fascist packet firewall. > > P0f will also detect what the remote system is hooked up to (be it > Ethernet, DSL, OC3, or avian carriers), how far it is located, what's > its uptime, and will often detect NAT, firewall presence, and even > the name of the other guy's ISP - all this without sending a single > packet. > > What do you need it for? > ------------------------ > > P0f is quite useful for gathering all kinds of profiling information > about your users, customers or attackers (IDS, honeypot, firewall), > tech espionage (laugh...), active or passive policy enforcement > (restricting access for certain systems or otherwise handling them > differently), content optimization, pen-testing, thru-firewall > fingerprinting... plus all the tasks active fingerprinting is suitable > for. And, of course, it has a high coolness factor, even if you are > not a sysadmin. > > ----------- > What's new? > ----------- > > Almost everything. Please upgrade and encourage your vendor to > update his packages. P0f v2 is far superior to the old code > and its clones (such as the Ettercap passive OS fingerprinting > functionality, based on the p0f v1 concepts). It is faster, > more secure, reliable, precise, accurate, feature-loaded > (including easy service integration). It also introduces many > new metrics, some of them "invented" for p0f v2. > > NEW CORE CHECKS: > > - Option layout and count check, > - EOL presence and trailing data [*], > - Unrecognized options handling (TTCP, etc), > - WSS to MSS/MTU correlation checks [*], > - Zero timestamp check, > - Non-zero ACK in initial SYN [*], > - Non-zero "unused" TCP fields [*], > - Non-zero urgent pointer in SYN [*], > - Non-zero second timestamp [*], > - Zero IP ID in initial packet, > - Unusual auxilinary flags, > - Data payload in control packets [*], > - Non-empty IP options. > > [*] Metrics "invented" for p0f, as far as I know. Other metrics > were discussed before, although usually not implemented anywhere. > > IMPROVEMENTS: > > - Major performance improvements - no more runtime signature parsing, > added BPF pre-filtering, signature hash lookups - to make p0f suitable > for high-throughput devices, > > - Modulo and wildcard operators for certain TCP/IP parameters to make > it easier to come up with generic last chance signatures for > systems that tweak settings notoriously (think Windows), > > - Auto-detection of DF-zeroing firewalls, > > - Auto-detection of MSS-tweaking NAT and router devices, > > - Media type detection based on MSS, with a database of common > link types, > > - Origin network detection based on unusual ToS / precedence bits, > > - Ability to detect and skip ECN option when examining flags, > > - Better fingerprint file structure and contents - all fingerprints > are rigorously reviewed before being added. > > - Generic last-chance signatures to cover general OS characteristics, > > - Query mode to enable easy integration with third party software - > p0f caches recent fingerprints and answer queries for src-dst > combinations on a local stream socket in a easy to parse > form, > > - Usability features: greppable output option, daemon mode, host > name resolution option, promiscuous mode switch, built-in signature > collision detector, ToS reporting, etc, > > - "Officially unsupported" SYN+ACK fingerprinting mode for silent > identifications of systems you connect to the usual way (web > browser, MTA), > > - Fixed WSCALE handling in general, and WSS passing on little-endian, > many other bug-fixes and improvements of the packet parser > (including some sanity checks). > > -------------------- > Download, demo, etc. > -------------------- > > P0f home page is: > http://lcamtuf.coredump.cx/p0f.shtml > > Download: > http://lcamtuf.coredump.cx/p0f.tgz > > Contribute / see it in action: > http://lcamtuf.coredump.cx/p0f-help/ > > P0f is believed to run fine on Windows, Linux, FreeBSD, NetBSD, > OpenBSD, MacOS X, Solaris and AIX. > > Please consider contributing to the project if you liked it. > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Thu Sep 04 2003 - 12:15:54 PDT