On Thursday 04 September 2003 20:19, thetic wrote: it i a passive scan-tool! you can't detect the scans because there are no packets going to you network. > Question concerning the the POF, how can we setup a IDS to detect a POF > scan. > > umer > > > ----- Original Message ----- > From: "Michal Zalewski" <lcamtufat_private> > To: <honeypotsat_private>; <pen-testat_private>; > <focus-idsat_private>; <sectoolsat_private> > Cc: <incidentsat_private>; <bugtraqat_private>; > <full-disclosureat_private> > Sent: Wednesday, September 03, 2003 12:21 PM > Subject: [tool] the new p0f 2.0.1 is now out > > > I am proud to announce the new stable version of p0f, 2.0.1, a complete > > rewrite of the original open-source tool released back in 2000, and a > > major step for the utility. > > > > I apologize for posting to all the forums, and leave it to the moderators > > to accept or drop this post - but I believe the tool is probably of some > > interest to the IDS / honeypot / pen-test / general ITSec audiences, and > > more appropriate forums are largely defunct. > > > > ------------ > > What is p0f? > > ------------ > > > > P0f v2 is a versatile passive OS fingerprinting tool. P0f can identify > > the system on machines that connect to your box, machines you connect > > to, and even machines that merely go thru or near your box. All this > > even if the device is behind a fascist packet firewall. > > > > P0f will also detect what the remote system is hooked up to (be it > > Ethernet, DSL, OC3, or avian carriers), how far it is located, what's > > its uptime, and will often detect NAT, firewall presence, and even > > the name of the other guy's ISP - all this without sending a single > > packet. > > > > What do you need it for? > > ------------------------ > > > > P0f is quite useful for gathering all kinds of profiling information > > about your users, customers or attackers (IDS, honeypot, firewall), > > tech espionage (laugh...), active or passive policy enforcement > > (restricting access for certain systems or otherwise handling them > > differently), content optimization, pen-testing, thru-firewall > > fingerprinting... plus all the tasks active fingerprinting is suitable > > for. And, of course, it has a high coolness factor, even if you are > > not a sysadmin. > > > > ----------- > > What's new? > > ----------- > > > > Almost everything. Please upgrade and encourage your vendor to > > update his packages. P0f v2 is far superior to the old code > > and its clones (such as the Ettercap passive OS fingerprinting > > functionality, based on the p0f v1 concepts). It is faster, > > more secure, reliable, precise, accurate, feature-loaded > > (including easy service integration). It also introduces many > > new metrics, some of them "invented" for p0f v2. > > > > NEW CORE CHECKS: > > > > - Option layout and count check, > > - EOL presence and trailing data [*], > > - Unrecognized options handling (TTCP, etc), > > - WSS to MSS/MTU correlation checks [*], > > - Zero timestamp check, > > - Non-zero ACK in initial SYN [*], > > - Non-zero "unused" TCP fields [*], > > - Non-zero urgent pointer in SYN [*], > > - Non-zero second timestamp [*], > > - Zero IP ID in initial packet, > > - Unusual auxilinary flags, > > - Data payload in control packets [*], > > - Non-empty IP options. > > > > [*] Metrics "invented" for p0f, as far as I know. Other metrics > > were discussed before, although usually not implemented anywhere. > > > > IMPROVEMENTS: > > > > - Major performance improvements - no more runtime signature parsing, > > added BPF pre-filtering, signature hash lookups - to make p0f > > suitable > > > for high-throughput devices, > > > > - Modulo and wildcard operators for certain TCP/IP parameters to make > > it easier to come up with generic last chance signatures for > > systems that tweak settings notoriously (think Windows), > > > > - Auto-detection of DF-zeroing firewalls, > > > > - Auto-detection of MSS-tweaking NAT and router devices, > > > > - Media type detection based on MSS, with a database of common > > link types, > > > > - Origin network detection based on unusual ToS / precedence bits, > > > > - Ability to detect and skip ECN option when examining flags, > > > > - Better fingerprint file structure and contents - all fingerprints > > are rigorously reviewed before being added. > > > > - Generic last-chance signatures to cover general OS characteristics, > > > > - Query mode to enable easy integration with third party software - > > p0f caches recent fingerprints and answer queries for src-dst > > combinations on a local stream socket in a easy to parse > > form, > > > > - Usability features: greppable output option, daemon mode, host > > name resolution option, promiscuous mode switch, built-in signature > > collision detector, ToS reporting, etc, > > > > - "Officially unsupported" SYN+ACK fingerprinting mode for silent > > identifications of systems you connect to the usual way (web > > browser, MTA), > > > > - Fixed WSCALE handling in general, and WSS passing on little-endian, > > many other bug-fixes and improvements of the packet parser > > (including some sanity checks). > > > > -------------------- > > Download, demo, etc. > > -------------------- > > > > P0f home page is: > > http://lcamtuf.coredump.cx/p0f.shtml > > > > Download: > > http://lcamtuf.coredump.cx/p0f.tgz > > > > Contribute / see it in action: > > http://lcamtuf.coredump.cx/p0f-help/ > > > > P0f is believed to run fine on Windows, Linux, FreeBSD, NetBSD, > > OpenBSD, MacOS X, Solaris and AIX. > > > > Please consider contributing to the project if you liked it. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html -- e-admin internet gmbh Andreas Gietl tel +49 941 3810884 Ludwig-Thoma-Strasse 35 fax +49 (0)1805/39160 - 29104 93051 Regensburg mobil +49 171 6070008 PGP/GPG-Key unter http://www.e-admin.de/gpg.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Thu Sep 04 2003 - 13:41:49 PDT