Well, there will have to be SOME packets entering your network, they will just be indistinguishable from regular traffic. If you wanted to detect passive OS fingerprinting, you might want to test deviations from ordinary patterns of regular traffic, such as a user constantly requesting the same HTTP resource or constantly trying to send the same ICMP packets. You won't be able to detect a p0f scan with some static ruleset, but from the pattern-breaking actions of a user trying to generate lots and lots of legitimate traffic. This would likely become easier if p0f was used as part of some larger toolset.

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher

----- Original Message -----
From: "Andreas Gietl" <a.gietl@e-admin.de>
Sent: Thursday, September 04, 2003 9:43 PM
Subject: Re: [Full-Disclosure] Re: [tool] the new p0f 2.0.1 is now out

> On Thursday 04 September 2003 20:19, thetic wrote:
>
> it is a passive scan-tool! you can't detect the scans because there are no
> packets going to your network.
>
> > Question concerning the POF, how can we setup an IDS to detect a POF
> > scan.
> >
> > umer

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
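The heuristic Thor describes above, a client hammering the same HTTP resource in a way ordinary browsing does not, can be sketched as a small log-driven detector. The following is an added example and not code from the original thread or from p0f itself: the access-log lines are constructed, the sliding-window thresholds `MAX_REPEATS` and `WINDOW_SECONDS` are assumed values a defender would tune against their own traffic baseline, and the per-client path-diversity ratio is a second, equally assumed measure of "repetitiveness" rather than anything the post specifies.

```python
"""Added example: flag clients whose request pattern looks like deliberate
generation of identical traffic (the "same HTTP resource over and over"
anomaly from the post), rather than matching any static signature.
Log lines are constructed; thresholds are assumptions to be tuned."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined-log-format style line: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed thresholds: more than MAX_REPEATS requests for one (ip, path)
# pair inside any WINDOW_SECONDS span is treated as pattern-breaking.
MAX_REPEATS = 5
WINDOW_SECONDS = 60

# Constructed sample: one ordinary visitor (10.0.0.5) fetching a page and its
# assets, one client (10.0.0.9) re-requesting /index.html every 5 seconds,
# and one malformed line to show that unparseable input is skipped.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Sep/2003:21:43:00 +0200] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [04/Sep/2003:21:43:01 +0200] "GET /style.css HTTP/1.1" 200 128',
    '10.0.0.5 - - [04/Sep/2003:21:43:02 +0200] "GET /logo.png HTTP/1.1" 200 2048',
    '10.0.0.5 - - [04/Sep/2003:21:45:10 +0200] "GET /about.html HTTP/1.1" 200 700',
] + [
    f'10.0.0.9 - - [04/Sep/2003:21:43:{s:02d} +0200] "GET /index.html HTTP/1.1" 200 512'
    for s in range(0, 40, 5)
] + ["not a log line"]


def parse_line(line):
    """Return (ip, path, timestamp) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), m.group("path"), ts


def find_repetitive_clients(lines, max_repeats=MAX_REPEATS, window=WINDOW_SECONDS):
    """Sliding-window count per (ip, path); returns {(ip, path): peak count}
    for every pair whose count exceeded max_repeats within `window` seconds.
    Assumes lines arrive in timestamp order, as a live log tail would."""
    windows = defaultdict(deque)
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip junk rather than crash on it
        ip, path, ts = parsed
        q = windows[(ip, path)]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > max_repeats:
            alerts[(ip, path)] = max(alerts.get((ip, path), 0), len(q))
    return alerts


def client_path_diversity(lines):
    """Distinct paths divided by total requests, per client. Normal browsing
    fetches many different resources (ratio near 1.0); a client generating
    identical traffic scores low. Meaningful only once a client has volume."""
    totals = defaultdict(int)
    paths = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, _ = parsed
        totals[ip] += 1
        paths[ip].add(path)
    return {ip: len(paths[ip]) / totals[ip] for ip in totals}


if __name__ == "__main__":
    for (ip, path), count in find_repetitive_clients(SAMPLE_LOG).items():
        print(f"repetition alert: {ip} requested {path} {count}x within {WINDOW_SECONDS}s")
    for ip, ratio in client_path_diversity(SAMPLE_LOG).items():
        print(f"{ip}: path diversity {ratio:.3f}")
```

Run against the constructed sample, only 10.0.0.9 trips the window (8 identical requests in 35 seconds) and its diversity ratio is 0.125 against 1.0 for the ordinary visitor. The same sliding-window idea applies to any (source, repeated-signature) key, for instance identical ICMP echo requests from one host, which is the other pattern the post mentions; what it cannot do, consistent with the post, is recognise the fingerprinting itself, only the out-of-character volume behind it.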
This archive was generated by hypermail 2b30 : Thu Sep 04 2003 - 15:06:05 PDT