Ummm "P0f v2 is a versatile passive OS fingerprinting tool" Note the word passive? ie. it watches packets rather than actively sends them.
Or did i get that completely wrong. Daniel. On 9/4/2003, "thetic" <[EMAIL PROTECTED]> wrote: >Question concerning the the POF, how can we setup a IDS to detect a POF >scan. > >umer > > >----- Original Message ----- >From: "Michal Zalewski" <[EMAIL PROTECTED]> >To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; ><[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> >Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; ><[EMAIL PROTECTED]> >Sent: Wednesday, September 03, 2003 12:21 PM >Subject: [tool] the new p0f 2.0.1 is now out > > >> >> I am proud to announce the new stable version of p0f, 2.0.1, a complete >> rewrite of the original open-source tool released back in 2000, and a >> major step for the utility. >> >> I apologize for posting to all the forums, and leave it to the moderators >> to accept or drop this post - but I believe the tool is probably of some >> interest to the IDS / honeypot / pen-test / general ITSec audiences, and >> more appropriate forums are largely defunct. >> >> ------------ >> What is p0f? >> ------------ >> >> P0f v2 is a versatile passive OS fingerprinting tool. P0f can identify >> the system on machines that connect to your box, machines you connect >> to, and even machines that merely go thru or near your box. All this >> even if the device is behind a fascist packet firewall. >> >> P0f will also detect what the remote system is hooked up to (be it >> Ethernet, DSL, OC3, or avian carriers), how far it is located, what's >> its uptime, and will often detect NAT, firewall presence, and even >> the name of the other guy's ISP - all this without sending a single >> packet. >> >> What do you need it for? >> ------------------------ >> >> P0f is quite useful for gathering all kinds of profiling information >> about your users, customers or attackers (IDS, honeypot, firewall), >> tech espionage (laugh...), active or passive policy enforcement >> (restricting access for certain systems or otherwise handling them >> differently), content optimization, pen-testing, thru-firewall >> fingerprinting... plus all the tasks active fingerprinting is suitable >> for. And, of course, it has a high coolness factor, even if you are >> not a sysadmin. >> >> ----------- >> What's new? >> ----------- >> >> Almost everything. Please upgrade and encourage your vendor to >> update his packages. P0f v2 is far superior to the old code >> and its clones (such as the Ettercap passive OS fingerprinting >> functionality, based on the p0f v1 concepts). It is faster, >> more secure, reliable, precise, accurate, feature-loaded >> (including easy service integration). It also introduces many >> new metrics, some of them "invented" for p0f v2. >> >> NEW CORE CHECKS: >> >> - Option layout and count check, >> - EOL presence and trailing data [*], >> - Unrecognized options handling (TTCP, etc), >> - WSS to MSS/MTU correlation checks [*], >> - Zero timestamp check, >> - Non-zero ACK in initial SYN [*], >> - Non-zero "unused" TCP fields [*], >> - Non-zero urgent pointer in SYN [*], >> - Non-zero second timestamp [*], >> - Zero IP ID in initial packet, >> - Unusual auxilinary flags, >> - Data payload in control packets [*], >> - Non-empty IP options. >> >> [*] Metrics "invented" for p0f, as far as I know. Other metrics >> were discussed before, although usually not implemented anywhere. >> >> IMPROVEMENTS: >> >> - Major performance improvements - no more runtime signature parsing, >> added BPF pre-filtering, signature hash lookups - to make p0f >suitable >> for high-throughput devices, >> >> - Modulo and wildcard operators for certain TCP/IP parameters to make >> it easier to come up with generic last chance signatures for >> systems that tweak settings notoriously (think Windows), >> >> - Auto-detection of DF-zeroing firewalls, >> >> - Auto-detection of MSS-tweaking NAT and router devices, >> >> - Media type detection based on MSS, with a database of common >> link types, >> >> - Origin network detection based on unusual ToS / precedence bits, >> >> - Ability to detect and skip ECN option when examining flags, >> >> - Better fingerprint file structure and contents - all fingerprints >> are rigorously reviewed before being added. >> >> - Generic last-chance signatures to cover general OS characteristics, >> >> - Query mode to enable easy integration with third party software - >> p0f caches recent fingerprints and answer queries for src-dst >> combinations on a local stream socket in a easy to parse >> form, >> >> - Usability features: greppable output option, daemon mode, host >> name resolution option, promiscuous mode switch, built-in signature >> collision detector, ToS reporting, etc, >> >> - "Officially unsupported" SYN+ACK fingerprinting mode for silent >> identifications of systems you connect to the usual way (web >> browser, MTA), >> >> - Fixed WSCALE handling in general, and WSS passing on little-endian, >> many other bug-fixes and improvements of the packet parser >> (including some sanity checks). >> >> -------------------- >> Download, demo, etc. >> -------------------- >> >> P0f home page is: >> http://lcamtuf.coredump.cx/p0f.shtml >> >> Download: >> http://lcamtuf.coredump.cx/p0f.tgz >> >> Contribute / see it in action: >> http://lcamtuf.coredump.cx/p0f-help/ >> >> P0f is believed to run fine on Windows, Linux, FreeBSD, NetBSD, >> OpenBSD, MacOS X, Solaris and AIX. >> >> Please consider contributing to the project if you liked it. >> >> > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
