
[Full-Disclosure] p0f 2 beta now out - fingerprint data needed

Hello again,

P0f is a passive OS fingerprinting tool that gathers useful information
about visitors / attackers without triggering any suspicious traffic. In
addition to accurately and precisely fingerprinting a remote OS based on a
large number of metrics, p0f can also determine link types, distances and
uptimes of those hosts - all without sending a single packet. As such, p0f
is a useful addition to a firewall / IDS / server setup.

Version 1.8 of p0f, maintained by William Stearns, became quite popular,
but also had a number of flaws and shortcomings of my initial
proof-of-concept code written back in 2000.

The beta release of p0f 2, a complete rewrite of the original v1 code, is
now available at http://lcamtuf.coredump.cx/p0f-beta.tgz . This is not a
final release, and is intended for testing only. It is fully functional,
but due to a number of major design changes, I had to drop the original
fingerprint database, and there is a very small version shipped with this
code.

This is also the reason for announcing this beta release - I need your
contributions. Fingerprint additions and accuracy reports are badly
needed.

It should run on Linux and *BSD, is not yet ported to Solaris - although
it's just a matter of adding several libs to the Makefile. Some of the old
v1 auxiliary features, such as MySQL connectivity, Logcheck integration
or reporting scripts, are not yet ported.

Main changes:

  - Major performance improvements to make it more suitable
    to be run on high-throughput devices,

  - New modulo or "don't care" comparisons for certain TCP/IP
    parameters to make it easier to come up with universal
    signatures for systems that change them at will with
    no pattern,

  - Media type is now determined for a remote party by checking
    MSS against a known-MTU database. P0f now reports if the
    remote party is hooked up to ethernet or some other medium
    on systems for which it makes sense,

  - Flag layout and count is now examined. P0f 1 simply checked
    for flag presence, p0f 2 can tell a system with
    NOP-NOP-MSS-NOP from a system with MSS-NOP,

  - Generic last-chance signatures to detect OS groups,

  - Better fingerprint file structure,

  - Some other improvements, including a fix for a minor option
    parsing glitch...

Thanks for your feedback.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-08-16 11:00 --
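To make the announcement's feature list concrete, here is an added illustration (my own code, not p0f's) of the three mechanisms it describes: deriving the link medium from MSS + 40 against a table of known MTUs, recording the TCP option layout letter by letter so that M,N,N,S and M,S,T,N,W are distinguishable, and matching SYN fields against signatures that allow "don't care" (`*`), modulo (`%N`) and multiple-of-MSS (`SN`) comparisons with a generic last-chance entry at the end. The MTU table, the signature entries and the token syntax are simplifying assumptions of this example, not p0f 2's actual database or fingerprint format, and the three SYN packets are constructed inline with checksums zeroed.

```python
"""Passive SYN fingerprinting sketch in the spirit of p0f 2.
Added illustration only; tables, signatures and syntax are assumptions."""
import struct

# Assumed MTU table: MSS + 40 bytes of IPv4/TCP headers == link MTU.
KNOWN_MTU = {1500: "ethernet/modem", 1492: "pppoe", 576: "dialup/ppp"}

# TCP option kinds rendered as single letters (E=EOL, N=NOP, M=MSS,
# W=window scale, S=SACK permitted, T=timestamp).
OPT_LETTER = {0: "E", 1: "N", 2: "M", 3: "W", 4: "S", 8: "T"}

# Constructed signatures: (window, ttl, df, option layout, label).
# '*' = don't care, '%N' = window is a multiple of N, 'SN' = N times MSS.
# The all-wildcard entry is the generic last-chance signature.
SIGS = [
    ("S4", "64", "1", "M,S,T,N,W", "linux-2.4-like"),
    ("%64", "128", "1", "M,N,N,S", "windows-like"),
    ("*", "*", "*", "*", "generic fallback"),
]


def parse_syn(pkt):
    """Extract fingerprint fields from raw IPv4 + TCP SYN bytes."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl = pkt[8]
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4            # TCP header length incl. options
    win = struct.unpack("!H", tcp[14:16])[0]
    layout, mss, wscale = [], None, None
    opts, i = tcp[20:doff], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                     # end of option list
            layout.append("E")
            break
        if kind == 1:                     # NOP has no length byte
            layout.append("N")
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option")   # avoid looping forever
        body = opts[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            mss = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:
            wscale = body[0]
        layout.append(OPT_LETTER.get(kind, "?"))
        i += length
    return {"ttl": ttl, "df": df, "win": win, "mss": mss, "wscale": wscale,
            "layout": ",".join(layout), "syn_only": tcp[13] == 0x02}


def link_type(mss):
    """Media type from MSS via the assumed MTU table."""
    return KNOWN_MTU.get(mss + 40, "unknown") if mss else "unknown"


def distance(ttl):
    """Hops travelled, assuming the next common initial TTL was used."""
    for initial in (32, 64, 128, 255):
        if ttl <= initial:
            return initial - ttl
    return None


def match_field(spec, value, mss=None):
    if spec == "*":
        return True
    if spec.startswith("%"):
        return value % int(spec[1:]) == 0
    if spec.startswith("S"):
        return mss is not None and value == int(spec[1:]) * mss
    return value == int(spec)


def fingerprint(pkt):
    """Return the first matching signature plus link type and distance."""
    f = parse_syn(pkt)
    if not f["syn_only"]:
        return None
    for win, ttl, df, layout, label in SIGS:
        ttl_ok = ttl == "*" or 0 <= int(ttl) - f["ttl"] < 32
        if (match_field(win, f["win"], f["mss"]) and ttl_ok
                and match_field(df, int(f["df"]))
                and layout in ("*", f["layout"])):
            return {"label": label, "link": link_type(f["mss"]),
                    "distance": distance(f["ttl"]), "layout": f["layout"]}
    return None


def build_syn(ttl, df, win, options):
    """Constructed sample IPv4 + TCP SYN; checksums left zero on purpose."""
    assert len(options) % 4 == 0
    doff = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 1, 0, doff << 4, 0x02, win, 0, 0)
    tcp += options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


MSS = lambda v: b"\x02\x04" + struct.pack("!H", v)
SAMPLE_LINUX = build_syn(51, True, 4 * 1460, MSS(1460) + b"\x04\x02"
                         + b"\x08\x0a" + struct.pack("!II", 1000, 0)
                         + b"\x01" + b"\x03\x03\x07")
SAMPLE_WINDOWS = build_syn(116, True, 16384, MSS(1460) + b"\x01\x01\x04\x02")
SAMPLE_DIALUP = build_syn(240, False, 1000, MSS(536))

if __name__ == "__main__":
    for name, pkt in (("linux", SAMPLE_LINUX), ("windows", SAMPLE_WINDOWS),
                      ("dialup", SAMPLE_DIALUP)):
        print(name, fingerprint(pkt))
```

The parser refuses option lengths below 2 rather than skipping them; a passive sniffer sits on every SYN a hostile peer chooses to send, so a zero-length option must not turn into an infinite loop. Real signature databases also carry quirks and window-scale values, which are omitted here.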

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html