Re: Passive OS Fingerprinting was Cisco CTR etc

From: David W. Goodrum (dgoodrum_at_nfr.com)
Date: 11/25/03

    Date: Tue, 25 Nov 2003 11:49:28 -0500
    To: "Andy Cuff [Talisker]" <talisker@securitywizardry.com>
    
    

    In your list, are you including commercial products that passively
    fingerprint operating systems? If so, NFR's been passively
    fingerprinting operating systems since the release of 3.2 early this
    year (we're now on 4.0). In 3.2, it was primarily used for
    fragmentation re-assembly purposes, but in 4.0 it's also used for
    user-information purposes and is included in all TCP-based alerts.
    Of course, NFR is not specifically a passive fingerprinting tool, but
    it's an example of how passive fingerprinting is used in real-world
    scenarios.

    -dave

    Andy Cuff [Talisker] wrote:

    >Hey Mark,
    >LTNS ! I was under the impression that anti-sniff was (thinking of a polite
    >word) prone to false positives. Furthermore, I'd be tempted to deploy a
    >passive OS fingerprinting tool on a Data In Nothing Out (DINO) tap, this
    >would make the detection of the pf tool even more difficult through such
    >measures.
    >
    >I think most IDS vendors are developing such technology (with one almost
    >definite exception) But as usual Ron and Marty are ahead of the drag curve.
    >I think it's really s3xy but as my wife will testify I'm sad and I need a
    >life ;o)
    >So s3xy that I have included a page detailing them all at
    >http://www.securitywizardry.com/osfp.htm
    >
    >P0f
    >Ettercap
    >ARCHAEOPTERYX
    >RNA
    >NEVO
    >Prelude
    >pfprintd
    >Disco
    >There was one that was a predecessor I think to P0f but it is no longer
    >supported so I left it out
    >
    >cheers Mark
    >Are you anywhere near DC 11/12 Dec for a beer?
    >-andy cuff
    >Talisker Security Tools Directory
    >http://www.securitywizardry.com
    >----- Original Message -----
    >From: "Teicher, Mark (Mark)" <teicher@avaya.com>
    >To: "Ron Gula" <rgula@tenablesecurity.com>; <focus-ids@securityfocus.com>
    >Sent: Thursday, November 20, 2003 7:49 PM
    >Subject: RE: NeVO Scan Application was RE: Cisco CTR
    >
    >
    >
    >
    >>Ron,
    >>
    >>Didn't @Stake produce AntiSniff to detect passive type monitoring
    >>applications ??
    >>
    >>
    >>
    >>/mark
    >>
    >>-----Original Message-----
    >>From: Ron Gula [mailto:rgula@tenablesecurity.com]
    >>Sent: Thursday, November 20, 2003 12:45 PM
    >>To: Teicher, Mark (Mark); focus-ids@securityfocus.com
    >>Subject: Re: NeVO Scan Application was RE: Cisco CTR
    >>
    >>
    >>Woah ... no-one should be able to detect NeVO or RNA (or a NIDS) just by
    >>sitting there. You need to do real complex things invoking timing and
    >>other checks to find hosts that are passively listening.
    >>
    >>Desktop agents like Sygate will see scans from Nessus, Nmap, pings, etc.
    >>but they will have a hard time detecting passive analysis of their
    >>network traffic.
    >>
    >>Ron
    >>
    >>
    >>
    >>At 12:27 PM 11/20/2003 -0700, Teicher, Mark (Mark) wrote:
    >>
    >>
    >>>Ron,
    >>>
    >>>Interesting, another lightweight and inexpensive monitoring/scanning
    >>>software ?? Wondering if the Enterprise/Desktop firewall products can
    >>>detect NeVO scans as they can nmap scans. It will be very interesting
    >>>to see how Desktop firewalls in the corporate environment stand up to
    >>>NeVO scans..
    >>>
    >>>Something to try in the lab against all those Enterprise/Desktop
    >>>Firewall products.. :)
    >>>
    >>>/mark
    >>>
    >>>-----Original Message-----
    >>>From: Ron Gula [mailto:rgula@tenablesecurity.com]
    >>>Sent: Thursday, November 20, 2003 7:38 AM
    >>>To: focus-ids@securityfocus.com
    >>>Subject: Re: Cisco CTR
    >>>
    >>>
    >>>At 04:54 AM 11/20/2003 -0700, Mark Teicher wrote:
    >>>
    >>>
    >>>>Just curious on how NeVO compares to Intrusec Expose ??
    >>>>
    >>>>
    >>>I have not seen Expose recently, but my thought was that it was a
    >>>continuous low-volume active scan that could launch other vulnerability
    >>>scanners when change was detected. NeVO does the same sort of thing,
    >>>but passively through network packet/session monitoring. Besides
    >>>looking for change in the network, it also looks for the vulnerability.
    >>>
    >>>NeVO needs to wait for a packet to be sent before it sees a host, port,
    >>>client, server or vulnerability. If folks deploy NeVO with a Lightning
    >>>Console, they can launch distributed Nessus scans if they see a system
    >>>or vulnerability data that they would like to follow up with an
    >>>active scan.
    >>>
    >>>Ron Gula
    >>>Tenable Network Security
    >>>http://www.tenablesecurity.com

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
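Both the NFR use Dave describes (attaching a passive OS guess to every TCP-based alert) and Ron's point that a listening sensor is hard to detect come down to the same thing: the sensor sends nothing and only reads fields of SYN segments it has already captured. The block below is an added example, not NFR's, p0f's or any vendor's code, of a p0f-style matcher over constructed SYN records; the signature table, the `Syn` record type and the sample packets are made up for illustration.

```python
# Added example: a minimal p0f-style passive OS fingerprinter. It sends nothing;
# it only reads fields of SYN segments already captured, which is why a sensor
# doing this is hard to spot from the monitored host.
from dataclasses import dataclass

@dataclass(frozen=True)
class Syn:
    """SYN fields a passive fingerprinter keys on (constructed, not parsed from a pcap)."""
    src: str
    ttl: int        # TTL as observed on the wire
    window: int     # advertised receive window
    df: bool        # IP Don't-Fragment bit
    opts: tuple     # TCP option layout in order, e.g. ("mss", "nop", "ws")

# Illustrative signature table, constructed for this example (NOT a real p0f database).
# Key: (initial TTL, window, DF, option layout).
SIGNATURES = {
    (64, 5840, True, ("mss", "sackOK", "ts", "nop", "ws")): "Linux 2.4/2.6 (illustrative)",
    (128, 65535, True, ("mss", "nop", "nop", "sackOK")): "Windows 2000/XP (illustrative)",
    (64, 65535, True, ("mss", "nop", "ws", "nop", "nop", "ts")): "BSD (illustrative)",
}

def initial_ttl(observed: int) -> int:
    """Round the wire TTL up to the nearest common starting value; the gap is the hop count."""
    for start in (64, 128, 255):
        if observed <= start:
            return start
    return 255

def fingerprint(syn: Syn) -> dict:
    """Return the OS guess with its evidence, or 'unknown' when no signature matches."""
    ttl0 = initial_ttl(syn.ttl)
    key = (ttl0, syn.window, syn.df, tuple(syn.opts))
    return {"src": syn.src, "os": SIGNATURES.get(key, "unknown"), "hops": ttl0 - syn.ttl,
            "evidence": {"ttl": syn.ttl, "win": syn.window, "df": syn.df, "opts": syn.opts}}

def annotate_alert(alert: dict, syn: Syn) -> dict:
    """Attach the passive OS guess to a TCP-based alert (the NFR 4.0 use Dave describes)."""
    guess = fingerprint(syn)
    return {**alert, "src_os": guess["os"], "src_hops": guess["hops"]}

# Constructed sample SYNs: 6 hops from a Linux-like stack, 7 from a Windows-like one,
# and a stack the table does not know.
SAMPLE_SYNS = [
    Syn("10.0.0.5", 58, 5840, True, ("mss", "sackOK", "ts", "nop", "ws")),
    Syn("10.0.0.9", 121, 65535, True, ("mss", "nop", "nop", "sackOK")),
    Syn("10.0.0.42", 250, 16384, False, ("mss",)),
]
```

An unmatched stack still yields the hop estimate and the raw evidence, which is what an analyst needs to extend the table rather than a silent miss.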

