[Discussion] OS Fingerprinting

David Dagon dagon at cc.gatech.edu
Fri Dec 19 20:38:09 UTC 2008


On Fri, Dec 19, 2008 at 03:22:59PM -0500, Matt Jonkman wrote:
> I use it with spamassassin and it *seems* to make a big difference
> there. I haven't pulled exact stats, but the idea that mail from a
> windows box is more likely to be spam is surely valid.
> 
> Have to look into how far it does ID windows versions. Even if we can
> just get server os vs workstation os that'd be pretty interesting I think.
> 
> Anyone used it much lately?

Since this thread is "for the whiteboard", I'll describe the pony I'd
like for xmas:

 -- your tool should allow me to hook a p0f module, or my own DSO that
    performs immediate classifications. (These classifications could
    then trigger more than logging, e.g., firewall-like match rules
    such as "drop if win95".)

    The callback is immediate.

 -- the tool should also allow me to hook a DSO that does active
    probing.  p0f does not catch them all, and so I might want to
    initiate some active probes of an IP witnessed in flows (e.g.,
    some pen testers jiggle 137/139/445 to get a version string).

    Let's put aside the dos-enabling potential for a moment, for
    purposes of this example.  Say instead I might want to consult a
    database about the flow pairs, and wait out a SELECT, or a dnsbl
    rtt.  Whatever; after my probes/additional inquiry complete, I may
    have further classifications to report, and more firewall
    behaviors to trigger.

    Here, the callback is not immediate, but async.

I.e., there are quick-and-dirty OS fingerprinting techniques that one
can use via a pluggable module.  There are also some active
measurements or correlations that can do a better job of
fingerprinting--allow these as well.  These would be invoked at the
operator's own risk.

But if you permit an async update on flow classifications, you will
create the API that permits new innovations, instead of merely
integrating existing open-source technologies.

So that's my pony; hopefully others want it as well.

-- 
David Dagon              /"\                          "When cryptography
dagon at cc.gatech.edu      \ /  ASCII RIBBON CAMPAIGN    is outlawed, bayl
Ph.D. Student             X     AGAINST HTML MAIL      bhgynjf jvyy unir
Georgia Inst. of Tech.   / \                           cevinpl."
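The plugin API sketched in the message above, written out as an added
example; this is not part of the original post and not the code of p0f
or of any existing tool. A dispatcher hands each new flow to immediate
(synchronous) classifiers and to slow (asynchronous) ones, and every
classification, whenever it arrives, goes through the same
firewall-like rule check ("drop if win95"). The signature table, the
probe stand-in (which sleeps and answers from a fixed dict instead of
touching 137/139/445) and the two flows are constructed for
illustration; the TTL/window values are assumptions, not p0f data.

```python
import threading
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    """What a passive fingerprinter sees on the first SYN of a flow."""
    src: str
    dport: int
    ttl: int        # TTL as observed on the wire
    window: int     # TCP window advertised in the SYN
    df: bool        # IP don't-fragment bit

@dataclass(frozen=True)
class Verdict:
    os_label: str
    module: str     # which classifier produced it

Classifier = Callable[[Flow], Optional[Verdict]]
Predicate = Callable[[List[Verdict]], bool]

# Constructed toy signature table keyed (initial TTL, window, DF): assumed
# values for illustration, not p0f's real fingerprint database.
PASSIVE_SIGS = {(128, 8192, True): "win95", (128, 65535, True): "windows",
                (64, 5840, True): "linux", (64, 65535, True): "bsd"}

# Constructed stand-in for an active probe (e.g. a banner grab on 445): it
# sleeps to mimic latency and answers from a fixed table, no real network I/O.
PROBE_ANSWERS = {"10.0.0.7": "windows"}

def initial_ttl(observed: int) -> int:
    # Round an observed TTL up to the nearest common initial TTL.
    return next((s for s in (32, 64, 128, 255) if observed <= s), 255)

def passive_classify(flow: Flow) -> Optional[Verdict]:
    """Immediate classifier: one table lookup, no I/O."""
    label = PASSIVE_SIGS.get((initial_ttl(flow.ttl), flow.window, flow.df))
    return Verdict(label, "passive") if label else None

def simulated_active_probe(flow: Flow) -> Optional[Verdict]:
    """Slow classifier: pretends to probe the source host."""
    time.sleep(0.05)
    label = PROBE_ANSWERS.get(flow.src)
    return Verdict(label, "active-probe") if label else None

class FlowClassifier:
    """Sync and async modules both feed _report(), which re-checks the rules."""
    def __init__(self) -> None:
        self.sync_modules: List[Classifier] = []
        self.async_modules: List[Classifier] = []
        self.rules: List[Tuple[Predicate, str]] = []    # (predicate, action)
        self.verdicts: Dict[Flow, List[Verdict]] = {}
        self.actions: Dict[Flow, List[str]] = {}
        self._lock = threading.Lock()
        self._threads: List[threading.Thread] = []

    def add_rule(self, predicate: Predicate, action: str) -> None:
        self.rules.append((predicate, action))

    def on_flow(self, flow: Flow) -> List[str]:
        """Returns actions decided immediately; async verdicts land later."""
        with self._lock:
            self.verdicts.setdefault(flow, [])
            self.actions.setdefault(flow, [])
        for m in self.sync_modules:                  # immediate callbacks
            self._report(flow, m(flow))
        immediate = list(self.actions[flow])
        for m in self.async_modules:                 # deferred callbacks
            t = threading.Thread(target=lambda m=m: self._report(flow, m(flow)))
            t.start()
            self._threads.append(t)
        return immediate

    def _report(self, flow: Flow, verdict: Optional[Verdict]) -> None:
        if verdict is None:
            return
        with self._lock:
            self.verdicts[flow].append(verdict)
            for predicate, action in self.rules:
                if predicate(self.verdicts[flow]) and action not in self.actions[flow]:
                    self.actions[flow].append(action)

    def wait(self) -> None:
        # Block until every outstanding async module has reported.
        for t in self._threads:
            t.join()
        self._threads.clear()

def has_os(label: str) -> Predicate:
    return lambda verdicts: any(v.os_label == label for v in verdicts)

def demo() -> Tuple[Dict[Flow, List[str]], Dict[Flow, List[str]]]:
    engine = FlowClassifier()
    engine.sync_modules.append(passive_classify)
    engine.async_modules.append(simulated_active_probe)
    engine.add_rule(has_os("win95"), "drop")             # "drop if win95"
    engine.add_rule(has_os("windows"), "tag:windows")
    # Constructed flows: f1 matches the passive table outright; f2 does not
    # (unusual window) and is only classified once the probe reports.
    f1 = Flow("10.0.0.5", 25, ttl=116, window=8192, df=True)
    f2 = Flow("10.0.0.7", 25, ttl=116, window=4096, df=True)
    immediate = {f1: engine.on_flow(f1), f2: engine.on_flow(f2)}
    engine.wait()
    return immediate, engine.actions
```

demo() returns the actions known when on_flow() returned (f1 is dropped
at once, f2 has nothing yet) and the final actions after wait() (f2 has
been tagged by the probe). The point of the design is that the rule
check lives in one place, so a late verdict can trigger the same
firewall behaviour as an immediate one. A real active-probe module
should be opt-in and rate-limited, for the DoS reason the message sets
aside.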
