[Discussion] OS Fingerprinting

Matt Jonkman jonkman at jonkmans.com
Sun Dec 21 18:29:57 UTC 2008


David Dagon wrote:
>
> Since this thread is "for the whiteboard", I'll describe the pony I'd
> like for xmas:
> 
>  -- your tool should allow me to hook a p0f module, or my own DSO that
>     performs immediate classifications. (These classifications could
>     then trigger more than logging; e.g., firewall-like match rules,
>     e.g., "drop if win95", etc.)
> 
>     The callback is immediate.
>

I like this a lot. I am very anxious to have a rule syntax option of
something like p0f:checkif,iswin95.

Keeping an internal db of known OSes shouldn't be tough. And it'd be
very interesting to get alerts when an OS changes.


>  -- the tool should also allow me to hook a DSO that does active
>     probing.  p0f does not catch them all, and so I might want to
>     initiate some active probes of an IP witnessed in flows (e.g.,
>     some pen testers jiggle 137/139/445 to get a version string).

Dangers there, but interesting. We'd have to make sure the actual
knowledge of what OSes are being seen is valuable enough for the
overhead of going to see what they are. But well worth it. I think PADS
has been mentioned in the thread already. The tech exists to do so for sure.

> 
>     Let's put aside the dos-enabling potential for a moment, for
>     purposes of this example.  Say instead I might want to consult a
>     database about the flow pairs, and wait out a SELECT, or a dnsbl
>     rtt.  Whatever; after my probes/additional inquiry complete, I may
>     have further classifications to report, and more firewall
>     behaviors to trigger.
> 
>     Here, the callback is not immediate, but async.
> 
> I.e., there are quick-and-dirty OS fingerprinting techniques that one
> can use via a pluggable module.  There are also some active
> measurements or correlations that can do a better job of
> fingerprinting--allow these as well.  These would be invoked at the
> operator's own risk.
> 
> But if you permit an async update on flow classifications, you will
> create the API that permits new innovations, instead of merely
> integrating existing opensource technologies.
> 
> So that's my pony; hopefully others want it as well.
> 

I think you've got something here for sure. Summarizing this into the wiki.

By the way, the current list is at:
http://doc.emergingthreats.net/bin/view/Main/EngineFeatures

Thanks all!

Matt


-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
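Added illustration (not code from the thread, the engine or p0f): a sketch of what the hooks discussed above could look like, with a synchronous classification of a SYN, a per-host table that alerts when a host's OS changes, a firewall-like match on the result, and a later asynchronous update from an active probe that reuses the same path. The signature values, the "p0f:os,<label>" keyword and the sample SYNs are all constructed for the example and are not real p0f fingerprints or real rule syntax.

```python
"""Passive OS fingerprinting hook with per-host classification tracking.

Illustrative example only: the signature table is constructed for the demo
and is NOT taken from the p0f database; the rule keyword 'p0f:os,<label>'
is a hypothetical syntax, not a real engine option.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Syn:
    """Fields of an observed TCP SYN that passive fingerprinting keys on."""
    src: str
    ttl: int                    # TTL as seen on the wire (initial TTL minus hops)
    window: int                 # TCP window size
    df: bool                    # IP don't-fragment bit
    options: Tuple[str, ...]    # TCP option layout in order, e.g. ("mss", "nop", "ws")


# Constructed signature table: (initial TTL, window, DF, option layout) -> label.
# Demo values only, not real p0f fingerprints.
SIGNATURES = [
    (128, 8192,  True, ("mss",),                                     "win95"),
    (128, 65535, True, ("mss", "nop", "ws", "nop", "nop", "sok"),    "winxp"),
    (64,  5840,  True, ("mss", "sok", "ts", "nop", "ws"),            "linux-2.6"),
    (64,  65535, True, ("mss", "nop", "ws", "sok", "ts"),            "freebsd"),
]

INITIAL_TTLS = (32, 64, 128, 255)


def guess_initial_ttl(ttl: int) -> int:
    """Map an on-the-wire TTL back to the smallest common initial TTL >= it."""
    for cand in INITIAL_TTLS:
        if ttl <= cand:
            return cand
    return 255


def classify(syn: Syn) -> str:
    """Immediate (synchronous) classification: exact match on the signature table."""
    key = (guess_initial_ttl(syn.ttl), syn.window, syn.df, syn.options)
    for sig_ttl, win, df, opts, label in SIGNATURES:
        if key == (sig_ttl, win, df, opts):
            return label
    return "unknown"


def parse_rule(keyword: str) -> str:
    """Parse the hypothetical keyword 'p0f:os,<label>' and return the label."""
    prefix = "p0f:os,"
    if not keyword.startswith(prefix):
        raise ValueError(f"unsupported keyword: {keyword}")
    return keyword[len(prefix):]


def rule_matches(keyword: str, label: str) -> bool:
    """Firewall-like match rule: true when the host's classification equals the label."""
    return parse_rule(keyword) == label


Hook = Callable[[str, Optional[str], str, str], None]   # (ip, old, new, source)


class HostTable:
    """Per-IP OS classification store; fires hooks on first sight and on change."""

    def __init__(self) -> None:
        self.os: Dict[str, str] = {}
        self.hooks: List[Hook] = []
        self.events: List[Tuple[str, str, Optional[str], str]] = []

    def register_hook(self, fn: Hook) -> None:
        self.hooks.append(fn)

    def update(self, ip: str, label: str, source: str) -> Optional[str]:
        """Record a classification from any source (passive SYN now, or an
        active probe / DB lookup that completes later). Returns 'new',
        'change' or None; hooks run only on new/change."""
        if label == "unknown":
            return None                 # never let an unknown SYN overwrite a known OS
        old = self.os.get(ip)
        if old == label:
            return None
        self.os[ip] = label
        kind = "new" if old is None else "change"
        self.events.append((kind, ip, old, label))
        for fn in self.hooks:
            fn(ip, old, label, source)
        return kind

    def observe(self, syn: Syn) -> str:
        """Passive path: classify immediately and update the table (sync callback)."""
        label = classify(syn)
        self.update(syn.src, label, "passive")
        return label


def demo() -> Tuple[List[Tuple[str, str, Optional[str], str]], List[str]]:
    """Run a few constructed SYNs plus one delayed active result through the table."""
    table = HostTable()
    drops: List[str] = []

    def drop_if_win95(ip: str, old: Optional[str], new: str, source: str) -> None:
        if rule_matches("p0f:os,win95", new):   # "drop if win95"
            drops.append(ip)

    table.register_hook(drop_if_win95)
    table.observe(Syn("10.0.0.5", 126, 8192, True, ("mss",)))                           # win95, 2 hops out
    table.observe(Syn("10.0.0.9", 61, 5840, True, ("mss", "sok", "ts", "nop", "ws")))   # linux-2.6
    table.observe(Syn("10.0.0.9", 61, 9999, True, ("mss",)))                            # unknown: ignored
    table.update("10.0.0.9", "freebsd", "active")    # async: probe result arrives later
    return table.events, drops


if __name__ == "__main__":
    for event in demo()[0]:
        print(event)
```

The point of routing both the passive result and the later active result through the same update() is that the "OS changed" alert and the match rules do not care where a classification came from; a module that does a slow lookup just calls update() when it finishes.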