[Discussion] OS Fingerprinting
Matt Jonkman
jonkman at jonkmans.com
Mon Dec 22 15:00:17 UTC 2008
Interesting idea, to compare user-agent strings to the p0f output.
In normal user workstations an altered UA is very suspicious. An alert
saying that the workstation just sent a linux or mac UA would be good.
Or even if it changed language. A lot of malware that runs through the
sandnet uses a normal looking windows UA, but it's russian. Or they'll
use an Opera string with a russian tag.
But overall, just the fact that the US has changed is very interesting,
especially in a user net.
Matt
Victor Julien wrote:
> Jack Pepper wrote:
>> Quoting Matt Jonkman <jonkman at jonkmans.com>:
>>
>>> I use it with spamassassin and it *seems* to make a big difference
>>> there. I haven't pulled exact stats, but the idea that mail from a
>>> windows box is more likely to be spam is surely valid.
>>>
>>> Have to look into how far it does ID windows versions. Even if we can
>>> just get server os vs workstation os that'd be pretty interesting I think.
>>>
>>> Anyone used it much lately?
>> I still use it at the "Genre" level and it works predictably. I
>> categorize things into "Windows", "Linux", "Unix" (aix+sun), "BSD",
>> and "MAC" and it seems to work well enough ( ~ 80% ? ) to feed data
>> into my "poor-man's RNA".
>>
>> I don't think the fine grained accuracy is reliable for service-patch
>> level detection, but p0f works ok at the genre level. I did rewrite
>> the socket listener and caching part of it, but the fingerprinting
>> part works well enough as-is.
>
> I wonder if it's useful to look at stuff like User-Agent headers and
> HTTP server signatures as well to determine the OS. It's easy to spoof
> of course, but p0f isn't perfect either.
>
> Could be interesting for cases where p0f and other methods give
> different results. Shouldn't happen all that often in normal traffic.
>
> (although I have one example in my own daily usage, the Webmail plugin
> for Mozilla Thunderbird that I use to read hotmail uses a Mac OS X
> user-agent on my Ubuntu box)
>
> Cheers,
> Victor
> _______________________________________________
> Discussion mailing list
> Discussion at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
More information about the Discussion
mailing list