[Discussion] OS Fingerprinting

Matt Jonkman jonkman at jonkmans.com
Mon Dec 22 15:00:17 UTC 2008


Interesting idea, to compare user-agent strings to the p0f output.

On normal user workstations an altered UA is very suspicious. An alert
saying that the workstation just sent a Linux or Mac UA would be good.
Or even if it changed language. A lot of malware that runs through the
sandnet uses a normal-looking Windows UA, but it's Russian. Or they'll
use an Opera string with a Russian tag.

But overall, just the fact that the UA has changed is very interesting,
especially in a user net.

Matt

Victor Julien wrote:
> Jack Pepper wrote:
>> Quoting Matt Jonkman <jonkman at jonkmans.com>:
>>
>>> I use it with spamassassin and it *seems* to make a big difference
>>> there. I haven't pulled exact stats, but the idea that mail from a
>>> windows box is more likely to be spam is surely valid.
>>>
>>> Have to look into how far it does ID windows versions. Even if we can
>>> just get server os vs workstation os that'd be pretty interesting I think.
>>>
>>> Anyone used it much lately?
>> I still use it at the "Genre" level and it works predictably.  I  
>> categorize things into "Windows", "Linux", "Unix" (aix+sun), "BSD",  
>> and "MAC" and it seems to work well enough ( ~ 80% ? ) to feed data  
>> into my "poor-man's RNA".
>>
>> I don't think the fine grained accuracy is reliable for service-patch  
>> level detection, but p0f works ok at the genre level.  I did rewrite  
>> the socket listener and caching part of it, but the fingerprinting  
>> part works well enough as-is.
> 
> I wonder if it's useful to look at stuff like User-Agent headers and
> HTTP server signatures as well to determine the OS. It's easy to spoof
> of course, but p0f isn't perfect either.
> 
> Could be interesting for cases where p0f and other methods give
> different results. Shouldn't happen all that often in normal traffic.
> 
> (although I have one example in my own daily usage, the Webmail plugin
> for Mozilla Thunderbird that I use to read hotmail uses a Mac OS X
> user-agent on my Ubuntu box)
> 
> Cheers,
> Victor
> _______________________________________________
> Discussion mailing list
> Discussion at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
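The UA-versus-p0f cross-check discussed in this thread (OS genre mismatch, plus the language tag Matt mentions), as an added example that is not code from the thread, from p0f or from Emerging Threats. It assumes the p0f genre for each source host is already available alongside the HTTP request (for example from a cache keyed by client IP) and that the expected user-population language is English; the genre labels, the substring rules and every User-Agent string below are constructed for illustration.

```python
"""Cross-check HTTP User-Agent strings against p0f OS genre output.

Added example, not code from the original thread or from p0f. The
p0f-genre values and the User-Agent strings below are constructed.
"""
import re
from typing import List, Optional

# Genre labels as used in the thread; p0f output is normalised onto these.
GENRES = ("Windows", "Linux", "Unix", "BSD", "Mac")

# Ordered substring rules: first match wins, so Android is checked before
# Linux and the concrete Unix flavours before the generic X11 fallback.
# (Constructed; real UA parsing needs a fuller table.)
_UA_OS_RULES = (
    ("Android", "Linux"),
    ("Windows", "Windows"),
    ("Mac OS X", "Mac"),
    ("Macintosh", "Mac"),
    ("FreeBSD", "BSD"),
    ("OpenBSD", "BSD"),
    ("NetBSD", "BSD"),
    ("SunOS", "Unix"),
    ("AIX", "Unix"),
    ("Linux", "Linux"),
    ("X11", "Unix"),
)

# Old Gecko/Opera/MSIE agents carried a language tag such as 'ru' or 'en-US'
# as one ';'-separated token inside the parenthesised comment.
_LANG_TAG = re.compile(r"^[a-z]{2}(?:-[A-Za-z]{2})?$")


def normalise_genre(p0f_genre: str) -> str:
    """Map p0f's genre string (e.g. 'MAC', 'windows') onto GENRES, else 'Unknown'."""
    for g in GENRES:
        if g.lower() == p0f_genre.strip().lower():
            return g
    return "Unknown"


def ua_os(ua: str) -> str:
    """Infer the OS genre a User-Agent string claims, or 'Unknown'."""
    for needle, genre in _UA_OS_RULES:
        if needle in ua:
            return genre
    return "Unknown"


def ua_language(ua: str) -> Optional[str]:
    """Return the language tag embedded in the UA comment, if any."""
    for comment in re.findall(r"\(([^)]*)\)", ua):
        for token in comment.split(";"):
            token = token.strip()
            if _LANG_TAG.match(token):
                return token
    return None


def check_event(p0f_genre: str, ua: str,
                expected_langs=("en", "en-US", "en-GB")) -> List[str]:
    """Compare the p0f genre seen for a host with what its User-Agent claims.

    Returns alert strings; an empty list means nothing odd. Only fires on
    an OS mismatch when both sides actually produced a genre.
    """
    alerts = []
    p0f = normalise_genre(p0f_genre)
    claimed = ua_os(ua)
    if p0f != "Unknown" and claimed != "Unknown" and p0f != claimed:
        alerts.append(f"os-mismatch: p0f={p0f} ua={claimed}")
    lang = ua_language(ua)
    if lang is not None and lang not in expected_langs:
        alerts.append(f"unexpected-language: {lang}")
    return alerts


# Constructed sample input: (p0f genre, User-Agent) pairs as a sensor might log.
SAMPLE_EVENTS = [
    ("Windows", "Mozilla/5.0 (Windows NT 5.1; rv:1.9) Gecko/2008 Firefox/3.0"),
    ("Windows", "Opera/9.25 (Windows NT 5.1; U; ru)"),
    ("Windows", "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US) Firefox/3.0"),
    ("Linux", "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US) Thunderbird/2.0"),
]


def scan(events=SAMPLE_EVENTS):
    """Run check_event over a batch and return only the events that alerted."""
    hits = []
    for p0f, ua in events:
        alerts = check_event(p0f, ua)
        if alerts:
            hits.append((p0f, ua, alerts))
    return hits


if __name__ == "__main__":
    for p0f, ua, alerts in scan():
        print(p0f, "|", ua, "|", ", ".join(alerts))
```

The last sample event reproduces Victor's own case, a Mac UA from a Linux host, and it does alert: a legitimate but odd client is indistinguishable from a spoofed UA at this level, so the check is a trigger for a look rather than a verdict, and the expected-language set should be tuned to the site's real user population before it is allowed to page anyone.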