Full Disclosure mailing list archives
Re: Re: [tool] the new p0f 2.0.1 is now out
From: "Thor Larholm" <thor () pivx com>
Date: Thu, 4 Sep 2003 23:21:45 +0200
Well, there will have to be SOME packets entering your network, they will just be indistinguishable from regular traffic.

If you wanted to detect passive OS fingerprinting, you might want to test derivations from ordinary patterns of regular traffic, such as a user constantly requesting the same HTTP resource or constantly trying to send the same ICMP packets.

You won't be able to detect a p0f scan with some static ruleset, but from the pattern-breaking actions of a user trying to generate lots and lots of legitimate traffic. This would likely become easier if p0f was used as part of some larger toolset.

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher

----- Original Message -----
From: "Andreas Gietl" <a.gietl () e-admin de>
Sent: Thursday, September 04, 2003 9:43 PM
Subject: Re: [Full-disclosure] Re: [tool] the new p0f 2.0.1 is now out

On Thursday 04 September 2003 20:19, thetic wrote:

It is a passive scan-tool! You can't detect the scans because there are no packets going to your network.

Question concerning the POF, how can we set up an IDS to detect a POF scan.

umer
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
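
The heuristic from the message above (flag a source whose traffic is dominated by one constantly repeated request, rather than matching a static signature), as an added example that is not part of the original thread. The event tuple layout, the thresholds and the name repetitive_sources are assumptions made for illustration, and the sample events are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample events: (epoch seconds, source IP, protocol, request key).
# Addresses come from the documentation ranges; this is not captured traffic.
SAMPLE_EVENTS = (
    # one client fetching the same HTTP resource every 5 seconds
    [(1000 + 5 * i, "192.0.2.10", "http", "GET /index.html") for i in range(40)]
    # one client sending the same ICMP echo request every 3 seconds
    + [(1000 + 3 * i, "192.0.2.20", "icmp", "echo-request len=64") for i in range(60)]
    # an ordinary browsing session spread over a dozen pages
    + [(1000 + 7 * i, "198.51.100.5", "http", f"GET /page{i % 12}.html") for i in range(30)]
    # a low-volume client that repeats itself but stays under the volume floor
    + [(1000 + 60 * i, "198.51.100.9", "http", "GET /favicon.ico") for i in range(4)]
)


def repetitive_sources(events, window=300, min_events=20, min_share=0.9):
    """Return {source: (top_request, count, share)} for sources whose traffic
    inside any single fixed window is dominated by one repeated request.

    window, min_events and min_share are hypothetical defaults; tune them
    against a baseline of what ordinary users on the network actually do.
    """
    buckets = defaultdict(Counter)  # (source, window index) -> request counts
    for ts, src, proto, key in events:
        buckets[(src, ts // window)][(proto, key)] += 1

    flagged = {}
    for (src, _), counts in buckets.items():
        total = sum(counts.values())
        top, n = counts.most_common(1)[0]
        share = n / total
        if total >= min_events and share >= min_share:
            # Keep only the strongest window seen for each source.
            if src not in flagged or n > flagged[src][1]:
                flagged[src] = (top, n, share)
    return flagged


if __name__ == "__main__":
    for src, (top, n, share) in sorted(repetitive_sources(SAMPLE_EVENTS).items()):
        print(f"{src}: {n} x {top[0]} {top[1]!r} ({share:.0%} of window)")
```

Windows are fixed, so a burst that straddles a window boundary is split in two and can fall below min_events in both halves.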