RE: Passive OS Fingerprinting was Cisco CTR etc

["Teicher, Mark (Mark)" <teicher () avaya com>]

Not quite sure if they are ahead of the curve or just taking advertising
a feature many people didn't realize was a possibility of the various
Enterprise Management Systems available.  Cabletron Spectrum had a
network mapping feature based on ttl's a long time ago.  Very few people
even deployed Cabletron Spectrum.  The other was ANMS (Automatic Network
Monitoring System) a bash, perl, ksh scripting network architecture that
is still or was used by many large telecommunications carriers.  

A most recent attempt at network mapping was the 3-d mapping option in
Cybercop 5.0

Although not as nifty as the comet tail network mapping RNA offers.  :)

I will be in the southeast quadrant of the country that week.  

/m

-----Original Message-----
From: Andy Cuff [Talisker] [mailto:talisker () securitywizardry com] 
Sent: Saturday, November 22, 2003 3:10 AM
To: Teicher, Mark (Mark); Ron Gula; focus-ids () securityfocus com
Subject: Re: Passive OS Fingerprinting was Cisco CTR etc


Hey Mark,
LTNS ! I was under the impression that anti-sniff was (thinking of a
polite
word) prone to false positives. Furthermore, I'd be tempted to deploy a
passive OS fingerprinting tool on a Data In Nothing Out (DINO) tap, this
would make the detection of the pf  tool even more difficult through
such measures.

I think most IDS vendors are developing such technology (with one almost
definite exception) But as usual Ron and Marty are ahead of the drag
curve. I think it's really s3xy but as my wife will testify I'm sad and
I need a life ;o) So s3xy that I have included a page detailing them all
at http://www.securitywizardry.com/osfp.htm

P0f
Ettercap
ARCHAEOPTERYX
RNA
NEVO
Prelude
pfprintd
Disco
There was one that was a predecessor I think to P0f but it is no longer
supported so I left it out

cheers Mark
Are you anywhere near DC 11/12 Dec for a beer?
-andy cuff
Talisker Security Tools Directory http://www.securitywizardry.com
----- Original Message ----- 
From: "Teicher, Mark (Mark)" <teicher () avaya com>
To: "Ron Gula" <rgula () tenablesecurity com>;
<focus-ids () securityfocus com>
Sent: Thursday, November 20, 2003 7:49 PM
Subject: RE: NeVO Scan Application was RE: Cisco CTR


> Ron,
>
> Didn't @Stake produce AntiSniff to detect passive type monitoring 
> applications ??
>
>
>
> /mark
>
> -----Original Message-----
> From: Ron Gula [mailto:rgula () tenablesecurity com]
> Sent: Thursday, November 20, 2003 12:45 PM
> To: Teicher, Mark (Mark); focus-ids () securityfocus com
> Subject: Re: NeVO Scan Application was RE: Cisco CTR
>
>
> Woah ... no-one should be able to detect NeVO or RNA (or a NIDS) just 
> by sitting there. You need to do real complex things invoking timing 
> and other checks to find hosts that are passively listening.
>
> Desktop agents like Sygate will see scans from Nessus, Nmap, pings, 
> etc. but they will have a hard time detecting passive analysis of 
> their network traffic.
>
> Ron
>
>
>
> At 12:27 PM 11/20/2003 -0700, Teicher, Mark (Mark) wrote:
> > Ron,
> >
> > Interesting, another lightweight and inexpensive monitoring/scanning 
> > software ??  Wondering if the Enterprise/Desktop firewall products 
> > can detect NeVO scans as they can nmap scans. It will be very 
> > interesting to see how Desktop firewalls in the corporate environment

> > stand up to NeVO scans..
> >
> > Something to try in the lab against all those Enterprise/Desktop 
> > Firewall products.. :)
> >
> > /mark
> >
> > -----Original Message-----
> > From: Ron Gula [mailto:rgula () tenablesecurity com]
> > Sent: Thursday, November 20, 2003 7:38 AM
> > To: focus-ids () securityfocus com
> > Subject: Re: Cisco CTR
> >
> >
> > At 04:54 AM 11/20/2003 -0700, Mark Teicher wrote:
> > > Just curious on how NeVO compares to Intrusec Expose ??
> >
> > I have not seen Expose recently, but my thought was that it was a 
> > continuous low-volume active scan that could launch other 
> > vulnerability
>
> > scanners when change was detected. NeVO does the same sort of thing, 
> > but passively through network packet/session monitoring. Besides 
> > looking for change in the network, it also looks for the 
> > vulnerability.
>
> > NeVO needs to wait for a packet to be sent before it sees a host, 
> > port,
>
> > client, server or vulnerability. If folks deploy NeVO with a 
> > Lightning Console, they can launch distributed Nessus scans if they 
> > see a system or a vulnerability data that they would like to follow 
> > up with an active scan.
> >
> > Ron Gula
> > Tenable Network Security
> > http://www.tenablesecurity.com
> >
> >
> >
> >
> >
> > ---------------------------------------------------------------------
> > --
> > -
> > ---
>
> -----------------------------------------------------------------------
> -
> > ---
>
>
> ----------------------------------------------------------------------
> ----
-
> ----------------------------------------------------------------------
> ----
-
>


---------------------------------------------------------------------------
---------------------------------------------------------------------------