Full Disclosure mailing list archives
p0f 2 beta now out - fingerprint data needed
From: Michal Zalewski <lcamtuf () ghettot org>
Date: Sat, 16 Aug 2003 11:19:46 +0200 (CEST)
Hello again,

P0f is a passive OS fingerprinting tool that gathers useful information about visitors / attackers without triggering any suspicious traffic. In addition to accurately and precisely fingerprinting a remote OS based on a large number of metrics, p0f can also determine link types, distances and uptimes of those hosts - all without sending a single packet. As such, p0f is a useful addition to a firewall / IDS / server setup.

Version 1.8 of p0f, maintained by William Stearns, became quite popular, but also had a number of flaws and shortcomings of my initial proof-of-concept code written back in 2000.

The beta release of p0f 2, a complete rewrite of the original v1 code, is now available: http://lcamtuf.coredump.cx/p0f-beta.tgz . This is not a final release, and is intended for testing only. It is fully functional, but due to a number of major design changes, I had to drop the original fingerprint database, and there is a very small version shipped with this code. This is also the reason for announcing this beta release - I need your contributions. Fingerprint additions and accuracy reports are badly needed.

It should run on Linux and *BSD, is not yet ported to Solaris - although it's just a matter of adding several libs to the Makefile. Some of the old v1 auxiliary features, such as MySQL connectivity, Logcheck integration or reporting scripts, are not yet ported.

Main changes:

- Major performance improvements to make it more suitable for running on high-throughput devices,
- New modulo or "don't care" comparisons for certain TCP/IP parameters to make it easier to come up with universal signatures for systems that change them at will with no pattern,
- Media type is now determined for a remote party by checking MSS against a known-MTU database. P0f now reports if the remote party is hooked up to ethernet or some other medium on systems for which it makes sense,
- Flag layout and count are now examined. P0f 1 simply checked for flag presence; p0f 2 can tell a system with NOP-NOP-MSS-NOP from a system with MSS-NOP,
- Generic last-chance signatures to detect OS groups,
- Better fingerprint file structure,
- Some other improvements, including a minor option parsing glitch...

Thanks for your feedback.

-- 
------------------------- bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2003-08-16 11:00 --

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- p0f 2 beta now out - fingerprint data needed Michal Zalewski (Aug 16)
- Re: p0f 2 beta now out - fingerprint data needed Michal Zalewski (Aug 17)