Honeypots mailing list archives

Re: Passive Fingerprinting


From: Franck Veysset <franck.veysset () rd francetelecom com>
Date: Thu, 16 Jan 2003 16:56:24 +0100

Even if it's true that you can tune your kernel parameters in order to
make your Unix system look like a win machine, making this change could
be really hard (there's much more to do than tuning TTL). I don't think
that passive OSFP can solve all problems, but it can probably give you a
good start to learn about your enemy.

By collecting different facts, including information on what they have
done (or tried) on your honeypot, chances are that you will better
analyse the situation. We are not talking about judgment, but more
learning from them.

just my 0.02 euro

-Franck


Gonzalez, Albert wrote:
I believe that passive fingerprinting is very useful, I just don't see how
useful it is to judge attackers' skills based on their OS. The paper on
Passive Fingerprinting[1] states the current limitation, and I'm sure there
are others. If I go ahead and change my default values in the kernel, how
will you be able to judge me if I make all the characteristics look like a
Windows 95 machine? If you're running honeypots, you should judge them by
what they did on your machine, and even then you shouldn't judge them. I
don't see the worth of this project...
Cheers!


[1] - http://project.honeynet.org/papers/finger/

These views are strictly my own, and not that of my employer.

---
Alberto Gonzalez EDS - Global Security Operations Center Security and Privacy Professional Services



--
Franck VEYSSET  - France Telecom R&D/DTL/SSR
mailto: franck.veysset () rd francetelecom com

