[Intrusions] [LOGS] Summary of large-scale portscanning detects

Ben Nelson lists at venom600.org
Fri Sep 17 16:22:14 GMT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Barry Fitzgerald wrote:
| Jason "JC" Monroe wrote:
|
|>
|> Since you are so kind as to send these reports every day would you
|> consider taking another step and potentially identify the remote
|> operating system making use of passive analysis (p0f, etc...) and
|> providing that info in another column of your report?
|>
| I can think of a number of reasons why he wouldn't want to do this.
|
| First, since these are firewall logs that would be a counter-scan.
| Second, if the attacker were looking for a response, it could be
| detected by the attacker and might bring interest to the network.
| Third, if the system sending the p0f scan were the firewall itself, it
| could expose information about the firewall.

p0f is a _passive_ scanner, meaning it doesn't send anything to the
destination host as you imply.  It just listens on the wire and makes
host determinations based on known network fingerprints of different
OS's.  p0f is actually a really neat tool and the attacker needs know
nothing about its existence.

- --Ben
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBSw823cL8qXKvzcwRAnLLAJ4kaSJwPfk2bQQRUzng5nfSCvbc1ACgi7W+
9C1oNgLL0P2cK/dWyu2JfBs=
=YAle
-----END PGP SIGNATURE-----
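To make the point of the thread concrete, here is a small passive fingerprinter in the spirit of p0f, added as an illustration and not code from the list or from the p0f project. It only reads bytes that would already be on the wire (here, constructed in memory as a stand-in for a captured SYN), never transmits anything, and matches the SYN's TTL, window size, DF bit and option order against a tiny signature table. The table values are illustrative approximations of classic fingerprints, not p0f's real database, and the packet builder exists only to produce sample input offline.

```python
"""Minimal passive OS fingerprinting of TCP SYN packets (p0f-style, simplified)."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Illustrative signature table (NOT p0f's real database): initial TTL, SYN window,
# DF flag and TCP option order are approximations used only to show matching logic.
SIGNATURES = [
    {"label": "Linux 2.4/2.6", "ittl": 64, "win": 5840, "df": True,
     "opts": ("mss", "sackok", "ts", "nop", "ws")},
    {"label": "Windows XP", "ittl": 128, "win": 65535, "df": True,
     "opts": ("mss", "nop", "nop", "sackok")},
]
OPTION_NAMES = {1: "nop", 2: "mss", 3: "ws", 4: "sackok", 8: "ts"}
SYN, ACK = 0x02, 0x10


@dataclass(frozen=True)
class Fingerprint:
    observed_ttl: int
    initial_ttl: int   # TTL rounded up to the nearest common OS default
    window: int
    df: bool
    options: Tuple[str, ...]


def guess_initial_ttl(ttl: int) -> int:
    """Hop decrements lower the TTL; round up to the usual OS defaults."""
    for candidate in (32, 64, 128, 255):
        if ttl <= candidate:
            return candidate
    return 255


def parse_tcp_options(raw: bytes) -> Tuple[str, ...]:
    """Walk the TCP option list and return option kinds in wire order."""
    names, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP has no length byte
            names.append("nop")
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad TCP option length")
        names.append(OPTION_NAMES.get(kind, f"opt{kind}"))
        i += length
    return tuple(names)


def fingerprint_syn(pkt: bytes) -> Optional[Fingerprint]:
    """Extract a fingerprint from an IPv4/TCP frame; None if it is not a pure SYN."""
    if len(pkt) < 40:
        raise ValueError("frame too short for IPv4 + TCP")
    ver_ihl, _tos, _tlen, _id, flags_frag, ttl, proto = struct.unpack_from("!BBHHHBB", pkt, 0)
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    _sport, _dport, _seq, _ack, off_flags, win = struct.unpack_from("!HHIIHH", tcp, 0)
    doff, flags = (off_flags >> 12) * 4, off_flags & 0x1FF
    if not (flags & SYN) or (flags & ACK):   # only the initial SYN carries the signature
        return None
    return Fingerprint(ttl, guess_initial_ttl(ttl), win, bool(flags_frag & 0x4000),
                       parse_tcp_options(tcp[20:doff]))


def match(fp: Fingerprint) -> str:
    for sig in SIGNATURES:
        if (sig["ittl"], sig["win"], sig["df"], sig["opts"]) == \
           (fp.initial_ttl, fp.window, fp.df, fp.options):
            return sig["label"]
    return "unknown"


def classify(pkt: bytes) -> str:
    fp = fingerprint_syn(pkt)
    return "not a SYN" if fp is None else match(fp)


def build_syn(ttl: int, win: int, df: bool, opts: bytes, flags: int = SYN) -> bytes:
    """Constructed IPv4/TCP frame built in memory as sample input; nothing is sent."""
    opts = opts + b"\x00" * (-len(opts) % 4)
    doff = 5 + len(opts) // 4
    tcp = struct.pack("!HHIIHH", 40000, 80, 1, 0, (doff << 12) | flags, win) \
        + struct.pack("!HH", 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


# Constructed option lists: MSS 1460, SACK-permitted, timestamps, NOP, window scale 0 ...
LINUX_OPTS = b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8 + b"\x01" + b"\x03\x03\x00"
# ... and MSS 1460, NOP, NOP, SACK-permitted.
WINXP_OPTS = b"\x02\x04\x05\xb4\x01\x01\x04\x02"
SAMPLE_LINUX_SYN = build_syn(ttl=52, win=5840, df=True, opts=LINUX_OPTS)     # 12 hops away
SAMPLE_WINXP_SYN = build_syn(ttl=115, win=65535, df=True, opts=WINXP_OPTS)   # 13 hops away

if __name__ == "__main__":
    for name, pkt in (("linux", SAMPLE_LINUX_SYN), ("winxp", SAMPLE_WINXP_SYN)):
        print(name, fingerprint_syn(pkt), "->", classify(pkt))
```

Because the classifier consumes only bytes already captured (a pcap from the firewall's sniffing interface would feed it the same way), running it alongside the daily scan summaries adds a column without generating a single packet toward the scanning host.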
