[Intrusions] [LOGS] Summary of large-scale portscanning detects

Barry Fitzgerald bkfsec at sdf.lonestar.org
Fri Sep 17 16:37:03 GMT 2004


Ben Nelson wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Barry Fitzgerald wrote:
> | Jason "JC" Monroe wrote:
> |
> |>
> |>
> |> Since you are so kind as to send these reports every day would you
> |> consider taking another step and potentially identify the remote
> |> operating system making use of passive analysis (p0f, etc...) and
> |> providing that info in another column of your report?
> |>
> |>
> |>
> | I can think of a number of reasons why he wouldn't want to do this.
> |
> | First, since these are firewall logs that would be a counter-scan.
> | Second, if the attacker were looking for a response, it could be
> | detected by the attacker and might bring interest to the network.
> | Third, if the system sending the p0f scan were the firewall itself, it
> | could expose information about the firewall.
>
> p0f is a _passive_ scanner, meaning it doesn't send anything to the
> destination host as you imply.  It just listens on the wire and makes
> host determinations based on known network fingerprints of different
> OS's.  p0f is actually a really neat tool and the attacker needs know
> nothing about its existence.
>
Sorry about that.  I still question how useful the information is.

             -Barry
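To make the "passive" point concrete, here is an added example (not p0f's code, not its signature database, and not from anyone in this thread) of how a passive fingerprinter classifies a host: it reads the TTL, window size, DF bit and TCP option layout from a SYN that the remote host already sent, matches them against a table of known fingerprints, and never transmits anything itself. The signature table, the OS labels and the captured SYN records are all constructed for illustration.

```python
"""Passive OS fingerprinting in the p0f style: classify a remote host from the
attributes of the TCP SYN it sent us, without ever transmitting a packet.

Added example; not p0f's own code or signature format. The signature table
and the sample SYN records below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SynAttrs:
    """Fields a sniffer extracts from one incoming SYN."""
    ttl: int          # IP TTL as observed on the wire (already decremented per hop)
    window: int       # TCP window size announced in the SYN
    df: bool          # IP "don't fragment" bit
    options: tuple    # TCP option kinds in the order they appear
    mss: int          # MSS option value, 0 if absent


# Constructed signatures: label, initial TTL, window rule, DF bit, option layout.
# The window rule gets (window, mss) because some stacks size the window as a
# multiple of the MSS rather than as a fixed number.
SIGNATURES = [
    ("hypothetical OS A", 64,
     lambda w, mss: bool(mss) and w == 16 * mss,
     True, ("mss", "sack", "ts", "nop", "ws")),
    ("hypothetical OS B", 128,
     lambda w, mss: w == 65535,
     True, ("mss", "nop", "ws", "nop", "nop", "sack")),
    ("hypothetical OS C", 255,
     lambda w, mss: w == 8192,
     False, ("mss",)),
]


def initial_ttl(observed):
    """Round the observed TTL up to the nearest common initial value.

    A packet that crossed n routers arrives with initial_ttl - n, so the
    fingerprint is matched on the inferred initial value, not the raw one.
    """
    for candidate in (32, 64, 128, 255):
        if observed <= candidate:
            return candidate
    return observed


def estimated_hops(attrs):
    """Distance estimate that falls out of the TTL rounding for free."""
    return initial_ttl(attrs.ttl) - attrs.ttl


def fingerprint(attrs):
    """Return the label of the first matching signature, or 'unknown'."""
    itl = initial_ttl(attrs.ttl)
    for label, sig_ttl, win_rule, sig_df, sig_opts in SIGNATURES:
        if (itl == sig_ttl
                and attrs.df == sig_df
                and attrs.options == sig_opts
                and win_rule(attrs.window, attrs.mss)):
            return label
    return "unknown"


# Constructed sample SYNs, keyed by source address, as pulled from a capture.
SAMPLES = {
    "10.0.0.5": SynAttrs(ttl=52, window=23360, df=True,
                         options=("mss", "sack", "ts", "nop", "ws"), mss=1460),
    "10.0.0.9": SynAttrs(ttl=117, window=65535, df=True,
                         options=("mss", "nop", "ws", "nop", "nop", "sack"), mss=1460),
    "10.0.0.12": SynAttrs(ttl=60, window=4096, df=True,
                          options=("mss",), mss=512),
}


def classify_all(samples=SAMPLES):
    """Map each source address to (OS guess, estimated hop count)."""
    return {ip: (fingerprint(a), estimated_hops(a)) for ip, a in samples.items()}


if __name__ == "__main__":
    for ip, (os_guess, hops) in classify_all().items():
        print(f"{ip:<12} {os_guess:<20} ~{hops} hops away")
```

Everything the classifier needs is already in the packets the scanner sent, which is why adding such a column to a report costs the reporting side no outbound traffic; the flip side, relevant to Barry's question about usefulness, is that the guess is only as good as the signature table and degrades when a NAT or proxy rewrites TTL or options in front of the real host.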