IDS mailing list archives

RE: Passive OS Fingerprinting was Cisco CTR etc


From: "Teicher, Mark (Mark)" <teicher () avaya com>
Date: Sun, 23 Nov 2003 12:47:24 -0700

Andy,

Let's get back to the topic.  I still have yet to figure out what the
difference between RNA and NeVO is ?? 

/mark

-----Original Message-----
From: Andy Cuff [Talisker] [mailto:lists () securitywizardry com] 
Sent: Sunday, November 23, 2003 10:21 AM
To: Teicher, Mark (Mark); Ron Gula; focus-ids () securityfocus com
Subject: Re: Passive OS Fingerprinting was Cisco CTR etc


Mark,
Between you and me (& the rest of the list) I used CyberCop a few years
back and cut off an entire network.  Not, as you'd imagine, through
testing for DOS vulnerabilities but the sheer weight of the traffic.
Learned a lot that day!  Also prompted me to create the distributed
scanners page.

If I remember correctly many of the Cybercop scans contain the word
"cybercop" in the data of the packet allowing easy detection.  I'm
trying to think of an IDS that doesn't detect it and can't.

take care
-andy
shame about the beer!

Talisker Security Tools Directory http://www.securitywizardry.com
----- Original Message ----- 
From: "Teicher, Mark (Mark)" <teicher () avaya com>
To: "Andy Cuff [Talisker]" <lists () securitywizardry com>; "Ron Gula"
<rgula () tenablesecurity com>; <focus-ids () securityfocus com>
Sent: Sunday, November 23, 2003 1:53 PM
Subject: RE: Passive OS Fingerprinting was Cisco CTR etc


Andy,

Yes, if one got it to network map properly after a scan. The issue
with CyberCop Scanner 5.0 is that it is VERY VERY NOISY. It left little
tidbits all over the network that a network scan was being conducted.
Some network-based IDS and firewalls would pick up some of the
CyberCop fingerprints but not all.  Even the Sn0rt signature only
picks up one or two CyberCop fingerprints.

To answer your question, yes, CyberCop used active fingerprinting.

/mark

-----Original Message-----
From: Andy Cuff [Talisker] [mailto:lists () securitywizardry com]
Sent: Sunday, November 23, 2003 6:49 AM
To: Teicher, Mark (Mark); Ron Gula; focus-ids () securityfocus com
Cc: Seanor, Joseph (Joe)
Subject: Re: Passive OS Fingerprinting was Cisco CTR etc


Mark,
Correct me if I'm wrong but didn't Cybercop use active fingerprinting 
to generate the 3D model not passive?

-andy
Talisker Security Tools Directory http://www.securitywizardry.com
----- Original Message -----
From: "Teicher, Mark (Mark)" <teicher () avaya com>
To: "Andy Cuff [Talisker]" <talisker () securitywizardry com>; "Ron Gula"
<rgula () tenablesecurity com>; <focus-ids () securityfocus com>
Cc: "Seanor, Joseph (Joe)" <jseanor () avaya com>
Sent: Sunday, November 23, 2003 1:13 PM
Subject: RE: Passive OS Fingerprinting was Cisco CTR etc


Not quite sure if they are ahead of the curve or just advertising a
feature many people didn't realize was a possibility of the various
Enterprise Management Systems available.  Cabletron Spectrum had a
network mapping feature based on TTLs a long time ago.

Very few people even deployed Cabletron Spectrum.  The other was ANMS 
(Automatic Network Monitoring System) a bash, perl, ksh scripting 
network architecture that is still or was used by many large 
telecommunications carriers.

A most recent attempt at network mapping was the 3-d mapping option in
Cybercop 5.0.

Although not as nifty as the comet tail network mapping RNA offers. :)

I will be in the southeast quadrant of the country that week.

/m

-----Original Message-----
From: Andy Cuff [Talisker] [mailto:talisker () securitywizardry com]
Sent: Saturday, November 22, 2003 3:10 AM
To: Teicher, Mark (Mark); Ron Gula; focus-ids () securityfocus com
Subject: Re: Passive OS Fingerprinting was Cisco CTR etc


Hey Mark,
LTNS ! I was under the impression that anti-sniff was (thinking of a
polite word) prone to false positives. Furthermore, I'd be tempted to
deploy a passive OS fingerprinting tool on a Data In Nothing Out (DINO)
tap; this would make the detection of the pf tool even more difficult
through such measures.

I think most IDS vendors are developing such technology (with one
almost definite exception). But as usual Ron and Marty are ahead of the
drag curve. I think it's really s3xy but as my wife will testify I'm
sad and I need a life ;o) So s3xy that I have included a page
detailing them all at http://www.securitywizardry.com/osfp.htm

P0f
Ettercap
ARCHAEOPTERYX
RNA
NEVO
Prelude
pfprintd
Disco
There was one that was a predecessor I think to P0f but it is no 
longer supported so I left it out

cheers Mark
Are you anywhere near DC 11/12 Dec for a beer?
-andy cuff
Talisker Security Tools Directory http://www.securitywizardry.com
----- Original Message -----
From: "Teicher, Mark (Mark)" <teicher () avaya com>
To: "Ron Gula" <rgula () tenablesecurity com>;
<focus-ids () securityfocus com>
Sent: Thursday, November 20, 2003 7:49 PM
Subject: RE: NeVO Scan Application was RE: Cisco CTR


Ron,

Didn't @Stake produce AntiSniff to detect passive type monitoring 
applications ??



/mark

-----Original Message-----
From: Ron Gula [mailto:rgula () tenablesecurity com]
Sent: Thursday, November 20, 2003 12:45 PM
To: Teicher, Mark (Mark); focus-ids () securityfocus com
Subject: Re: NeVO Scan Application was RE: Cisco CTR


Woah ... no-one should be able to detect NeVO or RNA (or a NIDS) 
just by sitting there. You need to do real complex things invoking 
timing and other checks to find hosts that are passively listening.

Desktop agents like Sygate will see scans from Nessus, Nmap, pings, 
etc. but they will have a hard time detecting passive analysis of 
their network traffic.

Ron



At 12:27 PM 11/20/2003 -0700, Teicher, Mark (Mark) wrote:
Ron,

Interesting, another lightweight and inexpensive
monitoring/scanning software ??  Wondering if the
Enterprise/Desktop firewall products can detect NeVO scans as they
can nmap scans. It will be very interesting to see how Desktop
firewalls in the corporate environment stand up to NeVO scans..

Something to try in the lab against all those Enterprise/Desktop
Firewall products.. :)

/mark

-----Original Message-----
From: Ron Gula [mailto:rgula () tenablesecurity com]
Sent: Thursday, November 20, 2003 7:38 AM
To: focus-ids () securityfocus com
Subject: Re: Cisco CTR


At 04:54 AM 11/20/2003 -0700, Mark Teicher wrote:
Just curious on how NeVO compares to Intrusec Expose ??

I have not seen Expose recently, but my thought was that it was a
continuous low-volume active scan that could launch other vulnerability
scanners when change was detected. NeVO does the same sort of
thing, but passively through network packet/session monitoring.
Besides looking for change in the network, it also looks for the
vulnerability.

NeVO needs to wait for a packet to be sent before it sees a host, port,
client, server or vulnerability. If folks deploy NeVO with a
Lightning Console, they can launch distributed Nessus scans if they
see a system or a vulnerability data that they would like to follow
up with an active scan.

Ron Gula
Tenable Network Security
http://www.tenablesecurity.com
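The thread contrasts active scanners (CyberCop, Nessus) with passive tools (p0f, RNA, NeVO) that only watch traffic, mentions TTL-based network mapping, and notes that CyberCop scans carried the string "cybercop" in packet data. The following is an added illustration, not code from any of the products or people named above: a toy passive fingerprinter that, from packets it merely observes, infers each host's initial TTL and hop distance, matches a few header fields against a signature table, and flags payloads carrying a known scanner marker. The signature table, the packet records and the OS labels are constructed for the example and are not real p0f or NeVO signatures.

```python
# Added example: minimal passive OS fingerprinting plus noisy-scanner marker
# detection. Nothing here sends a packet; it only reads observed fields.
from dataclasses import dataclass

# Widely used default initial TTLs (64: Linux/BSD/macOS, 128: Windows,
# 255: Cisco IOS/Solaris). The observed TTL is rounded up to the nearest
# one to recover the sender's starting TTL and thus the hop distance.
INITIAL_TTLS = (64, 128, 255)

# Constructed, illustrative signature table (NOT real p0f signatures):
# (initial TTL, DF bit set, TCP window) -> OS family label.
SIGNATURES = {
    (64, True, 5840): "Linux 2.4/2.6 (assumed label)",
    (64, True, 65535): "FreeBSD/macOS (assumed label)",
    (128, True, 65535): "Windows (assumed label)",
    (255, False, 4128): "Cisco IOS (assumed label)",
}

# Payload marker the thread attributes to CyberCop scans.
SCANNER_MARKERS = (b"cybercop",)


@dataclass
class Packet:
    src: str        # source IP as seen on the wire
    ttl: int        # IP TTL as observed (already decremented by routers)
    df: bool        # IP Don't-Fragment bit
    window: int     # TCP window size
    syn: bool       # True for a TCP SYN (the packet worth fingerprinting)
    payload: bytes = b""


def infer_initial_ttl(observed_ttl):
    """Return the smallest common default TTL >= observed, or None."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    return None


def fingerprint(pkt):
    """Return (os_guess, hop_distance) for a SYN; None for non-SYN traffic."""
    if not pkt.syn:
        return None
    initial = infer_initial_ttl(pkt.ttl)
    if initial is None:
        return ("unknown", None)
    hops = initial - pkt.ttl
    os_guess = SIGNATURES.get((initial, pkt.df, pkt.window), "unknown")
    return (os_guess, hops)


def looks_like_scanner(pkt):
    """True if the payload carries a known noisy-scanner marker string."""
    data = pkt.payload.lower()
    return any(marker in data for marker in SCANNER_MARKERS)


def build_inventory(packets):
    """Map src IP -> {os, hops, scanner}, built purely from watched packets."""
    inventory = {}
    for pkt in packets:
        entry = inventory.setdefault(
            pkt.src, {"os": "unknown", "hops": None, "scanner": False})
        fp = fingerprint(pkt)
        if fp is not None:
            entry["hops"] = fp[1]
            if fp[0] != "unknown":
                entry["os"] = fp[0]
        if looks_like_scanner(pkt):
            entry["scanner"] = True
    return inventory


# Constructed sample traffic (not captured from any real network).
SAMPLE_PACKETS = [
    Packet("10.0.0.5", ttl=61, df=True, window=5840, syn=True),
    Packet("10.0.0.9", ttl=126, df=True, window=65535, syn=True),
    Packet("10.0.0.9", ttl=126, df=True, window=65535, syn=False,
           payload=b"GET /cgi-bin/test HTTP/1.0\r\nUser-Agent: CyberCop\r\n\r\n"),
    Packet("192.0.2.77", ttl=250, df=False, window=4128, syn=True),
]

if __name__ == "__main__":
    for host, info in build_inventory(SAMPLE_PACKETS).items():
        print(host, info)
```

Only the SYN is fingerprinted because its header fields are set by the originating stack rather than negotiated, which is also why a passive tool has to wait for a host to transmit before it learns anything about it, exactly the limitation Ron describes for NeVO.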




