OpenBSD's stateful packet filter, PF, has recently added passive OS fingerprinting capabilities. This new functionality allows one to design packet filtering policy based around the source operating system. It is based on Michal Zalewski's p0f. The functionality was also added to tcpdump.
If someone accesses your web server you could possibly determine if they have an unpatched version of Windows and redirect them to windowsupdate. You may also quarantine email sent from a Windows computer to help stop email worms.
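As an added illustration (not part of the original story or of OpenBSD's own documentation), this is what the os keyword looks like in pf.conf, with a rule that leans on the fingerprint as an ACL next to a more conservative use of it; the interface name fxp0 is an assumed placeholder, and the fingerprint names are the ones PF ships in /etc/pf.os (list them with pfctl -s osfp).

```conf
# Added example, not from the original story. Assumes the external
# interface is fxp0 and the stock fingerprint classes from /etc/pf.os.
ext_if = "fxp0"

# The os keyword only matches TCP SYN packets, i.e. the first packet of a
# new connection. It has no effect on UDP, ICMP or established flows.

# Weak: a passive fingerprint used as an access control list. A host that
# tunes its TCP/IP stack (TTL, window size, options) fingerprints
# differently, so this rule can be sidestepped and can also reject
# legitimate hosts whose stack happens to look odd.
block in quick on $ext_if proto tcp from any os Windows to ($ext_if) port ssh

# More conservative: keep the real access control on ports and addresses,
# and use the fingerprint only to log and to tighten per-source state
# limits while a worm is propagating.
block in log on $ext_if proto tcp from any to ($ext_if) port { 135, 445 }
pass in log on $ext_if proto tcp from any os Windows to ($ext_if) port smtp \
    keep state (max-src-conn 5, max-src-conn-rate 10/60)
pass in on $ext_if proto tcp from any os unknown to ($ext_if) port smtp \
    keep state (max-src-conn 20)
pass in on $ext_if proto tcp from any to ($ext_if) port smtp keep state
```

Load the rule set with pfctl -f /etc/pf.conf and watch the logged SYNs on pflog0 with tcpdump, which also prints the matched fingerprint.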
I can’t wait to try it.
It’s a great tool….if used for the right purpose.
“You may also quarantine email sent from a windows computer to help stop email worms.”
You then won’t be able to receive email from 99% of the population.
I doubt it. The final SMTP connection is most likely to have been made to your OpenBSD machine from a UNIX-like box running sendmail or similar.
This new feature will not read the email headers to determine the OS of the originating box. It will tell you that the last box which makes the connection to you is a Windows/non-Windows box.
“You then won’t be able to receive email from 99% of the population.”
You’re nuts if you think 99% of mail servers run windows.
I reckon if I ran this and killed all mail coming from Windows PCs my inbox would be a happier place.
Got to try openbsd out. I have been meaning to.
It's not the Windows SMTP boxes (MTAs) that are the problem, but the Windows SMTP clients.
imagine that, windows SMTP boxes that actually add viruses to any emails that they relay… that would be a concept!
I've used p0f a lot and its fingerprints are not very good.
It shouldn't be used for redirecting as you said. The only thing I can think of is for your private LAN. You can set it to identify all your systems by putting your own TTLs, etc. in the config file. That's the only way to be reasonably sure your system should use the values as trusted.
Many of these values I've changed in /proc on Linux, so don't think it's good as an ACL.
So? You really think folks are interested in filtering based on your SYN signature? Not bloody likely. The most popular use of this feature will be to block Windows hosts [inbound|outbound] during periods of heavy worm propagation. These types of hosts are matched very accurately using p0f.
Duh.
-fp
Any OS you have the source code to (Linux, BSD, AtheOS, OpenBE, etc.) can cloak itself to appear as an unknown OS, or even fake its signature to appear to be what it is not. It's not difficult to make OpenBSD look like Debian Linux or Red Hat Linux look like FreeBSD, for example.
Take OS fingerprinting results with a grain of salt.
“The most popular use of this feature will be to block Windows hosts [inbound|outbound] during periods of heavy worm propagation.”
So I'd rather have the ACL on my PF check for 8 different values than just blocking port 135 (or a signature in the worm with string matching)? Contrary to what you think about p0f being ‘very accurate’ for Windows machines, you're very wrong; there is so much software that screws up these values you can never tell. Check out the .config file sometime and look at how many different fingerprints there are for the same OS versions. This is a hacker tool to give an outsider an IDEA of what it's running, not something you want to use as a defensive tool.
You say nobody should be concerned with MY SYN signature, but if their PF is using it in any way on a deny/allow basis they should be VERY concerned, because most OSes can change things like that without even a kernel compile. It's the equivalent of spoofing any host the firewall wants and receiving an ACK/SYN back.
This is about as useful as websites that detect what OS you're using and act like retards if it's not IE. Only… on the OS level. Anyone know what possible use this could have?
I'm seriously open to ideas 8)
Nothing will likely be 100% bulletproof, and for most people, missing one of the boss' emails is bad.
After 9/11, somebody touted 97% accuracy on airport security systems based on facial recognition, and that means 500 false positive alerts EVERY day at Boston airport. Do you have the balls to clear the airport on each and every one of those “alerts”?
Famous CooCaChoo quotes. My favorite OSNews poster. Don’t let those ATTBI trolls keep you down man!
http://www.osnews.com/comment.php?news_id=3718#107138
Then grab your wallet and buy the bloody commercial solution that is apparently superior, or would that actually require moving out of your parents' basement, getting a job and actually being responsible for something once in your miserable and pathetic little life?
http://www.osnews.com/comment.php?news_id=4242#132108
Submit stories from Kuro5hin? I might as well post the latest issue of the North Korean Daily Times relating to the “great leader's” attitude to the West.
http://www.osnews.com/comment.php?news_id=3568#100464
The reason why a large number of people don’t realise is because the majority of people are moronic simpletons.
http://www.osnews.com/comment.php?news_id=3984
As for Word, are you joking? are you really that stupid?
Why are you such a clueless moron.
Please, someone buy this lady a clue
where have you been? hiding under a rock?
By another clue lady (jeepers, two clue orders within one post, must be a record).
I really couldn't believe someone would be as stupid as Ana O´Neemus unless they were a troll.
http://www.osnews.com/comment.php?news_id=4258#132898
I can’t believe people actually believe that Rotor is a full implementation of .NET. Are people here THAT stupid?
http://www.osnews.com/comment.php?news_id=3718&offset=45&rows=60#10…
Blame the idiot who made the first post and somehow tried to relate it to X.
http://www.osnews.com/comment.php?news_id=3833#113181
Nothing is worse than a company b*astardising a great design for the yuppy generation who have more dollars than sense or style.
http://www.osnews.com/comment.php?news_id=3727#107900
What the hell do you think is going to run on the server which these applications will need to interact with? Think about that, sunshine, before making such stupid remarks.
Confronted with his wrongness:
http://www.osnews.com/comment.php?news_id=3487#98039
Oh, your[sic] such a guru. A genius amongst the unwashed masses, how could I ever question such wisdom?
http://www.osnews.com/moderation.php?news_id=4225#131574
It says they live with their mum and dad. When they get out into the big bad world I bet they won't be able to afford broadband, let alone dial-up, on a wage from KFC as the garbage changer and table cleaner.