Honeypots mailing list archives
Re: Passive Fingerprinting
From: Franck Veysset <franck.veysset () rd francetelecom com>
Date: Thu, 16 Jan 2003 16:56:24 +0100
Even if it's true that you can tune your kernel parameters in order to make your Unix system look like a win machine, making this change could be really hard (there's much more to do than tuning TTL).

I don't think that passive OSFP can solve all problems, but it can probably give you a good start to learn about your enemy. By collecting different facts, including information on what they have done (or tried) on your honeypot, chances are that you will better analyse the situation.

We are not talking about judgment, but more learning from them.

Just my 0.02 euro

-Franck

Gonzalez, Albert wrote:
I believe that passive fingerprinting is very useful, I just don't see how useful it is to judge attackers' skills based on their OS. The paper on Passive Fingerprinting[1] states the current limitation, and I'm sure there are others. If I go ahead and change my default values in the kernel, how will you be able to judge me if I make all the characteristics look like a windows 95 machine?

If you're running honeypots, you should judge them by what they did on your machine, and even then you shouldn't judge them. I don't see the worthwhile of this project...

Cheers!

[1] - http://project.honeynet.org/papers/finger/

These views are strictly my own, and not that of my employer.

---
Alberto Gonzalez
EDS - Global Security Operations Center
Security and Privacy Professional Services
-- Franck VEYSSET - France Telecom R&D/DTL/SSR mailto: franck.veysset () rd francetelecom com