Re: usual iploggers miss some variable stealth scans
Subject: Re: usual iploggers miss some variable stealth scans
From: Oliver Friedrichs (OFriedrichs SECURITY-FOCUS.COM)
Date: Wed Jan 19 2000 - 13:36:01 CST
- Next message: Alec Kosky: "connlogd update"
- Previous message: Andrew Griffiths: "SubSeven 2.1a (trojan)"
- Maybe in reply to: vecna: "usual iploggers miss some variable stealth scans"
- Next in thread: Ralf Laue: "Re: usual iploggers miss some variable stealth scans"
- Next in thread: Andrea Gho: "Re: usual iploggers miss some variable stealth scans"
- Maybe reply: Oliver Friedrichs: "Re: usual iploggers miss some variable stealth scans"
- Reply: Ralf Laue: "Re: usual iploggers miss some variable stealth scans"
- Reply: antirez: "Re: usual iploggers miss some variable stealth scans"
> [ snip - note that it is often exactly bugs in the
> is-this-an-existing-connection lookup that os detection code exploits. ]
You'd be surprised at how untrue this is (the "often" part). While much
of what's publicly available may do this, there are many other
variables in a stack unrelated to TCP state that can be used to identify
an OS - and are also virtually impossible for someone to fix. Virtually
every commercial and free OS supports different IP options, and will
handle them in different ways. It would be virtually impossible to get
every vendor to synchronize what they support. TCP options give you
even more variety. CyberCop Scanner 5.5 uses a variety of these methods
to identify the target OS.. Anthony Osbourne can probably comment more
on this.. I don't believe any of this is proprietary, since you can see
it with a sniffer anyways - and the arachNIDS database at whitehats.com
detects this.
- Oliver
securityfocus.com
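
What a sniffer or IP logger can record of the TCP options discussed in the message above, as an added example that is not part of the original post or of any tool it names. The function names and both sample headers are constructed for illustration and do not represent any particular operating system.

```python
import struct

# Option kinds from RFC 793, RFC 1323 and RFC 2018.
KIND_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WS", 4: "SACK_OK", 5: "SACK", 8: "TS"}

def parse_tcp_options(tcp_header: bytes):
    """Return [(name, value_bytes)] for the options area of a raw TCP header.
    Raises ValueError on malformed options so a logger can record them."""
    if len(tcp_header) < 20:
        raise ValueError("shorter than a minimal TCP header")
    data_offset = (tcp_header[12] >> 4) * 4      # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts, i, out = tcp_header[20:data_offset], 0, []
    while i < len(opts):
        kind = opts[i]
        name = KIND_NAMES.get(kind, f"K{kind}")
        if kind == 0:                            # end of option list: stop
            out.append((name, b""))
            break
        if kind == 1:                            # NOP is a single padding byte
            out.append((name, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option length byte missing")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"bad length {length} for option kind {kind}")
        out.append((name, opts[i + 2:i + length]))
        i += length
    return out

def option_layout(tcp_header: bytes) -> str:
    """Ordered option names, one of the stack-dependent traits a log can keep."""
    return ",".join(name for name, _ in parse_tcp_options(tcp_header))

def build_header(options: bytes) -> bytes:
    """Constructed sample: SYN header carrying the given option bytes (checksum 0)."""
    options += b"\x00" * (-len(options) % 4)     # pad to a 32-bit boundary
    off_flags = (((20 + len(options)) // 4) << 12) | 0x002   # data offset + SYN
    return struct.pack("!HHIIHHHH", 40000, 80, 1, 0, off_flags, 8192, 0, 0) + options

# Constructed samples: the same option set in a different order and padding.
SAMPLE_A = build_header(bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030300"))
SAMPLE_B = build_header(bytes.fromhex("020405b4" "01" "030300" "0101" "080a0000000100000000" "0402"))
```

Both samples request the same features, yet `option_layout` returns different strings for them, which is the kind of difference visible to anyone capturing the traffic.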
This archive was generated by hypermail 2b27 : Thu Jan 20 2000 - 17:36:54 CST