Abstract
With the spread of tools (such as fragrouter and fragroute [11]) that exploit differences between operating systems' network stacks to evade IDS detection, it has become more important for IDS sensors to model accurately the variety of end hosts' network stacks. The approach described in this paper uses the passively detected OS fingerprint of the end host to resolve ambiguities between different network stack implementations, so that the sensor reassembles traffic the way the receiving host will. Additionally, a new technique is described that increases the confidence level of a fingerprint match by examining TCP connection negotiations more extensively than the initial SYN alone.
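The following is an added illustration of the idea in the abstract, not code from the paper or from p0f: a passive fingerprint table is consulted for each handshake packet a host emits, the resulting OS label selects an overlap policy, and the sensor reassembles overlapping TCP segments under that policy. The signature values, the stack labels ("stack-A", "stack-B"), the policy assignments and the confidence rule are all constructed for the example; they are not claims about any real operating system or about the paper's actual database.

```python
"""Passive-fingerprint-driven TCP overlap resolution (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class HandshakeSig:
    window: int               # advertised window in the SYN or SYN/ACK
    initial_ttl: int          # observed TTL normalised to an assumed initial value
    df: bool                  # IP Don't-Fragment bit
    options: Tuple[str, ...]  # TCP option kinds in the order they appear


# Constructed signature table: values are illustrative, not p0f's database.
SIGNATURES: Dict[HandshakeSig, str] = {
    HandshakeSig(5840, 64, True, ("MSS", "SACK", "TS", "NOP", "WS")): "stack-A",
    HandshakeSig(5792, 64, True, ("MSS", "SACK", "TS", "NOP", "WS")): "stack-A",
    HandshakeSig(65535, 128, True, ("MSS", "NOP", "WS", "NOP", "NOP", "SACK")): "stack-B",
    HandshakeSig(16384, 128, True, ("MSS", "NOP", "NOP", "SACK")): "stack-B",
}

# Assumed overlap policy per stack: what happens when a later segment covers
# bytes already received. Which real OS behaves which way is not asserted here.
OVERLAP_POLICY: Dict[str, str] = {"stack-A": "favor_new", "stack-B": "favor_old"}


def normalise_ttl(observed: int) -> int:
    """Map a hop-decremented TTL to the smallest common initial TTL at or above it."""
    for initial in (32, 64, 128, 255):
        if observed <= initial:
            return initial
    return 255


class HostProfile:
    """Accumulates every handshake packet (SYN or SYN/ACK) seen from one host.

    Looking at more than the first SYN is the confidence-raising idea: each
    handshake packet casts a vote, and confidence is the share of observations
    that agree with the leading label (constructed rule, not the paper's).
    """

    def __init__(self) -> None:
        self.votes: Dict[str, int] = {}
        self.seen = 0

    def observe(self, window: int, ttl: int, df: bool, options: List[str]) -> None:
        self.seen += 1
        sig = HandshakeSig(window, normalise_ttl(ttl), df, tuple(options))
        label = SIGNATURES.get(sig)
        if label is not None:
            self.votes[label] = self.votes.get(label, 0) + 1

    def guess(self) -> Tuple[Optional[str], float]:
        if not self.votes:
            return None, 0.0
        label = max(self.votes, key=lambda k: self.votes[k])
        return label, self.votes[label] / self.seen


def reassemble(segments: List[Tuple[int, bytes]], policy: str) -> bytes:
    """Merge (seq, payload) segments under 'favor_old' or 'favor_new'.

    Returns the contiguous run of bytes starting at the lowest sequence number.
    """
    buf: Dict[int, int] = {}
    for seq, payload in segments:
        for i, b in enumerate(payload):
            off = seq + i
            if off in buf and policy == "favor_old":
                continue          # keep the byte the host received first
            buf[off] = b          # favor_new, or no prior byte at this offset
    if not buf:
        return b""
    out, off = bytearray(), min(buf)
    while off in buf:
        out.append(buf[off])
        off += 1
    return bytes(out)


def resolve_stream(profile: HostProfile, segments: List[Tuple[int, bytes]],
                   default_policy: str = "favor_old",
                   min_confidence: float = 0.5) -> Tuple[str, bytes]:
    """Pick the overlap policy from the host's fingerprint, then reassemble."""
    label, conf = profile.guess()
    policy = default_policy
    if label is not None and conf >= min_confidence:
        policy = OVERLAP_POLICY.get(label, default_policy)
    return policy, reassemble(segments, policy)


# Constructed overlapping segments: the second one rewrites bytes 5..14 of the first.
SEGMENTS: List[Tuple[int, bytes]] = [(0, b"GET /index.html"), (5, b"cgi-bin/ph")]


def demo() -> Dict[str, Tuple[str, bytes]]:
    """Two constructed hosts: the same segments reassemble differently per stack."""
    host_b = HostProfile()
    host_b.observe(65535, 117, True, ["MSS", "NOP", "WS", "NOP", "NOP", "SACK"])  # SYN
    host_b.observe(16384, 117, True, ["MSS", "NOP", "NOP", "SACK"])              # SYN/ACK
    host_a = HostProfile()
    host_a.observe(5840, 52, True, ["MSS", "SACK", "TS", "NOP", "WS"])           # SYN
    return {"host_b": resolve_stream(host_b, SEGMENTS),
            "host_a": resolve_stream(host_a, SEGMENTS)}


if __name__ == "__main__":
    for host, (policy, stream) in demo().items():
        print(host, policy, stream)
```

The point the example makes is that the raw packets are identical for both hosts; only the passively derived label decides whether the sensor sees a request for /index.html or for /cgi-bin/ph, which is exactly the ambiguity a normaliser or an active mapper would otherwise have to remove.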
References
Shankar, U.: Active Mapping: Resisting NIDS Evasion Without Altering Traffic (2003), http://www.cs.berkeley.edu/~ushankar/research/active/activemap.pdf
Spitzner, L.: Know Your Enemy: Passive Fingerprinting, Identifying remote hosts, without them knowing, http://project.honeynet.org/papers/finger/
Ptacek, T.H., Newsham, T.N.: Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection. Secure Networks, Inc. (1998), http://www.aciri.org/vern/Ptacek-Newsham-Evasion-98.ps
Handley, M., Paxson, V.: Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. In: Proc. 10th USENIX Security Symposium (2001), http://www.icir.org/vern/papers/norm-usenix-sec-01-html/norm.html
Paxson, V.: Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks (1999)
Fyodor: The Art of Port Scanning
Fyodor: Remote OS detection via TCP/IP Stack FingerPrinting, http://www.insecure.org/nmap/nmap-fingerprinting-article.html
Smart, M., Malan, G., Jahanian, F.: Defeating TCP/IP Stack Fingerprinting. In: Proc. 9th USENIX Security Symposium (2000)
Berrueta, D.B.: A practical approach for defeating Nmap OS-Fingerprinting, http://voodoo.somoslopeor.com/papers/nmap.html
Arkin, O., Yarochkin, F.: Xprobe v2.0, A Fuzzy Approach to Remote Active Operating System Fingerprinting, http://www.sys-security.com/archive/papers/Xprobe2.pdf
Song, D.: fragroute, http://www.monkey.org/dugsong/fragroute/
Savage: queso, http://www.apostols.org/projects.html
Zalewski, M., Stearns, W.: p0f, http://www.stearns.org/p0f/
Ornaghi, A., Valleri, M.: ettercap, http://ettercap.sourceforge.net/
Vandoorselaere, Y., et al.: prelude-ids, http://www.prelude-ids.org/
Postel, J.: Internet Protocol, RFC 791 (September 1981)
Postel, J.: Transmission Control Protocol, RFC 793 (September 1981)
Jacobson, V., Braden, R., Borman, D.: TCP Extensions for High Performance, RFC 1323 (May 1992)
Griffin, J.L.: Testing Protocol Implementation Robustness. In: 29th Annual International Symposium on Fault-Tolerant Computing, June 15-18 (1999)
Paxson, V.: Automated Packet Trace Analysis of TCP Implementations. In: Proc. ACM SIGCOMM (1997)
Padhye, J., Floyd, S.: Identifying the TCP Behavior of Web Servers. ICSI Technical Report 01-002 (2000)
Comer, D.E.: Probing TCP Implementations. Usenix Summer (1994)
McCanne, S., Leres, C., Jacobson, V.: libpcap (1994), http://www.tcpdump.org/
Veysset, F., Courtay, O., Heen, O.: New Tool and Technique For Remote Operating System Fingerprinting. Intranode Research Team (2002)
© 2003 Springer-Verlag Berlin Heidelberg
Taleck, G. (2003). Ambiguity Resolution via Passive OS Fingerprinting. In: Vigna, G., Kruegel, C., Jonsson, E. (eds) Recent Advances in Intrusion Detection. RAID 2003. Lecture Notes in Computer Science, vol 2820. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45248-5_11
DOI: https://doi.org/10.1007/978-3-540-45248-5_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-40878-9
Online ISBN: 978-3-540-45248-5