On Mon, Aug 28, 2006 at 04:03:56PM -0400, Daniel Ouellet wrote:
> Stuart Henderson wrote:
> >On 2006/08/28 15:26, Daniel Ouellet wrote:
> >>I have a list of 46K computers that from the logs are all the same OS, 
> >>patch, etc and I want to get the OSFP of it to see what it might be and 
> >>if that's the only connection with that specific signature.
> >
> >If you log the traffic with pflogd, you can read the logfiles
> >with tcpdump -o which will lookup from /etc/pf.os to guess the
> >OS type.
> 
> Thanks. I got a good suggestion that looks like it might do the job. Will 
> know later:
> 
> sudo tcpdump -o -lvvvnr /var/log/pflog 'tcp[13] &0x12 = 2'
> 
> I first need to increase the "snap len" for pflogd and then enter all 
> these IPs in a table and start logging.
> 
> Not sure if the results will be any use, but without doing it, I will 
> never know.
> 
> Last, as for the signature that may be different on the same computer if 
> controlled by a webbot, is that possible? I guess not as the TCP stack 
> isn't changed, but does anyone know for sure? I am curious about that part.
This is definitely possible. It's not likely; most webbots are kept
small for ease of distribution and for being harder to find. However,
once you gain access to raw sockets, you can do pretty much whatever you
want - therefore, an OpenBSD machine could do quite a good job of
impersonating a Win2k box, and so on.

All in all, though, I don't see why an attacker would go through all
this trouble.

However, *if* he did, you might have some interesting tricks to play on
him. Many scanners [1], for instance, will not send a SYN twice - and
(almost?) all TCP/IP stacks will. Dropping the first SYN from a new IP
can be done easily with pf, and while the impact on legitimate users
would be significant with interactive services (it adds ~ 1 sec to the
loading time of your front page), it might be worth the trade-off.

Hmm, greylisting IP connections...

                Joachim

[1] But a DDoS tool is not a scanner.
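As an added example that is not part of this thread or of OpenBSD's own code: a small passive fingerprint matcher in the spirit of the /etc/pf.os lookup that tcpdump -o performs on logged SYNs. The field layout assumed here (window:ttl:df:size:options:class:version:subtype:description) and the three sample signatures are a constructed reconstruction of the pf.os(5) style, not lines copied from /etc/pf.os, and the 32-hop TTL allowance is an assumption.

```python
# Passive OS-fingerprint matching in the style of pf.os(5), the file that
# tcpdump -o consults. Added example; the field layout follows the pf.os(5)
# format as assumed above, and the signature lines are constructed samples,
# not copied from /etc/pf.os.
from dataclasses import dataclass

@dataclass
class Syn:
    window: int    # advertised TCP window in the SYN
    ttl: int       # IP TTL as seen on the wire (initial TTL minus hops)
    df: int        # 1 if Don't Fragment is set
    size: int      # IP total length of the SYN
    mss: int       # MSS option value, 0 if absent
    mtu: int       # link MTU (constructed: mss + 40 for plain IPv4/TCP)
    options: str   # option layout, e.g. "M1460,N,N,S,N,W0,N,N,T"

SIGNATURES = [  # constructed sample signatures, pf.os(5)-style layout
    "65535:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.x::OpenBSD 3.x",
    "65535:128:1:48:M*,N,N,S:Windows:2000::Windows 2000",
    "S4:64:1:60:M*,S,T,N,W0:Linux:2.4::Linux 2.4",
]

def parse_sig(line):
    window, ttl, df, size, opts, cls, ver, sub, desc = line.split(":", 8)
    return {"window": window, "ttl": int(ttl), "df": int(df), "size": size,
            "opts": opts.split(","),
            "label": " ".join(x for x in (cls, ver, sub) if x)}

def window_ok(spec, syn):
    if spec == "*":
        return True
    if spec[0] == "%":                       # multiple of N
        return syn.window % int(spec[1:]) == 0
    if spec[0] == "S":                       # multiple of the MSS
        return syn.mss > 0 and syn.window == int(spec[1:]) * syn.mss
    if spec[0] == "T":                       # multiple of the MTU
        return syn.window == int(spec[1:]) * syn.mtu
    return syn.window == int(spec)

def options_ok(spec, seen):
    # "M*" / "W*" in a signature accept any MSS / window-scale value.
    return len(spec) == len(seen) and all(
        s == o or (s in ("M*", "W*") and o[:1] == s[:1]) for s, o in zip(spec, seen))

def matches(sig, syn):
    # The observed TTL is the initial TTL minus the hop count, so it must not
    # exceed the signature's initial TTL; allow up to 32 hops (assumption).
    if not sig["ttl"] - 32 < syn.ttl <= sig["ttl"]:
        return False
    if sig["df"] != syn.df or (sig["size"] != "*" and int(sig["size"]) != syn.size):
        return False
    return options_ok(sig["opts"], syn.options.split(",")) and window_ok(sig["window"], syn)

def fingerprint(syn, lines=SIGNATURES):
    """Return the labels of every signature the SYN matches (empty if none)."""
    return [s["label"] for s in map(parse_sig, lines) if matches(s, syn)]
```

A SYN whose TTL, window and option layout disagree with every signature returns an empty list, which is the case to flag when checking whether a host's stack looks like what the logs claim.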
