On 06/10/2010 11:31 PM, Ralf Hildebrandt wrote:
I heard that there are firewalls/security appliances that supposedly
can distinguish "somebody using telnet" from "a machine speaking SMTP".

I must admit, it sounds feasible (timing between keystrokes etc.), but
of little use.

Anyway. Is there such a thing? Does anybody use such a thing?


There are IDSen (Intrusion Detection Systems) that can fingerprint the client on the actual TCP delays between actions, yes.

They exist both in software (Snort) and hardware (Cisco et al).

However, then blocking the offender is step two - or combined into an IPS (Intrusion Prevention System) - and that's usually configurable.

When in doubt, ask the network people at the site you suspect this of (presuming they are willing to help you, of course).

Using an IDS or similar sniffer to fingerprint OSen and client software of services is fun (if you're a network nerd :)), but it doesn't mean people take any action on the data.

The risk of false positives is obvious, and I doubt many network-savvy people would implement this sort of thing willy-nilly - especially since telnet remains a very good SMTP debug tool!


J.
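
The timing idea discussed in this thread, as an added example that is not part of the original messages and is not taken from Snort or any vendor product: a sensor near the SMTP server measures the pause between each server reply and the next client data, plus segment sizes, and labels the session. The thresholds, function names and sample sessions are assumptions constructed for illustration; the last sample shows the false-positive risk the reply mentions.

```python
from statistics import median

# Thresholds are assumptions picked for this illustration, not vendor defaults.
HUMAN_THINK_SECONDS = 1.0  # median pause between a server reply and the next client data
TINY_SEGMENT_BYTES = 2     # character-at-a-time terminals send 1-2 byte segments
MIN_SAMPLES = 3            # too few reply/command pairs: do not judge


def features(events):
    """events: (seconds, direction, payload_bytes); direction is 'S' (server) or 'C' (client)."""
    think, sizes, last_server = [], [], None
    for ts, direction, nbytes in sorted(events):
        if direction == "S":
            last_server = ts
        elif nbytes > 0:
            sizes.append(nbytes)
            if last_server is not None:  # first client data after a server reply
                think.append(ts - last_server)
                last_server = None
    return think, sizes


def classify(events):
    think, sizes = features(events)
    if len(think) < MIN_SAMPLES:
        return "unknown"
    tiny_ratio = sum(n <= TINY_SEGMENT_BYTES for n in sizes) / len(sizes)
    if tiny_ratio > 0.5 or median(think) >= HUMAN_THINK_SECONDS:
        return "interactive"
    return "automated"


def session(think_seconds, sizes, server_delay=0.02):
    """Build a constructed trace: server reply, pause, client command, repeated."""
    events, now = [], 0.0
    for pause, nbytes in zip(think_seconds, sizes):
        events.append((now, "S", 40))
        now += pause
        events.append((now, "C", nbytes))
        now += server_delay
    return events


# Constructed sample sessions (no real captures).
MTA = session([0.021] * 6, [24, 36, 34, 6, 900, 6])
TELNET_USER = session([6.4, 8.5, 8.2, 3.9], [17, 30, 28, 6])
SLOW_LINK_MTA = session([1.2] * 6, [24, 36, 34, 6, 900, 6])  # automated, ~1.2 s round trip

if __name__ == "__main__":
    for name in ("MTA", "TELNET_USER", "SLOW_LINK_MTA"):
        print(name, classify(globals()[name]))
```

SLOW_LINK_MTA is a legitimate automated sender on a high-latency path, yet it lands in the same class as the person typing, which is why acting on this signal alone would block real mail.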
