Wednesday, December 24, 2008

EDHCPFingerprint

Jeff from Enterasys has been working with me and Erik (author of NetworkMiner) on tweaks to the dhcp schema. A lot of it was changes they wanted to see done to help extend it out. I was just the middle man since I own the file! :)

These changes will come in quite useful, in different ways, to all of us and I'm glad they were made. Hopefully we've finished for now with the latest change being done earlier this morning.

In the near future, hopefully I'll start leveraging the new info included in it better. Just need time!

Anyway, check out EDHCPFingerprint if you get a chance.

Wednesday, December 17, 2008

Updated Software

NetworkMiner -
Ok, been spending a lot of time trying to crash NetworkMiner for the author. Found a nice little bug he had going and a quite a few crashes. All of those are fixed in 0.87 which was recently released. If you are using NetworkMiner I highly recommend updating to the latest version to fix the nasty little bug earlier versions had on saving files.

Satori -
also been spending a lot of time with Erik, author of NetworkMiner, and Jeff (from a private company) on updating the dhcp.xml file schema. Jeff had a lot of good recommendations and has provided a few new fingerprints. Between the 3 of us we updated the schema to a very good 1.0 version I think. I may do an overhaul of it a year or two down the road to add some other functionality into it, but we'll see. Anyway, the new version allows us to group Devices much nicer than before. For Satori it will give me the ability to group Devices across fingerprinting files (dhcp, icmp, tcp) since all 3 have been updated to the new format. Not sure when I'll add the functionality to utilize it, but it is updated along with the removal of a lot of old information in the dhcp.xml file that came from the packetfence.org project. It was nice to have at one point, but since they do not track if it is a dhcp inform/discover/request packet, it doesn't do me any good anymore, so it was removed, along with some other fingerprints I got from files around the same time and did not get everything I needed!

Always looking for new fingerprints. And on that note, I setup an account dhcpfingerprints [AT] gmail.com specifically for fingerprints, originally for dhcp ones (since that is how most people keep finding out about Satori), but will probably use it for all fingerprints.