Friday, January 27, 2012


It was posted to the fingerbank discussion list in the past week on the Alpha version of NetSlueth. I'd tagged it to go back and look at, and unlike most of the time I tag things for follow up I did it in less than 6 months!

I guess it was just 2 days ago, wow, not sure I've ever gotten back that quick.

Anyway, partial info from the list:
"I basically used tshark for low level processing, allowing me to focus on the logic of the analysis. It needs ALOT more work, including improving my sloppy coding skills. It requires a full installation of Wireshark and .Net Framework or later on the machine. I'm going to make it fully mono compatible shortly."

By using tshark he took a lot of the headache out of coding underlying pieces that I've dealt with in Satori. Anyway, I ran some initial pcap files I had around through it and it seemed to do quite nicely on identifying the OS running on them. I didn't have any luck with a live capture, but I didn't dig around very long on trying to figure out why either!

I need to dig into it more and see what all protocols they are utilizing, but if you need another little tool, this one may be worth looking at!

Thursday, January 12, 2012

Fingerprint Editor 1.00.08

Jeff recompiled his fingerprint editor for us with the latest .xml files from my fingerprint database!

Tuesday, January 10, 2012

p0f v3

And I though MZ gave up on p0f after no updates to v2 in years. I guess I'm proven wrong....

== What's new ==

Version 3 is a complete rewrite, bringing you much improved SYN and SYN+ACK fingerprinting capabilities, auto-calibrated uptime measurements, completely redone databases and signatures, new API design, IPv6 support (who knows, maybe it even works?), stateful traffic inspection with thorough cross-correlation of collected data, application-level fingerprinting modules (for HTTP now, more to come),
and a lot more.


On my list to test in the near future and provide some new fingerprints. Assuming time permits and how well it works (I have no doubts well, but...), I will look at what it is doing and see if I can incorporate new stuff/ideas into a newer tcp plugin for Satori.