passive host characterization

Carter Bullard carter at qosient.com
Wed May 20 09:52:55 EDT 2009


Gentle people,
There are about 100 topics for discussion regarding flow data, and I
would like to get some ideas/comments/reactions/opinions on better
host characterization.  Now that we have database support and
flow data labeling, it would be nice if we could add things like,
"I think this is a Mac", and then have something check that it was
a Mac the last time we looked.  Anomaly detection at its finest ;o)

Most OS fingerprinting today is done from packet header peculiarities
and responses from specific challenges.  This type of characterization
strategy has a few drawbacks:  1) it's a pattern matching strategy, which
has its limitations, and 2) many times it involves active methods, where
you have to challenge the machine to get it to tell you what it is, which
has another set of limitations, especially when you deal with historical
data and you can't go back in time to probe the machine to tell you
what it was.   There is nothing wrong with these strategies, but there
should be other things we can do.

If you look at a lot of argus data, you probably know that most machines
give away what they are, or rather what they do and how they do it, by
accessing specific machines (license servers, update servers), requesting
specific DNS lookups, broadcasting availability of resources, or using
specific protocol types, like routing protocols, etc....

Game machines are easy to see; routers, Macs, Windows machines,
etc...., all seem to do basically different things when they come up.

I have a TiVo in my office, and I know it's a TiVo because it's always
wanting to connect to the mothership to participate in the various TiVo
services.  Argus data, with ralabel() adding the DNS domain name
for the destination address to the flow record, tells me that the src IP
address (which is DHCP'd) is the TiVo.   (Don't really need the DNS
name, but it helps to explain the example.)

Now that Nero LiquidTV allows you to turn a PC into a TiVo,
it would be interesting to know if I could discriminate that behavior
from a real TiVo.

When you consider OS virtualization and the need to understand what
is going on in your network, this type of problem can be generalized
into an interesting problem.

I'm thinking that developing a compendium of host behaviors, especially
boot behaviors, would have some benefit, and I'm wondering if there is
interest in talking about it, and possibly doing it.

Argus currently captures a few of the packet peculiarities that are used in
contemporary OS identification, but it is not trying to specifically do this.
I'm interested in understanding what we can do to add this feature to argus,
and I'm very interested in going after the behavioral aspects of network
traffic, to do a better job.

What do you think?

Carter
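The passive approach sketched in the message above, as an added example that is not Carter's code and not part of argus: a small Python script that reads constructed flow records whose columns mimic `ra` output with a ralabel-supplied destination domain in the last field, builds a per-source profile of the domains and ports each host talks to, matches the profile against a small behavioral catalog ("this talks to tivo.com, so it is a TiVo"), and then compares the result with what the same address looked like the last time we looked. The column layout, the signature catalog, the addresses and the stored history are all assumptions made for the example.

```python
"""Passive host characterization from labeled flow records (example code).

Assumed record layout, one flow per line:  stime saddr daddr dport label
where `label` stands in for the destination DNS domain that ralabel() would
attach.  Every record and address below is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: three DHCP'd sources on 10.0.0.0/24 talking to
# documentation-range (RFC 5737) destinations plus local multicast/broadcast.
SAMPLE_FLOWS = """\
2009-05-20T08:01:02 10.0.0.23 198.51.100.2 443 tivo.com
2009-05-20T08:01:05 10.0.0.23 198.51.100.7 80 cdn.tivo.com
2009-05-20T08:02:11 10.0.0.40 203.0.113.15 443 swcdn.apple.com
2009-05-20T08:02:13 10.0.0.40 224.0.0.251 5353 mdns.local
2009-05-20T08:03:00 10.0.0.57 192.0.2.9 80 update.microsoft.com
2009-05-20T08:03:01 10.0.0.57 10.0.0.255 137 netbios-ns
"""

# Assumed "last time we looked" result, keyed by source address.  10.0.0.40
# was characterized as Windows then; DHCP may have handed the lease to a
# different box since, which is exactly what the history check should catch.
PREVIOUS = {"10.0.0.23": ["tivo"], "10.0.0.40": ["windows"]}


@dataclass
class HostProfile:
    """What one source address was seen doing: whom it contacted, on which ports."""
    domains: set = field(default_factory=set)
    dports: set = field(default_factory=set)


def parse_flows(text):
    """Fold flow records into one HostProfile per source address."""
    profiles = defaultdict(HostProfile)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # tolerate blank or malformed lines instead of aborting
        _stime, saddr, _daddr, dport, label = parts
        profiles[saddr].domains.add(label.lower())
        profiles[saddr].dports.add(int(dport))
    return dict(profiles)


def in_domain(domains, suffix):
    """True if any observed destination domain is `suffix` or lies under it."""
    return any(d == suffix or d.endswith("." + suffix) for d in domains)


# Assumed behavioral catalog: name -> predicate over a HostProfile.  A real
# compendium would be far larger and would weight boot-time behaviors.
SIGNATURES = {
    "tivo": lambda p: in_domain(p.domains, "tivo.com"),
    "mac": lambda p: in_domain(p.domains, "apple.com") and 5353 in p.dports,
    "windows": lambda p: in_domain(p.domains, "microsoft.com")
    or bool(p.dports & {137, 138}),
}


def characterize(profile):
    """Every catalog entry the profile matches, sorted, or ["unknown"]."""
    hits = sorted(name for name, pred in SIGNATURES.items() if pred(profile))
    return hits or ["unknown"]


def characterize_all(text):
    """Map each source address in the records to its characterization."""
    return {saddr: characterize(p) for saddr, p in parse_flows(text).items()}


def check_against_history(previous, current):
    """The anomaly check from the post: report hosts whose characterization
    differs from the stored one, and hosts with no stored characterization.
    Returns (saddr, before_or_None, now) tuples in address order."""
    findings = []
    for saddr, now in sorted(current.items()):
        before = previous.get(saddr)
        if before is None or before != now:
            findings.append((saddr, before, now))
    return findings


if __name__ == "__main__":
    current = characterize_all(SAMPLE_FLOWS)
    for saddr, labels in sorted(current.items()):
        print(saddr, ",".join(labels))
    for saddr, before, now in check_against_history(PREVIOUS, current):
        print("CHANGED" if before else "NEW", saddr, before, "->", now)
```

The catalog deliberately keys on what the host reaches for (update and service domains, local discovery ports) rather than on packet-header quirks, so it works unchanged over archived flows where no active probe is possible; the history comparison is where a DHCP address changing hands, or a PC imitating a TiVo, would surface as a changed characterization rather than a silent relabel.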
