10:08 AM - p0f
p0f is a program that analyzes incoming IP traffic and tells you useful information about the request, including an OS fingerprint of the sender.
It's quite neat. I have it installed on the FreeBSD server and my Windows XP box here. It uses BPF in FreeBSD to read the inbound traffic. It does not make a connection to the host, but rather uses the information available from the packets the host sends.
Basically it's like running nmap -sS -O on a host, except you don't learn which ports they have open.
I don't think I will leave p0f up all the time, but it might be nice to have if I think I'm under attack.
For example, here is the output from some guy infected with one of those worms:
216.94.201.209:2686 - Windows 2000 SP4, XP SP1 (2)
-> 216.93.162.119:135 (distance 9, link: ethernet/modem)
216.94.201.209:2688 - Windows 2000 SP4, XP SP1 (2)
-> 216.93.162.120:135 (distance 10, link: ethernet/modem)
216.94.201.209:2686 - Windows 2000 SP4, XP SP1 (2)
-> 216.93.162.119:135 (distance 9, link: ethernet/modem)
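One way to triage output in this format, as an added example that is not part of p0f: the parser below reads the two-line records (the lines shown above are reused verbatim as the sample input, with the Mac record from later in this post added), pairs each header line with its "->" line, flags a source that hits the same destination port on several hosts (the worm pattern above), and reports sources whose reported distance changes between connections. The record layout and the flagging threshold are assumptions of this example.

```python
"""Parse and triage p0f's two-line log records (added example, not p0f code).

Each record is a 'src:port - OS (extra)' line followed by a
'-> dst:port (distance N, link: L)' line. Records are grouped by source,
and a source contacting the same port on several hosts is flagged.
"""
import re
from collections import defaultdict

HEAD = re.compile(r"^(?P<src>[\d.]+):(?P<sport>\d+) - (?P<os>.+)$")
TAIL = re.compile(r"^-> (?P<dst>[\d.]+):(?P<dport>\d+) "
                  r"\(distance (?P<dist>\d+), link: (?P<link>.+)\)$")
# Trailing parenthetical on the OS line: "(2)" or "(up: 5375 hrs)".
EXTRA = re.compile(r"^(?P<os>.*) \((?P<extra>[^()]*)\)$")

# Sample log: the p0f lines quoted in the post, used as constructed input.
SAMPLE_LOG = """\
216.94.201.209:2686 - Windows 2000 SP4, XP SP1 (2)
-> 216.93.162.119:135 (distance 9, link: ethernet/modem)
216.94.201.209:2688 - Windows 2000 SP4, XP SP1 (2)
-> 216.93.162.120:135 (distance 10, link: ethernet/modem)
216.94.201.209:2686 - Windows 2000 SP4, XP SP1 (2)
-> 216.93.162.119:135 (distance 9, link: ethernet/modem)
64.109.110.62:49500 - FreeBSD 4.8-5.1 (or MacOS X 10.2-10.3) (up: 5375 hrs)
-> 216.93.162.119:80 (distance 16, link: sometimes DSL (4))
"""


def parse_records(text: str) -> list:
    """Pair each header line with its '->' line; lines fitting neither are skipped."""
    records, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        h = HEAD.match(line)
        if h:
            os_field, extra = h.group("os"), ""
            e = EXTRA.match(os_field)
            if e:
                os_field, extra = e.group("os"), e.group("extra")
            pending = {"src": h.group("src"), "sport": int(h.group("sport")),
                       "os": os_field, "extra": extra}
            continue
        t = TAIL.match(line)
        if t and pending is not None:
            pending.update(dst=t.group("dst"), dport=int(t.group("dport")),
                           distance=int(t.group("dist")), link=t.group("link"))
            records.append(pending)
            pending = None
    return records


def flag_sprayers(records: list, min_targets: int = 2) -> list:
    """Sources that contact >= min_targets distinct hosts on one destination
    port, as (src, dport, n_targets) tuples sorted by target count."""
    targets = defaultdict(set)
    for r in records:
        targets[(r["src"], r["dport"])].add(r["dst"])
    hits = [(src, dport, len(dsts)) for (src, dport), dsts in targets.items()
            if len(dsts) >= min_targets]
    return sorted(hits, key=lambda h: -h[2])


def distance_changes(records: list) -> dict:
    """Per source, the sorted hop distances seen when more than one value
    appears: the path changed, or the initial-TTL guess is off."""
    seen = defaultdict(set)
    for r in records:
        seen[r["src"]].add(r["distance"])
    return {src: sorted(d) for src, d in seen.items() if len(d) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for src, dport, n in flag_sprayers(recs):
        print("%s hit %d hosts on port %d" % (src, n, dport))
    print(distance_changes(recs))
```

Run on the sample, the worm host is flagged for hitting two hosts on port 135, and its distance is reported as both 9 and 10, which is worth a second look before trusting the fingerprint.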
Here is an example of output from my Macintosh:
64.109.110.62:49500 - FreeBSD 4.8-5.1 (or MacOS X 10.2-10.3) (up: 5375 hrs)
-> 216.93.162.119:80 (distance 16, link: sometimes DSL (4))
Of course it's wrong on the uptime... I booted the Mac up 4 hours ago.
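Where the distance and uptime figures come from, as an added example that is not p0f's code: the Python below parses a constructed SYN packet, pulls out the fields a passive fingerprinter keys on (TTL, window size, DF bit, MSS, window scale, option order), computes distance as an assumed initial TTL minus the TTL seen on the wire, and derives uptime from the TCP timestamp option divided by an assumed per-OS tick rate. That last step is why the uptime can be wildly off: the same timestamp reads 4 hours at 1000 ticks/s and 40 hours at 100 ticks/s. The initial-TTL table, the tick rates, the signature format and the build_syn packet builder are assumptions of this example.

```python
"""Minimal passive SYN fingerprinter in the spirit of p0f (added example,
not p0f's own code). Parses an IPv4+TCP SYN from raw bytes, extracts the
fields passive fingerprinters use, estimates hop distance from the TTL and
uptime from the TCP timestamp. Tick rates and initial TTLs are assumed."""
import struct

# Assumed initial TTLs of common stacks; the sender's original TTL is taken
# to be the smallest of these that is >= the TTL seen on the wire.
INITIAL_TTLS = (64, 128, 255)


def parse_tcp_options(raw: bytes) -> dict:
    """Walk the TCP option TLVs and keep the fingerprint-relevant ones."""
    opts = {"order": []}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # end of option list
            opts["order"].append("eol")
            break
        if kind == 1:                      # NOP padding
            opts["order"].append("nop")
            i += 1
            continue
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed TCP option")
        body = raw[i + 2:i + length]
        if kind == 2:                      # maximum segment size
            opts["mss"] = struct.unpack("!H", body)[0]
            opts["order"].append("mss")
        elif kind == 3:                    # window scale
            opts["wscale"] = body[0]
            opts["order"].append("wscale")
        elif kind == 4:                    # SACK permitted
            opts["sack_ok"] = True
            opts["order"].append("sack")
        elif kind == 8:                    # timestamps (TSval, TSecr)
            opts["ts_val"], opts["ts_ecr"] = struct.unpack("!II", body)
            opts["order"].append("ts")
        else:
            opts["order"].append("opt%d" % kind)
        i += length
    return opts


def parse_syn(packet: bytes) -> dict:
    """Extract fingerprint fields from an IPv4/TCP packet (checksums ignored)."""
    ihl = (packet[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    tcp = packet[ihl:]
    data_off = (tcp[12] >> 4) * 4
    return {
        "ttl": packet[8],
        "df": bool(flags_frag & 0x4000),   # Don't Fragment bit
        "window": struct.unpack("!H", tcp[14:16])[0],
        "syn": bool(tcp[13] & 0x02),
        "options": parse_tcp_options(tcp[20:data_off]),
    }


def hop_distance(ttl: int) -> int:
    """p0f's 'distance': assumed initial TTL minus the TTL seen on the wire."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError("TTL out of range")


def uptime_hours(ts_val: int, ticks_per_second: int) -> float:
    """Timestamp value over an assumed per-OS tick rate. A wrong rate guess,
    or a counter that does not start at zero on boot, skews this badly."""
    return ts_val / ticks_per_second / 3600


def signature(packet: bytes) -> str:
    """p0f-like summary: window:ttl:df:mss:wscale:option-order."""
    f = parse_syn(packet)
    o = f["options"]
    return "%d:%d:%d:%s:%s:%s" % (
        f["window"], f["ttl"], int(f["df"]),
        o.get("mss", "*"), o.get("wscale", "*"), ",".join(o["order"]))


def build_syn(ttl: int, window: int, df: bool, mss: int, wscale: int,
              ts_val: int) -> bytes:
    """Construct a synthetic SYN (addresses from the post, zero checksums)."""
    opts = (struct.pack("!BBH", 2, 4, mss) + b"\x01"
            + struct.pack("!BBB", 3, 3, wscale) + b"\x01\x01"
            + struct.pack("!BBII", 8, 10, ts_val, 0))
    tcp = struct.pack("!HHIIBBHHH", 49500, 80, 1, 0,
                      ((20 + len(opts)) // 4) << 4, 0x02, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([64, 109, 110, 62]), bytes([216, 93, 162, 119]))
    return ip + tcp


if __name__ == "__main__":
    # Constructed sample: a BSD-like SYN that crossed 16 routers, whose
    # timestamp counter reads 4 hours of uptime at 1000 ticks/s.
    pkt = build_syn(ttl=48, window=65535, df=True, mss=1460, wscale=0,
                    ts_val=14_400_000)
    ts = parse_syn(pkt)["options"]["ts_val"]
    print(signature(pkt), "distance", hop_distance(parse_syn(pkt)["ttl"]))
    print("uptime at 1000 Hz: %.1f h, at 100 Hz: %.1f h"
          % (uptime_hours(ts, 1000), uptime_hours(ts, 100)))
```

The distance figure is only as good as the initial-TTL guess: a stack that starts at 128 but is seen with TTL 119 reads as 9 hops, while the same TTL from a stack that starts at 255 would be 136 hops, so the fingerprint and the distance have to be read together.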
location: Home