Queso Scan - Internet Security Systems

Queso Scan

advICE : Intrusions : 2000321
Summary

The "Queso" fingerprinting system sends odd TCP packets at the target in order to figure out what the operating system is.

Details

Queso uses a specific style of TCP fingerprinting. It sends packets that are not covered by the protocol specification. This doesn't hurt the target, but since these packets aren't standardized, everybody responds differently. By recording the responses and matching them up with a database, the fingerprinting tool is able to figure out what the operating system is.

Knowing the operating system of a potential victim is the first step in breaking in. It allows the intruder to concentrate on using only those exploits that the system may be vulnerable to. For example, it would be useless attempting Microsoft Windows exploits against a Macintosh.

Trigger

This alert triggers when packets are seen that are similar to those packets generated by Queso. Specifically, it triggers on FIN, SYN|FIN, and PSH packets without an ACK bit. All packets in a TCP stream except the first one should have the ACK bit set. In addition, including both a SYN and a FIN together in the same packet is not normal.
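The trigger rule above, written out as an added Python example (not the product's own signature code). It assumes SYN and FIN together are flagged whether or not ACK is set, and that the "4" and "8" flag letters map to bits 0x40 and 0x80 of the TCP flags byte; the function names and sample headers are constructed for illustration.

```python
import struct

# Flag letters as listed in the page's "flags" parameter; mapping "4" and "8"
# to bits 0x40 and 0x80 of the flags byte is an assumption.
FLAG_BITS = [(0x02, "S"), (0x01, "F"), (0x04, "R"), (0x08, "P"),
             (0x10, "A"), (0x20, "U"), (0x40, "4"), (0x80, "8")]
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10


def parse_tcp(header: bytes):
    """Return (dst_port, flags_byte) from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    _src, dst, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", header[:14])
    return dst, flags


def flag_string(flags: int) -> str:
    return "".join(letter for bit, letter in FLAG_BITS if flags & bit)


def queso_like(flags: int):
    """Return a reason string if the flags match the trigger, else None."""
    if flags & SYN and flags & FIN:
        return "SYN and FIN set together"
    if not flags & ACK:
        if flags & FIN:
            return "FIN without ACK"
        if flags & PSH:
            return "PSH without ACK"
    return None


def check(header: bytes):
    port, flags = parse_tcp(header)
    reason = queso_like(flags)
    return {"port": port, "flags": flag_string(flags), "reason": reason}


def make_header(dst_port: int, flags: int) -> bytes:
    """Build a constructed 20-byte TCP header for the samples below."""
    return struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, flags, 1024, 0, 0)


if __name__ == "__main__":
    # Constructed samples: normal SYN, normal FIN|ACK, then three probe shapes.
    for f in (0x02, 0x11, 0x01, 0x03, 0x08):
        print(check(make_header(80, f)))
```

A plain SYN, a FIN|ACK and a PSH|ACK pass unflagged, while a bare RST is deliberately left out of the rule because a reset sent in reply to an ACK segment legitimately carries no ACK bit.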

More information

advICE: fingerprint

CVE-1999-0454: A remote attacker can sometimes identify the operating system of a host based on how it reacts to some IP or ICMP packets, using a tool such as nmap or queso.

X-Force: 2048 decod-queso

Parametric information

port: The TCP destination port.

flags: The TCP flags from the offending frame. The flags are: S (SYN), F (FIN), R (RESET), P (PUSH), A (ACK), U (URGENT), 4 (low-order unused bit), 8 (high-order unused bit).

options: The TCP options from the offending frame. The options are displayed as "option-value", separated by commas. No-ops are not displayed.

 
Version appeared: 3.0 
