Passive Aggressive!

Here is a nice tool for doing 'passive fingerprinting' and remote OS identification. I tried to dl it but had no luck, so I can't tell anything more about the tool than what the article below tells.

I guess that IntrusIDS can have some problems detecting scans that do not exist!?


Black hats use 'passive fingerprinting' to identify your operating system without you knowing it. But the technique is useful for white hats too.
By Jon Lasser, Jan 30 2002 10:02AM PT, Source: Security Focus.

On January 21st, a new version of an interesting program called p0f was released. p0f is a tool designed for passive OS fingerprinting, identifying an operating system by examining packets being passed over the local network, without sending any packets designed to elicit a response. It's a fascinating area of research, and it may solve the ethical and legal problems associated with active fingerprinting.

In active OS fingerprinting, the program sends a number of oddly-formed packets to the target system and looks at the response to those packets. Each system will respond differently to at least some of these strange or broken packets, and the "fingerprint" of these responses can be used to guess the operating system.

Active OS fingerprinting is a technique that has been around since at least 1997, though Queso, the first program to do a thorough job of fingerprinting, was apparently released in August of 1998. (That's as far back as their ChangeLog runs, at any rate.)

Today, the port-scanning tool Nmap has supplanted Queso as the OS fingerprinting tool of choice. And Fyodor, Nmap's author, had written an excellent paper about active OS fingerprinting that covers the technical details.

The full article can be viewed here.
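
The passive approach described in the article, shown as an added example (not part of the original post, the article, or p0f's own code): it reads the header fields that differ between TCP/IP stacks from one captured SYN and sends nothing. The sample packet is constructed, and the function names and the list of common initial TTL values are assumptions of this example.

```python
import struct

# TCP option kinds (RFC 793, 1323, 2018) -> short labels used in the signature.
OPT_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sok", 8: "ts"}

# Constructed sample: one IPv4 TCP SYN, 192.0.2.10 -> 192.0.2.20, checksums zeroed.
SAMPLE_SYN = bytes.fromhex(
    "4500003c1c46400039060000c000020ac0000214"  # IPv4 header: DF set, TTL 57
    "c35000500000000100000000a002721000000000"  # TCP header: SYN, window 29200
    "020405b40402080a000000010000000001030307"  # options: MSS, SACK-ok, TS, NOP, WS
)

def guess_initial_ttl(ttl):
    """Round the observed TTL up to the nearest common initial value (assumed list)."""
    return next(v for v in (32, 64, 128, 255) if ttl <= v)

def passive_signature(packet):
    """Read stack-dependent header fields from a captured SYN; nothing is sent."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4 TCP packet")
    tcp = packet[(ver_ihl & 0x0F) * 4:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    off_flags, window = struct.unpack("!HH", tcp[12:16])
    if off_flags & 0x12 != 0x02:  # SYN set, ACK clear
        raise ValueError("not an initial SYN")
    opts, layout, mss, i = tcp[20:(off_flags >> 12) * 4], [], None, 0
    while i < len(opts):
        kind = opts[i]
        layout.append(OPT_NAMES.get(kind, "?%d" % kind))
        if kind == 0:  # end of option list
            break
        if kind == 1:  # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        if kind == 2 and opts[i + 1] == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    initial = guess_initial_ttl(ttl)
    return {"ttl": ttl, "initial_ttl": initial, "hops": initial - ttl,
            "df": bool(frag & 0x4000), "window": window, "mss": mss,
            "options": ",".join(layout)}

if __name__ == "__main__":
    print(passive_signature(SAMPLE_SYN))
```

Running the same function over SYNs leaving your own hosts shows what a passive listener on the path can read about each of them.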