Is the DHCP fingerprint legal? #9
Comments
|
Interesting. That one does look off for sure. I'll check it out next
week. I should still have the raw info for it.
…On Mon, Dec 28, 2020, 12:28 AM ChenJhua ***@***.***> wrote:
https://github.com/xnih/satori/blob/fba207cc9b674a87858fed62ef8679f67a23a23c/fingerprints/dhcp.xml#L4312
The DHCP fingerprint is too long, I don't know if it is legal? And how can
I verify the fingerprint of the device
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#9>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAYEREQKDXADBPUTB54IBE3SXAXSNANCNFSM4VLVBYQQ>
.
|
Ok, looking forward to your reply, thank you very much |
|
So I can verify that is the fingerprint that Satori has been generating for a printer on my network for a year or so. I'll try to get a pcap of it as well this week and verify that there isn't a bug in satori's parsing code that is adding extra 0's there, but right now it looks like that is what the printer is actually spitting out! |
|
Thank you very much! Look forward to your pcap. |
|
Thanks for identifying this issue I finally had a chance to grab the pcap of it. Looking at wireshark there is no FF value to mark the end of the options, it is just 53, 55, 0 .... 0 and shows the packet is "broken". I'll look to see if I can figure a way in Satori to address this, but short term I'll be removing this fingerprint since it is inaccurate. |
|
Thank you for your reply.Expect betters satori. |
satori/fingerprints/dhcp.xml
Line 4312 in fba207c
The DHCP fingerprint is too long, I don't know if it is legal? And how can I verify the fingerprint of the device
The text was updated successfully, but these errors were encountered: