fl0p is a passive L7 flow fingerprinter that examines TCP/UDP/ICMP packet sequences.
It can also peek into cryptographic tunnels, tell human beings and robots apart, and perform a couple of other infosec-related tricks.
This approach differs from the techniques used by most other passive sniffers and mappers, and is advantageous in several interesting ways:
- General flow behavior remains largely unchanged regardless of whether cryptographic tunnels or other obfuscation techniques are used. As such, backdoors or firewall evasion techniques that, for example, use SSL on port 443 can be told apart from browser traffic and investigated further.
- General insight into legitimate encrypted sessions can be gained; for example, it is possible to remotely tell successful and failed SSH authentication attempts apart, and react accordingly.
- Human actions can be told apart from automated efforts: it is possible to ignore SMTP client programs, but single out humans manually interacting with the server on port 25; similarly, automated SSH login attempts can be told apart from human actions.