Snort mailing list archives

Re: Snort, Queso and iptables

From: John Sage <jsage () finchhaven com>
Date: Wed, 10 Oct 2001 06:49:51 -0700

Juergen:

This may help, see:

http://project.honeynet.org/scans/arch/scan5.txt

To quote:

"QUESTION
--------
1.  What is the purpose of these packets?

ANSWER
------
Its the OS Fingerprinting Tool, Queso"


Also see:

http://www.linux.org/apps/AppId_2014.html

"Queso identifies operating systems via the TCP packet signature ratherthan banners, daemon versions, etc. The current config file lists over80 OS's and versions. It can detect Linux Kernel versions and TCPresponses from devices such as routers, terminal servers, printers, etc."



What's kernel.org doing spitting these out?

Maybe they have a project doing OS inventory; maybe the source IP isforged...



HTH..

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."


Juergen Fiedler wrote:

Hello,

Just about every other day, snort reports a 'Possible Queso
Fingerprint attempt' from a machine at kernel.org (most frequently
mirrors.kernel.org). This is puzzling to me for several reasons:

With whitehats.com being down, I was unable to determine what a Queso
Fingerprint is. Looks like some probe of my auth port, but I have no
idea what it is actually trying to do.

I believe that the people at kernel.org are good and righteous. Why
would they try to probe my auth port.

Port 113 should be hidden behind my iptables firewall. In fact, I
tried to connect to this port from the outside and was unsuccessful.
Does snort actually analyze packets before they hit iptables? That
seems somewhat weird.

Could anyone please shed some light on one or more of my questions?

Thanks in advance,
Juergen




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort, Queso and iptables Juergen Fiedler (Oct 09)
- Re: Snort, Queso and iptables John Sage (Oct 10)
- <Possible follow-ups>
- RE: Snort, Queso and iptables Graeme Fowler (Oct 10)