Snort mailing list archives
os fingerprinting again
From: "Raber" <raber () woda-sodowa ath cx>
Date: Wed, 10 Dec 2003 13:11:50 +0100
Hi. Well, I think this was studied over and over, but I wasn't able to find a good way for Snort to do passive OS fingerprinting. I did some searching and came to a modified version of Snort 1.8 by Burak on http://www.dayioglu.net/projects/snort18-burak-hacked.tgz, which is a preprocessor/detection plugin pair built on the p0f program, and the other one I found is by "kanai", I think, and is on http://www4.big.or.jp/~kanai/unix/snort, which is a detection plugin based on p0f too (the page is in Japanese).

They both work fine, but for me they have some flaws: both log to a file only (this file grows very fast), and the "kanai" plugin doesn't maintain a cache of detected OSes (which means it adds an OS description to its logfile for every SYN packet, and since it is a detection plugin you have to build a rule to feed packets to it; this might slow Snort down). The Burak plugins, in contrast, build a cache of detected OS/IP pairs and keep them in memory (it looks like the author planned to build in some "flushing" to clear the cache when it gets full); it has a detection plugin to go with it, so to get results one has to add a rule to feed packets to it, and the file log grows as fast as with the "kanai" plugin. Building Snort with either plugin causes serious instability of my Snort; it dies after some 10-15 minutes.

I'd like to have some OS detection in a Snort box. Using p0f seems sensible (it gives good results), but I wonder where to put the code that would do it. One can extend a database output plugin to build a table of IP/OS pairs and then use them with ACID to report the OS; this seems a good idea, but it would slow database output, and it should check if the IP/OS pair is in the database already to avoid having double entries, which with a growing table would become slower and slower. The other approach I thought of is logging to a file with the detection plugin, then postprocessing the log file with Perl/PHP and feeding the results to the database for ACID.
Lastly, maybe using CGI to query p0f running in daemon mode for IP/OS pairs from ACID directly (but p0f needs src/dst ports as well to handle the query, so we must know the src/dst port of the SYN packet that p0f analysed, which might not be the packet that raised the alert in Snort).

Well, I sure hope someone will answer this, because maybe I haven't found the right existing solution for this problem. Sorry for my English, I'm not native.

Thanks
Piotr Haber
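An added example (not code from the post or from either plugin) of the log-postprocessing approach described above: it reads p0f-style log lines, keeps a bounded in-memory IP/OS cache keyed on the source address only (so the src/dst port problem of querying the p0f daemon does not arise), and yields only new or changed pairs, which is what would be inserted into the ACID database instead of one row per SYN. The log line layout and the addresses are constructed and simplified, not the exact format of any p0f version.

```python
import re
from collections import OrderedDict

# Constructed sample log in a simplified "src:port - OS -> dst:port" layout.
# This is NOT the exact output format of any p0f version; adjust LINE_RE to match yours.
SAMPLE_LOG = """\
10.0.0.5:33421 - Linux 2.4 -> 10.0.0.1:80
10.0.0.5:33422 - Linux 2.4 -> 10.0.0.1:80
10.0.0.7:1025 - Windows 2000 -> 10.0.0.1:22
10.0.0.5:33423 - Linux 2.4 -> 10.0.0.1:443
10.0.0.9:40001 - FreeBSD 4.x -> 10.0.0.1:80
10.0.0.7:1026 - Windows XP -> 10.0.0.1:80
"""

LINE_RE = re.compile(r"^(?P<ip>[\d.]+):\d+ - (?P<os>.+?) -> [\d.]+:\d+$")


class OsCache:
    """Bounded IP -> OS table. When full, the least recently seen IP is flushed,
    which is the 'flushing' the post says the Burak plugin never got."""

    def __init__(self, max_entries=1000):
        self.max_entries = max_entries
        self.entries = OrderedDict()

    def observe(self, ip, os_name):
        """Record one fingerprint. Returns True when the IP/OS pair is new or the OS
        for that IP changed (worth writing to the database), False for a repeat."""
        changed = self.entries.get(ip) != os_name
        if ip in self.entries:
            self.entries.move_to_end(ip)      # mark as recently seen
        self.entries[ip] = os_name
        if len(self.entries) > self.max_entries:
            self.entries.popitem(last=False)  # flush the oldest entry
        return changed


def dedupe_log(text, max_entries=1000):
    """Return the list of (ip, os) pairs that should reach the database,
    skipping lines that repeat an IP/OS pair already in the cache."""
    cache = OsCache(max_entries)
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # ignore lines that do not parse
        if cache.observe(m["ip"], m["os"]):
            rows.append((m["ip"], m["os"]))
    return rows
```

With a real log, feed `dedupe_log(open(path).read())` to whatever inserts rows for ACID; a very small `max_entries` shows the trade-off, since a flushed IP is reported again the next time it appears.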