Snort mailing list archives
Re: How to detect OS with Snort?
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 16 May 2012 09:17:05 -0400
On May 8, 2012, at 7:06 PM, Kevin Ross wrote:
I take it this is due to a policy enforcement in which windows is not allowed? p0f may be a more useful tool to run for this to passively try and fingerprint the OS as it passes. If you are trying to do it via user agent something like this may work: alert tcp $HOME_NET any -> any any (msg:"WINDOWS User Agent Detected"; flow:established,to_server; content:"Windows"; nocase; http_header; pcre:"/User\x2DAgent\x3A\x20[^\r\n]*Windows/Hi"; classtype:policy-violation; sid:149881; rev:1;)
User Agents can be spoofed. Easily. Trivially.
I don't think snort is the best for this though. If it is actual attacks you are better off looking at detecting attacks from existing sigs that are out there. If you don't mind me asking so we can understand what you are trying to get to: why is it you want to detect Windows machines on your network? If it is enforcement I would look at making the case for other tools such as packetfence http://www.packetfence.org/home.html but I will try and think of something if you let me know what you hope to achieve with this so I understand what you need to look at.
In OpenSource land, p0f is the best tool to go about detecting OSes. -- Joel Esler Senior Research Engineer, VRT OpenSource Community Manager Sourcefire
On 8 May 2012 14:26, Borja Luaces <borja.luaces () gmail com> wrote: Good afternoon, First of all I have to say that I am new to Snort. I am trying to create an alert rule to detect the OS but everytime I try it it seems not to work. The rule looks like the following one: alert tcp any any -> any any (content:"Windows NT";msg:"Microsoft OS detected";) Any help? Thanks for your time -- Borja Luaces Altares Administrador/Analista de Sistemas (MCSE Security,C|EH & CSSA)
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: Fwd: How to detect OS with Snort?, (continued)
- Re: Fwd: How to detect OS with Snort? Jason Haar (May 08)
- Re: Fwd: How to detect OS with Snort? waldo kitty (May 08)
- Re: Fwd: How to detect OS with Snort? Borja Luaces (May 08)
- Re: Fwd: How to detect OS with Snort? Kevin Ross (May 09)
- Re: Fwd: How to detect OS with Snort? Borja Luaces (May 09)
- Re: Fwd: How to detect OS with Snort? Peter Bates (May 09)
- Re: Fwd: How to detect OS with Snort? Paul Schmehl (May 09)
- Re: Fwd: How to detect OS with Snort? Borja Luaces (May 09)
- Re: Fwd: How to detect OS with Snort? Kevin Ross (May 09)
- Re: How to detect OS with Snort? Joel Esler (May 16)
- Re: How to detect OS with Snort? Olaf Schreck (May 16)
- Re: How to detect OS with Snort? Jason Haar (May 17)
- Re: How to detect OS with Snort? Borja Luaces (May 17)