Snort mailing list archives
Re: Snort OS Fingerprint Scan Detection
From: Y M <snort () outlook com>
Date: Fri, 4 Nov 2016 17:49:11 +0000
There are a couple of things to note.

- Is sfportscan preprocessor enabled and tweaked? This can help identify a scan, not necessarily a fingerprint scan.
- The rules that are enabled, which may alert on certain scan techniques or scan return results.
- IMHO, detecting scans is the result of collective alerts and detections against a specific host. It's not as simple as one rule identifies a fingerprint scan. Look for alerts (see point 2 above) collectively against your hosts.
- Look at the fingerprint scan documentation, it usually lists the techniques used to perform the scan. You can tailor your rules to the techniques in coordination with your protected environment.

YM

On Fri, Nov 4, 2016 at 6:09 AM +0300, "yasir al-ibrahem" <alibrahem.yasir () gmail com> wrote:

Hello,

I'm using NMAP to detect the OS type and version of another machine that hosts snort. Snort is able to detect the ICMP tests, but that doesn't clearly indicate that an OS fingerprinting attack is taking place. I'm wondering if snort has such a specific alert, and if there's any specific configuration for OS fingerprint detection.

Appreciate your help.

Regards,
Yasir Saad Al-Ibrahem
+1-312-428-0301
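
Added example (not part of the original thread and not Snort's own code): the third point in the reply, reading a fingerprint scan as several different alerts against one host, written as a small correlator over Snort fast-format alert lines. The sample lines, the 60-second window, the three-signature threshold and the assumed year are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Snort "fast" alert format (not taken from the thread).
SAMPLE_ALERTS = """\
11/04-17:49:11.100000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 198.51.100.5
11/04-17:49:11.400000  [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 192.0.2.10 -> 198.51.100.5
11/04-17:49:12.000000  [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40000 -> 198.51.100.5:1
11/04-17:49:12.500000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.77 -> 198.51.100.5
11/04-17:55:00.000000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.77 -> 198.51.100.5
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{[^}]+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

def parse_alerts(text, year=2016):
    """Yield (time, src, dst, "gid:sid", msg) for each line that parses.
    Fast alerts carry no year, so one is assumed (hypothetical default)."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
            yield ts, m["src"], m["dst"], f"{m['gid']}:{m['sid']}", m["msg"]

def correlate(text, window=timedelta(seconds=60), min_distinct=3):
    """Return {(src, dst): [messages]} where at least min_distinct different
    signatures fired from one source against one host inside the window."""
    by_pair = defaultdict(list)
    for ts, src, dst, sig, msg in parse_alerts(text):
        by_pair[(src, dst)].append((ts, sig, msg))
    findings = {}
    for pair, events in by_pair.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            # Distinct signatures seen within the window opened by this event.
            seen = {sig: msg for ts, sig, msg in events[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                findings[pair] = sorted(seen.values())
                break
    return findings

if __name__ == "__main__":
    for (src, dst), msgs in correlate(SAMPLE_ALERTS).items():
        print(f"{src} -> {dst}: {len(msgs)} distinct scan signatures: {msgs}")
```

The second source in the sample repeats a single ICMP signature and is not flagged, which matches the original poster's observation that ICMP alerts alone do not indicate fingerprinting.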