Snort mailing list archives
Passive OS fingerprinting with snort!
From: "Joseph Gresham Jr." <joe () onshore com>
Date: Wed, 16 Jul 2003 04:49:47 -0500
I recently went to a sourcefire seminar and got to learn about the IMS (http://www.sourcefire.com/products/IMS_datasheet_0403.pdf).
During this seminar we were shown the interface and its abilities (via a projector). While listening and watching I was making comparisons to the GNU homebrew systems I deal with. These consist of snort/snortcenterRC1/acid and mysql. The major ability I found the IMS system to have that my systems lacked was passive OS fingerprinting and rule tuning based on the information obtained. This approach should drastically reduce FPs but also blinds you to large scans or some DOSes (another rant).
I found a couple of tools that do passive OS fingerprinting:

Siphon: http://siphon.datanerds.net/
p0f: http://www.stearns.org/p0f/ (originally written by Michal Zalewski, http://lcamtuf.coredump.cx/p0f)

p0f is my choice due to its support for output to mysql and the tcpdump-style filtering capabilities. Anyway, it works like a charm and I haven't gotten one false ID from it yet! I had a problem getting it to play nicely with snort on a stealthed interface, but this was resolved by starting p0f first, then starting snort with the -p switch. Even with p0f filtering traffic from only one network, snort picks up all traffic!
p0f nicely outputs to 2 tables called os and pool. These are unique to each other and unique in comparison to the snort schema! I am a php nothing, but I am determined to get the same robust functionality as the IMS out of my homebrew system!
Enjoy!
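The post describes the IMS approach it wants to reproduce: fingerprint hosts passively from their TCP SYNs, then use the inferred OS to decide which Snort alerts are actually relevant to their target. The following is an added example, not code from the original post and not p0f's or Snort's own code: a toy passive fingerprinter keyed on the SYN characteristics p0f-style tools examine (initial TTL, window size, DF bit, option order), followed by an alert-triage step that drops OS-specific alerts aimed at hosts of a different OS. The signature table, IP addresses, SYN packets and alerts are all constructed for illustration and are not p0f's real signature database.

```python
"""Toy passive OS fingerprinting and OS-aware alert triage (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SynFeatures:
    """Fields of a TCP SYN that passive fingerprinters compare."""
    ttl: int          # TTL as seen on the wire (already decremented by hops)
    window: int       # initial TCP window size
    df: bool          # IP Don't Fragment bit
    options: Tuple[str, ...]  # TCP option order, e.g. ("mss", "nop", "wscale")


# Constructed signature table: hypothetical values for illustration only,
# NOT p0f's real fingerprints.
SIGNATURES: Dict[str, SynFeatures] = {
    "Linux 2.4 (constructed)":
        SynFeatures(64, 5840, True, ("mss", "sackOK", "ts", "nop", "wscale")),
    "Windows 2000 (constructed)":
        SynFeatures(128, 16384, True, ("mss", "nop", "nop", "sackOK")),
    "OpenBSD 3.x (constructed)":
        SynFeatures(64, 16384, True,
                    ("mss", "nop", "nop", "sackOK", "nop", "wscale", "nop", "nop", "ts")),
}


def initial_ttl(observed_ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value so that the
    number of hops between sensor and host does not defeat the match."""
    for candidate in (32, 64, 128, 255):
        if observed_ttl <= candidate:
            return candidate
    return 255


def fingerprint(features: SynFeatures) -> Optional[str]:
    """Return the OS label whose signature matches the SYN, or None if unknown."""
    normalised = SynFeatures(initial_ttl(features.ttl), features.window,
                             features.df, features.options)
    for label, signature in SIGNATURES.items():
        if signature == normalised:
            return label
    return None


def build_host_table(syn_packets: List[Tuple[str, SynFeatures]]) -> Dict[str, str]:
    """Map source IP -> inferred OS; hosts with no matching signature are omitted."""
    hosts: Dict[str, str] = {}
    for src_ip, features in syn_packets:
        label = fingerprint(features)
        if label is not None:
            hosts[src_ip] = label
    return hosts


def alert_is_relevant(alert: dict, hosts: Dict[str, str]) -> bool:
    """An alert tagged with a target OS family only matters if the destination
    host is of that family. Unknown hosts and untagged rules keep the alert,
    so tuning never silently discards what it cannot classify."""
    target_os = hosts.get(alert["dst"])
    if target_os is None or alert["target_family"] is None:
        return True
    return alert["target_family"].lower() in target_os.lower()


def triage(alerts: List[dict], syn_packets: List[Tuple[str, SynFeatures]]) -> List[Tuple[int, bool]]:
    """Return (sid, relevant) for each alert, using OS inferred from the SYNs."""
    hosts = build_host_table(syn_packets)
    return [(a["sid"], alert_is_relevant(a, hosts)) for a in alerts]


# Constructed sample input: SYNs observed from three hosts (hypothetical IPs).
SAMPLE_SYNS = [
    ("10.0.0.5", SynFeatures(61, 5840, True, ("mss", "sackOK", "ts", "nop", "wscale"))),   # Linux, 3 hops away
    ("10.0.0.9", SynFeatures(125, 16384, True, ("mss", "nop", "nop", "sackOK"))),           # Windows, 3 hops away
    ("10.0.0.77", SynFeatures(240, 4096, False, ("mss",))),                                  # no matching signature
]

# Constructed sample alerts; sids and families are hypothetical, not real Snort rules.
SAMPLE_ALERTS = [
    {"sid": 1001, "dst": "10.0.0.5", "target_family": "Windows"},   # IIS-style rule hitting a Linux box
    {"sid": 1001, "dst": "10.0.0.9", "target_family": "Windows"},   # same rule hitting a Windows box
    {"sid": 1002, "dst": "10.0.0.77", "target_family": "Windows"},  # destination OS unknown: keep
    {"sid": 1003, "dst": "10.0.0.5", "target_family": None},        # OS-agnostic rule: keep
]

if __name__ == "__main__":
    for sid, relevant in triage(SAMPLE_ALERTS, SAMPLE_SYNS):
        print(f"sid {sid}: {'keep' if relevant else 'suppress (target OS mismatch)'}")
```

The TTL normalisation is the part that matters most in practice: a host several hops from the sensor never shows its true initial TTL, so matching on the raw value would miss nearly every host. The triage deliberately keeps alerts for hosts it could not classify, which is the same trade-off the post alludes to: OS-based tuning removes false positives only where the fingerprint is confident.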