Snort mailing list archives
RE: Passive OS fingerprinting with snort!
From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Wed, 16 Jul 2003 08:43:23 -0500
We've been testing p0f on our sensors for a few weeks here and have come across a couple of caveats, so I figured I'd share them since you brought up the subject :-)

First, the DB logging of p0f logs one entry into the pool table for every packet that p0f is able to determine an OS for. So, if you've got a busy system with a lot of TCP SYNs coming out of it, like an HTTP proxy that's doing something on the order of 20 connections/second, you'll get something on the order of 20 log entries/second in the p0f database. To deal with that, I've got a script that goes through, currently once per hour, identifies each unique IP address and the MAX timestamp, and then deletes all entries that are older than that. Without that housekeeping, I'd rapidly run out of space.

Second, since I'm monitoring some fairly busy segments (i.e. 100 Mbit Ethernet running about 60% utilized sustained during normal load levels on some), p0f can be a CPU hog, doing somewhere around 75% CPU utilization on a dual 2.4 GHz Pentium IV running FreeBSD. Between that and snort, the load level got such that my systems management stuff started failing (i.e. I was getting paged for down boxes) even though the box was still up.

I still see value in using p0f, though. I've written a down-n-dirty CGI to query the DB, and that's been useful. Right now, my thought is that I'd like to figure out how to get my traffic to go to both my sensors _and_ to a separate p0f box/farm for analysis.

Hope this helps.

Jon

-----Original Message-----
From: Joseph Gresham Jr. [mailto:joe () onshore com]
Sent: Wednesday, July 16, 2003 4:50 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Passive OS fingerprinting with snort!

I recently went to a Sourcefire seminar and got to learn about the IMS (http://www.sourcefire.com/products/IMS_datasheet_0403.pdf). During this seminar we were shown the interface and its abilities (via a projector).
While listening and watching I was making comparisons to the GNU homebrew systems I deal with. These consist of snort/snortcenterRC1/acid and mysql. The major ability I found the IMS system to have that my systems lacked was passive OS fingerprinting and rule tuning based on the information obtained. This approach should drastically reduce FP's but also blinds you to large scans or some DOS's (another rant).

I found a couple of tools that do passive OS fingerprinting:

Siphon: http://siphon.datanerds.net/
p0f: http://www.stearns.org/p0f/ originally written by Michal Zalewski http://lcamtuf.coredump.cx/

p0f is my choice due to its support for output to mysql and the tcpdump-style filtering capabilities. Anyway, it works like a charm and I haven't gotten one false ID from it yet! I had a problem getting it to play nicely with snort on a stealthed interface, but this was resolved by starting p0f first, then starting snort with the -p switch. Even with p0f filtering traffic from only one network, snort picks up all traffic! p0f nicely outputs to 2 tables called os and pool. These are unique to each other and unique in comparison to the snort schema! I am a php nothing but I am determined to get the same robust functionality as the IMS out of my homebrew system!

Enjoy!
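Jon's hourly housekeeping (keep only the newest pool row per IP and delete everything older), as an added example that is not part of either message. It uses an in-memory SQLite table with assumed column names ip, os and ts standing in for p0f's MySQL pool table, and constructed sample rows; it also reports hosts whose fingerprint changed between entries, since that history is gone once the older rows are pruned.

```python
import sqlite3

# Constructed sample rows standing in for p0f's "pool" table.
# Column names (ip, os, ts) and OS labels are assumptions, not p0f's schema.
# Timestamps are ISO strings so lexical order equals chronological order.
SAMPLE_ROWS = [
    ("10.0.0.5", "Linux 2.4", "2003-07-16 08:00:01"),
    ("10.0.0.5", "Linux 2.4", "2003-07-16 08:00:02"),
    ("10.0.0.5", "Linux 2.4", "2003-07-16 08:00:03"),
    ("10.0.0.7", "Windows 2000", "2003-07-16 08:00:01"),
    ("10.0.0.9", "FreeBSD 4.x", "2003-07-16 08:00:02"),
    ("10.0.0.9", "Windows XP", "2003-07-16 08:00:05"),
    ("10.0.0.9", "Windows XP", "2003-07-16 08:00:06"),
]


def build_pool(rows):
    """Create the stand-in pool table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pool (ip TEXT, os TEXT, ts TEXT)")
    conn.executemany("INSERT INTO pool VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def os_changes(conn):
    """IPs seen with more than one distinct OS; run this BEFORE pruning."""
    sql = "SELECT ip FROM pool GROUP BY ip HAVING COUNT(DISTINCT os) > 1"
    return [ip for (ip,) in conn.execute(sql)]


def prune_pool(conn):
    """Delete every row that has a newer row for the same IP.

    Equivalent to: find MAX(ts) per IP, delete rows with ts < that MAX.
    Returns the number of rows removed.
    """
    cur = conn.execute(
        "DELETE FROM pool WHERE EXISTS ("
        "  SELECT 1 FROM pool AS newer"
        "  WHERE newer.ip = pool.ip AND newer.ts > pool.ts)"
    )
    conn.commit()
    return cur.rowcount


def latest_per_host(conn):
    """What the CGI would show after housekeeping: one (os, ts) per IP."""
    rows = conn.execute("SELECT ip, os, ts FROM pool ORDER BY ip")
    return {ip: (os, ts) for ip, os, ts in rows}
```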
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users