Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Fwd: How to detect OS with Snort?

From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 08 May 2012 22:09:35 -0400
On 5/8/2012 15:25, Borja Luaces wrote:


Firstly, thanks.

i know that Nmap is a better tool but the fact is that the rule is to detect
specific attacks from windows OS. The company I work for does not allow me to
install anything else. I have to do it with snort this is why I am trying that
rule but it seems not to work.


what does it matter what OS an attack originates from? detect the atack and 
drop, alert or block as necessary... what i saw your rule doing appeared to be 
only detecting possible user agents in http headers but those are faked all the 
time with valid ones appearing along with invalid ones... i can tell you that 
they are coming from all different OS' no matter what OS the UA says it is... 
witness forum spammer's tools and infiltration techniques...


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: