Re: How to detect OS with Snort?

[Kevin Ross <kevross33 () googlemail com>]

I take it this is due to a policy enforcement in which windows is not
allowed? p0f may be a more useful tool to run for this to passively try and
fingerprint the OS as it passes. If you are trying to do it via user agent
something like this may work:

alert tcp $HOME_NET any -> any any (msg:"WINDOWS User Agent Detected";
flow:established,to_server; content:"Windows"; nocase; http_header;
pcre:"/User\x2DAgent\x3A\x20[^\r\n]*Windows/Hi";
classtype:policy-violation; sid:149881; rev:1;)

I don't think snort is the best for this though. If it is actual attacks
you are better off looking at detecting attacks from existing sigs that are
out there.

If you don't mind me asking so we can understand what you are trying to get
to: why is it you want to detect Windows machines on your network? If it is
enforcement I would look at making the case for other tools such as
packetfence http://www.packetfence.org/home.html but I will try and think
of something if you let me know what you hope to achieve with this so I
understand what you need to look at.

Kindest Regards,
Kevin Ross


On 8 May 2012 14:26, Borja Luaces <borja.luaces () gmail com> wrote:

> Good afternoon,
>
> First of all I have to say that I am new to Snort.
>
> I am trying to create an alert rule to detect the OS but everytime I try
> it it seems not to work.
>
> The rule looks like the following one:
>
> alert tcp any any -> any any (content:"Windows NT";msg:"Microsoft OS
> detected";)
>
> Any help?
>
> Thanks for your time
>
> --
> Borja Luaces Altares
> Administrador/Analista de Sistemas (MCSE Security,C|EH & CSSA)
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!