Snort mailing list archives

Re: Snort OS Fingerprint Scan Detection


From: Y M <snort () outlook com>
Date: Fri, 4 Nov 2016 17:49:11 +0000

There are a couple of things to note.

- Is sfportscan preprocessor enabled and tweaked? This can help identify a scan, not necessarily a fingerprint scan.
- The rules that are enabled, which may alert on certain scan techniques or scan return results.
- IMHO, detecting scans is the result of collective alerts and detections against a specific host. It's not as simple 
as one rule identifies a fingerprint scan. Look for alerts (see point 2 above) collectively against your hosts.
- Look at the fingerprint scan documentation, it usually lists the techniques used to perform the scan. You can tailor 
your rules to the techniques in coordination with your protected environment.

YM
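Point 3 above in practice, as an added example that is not the poster's own code: a small Python script that reads Snort alert_fast-style lines (constructed sample lines with made-up sids, not real captures) and flags source/destination pairs that trigger several distinct signatures within a short window, which is the kind of collective view the reply recommends. The 60-second window and the threshold of three distinct signatures are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict

# Constructed alert_fast-style lines for this example; sids and hosts are made up.
SAMPLE_ALERTS = """\
11/04-17:40:01.000001  [**] [1:1000001:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.10
11/04-17:40:02.000002  [**] [1:1000002:1] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40001 -> 10.0.0.10:22
11/04-17:40:02.500000  [**] [1:1000003:1] SCAN nmap fingerprint attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40002 -> 10.0.0.10:80
11/04-17:40:03.000000  [**] [1:1000004:1] ICMP Timestamp Request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.10
11/04-17:41:00.000000  [**] [1:1000001:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.7 -> 10.0.0.10
"""

# timestamp [**] [gid:sid:rev] msg [**] ... {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(\S+)\s+\[\*\*\]\s+\[(\d+:\d+:\d+)\]\s+(.*?)\s+\[\*\*\].*?\{(\w+)\}\s+"
    r"(\S+?)(?::\d+)?\s+->\s+(\S+?)(?::\d+)?$"
)


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if the line does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    ts, sid, msg, proto, src, dst = m.groups()
    hh, mm, ss = (int(x) for x in ts.split("-", 1)[1].split(".")[0].split(":"))
    return {"t": hh * 3600 + mm * 60 + ss, "sid": sid, "msg": msg,
            "proto": proto, "src": src, "dst": dst}


def correlate(lines, window=60, min_distinct=3):
    """Flag (src, dst) pairs that raise >= min_distinct distinct sids within `window` seconds.

    Returns {(src, dst): sorted list of sids} for the flagged pairs only."""
    by_pair = defaultdict(list)
    for line in lines:
        alert = parse_alert(line)
        if alert:
            by_pair[(alert["src"], alert["dst"])].append(alert)
    flagged = {}
    for pair, alerts in by_pair.items():
        alerts.sort(key=lambda a: a["t"])
        for i, first in enumerate(alerts):  # slide the window from each alert
            sids = {a["sid"] for a in alerts[i:] if a["t"] - first["t"] <= window}
            if len(sids) >= min_distinct:
                flagged[pair] = sorted(sids)
                break
    return flagged


if __name__ == "__main__":
    for (src, dst), sids in correlate(SAMPLE_ALERTS.splitlines()).items():
        print(f"possible scan: {src} -> {dst}: {len(sids)} distinct signatures {sids}")
```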

On Fri, Nov 4, 2016 at 6:09 AM +0300, "yasir al-ibrahem" <alibrahem.yasir () gmail com> wrote:

Hello,

I'm using NMAP to detect the OS type and version of another machine that hosts snort.

Snort is able to detect the ICMP tests, but that doesn't clearly indicate that an OS fingerprinting attack is taking 
place.

I'm wondering if Snort has such a specific alert, and if there's any specific configuration for OS fingerprint 
detection.

Appreciate your help.

Regards,
Yasir Saad Al-Ibrahem
+1-312-428-0301