[Snort-devel] Passive Host

Burak DAYIOGLU dayioglu at ...287...
Mon Jul 23 01:57:00 EDT 2001


Hello,
I have been working on the same issue:

a. I have finished a passive OS fingerprinting plugin based on p0f.

b. I have created a rule keyword (affectedos) and the implementing
plugin.

c. With the help of Max Vision, I have tagged ALL snort rules (a few
weeks ago) with the affectedos rule option as well.

d. Max also has extended the ArachNIDS database to include affectedos
fields for my testing purposes. The field will become a standard
ArachNIDS feature as soon as the plugins are integrated into Snort.

It seems to be working in three different places. I have suggested
improving it and integrating into Snort for some time to no avail. :(

Anyone interested can download it as a 1.8-beta-extended tarball from
ftp://larva.cc.metu.edu.tr/pub/snort18-burak-hacked.tgz

thank you,
-bd

Dragos Ruiu wrote:
> 
> <fnord>splay tree<fnord>
> 
> On Fri, 20 Jul 2001, anonpoet wrote:
> > I'll finish a working patch some time this weekend.  Right now it's
> > doing a linear search through the list.  I'm going to put it in a sorted
> > list and doing a binary search through it.  There's probably a faster
> > way.  I've got it torn apart right now because I'm adding $IIS_SERVERS
> > and $APACHE_SERVERS to it.
> >
> > jason
> > jason at ...506...
> >
> > On 20 Jul 2001 11:32:37 -0700, Dragos Ruiu wrote:
> > > Interesting... esp since my new defragger will do target based reassembly.
> > > Please send me a copy of that patch...
> > >
> > > How are you storing the host list data?
> > >
> > > cheers,
> > > --dr
> > >
> > > On Fri, 20 Jul 2001, anonpoet wrote:
> > > > I'm about half way through writing an extension that allows IP lists to
> > > > be changed at runtime.  I'm trying to add some targeted IDS ability to
> > > > snort.  So you will be able to write rules like:
> > > >
> > > > alert tcp any <> $WINDOWS_BOXEN any
> > > >
> > > > and have the values of $WINDOWS_BOXEN be modified by a passive host
> > > > identification module at runtime.
> > > >
> > > > I'll probably finish up a prototype this weekend or next.  Is anyone
> > > > else interested and what features would you like put in?
> > > >
> > > >
> > > > Jason Larsen
> > > > jason at ...506...
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > Snort-devel mailing list
> > > > Snort-devel at lists.sourceforge.net
> > > > http://lists.sourceforge.net/lists/listinfo/snort-devel
> > > --
> > > Dragos Ruiu <dr at ...9...>   dursec.com ltd. / kyx.net - we're from the future
> > > gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
> > >
> > >
> >
> >
> >
> --
> Dragos Ruiu <dr at ...9...>   dursec.com ltd. / kyx.net - we're from the future
> gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
> 
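A sketch of the host table the thread is discussing, added here as an illustration (it is not Burak's plugin nor Jason's patch): a sorted array of (IPv4 host, OS class) entries that a passive fingerprinter updates at runtime, resolved with a binary search so a host variable like $WINDOWS_BOXEN or an affectedos check stays cheap per packet. The OS classes, the fixed table size and the choice to let unknown hosts still match are my assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed example: sorted table of hosts seen by the passive OS
 * fingerprinter (assumed OS classes, fixed size for illustration). */
#define MAX_HOSTS 256

typedef enum { OS_UNKNOWN = 0, OS_WINDOWS, OS_LINUX } os_class_t;
typedef struct { uint32_t ip; os_class_t os; } host_entry_t;

static host_entry_t hosts[MAX_HOSTS];
static int nhosts = 0;

/* Binary search over the sorted table. Returns the index on a hit,
 * or -(insert_position + 1) when the host is not present. */
static int host_find(uint32_t ip) {
    int lo = 0, hi = nhosts - 1;
    while (lo <= hi) {
        int mid = lo + (hi - lo) / 2;
        if (hosts[mid].ip == ip) return mid;
        if (hosts[mid].ip < ip) lo = mid + 1; else hi = mid - 1;
    }
    return -(lo + 1);
}

/* Runtime update from the fingerprinter: overwrite an existing entry or
 * insert a new one at its sorted position. Returns 0, or -1 when full. */
int host_update(uint32_t ip, os_class_t os) {
    int idx = host_find(ip);
    if (idx >= 0) { hosts[idx].os = os; return 0; }
    if (nhosts >= MAX_HOSTS) return -1;
    int pos = -idx - 1;
    memmove(&hosts[pos + 1], &hosts[pos], (size_t)(nhosts - pos) * sizeof hosts[0]);
    hosts[pos].ip = ip; hosts[pos].os = os; nhosts++;
    return 0;
}

int host_count(void) { return nhosts; }

os_class_t host_os(uint32_t ip) {
    int idx = host_find(ip);
    return idx >= 0 ? hosts[idx].os : OS_UNKNOWN;
}

/* affectedos check: a rule tagged for `wanted` fires only if the target is
 * known to run that OS class; hosts not yet fingerprinted still alert
 * (conservative choice, an assumption of this sketch). */
int affectedos_match(uint32_t dst_ip, os_class_t wanted) {
    os_class_t seen = host_os(dst_ip);
    return seen == OS_UNKNOWN || seen == wanted;
}

/* Helper to build a host-order IPv4 address from its dotted octets. */
uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}
```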
