[Snort-devel] Passive Host

Martin Roesch roesch at ...402...
Mon Jul 23 09:41:33 EDT 2001


Burak DAYIOGLU wrote:
> 
> Hello,
> I've been working on the same issue:
> 
> a. I have finished a passive OS fingerprinting plugin based on p0f.
> 
> b. I have created a rule keyword (affectedos) and the implementing
> plugin.
> 
> c. With the help of Max Vision, I have tagged ALL snort rules (a few
> weeks ago) with the affectedos rule option as well.
> 
> d. Max also has extended the ArachNIDS database to include affectedos
> fields for my testing purposes. The field will become a standard
> ArachNIDS feature as soon as the plugins are integrated into Snort.
> 
> It seems to be working in three different places. I have suggested
> improving it and integrating into Snort for some time to no avail. :(

Hey Burak, I intend to integrate it into Snort as soon as I can get the
1.8 release stable and get 1.8.1 out the door.  If all goes well, this
may be as early as next week.  Sorry for the delay, but as with
Linus/Linux, Marty doesn't scale. ;)

> Anyone interested can download it as a 1.8-beta-extended tarball from
> ftp://larva.cc.metu.edu.tr/pub/snort18-burak-hacked.tgz
> 
> thank you,
> -bd
> 
> Dragos Ruiu wrote:
> >
> > <fnord>splay tree<fnord>
> >
> > On Fri, 20 Jul 2001, anonpoet wrote:
> > > I'll finish a working patch some time this weekend.  Right now it's
> > > doing a linear search through the list.  I'm going to put it in a sorted
> > > list and do a binary search through it.  There's probably a faster
> > > way.  I've got it torn apart right now because I'm adding $IIS_SERVERS
> > > and $APACHE_SERVERS to it.
> > >
> > > jason
> > > jason at ...506...
> > >
> > > On 20 Jul 2001 11:32:37 -0700, Dragos Ruiu wrote:
> > > > Interesting... esp since my new defragger will do target based reassembly.
> > > > Please send me a copy of that patch...
> > > >
> > > > How are you storing the host list data?
> > > >
> > > > cheers,
> > > > --dr
> > > >
> > > > On Fri, 20 Jul 2001, anonpoet wrote:
> > > > > I'm about half way through writing an extension that allows IP lists to
> > > > > be changed at runtime.  I'm trying to add some targeted IDS ability to
> > > > > snort.  So you will be able to write rules like:
> > > > >
> > > > > alert tcp any <> $WINDOWS_BOXEN any
> > > > >
> > > > > and have the values of $WINDOWS_BOXEN be modified by a passive host
> > > > > identification module at runtime.
> > > > >
> > > > > I'll probably finish up a prototype this weekend or next.  Is anyone
> > > > > else interested and what features would you like put in?
> > > > >
> > > > >
> > > > > Jason Larsen
> > > > > jason at ...506...
> > > > >
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > Snort-devel mailing list
> > > > > Snort-devel at lists.sourceforge.net
> > > > > http://lists.sourceforge.net/lists/listinfo/snort-devel
> > > > --
> > > > Dragos Ruiu <dr at ...9...>   dursec.com ltd. / kyx.net - we're from the future
> > > > gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
> > > >
> > > >
> > --
> > Dragos Ruiu <dr at ...9...>   dursec.com ltd. / kyx.net - we're from the future
> > gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc

--
Martin Roesch
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org
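As an added example (not code from the thread, the hacked tarball, or Snort itself), the host-list structure anonpoet describes: a sorted array of IPv4 addresses with binary-search lookup that a passive host identification module can update at runtime while rules referencing a variable such as $WINDOWS_BOXEN query it once per packet. Function names and the in-memory layout are assumptions; Dragos's splay tree alternative is not shown.

```c
/* Added example, not code from the thread or from Snort: a sorted IPv4 host
 * list with binary-search lookup, the structure anonpoet describes for a
 * runtime-updatable rule variable such as $WINDOWS_BOXEN. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>
typedef struct {
    uint32_t *ips;  /* host-order addresses, kept sorted ascending */
    size_t n, cap;
} hostlist_t;

/* Index of the first element >= ip; equals n if every element is smaller. */
static size_t lower_bound(const hostlist_t *hl, uint32_t ip) {
    size_t lo = 0, hi = hl->n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (hl->ips[mid] < ip) lo = mid + 1; else hi = mid;
    }
    return lo;
}

/* Called by the host identifier as it classifies hosts; keeps order, ignores dups; -1 on OOM. */
int hostlist_add(hostlist_t *hl, uint32_t ip) {
    size_t pos = lower_bound(hl, ip);
    if (pos < hl->n && hl->ips[pos] == ip) return 0;
    if (hl->n == hl->cap) {
        size_t ncap = hl->cap ? hl->cap * 2 : 16;
        uint32_t *p = realloc(hl->ips, ncap * sizeof *p);
        if (!p) return -1;
        hl->ips = p; hl->cap = ncap;
    }
    memmove(hl->ips + pos + 1, hl->ips + pos, (hl->n - pos) * sizeof *hl->ips);
    hl->ips[pos] = ip;
    hl->n++;
    return 0;
}

/* O(log n) membership test: what the rule matcher runs per packet. */
int hostlist_contains(const hostlist_t *hl, uint32_t ip) {
    size_t pos = lower_bound(hl, ip);
    return pos < hl->n && hl->ips[pos] == ip;
}

/* Dotted quad to host-order address; returns 0 for unparsable input. */
uint32_t ip_from_str(const char *s) {
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1 ? ntohl(a.s_addr) : 0;
}
```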