[Snort-devel] Passive Host

anonpoet jason at ...506...
Mon Jul 23 11:42:47 EDT 2001


I posted some code a few months ago that I've been using.  This is
basically a variant I've finally integrated into the rules language.  I
should be done in the next few days.  I've updated the P0f database a little.

Jason
jason at ...506...



On 23 Jul 2001 08:57:00 +0300, Burak DAYIOGLU wrote:
> Hello,
> I have been working on the same issue:
> 
> a. I have finished a passive OS fingerprinting plugin based on p0f.
> 
> b. I have created a rule keyword (affectedos) and the implementing
> plugin.
> 
> c. With the help of Max Vision, I have tagged ALL snort rules (a few
> weeks ago) with the affectedos rule option as well.
> 
> d. Max also has extended the ArachNIDS database to include affectedos
> fields for my testing purposes. The field will become a standard
> ArachNIDS feature as soon as the plugins are integrated into Snort.
> 
> It seems to be working in three different places. I have suggested
> improving it and integrating into Snort for some time to no avail. :(
> 
> Anyone interested can download it as a 1.8-beta-extended tarball from
> ftp://larva.cc.metu.edu.tr/pub/snort18-burak-hacked.tgz
> 
> thank you,
> -bd
> 
> Dragos Ruiu wrote:
> > 
> > <fnord>splay tree<fnord>
> > 
> > On Fri, 20 Jul 2001, anonpoet wrote:
> > > I'll finish a working patch some time this weekend.  Right now it's
> > > doing a linear search through the list.  I'm going to put it in a sorted
> > > list and do a binary search through it.  There's probably a faster
> > > way.  I've got it torn apart right now because I'm adding $IIS_SERVERS
> > > and $APACHE_SERVERS to it.
> > >
> > > jason
> > > jason at ...506...
> > >
> > > On 20 Jul 2001 11:32:37 -0700, Dragos Ruiu wrote:
> > > > Interesting... esp since my new defragger will do target based reassembly.
> > > > Please send me a copy of that patch...
> > > >
> > > > How are you storing the host list data?
> > > >
> > > > cheers,
> > > > --dr
> > > >
> > > > On Fri, 20 Jul 2001, anonpoet wrote:
> > > > > I'm about half way through writing an extension that allows IP lists to
> > > > > be changed at runtime.  I'm trying to add some targeted IDS ability to
> > > > > snort.  So you will be able to write rules like:
> > > > >
> > > > > alert tcp any <> $WINDOWS_BOXEN any
> > > > >
> > > > > and have the values of $WINDOWS_BOXEN be modified by a passive host
> > > > > identification module at runtime.
> > > > >
> > > > > I'll probably finish up a prototype this weekend or next.  Is anyone
> > > > > else interested and what features would you like put in?
> > > > >
> > > > >
> > > > > Jason Larsen
> > > > > jason at ...506...
> > > > >
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > Snort-devel mailing list
> > > > > Snort-devel at lists.sourceforge.net
> > > > > http://lists.sourceforge.net/lists/listinfo/snort-devel
> > > > --
> > > > Dragos Ruiu <dr at ...9...>   dursec.com ltd. / kyx.net - we're from the future
> > > > gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
> > > >
> > > >
> > >
> > >
> > >
> > --
> > Dragos Ruiu <dr at ...9...>   dursec.com ltd. / kyx.net - we're from the future
> > gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
> > 
> 

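The runtime-updatable host list Jason describes above (a sorted list searched by binary search, feeding a rule variable like $WINDOWS_BOXEN from a passive fingerprinting module), as an added C example. This is not Snort's code and not the patch from the thread; the names host_list_t, windows_boxen, hl_add, hl_remove, hl_contains and rule_matches are assumed for illustration.

```c
/* Added example, not Snort's code or the thread's patch: a host-list variable such as
 * $WINDOWS_BOXEN as a sorted IPv4 array with binary search, updated at runtime by a fingerprinter. */
#include <stdint.h>
#include <string.h>
#define MAX_HOSTS 1024

typedef struct {
    uint32_t ip[MAX_HOSTS];  /* host-order IPv4 addresses, always kept sorted */
    size_t n;
} host_list_t;
host_list_t windows_boxen;   /* the $WINDOWS_BOXEN variable, empty until hosts are seen */

/* Binary search: index of ip if present (*found = 1), else its insertion point. */
static size_t hl_search(const host_list_t *hl, uint32_t ip, int *found)
{
    size_t lo = 0, hi = hl->n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (hl->ip[mid] == ip) { *found = 1; return mid; }
        if (hl->ip[mid] < ip) lo = mid + 1; else hi = mid;
    }
    *found = 0;
    return lo;
}

int hl_contains(const host_list_t *hl, uint32_t ip) { int f; hl_search(hl, ip, &f); return f; }
/* Fingerprinter classified a host: insert at its sorted position, no duplicates. */
int hl_add(host_list_t *hl, uint32_t ip)
{
    int f; size_t pos = hl_search(hl, ip, &f);
    if (f) return 0;                       /* already listed */
    if (hl->n >= MAX_HOSTS) return -1;     /* bounded: refuse rather than overflow */
    memmove(&hl->ip[pos + 1], &hl->ip[pos], (hl->n - pos) * sizeof hl->ip[0]);
    hl->ip[pos] = ip; hl->n++;
    return 0;
}

/* Host reclassified (e.g. reinstalled): drop it so a stale entry stops matching. */
int hl_remove(host_list_t *hl, uint32_t ip)
{
    int f; size_t pos = hl_search(hl, ip, &f);
    if (!f) return -1;
    memmove(&hl->ip[pos], &hl->ip[pos + 1], (hl->n - pos - 1) * sizeof hl->ip[0]);
    hl->n--;
    return 0;
}

/* "alert tcp any <> $WINDOWS_BOXEN any" reduces to: either endpoint is listed. */
int rule_matches(const host_list_t *boxen, uint32_t src, uint32_t dst)
{ return hl_contains(boxen, src) || hl_contains(boxen, dst); }
```

Insertion stays O(n) because of the memmove, but lookups on every packet are O(log n), which is the trade-off the thread is weighing against a linear scan.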