[Snort-devel] Passive mapper

Burak DAYIOGLU dayioglu at ...287...
Tue May 28 00:08:01 EDT 2002


Hello,
I was out of town so this is a late answer. :)

I have implemented passive operating system detection as a preprocessor
plugin along with a processor plugin to handle attack and destination OS
mismatches. According to my experiences, the plugin suite resulted in some
12% decrease in the total number of alerts. I believe that such "target-based"
prior knowledge significantly increases the NIDS's efficiency. A service map
along with an inventory of the installed network service software would go
much better than my first attempt with OS mismatch detection.

You can check http://www.dayioglu.net/publications/thesis.pdf and
http://www.dayioglu.net/publications/iscis2001.pdf.

-- 
Burak DAYIOGLU
Phone: +90 312 2103379      Fax: +90 312 2103333
http://www.dayioglu.net        ICQ UIN: 72276975
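As an added example of the target-based filtering the post describes (written for this page; not code from the thesis, the plugin, or Snort): a toy passive mapper learns each host's OS family from the TTL and window size of the SYNs it sends, and an alert filter then suppresses alerts whose signature targets an OS the destination is known not to run. The signature table, hosts, alerts and the reduction figure are all constructed sample values, not the 12% measured in the post.

```python
from collections import namedtuple
# Constructed passive-fingerprint table: (initial TTL, TCP window) -> OS family.
# Real passive mappers use many more SYN features; these are assumed sample values.
SYN_SIGNATURES = {
    (64, 5840): "linux",
    (128, 65535): "windows",
    (64, 65535): "freebsd",
}

def initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common initial value."""
    for base in (32, 64, 128, 255):
        if observed_ttl <= base:
            return base
    return 255

def build_os_map(syn_records):
    """Passive mapper: learn each host's OS from the SYN packets it sends.
    syn_records: iterable of (src_ip, observed_ttl, window_size)."""
    os_map = {}
    for src_ip, ttl, window in syn_records:
        os_map[src_ip] = SYN_SIGNATURES.get((initial_ttl(ttl), window), "unknown")
    return os_map

# An alert tagged with the OS family its signature targets ("any" if OS-independent).
Alert = namedtuple("Alert", "sid dst_ip target_os")

def filter_mismatches(alerts, os_map):
    """Drop alerts whose signature targets an OS the destination is known not to run.
    Hosts with no passive knowledge keep every alert: missing data never suppresses."""
    kept = []
    for a in alerts:
        host_os = os_map.get(a.dst_ip, "unknown")
        if a.target_os != "any" and host_os != "unknown" and host_os != a.target_os:
            continue  # attack/destination OS mismatch
        kept.append(a)
    return kept

def reduction_percent(before, after):
    return 100.0 * (len(before) - len(after)) / len(before) if before else 0.0

# Constructed sample data: three observed SYNs and seven alerts.
SAMPLE_SYNS = [("10.0.0.5", 63, 5840), ("10.0.0.7", 126, 65535), ("10.0.0.9", 60, 1234)]
SAMPLE_ALERTS = [Alert(1001, "10.0.0.5", "windows"), Alert(1002, "10.0.0.5", "linux"),
                 Alert(1003, "10.0.0.7", "windows"), Alert(1004, "10.0.0.7", "linux"),
                 Alert(1005, "10.0.0.9", "windows"), Alert(1006, "10.0.0.5", "any"),
                 Alert(1007, "10.0.0.99", "windows")]
if __name__ == "__main__":
    kept = filter_mismatches(SAMPLE_ALERTS, build_os_map(SAMPLE_SYNS))
    print(f"kept {len(kept)}/{len(SAMPLE_ALERTS)}, {reduction_percent(SAMPLE_ALERTS, kept):.1f}% fewer")
```

Alerts against hosts the mapper has not seen, or could not classify, are deliberately kept, so the filter only ever removes alerts backed by positive knowledge about the destination.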
