[Snort-devel] Passive mapper
dayioglu at ...287...
Tue May 28 00:08:01 EDT 2002
I was out of town so this is a late answer. :)
I have implemented passive operating system detection as a preprocessor
plugin along with a processor plugin to handle attack and destination OS
mismatches. According to my experiences, the plugin suite resulted in some
12% decrease in the total number of alerts. I believe that such "target
prior knowledge" significantly increases the NIDS's efficiency. A service map
along with an inventory of the installed network service software would go
much better than my first attempt with OS mismatch detection.
You can check http://www.dayioglu.net/publications/thesis.pdf and
Phone: +90 312 2103379 Fax: +90 312 2103333
http://www.dayioglu.net ICQ UIN: 72276975
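The two-plugin idea described in the post, as an added illustration that is not the author's Snort plugin code: hosts are fingerprinted passively from their own SYNs, and an alert is dropped when its signature only targets an OS the destination host was not seen running. The signature table, the SYN observations and the alerts are constructed for the example.

```python
# Added example: passive OS mapping plus attack/target-OS mismatch filtering.
# Signature table, traffic and alerts below are all constructed.
from collections import Counter

# Deliberately tiny table keyed on (initial TTL, TCP window, DF bit);
# real passive fingerprinters use many more fields.
OS_SIGNATURES = {
    (128, 65535, True): "windows",
    (128, 8192, True): "windows",
    (64, 5840, True): "linux",
    (64, 65535, True): "freebsd",
}

def initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common initial value."""
    for start in (32, 64, 128, 255):
        if observed_ttl <= start:
            return start
    return 255

def build_host_map(syn_packets):
    """Vote per source IP over its SYNs; majority guess wins, else unknown."""
    votes = {}
    for src, ttl, window, df in syn_packets:
        guess = OS_SIGNATURES.get((initial_ttl(ttl), window, df), "unknown")
        votes.setdefault(src, Counter())[guess] += 1
    return {ip: c.most_common(1)[0][0] for ip, c in votes.items()}

def filter_alerts(alerts, host_map):
    """Keep an alert if its target-OS set covers the destination's detected OS.
    Hosts with no fingerprint are kept (fail open) so mapping gaps never hide attacks."""
    kept = []
    for alert in alerts:
        dst_os = host_map.get(alert["dst"], "unknown")
        if dst_os == "unknown" or dst_os in alert["target_os"]:
            kept.append(alert)
    return kept

# Constructed SYNs: (src_ip, observed_ttl, window, df)
SYNS = [
    ("10.0.0.5", 126, 65535, True), ("10.0.0.5", 125, 65535, True),
    ("10.0.0.9", 61, 5840, True),
    ("10.0.0.7", 60, 1024, False),  # matches nothing -> unknown
]
# Constructed alerts: each rule states which OS the attack applies to.
ALERTS = [
    {"sid": 1, "dst": "10.0.0.9", "target_os": {"windows"}},          # mismatch
    {"sid": 2, "dst": "10.0.0.5", "target_os": {"windows"}},          # match
    {"sid": 3, "dst": "10.0.0.9", "target_os": {"linux", "freebsd"}}, # match
    {"sid": 4, "dst": "10.0.0.7", "target_os": {"linux"}},            # unknown host
]

def demo():
    hosts = build_host_map(SYNS)
    return hosts, [a["sid"] for a in filter_alerts(ALERTS, hosts)]
```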