[Snort-users] Snort, Queso and iptables

John Sage jsage at ...2022...
Wed Oct 10 06:51:16 EDT 2001


Juergen:

This may help, see:

http://project.honeynet.org/scans/arch/scan5.txt

To quote:

"QUESTION
--------
1.  What is the purpose of these packets?

ANSWER
------
It's the OS Fingerprinting Tool, Queso"


Also see:

http://www.linux.org/apps/AppId_2014.html

"Queso identifies operating systems via the TCP packet signature rather 
than banners, daemon versions, etc. The current config file lists over 
80 OS's and versions. It can detect Linux Kernel versions and TCP 
responses from devices such as routers, terminal servers, printers, etc."


What's kernel.org doing spitting these out?

Maybe they have a project doing OS inventory; maybe the source IP is 
forged...


HTH..

- John

-- 
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."


Juergen Fiedler wrote:

> Hello,
> 
> Just about every other day, snort reports a 'Possible Queso
> Fingerprint attempt' from a machine at kernel.org (most frequently
> mirrors.kernel.org). This is puzzling to me for several reasons:
> 
> With whitehats.com being down, I was unable to determine what a Queso
> Fingerprint is. Looks like some probe of my auth port, but I have no
> idea what it is actually trying to do.
> 
> I believe that the people at kernel.org are good and righteous. Why
> would they try to probe my auth port?
> 
> Port 113 should be hidden behind my iptables firewall. In fact, I
> tried to connect to this port from the outside and was unsuccessful.
> Does snort actually analyze packets before they hit iptables? That
> seems somewhat weird.
> 
> Could anyone please shed some light on one or more of my questions?
> 
> Thanks in advance,
> Juergen
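An added example, not part of either message above and not Queso's or Snort's own code: decoding the TCP flag byte that separates a fingerprinting probe from an ordinary connection attempt, and checking it against the rule that produces the alert. It assumes (this is not stated on the page) that the Snort rule behind "Possible Queso Fingerprint attempt" matched a SYN carrying both formerly reserved bits of the flag byte, spelled `flags:S12` in Snort, with exact-match semantics; RFC 3168 later assigned those two bits to ECN (ECE and CWR), and an ECN-capable host sets exactly that combination on its initial SYN. The header bytes, port numbers and sample names are constructed for the example, not captured traffic.

```python
import struct

# TCP flag bits (byte 13 of the TCP header). ECE and CWR occupy the two
# bits that were "reserved" before RFC 3168 assigned them to ECN.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH",
              ACK: "ACK", URG: "URG", ECE: "ECE", CWR: "CWR"}

# Letters of Snort's "flags:" option in bit order; "1" and "2" are the
# reserved bits (assumption: this is how the classic rule spelled them).
SNORT_LETTERS = "FSRPAU12"

# Assumed shape of the old rule: flags:S12 with no modifier, i.e. exactly
# SYN plus both reserved bits and nothing else.
QUESO_RULE_FLAGS = SYN | ECE | CWR


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header (no options, zero checksum) for testing."""
    data_offset = 5 << 4  # 5 words = 20 bytes, reserved nibble zero
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 5840, 0, 0)


def flags_from_tcp_header(hdr: bytes) -> int:
    """Return the flag byte of a raw TCP header (offset 13)."""
    if len(hdr) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    return hdr[13]


def flag_names(flags: int) -> list:
    """Human-readable names of the set bits."""
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]


def snort_flag_spec(flags: int) -> str:
    """Spell a flag byte the way Snort's 'flags:' option does, e.g. 0xC2 -> 'S12'."""
    return "".join(letter for i, letter in enumerate(SNORT_LETTERS) if flags & (1 << i))


def queso_rule_matches(flags: int) -> bool:
    """Exact-match semantics of the assumed 'flags:S12' rule (no '+' or '*' modifier)."""
    return flags == QUESO_RULE_FLAGS


def classify(flags: int) -> str:
    """
    Label a TCP flag combination:
      ecn-syn    SYN+ECE+CWR only: RFC 3168 ECN negotiation by a normal stack
      anomalous  combinations a conforming stack never sends and fingerprinting
                 tools like to probe with (null, SYN+FIN, SYN+RST, FIN or PSH
                 or reserved bits without any SYN/ACK context)
      normal     anything else
    """
    if flags == SYN | ECE | CWR:
        return "ecn-syn"
    if flags == 0:
        return "anomalous"
    if flags & SYN and flags & (FIN | RST):
        return "anomalous"
    if flags & (FIN | PSH | URG | ECE | CWR) and not flags & (SYN | ACK):
        return "anomalous"
    return "normal"


# Constructed sample headers (not real traffic): what an ECN-capable host's
# SYN to auth/113 looks like next to a plain SYN and two genuine probe shapes.
SAMPLES = {
    "ecn-capable syn to auth/113": build_tcp_header(40001, 113, SYN | ECE | CWR),
    "plain syn": build_tcp_header(40002, 113, SYN),
    "syn+fin probe": build_tcp_header(40003, 113, SYN | FIN),
    "null probe": build_tcp_header(40004, 113, 0),
}


def analyze(samples=SAMPLES) -> dict:
    """Map each sample name to (Snort flag spec, assumed rule hit, classification)."""
    out = {}
    for name, hdr in samples.items():
        f = flags_from_tcp_header(hdr)
        out[name] = (snort_flag_spec(f), queso_rule_matches(f), classify(f))
    return out


if __name__ == "__main__":
    for name, (spec, hit, label) in analyze().items():
        print(f"{name:30} flags={spec:5} rule={'HIT ' if hit else 'miss'} {label}")
```

Under the assumed rule the ECN-style SYN is the only sample that fires, while the SYN+FIN and null probes pass silently, so an alert on its own does not say whether the sender is fingerprinting or merely ECN-capable; the flag byte of the offending packet (visible in the Snort log) is what decides it. On the iptables question: Snort reads the interface through libpcap, which hands it a copy of every frame at the device layer before the netfilter INPUT chain gets to drop it, so seeing alerts for a port that the firewall blocks from the outside is expected behaviour rather than a sign the filter is leaking.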
