[Snort-users] Passive OS Detection

Joshua Wright Joshua.Wright at ...2031...
Tue Sep 18 07:29:09 EDT 2001



Has anyone given any thought to adding passive OS detection as a
reporting option - either through Snort directly, or perhaps as an
option in ACID?

Lance Spitzner wrote a paper called "Know Your Enemy: Passive
Fingerprinting - IDing remote hosts, without them knowing" in which
he describes a scenario where we watch TTL, Window Size, DF bit and
TOS to make a guess as to the remote OS type.
(http://project.honeynet.org/papers/finger/).

I find myself manually looking up information in ACID to make the
remote OS determination from time to time, and think it would be
another nice-to-have to add to the TODO list.  A proof-of-concept
perl tool is available at
http://project.honeynet.org/papers/finger/passfing.tar.gz.

Thoughts?

- -Joshua Wright
Team Leader, Networks and Systems
Johnson & Wales University
Joshua.Wright at ...2031... 

pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD44B4A73
fingerprint: FD A5 12 FC F3 91 37 40 E0 AE BD B6 8F E2 FC 0A D4 4B 4A 73



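The matching step the post describes (TTL, window size, DF bit and TOS looked up in a signature table), as an added example written for this thread, not passfing or any Snort/ACID code. The signature table entries and the SYN packet bytes are constructed for illustration; real tables come from observed traffic.

```python
import struct

# Constructed, illustrative signature table: (initial TTL, window, DF, TOS) -> label.
# These are not measured values for any real OS; replace with observed fingerprints.
SIGNATURES = {
    (64, 5840, True, 0): "example-unix-like",
    (128, 65535, True, 0): "example-windows-like",
}

def initial_ttl(ttl):
    """Map an observed (already decremented) TTL back to a likely initial value."""
    for candidate in (32, 64, 128, 255):
        if ttl <= candidate:
            return candidate
    return 255

def parse_syn(packet):
    """Extract (initial TTL, window, DF, TOS) from raw IPv4 + TCP header bytes."""
    ver_ihl, tos, _total, _ident, frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    df = bool(frag & 0x4000)            # Don't Fragment flag in the IP header
    tcp = packet[ihl:ihl + 20]
    _sport, _dport, _seq, _ack, offset_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    if not (offset_flags & 0x02):       # only the initial SYN carries the default window
        raise ValueError("not a SYN")
    return (initial_ttl(ttl), window, df, tos)

def guess_os(packet):
    """Return the signature label for a SYN, or 'unknown' if nothing matches."""
    return SIGNATURES.get(parse_syn(packet), "unknown")

def build_syn(ttl, window, df, tos):
    """Construct a minimal IPv4 + TCP SYN header for testing (checksums left zero)."""
    frag = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 1, frag, ttl, 6, 0, bytes(4), bytes(4))
    tcp = struct.pack("!HHIIHHHH", 12345, 80, 1, 0, (5 << 12) | 0x02, window, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    # A SYN that has crossed two hops from a 64-TTL sender (constructed sample)
    print(guess_os(build_syn(62, 5840, True, 0)))
```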



