[Snort-users] os fingerprinting again
raber at ...10735...
Thu Dec 11 01:10:00 EST 2003
Well i think this was studied over and over but i wasn't able to find good
way for snort to do passive OS fingerprinting.
Done some searching and come to modified version of snort 1.8 by Burak on
http://www.dayioglu.net/projects/snort18-burak-hacked.tgz wich is
preprocessor/detection plugin pair build on p0f program, and the other one i
found is by "kanai" i think and is on http://www4.bi
g.or.jp/~kanai/unix/snort wich is detection plugin based on p0f too (page is
They both work fine, but for me have some flaws, both log to file only (this
file grows very fast) and "kanai" plugin doesn't maintain cache of detected
OS's (wich means it adds an os description to its logfile for every SYN
packet, and for it is a detection plugin you have to bulid a rule to feed
packets to it - this might slow snort down).
The Burak plugins in contrary bulids a cache of detected OS-IP pairs and
keeps them in memory (looks like author planned to build in some "flushing"
to clear the cache when it gets full), it has detection plugin to go with it
so to get results one have add a rule to feed packets to it - the file log
grows as fast as with "kanai" plugin.
Building snort with either plugin causes serious instability of my snort, it
dies after some 10-15 minutes.
I'd like to have some OS detection in a snort box, using p0f seems sensible
(it gives good results) but i wonder where to put a code that would do it.
One can extend a database output plugin to build a table of IP/OS pairs and
then use them with acid to report OS, this seem good idea but would slow
database output and it should check if IP/OS pair is in database already to
avoid having double entries wich with growing table would become slower and
The other approach i thought of is logging to file with detection plugin the
postprocessing the log file with perl/php and feeding the results to
database for acid.
For last maybe using cgi to query p0f running in daemon mode for IP/OS
pairs from acid directly (but p0f needs src/dst ports as well to handle the
query, so we must know the src/dst port for SYN packet that p0f analysed
wich might not be the packet that raised alert in snort)
Well i sure hope somone will answer this, cause maybe i haven't found the
right existing solution for this problem
sorry for my english, i'm not native
Thanks Piotr Haber
More information about the Snort-users