[Snort-users] Passive OS fingerprinting with snort!
Joseph Gresham Jr.
joe at ...7531...
Wed Jul 16 02:47:12 EDT 2003
I recently went to a Sourcefire seminar and got to learn about the IMS.
During this seminar we were shown the interface and its abilities (via
a projector). While listening and watching I was making comparisons to
the GNU homebrew systems I deal with. These consist of
snort/snortcenterRC1/acid and mysql. The major ability I found the IMS
system to have that my systems lacked was passive OS fingerprinting and
rule tuning based on the information obtained. This approach should
drastically reduce FP's but also blinds you to large scans or some DOS's.

I found a couple tools that do passive OS fingerprinting;
originally written by Michal Zalewski http://lcamtuf.coredump.cx/
p0f is my choice due to its support for output to mysql and the tcpdump
style filtering capabilities. Anyway it works like a charm and I haven't
gotten one false ID from it yet! I had a problem getting it to play
nicely with snort on a stealthed interface, but this was resolved by
starting p0f first then starting snort with the -p switch. Even with
p0f filtering traffic from only one network snort picks up all traffic!

p0f nicely outputs to 2 tables called os and pool. These are unique to
each other and unique in comparison to the snort schema! I am a php
nothing but I am determined to get the same robust functionality as the
IMS out of my homebrew system!
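The rule tuning the post describes, as an added example that is not part of the original message or of p0f/snort: alerts whose signature targets one OS are suppressed when the passive fingerprint says the destination host runs a different OS, while scan and DoS alerts are never suppressed (the "blinds you" caveat). The record layouts, the sample fingerprints and the sample alerts are constructed for this example and do not reproduce p0f's actual os/pool tables or snort's schema.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed record layouts (assumptions, not the real p0f/snort schemas).
@dataclass
class Fingerprint:
    ip: str
    os_family: str            # OS family as a passive fingerprinter guessed it

@dataclass
class Alert:
    sid: int
    dst_ip: str
    msg: str
    target_os: Optional[str]  # OS the signature's exploit applies to; None = any
    category: str             # "exploit", "scan", "dos", ...

# Fingerprint-based tuning cannot reason about scans or floods; filtering
# them is exactly what would blind you to large scans or DoS traffic.
NEVER_SUPPRESS = {"scan", "dos"}

def tune_alerts(alerts: List[Alert],
                fingerprints: List[Fingerprint]) -> Tuple[List[Alert], List[Alert]]:
    """Return (kept, suppressed). An alert is suppressed only when the host was
    fingerprinted, the signature is OS-specific, and the two families differ.
    Hosts with no fingerprint are left alone (no evidence, no suppression)."""
    fp_by_ip = {f.ip: f.os_family.lower() for f in fingerprints}
    kept, suppressed = [], []
    for a in alerts:
        host_os = fp_by_ip.get(a.dst_ip)
        if (a.category not in NEVER_SUPPRESS and a.target_os is not None
                and host_os is not None and host_os != a.target_os.lower()):
            suppressed.append(a)
        else:
            kept.append(a)
    return kept, suppressed

# Constructed sample data.
FINGERPRINTS = [Fingerprint("10.0.0.5", "Windows"), Fingerprint("10.0.0.7", "Linux")]
ALERTS = [
    Alert(1001, "10.0.0.5", "Windows-only web exploit attempt", "Windows", "exploit"),
    Alert(1002, "10.0.0.7", "Windows-only web exploit attempt", "Windows", "exploit"),
    Alert(1003, "10.0.0.9", "Windows-only web exploit attempt", "Windows", "exploit"),
    Alert(2001, "10.0.0.7", "portscan detected", None, "scan"),
    Alert(3001, "10.0.0.7", "SYN flood against host", "Windows", "dos"),
]

def demo() -> Tuple[List[int], List[int]]:
    kept, suppressed = tune_alerts(ALERTS, FINGERPRINTS)
    return [a.sid for a in kept], [a.sid for a in suppressed]

if __name__ == "__main__":
    print(demo())
```

Only sid 1002 is dropped: a Windows-specific exploit aimed at a host fingerprinted as Linux; the unfingerprinted host, the scan and the DoS alert all survive.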