[Snort-users] Passive OS fingerprinting with snort!

Joseph Gresham Jr. joe at ...7531...
Wed Jul 16 02:47:12 EDT 2003


I recently went to a sourcefire seminar and got to learn about the IMS 
(http://www.sourcefire.com/products/IMS_datasheet_0403.pdf).

During this seminar we were shown the interface and its abilities (via 
a projector).  While listening and watching I was making comparisons to 
the GNU homebrew systems I deal with.  These consist of 
snort/snortcenterRC1/acid and mysql.  The major ability I found the IMS 
system to have that my systems lacked was passive OS fingerprinting and 
rule tuning based on the information obtained.  This approach should 
drastically reduce FP's but also blinds you to large scans or some DoS's 
(another rant). 

I found a couple of tools that do passive OS fingerprinting:
Siphon: http://siphon.datanerds.net/
p0f: http://www.stearns.org/p0f/
originally written by Michal Zalewski http://lcamtuf.coredump.cx/

p0f is my choice due to its support for output to mysql and the tcpdump 
style filtering capabilities.  Anyway, it works like a charm and I haven't 
gotten one false ID from it yet!  I had a problem getting it to play 
nicely with snort on a stealthed interface, but this was resolved by 
starting p0f first then starting snort with the -p switch.  Even with 
p0f filtering traffic from only one network snort picks up all traffic!

p0f nicely outputs to 2 tables called os and pool.  These are unique to 
each other and unique in comparison to the snort schema!  I am a php 
nothing but I am determined to get the same robust functionality as the 
IMS out of my homebrew system! 

Enjoy!
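The two ideas in the post above (passive fingerprinting of TCP SYNs in the p0f style, then tuning alerts by the fingerprinted OS of the target host) as an added worked example. This is not code from the original post, from p0f, or from Snort: the signature table, the SYN packets, the alert messages and the rule-prefix-to-OS mapping are all constructed for illustration and only loosely mimic the fields p0f keys on (initial TTL, window size, DF bit, TCP option layout). It also shows the caveat the post raises: alerts against hosts with no fingerprint are kept, and suppressed alerts are counted rather than silently dropped, so a large scan does not vanish.

```python
"""
p0f-style passive OS fingerprinting of TCP SYNs plus OS-aware alert tuning.
Added example; not p0f's or Snort's code, and the signatures are illustrative.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SynFields:
    """Fields a passive fingerprinter extracts from a client's SYN packet."""
    src: str
    ttl: int          # TTL as observed on the wire (initial TTL minus hops)
    window: int       # advertised TCP window
    df: bool          # IP Don't Fragment bit
    mss: int          # MSS option value
    options: tuple    # TCP option layout in wire order


# Constructed signature table: (label, initial TTL, window rule, DF, option layout).
# A window rule of "S4" means "4 * MSS"; an int is an absolute window size.
# These values are illustrative assumptions, NOT copied from p0f's database.
SIGNATURES = [
    ("Linux 2.4/2.6 (illustrative)", 64, "S4", True, ("MSS", "SACK", "TS", "NOP", "WS")),
    ("Windows 2000/XP (illustrative)", 128, 65535, True, ("MSS", "NOP", "NOP", "SACK")),
    ("FreeBSD 4.x (illustrative)", 64, 65535, True, ("MSS", "NOP", "WS", "NOP", "NOP", "TS")),
]

INITIAL_TTLS = (32, 64, 128, 255)


def guess_initial_ttl(ttl: int) -> int:
    """Observed TTL = initial TTL - hop count; the sender's initial TTL is
    the smallest common initial value at or above the observed one."""
    for t in INITIAL_TTLS:
        if ttl <= t:
            return t
    return 255


def window_matches(rule, fields: SynFields) -> bool:
    if isinstance(rule, str) and rule.startswith("S"):
        return fields.window == int(rule[1:]) * fields.mss
    return fields.window == rule


def fingerprint(fields: SynFields) -> Tuple[Optional[str], int]:
    """Return (OS label or None, estimated hop count) for one SYN."""
    initial = guess_initial_ttl(fields.ttl)
    hops = initial - fields.ttl
    for label, ittl, wrule, df, opts in SIGNATURES:
        if (ittl == initial and fields.df == df
                and fields.options == opts and window_matches(wrule, fields)):
            return label, hops
    return None, hops


def build_host_table(syns) -> dict:
    """Map source IP -> OS label, the role p0f's 'os' table plays."""
    table = {}
    for s in syns:
        label, _ = fingerprint(s)
        if label:
            table[s.src] = label
    return table


# Constructed mapping of Snort rule-message prefix -> OS family the rule targets.
RULE_OS = {"WEB-IIS": "Windows", "WEB-FRONTPAGE": "Windows"}


def os_family(label: str) -> str:
    return label.split()[0]


def tune_alerts(alerts, host_os) -> Tuple[list, list]:
    """Split alerts into (kept, suppressed). An alert is suppressed only when
    its rule targets a known OS family AND the destination host has been
    fingerprinted as a different family; unfingerprinted hosts keep alerts."""
    kept, suppressed = [], []
    for a in alerts:
        wanted = RULE_OS.get(a["msg"].split()[0])
        actual = host_os.get(a["dst"])
        if wanted and actual and os_family(actual) != wanted:
            suppressed.append(a)
        else:
            kept.append(a)
    return kept, suppressed


# Constructed sample SYNs: a Linux client 3 hops away, a Windows client 3 hops
# away, and a box whose SYN matches nothing in the table.
SAMPLE_SYNS = [
    SynFields("10.0.0.5", 61, 5840, True, 1460, ("MSS", "SACK", "TS", "NOP", "WS")),
    SynFields("10.0.0.7", 125, 65535, True, 1460, ("MSS", "NOP", "NOP", "SACK")),
    SynFields("10.0.0.9", 250, 16384, False, 1460, ("MSS",)),
]

# Constructed Snort-style alerts (messages are made up for this example).
SAMPLE_ALERTS = [
    {"msg": "WEB-IIS example request (constructed)", "dst": "10.0.0.5"},  # Linux target
    {"msg": "WEB-IIS example request (constructed)", "dst": "10.0.0.7"},  # Windows target
    {"msg": "WEB-IIS example request (constructed)", "dst": "10.0.0.9"},  # unknown target
    {"msg": "SCAN example probe (constructed)", "dst": "10.0.0.5"},       # no OS mapping
]

if __name__ == "__main__":
    hosts = build_host_table(SAMPLE_SYNS)
    kept, dropped = tune_alerts(SAMPLE_ALERTS, hosts)
    print("fingerprinted:", hosts)
    print("kept %d alerts, suppressed %d (do not hide this count)" % (len(kept), len(dropped)))
```

The suppressed count is the part worth keeping visible in a real deployment: a scan that hits hundreds of Linux hosts with IIS rules would otherwise disappear entirely, which is exactly the blind spot the post warns about.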





