[Snort-users] Passive OS fingerprinting with snort!

Williams Jon WilliamsJonathan at ...2134...
Wed Jul 16 06:44:03 EDT 2003

We've been testing p0f on our sensors for a few weeks here and have come
across a couple of caveats, so I figured I'd share them since you brought up
the subject :-)

First, the DB logging of p0f logs one entry into the pool table for every
packet that p0f is able to determine an OS for.  So, if you've got a busy
system with a lot of TCP SYNs coming out of it, like a HTTP proxy, that's
doing something on the order of 20 connections/second, you'll get something
on the order of 20 log entries/second in the p0f database.  To deal with
that, I've got a script that goes through, currently once per hour,
identifies each unique IP address and the MAX timestamp and then deletes all
entries that are older than that.  Without that housekeeping, I'd rapidly
run out of space.

Second, since I'm monitoring some fairly busy segments (i.e. 100 mbit
ethernet running about 60% utilized sustained during normal load levels on
some), p0f can be a CPU hog doing somewhere around 75% CPU utilization on a
dual 2.4 ghz Pentium IV running FreeBSD.  Between that and snort, the load
level got such that my systems management stuff started failing (i.e. I was
getting paged for down boxes) even though the box was still up.

I still see value in using p0f, though.  I've written a down-n-dirty CGI to
query the DB, and that's been useful.  Right now, my thought is that I'd
like to figure out how to get my traffic to go to both my sensors _and_ to a
seperate p0f box/farm for analysis.

Hope this helps.


-----Original Message-----
From: Joseph Gresham Jr. [mailto:joe at ...7531...]
Sent: Wednesday, July 16, 2003 4:50 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Passive OS fingerprinting with snort!

I recently went to a sourcefire seminar and got to learn about the IMS 

During this seminar we were shown the interface and it's abilities (via 
a projector).  While listening and watching I was making comparisons to 
the GNU homebrew systems I deal with.  These consist of 
snort/snortcenterRC1/acid and mysql.  The major ability I found the IMS 
system to have that my systems lacked was passive OS fingerprinting and 
rule tuning based on the information obtained.  This approach should 
drastically reduce FP's but also blinds you to large scans or some DOS's 
(another rant). 

I found a couple tools that do passive os fingerprinting;
Siphon: http://siphon.datanerds.net/
p0f: http://www.stearns.org/p0f/
originaly written by Michal Zalewski http://lcamtuf.coredump.cx/

p0f is my choice due to it's support for output to mysql and the tcpdump 
style filtering capabilities.  Anyway it works like a charm and I havent 
gotten one false ID from it yet!  I had a problem getting it to play 
nicely with snort on a stealthed interface, but this was resolved by 
starting p0f first then starting snort with the -p switch.  Even with 
p0f filtering traffic from only one network snort picks up all traffic!

p0f nicely outputs to 2 tables calles os and pool.  These are unique to 
each other and unique in comparison to the snort schema!  I am a php 
nothing but I am determined to get the same robust functionality as the 
IMS out of my homebrew system! 


This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list