[Snort-users] Passive OS fingerprinting with snort!
WilliamsJonathan at ...2134...
Wed Jul 16 06:44:03 EDT 2003
We've been testing p0f on our sensors for a few weeks here and have come
across a couple of caveats, so I figured I'd share them since you brought up
the subject :-)
First, the DB logging of p0f logs one entry into the pool table for every
packet that p0f is able to determine an OS for. So, if you've got a busy
system with a lot of TCP SYNs coming out of it, like a HTTP proxy, that's
doing something on the order of 20 connections/second, you'll get something
on the order of 20 log entries/second in the p0f database. To deal with
that, I've got a script that goes through, currently once per hour,
identifies each unique IP address and the MAX timestamp and then deletes all
entries that are older than that. Without that housekeeping, I'd rapidly
run out of space.
Second, since I'm monitoring some fairly busy segments (i.e. 100 Mbit
Ethernet running about 60% utilized sustained during normal load levels on
some), p0f can be a CPU hog, doing somewhere around 75% CPU utilization on a
dual 2.4 GHz Pentium IV running FreeBSD. Between that and snort, the load
level got such that my systems management stuff started failing (i.e. I was
getting paged for down boxes) even though the box was still up.
I still see value in using p0f, though. I've written a down-n-dirty CGI to
query the DB, and that's been useful. Right now, my thought is that I'd
like to figure out how to get my traffic to go to both my sensors _and_ to a
separate p0f box/farm for analysis.
Hope this helps.
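The hourly housekeeping described above (keep, for each unique IP, only the row with the newest timestamp and delete everything older) as an added, self-contained example; this is not the poster's script or p0f's own code. It uses an in-memory SQLite table with assumed column names (`ip`, `os`, `ts`) standing in for the MySQL `pool` table, and constructed sample rows; the tie-break on `id` is an addition so that two entries logged in the same second do not both survive.

```python
import sqlite3

# Constructed sample "pool" rows: (source IP, OS guess, timestamp).
# Column names are an assumption for this example, not p0f's real schema.
# 10.0.0.5 is the "busy proxy" case with two entries in the same second.
SAMPLE_ROWS = [
    ("10.0.0.5",  "Linux 2.4",    "2003-07-16 06:00:01"),
    ("10.0.0.5",  "Linux 2.4",    "2003-07-16 06:00:05"),
    ("10.0.0.5",  "Linux 2.4",    "2003-07-16 06:00:05"),  # same-second tie
    ("10.0.0.9",  "Windows 2000", "2003-07-16 05:59:40"),
    ("10.0.0.9",  "Windows XP",   "2003-07-16 06:01:10"),  # guess changed
    ("10.0.0.17", "FreeBSD 4.x",  "2003-07-16 06:02:00"),
]


def open_sample_pool():
    """Create an in-memory pool table loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pool ("
        " id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " ip TEXT NOT NULL, os TEXT NOT NULL, ts TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO pool (ip, os, ts) VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def housekeep(conn):
    """Delete every row that has a newer row for the same IP.

    The newest timestamp per IP survives; if two rows share that
    timestamp, the one with the higher id wins so exactly one row
    per IP remains. Returns the number of rows deleted.
    """
    cur = conn.execute(
        """
        DELETE FROM pool
         WHERE EXISTS (
               SELECT 1 FROM pool AS newer
                WHERE newer.ip = pool.ip
                  AND (newer.ts > pool.ts
                       OR (newer.ts = pool.ts AND newer.id > pool.id)))
        """
    )
    conn.commit()
    return cur.rowcount


def remaining(conn):
    """Rows left after housekeeping, ordered by IP (string order)."""
    return conn.execute("SELECT ip, os, ts FROM pool ORDER BY ip").fetchall()


def last_os_for(conn, ip):
    """The kind of lookup a query CGI would do: latest OS guess for one IP."""
    row = conn.execute(
        "SELECT os, ts FROM pool WHERE ip = ? ORDER BY ts DESC, id DESC LIMIT 1",
        (ip,),
    ).fetchone()
    return row


if __name__ == "__main__":
    db = open_sample_pool()
    print("deleted:", housekeep(db))
    for r in remaining(db):
        print(r)
```

Two caveats worth knowing before running the same DELETE against the real MySQL database: MySQL rejects a DELETE whose subquery reads from the table being deleted from (error 1093), so there you first SELECT the per-IP maxima into a temporary table and join against that; and this housekeeping discards history, so an address whose fingerprint changes over time (NAT gateways, dual-boot hosts) keeps only its newest guess.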
From: Joseph Gresham Jr. [mailto:joe at ...7531...]
Sent: Wednesday, July 16, 2003 4:50 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Passive OS fingerprinting with snort!
I recently went to a Sourcefire seminar and got to learn about the IMS.
During this seminar we were shown the interface and its abilities (via
a projector). While listening and watching I was making comparisons to
the GNU homebrew systems I deal with. These consist of
snort/snortcenterRC1/acid and mysql. The major ability I found the IMS
system to have that my systems lacked was passive OS fingerprinting and
rule tuning based on the information obtained. This approach should
drastically reduce FPs but also blinds you to large scans or some DoS attacks.
I found a couple of tools that do passive OS fingerprinting;
originally written by Michal Zalewski http://lcamtuf.coredump.cx/
p0f is my choice due to its support for output to mysql and the tcpdump
style filtering capabilities. Anyway it works like a charm and I haven't
gotten one false ID from it yet! I had a problem getting it to play
nicely with snort on a stealthed interface, but this was resolved by
starting p0f first then starting snort with the -p switch. Even with
p0f filtering traffic from only one network snort picks up all traffic!
p0f nicely outputs to 2 tables called os and pool. These are unique to
each other and unique in comparison to the snort schema! I am a php
nothing but I am determined to get the same robust functionality as the
IMS out of my homebrew system!