[Snort-users] Snort!(fp): Fingerprinting with Snort!

Stephen Reed sdreed at ...3147...
Wed Jul 14 12:08:10 EDT 2004

Snort!(fp): Real-Time Passive Network Fingerprinting with Snort!

Snort!(fp) extends the capability of the Snort! intrusion detection 
open-source product to include OS and network daemon fingerprinting.

Thus, with a properly configure Snort! environment (including the fp
extension), you would be able to determine, given an IDS alert:
(1) What operating system the (alert) source/destination system is running
(2) What network services/daemons the (alert) source/destination 
system is running

Snort!(fp) is based on the following tools:

IDS:			Snort! (needs to be patched) (v2.1.2)
DB:			MySQL (no modifications except to tables)
HTTPD:			Apache (no modifications needed)
Interface:		ACID (needs to be patched)
OS Fingerprinting:	p0f (p2s utility converts to Snort!syntax)
Service Fingerprinting:	native Snort! rules

Both Snort! and ACID have been extended to support fingerprinting functions. The ACID database schema has also been modified to support fingerprinting. 

More information, downloads and documentation are available at my website:


More information about the Snort-users mailing list