[Snort-users] Correlate between Snort and p0f
lawrence.waterhouse at ...11827...
Wed Oct 6 12:13:13 EDT 2004
I would like to know if Snort gives enough information to allow me to make a guess of the source/destination operating system?
I got a table in my MySQL database with a list of OS fingerprints. This table was generated using the p0f.fp file available with p0f 1.8.3.
Here is the database schema with field descriptions:
CREATE TABLE `p0f` (
  `os_id` int(11) NOT NULL auto_increment,
  `os_name` text,                 # os_name - operating system name
  `win` int(11) default NULL,     # win - window size
  `ttl` int(11) default NULL,     # ttl - time to live
  `mss` int(11) default NULL,     # mss - maximum segment size
  `df` int(11) default NULL,      # df - don't fragment flag (0=unset,
  `wscale` int(11) default NULL,  # wscale - window scaling (-1=not
  `sok` int(11) default NULL,     # sok - sackOK flag (0=unset, 1=set)
  `nop` int(11) default NULL,     # nop - nop flag (0=unset, 1=set)
  `size` int(11) default NULL,    # size - packet size (-1 = irrelevant)
  PRIMARY KEY (`os_id`)
);
Can anyone help me determine which p0f field matches which field in the
[snort] → [p0f]
iphdr/ip_ttl → ttl
This is the only match I have made so far … I believe most matches should be in the 'iphdr' and 'opt' tables. I know there are some snort-mods to make this match automatically, but I would like to do it by hand using my p0f database, if that's possible of course!
Help would be very appreciated, on-list or off-list.
Thanks a lot!
ps: excuse my imperfect English, this is not my main language…
ps2: some of you using open-source viewers may see some garbage in my mail; this is because I use gpopper to have POP access to my gmail account :)
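As an added illustration (not code from the original post or from Snort/p0f), here is one way to do the by-hand correlation as a single query, assuming the stock Snort MySQL schema of that era (tables iphdr, tcphdr and opt keyed by sid+cid, opt_proto=6 for TCP options) next to the p0f table above. Two further assumptions are marked in the comments: Snort stores the three IP flag bits shifted down so that DF is bit value 2 of ip_flags, and opt_data holds each option payload as a hex string.

```sql
-- Added example: match Snort TCP SYN events against the poster's p0f table.
-- Assumes the stock Snort schema (iphdr, tcphdr, opt keyed by sid+cid).
SELECT i.sid, i.cid,
       INET_NTOA(i.ip_src) AS src,
       i.ip_ttl, t.tcp_win, p.os_name,
       p.ttl - i.ip_ttl AS hop_distance        -- smaller = closer TTL match
FROM iphdr  i
JOIN tcphdr t ON t.sid = i.sid AND t.cid = i.cid
JOIN p0f    p ON p.win = t.tcp_win
             -- TTL is decremented in transit, so observed <= initial TTL;
             -- several fingerprints may match, hop_distance ranks them
             AND i.ip_ttl <= p.ttl
             -- assumption: DF is bit value 2 of Snort's ip_flags column
             AND p.df = ((i.ip_flags & 2) >> 1)
             AND (p.size = -1 OR p.size = i.ip_len)
             -- MSS option (TCP option kind 2); NULL in p0f means "any";
             -- assumption: opt_data is the option payload hex-encoded
             AND (p.mss IS NULL OR p.mss =
                  (SELECT CONV(o.opt_data, 16, 10) FROM opt o
                    WHERE o.sid = i.sid AND o.cid = i.cid
                      AND o.opt_proto = 6 AND o.opt_code = 2 LIMIT 1))
             -- window scale option (kind 3); -1 in p0f means absent
             AND p.wscale = IFNULL(
                  (SELECT CONV(o.opt_data, 16, 10) FROM opt o
                    WHERE o.sid = i.sid AND o.cid = i.cid
                      AND o.opt_proto = 6 AND o.opt_code = 3 LIMIT 1), -1)
             -- sackOK (kind 4) and NOP (kind 1): only presence matters
             AND p.sok = EXISTS (SELECT 1 FROM opt o
                    WHERE o.sid = i.sid AND o.cid = i.cid
                      AND o.opt_proto = 6 AND o.opt_code = 4)
             AND p.nop = EXISTS (SELECT 1 FROM opt o
                    WHERE o.sid = i.sid AND o.cid = i.cid
                      AND o.opt_proto = 6 AND o.opt_code = 1)
WHERE i.ip_proto = 6
  AND t.tcp_flags = 2          -- pure SYN: the only packets p0f fingerprints
ORDER BY i.sid, i.cid, hop_distance;
```

p0f only fingerprints the initial SYN, so events for other TCP packets are excluded rather than mis-matched; if a row matches several OS names, the one with the smallest hop_distance is the better guess.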