[Snort-users] Correlate between Snort and p0f
lawrence.waterhouse at ...11827...
Wed Oct 6 12:45:08 EDT 2004
I would like to know if Snort gives enough information to allow me to
make a guess at the source/destination operating system.
I have a table in my MySQL database with a list of OS fingerprints.
This table was generated using the p0f.fp file shipped with p0f.
Here is the database schema with field descriptions:
CREATE TABLE `p0f` (
`os_id` int(11) NOT NULL auto_increment,
`os_name` text, # os_name - Operating system name
`win` int(11) default NULL, # win - window size
`ttl` int(11) default NULL, # ttl - time to live
`mss` int(11) default NULL, # mss - maximum segment size
`df` int(11) default NULL, # df - don't fragment flag (0=unset, 1=set)
`wscale` int(11) default NULL, # wscale - window scaling (-1=not
`sok` int(11) default NULL, # sok - sackOK flag (0=unset, 1=set)
`nop` int(11) default NULL, # nop - nop flag (0=unset, 1=set)
`size` int(11) default NULL, # size - packet size (-1 = irrelevant)
PRIMARY KEY (`os_id`)
);
Can anyone help me determine which p0f field matches which field in the
[snort] → [p0f]
Ip_idr/ip_ttl → ttl
This is the only match I have made so far … I believe most matches
should be in the 'iphdr' and 'opt' tables. I know there are some
snort-mods to make this match automatically, but I would like to do it
by hand using my p0f database, if that's possible of course!
Help would be very much appreciated, on-list or off-list.
Thanks a lot!
ps: excuse my imperfect English, this is not my main language…
ps2: some of you using open-source viewers may see some garbage in my
mail; this is due to the fact that I use gpopper to have POP access
to my gmail account :)
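The lookup described in the post, as an added example that is not from the original mail or from Snort/p0f: it derives the p0f fields from Snort's own database tables and joins them against the `p0f` table. It assumes the standard Snort/ACID schema (`iphdr`, `tcphdr`, `opt` with raw option value bytes in `opt_data`), that NULL in a `p0f` column means "any value", and that `wscale = -1` means the option was absent.

```sql
-- Added example (not from the original mail): match one Snort-logged SYN
-- against the p0f table by deriving the p0f fields from Snort's own tables.
-- Assumed Snort/ACID schema: iphdr(sid,cid,ip_ttl,ip_flags,ip_len),
-- tcphdr(sid,cid,tcp_flags,tcp_win), opt(sid,cid,opt_proto,opt_code,opt_data),
-- with opt_data holding the raw option value bytes (TCP options = opt_proto 6).
-- NULL in a p0f column is treated here as "any value" (assumption).
SELECT i.sid, i.cid, p.os_name
FROM iphdr i
JOIN tcphdr t ON t.sid = i.sid AND t.cid = i.cid
JOIN p0f p
  -- window size: literal match only (p0f's S4 / T / * forms are not ints)
  ON (p.win IS NULL OR p.win = t.tcp_win)
  -- TTL: p0f stores the initial TTL; the observed ip_ttl has been
  -- decremented once per hop, so accept values up to 32 hops below it
 AND (p.ttl IS NULL OR (i.ip_ttl <= p.ttl AND i.ip_ttl > p.ttl - 32))
  -- DF is bit 0x2 of the IP flags field
 AND (p.df IS NULL OR p.df = IF(i.ip_flags & 2, 1, 0))
  -- overall SYN packet size = IP total length (-1 = irrelevant)
 AND (p.size IS NULL OR p.size = -1 OR p.size = i.ip_len)
  -- MSS: TCP option kind 2, two value bytes
 AND (p.mss IS NULL OR p.mss = (
        SELECT CONV(HEX(o.opt_data), 16, 10) FROM opt o
        WHERE o.sid = i.sid AND o.cid = i.cid
          AND o.opt_proto = 6 AND o.opt_code = 2 LIMIT 1))
  -- window scale: TCP option kind 3, one value byte (-1 = not present; assumed)
 AND (p.wscale IS NULL OR p.wscale = IFNULL((
        SELECT CONV(HEX(o.opt_data), 16, 10) FROM opt o
        WHERE o.sid = i.sid AND o.cid = i.cid
          AND o.opt_proto = 6 AND o.opt_code = 3 LIMIT 1), -1))
  -- sackOK: TCP option kind 4 present (1) or not (0)
 AND (p.sok IS NULL OR p.sok = EXISTS (
        SELECT 1 FROM opt o WHERE o.sid = i.sid AND o.cid = i.cid
          AND o.opt_proto = 6 AND o.opt_code = 4))
  -- NOP: TCP option kind 1 present (1) or not (0)
 AND (p.nop IS NULL OR p.nop = EXISTS (
        SELECT 1 FROM opt o WHERE o.sid = i.sid AND o.cid = i.cid
          AND o.opt_proto = 6 AND o.opt_code = 1))
WHERE t.tcp_flags = 2            -- pure SYN, as p0f's SYN-mode signatures expect
  AND i.sid = 1 AND i.cid = 42;  -- constructed example event id
```

Because p0f matches initial SYNs, only events logged with a full packet (not just the alert header) will have the `tcphdr` and `opt` rows this query needs; a signature whose window size is relative (S4, T) cannot be represented in an integer `win` column and will not match.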