[Snort-users] Correlate between Snort and p0f

Lawrence Waterhouse lawrence.waterhouse at ...11827...
Wed Oct 6 12:45:08 EDT 2004

Hello everyone,

I would like to know if snort give enough information's to allow me to
make a guess of the source/destination Operating system?

I got a table in my mysql database with a list of OS fingerprints.
This table was generated using the p0f.fp file available with p0f
1.8.3 (http://lcamtuf.coredump.cx/p0f/old/p0f-1.8.3.tgz).

Here the database schema with field's descriptions:

  `os_id` int(11) NOT NULL auto_increment,
  `os_name` text,				# os_name - Operating system name
  `win` int(11) default NULL,		# win - window size
  `ttl` int(11) default NULL,		# ttt  - time to live
  `mss` int(11) default NULL,		# mss - maximum segment size
  `df` int(11) default NULL,		# df - don't fragment flag  (0=unset, 1=set)
  `wscale` int(11) default NULL,	# wscale - window scaling (-1=not
present, other=value)
  `sok` int(11) default NULL,		# sok - sackOK flag (0=unset, 1=set)
  `nop` int(11) default NULL,		# nop  - nop flag (0=unset, 1=set)
  `size` int(11) default NULL,	# size - packet size (-1 = irrevelant)
  PRIMARY KEY  (`os_id`)

Anyone can help me determine which p0f field match which field in the
snort database?

For example
[snort]		→	[p0f]
Ip_idr/ip_ttl	→	ttl

This is the only match I have made so far … I believe most match
should be in the 'iphdr' and 'opt' tables. I know they are some
snort-mods to make this match automatically but I would like to do it
by hand using my p0f database, if that's possible of course !

Help would be very appreciated, on-list or off-list.

Thanks a lot!

ps: excuse my imperfect English, this is not my main language…

ps2: some of you using opensource viewed may see some garbage in my
mail, this is due to the fact that I use gpopper to have a pop access
to my gmail account :)

L. Waterhouse

More information about the Snort-users mailing list