[Snort-users] Correlate between Snort and p0f

Lawrence Waterhouse lawrence.waterhouse at ...11827...
Wed Sep 22 13:47:01 EDT 2004


Hello everyone,

I would like to know if snort give enough information=E2=80=99s to allow =
me to make a guess of the source/destination Operating system?

I got a table in my mysql database with a list of OS fingerprints. This =
table was generated using the p0f.fp file available with p0f 1.8.3 =
(http://lcamtuf.coredump.cx/p0f/old/p0f-1.8.3.tgz).

Here the database schema with field=E2=80=99s descriptions:

CREATE TABLE `p0f` (
  `os_id` int(11) NOT NULL auto_increment,
  `os_name` text,				# os_name - Operating system name
  `win` int(11) default NULL,		# win - window size
  `ttl` int(11) default NULL,		# ttt  - time to live
  `mss` int(11) default NULL,		# mss - maximum segment size
  `df` int(11) default NULL,		# df - don't fragment flag  (0=3Dunset, =
1=3Dset)
  `wscale` int(11) default NULL,	# wscale - window scaling (-1=3Dnot =
present, other=3Dvalue)
  `sok` int(11) default NULL,		# sok - sackOK flag (0=3Dunset, 1=3Dset)
  `nop` int(11) default NULL,		# nop  - nop flag (0=3Dunset, 1=3Dset)
  `size` int(11) default NULL,	# size - packet size (-1 =3D irrevelant)
  PRIMARY KEY  (`os_id`)
) TYPE=3DMyISAM;

Anyone can help me determine which p0f field match which field in the =
snort database?

For example
[snort]		=E2=86=92	[p0f]
Ip_idr/ip_ttl	=E2=86=92	ttl

This is the only match I have made so far =E2=80=A6 I believe most match =
should be in the =E2=80=98iphdr=E2=80=99 and =E2=80=98opt=E2=80=99 =
tables. I know they are some snort-mods to make this match automatically =
but I would like to do it by hand using my p0f database, if =
that=E2=80=99s possible of course !

Help would be very appreciated, on-list or off-list.

Thanks a lot!

ps: excuse my imperfect English, this is not my main language=E2=80=A6

L. Waterhouse




More information about the Snort-users mailing list