[Snort-users] How to detect OS with Snort?

JJC cummingsj at ...11827...
Tue May 8 10:26:47 EDT 2012


or p0f

On Tue, May 8, 2012 at 8:13 AM, Nick Moore <nmoore at ...1935...> wrote:
> Borja,
>
> In truth, a better tool for detecting operating systems is NMAP
> (http://nmap.org/download.html). Snort is more for intrusion detection and
> network sniffing.
>
> Nick
>
> On Tue, May 8, 2012 at 8:26 AM, Borja Luaces <borja.luaces at ...11827...> wrote:
>>
>> Good afternoon,
>>
>> First of all I have to say that I am new to Snort.
>>
>> I am trying to create an alert rule to detect the OS but every time I try
>> it it seems not to work.
>>
>> The rule looks like the following one:
>>
>> alert tcp any any -> any any (content:"Windows NT";msg:"Microsoft OS
>> detected";)
>>
>> Any help?
>>
>> Thanks for your time
>>
>> --
>> Borja Luaces Altares
>> Administrador/Analista de Sistemas (MCSE Security,C|EH & CSSA)
>>
>>
>
>
>
>
> --
> Nick Moore, SFCE, CISSP, CISA
> Sr. Systems Engineer
> Voice 708-336-9041
> Email nick.moore at ...1935...
> IM    nickgmoore (Yahoo)
>        nickgmoore38 (AIM)
>
>     ,,_
>    o"  )~   Sourcefire - The Creators of Snort
>     ''''
>
> www.sourcefire.com         www.snort.org     www.immunet.com
>
>
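An added example, not part of the original thread: the string `Windows NT` that the quoted rule searches for appears, among other places, in the HTTP User-Agent header sent by browsers on Windows. The Python sketch below does that passive check on constructed request payloads, restricted to the header so that the same bytes in a request body do not count. The function name `os_hint` and the sample requests are assumptions, and the User-Agent is client-supplied and only visible in cleartext HTTP, so the result is a hint, not an identification.

```python
import re

# Windows NT version numbers as they appear in User-Agent strings.
NT_VERSIONS = {
    "5.0": "Windows 2000",
    "5.1": "Windows XP",
    "5.2": "Windows XP x64 / Server 2003",
    "6.0": "Windows Vista / Server 2008",
    "6.1": "Windows 7 / Server 2008 R2",
    "6.2": "Windows 8 / Server 2012",
    "6.3": "Windows 8.1 / Server 2012 R2",
    "10.0": "Windows 10 or later",
}

UA_HEADER = re.compile(rb"^User-Agent:(.*)$", re.I | re.M)
NT_TOKEN = re.compile(rb"Windows NT (\d+\.\d+)")

# Constructed sample payloads (not captured traffic).
SAMPLES = [
    b"GET / HTTP/1.1\r\nHost: example.test\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) "
    b"Gecko/20100101 Firefox/12.0\r\n\r\n",
    # Linux client whose POST body happens to contain the string.
    b"POST /search HTTP/1.1\r\nHost: example.test\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) "
    b"Gecko/20100101 Firefox/12.0\r\n"
    b"Content-Length: 12\r\n\r\nq=Windows NT",
    b"\x16\x03\x01\x00\x05hello",  # not HTTP at all
]


def os_hint(payload: bytes):
    """Return an OS hint from one cleartext HTTP request, or None."""
    head, _, _ = payload.partition(b"\r\n\r\n")  # headers only, skip body
    ua = UA_HEADER.search(head)
    if ua is None:
        return None
    token = NT_TOKEN.search(ua.group(1))
    if token is None:
        return None
    version = token.group(1).decode("ascii")
    return NT_VERSIONS.get(version, f"Windows NT {version} (unknown)")


if __name__ == "__main__":
    for sample in SAMPLES:
        print(os_hint(sample))
```

The second sample is the case an unanchored payload match would flag even though the client is not Windows.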




More information about the Snort-users mailing list