[Snort-users] Fwd: How to detect OS with Snort?
wkitty42 at ...14940...
Tue May 8 22:09:35 EDT 2012
On 5/8/2012 15:25, Borja Luaces wrote:
> Firstly, thanks.
> i know that Nmap is a better tool but the fact is that the rule is to detect
> specific attacks from windows OS. The company I work for does not allow me to
> install anything else. I have to do it with snort this is why I am trying that
> rule but it seems not to work.
what does it matter what OS an attack originates from? detect the atack and
drop, alert or block as necessary... what i saw your rule doing appeared to be
only detecting possible user agents in http headers but those are faked all the
time with valid ones appearing along with invalid ones... i can tell you that
they are coming from all different OS' no matter what OS the UA says it is...
witness forum spammer's tools and infiltration techniques...
More information about the Snort-users