[Snort-users] How to detect OS with Snort?

Jason Haar Jason_Haar at ...15306...
Thu May 17 05:47:54 EDT 2012


On 17/05/12 04:02, Olaf Schreck wrote:
>> In OpenSource land, p0f is the best tool to go about detecting OSes.
> Or OpenBSDs pf firewall which has this functionality built in.

...except I wouldn't trust either to make blocking decisions. I've used
p0f for years and even though it's very useful, it still gets a lot of
packets wrong - eg Windows systems declared as Linux - and 3 packets
later being Windows. Great metadata - but I wouldn't block/alert on it

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1





More information about the Snort-users mailing list