[Snort-users] How to detect OS with Snort?

Borja Luaces borja.luaces at ...11827...
Thu May 17 06:54:18 EDT 2012


Hello all,

The problem is that I can NOT install anything in the snort system.

I can ONLY use snort rules.

I am making tests with the preproccesor http_inspect.

On Thu, May 17, 2012 at 11:47 AM, Jason Haar <Jason_Haar at ...15306...> wrote:

> On 17/05/12 04:02, Olaf Schreck wrote:
> >> In OpenSource land, p0f is the best tool to go about detecting OSes.
> > Or OpenBSDs pf firewall which has this functionality built in.
>
> ...except I wouldn't trust either to make blocking decisions. I've used
> p0f for years and even though it's very useful, it still gets a lot of
> packets wrong - eg Windows systems declared as Linux - and 3 packets
> later being Windows. Great metadata - but I wouldn't block/alert on it
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>



-- 
Borja Luaces Altares
Administrador/Analista de Sistemas (MCSE Security,C|EH & CSSA)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120517/b186becb/attachment.html>


More information about the Snort-users mailing list