[Snort-users] Snort OS Fingerprint Scan Detection

Y M snort at ...15979...
Fri Nov 4 13:49:11 EDT 2016

There are a couple of things to note.

- Is the sfportscan preprocessor enabled and tweaked? This can help identify a scan, not necessarily a fingerprint scan.
- The rules that are enabled, which may alert on certain scan techniques or scan return results.
- IMHO, detecting scans is the result of collective alerts and detections against a specific host. It's not as simple as one rule identifies a fingerprint scan. Look for alerts (see point 2 above) collectively against your hosts.
- Look at the fingerprint scan documentation; it usually lists the techniques used to perform the scan. You can tailor your rules to the techniques in coordination with your protected environment.


On Fri, Nov 4, 2016 at 6:09 AM +0300, "yasir al-ibrahem" <alibrahem.yasir at ...843.....11827...> wrote:


I'm using NMAP to detect the OS type and version of another machine that hosts snort.

Snort is able to detect the ICMP tests, but that doesn't clearly indicate that an OS fingerprinting attack is taking place.

I'm wondering if snort has such a specific alert, and if there's any specific configuration for OS fingerprint detection.

Appreciate your help.

Yasir Saad Al-Ibrahem