|
|
P0F in Snort?: msg#00154security.ids.snort.bleedingsnort
Stray thought: ANyone ever seen or thought about integrating p0f into snort? P0f is an OS detection tool that's uncannily accurate by tcp behavior, totally passive. What if we were to have p0f just feed it's thoughts about a client to a flowbit, we'd be able to query that flowbit to get the p0f reading on whether a source or dest is a certain OS? Like flowbits:isnotset,p0f.src.is.WinXPSP2; That'd allow us a lot of possibilities in eliminating false positives, or attacks to machines that are not relevant. Or blocking inbound email from XP boxes (likely bots) More I think about it, more possibilities come to mind. Any coders interested in looking into that? Matt -- -------------------------------------------- Matthew Jonkman Bleeding Edge Threats 765-429-0398 765-807-3060 fax http://www.bleedingthreats.net -------------------------------------------- PGP: http://www.bleedingthreats.com/mattjonkman.asc |
|
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| Previous by Date: | Re: New sig for unknown bot: 00154, Matt Jonkman |
|---|---|
| Next by Date: | Re: [Listeningpost] Mem and CPU usage: 00154, Matt Jonkman |
| Previous by Thread: | Rule Submit: Centrality IP Phone (PA-168 Chipset) Session Hijackingi: 00154, Blake Hartstein |
| Next by Thread: | RE: P0F in Snort?: 00154, Michael Scheidell |
| Indexes: | [Date] [Thread] [Top] [All Lists] |
| News | FAQ | advertise |