
P0F in Snort?: msg#00154

security.ids.snort.bleedingsnort

Subject: P0F in Snort?

Stray thought: Anyone ever seen or thought about integrating p0f into
snort? P0f is an OS detection tool that's uncannily accurate by tcp
behavior, totally passive.

What if we were to have p0f just feed its thoughts about a client to a
flowbit, we'd be able to query that flowbit to get the p0f reading on
whether a source or dest is a certain OS? Like:

flowbits:isnotset,p0f.src.is.WinXPSP2;

That'd allow us a lot of possibilities in eliminating false positives,
or attacks to machines that are not relevant. Or blocking inbound email
from XP boxes (likely bots)

More I think about it, more possibilities come to mind.

Any coders interested in looking into that?

Matt


--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc
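As an added illustration of the flowbit scheme Matt sketches (example code, not code from the post, from Snort, or from p0f): a Python simulation that parses constructed p0f-style output lines, turns each OS reading into a `p0f.src.is.<label>` / `p0f.dst.is.<label>` flowbit on the flow, and evaluates two hypothetical rule gates, one for "inbound mail from XP boxes" (`isset`) and one using the post's literal `isnotset` check. The output format is an approximation of p0f v2's text output, and the host addresses, the `os_to_flowbit_label` normalisation, the rule dictionaries and the evaluator are all assumptions made for this example.

```python
import re

# Constructed p0f-style output lines (made-up hosts, not a real capture).
# The layout approximates p0f v2's text output:
#   src:port - OS (details) -> dst:port (distance N, link: ...)
# An unrecognised host prints UNKNOWN followed by the raw signature.
P0F_LINES = [
    "10.1.1.5:1044 - Windows XP SP2 (up: 3 hrs) -> 10.2.2.2:25 (distance 2, link: ethernet/modem)",
    "10.1.1.9:33402 - Linux 2.6 (up: 12 hrs) -> 10.2.2.2:25 (distance 1, link: ethernet/modem)",
    "10.1.1.7:2201 - Windows 2000 SP4 (up: 1 hrs) -> 10.2.2.3:80 (distance 3, link: ethernet/modem)",
    "10.1.1.5:1051 - UNKNOWN [S4:128:1:48:M1460,N,N,S:.:?:?] -> 10.2.2.3:80 (link: ethernet/modem)",
]

# Assumed line shape: OS label runs up to the first " (" or " [".
LINE_RE = re.compile(
    r"^(?P<src>[\d.]+):\d+ - (?P<os>.+?) [(\[].*?-> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def os_to_flowbit_label(os_label):
    """Normalise p0f's free-text OS name into a flowbit-safe label.

    Follows the naming in the post: 'Windows XP SP2' -> 'WinXPSP2'.
    (Hypothetical scheme; a real integration would need a fixed table.)
    """
    label = os_label.strip().replace("Windows", "Win")
    return re.sub(r"[^A-Za-z0-9]", "", label)


def parse_p0f(lines):
    """Return (readings, flows).

    readings: {ip: label} for hosts p0f could fingerprint (last wins).
    flows:    [(src, dst, dport)] for every parsed line, UNKNOWN included,
              because Snort still sees the flow even when p0f has no opinion.
    """
    readings, flows = {}, []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # banner / status lines p0f may print; not a result
        src, dst, dport = m.group("src"), m.group("dst"), int(m.group("dport"))
        flows.append((src, dst, dport))
        if m.group("os") != "UNKNOWN":
            readings[src] = os_to_flowbit_label(m.group("os"))
    return readings, flows


def flowbits_for_flow(src, dst, readings):
    """Flowbits that would be set on this flow from accumulated readings.

    A host with no reading contributes no bit at all, so an 'isnotset'
    gate passes for it: the caveat to remember when using isnotset.
    """
    bits = set()
    if src in readings:
        bits.add("p0f.src.is." + readings[src])
    if dst in readings:
        bits.add("p0f.dst.is." + readings[dst])
    return bits


def rule_matches(rule, flow, bits):
    """Minimal stand-in for a Snort rule: optional dst port plus flowbits checks."""
    _, _, dport = flow
    if rule["dport"] is not None and dport != rule["dport"]:
        return False
    for op, bit in rule["flowbits"]:
        if op == "isset" and bit not in bits:
            return False
        if op == "isnotset" and bit in bits:
            return False
    return True


def matching_sources(rule, lines):
    """Source IPs whose flows would trigger the rule given p0f's readings."""
    readings, flows = parse_p0f(lines)
    hits = []
    for flow in flows:
        src, dst, _ = flow
        if rule_matches(rule, flow, flowbits_for_flow(src, dst, readings)):
            hits.append(src)
    return hits


# Hypothetical rules modelled on the two uses in the post.
# 1) "blocking inbound email from XP boxes": SMTP flow whose source p0f calls XP SP2.
XP_MAIL_RULE = {"dport": 25, "flowbits": [("isset", "p0f.src.is.WinXPSP2")]}
# 2) the post's literal gate: fire only when the source is NOT XP SP2.
NOT_XP_RULE = {"dport": 80, "flowbits": [("isnotset", "p0f.src.is.WinXPSP2")]}

if __name__ == "__main__":
    print("XP boxes sending mail:", matching_sources(XP_MAIL_RULE, P0F_LINES))
    print("non-XP web clients:   ", matching_sources(NOT_XP_RULE, P0F_LINES))
```

On the constructed data the mail rule flags only 10.1.1.5, and the `isnotset` rule fires for the Windows 2000 host but not for the XP SP2 host's second (UNKNOWN-fingerprinted) flow, because the earlier reading for that address is reused. Note the asymmetry this models: `isset` is conservative, while `isnotset` also passes for every host p0f never fingerprinted, so a rule that relies on it inherits p0f's blind spots.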

