Re: P0F in Snort?

The only problem I can think of off the top of my head is that certain 
firewalls (openbsd comes to mind) do packet normalization which defeats 
p0f. So if someone was going to work on this I would suggest taking p0f 
information with a grain of salt.

-Blake

Matt Jonkman wrote:
> Stray thought: ANyone ever seen or thought about integrating p0f into
> snort? P0f is an OS detection tool that's uncannily accurate by tcp
> behavior, totally passive.
>
> What if we were to have p0f just feed it's thoughts about a client to a
> flowbit, we'd be able to query that flowbit to get the p0f reading on
> whether a source or dest is a certain OS? Like
>
> flowbits:isnotset,p0f.src.is.WinXPSP2;
>
> That'd allow us a lot of possibilities in eliminating false positives,
> or attacks to machines that are not relevant. Or blocking inbound email
> from XP boxes (likely bots)
>
> More I think about it, more possibilities come to mind.
>
> Any coders interested in looking into that?
>
> Matt

--
Blake Matheny
bmatheny-YBzcoN68hchIf6P1QZMOBw@xxxxxxxxxxxxxxxx
http://mobocracy.net