
Re: P0F in Snort?: msg#00159

security.ids.snort.bleedingsnort

Subject: Re: P0F in Snort?

That's true, but in cases where we're just looking to ID WinXP
systems that are sending mail, if the traffic has been altered we'll
just not block. But the vast majority we would detect and be able to block.

It certainly wouldn't be a 100% thing. We'd have to write sigs with that
in mind. But it'd be useful, I think.

Matt

Blake Matheny wrote:
> The only problem I can think of off the top of my head is that certain
> firewalls (openbsd comes to mind) do packet normalization which defeats
> p0f. So if someone was going to work on this I would suggest taking p0f
> information with a grain of salt.
>
> -Blake
>
> Matt Jonkman wrote:
>> Stray thought: Anyone ever seen or thought about integrating p0f into
>> snort? p0f is an OS detection tool that's uncannily accurate by TCP
>> behavior, totally passive.
>>
>> What if we were to have p0f just feed its thoughts about a client to a
>> flowbit? We'd be able to query that flowbit to get the p0f reading on
>> whether a source or dest is a certain OS. Like
>>
>> flowbits:isnotset,p0f.src.is.WinXPSP2;
>>
>> That'd allow us a lot of possibilities in eliminating false positives,
>> or attacks to machines that are not relevant. Or blocking inbound email
>> from XP boxes (likely bots)
>>
>> More I think about it, more possibilities come to mind.
>>
>> Any coders interested in looking into that?
>>
>> Matt
>>
>>
>

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc
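To make the idea in this thread concrete, here is an added example (not code from the thread, from p0f, from Snort or from Bleeding Edge Threats) of what the proposed integration boils down to: a toy p0f-style fingerprinter reads the fields of a TCP SYN that p0f keys on (window size, inferred initial TTL, the DF bit, and the TCP option layout), records a per-source flag named like Matt's `p0f.src.is.WinXPSP2` flowbit, and a rule emulating `drop tcp any any -> any 25 (flowbits:isset,...)` consults it. The two signatures, the packets, the host addresses and the `scrub` normalizer are all constructed for illustration; they are not the real p0f signature database, and `scrub` only loosely imitates what a normalizing firewall such as OpenBSD's pf does. The last case shows Blake's caveat and Matt's answer to it: once the firewall rewrites the packet the fingerprint no longer matches, no flowbit is set, and the OS-gated rule simply stays quiet rather than blocking.

```python
"""Toy p0f-style passive OS fingerprinting feeding a flowbit-like table.

Added example for this thread, not code from p0f, Snort or Bleeding Edge.
Signatures, packets, addresses and the scrub() normalizer are constructed
for illustration; they are not p0f's database or pf's real behaviour.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified signatures: (name, window, initial TTL, DF, option layout).
# Layout letters follow p0f's convention: M=MSS N=NOP S=SACKOK T=timestamp W=wscale E=EOL.
SIGNATURES = [
    ("Windows XP", 65535, 128, True, "M,N,N,S"),
    ("Linux 2.6", 5840, 64, True, "M,S,T,N,W"),
]
OPT_LETTER = {0: "E", 1: "N", 2: "M", 3: "W", 4: "S", 8: "T"}


@dataclass
class SynFacts:
    src: str
    dport: int
    ttl: int
    df: bool
    window: int
    opts: str


def parse_syn(pkt: bytes) -> SynFacts:
    """Extract the fingerprint-relevant fields of an IPv4/TCP SYN (checksums ignored)."""
    ihl = (pkt[0] & 0x0F) * 4
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    src = socket.inet_ntoa(pkt[12:16])
    tcp = pkt[ihl:]
    dport, = struct.unpack("!H", tcp[2:4])
    doff = (tcp[12] >> 4) * 4
    window, = struct.unpack("!H", tcp[14:16])
    layout, i = [], 20
    while i < doff:
        kind = tcp[i]
        layout.append(OPT_LETTER.get(kind, "?"))
        if kind == 0:                               # EOL ends the option list
            break
        i += 1 if kind == 1 else tcp[i + 1]         # NOP carries no length byte
    return SynFacts(src, dport, pkt[8], df, window, ",".join(layout))


def initial_ttl(ttl: int) -> int:
    """Round the observed TTL up to the nearest common initial value."""
    return next(t for t in (32, 64, 128, 255) if ttl <= t)


def fingerprint(f: SynFacts) -> Optional[str]:
    for name, win, ttl, df, layout in SIGNATURES:
        if (f.window, initial_ttl(f.ttl), f.df, f.opts) == (win, ttl, df, layout):
            return name
    return None     # unknown: no flowbit gets set, so OS-gated rules stay quiet


class FlowbitTable:
    """Per-source-host flags, standing in for the flowbits p0f would set."""
    def __init__(self):
        self.bits = {}

    def set(self, host, name):
        self.bits.setdefault(host, set()).add(name)

    def isset(self, host, name):
        return name in self.bits.get(host, set())


def observe(pkt: bytes, table: FlowbitTable) -> Optional[str]:
    """p0f side: fingerprint a SYN and record p0f.src.is.<OS> for its source."""
    f = parse_syn(pkt)
    name = fingerprint(f)
    if name:
        table.set(f.src, "p0f.src.is." + name.replace(" ", "").replace(".", ""))
    return name


def mail_from_xp_rule(pkt: bytes, table: FlowbitTable) -> bool:
    """Snort side, emulating: drop tcp any any -> any 25 (flowbits:isset,p0f.src.is.WindowsXP;)"""
    f = parse_syn(pkt)
    return f.dport == 25 and table.isset(f.src, "p0f.src.is.WindowsXP")


def build_syn(src: str, ttl: int, df: bool, window: int, options: bytes) -> bytes:
    """Constructed SYN to 10.0.0.25:25; checksums left zero since nothing is sent."""
    options += b"\x00" * (-len(options) % 4)
    tcp = struct.pack("!HHIIBBHHH", 40000, 25, 1, 0,
                      (5 + len(options) // 4) << 4, 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton("10.0.0.25"))
    return ip + tcp


XP_OPTS = b"\x02\x04\x05\xb4" + b"\x01\x01" + b"\x04\x02"              # MSS, NOP, NOP, SACKOK
LINUX_OPTS = (b"\x02\x04\x05\xb4" + b"\x04\x02"                        # MSS, SACKOK
              + b"\x08\x0a" + b"\x00\x00\x00\x01" + b"\x00" * 4         # timestamp
              + b"\x01" + b"\x03\x03\x07")                              # NOP, wscale


def scrub(pkt: bytes) -> bytes:
    """Toy normalizer, loosely like pf 'scrub ... no-df': clears DF so the match fails."""
    b = bytearray(pkt)
    b[6] &= 0xBF
    return bytes(b)


def demo():
    table = FlowbitTable()
    cases = (("xp", build_syn("192.0.2.10", 126, True, 65535, XP_OPTS)),        # two hops away
             ("linux", build_syn("192.0.2.20", 61, True, 5840, LINUX_OPTS)),
             ("xp_scrubbed", scrub(build_syn("192.0.2.30", 126, True, 65535, XP_OPTS))))
    return {label: (observe(pkt, table), mail_from_xp_rule(pkt, table)) for label, pkt in cases}
```

Running `demo()` classifies the first SYN as Windows XP and fires the mail rule, leaves the Linux sender alone, and returns no OS at all for the scrubbed XP SYN, so the rule does not fire. A real deployment would also need the flowbit to expire, since DHCP hands the same address to different hosts over time, and would want p0f's full signature set rather than the two constructed entries here.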

