Re: P0F in Snort? (msg#00161, security.ids.snort.bleedingsnort)
Pof in snort: I can write a working POC plugin in a day. Help me with some design decisions:

Option 1: POF runs in a standalone mode writing output to a database output. We should restrict it to the RFC1918 addresses, because our DMZ servers will be approached by multiple remote hosts with the same public address. Or we could just "Null-Out" any addresses that give conflicting results. Then the snort plug-in will do an OS lookup, similar to Matt's suggestion:

    pof: src,is.XP;

or

    pof: dest,is.xnix;

Option 2: POF runs as a preprocessor? Hmm, I don't like that because POF needs to capture multiple packets to make a good decision.

Option 3: ?? Help me out here.

jp

-------------------------------------------------
Email solutions, MS Exchange alternatives and extrication, security services, systems integration. Contact: services-MMNQ1ylbVXZN8Ch2cx6nig@xxxxxxxxxxxxxxxx
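The Option 1 design above, sketched as an added example (this is not the poster's plugin nor part of Snort or p0f): a standalone collector feeds p0f-style OS guesses into a store keyed by IP, only RFC 1918 addresses are kept, an address that yields conflicting guesses is nulled out, and a rule option in the proposed `pof: src,is.XP;` syntax is evaluated against the store. The in-memory `FingerprintStore`, the `parse_pof_option`/`pof_match` helpers, the substring match between rule token and p0f label, and all observations are assumptions constructed for the example; the rule keyword is the poster's proposal, not a real Snort option.

```python
"""Sketch of the 'standalone p0f + lookup plugin' design (added example,
not code from the original message, Snort or p0f)."""
import ipaddress
from typing import Dict, Optional, Tuple

# RFC 1918 ranges: the only addresses whose fingerprint we keep, because one
# public address (NAT, proxy) can front many different real hosts.
_PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

CONFLICT = None  # stored when an address produced conflicting OS guesses


def is_rfc1918(ip: str) -> bool:
    """True for RFC 1918 private addresses, False for anything else or junk."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in _PRIVATE_NETS)


class FingerprintStore:
    """In-memory stand-in for the database output p0f would write to (assumed)."""

    def __init__(self) -> None:
        self._os: Dict[str, Optional[str]] = {}

    def record(self, ip: str, os_guess: str) -> bool:
        """Store one p0f guess; returns False when the address is ignored."""
        if not is_rfc1918(ip):
            return False
        if ip not in self._os:
            self._os[ip] = os_guess
        elif self._os[ip] != os_guess:
            # Conflicting results: "null out" the entry instead of trusting either.
            self._os[ip] = CONFLICT
        return True

    def lookup(self, ip: str) -> Optional[str]:
        """OS label for ip, or None when unknown or nulled out."""
        return self._os.get(ip)


def parse_pof_option(option: str) -> Tuple[str, str]:
    """Parse the proposed rule syntax, e.g. 'pof: src,is.XP;' -> ('src', 'XP')."""
    body = option.strip().rstrip(";")
    if not body.startswith("pof:"):
        raise ValueError(f"not a pof option: {option!r}")
    side, _, test = body[len("pof:"):].strip().partition(",")
    side, test = side.strip(), test.strip()
    if side not in ("src", "dest") or not test.startswith("is."):
        raise ValueError(f"unsupported pof option: {option!r}")
    return side, test[len("is."):]


def pof_match(store: FingerprintStore, option: str, src_ip: str, dst_ip: str) -> bool:
    """Evaluate a pof option against a packet's addresses.

    Matching policy (an assumption): case-insensitive substring of the stored
    p0f label. Unknown and nulled-out addresses never match.
    """
    side, wanted = parse_pof_option(option)
    actual = store.lookup(src_ip if side == "src" else dst_ip)
    if actual is None:
        return False
    return wanted.lower() in actual.lower()


def run_demo() -> Dict[str, bool]:
    """Constructed sample observations; returns rule outcomes for inspection."""
    store = FingerprintStore()
    store.record("10.0.0.5", "Windows XP")        # consistent guesses
    store.record("10.0.0.5", "Windows XP")
    store.record("203.0.113.7", "Linux 2.4")      # public: dropped
    store.record("192.168.1.9", "Linux 2.4")      # conflicting guesses
    store.record("192.168.1.9", "FreeBSD 4.x")    # -> nulled out
    return {
        "src_is_xp": pof_match(store, "pof: src,is.XP;", "10.0.0.5", "203.0.113.7"),
        "dest_is_xp": pof_match(store, "pof: dest,is.XP;", "10.0.0.5", "203.0.113.7"),
        "conflict_src": pof_match(store, "pof: src,is.Linux;", "192.168.1.9", "10.0.0.5"),
    }


if __name__ == "__main__":
    for name, hit in run_demo().items():
        print(f"{name}: {hit}")
```

The null-out step is what keeps the lookup honest for the DMZ case the poster raises: a single public address seen with two different stacks is more likely many hosts behind one address than one host, so the rule should not fire on it at all.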