
RE: P0F in Snort?: msg#00162

security.ids.snort.bleedingsnort

Subject: RE: P0F in Snort?

Will reply to this when I get to my laptop. But was wondering when you're going
public on the autoshun feeds. Eager to see that go.

-----Original Message-----
From: "Jack Pepper" <pepperjack-MMNQ1ylbVXZN8Ch2cx6nig@xxxxxxxxxxxxxxxx>
To: bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
Sent: 1/27/07 07:21 PM
Subject: Re: [Bleeding-sigs] P0F in Snort?


p0f in Snort: I can write a working POC plugin in a day. Help me
with some design decisions:

Option 1:
p0f runs in a standalone mode writing output to a database output.
We should restrict it to the RFC1918 addresses, because our DMZ
servers will be approached by multiple remote hosts with the same
public address. Or we could just "Null-Out" any addresses that give
conflicting results.

Then the snort plug-in will do an OS lookup, similar to Matt's suggestion:
pof: src,is.XP;
or
pof: dest,is.xnix;

Option 2:
p0f runs as a preprocessor? Hmm, I don't like that because p0f
needs to capture multiple packets to make a good decision.

Option 3:
??

Help me out here.

jp



-------------------------------------------------
Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact: services-MMNQ1ylbVXZN8Ch2cx6nig@xxxxxxxxxxxxxxxx


_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
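Added example (not code from this thread, from p0f or from Snort): a small Python model of Option 1 above, the standalone-p0f-plus-lookup design. It builds an IP-to-OS table from p0f-style output restricted to RFC1918 sources, "nulls out" any host whose guesses conflict (the DMZ-behind-one-public-address problem), and then evaluates a rule option in the proposed `pof: src,is.XP;` syntax against a simulated packet. The input format (`src:port - OS guess -> dst:port`), the class names behind `is.XP` / `is.xnix`, and the sample lines are all constructed assumptions, not p0f's real output.

```python
import ipaddress
import re
from typing import Callable, Dict, Optional

# Constructed sample lines in a simplified p0f-style format
# (assumption: "src:port - OS guess -> dst:port"; not p0f's exact output).
# 192.168.1.6 and 198.51.100.7 deliberately produce conflicting guesses.
SAMPLE_P0F_OUTPUT = """\
192.168.1.5:1234 - Windows XP -> 10.0.0.1:80
192.168.1.6:4321 - Linux 2.6 -> 10.0.0.1:80
192.168.1.5:1235 - Windows XP -> 10.0.0.2:443
198.51.100.7:55000 - FreeBSD -> 10.0.0.1:80
198.51.100.7:55001 - Windows 2000 -> 10.0.0.1:80
192.168.1.6:4322 - OpenBSD -> 10.0.0.1:25
"""

LINE_RE = re.compile(r"^(\S+):\d+ - (.+?) -> \S+:\d+$")

# Explicit RFC1918 ranges; ipaddress.is_private is wider than RFC1918
# (it also covers documentation nets such as 198.51.100.0/24).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

CONFLICT = None  # "Null-Out" marker: host gave more than one OS guess


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def build_os_table(output: str, rfc1918_only: bool = True) -> Dict[str, Optional[str]]:
    """Map source IP -> OS guess; conflicting hosts are set to CONFLICT."""
    table: Dict[str, Optional[str]] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip, os_guess = m.group(1), m.group(2).strip()
        if rfc1918_only and not is_rfc1918(ip):
            continue
        if ip not in table:
            table[ip] = os_guess
        elif table[ip] != os_guess:
            table[ip] = CONFLICT  # stays nulled once any disagreement is seen
    return table


# Hypothetical OS classes for the "is.<class>" keyword (assumed, not Snort's).
OS_CLASSES: Dict[str, Callable[[str], bool]] = {
    "XP": lambda os: os.startswith("Windows XP"),
    "windows": lambda os: os.startswith("Windows"),
    "xnix": lambda os: os.split()[0] in {"Linux", "FreeBSD", "OpenBSD", "NetBSD", "Solaris"},
}

OPTION_RE = re.compile(r"^pof:\s*(src|dest)\s*,\s*is\.(\w+)\s*;?$")


def match_pof_option(option: str, table: Dict[str, Optional[str]],
                     src_ip: str, dst_ip: str) -> bool:
    """Evaluate 'pof: src,is.XP;' style option against a simulated packet.

    Unknown hosts and nulled-out (conflicting) hosts never match, so the
    option fails closed rather than firing on a bad guess.
    """
    m = OPTION_RE.match(option.strip())
    if not m:
        raise ValueError(f"bad pof option: {option!r}")
    side, cls = m.groups()
    if cls not in OS_CLASSES:
        raise ValueError(f"unknown OS class: {cls}")
    ip = src_ip if side == "src" else dst_ip
    os_guess = table.get(ip)
    if os_guess is None:
        return False
    return OS_CLASSES[cls](os_guess)


if __name__ == "__main__":
    tbl = build_os_table(SAMPLE_P0F_OUTPUT)
    for ip, guess in sorted(tbl.items()):
        print(f"{ip:15} {guess if guess is not None else '<conflict: nulled out>'}")
    print(match_pof_option("pof: src,is.XP;", tbl, "192.168.1.5", "10.0.0.1"))
```

Running the table without the RFC1918 restriction shows why the restriction (or the null-out) matters: the public address 198.51.100.7 appears with two different OS guesses, so any rule keyed on it would be unreliable.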

