Re: P0F in Snort?

I don't think this would be a problem. This should be a target based
thing and you control the targets (it'd be devices on $HOME_NET).  The
OS of the attacking system isn't all that useful.

Bammkkkk


On 1/27/07, Blake Matheny <bmatheny-YBzcoN68hchIf6P1QZMOBw@xxxxxxxxxxxxxxxx> 
wrote:
> The only problem I can think of off the top of my head is that certain
> firewalls (openbsd comes to mind) do packet normalization which defeats
> p0f. So if someone was going to work on this I would suggest taking p0f
> information with a grain of salt.
>
> -Blake
>
> Matt Jonkman wrote:
> > Stray thought: ANyone ever seen or thought about integrating p0f into
> > snort? P0f is an OS detection tool that's uncannily accurate by tcp
> > behavior, totally passive.
> >
> > What if we were to have p0f just feed it's thoughts about a client to a
> > flowbit, we'd be able to query that flowbit to get the p0f reading on
> > whether a source or dest is a certain OS? Like
> >
> > flowbits:isnotset,p0f.src.is.WinXPSP2;
> >
> > That'd allow us a lot of possibilities in eliminating false positives,
> > or attacks to machines that are not relevant. Or blocking inbound email
> > from XP boxes (likely bots)
> >
> > More I think about it, more possibilities come to mind.
> >
> > Any coders interested in looking into that?
> >
> > Matt
> >
> >
>
> --
> Blake Matheny
> bmatheny-YBzcoN68hchIf6P1QZMOBw@xxxxxxxxxxxxxxxx
> http://mobocracy.net
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs


--
sguil - The Analyst Console for NSM
http://sguil.sf.net