Re: P0F in Snort?

Devil's advocate here. Another thing to keep in mind is that
SourceFire owns a number of patents in regards to RNA technology. They
are also being sued by a company over some of the capability within
RNA.  Just wanted to bring that up since this is a "dirty" space to
play in right now.

Bammkkkk


On 1/27/07, Jack Pepper <pepperjack-MMNQ1ylbVXZN8Ch2cx6nig@xxxxxxxxxxxxxxxx> 
wrote:
> Pof in snort:  I can write a working POC plugin in a day.  Help me
> with some design decisions:
>
> Option 1:
>    POF runs in a standalone mode writing output to a database output.
> We should restrict it to the RFC1918 addresses, because our DMZ
> servers will be approached by multiple remote hosts with the same
> public address.  Or we could just "Null-Out" any addresses that give
> conflicting results.
>
>    Then the snort plug-in will do an OS lookup, similar to Matt's suggestion:
>           pof: src,is.XP;
>     or
>           pof: dest,is.xnix;
>
> Option 2:
>    POF runs as a preproccessor ?  Hmm, I don't like that because POF
> needs to capture multiple packets to make a good decision.
>
> Option 3:
>    ??
>
> Help me out here.
>
> jp
>
>
>
> -------------------------------------------------
> Email solutions, MS Exchange alternatives and extrication,
> security services, systems integration.
> Contact:    services-MMNQ1ylbVXZN8Ch2cx6nig@xxxxxxxxxxxxxxxx
>
>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs


--
sguil - The Analyst Console for NSM
http://sguil.sf.net