
Re: P0F in Snort?: msg#00175

security.ids.snort.bleedingsnort

Subject: Re: P0F in Snort?

As a p0f lover, I guess I'll chime in here. I think that an external
p0f process that wrote to a DB for lookups would be the most
extensible for doing things like writing custom reports on what OSes
are attacking, etc., and possibly feeding into other apps. However, I
think that even the small task of doing a SELECT from the database
would be an unacceptable performance loss. I think that
realistically, a preprocessor would be the only way to go. As I
understand it, the new stream5 API should have all the tools we need
to write a multi-packet p0f preprocessor. Also, I don't think that
the online database lookups would be worth it; I would suggest simply
updating the p0f sigs with the Bleeding sigs (or some other method of
incremental mass updates).

I suppose that the other option would be to convert p0f sigs _into_
Bleeding sigs and just run them as normal noalert rules. That would
make setting flowbits a lot easier, but that is a LOT of sigs. You
could, however, pick and choose some. So Matt's example of XP sending
mail would work if you just wrote a sig that detects XP and then the
follow-up to alert when the XP flowbit is set.

I think that running p0f along with Netflow stats, etc., is a very
necessary part of the network forensics toolkit. I also recommend
something like urlsnarf (or a backend connection to your web
cache/nanny) to create an easy-to-lookup repository of what web events
occurred in relation to your Snort alerts.

--Martin
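The "detect XP, then alert when the XP host sends mail" idea from the post above, as an added example that is not code from the thread or from p0f/Snort: a minimal p0f-v2-style SYN fingerprint matcher plus a per-host "flowbit" correlation step. The signature lines and SYN records are constructed for illustration (same field layout as p0f v2 signatures, but not copied from p0f.fp), and the TTL tolerance is a simplification of p0f's real distance logic.

```python
from dataclasses import dataclass

# Constructed signatures in p0f v2 layout: window:ttl:df:size:options:quirks:os
SIGS = [
    "65535:128:1:48:M*,N,N,S:.:Windows XP",
    "5840:64:1:60:M*,S,T,N,W0:.:Linux 2.4/2.6",
]

@dataclass
class Syn:
    src: str      # source host
    dport: int    # destination port (25 == SMTP)
    window: int   # TCP window size
    ttl: int      # TTL as observed on the wire
    df: int       # don't-fragment bit
    size: int     # total SYN packet size
    options: str  # option layout, e.g. "M1460,N,N,S"

def parse_sig(line):
    window, ttl, df, size, opts, quirks, os_name = line.split(":", 6)
    return {"window": window, "ttl": int(ttl), "df": int(df),
            "size": int(size), "options": opts, "os": os_name}

def options_match(sig_opts, pkt_opts):
    # "M*" is a wildcard MSS; every other option token must match exactly, in order
    s, p = sig_opts.split(","), pkt_opts.split(",")
    if len(s) != len(p):
        return False
    return all(a == b or (a == "M*" and b.startswith("M")) for a, b in zip(s, p))

def ttl_match(sig_ttl, pkt_ttl):
    # Signatures carry the initial TTL; allow up to 31 hops of decrement (simplified)
    return 0 <= sig_ttl - pkt_ttl < 32

def fingerprint(syn, sigs=SIGS):
    """Return the OS label of the first matching signature, or None."""
    for sig in map(parse_sig, sigs):
        if (sig["window"] in ("*", str(syn.window)) and ttl_match(sig["ttl"], syn.ttl)
                and sig["df"] == syn.df and sig["size"] == syn.size
                and options_match(sig["options"], syn.options)):
            return sig["os"]
    return None

def correlate(syns):
    """Flowbit-style correlation: remember the OS per source host, then alert
    when a host tagged as Windows XP opens an SMTP (port 25) connection."""
    os_by_host, alerts = {}, []
    for syn in syns:
        os_name = fingerprint(syn)
        if os_name:
            os_by_host[syn.src] = os_name  # the "flowbit" for this host
        if syn.dport == 25 and os_by_host.get(syn.src, "").startswith("Windows XP"):
            alerts.append(f"{syn.src}: Windows XP host sending mail")
    return alerts
```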

On 1/29/07, Matt Jonkman
<jonkman-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx> wrote:
Michael Scheidell wrote:
>>
> My anti-spam engine already uses p0f ;-) given to us via amavisd-new.
>
> Interesting all the companies that still use windows server 2000 service
> pack 2 ...

:)

Can you tell what the rate of spam is from non-server OSes? Like XP, NT
workstation, Me, etc.? If there is a high rate there, then that's some
validation that there's possibility here.

Matt


--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc


_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs


