
Re: P0F in Snort?: msg#00177

security.ids.snort.bleedingsnort

Subject: Re: P0F in Snort?

Jack Pepper wrote:
>
> Pof in snort: I can write a working POC plugin in a day. Help me with
> some design decisions:
>
> Option 1:
> POF runs in a standalone mode writing output to a database output. We
> should restrict it to the RFC1918 addresses, because our DMZ servers
> will be approached by multiple remote hosts with the same public
> address. Or we could just "Null-Out" any addresses that give
> conflicting results.
>
> Then the snort plug-in will do an OS lookup, similar to Matt's
> suggestion:
> pof: src,is.XP;
> or
> pof: dest,is.xnix;
>
> Option 2:
> POF runs as a preprocessor? Hmm, I don't like that because POF
> needs to capture multiple packets to make a good decision.

From other comments, it sounds like this may be the best way to go. If
making a preproc is easier now, it'd likely be most efficient,
especially since we have to see multiple packets.

We do also have to keep in mind that there will need to be cases where
the OS isn't known or wasn't identifiable. So maybe the above cases
would be like

p0f: src_isXP, or src_is_unknown;

This will require logic, and also the ability to generalize: is it any
form of Windows, is it a server version of Windows, maybe even
was_patched_this_decade. :)

Matt


>
> Option 3:
> ??
>
> Help me out here.
>
> jp
>
>
>
> -------------------------------------------------
> Email solutions, MS Exchange alternatives and extrication,
> security services, systems integration.
> Contact: services-MMNQ1ylbVXZN8Ch2cx6nig@xxxxxxxxxxxxxxxx
>
>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc
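The design sketched in this thread, as an added example in Python (not code from the thread, from Snort or from p0f): a passive OS cache fed by observed SYNs that tracks only RFC1918 sources and nulls out any address that yields conflicting guesses, plus an evaluator for a hypothetical `p0f: <side>,<predicate>;` rule option supporting an exact OS match, an "unknown" case and generalized families such as "any Windows" or "a server Windows". The class and function names (`OsCache`, `p0f_match`, `parse_p0f_option`), the predicate spellings (`is_windows_xp`, `is_unknown`, `in_windows_server`) and the fingerprint table and sample SYNs are all assumptions constructed for this example; the table is not a set of real p0f signatures.

```python
"""Prototype of a p0f-style OS cache and `p0f:` rule option (added example)."""
from ipaddress import ip_address, ip_network

# Constructed, illustrative fingerprint table (NOT real p0f signatures):
# (initial TTL, TCP window, TCP option layout) -> OS label.
SIGNATURES = {
    (128, 65535, "M,N,W,N,N,S"): "Windows XP",
    (128, 16384, "M,N,W,N,N,S"): "Windows 2003",
    (64, 5840, "M,S,T,N,W"): "Linux 2.6",
}

# Generalization classes: "any form of Windows", "a server version", etc.
FAMILIES = {
    "Windows XP": {"windows", "windows_client"},
    "Windows 2003": {"windows", "windows_server"},
    "Linux 2.6": {"unix", "linux"},
}

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_UNSEEN = object()  # sentinel: distinct from None, which means "conflicting"


def initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common initial value."""
    for start in (32, 64, 128, 255):
        if observed_ttl <= start:
            return start
    return 255


def is_rfc1918(ip):
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


class OsCache:
    """Passive OS cache built from SYNs and consulted by the rule option.

    Only RFC1918 sources are tracked; a source whose SYNs match different
    OS labels (a NAT box or proxy) is nulled out (stored as None) rather than
    keeping whichever guess arrived last.
    """

    def __init__(self):
        self.guesses = {}

    def observe_syn(self, src, ttl, window, options):
        if not is_rfc1918(src):
            return
        label = SIGNATURES.get((initial_ttl(ttl), window, options))
        if label is None:
            return  # no matching signature: make no claim about this host
        prev = self.guesses.get(src, _UNSEEN)
        if prev is _UNSEEN:
            self.guesses[src] = label
        elif prev is not None and prev != label:
            self.guesses[src] = None  # conflicting results -> nulled out

    def lookup(self, ip):
        """OS label, or None when unseen, unidentifiable or conflicting."""
        return self.guesses.get(ip)


def slug(label):
    return label.lower().replace(" ", "_")


def parse_p0f_option(text):
    """Parse `p0f: src,is_windows_xp;` into ('src', 'is_windows_xp')."""
    body = text.strip()
    if not body.startswith("p0f:") or not body.endswith(";"):
        raise ValueError("not a p0f option: %r" % text)
    side, predicate = (p.strip() for p in body[4:-1].split(",", 1))
    if side not in ("src", "dst"):
        raise ValueError("side must be src or dst")
    return side, predicate


def p0f_match(cache, pkt, option):
    """Evaluate one rule option against a packet dict with 'src' and 'dst'.

    Predicates: is_unknown (no usable guess), is_<os slug> (exact label),
    in_<family> (a class from FAMILIES).
    """
    side, predicate = parse_p0f_option(option)
    label = cache.lookup(pkt[side])
    if predicate == "is_unknown":
        return label is None
    if label is None:
        return False  # an unknown host never satisfies a positive predicate
    if predicate.startswith("is_"):
        return slug(label) == predicate[3:]
    if predicate.startswith("in_"):
        return predicate[3:] in FAMILIES.get(label, set())
    raise ValueError("unsupported predicate %r" % predicate)


def demo():
    """Feed constructed SYNs (not captures) into the cache and evaluate options."""
    cache = OsCache()
    syns = [  # (src, observed TTL, window, options)
        ("10.0.0.5", 127, 65535, "M,N,W,N,N,S"),      # XP, one hop away
        ("10.0.0.9", 126, 65535, "M,N,W,N,N,S"),      # NAT box: first XP...
        ("10.0.0.9", 62, 5840, "M,S,T,N,W"),          # ...then Linux behind it
        ("10.0.0.7", 250, 4096, "M"),                 # matches no signature
        ("192.168.1.20", 128, 16384, "M,N,W,N,N,S"),  # Windows 2003
        ("203.0.113.4", 64, 5840, "M,S,T,N,W"),       # public source: ignored
    ]
    for s in syns:
        cache.observe_syn(*s)
    p = lambda src, dst: {"src": src, "dst": dst}
    return {
        "xp_is_xp": p0f_match(cache, p("10.0.0.5", "10.0.0.1"), "p0f: src,is_windows_xp;"),
        "xp_in_windows": p0f_match(cache, p("10.0.0.5", "10.0.0.1"), "p0f: src,in_windows;"),
        "nat_is_unknown": p0f_match(cache, p("10.0.0.9", "10.0.0.1"), "p0f: src,is_unknown;"),
        "nat_in_windows": p0f_match(cache, p("10.0.0.9", "10.0.0.1"), "p0f: src,in_windows;"),
        "nosig_is_unknown": p0f_match(cache, p("10.0.0.7", "10.0.0.1"), "p0f: src,is_unknown;"),
        "dst_is_server": p0f_match(cache, p("10.0.0.5", "192.168.1.20"), "p0f: dst,in_windows_server;"),
        "public_is_unknown": p0f_match(cache, p("10.0.0.5", "203.0.113.4"), "p0f: dst,is_unknown;"),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print("%-18s %s" % (name, hit))
```

The cache deliberately records None for a conflicting address instead of overwriting, so a rule written as `is_unknown` fires for both never-fingerprinted hosts and NAT'd addresses, and a positive predicate such as `in_windows` never fires on either; a real preprocessor would also need to age entries out, which this prototype omits.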

