|
|
Choosing A Webhost: |
Re: P0F in Snort?: msg#00177security.ids.snort.bleedingsnort
Jack Pepper wrote: > > Pof in snort: I can write a working POC plugin in a day. Help me with > some design decisions: > > Option 1: > POF runs in a standalone mode writing output to a database output. We > should restrict it to the RFC1918 addresses, because our DMZ servers > will be approached by multiple remote hosts with the same public > address. Or we could just "Null-Out" any addresses that give > conflicting results. > > Then the snort plug-in will do an OS lookup, similar to Matt's > suggestion: > pof: src,is.XP; > or > pof: dest,is.xnix; > > Option 2: > POF runs as a preproccessor ? Hmm, I don't like that because POF > needs to capture multiple packets to make a good decision. >From other comments, it sounds like this may be the best way to go. If making a preproc is easier now, it'd likely be most efficient. Especially since we have to see multiple packets. We do also have to keep i mind that there will need to be cases where the OS isn't known or wasn't identifiable. So maybe the above cases would be like p0f: src_isXP, or src_is_unknown; This will require logic. Also the ability to generalize, like is any form of windows, is a server version of windows, maybe even was_patched_this_decade. :) Matt > > Option 3: > ?? > > Help me out here. > > jp > > > > ------------------------------------------------- > Email solutions, MS Exchange alternatives and extrication, > security services, systems integration. > Contact: services-MMNQ1ylbVXZN8Ch2cx6nig@xxxxxxxxxxxxxxxx > > > _______________________________________________ > Bleeding-sigs mailing list > Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx > http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs -- -------------------------------------------- Matthew Jonkman Bleeding Edge Threats 765-429-0398 765-807-3060 fax http://www.bleedingthreats.net -------------------------------------------- PGP: http://www.bleedingthreats.com/mattjonkman.asc
|
|
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| Previous by Date: | Re: P0F in Snort?, Mike Guiterman |
|---|---|
| Next by Date: | Re: P0F in Snort?, Matt Jonkman |
| Previous by Thread: | Re: P0F in Snort?, Matt Jonkman |
| Next by Thread: | Re: P0F in Snort?, Jack Pepper |
| Indexes: | [Date] [Thread] [Top] [All Lists] |
Free MagazinesCisco NewsReceive a free quarterly e-newsletter with exclusive articles on how Cisco IT uses its own products and solutions to enable the business. subscribe Systems Management News, the newspaper for IT systems administration and data center managers! Each issue of Systems Management News is chock-full of news and analysis to help you understand what's happening in your field. subscribe The Enterprise Newsweekly eWeek is the essential technology information source for builders of e-business. subscribe Oracle Magazine Oracle Magazine contains technology strategy articles, sample code, tips, Oracle and partner news, how to articles for developers and DBAs, and more. Oracle (NASDAQ: ORCL) is the world's largest enterprise software company. subscribe Total Telecom Total Telecom is "The Economist of the communications industry". subscribe |