Re: P0F in Snort?: msg#00177 (security.ids.snort.bleedingsnort)
Jack Pepper wrote:
>
> P0f in snort: I can write a working POC plugin in a day. Help me with
> some design decisions:
>
> Option 1:
> P0f runs in a standalone mode writing output to a database output. We
> should restrict it to the RFC1918 addresses, because our DMZ servers
> will be approached by multiple remote hosts with the same public
> address. Or we could just "null out" any addresses that give
> conflicting results.
>
> Then the snort plug-in will do an OS lookup, similar to Matt's
> suggestion:
> p0f: src,is.XP;
> or
> p0f: dest,is.xnix;
>
> Option 2:
> P0f runs as a preprocessor? Hmm, I don't like that because p0f
> needs to capture multiple packets to make a good decision.

From other comments, it sounds like this may be the best way to go. If making a preproc is easier now, it'd likely be most efficient, especially since we have to see multiple packets.

We do also have to keep in mind that there will need to be cases where the OS isn't known or wasn't identifiable. So maybe the above cases would be like p0f: src_isXP; or src_is_unknown; This will require logic. Also the ability to generalize, like is any form of Windows, is a server version of Windows, maybe even was_patched_this_decade. :)

Matt

> Option 3:
> ??
>
> Help me out here.
>
> jp
>
>
> -------------------------------------------------
> Email solutions, MS Exchange alternatives and extrication,
> security services, systems integration.
> Contact: services-MMNQ1ylbVXZN8Ch2cx6nig@xxxxxxxxxxxxxxxx
>
>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc
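The design Jack and Matt sketch above (a p0f result store consulted by a rule option, restricted to RFC 1918 addresses, with conflicting results nulled out, and with "unknown" and generalised predicates such as "any form of Windows") can be modelled in a few dozen lines. The block below is an added illustration written for this page; it is not code from the thread, from p0f or from Snort, and it does not use the Snort plugin API. The observation list is constructed sample data standing in for p0f's database output, and the option syntax (`src_is_xp`, `dst_is_unknown`, ...) and predicate names are assumptions chosen for the demo, not an agreed rule-language.

```python
"""Model of the p0f-lookup-in-Snort design discussed in the thread.

Added illustration only. Assumptions: p0f observations arrive as (ip, genre)
pairs; rule options look like '<src|dst>_is_<predicate>'.
"""
import ipaddress
from collections import defaultdict

# Constructed sample observations (not real p0f output). Genre strings
# loosely follow p0f's "Windows XP SP2" / "Linux 2.6" style.
OBSERVATIONS = [
    ("10.0.0.5", "Windows XP SP2"),
    ("10.0.0.5", "Windows XP SP2"),
    ("10.0.0.9", "Linux 2.6"),
    ("192.168.1.20", "Windows 2003"),
    ("192.168.1.20", "Windows 2003"),
    ("203.0.113.7", "Windows XP SP2"),  # public NAT address: many hosts behind it
    ("203.0.113.7", "Linux 2.4"),
    ("172.16.4.4", "FreeBSD 5.x"),
    ("172.16.4.4", "Linux 2.6"),         # internal host with conflicting guesses
]

PRIVATE_NETS = tuple(
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


def is_rfc1918(ip: str) -> bool:
    """True for addresses inside the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def build_os_table(observations, private_only: bool = True) -> dict:
    """Collapse p0f observations into one genre per IP.

    With private_only, public addresses are dropped entirely (Jack's
    restriction: a DMZ server sees many hosts behind one public IP). An
    address whose observations disagree is stored as None, i.e. "nulled out".
    """
    seen = defaultdict(set)
    for ip, genre in observations:
        if private_only and not is_rfc1918(ip):
            continue
        seen[ip].add(genre)
    return {ip: (next(iter(g)) if len(g) == 1 else None) for ip, g in seen.items()}


# Predicates take the stored genre (None = unknown, never seen, or conflicting).
# "windows" and "winserver" are the generalised checks Matt asks for.
PREDICATES = {
    "unknown": lambda g: g is None,
    "windows": lambda g: g is not None and g.startswith("Windows"),
    "xp": lambda g: g is not None and g.startswith("Windows XP"),
    "winserver": lambda g: g is not None
    and any(g.startswith("Windows " + v) for v in ("NT", "2000", "2003")),
    "xnix": lambda g: g is not None
    and g.split()[0] in ("Linux", "FreeBSD", "OpenBSD", "NetBSD", "Solaris"),
}


def evaluate(table: dict, option: str, src: str, dst: str) -> bool:
    """Evaluate an assumed rule option such as 'src_is_xp' or 'dst_is_unknown'
    against the src/dst of one packet. Malformed options raise, as a rule
    loader should reject them at parse time rather than silently match."""
    side, sep, pred = option.partition("_is_")
    if not sep or side not in ("src", "dst") or pred not in PREDICATES:
        raise ValueError(f"bad p0f option: {option!r}")
    ip = src if side == "src" else dst
    return PREDICATES[pred](table.get(ip))


if __name__ == "__main__":
    table = build_os_table(OBSERVATIONS)
    for opt, src, dst in (
        ("src_is_xp", "10.0.0.5", "10.0.0.9"),
        ("dst_is_xnix", "10.0.0.5", "10.0.0.9"),
        ("src_is_unknown", "172.16.4.4", "10.0.0.9"),   # nulled out: conflict
        ("src_is_unknown", "203.0.113.7", "10.0.0.9"),  # public, never stored
        ("src_is_winserver", "192.168.1.20", "10.0.0.9"),
    ):
        print(f"{opt:18} {src:>14} -> {dst:<12} {evaluate(table, opt, src, dst)}")
```

Two points the model makes explicit: a never-seen address and a nulled-out address both evaluate as unknown, so a rule written as `src_is_unknown` fires in either case and cannot distinguish "p0f has not seen this host" from "p0f saw contradictory fingerprints"; if that distinction matters, store a sentinel for conflicts instead of None. And with `private_only=False` the public NAT address is kept but ends up nulled out anyway, which is the "null out conflicting addresses" alternative Jack mentions.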