
Re: P0F in Snort?: msg#00187

security.ids.snort.bleedingsnort

Subject: Re: P0F in Snort?

Quoting Matt Jonkman
<jonkman-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx>:


> We do also have to keep in mind that there will need to be cases where
> the OS isn't known or wasn't identifiable. So maybe the above cases
> would be like
>
> p0f: src_isXP, or src_is_unknown;
>
> This will require logic. Also the ability to generalize, like is any
> form of windows, is a server version of windows, maybe even
> was_patched_this_decade. :)

What I did in my POC was map the 33 unique fingerprints of p0f onto generalized OS types. I ended up with a smaller number (maybe 15? I am not in front of that computer right now) of different "ostypes": Windows, Linux, Solaris, Xnix. It is not a one to one mapping, but that's ok. Then I added an "unknown" entry.

On the setting of attributes, I concluded that there is no reason to ever have an "and" function in the rule sets: "is linux and is solaris". Nope. So the attribute field wound up looking like this with multiple fields being "or"d together:

ostype: src,winxp2000,unk;

or

ostype: dest,solaris,linux;

or

ostype: dest,xnix,cisco;

You get the idea. The src and dest keywords are required, and only one is allowed.

jp

-------------------------------------------------
Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact: services-MMNQ1ylbVXZN8Ch2cx6nig@xxxxxxxxxxxxxxxx
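As an added example (not code from this thread, from Snort, or from the POC jp describes), the C sketch below implements the rule-option semantics laid out in the post: a many-to-one map from raw p0f OS labels onto a handful of generalized "ostypes" plus an "unknown" entry, an `ostype:` option whose first field must be exactly one of `src` or `dest`, and remaining fields that are OR'd together rather than AND'd. The class names, the prefix table and the function names are assumptions for illustration; p0f's real fingerprint labels are not reproduced here.

```c
#include <stdio.h>
#include <string.h>

/* Generalized OS classes.  Names are assumptions for this example; the
   post lists Windows, Linux, Solaris, Xnix, cisco and an "unknown" entry. */
enum ostype {
    OS_UNKNOWN = 0, OS_WINXP2000, OS_WINDOWS, OS_LINUX,
    OS_SOLARIS, OS_XNIX, OS_CISCO, OS_COUNT
};

/* Keywords accepted in the rule option, indexed by enum ostype. */
static const char *const ostype_names[OS_COUNT] = {
    "unk", "winxp2000", "windows", "linux", "solaris", "xnix", "cisco"
};

/* Many-to-one map from a p0f OS label to a class.  Labels are matched by
   prefix, so more specific prefixes must come first.  Constructed table,
   not p0f's fingerprint database. */
static const struct { const char *prefix; enum ostype type; } fp_table[] = {
    { "Windows XP",   OS_WINXP2000 }, { "Windows 2000", OS_WINXP2000 },
    { "Windows",      OS_WINDOWS   }, { "Linux",        OS_LINUX     },
    { "Solaris",      OS_SOLARIS   }, { "SunOS",        OS_SOLARIS   },
    { "FreeBSD",      OS_XNIX      }, { "OpenBSD",      OS_XNIX      },
    { "NetBSD",       OS_XNIX      }, { "Cisco",        OS_CISCO     },
};

/* Collapse a raw p0f label onto a class; NULL (no fingerprint) is unknown. */
enum ostype generalize(const char *p0f_label)
{
    size_t i;
    if (p0f_label == NULL)
        return OS_UNKNOWN;
    for (i = 0; i < sizeof fp_table / sizeof fp_table[0]; i++)
        if (strncmp(p0f_label, fp_table[i].prefix, strlen(fp_table[i].prefix)) == 0)
            return fp_table[i].type;
    return OS_UNKNOWN;
}

/* A parsed "ostype:" option: which endpoint to look at, and a bitmask of
   classes that satisfy it.  Fields are OR'd together; there is no AND. */
struct ostype_opt {
    int use_src;     /* 1 = src, 0 = dest */
    unsigned mask;   /* bit (1u << ostype) set for each accepted class */
};

/* Parse the body of an ostype option, e.g. "src,winxp2000,unk;".
   Returns 0 on success, -1 on a syntax error: the first field must be src
   or dest, it may appear only once, every other field must be a known
   class name, and at least one class is required.  Whitespace around
   fields is tolerated. */
int parse_ostype_option(const char *body, struct ostype_opt *out)
{
    char buf[256];
    char *tok;
    int have_dir = 0;
    unsigned mask = 0;

    if (body == NULL || strlen(body) >= sizeof buf)
        return -1;
    strcpy(buf, body);

    for (tok = strtok(buf, ",; \t\n"); tok != NULL; tok = strtok(NULL, ",; \t\n")) {
        int i, found = 0;
        if (strcmp(tok, "src") == 0 || strcmp(tok, "dest") == 0) {
            if (have_dir)
                return -1;                /* only one direction allowed */
            have_dir = 1;
            out->use_src = (tok[0] == 's');
            continue;
        }
        if (!have_dir)
            return -1;                    /* direction keyword must come first */
        for (i = 0; i < OS_COUNT; i++)
            if (strcmp(tok, ostype_names[i]) == 0) { mask |= 1u << i; found = 1; break; }
        if (!found)
            return -1;                    /* unknown class name */
    }
    if (!have_dir || mask == 0)
        return -1;
    out->mask = mask;
    return 0;
}

/* Evaluate a parsed option against the p0f labels for a packet's two
   endpoints (either may be NULL when p0f produced no match). */
int ostype_match(const struct ostype_opt *opt, const char *src_label, const char *dst_label)
{
    enum ostype t = generalize(opt->use_src ? src_label : dst_label);
    return (opt->mask & (1u << t)) != 0;
}

int main(void)
{
    /* Constructed labels for three packets; the rule covers the
       "source is XP or source is unknown" case the post raises. */
    struct ostype_opt opt;
    if (parse_ostype_option("src,winxp2000,unk;", &opt) != 0)
        return 1;
    printf("src=XP      match=%d\n", ostype_match(&opt, "Windows XP SP1", "Linux 2.4"));
    printf("src=unknown match=%d\n", ostype_match(&opt, NULL, "Linux 2.4"));
    printf("src=Linux   match=%d\n", ostype_match(&opt, "Linux 2.4", NULL));
    return 0;
}
```

Because an unfingerprinted endpoint collapses to `unk` rather than failing the option outright, a rule author has to opt in to the unknown case explicitly, which is the behaviour the thread is arguing for; an option that names only `winxp2000` will not fire on traffic p0f could not classify.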

