
Re: P0F in Snort?: msg#00189

security.ids.snort.bleedingsnort

Subject: Re: P0F in Snort?

Very cool. You have it doing a db lookup to p0f? Or a preproc?

Matt

Jack Pepper wrote:
> Quoting Matt Jonkman
> <jonkman-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx>:
>
>
>> We do also have to keep in mind that there will need to be cases where
>> the OS isn't known or wasn't identifiable. So maybe the above cases
>> would be like
>>
>> p0f: src_isXP, or src_is_unknown;
>>
>> This will require logic. Also the ability to generalize, like is any
>> form of windows, is a server version of windows, maybe even
>> was_patched_this_decade. :)
>
> What I did in my POC was map the 33 unique fingerprints of p0f onto
> generalized OS types. I ended up with a smaller number (maybe 15? I am
> not in front of that computer right now) of different "ostypes":
> Windows, Linux, Solaris, Xnix. It is not a one to one mapping, but
> that's ok. Then I added an "unknown" entry.
>
> On the setting of attributes, I concluded that there is no reason to
> ever have an "and" function in the rule sets: "is linux and is
> solaris". Nope. So the attribute field wound up looking like this with
> multiple fields being "or"d together:
>
> ostype: src,winxp2000,unk;
>
> or
>
> ostype: dest,solaris,linux;
>
> or
>
> ostype: dest,xnix, cisco;
>
> You get the idea. The src and dest keywords are required, and only one
> is allowed.
>
> jp
>
> -------------------------------------------------
> Email solutions, MS Exchange alternatives and extrication,
> security services, systems integration.
> Contact: services-MMNQ1ylbVXZN8Ch2cx6nig@xxxxxxxxxxxxxxxx
>
>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc
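An added example, not code from this thread or from Jack's POC: a Python sketch of the `ostype:` option as he describes it (src/dest required and only one allowed, the listed types OR'd together, and an "unk" entry for hosts p0f could not identify). The genre-to-ostype table is an assumed one for illustration; the thread only says the real mapping collapsed p0f's fingerprints onto roughly fifteen types.

```python
import re

# Assumed table for this example: p0f genre labels (the first field of a p0f.fp
# signature) collapsed onto the generalized ostype keywords used in the thread.
# It is not the POC's actual mapping, just a plausible stand-in.
GENRE_TO_OSTYPE = {
    "Windows": "winxp2000",
    "Linux": "linux",
    "Solaris": "solaris",
    "FreeBSD": "xnix",
    "OpenBSD": "xnix",
    "NetBSD": "xnix",
    "Cisco": "cisco",
}
KNOWN_OSTYPES = set(GENRE_TO_OSTYPE.values()) | {"unk"}

# Matches the option as written in the rule body, e.g. "ostype: dest,xnix, cisco;"
OPTION_RE = re.compile(r"^\s*ostype\s*:\s*(.*?)\s*;\s*$")


def generalize(genre):
    """Collapse a p0f genre (or None when p0f had no match) to one ostype keyword."""
    return GENRE_TO_OSTYPE.get(genre, "unk")


def parse_ostype(option):
    """Parse 'ostype: <src|dest>,type[,type...];' into (direction, {types}).

    Exactly one of src/dest is required; the remaining fields are OR'd together.
    """
    m = OPTION_RE.match(option)
    if not m:
        raise ValueError("not an ostype option: %r" % option)
    fields = [f.strip() for f in m.group(1).split(",") if f.strip()]
    directions = [f for f in fields if f in ("src", "dest")]
    if len(directions) != 1:
        raise ValueError("exactly one of src/dest is required")
    types = set(fields) - {"src", "dest"}
    if not types:
        raise ValueError("at least one ostype is required")
    unknown = types - KNOWN_OSTYPES
    if unknown:
        raise ValueError("unknown ostype(s): %s" % ", ".join(sorted(unknown)))
    return directions[0], types


def match(option, src_genre, dest_genre):
    """True when the generalized OS of the selected endpoint is in the rule's OR list."""
    direction, types = parse_ostype(option)
    genre = src_genre if direction == "src" else dest_genre
    return generalize(genre) in types
```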

