Snort mailing list archives
Passive OS Detection
From: Joshua Wright <Joshua.Wright () jwu edu>
Date: Tue, 18 Sep 2001 10:28:30 -0400
Has anyone given any thought to adding passive OS detection as a reporting option - either through Snort directly, or perhaps as an option in ACID?

Lance Spitzner wrote a paper called "Know Your Enemy: Passive Fingerprinting - IDing remote hosts, without them knowing" in which he describes a scenario where we watch TTL, Window Size, DF bit and TOS to make a guess as to the remote OS type. (http://project.honeynet.org/papers/finger/).

I find myself manually looking up information in ACID to make the remote OS determination from time to time, and think it would be another nice-to-have to add to the TODO list. A proof-of-concept perl tool is available at http://project.honeynet.org/papers/finger/passfing.tar.gz.

Thoughts?

-Joshua Wright
Team Leader, Networks and Systems
Johnson & Wales University
Joshua.Wright () jwu edu
pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD44B4A73
fingerprint: FD A5 12 FC F3 91 37 40 E0 AE BD B6 8F E2 FC 0A D4 4B 4A 73
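The matching the post describes (TTL, window size, DF bit and TOS compared against a table of known values) as an added example; this is not code from the post, from Snort, or from the honeynet passfing tool. The signature table, the sample packet records and the function names are all assumptions constructed for illustration, so the OS labels should not be read as authoritative.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

@dataclass(frozen=True)
class Sig:
    os: str
    initial_ttl: int        # TTL the OS sets when it sends the packet
    window: Optional[int]   # None means "any window size"
    df: bool                # Don't Fragment bit set?
    tos: int                # Type of Service byte

# Assumed, illustrative signatures (not an authoritative fingerprint database).
SIGNATURES: List[Sig] = [
    Sig("Linux 2.2 (assumed)", 64, 32120, True, 0),
    Sig("Windows 2000 (assumed)", 128, 17520, True, 0),
    Sig("Solaris 2.x (assumed)", 255, 8760, True, 0),
    Sig("Cisco IOS (assumed)", 255, 4128, False, 0),
]

def initial_ttl(observed_ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value (32/64/128/255).
    The distance to that value is a rough hop-count estimate."""
    for candidate in (32, 64, 128, 255):
        if observed_ttl <= candidate:
            return candidate
    raise ValueError(f"TTL out of range: {observed_ttl}")

def fingerprint(ttl: int, window: int, df: bool, tos: int,
                sigs: List[Sig] = SIGNATURES) -> Tuple[str, int]:
    """Return (os_guess, estimated_hops). Prefer a match on all four fields;
    fall back to TTL/DF/TOS only, since window size varies with MSS and scaling."""
    init = initial_ttl(ttl)
    base = [s for s in sigs if s.initial_ttl == init and s.df == df and s.tos == tos]
    exact = [s for s in base if s.window is None or s.window == window]
    if exact:
        return exact[0].os, init - ttl
    if base:
        return "possibly " + base[0].os, init - ttl
    return "unknown", init - ttl

# Constructed sample of SYN packets, as an IDS might log the header fields.
SAMPLE = [
    {"src": "10.0.0.5",   "ttl": 52,  "window": 32120, "df": True,  "tos": 0},
    {"src": "10.0.0.9",   "ttl": 118, "window": 9999,  "df": True,  "tos": 0},
    {"src": "192.0.2.44", "ttl": 200, "window": 4128,  "df": False, "tos": 0},
]

def enrich(records: List[dict]) -> List[Tuple[str, str, int]]:
    """Annotate each record with the OS guess and hop estimate, as an alert
    reporting option (the post's ACID/Snort use case) would."""
    return [(r["src"], *fingerprint(r["ttl"], r["window"], r["df"], r["tos"]))
            for r in records]

if __name__ == "__main__":
    for src, guess, hops in enrich(SAMPLE):
        print(f"{src:12} {guess:32} ~{hops} hops away")
```

Window size is the weakest of the four fields (it depends on MSS, window scaling and tuning), so the fallback branch matters more than the table suggests.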
Current thread:
- Passive OS Detection Joshua Wright (Sep 18)
- RE: Passive OS Detection Jyri Hovila (Sep 18)