Snort mailing list archives

Re: How to detect OS with Snort?

From: Borja Luaces <borja.luaces () gmail com>
Date: Thu, 17 May 2012 12:54:18 +0200

Hello all,

The problem is that I can NOT install anything in the snort system.

I can ONLY use snort rules.

I am making tests with the preproccesor http_inspect.

On Thu, May 17, 2012 at 11:47 AM, Jason Haar <Jason_Haar () trimble com> wrote:

On 17/05/12 04:02, Olaf Schreck wrote:

In OpenSource land, p0f is the best tool to go about detecting OSes.

Or OpenBSDs pf firewall which has this functionality built in.


...except I wouldn't trust either to make blocking decisions. I've used
p0f for years and even though it's very useful, it still gets a lot of
packets wrong - eg Windows systems declared as Linux - and 3 packets
later being Windows. Great metadata - but I wouldn't block/alert on it

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




-- 
Borja Luaces Altares
Administrador/Analista de Sistemas (MCSE Security,C|EH & CSSA)

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Re: Fwd: How to detect OS with Snort?, (continued)
- - - Re: Fwd: How to detect OS with Snort? Kevin Ross (May 09)
    - Re: Fwd: How to detect OS with Snort? Borja Luaces (May 09)
    - Re: Fwd: How to detect OS with Snort? Peter Bates (May 09)
    - Re: Fwd: How to detect OS with Snort? Paul Schmehl (May 09)
    - Re: Fwd: How to detect OS with Snort? Borja Luaces (May 09)
    - Re: Fwd: How to detect OS with Snort? Kevin Ross (May 09)
- Re: How to detect OS with Snort? Kevin Ross (May 09)
  - Re: How to detect OS with Snort? Joel Esler (May 16)
    - Re: How to detect OS with Snort? Olaf Schreck (May 16)
    - Re: How to detect OS with Snort? Jason Haar (May 17)
    - Re: How to detect OS with Snort? Borja Luaces (May 17)