[prads-users] [Snort-users] Hogger 0.1.3 released

Edward Bjarte Fjellskål edward.fjellskal at redpill-linpro.com
Mon Apr 5 17:38:14 CEST 2010


Andy Berryman wrote:
> So if I let it run for a while and say DHCP gives a new host the same IP that prads already has in the asset-log, does prads delete the old info and start new with the new host? 
> 
> 
> Say I have a windows XP machine with 192.168.1.10 and then tomorrow DHCP gives that IP to a linux machine. How does prads handle that? 
> 
> Thanks,
> Andy 

Hi Andy,

I have been off on holidays, but back now :)

./prads just prints out asset info as it sees it on the wire
(to /tmp/prads-asset.log)

So ./prads has no relation to what is running where and when kinda.

The thought is to have some outside logic to interpret the info
gathered from prads.

What prads2snort.pl and prads-asset-report.pl try to do though,
is to filter out when a host changes OS. They do this atm by looking
for the last SYN seen from the host, and use info 12 hours back
from that point, and onward in time, to decide by the info they then
have, what OS it is. This seems to fit OK in my environment and tests.
More input from users is appreciated :) on how to really do this, or
do it better.

So, in your example, ./prads will see the windows traffic, and
log it like that, and when you change to Linux, it will see that
and log it like that :)
If your machine sends SYNs:
prads2snort.pl will see the SYN from Windows the first day, and
the second day, it will see the SYN from Linux. If we are lucky
there are 12 hours between the SYNs, and the second run of prads2snort.pl
will give you the right OS.

Hope this helps, and any feedback is welcome :)

E
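The selection rule described in the reply above (take the last SYN seen from a host, keep only records from 12 hours before that SYN onward, and let those records decide the OS), worked through as an added example. This is not code from the thread or from PRADS itself; it is a small Python re-implementation of that rule. It assumes the asset-log line layout `asset,vlan,port,proto,service,[service-info],distance,discovered` with a Unix timestamp in `discovered`, and p0f-style SYN fingerprints of the form `wwww:ttl:df:ss:opts:quirks:OS:details`; the log lines are constructed for the Windows-then-Linux scenario from the question, and the tie-break (prefer the OS seen most recently when votes are equal) is this example's own choice, not something prads2snort.pl is documented to do.

```python
"""Re-implementation of the "last SYN, 12 hours back" OS-selection rule.

Added example, not PRADS code.  Assumptions (labelled as such):
  * asset-log layout: asset,vlan,port,proto,service,[service-info],distance,discovered
  * SYN/SYNACK service-info is p0f style: wwww:ttl:df:ss:opts:quirks:OS:details
  * equal vote counts are broken in favour of the most recently seen OS
"""
import re
from collections import defaultdict

WINDOW_SECONDS = 12 * 3600  # look 12 hours back from the last SYN

# One asset-log line; the bracketed service-info may itself contain commas.
LINE_RE = re.compile(
    r"^(?P<asset>[^,]+),(?P<vlan>[^,]*),(?P<port>[^,]*),(?P<proto>[^,]*),"
    r"(?P<service>[^,]*),\[(?P<info>.*)\],(?P<distance>[^,]*),(?P<discovered>\d+)$"
)

# Constructed sample log (not real PRADS output).  192.168.1.10 is a
# Windows XP box on day one and a Linux box on day two; 192.168.1.30 has
# an old Windows SYN far outside the window plus two Linux records inside it.
SAMPLE_LOG = """\
asset,vlan,port,proto,service,[service-info],distance,discovered
192.168.1.10,0,0,6,SYN,[65535:128:1:48:M1460,N,W0,N,N,S:.:Windows:XP],0,1270400000
192.168.1.10,0,445,6,SERVER,[smb:Windows XP],0,1270400100
192.168.1.10,0,0,6,SYN,[5840:64:1:60:M1460,S,T,N,W7:.:Linux:2.6],0,1270486400
192.168.1.10,0,22,6,SERVER,[ssh:OpenSSH 5.3p1],0,1270486500
192.168.1.20,0,0,6,SYN,[65535:128:1:48:M1460,N,W0,N,N,S:.:Windows:XP],0,1270400050
192.168.1.30,0,0,6,SYN,[65535:128:1:48:M1460,N,W0,N,N,S:.:Windows:XP],0,1270300000
192.168.1.30,0,80,6,SYNACK,[5792:64:1:60:M1460,S,T,N,W7:.:Linux:2.6],0,1270482800
192.168.1.30,0,0,6,SYN,[5840:64:1:60:M1460,S,T,N,W7:.:Linux:2.6],0,1270486400
"""


def parse_asset_log(text):
    """Parse asset-log text into dicts; header and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("asset,"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["discovered"] = int(rec["discovered"])
        records.append(rec)
    return records


def os_from_fingerprint(info):
    """Pull the OS name out of a p0f-style fingerprint (assumed layout above)."""
    parts = info.split(":")
    if len(parts) < 7:
        return None
    return parts[6] or None


def guess_os(records, window=WINDOW_SECONDS):
    """Map host -> OS using the last SYN as the reference point.

    Only SYN/SYNACK records dated from (last_syn - window) onward vote;
    service banners are kept in the log but do not vote here.
    """
    by_host = defaultdict(list)
    for r in records:
        by_host[r["asset"]].append(r)

    result = {}
    for host, recs in by_host.items():
        syn_times = [r["discovered"] for r in recs if r["service"] == "SYN"]
        if not syn_times:
            continue  # no SYN seen: nothing to anchor the window on
        cutoff = max(syn_times) - window

        votes = defaultdict(int)
        latest = defaultdict(int)  # most recent sighting per OS, for tie-break
        for r in recs:
            if r["service"] not in ("SYN", "SYNACK") or r["discovered"] < cutoff:
                continue
            os_name = os_from_fingerprint(r["info"])
            if os_name is None:
                continue
            votes[os_name] += 1
            latest[os_name] = max(latest[os_name], r["discovered"])

        if votes:
            result[host] = max(votes, key=lambda o: (votes[o], latest[o]))
    return result


def guess_os_from_text(text, window=WINDOW_SECONDS):
    """Convenience wrapper: raw asset-log text in, host -> OS out."""
    return guess_os(parse_asset_log(text), window)


if __name__ == "__main__":
    for host, os_name in sorted(guess_os_from_text(SAMPLE_LOG).items()):
        print(host, os_name)
```

The "unlucky" case from the reply is visible with this code too: if the Windows and Linux SYNs from 192.168.1.10 were only a few hours apart, both would fall inside the 12-hour window and the vote would be split; the example then falls back on its own most-recent-sighting tie-break, whereas the real scripts have no such guarantee, which is why the reply says a second run after 12 hours is needed to get the right answer.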
