[prads-users] How do I submit that prads is labeling OS's wrong?
Edward Bjarte Fjellskål
edward.fjellskal at redpill-linpro.com
Fri May 21 12:17:44 CEST 2010
Andy Berryman wrote:
> I have attached the logs. I can provide more if needed. Seems every single one is wrong.
Taking a quick look at your files, I can quickly say this:
read the doc/README.stream5 and frag3 in the snort source tar file.
Windows 7 is not defined there so we need to ask Sourcefire/Snort Team
where that would go :)
Second, for the frag policy there seems to be just one option for all
Windows versions (Windows).
Also, I don't have any Windows 7 machines, and I haven't personally
collected any W7 signatures. If you can confirm that you have a freshly
installed, not-tampered-with-tcp-stack Windows 7, the PRADS project
would love to see some SYN and SYNACK sig contributions :)
Also SYNs and ACKs from ws2k3-64bit-standard, and verify that the
32-enterprise is the correct SYN signature; I can update the info
to add ws2k3-e to it.
$ cat ws2k3-32bit-enterprise.log |grep SYN,
18.104.22.168,0,20,6,SYN,[65535:128:1:48:M1380,N,N,S:.:Windows:2000 SP4, XP SP1+:link:GPRS, T1, FreeS/WAN],0,1274314005
It matches the sig in etc/tcp-syn.fp:
65535:128:1:48:M*,N,N,S:.:Windows:2000 SP4, XP SP1+
We might make the info like: Windows:2000 SP4, XP SP1+, 2003 E
Though normally 2003 and Vista are more alike, I don't have access to
Windows hosts to verify :(
> > They all show as XP.
In the host_attribute.xml file, what I have been aiming at, is to
get the frag3 and stream5 arguments right.
In frag3, Windows (95/98/NT4/W2K/XP) will use the same policy:
windows - Windows 98, NT, 2000, XP (and others not specifically listed
win2003 - Windows 2003 Server
vista - Windows Vista
Got to run,
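To make the signature-matching step in the thread concrete (how a logged SYN like `65535:128:1:48:M1380,N,N,S:.` lines up with the `M*` wildcard entry in etc/tcp-syn.fp), here is an added example matcher written for this page; it is not PRADS's own code. It assumes p0f-v2-style field semantics for the colon-separated fingerprint (window size, initial TTL, DF flag, packet size, TCP options, quirks), treats `*` in the window-size field and in `M`/`W` option tokens as wildcards, understands the `S<n>` (n times MSS) and `%<n>` (multiple of n) window forms, and allows the observed TTL to sit up to 32 hops below the signature's initial TTL. The first signature is the one quoted in the message; the second signature and the Linux-style observation are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumption: observed TTL may be at most this many hops below the
# signature's initial TTL (a common p0f-style heuristic, not a PRADS constant).
MAX_HOPS = 32

# Constructed samples: the first log line and signature are the ones quoted in
# the message (log line re-joined onto one line); the rest are made up here.
SAMPLE_LOG = ("18.104.22.168,0,20,6,SYN,[65535:128:1:48:M1380,N,N,S:.:Windows:"
              "2000 SP4, XP SP1+:link:GPRS, T1, FreeS/WAN],0,1274314005")
SIGNATURES = [
    "65535:128:1:48:M*,N,N,S:.:Windows:2000 SP4, XP SP1+",
    "S4:64:1:60:M*,S,T,N,W7:.:Linux:2.6 (constructed sig)",
]


@dataclass
class Fingerprint:
    wsize: str            # kept as text: may be "*", "S4", "%8192" or a number
    ttl: int
    df: int
    size: int
    options: List[str] = field(default_factory=list)
    quirks: str = "."
    os: str = ""
    details: str = ""


def parse_fields(fields: List[str], os: str = "", details: str = "") -> Fingerprint:
    """Build a Fingerprint from the six leading colon-separated fields."""
    wsize, ttl, df, size, opts, quirks = fields[:6]
    return Fingerprint(wsize, int(ttl), int(df), int(size),
                       opts.split(",") if opts else [], quirks, os, details)


def parse_signature(sig: str) -> Fingerprint:
    """tcp-syn.fp line: wsize:ttl:df:size:options:quirks:os:details."""
    parts = sig.split(":", 7)
    return parse_fields(parts[:6], parts[6], parts[7])


def parse_log_fingerprint(line: str) -> Fingerprint:
    """Pull the [..] fingerprint out of a PRADS log line; only the first six
    fields are observed values, the rest is PRADS's own guess appended to it."""
    m = re.search(r"\[(.*)\]", line)
    if not m:
        raise ValueError("no fingerprint in log line")
    return parse_fields(m.group(1).split(":"))


def mss_of(options: List[str]) -> Optional[int]:
    for o in options:
        if o.startswith("M") and o[1:].isdigit():
            return int(o[1:])
    return None


def wsize_matches(pattern: str, observed: int, mss: Optional[int]) -> bool:
    if pattern == "*":
        return True
    if pattern.startswith("S"):           # window is n * MSS
        return mss is not None and mss > 0 and observed == int(pattern[1:]) * mss
    if pattern.startswith("%"):           # window is a multiple of n
        return observed % int(pattern[1:]) == 0
    return observed == int(pattern)


def option_matches(pat: str, obs: str) -> bool:
    if pat == obs:
        return True
    if pat in ("M*", "W*"):               # any MSS / any window scale value
        return obs[:1] == pat[0] and obs[1:].isdigit()
    return False


def matches(sig: Fingerprint, obs: Fingerprint) -> bool:
    """Does an observed SYN fit a signature? Exact except for the wildcards."""
    if not wsize_matches(sig.wsize, int(obs.wsize), mss_of(obs.options)):
        return False
    if not (obs.ttl <= sig.ttl and sig.ttl - obs.ttl < MAX_HOPS):
        return False
    if (sig.df, sig.size, sig.quirks) != (obs.df, obs.size, obs.quirks):
        return False
    if len(sig.options) != len(obs.options):
        return False
    return all(option_matches(p, o) for p, o in zip(sig.options, obs.options))


def identify(log_line: str, signatures: List[str]) -> Optional[Tuple[str, str, int]]:
    """Return (os, details, hop_distance) for the first matching signature."""
    obs = parse_log_fingerprint(log_line)
    for raw in signatures:
        sig = parse_signature(raw)
        if matches(sig, obs):
            return sig.os, sig.details, sig.ttl - obs.ttl
    return None


if __name__ == "__main__":
    print(identify(SAMPLE_LOG, SIGNATURES))
```

The point the example makes is that the lookup is purely structural: the message's ws2k3 SYN hits the "2000 SP4, XP SP1+" entry because only the MSS value is wildcarded, so a host attribute file built from it will inherit whatever label that line carries, which is exactly why the thread talks about widening the details text rather than changing the matching.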