MasterTB
Corporal

 Joined: Feb 13, 2007 Posts: 51 Location: Argentina
Posted: Fri Jul 13, 2007 8:41 pm Post subject: OS Fingerprinting
Hi, as I get more involved in my system's security, I start to look at everything that can be done to prevent breaches from the outside, and one of the most important and oldest tricks I can remember to break into a system is to do an OS fingerprint, which would tell you what you're dealing with and how to deal with it.
Now the only firewall I remember that was capable of preventing an OS fingerprint was the Sygate firewall, which we all know was bought by Symantec and... well... disappeared.
Is there any way to add rules to the IDS system or create a packet filtering rule or set of rules in SPF to do exactly that? I mean prevent an OS fingerprint?
The reason I'm asking is because the more I read the more techniques I find to do that, and I'm no expert, so I can't create rules myself with that kind of expertise.
chimplyirresistible
Private

 Joined: Jun 06, 2007 Posts: 38 Location: USA
Posted: Mon Jul 16, 2007 2:00 pm
There are Snort rules available (Google for them) that can do this, but they are particularly catered to detect NMAP being used. The problem is that if a user knows a particular port that is not being filtered, such as a web server, then they can typically query that port to find more information, such as IIS running on the machine, etc.
It's not just a particular "packet" of information that you can query for; however, that being said, I urge you to try to use NMAP to scan your machine to see if in fact the OS fingerprinting is turned off. By default, NMAP will ping your machine, and if it's not replying, it will halt the test. If you do test with NMAP, make sure to turn that feature off, as SPF will/should block the ping attempt.
Here are just a few you can add:
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "SCAN NMAP -sO"; dsize: 0; ip_proto: 21; reference:arachnids,162; classtype: attempted-recon; sid: 2000536; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "SCAN NMAP -sS"; fragbits: !D; dsize: 0; flags: S,12; ack: 0; window: 2048; reference:arachnids,162; classtype: attempted-recon; sid: 2000537; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "SCAN NMAP -sA (1)"; fragbits: !D; dsize: 0; flags: A,12; window: 1024; reference:arachnids,162; classtype: attempted-recon; sid: 2000538; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "SCAN NMAP -sA (2)"; fragbits: !D; dsize: 0; flags: A,12; window: 3072; reference:arachnids,162; classtype: attempted-recon; sid: 2000540; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "SCAN NMAP -f -sF"; fragbits: !M; dsize: 0; flags: F,12; ack: 0; window: 2048; reference:arachnids,162; classtype: attempted-recon; sid: 2000543; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "SCAN NMAP -f -sN"; fragbits: !M; dsize: 0; flags: 0,12; ack: 0; window: 2048; reference:arachnids,162; classtype: attempted-recon; sid: 2000544; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "SCAN NMAP -f -sS"; fragbits: !M; dsize: 0; flags: S,12; ack: 0; window: 2048; reference:arachnids,162; classtype: attempted-recon; sid: 2000545; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "SCAN NMAP -f -sX"; fragbits: !M; dsize: 0; flags: FPU,12; ack: 0; window: 2048; reference:arachnids,162; classtype: attempted-recon; sid: 2000546; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap fingerprint attempt"; stateless; flags:SFPU; reference:arachnids,05; classtype:attempted-recon; sid:629; rev:2;)
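As an added illustration, not part of the post and not Snort's own matching engine: a small Python matcher that parses three of the rules quoted above and evaluates their option keywords against constructed packet descriptions, so you can see why the ",12" suffix on flags ignores the ECN bits, what "!D" / "!M" fragbits require, and why an ordinary browser SYN does not fire the -sS rule. The packet dict layout and the SAMPLE traffic are assumptions made for this example.

```python
# Subset of the Snort rules posted above, used here as sample rule input.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "SCAN NMAP -sS"; fragbits: !D; dsize: 0; flags: S,12; ack: 0; window: 2048; sid: 2000537;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "SCAN NMAP -f -sX"; fragbits: !M; dsize: 0; flags: FPU,12; ack: 0; window: 2048; sid: 2000546;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap fingerprint attempt"; stateless; flags:SFPU; sid:629;)',
]

def parse_rule(text):
    """Split a Snort rule into its header fields and an option dict."""
    head, body = text.split("(", 1)
    action, proto, src, sport, _, dst, dport = head.split()
    options = {}
    for item in body.rstrip(") ").split(";"):
        key, _, val = item.strip().partition(":")
        if key:
            options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "options": options}

def flags_match(spec, pkt_flags):
    """'flags:SFPU' is an exact match; the ',12' suffix makes Snort ignore the
    two reserved bits (CWR/ECE) before comparing; '0' means no flags at all."""
    want, _, mask = spec.partition(",")
    ignored = {"C" if m == "1" else "E" for m in mask}
    wanted = set() if want == "0" else set(want)
    return set(pkt_flags) - ignored == wanted

def rule_matches(rule, pkt):
    """Check the keywords the posted rules use against one decoded packet dict."""
    o = rule["options"]
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    for key in ("dsize", "ack", "window", "ip_proto"):
        if key in o and pkt.get(key) != int(o[key]):
            return False
    if "fragbits" in o:  # '!X' requires bit X clear, plain 'X' requires it set
        bits, clear = o["fragbits"].lstrip("!"), o["fragbits"].startswith("!")
        if any((b in pkt["fragbits"]) == clear for b in bits):
            return False
    return "flags" not in o or flags_match(o["flags"], pkt["flags"])

def scan_alerts(packets, rules=RULES):
    """Return the msg of every rule each packet triggers, in packet order."""
    parsed = [parse_rule(r) for r in rules]
    return [r["options"]["msg"] for p in packets for r in parsed if rule_matches(r, p)]

# Constructed sample traffic: nmap-style SYN probe, Xmas probe with an ECN bit set (masked by ',12'), ordinary browser SYN.
SAMPLE = [
    {"proto": "tcp", "flags": "S", "dsize": 0, "ack": 0, "window": 2048, "fragbits": ""},
    {"proto": "tcp", "flags": "FPUE", "dsize": 0, "ack": 0, "window": 2048, "fragbits": "D"},
    {"proto": "tcp", "flags": "S", "dsize": 0, "ack": 0, "window": 65535, "fragbits": "D"},
]
```

Running scan_alerts(SAMPLE) yields only the first two packets' alerts; the browser SYN fails both the window check and the "!D" fragbits check, which is the kind of false-positive margin these signatures rely on.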
MasterTB
Corporal

 Joined: Feb 13, 2007 Posts: 51 Location: Argentina
Posted: Mon Jul 16, 2007 2:09 pm Post subject: still learning
Hi, I'll add the rules, but... tell me where! (jajaja)
And how exactly do I use NMAP? Like I said, I'm still learning and there are a few tools I don't quite understand yet.
Thanks in advance!
chimplyirresistible
Private

 Joined: Jun 06, 2007 Posts: 38 Location: USA
Posted: Mon Jul 16, 2007 2:23 pm
You can go to C:\Program Files\Sunbelt Software\Personal Firewall\Config\IDSRules and edit any one of the .rlk files that you wish. Just copy and paste it into one of the .rlk files and restart SPF. In fact, I think you can even use sunbelt.rlk and just add them there.
As far as NMAP goes, it's a GUI-based tool but does require some basic TCP/IP knowledge to use. If you are familiar with Linux, you can download a live CD called BackTrack 2 and run NMAP from there. Otherwise, it's off to Google you go to learn how to use NMAP.
If you don't know Linux, then you can download the Windows version of NMAP, though I have personally never used it. You can get it from http://download.insecure.org/nmap/dist/nmap-4.20-setup.exe
MasterTB
Corporal

 Joined: Feb 13, 2007 Posts: 51 Location: Argentina
Posted: Mon Jul 16, 2007 2:50 pm
Got it. Thanks.