[Bro] Bro scripts

Justin Azoff JAzoff at uamail.albany.edu
Fri Oct 29 06:12:40 PDT 2010


On Thu, Oct 28, 2010 at 11:23:03PM -0400, Seth Hall wrote:
> I think your point about NAT gets to a more general point of what
> techniques could we use to detect NAT?

Using user-agents for this is tricky.  I've written some code to analyze
the output of your http-user-agents.log in splunk, and found that the
best thing to look at is the architecture and os, and ignore the
browser itself.

The script I use is here:

http://github.com/JustinAzoff/splunk-scripts/blob/master/ua2os.py

It's for use in Splunk, but it's 90% regexes, stuff like this:

os_mapping = (
    ('Windows .. 5.1', 'Windows XP'),
    ('Windows .. 5.2', 'Windows XP'),
    ('Windows NT 6.0', 'Windows Vista'),
    ('Windows 6.0', 'Windows Server 2008'),
    ('Windows NT 6.1', 'Windows 7'),
    ('OS X 10.5', 'MAC OS X 10.5.x'),
    ('Darwin', 'MAC OS X other'),
    ...
    ('Android', 'Android'),
    ('Linux ', 'Linux'),
    ('Windows', 'Windows - Other'),
    ('iPad', 'ipad'),
    ('iPod', 'ipod'),
    ('iPhone', 'iphone'),
)

arch_mapping = (
    ('Windows .. 5.2', 'x64'),
    ('x64', 'x64'),
    ...
    ('iPad', 'ipad'),
    ('iPod', 'ipod'),
    ('iPhone', 'iphone'),
    ('Intel', 'Intel'),
)

It is not uncommon to have one machine using multiple browsers, but rare
for it to identify as both Vista and Windows 7, or both i386 and x64, or
Windows XP and Mac OS X 10.5.

Also, some user-agents can immediately identify NAT: iOS and Android
devices do not have ethernet interfaces, so if one of these devices is
found on a non-wireless subnet it indicates the presence of a rogue access
point.

-- 
-- Justin Azoff
-- Network Security & Performance Analyst
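An added example (my own code, not Justin's ua2os.py and not part of the original post) of the two heuristics described above: ordered regex tables in the style of the ones quoted classify each user-agent by OS and architecture, a client address whose agents disagree on either is flagged as a NAT suspect, and iOS/Android agents seen on a wired-only subnet are flagged as possible rogue access points. The table entries, sample records and subnet are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Ordered (regex, label) tables: first match wins, so specific patterns precede
# catch-alls. Constructed for this example; these are not the ua2os.py tables.
OS_MAPPING = (
    (r'iPhone|iPad|iPod', 'iOS'),
    (r'Android', 'Android'),
    (r'Windows NT 6\.0', 'Windows Vista'),
    (r'Windows NT 6\.1', 'Windows 7'),
    (r'OS X 10[._]5', 'Mac OS X 10.5.x'),
    (r'Windows', 'Windows - Other'),
)
ARCH_MAPPING = (
    (r'Windows .. 5\.2|x64|WOW64|Win64', 'x64'),
    (r'i[3-6]86', 'i386'),
    (r'Intel', 'Intel'),
)

def classify(ua, mapping):
    for pattern, label in mapping:  # label of the first matching pattern
        if re.search(pattern, ua):
            return label
    return None

def nat_suspects(records):
    """{ip: (os_set, arch_set)} for clients that claimed >1 OS or >1 architecture."""
    seen = defaultdict(lambda: (set(), set()))
    for ip, ua in records:
        for mapping, bucket in ((OS_MAPPING, seen[ip][0]), (ARCH_MAPPING, seen[ip][1])):
            label = classify(ua, mapping)
            if label is not None:  # unmatched agents must not count as a conflict
                bucket.add(label)
    return {ip: v for ip, v in seen.items() if len(v[0]) > 1 or len(v[1]) > 1}

def mobile_on_wired(records, wired_subnets):
    """iOS/Android clients on a wired-only subnet: evidence of a rogue access point."""
    nets = [ipaddress.ip_network(n) for n in wired_subnets]
    return sorted({ip for ip, ua in records
                   if classify(ua, OS_MAPPING) in ('iOS', 'Android')
                   and any(ipaddress.ip_address(ip) in n for n in nets)})

SAMPLE = [  # constructed (client_ip, user_agent) records, not real log data
    ('10.0.0.5', 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0'),
    ('10.0.0.5', 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)'),
    ('10.0.0.9', 'Mozilla/5.0 (Windows NT 6.0) AppleWebKit/534.10 Chrome/8.0 Safari/534.10'),
    ('10.0.0.9', 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8) AppleWebKit/533.17'),
    ('10.0.0.9', 'Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_1 like Mac OS X) Mobile/8B117'),
]
```

With the sample records, 10.0.0.5 (two browsers, one OS and one architecture) is left alone, while 10.0.0.9 is reported by both `nat_suspects(SAMPLE)` and `mobile_on_wired(SAMPLE, ['10.0.0.0/24'])`.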


