[Bro] p0f OS fingerprinting question

Gary Faulkner gary at doit.wisc.edu
Wed Jan 29 11:41:47 PST 2014

You can disregard my last post. After re-reading some of the examples on 
the ryesecurity blog, stepping through some of the pre-packaged bro 
scripts, and lots of experimentation I'm most of the way to finishing my 
first bro script and logging the results where I want. Thanks again for 
the help.

On 1/28/2014 5:11 PM, Gary Faulkner wrote:
> On 1/27/2014 9:15 AM, Seth Hall wrote:
>> Basically the new version of p0f is something you could implement as 
>> a Bro script because he's just grabbing user-agent strings and stuff. 
> I've never really written a Bro script outside of some of the examples 
> from Bro Exchange, but would something like the below event be a valid 
> starting point? For reference I started by looking at 
> /bro/share/bro/policy/protocols/http/software.bro which already 
> appeared to be looking at browser user agents and just started 
> experimenting. Also, for learning purposes I'm OK with this not being 
> the most reliable data. I also tried the p0f example on some pcaps to 
> see what it could find after updating to a more recent fingerprint 
> file. My next steps might be to try figuring out how to send the 
> output to a custom log file, say "alleged_os.log".

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6257 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140129/901cfd87/attachment.bin 

More information about the Bro mailing list