[Bro] Sanity check - Grabbing platform tokens from browser user agents (was p0f)

Justin Azoff JAzoff at albany.edu
Fri Jan 31 16:12:42 PST 2014


On Wed, Jan 29, 2014 at 05:35:46PM -0600, Gary Faulkner wrote:
> event http_header(c: connection, is_orig: bool, name: string, value: string)
> {
>     local platform = "Unknown OS";	
>     if ( is_orig )
>         {
> 	if ( name == "USER-AGENT" && /Windows NT 5.1/ in value )
> 		{
> 		platform = "Windows XP";
> 		}
>         else if ( name == "USER-AGENT" && /Windows NT 6.0/ in value )
>                 {
> 		platform = "Windows Vista";
>                 }
>         else if ( name == "USER-AGENT" && /Windows NT 6.1/ in value )
>                 {
>                 platform = "Windows 7";
>                 }
..

Modifying the http_header event handler as follows will increase performance:

event http_header(c: connection, is_orig: bool, name: string, value: string)
{
    # Return early so the pattern matches only run on client User-Agent headers
    if ( !is_orig || name != "USER-AGENT" )
        return;
    local platform = "Unknown OS";
    if ( /Windows NT 5.1/ in value )
        platform = "Windows XP";
    else if ...

FWIW, I used to do this kind of thing outside of bro using splunk:

https://github.com/JustinAzoff/splunk-scripts/blob/master/ua2os.py

One thing you may want to do is rather than use the http_header event
use

event log_software(rec: Info)
{
    ...
}

which will be raised every time a new software version is seen.  The
software framework is already pulling most of the info out that you
might need, so you can piggyback on the work that it is doing.

-- 
-- Justin Azoff
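The User-Agent to platform mapping discussed above, as an added example that is not code from the thread or from the ua2os.py script linked in it: it generalizes the `Windows NT x.y` lookup to a table, checks a few non-Windows tokens in an order that avoids false matches (an iPhone agent also says "like Mac OS X"), and tallies platforms per originating host over constructed http.log-style lines so a host that suddenly reports a second platform is easy to spot in an inventory. The Windows 8/8.1/10 tokens and the sample log are assumptions, not from the post.

```python
import re
from collections import Counter

# "Windows NT" tokens from the thread, extended with later versions that use the
# same scheme (the 6.2, 6.3 and 10.0 entries are assumptions, not from the post).
WINDOWS_NT = {
    "5.1": "Windows XP",
    "6.0": "Windows Vista",
    "6.1": "Windows 7",
    "6.2": "Windows 8",
    "6.3": "Windows 8.1",
    "10.0": "Windows 10",
}
NT_RE = re.compile(r"Windows NT (\d+\.\d+)")
OTHER = [  # order matters: Android agents also say "Linux", iPhone agents say "Mac OS X"
    (re.compile(r"\bAndroid\b"), "Android"),
    (re.compile(r"iPhone|iPad"), "iOS"),
    (re.compile(r"Mac OS X"), "Mac OS X"),
    (re.compile(r"\bLinux\b"), "Linux"),
]

def ua2os(value: str) -> str:
    """Map a User-Agent header value to a platform name ("Unknown OS" if no token)."""
    m = NT_RE.search(value)
    if m:
        return WINDOWS_NT.get(m.group(1), "Windows (NT %s)" % m.group(1))
    for rx, name in OTHER:
        if rx.search(value):
            return name
    return "Unknown OS"

# Constructed http.log-style lines (tab separated): ts, id.orig_h, user_agent
SAMPLE_LOG = """\
1391212542.0\t10.0.0.5\tMozilla/5.0 (Windows NT 5.1; rv:26.0) Gecko/20100101 Firefox/26.0
1391212543.0\t10.0.0.6\tMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/32.0.1700.76
1391212544.0\t10.0.0.7\tMozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.73.11
1391212545.0\t10.0.0.5\tMozilla/5.0 (Windows NT 5.1; rv:26.0) Gecko/20100101 Firefox/26.0
1391212546.0\t10.0.0.8\tcurl/7.35.0
"""

def platforms_per_host(log_text: str) -> dict:
    """Return {orig_h: Counter({platform: hits})}; several platforms on one host stand out."""
    seen = {}
    for line in log_text.splitlines():
        if not line or line.startswith("#"):  # skip Bro log header lines and blanks
            continue
        ts, orig_h, ua = line.split("\t", 2)
        seen.setdefault(orig_h, Counter())[ua2os(ua)] += 1
    return seen
```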