[Bro] TCP options of a SYN packet
michalpurzynski1 at gmail.com
Wed Dec 2 15:44:21 PST 2015
Indeed. Modern OS literally scream their versions over the network. Personally I find Bro's software detection capability to determine applications and libraries used on devices I cannot login to. Think IoT.
Doing OS recognition per packet, based on IP options has always been a poor idea. Prone to false positives, difficult to update and does not scale.
> On 02 Dec 2015, at 22:26, Vlad Grigorescu <vladg at illinois.edu> wrote:
> Bro has p0f support built-in. See:
> That being said, the original p0f fingerprints are very out of date, and
> it's possible that Bro will stop supporting p0f in the future. I did
> some research on the fingerprints with the Windows XP end of life, and
> ended up leveraging some of Bro's other capabilities to write a much
> better detection:
> Generally, I think the interest is in moving up the stack and performing
> this kind of fingerprinting at a higher, more reliable, layer.
> Thomas Tan <thomastan81 at gmail.com> writes:
>> Dear Seth,
>> Actually, I am writing a module using the outputs from Bro to detect
>> Operating Systems running on remote host machines. I need to get the
>> fingerprints of these OS for classification. I want to know if there is any
>> means to obtain p0f-like OS fingerprints.
>> Best regards,
>>> On 2 December 2015 at 17:34, Seth Hall <seth at icir.org> wrote:
>>>> On Dec 2, 2015, at 10:41 AM, Thomas Tan <thomastan81 at gmail.com> wrote:
>>>> It cannot get TCP options and the order of the options down from a SYN
>>> It sounds like you might want to write your own plugin but it might even
>>> be possible that that’s not enough and you’d have to add a feature to Bro’s
>>> core to generate an event only for SYN packets. (although you generally
>>> have to be very careful about even generating an event for a single packet).
>>> Seth Hall
>>> International Computer Science Institute
>>> (Bro) because everyone has a network
>> Bro mailing list
>> bro at bro-ids.org
> Bro mailing list
> bro at bro-ids.org
More information about the Bro