[Bro] TCP options of a SYN packet

Michal Purzynski michalpurzynski1 at gmail.com
Wed Dec 2 15:44:21 PST 2015

Indeed. Modern OSes literally scream their versions over the network. Personally, I find Bro's software detection capability useful for determining the applications and libraries used on devices I cannot log in to. Think IoT.

Doing OS recognition per packet, based on IP options, has always been a poor idea: it is prone to false positives, difficult to update, and does not scale.

> On 02 Dec 2015, at 22:26, Vlad Grigorescu <vladg at illinois.edu> wrote:
> Thomas,
> Bro has p0f support built-in. See:
> https://www.bro.org/sphinx/scripts/base/bif/event.bif.bro.html#id-OS_version_found
> That being said, the original p0f fingerprints are very out of date, and
> it's possible that Bro will stop supporting p0f in the future. I did
> some research on the fingerprints with the Windows XP end of life, and
> ended up leveraging some of Bro's other capabilities to write a much
> better detection:
> https://github.com/bro/bro/blob/master/scripts/policy/frameworks/software/windows-version-detection.bro
> Generally, I think the interest is in moving up the stack and performing
> this kind of fingerprinting at a higher, more reliable, layer.
>  --Vlad
> Thomas Tan <thomastan81 at gmail.com> writes:
>> Dear Seth,
>> Actually, I am writing a module using the outputs from Bro to detect
>> Operating Systems running on remote host machines. I need to get the
>> fingerprints of these OS for classification. I want to know if there is any
>> means to obtain p0f-like OS fingerprints.
>> Best regards,
>> Thomas
>>> On 2 December 2015 at 17:34, Seth Hall <seth at icir.org> wrote:
>>>> On Dec 2, 2015, at 10:41 AM, Thomas Tan <thomastan81 at gmail.com> wrote:
>>>> It cannot get TCP options and the order of the options down from a SYN
>>>> packet.
>>> It sounds like you might want to write your own plugin but it might even
>>> be possible that that’s not enough and you’d have to add a feature to Bro’s
>>> core to generate an event only for SYN packets. (although you generally
>>> have to be very careful about even generating an event for a single packet).
>>>  .Seth
>>> --
>>> Seth Hall
>>> International Computer Science Institute
>>> (Bro) because everyone has a network
>>> http://www.bro.org/
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
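The thread turns on getting the TCP options, in wire order, out of a SYN, which Bro did not expose at the time. The following is an added example, not code from the thread or from Bro: a small parser that walks the option list of a raw TCP header and produces a p0f-style layout string, run on a constructed SYN header (not a real capture) with a typical mss,sok,ts,nop,ws layout.

```python
import struct

# TCP option kinds: RFC 793 (eol, nop, mss), RFC 7323 (ws, ts), RFC 2018 (sok, sack).
OPT_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sok", 5: "sack", 8: "ts"}

def is_syn(tcp_header: bytes) -> bool:
    """True for a pure SYN (SYN set, ACK clear), the packet p0f-style signatures use."""
    return (tcp_header[13] & 0x12) == 0x02

def parse_tcp_options(tcp_header: bytes):
    """Return [(name, value), ...] for the options of a raw TCP header, in wire order."""
    data_offset = (tcp_header[12] >> 4) * 4          # header length incl. options
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts, out, i = tcp_header[20:data_offset], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                  # end of option list
            out.append(("eol", None))
            break
        if kind == 1:                                  # single-byte padding
            out.append(("nop", None))
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("truncated or malformed option")   # never trust the length byte
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            value = struct.unpack("!H", body)[0]       # MSS
        elif kind == 3 and len(body) == 1:
            value = body[0]                            # window scale shift count
        elif kind == 8 and len(body) == 8:
            value = struct.unpack("!II", body)         # (TSval, TSecr)
        else:
            value = body                               # sok has no body; unknown kinds stay raw
        out.append((OPT_NAMES.get(kind, f"opt{kind}"), value))
        i += length
    return out

def option_layout(tcp_header: bytes) -> str:
    """p0f-style option order string, e.g. 'mss,sok,ts,nop,ws'."""
    return ",".join(name for name, _ in parse_tcp_options(tcp_header))

# Constructed sample (not a capture): SYN, 40-byte header (data offset 10), options mss=1460, sackOK, ts, nop, wscale=7.
SAMPLE_SYN = (
    struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 10 << 4, 0x02, 29200, 0, 0)
    + bytes([2, 4, 0x05, 0xB4, 4, 2, 8, 10]) + struct.pack("!II", 123456, 0) + bytes([1, 3, 3, 7])
)
```

The layout string plus the decoded MSS and window scale are the inputs a p0f-style signature matcher would compare against a fingerprint database; the length checks matter because option bytes arrive from untrusted hosts.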
