[Bro] OS Fingerprinting

Thomas Tan thomastan81 at gmail.com
Tue Oct 20 04:00:48 PDT 2015


Hi All,

I am writing an extension of Operating System Fingerprinting for Bro, and
want to use the OS signatures generated (NOT the p0f fingerprint file) by
Bro in my component for classification.

To the best of my knowledge, the following two events can help collect
almost all the fields of an OS signature.

1) event tcp_option(c: connection, is_orig: bool, opt: count, optlen: count)
2) event connection_SYN_packet(c: connection, pkt: SYN_packet)

However, they are two separate events, and extra effort is required to
construct an accurate OS signature.

Just wondering if there is an event that can do it at one go?

Thank you in advance.

Best regards,

Thomas
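One way to stitch the two events together, as an added example that is not from the original post or from Bro itself: both handlers write into a hypothetical OSSignature record attached to the connection, and the record is read out in connection_state_remove, by which point both events have fired for the originator's SYN. The SYN_packet field names (is_orig, DF, ttl, size, win_size, win_scale, MSS, SACK_OK) are assumed to match Bro's default SYN_packet record; the TCP_SYN_SENT check is an assumption about the endpoint state at the time the tcp_option handler runs.

```bro
type OSSignature: record {
    ttl: count &optional;        win_size: count &optional;
    win_scale: int &optional;    mss: count &optional;
    df: bool &optional;          sack_ok: bool &optional;
    pkt_size: count &optional;
    # TCP option kinds in on-the-wire order (2=MSS, 1=NOP, 3=WScale, 4=SACK-OK, 8=TS)
    opts: vector of count &default=vector();
};

redef record connection += { osfp: OSSignature &optional; };

function get_sig(c: connection): OSSignature
{
    if ( ! c?$osfp )
        c$osfp = OSSignature();
    return c$osfp;  # records are reference values, so edits land in c$osfp
}

event tcp_option(c: connection, is_orig: bool, opt: count, optlen: count)
{
    # Assumption: the originator endpoint is in SYN_SENT only while its initial
    # SYN is handled, so options of later packets (e.g. timestamps) are skipped.
    if ( ! is_orig || c$orig$state != TCP_SYN_SENT )
        return;
    local s = get_sig(c);
    s$opts[|s$opts|] = opt;
}

event connection_SYN_packet(c: connection, pkt: SYN_packet)
{
    if ( ! pkt$is_orig )
        return;
    local s = get_sig(c);
    s$ttl = pkt$ttl;  s$win_size = pkt$win_size;  s$win_scale = pkt$win_scale;
    s$mss = pkt$MSS;  s$df = pkt$DF;  s$sack_ok = pkt$SACK_OK;  s$pkt_size = pkt$size;
}

# Both events have fired by the time the connection is torn down, so the
# assembled signature can be handed to a classifier here (printed for demo).
event connection_state_remove(c: connection)
{
    if ( ! c?$osfp || ! c$osfp?$ttl )
        return;
    local s = c$osfp;
    local o = "";
    for ( i in s$opts )
        o += fmt("%d,", s$opts[i]);
    print fmt("%s %s ttl=%d win=%d wscale=%d mss=%d df=%s sack=%s size=%d opts=%s",
              c$uid, c$id$orig_h, s$ttl, s$win_size, s$win_scale, s$mss, s$df, s$sack_ok, s$pkt_size, o);
}
```

Note that a retransmitted SYN will append its options a second time; a classifier should either reset opts on each connection_SYN_packet or tolerate the duplicate.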