[Bro] Any thoughts on "Microsoft-CryptoAPI/10.0" user-agent?

fatema bannatwala fatema.bannatwala at gmail.com
Tue Feb 21 07:01:55 PST 2017


Thanks Seth, Mike and Keith for the confirmation, will update the script to
log it as win10 system! :)

Regards,
Fatema.

On Tue, Feb 21, 2017 at 9:41 AM, Mike Patterson <mike.patterson at uwaterloo.ca> wrote:

>
> > On Feb 21, 2017, at 09:26, Seth Hall <seth at icir.org> wrote:
> >
> >
> >> On Feb 21, 2017, at 8:40 AM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> >>
> >> I am trying to figure out what Windows operating system version has
> >> the user agent "Microsoft-CryptoAPI/10.0" when it accesses Microsoft
> >> Certificate Revocation List (CRL).
> >>
> >> I am seeing a good amount of these in software.log, where it ends up
> >> being "Unknown CryptoAPI Version" as the windows-version-detection.bro
> >> script doesn't have a mapping for that CryptoAPI.
> >
> > I suspect this is Windows 10.  Can someone out there validate that
> > suspicion so we can add that to the windows version detection script?
>
> I have Win10 down for CryptoAPI 6.4, along with Server 2016, but my notes
> there are pretty old (like, Win10 GA timeframe).
>
> I'm now seeing CryptoAPI 10.0 as well, confirmed on several hosts as being
> Win10. Maybe there's a difference between editions? I can't easily find out
> what versions ours are.
>
>
> >  .Set
>
> +h? ;)
>
> Mike
>
>