[Bro-Dev] [JIRA] (BIT-1286) Add policy script for Windows version detection via CryptoAPI HTTP Traffic

Aashish Sharma asharma at lbl.gov
Mon Nov 3 11:05:56 PST 2014


This is a very neat policy for sure!!

On Mon, Nov 03, 2014 at 12:56:07PM -0600, grigorescu (JIRA) wrote:
> 
>     [ https://bro-tracker.atlassian.net/browse/BIT-1286?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18702#comment-18702 ] 
> 
> grigorescu commented on BIT-1286:
> ---------------------------------
> 
> Forgot to mention the branch :-). It's in topic/vladg/cryptoapi
> 
> > Add policy script for Windows version detection via CryptoAPI HTTP Traffic
> > --------------------------------------------------------------------------
> >
> >                 Key: BIT-1286
> >                 URL: https://bro-tracker.atlassian.net/browse/BIT-1286
> >             Project: Bro Issue Tracker
> >          Issue Type: New Feature
> >          Components: Bro
> >    Affects Versions: git/master
> >            Reporter: grigorescu
> >
> > Windows systems access a Microsoft Certificate Revocation List (CRL) periodically. The user agent for these requests reveals which version of Crypt32.dll is installed on the system, which can uniquely identify the version of Windows that's running.
> > This branch adds a Software framework policy script that will log the version of Windows that was identified.
> 

-- 
Aashish Sharma	(asharma at lbl.gov) 				 
Cyber Security, 
Lawrence Berkeley National Laboratory  
http://go.lbl.gov/pgp-aashish 
Office: (510)-495-2680  Cell: (510)-612-7971
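
The detection described in the quoted issue, sketched in Python as an added example (this is not the script in topic/vladg/cryptoapi). The version table, the four-column log layout and the sample lines are constructed for illustration; the user agent is client-supplied, so the result is an inventory hint and hosts reporting more than one version are flagged.

```python
import re
from collections import defaultdict

# Assumed mapping (not taken from the branch): NT version in the UA -> release.
NT_VERSIONS = {
    "6.0": "Windows Vista or Server 2008",
    "6.1": "Windows 7 or Server 2008 R2",
    "6.2": "Windows 8 or Server 2012",
    "6.3": "Windows 8.1 or Server 2012 R2",
    "10.0": "Windows 10 or later",
}
# Older systems send the full Crypt32.dll file version, 5.131.<build>.<rev>.
LEGACY_BUILDS = {"2195": "Windows 2000", "2600": "Windows XP",
                 "3790": "Windows Server 2003 or XP x64"}
UA_RE = re.compile(r"^Microsoft-CryptoAPI/(\d+(?:\.\d+){1,3})$")

def windows_version(user_agent):
    """Return a Windows release string, or None if this is not a CryptoAPI UA."""
    m = UA_RE.match(user_agent.strip())
    if not m:
        return None
    parts = m.group(1).split(".")
    unknown = "Unknown Windows (CryptoAPI %s)" % m.group(1)
    if parts[:2] == ["5", "131"] and len(parts) >= 3:
        return LEGACY_BUILDS.get(parts[2], unknown)
    return NT_VERSIONS.get(".".join(parts[:2]), unknown)

def inventory(lines):
    """Map client IP -> set of Windows versions seen in its CryptoAPI requests."""
    seen = defaultdict(set)
    for line in lines:
        _ts, client, _host, user_agent = line.rstrip("\n").split("\t")
        version = windows_version(user_agent)
        if version is not None:
            seen[client].add(version)
    return dict(seen)

def ambiguous(inv):
    """Clients reporting several versions: NAT, dual boot, or a forged UA."""
    return sorted(ip for ip, versions in inv.items() if len(versions) > 1)

# Constructed sample: ts, client IP, Host header, User-Agent (tab separated).
SAMPLE = [
    "1415041556.0\t10.0.0.5\tcrl.microsoft.com\tMicrosoft-CryptoAPI/6.1",
    "1415041600.0\t10.0.0.6\tcrl.microsoft.com\tMicrosoft-CryptoAPI/5.131.2600.5512",
    "1415041700.0\t10.0.0.5\texample.com\tMozilla/5.0",
    "1415041800.0\t10.0.0.7\tcrl.microsoft.com\tMicrosoft-CryptoAPI/6.3",
    "1415041900.0\t10.0.0.7\tcrl.microsoft.com\tMicrosoft-CryptoAPI/6.1",
]

if __name__ == "__main__":
    inv = inventory(SAMPLE)
    print(inv, ambiguous(inv))
```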