[Bro] Bro scripts

Martin Holste mcholste at gmail.com
Fri Oct 29 06:53:03 PDT 2010


Thanks for sharing that.  Obviously in a corporate environment (or any
in which desktops are managed) most user agents will appear the same
because they are all running the same browser version.  However, I
have seen that for guest wireless and other public access points, the
amount of plugins, .NET versions, etc. makes the UAs fairly unique,
so off the bat your mileage will vary depending on the client class.
Using the detected OS would certainly be more accurate, but the
chances of an attacker having the same OS as the victim are pretty
good, so you'll obviously have to deal with a lot of false negatives.
Maybe concatenating the p0f signature with the user agent is the best
way to get a pseudo machine ID.

On Fri, Oct 29, 2010 at 8:12 AM, Justin Azoff <JAzoff at uamail.albany.edu> wrote:
> On Thu, Oct 28, 2010 at 11:23:03PM -0400, Seth Hall wrote:
>> I think your point about NAT gets to a more general point of what
>> techniques could we use to detect NAT?
>
> Using user-agents for this is tricky.  I've written some code to analyze
> the output of your http-user-agents.log in splunk, and found that the
> best thing to look at is the architecture and os, and ignore the
> browser itself.
>
> the script I use is here:
>
> http://github.com/JustinAzoff/splunk-scripts/blob/master/ua2os.py
>
> it's for use in splunk, but it's 90% regexes, stuff like this:
>
> os_mapping = (
>    ('Windows .. 5.1', 'Windows XP'),
>    ('Windows .. 5.2', 'Windows XP'),
>    ('Windows NT 6.0', 'Windows Vista'),
>    ('Windows 6.0', 'Windows Server 2008'),
>    ('Windows NT 6.1', 'Windows 7'),
>    ('OS X 10.5', 'MAC OS X 10.5.x'),
>    ('Darwin', 'MAC OS X other'),
>    ...
>    ('Android', 'Android'),
>    ('Linux ', 'Linux'),
>    ('Windows', 'Windows - Other'),
>    ('iPad', 'ipad'),
>    ('iPod', 'ipod'),
>    ('iPhone', 'iphone'),
> )
>
> arch_mapping = (
>    ('Windows .. 5.2', 'x64'),
>    ('x64', 'x64'),
>    ...
>    ('iPad', 'ipad'),
>    ('iPod', 'ipod'),
>    ('iPhone', 'iphone'),
>    ('Intel', 'Intel'),
> )
>
> It is not uncommon to have one machine using multiple browsers, but rare
> for it to identify as both Vista and Windows 7, or both i386 and x64, or
> Windows XP and Mac OS X 10.5.
>
> Also, some user-agents can immediately identify NAT: iOS and android
> devices do not have ethernet interfaces, so if one of these devices is
> found on a non-wireless subnet it indicates the presence of a rogue access
> point.
>
> --
> -- Justin Azoff
> -- Network Security & Performance Analyst
>
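As an added illustration of the approach Justin describes (example code, not from ua2os.py or from either poster): an ordered regex table maps each user agent to OS and architecture while ignoring the browser, a source IP that presents conflicting OS or architecture is flagged as a NAT candidate, and a mobile OS seen on a wired-only subnet is flagged as a possible rogue access point. The tables, the `src_ip<TAB>user_agent` log layout, the sample lines and the `10.2.0.0/16` wired subnet are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Ordered (regex, label) tables like ua2os.py's; abbreviated and assumed here, first match wins.
OS_MAPPING = (
    (r'iPhone|iPad|iPod', 'iOS'),
    (r'Android', 'Android'),  # before 'Linux': Android UAs also contain "Linux"
    (r'Windows NT 5\.1', 'Windows XP'),
    (r'Windows NT 6\.1', 'Windows 7'),
    (r'Mac OS X 10[._]5', 'Mac OS X 10.5.x'),
    (r'Linux', 'Linux'),
)
ARCH_MAPPING = (
    (r'WOW64|Win64|x64|x86_64', 'x64'),
    (r'Intel', 'Intel'),
)
MOBILE_OS = {'iOS', 'Android'}  # no Ethernet interface, so not expected on wired subnets

def classify(ua):
    """Map a User-Agent string to (os, arch), ignoring the browser itself."""
    def lookup(table):
        return next((label for pat, label in table if re.search(pat, ua)), 'unknown')
    return lookup(OS_MAPPING), lookup(ARCH_MAPPING)

def analyze(lines, wired_subnets):
    """lines are 'src_ip<TAB>user_agent'; returns (nat_candidates, rogue_ap_candidates)."""
    seen = defaultdict(set)
    for line in lines:
        ip, ua = line.rstrip('\n').split('\t', 1)
        seen[ip].add(classify(ua))
    wired = [ipaddress.ip_network(n) for n in wired_subnets]
    nat, rogue = set(), set()
    for ip, fps in seen.items():
        oses = {o for o, _ in fps} - {'unknown'}   # ignore UAs that reveal nothing
        archs = {a for _, a in fps} - {'unknown'}
        if len(oses) > 1 or len(archs) > 1:  # one host rarely reports two OSes or arches
            nat.add(ip)
        if oses & MOBILE_OS and any(ipaddress.ip_address(ip) in n for n in wired):
            rogue.add(ip)  # mobile OS on a wired-only subnet: possible rogue AP
    return nat, rogue

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "10.1.1.5\tMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.10 Chrome/8.0",
    "10.1.1.5\tMozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0",
    "10.1.1.9\tMozilla/5.0 (Windows NT 5.1) AppleWebKit/534.10 Chrome/8.0",
    "10.1.1.9\tMozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8) Safari/533.18",
    "10.2.0.7\tMozilla/5.0 (iPhone; U; CPU iPhone OS 4_1 like Mac OS X) Safari/6531",
]
WIRED_SUBNETS = ["10.2.0.0/16"]  # assumed: subnets that carry no wireless clients
```

Running `analyze(SAMPLE_LOG, WIRED_SUBNETS)` flags 10.1.1.9 (Windows XP and Mac OS X from one address) as a NAT candidate and 10.2.0.7 (an iPhone on the wired range) as a rogue AP candidate.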