[Bro] p0f OS fingerprinting question
Gary Faulkner
gary at doit.wisc.edu
Wed Jan 29 11:41:47 PST 2014
You can disregard my last post. After re-reading some of the examples on
the ryesecurity blog, stepping through some of the pre-packaged bro
scripts, and lots of experimentation I'm most of the way to finishing my
first bro script and logging the results where I want. Thanks again for
the help.
On 1/28/2014 5:11 PM, Gary Faulkner wrote:
> On 1/27/2014 9:15 AM, Seth Hall wrote:
>> Basically the new version of p0f is something you could implement as
>> a Bro script because he's just grabbing user-agent strings and stuff.
> I've never really written a Bro script outside of some of the examples
> from Bro Exchange, but would something like the below event be a valid
> starting point? For reference I started by looking at
> /bro/share/bro/policy/protocols/http/software.bro which already
> appeared to be looking at browser user agents and just started
> experimenting. Also, for learning purposes I'm OK with this not being
> the most reliable data. I also tried the p0f example on some pcaps to
> see what it could find after updating to a more recent fingerprint
> file. My next steps might be to try figuring out how to send the
> output to a custom log file, say "alleged_os.log".
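A minimal Bro/Zeek script of the kind discussed in this thread, added here as an illustration rather than code from the original post: it hooks the originator's User-Agent header, maps it to an OS family with a few hand-picked patterns (a constructed, deliberately rough heuristic, not p0f's fingerprint database), and writes each guess to a dedicated alleged_os.log. The module name, record fields and pattern table are all assumptions of this example.

```zeek
##! Constructed example: a "poor man's p0f" that guesses the client OS from
##! the HTTP User-Agent header and records the guess in alleged_os.log.
module AllegedOS;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:         time    &log;  # when the header was seen
        uid:        string  &log;  # connection uid, for joining with http.log/conn.log
        id:         conn_id &log;  # the 4-tuple
        user_agent: string  &log;  # raw User-Agent value
        alleged_os: string  &log;  # our guess, or "unknown" if nothing matched
    };
}

# Rules are checked in order: specific ones first, so that an Android UA is not
# reported as plain Linux and an iPhone UA (which says "like Mac OS X") not as a Mac.
function guess_os(ua: string): string
    {
    if ( /Windows NT 6\.3/ in ua )  return "Windows 8.1";
    if ( /Windows NT 6\.1/ in ua )  return "Windows 7";
    if ( /Windows NT 5\.1/ in ua )  return "Windows XP";
    if ( /Windows/ in ua )          return "Windows (other)";
    if ( /iPhone|iPad|iPod/ in ua ) return "iOS";
    if ( /Android/ in ua )          return "Android";
    if ( /Mac OS X/ in ua )         return "Mac OS X";
    if ( /Linux/ in ua )            return "Linux";
    if ( /FreeBSD/ in ua )          return "FreeBSD";
    return "unknown";
    }

event bro_init() &priority=5
    {
    Log::create_stream(AllegedOS::LOG, [$columns=Info]);
    # Force the file name to alleged_os.log instead of the module-derived default.
    Log::add_filter(AllegedOS::LOG, [$name="default", $path="alleged_os"]);
    }

# Only the client's (originator's) User-Agent tells us anything about the client OS.
# Bro hands header names to this event in upper case.
event http_header(c: connection, is_orig: bool, name: string, value: string)
    {
    if ( ! is_orig || name != "USER-AGENT" )
        return;

    Log::write(AllegedOS::LOG, [$ts=network_time(), $uid=c$uid, $id=c$id,
                                $user_agent=value, $alleged_os=guess_os(value)]);
    }
```

Run it against a capture with `bro -r some.pcap alleged_os.bro` and join the resulting alleged_os.log to http.log on `uid`; treat the result as a hint about the client, since User-Agent strings are trivially spoofed and proxies may substitute their own.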