[Bro] Sanity check - Grabbing platform tokens from browser user agents (was p0f)

Gary Faulkner gary at doit.wisc.edu
Wed Jan 29 15:35:46 PST 2014 

After being asked if Bro could be used to gather passive intelligence on 
OS usage I started investigating places to try to identify OS. I 
initially was looking into p0f and Seth showed me a way to invoke the 
existing p0f fingerprinting functionality within Bro, but also suggested 
a slew of other data sources to look at. I wasn't terribly excited with 
the p0f fingerprint output, and while browser user agents may not be the 
best data source, I decided to start by looking at platform tokens and 
reporting on those instead of the p0f data. This is my first-ish bro 
script and it is by no means a complete script (it only matches a 
handful of Windows OS). I'm wondering if folks see anything in the 
attached that would misbehave badly if used on live traffic instead of 
pcaps?

Regards,

-- 
Gary Faulkner

-------------- next part --------------
module BrowserPlatform;

export
{
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:                 time    &log &optional;
        uid:                string  &log &optional;
        host:               addr    &log &optional;
        platform_token:     string  &log &optional;
        unparsed_version:   string  &log &optional;
    };

    # A set of seen IP + OS combinations. Used to prevent logging the same combo repeatedly.   
    global seen_browser_platforms: set[string] &create_expire=1day &synchronized &redef;	
}

event bro_init() &priority=5
    {
    Log::create_stream(BrowserPlatform::LOG,[$columns=Info]);
    }

event http_header(c: connection, is_orig: bool, name: string, value: string)
{
    local platform = "Unknown OS";	
    if ( is_orig )
        {
	if ( name == "USER-AGENT" && /Windows NT 5.1/ in value )
		{
		platform = "Windows XP";
		}
        else if ( name == "USER-AGENT" && /Windows NT 6.0/ in value )
                {
		platform = "Windows Vista";
                }
        else if ( name == "USER-AGENT" && /Windows NT 6.1/ in value )
                {
                platform = "Windows 7";
                }
        else if ( name == "USER-AGENT" && /Windows NT 6.2/ in value )
                {
                platform = "Windows 8";
                }
        else if ( name == "USER-AGENT" && /Windows NT 6.3/ in value )
                {
                platform = "Windows 8.1";
                }
	}
    local saw = cat(c$id$orig_h,platform); #There is probably a less ugly way to do this than cat, but it seems to work
    if ( platform != "Unknown OS" && saw !in seen_browser_platforms )
	{	
	local rec: BrowserPlatform::Info = [$ts=network_time(), $uid=c$uid, $host=c$id$orig_h, $platform_token=platform, $unparsed_version=value];
	Log::write(BrowserPlatform::LOG, rec);
	add seen_browser_platforms[saw];
	}
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6257 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140129/6a5b0762/attachment.bin

More information about the Bro mailing list