[Bro] Sanity check - Grabbing platform tokens from browser user agents (was p0f)

Gary Faulkner gary at doit.wisc.edu
Fri Jan 31 20:56:37 PST 2014


Thanks for the suggestions, that cleans that bit up quite nicely. I 
actually started by trying to deconstruct the various software.bro 
scripts and work my way backwards through the framework to see what was 
doing what. I'm still trying to navigate my way through that code, but I 
agree that it would make more sense to leverage it directly than create 
a derivative just to pull out a specific bit of the data. I'm not 
currently running Splunk in any production sense, but that is pretty 
much what I'm trying to do in Bro. Thanks for sharing it!

Regards,
Gary

On 1/31/2014 6:12 PM, Justin Azoff wrote:
>
> On Wed, Jan 29, 2014 at 05:35:46PM -0600, Gary Faulkner wrote:
>> event http_header(c: connection, is_orig: bool, name: string, value: string)
>> {
>>      local platform = "Unknown OS";	
>>      if ( is_orig )
>>          {
>> 	if ( name == "USER-AGENT" && /Windows NT 5.1/ in value )
>> 		{
>> 		platform = "Windows XP";
>> 		}
>>          else if ( name == "USER-AGENT" && /Windows NT 6.0/ in value )
>>                  {
>> 		platform = "Windows Vista";
>>                  }
>>          else if ( name == "USER-AGENT" && /Windows NT 6.1/ in value )
>>                  {
>>                  platform = "Windows 7";
>>                  }
> ..
>
> Modifying the http_header event handler as follows will increase performance:
>
> event http_header(c: connection, is_orig: bool, name: string, value: string)
> {
>      if(!is_orig || name != "USER-AGENT")
>          return;
>      if(/Windows NT 5.1/ in value)
>          platform = "Windows XP";
>      else if ...
>
> FWIW, I used to do this kind of thing outside of bro using splunk:
>
> https://github.com/JustinAzoff/splunk-scripts/blob/master/ua2os.py
>
> One thing you may want to do is rather than use the http_header event
> use
>
> event log_software(rec: Info)
> {
>      ...
> }
>
> which will be raised every time a new software version is seen.  The
> software framework is already pulling most of the info out that you
> might need, so you can piggyback on the work that it is doing.
>

-- 
Gary Faulkner
UW Madison
Office of Campus Information Security
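As an added example that is not part of the thread above, the following Bro script combines the two suggestions in Justin's reply: it hooks `Software::log_software` (raised once per newly seen software version, so the per-header cost of an `http_header` handler is avoided) and applies the same early-return filtering before doing any matching. The `PlatformTag` module, its `nt_platforms` table and the `platform_from_ua` function are assumptions introduced here; the `Software::Info` fields (`ts`, `host`, `software_type`, `unparsed_version`) and `HTTP::BROWSER` come from the Bro 2.x software framework and HTTP analyzer scripts, where `unparsed_version` carries the full User-Agent string for browser records.

```bro
##! Added example, not from the original thread: tag browser records from
##! the software framework with the OS implied by their Windows NT token.

@load base/frameworks/software
@load base/protocols/http

module PlatformTag;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:       time   &log;
        host:     addr   &log;
        platform: string &log;
        unparsed: string &log;
    };

    ## NT version token -> OS name. The first three entries are the
    ## mapping from the thread; 6.2 and 6.3 are added here (assumption).
    const nt_platforms: table[string] of string = {
        ["Windows NT 5.1"] = "Windows XP",
        ["Windows NT 6.0"] = "Windows Vista",
        ["Windows NT 6.1"] = "Windows 7",
        ["Windows NT 6.2"] = "Windows 8",
        ["Windows NT 6.3"] = "Windows 8.1",
    } &redef;

    ## Return the OS name for a User-Agent string, or "Unknown OS".
    global platform_from_ua: function(ua: string): string;
}

event bro_init()
    {
    # Writes platform_tag.log with the columns of Info.
    Log::create_stream(LOG, [$columns=Info]);
    }

function platform_from_ua(ua: string): string
    {
    # Plain substring match on each token; no regex needed for fixed tokens.
    for ( tok in nt_platforms )
        {
        if ( tok in ua )
            return nt_platforms[tok];
        }
    return "Unknown OS";
    }

event Software::log_software(rec: Software::Info)
    {
    # Early return, as in the thread: skip everything that is not a browser
    # record carrying the raw User-Agent string.
    if ( rec$software_type != HTTP::BROWSER || ! rec?$unparsed_version )
        return;

    Log::write(LOG, [$ts=rec$ts,
                     $host=rec$host,
                     $platform=platform_from_ua(rec$unparsed_version),
                     $unparsed=rec$unparsed_version]);
    }
```

Because `Software::log_software` fires only when the framework sees a host/version pair for the first time, this runs the token matching once per distinct browser per host rather than once per HTTP request, and the `&redef` on `nt_platforms` lets a site extend the table from `local.bro` without touching the script.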


