[Bro] Options for detecting Windows XP

Warren Raquel wraquel at illinois.edu
Wed Mar 5 08:15:53 PST 2014


Yes, I'm using this to detect XP. In general we're looking for
anything that is running 'Windows NT 5.2' or earlier. Caveats include:

1. We're finding a number of apps fake their User Agent to mimic
Windows NT 5.x, leading to some false positives. So far, two Chinese
apps, an AVG update checker, and something called 360safe (still
looking into that one).
2. This only works for systems actually browsing outbound.
3. We have seen one weird case of a browser being noted in
software.log but not seeing corresponding traffic in http in/outbound.
Not sure what that's about.

-Warren

On 3/5/14, 9:28 AM, Slagell, Adam J wrote:
> That might detect clients connecting to your web servers, too.
> 
>> On Mar 5, 2014, at 9:10 AM, "Seth Hall" <seth at icir.org> wrote:
>> 
>> 
>> Probably the easiest way would be to search your software.log for
>> Browsers that indicate they're running on Windows XP.
> 

-- 
Warren Raquel <wraquel at illinois.edu>
Head of Operational Security and Incident Response
National Center for Supercomputing Applications
+1 (217) 333-2876
PGP Fingerprint:
F88E 960B 6193 A3ED 0BB2
45C7 7DF9 57DB 6DCF 34C1
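An added example, not part of the thread and not Bro's own code, that does what the replies above describe: read a Bro software.log, flag hosts whose browser User-Agent reports Windows NT 5.2 or earlier, skip known spoofing apps (caveat 1), and only report hosts inside your own address space so clients connecting to your web servers are not counted (Adam's point). The log sample is constructed; the column names assumed are those of a Bro 2.x software.log (`host`, `unparsed_version`, read from the `#fields` header), and the `KNOWN_SPOOFERS` markers are illustrative substrings inferred from the thread, not the real User-Agent strings of those products.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of a Bro software.log (tab-separated, with the #fields
# header Bro writes). Hosts, timestamps and User-Agent strings are made up.
SAMPLE_SOFTWARE_LOG = """#fields\tts\thost\thost_p\tsoftware_type\tname\tversion.major\tversion.minor\tversion.minor2\tversion.minor3\tversion.addl\tunparsed_version
1394035200.1\t10.1.2.3\t-\tHTTP::BROWSER\tMSIE\t8\t0\t-\t-\t-\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
1394035201.2\t10.1.2.4\t-\tHTTP::BROWSER\tFirefox\t27\t0\t-\t-\t-\tMozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
1394035202.3\t10.1.2.5\t-\tHTTP::BROWSER\tAVG\t2014\t0\t-\t-\t-\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; AVG Update Checker)
1394035203.4\t10.1.2.6\t-\tHTTP::BROWSER\tMSIE\t6\t0\t-\t-\t-\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Win64; x64)
1394035204.5\t203.0.113.9\t-\tHTTP::BROWSER\tMSIE\t7\t0\t-\t-\t-\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
1394035205.6\t10.1.2.7\t-\tHTTP::BROWSER\t360safe\t1\t0\t-\t-\t-\tMozilla/5.0 (Windows NT 5.1) 360safe-updater/1.0
"""

NT_VERSION_RE = re.compile(r"Windows NT (\d+)\.(\d+)")
LEGACY_MAX = (5, 2)  # NT 5.2 (XP x64 / Server 2003) and earlier count as legacy

# Hypothetical substrings for apps the thread reports as faking NT 5.x.
# Tune these to the exact User-Agent strings you see in your own logs.
KNOWN_SPOOFERS = ("AVG", "360safe")


def nt_version(user_agent):
    """Return (major, minor) from a 'Windows NT x.y' token, or None."""
    match = NT_VERSION_RE.search(user_agent)
    if not match:
        return None
    return (int(match.group(1)), int(match.group(2)))


def classify(user_agent):
    """Classify a User-Agent as 'legacy', 'modern', 'spoofed' or 'unknown'."""
    version = nt_version(user_agent)
    if version is None:
        return "unknown"
    if version > LEGACY_MAX:
        return "modern"
    lowered = user_agent.lower()
    if any(marker.lower() in lowered for marker in KNOWN_SPOOFERS):
        return "spoofed"  # claims NT 5.x but is a known non-browser app
    return "legacy"


def parse_software_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split("\t")))


def find_legacy_hosts(log_text, local_nets):
    """Map local hosts to the legacy User-Agent seen for them."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    hits = {}
    for rec in parse_software_log(log_text):
        host = ipaddress.ip_address(rec["host"])
        if not any(host in net for net in nets):
            continue  # external client hitting our servers, not our desktop
        user_agent = rec["unparsed_version"]
        if classify(user_agent) == "legacy":
            hits[rec["host"]] = user_agent
    return hits


def verdict_counts(log_text):
    """Count each classification, useful for sizing the false-positive share."""
    return Counter(classify(r["unparsed_version"]) for r in parse_software_log(log_text))


if __name__ == "__main__":
    for host, ua in sorted(find_legacy_hosts(SAMPLE_SOFTWARE_LOG, ["10.0.0.0/8"]).items()):
        print(f"{host}\t{ua}")
    print(dict(verdict_counts(SAMPLE_SOFTWARE_LOG)))
```

Only hosts that actually browse outbound produce software.log entries (caveat 2), so treat an empty result as "nothing observed", not "no XP present"; a spoofed entry still tells you a host has that app installed, which may be worth a separate report.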