[Bro] Options for detecting Windows XP

Donaldson, John donaldson8 at llnl.gov
Wed Mar 5 11:43:54 PST 2014


Another quick and dirty method of identifying XP (and some older) hosts is to look at the source ports being used for TCP/UDP. Without messing around in the registry, XP uses source ports in the range 1025-5000, but most other modern OSes use ports > 10000.

v/r John Donaldson

> -----Original Message-----
> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of
> Warren Raquel
> Sent: Wednesday, March 05, 2014 8:16 AM
> To: bro at bro.org
> Subject: Re: [Bro] Options for detecting Windows XP
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Yes, I'm using this to detect XP. In general we're looking for anything that is
> running 'Windows NT 5.2' or earlier. Caveats include:
> 
> 1. We're finding a number of apps fake their User Agent to mimic Windows
> NT 5.x leading to some false positives. So far, two Chinese apps, an AVG
> update checker, and something called 360safe (still looking into that one).
> 2. This only works for systems actually browsing outbound.
> 3. We have seen one weird case of a browser being noted in software.log
> but not seeing corresponding traffic in http in/outbound.
> Not sure what that's about.
> 
> - -Warren
> 
> On 3/5/14, 9:28 AM, Slagell, Adam J wrote:
> > That might detect clients connecting to your web servers, too.
> >
> >> On Mar 5, 2014, at 9:10 AM, "Seth Hall" <seth at icir.org> wrote:
> >>
> >>
> >> Probably the easiest way would be to search your software.log for
> >> Browsers that indicate they're running on Windows XP.
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
> 
> - --
> Warren Raquel <wraquel at illinois.edu>
> Head of Operational Security and Incident Response
> National Center for Supercomputing Applications
> +1 (217) 333-2876
> PGP Fingerprint:
> F88E 960B 6193 A3ED 0BB2
> 45C7 7DF9 57DB 6DCF 34C1
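As an added example (not code from the thread or the Bro project), the script below applies both heuristics offline to Bro's ASCII software.log and conn.log: the NT 5.x User-Agent check Seth and Warren describe, and John's 1025-5000 source-port range. The log excerpts, the 10.0.0. local prefix and the min_flows threshold are constructed assumptions.

```python
import re

# Browser UA OS token: NT 5.0 (2000), 5.1 (XP), 5.2 (XP x64 / Server 2003).
LEGACY_NT = re.compile(r"Windows NT 5\.[0-2]\b")
# Default XP ephemeral source-port range cited in the thread (no registry tuning).
XP_EPHEMERAL = range(1025, 5001)

# Constructed sample logs in Bro ASCII format (a subset of the real columns).
SOFTWARE_LOG = """#fields\tts\thost\thost_p\tsoftware_type\tname\tunparsed_version
1.0\t10.0.0.5\t-\tHTTP::BROWSER\tMSIE\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
2.0\t10.0.0.7\t-\tHTTP::BROWSER\tFirefox\tMozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0
3.0\t10.0.0.9\t-\tHTTP::BROWSER\tMSIE\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)
"""
CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1.0\tC1\t10.0.0.5\t1027\t93.184.216.34\t80\ttcp
2.0\tC2\t10.0.0.5\t1030\t93.184.216.34\t443\ttcp
3.0\tC3\t10.0.0.5\t1031\t8.8.8.8\t53\tudp
4.0\tC4\t10.0.0.9\t2048\t93.184.216.34\t80\ttcp
5.0\tC5\t10.0.0.9\t2049\t93.184.216.34\t443\ttcp
6.0\tC6\t10.0.0.9\t49100\t8.8.8.8\t53\tudp
"""

def parse_bro_log(text):
    """Parse a Bro ASCII log (tab-separated, '#fields' header) into row dicts."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def legacy_browsers(software_rows):
    """Hosts whose browser UA claims NT 5.x (caveat: some apps fake this)."""
    return {r["host"] for r in software_rows
            if r.get("software_type") == "HTTP::BROWSER"
            and LEGACY_NT.search(r.get("unparsed_version", ""))}

def xp_port_candidates(conn_rows, local_net, min_flows=3):
    """Local hosts whose every observed originator port lies in 1025-5000 (min_flows flows needed)."""
    seen, outside = {}, set()
    for r in conn_rows:
        h = r["id.orig_h"]
        if not h.startswith(local_net) or r.get("proto") not in ("tcp", "udp"):
            continue
        seen[h] = seen.get(h, 0) + 1
        if int(r["id.orig_p"]) not in XP_EPHEMERAL:
            outside.add(h)  # one port above the range rules the host out
    return {h for h, n in seen.items() if n >= min_flows and h not in outside}
```

Hosts flagged by both heuristics (the intersection of the two sets) are the strongest candidates; a UA hit alone inherits the false positives Warren lists.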