[Bro] Options for detecting Windows XP

Michal Purzynski michal at rsbac.org
Wed Mar 5 12:30:08 PST 2014


On 3/5/14, 8:43 PM, Donaldson, John wrote:
> Another quick and dirty method of identifying XP (and some older) hosts is to look at the source ports being used for TCP/UDP. Without messing around in the registry, XP uses source ports in the range 1025-5000, but most other modern OSes use ports > 10000.
>
>
Basically, just download the newest P0F and look at how it detects XP, 
and think about how to implement it in Bro. Add a system-level broadcasted OS 
version like headers (yes, there will be false positives - so what?) and 
you should be good to go.
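The source-port heuristic from John's message, as an added example (not code from the thread or from Bro): it reads constructed conn.log-style lines (field order and values are assumed) and classifies each originating host by whether its ephemeral ports fall in the XP default range 1025-5000 or above 10000. In Bro itself this would live in a connection event handler; here it runs offline over log text.

```python
"""Flag hosts whose TCP/UDP source ports look like Windows XP defaults.
XP (untouched registry) uses 1025-5000; most newer OSes use > 10000.
False positives are expected (tuned registries, other legacy stacks)."""
from collections import defaultdict

XP_RANGE = range(1025, 5001)   # inclusive 1025-5000
MODERN_MIN = 10000
MIN_FLOWS = 3                  # need a few flows before judging a host

# Constructed sample, conn.log-like TSV: ts, orig_h, orig_p, resp_h, resp_p, proto
SAMPLE_CONN_LOG = """\
1394051000.1\t10.0.0.5\t1031\t10.0.0.1\t53\tudp
1394051001.2\t10.0.0.5\t1032\t198.51.100.7\t80\ttcp
1394051002.3\t10.0.0.5\t1040\t198.51.100.7\t443\ttcp
1394051003.4\t10.0.0.9\t49152\t10.0.0.1\t53\tudp
1394051004.5\t10.0.0.9\t51234\t198.51.100.7\t80\ttcp
1394051005.6\t10.0.0.9\t52000\t198.51.100.7\t443\ttcp
1394051006.7\t10.0.0.12\t1200\t10.0.0.1\t53\tudp
1394051007.8\t10.0.0.12\t33000\t198.51.100.7\t80\ttcp
1394051008.9\t10.0.0.12\t33010\t198.51.100.7\t443\ttcp
"""

def parse_conn_log(text):
    """Yield (orig_h, orig_p) for each non-empty, non-comment line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        yield fields[1], int(fields[2])

def source_ports_by_host(text):
    """Group observed source ports by originating host."""
    hosts = defaultdict(list)
    for host, port in parse_conn_log(text):
        hosts[host].append(port)
    return hosts

def classify_host(ports):
    """'xp-like', 'modern', 'mixed', or 'insufficient' when too few flows."""
    if len(ports) < MIN_FLOWS:
        return "insufficient"
    if all(p in XP_RANGE for p in ports):
        return "xp-like"
    if all(p >= MODERN_MIN for p in ports):
        return "modern"
    return "mixed"

def classify_log(text):
    """Map each originating host in the log to its verdict."""
    return {h: classify_host(ps) for h, ps in source_ports_by_host(text).items()}
```

A "mixed" verdict (one host above uses both ranges) is the false-positive case Michal mentions and is worth reviewing rather than acting on.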

