[Bro] TCP options of a SYN packet

Vlad Grigorescu vladg at illinois.edu
Wed Dec 2 13:26:51 PST 2015


Thomas,

Bro has p0f support built-in. See:
https://www.bro.org/sphinx/scripts/base/bif/event.bif.bro.html#id-OS_version_found

That being said, the original p0f fingerprints are very out of date, and
it's possible that Bro will stop supporting p0f in the future. I did
some research on the fingerprints with the Windows XP end of life, and
ended up leveraging some of Bro's other capabilities to write a much
better detection:
https://github.com/bro/bro/blob/master/scripts/policy/frameworks/software/windows-version-detection.bro

Generally, I think the interest is in moving up the stack and performing
this kind of fingerprinting at a higher, more reliable, layer.

  --Vlad

Thomas Tan <thomastan81 at gmail.com> writes:

> Dear Seth,
>
> Actually, I am writing a module using the outputs from Bro to detect
> Operating Systems running on remote host machines. I need to get the
> fingerprints of these OS for classification. I want to know if there is any
> means to obtain p0f-like OS fingerprints.
>
> Best regards,
>
> Thomas
>
> On 2 December 2015 at 17:34, Seth Hall <seth at icir.org> wrote:
>
>>
>> > On Dec 2, 2015, at 10:41 AM, Thomas Tan <thomastan81 at gmail.com> wrote:
>> >
>> > It cannot get TCP options and the order of the options down from a SYN
>> > packet.
>>
>> It sounds like you might want to write your own plugin but it might even
>> be possible that that’s not enough and you’d have to add a feature to Bro’s
>> core to generate an event only for SYN packets. (although you generally
>> have to be very careful about even generating an event for a single packet).
>>
>>   .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro.org/
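As an added example, not Bro's code and not from anyone in this thread: a small Python parser that pulls the TCP option list, in wire order, out of a raw SYN header and renders a p0f-style "window:options" summary, which is exactly the piece Thomas said he could not get from Bro's logs. The function names, the two sample headers and their option layouts are all constructed here (they only resemble common stacks and are not real fingerprints), and the checksum is left at zero.

```python
import struct

OPT_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sok", 8: "ts"}  # RFC 793 / 7323 / 2018

def parse_tcp_options(tcp_header):
    """Walk the option area of a raw TCP header; return [(kind, payload), ...] in wire order."""
    data_offset = (tcp_header[12] >> 4) * 4 if len(tcp_header) >= 20 else 0  # header bytes
    if not 20 <= data_offset <= len(tcp_header):
        raise ValueError("short header or bad data offset")
    opts, out, i = tcp_header[20:data_offset], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                # EOL: nothing meaningful follows
            out.append((0, b""))
            break
        if kind == 1:                                # NOP: single-byte pad, no length field
            out.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")  # truncated or overlong TLV
        length = opts[i + 1]
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out

def syn_signature(tcp_header):
    """p0f-style summary 'window:opt,opt,...' for a pure SYN; the option order is the point."""
    if tcp_header[13] & 0x12 != 0x02:                # SYN set, ACK clear
        raise ValueError("not a SYN")
    window = struct.unpack("!H", tcp_header[14:16])[0]
    parts = []
    for kind, payload in parse_tcp_options(tcp_header):
        name = OPT_NAMES.get(kind, "?%d" % kind)
        if kind == 2:
            name += ":%d" % struct.unpack("!H", payload)[0]   # advertised MSS
        elif kind == 3:
            name += ":%d" % payload[0]                          # window scale shift count
        parts.append(name)
    return "%d:%s" % (window, ",".join(parts))

def make_syn(window, options):
    """Constructed test SYN header (ports/seq arbitrary, checksum 0); not a real capture."""
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, data_offset << 4, 0x02, window, 0, 0)
    return fixed + options

# Constructed option layouts that merely resemble two common stacks (illustrative values only)
LINUX_LIKE = make_syn(64240, b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\x00" * 8 + b"\x01\x03\x03\x07")
WINDOWS_LIKE = make_syn(65535, b"\x02\x04\x05\xb4\x01\x03\x03\x02\x01\x01\x04\x02")
```

Feeding the same header through with the ACK bit set, or with an option length that runs past the header, raises ValueError instead of producing a bogus signature.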
