[Bro] TCP options of a SYN packet

Thomas Tan thomastan81 at gmail.com
Wed Dec 2 14:29:33 PST 2015


Hi Vlad,

Thanks for your reply.

I am aware of the support of p0f in Bro. You are right. The original p0f v2
fingerprints are out-dated. In my work, I am not using the p0f v2
fingerprints but collecting OS fingerprints from network connections
initiated by remote machines. A multi-class classifier will be applied to
assign these OS fingerprints to their respective OS types.

Best regards,

Thomas

On 2 December 2015 at 22:26, Vlad Grigorescu <vladg at illinois.edu> wrote:

> Thomas,
>
> Bro has p0f support built-in. See:
>
> https://www.bro.org/sphinx/scripts/base/bif/event.bif.bro.html#id-OS_version_found
>
> That being said, the original p0f fingerprints are very out of date, and
> it's possible that Bro will stop supporting p0f in the future. I did
> some research on the fingerprints with the Windows XP end of life, and
> ended up leveraging some of Bro's other capabilities to write a much
> better detection:
>
> https://github.com/bro/bro/blob/master/scripts/policy/frameworks/software/windows-version-detection.bro
>
> Generally, I think the interest is in moving up the stack and performing
> this kind of fingerprinting at a higher, more reliable, layer.
>
>   --Vlad
>
> Thomas Tan <thomastan81 at gmail.com> writes:
>
> > Dear Seth,
> >
> > Actually, I am writing a module using the outputs from Bro to detect
> > Operating Systems running on remote host machines. I need to get the
> > fingerprints of these OS for classification. I want to know if there is any
> > means to obtain p0f-like OS fingerprints.
> >
> > Best regards,
> >
> > Thomas
> >
> > On 2 December 2015 at 17:34, Seth Hall <seth at icir.org> wrote:
> >
> >>
> >> > On Dec 2, 2015, at 10:41 AM, Thomas Tan <thomastan81 at gmail.com> wrote:
> >> >
> >> > It cannot get TCP options and the order of the options down from a SYN packet.
> >>
> >> It sounds like you might want to write your own plugin but it might even
> >> be possible that that’s not enough and you’d have to add a feature to Bro’s
> >> core to generate an event only for SYN packets. (although you generally
> >> have to be very careful about even generating an event for a single packet).
> >>
> >>   .Seth
> >>
> >> --
> >> Seth Hall
> >> International Computer Science Institute
> >> (Bro) because everyone has a network
> >> http://www.bro.org/
> >>
> >>
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
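The thing Thomas is after in this thread is the TCP option list of a SYN, in wire order, rendered the way p0f does it. As an added example (not code from the thread, from Bro, or from p0f), here is a small Python parser that takes a raw IPv4/TCP SYN, walks the options area in order, and renders a p0f v2-like `window:ttl:df:length:options` string. The packet bytes, the 10.0.0.1/10.0.0.2 addresses and the exact signature layout are constructed for the example; checksums are not validated, and a malformed option length stops parsing instead of raising, since a fingerprinter sees untrusted input.

```python
import struct

# TCP option kinds from RFC 793, RFC 2018 (SACK-permitted) and RFC 7323 (WS, TS)
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS, TCPOPT_WS, TCPOPT_SACKOK, TCPOPT_TS = 0, 1, 2, 3, 4, 8


def parse_tcp_options(opts: bytes):
    """Walk the TCP options area and return (kind, payload) tuples in wire order.

    EOL ends the walk. A bogus length (below 2, or running past the buffer)
    stops parsing rather than raising: the input is attacker-controlled."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            out.append((kind, b""))
            break
        if kind == TCPOPT_NOP:
            out.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(opts):          # kind byte present, length byte missing
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out


def option_layout(options):
    """Render the ordered options in a compact p0f-style notation (assumed format)."""
    parts = []
    for kind, payload in options:
        if kind == TCPOPT_NOP:
            parts.append("N")
        elif kind == TCPOPT_EOL:
            parts.append("E")
        elif kind == TCPOPT_MSS and len(payload) == 2:
            parts.append("M%d" % struct.unpack("!H", payload)[0])
        elif kind == TCPOPT_WS and len(payload) == 1:
            parts.append("W%d" % payload[0])
        elif kind == TCPOPT_SACKOK:
            parts.append("S")
        elif kind == TCPOPT_TS and len(payload) == 8:
            tsval = struct.unpack("!II", payload)[0]
            parts.append("T" if tsval else "T0")   # p0f distinguishes a zero timestamp
        else:
            parts.append("?%d" % kind)             # unknown or malformed option
    return ",".join(parts)


def syn_signature(packet: bytes):
    """Fingerprint an IPv4 packet carrying a pure SYN (SYN set, ACK clear); None otherwise."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 20:
        return None
    total_len, = struct.unpack("!H", packet[2:4])
    flags_frag, = struct.unpack("!H", packet[6:8])
    ttl, proto = packet[8], packet[9]
    if proto != 6:                                  # not TCP
        return None
    tcp = packet[ihl:]
    data_off = (tcp[12] >> 4) * 4
    if data_off < 20 or len(tcp) < data_off:
        return None
    if (tcp[13] & 0x12) != 0x02:                    # SYN without ACK only
        return None
    window, = struct.unpack("!H", tcp[14:16])
    df = int(bool(flags_frag & 0x4000))
    layout = option_layout(parse_tcp_options(tcp[20:data_off]))
    return {"window": window, "ttl": ttl, "df": df, "total_len": total_len,
            "options": layout,
            "signature": "%d:%d:%d:%d:%s" % (window, ttl, df, total_len, layout)}


# Constructed sample: IPv4 (DF, TTL 64) + TCP SYN with a Linux-like option order
# MSS 1460, SACKOK, TS(1,0), NOP, WS 7. Checksums are left as zero.
SAMPLE_SYN = bytes.fromhex(
    "4500003c12344000400600000a0000010a000002"          # IPv4 header, 20 bytes
    "9c40005000000001" "00000000" "a002" "7210" "0000" "0000"   # TCP fixed header
    "020405b4" "0402" "080a0000000100000000" "01" "030307"    # options, 20 bytes
)

if __name__ == "__main__":
    print(syn_signature(SAMPLE_SYN)["signature"])   # 29200:64:1:60:M1460,S,T,N,W7
```

Feeding the same function SYN/ACK packets returns None, which is the point of the "event only for SYN packets" remark above: the option order of the client's first packet is the signal, and everything else is noise.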