[Bro] TCP options of a SYN packet

James Swaro james.swaro at gmail.com
Wed Dec 2 20:49:58 PST 2015


I'm sorry I didn't see this earlier. I'm curious. Why is the order of the
options important? Are you searching for OS specific behavior?

James Swaro



On Wed, Dec 2, 2015 at 4:29 PM, Thomas Tan <thomastan81 at gmail.com> wrote:

> Hi Vlad,
>
> Thanks for your reply.
>
> I am aware of the support of p0f in Bro. You are right. The original p0f
> v2 fingerprints are outdated. In my work, I am not using the p0f v2
> fingerprints but collecting OS fingerprints from network connections
> initiated by remote machines. A multi-class classifier will be applied to
> assign these OS fingerprints to their respective OS types.
>
> Best regards,
>
> Thomas
>
> On 2 December 2015 at 22:26, Vlad Grigorescu <vladg at illinois.edu> wrote:
>
>> Thomas,
>>
>> Bro has p0f support built-in. See:
>>
>> https://www.bro.org/sphinx/scripts/base/bif/event.bif.bro.html#id-OS_version_found
>>
>> That being said, the original p0f fingerprints are very out of date, and
>> it's possible that Bro will stop supporting p0f in the future. I did
>> some research on the fingerprints with the Windows XP end of life, and
>> ended up leveraging some of Bro's other capabilities to write a much
>> better detection:
>>
>> https://github.com/bro/bro/blob/master/scripts/policy/frameworks/software/windows-version-detection.bro
>>
>> Generally, I think the interest is in moving up the stack and performing
>> this kind of fingerprinting at a higher, more reliable, layer.
>>
>>   --Vlad
>>
>> Thomas Tan <thomastan81 at gmail.com> writes:
>>
>> > Dear Seth,
>> >
>> > Actually, I am writing a module using the outputs from Bro to detect
>> > Operating Systems running on remote host machines. I need to get the
>> > fingerprints of these OS for classification. I want to know if there is any
>> > means to obtain p0f-like OS fingerprints.
>> >
>> > Best regards,
>> >
>> > Thomas
>> >
>> > On 2 December 2015 at 17:34, Seth Hall <seth at icir.org> wrote:
>> >
>> >>
>> >> > On Dec 2, 2015, at 10:41 AM, Thomas Tan <thomastan81 at gmail.com> wrote:
>> >> >
>> >> > It cannot get TCP options and the order of the options down from a SYN
>> >> > packet.
>> >>
>> >> It sounds like you might want to write your own plugin, but it might even
>> >> be possible that that’s not enough and you’d have to add a feature to Bro’s
>> >> core to generate an event only for SYN packets (although you generally
>> >> have to be very careful about even generating an event for a single packet).
>> >>
>> >>   .Seth
>> >>
>> >> --
>> >> Seth Hall
>> >> International Computer Science Institute
>> >> (Bro) because everyone has a network
>> >> http://www.bro.org/
>> >>
>> >>
>> > _______________________________________________
>> > Bro mailing list
>> > bro at bro-ids.org
>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
>
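The thread's core technical point is that the OS fingerprint Thomas wants is the TCP option list of the SYN in wire order (plus TTL and window), which Bro's connection-level events do not expose. As an added illustration that is not code from the thread, from Bro or from p0f, here is a small Python parser that walks the options area of an IPv4/TCP SYN and emits a p0f-style summary; the packet bytes are constructed inline, and the function names (`parse_tcp_options`, `syn_signature`, `sample_syn`) are my own.

```python
import struct

OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WS", 4: "SACK_OK", 8: "TS"}  # RFC 793/2018/7323

def parse_tcp_options(opts: bytes):
    """Walk the TCP options area in wire order; return (name, value) pairs."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # EOL terminates the option list
            out.append(("EOL", None))
            break
        if kind == 1:                       # NOP is a lone byte with no length field
            out.append(("NOP", None))
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        data = opts[i + 2:i + length]
        if kind == 2 and len(data) == 2:    # MSS: 16-bit value
            value = struct.unpack("!H", data)[0]
        elif kind == 3 and len(data) == 1:  # window scale: shift count
            value = data[0]
        elif kind == 8 and len(data) == 8:  # timestamps: (TSval, TSecr)
            value = struct.unpack("!II", data)
        else:                               # SACK_OK and unknown kinds: raw hex or None
            value = data.hex() or None
        out.append((OPTION_NAMES.get(kind, "OPT%d" % kind), value))
        i += length
    return out

def syn_signature(packet: bytes):
    """IPv4+TCP packet (no link layer) -> p0f-like summary, or None if not a pure SYN."""
    tcp = packet[(packet[0] & 0x0F) * 4:]       # skip the IPv4 header (IHL words)
    data_offset = (tcp[12] >> 4) * 4
    if not (tcp[13] & 0x02) or tcp[13] & 0x10:  # SYN must be set, ACK clear
        return None
    options = parse_tcp_options(tcp[20:data_offset])
    return {"ttl": packet[8],
            "window": struct.unpack("!H", tcp[14:16])[0],
            "options": ",".join(name for name, _ in options),  # wire order kept
            "parsed": options}

def sample_syn() -> bytes:  # constructed IPv4/TCP SYN with a Linux-like option layout, not a capture
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 10 << 4, 0x02, 29200, 0, 0)
    return ip + tcp + bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307")
```

The `options` string is the part that differs between TCP stacks (and that the order-insensitive connection summary loses), so it is the field a classifier like the one Thomas describes would key on.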