[Bro] TCP options of a SYN packet

Daniel Guerra daniel.guerra69 at gmail.com
Wed Dec 2 23:40:43 PST 2015


Hi Thomas,

TCP options, and specifically the timestamp option, are very important for device detection of
Linux-like kernels. p0f is really outdated and unusable for mobile devices. We did some
research on detecting devices behind a NAT router. Mac and Windows can be followed by
taking a look at source port behaviour (Windows can be done with the IP-ID field). But if
you have a Linux machine it behaves with random ports (see Linux kernel source). The
TCP timestamp option uses the time since the device came up. So if you do capture_ts - (tcp_ts*factor)
you get a “constant” number per device. The factor depends on the kernel source.
I’ll have a look at the code, Thomas, I’ll get back later.

Regards,

Daniel 
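The per-device timestamp offset Daniel describes, together with the option-order fingerprint Thomas asked about, as an added example in Python. This is not code from Bro or from any poster in the thread. It parses the TCP options of a SYN in wire order, extracts TSval, computes capture_ts - tcp_ts/hz and groups SYNs whose offset agrees, so two random-port SYNs from one Linux host land in the same group. The 1000 Hz timestamp clock, the 1 s tolerance, the option layouts and the sample packets are assumptions constructed for the example; the real factor must be measured per kernel, which estimate_hz shows.

```python
"""TCP SYN option order + timestamp-offset grouping (added example, not
Bro code).  All packets below are constructed inline; no capture needed."""
import struct

# Option kind -> short name, p0f style (RFC 793/2018/7323 kinds)
OPT_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sok", 5: "sack", 8: "ts"}


def parse_tcp_options(tcp_hdr):
    """Walk the option area of a raw TCP header.  Returns (kinds in wire
    order, TSval or None).  Length checks matter: a bad option length is
    the classic way to push a parser past the end of the header."""
    if len(tcp_hdr) < 20:
        raise ValueError("truncated TCP header")
    data_off = (tcp_hdr[12] >> 4) * 4
    if data_off < 20 or data_off > len(tcp_hdr):
        raise ValueError("bad data offset %d" % data_off)
    opts = tcp_hdr[20:data_off]
    order, tsval, i = [], None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # EOL: rest is padding
            order.append(kind)
            break
        if kind == 1:                      # NOP: one byte, no length field
            order.append(kind)
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d has no length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option kind %d: bad length %d" % (kind, length))
        if kind == 8 and length == 10:     # Timestamps: TSval, TSecr
            tsval = struct.unpack("!I", opts[i + 2:i + 6])[0]
        order.append(kind)
        i += length
    return order, tsval


def option_signature(order):
    """'mss,sok,ts,nop,ws' style string; the order itself is the fingerprint."""
    return ",".join(OPT_NAMES.get(k, str(k)) for k in order)


def is_syn(tcp_hdr):
    flags = tcp_hdr[13]
    return bool(flags & 0x02) and not (flags & 0x10)   # SYN set, ACK clear


def ts_offset(capture_ts, tsval, hz):
    """capture_ts - (tcp_ts * factor) with factor = 1/hz seconds per tick;
    constant per device for as long as the device stays up."""
    return capture_ts - tsval / hz


def estimate_hz(t1, ts1, t2, ts2):
    """Tick rate from two SYNs of the same host: measure the factor."""
    return (ts2 - ts1) / (t2 - t1)


def group_hosts(samples, hz=1000, tolerance=1.0):
    """samples: (capture time in s, raw TCP header).  SYNs whose offsets
    agree within `tolerance` seconds are attributed to one host behind
    the NAT regardless of source port.  hz=1000 is an assumption."""
    groups = []
    for t, hdr in samples:
        if not is_syn(hdr):
            continue
        order, tsval = parse_tcp_options(hdr)
        if tsval is None:                  # no TS option: method not applicable
            continue
        off = ts_offset(t, tsval, hz)
        sport = struct.unpack("!H", hdr[:2])[0]
        for g in groups:
            if abs(g["offset"] - off) <= tolerance:
                g["count"] += 1
                g["ports"].append(sport)
                break
        else:
            groups.append({"offset": off, "signature": option_signature(order),
                           "count": 1, "ports": [sport]})
    return groups


# --- constructed sample packets (not from a real trace) -------------------
def build_syn(sport, dport, options):
    """Minimal TCP header (no IP layer) with SYN set and the given options."""
    options += b"\x00" * ((-len(options)) % 4)
    doff = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0, doff << 4,
                        0x02, 29200, 0, 0)
    return fixed + options


def linux_like_opts(tsval):
    # MSS, SACKOK, TS, NOP, WS: assumed Linux-style order
    return (b"\x02\x04\x05\xb4" + b"\x04\x02" + struct.pack("!BBII", 8, 10, tsval, 0)
            + b"\x01" + b"\x03\x03\x07")


WINDOWS_LIKE_OPTS = b"\x02\x04\x05\xb4\x01\x03\x03\x08\x01\x01\x04\x02"  # no TS

SAMPLES = [
    (100.00, build_syn(45000, 80, linux_like_opts(3_600_000))),    # host A
    (100.20, build_syn(50123, 443, linux_like_opts(86_400_200))),  # host B
    (100.75, build_syn(38821, 443, linux_like_opts(3_600_750))),   # host A, random port
    (101.00, build_syn(50124, 80, linux_like_opts(86_401_000))),   # host B, next port
    (101.30, build_syn(49153, 80, WINDOWS_LIKE_OPTS)),             # no TS: skipped
]

if __name__ == "__main__":
    for g in group_hosts(SAMPLES):
        print("offset %.1f  opts=%s  syns=%d  ports=%s"
              % (g["offset"], g["signature"], g["count"], g["ports"]))
```

Running it on the constructed samples yields two groups (offset -3500.0 and -86300.0, each with two SYNs on unrelated source ports) and leaves the timestamp-less SYN out; the rate check on host A's two packets returns 1000 ticks per second. On real traffic, measure hz per host from consecutive packets before trusting an offset, and expect a reboot to move a device into a new group.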
> On 03 Dec 2015, at 05:49, James Swaro <james.swaro at gmail.com> wrote:
> 
> I'm sorry I didn't see this earlier. I'm curious. Why is the order of the options important? Are you searching for OS specific behavior? 
> 
> James Swaro
> 
> 
> 
> On Wed, Dec 2, 2015 at 4:29 PM, Thomas Tan <thomastan81 at gmail.com> wrote:
> Hi Vlad,
> 
> Thanks for your reply.
> 
> I am aware of the support of p0f in Bro. You are right. The original p0f v2 fingerprints are out-dated. In my work, I am not using the p0f v2 fingerprints but collecting OS fingerprints from network connections initiated by remote machines. A multi-class classifier will be applied to assign these OS fingerprints to their respective OS types. 
> 
> Best regards,
> 
> Thomas
> 
> On 2 December 2015 at 22:26, Vlad Grigorescu <vladg at illinois.edu> wrote:
> Thomas,
> 
> Bro has p0f support built-in. See:
> https://www.bro.org/sphinx/scripts/base/bif/event.bif.bro.html#id-OS_version_found
> 
> That being said, the original p0f fingerprints are very out of date, and
> it's possible that Bro will stop supporting p0f in the future. I did
> some research on the fingerprints with the Windows XP end of life, and
> ended up leveraging some of Bro's other capabilities to write a much
> better detection:
> https://github.com/bro/bro/blob/master/scripts/policy/frameworks/software/windows-version-detection.bro
> 
> Generally, I think the interest is in moving up the stack and performing
> this kind of fingerprinting at a higher, more reliable, layer.
> 
>   --Vlad
> 
> Thomas Tan <thomastan81 at gmail.com> writes:
> 
> > Dear Seth,
> >
> > Actually, I am writing a module using the outputs from Bro to detect
> > Operating Systems running on remote host machines. I need to get the
> > fingerprints of these OS for classification. I want to know if there is any
> > means to obtain p0f-like OS fingerprints.
> >
> > Best regards,
> >
> > Thomas
> >
> > On 2 December 2015 at 17:34, Seth Hall <seth at icir.org> wrote:
> >
> >>
> >> > On Dec 2, 2015, at 10:41 AM, Thomas Tan <thomastan81 at gmail.com> wrote:
> >> >
> >> >  It cannot get TCP options and the order of the options down from a SYN
> >> packet.
> >>
> >> It sounds like you might want to write your own plugin but it might even
> >> be possible that that’s not enough and you’d have to add a feature to Bro’s
> >> core to generate an event only for SYN packets. (although you generally
> >> have to be very careful about even generating an event for a single packet).
> >>
> >>   .Seth
> >>
> >> --
> >> Seth Hall
> >> International Computer Science Institute
> >> (Bro) because everyone has a network
> >> http://www.bro.org/
> >>
> >>
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
> 
