[Zeek] OS fingerprinting Status

Federico Foschini undicizeri at gmail.com
Tue Aug 27 01:33:18 PDT 2019


Hello,
Is there a way to fingerprint operating systems in Zeek?
I have done some testing using the *OS_version_found* event
https://docs.zeek.org/en/stable/scripts/base/bif/event.bif.bro.html#id-OS_version_found
and by modifying this old script:
https://github.com/ewust/telex/blob/master/telex-station/station/bro-1.5.1/policy/OS-fingerprint.bro
but without much success.

I stumbled upon the (WIP) release notes for Zeek 3.1.0 and read the
following:

- Removed p0f (passive OS fingerprinting) support. The version of
  p0f shipped with zeek was ancient, probably did not give
  any reliable support anymore and did not offer a clear
  upgrade path. The ``OS_version_found`` event as well as the
  ``generate_OS_version_event`` configuration option were removed.

So I'm assuming my approach will be a failure.
Is there another way to get OS information? Are there some zeek scripts
that offer this functionality?
-- 
Federico Foschini.
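The approach the message describes (handling the OS_version_found event from a script), shown as an added example that is not part of the original post, of the linked Telex script, or of Zeek's own script base. It only works on Zeek/Bro releases older than 3.1.0, where the event and the generate_OS_version_event option still exist. Assumptions: the OS_version record fields (genre, detail, dist, match_type) follow the Bro-era event documentation; generate_OS_version_event is treated as a redef-able set[subnet]; the log stream name and path are choices made for this example.

```zeek
# Added example (not from the original post or from Zeek's own scripts).
# Requires a Zeek/Bro release older than 3.1.0: the OS_version_found
# event and the generate_OS_version_event option were removed in 3.1.0.
# On Bro 2.x rename zeek_init to bro_init.

module OSFingerprint;

export {
    # Assumed: a dedicated log stream, written to os_fingerprint.log.
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:         time   &log;  # time the inference was made
        host:       addr   &log;  # host whose SYN was fingerprinted
        genre:      string &log;  # OS family reported by p0f
        detail:     string &log;  # version detail reported by p0f
        dist:       count  &log;  # estimated hop distance
        match_type: string &log;  # direct / generic / fuzzy inference
    };
}

# Assumed semantics: p0f matching is only attempted for hosts in these
# subnets. 0.0.0.0/0 enables it for everything; in a real deployment
# restrict this to the monitored local networks to limit the overhead.
redef generate_OS_version_event += { 0.0.0.0/0 };

event zeek_init()
    {
    Log::create_stream(OSFingerprint::LOG,
                       [$columns=Info, $path="os_fingerprint"]);
    }

# p0f fires this once per matched SYN, so the same host can appear
# repeatedly; dedupe downstream (or in a table keyed by host) if needed.
event OS_version_found(c: connection, host: addr, OS: OS_version)
    {
    Log::write(OSFingerprint::LOG,
               [$ts=network_time(),
                $host=host,
                $genre=OS$genre,
                $detail=OS$detail,
                $dist=OS$dist,
                $match_type=fmt("%s", OS$match_type)]);
    }
```

The caveat from the release notes applies unchanged: the p0f signature database bundled with these releases is old, so the genre/detail values it emits for modern TCP stacks should be treated as low-confidence hints rather than as an inventory source.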