[Zeek] OS fingerprinting Status

Vlad Grigorescu vlad at es.net
Tue Aug 27 07:01:36 PDT 2019


Hi,

Yes, the p0f method has been retired since it was unreliable and, frankly,
wasn't taking advantage of Zeek's feature set.

There are some scripts that offer similar functionality, but which should
be much more reliable, for example:

https://github.com/zeek/zeek/blob/master/scripts/policy/frameworks/software/windows-version-detection.zeek
https://github.com/fatemabw/bro-scripts/blob/master/iPhone-detection.bro
https://github.com/fatemabw/bro-scripts/blob/master/Mac-version-detection.bro

  --Vlad


On Tue, Aug 27, 2019 at 8:35 AM Federico Foschini <undicizeri at gmail.com>
wrote:

> Hello,
> Is there a way to fingerprint operating systems in Zeek?
> I have done some testing using the *OS_version_found* event
>
> https://docs.zeek.org/en/stable/scripts/base/bif/event.bif.bro.html#id-OS_version_found
> and by modifying this old script:
>
> https://github.com/ewust/telex/blob/master/telex-station/station/bro-1.5.1/policy/OS-fingerprint.bro
> But without much success.
>
> I stumbled upon the (WIP) release notes from Zeek 3.1.0 and read the
> following:
>
> - Removed p0f (passive OS fingerprinting) support. The version of
>   p0f shipped with zeek was ancient, probably did not give
>   any reliable support anymore and did not offer a clear
>   upgrade path. The ``OS_version_found`` event as well as the
>   ``generate_OS_version_event`` configuration option were removed.
>
> So I'm assuming my approach will be a failure.
> Is there another way to get OS information? Are there some zeek scripts
> that offer this functionality?
> --
> Federico Foschini.
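The scripts Vlad points to rely on Zeek's Software framework (application-layer evidence recorded in software.log) rather than on p0f-style TCP stack fingerprinting. The following is an added illustration of that approach, not a script from the Zeek project or from this thread: it derives a client's Windows release from the HTTP User-Agent and records it through Software::found(). The type name WINDOWS_UA and the NT-to-release table are this example's own assumptions, and it uses the Zeek 3.x four-argument http_header signature.

```zeek
##! Added example: record the Windows release a client advertises in its
##! HTTP User-Agent, using the Software framework (not part of Zeek itself).
@load base/frameworks/software
@load base/protocols/http

module OS;

export {
    redef enum Software::Type += {
        ## Software type used by this example (assumed name).
        WINDOWS_UA,
    };
}

# Map the "Windows NT x.y" token to a product name (assumed table).
# Windows 11 also reports NT 10.0, so 10.0 cannot be split further.
const nt_names: table[string] of string = {
    ["10.0"] = "Windows 10/11",
    ["6.3"]  = "Windows 8.1",
    ["6.2"]  = "Windows 8",
    ["6.1"]  = "Windows 7",
    ["6.0"]  = "Windows Vista",
    ["5.1"]  = "Windows XP",
} &redef;

event http_header(c: connection, is_orig: bool, name: string, value: string)
{
    # Only the client's request headers describe the client itself.
    if ( ! is_orig || name != "USER-AGENT" )
        return;

    # Pull out the "Windows NT x.y" token, if any.
    local nt = find_last(value, /Windows NT [0-9]+\.[0-9]+/);
    if ( nt == "" )
        return;

    local nt_ver = sub(nt, /Windows NT /, "");
    if ( nt_ver !in nt_names )
        return;

    local parts = split_string(nt_ver, /\./);
    local ver = Software::Version($major=to_count(parts[0]),
                                  $minor=to_count(parts[1]));

    # Software::found() deduplicates per host, so calling it on every request
    # only produces a software.log entry when the host/version pair is new.
    Software::found(c$id, Software::Info($name=nt_names[nt_ver],
                                        $host=c$id$orig_h,
                                        $software_type=WINDOWS_UA,
                                        $version=ver,
                                        $unparsed_version=value));
}
```

The User-Agent is client-supplied, so treat the resulting entries as an inventory hint to corroborate with other evidence (e.g. the Windows Update traffic the linked windows-version-detection script keys on), not as ground truth.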