Options for detecting Windows XP

With the upcoming EOL for XP I would like to track down as many of
these as I can. Is the info already available somewhere? If not, is
there a knob I can turn to help find them?

Thanks.

Probably the easiest way would be to search your software.log for Browsers that indicate they're running on Windows XP.

  .Seth

That might detect clients connecting to your web servers, too.

By default it only logs software in your local networks. :)

  .Seth

Not Bro related, but depending on your network speeds you could play with p0f.

Yes, I'm using this to detect XP. In general we're looking for
anything that is running 'Windows NT 5.2' or earlier. Caveats include:

1. We're finding a number of apps fake their User Agent to mimic
Windows NT 5.x, leading to some false positives. So far, two Chinese
apps, an AVG update checker, and something called 360safe (still
looking into that one).
2. This only works for systems actually browsing outbound.
3. We have seen one weird case of a browser being noted in
software.log but not seeing corresponding traffic in http in/outbound.
Not sure what that's about.

-Warren


_______________________________________________ Bro mailing list
bro@bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

--
Warren Raquel <wraquel@illinois.edu>
Head of Operational Security and Incident Response
National Center for Supercomputing Applications
+1 (217) 333-2876
PGP Fingerprint:
F88E 960B 6193 A3ED 0BB2
45C7 7DF9 57DB 6DCF 34C1

Another quick and dirty method of identifying XP (and some older) hosts is to look at the source ports being used for TCP/UDP. Without messing around in the registry, XP uses source ports in the range 1025-5000, but most other modern OSes use ports > 10000.

v/r John Donaldson
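As an added example (this code is not from the thread, and not part of Bro), here is a Python script that combines the two heuristics described above: Warren's search of software.log for browsers claiming Windows NT 5.x or earlier, with an exclusion list for the kind of User-Agent spoofers he mentions, and John's check of conn.log for originators whose source ports sit in XP's default 1025-5000 range. It assumes Bro 2.x-style tab-separated logs with a `#fields` header. The embedded log records, addresses and User-Agents, the `360safe` exclusion entry, and the 5-connection / 80% thresholds are constructed for illustration; the conn.log header is trimmed to the fields the script reads.

```python
#!/usr/bin/env python3
"""Two heuristics for spotting Windows XP-era hosts in Bro (Zeek) logs:
software.log browsers claiming Windows NT <= 5.2, and conn.log originators
whose source ports cluster in XP's 1025-5000 range. Logs are tab-separated
with a '#fields' header, as Bro 2.x writes them."""
import re
from collections import defaultdict

# NT 5.0 = Windows 2000, 5.1 = XP, 5.2 = XP x64 / Server 2003.
LEGACY_NT = {(5, 0): "Windows 2000", (5, 1): "Windows XP",
             (5, 2): "Windows XP x64 / Server 2003"}
NT_RE = re.compile(r"Windows NT (\d+)\.(\d+)")
# Non-browser software that fakes an NT 5.x UA (caveat 1 in the thread).
# Constructed placeholder: populate it from your own false-positive triage.
KNOWN_SPOOFERS = ("360safe",)
# XP's default dynamic range; Vista+ uses 49152-65535, Linux 32768-61000.
XP_PORT_LO, XP_PORT_HI = 1025, 5000

def parse_log(text):
    """Yield one dict per record, keyed by the log's own #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record precedes #fields header")
            yield dict(zip(fields, line.split("\t")))

def legacy_browsers(software_log):
    """Return (hits, spoofed): hits maps host -> {OS label} for browsers
    claiming NT <= 5.2; spoofed lists (host, ua) skipped as known fakes."""
    hits, spoofed = defaultdict(set), []
    for rec in parse_log(software_log):
        if rec.get("software_type") != "HTTP::BROWSER":
            continue                    # server banners say nothing of clients
        ua = rec.get("unparsed_version", "-")
        m = NT_RE.search(ua)
        ver = tuple(int(x) for x in m.groups()) if m else None
        if ver is None or ver > (5, 2):
            continue
        if any(s in ua for s in KNOWN_SPOOFERS):
            spoofed.append((rec["host"], ua))
            continue
        hits[rec["host"]].add(LEGACY_NT.get(ver, "Windows NT %d.%d" % ver))
    return dict(hits), spoofed

def xp_port_candidates(conn_log, min_conns=5, min_ratio=0.8):
    """Map originator -> share of TCP/UDP source ports inside 1025-5000,
    keeping hosts with >= min_conns flows and a share >= min_ratio."""
    total, in_range = defaultdict(int), defaultdict(int)
    for rec in parse_log(conn_log):
        if rec.get("proto") not in ("tcp", "udp"):
            continue                    # ICMP records carry no source port
        try:
            sport = int(rec["id.orig_p"])
        except (KeyError, ValueError):
            continue
        host = rec["id.orig_h"]
        total[host] += 1
        if XP_PORT_LO <= sport <= XP_PORT_HI:
            in_range[host] += 1
    return {h: in_range[h] / n for h, n in total.items()
            if n >= min_conns and in_range[h] / n >= min_ratio}

# Constructed sample records; addresses, UAs and ports are illustrative.
SOFTWARE_LOG = """#fields\tts\thost\thost_p\tsoftware_type\tname\tversion.major\tversion.minor\tversion.minor2\tversion.minor3\tversion.addl\tunparsed_version
1393000000.1\t10.1.2.3\t-\tHTTP::BROWSER\tMSIE\t8\t0\t-\t-\t-\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
1393000001.2\t10.1.2.4\t-\tHTTP::BROWSER\tFirefox\t27\t0\t-\t-\t-\tMozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
1393000002.3\t10.1.2.5\t-\tHTTP::BROWSER\tMSIE\t6\t0\t-\t-\t-\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 360safe)
1393000003.4\t10.1.2.6\t-\tHTTP::BROWSER\tMSIE\t7\t0\t-\t-\t-\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64)
1393000004.5\t10.1.2.7\t80\tHTTP::SERVER\tApache\t2\t2\t22\t-\t-\tApache/2.2.22 (Ubuntu)
"""
# conn.log header trimmed to the fields this script reads.
CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1393000010.0\tC1\t10.1.2.3\t1031\t198.51.100.5\t80\ttcp\thttp
1393000011.0\tC2\t10.1.2.3\t1045\t198.51.100.5\t443\ttcp\tssl
1393000012.0\tC3\t10.1.2.3\t1050\t10.1.0.1\t53\tudp\tdns
1393000013.0\tC4\t10.1.2.3\t1102\t198.51.100.5\t80\ttcp\thttp
1393000014.0\tC5\t10.1.2.3\t1480\t198.51.100.5\t80\ttcp\thttp
1393000016.0\tC7\t10.1.2.4\t49321\t198.51.100.5\t80\ttcp\thttp
1393000017.0\tC8\t10.1.2.4\t49322\t198.51.100.5\t443\ttcp\tssl
1393000018.0\tC9\t10.1.2.4\t50100\t10.1.0.1\t53\tudp\tdns
1393000019.0\tC10\t10.1.2.4\t51000\t198.51.100.5\t80\ttcp\thttp
1393000020.0\tC11\t10.1.2.4\t1033\t198.51.100.5\t80\ttcp\thttp
1393000021.0\tC12\t10.1.2.8\t1200\t198.51.100.5\t80\ttcp\thttp
1393000022.0\tC13\t10.1.2.8\t1201\t198.51.100.5\t80\ttcp\thttp
1393000023.0\tC14\t10.1.2.8\t1202\t198.51.100.5\t80\ttcp\thttp
"""

def main():
    hits, spoofed = legacy_browsers(SOFTWARE_LOG)
    for host, labels in sorted(hits.items()):
        print("%s: UA claims %s" % (host, ", ".join(sorted(labels))))
    for host, ua in spoofed:
        print("%s: ignored known spoofer UA: %s" % (host, ua))
    for host, share in sorted(xp_port_candidates(CONN_LOG).items()):
        print("%s: %.0f%% of source ports in %d-%d" % (host, share * 100, XP_PORT_LO, XP_PORT_HI))

if __name__ == "__main__":
    main()
```

To run it against real logs, pass the file contents (for example `open("software.log").read()`) in place of the embedded strings. The port heuristic deliberately requires several flows per host, since a single connection from port 1033 proves nothing, and a host that has had MaxUserPort raised in the registry, or that sits behind a NAT device, will skew the ratio in either direction. The User-Agent check only ever sees hosts that browse outbound through the monitored link (caveat 2 in the thread).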

Basically just download the newest p0f and look at how it detects XP, and think about how to implement it in Bro. Add a system-level broadcasted OS version like headers (yes, there will be false positives - so what?) and you should be good to go.