OS fingerprinting Status

Hello,
Is there a way to fingerprint operating systems in Zeek?
I have done some testing using the OS_version_found event

https://docs.zeek.org/en/stable/scripts/base/bif/event.bif.bro.html#id-OS_version_found
and by modifying this old script:
https://github.com/ewust/telex/blob/master/telex-station/station/bro-1.5.1/policy/OS-fingerprint.bro

But without much success.

I stumbled upon the (WIP) release notes for Zeek 3.1.0 and read the following:

  • Removed p0f (passive OS fingerprinting) support. The version of
    p0f shipped with zeek was ancient, probably did not give
    any reliable support anymore and did not offer a clear
    upgrade path. The OS_version_found event as well as the
    generate_OS_version_event configuration option were removed.

So I’m assuming my approach will be a failure.
Is there another way to get OS information? Are there some Zeek scripts that offer this functionality?

Hi,

Yes, the p0f method has been retired since it was unreliable and, frankly, wasn’t taking advantage of Zeek’s feature set.

There are some scripts that offer similar functionality, but which should be much more reliable, for example:

https://github.com/zeek/zeek/blob/master/scripts/policy/frameworks/software/windows-version-detection.zeek
https://github.com/fatemabw/bro-scripts/blob/master/iPhone-detection.bro
https://github.com/fatemabw/bro-scripts/blob/master/Mac-version-detection.bro

–Vlad
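For readers wondering what the Software-framework approach looks like in practice, here is an added example (not Vlad's code and not part of the Zeek distribution or the linked scripts): a small script that tags the client OS advertised in an HTTP User-Agent header and records it in software.log. The module name OSFromUA, the OS_USER_AGENT software type and the signature table are assumptions made for this example; a User-Agent is self-reported by the client, so the result is a hint for inventory and correlation, not a verified fingerprint.

```zeek
##! Added example: infer the client operating system from the HTTP
##! User-Agent header via Zeek's Software framework (the same mechanism
##! the windows/Mac version-detection scripts above build on).
##! OSFromUA, OS_USER_AGENT and the signature list are assumptions.

@load base/protocols/http
@load base/frameworks/software

module OSFromUA;

export {
	redef enum Software::Type += {
		## Operating system inferred from a client User-Agent string.
		OS_USER_AGENT,
	};

	## One signature: a regex over the User-Agent and the OS it implies.
	type Sig: record {
		re:   pattern;
		name: string;
		ver:  Software::Version;
	};

	## Constructed signature list; first match wins, so keep the most
	## specific patterns first. Extend with redef as needed.
	const sigs: vector of Sig = vector(
		Sig($re=/Windows NT 10\.0/, $name="Windows", $ver=[$major=10, $minor=0]),
		Sig($re=/Windows NT 6\.3/,  $name="Windows", $ver=[$major=6,  $minor=3]),
		Sig($re=/Windows NT 6\.1/,  $name="Windows", $ver=[$major=6,  $minor=1]),
		Sig($re=/Mac OS X 10_/,     $name="macOS",   $ver=[$major=10])
	) &redef;
}

event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	# Only the client's request headers describe the client's OS;
	# Zeek hands header names to this event in upper case.
	if ( ! is_orig || name != "USER-AGENT" )
		return;

	for ( i in sigs )
		{
		local s = sigs[i];
		if ( s$re in value )
			{
			# Passing an explicit $version keeps our OS name; the framework
			# would otherwise re-parse $unparsed_version and overwrite it.
			Software::found(c$id, [$name=s$name, $version=s$ver,
			                       $unparsed_version=value,
			                       $host=c$id$orig_h,
			                       $software_type=OS_USER_AGENT]);
			return;
			}
		}
	}
```

Because the Software framework deduplicates per host, name and version, a host that keeps sending the same User-Agent produces one software.log entry rather than one per request.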