I am writing an extension of Operating System Fingerprinting for Bro, and want to use the OS signatures generated (NOT the p0f fingerprint file) by Bro in my component for classification.
According to my best knowledge, the following two events can help collect almost all the fields of an OS signature.
- event tcp_option (c:connection, is_orig:bool, opt:count, optlen:count)
- event connection_SYN_packet(c:connection, pkt:SYN_packet)
However, they are two separate events, and extra efforts is required to construct an accurate OS signature.
Just wondering if there is an event that can do it at one go?
Thank you in advance.