Hello, I was asked by a supervisor if we at my company were logging OS Fingerprinting.?
Checked logs for various “operating”, “system”, “os” “windows”, “ATTACK” without luck.
I see there is this policy:
/opt/bro/share/bro/policy/frameworks/signatures/detect-windows-shells.sig
Can you help us answer the question on whether OS Fingerprinting is being logged and which log would I look in? Also, what would I look for?
We are running the following:
zeek version 4.0.3
bro version 2.5
Also, if not present, how would we enable? Looking to see ANY os hitting our network.
Hi Charles,
Can you help us answer the question on whether OS Fingerprinting is being logged and which log would I look in? Also, what would I look for?
The closest Zeek has to offer for this is its software framework, which logs software version information it can discern in the traffic. Look for software.log in your resulting set of logs. The value of that framework depends on the version detectors hooked into it, and we unfortunately don't have a whole lot of those. Consider this example:
https://docs.zeek.org/en/master/scripts/policy/frameworks/software/windows-version-detection.zeek.html
The script you flagged is more of a one-off, but you are correct in that it will detect these specific shells (via the signature.log, as this detection is driven by signatures only).
Also take a look at the Zeek package repository, for example via these queries:
https://packages.zeek.org/packages?q=fingerprint
https://packages.zeek.org/packages?q=software
Best,
Christian