Tweak the PE OS versions based on real-world traffic.

Vlad Grigorescu 2015-04-20 12:49:42 -04:00
parent 928f870f58
commit d0e4d17f31
2 changed files with 27 additions and 11 deletions


@ -127,15 +127,31 @@ export {
} &default=function(i: count):string { return fmt("unknown-%d", i); }; } &default=function(i: count):string { return fmt("unknown-%d", i); };
const os_versions: table[count, count] of string = { const os_versions: table[count, count] of string = {
[6,2] = "Windows 8", [10,0] = "Windows 10",
[6,1] = "Windows 7", [6,4] = "Windows 10 Technical Preview",
[6,0] = "Windows Vista", [6,3] = "Windows 8.1 or Server 2012 R2",
[5,2] = "Windows XP 64-Bit Edition", [6,2] = "Windows 8 or Server 2012",
[6,1] = "Windows 7 or Server 2008 R2",
[6,0] = "Windows Vista or Server 2008",
[5,2] = "Windows XP x64 or Server 2003",
[5,1] = "Windows XP", [5,1] = "Windows XP",
[5,0] = "Windows 2000", [5,0] = "Windows 2000",
[4,90] = "Windows Me", [4,90] = "Windows Me",
[4,1] = "Windows 98", [4,10] = "Windows 98",
[4,0] = "Windows NT 4.0", [4,0] = "Windows 95 or NT 4.0",
[3,51] = "Windows NT 3.51",
[3,50] = "Windows NT 3.5",
[3,2] = "Windows 3.2",
[3,11] = "Windows for Workgroups 3.11",
[3,10] = "Windows 3.1 or NT 3.1",
[3,0] = "Windows 3.0",
[2,11] = "Windows 2.11",
[2,10] = "Windows 2.10",
[2,0] = "Windows 2.0",
[1,4] = "Windows 1.04",
[1,3] = "Windows 1.03",
[1,1] = "Windows 1.01",
[1,0] = "Windows 1.0",
} &default=function(i: count, j: count):string { return fmt("unknown-%d.%d", i, j); }; } &default=function(i: count, j: count):string { return fmt("unknown-%d.%d", i, j); };
const section_descs: table[string] of string = { const section_descs: table[string] of string = {
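Review bot: The reworked `os_versions` table still has no comment saying what its `[major, minor]` keys actually are, and that matters more now that the labels name specific products: presumably they are the PE optional header's OS version fields (Major/MinorOperatingSystemVersion), i.e. the minimum OS the linker stamped into the file, not the platform the sample was built on or runs on, and that value is freely settable by whoever produced the binary. The "X or Server Y" wording is a sensible hedge, since the header cannot distinguish client from server SKUs, but an analyst reading the `os` column of pe.log gets no such warning. I would add above `const os_versions`: `# OS version pair from the PE optional header (assumed Major/MinorOperatingSystemVersion): the minimum OS the linker declared, trivially forged, so treat the resulting "os" field as a hint, never as ground truth about the target platform.` The `[6,4] = "Windows 10 Technical Preview"` entry is also worth a one-line note that released Windows 10 toolchains stamp 10.0, so 6.4 really identifies a pre-release linker rather than an OS.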


@ -3,11 +3,11 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path pe #path pe
#open 2015-04-20-00-26-40 #open 2015-04-20-16-48-55
#fields ts id machine compile_ts os subsystem is_exe is_64bit uses_aslr uses_dep uses_code_integrity uses_seh has_import_table has_export_table has_cert_table has_debug_data section_names #fields ts id machine compile_ts os subsystem is_exe is_64bit uses_aslr uses_dep uses_code_integrity uses_seh has_import_table has_export_table has_cert_table has_debug_data section_names
#types time string string time string string bool bool bool bool bool bool bool bool bool bool vector[string] #types time string string time string string bool bool bool bool bool bool bool bool bool bool vector[string]
1429466342.201366 Fz2N9x4SAxQiSnI6mk unknown-475 0.000000 - - F T F F F T - - - - - 1429466342.201366 Fz2N9x4SAxQiSnI6mk unknown-475 0.000000 - - F T F F F T - - - - -
1429466342.278998 F5fc4q3zhJHmYSvm8a I386 1402852568.000000 Windows NT 4.0 WINDOWS_GUI T F F F F T T T F F .text,.Ddata,.data,.rsrc 1429466342.278998 F5fc4q3zhJHmYSvm8a I386 1402852568.000000 Windows 95 or NT 4.0 WINDOWS_GUI T F F F F T T T F F .text,.Ddata,.data,.rsrc
1429466342.225653 Fzysjj1zfjAcgWgm22 I386 1171692517.000000 Windows XP 64-Bit Edition WINDOWS_GUI T F F F F T T F F T .text,.data,.rsrc 1429466342.225653 Fzysjj1zfjAcgWgm22 I386 1171692517.000000 Windows XP x64 or Server 2003 WINDOWS_GUI T F F F F T T F F T .text,.data,.rsrc
1429466342.250474 FOuWFKf04xcHH4ck I386 1210911433.000000 Windows NT 4.0 WINDOWS_CUI T F F F F T T F T T .text,.rdata,.data,.rsrc 1429466342.250474 FOuWFKf04xcHH4ck I386 1210911433.000000 Windows 95 or NT 4.0 WINDOWS_CUI T F F F F T T F T T .text,.rdata,.data,.rsrc
#close 2015-04-20-00-26-41 #close 2015-04-20-16-48-55