OS fingerprinting not working



  • I'm trying to use the OS fingerprinting feature on 2.3.2 to try and block all Windows XP machines from communicating out to the internet from our LAN.

    I tried setting up a block rule for TCP and OS as "Windows XP" to a single host which is a Windows 2008 R2 machine. This appears to block the traffic from it even though it is not the OS I want to block. Switched to "Windows XP SP3" as the OS to block and it allows the traffic through for the 2008 machine.

    I then got a Windows XP machine with SP3 on and tried to block that, but the same settings with "Windows XP SP3" don't actually block this machine.

    You can imagine why I want to do this after WannaCry.


  • Rebel Alliance Global Moderator

    "You can imagine why I want to do this after WannaCry."

    No, not really… I would be wondering why you would be running XP at all..



  • We have lots of developers that spin up old virtual machines of XP on their local machines that are pre-configured with lots of data, or they are running very old versions of our product they still have to support. I thought blocking all external network access for these machines would force them onto newer Windows versions.

    Either that, or finding some way for DHCP to not assign them addresses if they are XP machines.


  • Rebel Alliance Global Moderator

    If they spin them up on their local machine, they could just NAT the connection to the internet - so how exactly would you stop them? Who says they are not doing that now.. Most host VM software defaults to NAT mode..



  • Currently they don't appear to be doing NAT as they are getting addresses assigned by DHCP.

    So am I doing something wrong with setting up OS fingerprinting, or is it just a bit unreliable?

    Any other suggestions to block these machines?


  • Rebel Alliance Global Moderator

    "2.3.2 to try and block all windows XP"

    For starters I would get current.. 2.3.4 is current.. Or go to one of the 2.4 snapshots.
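As an added illustration of the mechanism the original poster is relying on (this is an example written for this page, not code from the thread or from the pfSense project): the per-rule "OS" option in the pfSense GUI maps onto pf's `os` keyword, which matches passively against the TCP SYN signatures listed in the pf.os fingerprint file. The interface name `em1` and the LAN network below are assumptions.

```pf
# Added example pf.conf fragment, not from the thread. Interface and network are assumed.
lan_if  = "em1"
lan_net = "192.168.1.0/24"

# pf only fingerprints the initial TCP SYN, so an os match can only apply to
# TCP and only to connections the LAN host itself initiates; UDP (DNS) and
# ICMP from the same host are never matched by these rules.
#
# A bare class name matches every signature in that class, a class plus
# version narrows it, and class, version and subtype narrows it further.
# "Windows XP" therefore already covers "Windows XP SP3"; the second rule
# is shown only to illustrate the more specific form.
block in log quick on $lan_if proto tcp from $lan_net os "Windows XP"     to ! $lan_net
block in log quick on $lan_if proto tcp from $lan_net os "Windows XP SP3" to ! $lan_net

# Everything else from the LAN is still allowed out as before.
pass  in       quick on $lan_if from $lan_net to ! $lan_net keep state
```

The `log` keyword makes each match visible in pflog, which is the practical way to check which hosts a given fingerprint name really catches before trusting it: on pfSense the blocked SYNs can be read back with `tcpdump -n -e -ttt -r /var/log/pflog`, and `pfctl -s osfp` lists the fingerprint names pf actually has loaded. The caveat a defender should keep in mind is that the signature list is static and matches only the SYN's TCP/IP header characteristics, so two Windows releases that build their SYN the same way are indistinguishable to it; the behaviour the original poster saw (a 2008 R2 host matching "Windows XP" while a real XP SP3 host did not match "Windows XP SP3") is exactly the kind of result that check in the log is meant to surface before the rule is relied on.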