[Bro] p0f v3 signature definitions

Vlad Grigorescu vladg at cmu.edu
Wed Feb 6 14:12:01 PST 2013

I tried dropping the v3 sigs into Bro's existing p0f mechanism, and it was *really* unhappy - I believe it would just quickly segfault. I even tried only importing the SYN-only sigs. I don't think the new format is backwards compatible with the old format, and would need some work to support.


On Feb 6, 2013, at 5:01 PM, Seth Hall <seth at icir.org>

> On Feb 6, 2013, at 4:34 PM, James Swaro <james.swaro at gmail.com> wrote:
>> Quick question about OS fingerprinting:
>> Will the OS fingerprinting code in bro be updated to use the new fingerprint definitions given in the latest version of p0f(3.06b)? 
> It depends on what you mean by that. :)
> I tend to upgrade the signatures when there are new releases, but we only support the original SYN packet mechanism (and not the newer SYN/ACK mechanism) so not all of the signatures will do anything directly.  We do certainly accept patches if you feel up for updating the p0f code!
>  .Seth
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list