[Bro] p0f v3 signature definitions
vladg at cmu.edu
Wed Feb 6 14:12:01 PST 2013
I tried dropping the v3 sigs into Bro's existing p0f mechanism, and it was *really* unhappy - I believe it would just quickly segfault. I even tried only importing the SYN-only sigs. I don't think the new format is backwards compatible with the old format, and would need some work to support.
On Feb 6, 2013, at 5:01 PM, Seth Hall <seth at icir.org> wrote:
> On Feb 6, 2013, at 4:34 PM, James Swaro <james.swaro at gmail.com> wrote:
>> Quick question about OS fingerprinting:
>> Will the OS fingerprinting code in Bro be updated to use the new fingerprint definitions given in the latest version of p0f (3.06b)?
> It depends on what you mean by that. :)
> I tend to upgrade the signatures when there are new releases, but we only support the original SYN packet mechanism (and not the newer SYN/ACK mechanism) so not all of the signatures will do anything directly. We do certainly accept patches if you feel up for updating the p0f code!
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network