[Bro] p0f OS fingerprinting question

Seth Hall seth at icir.org
Mon Jan 27 07:15:45 PST 2014

On Jan 23, 2014, at 5:25 PM, Gary Faulkner <gary at doit.wisc.edu> wrote:

> at least very out of date due to a 6 year p0f development hiatus.

Yep.  It's in Bro still though.  If you write a script that handles this event:

	event OS_version_found(c: connection, host: addr, OS: OS_version)
		print cat("p0f reported - ", OS);

you will be getting the output from p0f.

>  With p0f having been rewritten in 2012 are there there any plans for updating Bro to support the newer version?

Nope, I don't think anyone plans on updating it.  The author of p0f stopped trying to fingerprint TCP stacks (mostly) and started using other deeper packet sniffing. :)  Basically the new version of p0f is something you could implement as a Bro script because he's just grabbing user-agent strings and stuff.  The problem is that it's really hard to blindly trust user-agent strings because of NAT'ed addressed and people giving fake user-agent strings.  

I'm hoping eventually in Bro to write a script that takes lots of measurements (p0f, user-agents, software update mechanisms touches, exposed services) to get a profile for a machine to decide if it's a particular type of host.  For instance, imagine that one of your windows xp machines gets identified as such by p0f (in Bro), then identifies that it's windows xp in a browser user-agent, then reaches out for windows updates and identifies that it's version of windows is some version of XP (i can't remember if this is visible for Windows system updates or not).

Anyway, this approach is replicable for many other operating systems too, it just takes time and the Bro scripts to support it.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140127/dcbfac31/attachment.bin 

More information about the Bro mailing list