[Bro] Any plans to use p0f V3 signature?

김희철 hckim at narusec.com
Tue Sep 15 22:51:00 PDT 2015


I have been using p0f -v1.8.3 fingerprints
<https://tools.netsa.cert.org/confluence/display/tt/p0f+fingerprints> but
having some issue
bro is printing out couple of OS from same IP

module osfound;

redef generate_OS_version_event: set[subnet]={,
export {

    redef enum Log::ID += { LOG };

    type Info: record {
        ts:       time &log;
        uid:      string &log;
        srcip:    addr &log;
        ostype:      string &log &optional;

event bro_init()
    Log::create_stream(osfound::LOG, [$columns = Info]);

event OS_version_found(c:connection, host:addr, OS:OS_version)
   local log: Info;
   log = [$ts = c$start_time, $uid = c$uid, $srcip = host, $ostype =

   Log::write(osfound::LOG, log);


1442380383.955525 CKYeuj3FmWKkSkvqja 192.168.0.xx [genre=iOS, detail=3.x,
4.2, dist=0, match_type=direct_inference]

1442380384.611330 CMVD6fzeHEGS4Q7el 192.168.0.xx [genre=UNKNOWN, detail=,
dist=0, match_type=direct_inference]

1442380805.630824 CBytoWhjC7bBWFlKj 192.168.0.aa [genre=Windows,
detail=Vista SP0/SP2, 7 SP0+, 2008 SP0, dist=0, match_type=direct_inference]

1442380811.907225 COmECC4qM5njKIsncb 192.168.0.aa [genre=Windows,
detail=2000 SP2+, XP SP1+ (seldom 98), Vista SP1, 7 SP1, 2008 SP2, dist=0,

So I test p0f - v3, so far I did not have this issue.( just p0f -i eth1 -a

am I having this issue because of my bro script ?

if not do you have any plans to use p0f - v3 (or fingerprints

Hichul Kim 김희철 선임 연구원

Naru Security  (주)나루씨큐리티
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150916/882cb0b3/attachment.html 

More information about the Bro mailing list