[Bro] Any plans to use p0f V3 signature?
johanna at icir.org
Fri Sep 18 10:25:16 PDT 2015
On Wed, Sep 16, 2015 at 02:51:00PM +0900, 김희철 wrote:
> I have been using p0f -v1.8.3 fingerprints
> <https://tools.netsa.cert.org/confluence/display/tt/p0f+fingerprints> but
> having some issue
> bro is printing out couple of OS from same IP
These signatures are quite out of date by now - so I guess it is not
really to be too unexpected that they do not really give you good results.
That being said - just to ask the obvious question - there is no chance
someone is using virtual machines or a NAT gateway there?
> So I test p0f - v3, so far I did not have this issue.( just p0f -i eth1 -a
> am I having this issue because of my bro script ?
> if not do you have any plans to use p0f - v3 (or fingerprints
p0f v3 is quite different from the earlier versions and uses information
from e.g. HTTP headers for its operating system determination. One could
probably try to re-implement something similar using Bro scripts -- there
already are scripts that track information about hosts (like software.log)
that could be used towards this end.
As far as I am aware, no one currently has plans to add p0f v3 support to