[Bro] Any plans to use p0f V3 signature?

Johanna Amann johanna at icir.org
Fri Sep 18 10:25:16 PDT 2015


On Wed, Sep 16, 2015 at 02:51:00PM +0900, 김희철 wrote:
> Hi
> 
> I have been using the p0f v1.8.3 fingerprints
> <https://tools.netsa.cert.org/confluence/display/tt/p0f+fingerprints> but
> am having an issue:
> Bro is printing out a couple of OSes for the same IP.
> 
These signatures are quite out of date by now - so I guess it is not
really too unexpected that they do not give you good results
anymore.

That being said - just to ask the obvious question - there is no chance
someone is using virtual machines or a NAT gateway there?

> So I tested p0f v3; so far I did not have this issue (just `p0f -i eth1 -a
> os.log`).
> 
> am I having this issue because of my bro script ?

Probably not...

> If not, do you have any plans to use p0f v3 (or its fingerprints
> <https://tools.netsa.cert.org/confluence/display/tt/p0f+fingerprints>)?

p0f v3 is quite different from the earlier versions and uses information
from e.g. HTTP headers for its operating system determination. One could
probably try to re-implement something similar using Bro scripts -- there
already are scripts that track information about hosts (like software.log)
that could be used towards this end.

As far as I am aware, no one currently has plans to add p0f v3 support to
Bro.

Johanna
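An added example, not code from this thread or from Bro itself: a small Python script over constructed sample records (the field layout is hypothetical, loosely modelled on Bro's software.log) that combines SYN-fingerprint labels and HTTP User-Agent strings into per-host OS families, the way p0f v3 draws on both sources, and then lists hosts that present more than one family, which is the symptom reported above and what a NAT gateway or a VM host behind one address would produce.

```python
import re
from collections import defaultdict

# Constructed sample records, shaped loosely like Bro's software.log fields:
# (timestamp, source address, evidence source, raw value). Not real capture data.
SAMPLE_RECORDS = [
    (1442368000.0, "10.0.0.5", "syn", "Linux 3.x"),
    (1442368001.2, "10.0.0.5", "http_ua", "Mozilla/5.0 (X11; Linux x86_64; rv:40.0) Gecko/20100101"),
    (1442368002.0, "10.0.0.5", "syn", "unknown"),
    (1442368003.0, "10.0.0.9", "syn", "Windows 7 or 8"),
    (1442368003.5, "10.0.0.9", "http_ua", "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)"),
    (1442368004.0, "10.0.0.9", "http_ua", "Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X)"),
    (1442368005.0, "10.0.0.9", "syn", "Linux 2.6.x"),
]

# Ordered coarse OS-family patterns; "Android" precedes "Linux" because Android
# User-Agents also contain the word Linux.
OS_FAMILY_PATTERNS = [
    (re.compile(r"Windows"), "Windows"),
    (re.compile(r"iPhone|iPad|Mac OS X"), "Apple"),
    (re.compile(r"Android"), "Android"),
    (re.compile(r"Linux"), "Linux"),
]

def os_family(value):
    """Reduce a SYN-fingerprint label or an HTTP User-Agent to an OS family, or None."""
    for pattern, family in OS_FAMILY_PATTERNS:
        if pattern.search(value):
            return family
    return None  # e.g. p0f's "unknown": contributes no evidence

def os_families_per_host(records):
    """Collect the set of OS families each source address has presented."""
    families = defaultdict(set)
    for _ts, host, _source, value in records:
        family = os_family(value)
        if family is not None:
            families[host].add(family)
    return {host: sorted(fams) for host, fams in families.items()}

def hosts_with_conflicting_os(records):
    """Addresses that presented more than one OS family: the symptom from the thread,
    and the usual sign of a NAT gateway or a VM host sitting behind one address."""
    return {host: fams for host, fams in os_families_per_host(records).items()
            if len(fams) > 1}

if __name__ == "__main__":
    for host, fams in hosts_with_conflicting_os(SAMPLE_RECORDS).items():
        print(f"{host}: multiple OS families seen: {', '.join(fams)}")
```

A single conflicting host is usually a NAT or VM question rather than a signature problem; many hosts conflicting at once points instead at stale or ambiguous signatures.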

