[Bro] p0f v3 signature definitions
Vlad Grigorescu
vladg at cmu.edu
Wed Feb 6 14:12:01 PST 2013
I tried dropping the v3 sigs into Bro's existing p0f mechanism, and it was *really* unhappy - I believe it would just quickly segfault. I even tried only importing the SYN-only sigs. I don't think the new format is backwards compatible with the old format, and would need some work to support.
--Vlad
On Feb 6, 2013, at 5:01 PM, Seth Hall <seth at icir.org> wrote:
>
> On Feb 6, 2013, at 4:34 PM, James Swaro <james.swaro at gmail.com> wrote:
>
>> Quick question about OS fingerprinting:
>>
>> Will the OS fingerprinting code in Bro be updated to use the new fingerprint definitions given in the latest version of p0f (3.06b)?
>
> It depends on what you mean by that. :)
>
> I tend to upgrade the signatures when there are new releases, but we only support the original SYN packet mechanism (and not the newer SYN/ACK mechanism) so not all of the signatures will do anything directly. We do certainly accept patches if you feel up for updating the p0f code!
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/