[Bro] Updated p0f Fingerprints
Knick, Scott E CTR USARMY RCERT-EUR (US)
scott.e.knick.ctr at mail.mil
Wed May 7 06:02:05 PDT 2014
Just thought I'd pass on this extremely useful info: If you're interested in using the passive OS fingerprinting capability of Bro (via the OS_version_found event, for example), then you'll need a version of the fingerprint file far more up-to-date than the one shipped with Bro. As it turns out, the awesome people at Carnegie Mellon have updated it (so it can be used with their yaf tool):
https://tools.netsa.cert.org/confluence/display/tt/p0f+fingerprints
I've tested the updated p0f.fp file with Bro and it works like a champ.
--
Scott Knick