[Bro] Updated p0f Fingerprints

Yardley, Tim yardley at illinois.edu
Wed May 7 07:26:41 PDT 2014


Scott,

I'm not sure what the history is behind the p0f incorporation in bro, but it might be worth looking into updating to p0f 3.x as the inspection level is much more interesting (allowing one to inspect not just the layer 4 info, but all the way up through the application stack). I'd imagine that change could be straightforward, but I didn't look into it.

The last update to dsniff/p0f2.py I made brought in the last 2006 signatures (v 2.0.8, with a couple more updates beyond that), but I never bothered implementing p0f3. The signature format changed dramatically due to the complete rewrite, so they aren't backwards compatible. There are some other older experimental signatures that sit in the dsniff repo as well.
https://code.google.com/p/dsniff/source/browse/trunk/#trunk%2Fshare

I'm not sure what CMU used to update their signatures for p0f2, but they would still have less power in identification than using p0f3. If p0f3 interests you, there have been some public forks that added a bit more:
https://github.com/p0f/p0f/network

Other things that might interest you using p0f3 include patches like this:
https://idea.popcount.org/2012-06-17-ssl-fingerprinting-for-p0f/

Again, depends on what you are doing though.

Tim

--

Tim Yardley
Assistant Director, Testbed Services
Information Trust Institute, University of Illinois
yardley at illinois.edu


On May 7, 2014, at 8:02 AM, Knick, Scott E CTR USARMY RCERT-EUR (US) <scott.e.knick.ctr at mail.mil> wrote:

> Just thought I'd pass on this extremely useful info: If you're interested in using the passive OS fingerprinting capability of Bro (via the OS_version_found event, for example), then you'll need a version of the fingerprint file far more up-to-date than the one shipped with Bro. As it turns out, the awesome people at Carnegie Mellon have updated it (so it can be used with their yaf tool):
> 
> https://tools.netsa.cert.org/confluence/display/tt/p0f+fingerprints
> 
> I've tested the updated p0f.fp file with Bro and it works like a champ.
> 
> --
> Scott Knick
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
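As an added illustration of the format break Tim describes, here is a small Python parser and matcher for p0f 2.x TCP SYN signature lines (field layout as documented in the 2.0.8 p0f.fp header). It is not code from this thread, from Bro or from p0f; the sample lines and SYN attributes are constructed, and the TTL-distance rule is a simplification of p0f's own.

```python
from dataclasses import dataclass

@dataclass
class Sig:  # one p0f 2.x p0f.fp line: wwww:ttt:D:ss:OOO...:QQ:OS:Details
    window: str    # "*", "%nnn", "Sxx" (xx * MSS), "Txx" (xx * MTU) or an exact value
    ttl: int       # initial TTL assumed for the OS
    df: int        # don't-fragment bit
    size: int      # total SYN packet size in bytes
    options: list  # option layout, e.g. ["M*", "N", "W0", "N", "N", "T"]
    quirks: str    # quirk letters, "." when none
    genre: str
    details: str

def parse_v2(line: str) -> Sig:
    fields = line.strip().split(":")
    if len(fields) != 8:
        raise ValueError(f"expected 8 colon-separated fields: {line}")
    w, ttl, df, size, opts, quirks, genre, details = fields
    try:  # a 3.x "sig = ..." line puts "*" where 2.x expects an integer and fails here
        return Sig(w, int(ttl), int(df), int(size), opts.split(","), quirks, genre, details)
    except ValueError as exc:
        raise ValueError(f"not a p0f 2.x signature: {line}") from exc

def window_matches(spec: str, wsize: int, mss: int, mtu: int = 1500) -> bool:
    if spec == "*":
        return True
    if spec[0] == "%":
        return wsize % int(spec[1:]) == 0
    if spec[0] in "ST":  # multiple of MSS or of MTU
        return wsize == (mss if spec[0] == "S" else mtu) * int(spec[1:])
    return wsize == int(spec)

def match(sig: Sig, syn: dict) -> bool:
    """True if an observed SYN (keys wsize, mss, ttl, df, size, options, quirks) fits sig."""
    if not 0 <= sig.ttl - syn["ttl"] < 32:  # simplified TTL rule: within 32 hops of initial
        return False
    exact = (sig.df, sig.size, sig.quirks, len(sig.options))
    if exact != (syn["df"], syn["size"], syn["quirks"], len(syn["options"])):
        return False
    # "M*" matches any MSS value; every other option must match exactly and in order
    if not all(s == o or (s == "M*" and o.startswith("M"))
               for s, o in zip(sig.options, syn["options"])):
        return False
    return window_matches(sig.window, syn["wsize"], syn["mss"])

# Constructed samples: layout follows each format, values are made up for the demo
V2_LINE = "S4:64:1:60:M*,N,W0,N,N,T:.:Linux:2.4-2.6 (demo)"
V3_LINE = "sig = *:64:0:*:mss*20,10:mss,sok,ts,nop,ws:df,id+:0"
SYN = {"wsize": 5840, "mss": 1460, "ttl": 52, "df": 1, "size": 60,
       "options": ["M1460", "N", "W0", "N", "N", "T"], "quirks": "."}
```

`match(parse_v2(V2_LINE), SYN)` returns True, while `parse_v2(V3_LINE)` raises, which is the incompatibility that makes a 3.x p0f.fp unusable with a 2.x-format consumer.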
