[Zeek] State of p0f support

Michał Purzyński michalpurzynski1 at gmail.com
Mon Jun 17 15:05:18 PDT 2019


There is so much data in various logs, like software.log, http.log, SSL,
DNS, known_*, x509 and even in the conn.log that recognizing the OS is most
of the time trivial. I would rather invest in correlation and build a
scoring engine that logs a verdict "based on A, B and C I think this is a
Windows 10"

On Mon, Jun 17, 2019 at 1:55 PM Robin Sommer <robin at corelight.com> wrote:

> Looking for some input here.
>
> Zeek has provided support for passive OS fingerprinting for a long
> time through p0f. However, we are using a very outdated version
> of the p0f engine, and the signature set is likewise stale (last
> update from 2011!).
>
> Unfortunately p0f has changed quite a bit in the meantime, so that it's
> not easy to upgrade. While we'd certainly be happy to do that if
> anybody wanted to work on it, for now we are considering removing the
> old engine that's currently shipping with Zeek because it doesn't seem
> to provide much value anymore.
>
> Please chime in if that would be a problem for you. Is anybody still
> relying on the p0f support in Zeek as it is today?
>
> Thanks,
>
> Robin
>
>
> --
> Robin Sommer * Corelight, Inc. * robin at corelight.com * www.corelight.com
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
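The correlation-and-scoring approach Michał sketches above, as an added example that is not part of the original thread and not Zeek's own code: a small Python script that reads Zeek-style JSON log records from software.log, http.log and dns.log, applies weighted rules per log field, sums the weights per OS family for each host, and emits a verdict with the evidence it rests on. The rule set, the weights, the minimum score and all sample records are assumptions constructed for the example; the field names (`host`, `id.orig_h`, `unparsed_version`, `user_agent`, `query`) are the ones Zeek uses in those logs.

```python
"""Correlate several Zeek logs into a per-host OS verdict with reasons.

Added example; not code from the Zeek project. Rules and weights are
illustrative assumptions, not a vetted fingerprint database.
"""
import json
import re
from collections import defaultdict

# Constructed sample records in Zeek's JSON log format (values are made up).
# Host 10.0.0.9 deliberately carries one conflicting observation: a script
# that sends a Windows browser User-Agent from what is otherwise a Linux box.
SAMPLE_LOGS = {
    "software": [
        '{"ts":1560805000.1,"host":"10.0.0.5","software_type":"HTTP::BROWSER","name":"Edge",'
        '"unparsed_version":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/18.17763"}',
        '{"ts":1560805001.2,"host":"10.0.0.9","software_type":"SSH::SERVER","name":"OpenSSH",'
        '"unparsed_version":"SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3"}',
    ],
    "http": [
        '{"ts":1560805002.3,"id.orig_h":"10.0.0.5","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"}',
        '{"ts":1560805003.4,"id.orig_h":"10.0.0.9","user_agent":"Debian APT-HTTP/1.3 (1.6.12)"}',
        '{"ts":1560805003.9,"id.orig_h":"10.0.0.9","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"}',
    ],
    "dns": [
        '{"ts":1560805004.5,"id.orig_h":"10.0.0.5","query":"ctldl.windowsupdate.com"}',
        '{"ts":1560805005.6,"id.orig_h":"10.0.0.9","query":"security.ubuntu.com"}',
    ],
}

# Which field names the host in each log (software.log records the host the
# software runs on; http.log and dns.log record the originator).
HOST_FIELD = {"software": "host", "http": "id.orig_h", "dns": "id.orig_h"}

# (log, field, regex, OS family, version hint or None, weight)
# Weights are assumptions: a banner or package-manager UA is stronger evidence
# than a browser UA, which is trivially changed, or a single DNS lookup.
RULES = [
    ("software", "unparsed_version", r"Windows NT 10\.0", "Windows", "Windows 10", 2),
    ("software", "unparsed_version", r"\bUbuntu\b", "Linux", "Ubuntu", 3),
    ("http", "user_agent", r"Windows NT 10\.0", "Windows", "Windows 10", 1),
    ("http", "user_agent", r"Debian APT-HTTP", "Linux", "Debian/Ubuntu", 3),
    ("dns", "query", r"(^|\.)windowsupdate\.com$", "Windows", None, 1),
    ("dns", "query", r"(^|\.)ubuntu\.com$", "Linux", "Ubuntu", 1),
]


def collect_evidence(logs):
    """Return {host: [(family, hint, weight, reason), ...]} from raw JSON lines."""
    evidence = defaultdict(list)
    for log_name, lines in logs.items():
        for line in lines:
            rec = json.loads(line)
            host = rec.get(HOST_FIELD[log_name])
            if host is None:
                continue
            for rule_log, field, pattern, family, hint, weight in RULES:
                if rule_log != log_name:
                    continue
                value = rec.get(field, "")
                if re.search(pattern, value):
                    reason = f"{log_name}.log {field} matched /{pattern}/ ({value!r})"
                    evidence[host].append((family, hint, weight, reason))
    return evidence


def verdicts(logs, min_score=2):
    """Score each host per OS family and return the best-supported verdict.

    Result: {host: {"verdict", "score", "based_on", "conflicting"}}.
    Hosts whose top score is below min_score get no verdict at all.
    """
    out = {}
    for host, items in collect_evidence(logs).items():
        scores, hints, reasons = defaultdict(int), defaultdict(list), defaultdict(list)
        for family, hint, weight, reason in items:
            scores[family] += weight
            if hint:
                hints[family].append((weight, hint))
            reasons[family].append(reason)
        family, score = max(scores.items(), key=lambda kv: kv[1])
        if score < min_score:
            continue
        # Most heavily weighted version hint names the verdict; else the family.
        label = max(hints[family])[1] if hints[family] else family
        # Keep the losing families' scores so an analyst can see the conflict.
        conflicting = {f: s for f, s in scores.items() if f != family}
        out[host] = {"verdict": label, "score": score,
                     "based_on": reasons[family], "conflicting": conflicting}
    return out


if __name__ == "__main__":
    for host, v in verdicts(SAMPLE_LOGS).items():
        print(f"{host}: {v['verdict']} (score {v['score']}, conflicting {v['conflicting']})")
        for reason in v["based_on"]:
            print(f"    based on {reason}")
```

On the constructed input, 10.0.0.5 scores Windows 4 from three independent logs, while 10.0.0.9 scores Linux 7 against Windows 1: the spoofed browser User-Agent is recorded as conflicting evidence rather than silently discarded, which is the point of scoring over a single-signature match.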