Any plans to use p0f V3 signature?

Hi

I have been using p0f -v1.8.3 fingerprints but am having some issues:
Bro is printing out a couple of OSes from the same IP.

module osfound;

# Only generate OS_version_found events for hosts in these subnets.
redef generate_OS_version_event: set[subnet] = { 172.16.0.0/16, 192.168.0.0/16 };

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:     time   &log;
        uid:    string &log;
        srcip:  addr   &log;
        ostype: string &log &optional;
    };
}

event bro_init()
    {
    Log::create_stream(osfound::LOG, [$columns = Info]);
    }

# One log entry per fingerprint match; ostype is the whole OS_version record as a string.
event OS_version_found(c: connection, host: addr, OS: OS_version)
    {
    local log: Info;
    log = [$ts = c$start_time, $uid = c$uid, $srcip = host, $ostype = fmt("%s", OS)];
    Log::write(osfound::LOG, log);
    }

Hi

I have been using p0f -v1.8.3 fingerprints
<https://tools.netsa.cert.org/confluence/display/tt/p0f+fingerprints> but
am having some issues:
Bro is printing out a couple of OSes from the same IP.

These signatures are quite out of date by now - so I guess it is not
really to be too unexpected that they do not really give you good results
anymore.

That being said - just to ask the obvious question - there is no chance
someone is using virtual machines or a NAT gateway there?

So I tested p0f v3; so far I did not have this issue (just p0f -i eth1 -a
os.log).

Am I having this issue because of my Bro script?

Probably no...

If not, do you have any plans to use p0f v3 (or fingerprints
<https://tools.netsa.cert.org/confluence/display/tt/p0f+fingerprints>)?

p0f v3 is quite different from the earlier versions and uses information
from e.g. HTTP headers for its operating system determination. One could
probably try to re-implement something similar using Bro scripts -- there
already are scripts that track information about hosts (like software.log)
that could be used towards this end.

As far as I am aware, no one currently has plans to add p0f v3 support to
Bro.

Johanna
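
Added example, not part of the original thread or the Bro project's code: one way to check the NAT/VM question against the log the script above writes, by grouping entries per source IP and listing hosts that were fingerprinted as more than one OS genre. The sample log lines are constructed, and the `[genre=..., ...]` rendering of `ostype` is an assumption about how `fmt("%s", OS)` prints the record.

```python
import re
from collections import defaultdict

# Constructed sample in Bro's tab-separated ASCII log layout (columns from the
# osfound script). Addresses, uids and OS strings are made up; the
# "[genre=..., ...]" form of ostype is an assumption.
SAMPLE_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tsrcip\tostype\n"
    "#types\ttime\tstring\taddr\tstring\n"
    "1400000000.1\tCaaa1\t192.168.1.10\t[genre=Windows, detail=2000 SP4, dist=0, match_type=direct_inference]\n"
    "1400000007.4\tCaaa2\t192.168.1.10\t[genre=Linux, detail=2.6 (newer), dist=1, match_type=direct_inference]\n"
    "1400000009.9\tCaaa3\t192.168.1.10\t[genre=Windows, detail=2000 SP4, dist=0, match_type=direct_inference]\n"
    "1400000012.0\tCaaa4\t172.16.5.20\t[genre=FreeBSD, detail=6.x, dist=0, match_type=direct_inference]\n"
    "1400000015.3\tCaaa5\t172.16.5.21\t-\n"
)

GENRE_RE = re.compile(r"genre=([^,\]]+)")


def os_by_host(log_text):
    """Map each srcip to the set of distinct OS genres logged for it."""
    fields, hosts = [], defaultdict(set)
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]      # column names follow the tag
            continue
        if not line or line.startswith("#"):
            continue                           # other header/footer lines
        row = dict(zip(fields, line.split("\t")))
        ostype = row.get("ostype", "-")
        if ostype == "-":                      # unset &optional field
            continue
        match = GENRE_RE.search(ostype)
        # Fall back to the raw string if the rendering differs from the assumption.
        hosts[row["srcip"]].add(match.group(1) if match else ostype)
    return hosts


def ambiguous_hosts(log_text):
    """Hosts seen with more than one genre: NAT, VMs or stale signatures."""
    return {ip: sorted(g) for ip, g in os_by_host(log_text).items() if len(g) > 1}


if __name__ == "__main__":
    for ip, genres in ambiguous_hosts(SAMPLE_LOG).items():
        print(ip, ", ".join(genres))
```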