OS fingerprinting Status

Is there a way to fingerprinting operating systems in zeek?
I have done some testing using OS_version_found event

and by modify this old script:

But without much success.

I stumpled upon the (WIP) release notes from Zeek 3.1.0 and read the following:

  • Removed p0f (passive OS fingerprinting) support. The version of
    p0f shipped with zeek was ancient, probably did not give
    any reliable support anymore and did not offer a clear
    upgrade path. The OS_version_found event as well as the
    generate_OS_version_event configuration option were removed.

So I’m assuming my apprach it will be a failure.
Is there another way to get OS information? Are there some zeek scripts that offer this functionality?


Yes, the p0f method has been retired since it was unreliable and, frankly, wasn’t taking advantage of Zeek’s feature set.

There are some scripts that offer similar functionality, but which should be much more reliable, for example: