p0f v3 signature definitions

Quick question about OS fingerprinting:

Will the OS fingerprinting code in Bro be updated to use the new fingerprint definitions given in the latest version of p0f (3.06b)?


It depends on what you mean by that. :)

I tend to upgrade the signatures when there are new releases, but we only support the original SYN packet mechanism (and not the newer SYN/ACK mechanism), so not all of the signatures will do anything directly. We do certainly accept patches if you feel up for updating the p0f code!


I tried dropping the v3 sigs into Bro's existing p0f mechanism, and it was *really* unhappy - I believe it would just quickly segfault. I even tried only importing the SYN-only sigs. I don't think the new format is backwards compatible with the old format, and it would need some work to support.