Updated p0f Fingerprints

Just thought I'd pass on this extremely useful info: If you're interested in using the passive OS fingerprinting capability of Bro (via the OS_version_found event, for example), then you'll need a version of the fingerprint file far more up-to-date than the one shipped with Bro. As it turns out, the awesome people at Carnegie Mellon have updated it (so it can be used with their yaf tool):

https://tools.netsa.cert.org/confluence/display/tt/p0f+fingerprints

I've tested the updated p0f.fp file with Bro and it works like a champ.

Scott,

I'm not sure what the history is behind the p0f incorporation in bro, but it might be worth looking into updating to p0f 3.x as the inspection level is much more interesting (allowing one to inspect not just the layer 4 info, but all the way up through the application stack). I'd imagine that change could be straightforward, but I didn't look into it.

The last update to dsniff/p0f2.py I made brought in the last 2006 signatures (v 2.0.8, with a couple more updates beyond that), but I never bothered implementing p0f3. The signature format changed dramatically due to the complete rewrite, so they aren't backwards compatible. There are some other older experimental signatures that sit in the dsniff repo as well.
https://code.google.com/p/dsniff/source/browse/trunk/#trunk%2Fshare

I'm not sure what CMU used to update their signatures for p0f2, but they would still have less power in identification than using p0f3. If p0f3 interests you, there have been some public forks that added a bit more:
https://github.com/p0f/p0f/network

Other things that might interest you using p0f3 include patches like this:
https://idea.popcount.org/2012-06-17-ssl-fingerprinting-for-p0f/

Again, depends on what you are doing though.

Tim