Hi,
Yes, the p0f method has been retired since it was unreliable and, frankly,
wasn't taking advantage of Zeek's feature set.
There are some scripts that offer similar functionality, but which should
be much more reliable, for example:
https://github.com/zeek/zeek/blob/master/scripts/policy/frameworks/software…
https://github.com/fatemabw/bro-scripts/blob/master/iPhone-detection.bro
https://github.com/fatemabw/bro-scripts/blob/master/Mac-version-detection.b…
--Vlad
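As an added illustration of the approach Vlad is pointing at (this is example code written for this thread, not a script from Zeek's distribution, from the repositories linked above, or from either poster), the following Zeek script replaces p0f's TCP/IP-stack fingerprinting with an application-layer hint: it reads the HTTP User-Agent header and records an OS guess through the Software framework so it shows up in software.log alongside the browser entries that base/protocols/http already produces. The module name OSGuess, the Software::Type value OS_GUESS and the ua_os_markers table are all hypothetical names chosen for the example, and the marker list is a deliberately short, constructed sample rather than an authoritative mapping.

```zeek
# Added example for this thread (not part of Zeek or of the scripts linked above):
# infer a client OS from the HTTP User-Agent and log it via the Software framework.

@load base/frameworks/software
@load base/protocols/http

module OSGuess;

export {
	redef enum Software::Type += {
		## Hypothetical software type for an OS guessed from HTTP headers.
		OS_GUESS,
	};

	## Hypothetical, constructed mapping of User-Agent substrings to OS names.
	## Extend it with &redef. User-Agent is trivially spoofed, so treat the
	## result as a hint about the client, not a verdict.
	const ua_os_markers: table[string] of string = {
		["Windows NT 10.0"] = "Windows 10",
		["Windows NT 6.1"]  = "Windows 7",
		["Mac OS X"]        = "macOS",
		["iPhone OS"]       = "iOS",
		["Android"]         = "Android",
		["X11; Linux"]      = "Linux",
	} &redef;
}

event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	# The client's User-Agent is in the originator's request headers;
	# Zeek delivers header names in upper case.
	if ( ! is_orig || name != "USER-AGENT" )
		return;

	for ( marker in ua_os_markers )
		{
		if ( marker !in value )
			next;

		local os_name = ua_os_markers[marker];

		# Supplying a (field-less) Version stops Software::found() from
		# parsing unparsed_version itself and overwriting the name we chose.
		local ver: Software::Version;

		local info = Software::Info($name=os_name,
		                            $version=ver,
		                            $host=c$id$orig_h,
		                            $host_p=c$id$orig_p,
		                            $software_type=OS_GUESS,
		                            $unparsed_version=value);

		# Software::found() de-duplicates per host and writes software.log;
		# it only records hosts matching Software::asset_tracking
		# (LOCAL_HOSTS by default) unless $force_log=T is set.
		Software::found(c$id, info);
		break;
		}
	}
```

To try it offline, run `zeek -r some-capture.pcap osguess.zeek` and look at software.log for rows whose software_type is OSGuess::OS_GUESS. If the clients in the capture are not in Site::local_nets, either redef Software::asset_tracking to ALL_HOSTS or set $force_log=T in the Software::Info record, otherwise Software::found() silently drops the entry.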
On Tue, Aug 27, 2019 at 8:35 AM Federico Foschini <undicizeri(a)gmail.com>
wrote:
Hello,
Is there a way to fingerprint operating systems in Zeek?
I have done some testing using *OS_version_found* event
https://docs.zeek.org/en/stable/scripts/base/bif/event.bif.bro.html#id-OS_v…
and by modifying this old script:
https://github.com/ewust/telex/blob/master/telex-station/station/bro-1.5.1/…
But without much success.
I stumbled upon the (WIP) release notes from Zeek 3.1.0 and read the
following:
- Removed p0f (passive OS fingerprinting) support. The version of
p0f shipped with zeek was ancient, probably did not give
any reliable support anymore and did not offer a clear
upgrade path. The ``OS_version_found`` event as well as the
``generate_OS_version_event`` configuration option were removed.
So I'm assuming my approach will be a failure.
Is there another way to get OS information? Are there some zeek scripts
that offer this functionality?
--
Federico Foschini.
_______________________________________________
Zeek mailing list
zeek(a)zeek.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek