Active P0f Inside Kernel
Is this p0f or the later p0f3?
Does anybody have p0f3 fingerprint files later than those that Zalewski put in the distribution? They're 3+ years out of date at this point.
No, it's not a full implementation. The main difference between this and Zalewski's implementation is the use of a data map shared directly between kernel space and userspace. Zalewski's implementation uses pcap for capturing packets. If you have huge workloads you can try this https://gist.github.com/xpahos/4bc215aa5fe237161bc076f247643... to try multithreaded packet capture (https://github.com/the-tcpdump-group/libpcap/pull/674).
My implementation creates a hash map shared between kernel space and userspace, where the eBPF code (in kernel space, working directly from the sk_buff) stores the parsed data. After accepting a connection, the userspace application can check this hash map and get the data from kernel space. So it's possible to add extra p0f data to the request headers directly inside the load balancer/web server and pass it on to the underlying layers.
> Does anybody have p0f3 fingerprint files later than those that Zalewski put in the distribution? They're 3+ years out of date at this point.
I don't know. Another team uses fingerprinting to check whether it's a robot.
I hope someone will find this code useful in their project. This is a proof of concept; the full code can't be published.
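As an added example (not code from the linked repository or from anyone in this thread), here are the two halves of the design described above written as portable C so it compiles and runs outside the kernel: the SYN parse that the eBPF program would perform on skb data, bounds-checked against the buffer length the way the BPF verifier demands, and a small table keyed by the connection 4-tuple that stands in for the BPF hash map the userspace side reads after accept(). The sample packet is constructed, and the field selection, the `ttl=..,win=..` text form and the `X-P0f` header name are assumptions; p0f's real signature format is richer than this.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample (not a capture): Ethernet + IPv4 + TCP SYN, option layout mss,sackOK,ts,nop,wscale. */
static const uint8_t SAMPLE_SYN[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* eth, IPv4 */
    0x45,0x00, 0x00,0x3c, 0x1a,0x2b, 0x40,0x00, 0x40,0x06, 0x00,0x00,       /* DF set, ttl 64 */
    0x0a,0x00,0x00,0x02, 0x0a,0x00,0x00,0x01,                              /* 10.0.0.2 -> 10.0.0.1 */
    0x9c,0x40, 0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,         /* 40000 -> 80 */
    0xa0,0x02, 0xff,0xff, 0x00,0x00, 0x00,0x00,                             /* doff 10, SYN, win 65535 */
    0x02,0x04,0x05,0xb4, 0x04,0x02, 0x08,0x0a,0,0,0,1,0,0,0,0, 0x01, 0x03,0x03,0x07,
};

struct fp_key { uint32_t saddr, daddr; uint16_t sport, dport; }; /* map key: the 4-tuple */
struct syn_fp {
    uint8_t  ttl, df, wscale, sack_ok, ts;  /* wscale 0xff means the option was absent */
    uint16_t win, mss;
    char     olayout[48];                   /* option order, p0f3-style names */
};
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* The parse the eBPF program would do on skb data; every access is checked against
 * len, as the BPF verifier requires. Accepts only a plain SYN (SYN set, ACK clear). */
int parse_syn(const uint8_t *b, size_t len, struct fp_key *k, struct syn_fp *fp)
{
    if (len < 14 + 20 + 20 || rd16(b + 12) != 0x0800) return -1;
    const uint8_t *ip = b + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6 || 14 + ihl + 20 > len) return -1;
    const uint8_t *tcp = ip + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || 14 + ihl + doff > len || (tcp[13] & 0x12) != 0x02) return -1;

    memset(k, 0, sizeof *k); memset(fp, 0, sizeof *fp);
    memcpy(&k->saddr, ip + 12, 4); memcpy(&k->daddr, ip + 16, 4); /* kept in network order */
    k->sport = rd16(tcp); k->dport = rd16(tcp + 2);
    fp->ttl = ip[8]; fp->df = (ip[6] & 0x40) != 0;
    fp->win = rd16(tcp + 14); fp->wscale = 0xff;

    /* Walk the TCP options: record their order plus the values p0f keys on. */
    const uint8_t *o = tcp + 20, *end = tcp + doff;
    size_t n = 0;
    while (o < end) {
        uint8_t kind = o[0], olen = 1;
        const char *name = kind == 0 ? "eol" : "nop";
        if (kind > 1) {
            if ((size_t)(end - o) < 2 || (olen = o[1]) < 2 || (size_t)(end - o) < olen) return -1;
            switch (kind) {
            case 2: if (olen != 4) return -1; fp->mss = rd16(o + 2); name = "mss"; break;
            case 3: if (olen != 3) return -1; fp->wscale = o[2];     name = "ws";  break;
            case 4: fp->sack_ok = 1; name = "sok"; break;
            case 8: fp->ts = 1;      name = "ts";  break;
            default: name = "?";     break;          /* unknown kind, still part of the layout */
            }
        }
        n += (size_t)snprintf(fp->olayout + n, sizeof fp->olayout - n, "%s%s", n ? "," : "", name);
        if (n >= sizeof fp->olayout) return -1;     /* more options than we record */
        if (kind == 0) break;
        o += olen;
    }
    return 0;
}

/* Linear table standing in for the BPF hash map: written on SYN, read after accept(). */
#define FP_SLOTS 64
static struct { struct fp_key key; struct syn_fp fp; int used; } fp_map[FP_SLOTS];
static int fp_find(const struct fp_key *k, int used) /* first slot with this used flag (and key) */
{
    for (int i = 0; i < FP_SLOTS; i++)
        if (fp_map[i].used == used && (!used || !memcmp(&fp_map[i].key, k, sizeof *k))) return i;
    return -1;
}
int fp_map_put(const struct fp_key *k, const struct syn_fp *fp)
{
    int i = fp_find(k, 1);                            /* overwrite a stale entry for the tuple */
    if (i < 0 && (i = fp_find(k, 0)) < 0) return -1;  /* full: a real map needs eviction on close */
    fp_map[i].key = *k; fp_map[i].fp = *fp; fp_map[i].used = 1;
    return 0;
}
const struct syn_fp *fp_map_get(const struct fp_key *k) { int i = fp_find(k, 1); return i < 0 ? NULL : &fp_map[i].fp; }

/* Header text, loosely modelled on p0f3's signature fields (not p0f's exact format). */
int fp_format(const struct syn_fp *fp, char *out, size_t outlen)
{
    return snprintf(out, outlen, "ttl=%u,df=%u,win=%u,mss=%u,ws=%d,%s", fp->ttl, fp->df,
                    fp->win, fp->mss, fp->wscale == 0xff ? -1 : fp->wscale, fp->olayout);
}

/* End to end over the first len bytes of the sample: the "kernel side" parses into the
 * map, "userspace" looks up the peer tuple it has after accept(). NULL if not fingerprintable. */
static char demo_out[128];
const char *demo(size_t len)
{
    struct fp_key k; struct syn_fp fp;
    if (parse_syn(SAMPLE_SYN, len, &k, &fp) || fp_map_put(&k, &fp)) return NULL;
    const struct syn_fp *hit = fp_map_get(&k);
    return hit && fp_format(hit, demo_out, sizeof demo_out) > 0 ? demo_out : NULL;
}

/* Header name "X-P0f" is an assumption for the load balancer/web server step. */
int main(void) { const char *s = demo(sizeof SAMPLE_SYN); printf("X-P0f: %s\n", s ? s : "(none)"); return s ? 0 : 1; }
```

In the real design the parse runs inside the kernel on the SYN and the map is a BPF hash map; the points that carry over are that the kernel side must bounds-check every option before reading it (a truncated or malformed option list is rejected rather than partially recorded), and that the map has to be bounded and cleaned up on connection close or it becomes a memory sink under a SYN flood.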
I thought the typing was ageing out. Can this still reliably detect client platform/architecture?
We use fingerprinting to detect unusual activity from clients. I think that for platform detection it would be better to check JavaScript + User-Agent + fingerprint.