
Active P0f Inside Kernel - vasilia
https://github.com/xpahos/p0f_ebpf
======
bediger4000
Is this p0f or the later p0f3?

Does anybody have any p0f3 fingerprint files later than those that Zalewski put
in the distribution? They're 3+ years out of date at this point.

~~~
vasilia
No, it's not a full implementation. The main difference between this and
Zalewski's implementation is using direct mapping of data between kernel space and
userspace. Zalewski's implementation uses pcap for capturing packets. If you
have huge workloads you can try this
[https://gist.github.com/xpahos/4bc215aa5fe237161bc076f24764304f](https://gist.github.com/xpahos/4bc215aa5fe237161bc076f24764304f)
to try multithreaded packet capturing
([https://github.com/the-tcpdump-group/libpcap/pull/674](https://github.com/the-tcpdump-group/libpcap/pull/674)).

My implementation creates a hash map between kernel space and userspace where
the eBPF code (in kernel space, directly from sk_buff) stores parsed data in this map.
After accepting a connection, the userspace application can check this hash
map and get the data from kernel space into userspace. So it's possible to add p0f
extra data to request headers directly inside the load balancer/web server and
pass it to the underlying levels.

> Does anybody have any p0f3 fingerprint files later than those that Zalewski
> put in the distribution? They're 3+ years out of date at this point.

I don't know. Another team uses fingerprinting to check if it's a robot.
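
The pipeline vasilia describes above, modelled in userspace C as an added example (this is not code from p0f_ebpf or from the commenter). `parse_syn()` does the job of the eBPF program on each SYN taken from the sk_buff, extracting the p0f-style fields with every read bounds-checked, which is also what the eBPF verifier would insist on; `map_store()` and `map_lookup()` stand in for the kernel-to-userspace hash map (in a real deployment that is a BPF map written from the eBPF program with a bpf helper and read from userspace, not this toy open-addressing table); the lookup keyed on the peer address and port is what the web server does right after `accept()`, and `build_sig_header()` shows the data being turned into a request header. The header name, the `ttl:win:mss:ws:olayout` layout, all function names and the packet bytes are this example's own constructions, not anything from the project.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields a p0f-style TCP SYN signature is built from: initial TTL, window
   size, MSS, window scale and the order of TCP options ("olayout" in p0f). */
struct syn_sig {
    uint8_t  ttl;
    uint16_t window;
    uint16_t mss;
    uint8_t  wscale;
    char     olayout[64];
    int      valid;
};

/* Map key: client IPv4 address and source port, the same tuple accept()
   hands to userspace, so the web server can find what the kernel stored. */
struct flow_key { uint32_t saddr; uint16_t sport; };
struct map_entry { struct flow_key key; struct syn_sig sig; };

#define MAP_SIZE 256
static struct map_entry flow_map[MAP_SIZE];   /* toy stand-in for a BPF map */

static unsigned map_slot(struct flow_key k) {
    return (k.saddr * 2654435761u ^ ((uint32_t)k.sport << 7)) % MAP_SIZE;
}

static void add_opt(struct syn_sig *s, const char *name) {
    size_t room = sizeof s->olayout - strlen(s->olayout) - 1;
    if (s->olayout[0] && room > 0) { strncat(s->olayout, ",", room); room--; }
    strncat(s->olayout, name, room);
}

/* Parse an IPv4/TCP SYN from raw packet bytes; returns 0 on success, -1 if the
   packet is not a well-formed SYN. Every read is bounds-checked first. */
int parse_syn(const uint8_t *pkt, size_t len,
              struct flow_key *key, struct syn_sig *sig)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20 || pkt[9] != 6) return -1;  /* not TCP */
    const uint8_t *tcp = pkt + ihl;
    size_t doff = (tcp[12] >> 4) * 4;
    if (doff < 20 || len < ihl + doff) return -1;
    if ((tcp[13] & 0x12) != 0x02) return -1;  /* want SYN set, ACK clear */

    memset(sig, 0, sizeof *sig);
    key->saddr = (uint32_t)pkt[12] << 24 | (uint32_t)pkt[13] << 16 |
                 (uint32_t)pkt[14] << 8 | pkt[15];
    key->sport = (uint16_t)(tcp[0] << 8 | tcp[1]);
    sig->ttl = pkt[8];
    sig->window = (uint16_t)(tcp[14] << 8 | tcp[15]);

    /* Walk the TCP options, recording their order and the values p0f uses. */
    const uint8_t *opt = tcp + 20, *end = tcp + doff;
    while (opt < end) {
        uint8_t kind = *opt;
        if (kind == 0) { add_opt(sig, "eol"); break; }
        if (kind == 1) { add_opt(sig, "nop"); opt++; continue; }
        if (opt + 1 >= end) return -1;                 /* length byte missing */
        uint8_t olen = opt[1];
        if (olen < 2 || opt + olen > end) return -1;  /* malformed option */
        switch (kind) {
        case 2: if (olen == 4) sig->mss = (uint16_t)(opt[2] << 8 | opt[3]);
                add_opt(sig, "mss"); break;
        case 3: if (olen == 3) sig->wscale = opt[2];
                add_opt(sig, "ws"); break;
        case 4: add_opt(sig, "sok"); break;
        case 8: add_opt(sig, "ts"); break;
        default: add_opt(sig, "?"); break;
        }
        opt += olen;
    }
    sig->valid = 1;
    return 0;
}

/* Linear probe; with create set, claims the first free slot for the key.
   This toy map never deletes, so an empty slot ends an unsuccessful probe. */
static struct map_entry *map_find(struct flow_key k, int create) {
    unsigned i = map_slot(k);
    for (unsigned n = 0; n < MAP_SIZE; n++, i = (i + 1) % MAP_SIZE) {
        struct map_entry *e = &flow_map[i];
        if (!e->sig.valid) return create ? e : NULL;
        if (e->key.saddr == k.saddr && e->key.sport == k.sport) return e;
    }
    return NULL;
}

/* Kernel-side role: store the parsed SYN under its flow key. */
void map_store(struct flow_key k, const struct syn_sig *s) {
    struct map_entry *e = map_find(k, 1);
    if (e) { e->key = k; e->sig = *s; }
}

/* Userspace role: after accept(), fetch the peer's SYN signature. */
const struct syn_sig *map_lookup(uint32_t saddr, uint16_t sport) {
    struct map_entry *e = map_find((struct flow_key){ saddr, sport }, 0);
    return e ? &e->sig : NULL;
}

/* Render the signature as a request header; the header name and the
   "ttl:win:mss:ws:olayout" layout are this example's own choice. */
int build_sig_header(const struct syn_sig *s, char *out, size_t n) {
    return snprintf(out, n, "X-TCP-Fingerprint: %u:%u:%u:%u:%s",
                    s->ttl, s->window, s->mss, s->wscale, s->olayout);
}

/* Constructed sample: IPv4 192.168.1.10:50000 -> 10.0.0.1:80, TTL 64, SYN,
   window 65535, options mss 1460, sackOK, timestamps, nop, wscale 7. */
const uint8_t sample_syn[] = {
    0x45,0x00,0x00,0x3c, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0x0a,0x00,0x00,0x01,
    0xc3,0x50,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0xa0,0x02,0xff,0xff, 0x00,0x00,0x00,0x00,
    0x02,0x04,0x05,0xb4, 0x04,0x02, 0x08,0x0a,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,
    0x01, 0x03,0x03,0x07
};
const size_t sample_syn_len = sizeof sample_syn;

int main(void) {
    struct flow_key k; struct syn_sig s; char hdr[128];
    if (parse_syn(sample_syn, sample_syn_len, &k, &s) != 0) return 1;
    map_store(k, &s);                                    /* eBPF side, per SYN */
    const struct syn_sig *f = map_lookup(0xc0a8010aU, 50000); /* after accept() */
    if (f) { build_sig_header(f, hdr, sizeof hdr); puts(hdr); }
    return f ? 0 : 1;
}
```

Run as-is it prints `X-TCP-Fingerprint: 64:65535:1460:7:mss,sok,ts,nop,ws` for the constructed SYN. The point worth keeping from vasilia's design is the key: because the map is keyed on the same (address, port) pair that `accept()` returns, the userspace lookup costs one hash probe per connection and no packet copy, which is what makes it cheaper than running pcap beside the server.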

------
vasilia
Hope someone will find this code useful in his project. This is a
proof-of-concept; the full code can't be published.

------
ggm
I thought the typing was ageing out. Can this still reliably detect client
platform/architecture?

~~~
vasilia
We use fingerprinting to detect unusual activity from clients. I think for
platform detection it will be better to check JavaScript + User-agent +
fingerprint.

