On 2023/07/04 09:48, Solène Rapenne wrote:
> On Tue, 2023-07-04 at 03:39 +0000, Lee, Jonathan D wrote:
> >
> > Hello fellow software developers,
> >
> > I have noticed that p0f database files are not being updated. Many
> > new operating system fingerprints are missing within the pf.os
> > database file that your software uses. I have added a section in
> > pf.os for Docker containers see the below diff checker output. Yes
> > this is unorthodox for the diff file again it is only a blank area
> > for new OS entries and it helps bring to light that containers can
> > also be fingerprinted. The docx that is attached helps to showcase
> > the Kali penetration software running inside of a docker container.
> > The container was spun up and spun down and also deleted. I have
> > fingerprinted this docker container with the program p0f. I noticed
> > that p0f is used with pfSense and is used with access control lists
> > for source address OS see attached photos. Again for this to function
> > correctly it needs the database updated and new categories like many
> > of the mainstream containers. We can fingerprint them like other OS
> > systems.
> >
>
> It seems you are using PFSense, which is based on FreeBSD.
> You are on the OpenBSD mailing list.
>
> Even if we update our fingerprint database to add docker like you
> suggest, this won't reflect in the product you are using.
If somebody is able to send working TCP SYN signatures for the old version of p0f that's used in PF (note that the separate p0f program has changed quite a lot in the meantime and uses a different database format), that don't cause problems with false detection, they could be added. But there's no value in adding an empty placeholder section. I'm a bit unsure whether this is going to be possible though (in particular that they can be reliably identified separate to the container's base OS).
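The reply above asks for working SYN signatures in the old p0f format that pf reads from pf.os, and raises the concern that a new entry could collide with existing ones and cause false detection. The following is an added example, not code from the thread, OpenBSD or p0f: it parses entries in the documented pf.os layout (`wss:ttl:df:size:options:OS:Version:Subtype:Details`, the p0f v1 format, not the newer standalone p0f database), matches a captured SYN's features against them, and reports which existing entries a proposed entry would overlap with. The sample entries and the sample SYN are constructed for illustration; the MTU-from-MSS rule and the overlap heuristics are this example's own assumptions.

```python
"""Parse pf.os-style TCP SYN fingerprints and check a proposed entry for overlap.

Added example, not part of the thread or of any shipped pf.os file. The sample
entries below are constructed in the pf.os layout, not copied from a real database.
"""
from dataclasses import dataclass

# Constructed sample in pf.os layout: wss:ttl:df:size:options:OS:Version:Subtype:Details
SAMPLE_PF_OS = """\
# comment lines and blank lines are ignored
S4:64:1:60:M*,S,T,N,W0:ExampleLinux:2.4::constructed Linux-like entry
65535:64:1:64:M*,N,N,S,N,W0,N,N,T:ExampleBSD:1.x::constructed BSD-like entry
8192:128:1:48:M*,N,N,S:ExampleWin:XP::constructed Windows-like entry
"""


@dataclass(frozen=True)
class Signature:
    wss: str          # '*', '%n', 'Sn' (n * MSS), 'Tn' (n * MTU) or a literal size
    ttl: int
    df: int
    size: int
    options: tuple    # e.g. ('M*', 'S', 'T', 'N', 'W0'); '*' after a letter is a wildcard
    label: str        # OS:Version:Subtype:Details


def parse_pf_os(text):
    """Parse pf.os-format text into Signature objects; comments and blank lines are skipped."""
    sigs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"expected 9 colon-separated fields: {raw!r}")
        wss, ttl, df, size, opts, *label = fields
        options = tuple(o.strip() for o in opts.split(",") if o.strip())
        sigs.append(Signature(wss.strip(), int(ttl), int(df), int(size), options,
                              ":".join(p.strip() for p in label)))
    return sigs


def window_matches(spec, window, mss, mtu):
    """Evaluate a pf.os window spec against a SYN's window, MSS and MTU."""
    if spec == "*":
        return True
    if spec.startswith("%"):
        return window % int(spec[1:]) == 0
    if spec.startswith("S"):
        return mss > 0 and window == int(spec[1:]) * mss
    if spec.startswith("T"):
        return mtu > 0 and window == int(spec[1:]) * mtu
    return window == int(spec)


def options_match(spec_opts, pkt_opts):
    """Option letters must agree in order; a value matches if the spec is '*' or equal."""
    if len(spec_opts) != len(pkt_opts):
        return False
    for spec, actual in zip(spec_opts, pkt_opts):
        if spec[0] != actual[0]:
            return False
        if len(spec) > 1 and spec[1:] != "*" and spec[1:] != actual[1:]:
            return False
    return True


def packet_mss(pkt_opts):
    for o in pkt_opts:
        if o.startswith("M") and o[1:].isdigit():
            return int(o[1:])
    return 0


def classify(sigs, pkt):
    """Return every label the SYN matches; more than one means the database is ambiguous."""
    mss = packet_mss(pkt["options"])
    mtu = mss + 40 if mss else 0   # assumption: bare IPv4 + TCP header overhead
    return [s.label for s in sigs
            if window_matches(s.wss, pkt["window"], mss, mtu)
            and (s.ttl, s.df, s.size) == (pkt["ttl"], pkt["df"], pkt["size"])
            and options_match(s.options, pkt["options"])]


def _wss_overlap(a, b):
    """Heuristic: can one window value satisfy both specs? Unsure cases are flagged."""
    if a == b or "*" in (a, b):
        return True
    lit = [s for s in (a, b) if s.isdigit()]
    if len(lit) == 2:
        return False                      # two different literal sizes never coincide
    if len(lit) == 1:
        other = b if a.isdigit() else a
        if other.startswith("%"):
            return int(lit[0]) % int(other[1:]) == 0
        return True                       # Sn/Tn vs literal depends on the peer's MSS
    if a[0] == b[0] and a[0] in "ST":
        return False                      # same form, different multiplier
    return True                           # mixed forms: cannot rule out, flag for review


def collisions(sigs, candidate):
    """Labels of existing entries that could match the same SYN as the candidate."""
    return [s.label for s in sigs
            if s.label != candidate.label
            and (s.ttl, s.df, s.size) == (candidate.ttl, candidate.df, candidate.size)
            and _wss_overlap(s.wss, candidate.wss)
            and options_match(s.options, candidate.options)]


if __name__ == "__main__":
    db = parse_pf_os(SAMPLE_PF_OS)
    # Constructed SYN: window 4*MSS, TTL 64, DF set, 60-byte packet, Linux-like option order
    syn = {"window": 5840, "ttl": 64, "df": 1, "size": 60,
           "options": ["M1460", "S", "T", "N", "W0"]}
    print("matches:", classify(db, syn))
    proposed = parse_pf_os("S4:64:1:60:M*,S,T,N,W0:ExampleContainer:::constructed entry")[0]
    print("would collide with:", collisions(db, proposed))
```

Running the script shows the point of the reply: a container that inherits its host kernel's TCP stack produces the same SYN as the host, so the proposed entry overlaps the existing one and `classify` would return two labels for the same packet. A candidate entry with no reported collisions and a single-label result on real captures is the minimum check before submitting it.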