Hello, the empty section, yes, I agree, would still need to be populated. Thanks 
for adding some fresh visibility to this problem, as I noticed OpenBSD has p0f 
as well as FreeBSD; the FreeBSD one is being used as an example with pfSense.

The p0f database is starting to show its age. I am just researching a way to 
compartmentalize containers because of their ability to perform data marshaling 
over the host's NIC. Furthermore, there are many different vendors of containers, 
from BSD jails to Kubernetes and many others. My goal for the original email is 
just visibility for the need to develop software or improve the older 
fingerprinting software so that it can fingerprint and detect container 
signatures. The concrete example of Kali's bleeding-edge Docker container is 
shown for more understanding of the movement of this sector.

On Jul 4, 2023, at 1:22 AM, Stuart Henderson <s...@spacehopper.org> wrote:

On 2023/07/04 09:48, Solène Rapenne wrote:
On Tue, 2023-07-04 at 03:39 +0000, Lee, Jonathan D wrote:

Hello fellow software developers,

I have noticed that p0f database files are not being updated. Many
new operating system fingerprints are missing within the pf.os
database file that your software uses. I have added a section in
pf.os for Docker containers; see the diff checker output below. Yes,
this is unorthodox for the diff file; again, it is only a blank area
for new OS entries, and it helps bring to light that containers can
also be fingerprinted. The docx that is attached helps to showcase
the Kali penetration software running inside of a Docker container.
The container was spun up and spun down and also deleted. I have
fingerprinted this Docker container with the program p0f. I noticed
that p0f is used with pfSense and is used with access control lists
for source address OS; see attached photos. Again, for this to function
correctly it needs the database updated and new categories like many
of the mainstream containers. We can fingerprint them like other OS
systems.


It seems you are using pfSense, which is based on FreeBSD.
You are on the OpenBSD mailing list.

Even if we update our fingerprint database to add docker like you
suggest, this won't reflect in the product you are using.

If somebody is able to send working TCP SYN signatures for the old
version of p0f that's used in PF (note that the separate p0f program
has changed quite a lot in the meantime and uses a different database
format), that don't cause problems with false detection, they could be
added. But there's no value in adding an empty placeholder section.
I'm a bit unsure whether this is going to be possible though (in
particular that they can be reliably identified separate to the
container's base OS).


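To make concrete what "working TCP SYN signatures that don't cause false detection" means for the pf.os format discussed in the thread, here is an added example (not OpenBSD's pf_osfp code, nor anything from the original messages): a small parser for pf.os(5)-style lines (window:ttl:df:size:options:genre:version:subtype:details) and a matcher that reports every entry a SYN satisfies. The entries, the observed SYNs, the TTL hop allowance and the MTU approximation are all constructed assumptions; a candidate "Docker" entry that is byte-for-byte the base Linux signature shows up as an ambiguous match, which is exactly the false-detection problem Stuart raises.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Syn:
    """Fields of an observed TCP SYN that a pf.os-style matcher looks at."""
    window: int
    ttl: int
    df: int
    size: int
    options: str  # p0f-style option string, e.g. "M1460,S,T,N,W7"
    mss: int      # MSS announced in the SYN, needed for S<n>/T<n> window specs

def parse_pfos(text):
    """Parse pf.os(5) lines: window:ttl:df:size:options:genre:version:subtype:details."""
    sigs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"malformed pf.os line: {raw!r}")
        sigs.append({"window": f[0], "ttl": int(f[1]), "df": int(f[2]), "size": f[3],
                     "options": f[4], "genre": f[5], "details": f[8]})
    return sigs

def _window_ok(spec, syn):
    if spec == "*":
        return True
    if spec[0] == "S":      # window is a multiple of the MSS
        return syn.window == int(spec[1:]) * syn.mss
    if spec[0] == "T":      # multiple of the MTU; MTU taken as MSS + 40 (assumption)
        return syn.window == int(spec[1:]) * (syn.mss + 40)
    if spec[0] == "%":      # window modulo n must be zero
        return syn.window % int(spec[1:]) == 0
    return syn.window == int(spec)

def _options_ok(spec, observed):
    s, o = spec.split(","), observed.split(",")
    # M* and W* are wildcards for the MSS and window-scale values
    return len(s) == len(o) and all(
        a == b or (a in ("M*", "W*") and b[:1] == a[:1]) for a, b in zip(s, o))

def classify(syn, sigs, max_hops=32):
    """Return (genre, details) of every entry the SYN matches; more than one
    hit means the database cannot attribute this host unambiguously."""
    return [(s["genre"], s["details"]) for s in sigs
            if s["df"] == syn.df
            and 0 <= s["ttl"] - syn.ttl < max_hops   # initial TTL minus path hops (assumed allowance)
            and (s["size"] == "*" or int(s["size"]) == syn.size)
            and _window_ok(s["window"], syn)
            and _options_ok(s["options"], syn.options)]

# Constructed entries in pf.os format; not copied from the real pf.os file.
SAMPLE_PFOS = """
16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:x::OpenBSD (constructed)
S4:64:1:60:M*,S,T,N,W7:Linux:5.x::Linux 5.x (constructed)
S4:64:1:60:M*,S,T,N,W7:Linux:container::Docker on Linux (constructed candidate)
"""
```

Running `classify` over a SYN built from the Linux line returns both the base-OS entry and the candidate container entry, so that candidate would have to be rejected or differentiated before it could go into the database.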