Question on p0f v3.06b
2013-10-01 by Jim Klimov
Hello all,
I know this may be a wrong place to ask, but please bear with me :)
I am trying to add p0f (passive fingerprinting) to an SMTP relay
so as to discriminate more against "PC" sources. However, I stumbled
at very slow behaviour of p0f -- it does eventually make up its mind
about the remote host's OS, but some half-a-minute to a minute after
the connection has come and gone. This makes it not very useful for
fingerprinting a remote host (unless that info survives in the cache
until the second attempt - which may be too late to set the "delay").
I am not sure if DNS plays any role in this, but it also happens
with well-known hosts ("neighbors" in LAN, etc.)
Also, this relay is in a VirtualBox VM with Solaris hosted on a
Windows server (and no, that cannot currently be redesigned).
A similar setup on ESXi, with a slightly newer Solaris release and
the same p0f/libpcap binaries, does work in "real-time"...
Did anyone encounter this? Any suggestions?
Thanks,
//Jim