On Tue, Dec 18, 2007 at 04:47:52PM +0100, Mark Martinec wrote:
> Ken,
> > I've also implemented Passive OS Fingerprinting using the instructions
> > written by Mark and have been pleased with P0Fs contributions.
> > It seems to me that P0F would be more valuable if it could discern
> > between a desktop OS and a server.  On my system anyway, P0F appears to
> > lump Windows 2000, Windows XP and Windows Server 2003 all together.  Is
> > it possible for P0F to distinguish between Windows XP and Windows Server
> > 2003 IP stacks?  That would be very helpful.

  My understanding is that the TCP stacks in these two releases are
functionally pretty much identical - there's enough similar or shared
code in these two OS releases that there just isn't any packet
formatting difference for p0f to go on.

> > ... I don't have a clue what all of the numbers following "UNKNOWN" mean.
> 
> This will need to be directed to the author/maintainer of p0f.
> Amavisd is just a messenger here, copying whatever comes out of p0f.
> 
> > Also, I noticed SPAM slipping by originating from The Bat! and that P0F
> > did not recognize the IP stack signature.  I don't know much about The
> > Bat! except that it is frequently used to send mass e-mailings.  What OS
> > does The Bat! run under?  Does it include its own IP stack?  If a P0F
> > signature can be developed for The Bat!, I would think that would be
> > helpful too.
> 
> Don't know. Perhaps somebody else can answer.

  My understanding is that a lot of spamware forges MUA signatures for
The Bat!  (I don't know why that MUA in particular.) I'm told that if
you look closely into the formatting of certain message headers, it
generally becomes apparent that they could not actually be coming from
that MUA.  (That could be the basis for some SA rules in itself, but I
don't know enough to put them together.)

  The UNKNOWN signatures *may* indicate that the connections are coming
through NATted router connections, firewalls, etc. which change the
signature of the packets around enough so that p0f can't recognize the
OS.

  -- Clifton

-- 
    Clifton Royston  --  [EMAIL PROTECTED] / [EMAIL PROTECTED]
       President  - I and I Computing * http://www.iandicomputing.com/
 Custom programming, network design, systems and network consulting services
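The two points above (XP and 2003 sharing one p0f signature, and NAT or firewall rewriting turning a known stack into UNKNOWN) can be seen in a toy matcher. This is an added example, not p0f's own code or the amavisd integration: it implements a simplified version of the p0f v2 `p0f.fp` signature format (`window:ttl:df:size:options:quirks:os:details`), the two signature lines, the sample SYN packets and the hop-distance cutoff are constructed for illustration, and the `UNKNOWN [...]` rendering in field order is this example's assumption about how such a line is printed, not a verified copy of p0f's output.

```python
"""Toy p0f-v2-style SYN fingerprint matcher (added example, not p0f's code).

Signature line layout modelled on p0f v2 p0f.fp:
  wwww:ttt:D:ss:OOO...:QQ:OS:Details
  wwww  window: exact int, S<n> (n * MSS), T<n> (n * MTU), %<n>, or *
  ttt   initial TTL set by the sender's stack
  D     don't-fragment bit (0/1)
  ss    total SYN size in bytes (IP + TCP headers + options)
  OOO   TCP options in order: M<mss>|M*, W<scale>|W*, S, T, N, E
  QQ    quirks ('.' = none)
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed signatures in p0f v2 layout; not copied from the real database.
SIGNATURES = [
    "65535:128:1:48:M*,N,N,S:.:Windows:2000/XP/2003",
    "S4:64:1:60:M*,S,T,N,W7:.:Linux:2.6",
]


@dataclass
class Syn:
    window: int
    ttl: int          # TTL as observed on the wire, after hop decrements
    df: int
    size: int
    options: List[Tuple[str, Optional[int]]]  # e.g. [("M", 1460), ("N", None)]
    quirks: str = "."

    @property
    def mss(self) -> Optional[int]:
        for name, val in self.options:
            if name == "M":
                return val
        return None


def parse_signature(line: str) -> dict:
    win, ttl, df, size, opts, quirks, os_name, details = line.split(":", 7)
    return dict(win=win, ttl=int(ttl), df=int(df), size=int(size),
                opts=opts.split(",") if opts else [], quirks=quirks,
                os=os_name, details=details)


def window_matches(spec: str, syn: Syn) -> bool:
    # S<n>/T<n> tie the window to the MSS the SYN itself advertises, which
    # is exactly what an MSS-clamping NAT or firewall breaks.
    if spec == "*":
        return True
    if spec.startswith("S"):
        return syn.mss is not None and syn.window == int(spec[1:]) * syn.mss
    if spec.startswith("T"):
        return syn.mss is not None and syn.window == int(spec[1:]) * (syn.mss + 40)
    if spec.startswith("%"):
        return syn.window % int(spec[1:]) == 0
    return syn.window == int(spec)


def ttl_matches(sig_ttl: int, observed_ttl: int) -> bool:
    # Observed TTL must be at or below the stack's initial TTL and within a
    # plausible hop distance; 32 hops is this example's cutoff (assumption).
    return 0 <= sig_ttl - observed_ttl < 32


def options_match(spec_opts: List[str], syn: Syn) -> bool:
    if len(spec_opts) != len(syn.options):
        return False
    for spec, (name, val) in zip(spec_opts, syn.options):
        if spec[0] != name:
            return False
        if len(spec) > 1 and spec[1:] != "*" and int(spec[1:]) != val:
            return False
    return True


def fingerprint(syn: Syn) -> str:
    """Render the observed SYN in signature field order (this rendering is
    the example's own assumption about the UNKNOWN [...] output)."""
    opts = ",".join(n if v is None else f"{n}{v}" for n, v in syn.options)
    return f"{syn.window}:{syn.ttl}:{syn.df}:{syn.size}:{opts}:{syn.quirks}"


def identify(syn: Syn, signatures=SIGNATURES) -> str:
    for line in signatures:
        sig = parse_signature(line)
        if (window_matches(sig["win"], syn) and ttl_matches(sig["ttl"], syn.ttl)
                and sig["df"] == syn.df and sig["size"] == syn.size
                and options_match(sig["opts"], syn) and sig["quirks"] == syn.quirks):
            return f"{sig['os']} {sig['details']}"
    return f"UNKNOWN [{fingerprint(syn)}:?:?]"


def clamp_mss(syn: Syn, new_mss: int) -> Syn:
    """Simulate a NAT/firewall that rewrites the MSS option but leaves the
    window untouched (a common middlebox behaviour)."""
    opts = [("M", new_mss) if n == "M" else (n, v) for n, v in syn.options]
    return replace(syn, options=opts)


# Constructed sample SYNs, a few hops away from the sender.
WINDOWS_SYN = Syn(65535, 115, 1, 48, [("M", 1460), ("N", None), ("N", None), ("S", None)])
LINUX_SYN = Syn(5840, 52, 1, 60, [("M", 1460), ("S", None), ("T", None), ("N", None), ("W", 7)])

if __name__ == "__main__":
    print(identify(WINDOWS_SYN))                 # XP and 2003 share one signature
    print(identify(LINUX_SYN))                   # window == 4 * MSS, matches S4
    print(identify(clamp_mss(LINUX_SYN, 1380)))  # window no longer 4 * MSS -> UNKNOWN
```

The third call shows the failure mode from the message: the stack behind the middlebox is unchanged, but the rewritten MSS breaks the `S4` window relation, so the best the matcher can do is dump the raw field values after `UNKNOWN`, which is what those numbers are.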

_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
