Mark Martinec wrote:

The accuracy of Botnet can be greatly enhanced when it is tamed down by p0f
results (passive operating system fingerprinting).

This is my experience as well. My Botnet scores look like this currently:

header          BOTNET                  eval:botnet()
score           BOTNET                  2.0
meta            BOTNET_WINDOWS          (BOTNET && __OS_WINDOWS)
score           BOTNET_WINDOWS          1.0
header          __OS_WINDOWS            p0fIP2OS =~ /Windows/i

The X-Amavis-OS-Fingerprint header field can be inserted by
p0f+p0fanalyzer+amavisd (which I use), or by p0f+p0fanalyzer + the p0f
plugin for SA by Vincent Li.

Another alternative is my stuff at:
<http://whatever.frukt.org/p0fstats.text.shtml>

The stuff there uses UDP to send p0f info from the system running p0f (probably the firewall) to a collecting system that stores it in a database.

It includes a perl module and a SpamAssassin plugin that can get info from the database, as well as some graph stuff.

The SpamAssassin module is fairly new (about a year old), but the basic send/collect/store system has been in use for years here (though it has been modified and changed along the way).

I have no idea whether my stuff is better, worse or just different than the stuff you mentioned above.

Regards
/Jonas
--
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
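The send/collect/store pipeline Jonas describes (p0f output forwarded over UDP from the machine running p0f to a collector that keeps it in a database, which a SpamAssassin rule then consults) and Mark's BOTNET / BOTNET_WINDOWS scoring above can be sketched end to end in a few dozen lines. The following is an added illustration, not code from either poster, from p0fstats or from amavisd: the p0f-2-style log lines are constructed, the wire format (tab-separated fields in one datagram), the SQLite schema and the function names are all assumptions made here, and the 2.0 / 1.0 scores are taken from the rules quoted in the thread.

```python
import re
import socket
import sqlite3
import time

# Constructed sample lines in the p0f v2 output style (format assumed, not copied
# from the post). Each records a client address, its guessed OS and the hop distance.
SAMPLE_P0F_LINES = [
    "192.0.2.10:4213 - Windows XP SP1+, 2000 SP3 (distance 12, link: ethernet/modem) -> 198.51.100.5:25",
    "192.0.2.20:51032 - Linux 2.6 (newer, 3) (distance 8, link: ethernet/modem) -> 198.51.100.5:25",
    "192.0.2.30:3322 - UNKNOWN [S4:128:1:48:M1460,N,N,S:.:?:?] (distance 10, link: ethernet/modem) -> 198.51.100.5:25",
]

P0F_RE = re.compile(r"^(?P<ip>[\d.]+):\d+ - (?P<os>.+?) \(distance (?P<dist>\d+)")


def parse_p0f_line(line):
    """Extract client IP, OS guess and distance from one p0f-style line, or None."""
    m = P0F_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "os": m.group("os"), "distance": int(m.group("dist"))}


def encode_record(rec):
    """Assumed wire format: one datagram per fingerprint, tab-separated fields."""
    return f"{rec['ip']}\t{rec['os']}\t{rec['distance']}\t{time.time():.0f}".encode()


def decode_record(data):
    ip, os_name, dist, seen = data.decode(errors="replace").split("\t", 3)
    return {"ip": ip, "os": os_name, "distance": int(dist), "seen": float(seen)}


def open_store(path=":memory:"):
    """Collector-side database; the latest fingerprint per client IP wins."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS fingerprints "
               "(ip TEXT PRIMARY KEY, os TEXT, distance INTEGER, seen REAL)")
    return db


def store_record(db, rec):
    db.execute("INSERT OR REPLACE INTO fingerprints VALUES (?, ?, ?, ?)",
               (rec["ip"], rec["os"], rec["distance"], rec.get("seen", time.time())))
    db.commit()


def lookup_os(db, ip):
    """What a SpamAssassin plugin would ask the database: the OS seen for this IP."""
    row = db.execute("SELECT os FROM fingerprints WHERE ip = ?", (ip,)).fetchone()
    return row[0] if row else None


def botnet_meta_score(botnet_hit, os_name, base=2.0, windows_bonus=1.0):
    """Mirror the quoted rules: BOTNET scores 2.0, BOTNET_WINDOWS adds 1.0 when
    the fingerprint matches /Windows/i. No fingerprint means no bonus."""
    if not botnet_hit:
        return 0.0
    score = base
    if os_name and re.search(r"windows", os_name, re.I):
        score += windows_bonus
    return score


def send_over_udp(records, addr):
    """Sender side (the host running p0f): one datagram per parsed line."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for rec in records:
            s.sendto(encode_record(rec), addr)


def collect_udp(sock, db, expected):
    """Collector side: receive `expected` datagrams and store each one."""
    for _ in range(expected):
        data, _peer = sock.recvfrom(4096)
        store_record(db, decode_record(data))


def roundtrip_demo():
    """Loopback run of the whole pipeline; returns the OS stored for each sample IP."""
    records = [r for r in map(parse_p0f_line, SAMPLE_P0F_LINES) if r]
    db = open_store()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(5)
        send_over_udp(records, srv.getsockname())
        collect_udp(srv, db, len(records))
    return {r["ip"]: lookup_os(db, r["ip"]) for r in records}


if __name__ == "__main__":
    for ip, os_name in roundtrip_demo().items():
        print(ip, "->", os_name, "BOTNET score:", botnet_meta_score(True, os_name))
```

The collector keeps only the most recent fingerprint per IP, which matches how a mail-time lookup is used: the question is what the client looked like when it connected, not its history. Anything p0f could not classify is stored verbatim as `UNKNOWN ...`, so the Windows bonus is only applied on a positive match and an absent or unknown fingerprint leaves the plain BOTNET score untouched.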
