Posted to users@spamassassin.apache.org by Jonas Eckerman <jo...@frukt.org> on 2007/06/25 16:35:06 UTC
Botnet + p0f (was: Botnet Score)
Mark Martinec wrote:
> The accuracy of botnet can be greatly enhanced when it is tamed down by p0f
> results (passive operating system fingerprinting).
This is my experience as well. My Botnet scores look like this
currently:
header BOTNET eval:botnet()
score BOTNET 2.0
meta BOTNET_WINDOWS (BOTNET && __OS_WINDOWS)
score BOTNET_WINDOWS 1.0
header __OS_WINDOWS p0fIP2OS =~ /Windows/i
> The X-Amavis-OS-Fingerprint header field can be inserted by p0f+p0fanalyzer+amavisd
> (which I use), or by p0f+p0fanalyzer + p0f plugin for SA by Vincent Li
Another alternative is my stuff at:
<http://whatever.frukt.org/p0fstats.text.shtml>
The stuff there uses UDP to send p0f info from the system running
p0f (probably the firewall) to a collecting system that stores it
in a database.
It includes a perl module and a SpamAssassin plugin that can get
info from the database, as well as some graph stuff.
The SpamAssassin module is fairly new (about a year old), but the
basic send/collect/store system has been in use for years here
(though it has been modified and changed along the way).
I have no idea whether my stuff is better, worse or just different
than the stuff you mentioned above.
Regards
/Jonas
--
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
Re: Botnet + p0f (was: Botnet Score)
Posted by Vincent Li <vl...@vcn.bc.ca>.
On Mon, 25 Jun 2007, Jonas Eckerman wrote:
> Mark Martinec wrote:
>
>> The accuracy of botnet can be greatly enhanced when it is tamed down by
>> p0f
>> results (passive operating system fingerprinting).
>
> This is my experience as well. My Botnet scores look like this currently:
>
> header BOTNET eval:botnet()
> score BOTNET 2.0
> meta BOTNET_WINDOWS (BOTNET && __OS_WINDOWS)
> score BOTNET_WINDOWS 1.0
> header __OS_WINDOWS p0fIP2OS =~ /Windows/i
>
>> The X-Amavis-OS-Fingerprint header field can be inserted by
>> p0f+p0fanalyzer+amavisd
>> (which I use), or by p0f+p0fanalyzer + p0f plugin for SA by Vincent Li
>
> Another alternative is my stuff at:
> <http://whatever.frukt.org/p0fstats.text.shtml>
>
> The stuff there uses UDP to send p0f info from the system running p0f
> (probably the firewall) to a collecting system that stores it in a database.
>
> It includes a perl module and a SpamAssassin plugin that can get info from
> the database, as well as some graph stuff.
>
> The SpamAssassin module is fairly new (about a year old), but the basic
> send/collect/store system has been in use for years here (though it has been
> modified and changed along the way).
>
> I have no idea whether my stuff is better, worse or just different than the
> stuff you mentioned above.
The p0f+p0fanalyzer+p0f plugin for SA is the same idea as yours. Mark
Martinec's p0f-analyzer.pl script listens over UDP and stores fingerprint information
in memory instead of a database. My SA plugin simply extracts the first untrusted relay IP
and sends a query to p0f-analyzer.pl to collect the fingerprint information and adds a metadata
header X-P0f-OS-Fingerprint.
I have another SA plugin which sends a query to the p0f unix socket; in this
case p0f-analyzer.pl is not needed. The drawback is that SA has to run on the MX
host and the plugin has to do extra work to deal with machine endianness.
http://bl0g.blogdns.com/spamassassin/p0f.tar
p0f-ppc.pm works on the Linux PPC distribution, p0f-x86.pm works on the Linux
x86 distribution.
>
> Regards
> /Jonas
> --
> Jonas Eckerman, FSDB & Fruktträdet
> http://whatever.frukt.org/
> http://www.fsdb.org/
> http://www.frukt.org/
Vincent Li
http://bl0g.blogdns.com
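As an added illustration of the pipeline both posts describe (p0f on the firewall, fingerprints shipped over UDP to a collector that keeps an IP-to-OS map, a SpamAssassin plugin that looks up the first untrusted relay and emits X-P0f-OS-Fingerprint, and Jonas's BOTNET / BOTNET_WINDOWS meta scoring), here is a small Python model. It is not code from Jonas, Vincent or Mark, nor from p0f, p0f-analyzer.pl or SpamAssassin, and it is Python rather than a Perl SA plugin. The p0f 2.x output line format is reconstructed from memory and the sample lines and addresses are constructed; the trusted-network walk is a simplification of SpamAssassin's first-untrusted-relay logic; only the header name and the rule names and scores are taken from the thread.

```python
"""p0f -> UDP collector -> SpamAssassin-style lookup and scoring (added example)."""
import ipaddress
import re
import socket
import threading
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed p0f 2.x line format (reconstructed, not from the thread):
#   <src_ip>:<port> - <os label> -> <dst_ip>:<port> (distance N, link: ...)
P0F_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+-\s+(?P<os>.+?)\s+->\s+"
    r"\d{1,3}(?:\.\d{1,3}){3}:\d+(?:\s+\((?P<extra>[^)]*)\))?\s*$"
)

# Constructed sample output, one line per SYN p0f saw on port 25.
SAMPLE_P0F_LINES = [
    "192.0.2.10:3421 - Windows XP SP1+, 2000 SP3 (2) -> 198.51.100.25:25 "
    "(distance 12, link: ethernet/modem)",
    "203.0.113.5:51234 - Linux 2.6 (newer, 2) -> 198.51.100.25:25 "
    "(distance 9, link: ethernet/modem)",
    "192.0.2.77:2000 - UNKNOWN [S4:128:1:48:M1460,N,N,S:.:?:?] -> 198.51.100.25:25 "
    "(link: ethernet/modem)",
]


class FingerprintStore:
    """In-memory IP -> OS label map: the role p0f-analyzer.pl plays in the thread."""

    def __init__(self) -> None:
        self._os: Dict[str, str] = {}
        self._lock = threading.Lock()

    def ingest(self, line: str) -> bool:
        """Parse one p0f line; unparseable lines are dropped and reported as False."""
        m = P0F_LINE.match(line.strip())
        if not m:
            return False
        with self._lock:
            self._os[m.group("ip")] = m.group("os")  # newest observation wins
        return True

    def lookup(self, ip: str) -> Optional[str]:
        with self._lock:
            return self._os.get(ip)


def collect_udp(store: FingerprintStore, sock: socket.socket, stop: threading.Event) -> None:
    """Collector loop: each datagram carries one p0f line sent from the firewall."""
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            continue
        store.ingest(data.decode("utf-8", "replace"))


def first_untrusted_relay(received_ips: Iterable[str], trusted_nets: Iterable[str]) -> Optional[str]:
    """Walk relays from our MX outwards; the first one outside trusted_nets handed us the mail."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    for ip in received_ips:
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            return ip
    return None


def fingerprint_header(store: FingerprintStore, relay_ip: Optional[str]) -> Tuple[str, str]:
    """The metadata header the SA plugin adds (name taken from the thread)."""
    label = store.lookup(relay_ip) if relay_ip else None
    return ("X-P0f-OS-Fingerprint", label or "unknown")


SCORES = {"BOTNET": 2.0, "BOTNET_WINDOWS": 1.0}  # scores from Jonas's rules


def score(botnet_hit: bool, os_label: Optional[str]) -> Tuple[float, List[str]]:
    """Emulate __OS_WINDOWS (fingerprint =~ /Windows/i) and BOTNET_WINDOWS (BOTNET && __OS_WINDOWS)."""
    hits: List[str] = []
    if botnet_hit:
        hits.append("BOTNET")
        if os_label and re.search(r"windows", os_label, re.I):
            hits.append("BOTNET_WINDOWS")
    return sum(SCORES[h] for h in hits), hits


if __name__ == "__main__":
    # Stand-alone demo over loopback UDP: firewall side sends, collector stores, SA side queries.
    store, stop = FingerprintStore(), threading.Event()
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    t = threading.Thread(target=collect_udp, args=(store, srv, stop), daemon=True)
    t.start()
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for line in SAMPLE_P0F_LINES:
        cli.sendto(line.encode(), srv.getsockname())
    stop.wait(0.5)  # give the collector a moment to drain the datagrams
    stop.set()
    t.join()
    relay = first_untrusted_relay(["198.51.100.25", "192.0.2.10"], ["198.51.100.0/24"])
    print(fingerprint_header(store, relay), score(True, store.lookup(relay) if relay else None))
```

The store keys only on source IP, as the thread's collectors do, so a NAT gateway fronting many hosts yields one label for all of them; that is why the OS match is used to nudge an existing BOTNET hit rather than to score on its own.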