[Discussion] OS Fingerprinting

Matt Jonkman jonkman at jonkmans.com
Fri Dec 19 20:22:59 UTC 2008


I use it with spamassassin and it *seems* to make a big difference
there. I haven't pulled exact stats, but the idea that mail from a
Windows box is more likely to be spam is surely valid.

Have to look into how far it does ID Windows versions. Even if we can
just get server OS vs workstation OS that'd be pretty interesting I think.

Anyone used it much lately?

matt

Michael Scheidell wrote:
> 
> 
> Matt Jonkman wrote:
>> Decula in IRC had two great ideas. One was to use something like p0f to
>> do live OS fingerprinting.
>>
>> That could be very useful for eliminating false positives and
>> identifying unusual behavior (i.e. a Windows box running a telnet server, etc.)
>>
>> Adding this to the wiki, anyone have thoughts to add to that?
>>
>> Matt
>>   
> p0f can't tell the difference between a Windows XP workstation and
> Windows 2000 Server (last I remember).
> I had used it for 'zombie' detection in our anti-spam system, but the
> incremental assistance wasn't worth the cpu (it took a little cpu.)
> 
> 
> -- 
> Michael Scheidell, CTO
> Phone: 561-999-5000, x 1259
> SECNAP Network Security Corporation
> 
>     * Certified SNORT Integrator
>     * King of Spam Filters, SC Magazine 2008
>     * Information Security Award 2008, Info Security Products Guide
>     * CRN Magazine Top 40 Emerging Security Vendors
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
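The thread talks about two things: passive SYN fingerprinting in the style of p0f, and using the OS class it yields to flag behaviour that does not fit (a Windows box answering on telnet, a Windows box delivering SMTP directly). The block below is an added example, not code from the thread, from p0f or from Emerging Threats. It implements a toy SYN-mode matcher (initial-TTL inference, window-size rules, option order) and a two-pass correlation over constructed flows. The signature values, hosts, ports and policy tables are all constructed for illustration and are not p0f's signature database.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example (not from the thread): a toy passive fingerprinter in the spirit
# of p0f's SYN mode, plus "OS class vs. observed behaviour" rules.
# All signatures, hosts and flows below are constructed for illustration.

@dataclass(frozen=True)
class SynFeatures:
    ttl: int                     # IP TTL as seen on the wire
    window: int                  # TCP window size
    df: bool                     # IP don't-fragment bit
    options: Tuple[str, ...]     # TCP option kinds in on-the-wire order
    mss: Optional[int] = None    # MSS option value, if present

@dataclass(frozen=True)
class Signature:
    label: str
    os_class: str                # coarse class the anomaly rules key on
    initial_ttl: int             # the stack's initial TTL (64, 128, ...)
    window: str                  # "const:N", "mss*N" or "*"
    df: bool
    options: Tuple[str, ...]

# Constructed, approximate signatures; NOT p0f's signature database.
SIGNATURES = [
    Signature("Windows NT-family", "windows", 128, "mss*44", True,
              ("mss", "nop", "nop", "sok")),
    Signature("Windows NT-family (window scaling)", "windows", 128, "const:65535", True,
              ("mss", "nop", "ws", "nop", "nop", "sok")),
    Signature("Linux 2.6-family", "linux", 64, "mss*4", True,
              ("mss", "sok", "ts", "nop", "ws")),
]

MAX_HOPS = 30   # reject a TTL match that would imply an implausible path length

def infer_initial_ttl(ttl: int) -> int:
    """Round the observed TTL up to the nearest common initial value."""
    for candidate in (32, 64, 128, 255):
        if ttl <= candidate:
            return candidate
    return 255

def window_matches(rule: str, f: SynFeatures) -> bool:
    if rule == "*":
        return True
    if rule.startswith("const:"):
        return f.window == int(rule[len("const:"):])
    if rule.startswith("mss*"):
        return f.mss is not None and f.window == f.mss * int(rule[len("mss*"):])
    raise ValueError(f"unknown window rule {rule!r}")

def fingerprint(f: SynFeatures) -> Optional[Signature]:
    """Return the first signature whose every field agrees with the SYN, else None."""
    init_ttl = infer_initial_ttl(f.ttl)
    if init_ttl - f.ttl > MAX_HOPS:
        return None
    for sig in SIGNATURES:
        if (sig.initial_ttl == init_ttl and sig.df == f.df
                and sig.options == f.options and window_matches(sig.window, f)):
            return sig
    return None

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str              # "S" = bare SYN from a client, "SA" = SYN-ACK from a listener
    features: SynFeatures

# Constructed policy: listeners an OS class is not expected to run, and
# client behaviour that should raise a score rather than block outright.
UNEXPECTED_LISTENERS = {"windows": {23: "telnet server"}}
SUSPICIOUS_CLIENTS = {"windows": {25: "direct SMTP delivery (spam score +)"}}

def analyze(flows: List[Flow]) -> Tuple[Dict[str, str], List[str]]:
    """Fingerprint each host from its bare SYNs, then apply the per-class rules."""
    os_by_host: Dict[str, str] = {}
    for fl in flows:                              # pass 1: fingerprint clients only
        if fl.flags == "S":
            sig = fingerprint(fl.features)
            if sig is not None:
                os_by_host[fl.src] = sig.os_class
    alerts: List[str] = []
    for fl in flows:                              # pass 2: behaviour vs. OS class
        cls = os_by_host.get(fl.src)
        if cls is None:
            continue
        if fl.flags == "SA" and fl.sport in UNEXPECTED_LISTENERS.get(cls, {}):
            alerts.append(f"{fl.src} ({cls}) accepts tcp/{fl.sport}: "
                          f"{UNEXPECTED_LISTENERS[cls][fl.sport]}")
        if fl.flags == "S" and fl.dport in SUSPICIOUS_CLIENTS.get(cls, {}):
            alerts.append(f"{fl.src} ({cls}) -> {fl.dst}:{fl.dport}: "
                          f"{SUSPICIOUS_CLIENTS[cls][fl.dport]}")
    return os_by_host, alerts

# Constructed sample traffic: a Windows box mailing out directly and answering telnet.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 1040, "203.0.113.9", 25, "S",
         SynFeatures(ttl=127, window=64240, df=True, options=("mss", "nop", "nop", "sok"), mss=1460)),
    Flow("198.51.100.7", 51234, "10.0.0.5", 23, "S",
         SynFeatures(ttl=59, window=5840, df=True, options=("mss", "sok", "ts", "nop", "ws"), mss=1460)),
    Flow("10.0.0.5", 23, "198.51.100.7", 51234, "SA",
         SynFeatures(ttl=128, window=64240, df=True, options=("mss", "nop", "nop", "sok"), mss=1460)),
]

if __name__ == "__main__":
    hosts, found = analyze(SAMPLE_FLOWS)
    print(hosts)
    for a in found:
        print(a)
```

Two design points worth noting. Only bare SYNs are fingerprinted, as in p0f's default mode; the SYN-ACK is used purely to learn which ports the host is answering on, since SYN-ACK fingerprints need their own signature set. The correlation is two-pass so the verdict does not depend on whether the fingerprintable SYN happened to arrive before the suspicious packet, which is the usual source of false negatives when this is done inline.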