[Discussion] OS Fingerprinting

Victor Julien lists at inliniac.net
Mon Dec 22 13:02:59 UTC 2008


Jack Pepper wrote:
> Quoting Matt Jonkman <jonkman at jonkmans.com>:
> 
>> I use it with spamassassin and it *seems* to make a big difference
>> there. I haven't pulled exact stats, but the idea that mail from a
>> windows box is more likely to be spam is surely valid.
>>
>> Have to look into how far it does ID windows versions. Even if we can
>> just get server os vs workstation os that'd be pretty interesting I think.
>>
>> Anyone used it much lately?
> 
> I still use it at the "Genre" level and it works predictably.  I  
> categorize things into "Windows", "Linux", "Unix" (aix+sun), "BSD",  
> and "MAC" and it seems to work well enough ( ~ 80% ? ) to feed data  
> into my "poor-man's RNA".
> 
> I don't think the fine grained accuracy is reliable for service-patch  
> level detection, but p0f works ok at the genre level.  I did rewrite  
> the socket listener and caching part of it, but the fingerprinting  
> part works well enough as-is.

I wonder if it's useful to look at stuff like User-Agent headers and
HTTP server signatures as well to determine the OS. It's easy to spoof
of course, but p0f isn't perfect either.

Could be interesting for cases where p0f and other methods give
different results. Shouldn't happen all that often in normal traffic.

(although I have one example in my own daily usage, the Webmail plugin
for Mozilla Thunderbird that I use to read hotmail uses a Mac OS X
user-agent on my Ubuntu box)

Cheers,
Victor
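The cross-check Victor suggests, as an added example rather than anything from this thread or from p0f itself: reduce both the p0f guess and the OS implied by an HTTP User-Agent or Server header to the same coarse genres Jack uses ("Windows", "Linux", "Unix", "BSD", "MAC") and flag hosts where the two disagree. The p0f log lines and HTTP headers below are constructed; the p0f lines only approximate the layout of p0f 2.x output, and the header-to-genre patterns and genre table are this example's own assumptions, not p0f's fingerprint database.

```python
"""Cross-check passive TCP/IP OS fingerprints against the OS implied by HTTP
headers, at genre level. Example code written for this page, not from p0f."""
import re

# p0f's guess starts with the OS name; map that first word to a coarse genre.
# Assumed table, extend as needed (unlisted names and "UNKNOWN" yield None).
P0F_GENRE = {
    "windows": "Windows",
    "linux": "Linux",
    "freebsd": "BSD", "openbsd": "BSD", "netbsd": "BSD",
    "solaris": "Unix", "sunos": "Unix", "aix": "Unix", "hp-ux": "Unix",
    "mac": "MAC", "macos": "MAC",
}

# Substrings in User-Agent or Server headers, checked in order, first hit wins.
HTTP_GENRE = [
    (re.compile(r"Windows|Win32|Win64|Microsoft-IIS", re.I), "Windows"),
    (re.compile(r"Macintosh|Mac OS X|Darwin", re.I), "MAC"),
    (re.compile(r"FreeBSD|OpenBSD|NetBSD", re.I), "BSD"),
    (re.compile(r"SunOS|Solaris|AIX|HP-UX", re.I), "Unix"),
    (re.compile(r"Linux|Ubuntu|Debian|Red Hat|CentOS", re.I), "Linux"),
]

# "<ip>:<port> - <guess> -> <dst>" (assumed approximation of p0f 2.x lines).
P0F_LINE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+-\s+(?P<guess>.+?)\s+->")


def p0f_genre(line):
    """Return (ip, genre) for one p0f-style log line, genre None when p0f
    printed UNKNOWN or the OS name is not in our table; None if unparsable."""
    m = P0F_LINE.match(line)
    if not m:
        return None
    first_word = m.group("guess").split()[0].lower()
    return m.group("ip"), P0F_GENRE.get(first_word)


def http_genre(header_value):
    """Genre implied by a User-Agent or Server header value, or None."""
    for pattern, genre in HTTP_GENRE:
        if pattern.search(header_value):
            return genre
    return None


def cross_check(p0f_lines, http_headers):
    """http_headers: {ip: header value}. Returns {ip: (tcp, http, verdict)}
    where verdict is agree / conflict / tcp-only / http-only / unknown."""
    tcp = {}
    for line in p0f_lines:
        parsed = p0f_genre(line)
        if parsed:
            tcp[parsed[0]] = parsed[1]
    results = {}
    for ip in sorted(set(tcp) | set(http_headers)):
        t = tcp.get(ip)
        h = http_genre(http_headers[ip]) if ip in http_headers else None
        if t and h:
            verdict = "agree" if t == h else "conflict"
        elif t:
            verdict = "tcp-only"
        elif h:
            verdict = "http-only"
        else:
            verdict = "unknown"
        results[ip] = (t, h, verdict)
    return results


# Constructed sample data. 192.168.1.10 is the Thunderbird-webmail situation
# from the message: Linux TCP stack, Mac OS X User-Agent.
SAMPLE_P0F = [
    "192.168.1.10:33412 - Linux 2.6 (newer, 3) (up: 2 hrs) -> 10.0.0.1:80 (distance 0, link: ethernet/modem)",
    "192.168.1.11:1034 - Windows XP SP1+, 2000 SP3 (2) (up: 5 hrs) -> 10.0.0.1:80 (distance 1, link: ethernet/modem)",
    "192.168.1.12:54321 - FreeBSD 6.x (1) (up: 30 days) -> 10.0.0.1:80 (distance 3, link: ethernet/modem)",
    "192.168.1.13:2200 - UNKNOWN [S4:128:1:48:M1460,N,N,S:.:?:?] (up: 1 hrs) -> 10.0.0.1:80 (distance 2, link: ethernet/modem)",
]
SAMPLE_HTTP = {
    "192.168.1.10": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.18) Gecko/20081029 Thunderbird/2.0.0.18",
    "192.168.1.11": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "192.168.1.13": "Microsoft-IIS/6.0",  # Server header seen from a host p0f could not classify
}


def run_sample():
    return cross_check(SAMPLE_P0F, SAMPLE_HTTP)


if __name__ == "__main__":
    for ip, (t, h, verdict) in run_sample().items():
        print(f"{ip:15} tcp={t!s:8} http={h!s:8} {verdict}")
```

Only "conflict" rows need a human look; since either side can be spoofed or, as with the webmail plugin, simply misleading, the disagreement is the signal, not proof that one side is right.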


