On Mon, 25 Jun 2007, Jonas Eckerman wrote:
Mark Martinec wrote:
The accuracy of botnet can be greatly enhanced when it is tamed down by p0f
results (passive operating system fingerprinting).
This is my experience as well. My Botnet scores look like this currently:
header BOTNET eval:botnet()
score BOTNET 2.0
meta BOTNET_WINDOWS (BOTNET && __OS_WINDOWS)
score BOTNET_WINDOWS 1.0
header __OS_WINDOWS p0fIP2OS =~ /Windows/i
The X-Amavis-OS-Fingerprint header field can be inserted by
p0f+p0fanalyzer+amavisd (which I use), or by p0f+p0fanalyzer + the p0f plugin
for SA by Vincent Li.
Another alternative is my stuff at:
<http://whatever.frukt.org/p0fstats.text.shtml>
The stuff there uses UDP to send p0f info from the system running p0f
(probably the firewall) to a collecting system that stores it in a database.
It includes a perl module and a SpamAssassin plugin that can get info from
the database, as well as some graph stuff.
The SpamAssassin module is fairly new (about a year old), but the basic
send/collect/store system has been in use for years here (though it has been
modified and changed along the way).
I have no idea whether my stuff is better, worse or just different from the
stuff you mentioned above.
The p0f+p0fanalyzer+p0f plugin for SA is the same idea as yours. Mark
Martinec's p0f-analyzer.pl script listens over UDP and stores the fingerprint
information in memory instead of in a database. My SA plugin simply extracts the
first untrusted relay IP, sends a query to p0f-analyzer.pl to collect the
fingerprint information, and adds a metadata header, X-P0f-OS-Fingerprint.
I have another SA plugin which sends the query to the p0f unix socket; in this
case p0f-analyzer.pl is not needed. The drawback is that SA has to run on the MX
host, and the plugin has to do extra work to deal with machine endianness.
http://bl0g.blogdns.com/spamassassin/p0f.tar
p0f-ppc.pm works on Linux PPC distributions, p0f-x86.pm works on Linux
x86 distributions.
Regards
/Jonas
--
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
Vincent Li
http://bl0g.blogdns.com
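The flow Vincent describes (take the first untrusted relay IP, look up its p0f fingerprint, then let Jonas's BOTNET_WINDOWS meta rule add its bonus) is sketched below as an added, self-contained Python example. It is not code from either poster's plugin or from SpamAssassin: the Received: header lines, the trusted network, the fingerprint table (a stand-in for the in-memory table p0f-analyzer.pl answers from over UDP) and the function names are all constructed here for illustration.

```python
import ipaddress
import re

# Constructed sample Received: headers, most recent hop first, as SA sees them.
# Not taken from the original thread.
SAMPLE_RECEIVED = [
    "from mx.example.net (mx.example.net [192.0.2.10]) by mail.example.net; Mon, 25 Jun 2007",
    "from dsl-pool.example.org (unknown [203.0.113.45]) by mx.example.net; Mon, 25 Jun 2007",
    "from [10.0.0.5] (helo=pc) by dsl-pool.example.org; Mon, 25 Jun 2007",
]

# Assumed trusted network: our own MX and internal relays (trusted_networks in SA terms).
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed stand-in for the p0f fingerprint store: connecting IP -> OS guess.
# In the real setup this answer would come back from p0f-analyzer.pl over UDP.
FINGERPRINTS = {
    "203.0.113.45": "Windows XP SP1+, 2000 SP3",
    "198.51.100.7": "Linux 2.6",
}

RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def first_untrusted_relay(received_headers, trusted_networks):
    """Walk the Received: chain from the top and return the first relay IP
    that is not inside one of our trusted networks. That is the host whose
    TCP SYN p0f saw, so it is the only IP worth fingerprinting."""
    for header in received_headers:
        match = RECEIVED_IP_RE.search(header)
        if not match:
            continue
        ip = ipaddress.ip_address(match.group(1))
        if any(ip in net for net in trusted_networks):
            continue
        return str(ip)
    return None


def lookup_fingerprint(ip, table):
    """Stand-in for the UDP query to p0f-analyzer.pl; None when p0f has no entry."""
    return table.get(ip)


def score(botnet_hit, os_fingerprint, score_botnet=2.0, score_windows=1.0):
    """Reproduce the rule logic from the post: BOTNET fires on its own, and
    BOTNET_WINDOWS fires only when BOTNET fires AND the fingerprint matches
    /Windows/i (the __OS_WINDOWS sub-rule). A missing fingerprint never adds."""
    hits = {}
    if botnet_hit:
        hits["BOTNET"] = score_botnet
        if os_fingerprint and re.search(r"Windows", os_fingerprint, re.I):
            hits["BOTNET_WINDOWS"] = score_windows
    return hits, sum(hits.values())


def analyze(received_headers, botnet_hit, trusted=TRUSTED_NETWORKS, table=FINGERPRINTS):
    """Tie the steps together and return what the plugin would add to the message."""
    relay = first_untrusted_relay(received_headers, trusted)
    fingerprint = lookup_fingerprint(relay, table) if relay else None
    hits, total = score(botnet_hit, fingerprint)
    return {
        "relay": relay,
        "X-P0f-OS-Fingerprint": fingerprint,
        "hits": hits,
        "total": total,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_RECEIVED, botnet_hit=True))
```

The point of keeping the OS check inside a meta rule rather than scoring __OS_WINDOWS directly is visible in `score()`: a Windows fingerprint on its own adds nothing, and a relay p0f never saw (no entry in the table) leaves only the plain BOTNET score in place.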