McDonald, Dan wrote:
I'm using amavisd-new and p0f with BOTNET.pl, and some Windows XP
machines are not being caught.
Here are my rules:
header L_P0F_WXP X-Amavis-OS-Fingerprint =~ /^Windows XP(?![^(]*\b2000 SP)/
score L_P0F_WXP 2.3
header L_P0F_W X-Amavis-OS-Fingerprint =~ /^Windows(?! XP)/
score L_P0F_W 1.0
header L_P0F_UNKN X-Amavis-OS-Fingerprint =~ /^UNKNOWN/
score L_P0F_UNKN 0.8
header L_P0F_Unix X-Amavis-OS-Fingerprint =~ /^((Free|Open|Net)BSD|Solaris|HP-UX|Tru64)/
score L_P0F_Unix -1.0
header L_P0F_Linux X-Amavis-OS-Fingerprint =~ /^Linux/
score L_P0F_Linux -0.1
I had a message with the following header:
X-Amavis-OS-Fingerprint: Windows XP SP1+, 2000 SP3 (NAT!), (distance 20,
link: unknown-1490), [83.11.64.39]
It doesn't appear to match either the L_P0F_WXP or the L_P0F_W rule:
[EMAIL PROTECTED] ~]$ grep -P '/^Windows(?! XP)/' Download/foo.eml
[EMAIL PROTECTED] ~]$ grep -P '/^Windows XP(?![^(]*\b2000 SP)/' Download/foo.eml
Well, that much should be obvious. Both rules are explicitly designed to
NOT match that. The big question is, why?
The ?! is a forward look-ahead that prevents matching. So, the first rule:
/^Windows(?! XP)/
Will match anything that's windows that's not XP.
The second rule:
/^Windows XP(?![^(]*\b2000 SP)/
Will match anything starting with "Windows XP", but it can't have "2000 SP" before a (.
You could easily write a rule for it:
header L_P0F_WXP2KUNSURE X-Amavis-OS-Fingerprint =~ /^Windows XP[^(]*\b2000 SP/
Which will match any of the headers with both XP and 2000 in it.
Does anyone have rules that catch this?
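The lookahead behaviour discussed in this thread, reproduced as an added example (not code from the thread, amavisd-new or SpamAssassin). Python's `re` handles `^`, `(?!...)`, `[^(]*` and `\b` the same way Perl does for these patterns, so the rules are used verbatim. The score for the proposed L_P0F_WXP2KUNSURE rule was not given in the reply and is assumed here; the sample message, including its folded fingerprint header, is constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

HEADER_NAME = "X-Amavis-OS-Fingerprint"

# (compiled pattern, score) for each rule posted in the thread, plus the
# L_P0F_WXP2KUNSURE rule suggested in the reply. Its 2.3 score is an
# assumption for this example; the reply did not state one.
P0F_RULES: Dict[str, Tuple[re.Pattern, float]] = {
    "L_P0F_WXP": (re.compile(r"^Windows XP(?![^(]*\b2000 SP)"), 2.3),
    "L_P0F_W": (re.compile(r"^Windows(?! XP)"), 1.0),
    "L_P0F_UNKN": (re.compile(r"^UNKNOWN"), 0.8),
    "L_P0F_Unix": (re.compile(r"^((Free|Open|Net)BSD|Solaris|HP-UX|Tru64)"), -1.0),
    "L_P0F_Linux": (re.compile(r"^Linux"), -0.1),
    "L_P0F_WXP2KUNSURE": (re.compile(r"^Windows XP[^(]*\b2000 SP"), 2.3),  # assumed score
}

# Constructed sample message; the fingerprint header is folded across two
# lines exactly as it appeared in the question.
SAMPLE_MESSAGE = (
    "Received: from example.invalid (unknown [192.0.2.1])\n"
    "X-Amavis-OS-Fingerprint: Windows XP SP1+, 2000 SP3 (NAT!), (distance 20,\n"
    " link: unknown-1490), [83.11.64.39]\n"
    "Subject: test\n"
    "\n"
    "body\n"
)


def get_fingerprint(raw_message: str) -> Optional[str]:
    """Return the unfolded X-Amavis-OS-Fingerprint value, or None if absent."""
    headers = raw_message.split("\n\n", 1)[0]
    # RFC 5322 folding: a newline followed by whitespace continues the header.
    unfolded = re.sub(r"\n[ \t]+", " ", headers)
    for line in unfolded.split("\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == HEADER_NAME.lower():
            return value.strip()
    return None


def match_rules(fingerprint: str) -> Dict[str, float]:
    """Return {rule_name: score} for every rule whose regex hits the value."""
    return {
        name: score
        for name, (pattern, score) in P0F_RULES.items()
        if pattern.search(fingerprint)
    }


def score_message(raw_message: str) -> float:
    """Sum the scores of all matching p0f rules for one raw message."""
    fingerprint = get_fingerprint(raw_message)
    if fingerprint is None:
        return 0.0
    return sum(match_rules(fingerprint).values())


if __name__ == "__main__":
    fp = get_fingerprint(SAMPLE_MESSAGE)
    print("fingerprint:", fp)
    print("matches:", match_rules(fp))
    # The "2000 SP" text sits before the first "(", so the negative lookahead
    # in L_P0F_WXP kills that rule; only the proposed rule fires.
    print("total score:", score_message(SAMPLE_MESSAGE))
    # Move the "(" in front of "2000 SP" and L_P0F_WXP matches again, because
    # [^(]* in the lookahead cannot cross a parenthesis.
    print("parenthesis first:", match_rules("Windows XP SP1+ (NAT!), 2000 SP3"))
```

The fourth call in the `__main__` block is the point the reply makes about `[^(]*`: once a `(` appears before `2000 SP`, the lookahead can no longer reach it, so the original L_P0F_WXP rule matches and the proposed L_P0F_WXP2KUNSURE rule does not.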