> > header L_P0F_WXP X-Amavis-OS-Fingerprint =~ /^Windows XP(?![^(]*\b2000 SP)/
> > score L_P0F_WXP 2.3
> > header L_P0F_W X-Amavis-OS-Fingerprint =~ /^Windows(?! XP)/
> > score L_P0F_W 1.0
[...]

Matt Kettler wrote:
> Well, that much should be obvious.
> Both rules are explicitly designed to NOT match that.
> The big question is, why?

That is intentional. Some corporate sites use a Microsoft mailer, and it sometimes appears to p0f as 'Windows XP, 2000 SP' or similar. There would be too many false positives to treat it the same as versions of Windows XP that the majority of users run at home, so the rule tries to be selective on Windows XP only, erring on the safe side.

> The ?! is a forward look-ahead that prevents matching.
> So, the first rule: /^Windows(?! XP)/
> Will match anything that's windows that's not XP.

That second rule is excluding XP because plain Windows XP was already covered by the first rule, and it would not be appropriate to score it twice.

Mark
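
The two quoted rules evaluated against a handful of fingerprint strings, as an added example that is not part of the original message. It is written in Python, whose `re` module treats these negative lookaheads the same way as the Perl patterns; the sample header values and the helper names `evaluate` and `double_scored` are constructed for illustration.

```python
import re

# Rule names, patterns and scores copied from the quoted configuration.
RULES = [
    ("L_P0F_WXP", re.compile(r"^Windows XP(?![^(]*\b2000 SP)"), 2.3),
    ("L_P0F_W", re.compile(r"^Windows(?! XP)"), 1.0),
]

# Constructed X-Amavis-OS-Fingerprint values (not captured from real mail).
SAMPLES = [
    "Windows XP",                      # plain XP
    "Windows XP SP1+",                 # still XP only
    "Windows XP, 2000 SP2+",           # ambiguous XP/2000 signature
    "Windows XP (2000 SP in a note)",  # "2000 SP" only after the first "("
    "Windows 2000 SP4",                # Windows, but not XP
    "Windows 98",
    "Linux 2.6",
]


def evaluate(fingerprint):
    """Return (names of rules that hit, summed score) for one header value."""
    hits = [(name, score) for name, rx, score in RULES if rx.search(fingerprint)]
    names = [name for name, _ in hits]
    total = round(sum((score for _, score in hits), 0.0), 2)
    return names, total


def double_scored(samples):
    """Fingerprints that trigger both rules; the lookaheads should leave none."""
    return [fp for fp in samples if len(evaluate(fp)[0]) > 1]


if __name__ == "__main__":
    for fp in SAMPLES:
        names, total = evaluate(fp)
        print(f"{fp!r:36} {total:>4}  {', '.join(names) or '-'}")
    print("scored twice:", double_scored(SAMPLES))
```

The `[^(]*` inside the first lookahead stops at the first opening parenthesis, so only a "2000 SP" that appears before any parenthesised detail suppresses L_P0F_WXP.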