Daniel J McDonald wrote:
> I too found botnet to be a great source of FP. By combining it with p0f it's moderately useful.
I just found one reason for FPs in the Botnet plugin. It doesn't distinguish between timeouts (and other DNS errors) and negative answers. So if your DNS server/proxy is overloaded (or slow for some other reason), you'll get FPs.
For the last 15 minutes I've been running a slightly modified version of the plugin that tries to avoid this. In a while I'll send a patch to the author.
Apart from this the plugin seems to work fine here with a score of +2 (with an extra +1 if p0f says it's a Windows system).
Regards
/Jonas
--
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
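As an added illustration of the distinction Jonas describes (this is not code from the Botnet plugin, which is Perl, nor from the thread): a three-valued DNS classification in Python using the standard `socket` module's resolver error codes, with a naive version beside it that reproduces the false positive. The relay IPs and the stand-in resolver are constructed so the example runs offline.

```python
import socket
from typing import Callable

# Three-valued outcome. The FP Jonas found comes from folding the third
# state ("could not get an answer") into the second ("name does not exist").
POSITIVE, NEGATIVE, UNKNOWN = "positive", "negative", "unknown"

# A resolver returns a non-empty name on success and raises socket.gaierror
# otherwise, exactly as socket.getnameinfo()/getaddrinfo() do.
Resolver = Callable[[str], str]


def classify_naive(query: str, resolve: Resolver) -> str:
    """The buggy pattern: any failure counts as a negative answer."""
    try:
        return POSITIVE if resolve(query) else NEGATIVE
    except socket.gaierror:
        return NEGATIVE  # a timeout now looks like "no reverse DNS"


def classify(query: str, resolve: Resolver) -> str:
    """Fixed pattern: only a definitive 'no such name' is negative."""
    try:
        return POSITIVE if resolve(query) else NEGATIVE
    except socket.gaierror as exc:
        # EAI_NONAME is the resolver's authoritative "no such name" (NXDOMAIN,
        # or no PTR). EAI_AGAIN (timeout, overloaded server), EAI_FAIL
        # (SERVFAIL) and friends mean we simply do not know.
        return NEGATIVE if exc.errno == socket.EAI_NONAME else UNKNOWN


def reverse_lookup(ip: str) -> str:
    """Real PTR lookup; NI_NAMEREQD makes a missing PTR raise gaierror."""
    host, _ = socket.getnameinfo((ip, 0), socket.NI_NAMEREQD)
    return host


def rdns_score(ip: str, rdns: Resolver = reverse_lookup, base: float = 2.0) -> float:
    """Score a relay only when its missing reverse DNS is certain (UNKNOWN scores 0)."""
    return base if classify(ip, rdns) == NEGATIVE else 0.0


def fake_rdns(ip: str) -> str:
    """Constructed stand-in resolver (hypothetical addresses from 192.0.2.0/24)."""
    if ip == "192.0.2.10":
        return "mail.example.net"                 # has a PTR
    if ip == "192.0.2.20":                        # authoritative: no PTR
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    raise socket.gaierror(socket.EAI_AGAIN, "Temporary failure in name resolution")
```

With a slow resolver, 192.0.2.30 is the case that the naive classifier scores as if it had no reverse DNS.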