On 05/01/2011 8:38 PM, RW wrote:
Aside from BOTNET_WIN the p0f rules are low-scoring and add up to zero.
Since BOTNETS are 100% Windows it doesn't seem unreasonable to use p0f
in a metarule. However, you might want to look into this inconsistency:
You are right about the overlapping and one rule saying it's Windows XP,
and the other says it's not.
However, as for botnets, there are a number of Linux botnets nowadays as
well. Remember Psyb0t from 2009? So while you can argue Windows is 90%+,
it's not alone :)
Regards,
Lawrence