Combining p0f with BOTNET is intended to *reduce* the high number of false positives that BOTNET alone produces, *at least* for the non-Windows machines. The Windows hosts are left alone and are not protected by p0f from BOTNET FP.
If someone is scoring p0f in combination with BOTNET differently, that is not advisable or intended. Btw, the BOTNET plugin also produces an FP hit for any IPv6 connection, regardless of its rDNS. If someone is interested in a quick hack patch, I can post it.

Mark