On Thu, 8 Mar 2007, Michael Monnerie wrote:
> On Tuesday, 6 March 2007 13:40 Justin Mason wrote:
> > X-Syn-Print: win=64240 mss=1460 sackOK
>
> Sounds very interesting, I'm willing to test it. Headers are always
> nice, making it easily readable.
I somehow missed the original post about this but I'm very interested too.

I already pass p0f (http://lcamtuf.coredump.cx/p0f.shtml) metrics to SA as headers so that Bayes can use them. Hop count is a metric which seems a good indicator as well. p0f guesses at the distance of the remote host based on the TTL in the packet and the guessed source OS. I put the hop count range (e.g. 10-15) into the header for Bayes to use.

Some very rough stats based on the last 60 days' messages (p0f_dist is the hop count reported by p0f)....

mysql> select avg(spam_score) from log where p0f_dist >= 10;
+-----------------+
| avg(spam_score) |
+-----------------+
|         7.00293 |
+-----------------+
1 row in set (6.47 sec)

mysql> select avg(spam_score) from log where p0f_dist > 2 and p0f_dist < 10;
+-----------------+
| avg(spam_score) |
+-----------------+
|         3.73930 |
+-----------------+
1 row in set (6.28 sec)

A.
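As an added illustration of the hop-count metric described in the post above (this is example code, not p0f's or SpamAssassin's own, and not the poster's setup): the distance is the difference between the initial TTL the sending OS is believed to use and the TTL observed on the wire, coarsened into a range such as 10-15 and handed to SA as a header. The initial-TTL table, the 5-hop bucket width and the header name X-P0f-Dist are assumptions; the log rows are constructed so the two averages from the post can be recomputed offline.

```python
# Added example (not p0f's or SpamAssassin's own code): estimate the hop
# count from an observed IP TTL the way p0f's "distance" metric does, turn it
# into a bucketed mail header for Bayes, and reproduce the post's two
# averages over a constructed log.  The initial-TTL table, the 5-hop bucket
# width and the header name X-P0f-Dist are assumptions, not from the post.
from statistics import mean

# Initial TTLs commonly set by operating systems (assumed; p0f derives the
# value from its per-OS signature rather than from this short list).
INITIAL_TTLS = (32, 64, 128, 255)


def estimate_hops(observed_ttl, os_initial_ttl=None):
    """Distance = initial TTL - observed TTL.

    If the OS guess supplies the initial TTL, use it; otherwise fall back to
    the smallest standard value that is >= the observed TTL.  A wrong guess
    of the initial TTL is the main error source here, which is why a range
    rather than an exact count is what ends up in the header.
    """
    if not 0 < observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    initial = os_initial_ttl
    if initial is None:
        initial = next(t for t in INITIAL_TTLS if t >= observed_ttl)
    if initial < observed_ttl:
        raise ValueError("observed TTL exceeds assumed initial TTL")
    return initial - observed_ttl


def hop_bucket(hops, width=5):
    """Coarsen the hop count to a range such as '10-15'."""
    lo = (hops // width) * width
    return f"{lo}-{lo + width}"


def p0f_dist_header(observed_ttl, os_initial_ttl=None):
    """Header line to hand to SpamAssassin (header name is assumed)."""
    return f"X-P0f-Dist: {hop_bucket(estimate_hops(observed_ttl, os_initial_ttl))}"


# Constructed sample rows (p0f_dist, spam_score); not real data.
LOG = [
    (1, 0.1), (2, 0.3), (3, 1.2), (4, 0.5), (7, 6.1), (9, 2.0),
    (11, 5.5), (12, 9.8), (14, 7.2),
]


def avg_score_where(rows, keep):
    """Equivalent of `select avg(spam_score) from log where <keep(p0f_dist)>`."""
    scores = [score for dist, score in rows if keep(dist)]
    return mean(scores) if scores else None


def far_vs_near(rows):
    """The two queries from the post: dist >= 10 versus 2 < dist < 10."""
    return (
        avg_score_where(rows, lambda d: d >= 10),
        avg_score_where(rows, lambda d: 2 < d < 10),
    )


if __name__ == "__main__":
    for ttl in (54, 117, 240, 64):
        print(ttl, "->", p0f_dist_header(ttl))
    print("far, near:", far_vs_near(LOG))
```

Note that a host whose OS guess is wrong (say, a 128-initial host mistaken for a 64-initial one) lands in the wrong bucket, so the header should feed Bayes as one weak signal among many rather than drive a hard rule on its own.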
