On Fri, 9 Mar 2007, Michael Monnerie wrote:

> On Friday, 9 March 2007 00:18 Andy Fiddaman wrote:
> > I somehow missed the original post about this but I'm very interested
> > too. I already pass p0f (http://lcamtuf.coredump.cx/p0f.shtml)
> > metrics to SA as headers so that Bayes can use them.
>
> Could you provide that script? Doesn't look like it's in the
> distribution of p0f?

It's part of a custom milter which I can't distribute. However this is the
basic approach which doesn't seem too different in concept to yours and is
fairly straightforward.

- I've got p0f running in cache mode, that is it watches for all incoming
  Syn packets to port 25 and records the TCP signature internally;
- The milter sends a query to p0f over a unix domain socket from its
  connect callback (it knows the local and remote addresses and ports from
  the arguments to the callback and the Sendmail {client_addr},
  {daemon_port} and {if_addr} macros.)
- When the milter sends the message to SpamAssassin (spamd) it adds
  headers like:
  X-p0f-OS: Windows XP SP1+, 2000 SP3
  X-p0f-Hops: 15-20

p0f is doing the work of guessing the remote OS and deriving a hop count,
plus working out if it is likely that address translation is being used
and what type of connection is likely to be in use (based primarily on
MTU). The downside I can see is that I don't have access to
the same raw information that you do; I might look at modifying
p0f to also return the raw signature it detected, then I'll have
the best of both worlds.

Rather than just rely on Bayes, I do plan to write some custom header
rules for SA once I get time to do a proper analysis of the results
I've got.

HTH.

Andy

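As an added example (my own sketch, not Andy's milter, which he says he can't distribute): the query side of the approach above in Python, i.e. encoding a fingerprint query for the (remote, local) endpoint pair the milter learns in its connect callback, decoding p0f's answer, and turning it into X-p0f-* headers for spamd. It assumes the p0f 2.x query-socket wire format from p0f-query.h as I recall it (magic 0x0defaced, the query and response structs described in the comments, host byte order, addresses as raw in_addr and ports in host order), a daemon started as `p0f -Q <socket-path>`, and that "X-p0f-Hops: 15-20" is a 5-hop bucket of p0f's distance value; all of these are assumptions to check against your p0f version. X-p0f-Link and X-p0f-NAT are my additions; the sample response is constructed, not captured from a live daemon.

```python
"""Query a p0f 2.x daemon (-Q mode) over its unix socket and build X-p0f-* headers.
Wire layouts follow p0f 2.x p0f-query.h as remembered; verify against your header."""
import socket
import struct
from dataclasses import dataclass

QUERY_MAGIC = 0x0DEFACED           # assumption: p0f-query.h QUERY_MAGIC
QTYPE_FINGERPRINT = 1
RESP_OK, RESP_BADQUERY, RESP_NOMATCH = 0, 1, 2

# struct p0f_query: magic u32, type u8, id u32, src_ad, dst_ad (raw in_addr),
# src_port, dst_port (host-order u16). '=' = native byte order, no padding.
QUERY_FMT = "=IBI4s4sHH"
# struct p0f_response: magic u32, id u32, type u8, genre[20], detail[40],
# dist s8, link[30], tos[30], fw u8, nat u8, real u8, score s16, mflags u16, uptime s32.
RESP_FMT = "=IIB20s40sb30s30sBBBhHi"
RESP_LEN = struct.calcsize(RESP_FMT)   # 141 bytes under the assumed layout


@dataclass
class P0fResult:
    rtype: int
    genre: str
    detail: str
    dist: int        # hop distance as derived by p0f, -1 if unknown
    link: str        # link type guessed from MTU, '' if unknown
    tos: str
    fw: int
    nat: int         # p0f's "NAT likely" flag
    real: int
    score: int
    mflags: int
    uptime: int


def build_query(qid, src_ip, src_port, dst_ip, dst_port):
    """Encode one fingerprint query: remote (client) and local (daemon) endpoints."""
    return struct.pack(QUERY_FMT, QUERY_MAGIC, QTYPE_FINGERPRINT, qid,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       src_port, dst_port)


def _cstr(b):
    """NUL-terminated fixed-width field -> str."""
    return b.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_response(data, expect_id=None):
    """Decode a p0f_response; reject short reads, bad magic and mismatched ids."""
    if len(data) != RESP_LEN:
        raise ValueError("short p0f response: %d bytes" % len(data))
    (magic, rid, rtype, genre, detail, dist, link, tos,
     fw, nat, real, score, mflags, uptime) = struct.unpack(RESP_FMT, data)
    if magic != QUERY_MAGIC:
        raise ValueError("bad magic 0x%08x" % magic)
    if expect_id is not None and rid != expect_id:
        raise ValueError("response id %d != query id %d" % (rid, expect_id))
    return P0fResult(rtype, _cstr(genre), _cstr(detail), dist, _cstr(link),
                     _cstr(tos), fw, nat, real, score, mflags, uptime)


def hop_bucket(dist):
    """Coarsen the distance into a 5-hop label such as '15-20' (assumed bucketing);
    -1 (unknown) yields None so no header is emitted."""
    if dist < 0:
        return None
    lo = (dist // 5) * 5
    return "%d-%d" % (lo, lo + 5)


def headers_from_result(r):
    """Headers to add before handing the message to spamd. No match -> no headers,
    so absence of X-p0f-OS is itself a signal a rule can key on."""
    if r.rtype != RESP_OK or not r.genre:
        return {}
    hdrs = {"X-p0f-OS": (r.genre + " " + r.detail).strip()}
    bucket = hop_bucket(r.dist)
    if bucket:
        hdrs["X-p0f-Hops"] = bucket
    if r.link:
        hdrs["X-p0f-Link"] = r.link       # my addition: connection type from MTU
    if r.nat:
        hdrs["X-p0f-NAT"] = "yes"         # my addition: p0f's NAT heuristic
    return hdrs


def query_p0f(sock_path, qid, src_ip, src_port, dst_ip, dst_port, timeout=2.0):
    """Live lookup against 'p0f -Q sock_path' (not exercised offline)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(build_query(qid, src_ip, src_port, dst_ip, dst_port))
        buf = b""
        while len(buf) < RESP_LEN:           # recv() may return partial structs
            chunk = s.recv(RESP_LEN - len(buf))
            if not chunk:
                break
            buf += chunk
    return parse_response(buf, expect_id=qid)


# Constructed sample response (not captured from a real p0f) in the same layout.
SAMPLE_RESPONSE = struct.pack(RESP_FMT, QUERY_MAGIC, 0x2A, RESP_OK,
                              b"Windows", b"XP SP1+, 2000 SP3", 17,
                              b"ethernet/modem", b"", 0, 0, 1, -100, 0, -1)

if __name__ == "__main__":
    for k, v in headers_from_result(parse_response(SAMPLE_RESPONSE, 0x2A)).items():
        print("%s: %s" % (k, v))
```

In a real milter the query id should be unique per connection and checked against the reply, as `parse_response` does, since a shared socket can otherwise hand one connection's fingerprint to another; and a short or timed-out read should result in no X-p0f-* headers rather than a guess.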