Tomoyuki Murakami:
> On Mon, 10 Sep 2012 09:26:23 -0400 (EDT), Wietse Venema
> <[email protected]> wrote:
> > Tomoyuki Murakami:
> >> Developers,
> >>
> >> There are several Passive OS Fingerprinting implementations;
> >> p0f v3 (http://lcamtuf.coredump.cx/p0f3/) is one of them, and it
> >> is light-weight and responds very quickly in my environment.
> >> I don't know the detailed history of this app, but there is
> >> a simple API for utilizing information about the other-end OSes.
> >
> > First, I am pleased to read code that is well written. Thank you.
> You're welcome. Thank you for the reply.
>
> > Fundamental critique:
> >
> > - There are many legitimate MTAs running on Microsoft systems,
> > including MTAs from vendors other than Microsoft. It would be a
> > mistake to veto connections because a site runs a Microsoft OS.
> > Postscreen is the wrong place to use methods that suffer from a
> > non-negligible false positive rate.
>
> I generally agree, but its efficiency is worth
> consideration in my little bit wild, spam-hating environment.
> It might not be everyone's solution.
I'm thinking about extending postscreen with an event-driven plug-in
interface to send out a query in parallel with the Pregreet and
DNSBL tests (this would make the response time less critical).
This interface would use a simplified version of the policy delegation
protocol.
Example postscreen query:
query_id=uniquestring
address_family=ipv4 (or ipv6)
protocol=tcp
local_address=1.2.3.4
local_port=25
remote_address=5.4.3.2
remote_port=6666
Example plug-in reply:
query_id=uniquestring
action=pass (or drop, enforce, ignore)
ttl=600 (time in seconds if "pass", otherwise ignored)
As with Pregreet and DNSBL, postscreen would not block waiting for
a reply. If the plug-in is down or too slow, postscreen just uses
a default action (I recommend "pass") and TTL (I recommend a few
minutes) to avoid hammering on a dead plug-in.
This would waste a few machine cycles, but it would provide a way
to make postscreen work with p0f or other things that we haven't
thought of yet.
Wietse
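As an added illustration of the exchange sketched above (example code, not part of Postfix or of this thread), here is a small Python model of both sides: the postscreen side serialises the query and applies the default action and TTL when the reply is missing, late, mismatched or malformed; the plug-in side is a hypothetical stand-in, since the actual p0f lookup is not specified here.

```python
VALID_ACTIONS = {"pass", "drop", "enforce", "ignore"}
DEFAULT_ACTION = "pass"   # recommended default when the plug-in is down or slow
DEFAULT_TTL = 300         # "a few minutes", so a dead plug-in is not hammered

def build_query(local, remote, query_id, protocol="tcp"):
    """postscreen side: attribute=value lines, terminated by an empty line."""
    laddr, lport = local
    raddr, rport = remote
    family = "ipv6" if ":" in raddr else "ipv4"
    attrs = [("query_id", query_id), ("address_family", family),
             ("protocol", protocol), ("local_address", laddr),
             ("local_port", str(lport)), ("remote_address", raddr),
             ("remote_port", str(rport))]
    return "".join(f"{k}={v}\n" for k, v in attrs) + "\n"

def parse_attrs(text):
    """Parse attribute=value lines into a dict; the empty line ends the record."""
    attrs = {}
    for line in text.split("\n"):
        if line == "":
            break
        key, sep, value = line.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs

def plugin_reply(query_text, verdict="pass", ttl=600):
    """Hypothetical plug-in side: echo query_id, send ttl only with "pass"."""
    qid = parse_attrs(query_text).get("query_id", "")
    lines = [f"query_id={qid}", f"action={verdict}"]
    if verdict == "pass":
        lines.append(f"ttl={ttl}")
    return "\n".join(lines) + "\n\n"

def decide(reply_text, expected_qid):
    """postscreen side: map the reply (None if it never arrived in time) to
    (action, ttl); anything missing, mismatched or malformed uses the default."""
    default = (DEFAULT_ACTION, DEFAULT_TTL)
    if reply_text is None:
        return default
    reply = parse_attrs(reply_text)
    if reply.get("query_id") != expected_qid:
        return default          # stale or unrelated answer
    action = reply.get("action")
    if action not in VALID_ACTIONS:
        return default
    if action != "pass":
        return action, None     # ttl is ignored unless the action is "pass"
    ttl = reply.get("ttl", "")
    return ("pass", int(ttl)) if ttl.isdigit() and int(ttl) > 0 else default
```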