I'm using amavisd-new and p0f with BOTNET.pl, and some Windows XP machines are not being caught. Here are my rules:

header L_P0F_WXP X-Amavis-OS-Fingerprint =~ /^Windows XP(?![^(]*\b2000 SP)/
score L_P0F_WXP 2.3
header L_P0F_W X-Amavis-OS-Fingerprint =~ /^Windows(?! XP)/
score L_P0F_W 1.0
header L_P0F_UNKN X-Amavis-OS-Fingerprint =~ /^UNKNOWN/
score L_P0F_UNKN 0.8
header L_P0F_Unix X-Amavis-OS-Fingerprint =~ /^((Free|Open|Net)BSD|Solaris|HP-UX|Tru64)/
score L_P0F_Unix -1.0
header L_P0F_Linux X-Amavis-OS-Fingerprint =~ /^Linux/
score L_P0F_Linux -0.1
I had a message with the following header:

X-Amavis-OS-Fingerprint: Windows XP SP1+, 2000 SP3 (NAT!), (distance 20, link: unknown-1490), [83.11.64.39]

It doesn't appear to match either the L_P0F_WXP or the L_P0F_W rule:

[EMAIL PROTECTED] ~]$ grep -P '/^Windows(?! XP)/' Download/foo.eml
[EMAIL PROTECTED] ~]$ grep -P '/^Windows XP(?![^(]*\b2000 SP)/' Download/foo.eml

Does anyone have rules that catch this?

--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
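A small harness for checking these header rules against fingerprint values, added here as an example and not code from the post. It strips SpamAssassin's /.../ delimiters and applies each pattern to the header value only, which is also why the grep commands above could not match: grep -P took the slashes literally and anchored ^ at the start of the whole line, which begins with the header name. The extra L_P0F_WXP_2K rule, its pattern and its score are assumptions, not part of the post.

```python
import re

# Rules as posted, with SpamAssassin's /.../ delimiters removed so that
# re.search sees the bare pattern, just as the SpamAssassin header test does.
P0F_RULES = {
    "L_P0F_WXP":   (r"^Windows XP(?![^(]*\b2000 SP)", 2.3),
    "L_P0F_W":     (r"^Windows(?! XP)", 1.0),
    "L_P0F_UNKN":  (r"^UNKNOWN", 0.8),
    "L_P0F_Unix":  (r"^((Free|Open|Net)BSD|Solaris|HP-UX|Tru64)", -1.0),
    "L_P0F_Linux": (r"^Linux", -0.1),
}

# Hypothetical extra rule for the ambiguous "XP or 2000 SP" fingerprints that
# neither Windows rule above accepts; the name and score are assumptions.
EXTRA_RULE = {
    "L_P0F_WXP_2K": (r"^Windows XP[^(]*\b2000 SP", 1.5),
}

HEADER = "X-Amavis-OS-Fingerprint"

def header_value(message):
    """Return the value of the first X-Amavis-OS-Fingerprint header, or None."""
    for line in message.splitlines():
        if line.startswith(HEADER + ":"):
            return line[len(HEADER) + 1:].strip()
    return None

def score(value, rules):
    """Apply every header rule to the fingerprint value; return (hits, total)."""
    hits = [name for name, (pat, _) in rules.items() if re.search(pat, value)]
    return hits, round(sum(rules[n][1] for n in hits), 2)

def grep_style(pattern, message):
    """Mimic 'grep -P': the pattern is run against each whole raw line."""
    return any(re.search(pattern, line) for line in message.splitlines())

# Constructed sample message carrying the fingerprint quoted in the post.
SAMPLE = (
    "Received: from mail.example.invalid\n"
    "X-Amavis-OS-Fingerprint: Windows XP SP1+, 2000 SP3 (NAT!), "
    "(distance 20, link: unknown-1490), [83.11.64.39]\n"
    "Subject: test\n"
)

if __name__ == "__main__":
    fp = header_value(SAMPLE)
    print(fp, score(fp, P0F_RULES))                       # ([], 0.0)
    print(fp, score(fp, {**P0F_RULES, **EXTRA_RULE}))     # (['L_P0F_WXP_2K'], 1.5)
    print(grep_style(r"/^Windows(?! XP)/", SAMPLE))       # False
```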