Nmap Development mailing list archives

RE: Other useless OS detection tests?


From: "Thomas Tavaris J (Tavaris)" <tjthomas () LGSInnovations com>
Date: Fri, 13 Mar 2009 09:10:11 -0400

My colleague and I wrote a paper for WOOT 07 (Part of USENIX 07)
evaluating the quality of tests found in Nmap. We developed a
method based on the mathematical notion of information gain to evaluate
the quality of fingerprinting tests and their
associated probes. In the paper we provided an analysis that includes
ranking the tests overall, ranking the tests within
families of operating systems, evaluating the variability of similar
tests across differing probes, and discussing the
implications of these analyses on fingerprinting in practice.

L. Greenwald and T. Thomas, "Toward Undetected Operating System
Fingerprinting," Proceedings of the
First USENIX Workshop on Offensive Technologies (WOOT '07), Boston, MA,
August 6, 2007.

Granted, this was on an earlier version of Nmap, so I reran our code
recently on the signature database of Nmap 4.76 and the results were
similar. (Have not published these yet.)

Best Regards,
---
Tavaris Thomas, Ph.D.
Member of Technical Staff
Government Communication Labs
LGS Bell Labs Innovations
(973) 437-9789 office
(973) 437-9959 fax
tjthomas () lgsinnovations com

-----Original Message-----
From: nmap-dev-bounces () insecure org
[mailto:nmap-dev-bounces () insecure org] On Behalf Of David Fifield
Sent: Thursday, March 12, 2009 6:13 PM
To: nmap-dev () insecure org
Subject: Other useless OS detection tests?

On Thu, Mar 12, 2009 at 03:33:36PM -0600, David Fifield wrote:
Fyodor noticed that every single reference fingerprint in nmap-os-db 
that had a result of the IE.DLI test had the value S.

I read in the TODO:

  o Are there other "useless" tests in nmap-os-db?  It is worth
    checking, IMHO.

I wrote a script to measure how much each OS detection test varies in
nmap-os-db. It ranks each test by the number of distinct values it takes
on. The results are attached. You can ignore the *.R tests; they only
take on two values so they can't get very diverse.

The only potentially "useless" tests are IE.DLI, IE.SI, and U1.RUL. As
you can see, IE.DLI and IE.SI only ever take on one value, and U1.RUL
was 0 only 1 time out of 1658.

IE.DLI=S     1656

IE.SI=S      1655

U1.RUL=G     1657
U1.RUL=0     1

http://nmap.org/book/osdetect-methods.html#osdetect-dl
http://nmap.org/book/osdetect-methods.html#osdetect-si
http://nmap.org/book/osdetect-methods.html#osdetect-ruck

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
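The kind of variability script David describes, written here as an added example rather than the script from the thread: it parses nmap-os-db test lines (`TEST(KEY=VALUE%KEY=VALUE...)`), skips the MatchPoints weight block and Class/CPE lines, and ranks each `TEST.KEY` by how many distinct literal values it takes on. The embedded database excerpt is constructed for the demonstration, not real nmap-os-db entries.

```python
import re
from collections import Counter, defaultdict

# Constructed nmap-os-db excerpt (not real entries): the IE and U1 tests from the
# thread, plus a MatchPoints block whose weights must not be counted as values.
SAMPLE_DB = """\
MatchPoints
IE(DFI=20%T=15%TG=15%CD=25%SI=25%DLI=25)
U1(R=50%DF=20%T=15%TG=15%IPL=100%UN=100%RIPL=100%RID=100%RIPCK=100%RUCK=100%RUD=100%RUL=100)

Fingerprint Constructed OS A
Class Linux | Linux | 2.6.X | general purpose
U1(R=Y%DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G%RUL=G)
IE(R=Y%DFI=N%T=3B-45%TG=40%CD=S%SI=S%DLI=S)

Fingerprint Constructed OS B
U1(R=Y%DF=N%T=7B-85%TG=80%IPL=B0%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G%RUL=G)
IE(R=Y%DFI=S%T=7B-85%TG=80%CD=Z%SI=S%DLI=S)

Fingerprint Constructed OS C
U1(R=Y%DF=N%T=FA-104%TG=FF%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G%RUL=0)
IE(R=N)
"""

TEST_LINE = re.compile(r"^([A-Z0-9]+)\((.*)\)$")  # e.g. IE(R=Y%DFI=N%...)

def count_test_values(db_text):
    """Return {'TEST.KEY': Counter({literal value: occurrences})} for a db file."""
    counts = defaultdict(Counter)
    in_matchpoints = False
    for raw in db_text.splitlines():
        line = raw.strip()
        if line == "MatchPoints" or line.startswith("Fingerprint"):
            in_matchpoints = (line == "MatchPoints")  # weights block ends at next entry
        m = TEST_LINE.match(line)
        if not m or in_matchpoints or line.startswith("#"):
            continue                                   # Class/CPE/comment/blank lines
        test, body = m.groups()
        for field in filter(None, body.split("%")):
            key, _, value = field.partition("=")       # value may be empty, e.g. Q=
            counts[f"{test}.{key}"][value] += 1
    return counts

def rank_by_variability(counts, skip_r=True):
    """(test, number of distinct values), least varied first; *.R tests skipped."""
    ranked = [(t, len(c)) for t, c in counts.items()
              if not (skip_r and t.endswith(".R"))]
    return sorted(ranked, key=lambda item: (item[1], item[0]))

if __name__ == "__main__":
    print(rank_by_variability(count_test_values(SAMPLE_DB))[:5])
```

Run against the real nmap-os-db file contents, the same two functions give the per-test table David attached (IE.DLI and IE.SI at one value, U1.RUL at two).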
