Nmap Development mailing list archives

Re: Match Points Question


From: Fyodor <fyodor () insecure org>
Date: Thu, 3 May 2007 15:11:43 -0700

On Thu, May 03, 2007 at 03:25:50PM -0400, Thomas Tavaris J (Tavaris) wrote:

Near the top of the "nmap-os-db" file, the Match Point values for the
various probing tests are listed. Could anyone tell how these values
were assigned? Which criteria were used in choosing them? Were any
formal methods used? I am studying the effectiveness of various
combinations of probing tests and wanted to further understand the OS
matching algorithm. Thanks!

Hi Thomas.  I chose them initially, and have been tweaking the values
a bit based on what seems to work well.  When I integrate OS
fingerprint submissions, I sometimes tweak those values based on which
tests seem to be least reliable.  For example, the values of SEQ.SP
and SEQ.ISR are low because it is very common that a system may just
be a timing outlier (or it may be high latency on the network or the
like) and fall outside the ranges given in the fingerprint.
Similarly, U1.TOS is low because some networks seem to mess with the
TOS value.  Also, tests which are repeated many times have lower
individual point values.  For example, the initial TTL ("T") test is
only 15 points each because there are 11 of those tests and they will
often either all match or all not match.  If they were all 100 points
each, then a system which has just changed its default TTL would have
almost no chance of matching.

If you have ideas for improving the MatchPoint values, we're certainly
interested in hearing them!

Cheers,
-F
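The weighting argument in the reply above (low per-test points for the eleven repeated TTL tests, so a changed default TTL does not sink the whole match) can be reproduced with a small scoring model. This is an added example, not Nmap's code; only "15 points for each of 11 T tests" comes from the post, and the other test names and point values are constructed placeholders.

```python
from typing import Dict, Tuple

# Constructed match-point table. Only "15 points for each of 11 T tests" comes
# from the post; the other weights are placeholders chosen to mirror its
# description (SEQ.SP, SEQ.ISR and U1.TOS "low", everything else high).
T_TESTS = [f"T{i}" for i in range(1, 12)]            # hypothetical names for the 11 TTL tests
STRONG_TESTS = [f"STRONG{i}" for i in range(1, 7)]   # hypothetical stand-ins for other tests

def match_points(t_points: int) -> Dict[str, int]:
    """Build the point table with a chosen weight for the T tests."""
    pts = {"SEQ.SP": 25, "SEQ.ISR": 25, "U1.TOS": 25}
    pts.update({t: 100 for t in STRONG_TESTS})
    pts.update({t: t_points for t in T_TESTS})
    return pts

def score(reference: Dict[str, str], observed: Dict[str, str],
          points: Dict[str, int]) -> Tuple[int, int, float]:
    """Weighted match: each test present in both fingerprints adds its points
    to the denominator and, if the values agree, to the numerator.
    Returns (matched, possible, percent)."""
    matched = possible = 0
    for test, expected in reference.items():
        if test not in observed:          # unobserved test: no information, skip it
            continue
        possible += points[test]
        if observed[test] == expected:
            matched += points[test]
    pct = round(100.0 * matched / possible, 1) if possible else 0.0
    return matched, possible, pct

def ttl_change_percent(t_points: int) -> float:
    """Percent match for a host that agrees on every test except the 11 T
    tests, e.g. because its default TTL was changed from 64 to 128."""
    reference = {t: "ok" for t in ["SEQ.SP", "SEQ.ISR", "U1.TOS", *STRONG_TESTS]}
    reference.update({t: "T=64" for t in T_TESTS})
    observed = dict(reference)
    observed.update({t: "T=128" for t in T_TESTS})   # all 11 TTL tests fail together
    return score(reference, observed, match_points(t_points))[2]

if __name__ == "__main__":
    print("T tests at 15 points each:", ttl_change_percent(15))    # 80.4
    print("T tests at 100 points each:", ttl_change_percent(100))  # 38.0
```

With the low weight the host still scores about 80%; at 100 points per T test the same host drops to about 38%, which is the "almost no chance of matching" effect the reply describes.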

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org