Nmap Development mailing list archives
Re: Match Points Question
From: Fyodor <fyodor () insecure org>
Date: Thu, 3 May 2007 15:11:43 -0700
On Thu, May 03, 2007 at 03:25:50PM -0400, Thomas Tavaris J (Tavaris) wrote:
> Near the top of the "nmap-os-db" file, the Match Point values for the various probing tests are listed. Could anyone tell how these values were assigned? Which criteria were used in choosing them? Were any formal methods used? I am studying the effectiveness of various combinations of probing tests and wanted to further understand the OS matching algorithm. Thanks!

Hi Thomas. I chose them initially, and have been tweaking the values a bit based on what seems to work well. When I integrate OS fingerprint submissions, I sometimes tweak those values based on which tests seem to be least reliable.

For example, the values of SEQ.SP and SEQ.ISR are low because it is very common that a system may just be a timing outlier (or it may be high latency on the network or the like) and fall outside the ranges given in the fingerprint. Similarly, U1.TOS is low because some networks seem to mess with the TOS value.

Also, tests which are repeated many times have lower individual point values. For example, the initial TTL ("T") test is only 15 points each because there are 11 of those tests and they will often either all match or all not match. If they were all 100 points each, then a system which has just changed its default TTL would have almost no chance of matching.

If you have ideas for improving the MatchPoint values, we're certainly interested in hearing them!

Cheers,
-F
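
The TTL weighting argument in the reply above, worked through as an added example (not part of the original thread and not Nmap's code). It assumes the match score is matched points divided by possible points, uses hypothetical probe names P01..P11, and every point value other than T=15 and T=100 is constructed.

```python
import re

def sample_matchpoints(ttl_points, ttl_lines=11):
    """Constructed MatchPoints text in the LINE(test=pts%test=pts) layout.
    Probe names P01..P11 and all values except T are made up."""
    rows = ["SEQ(SP=25%GCD=75%ISR=25)", "OPS(O1=20%O2=20)"]
    rows += [f"P{i:02d}(R=100%DF=20%T={ttl_points})"
             for i in range(1, ttl_lines + 1)]
    return "\n".join(rows)

def parse_matchpoints(text):
    """Return {(line_name, test_name): points} for every weighted test."""
    points = {}
    for m in re.finditer(r"^(\w+)\(([^)]*)\)$", text, re.M):
        for item in m.group(2).split("%"):
            test, _, value = item.partition("=")
            points[(m.group(1), test)] = int(value)
    return points

def accuracy(points, mismatched):
    """Assumed scoring model: matched points over total possible points.
    `mismatched` is a set of (line_name, test_name) keys that failed."""
    total = sum(points.values())
    lost = sum(p for key, p in points.items() if key in mismatched)
    return (total - lost) / total

def ttl_change_accuracy(ttl_points):
    """Score for a host that matches every test except the initial TTL,
    which fails on all 11 lines at once (the 'changed default TTL' case)."""
    points = parse_matchpoints(sample_matchpoints(ttl_points))
    ttl_keys = {key for key in points if key[1] == "T"}
    return accuracy(points, ttl_keys)

def timing_outlier_accuracy(ttl_points=15):
    """Score for a host whose only mismatch is the low-weight SEQ.SP test."""
    points = parse_matchpoints(sample_matchpoints(ttl_points))
    return accuracy(points, {("SEQ", "SP")})

if __name__ == "__main__":
    for w in (15, 100):
        print(f"T={w:>3} points each -> {ttl_change_accuracy(w):.1%} match")
    print(f"SEQ.SP miss only    -> {timing_outlier_accuracy():.1%} match")
```

With these constructed weights, a single correlated change (the default TTL) costs 10% of the score at 15 points per test but over 40% at 100 points per test.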