Nmap Development mailing list archives

Re: TCP_WINDOW and TCP_MSS correlation as feature


From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 21 May 2015 10:53:17 -0500

Alex,

Thanks, this looks good! I think, though, that we can simply use either
MISSING or UNKNOWN (both of which become -1 in the feature vector) for the
(very unlikely) case where MSS is 0. We only have one fingerprint in our
whole IPv4 database that has an MSS of 0, "Fingerprint Dell EqualLogic
PeerStorage PS100E NAS device (NetBSD 1.6.2)". This would eliminate the
need to include numpy in vectorize.py and float.h in FPEngine.cc.

I am not sure what you are seeing to cause such a high novelty with
scanme.nmap.org. My scans are coming back with 5.49. Can you provide the
fingerprint you are getting?

I will commit this with these changes pending our discussion later today.

Dan

On Mon, May 11, 2015 at 12:59 PM, Alexandru Geana <alex () alegen net> wrote:

Hello devs,

During one IRC discussion, an idea was brought up to use the correlation
between TCP_WINDOW and TCP_MSS as a feature for the IPv6 logistic
regression model. Attached to this email I am sending two patches, one
for the nmap codebase and another for the ipv6tests folder which adds
this new feature.

While testing on scanme.nmap.org, I noticed that the novelty threshold
was too low (nmap had the top result with novelty at around 20.8), so
I set the FP_NOVELTY_THRESHOLD to 25.

Let me know what you think and if you find any problems with it.

Best regards,
Alexandru Geana
alegen.net

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

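Added example, not part of the thread and not Nmap's own vectorize.py or FPEngine.cc code: a small Python sketch of the TCP_WINDOW / TCP_MSS ratio feature with the MSS == 0 case mapped to the same -1 that MISSING and UNKNOWN already become, as Dan suggests above, so the vectorizer needs no infinity or NaN handling. The field names TCP_WINDOW and TCP_MSS and the proposed threshold of 25 come from the thread; the sentinel strings, the function names, the simplified Euclidean novelty score and the sample probe values are assumptions made here for illustration.

```python
"""Constructed illustration of a window/MSS ratio feature for an OS
fingerprint vector.  Not Nmap code: names and values are assumptions."""
import math

# Raw field states that the vectorizer already knows how to handle (assumed names).
MISSING = "MISSING"   # no response to the probe at all
UNKNOWN = "UNKNOWN"   # response seen, but the field could not be extracted
SENTINEL = -1.0       # both states become -1 in the feature vector (per the thread)

# Threshold proposed in the thread for flagging a fingerprint as novel.
FP_NOVELTY_THRESHOLD = 25.0


def to_number(value):
    """Map a raw field to a float, folding MISSING/UNKNOWN/None into SENTINEL."""
    if value in (MISSING, UNKNOWN, None):
        return SENTINEL
    return float(value)


def window_mss_ratio(window, mss):
    """TCP_WINDOW / TCP_MSS as a single feature.

    Returns SENTINEL when either field is MISSING/UNKNOWN or when MSS is 0,
    so a division by zero (or an infinite value) can never reach the model.
    This is the alternative to clamping with a float-max constant.
    """
    w = to_number(window)
    m = to_number(mss)
    if w == SENTINEL or m == SENTINEL or m == 0:
        return SENTINEL
    return w / m


def vectorize(probe):
    """Build [TCP_WINDOW, TCP_MSS, WINDOW_MSS_RATIO] from one probe response.

    `probe` is a dict of raw field values; absent keys are treated as MISSING.
    """
    window = probe.get("TCP_WINDOW", MISSING)
    mss = probe.get("TCP_MSS", MISSING)
    return [to_number(window), to_number(mss), window_mss_ratio(window, mss)]


def novelty(vec, class_mean):
    """Simplified novelty score: Euclidean distance from a class mean vector.

    Stand-in for the engine's real novelty computation (assumption); it only
    shows how a sentinel of -1 keeps distances finite where a huge clamp
    value would dominate the score.
    """
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(vec, class_mean)))


def is_novel(score, threshold=FP_NOVELTY_THRESHOLD):
    """True when a match should be reported as a novel fingerprint."""
    return score > threshold


if __name__ == "__main__":
    # Constructed sample responses, not real scan output.
    linux_like = {"TCP_WINDOW": 29200, "TCP_MSS": 1460}   # 29200 / 1460 == 20.0
    zero_mss = {"TCP_WINDOW": 8192, "TCP_MSS": 0}         # the rare MSS == 0 case
    no_reply = {}                                         # probe unanswered
    for name, probe in (("linux_like", linux_like), ("zero_mss", zero_mss),
                        ("no_reply", no_reply)):
        print(name, vectorize(probe))
    mean = [29200.0, 1460.0, 20.0]
    print("novelty(zero_mss):", round(novelty(vectorize(zero_mss), mean), 2))
```

The point of the sentinel route is that every "we do not know" state collapses to one value the model was already trained on; clamping MSS == 0 to a float-max constant instead would put a single outlier at an enormous distance from every class mean, which is exactly the kind of thing that inflates a novelty score.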