Re: How about sometimes showing an OS fingerprint even if there's a match?

[David Fifield <david () bamsoftware com>]

On Thu, Oct 29, 2015 at 05:09:50PM -0500, Daniel Miller wrote:
> On Thu, Oct 29, 2015 at 3:49 PM, David Fifield <[1]david () bamsoftware com>
> wrote:
>
>     What about if we print a submission fingerprint with a low probability
>     (like 0.1%) even when there is a match? Then we might get more
>     fingerprints and corrections for our existing classes. We would add a
>     special marker to these fingerprints, because people might be tempted to
>     just fill in whatever Nmap already guessed.
>
>
>
> This is what I was thinking. Since a match is based on a high probability (>90)
> and low novelty (<15) maybe we could set some different criteria for printing a
> submission print; we could collect the number of prints in the matched group
> and prompt if it is below a certain threshold (5 to 10). We could prompt
> submission for matches with a higher novelty, too, to get more natural
> variation in the reference prints. Thoughts on these ideas?

That's a good idea. My intuition says it would be better to prompt
uniformly, without regard to the quality of the match. Otherwise we only
get submissions that are slightly on the borderline, even when those
might not be the usual case. I think we already suffer from that problem
a bit in the current database. In a sense the database is composed
mostly of "hard cases": things that Nmap got wrong in the past. Whereas
it might be better to have the prevalence of hard cases match their
prevalence in reality.
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/