Heya,
I've made a small Perl script that is an interface to p0f, an OS
fingerprinting tool. It listens on a Unix domain socket and sends back
senders' OS versions.
It's available for download at <http://tehran.lain.pl/stuff/p0fexim.pl>
Sample usage:
acl_check_connect:
  warn   set acl_c14 = ${readsocket{/var/run/p0fexim/sock}{\
           $sender_host_address $sender_host_port $interface_address \
           $interface_port}{10s}{\n}{}}
         !condition  = ${if eq{}{$acl_c14}}
         log_message = p0f: $acl_c14
  accept
The value (empty if no version is reported) can be used for adding
headers for scoring with SA, and even for something I'm doing that is
extremely rude, unfair and biased:
acl_check_rcpt:
  [...]
  # past accepting mail from authenticated hosts
  # Holy RFC states that a host must wait 5 minutes for a RCPT reply.
  # Looks like a good way to sort the flock!
  warn   condition   = ${if match{$acl_c14}{Windows}}
         log_message = Delaying a Microsoft Windows zombie for 3 minutes
         delay       = 180s
Requires p0f 2.0.8. Setup details are included in the script's comments.
p0f itself is available at <http://lcamtuf.coredump.cx/p0f.shtml>
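As an added example (not the author's p0fexim.pl), here is a minimal Python helper implementing the Exim-facing side of the contract the ACL above relies on: it reads the four space-separated fields that readsocket sends, validates them as untrusted input, and answers with one newline-terminated line that is empty when nothing is known, which is what the eq{}{$acl_c14} test depends on. The p0f query itself is replaced by a constructed lookup table; the socket path matches the one in the ACL.

```python
import ipaddress
import os
import socket
import socketserver

def parse_request(line: bytes):
    # 'src_ip src_port iface_ip iface_port' exactly as the readsocket above sends it;
    # None for anything malformed, since the peer's address fields are untrusted.
    fields = line.decode("ascii", "replace").split()
    if len(fields) != 4:
        return None
    try:
        src, dst = ipaddress.ip_address(fields[0]), ipaddress.ip_address(fields[2])
        sport, dport = int(fields[1]), int(fields[3])
    except ValueError:
        return None
    if not (0 < sport < 65536 and 0 < dport < 65536):
        return None
    return str(src), sport, str(dst), dport

def build_reply(os_label) -> bytes:
    # One newline-terminated line, empty when p0f has no match (the ACL tests eq{}).
    # Control characters are stripped so the value cannot add lines to Exim's log.
    clean = "".join(ch for ch in (os_label or "") if 32 <= ord(ch) < 127)
    return clean[:80].encode("ascii") + b"\n"

def handle(conn: socket.socket, lookup) -> bytes:
    # Serve one readsocket query on an accepted connection; returns the bytes sent.
    conn.settimeout(5)
    req = parse_request(conn.makefile("rb").readline())
    reply = build_reply(lookup(*req) if req else None)
    conn.sendall(reply)
    return reply

# Constructed stand-in for the p0f query; a real helper asks p0f's query socket.
CONSTRUCTED_TABLE = {"192.0.2.10": "Windows XP/2000 (RFC1323+, w+, tstamp-)"}

def table_lookup(src, sport, dst, dport):
    return CONSTRUCTED_TABLE.get(src)

def serve(path="/var/run/p0fexim/sock", lookup=table_lookup):
    class Handler(socketserver.BaseRequestHandler):
        def handle(self):
            handle(self.request, lookup)
    if os.path.exists(path):
        os.unlink(path)
    with socketserver.ThreadingUnixStreamServer(path, Handler) as srv:
        os.chmod(path, 0o660)  # reachable only by the exim user/group
        srv.serve_forever()
```

Run serve() as a daemon under the exim user; a query that times out or arrives malformed yields an empty line, so the ACL simply skips the warn.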
Enjoy!
--
Unix stuff :: http://tehran.lain.pl
Yet Another RBL :: http://rbl.lain.pl