[exim] passive OS fingerprinting in Exim

Góra strony
Delete this message
Reply to this message
Autor: Stanislaw Halik
Data:  
Dla: exim-users
Temat: [exim] passive OS fingerprinting in Exim
Heya,

I've made a small Perl script being an interface to p0f, an OS
fingerprinting tool. It listens on an Unix Domain Socket and sends back
senders' OS versions.

It's available for download at <http://tehran.lain.pl/stuff/p0fexim.pl>

Sample usage:

    acl_check_connect:
      warn    set acl_c14   = ${readsocket{/var/run/p0fexim/sock}{\
        $sender_host_address $sender_host_port $interface_address\
        $interface_port}{10s}{\n}{}}
              !condition    = ${if eq{}{$acl_c14}}
              log_message   = p0f: $acl_c14
     accept


The value (empty if no version is reported) can be used for adding
headers for scoring with SA and even something I'm doing, extremely
rude, unfair and biased:

    acl_check_rcpt:
    [...]
    # past accepting mail from authenticated hosts


    # Holy RFC states that a host must wait 5 minutes for a RCPT reply.
    # Looks like a good way to sort the flock!
       warn condition   = ${if match{$acl_c14}{Windows}}
            log_message = Delaying a Microsoft Windows zombie for 3 minutes
            delay       = 180s


Requires p0f 2.0.8. Setup details are included in script's comments.

p0f itself is available at <http://lcamtuf.coredump.cx/p0f.shtml>

Enjoy!

-- 
Unix stuff      :: http://tehran.lain.pl
Yet Another RBL :: http://rbl.lain.pl