p0f permet de déterminer (avec une assez bonne précision) l’OS d’une machine distante et ce de manière passive (pas à la manière de NMAP).

Comment lancer p0f pour analyser les paquets à destination du port 25 et ne faisant pas partie du lan/vpn/…. ?

p0ffilter=”( not src 127.0.0.1 and not src net 192.168.0.0/16″

for oneip in `/sbin/ifconfig 2>/dev/null | grep -v 127.0.0.1 | grep ‘inet adr’ | sed -e ‘s/.*adr://’ -e ‘s/ .*//’`; do
p0ffilter=”$p0ffilter and not src host $oneip”
done

p0ffilter=”$p0ffilter ) and tcp dst port 25″

killall p0f
killall p0f-analyzer

nohup /usr/sbin/p0f -i any -l “$p0ffilter” 2>&1 | nohup /usr/sbin/p0f-analyzer 2345 >/dev/null &

Ce script (assez sale il est vrai) permet de lancer p0f.

Une fois p0f lancé il est possible d’interroger p0f-analyzer en UDP sur le port 2345

Il faut ensuite modifier /etc/amavis/conf.d/50-user
on ajoutera:
$os_fingerprint_method = ‘p0f:127.0.0.1:2345′;

on relance ensuite amavis (/etc/init.d/amavisd restart)

Il faut ensuite créer /etc/spamassassin/p0f.cf contenant:

header P0F_WIN311 X-p0f-OS =~ /^Windows 3.11/
score P0F_WIN311 3.0
describe P0F_WIN311 Client is running Windows 3.11

header P0F_WIN95 X-p0f-OS =~ /^Windows 95/
score P0F_WIN95 3.0
describe P0F_WIN95 Client is running Windows 95

header P0F_WIN98 X-p0f-OS =~ /^Windows 98/
score P0F_WIN98 3.0
describe P0F_WIN98 Client is running Windows 98

header P0F_WINME X-p0f-OS =~ /^Windows ME/
score P0F_WINME 3.0
describe P0F_WINME Client is running Windows ME

header P0F_WINNT X-p0f-OS =~ /^Windows NT/
score P0F_WINNT 0.5
describe P0F_WINNT Client is running Windows NT

header P0F_WIN2K X-p0f-OS =~ /^Windows 2000(?!.*XP)/
score P0F_WIN2K 1.5
describe P0F_WIN2K Client is running Windows 2000

header P0F_WINXP X-p0f-OS =~ /^Windows XP(?!.*2000)/
score P0F_WINXP 2.5
describe P0F_WINXP Client is running Windows XP

header P0F_WINXP2K X-p0f-OS =~ /^Windows (XP.+2000|2000.+XP)/
score P0F_WINXP2K 1.5
describe P0F_WINXP2K Client is running Windows 2000 or XP

header P0F_WIN2K3 X-p0f-OS =~ /^Windows 2003/
score P0F_WIN2K3 0.2
describe P0F_WIN2K3 Client is running Windows 2003

header P0F_WINNET X-p0f-OS =~ /^Windows \.NET/
score P0F_WINNET 0.2
describe P0F_WINNET Client is running Windows .NET Enterprise Server

header P0F_WINCE X-p0f-OS =~ /^Windows CE/
score P0F_WINCE 0.1
describe P0F_WINCE Client is running Windows CE

header P0F_WINVISTA X-p0f-OS =~ /^Windows Vista/
score P0F_WINVISTA 2.5
describe P0F_WINVISTA Client is running Windows Vista

header P0F_MACOS X-p0f-OS =~ /^MacOS/
score P0F_MACOS 0.1
describe P0F_MACOS Client is running Mac OS

header P0F_FREEBSD X-p0f-OS =~ /^FreeBSD/
score P0F_FREEBSD -0.1
describe P0F_FREEBSD Client is running FreeBSD

header P0F_OPENBSD X-p0f-OS =~ /^OpenBSD/
score P0F_OPENBSD -1.0
describe P0F_OPENBSD Client is running OpenBSD

header P0F_NETBSD X-p0f-OS =~ /^NetBSD/
score P0F_NETBSD -1.0
describe P0F_NETBSD Client is running NetBSD

header P0F_SOLARIS X-p0f-OS =~ /^Solaris/
score P0F_SOLARIS -1.0
describe P0F_SOLARIS Client is running Solaris

header P0F_HPUX X-p0f-OS =~ /^HP-UX/
score P0F_HPUX -1.0
describe P0F_HPUX Client is running HP-UX

header P0F_TRU64 X-p0f-OS =~ /^Tru64/
score P0F_TRU64 -1.0
describe P0F_TRU64 Client is running Tru64

header P0F_AIX X-p0f-OS =~ /^AIX/
score P0F_AIX -1.0
describe P0F_AIX Client is running AIX

header P0F_LINUX X-p0f-OS =~ /^Linux/
score P0F_LINUX -0.5
describe P0F_LINUX Client is running Linux

header P0F_SUNOS X-p0f-OS =~ /^SunOS/
score P0F_SUNOS -1.0
describe P0F_SUNOS Client is running SunOS

header P0F_IRIX X-p0f-OS =~ /^IRIX/
score P0F_IRIX -1.0
describe P0F_IRIX Client is running IRIX

header P0F_OPENVMS X-p0f-OS =~ /^OpenVMS/
score P0F_OPENVMS -1.0
describe P0F_OPENVMS Client is running OpenVMS

header P0F_RISCOS X-p0f-OS =~ /^RISC OS/
score P0F_RISCOS -1.0
describe P0F_RISCOS Client is running RISC OS

header P0F_BSD X-p0f-OS =~ /^BSD/
score P0F_BSD -1.0
describe P0F_BSD Client is running BSD/OS

header P0F_NEWTON X-p0f-OS =~ /^NewtonOS/
score P0F_NEWTON 0.1
describe P0F_NEWTON Client is running NewtonOS

header P0F_NEXT X-p0f-OS =~ /^NeXTSTEP/
score P0F_NEXT -1.0
describe P0F_NEXT Client is running NeXTSTEP

header P0F_BEOS X-p0f-OS =~ /^BeOS/
score P0F_BEOS -1.0
describe P0F_BEOS Client is running BeOS

header P0F_OS400 X-p0f-OS =~ /^OS\/400/
score P0F_OS400 -1.0
describe P0F_OS400 Client is running OS/400

header P0F_ULTRIX X-p0f-OS =~ /^ULTRIX/
score P0F_ULTRIX -1.0
describe P0F_ULTRIX Client is running ULTRIX

header P0F_QNX X-p0f-OS =~ /^QNX/
score P0F_QNX -1.0
describe P0F_QNX Client is running QNX

header P0F_NETWARE X-p0f-OS =~ /^Novell NetWare/
score P0F_NETWARE 2.0
describe P0F_NETWARE Client is running NetWare

header P0F_INTRANETWARE X-p0f-OS =~ /^Novell IntranetWare/
score P0F_INTRANETWARE 2.0
describe P0F_INTRANETWARE Client is running IntranetWare

header P0F_BORDERMGR X-p0f-OS =~ /^Novell BorderManager/
score P0F_BORDERMGR 2.0
describe P0F_BORDERMGR Client is running BorderManager

header P0F_SCO X-p0f-OS =~ /^SCO/
score P0F_SCO -1.0
describe P0F_SCO Client is running SCO

header P0F_DOS X-p0f-OS =~ /^DOS/
score P0F_DOS 3.0
describe P0F_DOS Client is running DOS

header P0F_OS2 X-p0f-OS =~ /^OS\/2/
score P0F_OS2 2.0
describe P0F_OS2 Client is running OS/2

header P0F_TOPS20 X-p0f-OS =~ /^TOPS-20/
score P0F_TOPS20 -1.0
describe P0F_TOPS20 Client is running TOPS-20

header P0F_AMIGA X-p0f-OS =~ /^AMIGA/
score P0F_AMIGA 1.0
describe P0F_AMIGA Client is running AMIGAOS

header P0F_MINIX X-p0f-OS =~ /Minix/
score P0F_MINIX -1.0
describe P0F_MINIX Client is running Minix

header P0F_PLAN9 X-p0f-OS =~ /^Plan9/
score P0F_PLAN9 -1.0
describe P0F_PLAN9 Client is running Plan9

header P0F_FREEMINT X-p0f-OS =~ /^FreeMiNT/
score P0F_FREEMINT 1.0
describe P0F_FREEMINT Client is running FreeMiNT

header P0F_NETCACHE X-p0f-OS =~ /^NetCache/
score P0F_NETCACHE -0.1
describe P0F_NETCACHE Client is running NetCache

header P0F_CACHEFLOW X-p0f-OS =~ /^CacheFlow/
score P0F_CACHEFLOW -0.1
describe P0F_CACHEFLOW Client is running CacheFlow

header P0F_POWERAPP X-p0f-OS =~ /^Dell PowerApp/
score P0F_POWERAPP -0.1
describe P0F_POWERAPP Client is running PowerApp

header P0F_PALMOS X-p0f-OS =~ /^PalmOS/
score P0F_PALMOS 0.1
describe P0F_PALMOS Client is running PalmOS

header P0F_SYMBIANOS X-p0f-OS =~ /^SymbianOS/
score P0F_SYMBIANOS 0.1
describe P0F_SYMBIANOS Client is running SymbianOS

header P0F_ZAURUS X-p0f-OS =~ /^Zaurus/
score P0F_ZAURUS 0.1
describe P0F_ZAURUS Client is running Zaurus

header P0F_POCKETPC X-p0f-OS =~ /^PocketPC/
score P0F_POCKETPC 0.1
describe P0F_POCKETPC Client is running PocketPC

header P0F_CONTIKI X-p0f-OS =~ /^Contiki/
score P0F_CONTIKI 0.1
describe P0F_CONTIKI Client is running Contiki

header P0F_PLAYSTATION X-p0f-OS =~ /^Sony Playstation/
score P0F_PLAYSTATION 3.0
describe P0F_PLAYSTATION Client is running Sony Playstation

header P0F_DREAMCAST X-p0f-OS =~ /^Sega Dreamcast/
score P0F_DREAMCAST 3.0
describe P0F_DREAMCAST Client is running Sega Dreamcast

header P0F_UNKNOWN X-p0f-OS =~ /^UNKNOWN/
score P0F_UNKNOWN 0.8
describe P0F_UNKNOWN Client OS is unknown

redémarrons spamassassin (/etc/init.d/spamassassin restart)

Si tout va bien l’entete X-Amavis-OS-Fingerprint: apparait dans les mails.

Spamassassin peut donc “scorer” les mails en fonction de cet entete.

! Attention ! Il faut une version >= 2.4.3 de amavisd