Nmap Development mailing list archives

How about sometimes showing an OS fingerprint even if there's a match?


From: David Fifield <david () bamsoftware com>
Date: Thu, 29 Oct 2015 13:49:38 -0700

On Thu, Oct 29, 2015 at 09:27:23AM -0500, Daniel Miller wrote:
> As David pointed out in his talk at AISec [1], the IPv6 OS fingerprint engine
> doesn't get nearly as many submissions. Since April, we received only 9
> fingerprint submissions! There are a few reasons this could be:
>
> * People aren't scanning IPv6 systems. Even if you don't have IPv6 set up on
> your network, you can often talk IPv6 to your LAN neighbors. Try using some of
> the targets-ipv6-multicast-* NSE scripts to discover interesting things!
>
> * There are relatively fewer IPv6 stacks out there. Every printer, switch, or
> lightbulb out there speaks IPv4, so we get lots of interesting submissions, but
> IPv6 submissions are pretty much all for the major desktop and server OSs.
>
> * The IPv6 engine is good at classifying things it hasn't seen before. This
> means that Nmap is less likely to print a fingerprint and request submission,
> even when something is different about the print that would cause a mismatch
> under the IPv4 system. We should investigate printing a submission prompt even
> when there's a good match if the novelty factor is on the high end.

What about if we print a submission fingerprint with a low probability
(like 0.1%) even when there is a match? Then we might get more
fingerprints and corrections for our existing classes. We would add a
special marker to these fingerprints, because people might be tempted to
just fill in whatever Nmap already guessed.
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

