Nmap Development mailing list archives
Re: FP_NOVELTY_THRESHOLD used in IPv6 OS detection
From: David Fifield <david () bamsoftware com>
Date: Tue, 17 Feb 2015 07:42:21 -0800
On Tue, Feb 17, 2015 at 10:32:55AM +0100, Alexandru Geana wrote:
> Hello nmap devs,
>
> I am currently in the process of exploring how nmap does OS probing and detection over IPv6. I have a pretty good understanding of the underlying concepts, but there is still one thing I don't get. The novelty detection feature has a threshold which is set to 15 as explained in [1] and also visible in FPEngine.h [2]. How was this value calculated/chosen?

It was just trial and error with our library of IPv6 samples. We get new submissions from time to time, and we tried to set the threshold so that the submissions that were truly different were detected as such. You can find some information in the comment above the novelty_of function in FPEngine.cc.

David Fifield