anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(prober/osfp): P0fV2Provider + factory dispatch

Browse Source 
- decnet/prober/osfp/p0f/provider.py: P0fV2Provider loads the four
  vendored .fp files into per-context signature lists (syn / synack /
  rst / stray) and matches via highest-specificity score across the
  relevant list. Also auto-picks up p0f-decnet.fp if present (GPL-3.0
  additions land there later, empty for now).
- decnet/prober/osfp/factory.py: get_provider / get_all_providers /
  reset_cache, mirrors decnet/geoip/factory exactly. Env-dispatched
  via DECNET_OSFP_PROVIDERS (default "p0f-v2"). Reserved names
  "nmap-osdb" (pending Fyodor's grant) and "decnet-observed" (our
  future curated DB) raise NotImplementedError — visible on the
  factory surface so a typo doesn't silently fall through.
- decnet/prober/osfp/__init__.py now re-exports the public API so
  callers use `from decnet.prober.osfp import get_provider` without
  reaching into submodules (upholds the provider-subpackage rule).

15 new provider+factory tests covering:
- All four DB contexts load (262/61/46/6 sigs per inventory).
- Known-good Linux 2.6 SYN + Linux 2.2 SYN-ACK match end-to-end.
- Unknown observations / contexts return None, not raise.
- Factory memoises, env override honoured, unsupported names raise.
- Reserved names raise NotImplementedError (not silent None).

`sniffer_rollup` wiring lands in the next commit.
This commit is contained in:
anti
2026-04-24 11:50:46 -04:00
parent 41ff6b4b03
commit 8a430bf725
4 changed files with 394 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
decnet/prober/osfp/__init__.py
View File

@@ -1,12 +1,27 @@
"""Passive + active OS fingerprinting providers.
Consumed by the profiler's `sniffer_rollup` (and, longer-term, by a
dedicated prober pass). Each provider implements `base.Provider`: given a
dict of observed TCP/IP quirks (window, wscale, mss, options signature,
TTL, etc.), return a best-match OS label with confidence.
dedicated prober pass). Each provider implements `base.Provider`: given
a dict of observed TCP/IP quirks (window, wscale, mss, options
signature, TTL, etc.), return a best-match OS label with confidence.
Layout mirrors `decnet/geoip/` and `decnet/bus/`: `base.py` defines the
protocol, `factory.py` is the only sanctioned accessor, and each concrete
source (p0f, eventually nmap-osdb / our own curated DB) lives in its own
subpackage. Don't import concrete provider classes directly.
protocol, `factory.py` is the only sanctioned accessor, and each
concrete source (p0f today, nmap-osdb / DECNET-observed later) lives in
its own subpackage. Don't import concrete provider classes directly
use :func:`factory.get_provider` or :func:`factory.get_all_providers`.
"""
from decnet.prober.osfp.base import OsMatch, Provider
from decnet.prober.osfp.factory import (
get_all_providers,
get_provider,
reset_cache,
)
__all__ = [
"OsMatch",
"Provider",
"get_all_providers",
"get_provider",
"reset_cache",
]