Fix all ruff lint errors across decnet/, templates/, and tests/

CLAUDE.md

@@ -54,3 +54,4 @@ DECNET is a honeypot/deception network framework. It deploys fake machines (call
 - NEVER pass broken code to the user.
     - Broken means: not running, not passing 100% tests, etc.
 - After tests pass with 100%, always git commit your changes.
+- NEVER add "Co-Authored-By" or any Claude attribution lines to git commit messages.

NOTES.md

@@ -51,3 +51,63 @@ docker network create -d macvlan \
 #### Issues
 
 This initial test doesn't seem to be working. Might be that I'm using WSL, so I downloaded a Ubuntu 22.04 Server ISO. I'll try the MACVLAN network on it. Now, if that doesn't work, I don't see how the 802.1q would work, at least on _my network_. Perhaps if I had a switch I could make it work, but currently I don't have one :c
+
+---
+
+# TODO
+
+## Core / Hardening
+
+- [ ] **Attacker fingerprinting** — Beyond IP logging: capture TLS JA3/JA4 hashes, TCP window sizes, User-Agent strings, SSH client banners, and tool signatures (nmap, masscan, Metasploit, Cobalt Strike). Build attacker profiles across sessions.
+- [ ] **Canary tokens** — Embed canary URLs, fake AWS keys, fake API tokens, and honeydocs (PDF/DOCX with phone-home URLs) into decky filesystems. Fire an alert the moment one is used.
+- [ ] **Tarpit mode** — Slow down attackers by making services respond extremely slowly (e.g., SSH that takes 60s to reject, HTTP that drip-feeds bytes). Wastes attacker time and resources.
+- [ ] **Dynamic decky mutation** — Deckies that change their exposed services or OS fingerprint over time to confuse port-scan caching and appear more "alive."
+- [ ] **Credential harvesting DB** — Every username/password attempt across all services lands in a queryable database. Expose via CLI (`decnet creds`) and flag reuse across deckies.
+- [ ] **Session recording** — Full session capture for SSH/Telnet (keystroke logs, commands run, files downloaded). Cowrie already does this — surface it better in the CLI and correlation engine.
+- [ ] **Payload capture** — Store every file uploaded or command executed by an attacker. Hash and auto-submit to VirusTotal or a local sandbox.
+
+## Detection & Intelligence
+
+- [ ] **Real-time alerting** — Webhook/Slack/Telegram notifications when an attacker hits a decky for the first time, crosses N deckies (lateral movement), or uses a known bad IP.
+- [ ] **Threat intel enrichment** — Auto-lookup attacker IPs against AbuseIPDB, Shodan, GreyNoise, and AlienVault OTX. Tag known scanners vs. targeted attackers.
+- [ ] **Attack campaign clustering** — Group attacker sessions by tooling signatures, timing patterns, and credential sets. Identify coordinated campaigns hitting multiple deckies.
+- [ ] **GeoIP mapping** — Attacker origin on a world map. Correlate with ASN data to identify cloud exit nodes, VPNs, and Tor exits.
+- [ ] **TTPs tagging** — Map observed attacker behaviors to MITRE ATT&CK techniques automatically. Tag events in the correlation engine.
+- [ ] **Honeypot interaction scoring** — Score attackers on a scale: casual scanner vs. persistent targeted attacker, based on depth of interaction and commands run.
+
+## Dashboard & Visibility
+
+- [ ] **Web dashboard** — Real-time web UI showing live decky status, attacker activity, traversal graphs, and credential stats. Could be a simple FastAPI + HTMX or a full React app.
+- [ ] **Pre-built Kibana/Grafana dashboards** — Ship dashboard JSON exports out of the box so ELK/Grafana deployments are plug-and-play.
+- [ ] **CLI live feed** — `decnet watch` command: tail all decky logs in a unified, colored terminal stream (like `docker-compose logs -f` but prettier).
+- [ ] **Traversal graph export** — Export attacker traversal graphs as DOT/Graphviz or JSON for visualization in external tools.
+- [ ] **Daily digest** — Automated daily summary email/report: new attackers, top credentials tried, most-hit services.
+
+## Deployment & Infrastructure
+
+- [ ] **SWARM / multihost mode** — Full Ansible-based orchestration for deploying deckies across N real hosts.
+- [ ] **Terraform/Pulumi provider** — Spin up cloud-hosted deckies on AWS/GCP/Azure with one command. Useful for internet-facing honeynets.
+- [ ] **Auto-scaling** — When attack traffic increases, automatically spawn more deckies to absorb and log more activity.
+- [ ] **Kubernetes deployment mode** — Run deckies as Kubernetes pods for environments already running k8s.
+- [ ] **Proxmox/libvirt backend** — Full VM-based deckies instead of containers, for even more realistic OS fingerprints and behavior. Docker for speed; VMs for realism.
+- [ ] **Raspberry Pi / ARM support** — Low-cost physical honeynets using RPis. Validate ARM image builds.
+- [ ] **Decky health monitoring** — Watchdog that auto-restarts crashed deckies and alerts if a service goes dark.
+
+## Services & Realism
+
+- [ ] **HTTPS/TLS support** — HTTP honeypot with a self-signed or Let's Encrypt cert. Many real-world services use HTTPS; plain HTTP stands out.
+- [ ] **Fake Active Directory** — A convincing fake AD/LDAP with fake users, groups, and GPOs. Attacker tools like BloodHound should get juicy (fake) data.
+- [ ] **Fake file shares** — SMB/NFS shares pre-populated with enticing but fake files: "passwords.xlsx", "vpn_config.ovpn", "backup_keys.tar.gz". All instrumented to detect access.
+- [ ] **Realistic web apps** — HTTP honeypot serving convincing fake apps: a fake WordPress, a fake phpMyAdmin, a fake Grafana login — all logging every interaction.
+- [ ] **OT/ICS profiles** — Expand Conpot support: Modbus, DNP3, BACnet, EtherNet/IP. Convincing industrial control system decoys.
+- [ ] **Printer/IoT archetypes** — Expand existing printer/camera archetypes with actual service emulation (IPP, ONVIF, WS-Discovery).
+- [ ] **Service interaction depth** — Some services currently just log the connection. Deepen interaction: fake MySQL that accepts queries and returns realistic fake data, fake Redis that stores and retrieves dummy keys.
+
+## Developer Experience
+
+- [ ] **Plugin SDK docs** — Full documentation and an example plugin for adding custom services. Lower the barrier for community contributions.
+- [ ] **Integration tests** — Full deploy/teardown cycle tests against a real Docker daemon (not just unit tests).
+- [ ] **Per-service tests** — Each of the 29 service implementations deserves its own test coverage.
+- [ ] **CI/CD pipeline** — GitHub/Gitea Actions: run tests on push, lint, build Docker images, publish releases.
+- [ ] **Config validation CLI** — `decnet validate my.ini` to dry-check an INI config before deploying.
+- [ ] **Config generator wizard** — `decnet wizard` interactive prompt to generate an INI config without writing one by hand.

decnet.loggy

@@ -0,0 +1,67 @@
+<134>1 2026-04-04T16:47:35.043011+00:00 decky-webmail imap - startup - IMAP server starting as decky-webmail
+<134>1 2026-04-04T16:47:35.060440+00:00 decky-webmail pop3 - startup - POP3 server starting as decky-webmail
+<134>1 2026-04-04T16:47:35.069115+00:00 decky-webmail smtp - startup - SMTP server starting as decky-webmail
+<134>1 2026-04-04T16:47:35.104201+00:00 decky-webmail http - startup - HTTP server starting as decky-webmail
+<134>1 2026-04-04T16:51:01.411046+00:00 decky-webmail pop3 - connect [decnet@55555 src="192.168.1.5" src_port="59680"]
+<134>1 2026-04-04T16:51:01.411027+00:00 decky-webmail smtp - connect [decnet@55555 src="192.168.1.5" src_port="33466"]
+<134>1 2026-04-04T16:51:01.411091+00:00 decky-webmail imap - connect [decnet@55555 src="192.168.1.5" src_port="33398"]
+<134>1 2026-04-04T16:51:01.413563+00:00 decky-webmail smtp - disconnect [decnet@55555 src="192.168.1.5"]
+<134>1 2026-04-04T16:51:07.417871+00:00 decky-webmail imap - command [decnet@55555 src="192.168.1.5" cmd="GET / HTTP/1.0"]
+<134>1 2026-04-04T16:51:07.417871+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd=""]
+<134>1 2026-04-04T16:51:07.418218+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd=""]
+<134>1 2026-04-04T16:51:07.418109+00:00 decky-webmail http - request [decnet@55555 method="GET" path="/" remote_addr="192.168.1.5" headers="{}" body=""]
+<134>1 2026-04-04T16:51:12.424301+00:00 decky-webmail pop3 - disconnect [decnet@55555 src="192.168.1.5"]
+<134>1 2026-04-04T16:51:12.424128+00:00 decky-webmail imap - disconnect [decnet@55555 src="192.168.1.5"]
+<134>1 2026-04-04T16:51:12.424685+00:00 decky-webmail pop3 - connect [decnet@55555 src="192.168.1.5" src_port="58716"]
+<134>1 2026-04-04T16:51:12.424685+00:00 decky-webmail imap - connect [decnet@55555 src="192.168.1.5" src_port="46678"]
+<134>1 2026-04-04T16:51:12.424779+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd="OPTIONS / HTTP/1.0"]
+<134>1 2026-04-04T16:51:12.424823+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd=""]
+<134>1 2026-04-04T16:51:17.429409+00:00 decky-webmail pop3 - disconnect [decnet@55555 src="192.168.1.5"]
+<134>1 2026-04-04T16:51:17.429409+00:00 decky-webmail imap - disconnect [decnet@55555 src="192.168.1.5"]
+<134>1 2026-04-04T16:51:17.432110+00:00 decky-webmail http - request [decnet@55555 method="GET" path="/" remote_addr="192.168.1.5" headers="{}" body=""]
+<134>1 2026-04-04T16:51:17.432422+00:00 decky-webmail http - request [decnet@55555 method="GET" path="/nmaplowercheck1775321477" remote_addr="192.168.1.5" headers="{'Connection': 'close', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Host': '192.168.1.110'}" body=""]
+<134>1 2026-04-04T16:51:17.432595+00:00 decky-webmail http - request [decnet@55555 method="POST" path="/sdk" remote_addr="192.168.1.5" headers="{'Content-Length': '441', 'Connection': 'close', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Host': '192.168.1.110'}" body="<soap:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Header><operationID>00000001-00000001</operationID></soap:Header><soap:Body><RetrieveServiceContent xmlns=\"urn:internalvim25\"><_this xsi:type=\"ManagedObjectReference\" type=\"ServiceInstance\">ServiceInstance</_this></RetrieveServiceContent></soap:Body></soap:Envelope>"]
+<134>1 2026-04-04T16:51:17.433666+00:00 decky-webmail http - request [decnet@55555 method="GET" path="/NmapUpperCheck1775321477" remote_addr="192.168.1.5" headers="{'Connection': 'close', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Host': '192.168.1.110'}" body=""]
+<134>1 2026-04-04T16:51:17.434139+00:00 decky-webmail http - request [decnet@55555 method="GET" path="/Nmap/folder/check1775321477" remote_addr="192.168.1.5" headers="{'Connection': 'close', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Host': '192.168.1.110'}" body=""]
+<134>1 2026-04-04T16:51:17.434777+00:00 decky-webmail http - request [decnet@55555 method="GET" path="/" remote_addr="192.168.1.5" headers="{}" body=""]
+<134>1 2026-04-04T16:51:17.435105+00:00 decky-webmail http - request [decnet@55555 method="GET" path="/" remote_addr="192.168.1.5" headers="{'Host': '192.168.1.110'}" body=""]
+<134>1 2026-04-04T16:51:34.749385+00:00 decky-webmail smtp - connect [decnet@55555 src="192.168.1.5" src_port="54390"]
+<134>1 2026-04-04T16:51:38.893217+00:00 decky-webmail smtp - disconnect [decnet@55555 src="192.168.1.5"]
+<134>1 2026-04-04T16:51:39.760749+00:00 decky-webmail smtp - connect [decnet@55555 src="192.168.1.5" src_port="42478"]
+<134>1 2026-04-04T16:51:42.659137+00:00 decky-webmail smtp - disconnect [decnet@55555 src="192.168.1.5"]
+<134>1 2026-04-04T16:51:43.383093+00:00 decky-webmail smtp - connect [decnet@55555 src="192.168.1.5" src_port="42490"]
+<134>1 2026-04-04T16:51:48.805111+00:00 decky-webmail smtp - disconnect [decnet@55555 src="192.168.1.5"]
+<134>1 2026-04-04T16:52:08.494180+00:00 decky-webmail smtp - connect [decnet@55555 src="192.168.1.5" src_port="47606"]
+<134>1 2026-04-04T16:52:08.494275+00:00 decky-webmail imap - connect [decnet@55555 src="192.168.1.5" src_port="47248"]
+<134>1 2026-04-04T16:52:08.494198+00:00 decky-webmail pop3 - connect [decnet@55555 src="192.168.1.5" src_port="52232"]
+<134>1 2026-04-04T16:52:08.496668+00:00 decky-webmail smtp - disconnect [decnet@55555 src="192.168.1.5"]
+<134>1 2026-04-04T16:52:14.500480+00:00 decky-webmail imap - command [decnet@55555 src="192.168.1.5" cmd="GET / HTTP/1.0"]
+<134>1 2026-04-04T16:52:14.500457+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd=""]
+<134>1 2026-04-04T16:52:14.500787+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd=""]
+<134>1 2026-04-04T16:52:14.500713+00:00 decky-webmail http - request [decnet@55555 method="GET" path="/" remote_addr="192.168.1.5" headers="{}" body=""]
+<134>1 2026-04-04T16:52:19.505408+00:00 decky-webmail pop3 - disconnect [decnet@55555 src="192.168.1.5"]
+<134>1 2026-04-04T16:52:19.505542+00:00 decky-webmail imap - disconnect [decnet@55555 src="192.168.1.5"]
+<134>1 2026-04-04T16:52:19.505859+00:00 decky-webmail pop3 - connect [decnet@55555 src="192.168.1.5" src_port="55298"]
+<134>1 2026-04-04T16:52:19.505871+00:00 decky-webmail imap - connect [decnet@55555 src="192.168.1.5" src_port="53678"]
+<134>1 2026-04-04T16:52:19.505962+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd="OPTIONS / HTTP/1.0"]
+<134>1 2026-04-04T16:52:19.506002+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd=""]
+<134>1 2026-04-04T16:52:24.511171+00:00 decky-webmail pop3 - disconnect [decnet@55555 src="192.168.1.5"]
+<134>1 2026-04-04T16:52:24.511202+00:00 decky-webmail imap - disconnect [decnet@55555 src="192.168.1.5"]
+<134>1 2026-04-04T16:52:24.514169+00:00 decky-webmail http - request [decnet@55555 method="POST" path="/sdk" remote_addr="192.168.1.5" headers="{'Connection': 'close', 'Content-Length': '441', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Host': '192.168.1.110'}" body="<soap:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Header><operationID>00000001-00000001</operationID></soap:Header><soap:Body><RetrieveServiceContent xmlns=\"urn:internalvim25\"><_this xsi:type=\"ManagedObjectReference\" type=\"ServiceInstance\">ServiceInstance</_this></RetrieveServiceContent></soap:Body></soap:Envelope>"]
+<134>1 2026-04-04T16:52:24.514312+00:00 decky-webmail http - request [decnet@55555 method="GET" path="/" remote_addr="192.168.1.5" headers="{}" body=""]
+<134>1 2026-04-04T16:52:24.514488+00:00 decky-webmail http - request [decnet@55555 method="GET" path="/nmaplowercheck1775321544" remote_addr="192.168.1.5" headers="{'Connection': 'close', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Host': '192.168.1.110'}" body=""]
+<134>1 2026-04-04T16:52:24.515528+00:00 decky-webmail http - request [decnet@55555 method="GET" path="/NmapUpperCheck1775321544" remote_addr="192.168.1.5" headers="{'Connection': 'close', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Host': '192.168.1.110'}" body=""]
+<134>1 2026-04-04T16:52:24.515980+00:00 decky-webmail http - request [decnet@55555 method="GET" path="/Nmap/folder/check1775321544" remote_addr="192.168.1.5" headers="{'Connection': 'close', 'User-Agent': 'Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)', 'Host': '192.168.1.110'}" body=""]
+<134>1 2026-04-04T16:52:24.516620+00:00 decky-webmail http - request [decnet@55555 method="GET" path="/" remote_addr="192.168.1.5" headers="{}" body=""]
+<134>1 2026-04-04T16:52:24.516968+00:00 decky-webmail http - request [decnet@55555 method="GET" path="/" remote_addr="192.168.1.5" headers="{'Host': '192.168.1.110'}" body=""]
+<134>1 2026-04-04T16:52:35.439785+00:00 decky-webmail pop3 - connect [decnet@55555 src="192.168.1.5" src_port="49670"]
+<134>1 2026-04-04T16:52:37.076291+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd="HELO"]
+<134>1 2026-04-04T16:52:42.932280+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd="ehlo admi"]
+<134>1 2026-04-04T16:52:45.465570+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd="asd"]
+<134>1 2026-04-04T16:52:46.486189+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd="dasj"]
+<134>1 2026-04-04T16:52:46.956036+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd="'"]
+<134>1 2026-04-04T16:52:48.801830+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd="<><>"]
+<134>1 2026-04-04T16:52:49.394539+00:00 decky-webmail pop3 - disconnect [decnet@55555 src="192.168.1.5"]
+<134>1 2026-04-04T16:52:58.849990+00:00 decky-webmail pop3 - connect [decnet@55555 src="192.168.1.5" src_port="45614"]
+<134>1 2026-04-04T16:53:02.461472+00:00 decky-webmail pop3 - command [decnet@55555 src="192.168.1.5" cmd="hola los cabros como están"]
+<134>1 2026-04-04T16:53:30.334307+00:00 decky-webmail pop3 - disconnect [decnet@55555 src="192.168.1.5"]

decnet/correlation/engine.py

@@ -22,7 +22,6 @@ Usage
 
 from __future__ import annotations
 
-import json
 from collections import defaultdict
 from pathlib import Path
 

decnet/correlation/parser.py

@@ -17,7 +17,7 @@ The attacker IP may appear under several field names depending on service:
 from __future__ import annotations
 
 import re
-from dataclasses import dataclass, field
+from dataclasses import dataclass
 from datetime import datetime
 
 # RFC 5424 line structure

decnet/deployer.py

@@ -14,11 +14,8 @@ from decnet.config import DecnetConfig, clear_state, load_state, save_state
 from decnet.composer import write_compose
 from decnet.network import (
     MACVLAN_NETWORK_NAME,
-    allocate_ips,
     create_ipvlan_network,
     create_macvlan_network,
-    detect_interface,
-    detect_subnet,
     get_host_ip,
     ips_to_range,
     remove_macvlan_network,

decnet/logging/file_handler.py

@@ -1,4 +1,3 @@
-from __future__ import annotations
 """
 Rotating file handler for DECNET syslog output.
 
@@ -7,6 +6,8 @@ Path is controlled by the DECNET_LOG_FILE environment variable
 (default: /var/log/decnet/decnet.log).
 """
 
+from __future__ import annotations
+
 import logging
 import logging.handlers
 import os

decnet/logging/syslog_formatter.py

@@ -1,4 +1,3 @@
-from __future__ import annotations
 """
 RFC 5424 syslog formatter for DECNET.
 
@@ -9,6 +8,8 @@ Facility: local0 (16)
 PEN for structured data: decnet@55555
 """
 
+from __future__ import annotations
+
 from datetime import datetime, timezone
 from typing import Any
 

decnet/network.py

@@ -8,10 +8,7 @@ Handles:
   - IP allocation (sequential, skipping reserved addresses)
 """
 
-import ipaddress
 import os
-import shutil
-import socket
 import subprocess
 from ipaddress import IPv4Address, IPv4Interface, IPv4Network
 

templates/decnet_logging.py

@@ -1,5 +1,4 @@
 #!/usr/bin/env python3
-from __future__ import annotations
 """
 Shared RFC 5424 syslog helper for DECNET service templates.
 

templates/docker_api/decnet_logging.py

@@ -1,5 +1,4 @@
 #!/usr/bin/env python3
-from __future__ import annotations
 """
 Shared RFC 5424 syslog helper for DECNET service templates.
 

templates/docker_api/server.py

@@ -8,8 +8,6 @@ but fake data. Logs all requests as JSON.
 
 import json
 import os
-import socket
-from datetime import datetime, timezone
 
 from flask import Flask, request
 from decnet_logging import syslog_line, write_syslog_file, forward_syslog

templates/elasticsearch/decnet_logging.py

@@ -1,5 +1,4 @@
 #!/usr/bin/env python3
-from __future__ import annotations
 """
 Shared RFC 5424 syslog helper for DECNET service templates.
 

templates/elasticsearch/server.py

@@ -7,8 +7,6 @@ as JSON. Designed to attract automated scanners and credential stuffers.
 
 import json
 import os
-import socket
-from datetime import datetime, timezone
 from http.server import BaseHTTPRequestHandler, HTTPServer
 from decnet_logging import syslog_line, write_syslog_file, forward_syslog
 

templates/ftp/decnet_logging.py

@@ -1,5 +1,4 @@
 #!/usr/bin/env python3
-from __future__ import annotations
 """
 Shared RFC 5424 syslog helper for DECNET service templates.
 

templates/ftp/server.py

@@ -5,13 +5,10 @@ Accepts any credentials, logs all commands and file requests,
 forwards events as JSON to LOG_TARGET if set.
 """
 
-import json
 import os
-import socket
 import sys
-from datetime import datetime, timezone
 
-from twisted.internet import defer, protocol, reactor
+from twisted.internet import defer, reactor
 from twisted.protocols.ftp import FTP, FTPFactory
 from twisted.python import log as twisted_log
 from decnet_logging import syslog_line, write_syslog_file, forward_syslog

templates/http/decnet_logging.py

@@ -1,5 +1,4 @@
 #!/usr/bin/env python3
-from __future__ import annotations
 """
 Shared RFC 5424 syslog helper for DECNET service templates.
 

templates/http/server.py

@@ -7,8 +7,6 @@ and responds with configurable pages. Forwards events as JSON to LOG_TARGET if s
 
 import json
 import os
-import socket
-from datetime import datetime, timezone
 from pathlib import Path
 
 from flask import Flask, request, send_from_directory

templates/imap/decnet_logging.py

@@ -1,5 +1,4 @@
 #!/usr/bin/env python3
-from __future__ import annotations
 """
 Shared RFC 5424 syslog helper for DECNET service templates.
 

templates/imap/server.py

@@ -6,10 +6,7 @@ AUTHENTICATE), then returns a NO response. Logs all commands as JSON.
 """
 
 import asyncio
-import json
 import os
-import socket
-from datetime import datetime, timezone
 from decnet_logging import syslog_line, write_syslog_file, forward_syslog
 
 NODE_NAME = os.environ.get("NODE_NAME", "mailserver")

templates/k8s/decnet_logging.py

@@ -1,5 +1,4 @@
 #!/usr/bin/env python3
-from __future__ import annotations
 """
 Shared RFC 5424 syslog helper for DECNET service templates.
 

templates/k8s/server.py

@@ -8,8 +8,6 @@ Responds to recon endpoints (/version, /api, /apis, /api/v1/namespaces,
 
 import json
 import os
-import socket
-from datetime import datetime, timezone
 
 from flask import Flask, request
 from decnet_logging import syslog_line, write_syslog_file, forward_syslog

templates/ldap/decnet_logging.py

@@ -1,5 +1,4 @@
 #!/usr/bin/env python3
-from __future__ import annotations
 """
 Shared RFC 5424 syslog helper for DECNET service templates.
 

templates/ldap/server.py

@@ -6,10 +6,7 @@ invalidCredentials error. Logs all interactions as JSON.
 """
 
 import asyncio
-import json
 import os
-import socket
-from datetime import datetime, timezone
 from decnet_logging import syslog_line, write_syslog_file, forward_syslog
 
 NODE_NAME = os.environ.get("NODE_NAME", "ldapserver")

templates/llmnr/decnet_logging.py

@@ -1,5 +1,4 @@
 #!/usr/bin/env python3
-from __future__ import annotations
 """
 Shared RFC 5424 syslog helper for DECNET service templates.
 

templates/llmnr/server.py

@@ -7,11 +7,8 @@ Logs every packet with source IP and decoded query name where possible.
 """
 
 import asyncio
-import json
 import os
-import socket
 import struct
-from datetime import datetime, timezone
 from decnet_logging import syslog_line, write_syslog_file, forward_syslog
 
 NODE_NAME = os.environ.get("NODE_NAME", "lan-host")

templates/mongodb/decnet_logging.py

@@ -1,5 +1,4 @@
 #!/usr/bin/env python3
-from __future__ import annotations
 """
 Shared RFC 5424 syslog helper for DECNET service templates.
 

templates/mongodb/server.py

@@ -7,11 +7,8 @@ received messages as JSON.
 """
 
 import asyncio
-import json
 import os
-import socket
 import struct
-from datetime import datetime, timezone
 from decnet_logging import syslog_line, write_syslog_file, forward_syslog
 
 NODE_NAME = os.environ.get("NODE_NAME", "mongodb")

templates/mqtt/decnet_logging.py

@@ -1,5 +1,4 @@
 #!/usr/bin/env python3
-from __future__ import annotations
 """
 Shared RFC 5424 syslog helper for DECNET service templates.
 

templates/mqtt/server.py

@@ -7,11 +7,8 @@ interactions as JSON.
 """
 
 import asyncio
-import json
 import os
-import socket
 import struct
-from datetime import datetime, timezone
 from decnet_logging import syslog_line, write_syslog_file, forward_syslog
 
 NODE_NAME = os.environ.get("NODE_NAME", "mqtt-broker")
@@ -48,11 +45,13 @@ def _parse_connect(payload: bytes):
     # Protocol level (1 byte)
     if pos >= len(payload):
         return {}, pos
-    _proto_level = payload[pos]; pos += 1
+    _proto_level = payload[pos]
+    pos += 1
     # Connect flags (1 byte)
     if pos >= len(payload):
         return {}, pos
-    flags = payload[pos]; pos += 1
+    flags = payload[pos]
+    pos += 1
     # Keep alive (2 bytes)
     pos += 2
     # Client ID

templates/mssql/decnet_logging.py

@@ -1,5 +1,4 @@
 #!/usr/bin/env python3
-from __future__ import annotations
 """
 Shared RFC 5424 syslog helper for DECNET service templates.
 

templates/mssql/server.py

@@ -6,11 +6,8 @@ a login failed error. Logs auth attempts as JSON.
 """
 
 import asyncio
-import json
 import os
-import socket
 import struct
-from datetime import datetime, timezone
 from decnet_logging import syslog_line, write_syslog_file, forward_syslog
 
 NODE_NAME = os.environ.get("NODE_NAME", "dbserver")

templates/mysql/decnet_logging.py

@@ -1,5 +1,4 @@
 #!/usr/bin/env python3
-from __future__ import annotations
 """
 Shared RFC 5424 syslog helper for DECNET service templates.
 

templates/mysql/server.py

@@ -7,11 +7,8 @@ attempts as JSON.
 """
 
 import asyncio
-import json
 import os
-import socket
 import struct
-from datetime import datetime, timezone
 from decnet_logging import syslog_line, write_syslog_file, forward_syslog
 
 NODE_NAME     = os.environ.get("NODE_NAME", "dbserver")

templates/pop3/decnet_logging.py

@@ -1,5 +1,4 @@
 #!/usr/bin/env python3
-from __future__ import annotations
 """
 Shared RFC 5424 syslog helper for DECNET service templates.
 

templates/pop3/server.py

@@ -7,10 +7,7 @@ to LOG_TARGET if set.
 """
 
 import asyncio
-import json
 import os
-import socket
-from datetime import datetime, timezone
 from decnet_logging import syslog_line, write_syslog_file, forward_syslog
 
 NODE_NAME = os.environ.get("NODE_NAME", "mailserver")

templates/postgres/decnet_logging.py

@@ -1,5 +1,4 @@
 #!/usr/bin/env python3
-from __future__ import annotations
 """
 Shared RFC 5424 syslog helper for DECNET service templates.
 

templates/postgres/server.py

@@ -7,11 +7,8 @@ returns an error. Logs all interactions as JSON.
 """
 
 import asyncio
-import json
 import os
-import socket
 import struct
-from datetime import datetime, timezone
 from decnet_logging import syslog_line, write_syslog_file, forward_syslog
 
 NODE_NAME = os.environ.get("NODE_NAME", "pgserver")

templates/rdp/decnet_logging.py

@@ -1,5 +1,4 @@
 #!/usr/bin/env python3
-from __future__ import annotations
 """
 Shared RFC 5424 syslog helper for DECNET service templates.
 

templates/rdp/server.py

@@ -6,11 +6,8 @@ in the initial RDP negotiation request. Forwards events as JSON to
 LOG_TARGET if set.
 """
 
-import json
 import os
-import socket
 import sys
-from datetime import datetime, timezone
 
 from twisted.internet import protocol, reactor
 from twisted.python import log as twisted_log

templates/redis/decnet_logging.py

@@ -1,5 +1,4 @@
 #!/usr/bin/env python3
-from __future__ import annotations
 """
 Shared RFC 5424 syslog helper for DECNET service templates.
 

templates/redis/server.py

@@ -6,10 +6,7 @@ KEYS, and arbitrary commands. Logs every command and argument as JSON.
 """
 
 import asyncio
-import json
 import os
-import socket
-from datetime import datetime, timezone
 from decnet_logging import syslog_line, write_syslog_file, forward_syslog
 
 NODE_NAME    = os.environ.get("NODE_NAME", "cache-server")

templates/sip/decnet_logging.py

@@ -1,5 +1,4 @@
 #!/usr/bin/env python3
-from __future__ import annotations
 """
 Shared RFC 5424 syslog helper for DECNET service templates.
 

templates/sip/server.py

@@ -6,11 +6,8 @@ Authorization header and call metadata, then responds with 401 Unauthorized.
 """
 
 import asyncio
-import json
 import os
 import re
-import socket
-from datetime import datetime, timezone
 from decnet_logging import syslog_line, write_syslog_file, forward_syslog
 
 NODE_NAME = os.environ.get("NODE_NAME", "pbx")

templates/smb/decnet_logging.py

@@ -1,5 +1,4 @@
 #!/usr/bin/env python3
-from __future__ import annotations
 """
 Shared RFC 5424 syslog helper for DECNET service templates.
 

templates/smb/server.py

@@ -4,10 +4,7 @@ Minimal SMB server using Impacket's SimpleSMBServer.
 Logs all connection attempts, optionally forwarding them as JSON to LOG_TARGET.
 """
 
-import json
 import os
-import socket
-from datetime import datetime, timezone
 
 from impacket import smbserver
 from decnet_logging import syslog_line, write_syslog_file, forward_syslog

templates/smtp/decnet_logging.py

@@ -1,5 +1,4 @@
 #!/usr/bin/env python3
-from __future__ import annotations
 """
 Shared RFC 5424 syslog helper for DECNET service templates.
 

templates/smtp/server.py

@@ -5,10 +5,7 @@ Logs EHLO/AUTH/MAIL FROM/RCPT TO attempts as JSON, then denies auth.
 """
 
 import asyncio
-import json
 import os
-import socket
-from datetime import datetime, timezone
 from decnet_logging import syslog_line, write_syslog_file, forward_syslog
 
 NODE_NAME   = os.environ.get("NODE_NAME", "mailserver")

templates/snmp/decnet_logging.py

@@ -1,5 +1,4 @@
 #!/usr/bin/env python3
-from __future__ import annotations
 """
 Shared RFC 5424 syslog helper for DECNET service templates.
 

templates/snmp/server.py

@@ -7,11 +7,8 @@ Logs all requests as JSON.
 """
 
 import asyncio
-import json
 import os
-import socket
 import struct
-from datetime import datetime, timezone
 from decnet_logging import syslog_line, write_syslog_file, forward_syslog
 
 NODE_NAME = os.environ.get("NODE_NAME", "switch")
@@ -94,35 +91,46 @@ def _ber_tlv(tag: int, value: bytes) -> bytes:
 def _parse_snmp(data: bytes):
     """Return (version, community, request_id, oids) or raise."""
     pos = 0
-    assert data[pos] == 0x30; pos += 1
+    assert data[pos] == 0x30
+    pos += 1
     _, pos = _read_ber_length(data, pos)
     # version
-    assert data[pos] == 0x02; pos += 1
+    assert data[pos] == 0x02
+    pos += 1
     v_len, pos = _read_ber_length(data, pos)
-    version = int.from_bytes(data[pos:pos + v_len], "big"); pos += v_len
+    version = int.from_bytes(data[pos:pos + v_len], "big")
+    pos += v_len
     # community
-    assert data[pos] == 0x04; pos += 1
+    assert data[pos] == 0x04
+    pos += 1
     c_len, pos = _read_ber_length(data, pos)
-    community = data[pos:pos + c_len].decode(errors="replace"); pos += c_len
+    community = data[pos:pos + c_len].decode(errors="replace")
+    pos += c_len
     # PDU type (0xa0 = GetRequest, 0xa1 = GetNextRequest)
-    pdu_type = data[pos]; pos += 1
+    pos += 1
     _, pos = _read_ber_length(data, pos)
     # request-id
-    assert data[pos] == 0x02; pos += 1
+    assert data[pos] == 0x02
+    pos += 1
     r_len, pos = _read_ber_length(data, pos)
-    request_id = int.from_bytes(data[pos:pos + r_len], "big"); pos += r_len
+    request_id = int.from_bytes(data[pos:pos + r_len], "big")
+    pos += r_len
     pos += 4  # skip error-status and error-index
     # varbind list
-    assert data[pos] == 0x30; pos += 1
+    assert data[pos] == 0x30
+    pos += 1
     vbl_len, pos = _read_ber_length(data, pos)
     end = pos + vbl_len
     oids = []
     while pos < end:
-        assert data[pos] == 0x30; pos += 1
+        assert data[pos] == 0x30
+        pos += 1
         vb_len, pos = _read_ber_length(data, pos)
-        assert data[pos] == 0x06; pos += 1
+        assert data[pos] == 0x06
+        pos += 1
         oid_len, pos = _read_ber_length(data, pos)
-        oid = _decode_oid(data[pos:pos + oid_len]); pos += oid_len
+        oid = _decode_oid(data[pos:pos + oid_len])
+        pos += oid_len
         oids.append(oid)
         pos += vb_len - oid_len - 2  # skip value
     return version, community, request_id, oids

templates/tftp/decnet_logging.py

@@ -1,5 +1,4 @@
 #!/usr/bin/env python3
-from __future__ import annotations
 """
 Shared RFC 5424 syslog helper for DECNET service templates.
 

templates/tftp/server.py

@@ -6,11 +6,8 @@ then responds with an error packet. Logs all requests as JSON.
 """
 
 import asyncio
-import json
 import os
-import socket
 import struct
-from datetime import datetime, timezone
 from decnet_logging import syslog_line, write_syslog_file, forward_syslog
 
 NODE_NAME = os.environ.get("NODE_NAME", "tftpserver")

templates/vnc/decnet_logging.py

@@ -1,5 +1,4 @@
 #!/usr/bin/env python3
-from __future__ import annotations
 """
 Shared RFC 5424 syslog helper for DECNET service templates.
 

templates/vnc/server.py

@@ -7,10 +7,7 @@ failed". Logs the raw response for offline cracking.
 """
 
 import asyncio
-import json
 import os
-import socket
-from datetime import datetime, timezone
 from decnet_logging import syslog_line, write_syslog_file, forward_syslog
 
 NODE_NAME = os.environ.get("NODE_NAME", "desktop")

test.nmap

@@ -0,0 +1,236 @@
+# Nmap 7.92 scan initiated Sat Apr  4 05:27:23 2026 as: nmap -sS -sV -oN test.nmap 192.168.1.110-119
+Nmap scan report for 192.168.1.110
+Host is up (0.000010s latency).
+Not shown: 996 closed tcp ports (reset)
+PORT    STATE SERVICE VERSION
+25/tcp  open  smtp    Postfix smtpd
+80/tcp  open  http    Apache httpd 2.4.54 ((Debian))
+110/tcp open  pop3
+143/tcp open  imap
+2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
+==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
+SF-Port110-TCP:V=7.92%I=7%D=4/4%Time=69D0CB72%P=x86_64-redhat-linux-gnu%r(
+SF:NULL,25,"\+OK\x20decky-webmail\x20POP3\x20server\x20ready\r\n")%r(Gener
+SF:icLines,51,"\+OK\x20decky-webmail\x20POP3\x20server\x20ready\r\n-ERR\x2
+SF:0Unknown\x20command\r\n-ERR\x20Unknown\x20command\r\n")%r(HTTPOptions,5
+SF:1,"\+OK\x20decky-webmail\x20POP3\x20server\x20ready\r\n-ERR\x20Unknown\
+SF:x20command\r\n-ERR\x20Unknown\x20command\r\n");
+==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
+SF-Port143-TCP:V=7.92%I=7%D=4/4%Time=69D0CB72%P=x86_64-redhat-linux-gnu%r(
+SF:NULL,2E,"\*\x20OK\x20\[decky-webmail\]\x20IMAP4rev1\x20Service\x20Ready
+SF:\r\n")%r(GetRequest,4E,"\*\x20OK\x20\[decky-webmail\]\x20IMAP4rev1\x20S
+SF:ervice\x20Ready\r\nGET\x20BAD\x20Command\x20not\x20recognized\r\n")%r(G
+SF:enericLines,2E,"\*\x20OK\x20\[decky-webmail\]\x20IMAP4rev1\x20Service\x
+SF:20Ready\r\n");
+MAC Address: 92:2A:C1:19:C1:D0 (Unknown)
+Service Info: Host:  decky-webmail
+
+Nmap scan report for 192.168.1.111
+Host is up (0.000011s latency).
+Not shown: 998 closed tcp ports (reset)
+PORT    STATE SERVICE      VERSION
+21/tcp  open  ftp          vsftpd (before 2.0.8) or WU-FTPD
+445/tcp open  microsoft-ds
+1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+SF-Port445-TCP:V=7.92%I=7%D=4/4%Time=69D0CB77%P=x86_64-redhat-linux-gnu%r(
+SF:SMBProgNeg,51,"\0\0\0M\xffSMBr\0\0\0\0\x80\0\xc0\0\0\0\0\0\0\0\0\0\0\0\
+SF:0\0\0@\x06\0\0\x01\0\x11\x07\0\x03\x01\0\x01\0\0\xfa\0\0\0\0\x01\0\0\0\
+SF:0\0p\0\0\0\0\0\0\0\0\0\0\0\0\0\x08\x08\0\x11\"3DUfw\x88");
+MAC Address: 92:2A:C1:19:C1:D0 (Unknown)
+Service Info: Host: Twisted
+
+Nmap scan report for 192.168.1.112
+Host is up (0.0000080s latency).
+Not shown: 999 closed tcp ports (reset)
+PORT     STATE SERVICE VERSION
+3306/tcp open  mysql   MySQL 5.7.38-log
+MAC Address: 92:2A:C1:19:C1:D0 (Unknown)
+
+Nmap scan report for 192.168.1.113
+Host is up (0.0000090s latency).
+Not shown: 998 closed tcp ports (reset)
+PORT     STATE SERVICE     VERSION
+5432/tcp open  postgresql?
+9200/tcp open  wap-wsp?
+2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
+==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
+SF-Port5432-TCP:V=7.92%I=7%D=4/4%Time=69D0CB81%P=x86_64-redhat-linux-gnu%r
+SF:(SMBProgNeg,D,"R\0\0\0\x0c\0\0\0\x05\xde\xad\xbe\xef")%r(Kerberos,D,"R\
+SF:0\0\0\x0c\0\0\0\x05\xde\xad\xbe\xef");
+==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
+SF-Port9200-TCP:V=7.92%I=7%D=4/4%Time=69D0CB72%P=x86_64-redhat-linux-gnu%r
+SF:(GetRequest,295,"HTTP/1\.0\x20200\x20OK\r\nServer:\x20elasticsearch\x20
+SF:\r\nDate:\x20Sat,\x2004\x20Apr\x202026\x2008:27:30\x20GMT\r\nContent-Ty
+SF:pe:\x20application/json;\x20charset=UTF-8\r\nContent-Length:\x20479\r\n
+SF:X-elastic-product:\x20Elasticsearch\r\n\r\n{\"name\":\x20\"decky-dbsrv0
+SF:2\",\x20\"cluster_name\":\x20\"elasticsearch\",\x20\"cluster_uuid\":\x2
+SF:0\"xC3Pr9abTq2mNkOeLvXwYA\",\x20\"version\":\x20{\"number\":\x20\"7\.17
+SF:\.9\",\x20\"build_flavor\":\x20\"default\",\x20\"build_type\":\x20\"doc
+SF:ker\",\x20\"build_hash\":\x20\"ef48222227ee6b9e70e502f0f0daa52435ee634d
+SF:\",\x20\"build_date\":\x20\"2023-01-31T05:34:43\.305517834Z\",\x20\"bui
+SF:ld_snapshot\":\x20false,\x20\"lucene_version\":\x20\"8\.11\.1\",\x20\"m
+SF:inimum_wire_compatibility_version\":\x20\"6\.8\.0\",\x20\"minimum_index
+SF:_compatibility_version\":\x20\"6\.0\.0-beta1\"},\x20\"tagline\":\x20\"Y
+SF:ou\x20Know,\x20for\x20Search\"}")%r(HTTPOptions,223,"HTTP/1\.0\x20501\x
+SF:20Unsupported\x20method\x20\('OPTIONS'\)\r\nServer:\x20elasticsearch\x2
+SF:0\r\nDate:\x20Sat,\x2004\x20Apr\x202026\x2008:27:30\x20GMT\r\nConnectio
+SF:n:\x20close\r\nContent-Type:\x20text/html;charset=utf-8\r\nContent-Leng
+SF:th:\x20360\r\n\r\n<!DOCTYPE\x20HTML>\n<html\x20lang=\"en\">\n\x20\x20\x
+SF:20\x20<head>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20charset=\"utf-8\
+SF:">\n\x20\x20\x20\x20\x20\x20\x20\x20<title>Error\x20response</title>\n\
+SF:x20\x20\x20\x20</head>\n\x20\x20\x20\x20<body>\n\x20\x20\x20\x20\x20\x2
+SF:0\x20\x20<h1>Error\x20response</h1>\n\x20\x20\x20\x20\x20\x20\x20\x20<p
+SF:>Error\x20code:\x20501</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Message:
+SF:\x20Unsupported\x20method\x20\('OPTIONS'\)\.</p>\n\x20\x20\x20\x20\x20\
+SF:x20\x20\x20<p>Error\x20code\x20explanation:\x20501\x20-\x20Server\x20do
+SF:es\x20not\x20support\x20this\x20operation\.</p>\n\x20\x20\x20\x20</body
+SF:>\n</html>\n")%r(RTSPRequest,16C,"<!DOCTYPE\x20HTML>\n<html\x20lang=\"e
+SF:n\">\n\x20\x20\x20\x20<head>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20
+SF:charset=\"utf-8\">\n\x20\x20\x20\x20\x20\x20\x20\x20<title>Error\x20res
+SF:ponse</title>\n\x20\x20\x20\x20</head>\n\x20\x20\x20\x20<body>\n\x20\x2
+SF:0\x20\x20\x20\x20\x20\x20<h1>Error\x20response</h1>\n\x20\x20\x20\x20\x
+SF:20\x20\x20\x20<p>Error\x20code:\x20400</p>\n\x20\x20\x20\x20\x20\x20\x2
+SF:0\x20<p>Message:\x20Bad\x20request\x20version\x20\('RTSP/1\.0'\)\.</p>\
+SF:n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code\x20explanation:\x2040
+SF:0\x20-\x20Bad\x20request\x20syntax\x20or\x20unsupported\x20method\.</p>
+SF:\n\x20\x20\x20\x20</body>\n</html>\n");
+MAC Address: 92:2A:C1:19:C1:D0 (Unknown)
+
+Nmap scan report for 192.168.1.114
+Host is up (0.000010s latency).
+Not shown: 997 closed tcp ports (reset)
+PORT     STATE SERVICE       VERSION
+445/tcp  open  microsoft-ds
+1433/tcp open  ms-sql-s?
+3389/tcp open  ms-wbt-server xrdp
+2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
+==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
+SF-Port445-TCP:V=7.92%I=7%D=4/4%Time=69D0CB77%P=x86_64-redhat-linux-gnu%r(
+SF:SMBProgNeg,51,"\0\0\0M\xffSMBr\0\0\0\0\x80\0\xc0\0\0\0\0\0\0\0\0\0\0\0\
+SF:0\0\0@\x06\0\0\x01\0\x11\x07\0\x03\x01\0\x01\0\0\xfa\0\0\0\0\x01\0\0\0\
+SF:0\0p\0\0\0\0\0\0\0\0\0\0\0\0\0\x08\x08\0\x11\"3DUfw\x88");
+==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
+SF-Port1433-TCP:V=7.92%I=7%D=4/4%Time=69D0CB77%P=x86_64-redhat-linux-gnu%r
+SF:(ms-sql-s,29,"\x04\x01\0\+\0\0\x01\0\0\0\x1a\0\x06\x01\0\x20\0\x01\x02\
+SF:0!\0\x01\x03\0\"\0\x04\xff\x10\0\x03\xe8\0\0\x02\0\0\0\0\x01");
+MAC Address: 92:2A:C1:19:C1:D0 (Unknown)
+
+Nmap scan report for 192.168.1.115
+Host is up (0.000010s latency).
+All 1000 scanned ports on 192.168.1.115 are in ignored states.
+Not shown: 1000 closed tcp ports (reset)
+MAC Address: 92:2A:C1:19:C1:D0 (Unknown)
+
+Nmap scan report for 192.168.1.116
+Host is up (0.000010s latency).
+Not shown: 999 closed tcp ports (reset)
+PORT    STATE SERVICE VERSION
+389/tcp open  ldap    Cisco LDAP server
+MAC Address: 92:2A:C1:19:C1:D0 (Unknown)
+
+Nmap scan report for 192.168.1.117
+Host is up (0.000010s latency).
+Not shown: 998 closed tcp ports (reset)
+PORT     STATE SERVICE      VERSION
+2121/tcp open  ccproxy-ftp?
+8800/tcp open  sunwebadmin?
+2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
+==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
+SF-Port2121-TCP:V=7.92%I=7%D=4/4%Time=69D0CB72%P=x86_64-redhat-linux-gnu%r
+SF:(NULL,17,"200\x20FTP\x20server\x20ready\.\r\n")%r(GenericLines,3A,"200\
+SF:x20FTP\x20server\x20ready\.\r\n500\x20Command\x20'\\r\\n'\x20not\x20und
+SF:erstood\r\n")%r(GetRequest,39,"200\x20FTP\x20server\x20ready\.\r\n500\x
+SF:20Command\x20'GET'\x20not\x20understood\r\n")%r(HTTPOptions,3D,"200\x20
+SF:FTP\x20server\x20ready\.\r\n500\x20Command\x20'OPTIONS'\x20not\x20under
+SF:stood\r\n")%r(RTSPRequest,3D,"200\x20FTP\x20server\x20ready\.\r\n500\x2
+SF:0Command\x20'OPTIONS'\x20not\x20understood\r\n")%r(RPCCheck,32,"200\x20
+SF:FTP\x20server\x20ready\.\r\n501\x20can't\x20decode\x20command\.\r\n")%r
+SF:(DNSVersionBindReqTCP,95,"200\x20FTP\x20server\x20ready\.\r\n500\x20Com
+SF:mand\x20'\\x00\\x1e\\x00\\x06\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\
+SF:x00\\x00\\x07VERSION\\x04BIND\\x00\\x00\\x10\\x00\\x03'\x20not\x20under
+SF:stood\r\n")%r(DNSStatusRequestTCP,6E,"200\x20FTP\x20server\x20ready\.\r
+SF:\n500\x20Command\x20'\\x00\\x0c\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00
+SF:\\x00\\x00\\x00\\x00'\x20not\x20understood\r\n")%r(Help,152,"200\x20FTP
+SF:\x20server\x20ready\.\r\n214-The\x20following\x20commands\x20are\x20rec
+SF:ognized:\r\n\x20'ABOR'\x20'ALLO'\x20'APPE'\x20'CDUP'\x20'CWD'\x20\x20'D
+SF:ELE'\x20'HELP'\x20'LIST'\r\n\x20'MDTM'\x20'MKD'\x20\x20'MODE'\x20'NLST'
+SF:\x20'NOOP'\x20'PASS'\x20'PASV'\x20'PORT'\r\n\x20'PWD'\x20\x20'QUIT'\x20
+SF:'REIN'\x20'REST'\x20'RETR'\x20'RMD'\x20\x20'RNFR'\x20'RNTO'\r\n\x20'SIT
+SF:E'\x20'SIZE'\x20'STAT'\x20'STOR'\x20'STOU'\x20'STRU'\x20'SYST'\x20'TYPE
+SF:'\r\n\x20'USER'\r\n214\x20Help\x20command\x20successful\.\r\n")%r(SSLSe
+SF:ssionReq,32,"200\x20FTP\x20server\x20ready\.\r\n501\x20can't\x20decode\
+SF:x20command\.\r\n")%r(TerminalServerCookie,32,"200\x20FTP\x20server\x20r
+SF:eady\.\r\n501\x20can't\x20decode\x20command\.\r\n")%r(TLSSessionReq,32,
+SF:"200\x20FTP\x20server\x20ready\.\r\n501\x20can't\x20decode\x20command\.
+SF:\r\n")%r(Kerberos,32,"200\x20FTP\x20server\x20ready\.\r\n501\x20can't\x
+SF:20decode\x20command\.\r\n")%r(SMBProgNeg,32,"200\x20FTP\x20server\x20re
+SF:ady\.\r\n501\x20can't\x20decode\x20command\.\r\n")%r(X11Probe,63,"200\x
+SF:20FTP\x20server\x20ready\.\r\n500\x20Command\x20'L\\x00\\x0b\\x00\\x00\
+SF:\x00\\x00\\x00\\x00\\x00\\x00\\x00'\x20not\x20understood\r\n");
+==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
+SF-Port8800-TCP:V=7.92%I=7%D=4/4%Time=69D0CB72%P=x86_64-redhat-linux-gnu%r
+SF:(GetRequest,7E,"HTTP/1\.1\x20302\x20Found\r\nDate:\x20Sat,\x2004\x20Apr
+SF:\x202026\x2008:27:09\x20GMT\r\nContent-Type:\x20text/html\r\nLocation:\
+SF:x20/index\.html\r\nContent-Length:\x200\r\n\r\n")%r(HTTPOptions,9B,"HTT
+SF:P/1\.1\x20200\x20OK\r\nDate:\x20Sat,\x2004\x20Apr\x202026\x2008:27:09\x
+SF:20GMT\r\nAllow:\x20GET,HEAD,POST,OPTIONS,TRACE\r\nContent-Length:\x200\
+SF:r\nConnection:\x20close\r\nContent-Type:\x20text/html\r\n\r\n")%r(FourO
+SF:hFourRequest,13C,"HTTP/1\.1\x20404\x20Not\x20Found\r\nDate:\x20Sat,\x20
+SF:04\x20Apr\x202026\x2008:27:09\x20GMT\r\nContent-Length:\x20232\r\n\r\n<
+SF:HTML>\n\n\x20\x20\x20\x20<HEAD>\n\x20\x20\x20\x20\x20\x20\x20\x20<TITLE
+SF:>Not\x20found\x20-\x20Siemens,\x20SIMATIC,\x20S7-200</TITLE>\n\x20\x20\
+SF:x20\x20</HEAD>\n\n\x20\x20\x20\x20<BODY>\n\x20\x20\x20\x20\x20\x20\x20\
+SF:x20<h2>CP\x20443-1\x20EX40</h2>\n\x20\x20\x20\x20\x20\x20\x20\x20<hr>\n
+SF:\x20\x20\x20\x20\x20\x20\x20\x20&nbsp;<br>\n\x20\x20\x20\x20\x20\x20\x2
+SF:0\x20This\x20resource\x20could\x20not\x20be\x20found\.<br>\n\x20\x20\x2
+SF:0\x20</BODY>\n\n</HTML>");
+MAC Address: 92:2A:C1:19:C1:D0 (Unknown)
+
+Nmap scan report for 192.168.1.118
+Host is up (0.0000080s latency).
+Not shown: 999 closed tcp ports (reset)
+PORT     STATE SERVICE VERSION
+5060/tcp open  sip     (SIP end point; Status: 401 Unauthorized)
+1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+SF-Port5060-TCP:V=7.92%I=7%D=4/4%Time=69D0CB7E%P=x86_64-redhat-linux-gnu%r
+SF:(SIPOptions,F0,"SIP/2\.0\x20401\x20Unauthorized\r\nVia:\x20SIP/2\.0/TCP
+SF:\x20nm;branch=foo\r\nFrom:\x20<sip:nm@nm>;tag=root\r\nTo:\x20<sip:nm2@n
+SF:m2>\r\nCall-ID:\x2050000\r\nCSeq:\x2042\x20OPTIONS\r\nWWW-Authenticate:
+SF:\x20Digest\x20realm=\"decky-voip\",\x20nonce=\"decnet0000\",\x20algorit
+SF:hm=MD5\r\nContent-Length:\x200\r\n\r\n");
+MAC Address: 92:2A:C1:19:C1:D0 (Unknown)
+
+Nmap scan report for 192.168.1.119
+Host is up (0.000011s latency).
+Not shown: 998 closed tcp ports (reset)
+PORT     STATE SERVICE VERSION
+23/tcp   open  telnet?
+5900/tcp open  vnc     VNC (protocol 3.8)
+1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+SF-Port23-TCP:V=7.92%I=7%D=4/4%Time=69D0CB72%P=x86_64-redhat-linux-gnu%r(N
+SF:ULL,7,"login:\x20")%r(GenericLines,2C,"login:\x20\xff\xfb\x01Password:\
+SF:x20\nLogin\x20incorrect\nlogin:\x20")%r(tn3270,16,"login:\x20\xff\xfe\x
+SF:18\xff\xfe\x19\xff\xfc\x19\xff\xfe\0\xff\xfc\0")%r(GetRequest,2C,"login
+SF::\x20\xff\xfb\x01Password:\x20\nLogin\x20incorrect\nlogin:\x20")%r(HTTP
+SF:Options,2C,"login:\x20\xff\xfb\x01Password:\x20\nLogin\x20incorrect\nlo
+SF:gin:\x20")%r(RTSPRequest,2C,"login:\x20\xff\xfb\x01Password:\x20\nLogin
+SF:\x20incorrect\nlogin:\x20")%r(RPCCheck,7,"login:\x20")%r(DNSVersionBind
+SF:ReqTCP,7,"login:\x20")%r(DNSStatusRequestTCP,7,"login:\x20")%r(Help,14,
+SF:"login:\x20\xff\xfb\x01Password:\x20")%r(SSLSessionReq,14,"login:\x20\x
+SF:ff\xfb\x01Password:\x20")%r(TerminalServerCookie,14,"login:\x20\xff\xfb
+SF:\x01Password:\x20")%r(Kerberos,14,"login:\x20\xff\xfb\x01Password:\x20"
+SF:)%r(X11Probe,7,"login:\x20")%r(FourOhFourRequest,2C,"login:\x20\xff\xfb
+SF:\x01Password:\x20\nLogin\x20incorrect\nlogin:\x20")%r(LPDString,14,"log
+SF:in:\x20\xff\xfb\x01Password:\x20")%r(LDAPSearchReq,2C,"login:\x20\xff\x
+SF:fb\x01Password:\x20\nLogin\x20incorrect\nlogin:\x20")%r(LDAPBindReq,7,"
+SF:login:\x20")%r(SIPOptions,BE,"login:\x20\xff\xfb\x01Password:\x20\nLogi
+SF:n\x20incorrect\nlogin:\x20Password:\x20\nLogin\x20incorrect\nlogin:\x20
+SF:Password:\x20\nLogin\x20incorrect\nlogin:\x20Password:\x20\nLogin\x20in
+SF:correct\nlogin:\x20Password:\x20\nLogin\x20incorrect\nlogin:\x20Passwor
+SF:d:\x20")%r(LANDesk-RC,7,"login:\x20")%r(TerminalServer,7,"login:\x20")%
+SF:r(NotesRPC,7,"login:\x20")%r(JavaRMI,7,"login:\x20")%r(WMSRequest,7,"lo
+SF:gin:\x20")%r(afp,7,"login:\x20")%r(giop,7,"login:\x20");
+MAC Address: 92:2A:C1:19:C1:D0 (Unknown)
+
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Apr  4 05:30:01 2026 -- 10 IP addresses (10 hosts up) scanned in 157.69 seconds

tests/test_archetypes.py

@@ -15,7 +15,7 @@ from decnet.archetypes import (
     get_archetype,
     random_archetype,
 )
-from decnet.ini_loader import load_ini, DeckySpec
+from decnet.ini_loader import load_ini
 from decnet.distros import DISTROS
 
 

tests/test_cli_service_pool.py

@@ -3,7 +3,6 @@ Tests for the CLI service pool — verifies that --randomize-services draws
 from all registered services, not just the original hardcoded 5.
 """
 
-import pytest
 from decnet.cli import _all_service_names, _build_deckies
 from decnet.services.registry import all_services
 

tests/test_correlation.py

@@ -11,10 +11,8 @@ from __future__ import annotations
 
 import json
 import re
-from datetime import datetime, timezone
-from pathlib import Path
+from datetime import datetime
 
-import pytest
 
 from decnet.correlation.parser import LogEvent, parse_line
 from decnet.correlation.graph import AttackerTraversal, TraversalHop

tests/test_ini_loader.py

@@ -6,7 +6,7 @@ and per-service config propagation.
 import pytest
 import textwrap
 from pathlib import Path
-from decnet.ini_loader import load_ini, IniConfig
+from decnet.ini_loader import load_ini
 
 
 def _write_ini(tmp_path: Path, content: str) -> Path:

tests/test_log_file_mount.py

@@ -2,7 +2,6 @@
 
 from pathlib import Path
 
-import pytest
 
 from decnet.composer import _CONTAINER_LOG_DIR, _resolve_log_file, generate_compose
 from decnet.config import DeckyConfig, DecnetConfig

tests/test_network.py

@@ -2,7 +2,7 @@
 Tests for decnet.network utility functions.
 """
 
-from unittest.mock import MagicMock, call, patch
+from unittest.mock import MagicMock, patch
 
 import pytest
 
@@ -16,7 +16,6 @@ from decnet.network import (
     setup_host_ipvlan,
     setup_host_macvlan,
     teardown_host_ipvlan,
-    teardown_host_macvlan,
 )
 
 

tests/test_os_fingerprint.py

@@ -11,7 +11,7 @@ Covers:
 
 import pytest
 
-from decnet.archetypes import ARCHETYPES, all_archetypes
+from decnet.archetypes import ARCHETYPES
 from decnet.composer import generate_compose
 from decnet.config import DeckyConfig, DecnetConfig
 from decnet.os_fingerprint import OS_SYSCTLS, all_os_families, get_os_sysctls

tests/test_real_ssh.py

@@ -2,8 +2,6 @@
 Tests for the RealSSHService plugin and the deaddeck archetype.
 """
 
-import pytest
-from pathlib import Path
 
 from decnet.services.registry import all_services, get_service
 from decnet.archetypes import get_archetype

tests/test_syslog_formatter.py

@@ -3,7 +3,6 @@
 import re
 from datetime import datetime, timezone
 
-import pytest
 
 from decnet.logging.syslog_formatter import (
     SEVERITY_ERROR,

webmail

@@ -0,0 +1,29 @@
+# Nmap 7.92 scan initiated Sat Apr  4 13:52:08 2026 as: nmap -sS -sV -oN webmail 192.168.1.110
+Nmap scan report for 192.168.1.110
+Host is up (0.000010s latency).
+Not shown: 996 closed tcp ports (reset)
+PORT    STATE SERVICE VERSION
+25/tcp  open  smtp    Postfix smtpd
+80/tcp  open  http    Apache httpd 2.4.54 ((Debian))
+110/tcp open  pop3
+143/tcp open  imap
+2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
+==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
+SF-Port110-TCP:V=7.92%I=7%D=4/4%Time=69D141BE%P=x86_64-redhat-linux-gnu%r(
+SF:NULL,25,"\+OK\x20decky-webmail\x20POP3\x20server\x20ready\r\n")%r(Gener
+SF:icLines,51,"\+OK\x20decky-webmail\x20POP3\x20server\x20ready\r\n-ERR\x2
+SF:0Unknown\x20command\r\n-ERR\x20Unknown\x20command\r\n")%r(HTTPOptions,5
+SF:1,"\+OK\x20decky-webmail\x20POP3\x20server\x20ready\r\n-ERR\x20Unknown\
+SF:x20command\r\n-ERR\x20Unknown\x20command\r\n");
+==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
+SF-Port143-TCP:V=7.92%I=7%D=4/4%Time=69D141BE%P=x86_64-redhat-linux-gnu%r(
+SF:NULL,2E,"\*\x20OK\x20\[decky-webmail\]\x20IMAP4rev1\x20Service\x20Ready
+SF:\r\n")%r(GetRequest,4E,"\*\x20OK\x20\[decky-webmail\]\x20IMAP4rev1\x20S
+SF:ervice\x20Ready\r\nGET\x20BAD\x20Command\x20not\x20recognized\r\n")%r(G
+SF:enericLines,2E,"\*\x20OK\x20\[decky-webmail\]\x20IMAP4rev1\x20Service\x
+SF:20Ready\r\n");
+MAC Address: 1A:2C:33:F9:51:0A (Unknown)
+Service Info: Host:  decky-webmail
+
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Apr  4 13:52:24 2026 -- 1 IP address (1 host up) scanned in 16.41 seconds

windows1

@@ -0,0 +1,54 @@
+# Nmap 7.92 scan initiated Sat Apr  4 13:35:16 2026 as: nmap -sS -sV -A -O -oN windows1 192.168.1.2
+Nmap scan report for 192.168.1.2
+Host is up (0.000049s latency).
+Not shown: 997 closed tcp ports (reset)
+PORT     STATE SERVICE       VERSION
+389/tcp  open  ldap          Cisco LDAP server
+445/tcp  open  microsoft-ds
+| fingerprint-strings: 
+|   SMBProgNeg: 
+|     SMBr
+|_    "3DUfw
+3389/tcp open  ms-wbt-server xrdp
+1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+SF-Port445-TCP:V=7.92%I=7%D=4/4%Time=69D13DD0%P=x86_64-redhat-linux-gnu%r(
+SF:SMBProgNeg,51,"\0\0\0M\xffSMBr\0\0\0\0\x80\0\xc0\0\0\0\0\0\0\0\0\0\0\0\
+SF:0\0\0@\x06\0\0\x01\0\x11\x07\0\x03\x01\0\x01\0\0\xfa\0\0\0\0\x01\0\0\0\
+SF:0\0p\0\0\0\0\0\0\0\0\0\0\0\0\0\x08\x08\0\x11\"3DUfw\x88");
+MAC Address: 6E:ED:78:84:44:93 (Unknown)
+No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
+TCP/IP fingerprint:
+OS:SCAN(V=7.92%E=4%D=4/4%OT=389%CT=1%CU=43132%PV=Y%DS=1%DC=D%G=Y%M=6EED78%T
+OS:M=69D13E1C%P=x86_64-redhat-linux-gnu)SEQ(SP=101%GCD=1%ISR=104%TI=Z%CI=Z%
+OS:II=I%TS=A)SEQ(SP=101%GCD=1%ISR=104%TI=Z%CI=Z%TS=A)OPS(O1=M5B4ST11NWA%O2=
+OS:M5B4ST11NWA%O3=M5B4NNT11NWA%O4=M5B4ST11NWA%O5=M5B4ST11NWA%O6=M5B4ST11)WI
+OS:N(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=80%W=FA
+OS:F0%O=M5B4NNSNWA%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3
+OS:(R=N)T4(R=Y%DF=Y%T=80%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=
+OS:Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=
+OS:Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%R
+OS:IPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=S)
+
+Network Distance: 1 hop
+
+Host script results:
+| smb2-time: 
+|   date: 2026-04-04T16:35:39
+|_  start_date: 2026-04-04T16:35:39
+| smb-security-mode: 
+|   account_used: guest
+|   authentication_level: user
+|   challenge_response: supported
+|_  message_signing: disabled (dangerous, but default)
+| smb2-security-mode: 
+|   2.0.2: 
+|_    Message signing enabled but not required
+|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
+|_clock-skew: mean: -77660d20h17m50s, deviation: 109829d00h30m38s, median: -155321d16h35m40s
+
+TRACEROUTE
+HOP RTT     ADDRESS
+1   0.05 ms 192.168.1.2
+
+OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Sat Apr  4 13:36:44 2026 -- 1 IP address (1 host up) scanned in 87.61 seconds