Replaces LICENSE (GPLv3 -> AGPLv3) and prepends
`SPDX-License-Identifier: AGPL-3.0-or-later` to every source file
across decnet/, decnet_web/, tests/, scripts/, and tools/.
Rationale: closes the GPLv3 ASP loophole so any party operating a
modified DECNET as a network service must offer their modified
source. Personal copyright (Samuel Paschuan) + inbound=outbound
contributions make a future unilateral relicense infeasible.

- LICENSE: full AGPL-3.0 text (gnu.org/licenses/agpl-3.0.txt)
- COPYRIGHT: project copyright notice
- tools/add_spdx_headers.py: idempotent header injector
  (shebang- and PEP 263-aware)

Touches 1565 source files (.py, .ts, .tsx, .js, .jsx, .css, .sh).
No behavior change; comments only.

Every http_useragent bounty now carries a `category` label plus an
optional tool name and a signals list. The main analytic win is the
`nonstandard` bucket — UAs like "FUCKYOU/1.0" or custom one-off
scanner labels that don't match any known pattern, which today
silently blend into the generic fingerprint list.

Buckets (priority order):
- scanner: nmap, nuclei, sqlmap, gobuster, nikto, masscan, zgrab,
  ffuf, wpscan, katana, burp, acunetix, nessus, openvas, arachni,
  whatweb, wappalyzer, etc.
- cli: curl, wget, httpie, xh, fetch.
- library: python-requests, aiohttp, httpx, urllib, Go stdlib, Java,
  okhttp, Apache HttpClient, axios, node-fetch, got, undici, PHP,
  Guzzle, Ruby stdlib, Faraday, .NET, PostmanRuntime, Insomnia, etc.
- bot: anything containing bot / crawler / spider / slurp / monitor
  (catches Googlebot, bingbot, Baiduspider — many of which ship a
  Mozilla/5.0 prefix, so the bot check runs BEFORE the browser
  regex).
- browser: Mozilla/5.0-prefixed UAs that aren't bots.
- nonstandard: anything else. The interesting bucket.
- empty: literal empty User-Agent header.

Side signals computed regardless of category: suspicious_short (<8
chars), suspicious_long (>512 chars), nonprintable (control chars),
injection_like (SQLi / XSS / path-traversal / Log4Shell markers).
A sqlmap UA with a literal SQL-injection payload embedded fires
category=scanner + injection_like — the combination tells the
analyst the tool is being operated manually vs. on default config.
Classification is deterministic (same UA string → same tuple) so
add_bounty's payload-hash dedup continues to collapse repeat rows.
UI renderer upgraded from FpGeneric to a dedicated FpUserAgent that
colours the category tag by risk (scanner=alert-red,
nonstandard=warn-yellow, browser=accent-green, etc.) and renders
each signal as its own chip. Makes the interesting rows pop in the
fingerprints panel.
Also fixed: the ingester was using `_headers.get("User-Agent") or
_headers.get("user-agent")`, which short-circuits away empty-string
UAs. An explicit empty UA is itself a signal (real clients always
send something) — now captured.
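
The bucket priority, side signals and empty-UA capture described in the commit message above, as an added Python example that is not DECNET's own code. The function names and the abbreviated pattern tables are assumptions, as are anchoring CLI names to the start of the string and letting the empty UA also count as `suspicious_short`.

```python
import re

# Abbreviated, constructed pattern tables; the commit names more tools per bucket.
SCANNER_RE = re.compile(r"\b(nmap|nuclei|sqlmap|gobuster|nikto|masscan|zgrab|ffuf|wpscan)\b", re.I)
CLI_RE = re.compile(r"^(curl|wget|httpie|xh|fetch)\b", re.I)  # start-anchored (assumption)
LIBRARY_RE = re.compile(r"\b(python-requests|aiohttp|httpx|urllib|okhttp|axios|node-fetch)\b", re.I)
BOT_RE = re.compile(r"bot|crawler|spider|slurp|monitor", re.I)
BROWSER_RE = re.compile(r"^Mozilla/5\.0\b")
INJECTION_RE = re.compile(r"union\s+select|'\s*or\s+'?1|<script|\.\./|\$\{jndi:", re.I)


def extract_user_agent(headers):
    """Case-insensitive lookup that keeps "" distinct from a missing header."""
    for name, value in headers.items():
        if name.lower() == "user-agent":
            return value  # may be "", which `a or b` chaining would discard
    return None


def side_signals(ua):
    """Signals computed regardless of category, always in the same order."""
    signals = []
    if len(ua) < 8:  # assumption: the empty UA also counts as short
        signals.append("suspicious_short")
    if len(ua) > 512:
        signals.append("suspicious_long")
    if any(ord(c) < 32 or ord(c) == 127 for c in ua):
        signals.append("nonprintable")
    if INJECTION_RE.search(ua):
        signals.append("injection_like")
    return tuple(signals)


def classify_user_agent(ua):
    """Return (category, tool, signals); the same UA string gives the same tuple."""
    signals = side_signals(ua)
    if ua == "":  # checked first so it cannot fall through to nonstandard
        return ("empty", None, signals)
    # Priority order from the commit message: scanner, cli, library, then bot
    # before browser, because many crawlers ship a Mozilla/5.0 prefix.
    for category, pattern in (("scanner", SCANNER_RE), ("cli", CLI_RE), ("library", LIBRARY_RE)):
        match = pattern.search(ua)
        if match:
            return (category, match.group(1).lower(), signals)
    if BOT_RE.search(ua):
        return ("bot", None, signals)
    if BROWSER_RE.match(ua):
        return ("browser", None, signals)
    return ("nonstandard", None, signals)
```

Because the result is a tuple built in a fixed order, hashing it for payload dedup gives the same value for repeat sightings of one UA.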