3 Commits

Author SHA1 Message Date
ec1079e78b feat(profiler): wire p0f-v2 matcher into sniffer_rollup priority chain
The ~30-signature hand-rolled p0f-lite table in decnet/sniffer/p0f.py
misses most real-world attackers (yesterday's SLOW SCAN being a
textbook case — 9 hours of events, 19 hits, os_guess = NULL). The
375-sig vendored p0f v2 DB was already there; this commit actually
calls it.

New resolution chain in sniffer_rollup:

  1. Enabled OS-fingerprint providers (p0f-v2 default, via
     DECNET_OSFP_PROVIDERS) tried in declared order. Provider with
     highest-confidence match across all enabled sources wins.
  2. Modal os_guess label from the sniffer's hand-rolled p0f.py.
     Kept as fallback because v2's DB predates post-2006 kernels.
  3. TTL bucket (linux / windows / embedded). Coarse but never wrong.

Wiring details:

- _match_via_osfp_providers: never raises — factory / provider
  failures collapse to None and the chain falls through to the
  old modal-label / TTL path. A corrupt .fp file or misconfigured
  DECNET_OSFP_PROVIDERS must never wedge a profile rebuild.
- tcp_fp_context tracks whether the LATEST tcp_fp snapshot came
  from a passive SYN ('syn' → p0f.fp) or an active prober probe
  ('synack' → p0fa.fp). Routes to the right sig list.
- initial-TTL normalisation via decnet.sniffer.p0f.initial_ttl.
  Observation's TTL may be N hops below the OS's initial; v2
  signatures match on the canonical bucket.

Soft-field semantics on Signature.score(): df and total_len are now
skip-checked when the observation is missing them. Sniffer doesn't
currently emit either SD field; a literal-constraint sig
shouldn't hard-reject a match solely because of upstream
incompleteness. Hard fields (window, ttl, options_sig, quirks)
still hard-reject on absent/mismatched input — those are the real
discriminators. Promote df / total_len back to hard the moment the
sniffer starts emitting them.

+2 integration tests on TestSnifferRollup, +2 soft-field tests on
test_signature. Full regression: 166 tests across tests/prober/osfp
+ tests/profiler all green.
2026-04-24 11:56:50 -04:00
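The resolution chain, never-raise provider wrapper, syn/synack context routing and initial-TTL normalisation described in this commit message, written out as an added example. This is not decnet's code: `TableProvider`, `resolve_os_guess`, the event dict keys and the canonical TTL list are assumptions made for the illustration, and the provider here is a toy lookup table standing in for a signature-DB match.

```python
# Added example, not decnet's own code. Every name here is hypothetical.
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Mapping, Optional, Sequence, Tuple

INITIAL_TTLS = (64, 128, 255)   # assumed canonical initial TTLs of the common stacks

def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest canonical initial value.
    A packet that left the sender at 64 and crossed 11 hops arrives at 53."""
    for canon in INITIAL_TTLS:
        if observed <= canon:
            return canon
    return 255

def ttl_bucket(observed: int) -> str:
    """Coarse family by initial TTL; deliberately only three labels."""
    return {64: "linux", 128: "windows", 255: "embedded"}[initial_ttl(observed)]

@dataclass(frozen=True)
class OsMatch:
    label: str
    confidence: float   # the provider's specificity score in [0, 1]

class TableProvider:
    """Toy provider keyed on (context, window, initial TTL); stands in for a
    signature-DB provider. The context routes to the syn or synack list."""
    def __init__(self, table: Mapping[Tuple[str, int, int], str], confidence: float):
        self._table, self._confidence = dict(table), confidence

    def match(self, tcp_fp: Mapping[str, int], context: str) -> Optional[OsMatch]:
        label = self._table.get((context, tcp_fp["window"], initial_ttl(tcp_fp["ttl"])))
        return OsMatch(label, self._confidence) if label else None

class BrokenProvider:
    """Simulates a provider whose .fp file is corrupt: every call raises."""
    def match(self, tcp_fp, context):
        raise RuntimeError("corrupt signature file")

def match_via_providers(providers: Iterable, tcp_fp, context) -> Optional[OsMatch]:
    """Never raises. A failing provider counts as no match; the highest
    confidence across all providers wins, ties going to the earlier one."""
    best = None
    for provider in providers:
        try:
            found = provider.match(tcp_fp, context)
        except Exception:   # deliberately broad: one bad provider must not wedge the rebuild
            found = None
        if found is not None and (best is None or found.confidence > best.confidence):
            best = found
    return best

def modal_label(labels: Iterable[Optional[str]]) -> Optional[str]:
    counts = Counter(label for label in labels if label)
    return counts.most_common(1)[0][0] if counts else None

def resolve_os_guess(providers, events: Sequence[Mapping]) -> Tuple[str, str]:
    """events are oldest-first; each carries tcp_fp {window, ttl}, tcp_fp_context
    ('syn' | 'synack') and the hand-rolled os_guess label (or None).
    Returns (label, source) where source names the chain step that decided."""
    latest = events[-1]                       # providers see the LATEST tcp_fp snapshot
    hit = match_via_providers(providers, latest["tcp_fp"], latest["tcp_fp_context"])
    if hit is not None:
        return hit.label, "osfp"
    label = modal_label(event.get("os_guess") for event in events)
    if label is not None:
        return label, "modal"
    return ttl_bucket(latest["tcp_fp"]["ttl"]), "ttl"

# Constructed sample data (not captured traffic).
SYN_DB = TableProvider({("syn", 5840, 64): "Linux 2.6", ("synack", 5840, 64): "Linux 2.2"}, 0.9)
SCAN_EVENTS = [   # slow-scan shape: mostly unlabelled hits from one host, 11 hops away
    {"tcp_fp": {"window": 1024, "ttl": 53}, "tcp_fp_context": "syn", "os_guess": None},
    {"tcp_fp": {"window": 1024, "ttl": 53}, "tcp_fp_context": "syn", "os_guess": "Windows"},
    {"tcp_fp": {"window": 5840, "ttl": 53}, "tcp_fp_context": "syn", "os_guess": None},
]

if __name__ == "__main__":
    print(resolve_os_guess([SYN_DB], SCAN_EVENTS))             # ('Linux 2.6', 'osfp')
    print(resolve_os_guess([BrokenProvider()], SCAN_EVENTS))   # ('Windows', 'modal')
```

The broad `except Exception` in `match_via_providers` is the point of the wrapper: the chain degrades to the modal label or the TTL bucket rather than failing the whole profile rebuild, so a corrupt DB shows up as a worse guess, not as a stuck job.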
8a430bf725 feat(prober/osfp): P0fV2Provider + factory dispatch
- decnet/prober/osfp/p0f/provider.py: P0fV2Provider loads the four
  vendored .fp files into per-context signature lists (syn / synack /
  rst / stray) and matches via highest-specificity score across the
  relevant list. Also auto-picks up p0f-decnet.fp if present (GPL-3.0
  additions land there later, empty for now).
- decnet/prober/osfp/factory.py: get_provider / get_all_providers /
  reset_cache, mirrors decnet/geoip/factory exactly. Env-dispatched
  via DECNET_OSFP_PROVIDERS (default "p0f-v2"). Reserved names
  "nmap-osdb" (pending Fyodor's grant) and "decnet-observed" (our
  future curated DB) raise NotImplementedError — visible on the
  factory surface so a typo doesn't silently fall through.
- decnet/prober/osfp/__init__.py now re-exports the public API so
  callers use `from decnet.prober.osfp import get_provider` without
  reaching into submodules (upholds the provider-subpackage rule).

15 new provider+factory tests covering:
- All four DB contexts load (262/61/46/6 sigs per inventory).
- Known-good Linux 2.6 SYN + Linux 2.2 SYN-ACK match end-to-end.
- Unknown observations / contexts return None, not raise.
- Factory memoises, env override honoured, unsupported names raise.
- Reserved names raise NotImplementedError (not silent None).

`sniffer_rollup` wiring lands in the next commit.
2026-04-24 11:50:46 -04:00
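An added example of the factory surface this message describes: env-dispatched provider names, memoised instances, reserved names that raise `NotImplementedError` and unknown names that raise `ValueError` rather than returning `None`. It is not decnet's factory; the env var and provider names are taken from the message, while `P0fV2Provider` here is a stand-in that loads nothing, and the registry layout is an assumption.

```python
# Added example, not decnet's factory. P0fV2Provider is a stand-in.
import os
from typing import Callable, Dict, List, Mapping, Optional

ENV_VAR = "DECNET_OSFP_PROVIDERS"
DEFAULT_PROVIDERS = "p0f-v2"

class P0fV2Provider:
    """Stand-in for the real provider; a real one would load the .fp files here."""
    def match(self, observation, context):
        return None

_REGISTRY: Dict[str, Callable[[], object]] = {"p0f-v2": P0fV2Provider}
# Reserved: known but not built, so a config naming them fails loudly at the
# factory instead of silently falling through to a lower-quality guess.
_RESERVED: Dict[str, str] = {
    "nmap-osdb": "licence grant pending",
    "decnet-observed": "curated DB not built yet",
}
_cache: Dict[str, object] = {}

def get_provider(name: str):
    """Memoised: one instance per name per process (parsing a DB is not free)."""
    if name in _cache:
        return _cache[name]
    if name in _RESERVED:
        raise NotImplementedError(f"provider {name!r} is reserved: {_RESERVED[name]}")
    build = _REGISTRY.get(name)
    if build is None:
        raise ValueError(f"unknown OS-fingerprint provider {name!r}; known: {sorted(_REGISTRY)}")
    _cache[name] = build()
    return _cache[name]

def enabled_provider_names(environ: Optional[Mapping[str, str]] = None) -> List[str]:
    """Comma-separated, whitespace-tolerant, de-duplicated, declaration order kept."""
    env = os.environ if environ is None else environ
    names = [n.strip() for n in env.get(ENV_VAR, DEFAULT_PROVIDERS).split(",")]
    return list(dict.fromkeys(n for n in names if n))

def get_all_providers(environ: Optional[Mapping[str, str]] = None) -> List[object]:
    """Providers in declared order; a reserved or unknown name raises here, visibly."""
    return [get_provider(name) for name in enabled_provider_names(environ)]

def reset_cache() -> None:
    _cache.clear()
```

Passing `environ` explicitly keeps the factory testable without touching the process environment; production callers leave it at the default and get `os.environ`.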
41ff6b4b03 feat(prober/osfp): p0f v2 .fp parser + Signature scoring
First code layer of the OS-fingerprinting work on top of yesterday's
vendored p0f v2 database. Three new modules, all pure (no I/O outside
of the parser's file read):

- decnet/prober/osfp/base.py — Provider protocol + OsMatch dataclass
  matching the established Provider convention in decnet/geoip and
  decnet/bus. Docstring spells out the never-raise invariant: malformed
  input returns None, so a single bad event can't wedge a whole
  attacker-profile rebuild.

- decnet/prober/osfp/p0f/signature.py — Signature dataclass + three
  predicate helpers (WindowSpec / IntSpec / OptionToken) encoding the
  p0f v2 DSL's wildcard / modulo / MSS-multiple / MTU-multiple
  semantics. Scoring is our extension on top of upstream p0f's
  first-match-wins policy: each signature carries a precomputed
  specificity in [0, 1] so the factory can pick the most-specific
  match when multiple signatures fire against one observation.

- decnet/prober/osfp/p0f/format.py — .fp line parser. Every shipped
  field variant from the DSL spec at the top of p0f.fp is covered
  (Snn / Tnn / %nnn / * for window; T0 vs T; -/@/* os-genre prefixes;
  quirks as concatenated single-letter flags; '.' sentinels for
  no-options / no-quirks). Malformed lines log a warning and skip
  instead of aborting the whole file — 1 bad row must not cost the
  other 374.

20 parser tests + 14 scoring tests. Full vendored-DB smoke tests
confirm all 375 signatures parse round-trip (262 SYN + 61 SYN-ACK +
46 RST + 6 stray) and every computed specificity lands in [0, 1].
2026-04-24 11:47:54 -04:00
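The parser, `Signature` and scoring described in this message and in the sniffer_rollup commit above (soft `df` / `total_len`, hard `window` / `ttl` / `options` / `quirks`), as one added example. This is not decnet's `format.py` or `signature.py`: the row layout is the p0f v2 DSL (`wwww:ttt:D:ss:OOO...:QQ:OS:Details`), but the specificity weights, the MTU = MSS + 40 rule used for `Tnn` windows, and the sample rows are assumptions constructed for the illustration, not rows from the vendored database.

```python
# Added example, not decnet's parser or scoring code. Specificity weights and
# the MTU = MSS + 40 rule are assumptions; SAMPLE_FP rows are constructed.
import logging
import re
from dataclasses import dataclass
from typing import List, Mapping, Optional, Sequence, Tuple

log = logging.getLogger("osfp.p0f")
LINE_RE = re.compile(r"^([^:]+):(\d+):([01]):(\*|\d+):([^:]*):([^:]*):([^:]*):(.*)$")

def parse_window(text: str) -> Tuple[str, Optional[int]]:
    """'*' any; '%nnn' multiple of nnn; 'Snn' nn * MSS; 'Tnn' nn * MTU; digits literal."""
    if text == "*":
        return ("any", None)
    kind = {"%": "mod", "S": "mss", "T": "mtu"}.get(text[0])
    return (kind, int(text[1:])) if kind else ("lit", int(text))

def window_matches(spec: Tuple[str, Optional[int]], obs: Mapping) -> bool:
    kind, n = spec
    wss, mss = obs["window"], obs.get("mss")
    if kind in ("any", "lit", "mod"):
        return kind == "any" or (wss == n if kind == "lit" else wss % n == 0)
    if mss is None:                    # S/T forms need the MSS from the observed options
        return False
    return wss == (mss if kind == "mss" else mss + 40) * n   # assumption: MTU = MSS + 40

def option_matches(want: str, seen: str) -> bool:
    """Order-sensitive; 'M*'/'W*' accept any value; 'T0' (zero timestamp) differs from 'T'."""
    return seen[:1] == want[:1] if want in ("M*", "W*") else want == seen

def specificity_of(window, total_len, options) -> float:
    """Assumed weighting: literal fields 1, wildcards 0, MSS/MTU forms 0.6, modulo 0.4."""
    w = {"lit": 1.0, "mss": 0.6, "mtu": 0.6, "mod": 0.4, "any": 0.0}[window[0]]
    t = 1.0 if total_len is not None else 0.0
    o = sum(0.5 if tok.endswith("*") else 1.0 for tok in options) / len(options) if options else 0.0
    return round((w + t + o) / 3, 3)

@dataclass(frozen=True)
class Signature:
    window: Tuple[str, Optional[int]]
    ttl: int
    df: int
    total_len: Optional[int]      # None when the row says '*'
    options: Tuple[str, ...]
    quirks: str                   # '' when the row says '.'
    flag: str                     # '-' userland tool, '@' generic, '*' no detail, '' plain
    genre: str
    details: str
    specificity: float

    def score(self, obs: Mapping) -> Optional[float]:
        """None on a hard mismatch; df / total_len are soft, checked only when the
        observation carries them. obs['ttl'] must already be initial-TTL-normalised."""
        if any(key not in obs for key in ("window", "ttl", "options", "quirks")):
            return None
        seen = list(obs["options"])
        hard_ok = (window_matches(self.window, obs) and obs["ttl"] == self.ttl
                   and len(seen) == len(self.options)
                   and all(map(option_matches, self.options, seen))
                   and set(obs["quirks"]) == set(self.quirks))
        soft_ok = (obs.get("df", self.df) == self.df
                   and (self.total_len is None or obs.get("total_len", self.total_len) == self.total_len))
        return self.specificity if hard_ok and soft_ok else None

def parse_line(line: str) -> Optional[Signature]:
    """One .fp row -> Signature; blank/comment rows -> None; malformed rows warn and skip."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        w, ttl, df, ss, opts, quirks, genre, details = LINE_RE.match(line).groups()
        window = parse_window(w)
        total_len = None if ss == "*" else int(ss)
        options = () if opts == "." else tuple(opts.split(","))
        flag = genre[0] if genre and genre[0] in "-@*" else ""
        return Signature(window, int(ttl), int(df), total_len, options, "" if quirks == "." else quirks,
                         flag, genre[len(flag):], details, specificity_of(window, total_len, options))
    except (AttributeError, ValueError) as exc:   # no regex match -> .groups() on None
        log.warning("skipping malformed signature %r: %s", line, exc)
        return None

def load_db(text: str) -> List[Signature]:
    return [sig for sig in map(parse_line, text.splitlines()) if sig is not None]

def best_match(sigs: Sequence[Signature], obs: Mapping) -> Optional[Signature]:
    """Most-specific firing signature wins (upstream p0f stops at the first match)."""
    fired = [(sc, s) for sc, s in ((s.score(obs), s) for s in sigs) if sc is not None]
    return max(fired, key=lambda pair: pair[0])[1] if fired else None

SAMPLE_FP = """\
# constructed rows in p0f v2 layout: window:ttl:df:size:options:quirks:genre:details
S4:64:1:60:M*,S,T,N,W7:.:Linux:2.6 (newer, 7)
*:64:1:60:M*,S,T,N,W7:.:@Linux:2.6 (generic)
65535:128:1:48:M*,N,N,S:.:Windows:XP/2000 (RFC1323+, w+, tstamp-)
T4:64:0:*:M*,S,T,N,W0:Z:-Scanner:constructed userland tool
Sx:64:1:60:M*:.:Linux:bad window, must be skipped
S4:64:1:60:M*,S,T,N,W7:.
"""
```

With the two Linux rows both firing on a 5840-byte window with MSS 1460, the `S4` row outranks the `*` row, which is the behaviour the scoring layer adds over first-match-wins; the same observation without `df` or `total_len` still matches, while one that carries a wrong `total_len` is rejected.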