anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dev
DECNET/decnet/prober/osfp/p0f/data/README.md
anti 620e1f5b1d feat(prober): vendor p0f v2 TCP/IP fingerprint database (LGPL-2.1 → GPLv3 via §3) 
Ships the p0f v2.0.8 signature database for passive + active OS
fingerprinting. 375 total signatures across four probe contexts:

- p0f.fp  (262 sigs) — passive SYN fingerprints
- p0fa.fp ( 61 sigs) — SYN-ACK response, for active probes
- p0fr.fp ( 46 sigs) — RST response quirks
- p0fo.fp (  6 sigs) — "stray" packet fingerprints

Replaces reliance on the 10-signature hand-rolled p0f-lite table in
decnet/sniffer/p0f.py for any match job the upstream DB covers.
Keeping the hand-rolled table as a fallback for modern kernels the
v2 DB pre-dates — v2 froze in 2006 so post-Win10 / post-Linux-3.x
kernels won't match against upstream directly. DECNET-authored
additions will go in a sibling p0f-decnet.fp under GPLv3 (not yet
committed; added as the ingester observes real honeypot traffic).

Provenance (full chain in data/README.md):

- Source: Debian snapshot of p0f_2.0.8.orig.tar.gz
- SHA1 matches Debian-recorded 7b4d5b2f24af4b5a299979134bc7f6d7b1eaf875
- Files byte-identical to upstream tarball (verified by hash)

License chain:

- Upstream: LGPL-2.1 (doc/COPYING preserved verbatim as
  data/LICENSE.p0f-upstream, Michal Zalewski's copyright intact).
- DECNET uses the LGPL-2.1 §3 explicit permission to convert to any
  version of the GPL. These files, as consumed in DECNET, are
  effectively GPL-3.0. Chain documented in data/README.md so an
  auditor sees the full reasoning.
- LGPL-2.1 → GPL-3.0 §3 conversion is a settled compat path; same
  mechanism the kernel uses for LGPL userland glue and many other
  projects apply daily.

Rejected path — nmap-os-db under NPSL — because NPSL adds
restrictions GPLv3 §7 prohibits us from accepting. An email is out
to Fyodor requesting an open-source-author exception grant, but we
don't block on it: p0f v2 is a genuine accuracy improvement in
its own right, and adding nmap-osdb later (if granted) plugs into
the same provider interface with zero refactor.

Directory layout mirrors the established provider-subpackage pattern
(see decnet/geoip/, decnet/bus/) per the feedback_provider_
subpackages memory: base + factory + impl/ subpackages, no flat
files. Parser + matcher + factory wiring land in the next commit
sequence.
2026-04-24 11:39:33 -04:00

73 lines
3.3 KiB
Markdown
Raw Permalink Blame History

# p0f v2 fingerprint database (vendored)
This directory contains the p0f v2.0.8 TCP/IP fingerprint database as
published by Michal Zalewski in 2006, vendored here so DECNET's prober
and profiler can do passive / active OS fingerprinting without a runtime
network fetch.
## What's in here
| File | Purpose | Sigs |
|-----------------------|-----------------------------------------------|------|
| `p0f.fp` | SYN fingerprints (passive, incoming) | 262 |
| `p0fa.fp` | SYN-ACK fingerprints (active probe responses) | 61 |
| `p0fr.fp` | RST+ fingerprints (reset-response quirks) | 46 |
| `p0fo.fp` | "stray" fingerprints | 6 |
| `LICENSE.p0f-upstream`| Verbatim LGPL-2.1 text from upstream | — |
## Provenance
**Authoritative source:** Debian snapshot archive, `p0f_2.0.8.orig.tar.gz`.
- Archive URL: `https://snapshot.debian.org/archive/debian-archive/20120328T092752Z/debian/pool/main/p/p0f/p0f_2.0.8.orig.tar.gz`
- SHA-1 (upstream-recorded by Debian): `7b4d5b2f24af4b5a299979134bc7f6d7b1eaf875`
Files in this directory are byte-identical copies of the corresponding
files inside `p0f_2.0.8.orig.tar.gz::p0f/{doc/COPYING, *.fp}`.
## License + DECNET-side licensing stance
Upstream files are licensed under the **GNU Lesser General Public
License, version 2.1** (see `LICENSE.p0f-upstream` — verbatim copy of
upstream's `doc/COPYING`). Attribution belongs to Michal Zalewski and
the named contributors in the original upstream `CREDITS` file.
DECNET is licensed under **GPL-3.0-or-later**. LGPL-2.1 §3 explicitly
permits converting an LGPL-2.1 work to any version of the GPL at the
recipient's choice. DECNET exercises that conversion for the vendored
files: when consumed as part of DECNET they are effectively under
GPL-3.0. The upstream LGPL-2.1 notice is preserved so:
- Recipients of DECNET see the full chain (original LGPL-2.1 → §3
conversion → GPL-3.0), and
- Anyone who wants to use these signatures under LGPL-2.1 terms
(e.g. in an unrelated library) can still do so by pulling the files
directly from upstream.
## Modifications to upstream
**None.** The four `.fp` files in this directory are verbatim copies.
Any DECNET-authored additions go into a sibling file (`p0f-decnet.fp`,
currently absent) under GPL-3.0, loaded by the same parser. Keeping
upstream untouched means:
1. Syncing future upstream changes is a one-step file replacement.
2. Attribution is unambiguous: entries in `p0f*.fp` here are Michal's,
entries in `p0f-decnet.fp` are DECNET's.
3. If we ever want to contribute signatures back to upstream, it's a
one-file diff.
## Refreshing upstream
```
curl -O https://snapshot.debian.org/archive/debian-archive/20120328T092752Z/debian/pool/main/p/p0f/p0f_2.0.8.orig.tar.gz
echo "7b4d5b2f24af4b5a299979134bc7f6d7b1eaf875 p0f_2.0.8.orig.tar.gz" | sha1sum -c
tar xzf p0f_2.0.8.orig.tar.gz
cp p0f/p0f.fp p0f/p0fa.fp p0f/p0fr.fp p0f/p0fo.fp decnet/prober/osfp/p0f/data/
cp p0f/doc/COPYING decnet/prober/osfp/p0f/data/LICENSE.p0f-upstream
```
p0f v2 is no longer actively maintained upstream (last release 2006),
so refreshes are effectively N/A — but the procedure is recorded for
the case where a mirror we trust publishes a signed rebuild.
Reference in New Issue View Git Blame Copy Permalink