Ships the p0f v2.0.8 signature database for passive + active OS fingerprinting. 375 total signatures across four probe contexts:

- p0f.fp (262 sigs) — passive SYN fingerprints
- p0fa.fp (61 sigs) — SYN-ACK response, for active probes
- p0fr.fp (46 sigs) — RST response quirks
- p0fo.fp (6 sigs) — "stray" packet fingerprints

Replaces reliance on the 10-signature hand-rolled p0f-lite table in decnet/sniffer/p0f.py for any match job the upstream DB covers. Keeping the hand-rolled table as a fallback for modern kernels the v2 DB pre-dates — v2 froze in 2006 so post-Win10 / post-Linux-3.x kernels won't match against upstream directly. DECNET-authored additions will go in a sibling p0f-decnet.fp under GPLv3 (not yet committed; added as the ingester observes real honeypot traffic).

Provenance (full chain in data/README.md):

- Source: Debian snapshot of p0f_2.0.8.orig.tar.gz
- SHA1 matches Debian-recorded 7b4d5b2f24af4b5a299979134bc7f6d7b1eaf875
- Files byte-identical to upstream tarball (verified by hash)

License chain:

- Upstream: LGPL-2.1 (doc/COPYING preserved verbatim as data/LICENSE.p0f-upstream, Michal Zalewski's copyright intact).
- DECNET uses the LGPL-2.1 §3 explicit permission to convert to any version of the GPL. These files, as consumed in DECNET, are effectively GPL-3.0. Chain documented in data/README.md so an auditor sees the full reasoning.
- LGPL-2.1 → GPL-3.0 §3 conversion is a settled compat path; same mechanism the kernel uses for LGPL userland glue and many other projects apply daily.

Rejected path — nmap-os-db under NPSL — because NPSL adds restrictions GPLv3 §7 prohibits us from accepting. An email is out to Fyodor requesting an open-source-author exception grant, but we don't block on it: p0f v2 is a genuine accuracy improvement in its own right, and adding nmap-osdb later (if granted) plugs into the same provider interface with zero refactor.

Directory layout mirrors the established provider-subpackage pattern (see decnet/geoip/, decnet/bus/) per the feedback_provider_ subpackages memory: base + factory + impl/ subpackages, no flat files. Parser + matcher + factory wiring land in the next commit sequence.
p0f v2 fingerprint database (vendored)
This directory contains the p0f v2.0.8 TCP/IP fingerprint database as published by Michal Zalewski in 2006, vendored here so DECNET's prober and profiler can do passive / active OS fingerprinting without a runtime network fetch.
What's in here
| File | Purpose | Sigs |
|---|---|---|
| p0f.fp | SYN fingerprints (passive, incoming) | 262 |
| p0fa.fp | SYN-ACK fingerprints (active probe responses) | 61 |
| p0fr.fp | RST+ fingerprints (reset-response quirks) | 46 |
| p0fo.fp | "stray" fingerprints | 6 |
| LICENSE.p0f-upstream | Verbatim LGPL-2.1 text from upstream | — |
Provenance
Authoritative source: Debian snapshot archive, p0f_2.0.8.orig.tar.gz.
- Archive URL: https://snapshot.debian.org/archive/debian-archive/20120328T092752Z/debian/pool/main/p/p0f/p0f_2.0.8.orig.tar.gz
- SHA-1 (upstream-recorded by Debian): 7b4d5b2f24af4b5a299979134bc7f6d7b1eaf875
Files in this directory are byte-identical copies of the corresponding
files inside p0f_2.0.8.orig.tar.gz::p0f/{doc/COPYING, *.fp}.
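
The byte-identical claim can be re-checked mechanically, for example in CI. The following is an added example, not code from DECNET or from upstream p0f: the function names are hypothetical, and the member-to-file mapping is assumed from the refresh procedure in this README.

```python
import hashlib
import tarfile
from pathlib import Path

# Hash as recorded in this README; mapping of tarball member -> vendored file
# name follows the README's refresh procedure. Function names are this example's own.
EXPECTED_SHA1 = "7b4d5b2f24af4b5a299979134bc7f6d7b1eaf875"
MEMBERS = {
    "p0f/p0f.fp": "p0f.fp",
    "p0f/p0fa.fp": "p0fa.fp",
    "p0f/p0fr.fp": "p0fr.fp",
    "p0f/p0fo.fp": "p0fo.fp",
    "p0f/doc/COPYING": "LICENSE.p0f-upstream",
}


def sha1_file(path, chunk=1 << 16):
    """Stream a file through SHA-1 and return the hex digest."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_vendored(tarball, data_dir, expected_sha1=EXPECTED_SHA1, members=MEMBERS):
    """Return a list of problems; an empty list means the vendored copy checks out."""
    actual = sha1_file(tarball)
    if actual != expected_sha1:
        # Never open an archive whose hash does not match the recorded one.
        return [f"tarball sha1 mismatch: {actual}"]
    problems = []
    with tarfile.open(tarball, "r:gz") as tar:
        for member, vendored_name in members.items():
            try:
                src = tar.extractfile(member)  # read in memory, nothing written to disk
            except KeyError:
                src = None
            if src is None:
                problems.append(f"{member}: missing from tarball")
                continue
            vendored = Path(data_dir) / vendored_name
            if not vendored.is_file():
                problems.append(f"{vendored_name}: missing from data dir")
            elif vendored.read_bytes() != src.read():
                problems.append(f"{vendored_name}: differs from {member}")
    return problems
```

Call `verify_vendored("p0f_2.0.8.orig.tar.gz", "decnet/prober/osfp/p0f/data")` from the repository root and fail the job if the returned list is non-empty.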
License + DECNET-side licensing stance
Upstream files are licensed under the GNU Lesser General Public
License, version 2.1 (see LICENSE.p0f-upstream — verbatim copy of
upstream's doc/COPYING). Attribution belongs to Michal Zalewski and
the named contributors in the original upstream CREDITS file.
DECNET is licensed under GPL-3.0-or-later. LGPL-2.1 §3 explicitly permits converting an LGPL-2.1 work to any version of the GPL at the recipient's choice. DECNET exercises that conversion for the vendored files: when consumed as part of DECNET they are effectively under GPL-3.0. The upstream LGPL-2.1 notice is preserved so:
- Recipients of DECNET see the full chain (original LGPL-2.1 → §3 conversion → GPL-3.0), and
- Anyone who wants to use these signatures under LGPL-2.1 terms (e.g. in an unrelated library) can still do so by pulling the files directly from upstream.
Modifications to upstream
None. The four .fp files in this directory are verbatim copies.
Any DECNET-authored additions go into a sibling file (p0f-decnet.fp,
currently absent) under GPL-3.0, loaded by the same parser. Keeping
upstream untouched means:
- Syncing future upstream changes is a one-step file replacement.
- Attribution is unambiguous: entries in p0f*.fp here are Michal's, entries in p0f-decnet.fp are DECNET's.
- If we ever want to contribute signatures back to upstream, it's a one-file diff.
Refreshing upstream
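```sh
# Fetch the pinned tarball from the Debian snapshot archive.
curl -O https://snapshot.debian.org/archive/debian-archive/20120328T092752Z/debian/pool/main/p/p0f/p0f_2.0.8.orig.tar.gz
# Verify it against the Debian-recorded SHA-1 before unpacking (two spaces between hash and file name).
echo "7b4d5b2f24af4b5a299979134bc7f6d7b1eaf875  p0f_2.0.8.orig.tar.gz" | sha1sum -c
tar xzf p0f_2.0.8.orig.tar.gz
# Copy the four signature files and the license text into the vendored data directory.
cp p0f/p0f.fp p0f/p0fa.fp p0f/p0fr.fp p0f/p0fo.fp decnet/prober/osfp/p0f/data/
cp p0f/doc/COPYING decnet/prober/osfp/p0f/data/LICENSE.p0f-upstream
```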
p0f v2 is no longer actively maintained upstream (last release 2006), so refreshes are effectively N/A — but the procedure is recorded for the case where a mirror we trust publishes a signed rebuild.