anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
620e1f5b1deafb63c7f8593ae1494505617506fc
DECNET/decnet/prober/osfp/p0f/data/p0fo.fp
anti 620e1f5b1d feat(prober): vendor p0f v2 TCP/IP fingerprint database (LGPL-2.1 → GPLv3 via §3) 
Ships the p0f v2.0.8 signature database for passive + active OS
fingerprinting. 375 total signatures across four probe contexts:

- p0f.fp  (262 sigs) — passive SYN fingerprints
- p0fa.fp ( 61 sigs) — SYN-ACK response, for active probes
- p0fr.fp ( 46 sigs) — RST response quirks
- p0fo.fp (  6 sigs) — "stray" packet fingerprints

Replaces reliance on the 10-signature hand-rolled p0f-lite table in
decnet/sniffer/p0f.py for any match job the upstream DB covers.
Keeping the hand-rolled table as a fallback for modern kernels the
v2 DB pre-dates — v2 froze in 2006 so post-Win10 / post-Linux-3.x
kernels won't match against upstream directly. DECNET-authored
additions will go in a sibling p0f-decnet.fp under GPLv3 (not yet
committed; added as the ingester observes real honeypot traffic).

Provenance (full chain in data/README.md):

- Source: Debian snapshot of p0f_2.0.8.orig.tar.gz
- SHA1 matches Debian-recorded 7b4d5b2f24af4b5a299979134bc7f6d7b1eaf875
- Files byte-identical to upstream tarball (verified by hash)

License chain:

- Upstream: LGPL-2.1 (doc/COPYING preserved verbatim as
  data/LICENSE.p0f-upstream, Michal Zalewski's copyright intact).
- DECNET uses the LGPL-2.1 §3 explicit permission to convert to any
  version of the GPL. These files, as consumed in DECNET, are
  effectively GPL-3.0. Chain documented in data/README.md so an
  auditor sees the full reasoning.
- LGPL-2.1 → GPL-3.0 §3 conversion is a settled compat path; same
  mechanism the kernel uses for LGPL userland glue and many other
  projects apply daily.

Rejected path — nmap-os-db under NPSL — because NPSL adds
restrictions GPLv3 §7 prohibits us from accepting. An email is out
to Fyodor requesting an open-source-author exception grant, but we
don't block on it: p0f v2 is a genuine accuracy improvement in
its own right, and adding nmap-osdb later (if granted) plugs into
the same provider interface with zero refactor.

Directory layout mirrors the established provider-subpackage pattern
(see decnet/geoip/, decnet/bus/) per the feedback_provider_
subpackages memory: base + factory + impl/ subpackages, no flat
files. Parser + matcher + factory wiring land in the next commit
sequence.
2026-04-24 11:39:33 -04:00

49 lines
2.1 KiB
GLSL
Raw Blame History

#
# p0f - stray ACK signatures
# --------------------------
#
# .-------------------------------------------------------------------------.
# | The purpose of this file is to cover signatures for stray ACK packets |
# | (established session data). This mode of operation is enabled with -O |
# | option and is HIGHLY EXPERIMENTAL. Please refer to p0f.fp for more |
# | information on the metrics used and for a guide on adding new entries |
# | to this file. This database is looking for a caring maintainer. |
# `-------------------------------------------------------------------------'
#
# (C) Copyright 2000-2006 by Michal Zalewski <lcamtuf@coredump.cx>
#
# Submit all additions to the authors. Read p0f.fp before adding any
# signatures. Run p0f -O -C after making any modifications. This file is
# NOT compatible with SYN, SYN+ACK or RST+ modes. Use only with -O option.
#
# IMPORTANT INFORMATION ABOUT THE INTERDEPENDENCY OF SYNs AND ACKs
# ----------------------------------------------------------------
#
# Some systems would have different ACK fingerprints depending on the initial
# SYN or SYN+ACK received from the other party. More specifically, RFC1323,
# RFC2018 and RFC1644 extensions sometimes show up only if the other party had
# them enabled. Hence, the reliability of ACK fingerprints may be affected.
#
# IMPORTANT INFORMATION ABOUT DIFFERENCES IN COMPARISON TO p0f.fp:
# ----------------------------------------------------------------
#
# - Packet size MUST be wildcarded. ACK packets, by their nature, have
# variable sizes, depending on the amount of data carried as a payload.
#
# - Similarly, 'D' quirk is not checked for, and is not allowed in signatures
# in this file. A good number of ACK packets have payloads.
#
# - PUSH flag is excluded from 'F' quirk checks in this mode.
#
# - 'A' quirk is not a bug; all AC packets should have it set; also,
# 'T' quirk is not an anomaly; its absence on systems with T option is.
#
32767:64:1:*:N,N,T:AT:Linux:2.4.2x (local?)
*:64:1:*:.:A:Linux:2.4.2x
32736:64:0:*:.:A:Linux:2.0.3x
57600:64:1:*:N,N,T:AT:FreeBSD:4.8
%12:128:1:*:.:A:Windows:XP
S44:128:1:*:.:A:Windows:XP
Reference in New Issue View Git Blame Copy Permalink