anti
916b21b652
Replace _jarm_phase / _hassh_phase / _tcpfp_phase boilerplate (3×~50
lines of identical port-iteration logic) with a metaclass-registered ABC.
Adding a new port-iterating active probe is now one class + three methods.
- decnet/prober/base.py: ActiveProbeMeta auto-registers subclasses by
probe_name; ActiveProbe ABC enforces run/syslog_fields/publish_payload
with env-driven DECNET_PROBE_PORTS_<NAME> port override.
- decnet/prober/probes/{jarm,hassh,tcpfp}.py: concrete probe classes.
- decnet/prober/worker.py: single _run_probe driver replaces the three
phase functions; _probe_cycle iterates ActiveProbeMeta.all(); drops
the ports=/ssh_ports=/tcpfp_ports= kwargs from prober_worker.
- IPv6 leak and TLS cert capture stay as special cases (different call
shapes; intentionally outside the registry).
- tests/prober/test_active_probe_registry.py: registry contents, sort
order, priority-10 override, ABC contract per probe class.
- tests/prober/test_run_probe_driver.py: dedup, success, None-skip,
exception, rotation, publish paths for _run_probe.
- tests/prober/test_prober_worker.py: updated patch targets and
_probe_cycle call sites; port control via monkeypatch.setattr.
51 lines
1.8 KiB
Python
51 lines
1.8 KiB
Python
from __future__ import annotations
|
|
|
|
from typing import Any
|
|
|
|
from decnet.prober.base import ActiveProbe
|
|
from decnet.prober.tcpfp import tcp_fingerprint
|
|
from decnet.telemetry import traced as _traced
|
|
|
|
DEFAULT_PORTS: list[int] = [22, 80, 443, 8080, 8443, 445, 3389]
|
|
|
|
|
|
class TcpfpProbe(ActiveProbe):
|
|
probe_name = "tcpfp"
|
|
default_ports = DEFAULT_PORTS
|
|
event_type = "tcpfp_fingerprint"
|
|
rotation_type = "tcpfp"
|
|
rotation_hash_key = "tcpfp_hash"
|
|
priority = 100
|
|
|
|
@_traced("prober.tcpfp_probe")
|
|
def run(self, ip: str, port: int, timeout: float) -> dict[str, Any] | None:
|
|
return tcp_fingerprint(ip, port, timeout=timeout)
|
|
|
|
def syslog_fields(self, ip: str, port: int, result: dict[str, Any]) -> tuple[dict[str, Any], str]:
|
|
fields = {
|
|
"tcpfp_hash": result["tcpfp_hash"],
|
|
"tcpfp_raw": result["tcpfp_raw"],
|
|
"ttl": str(result["ttl"]),
|
|
"window_size": str(result["window_size"]),
|
|
"df_bit": str(result["df_bit"]),
|
|
"mss": str(result["mss"]),
|
|
"window_scale": str(result["window_scale"]),
|
|
"sack_ok": str(result["sack_ok"]),
|
|
"timestamp": str(result["timestamp"]),
|
|
"options_order": result["options_order"],
|
|
"tos": str(result["tos"]),
|
|
"dscp": str(result["dscp"]),
|
|
"ecn": str(result["ecn"]),
|
|
"server_isn": str(result["server_isn"]),
|
|
}
|
|
return fields, f"TCPFP {ip}:{port} = {result['tcpfp_hash']}"
|
|
|
|
def publish_payload(self, ip: str, port: int, result: dict[str, Any]) -> dict[str, Any]:
|
|
return {
|
|
"attacker_ip": ip,
|
|
"port": port,
|
|
"tcpfp_hash": result["tcpfp_hash"],
|
|
"ttl": result["ttl"],
|
|
"mss": result["mss"],
|
|
}
|