Adds Michael / DeFlockJoplin's high-precision detection method on top of
the NitekryDPaul baseline: a Flock camera is flagged when it transmits a
Probe Request (type=0 subtype=4) with a wildcard SSID IE (tag 0 len 0)
AND its addr2 matches the OUI list. Drive-test in Joplin: 11/12 cameras
caught with only 2 false positives.
- New AlertType ALERT_WILDCARD_PROBE, emitted as detection_method
'wifi_wildcard_probe' (high-precision class)
- Wildcard-probe hits suppress the addr2 broad alert for the same frame
to prevent double counting; non-probe OUI matches still emit as
'wifi_oui_addr2'
- IE parser returns tri-state (1=wildcard / 0=directed / -1=no SSID IE),
with FCS-trailer retry only on the -1 no-IE case
- addr1 receiver-side sleeper-catch and the optional addr3 + SSID paths
are unchanged — wildcard is purely additive
- 31st OUI 82:6b:f2 added to target_ouis[] and to the dataset doc; it's
the OUI of the 12th camera in Michael's drive-test that the original
30 didn't catch
- README explains the wildcard-probe method, credits Michael with a link
to github.com/DeflockJoplin/flock-you, and bumps Acknowledgments
Source: https://github.com/DeflockJoplin/flock-you
30 Flock Safety infrastructure OUIs identified by @NitekryDPaul via
2.4 GHz promiscuous-mode analysis, including the addr1-receiver
detection technique that catches Flock STAs during burst-sleep
duty cycles. Full credit and methodology in the new file.
Colonel Panic