librex 0.0.68 → 0.0.70

data/lib/rex/parser/ci_nokogiri.rb

@@ -4,190 +4,190 @@ require "rex/parser/nokogiri_doc_mixin"
 require 'msf/core'
 
 module Rex
-	module Parser
-
-		# If Nokogiri is available, define the document class.
-		load_nokogiri && class CIDocument < Nokogiri::XML::SAX::Document
-
-		include NokogiriDocMixin
-
-		attr_reader :text
-
-		def initialize(*args)
-			super(*args)
-			@state[:has_text] = true
-		end
-
-		# Triggered every time a new element is encountered. We keep state
-		# ourselves with the @state variable, turning things on when we
-		# get here (and turning things off when we exit in end_element()).
-		def start_element(name=nil,attrs=[])
-			attrs = normalize_attrs(attrs)
-			block = @block
-
-			r = { :e => name }
-			attrs.each { |pair| r[pair[0]] = pair[1] }
-
-			if @state[:path]
-				@state[:path].push r
-			end
-
-			case name
-			when "entity"
-				@state[:path] = [ r ]
-				record_device(r)
-			when "property"
-				return if not @state[:address]
-				return if not @state[:props]
-				@state[:props] << [ r["type"], r["key"]]
-			end
-		end
-
-		# When we exit a tag, this is triggered.
-		def end_element(name=nil)
-			block = @block
-			case name
-			when "entity" # Wrap it up
-				if @state[:address]
-					host_object = report_host &block
-					report_services(host_object)
-					report_vulns(host_object)
-				end
-				# Reset the state once we close a host
-				@report_data = {:wspace => @args[:wspace]}
-				@state[:root] = {}
-			when "property"
-				if @state[:props]
-					@text.strip! if @text
-					process_property
-					@state[:props].pop
-				end
-			end
-			@state[:path].pop
-			@text = nil
-		end
-
-		def record_device(info)
-			if info["class"] and info["class"] == "host" and info["name"]
-				address = info["name"].to_s.gsub(/^.*\//, '')
-				return if address !~ /^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/
-				@state[:address] = address
-				@state[:props]   = []
-			end
-		end
-
-		def process_property
-			return if not @state[:props]
-			return if not @state[:props].length > 0
-			@state[:root] ||= {}
-			@cobj = @state[:root]
-			property_parser(0)
-		end
-
-		def property_parser(idx)
-			return if not @state[:props][idx]
-			case @state[:props][idx][0]
-			when "container", "ports", "entity", "properties"
-				@cobj[ @state[:props][idx][1] ] ||= {}
-				@cobj = @cobj[ @state[:props][idx][1] ]
-			else
-				@cobj[ state[:props][idx][1] ] = @text
-			end
-			property_parser(idx + 1)
-		end
-
-		def report_host(&block)
-			@report_data = {
-				:ports  => [:ignore],
-				:state  => Msf::HostState::Alive,
-				:host   => @state[:address]
-			}
-
-			if @state[:root]["dns names"] and @state[:root]["dns names"].keys.length > 0
-				@report_data[:name] = @state[:root]["dns names"].keys.first
-			end
-
-			if host_is_okay
-				@report_data.delete(:ports)
-
-				db.emit(:address, @report_data[:host],&block) if block
-				host_object = db_report(:host, @report_data.merge(
-					:workspace => @args[:wspace] ) )
-				if host_object
-					db.report_import_note(host_object.workspace, host_object)
-				end
-				host_object
-			end
-		end
-
-		def report_services(host_object)
-			return unless host_object.kind_of? ::Mdm::Host
-
-			snames = {}
-			( @state[:root]["services"] || {} ).each_pair do |sname, sinfo|
-				sinfo.each_pair do |pinfo,pdata|
-					snames[pinfo] = sname.dup
-				end
-			end
-
-			reported = []
-			if @state[:root]["tcp_ports"]
-				@state[:root]["tcp_ports"].each_pair do |pn, ps|
-					ps = "open" if ps == "listen"
-					svc = { :port => pn.to_i, :state => ps, :proto => 'tcp'}
-					if @state[:root]["Banners"] and @state[:root]["Banners"][pn.to_s]
-						svc[:info] = @state[:root]["Banners"][pn.to_s]
-					end
-					svc[:name] = snames["#{pn}-tcp"] if snames["#{pn}-tcp"]
-					reported << db_report(:service, svc.merge(:host => host_object))
-				end
-			end
-
-			if @state[:root]["udp_ports"]
-				@state[:root]["udp_ports"].each_pair do |pn, ps|
-					ps = "open" if ps == "listen"
-					svc = { :port => pn.to_i, :state => ps, :proto => 'udp'}
-					svc[:name] = snames["#{pn}-udp"] if snames["#{pn}-tcp"]
-					reported << db_report(:service, svc.merge(:host => host_object))
-				end
-			end
-
-			( @state[:root]["services"] || {} ).each_pair do |sname, sinfo|
-				sinfo.each_pair do |pinfo,pdata|
-					sport,sproto = pinfo.split("-")
-					db_report(:note, {
-						:host => host_object,
-						:port => sport.to_i,
-						:proto => sproto,
-						:ntype => "ci.#{sname}.fingerprint",
-						:data => pdata
-					})
-				end
-			end
-
-			reported
-		end
-
-		def report_vulns(host_object)
-			vuln_count = 0
-			block = @block
-			return unless host_object.kind_of? ::Mdm::Host
-			return unless @state[:root]["Vulnerabilities"]
-			@state[:root]["Vulnerabilities"].each_pair do |cve, vinfo|
-				vinfo.each_pair do |vname, vdesc|
-					data = {
-						:workspace => host_object.workspace,
-						:host => host_object,
-						:name => vname,
-						:info => vdesc,
-						:refs => [ cve ]
-					}
-					db_report(:vuln, data)
-				end
-			end
-		end
-
-	end
+  module Parser
+
+    # If Nokogiri is available, define the document class.
+    load_nokogiri && class CIDocument < Nokogiri::XML::SAX::Document
+
+    include NokogiriDocMixin
+
+    attr_reader :text
+
+    def initialize(*args)
+      super(*args)
+      @state[:has_text] = true
+    end
+
+    # Triggered every time a new element is encountered. We keep state
+    # ourselves with the @state variable, turning things on when we
+    # get here (and turning things off when we exit in end_element()).
+    def start_element(name=nil,attrs=[])
+      attrs = normalize_attrs(attrs)
+      block = @block
+
+      r = { :e => name }
+      attrs.each { |pair| r[pair[0]] = pair[1] }
+
+      if @state[:path]
+        @state[:path].push r
+      end
+
+      case name
+      when "entity"
+        @state[:path] = [ r ]
+        record_device(r)
+      when "property"
+        return if not @state[:address]
+        return if not @state[:props]
+        @state[:props] << [ r["type"], r["key"]]
+      end
+    end
+
+    # When we exit a tag, this is triggered.
+    def end_element(name=nil)
+      block = @block
+      case name
+      when "entity" # Wrap it up
+        if @state[:address]
+          host_object = report_host &block
+          report_services(host_object)
+          report_vulns(host_object)
+        end
+        # Reset the state once we close a host
+        @report_data = {:wspace => @args[:wspace]}
+        @state[:root] = {}
+      when "property"
+        if @state[:props]
+          @text.strip! if @text
+          process_property
+          @state[:props].pop
+        end
+      end
+      @state[:path].pop
+      @text = nil
+    end
+
+    def record_device(info)
+      if info["class"] and info["class"] == "host" and info["name"]
+        address = info["name"].to_s.gsub(/^.*\//, '')
+        return if address !~ /^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/
+        @state[:address] = address
+        @state[:props]   = []
+      end
+    end
+
+    def process_property
+      return if not @state[:props]
+      return if not @state[:props].length > 0
+      @state[:root] ||= {}
+      @cobj = @state[:root]
+      property_parser(0)
+    end
+
+    def property_parser(idx)
+      return if not @state[:props][idx]
+      case @state[:props][idx][0]
+      when "container", "ports", "entity", "properties"
+        @cobj[ @state[:props][idx][1] ] ||= {}
+        @cobj = @cobj[ @state[:props][idx][1] ]
+      else
+        @cobj[ state[:props][idx][1] ] = @text
+      end
+      property_parser(idx + 1)
+    end
+
+    def report_host(&block)
+      @report_data = {
+        :ports  => [:ignore],
+        :state  => Msf::HostState::Alive,
+        :host   => @state[:address]
+      }
+
+      if @state[:root]["dns names"] and @state[:root]["dns names"].keys.length > 0
+        @report_data[:name] = @state[:root]["dns names"].keys.first
+      end
+
+      if host_is_okay
+        @report_data.delete(:ports)
+
+        db.emit(:address, @report_data[:host],&block) if block
+        host_object = db_report(:host, @report_data.merge(
+          :workspace => @args[:wspace] ) )
+        if host_object
+          db.report_import_note(host_object.workspace, host_object)
+        end
+        host_object
+      end
+    end
+
+    def report_services(host_object)
+      return unless host_object.kind_of? ::Mdm::Host
+
+      snames = {}
+      ( @state[:root]["services"] || {} ).each_pair do |sname, sinfo|
+        sinfo.each_pair do |pinfo,pdata|
+          snames[pinfo] = sname.dup
+        end
+      end
+
+      reported = []
+      if @state[:root]["tcp_ports"]
+        @state[:root]["tcp_ports"].each_pair do |pn, ps|
+          ps = "open" if ps == "listen"
+          svc = { :port => pn.to_i, :state => ps, :proto => 'tcp'}
+          if @state[:root]["Banners"] and @state[:root]["Banners"][pn.to_s]
+            svc[:info] = @state[:root]["Banners"][pn.to_s]
+          end
+          svc[:name] = snames["#{pn}-tcp"] if snames["#{pn}-tcp"]
+          reported << db_report(:service, svc.merge(:host => host_object))
+        end
+      end
+
+      if @state[:root]["udp_ports"]
+        @state[:root]["udp_ports"].each_pair do |pn, ps|
+          ps = "open" if ps == "listen"
+          svc = { :port => pn.to_i, :state => ps, :proto => 'udp'}
+          svc[:name] = snames["#{pn}-udp"] if snames["#{pn}-tcp"]
+          reported << db_report(:service, svc.merge(:host => host_object))
+        end
+      end
+
+      ( @state[:root]["services"] || {} ).each_pair do |sname, sinfo|
+        sinfo.each_pair do |pinfo,pdata|
+          sport,sproto = pinfo.split("-")
+          db_report(:note, {
+            :host => host_object,
+            :port => sport.to_i,
+            :proto => sproto,
+            :ntype => "ci.#{sname}.fingerprint",
+            :data => pdata
+          })
+        end
+      end
+
+      reported
+    end
+
+    def report_vulns(host_object)
+      vuln_count = 0
+      block = @block
+      return unless host_object.kind_of? ::Mdm::Host
+      return unless @state[:root]["Vulnerabilities"]
+      @state[:root]["Vulnerabilities"].each_pair do |cve, vinfo|
+        vinfo.each_pair do |vname, vdesc|
+          data = {
+            :workspace => host_object.workspace,
+            :host => host_object,
+            :name => vname,
+            :info => vdesc,
+            :refs => [ cve ]
+          }
+          db_report(:vuln, data)
+        end
+      end
+    end
+
+  end
 end
 end
 

data/lib/rex/parser/foundstone_nokogiri.rb

@@ -2,339 +2,340 @@
 require "rex/parser/nokogiri_doc_mixin"
 
 module Rex
-	module Parser
-
-		# If Nokogiri is available, define Template document class.
-		load_nokogiri && class FoundstoneDocument < Nokogiri::XML::SAX::Document
-
-		include NokogiriDocMixin
-
-		def start_document
-			@report_type_ok = true # Optimistic
-		end
-
-		# Triggered every time a new element is encountered. We keep state
-		# ourselves with the @state variable, turning things on when we
-		# get here (and turning things off when we exit in end_element()).
-		def start_element(name=nil,attrs=[])
-			attrs = normalize_attrs(attrs)
-			block = @block
-			return unless @report_type_ok
-			@state[:current_tag][name] = true
-			case name
-			when "ReportInfo"
-				check_for_correct_report_type(attrs,&block)
-			when "Host"
-				record_host(attrs)
-			when "Service"
-				record_service(attrs)
-			when "Port", "Protocol", "Banner"
-				@state[:has_text] = true
-			when "Vuln" # under VulnsFound, ignore risk 0 things
-				record_vuln(attrs)
-			when "Risk" # for Vuln
-				@state[:has_text] = true
-			when "CVE" # Under Vuln
-				@state[:has_text] = true
-			end
-		end
-
-		# When we exit a tag, this is triggered.
-		def end_element(name=nil)
-			block = @block
-			return unless @report_type_ok
-			case name
-			when "Host" # Wrap it up
-				collect_host_data
-				host_object = report_host &block
-				if host_object
-					db.report_import_note(@args[:wspace],host_object)
-					report_fingerprint(host_object)
-					report_services(host_object)
-					report_vulns(host_object)
-				end
-				# Reset the state once we close a host
-				@state.delete_if {|k| k != :current_tag}
-			when "Port"
-				@state[:has_text] = false
-				collect_port
-			when "Protocol"
-				@state[:has_text] = false
-				collect_protocol
-			when "Banner"
-				collect_banner
-				@state[:has_text] = false
-			when "Service"
-				collect_service
-			when "Vuln"
-				collect_vuln
-			when "Risk"
-				@state[:has_text] = false
-				collect_risk
-			when "CVE"
-				@state[:has_text] = false
-				collect_cve
-			end
-			@state[:current_tag].delete name
-		end
-
-		# Nothing technically stopping us from parsing this as well,
-		# but saving this for later
-		def check_for_correct_report_type(attrs,&block)
-			report_type = attr_hash(attrs)["ReportType"]
-			if report_type == "Network Inventory"
-				@report_type_ok = true
-			else
-				if report_type == "Risk Data"
-					msg = "The Foundstone/Mcafee report type '#{report_type}' is not currently supported"
-					msg << ",\nso no data will be imported. Please use the 'Network Inventory' report instead."
-				else
-					msg = ".\nThe Foundstone/Macafee report type '#{report_type}' is unsupported."
-				end
-				db.emit(:warning,msg,&block) if block
-				@report_type_ok = false
-			end
-		end
-
-		def collect_risk
-			return unless in_tag("VulnsFound")
-			return unless in_tag("HostData")
-			return unless in_tag("Host")
-			risk = @text.to_s.to_i
-			@state[:vuln][:risk] = risk
-			@text = nil
-		end
-
-		def collect_cve
-			return unless in_tag("VulnsFound")
-			return unless in_tag("HostData")
-			return unless in_tag("Host")
-			cve = @text.to_s
-			@state[:vuln][:cves] ||= []
-			@state[:vuln][:cves] << cve unless cve == "CVE-MAP-NOMATCH"
-			@text = nil
-		end
-
-		# Determines if we should keep the vuln or not. Note that
-		# we cannot tie them to a service.
-		def collect_vuln
-			return unless in_tag("VulnsFound")
-			return unless in_tag("HostData")
-			return unless in_tag("Host")
-			return if @state[:vuln][:risk] == 0
-			@report_data[:vulns] ||= []
-			vuln_hash = {}
-			vuln_hash[:name] = @state[:vuln]["VulnName"]
-			refs = []
-			refs << "FID-#{@state[:vuln]["id"]}"
-			if @state[:vuln][:cves]
-				@state[:vuln][:cves].each {|cve| refs << cve}
-			end
-			vuln_hash[:refs] = refs
-			@report_data[:vulns] << vuln_hash
-		end
-
-		# These are per host.
-		def record_vuln(attrs)
-			return unless in_tag("VulnsFound")
-			return unless in_tag("HostData")
-			return unless in_tag("Host")
-			@state[:vulns] ||= []
-
-			@state[:vuln] = attr_hash(attrs) # id and VulnName
-		end
-
-		def record_service(attrs)
-			return unless in_tag("ServicesFound")
-			return unless in_tag("Host")
-			@state[:service] = attr_hash(attrs)
-		end
-
-		def collect_port
-			return unless in_tag("Service")
-			return unless in_tag("ServicesFound")
-			return unless in_tag("Host")
-			return if @text.nil? || @text.empty?
-			@state[:service][:port] = @text.strip
-			@text = nil
-		end
-
-		def collect_protocol
-			return unless in_tag("Service")
-			return unless in_tag("ServicesFound")
-			return unless in_tag("Host")
-			return if @text.nil? || @text.empty?
-			@state[:service][:proto] = @text.strip
-			@text = nil
-		end
-
-		def collect_banner
-			return unless in_tag("Service")
-			return unless in_tag("ServicesFound")
-			return unless in_tag("Host")
-			return if @text.nil? || @text.empty?
-			banner = normalize_foundstone_banner(@state[:service]["ServiceName"],@text)
-			unless banner.nil? || banner.empty?
-				@state[:service][:banner] = banner
-			end
-			@text = nil
-		end
-
-		def collect_service
-			return unless in_tag("ServicesFound")
-			return unless in_tag("Host")
-			return unless @state[:service][:port]
-			@report_data[:ports] ||= []
-			port_hash = {}
-		 	port_hash[:port] = @state[:service][:port]
-		 	port_hash[:proto] = @state[:service][:proto]
-		 	port_hash[:info] = @state[:service][:banner]
-		 	port_hash[:name] = db.nmap_msf_service_map(@state[:service]["ServiceName"])
-			@report_data[:ports] << port_hash
-		end
-
-		def record_host(attrs)
-			return unless in_tag("HostData")
-			@state[:host] = attr_hash(attrs)
-		end
-
-		def collect_host_data
-			@report_data[:host] = @state[:host]["IPAddress"]
-			if @state[:host]["NBName"] && !@state[:host]["NBName"].empty?
-				@report_data[:name] = @state[:host]["NBName"]
-			elsif @state[:host]["DNSName"] && !@state[:host]["DNSName"].empty?
-				@report_data[:name] = @state[:host]["DNSName"]
-			end
-			if @state[:host]["OSName"] && !@state[:host]["OSName"].empty?
-				@report_data[:os_fingerprint] = @state[:host]["OSName"]
-			end
-			@report_data[:state] = Msf::HostState::Alive
-			@report_data[:mac] = @state[:mac] if @state[:mac]
-		end
-
-		def report_host(&block)
-			return unless in_tag("HostData")
-			if host_is_okay
-				db.emit(:address,@report_data[:host],&block) if block
-				host_info = @report_data.merge(:workspace => @args[:wspace])
-				db_report(:host,host_info)
-			end
-		end
-
-		def report_fingerprint(host_object)
-			fp_note = {
-				:workspace => host_object.workspace,
-				:host => host_object,
-				:type => 'host.os.foundstone_fingerprint',
-				:data => {:os => @report_data[:os_fingerprint] }
-			}
-			db_report(:note, fp_note)
-		end
-
-		def report_services(host_object)
-			return unless in_tag("HostData")
-			return unless host_object.kind_of? ::Mdm::Host
-			return unless @report_data[:ports]
-			return if @report_data[:ports].empty?
-			@report_data[:ports].each do |svc|
-				db_report(:service, svc.merge(:host => host_object))
-			end
-		end
-
-		def report_vulns(host_object)
-			return unless in_tag("HostData")
-			return unless host_object.kind_of? ::Mdm::Host
-			return unless @report_data[:vulns]
-			return if @report_data[:vulns].empty?
-			@report_data[:vulns].each do |vuln|
-				db_report(:vuln, vuln.merge(:host => host_object))
-			end
-		end
-
-		# Foundstone's banners are pretty free-form
-		# and often not just banners. Clean them up
-		# for the :info field, delegate off for other
-		# protocol data we can use.
-		def normalize_foundstone_banner(service,banner)
-			return "" if(banner.nil? || banner.strip.empty?)
-			if first_line_only? service
-				return (first_line banner)
-			elsif needs_more_processing? service
-				return process_service(service,banner)
-			else
-				return (first_line banner)
-			end
-		end
-
-		# Services where we only care about the first
-		# line of the banner tag.
-		def first_line_only?(service)
-			svcs = %w{
-				vnc ftp ftps smtp oracle-tns nntp ssh ntp
-			}
-			9.times {|i| svcs << "vnc-#{i}"}
-			svcs.include? service
-		end
-
-		# Services where we need to do more processing
-		# before handing the banner back.
-		def needs_more_processing?(service)
-			svcs = %w{
-				microsoft-ds loc-srv http https sunrpc netbios-ns
-			}
-			svcs.include? service
-		end
-
-		def first_line(str)
-			str.split("\n").first.to_s.strip
-		end
-
-		# XXX: Actually implement more of these
-		def process_service(service,banner)
-			meth = "process_service_#{service.gsub("-","_")}"
-			if self.respond_to? meth
-				self.send meth, banner
-			else
-				return (first_line banner)
-			end
-		end
-
-		# XXX: Register a proper netbios note as the regular
-		# scanner does.
-		def process_service_netbios_ns(banner)
-			mac_regex = /[0-9A-Fa-f:]{17}/
-			@state[:mac] = banner[mac_regex]
-			first_line banner
-		end
-
-		# XXX: Make this behave more like the smb scanner
-		def process_service_microsoft_ds(banner)
-			lm_regex = /Native LAN Manager/
-			lm_banner = nil
-			banner.each_line { |line|
-				if line[lm_regex]
-					lm_banner = line
-					break
-				end
-			}
-			lm_banner || first_line(banner)
-		end
-
-		def process_service_http(banner)
-			server = nil
-			banner.each_line do |line|
-				if line =~ /^Server:\s+(.*)/
-					server = $1
-					break
-				end
-			end
-			server || first_line(banner)
-		end
-
-		alias :process_service_https :process_service_http
-		alias :process_service_rtsp :process_service_http
-
-	end
+  module Parser
+
+    # If Nokogiri is available, define Template document class.
+    load_nokogiri && class FoundstoneDocument < Nokogiri::XML::SAX::Document
+
+    include NokogiriDocMixin
+
+    def start_document
+      @report_type_ok = true # Optimistic
+    end
+
+    # Triggered every time a new element is encountered. We keep state
+    # ourselves with the @state variable, turning things on when we
+    # get here (and turning things off when we exit in end_element()).
+    def start_element(name=nil,attrs=[])
+      attrs = normalize_attrs(attrs)
+      block = @block
+      return unless @report_type_ok
+      @state[:current_tag][name] = true
+      case name
+      when "ReportInfo"
+        check_for_correct_report_type(attrs,&block)
+      when "Host"
+        record_host(attrs)
+      when "Service"
+        record_service(attrs)
+      when "Port", "Protocol", "Banner"
+        @state[:has_text] = true
+      when "Vuln" # under VulnsFound, ignore risk 0 things
+        record_vuln(attrs)
+      when "Risk" # for Vuln
+        @state[:has_text] = true
+      when "CVE" # Under Vuln
+        @state[:has_text] = true
+      end
+    end
+
+    # When we exit a tag, this is triggered.
+    def end_element(name=nil)
+      block = @block
+      return unless @report_type_ok
+      case name
+      when "Host" # Wrap it up
+        collect_host_data
+        host_object = report_host &block
+        if host_object
+          db.report_import_note(@args[:wspace],host_object)
+          report_fingerprint(host_object)
+          report_services(host_object)
+          report_vulns(host_object)
+        end
+        # Reset the state once we close a host
+        @state.delete_if {|k| k != :current_tag}
+        @report_data = {:wspace => args[:wspace]}
+      when "Port"
+        @state[:has_text] = false
+        collect_port
+      when "Protocol"
+        @state[:has_text] = false
+        collect_protocol
+      when "Banner"
+        collect_banner
+        @state[:has_text] = false
+      when "Service"
+        collect_service
+      when "Vuln"
+        collect_vuln
+      when "Risk"
+        @state[:has_text] = false
+        collect_risk
+      when "CVE"
+        @state[:has_text] = false
+        collect_cve
+      end
+      @state[:current_tag].delete name
+    end
+
+    # Nothing technically stopping us from parsing this as well,
+    # but saving this for later
+    def check_for_correct_report_type(attrs,&block)
+      report_type = attr_hash(attrs)["ReportType"]
+      if report_type == "Network Inventory"
+        @report_type_ok = true
+      else
+        if report_type == "Risk Data"
+          msg = "The Foundstone/Mcafee report type '#{report_type}' is not currently supported"
+          msg << ",\nso no data will be imported. Please use the 'Network Inventory' report instead."
+        else
+          msg = ".\nThe Foundstone/Macafee report type '#{report_type}' is unsupported."
+        end
+        db.emit(:warning,msg,&block) if block
+        @report_type_ok = false
+      end
+    end
+
+    def collect_risk
+      return unless in_tag("VulnsFound")
+      return unless in_tag("HostData")
+      return unless in_tag("Host")
+      risk = @text.to_s.to_i
+      @state[:vuln][:risk] = risk
+      @text = nil
+    end
+
+    def collect_cve
+      return unless in_tag("VulnsFound")
+      return unless in_tag("HostData")
+      return unless in_tag("Host")
+      cve = @text.to_s
+      @state[:vuln][:cves] ||= []
+      @state[:vuln][:cves] << cve unless cve == "CVE-MAP-NOMATCH"
+      @text = nil
+    end
+
+    # Determines if we should keep the vuln or not. Note that
+    # we cannot tie them to a service.
+    def collect_vuln
+      return unless in_tag("VulnsFound")
+      return unless in_tag("HostData")
+      return unless in_tag("Host")
+      return if @state[:vuln][:risk] == 0
+      @report_data[:vulns] ||= []
+      vuln_hash = {}
+      vuln_hash[:name] = @state[:vuln]["VulnName"]
+      refs = []
+      refs << "FID-#{@state[:vuln]["id"]}"
+      if @state[:vuln][:cves]
+        @state[:vuln][:cves].each {|cve| refs << cve}
+      end
+      vuln_hash[:refs] = refs
+      @report_data[:vulns] << vuln_hash
+    end
+
+    # These are per host.
+    def record_vuln(attrs)
+      return unless in_tag("VulnsFound")
+      return unless in_tag("HostData")
+      return unless in_tag("Host")
+      @state[:vulns] ||= []
+
+      @state[:vuln] = attr_hash(attrs) # id and VulnName
+    end
+
+    def record_service(attrs)
+      return unless in_tag("ServicesFound")
+      return unless in_tag("Host")
+      @state[:service] = attr_hash(attrs)
+    end
+
+    def collect_port
+      return unless in_tag("Service")
+      return unless in_tag("ServicesFound")
+      return unless in_tag("Host")
+      return if @text.nil? || @text.empty?
+      @state[:service][:port] = @text.strip
+      @text = nil
+    end
+
+    def collect_protocol
+      return unless in_tag("Service")
+      return unless in_tag("ServicesFound")
+      return unless in_tag("Host")
+      return if @text.nil? || @text.empty?
+      @state[:service][:proto] = @text.strip
+      @text = nil
+    end
+
+    def collect_banner
+      return unless in_tag("Service")
+      return unless in_tag("ServicesFound")
+      return unless in_tag("Host")
+      return if @text.nil? || @text.empty?
+      banner = normalize_foundstone_banner(@state[:service]["ServiceName"],@text)
+      unless banner.nil? || banner.empty?
+        @state[:service][:banner] = banner
+      end
+      @text = nil
+    end
+
+    def collect_service
+      return unless in_tag("ServicesFound")
+      return unless in_tag("Host")
+      return unless @state[:service][:port]
+      @report_data[:ports] ||= []
+      port_hash = {}
+       port_hash[:port] = @state[:service][:port]
+       port_hash[:proto] = @state[:service][:proto]
+       port_hash[:info] = @state[:service][:banner]
+       port_hash[:name] = db.nmap_msf_service_map(@state[:service]["ServiceName"])
+      @report_data[:ports] << port_hash
+    end
+
+    def record_host(attrs)
+      return unless in_tag("HostData")
+      @state[:host] = attr_hash(attrs)
+    end
+
+    def collect_host_data
+      @report_data[:host] = @state[:host]["IPAddress"]
+      if @state[:host]["NBName"] && !@state[:host]["NBName"].empty?
+        @report_data[:name] = @state[:host]["NBName"]
+      elsif @state[:host]["DNSName"] && !@state[:host]["DNSName"].empty?
+        @report_data[:name] = @state[:host]["DNSName"]
+      end
+      if @state[:host]["OSName"] && !@state[:host]["OSName"].empty?
+        @report_data[:os_fingerprint] = @state[:host]["OSName"]
+      end
+      @report_data[:state] = Msf::HostState::Alive
+      @report_data[:mac] = @state[:mac] if @state[:mac]
+    end
+
+    def report_host(&block)
+      return unless in_tag("HostData")
+      if host_is_okay
+        db.emit(:address,@report_data[:host],&block) if block
+        host_info = @report_data.merge(:workspace => @args[:wspace])
+        db_report(:host,host_info)
+      end
+    end
+
+    def report_fingerprint(host_object)
+      fp_note = {
+        :workspace => host_object.workspace,
+        :host => host_object,
+        :type => 'host.os.foundstone_fingerprint',
+        :data => {:os => @report_data[:os_fingerprint] }
+      }
+      db_report(:note, fp_note)
+    end
+
+    def report_services(host_object)
+      return unless in_tag("HostData")
+      return unless host_object.kind_of? ::Mdm::Host
+      return unless @report_data[:ports]
+      return if @report_data[:ports].empty?
+      @report_data[:ports].each do |svc|
+        db_report(:service, svc.merge(:host => host_object))
+      end
+    end
+
+    def report_vulns(host_object)
+      return unless in_tag("HostData")
+      return unless host_object.kind_of? ::Mdm::Host
+      return unless @report_data[:vulns]
+      return if @report_data[:vulns].empty?
+      @report_data[:vulns].each do |vuln|
+        db_report(:vuln, vuln.merge(:host => host_object))
+      end
+    end
+
+    # Foundstone's banners are pretty free-form
+    # and often not just banners. Clean them up
+    # for the :info field, delegate off for other
+    # protocol data we can use.
+    def normalize_foundstone_banner(service,banner)
+      return "" if(banner.nil? || banner.strip.empty?)
+      if first_line_only? service
+        return (first_line banner)
+      elsif needs_more_processing? service
+        return process_service(service,banner)
+      else
+        return (first_line banner)
+      end
+    end
+
+    # Services where we only care about the first
+    # line of the banner tag.
+    def first_line_only?(service)
+      svcs = %w{
+        vnc ftp ftps smtp oracle-tns nntp ssh ntp
+      }
+      9.times {|i| svcs << "vnc-#{i}"}
+      svcs.include? service
+    end
+
+    # Services where we need to do more processing
+    # before handing the banner back.
+    def needs_more_processing?(service)
+      svcs = %w{
+        microsoft-ds loc-srv http https sunrpc netbios-ns
+      }
+      svcs.include? service
+    end
+
+    def first_line(str)
+      str.split("\n").first.to_s.strip
+    end
+
+    # XXX: Actually implement more of these
+    def process_service(service,banner)
+      meth = "process_service_#{service.gsub("-","_")}"
+      if self.respond_to? meth
+        self.send meth, banner
+      else
+        return (first_line banner)
+      end
+    end
+
+    # XXX: Register a proper netbios note as the regular
+    # scanner does.
+    def process_service_netbios_ns(banner)
+      mac_regex = /[0-9A-Fa-f:]{17}/
+      @state[:mac] = banner[mac_regex]
+      first_line banner
+    end
+
+    # XXX: Make this behave more like the smb scanner
+    def process_service_microsoft_ds(banner)
+      lm_regex = /Native LAN Manager/
+      lm_banner = nil
+      banner.each_line { |line|
+        if line[lm_regex]
+          lm_banner = line
+          break
+        end
+      }
+      lm_banner || first_line(banner)
+    end
+
+    def process_service_http(banner)
+      server = nil
+      banner.each_line do |line|
+        if line =~ /^Server:\s+(.*)/
+          server = $1
+          break
+        end
+      end
+      server || first_line(banner)
+    end
+
+    alias :process_service_https :process_service_http
+    alias :process_service_rtsp :process_service_http
+
+  end
 
 end
 end