RubyGems - recog-intrigue - Versions diffs - 2.3.7 - Mend

recog-intrigue 2.3.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (130) hide show

checksums.yaml +7 -0
data/.github/ISSUE_TEMPLATE/bug_report.md +37 -0
data/.github/ISSUE_TEMPLATE/feature_request.md +17 -0
data/.github/ISSUE_TEMPLATE/fingerprint_request.md +27 -0
data/.github/PULL_REQUEST_TEMPLATE +24 -0
data/.gitignore +14 -0
data/.rbenv-gemset +1 -0
data/.rspec +3 -0
data/.ruby-gemset +1 -0
data/.ruby-version +1 -0
data/.travis.yml +25 -0
data/.yardopts +1 -0
data/CONTRIBUTING.md +171 -0
data/COPYING +23 -0
data/Gemfile +10 -0
data/LICENSE +7 -0
data/README.md +85 -0
data/Rakefile +22 -0
data/bin/recog_export +81 -0
data/bin/recog_match +55 -0
data/bin/recog_standardize +118 -0
data/bin/recog_verify +64 -0
data/cpe-remap.yaml +134 -0
data/features/data/failing_banners_fingerprints.xml +20 -0
data/features/data/matching_banners_fingerprints.xml +23 -0
data/features/data/multiple_banners_fingerprints.xml +32 -0
data/features/data/no_tests.xml +3 -0
data/features/data/sample_banner.txt +2 -0
data/features/data/successful_tests.xml +18 -0
data/features/data/tests_with_failures.xml +20 -0
data/features/data/tests_with_warnings.xml +17 -0
data/features/match.feature +36 -0
data/features/support/aruba.rb +3 -0
data/features/support/env.rb +6 -0
data/features/verify.feature +48 -0
data/identifiers/README.md +47 -0
data/identifiers/os_architecture.txt +20 -0
data/identifiers/os_device.txt +52 -0
data/identifiers/os_family.txt +160 -0
data/identifiers/os_product.txt +199 -0
data/identifiers/service_family.txt +185 -0
data/identifiers/service_product.txt +255 -0
data/identifiers/software_class.txt +26 -0
data/identifiers/software_family.txt +91 -0
data/identifiers/software_product.txt +333 -0
data/identifiers/vendor.txt +405 -0
data/lib/recog.rb +4 -0
data/lib/recog/db.rb +78 -0
data/lib/recog/db_manager.rb +31 -0
data/lib/recog/fingerprint.rb +280 -0
data/lib/recog/fingerprint/regexp_factory.rb +56 -0
data/lib/recog/fingerprint/test.rb +18 -0
data/lib/recog/formatter.rb +51 -0
data/lib/recog/match_reporter.rb +77 -0
data/lib/recog/matcher.rb +94 -0
data/lib/recog/matcher_factory.rb +14 -0
data/lib/recog/nizer.rb +347 -0
data/lib/recog/verifier.rb +39 -0
data/lib/recog/verifier_factory.rb +13 -0
data/lib/recog/verify_reporter.rb +86 -0
data/lib/recog/version.rb +3 -0
data/misc/convert_mysql_err +61 -0
data/misc/order.xsl +17 -0
data/recog-intrigue.gemspec +45 -0
data/requirements.txt +2 -0
data/spec/data/best_os_match_1.yml +17 -0
data/spec/data/best_os_match_2.yml +17 -0
data/spec/data/best_service_match_1.yml +17 -0
data/spec/data/smb_native_os.txt +25 -0
data/spec/data/test_fingerprints.xml +36 -0
data/spec/data/verification_fingerprints.xml +86 -0
data/spec/data/whitespaced_fingerprint.xml +5 -0
data/spec/lib/fingerprint_self_test_spec.rb +174 -0
data/spec/lib/recog/db_spec.rb +98 -0
data/spec/lib/recog/fingerprint/regexp_factory_spec.rb +73 -0
data/spec/lib/recog/fingerprint_spec.rb +112 -0
data/spec/lib/recog/formatter_spec.rb +69 -0
data/spec/lib/recog/match_reporter_spec.rb +91 -0
data/spec/lib/recog/nizer_spec.rb +330 -0
data/spec/lib/recog/verify_reporter_spec.rb +113 -0
data/spec/spec_helper.rb +82 -0
data/update_cpes.py +186 -0
data/xml/apache_modules.xml +1911 -0
data/xml/apache_os.xml +273 -0
data/xml/architecture.xml +36 -0
data/xml/dns_versionbind.xml +761 -0
data/xml/fingerprints.xsd +128 -0
data/xml/ftp_banners.xml +1553 -0
data/xml/h323_callresp.xml +603 -0
data/xml/hp_pjl_id.xml +358 -0
data/xml/html_title.xml +1630 -0
data/xml/http_cookies.xml +411 -0
data/xml/http_servers.xml +3195 -0
data/xml/http_wwwauth.xml +595 -0
data/xml/imap_banners.xml +245 -0
data/xml/ldap_searchresult.xml +711 -0
data/xml/mdns_device-info_txt.xml +1796 -0
data/xml/mdns_workstation_txt.xml +15 -0
data/xml/mysql_banners.xml +1649 -0
data/xml/mysql_error.xml +871 -0
data/xml/nntp_banners.xml +82 -0
data/xml/ntp_banners.xml +1223 -0
data/xml/operating_system.xml +629 -0
data/xml/pop_banners.xml +499 -0
data/xml/rsh_resp.xml +76 -0
data/xml/rtsp_servers.xml +76 -0
data/xml/sip_banners.xml +359 -0
data/xml/sip_user_agents.xml +221 -0
data/xml/smb_native_lm.xml +62 -0
data/xml/smb_native_os.xml +662 -0
data/xml/smtp_banners.xml +1690 -0
data/xml/smtp_debug.xml +39 -0
data/xml/smtp_ehlo.xml +49 -0
data/xml/smtp_expn.xml +82 -0
data/xml/smtp_help.xml +157 -0
data/xml/smtp_mailfrom.xml +20 -0
data/xml/smtp_noop.xml +44 -0
data/xml/smtp_quit.xml +29 -0
data/xml/smtp_rcptto.xml +25 -0
data/xml/smtp_rset.xml +26 -0
data/xml/smtp_turn.xml +26 -0
data/xml/smtp_vrfy.xml +89 -0
data/xml/snmp_sysdescr.xml +6507 -0
data/xml/snmp_sysobjid.xml +430 -0
data/xml/ssh_banners.xml +1968 -0
data/xml/telnet_banners.xml +1595 -0
data/xml/x11_banners.xml +232 -0
data/xml/x509_issuers.xml +134 -0
data/xml/x509_subjects.xml +1268 -0
metadata +304 -0

data/xml/smtp_debug.xml ADDED

@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<fingerprints protocol="smtp" database_type="service" preference="0.14">
+  <!--
+  SMTP response lines to the DEBUG command are matched against these patterns
+  (1 line at a time) to fingerprint SMTP servers.
+  See comment at the top of smtp_banners.xml for additional info.
+  'preference' note: This value has been set so as to implement the ordering
+    of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
+  -->
+  <fingerprint pattern="^500 No way!$">
+    <description>Exim</description>
+    <example>500 No way!</example>
+    <param pos="0" name="service.vendor" value="exim"/>
+    <param pos="0" name="service.family" value="exim"/>
+    <param pos="0" name="service.product" value="exim"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:exim:exim:-"/>
+  </fingerprint>
+  <fingerprint pattern="^250[ -] *Debug set -NOT!$">
+    <description>TIS FWTK and derivatives (other firewalls, like Gauntlet, are derived from TIS)</description>
+    <param pos="0" name="service.vendor" value="TIS"/>
+    <param pos="0" name="service.family" value="FWTK"/>
+    <param pos="0" name="service.product" value="FWTK"/>
+  </fingerprint>
+  <fingerprint pattern="^500[ -]What\? I don't understand that\.$">
+    <description>Alt-N MDaemon SMTP</description>
+    <example>500 What? I don't understand that.</example>
+    <param pos="0" name="service.vendor" value="Alt-N"/>
+    <param pos="0" name="service.family" value="MDaemon"/>
+    <param pos="0" name="service.product" value="MDaemon"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:altn:mdaemon:-"/>
+    <param pos="0" name="os.vendor" value="Microsoft"/>
+    <param pos="0" name="os.family" value="Windows"/>
+    <param pos="0" name="os.product" value="Windows"/>
+    <param pos="0" name="os.arch" value="x86"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
+  </fingerprint>
+</fingerprints>

data/xml/smtp_ehlo.xml ADDED

@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<fingerprints protocol="smtp" database_type="service" preference="0.19">
+  <!--
+  SMTP response lines to the EHLO command are matched against these patterns
+  (1 line at a time) to fingerprint SMTP servers.
+  See comment at the top of smtp_banners.xml for additional info.
+  'preference' note: This value has been set so as to implement the ordering
+    of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
+  -->
+  <fingerprint pattern="^500[ -]Syntax error, command &quot;XXXX&quot; unrecognized$">
+    <description>Cisco PIX - changes the command letters to 'X' before passing them to the real SMTP server</description>
+    <param pos="0" name="os.vendor" value="Cisco"/>
+    <param pos="0" name="os.family" value="PIX"/>
+    <param pos="0" name="os.product" value="PIX"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:cisco:pix_firewall_software:-"/>
+  </fingerprint>
+  <!--
+   Don't try to infer a fingerprint from XEXCH50, because if we do, it might overwrite
+   a very precise MS IIS SMTP service or MS Exchange Server fingerprint found with the
+   help of smtp_banners.xml. Instead, this case is handled specially by the Jess rule
+   smtp-iis-xexch50-svc-fingerprint. -mrb
+   <fingerprint pattern="^250[ -] *XEXCH50.*$">
+      <description>
+         Microsoft Exchange/IIS server
+      </description>
+      <param pos="0" name="service.vendor" value="Microsoft"/>
+      <param pos="0" name="service.family" value="IIS"/>
+      <param pos="0" name="service.product" value="IIS"/>
+      <param pos="0" name="os.vendor" value="Microsoft"/>
+      <param pos="0" name="os.family" value="Windows"/>
+      <param pos="0" name="os.product" value="Windows"/>
+   </fingerprint>
+   -->
+  <fingerprint pattern="^221[ -]See ya in cyberspace$">
+    <description>221 See ya in cyberspace</description>
+    <param pos="0" name="service.vendor" value="Alt-N"/>
+    <param pos="0" name="service.family" value="MDaemon"/>
+    <param pos="0" name="service.product" value="MDaemon"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:altn:mdaemon:-"/>
+    <param pos="0" name="os.vendor" value="Microsoft"/>
+    <param pos="0" name="os.family" value="Windows"/>
+    <param pos="0" name="os.product" value="Windows"/>
+    <param pos="0" name="os.arch" value="x86"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
+  </fingerprint>
+</fingerprints>

data/xml/smtp_expn.xml ADDED

@@ -0,0 +1,82 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<fingerprints protocol="smtp" database_type="service" preference="0.16">
+  <!--
+  SMTP response lines to the EXPN command are matched against these patterns
+  (1 line at a time) to fingerprint SMTP servers.
+  See comment at the top of smtp_banners.xml for additional info.
+  'preference' note: This value has been set so as to implement the ordering
+    of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
+  -->
+  <fingerprint pattern="^500[ -]Syntax error, command &quot;XXXX.*&quot; unrecognized$">
+    <description>Cisco PIX - changes the command letters to 'X' before passing them to the real SMTP server - expn variant</description>
+    <param pos="0" name="os.vendor" value="Cisco"/>
+    <param pos="0" name="os.family" value="PIX"/>
+    <param pos="0" name="os.product" value="PIX"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:cisco:pix_firewall_software:-"/>
+  </fingerprint>
+  <fingerprint pattern="^550[ -]EXPN not available to \(.+\) \[.+\] *$">
+    <description>Exim - expn variant 1</description>
+    <example>550 EXPN not available to (foo.bar.com) [192.168.0.1]</example>
+    <param pos="0" name="service.vendor" value="exim"/>
+    <param pos="0" name="service.family" value="exim"/>
+    <param pos="0" name="service.product" value="exim"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:exim:exim:-"/>
+  </fingerprint>
+  <fingerprint pattern="^550[ -]EXPN not available to [^ ]+ \(.+\) \[.+\] *$">
+    <description>Exim - expn variant 2</description>
+    <example>550 EXPN not available to evil.com (foo.bar.com) [192.168.0.1]</example>
+    <param pos="0" name="service.vendor" value="exim"/>
+    <param pos="0" name="service.family" value="exim"/>
+    <param pos="0" name="service.product" value="exim"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:exim:exim:-"/>
+  </fingerprint>
+  <fingerprint pattern="^500[ -]Don't you wish! *$">
+    <description>GNAT box SMTP</description>
+    <param pos="0" name="service.vendor" value="Global Technology Associates"/>
+    <param pos="0" name="service.family" value="GNAT Box"/>
+    <param pos="0" name="service.product" value="GNAT Box"/>
+  </fingerprint>
+  <!-- VM SMTP server doesn't like brackets in EXPN commands... -->
+  <fingerprint pattern="^501[ -]Syntax Error\. Only ListId or Userid allowed as argument to this command *$">
+    <description>IBM VM SMTP</description>
+    <param pos="0" name="service.vendor" value="IBM"/>
+    <param pos="0" name="service.family" value="VM"/>
+    <param pos="0" name="service.product" value="VM"/>
+  </fingerprint>
+  <fingerprint pattern="^550[ -]lists are confidential *$">
+    <description>Ipswitch IMail Server - expn variant</description>
+    <example>550 lists are confidential</example>
+    <param pos="0" name="service.vendor" value="Ipswitch"/>
+    <param pos="0" name="service.family" value="IMail Server"/>
+    <param pos="0" name="service.product" value="IMail Server"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:ipswitch:imail_server:-"/>
+  </fingerprint>
+  <fingerprint pattern="^502[ -]command is not active$">
+    <description>Alt-N MDaemon - expn variant</description>
+    <example>502 command is not active</example>
+    <param pos="0" name="service.vendor" value="Alt-N"/>
+    <param pos="0" name="service.family" value="MDaemon"/>
+    <param pos="0" name="service.product" value="MDaemon"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:altn:mdaemon:-"/>
+    <param pos="0" name="os.vendor" value="Microsoft"/>
+    <param pos="0" name="os.family" value="Windows"/>
+    <param pos="0" name="os.product" value="Windows"/>
+    <param pos="0" name="os.arch" value="x86"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
+  </fingerprint>
+  <fingerprint pattern="^252 Unable to EXPN &quot;.*&quot;, but will accept message and attempt delivery *$">
+    <description>Lotus Domino</description>
+    <param pos="0" name="service.vendor" value="Lotus"/>
+    <param pos="0" name="service.family" value="Lotus Domino"/>
+    <param pos="0" name="service.product" value="Lotus Domino"/>
+  </fingerprint>
+  <fingerprint pattern="^550[ -]Unable to find list '.*'\.$">
+    <description>Seattle Labs SLMail</description>
+    <example>550 Unable to find list 'list'.</example>
+    <param pos="0" name="service.vendor" value="Seattle Labs"/>
+    <param pos="0" name="service.family" value="SLMail"/>
+    <param pos="0" name="service.product" value="SLMail"/>
+  </fingerprint>
+</fingerprints>

data/xml/smtp_help.xml ADDED

@@ -0,0 +1,157 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<fingerprints protocol="smtp" database_type="service" preference="0.18">
+  <!--
+  SMTP response lines to the HELP command are matched against these patterns
+  (1 line at a time) to fingerprint SMTP servers.
+  See comment at the top of smtp_banners.xml for additional info.
+  'preference' note: This value has been set so as to implement the ordering
+    of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
+  -->
+  <fingerprint pattern="^214[ -]This is ArGoSoft Mail Server, Version [^ ]+ \(([^ ]+\.[^ ]+\.[^ ]+\.[^ ]+)\) *$">
+    <description>ArgoSoft mail server HELP response with version</description>
+    <example service.version="1.4.0.3">214-This is ArGoSoft Mail Server, Version 1.4 (1.4.0.3)</example>
+    <param pos="0" name="service.vendor" value="ArGoSoft"/>
+    <param pos="0" name="service.family" value="Mail Server"/>
+    <param pos="0" name="service.product" value="Mail Server"/>
+    <param pos="1" name="service.version"/>
+  </fingerprint>
+  <fingerprint pattern="^214[ -].*support@argosoft\.com *$">
+    <description>ArgoSoft mail server HELP response</description>
+    <example>214-To report bug, send mail to support@argosoft.com</example>
+    <param pos="0" name="service.vendor" value="ArGoSoft"/>
+    <param pos="0" name="service.family" value="Mail Server"/>
+    <param pos="0" name="service.product" value="Mail Server"/>
+  </fingerprint>
+  <fingerprint pattern="^500[ -]Syntax error, command &quot;XXXX&quot; unrecognized$">
+    <description>Cisco PIX - changes the command letters to 'X' before passing them to the real SMTP server</description>
+    <param pos="0" name="os.vendor" value="Cisco"/>
+    <param pos="0" name="os.family" value="PIX"/>
+    <param pos="0" name="os.product" value="PIX"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:cisco:pix_firewall_software:-"/>
+  </fingerprint>
+  <fingerprint pattern="^500[ -]5.5.1 unrecognised command HELP$">
+    <description>Eudora IMS uses the British spelling "unrecognised"</description>
+    <param pos="0" name="service.vendor" value="Eudora"/>
+    <param pos="0" name="service.family" value="Internet Mail Server"/>
+    <param pos="0" name="service.product" value="Internet Mail Server"/>
+    <param pos="0" name="os.vendor" value="Apple"/>
+    <param pos="0" name="os.family" value="Mac OS"/>
+    <param pos="0" name="os.product" value="Mac OS"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:apple:mac_os:-"/>
+  </fingerprint>
+  <fingerprint pattern="^214[ -]([^ ]+) is running the IBM VM operating system$">
+    <description>IBM VM</description>
+    <param pos="0" name="service.vendor" value="IBM"/>
+    <param pos="0" name="service.family" value="VM"/>
+    <param pos="0" name="service.product" value="VM"/>
+    <param pos="1" name="host.name"/>
+  </fingerprint>
+  <!--
+   Shouldn't we ignore XEXCH50 for the same reasons than described in the XEXCH50 regex
+   in smtp_ehlo.xml ? -mrb
+   -->
+  <fingerprint pattern="^214[ -].* XEXCH50 *.*$">
+    <description>Microsoft Exchange/IIS server</description>
+    <param pos="0" name="service.vendor" value="Microsoft"/>
+    <param pos="0" name="service.family" value="Exchange Server"/>
+    <param pos="0" name="service.product" value="Exchange Server"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:microsoft:exchange_server:-"/>
+    <param pos="0" name="os.vendor" value="Microsoft"/>
+    <param pos="0" name="os.family" value="Windows"/>
+    <param pos="0" name="os.product" value="Windows"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
+  </fingerprint>
+  <fingerprint pattern="^214[ -]Help system currently inactive\.$">
+    <description>Alt-N MDaemon - 214 Help system currently inactive.</description>
+    <param pos="0" name="service.vendor" value="Alt-N"/>
+    <param pos="0" name="service.family" value="MDaemon"/>
+    <param pos="0" name="service.product" value="MDaemon"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:altn:mdaemon:-"/>
+    <param pos="0" name="os.vendor" value="Microsoft"/>
+    <param pos="0" name="os.family" value="Windows"/>
+    <param pos="0" name="os.product" value="Windows"/>
+    <param pos="0" name="os.arch" value="x86"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
+  </fingerprint>
+  <fingerprint pattern="^214[ -].*This is MERAK ([^ ]+\.[^ ]+\.[^ ]+).*$">
+    <description> Merak mail server - http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x)</description>
+    <param pos="0" name="service.vendor" value="Merak"/>
+    <param pos="0" name="service.family" value="Mail Server"/>
+    <param pos="0" name="service.product" value="Mail Server"/>
+    <param pos="1" name="service.version"/>
+  </fingerprint>
+  <fingerprint pattern="^214[ -].*This is Merak ([^ ]+\.[^ ]+\.[^ ]+).*$">
+    <description>Merak mail server - http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x) - variant 1</description>
+    <param pos="0" name="service.vendor" value="Merak"/>
+    <param pos="0" name="service.family" value="Mail Server"/>
+    <param pos="0" name="service.product" value="Mail Server"/>
+    <param pos="1" name="service.version"/>
+  </fingerprint>
+  <fingerprint pattern="^214[ -].*bugs@merakmail\.com.*$">
+    <description>Merak mail server - http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x) - email variant</description>
+    <param pos="0" name="service.vendor" value="Merak"/>
+    <param pos="0" name="service.family" value="Mail Server"/>
+    <param pos="0" name="service.product" value="Mail Server"/>
+  </fingerprint>
+  <fingerprint pattern="^214[ -].*bugs@icewarp\.com.*$">
+    <description>Merak mail server - http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x) - icewarp variant </description>
+    <param pos="0" name="service.vendor" value="Merak"/>
+    <param pos="0" name="service.family" value="Mail Server"/>
+    <param pos="0" name="service.product" value="Mail Server"/>
+  </fingerprint>
+  <fingerprint pattern="^214[ -]qmail home page: http://pobox.com/~djb/qmail.html *$">
+    <description>QMail - help variant</description>
+    <example>214 qmail home page: http://pobox.com/~djb/qmail.html</example>
+    <param pos="0" name="service.vendor" value="qmail"/>
+    <param pos="0" name="service.family" value="qmail"/>
+    <param pos="0" name="service.product" value="qmail"/>
+  </fingerprint>
+  <fingerprint pattern="^214[ -].*contact the Digital Customer Support Center at 1-800-354-9000.*$">
+    <description>Sendmail on Digital OSF UNIX</description>
+    <param pos="0" name="service.family" value="Sendmail"/>
+    <param pos="0" name="service.product" value="Sendmail"/>
+    <param pos="0" name="service.certainty" value="0.85"/>
+    <param pos="0" name="os.vendor" value="DEC"/>
+    <param pos="0" name="os.family" value="Digital UNIX"/>
+    <param pos="0" name="os.product" value="OSF/1"/>
+  </fingerprint>
+  <fingerprint pattern="^214[ -]2.0.0 This is [s|S]endmail version ([^ ]+)$">
+    <description>Sendmail often returns version information for HELP, even when the greeting is obscured</description>
+    <param pos="0" name="service.family" value="Sendmail"/>
+    <param pos="0" name="service.product" value="Sendmail"/>
+    <param pos="1" name="service.version"/>
+  </fingerprint>
+  <fingerprint pattern="^214[ -]This is [s|S]endmail version ([^ ]+)$">
+    <description>Sendmail often returns version information for HELP - variant 1</description>
+    <param pos="0" name="service.family" value="Sendmail"/>
+    <param pos="0" name="service.product" value="Sendmail"/>
+    <param pos="1" name="service.version"/>
+  </fingerprint>
+  <fingerprint pattern="^502[ -]5\.3\.0 Sendmail ([^ ]+) -- HELP not implemented$">
+    <description>Sendmail - help not implemented variant</description>
+    <example>502 5.3.0 Sendmail 8.11.2 -- HELP not implemented</example>
+    <param pos="0" name="service.family" value="Sendmail"/>
+    <param pos="0" name="service.product" value="Sendmail"/>
+    <param pos="1" name="service.version"/>
+  </fingerprint>
+  <fingerprint pattern="^214[ -].*sendmail-bugs@sendmail\.org.*$">
+    <description>Sendmail often returns version information for HELP - email variant</description>
+    <param pos="0" name="service.family" value="Sendmail"/>
+    <param pos="0" name="service.product" value="Sendmail"/>
+    <param pos="0" name="service.certainty" value="0.85"/>
+  </fingerprint>
+  <fingerprint pattern="^241[ -].*$">
+    <description>ZMailer versions earlier than 2.99.21 mistakenly return the status code 241 on some HELP response lines (instead of 214).</description>
+    <param pos="0" name="service.vendor" value="ZMailer"/>
+    <param pos="0" name="service.family" value="ZMailer"/>
+    <param pos="0" name="service.product" value="ZMailer"/>
+  </fingerprint>
+  <fingerprint pattern="^214[ -].*Yoyodyne Propulsion.*$">
+    <description>ZMailer has distinctive default HELP text in smtpserver.conf</description>
+    <param pos="0" name="service.vendor" value="ZMailer"/>
+    <param pos="0" name="service.family" value="ZMailer"/>
+    <param pos="0" name="service.product" value="ZMailer"/>
+  </fingerprint>
+</fingerprints>

data/xml/smtp_mailfrom.xml ADDED

@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<fingerprints protocol="smtp" database_type="service">
+  <!--
+  This file is currently unused.
+  -->
+  <fingerprint pattern="250 .* is syntactically correct *">
+    <description>exim</description>
+    <example>250 &lt;nosuchuser@rapid7.com&gt; is syntactically correct</example>
+    <param pos="0" name="service.vendor" value="exim"/>
+    <param pos="0" name="service.family" value="exim"/>
+    <param pos="0" name="service.product" value="exim"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:exim:exim:-"/>
+  </fingerprint>
+  <fingerprint pattern="501[ -]System error\. *">
+    <description>GNAT Box SMTP</description>
+    <param pos="0" name="service.vendor" value="Global Technology Associates"/>
+    <param pos="0" name="service.family" value="GNAT Box"/>
+    <param pos="0" name="service.product" value="GNAT Box"/>
+  </fingerprint>
+</fingerprints>

data/xml/smtp_noop.xml ADDED

@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<fingerprints protocol="smtp" database_type="service" preference="0.17">
+  <!--
+  SMTP response lines to the NOOP command are matched against these patterns
+  (1 line at a time) to fingerprint SMTP servers.
+  See comment at the top of smtp_banners.xml for additional info.
+  'preference' note: This value has been set so as to implement the ordering
+    of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
+  -->
+  <fingerprint pattern="^220 OK.*$">
+    <description>CheckPoint FireWall-1 returns code 220 for NOOP command (instead of 250)</description>
+    <param pos="0" name="service.vendor" value="Check Point"/>
+    <param pos="0" name="service.family" value="Check Point"/>
+    <param pos="0" name="service.product" value="Firewall-1"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:checkpoint:firewall-1:-"/>
+  </fingerprint>
+  <fingerprint pattern="^250[ -]2.0.0 doing nothing$">
+    <description>Eudora IMS - noop variant</description>
+    <example>250 2.0.0 doing nothing</example>
+    <param pos="0" name="service.vendor" value="Eudora"/>
+    <param pos="0" name="service.family" value="Internet Mail Server"/>
+    <param pos="0" name="service.product" value="Internet Mail Server"/>
+    <param pos="0" name="os.vendor" value="Apple"/>
+    <param pos="0" name="os.family" value="Mac OS"/>
+    <param pos="0" name="os.product" value="Mac OS"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:apple:mac_os:-"/>
+  </fingerprint>
+  <fingerprint pattern="^250[ -]Why is there an NOOP instruction\?$">
+    <description>Alt-N MDaemon - noop variant</description>
+    <example>250 Why is there an NOOP instruction?</example>
+    <param pos="0" name="service.vendor" value="Alt-N"/>
+    <param pos="0" name="service.family" value="MDaemon"/>
+    <param pos="0" name="service.product" value="MDaemon"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:altn:mdaemon:-"/>
+    <param pos="0" name="os.vendor" value="Microsoft"/>
+    <param pos="0" name="os.family" value="Windows"/>
+    <param pos="0" name="os.product" value="Windows"/>
+    <param pos="0" name="os.arch" value="x86"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
+  </fingerprint>
+</fingerprints>

data/xml/smtp_quit.xml ADDED

@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<fingerprints protocol="smtp" database_type="service" preference="0.11">
+  <!--
+  SMTP response lines to the QUIT command are matched against these patterns
+  (1 line at a time) to fingerprint SMTP servers.
+  See comment at the top of smtp_banners.xml for additional info.
+  'preference' note: This value has been set so as to implement the ordering
+    of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
+  -->
+  <fingerprint pattern="^221[ -]See ya in cyberspace$">
+    <description>221 See ya in cyberspace</description>
+    <param pos="0" name="service.vendor" value="Alt-N"/>
+    <param pos="0" name="service.family" value="MDaemon"/>
+    <param pos="0" name="service.product" value="MDaemon"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:altn:mdaemon:-"/>
+    <param pos="0" name="os.vendor" value="Microsoft"/>
+    <param pos="0" name="os.family" value="Windows"/>
+    <param pos="0" name="os.product" value="Windows"/>
+    <param pos="0" name="os.arch" value="x86"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
+  </fingerprint>
+  <fingerprint pattern="^503[ -]5\.5\.0 Not accepting any command except QUIT$">
+    <description>Raptor Firewall</description>
+    <example>503 5.5.0 Not accepting any command except QUIT</example>
+    <param pos="0" name="service.product" value="raptor"/>
+  </fingerprint>
+</fingerprints>

data/xml/smtp_rcptto.xml ADDED

@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<fingerprints protocol="smtp" database_type="service">
+  <!--
+   <fingerprint pattern="501[ -]Invalid domain *">
+      <description> Description here</description>
+      <param pos="0" name="service.vendor" value="Global Technology Associates"/>
+      <param pos="0" name="service.family" value="GNAT Box"/>
+      <param pos="0" name="service.product" value="GNAT Box"/>
+   </fingerprint>
+   <fingerprint pattern="550[ -]System error\. *">
+      <description>and here</description>
+      <param pos="0" name="service.vendor" value="Global Technology Associates"/>
+      <param pos="0" name="service.family" value="GNAT Box"/>
+      <param pos="0" name="service.product" value="GNAT Box"/>
+   </fingerprint>
+   -->
+  <fingerprint pattern="550[ -]not local host .*, not a gateway *">
+    <description>550 not local host foo.bar, not a gateway</description>
+    <param pos="0" name="service.vendor" value="Ipswitch"/>
+    <param pos="0" name="service.family" value="IMail Server"/>
+    <param pos="0" name="service.product" value="IMail Server"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:ipswitch:imail_server:-"/>
+  </fingerprint>
+</fingerprints>