RubyGems - recog-intrigue - Versions diffs - 2.3.7 - Mend

recog-intrigue 2.3.7

Files changed (130) hide show

checksums.yaml +7 -0
data/.github/ISSUE_TEMPLATE/bug_report.md +37 -0
data/.github/ISSUE_TEMPLATE/feature_request.md +17 -0
data/.github/ISSUE_TEMPLATE/fingerprint_request.md +27 -0
data/.github/PULL_REQUEST_TEMPLATE +24 -0
data/.gitignore +14 -0
data/.rbenv-gemset +1 -0
data/.rspec +3 -0
data/.ruby-gemset +1 -0
data/.ruby-version +1 -0
data/.travis.yml +25 -0
data/.yardopts +1 -0
data/CONTRIBUTING.md +171 -0
data/COPYING +23 -0
data/Gemfile +10 -0
data/LICENSE +7 -0
data/README.md +85 -0
data/Rakefile +22 -0
data/bin/recog_export +81 -0
data/bin/recog_match +55 -0
data/bin/recog_standardize +118 -0
data/bin/recog_verify +64 -0
data/cpe-remap.yaml +134 -0
data/features/data/failing_banners_fingerprints.xml +20 -0
data/features/data/matching_banners_fingerprints.xml +23 -0
data/features/data/multiple_banners_fingerprints.xml +32 -0
data/features/data/no_tests.xml +3 -0
data/features/data/sample_banner.txt +2 -0
data/features/data/successful_tests.xml +18 -0
data/features/data/tests_with_failures.xml +20 -0
data/features/data/tests_with_warnings.xml +17 -0
data/features/match.feature +36 -0
data/features/support/aruba.rb +3 -0
data/features/support/env.rb +6 -0
data/features/verify.feature +48 -0
data/identifiers/README.md +47 -0
data/identifiers/os_architecture.txt +20 -0
data/identifiers/os_device.txt +52 -0
data/identifiers/os_family.txt +160 -0
data/identifiers/os_product.txt +199 -0
data/identifiers/service_family.txt +185 -0
data/identifiers/service_product.txt +255 -0
data/identifiers/software_class.txt +26 -0
data/identifiers/software_family.txt +91 -0
data/identifiers/software_product.txt +333 -0
data/identifiers/vendor.txt +405 -0
data/lib/recog.rb +4 -0
data/lib/recog/db.rb +78 -0
data/lib/recog/db_manager.rb +31 -0
data/lib/recog/fingerprint.rb +280 -0
data/lib/recog/fingerprint/regexp_factory.rb +56 -0
data/lib/recog/fingerprint/test.rb +18 -0
data/lib/recog/formatter.rb +51 -0
data/lib/recog/match_reporter.rb +77 -0
data/lib/recog/matcher.rb +94 -0
data/lib/recog/matcher_factory.rb +14 -0
data/lib/recog/nizer.rb +347 -0
data/lib/recog/verifier.rb +39 -0
data/lib/recog/verifier_factory.rb +13 -0
data/lib/recog/verify_reporter.rb +86 -0
data/lib/recog/version.rb +3 -0
data/misc/convert_mysql_err +61 -0
data/misc/order.xsl +17 -0
data/recog-intrigue.gemspec +45 -0
data/requirements.txt +2 -0
data/spec/data/best_os_match_1.yml +17 -0
data/spec/data/best_os_match_2.yml +17 -0
data/spec/data/best_service_match_1.yml +17 -0
data/spec/data/smb_native_os.txt +25 -0
data/spec/data/test_fingerprints.xml +36 -0
data/spec/data/verification_fingerprints.xml +86 -0
data/spec/data/whitespaced_fingerprint.xml +5 -0
data/spec/lib/fingerprint_self_test_spec.rb +174 -0
data/spec/lib/recog/db_spec.rb +98 -0
data/spec/lib/recog/fingerprint/regexp_factory_spec.rb +73 -0
data/spec/lib/recog/fingerprint_spec.rb +112 -0
data/spec/lib/recog/formatter_spec.rb +69 -0
data/spec/lib/recog/match_reporter_spec.rb +91 -0
data/spec/lib/recog/nizer_spec.rb +330 -0
data/spec/lib/recog/verify_reporter_spec.rb +113 -0
data/spec/spec_helper.rb +82 -0
data/update_cpes.py +186 -0
data/xml/apache_modules.xml +1911 -0
data/xml/apache_os.xml +273 -0
data/xml/architecture.xml +36 -0
data/xml/dns_versionbind.xml +761 -0
data/xml/fingerprints.xsd +128 -0
data/xml/ftp_banners.xml +1553 -0
data/xml/h323_callresp.xml +603 -0
data/xml/hp_pjl_id.xml +358 -0
data/xml/html_title.xml +1630 -0
data/xml/http_cookies.xml +411 -0
data/xml/http_servers.xml +3195 -0
data/xml/http_wwwauth.xml +595 -0
data/xml/imap_banners.xml +245 -0
data/xml/ldap_searchresult.xml +711 -0
data/xml/mdns_device-info_txt.xml +1796 -0
data/xml/mdns_workstation_txt.xml +15 -0
data/xml/mysql_banners.xml +1649 -0
data/xml/mysql_error.xml +871 -0
data/xml/nntp_banners.xml +82 -0
data/xml/ntp_banners.xml +1223 -0
data/xml/operating_system.xml +629 -0
data/xml/pop_banners.xml +499 -0
data/xml/rsh_resp.xml +76 -0
data/xml/rtsp_servers.xml +76 -0
data/xml/sip_banners.xml +359 -0
data/xml/sip_user_agents.xml +221 -0
data/xml/smb_native_lm.xml +62 -0
data/xml/smb_native_os.xml +662 -0
data/xml/smtp_banners.xml +1690 -0
data/xml/smtp_debug.xml +39 -0
data/xml/smtp_ehlo.xml +49 -0
data/xml/smtp_expn.xml +82 -0
data/xml/smtp_help.xml +157 -0
data/xml/smtp_mailfrom.xml +20 -0
data/xml/smtp_noop.xml +44 -0
data/xml/smtp_quit.xml +29 -0
data/xml/smtp_rcptto.xml +25 -0
data/xml/smtp_rset.xml +26 -0
data/xml/smtp_turn.xml +26 -0
data/xml/smtp_vrfy.xml +89 -0
data/xml/snmp_sysdescr.xml +6507 -0
data/xml/snmp_sysobjid.xml +430 -0
data/xml/ssh_banners.xml +1968 -0
data/xml/telnet_banners.xml +1595 -0
data/xml/x11_banners.xml +232 -0
data/xml/x509_issuers.xml +134 -0
data/xml/x509_subjects.xml +1268 -0
metadata +304 -0

@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<fingerprints protocol="smtp" database_type="service" preference="0.14">
+  <!--
+  SMTP response lines to the DEBUG command are matched against these patterns
+  (1 line at a time) to fingerprint SMTP servers.
+  See comment at the top of smtp_banners.xml for additional info.
+  'preference' note: This value has been set so as to implement the ordering
+    of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
+  -->
+  <fingerprint pattern="^500 No way!$">
+    <description>Exim</description>
+    <example>500 No way!</example>
+    <param pos="0" name="service.vendor" value="exim"/>
+    <param pos="0" name="service.family" value="exim"/>
+    <param pos="0" name="service.product" value="exim"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:exim:exim:-"/>
+  </fingerprint>
+  <fingerprint pattern="^250[ -] *Debug set -NOT!$">
+    <description>TIS FWTK and derivatives (other firewalls, like Gauntlet, are derived from TIS)</description>
+    <param pos="0" name="service.vendor" value="TIS"/>
+    <param pos="0" name="service.family" value="FWTK"/>
+    <param pos="0" name="service.product" value="FWTK"/>
+  </fingerprint>
+  <fingerprint pattern="^500[ -]What\? I don't understand that\.$">
+    <description>Alt-N MDaemon SMTP</description>
+    <example>500 What? I don't understand that.</example>
+    <param pos="0" name="service.vendor" value="Alt-N"/>
+    <param pos="0" name="service.family" value="MDaemon"/>
+    <param pos="0" name="service.product" value="MDaemon"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:altn:mdaemon:-"/>
+    <param pos="0" name="os.vendor" value="Microsoft"/>
+    <param pos="0" name="os.family" value="Windows"/>
+    <param pos="0" name="os.product" value="Windows"/>
+    <param pos="0" name="os.arch" value="x86"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
+  </fingerprint>
+</fingerprints>

data/xml/smtp_ehlo.xml ADDED

@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<fingerprints protocol="smtp" database_type="service" preference="0.19">
+  <!--
+  SMTP response lines to the EHLO command are matched against these patterns
+  (1 line at a time) to fingerprint SMTP servers.
+  See comment at the top of smtp_banners.xml for additional info.
+  'preference' note: This value has been set so as to implement the ordering
+    of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
+  -->
+  <fingerprint pattern="^500[ -]Syntax error, command &quot;XXXX&quot; unrecognized$">
+    <description>Cisco PIX - changes the command letters to 'X' before passing them to the real SMTP server</description>
+    <param pos="0" name="os.vendor" value="Cisco"/>
+    <param pos="0" name="os.family" value="PIX"/>
+    <param pos="0" name="os.product" value="PIX"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:cisco:pix_firewall_software:-"/>
+  </fingerprint>
+  <!--
+   Don't try to infer a fingerprint from XEXCH50, because if we do, it might overwrite
+   a very precise MS IIS SMTP service or MS Exchange Server fingerprint found with the
+   help of smtp_banners.xml. Instead, this case is handled specially by the Jess rule
+   smtp-iis-xexch50-svc-fingerprint. -mrb
+   <fingerprint pattern="^250[ -] *XEXCH50.*$">
+      <description>
+         Microsoft Exchange/IIS server
+      </description>
+      <param pos="0" name="service.vendor" value="Microsoft"/>
+      <param pos="0" name="service.family" value="IIS"/>
+      <param pos="0" name="service.product" value="IIS"/>
+      <param pos="0" name="os.vendor" value="Microsoft"/>
+      <param pos="0" name="os.family" value="Windows"/>
+      <param pos="0" name="os.product" value="Windows"/>
+   </fingerprint>
+   -->
+  <fingerprint pattern="^221[ -]See ya in cyberspace$">
+    <description>221 See ya in cyberspace</description>
+    <param pos="0" name="service.vendor" value="Alt-N"/>
+    <param pos="0" name="service.family" value="MDaemon"/>
+    <param pos="0" name="service.product" value="MDaemon"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:altn:mdaemon:-"/>
+    <param pos="0" name="os.vendor" value="Microsoft"/>
+    <param pos="0" name="os.family" value="Windows"/>
+    <param pos="0" name="os.product" value="Windows"/>
+    <param pos="0" name="os.arch" value="x86"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
+  </fingerprint>
+</fingerprints>

data/xml/smtp_expn.xml ADDED

@@ -0,0 +1,82 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<fingerprints protocol="smtp" database_type="service" preference="0.16">
+  <!--
+  SMTP response lines to the EXPN command are matched against these patterns
+  (1 line at a time) to fingerprint SMTP servers.
+  See comment at the top of smtp_banners.xml for additional info.
+  'preference' note: This value has been set so as to implement the ordering
+    of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
+  -->
+  <fingerprint pattern="^500[ -]Syntax error, command &quot;XXXX.*&quot; unrecognized$">
+    <description>Cisco PIX - changes the command letters to 'X' before passing them to the real SMTP server - expn variant</description>
+    <param pos="0" name="os.vendor" value="Cisco"/>
+    <param pos="0" name="os.family" value="PIX"/>
+    <param pos="0" name="os.product" value="PIX"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:cisco:pix_firewall_software:-"/>
+  </fingerprint>
+  <fingerprint pattern="^550[ -]EXPN not available to \(.+\) \[.+\] *$">
+    <description>Exim - expn variant 1</description>
+    <example>550 EXPN not available to (foo.bar.com) [192.168.0.1]</example>
+    <param pos="0" name="service.vendor" value="exim"/>
+    <param pos="0" name="service.family" value="exim"/>
+    <param pos="0" name="service.product" value="exim"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:exim:exim:-"/>
+  </fingerprint>
+  <fingerprint pattern="^550[ -]EXPN not available to [^ ]+ \(.+\) \[.+\] *$">
+    <description>Exim - expn variant 2</description>
+    <example>550 EXPN not available to evil.com (foo.bar.com) [192.168.0.1]</example>
+    <param pos="0" name="service.vendor" value="exim"/>
+    <param pos="0" name="service.family" value="exim"/>
+    <param pos="0" name="service.product" value="exim"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:exim:exim:-"/>
+  </fingerprint>
+  <fingerprint pattern="^500[ -]Don't you wish! *$">
+    <description>GNAT box SMTP</description>
+    <param pos="0" name="service.vendor" value="Global Technology Associates"/>
+    <param pos="0" name="service.family" value="GNAT Box"/>
+    <param pos="0" name="service.product" value="GNAT Box"/>
+  </fingerprint>
+  <!-- VM SMTP server doesn't like brackets in EXPN commands... -->
+  <fingerprint pattern="^501[ -]Syntax Error\. Only ListId or Userid allowed as argument to this command *$">
+    <description>IBM VM SMTP</description>
+    <param pos="0" name="service.vendor" value="IBM"/>
+    <param pos="0" name="service.family" value="VM"/>
+    <param pos="0" name="service.product" value="VM"/>
+  </fingerprint>
+  <fingerprint pattern="^550[ -]lists are confidential *$">
+    <description>Ipswitch IMail Server - expn variant</description>
+    <example>550 lists are confidential</example>
+    <param pos="0" name="service.vendor" value="Ipswitch"/>
+    <param pos="0" name="service.family" value="IMail Server"/>
+    <param pos="0" name="service.product" value="IMail Server"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:ipswitch:imail_server:-"/>
+  </fingerprint>
+  <fingerprint pattern="^502[ -]command is not active$">
+    <description>Alt-N MDaemon - expn variant</description>
+    <example>502 command is not active</example>
+    <param pos="0" name="service.vendor" value="Alt-N"/>
+    <param pos="0" name="service.family" value="MDaemon"/>
+    <param pos="0" name="service.product" value="MDaemon"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:altn:mdaemon:-"/>
+    <param pos="0" name="os.vendor" value="Microsoft"/>
+    <param pos="0" name="os.family" value="Windows"/>
+    <param pos="0" name="os.product" value="Windows"/>
+    <param pos="0" name="os.arch" value="x86"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
+  </fingerprint>
+  <fingerprint pattern="^252 Unable to EXPN &quot;.*&quot;, but will accept message and attempt delivery *$">
+    <description>Lotus Domino</description>
+    <param pos="0" name="service.vendor" value="Lotus"/>
+    <param pos="0" name="service.family" value="Lotus Domino"/>
+    <param pos="0" name="service.product" value="Lotus Domino"/>
+  </fingerprint>
+  <fingerprint pattern="^550[ -]Unable to find list '.*'\.$">
+    <description>Seattle Labs SLMail</description>
+    <example>550 Unable to find list 'list'.</example>
+    <param pos="0" name="service.vendor" value="Seattle Labs"/>
+    <param pos="0" name="service.family" value="SLMail"/>
+    <param pos="0" name="service.product" value="SLMail"/>
+  </fingerprint>
+</fingerprints>

data/xml/smtp_help.xml ADDED

@@ -0,0 +1,157 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<fingerprints protocol="smtp" database_type="service" preference="0.18">
+  <!--
+  SMTP response lines to the HELP command are matched against these patterns
+  (1 line at a time) to fingerprint SMTP servers.
+  See comment at the top of smtp_banners.xml for additional info.
+  'preference' note: This value has been set so as to implement the ordering
+    of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
+  -->
+  <fingerprint pattern="^214[ -]This is ArGoSoft Mail Server, Version [^ ]+ \(([^ ]+\.[^ ]+\.[^ ]+\.[^ ]+)\) *$">
+    <description>ArgoSoft mail server HELP response with version</description>
+    <example service.version="1.4.0.3">214-This is ArGoSoft Mail Server, Version 1.4 (1.4.0.3)</example>
+    <param pos="0" name="service.vendor" value="ArGoSoft"/>
+    <param pos="0" name="service.family" value="Mail Server"/>
+    <param pos="0" name="service.product" value="Mail Server"/>
+    <param pos="1" name="service.version"/>
+  </fingerprint>
+  <fingerprint pattern="^214[ -].*support@argosoft\.com *$">
+    <description>ArgoSoft mail server HELP response</description>
+    <example>214-To report bug, send mail to support@argosoft.com</example>
+    <param pos="0" name="service.vendor" value="ArGoSoft"/>
+    <param pos="0" name="service.family" value="Mail Server"/>
+    <param pos="0" name="service.product" value="Mail Server"/>
+  </fingerprint>
+  <fingerprint pattern="^500[ -]Syntax error, command &quot;XXXX&quot; unrecognized$">
+    <description>Cisco PIX - changes the command letters to 'X' before passing them to the real SMTP server</description>
+    <param pos="0" name="os.vendor" value="Cisco"/>
+    <param pos="0" name="os.family" value="PIX"/>
+    <param pos="0" name="os.product" value="PIX"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:cisco:pix_firewall_software:-"/>
+  </fingerprint>
+  <fingerprint pattern="^500[ -]5.5.1 unrecognised command HELP$">
+    <description>Eudora IMS uses the British spelling "unrecognised"</description>
+    <param pos="0" name="service.vendor" value="Eudora"/>
+    <param pos="0" name="service.family" value="Internet Mail Server"/>
+    <param pos="0" name="service.product" value="Internet Mail Server"/>
+    <param pos="0" name="os.vendor" value="Apple"/>
+    <param pos="0" name="os.family" value="Mac OS"/>
+    <param pos="0" name="os.product" value="Mac OS"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:apple:mac_os:-"/>
+  </fingerprint>
+  <fingerprint pattern="^214[ -]([^ ]+) is running the IBM VM operating system$">
+    <description>IBM VM</description>
+    <param pos="0" name="service.vendor" value="IBM"/>
+    <param pos="0" name="service.family" value="VM"/>
+    <param pos="0" name="service.product" value="VM"/>
+    <param pos="1" name="host.name"/>
+  </fingerprint>
+  <!--
+   Shouldn't we ignore XEXCH50 for the same reasons than described in the XEXCH50 regex
+   in smtp_ehlo.xml ? -mrb
+   -->
+  <fingerprint pattern="^214[ -].* XEXCH50 *.*$">
+    <description>Microsoft Exchange/IIS server</description>
+    <param pos="0" name="service.vendor" value="Microsoft"/>
+    <param pos="0" name="service.family" value="Exchange Server"/>
+    <param pos="0" name="service.product" value="Exchange Server"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:microsoft:exchange_server:-"/>
+    <param pos="0" name="os.vendor" value="Microsoft"/>
+    <param pos="0" name="os.family" value="Windows"/>
+    <param pos="0" name="os.product" value="Windows"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
+  </fingerprint>
+  <fingerprint pattern="^214[ -]Help system currently inactive\.$">
+    <description>Alt-N MDaemon - 214 Help system currently inactive.</description>
+    <param pos="0" name="service.vendor" value="Alt-N"/>
+    <param pos="0" name="service.family" value="MDaemon"/>
+    <param pos="0" name="service.product" value="MDaemon"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:altn:mdaemon:-"/>
+    <param pos="0" name="os.vendor" value="Microsoft"/>
+    <param pos="0" name="os.family" value="Windows"/>
+    <param pos="0" name="os.product" value="Windows"/>
+    <param pos="0" name="os.arch" value="x86"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
+  </fingerprint>
+  <fingerprint pattern="^214[ -].*This is MERAK ([^ ]+\.[^ ]+\.[^ ]+).*$">
+    <description> Merak mail server - http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x)</description>
+    <param pos="0" name="service.vendor" value="Merak"/>
+    <param pos="0" name="service.family" value="Mail Server"/>
+    <param pos="0" name="service.product" value="Mail Server"/>
+    <param pos="1" name="service.version"/>
+  </fingerprint>
+  <fingerprint pattern="^214[ -].*This is Merak ([^ ]+\.[^ ]+\.[^ ]+).*$">
+    <description>Merak mail server - http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x) - variant 1</description>
+    <param pos="0" name="service.vendor" value="Merak"/>
+    <param pos="0" name="service.family" value="Mail Server"/>
+    <param pos="0" name="service.product" value="Mail Server"/>
+    <param pos="1" name="service.version"/>
+  </fingerprint>
+  <fingerprint pattern="^214[ -].*bugs@merakmail\.com.*$">
+    <description>Merak mail server - http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x) - email variant</description>
+    <param pos="0" name="service.vendor" value="Merak"/>
+    <param pos="0" name="service.family" value="Mail Server"/>
+    <param pos="0" name="service.product" value="Mail Server"/>
+  </fingerprint>
+  <fingerprint pattern="^214[ -].*bugs@icewarp\.com.*$">
+    <description>Merak mail server - http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x) - icewarp variant </description>
+    <param pos="0" name="service.vendor" value="Merak"/>
+    <param pos="0" name="service.family" value="Mail Server"/>
+    <param pos="0" name="service.product" value="Mail Server"/>
+  </fingerprint>
+  <fingerprint pattern="^214[ -]qmail home page: http://pobox.com/~djb/qmail.html *$">
+    <description>QMail - help variant</description>
+    <example>214 qmail home page: http://pobox.com/~djb/qmail.html</example>
+    <param pos="0" name="service.vendor" value="qmail"/>
+    <param pos="0" name="service.family" value="qmail"/>
+    <param pos="0" name="service.product" value="qmail"/>
+  </fingerprint>
+  <fingerprint pattern="^214[ -].*contact the Digital Customer Support Center at 1-800-354-9000.*$">
+    <description>Sendmail on Digital OSF UNIX</description>
+    <param pos="0" name="service.family" value="Sendmail"/>
+    <param pos="0" name="service.product" value="Sendmail"/>
+    <param pos="0" name="service.certainty" value="0.85"/>
+    <param pos="0" name="os.vendor" value="DEC"/>
+    <param pos="0" name="os.family" value="Digital UNIX"/>
+    <param pos="0" name="os.product" value="OSF/1"/>
+  </fingerprint>
+  <fingerprint pattern="^214[ -]2.0.0 This is [s|S]endmail version ([^ ]+)$">
+    <description>Sendmail often returns version information for HELP, even when the greeting is obscured</description>
+    <param pos="0" name="service.family" value="Sendmail"/>
+    <param pos="0" name="service.product" value="Sendmail"/>
+    <param pos="1" name="service.version"/>
+  </fingerprint>
+  <fingerprint pattern="^214[ -]This is [s|S]endmail version ([^ ]+)$">
+    <description>Sendmail often returns version information for HELP - variant 1</description>
+    <param pos="0" name="service.family" value="Sendmail"/>
+    <param pos="0" name="service.product" value="Sendmail"/>
+    <param pos="1" name="service.version"/>
+  </fingerprint>
+  <fingerprint pattern="^502[ -]5\.3\.0 Sendmail ([^ ]+) -- HELP not implemented$">
+    <description>Sendmail - help not implemented variant</description>
+    <example>502 5.3.0 Sendmail 8.11.2 -- HELP not implemented</example>
+    <param pos="0" name="service.family" value="Sendmail"/>
+    <param pos="0" name="service.product" value="Sendmail"/>
+    <param pos="1" name="service.version"/>
+  </fingerprint>
+  <fingerprint pattern="^214[ -].*sendmail-bugs@sendmail\.org.*$">
+    <description>Sendmail often returns version information for HELP - email variant</description>
+    <param pos="0" name="service.family" value="Sendmail"/>
+    <param pos="0" name="service.product" value="Sendmail"/>
+    <param pos="0" name="service.certainty" value="0.85"/>
+  </fingerprint>
+  <fingerprint pattern="^241[ -].*$">
+    <description>ZMailer versions earlier than 2.99.21 mistakenly return the status code 241 on some HELP response lines (instead of 214).</description>
+    <param pos="0" name="service.vendor" value="ZMailer"/>
+    <param pos="0" name="service.family" value="ZMailer"/>
+    <param pos="0" name="service.product" value="ZMailer"/>
+  </fingerprint>
+  <fingerprint pattern="^214[ -].*Yoyodyne Propulsion.*$">
+    <description>ZMailer has distinctive default HELP text in smtpserver.conf</description>
+    <param pos="0" name="service.vendor" value="ZMailer"/>
+    <param pos="0" name="service.family" value="ZMailer"/>
+    <param pos="0" name="service.product" value="ZMailer"/>
+  </fingerprint>
+</fingerprints>

data/xml/smtp_mailfrom.xml ADDED

@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<fingerprints protocol="smtp" database_type="service">
+  <!--
+  This file is currently unused.
+  -->
+  <fingerprint pattern="250 .* is syntactically correct *">
+    <description>exim</description>
+    <example>250 &lt;nosuchuser@rapid7.com&gt; is syntactically correct</example>
+    <param pos="0" name="service.vendor" value="exim"/>
+    <param pos="0" name="service.family" value="exim"/>
+    <param pos="0" name="service.product" value="exim"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:exim:exim:-"/>
+  </fingerprint>
+  <fingerprint pattern="501[ -]System error\. *">
+    <description>GNAT Box SMTP</description>
+    <param pos="0" name="service.vendor" value="Global Technology Associates"/>
+    <param pos="0" name="service.family" value="GNAT Box"/>
+    <param pos="0" name="service.product" value="GNAT Box"/>
+  </fingerprint>
+</fingerprints>

data/xml/smtp_noop.xml ADDED

@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<fingerprints protocol="smtp" database_type="service" preference="0.17">
+  <!--
+  SMTP response lines to the NOOP command are matched against these patterns
+  (1 line at a time) to fingerprint SMTP servers.
+  See comment at the top of smtp_banners.xml for additional info.
+  'preference' note: This value has been set so as to implement the ordering
+    of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
+  -->
+  <fingerprint pattern="^220 OK.*$">
+    <description>CheckPoint FireWall-1 returns code 220 for NOOP command (instead of 250)</description>
+    <param pos="0" name="service.vendor" value="Check Point"/>
+    <param pos="0" name="service.family" value="Check Point"/>
+    <param pos="0" name="service.product" value="Firewall-1"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:checkpoint:firewall-1:-"/>
+  </fingerprint>
+  <fingerprint pattern="^250[ -]2.0.0 doing nothing$">
+    <description>Eudora IMS - noop variant</description>
+    <example>250 2.0.0 doing nothing</example>
+    <param pos="0" name="service.vendor" value="Eudora"/>
+    <param pos="0" name="service.family" value="Internet Mail Server"/>
+    <param pos="0" name="service.product" value="Internet Mail Server"/>
+    <param pos="0" name="os.vendor" value="Apple"/>
+    <param pos="0" name="os.family" value="Mac OS"/>
+    <param pos="0" name="os.product" value="Mac OS"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:apple:mac_os:-"/>
+  </fingerprint>
+  <fingerprint pattern="^250[ -]Why is there an NOOP instruction\?$">
+    <description>Alt-N MDaemon - noop variant</description>
+    <example>250 Why is there an NOOP instruction?</example>
+    <param pos="0" name="service.vendor" value="Alt-N"/>
+    <param pos="0" name="service.family" value="MDaemon"/>
+    <param pos="0" name="service.product" value="MDaemon"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:altn:mdaemon:-"/>
+    <param pos="0" name="os.vendor" value="Microsoft"/>
+    <param pos="0" name="os.family" value="Windows"/>
+    <param pos="0" name="os.product" value="Windows"/>
+    <param pos="0" name="os.arch" value="x86"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
+  </fingerprint>
+</fingerprints>

data/xml/smtp_quit.xml ADDED

@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<fingerprints protocol="smtp" database_type="service" preference="0.11">
+  <!--
+  SMTP response lines to the QUIT command are matched against these patterns
+  (1 line at a time) to fingerprint SMTP servers.
+  See comment at the top of smtp_banners.xml for additional info.
+  'preference' note: This value has been set so as to implement the ordering
+    of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
+  -->
+  <fingerprint pattern="^221[ -]See ya in cyberspace$">
+    <description>221 See ya in cyberspace</description>
+    <param pos="0" name="service.vendor" value="Alt-N"/>
+    <param pos="0" name="service.family" value="MDaemon"/>
+    <param pos="0" name="service.product" value="MDaemon"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:altn:mdaemon:-"/>
+    <param pos="0" name="os.vendor" value="Microsoft"/>
+    <param pos="0" name="os.family" value="Windows"/>
+    <param pos="0" name="os.product" value="Windows"/>
+    <param pos="0" name="os.arch" value="x86"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
+  </fingerprint>
+  <fingerprint pattern="^503[ -]5\.5\.0 Not accepting any command except QUIT$">
+    <description>Raptor Firewall</description>
+    <example>503 5.5.0 Not accepting any command except QUIT</example>
+    <param pos="0" name="service.product" value="raptor"/>
+  </fingerprint>
+</fingerprints>

data/xml/smtp_rcptto.xml ADDED

@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<fingerprints protocol="smtp" database_type="service">
+  <!--
+   <fingerprint pattern="501[ -]Invalid domain *">
+      <description> Description here</description>
+      <param pos="0" name="service.vendor" value="Global Technology Associates"/>
+      <param pos="0" name="service.family" value="GNAT Box"/>
+      <param pos="0" name="service.product" value="GNAT Box"/>
+   </fingerprint>
+   <fingerprint pattern="550[ -]System error\. *">
+      <description>and here</description>
+      <param pos="0" name="service.vendor" value="Global Technology Associates"/>
+      <param pos="0" name="service.family" value="GNAT Box"/>
+      <param pos="0" name="service.product" value="GNAT Box"/>
+   </fingerprint>
+   -->
+  <fingerprint pattern="550[ -]not local host .*, not a gateway *">
+    <description>550 not local host foo.bar, not a gateway</description>
+    <param pos="0" name="service.vendor" value="Ipswitch"/>
+    <param pos="0" name="service.family" value="IMail Server"/>
+    <param pos="0" name="service.product" value="IMail Server"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:ipswitch:imail_server:-"/>
+  </fingerprint>
+</fingerprints>