recog 0.01

data/xml/smtp_debug.xml

@@ -0,0 +1,45 @@
+<?xml version="1.0"?>
+<!--
+SMTP response lines to the DEBUG command are matched against these patterns
+(1 line at a time) to fingerprint SMTP servers.
+
+See comment at the top of smtp_banners.xml for additional info.
+-->
+
+<fingerprints>
+   <fingerprint pattern="^500 No way!$">
+      <description>
+         Exim
+         example: 500 No way!
+      </description>
+      <param pos="0" name="service.vendor" value="exim"/>
+      <param pos="0" name="service.family" value="exim"/>
+      <param pos="0" name="service.product" value="exim"/>
+   </fingerprint>
+
+   <fingerprint pattern="^250[ -] *Debug set -NOT!$">
+      <description>
+         TIS FWTK and derivatives
+         http://www.tis.com/research/software/
+         This fingerprint may be ambiguous because other firewalls (like
+         Gauntlet) are derived from TIS
+      </description>
+      <param pos="0" name="service.vendor" value="TIS"/>
+      <param pos="0" name="service.family" value="FWTK"/>
+      <param pos="0" name="service.product" value="FWTK"/>
+   </fingerprint>
+
+   <fingerprint pattern="^500[ -]What\? I don't understand that\.$">
+      <description>
+         500 What? I don't understand that.
+      </description>
+      <param pos="0" name="service.vendor" value="Alt-N"/>
+      <param pos="0" name="service.family" value="MDaemon"/>
+      <param pos="0" name="service.product" value="MDaemon"/>
+      <param pos="0" name="os.vendor" value="Microsoft"/>
+      <param pos="0" name="os.family" value="Windows"/>
+      <param pos="0" name="os.device" value="General"/>
+      <param pos="0" name="os.product" value="Windows"/>
+      <param pos="0" name="os.arch" value="x86"/>
+   </fingerprint>
+</fingerprints>

data/xml/smtp_ehlo.xml

@@ -0,0 +1,53 @@
+<?xml version="1.0"?>
+<!--
+SMTP response lines to the EHLO command are matched against these patterns
+(1 line at a time) to fingerprint SMTP servers.
+
+See comment at the top of smtp_banners.xml for additional info.
+-->
+
+<fingerprints>
+   <fingerprint pattern="^500[ -]Syntax error, command &quot;XXXX&quot; unrecognized$">
+      <description>
+         Cisco PIX changes the command letters to 'X' before passing
+         them to the real SMTP server.
+      </description>
+      <param pos="0" name="service.vendor" value="Cisco"/>
+      <param pos="0" name="service.family" value="PIX"/>
+      <param pos="0" name="service.product" value="PIX"/>
+   </fingerprint>
+
+   <!--
+   Don't try to infer a fingerprint from XEXCH50, because if we do, it might overwrite
+   a very precise MS IIS SMTP service or MS Exchange Server fingerprint found with the
+   help of smtp_banners.xml. Instead, this case is handled specially by the Jess rule
+   smtp-iis-xexch50-svc-fingerprint. -mrb
+
+   <fingerprint pattern="^250[ -] *XEXCH50.*$">
+      <description>
+         Microsoft Exchange/IIS server
+      </description>
+      <param pos="0" name="service.vendor" value="Microsoft"/>
+      <param pos="0" name="service.family" value="IIS"/>
+      <param pos="0" name="service.product" value="IIS"/>
+      <param pos="0" name="os.vendor" value="Microsoft"/>
+      <param pos="0" name="os.family" value="Windows"/>
+      <param pos="0" name="os.device" value="General"/>
+      <param pos="0" name="os.product" value="Windows"/>
+   </fingerprint>
+   -->
+
+   <fingerprint pattern="^221[ -]See ya in cyberspace$">
+      <description>
+         221 See ya in cyberspace
+      </description>
+      <param pos="0" name="service.vendor" value="Alt-N"/>
+      <param pos="0" name="service.family" value="MDaemon"/>
+      <param pos="0" name="service.product" value="MDaemon"/>
+      <param pos="0" name="os.vendor" value="Microsoft"/>
+      <param pos="0" name="os.family" value="Windows"/>
+      <param pos="0" name="os.device" value="General"/>
+      <param pos="0" name="os.product" value="Windows"/>
+      <param pos="0" name="os.arch" value="x86"/>
+   </fingerprint>
+</fingerprints>

data/xml/smtp_expn.xml

@@ -0,0 +1,95 @@
+<?xml version="1.0"?>
+<!--
+SMTP response lines to the EXPN command are matched against these patterns
+(1 line at a time) to fingerprint SMTP servers.
+
+See comment at the top of smtp_banners.xml for additional info.
+-->
+
+<fingerprints>
+   <fingerprint pattern="^500[ -]Syntax error, command &quot;XXXX.*&quot; unrecognized$">
+      <description>
+         Cisco PIX changes the command letters to 'X' before passing
+         them to the real SMTP server.
+      </description>
+      <param pos="0" name="service.vendor" value="Cisco"/>
+      <param pos="0" name="service.family" value="PIX"/>
+      <param pos="0" name="service.product" value="PIX"/>
+   </fingerprint>
+
+   <fingerprint pattern="^550[ -]EXPN not available to \(.+\) \[.+\] *$">
+      <description>
+         Exim
+         example: 550 EXPN not available to (foo.bar.com) [192.168.0.1]
+      </description>
+      <param pos="0" name="service.vendor" value="exim"/>
+      <param pos="0" name="service.family" value="exim"/>
+      <param pos="0" name="service.product" value="exim"/>
+   </fingerprint>
+
+   <fingerprint pattern="^550[ -]EXPN not available to [^ ]+ \(.+\) \[.+\] *$">
+      <description>
+         Exim
+         example: 550 EXPN not available to evil.com (foo.bar.com) [192.168.0.1]
+      </description>
+      <param pos="0" name="service.vendor" value="exim"/>
+      <param pos="0" name="service.family" value="exim"/>
+      <param pos="0" name="service.product" value="exim"/>
+   </fingerprint>
+
+   <fingerprint pattern="^500[ -]Don't you wish! *$">
+      <description>
+      </description>
+      <param pos="0" name="service.vendor" value="Global Technology Associates"/>
+      <param pos="0" name="service.family" value="GNAT Box"/>
+      <param pos="0" name="service.product" value="GNAT Box"/>
+   </fingerprint>
+
+   <!-- VM SMTP server doesn't like brackets in EXPN commands... -->
+   <fingerprint pattern="^501[ -]Syntax Error\. Only ListId or Userid allowed as argument to this command *$">
+      <param pos="0" name="service.vendor" value="IBM"/>
+      <param pos="0" name="service.family" value="VM"/>
+      <param pos="0" name="service.product" value="VM"/>
+   </fingerprint>
+
+   <fingerprint pattern="^550[ -]lists are confidential *$">
+      <description>
+         example: 550 lists are confidential
+      </description>
+      <param pos="0" name="service.vendor" value="Ipswitch"/>
+      <param pos="0" name="service.family" value="IMail Server"/>
+      <param pos="0" name="service.product" value="IMail Server"/>
+   </fingerprint>
+
+   <fingerprint pattern="^502[ -]command is not active$">
+      <description>
+         502 command is not active
+      </description>
+      <param pos="0" name="service.vendor" value="Alt-N"/>
+      <param pos="0" name="service.family" value="MDaemon"/>
+      <param pos="0" name="service.product" value="MDaemon"/>
+      <param pos="0" name="os.vendor" value="Microsoft"/>
+      <param pos="0" name="os.family" value="Windows"/>
+      <param pos="0" name="os.device" value="General"/>
+      <param pos="0" name="os.product" value="Windows"/>
+      <param pos="0" name="os.arch" value="x86"/>
+   </fingerprint>
+
+   <fingerprint pattern="^252 Unable to EXPN &quot;.*&quot;, but will accept message and attempt delivery *$">
+      <description>
+         Lotus Domino
+      </description>
+      <param pos="0" name="service.vendor" value="Lotus"/>
+      <param pos="0" name="service.family" value="Lotus Domino"/>
+      <param pos="0" name="service.product" value="Lotus Domino"/>
+   </fingerprint>
+
+   <fingerprint pattern="^550[ -]Unable to find list '.*'\.$">
+      <description>
+         example: 550 Unable to find list 'list'.
+      </description>
+      <param pos="0" name="service.vendor" value="Seattle Labs"/>
+      <param pos="0" name="service.family" value="SLMail"/>
+      <param pos="0" name="service.product" value="SLMail"/>
+   </fingerprint>
+</fingerprints>

data/xml/smtp_help.xml

@@ -0,0 +1,212 @@
+<?xml version="1.0"?>
+<!--
+SMTP response lines to the HELP command are matched against these patterns
+(1 line at a time) to fingerprint SMTP servers.
+
+See comment at the top of smtp_banners.xml for additional info.
+-->
+
+<fingerprints>
+   <fingerprint pattern="^214[ -]This is ArGoSoft Mail Server, Version [^ ]+ \(([^ ]+\.[^ ]+\.[^ ]+\.[^ ]+)\) *$">
+      <description>
+         ArgoSoft mail server HELP response
+         Example: 214-This is ArGoSoft Mail Server, Version 1.4 (1.4.0.3)
+      </description>
+      <param pos="0" name="service.vendor" value="ArGoSoft"/>
+      <param pos="0" name="service.family" value="Mail Server"/>
+      <param pos="0" name="service.product" value="Mail Server"/>
+      <param pos="1" name="service.version"/>
+   </fingerprint>
+
+   <fingerprint pattern="^214[ -].*support@argosoft\.com *$">
+      <description>
+         ArgoSoft mail server HELP response
+         Example: 214-To report bug, send mail to support@argosoft.com
+      </description>
+      <param pos="0" name="service.vendor" value="ArGoSoft"/>
+      <param pos="0" name="service.family" value="Mail Server"/>
+      <param pos="0" name="service.product" value="Mail Server"/>
+   </fingerprint>
+
+   <fingerprint pattern="^500[ -]Syntax error, command &quot;XXXX&quot; unrecognized$">
+      <description>
+         Cisco PIX changes the command letters to 'X' before passing
+         them to the real SMTP server.
+      </description>
+      <param pos="0" name="service.vendor" value="Cisco"/>
+      <param pos="0" name="service.family" value="PIX"/>
+      <param pos="0" name="service.product" value="PIX"/>
+   </fingerprint>
+
+   <fingerprint pattern="^500[ -]5.5.1 unrecognised command HELP$">
+      <description>
+         Eudora IMS uses the British spelling &quot;unrecognised&quot;
+      </description>
+      <param pos="0" name="service.vendor" value="Eudora"/>
+      <param pos="0" name="service.family" value="Internet Mail Server"/>
+      <param pos="0" name="service.product" value="Internet Mail Server"/>
+      <param pos="0" name="os.vendor" value="Apple"/>
+      <param pos="0" name="os.family" value="Mac OS"/>
+      <param pos="0" name="os.device" value="General"/>
+      <param pos="0" name="os.product" value="Mac OS"/>
+   </fingerprint>
+
+   <fingerprint pattern="^214[ -]([^ ]+) is running the IBM VM operating system$">
+      <param pos="0" name="service.vendor" value="IBM"/>
+      <param pos="0" name="service.family" value="VM"/>
+      <param pos="0" name="service.product" value="VM"/>
+      <param pos="1" name="host.name"/>
+   </fingerprint>
+
+   <!--
+   Shouldn't we ignore XEXCH50 for the same reasons than described in the XEXCH50 regex
+   in smtp_ehlo.xml ? -mrb
+   -->
+   <fingerprint pattern="^214[ -].* XEXCH50 *.*$">
+      <description>
+         Microsoft Exchange/IIS server
+      </description>
+      <param pos="0" name="service.vendor" value="Microsoft"/>
+      <param pos="0" name="service.family" value="Exchange Server"/>
+      <param pos="0" name="service.product" value="Exchange Server"/>
+      <param pos="0" name="os.vendor" value="Microsoft"/>
+      <param pos="0" name="os.family" value="Windows"/>
+      <param pos="0" name="os.device" value="General"/>
+      <param pos="0" name="os.product" value="Windows"/>
+   </fingerprint>
+
+   <fingerprint pattern="^214[ -]Help system currently inactive\.$">
+      <description>
+         214 Help system currently inactive.
+      </description>
+      <param pos="0" name="service.vendor" value="Alt-N"/>
+      <param pos="0" name="service.family" value="MDaemon"/>
+      <param pos="0" name="service.product" value="MDaemon"/>
+      <param pos="0" name="os.vendor" value="Microsoft"/>
+      <param pos="0" name="os.family" value="Windows"/>
+      <param pos="0" name="os.device" value="General"/>
+      <param pos="0" name="os.product" value="Windows"/>
+      <param pos="0" name="os.arch" value="x86"/>
+   </fingerprint>
+
+   <fingerprint pattern="^214[ -].*This is MERAK ([^ ]+\.[^ ]+\.[^ ]+).*$">
+      <description>
+         Merak mail server http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x)
+      </description>
+      <param pos="0" name="service.vendor" value="Merak"/>
+      <param pos="0" name="service.family" value="Mail Server"/>
+      <param pos="0" name="service.product" value="Mail Server"/>
+      <param pos="1" name="service.version"/>
+   </fingerprint>
+
+   <fingerprint pattern="^214[ -].*This is Merak ([^ ]+\.[^ ]+\.[^ ]+).*$">
+      <description>
+         Merak mail server http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x)
+      </description>
+      <param pos="0" name="service.vendor" value="Merak"/>
+      <param pos="0" name="service.family" value="Mail Server"/>
+      <param pos="0" name="service.product" value="Mail Server"/>
+      <param pos="1" name="service.version"/>
+   </fingerprint>
+
+   <fingerprint pattern="^214[ -].*bugs@merakmail\.com.*$">
+      <description>
+         Merak mail server http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x)
+      </description>
+      <param pos="0" name="service.vendor" value="Merak"/>
+      <param pos="0" name="service.family" value="Mail Server"/>
+      <param pos="0" name="service.product" value="Mail Server"/>
+   </fingerprint>
+
+   <fingerprint pattern="^214[ -].*bugs@icewarp\.com.*$">
+      <description>
+         Merak mail server http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x)
+      </description>
+      <param pos="0" name="service.vendor" value="Merak"/>
+      <param pos="0" name="service.family" value="Mail Server"/>
+      <param pos="0" name="service.product" value="Mail Server"/>
+   </fingerprint>
+
+   <fingerprint pattern="^214[ -]qmail home page: http://pobox.com/~djb/qmail.html *$">
+      <description>
+         example: 214 qmail home page: http://pobox.com/~djb/qmail.html
+      </description>
+      <param pos="0" name="service.vendor" value="qmail"/>
+      <param pos="0" name="service.family" value="qmail"/>
+      <param pos="0" name="service.product" value="qmail"/>
+   </fingerprint>   
+
+   <fingerprint pattern="^214[ -].*contact the Digital Customer Support Center at 1-800-354-9000.*$">
+      <description>
+         sendmail on Digital OSF UNIX
+      </description>
+      <param pos="0" name="service.family" value="Sendmail"/>
+      <param pos="0" name="service.product" value="Sendmail"/>
+      <param pos="0" name="service.certainty" value="0.85"/> <!-- no version, hence less precise than the banner -->
+      <param pos="0" name="os.vendor" value="DEC"/>
+      <param pos="0" name="os.family" value="Digital UNIX"/>
+      <param pos="0" name="os.device" value="General"/>
+      <param pos="0" name="os.product" value="OSF/1"/>
+   </fingerprint>
+
+   <fingerprint pattern="^214[ -]2.0.0 This is [s|S]endmail version ([^ ]+)$">
+      <description>
+         sendmail often returns version information for HELP, even when the
+         greeting is obscured
+      </description>
+      <param pos="0" name="service.family" value="Sendmail"/>
+      <param pos="0" name="service.product" value="Sendmail"/>
+      <param pos="1" name="service.version"/>
+   </fingerprint>
+
+   <fingerprint pattern="^214[ -]This is [s|S]endmail version ([^ ]+)$">
+      <description>
+         sendmail often returns version information for HELP, even when the
+         greeting is obscured
+      </description>
+      <param pos="0" name="service.family" value="Sendmail"/>
+      <param pos="0" name="service.product" value="Sendmail"/>
+      <param pos="1" name="service.version"/>
+   </fingerprint>
+
+   <fingerprint pattern="^502[ -]5\.3\.0 Sendmail ([^ ]+) -- HELP not implemented$">
+      <description>
+         502 5.3.0 Sendmail 8.11.2 -- HELP not implemented
+      </description>
+      <param pos="0" name="service.family" value="Sendmail"/>
+      <param pos="0" name="service.product" value="Sendmail"/>
+      <param pos="1" name="service.version"/>
+   </fingerprint>
+
+   <fingerprint pattern="^214[ -].*sendmail-bugs@sendmail\.org.*$">
+      <description>
+         sendmail often returns version information for HELP, even when the
+         greeting is obscured
+      </description>
+      <param pos="0" name="service.family" value="Sendmail"/>
+      <param pos="0" name="service.product" value="Sendmail"/>
+      <param pos="0" name="service.certainty" value="0.85"/> <!-- no version, hence less precise than the banner -->
+   </fingerprint>
+
+   <fingerprint pattern="^241[ -].*$">
+      <description>
+         ZMailer versions earlier than 2.99.21 mistakenly return the status
+         code 241 on some HELP response lines (instead of 214).
+      </description>
+      <param pos="0" name="service.vendor" value="ZMailer"/>
+      <param pos="0" name="service.family" value="ZMailer"/>
+      <param pos="0" name="service.product" value="ZMailer"/>
+      <!-- todo: it would be nice to say that this is version 2.99.21 or earlier -->
+   </fingerprint>
+
+   <fingerprint pattern="^214[ -].*Yoyodyne Propulsion.*$">
+      <description>
+         ZMailer has distinctive default HELP text in smtpserver.conf.
+         See http://www.zmailer.org/zman/zadm-smtpserver.html#ZADM-SMTPSERVER-CONF
+      </description>
+      <param pos="0" name="service.vendor" value="ZMailer"/>
+      <param pos="0" name="service.family" value="ZMailer"/>
+      <param pos="0" name="service.product" value="ZMailer"/>
+      <!-- todo: it would be nice to say that this is version 2.99.21 or earlier -->
+   </fingerprint>
+</fingerprints>

data/xml/smtp_mailfrom.xml

@@ -0,0 +1,24 @@
+<?xml version="1.0"?>
+<!--
+This file is currently unused.
+-->
+
+<fingerprints>
+   <fingerprint pattern="250 .* is syntactically correct *">
+      <description>
+         Exim
+         example: 250 &lt;nosuchuser@rapid7.com&gt; is syntactically correct
+      </description>
+      <param pos="0" name="service.vendor" value="exim"/>
+      <param pos="0" name="service.family" value="exim"/>
+      <param pos="0" name="service.product" value="exim"/>
+   </fingerprint>
+
+   <fingerprint pattern="501[ -]System error\. *">
+      <description>
+      </description>
+      <param pos="0" name="service.vendor" value="Global Technology Associates"/>
+      <param pos="0" name="service.family" value="GNAT Box"/>
+      <param pos="0" name="service.product" value="GNAT Box"/>
+   </fingerprint>
+</fingerprints>

data/xml/smtp_noop.xml

@@ -0,0 +1,45 @@
+<?xml version="1.0"?>
+<!--
+SMTP response lines to the NOOP command are matched against these patterns
+(1 line at a time) to fingerprint SMTP servers.
+
+See comment at the top of smtp_banners.xml for additional info.
+-->
+
+<fingerprints>
+   <fingerprint pattern="^220 OK.*$">
+      <description>
+         CheckPoint FireWall-1 returns code 220 for NOOP command (instead of 250)
+      </description>
+      <param pos="0" name="service.vendor" value="Check Point"/>
+      <param pos="0" name="service.family" value="Check Point"/>
+      <param pos="0" name="service.product" value="Firewall-1"/>
+   </fingerprint>
+
+   <fingerprint pattern="^250[ -]2.0.0 doing nothing$">
+      <description>
+         Example: 250 2.0.0 doing nothing
+      </description>
+      <param pos="0" name="service.vendor" value="Eudora"/>
+      <param pos="0" name="service.family" value="Internet Mail Server"/>
+      <param pos="0" name="service.product" value="Internet Mail Server"/>
+      <param pos="0" name="os.vendor" value="Apple"/>
+      <param pos="0" name="os.family" value="Mac OS"/>
+      <param pos="0" name="os.device" value="General"/>
+      <param pos="0" name="os.product" value="Mac OS"/>
+   </fingerprint>
+
+   <fingerprint pattern="^250[ -]Why is there an NOOP instruction\?$">
+      <description>
+         250 Why is there an NOOP instruction?
+      </description>
+      <param pos="0" name="service.vendor" value="Alt-N"/>
+      <param pos="0" name="service.family" value="MDaemon"/>
+      <param pos="0" name="service.product" value="MDaemon"/>
+      <param pos="0" name="os.vendor" value="Microsoft"/>
+      <param pos="0" name="os.family" value="Windows"/>
+      <param pos="0" name="os.device" value="General"/>
+      <param pos="0" name="os.product" value="Windows"/>
+      <param pos="0" name="os.arch" value="x86"/>
+   </fingerprint>
+</fingerprints>