recog 2.0.15 → 2.0.16

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 81ca81c5892d0fb7882afdb14f8c6e0324196cbb
-  data.tar.gz: 793218a1570ce08ee7e3c0895b1c5822e5f49922
+  metadata.gz: ebf510b58ac33138c4fdcf5ee549e8a357f705af
+  data.tar.gz: d66456b16899f7af045ab574181bc344ac67a7f6
 SHA512:
-  metadata.gz: fa6edf956ca223ea34ebd8c39a6a2e4a471b3f225d9642ba83e4e945ce4135f0691b64b67b767d48b557df83c474563ccf7ff28f11e77bac5007a6607cc81272
-  data.tar.gz: 9e9045604f3a260422e0002bf63d565ebedad35ab1a2afb99775a2bb28bf70d459ed9330feba2742c1f1b118daf421c2965b7c11498c30de02c406dc967a4831
+  metadata.gz: 86f98b254c38d880fa44c03a2be7d5ba5264163b6b119890fc4a91b40e37b1958e4a201ed84a8b47b5e1ee33a2be52db9920ecfedb243a271f80c6043c978309
+  data.tar.gz: b81423e03118c816b4402c1fc69e42732d5907996889b95d1e28fda0f8cd9dbb945b1fbe4e06a756b0e2bdd54d59d587c44941caa4282a84b88525ab0d8fc5e5

data/.gitignore

@@ -2,7 +2,7 @@
 coverage/
 doc/
 pkg/
-
+.idea/
 /Gemfile.lock
 
 # ignore rvm files

data/bin/recog_match

@@ -6,7 +6,7 @@ require 'ostruct'
 require 'recog'
 require 'recog/matcher_factory'
 
-options = OpenStruct.new(color: false, detail: false, fail_fast: false)
+options = OpenStruct.new(color: false, detail: false, fail_fast: false, multi_match: false)
 
 option_parser = OptionParser.new do |opts|
   opts.banner = "Usage: #{$0} [options] XML_FINGERPRINT_FILE [BANNERS_FILE]"
@@ -33,6 +33,10 @@ option_parser = OptionParser.new do |opts|
     options.color = true
   end
 
+  opts.on("--[no-]multi-match", "Enable or disable multiple matches (defaults to disabled)") do |o|
+    options.multi_match = o
+  end
+
   opts.on("-h", "--help", "Show this message.") do
     puts opts
     exit

data/features/data/multiple_banners_fingerprints.xml

@@ -0,0 +1,30 @@
+<?xml version="1.0"?>
+<fingerprints>
+  <fingerprint pattern="FTP">
+    <example>---- FTP Stuff ----</example>
+    <example>FTP server</example>
+    <description>Generic FTP,
+      Checks for the existence of the word FTP in the line
+    </description>
+    <!-- Asserting nothing -->
+  </fingerprint>
+  <fingerprint pattern="^-{10} Welcome to Pure-FTPd (.*)-{10}$">
+    <example>---------- Welcome to Pure-FTPd ----------</example>
+    <description>Pure-FTPd
+      Config data can be zero or more of: [privsep] [TLS]
+    </description>
+    <param pos="1" name="pureftpd.config"/>
+    <param pos="0" name="service.family" value="Pure-FTPd"/>
+    <param pos="0" name="service.product" value="Pure-FTPd"/>
+  </fingerprint>
+  <fingerprint pattern="^(\S+) FTP Server \(SunOS (\S+)\) ready\.?$" flags="REG_ICASE">
+    <description>SunOS/Solaris</description>
+    <example>example.com FTP server (SunOS 5.7) ready.</example>
+    <param pos="0" name="os.vendor" value="Sun"/>
+    <param pos="0" name="os.family" value="Solaris"/>
+    <param pos="0" name="os.product" value="Solaris"/>
+    <param pos="0" name="os.device" value="General"/>
+    <param pos="1" name="host.name"/>
+    <param pos="2" name="os.version"/>
+  </fingerprint>
+</fingerprints>

data/features/match.feature

@@ -14,3 +14,19 @@ Feature: Match
       FAIL: ---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
       FAIL: polaris FTP server (SunOS 5.8) ready
       """
+
+  Scenario: Finds multiple matches
+    When I run `recog_match multiple_banners_fingerprints.xml sample_banner.txt --multi-match`
+    Then it should pass with:
+      """
+      MATCHES: {"matched"=>"Generic FTP, Checks for the existence of the word FTP in the line", "data"=>"---------- Welcome to Pure-FTPd [privsep] [TLS] ----------"},{"matched"=>"Pure-FTPd Config data can be zero or more of: [privsep] [TLS]", "pureftpd.config"=>"[privsep] [TLS] ", "service.family"=>"Pure-FTPd", "service.product"=>"Pure-FTPd", "data"=>"---------- Welcome to Pure-FTPd [privsep] [TLS] ----------"}
+      MATCHES: {"matched"=>"Generic FTP, Checks for the existence of the word FTP in the line", "data"=>"polaris FTP server (SunOS 5.8) ready."},{"matched"=>"SunOS/Solaris", "os.vendor"=>"Sun", "os.family"=>"Solaris", "os.product"=>"Solaris", "os.device"=>"General", "host.name"=>"polaris", "os.version"=>"5.8", "data"=>"polaris FTP server (SunOS 5.8) ready."}
+      """
+
+  Scenario: Finds first matches using no-multi-match flag
+    When I run `recog_match multiple_banners_fingerprints.xml sample_banner.txt --no-multi-match`
+    Then it should pass with:
+    """
+    MATCH: {"matched"=>"Generic FTP, Checks for the existence of the word FTP in the line", "data"=>"---------- Welcome to Pure-FTPd [privsep] [TLS] ----------"}
+    MATCH: {"matched"=>"Generic FTP, Checks for the existence of the word FTP in the line", "data"=>"polaris FTP server (SunOS 5.8) ready."}
+    """

data/lib/recog/matcher.rb

@@ -1,12 +1,17 @@
 module Recog
 class Matcher
-  attr_reader :fingerprints, :reporter
+  attr_reader :fingerprints, :reporter, :multi_match
 
-  def initialize(fingerprints, reporter)
+  # @param fingerprints Array of [Recog::Fingerprint] The list of fingerprints from the Recog DB to find possible matches.
+  # @param reporter [Recog::MatchReporter] The reporting structure that holds the matches and fails
+  # @param multi_match [Boolean] specifies whether or not to use multi-match (true) or not (false)
+  def initialize(fingerprints, reporter, multi_match)
     @fingerprints = fingerprints
     @reporter = reporter
+    @multi_match = multi_match
   end
 
+  # @param banners_file [String] The source of banners to attempt to match against the Recog DB.
   def match_banners(banners_file)
     reporter.report do
 
@@ -22,14 +27,26 @@ class Matcher
         reporter.increment_line_count
 
         line = line.to_s.unpack("C*").pack("C*").strip.gsub(/\\[rn]/, '')
-        extractions = nil
+        found_extractions = false
+
+        all_extractions = []
         fingerprints.each do |fp|
-          break if (extractions = fp.match(line))
+          extractions = fp.match(line)
+          if extractions
+            found_extractions = true
+            extractions['data'] = line
+            if multi_match
+              all_extractions << extractions
+            else
+              reporter.match "MATCH: #{extractions.inspect}"
+              break
+            end
+          end
         end
 
-        if extractions
-          extractions['data'] = line
-          reporter.match "MATCH: #{extractions.inspect}"
+        if found_extractions
+          match_prefix = all_extractions.size > 1 ? 'MATCHES' : 'MATCH'
+          reporter.match "#{match_prefix}: #{all_extractions.map(&:inspect).join(',')}" if multi_match
         else
           reporter.failure "FAIL: #{line}"
         end
@@ -37,6 +54,7 @@ class Matcher
         if reporter.stop?
           break
         end
+
       end
 
       fd.close if file_source

data/lib/recog/matcher_factory.rb

@@ -8,7 +8,7 @@ module MatcherFactory
   def self.build(options)
     formatter = Formatter.new(options, $stdout)
     reporter  = MatchReporter.new(options, formatter)
-    Matcher.new(options.fingerprints, reporter)
+    Matcher.new(options.fingerprints, reporter, options.multi_match)
   end
 end
 end

data/lib/recog/nizer.rb

@@ -41,6 +41,24 @@ class Nizer
     nil
   end
 
+  def self.multi_match(match_key, match_string)
+    match_string = match_string.to_s.unpack("C*").pack("C*")
+    @@db_manager ||= Recog::DBManager.new
+
+    matches = Array.new #array to hold all fingerprint matches
+
+    @@db_manager.databases.each do |db|
+      next unless db.match_key == match_key
+
+      db.fingerprints.each do |fp|
+        m = fp.match(match_string)
+        matches.push(m) if m
+      end
+    end
+
+    return matches
+  end
+
   #
   # Consider an array of match outputs, choose the best result, taking into
   # account the granularity of OS vs Version vs SP vs Language. Only consider

data/lib/recog/version.rb

@@ -1,3 +1,3 @@
 module Recog
-  VERSION = '2.0.15'
+  VERSION = '2.0.16'
 end

data/spec/lib/recog/nizer_spec.rb

@@ -26,6 +26,54 @@ describe Recog::Nizer do
 
       end
     end
+
+    line = 'non-existent'
+    context "with non-existent match" do
+      let(:match_result) {subject.match('smb.native_os', line) }
+      it "returns a nil" do
+        expect(match_result).to be_nil
+      end
+    end
+  end
+
+  describe ".multi_match" do
+    File.readlines(File.expand_path(File.join('spec', 'data', 'smb_native_os.txt'))).each do |line|
+      data = line.strip
+
+      context "with smb_native_os:#{data}" do
+        let(:match_results) {subject.multi_match('smb.native_os', data) }
+
+        it "returns an array" do
+          expect(match_results.class).to eq(::Array)
+        end
+
+        it "returns at least one successful match" do
+          expect(match_results.size).to be > 0
+        end
+
+        it "correctly matches service or os" do
+          match_results do |mr|
+            if data =~ /^Windows/
+              expect(mr['os.product']).to match(/^Windows/)
+            end
+          end
+        end
+      end
+
+    end
+
+    line = 'non-existent'
+    context "with non-existent match" do
+      let(:match_results) {subject.multi_match('smb.native_os', line) }
+
+      it "returns an array" do
+        expect(match_results.class).to eq(::Array)
+      end
+
+      it "returns an empty array" do
+        expect(match_results).to be_empty
+      end
+    end
   end
 
   describe ".best_os_match" do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: recog
 version: !ruby/object:Gem::Version
-  version: 2.0.15
+  version: 2.0.16
 platform: ruby
 authors:
 - Rapid7 Research
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-10-27 00:00:00.000000000 Z
+date: 2015-11-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
@@ -136,6 +136,7 @@ files:
 - bin/recog_verify
 - features/data/failing_banners_fingerprints.xml
 - features/data/matching_banners_fingerprints.xml
+- features/data/multiple_banners_fingerprints.xml
 - features/data/no_tests.xml
 - features/data/sample_banner.txt
 - features/data/successful_tests.xml