recog 2.1.18 → 2.1.19

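--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 2dfccd0a5a515fd50d6e1b37df8eecc70c1d66b2
- data.tar.gz: af23bc1ecb8338a683a5d9a0ad08b46ef111a545
+ metadata.gz: ca666a0361fcb46b9fb7bca00434fdfd98b98f99
+ data.tar.gz: b0f0741ca09a7e715f275c72ee1b56865a5239b8
  SHA512:
- metadata.gz: 69850c82b9b6e62ffffaa4e90337e89cdf404c467c3ca9097a0726246b2ddda82fe771810d3d1cf166da4bf67bcd675db63cb49571f65f372ca03dae8ed086f4
- data.tar.gz: 47d6cd3edbd0ef2d24761a88273955e4d5d9a38b128b961369326384c7900576338675389c403d327138eb1591d67ed69c4bffcd1345dad6573769ca3a38bfed
+ metadata.gz: fa394f748d7dc282b765434e8ffd234b0c6071af08db6d43b161f4287b32e4fd3701a0f1811a35ea3278826dcb4243ef3c0e99c1f961ae97afa2eba2f66fd37e
+ data.tar.gz: 6d375315056567afc494c1b0727f0db9f27c03303656a4728d0abdb8c35ac8d08eaf5939c1bb14b568de8ebd1a362d5a2588384a7f137ce19212e9c37b487be3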
@@ -1,3 +1,3 @@
1
1
  module Recog
2
- VERSION = '2.1.18'
2
+ VERSION = '2.1.19'
3
3
  end
@@ -24,7 +24,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
24
24
  -->
25
25
  <fingerprints matches="smtp.banner" protocol="smtp" database_type="service" preference="0.20">
26
26
  <fingerprint pattern="^X1 NT-ESMTP Server ([^ ]+) \(IMail (\d+\.[^ ]+) EVAL \d+-\d+\)$">
27
- <description>IMail EVAL version</description>
27
+ <description>IMail - EVAL version</description>
28
28
  <example service.version="6.06">X1 NT-ESMTP Server foo.bar (IMail 6.06 EVAL 11347-1)</example>
29
29
  <param pos="0" name="service.vendor" value="Ipswitch"/>
30
30
  <param pos="0" name="service.family" value="IMail Server"/>
@@ -34,7 +34,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
34
34
  <param pos="0" name="imail.eval" value="yes"/>
35
35
  </fingerprint>
36
36
  <fingerprint pattern="^X1 NT-ESMTP Server ([^ ]+) \(IMail (\d+\.[^ ]+) \d+-\d+\)$">
37
- <description>IMail non-EVAL version</description>
37
+ <description>IMail - non-EVAL version</description>
38
38
  <example service.version="6.06">X1 NT-ESMTP Server foo.bar (IMail 6.06 899085-1)</example>
39
39
  <param pos="0" name="service.vendor" value="Ipswitch"/>
40
40
  <param pos="0" name="service.family" value="IMail Server"/>
@@ -43,7 +43,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
43
43
  <param pos="1" name="host.name"/>
44
44
  </fingerprint>
45
45
  <fingerprint pattern="^([^ ]+) \(IMail (\d+\.[^ ]+) \d+-\d+\) NT-ESMTP Server X1$">
46
- <description>IMail non-EVAL version, NT-ESMTP at end</description>
46
+ <description>IMail - non-EVAL version, NT-ESMTP at end</description>
47
47
  <example service.version="12.4.2.27">foo.bar (IMail 12.4.2.27 21349-1) NT-ESMTP Server X1</example>
48
48
  <param pos="0" name="service.vendor" value="Ipswitch"/>
49
49
  <param pos="0" name="service.family" value="IMail Server"/>
@@ -52,10 +52,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
52
52
  <param pos="1" name="host.name"/>
53
53
  </fingerprint>
54
54
  <fingerprint pattern="^([^ ]+) SMTP AnalogX Proxy ([^ ]+\.[^ ]+) \(Release\) ready *$">
55
- <description>
56
- AnalogX proxy
57
- http://www.analogx.com/contents/download/network/proxy.htm
58
- </description>
55
+ <description>AnalogX proxy (http://www.analogx.com/contents/download/network/proxy.htm)</description>
59
56
  <example host.name="192.168.1.1" service.version="4.15">192.168.1.1 SMTP AnalogX Proxy 4.15 (Release) ready</example>
60
57
  <param pos="0" name="service.vendor" value="AnalogX"/>
61
58
  <param pos="0" name="service.family" value="Proxy"/>
@@ -64,38 +61,45 @@ The system or service fingerprint with the highest certainty overwrites the othe
64
61
  <param pos="1" name="host.name"/>
65
62
  </fingerprint>
66
63
  <fingerprint pattern="^ArGoSoft Mail Server, Version [^ ]+ \(([^ ]+\.[^ ]+\.[^ ]+\.[^ ]+)\) *$">
67
- <description>
68
- ArGoSoft Mail Server is fully functional STMP/POP3/Finger server for Windows 95/98/NT/2000.
69
- http://www.argosoft.com/applications/mailserver/
70
- Example: 220 ArGoSoft Mail Server, Version 1.4 (1.4.0.3)
71
- </description>
64
+ <description>ArGoSoft Mail Server</description>
65
+ <example service.version="1.4.0.7">ArGoSoft Mail Server, Version 1.4 (1.4.0.7)</example>
66
+ <param pos="0" name="os.vendor" value="Microsoft"/>
67
+ <param pos="0" name="os.family" value="Windows"/>
68
+ <param pos="0" name="os.product" value="Windows"/>
72
69
  <param pos="0" name="service.vendor" value="ArGoSoft"/>
73
70
  <param pos="0" name="service.family" value="Mail Server"/>
74
71
  <param pos="0" name="service.product" value="Mail Server"/>
75
72
  <param pos="1" name="service.version"/>
76
73
  </fingerprint>
77
- <fingerprint pattern="^(\S+) ArGoSoft Mail Server Freeware, Version [^ ]+ \(([^ ]+\.[^ ]+\.[^ ]+\.[^ ]+)\) *$">
78
- <description>ArGoSoft Mail, freeware version</description>
79
- <example host.name="example.com" service.version="1.8.8.8">example.com ArGoSoft Mail Server Freeware, Version 1.8 (1.8.8.8)</example>
74
+ <fingerprint pattern="^^(?:(\S+) +)?ArGoSoft Mail Server Freeware, Version [^ ]+ \(([^ ]+\.[^ ]+\.[^ ]+\.[^ ]+)\) *$">
75
+ <description>ArGoSoft Mail Server - freeware version</description>
76
+ <example host.name="foo.bar" service.version="1.8.8.8">foo.bar ArGoSoft Mail Server Freeware, Version 1.8 (1.8.8.8)</example>
77
+ <example service.version="1.8.8.8">ArGoSoft Mail Server Freeware, Version 1.8 (1.8.8.8)</example>
78
+ <param pos="0" name="os.vendor" value="Microsoft"/>
79
+ <param pos="0" name="os.family" value="Windows"/>
80
+ <param pos="0" name="os.product" value="Windows"/>
80
81
  <param pos="0" name="service.vendor" value="ArGoSoft"/>
81
82
  <param pos="0" name="service.family" value="Mail Server"/>
82
83
  <param pos="0" name="service.product" value="Mail Server"/>
83
84
  <param pos="2" name="service.version"/>
84
85
  <param pos="1" name="host.name"/>
85
86
  </fingerprint>
86
- <fingerprint pattern="^ArGoSoft Mail Server Pro for WinNT\/2000(?:\/XP)?, Version [^ ]+ \(([^ ]+\.[^ ]+\.[^ ]+\.[^ ]+)\) *$">
87
- <description>ArGoSoft Mail, Pro version </description>
87
+ <fingerprint pattern="^(?:(\S+) +)?ArGoSoft Mail Server Pro for WinNT\/2000(?:\/XP)?, Version [^ ]+ \(([^ ]+\.[^ ]+\.[^ ]+\.[^ ]+)\) *$">
88
+ <description>ArGoSoft Mail Server - Pro version</description>
88
89
  <example service.version="1.6.1.8">ArGoSoft Mail Server Pro for WinNT/2000, Version 1.61 (1.6.1.8)</example>
89
90
  <example service.version="1.8.9.5">ArGoSoft Mail Server Pro for WinNT/2000/XP, Version 1.8 (1.8.9.5)</example>
91
+ <example host.name="foo.bar" service.version="1.8.9.5">foo.bar ArGoSoft Mail Server Pro for WinNT/2000/XP, Version 1.8 (1.8.9.5)</example>
92
+ <param pos="0" name="os.vendor" value="Microsoft"/>
93
+ <param pos="0" name="os.family" value="Windows"/>
94
+ <param pos="0" name="os.product" value="Windows"/>
90
95
  <param pos="0" name="service.vendor" value="ArGoSoft"/>
91
96
  <param pos="0" name="service.family" value="Mail Server"/>
92
97
  <param pos="0" name="service.product" value="Mail Server"/>
93
- <param pos="1" name="service.version"/>
98
+ <param pos="1" name="host.name"/>
99
+ <param pos="2" name="service.version"/>
94
100
  </fingerprint>
95
101
  <fingerprint pattern="^([^ ]+) +AppleShare IP Mail Server ([^ ]+\.[\d.]+) SMTP Server Ready *$">
96
- <description>
97
- AppleShare IP Mail Server
98
- </description>
102
+ <description>AppleShare IP Mail Server</description>
99
103
  <example service.version="6.2.1">foo.bar AppleShare IP Mail Server 6.2.1 SMTP Server Ready</example>
100
104
  <example service.version="6.2">foo.bar AppleShare IP Mail Server 6.2 SMTP Server Ready</example>
101
105
  <param pos="0" name="service.vendor" value="Apple"/>
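Review bot: The rewritten freeware ArGoSoft pattern in this hunk starts with a doubled anchor, `^^(?:(\S+) +)?ArGoSoft Mail Server Freeware, ...`, while the Pro pattern a few lines below uses a single `^`. The extra caret is redundant rather than harmful, but it reads like a paste error and should become `^(?:(\S+) +)?ArGoSoft Mail Server Freeware, ...` so the two variants stay parallel. All three ArGoSoft fingerprints now assert `os.vendor`/`os.family`/`os.product` from the banner alone, and the shortened descriptions drop the only text that justified it ("for Windows 95/98/NT/2000"). A short XML comment next to the new `os.*` params saying the OS is inferred from the product being Windows-only would keep that rationale visible to anyone using these fields for asset inventory.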
@@ -105,9 +109,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
105
109
  <param pos="2" name="service.version"/>
106
110
  </fingerprint>
107
111
  <fingerprint pattern="^CheckPoint FireWall-1 secure E?SMTP server *$">
108
- <description>
109
- CheckPoint FireWall-1
110
- </description>
112
+ <description>CheckPoint FireWall-1</description>
111
113
  <example>CheckPoint FireWall-1 secure SMTP server</example>
112
114
  <example>CheckPoint FireWall-1 secure ESMTP server</example>
113
115
  <param pos="0" name="service.vendor" value="Check Point"/>
@@ -115,9 +117,8 @@ The system or service fingerprint with the highest certainty overwrites the othe
115
117
  <param pos="0" name="service.product" value="Firewall-1"/>
116
118
  </fingerprint>
117
119
  <fingerprint pattern="^SMTP/cmap ready_+$">
118
- <description>
119
- Cisco Pix v4.x
120
- </description>
120
+ <description>Cisco Pix v4.x</description>
121
+ <example>SMTP/cmap ready________________________________________________________________________</example>
121
122
  <param pos="0" name="service.vendor" value="Cisco"/>
122
123
  <param pos="0" name="service.family" value="PIX"/>
123
124
  <param pos="0" name="service.product" value="PIX"/>
@@ -148,8 +149,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
148
149
  <param pos="0" name="service.product" value="PIX"/>
149
150
  </fingerprint>
150
151
  <fingerprint pattern="^([^ ]+) +ESMTP CPMTA-([^ ]+)_([^ ]+)_([^ ]+)_([^ ]+) - NO UCE *$">
151
- <description>
152
- Critical Path (aka InScribe) Messaging Server
152
+ <description>Critical Path (aka InScribe) Messaging Server
153
153
  http://www.cp.net/products/inscr_messagingserv_overview.html
154
154
  Runs on Windows NT4/2k, Solaris 2.6, 2.7, and 2.8 Sparc/Intel, SGI IRIX 6.5.3 or later, and AIX
155
155
  </description>
@@ -163,22 +163,16 @@ The system or service fingerprint with the highest certainty overwrites the othe
163
163
  <param pos="5" name="service.version.version.version.version"/>
164
164
  </fingerprint>
165
165
  <fingerprint pattern="^CSM Internet Mail Scanner SMTP-Gateway ready?\. *$">
166
- <description>
167
- CSM Internet Mail Scanner SMTP proxy
168
- see http://www.csm-usa.com/product/ims/release.htm
169
- TODO: Some versions return a typo "read." instead of "ready." - use this to fingerprint
170
- example: 220 CSM Internet Mail Scanner SMTP-Gateway ready.
171
- example: 220 CSM Internet Mail Scanner SMTP-Gateway read.
172
- </description>
166
+ <description>CSM Internet Mail Scanner SMTP Proxy</description>
167
+ <example>CSM Internet Mail Scanner SMTP-Gateway ready.</example>
168
+ <example>CSM Internet Mail Scanner SMTP-Gateway read.</example>
173
169
  <param pos="0" name="service.vendor" value="CSM"/>
174
170
  <param pos="0" name="service.family" value="Internet Mail Scanner"/>
175
171
  <param pos="0" name="service.product" value="Internet Mail Scanner"/>
176
172
  </fingerprint>
177
173
  <fingerprint pattern="^([^ ]+) +IMS SMTP Receiver Version ([^ ]+\.[^ ]+) Ready *$">
178
- <description>
179
- EMWAC Internet Mail Services http://emwac.ed.ac.uk/html/internet_toolchest/ims/ims.htm
180
- example: 220 gabriela.networld.com.ar IMS SMTP Receiver Version 0.83 Ready
181
- </description>
174
+ <description>EMWAC Internet Mail Services (http://emwac.ed.ac.uk/html/internet_toolchest/ims/ims.htm)</description>
175
+ <example service.version="0.83" host.name="foo.bar">foo.bar IMS SMTP Receiver Version 0.83 Ready</example>
182
176
  <param pos="0" name="service.vendor" value="EMWAC"/>
183
177
  <param pos="0" name="service.family" value="Internet Mail Services"/>
184
178
  <param pos="0" name="service.product" value="Internet Mail Services"/>
@@ -186,7 +180,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
186
180
  <param pos="2" name="service.version"/>
187
181
  </fingerprint>
188
182
  <fingerprint pattern="^([^ ]+) running Eudora Internet Mail Server (\d\.[\d.]+) *$">
189
- <description> Eudora Internet Mail Server</description>
183
+ <description>Eudora Internet Mail Server</description>
190
184
  <example service.version="3.0.2" host.name="foo.bar">foo.bar running Eudora Internet Mail Server 3.0.2</example>
191
185
  <example service.version="2.2" host.name="foo.bar">foo.bar running Eudora Internet Mail Server 2.2</example>
192
186
  <param pos="0" name="service.vendor" value="Eudora"/>
@@ -200,10 +194,8 @@ The system or service fingerprint with the highest certainty overwrites the othe
200
194
  <param pos="2" name="service.version"/>
201
195
  </fingerprint>
202
196
  <fingerprint pattern="^([^ ]+) +ESMTP Server \(Microsoft Exchange Internet Mail Service (\d+\.\d+\.\d+\.\d+)\) ready *$">
203
- <description>
204
- Microsoft Exchange Server 5.5 and above
205
- (for sure, can't be confused with the IIS builtin SMTP service)
206
- </description>
197
+ <description>Microsoft Exchange Server 5.5 and above (for sure, can't be confused with the IIS builtin SMTP service)</description>
198
+ <example host.name="foo.bar" service.version="5.5.2653.13">foo.bar ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2653.13) ready</example>
207
199
  <param pos="0" name="service.vendor" value="Microsoft"/>
208
200
  <param pos="0" name="service.family" value="Exchange Server"/>
209
201
  <param pos="0" name="service.product" value="Exchange Server"/>
@@ -215,10 +207,8 @@ The system or service fingerprint with the highest certainty overwrites the othe
215
207
  <param pos="0" name="os.product" value="Windows"/>
216
208
  </fingerprint>
217
209
  <fingerprint pattern="^([^ ]+) Microsoft Exchange Internet Mail Service (\d+\.\d+\.\d+\.\d+) ready *$">
218
- <description>
219
- Microsoft Exchange Server 5.0
220
- (for sure, can't be confused with the IIS builtin SMTP service)
221
- </description>
210
+ <description>Microsoft Exchange Server 5.0 (for sure, can't be confused with the IIS builtin SMTP service)</description>
211
+ <example host.name="foo.bar" service.version="5.0.1460.8">foo.bar Microsoft Exchange Internet Mail Service 5.0.1460.8 ready</example>
222
212
  <param pos="0" name="service.vendor" value="Microsoft"/>
223
213
  <param pos="0" name="service.family" value="Exchange Server"/>
224
214
  <param pos="0" name="service.product" value="Exchange Server"/>
@@ -230,11 +220,8 @@ The system or service fingerprint with the highest certainty overwrites the othe
230
220
  <param pos="0" name="os.product" value="Windows"/>
231
221
  </fingerprint>
232
222
  <fingerprint pattern="^([^ ]+) Microsoft ESMTP MAIL Service ready at .*$">
233
- <description>
234
- Microsoft Exchange 2007/2010
235
- (for sure, can't be confused with the IIS builtin SMTP service)
236
- </description>
237
- <example>foo Microsoft ESMTP MAIL Service ready at Wed, 21 Jul 2010 19:04:24 -0700</example>
223
+ <description>Microsoft Exchange 2007/2010 (for sure, can't be confused with the IIS builtin SMTP service)</description>
224
+ <example>foo.bar Microsoft ESMTP MAIL Service ready at Wed, 21 Jul 2010 19:04:24 -0700</example>
238
225
  <param pos="0" name="service.vendor" value="Microsoft"/>
239
226
  <param pos="0" name="service.family" value="Exchange Server"/>
240
227
  <param pos="0" name="service.product" value="Exchange Server"/>
@@ -245,77 +232,77 @@ The system or service fingerprint with the highest certainty overwrites the othe
245
232
  <param pos="0" name="os.product" value="Windows"/>
246
233
  </fingerprint>
247
234
  <fingerprint pattern="^([^ ]+) Microsoft SMTP MAIL ready at (.+) Version: +(\d+\.\d+\.\d+\.\d+\.\d+) *$">
248
- <description>
249
- Microsoft IIS builtin SMTP service, or Microsoft Exchange Server
250
- (they are differentiated from each other in smtp-iis.clp)
251
- </description>
235
+ <description>Microsoft IIS builtin SMTP service, or Microsoft Exchange Server (they are differentiated from each other in smtp-iis.clp) - variant 1</description>
236
+ <example host.name="foo.bar" service.version="5.5.1877.197.19">foo.bar Microsoft SMTP MAIL ready at Wed, 29 Nov 2017 23:48:59 +0000 Version: 5.5.1877.197.19</example>
252
237
  <param pos="0" name="service.vendor" value="Microsoft"/>
253
238
  <param pos="0" name="service.family" value="IIS"/>
254
239
  <param pos="0" name="service.product" value="IIS"/>
255
240
  <param pos="3" name="service.version"/>
256
241
  <param pos="1" name="host.name"/>
257
242
  <param pos="2" name="system.time"/>
258
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
243
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
259
244
  <param pos="0" name="os.vendor" value="Microsoft"/>
260
245
  <param pos="0" name="os.family" value="Windows"/>
261
246
  <param pos="0" name="os.device" value="General"/>
262
247
  <param pos="0" name="os.product" value="Windows"/>
263
248
  </fingerprint>
264
- <fingerprint pattern="^([^ ]+) +Microsoft ESMTP MAIL Service, Version: +(\d+\.\d+\.\d+\.\d+) +ready at +(.+)$">
265
- <description>
266
- Microsoft IIS builtin SMTP service, or Microsoft Exchange Server
267
- (they are differentiated from each other in smtp-iis.clp)
268
- </description>
249
+ <fingerprint pattern="^(:?[^ ]+)? ?Microsoft ESMTP MAIL Service, Version: +(\d+\.\d+\.\d+\.\d+) +ready +(?:at +)?(.+)$">
250
+ <description>Microsoft IIS builtin SMTP service, or Microsoft Exchange Server (they are differentiated from each other in smtp-iis.clp) - variant 2 </description>
251
+ <example service.version="5.0.2195.5329"> Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready Thu, 30 Nov 2017 11:40:25 +0200</example>
269
252
  <example service.version="6.0.3790.4675">foo Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Wed, 21 Jul 2010 19:04:24 -0700</example>
253
+ <example service.version="6.0.2600.5512" system.time="Thu, 30 Nov 2017 18:22:40 +0900">Microsoft ESMTP MAIL Service, Version: 6.0.2600.5512 ready at Thu, 30 Nov 2017 18:22:40 +0900</example>
270
254
  <param pos="0" name="service.vendor" value="Microsoft"/>
271
255
  <param pos="0" name="service.family" value="IIS"/>
272
256
  <param pos="0" name="service.product" value="IIS"/>
273
257
  <param pos="2" name="service.version"/>
274
258
  <param pos="1" name="host.name"/>
275
259
  <param pos="3" name="system.time"/>
276
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
260
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
277
261
  <param pos="0" name="os.vendor" value="Microsoft"/>
278
262
  <param pos="0" name="os.family" value="Windows"/>
279
263
  <param pos="0" name="os.device" value="General"/>
280
264
  <param pos="0" name="os.product" value="Windows"/>
281
265
  </fingerprint>
282
266
  <fingerprint pattern="^ESMTP Exim$">
283
- <description>Exim without version string or hostname</description>
267
+ <description>Exim - without version string or hostname</description>
284
268
  <example>ESMTP Exim</example>
285
269
  <param pos="0" name="service.vendor" value="exim"/>
286
270
  <param pos="0" name="service.family" value="exim"/>
287
271
  <param pos="0" name="service.product" value="exim"/>
288
272
  </fingerprint>
289
- <fingerprint pattern="^ ?([^, ]+)(?:,)? ESMTP (?i:Exim) +(\d+\.[\d_.-]+)(?: +#\d)? ?.?((?:\w\w\w, \d+ \w\w\w \d\d\d\d [\d:]+ [-+]\d\d\d\d)?) *(?:We do not authorize the use of this system to transport unsolicited, and\/or bulk e-mail.)?$">
290
- <description>Exim with version string and optional timestamp</description>
273
+ <fingerprint pattern="^ ?([^, ]+)(?:,)? ESMTP \(?(?i:Exim) +(\d+\.[\d_.bRC-]+)\)?(?: +#\d)? ?.?((?:\w\w\w, \d+ \w\w\w \d\d\d\d [\d:]+ [-+]\d\d\d\d)?) *(?:We do not authorize the use of this system to transport unsolicited, and\/or bulk e-mail.)?$">
274
+ <description>Exim - with version string and optional timestamp</description>
291
275
  <example service.version="4.89" host.name="foo.bar">foo.bar ESMTP Exim 4.89 "</example>
292
- <example service.version="4.83" host.name="foo.bar">foo.bar, ESMTP EXIM 4.83"</example>
293
- <example service.version="4.84_2" host.name="foo.bar">foo.bar ESMTP Exim 4.84_2 "</example>
276
+ <example service.version="4.83" host.name="foo.bar">foo.bar, ESMTP EXIM 4.83</example>
277
+ <example service.version="4.84_2" host.name="foo.bar">foo.bar ESMTP Exim 4.84_2 </example>
278
+ <example service.version="4.90_RC3" host.name="foo.bar">foo.bar ESMTP Exim 4.90_RC3 Thu, 30 Nov 2017 03:52:16 -0700 </example>
279
+ <example service.version="4.89_1b" host.name="foo.bar">foo.bar ESMTP Exim 4.89_1b Thu, 05 Apr 2018 21:30:37 +0200</example>
294
280
  <example service.version="4.89-122312">foo.bar ESMTP Exim 4.89-122312 Thu, 16 Nov 2017 10:33:38 +0200 </example>
281
+ <example service.version="4.87">foo.bar ESMTP (Exim 4.87) Thu, 30 Nov 2017 03:25:58 -0800 </example>
295
282
  <example service.version="4.80" system.time="Thu, 16 Nov 2017 01:04:30 -0800">foo.bar ESMTP Exim 4.80 Thu, 16 Nov 2017 01:04:30 -0800 </example>
296
283
  <example service.version="3.12" system.time="Wed, 31 Jan 2001 15:47:23 +1100">foo.bar ESMTP Exim 3.12 #1 Wed, 31 Jan 2001 15:47:23 +1100 </example>
297
284
  <example service.version="4.89" host.name="foo.bar"> foo.bar ESMTP Exim 4.89 #1 Thu, 16 Nov 2017 04:55:31 -0500 We do not authorize the use of this system to transport unsolicited, and/or bulk e-mail.</example>
298
285
  <param pos="0" name="service.vendor" value="exim"/>
299
286
  <param pos="0" name="service.family" value="exim"/>
300
287
  <param pos="0" name="service.product" value="exim"/>
301
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
288
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
302
289
  <param pos="1" name="host.name"/>
303
290
  <param pos="2" name="service.version"/>
304
291
  <param pos="3" name="system.time"/>
305
292
  </fingerprint>
306
293
  <fingerprint pattern="^([^, ]+)(?:,)? ESMTP (?i:Exim) +(\d+) ((?:\w\w\w, \d+ \w\w\w \d\d\d\d [\d:]+ [-+]\d\d\d\d)?) *$">
307
- <description>Exim with digit only version string and optional timestamp</description>
294
+ <description>Exim - with digit only version string and optional timestamp</description>
308
295
  <example service.version="125302" host.name="foo.bar">foo.bar ESMTP Exim 125302 Thu, 16 Nov 2017 04:55:11 -0500 </example>
309
296
  <param pos="0" name="service.vendor" value="exim"/>
310
297
  <param pos="0" name="service.family" value="exim"/>
311
298
  <param pos="0" name="service.product" value="exim"/>
312
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
299
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
313
300
  <param pos="1" name="host.name"/>
314
301
  <param pos="2" name="service.version"/>
315
302
  <param pos="3" name="system.time"/>
316
303
  </fingerprint>
317
304
  <fingerprint pattern="^([^, ]+)(?:,)? ESMTP (?i:Exim) +(\d+\.[\d_.]+)(?: +#\d)? Ubuntu ((?:\w\w\w, \d+ \w\w\w \d\d\d\d [\d:]+ [-+]\d\d\d\d)?) *$">
318
- <description>Exim with version string and optional timestamp (Ubuntu)</description>
305
+ <description>Exim - with version string and optional timestamp (Ubuntu)</description>
319
306
  <example service.version="4.82" system.time="Thu, 16 Nov 2017 11:30:44 +0300">foo.bar ESMTP Exim 4.82 Ubuntu Thu, 16 Nov 2017 11:30:44 +0300 </example>
320
307
  <param pos="0" name="os.vendor" value="Ubuntu"/>
321
308
  <param pos="0" name="os.family" value="Linux"/>
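Review bot: The hostname group in the rewritten "variant 2" IIS pattern is spelled `(:?[^ ]+)?`, which looks like a transposed `(?:`; as written it is a capturing group with a redundant optional colon, since `[^ ]+` already accepts one. It has to stay capturing because `host.name` is bound to pos 1, so the fix is `^([^ ]+)? ?Microsoft ESMTP MAIL Service, Version: ...`; making it non-capturing would shift `service.version` and `system.time` onto the wrong groups. None of the three examples under this fingerprint asserts `host.name`, so the existing `foo Microsoft ESMTP MAIL Service ...` example should carry `host.name="foo"` to pin the capture. The new description also has a stray trailing space in `variant 2 </description>`.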
@@ -323,60 +310,57 @@ The system or service fingerprint with the highest certainty overwrites the othe
323
310
  <param pos="0" name="service.vendor" value="exim"/>
324
311
  <param pos="0" name="service.family" value="exim"/>
325
312
  <param pos="0" name="service.product" value="exim"/>
326
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
313
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
327
314
  <param pos="1" name="host.name"/>
328
315
  <param pos="2" name="service.version"/>
329
316
  <param pos="3" name="system.time"/>
330
317
  </fingerprint>
331
- <fingerprint pattern="^([^, ]+)(?:,)? ESMTP (?i:Exim) *((?:\w\w\w, \d+ \w\w\w \d\d\d\d [\d:]+ [-+]\d\d\d\d)?) *$">
332
- <description>Exim without version string and with optional timestamp</description>
318
+ <fingerprint pattern="^([^, ]+)(?:,)? ESMTP (?i:Exim)(?: +#\d)? *((?:\w\w\w, \d+ \w\w\w \d\d\d\d [\d:]+ [-+]\d\d\d\d)?) *$">
319
+ <description>Exim - without version string and with optional timestamp</description>
333
320
  <example host.name="foo.bar">foo.bar ESMTP Exim</example>
334
321
  <example host.name="foo.bar" system.time="Thu, 16 Nov 2017 01:11:30 -0800">foo.bar ESMTP Exim Thu, 16 Nov 2017 01:11:30 -0800 </example>
322
+ <example host.name="foo.bar" system.time="Thu, 30 Nov 2017 05:31:32 -0500">foo.bar ESMTP Exim #1 Thu, 30 Nov 2017 05:31:32 -0500 </example>
335
323
  <param pos="0" name="service.vendor" value="exim"/>
336
324
  <param pos="0" name="service.family" value="exim"/>
337
325
  <param pos="0" name="service.product" value="exim"/>
338
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
326
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
339
327
  <param pos="1" name="host.name"/>
340
328
  <param pos="2" name="system.time"/>
341
329
  </fingerprint>
342
330
  <fingerprint pattern="^ ?ESMTP (?i:Exim) (\d+\.[\d_.]+)(?: +#\d)? ?.?((?:\w\w\w, \d+ \w\w\w \d\d\d\d [\d:]+ [-+]\d\d\d\d)?) *$">
343
- <description>Exim without hostname</description>
331
+ <description>Exim - without hostname</description>
344
332
  <example service.version="4.82" system.time="Thu, 16 Nov 2017 12:19:22 +0300">ESMTP Exim 4.82 Thu, 16 Nov 2017 12:19:22 +0300 </example>
345
333
  <example service.version="4.82"> ESMTP Exim 4.82 Thu, 16 Nov 2017 11:41:41 +0300 </example>
346
334
  <example service.version="4.89"> ESMTP Exim 4.89 #1 Thu, 16 Nov 2017 07:32:28 -0200 </example>
347
335
  <param pos="0" name="service.vendor" value="exim"/>
348
336
  <param pos="0" name="service.family" value="exim"/>
349
337
  <param pos="0" name="service.product" value="exim"/>
350
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
338
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
351
339
  <param pos="1" name="service.version"/>
352
340
  <param pos="2" name="system.time"/>
353
341
  </fingerprint>
354
342
  <fingerprint pattern="^([^ ]+) FTGate server ready .*$">
355
- <description>
356
- FTGate mail server, runs on Windows 9x/NT/2k
357
- http://www.ftgate.com
358
- </description>
343
+ <description>FTGate mail server, runs on Windows 9x/NT/2k (http://www.ftgate.com)</description>
359
344
  <example host.name="foo.bar">foo.bar FTGate server ready -attitude [C.o.r.E]</example>
360
345
  <param pos="0" name="service.vendor" value="Floosietek"/>
361
346
  <param pos="0" name="service.family" value="FTGate"/>
362
347
  <param pos="0" name="service.product" value="FTGate"/>
363
348
  <param pos="1" name="host.name"/>
364
349
  </fingerprint>
365
- <fingerprint pattern="^(?:[^ ]+) +SMTP/smap Ready\.$">
366
- <description>
367
- TIS FWTK and derivatives
350
+ <fingerprint pattern="^([^ ]+) +SMTP/smap Ready\.$">
351
+ <description>TIS FWTK and derivatives
368
352
  http://www.tis.com/research/software/
369
353
  This fingerprint may be ambiguous because other firewalls (like
370
354
  Gauntlet) are derived from TIS
371
355
  </description>
356
+ <example host.name="foo.bar">foo.bar SMTP/smap Ready.</example>
372
357
  <param pos="0" name="service.vendor" value="TIS"/>
373
358
  <param pos="0" name="service.family" value="FWTK"/>
374
359
  <param pos="0" name="service.product" value="FWTK"/>
360
+ <param pos="1" name="host.name"/>
375
361
  </fingerprint>
376
362
  <fingerprint pattern="^([^ ]+) GroupWise Internet Agent ([^ ]+\.[^ ]+\.[^ ]+) Ready \(C\).* Novell, Inc\. *$">
377
- <description>
378
- Novell GroupWise Internet Agent versions 5 and higher
379
- </description>
363
+ <description>Novell GroupWise Internet Agent - versions 5 and higher</description>
380
364
  <example service.version="5.5.1">foo.bar GroupWise Internet Agent 5.5.1 Ready (C)1993, 1998 Novell, Inc.</example>
381
365
  <param pos="0" name="service.vendor" value="Novell"/>
382
366
  <param pos="0" name="service.family" value="GroupWise"/>
@@ -385,9 +369,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
385
369
  <param pos="2" name="service.version"/>
386
370
  </fingerprint>
387
371
  <fingerprint pattern="^([^ ]+) GroupWise Internet Agent (\d+\.[\d.]+) Copyright .*\d{4}-\d{4} Novell, Inc..* All rights reserved. Ready *$">
388
- <description>
389
- Novell GroupWise Internet Agent versions 5 and higher, second variant
390
- </description>
372
+ <description>Novell GroupWise Internet Agent - versions 5 and higher, second variant</description>
391
373
  <example service.version="8.0.3">foo.bar GroupWise Internet Agent 8.0.3 Copyright (c) 1993-2012 Novell, Inc. All rights reserved. Ready</example>
392
374
  <example service.version="14.2.1">foo.bar GroupWise Internet Agent 14.2.1 Copyright 1993-2016 Novell, Inc., a Micro Focus Company. All rights reserved. Ready</example>
393
375
  <param pos="0" name="service.vendor" value="Novell"/>
@@ -397,10 +379,8 @@ The system or service fingerprint with the highest certainty overwrites the othe
397
379
  <param pos="2" name="service.version"/>
398
380
  </fingerprint>
399
381
  <fingerprint pattern="^([^ ]+) GroupWise SMTP/MIME Daemon ([^ ]+\.[^ ]+) v([^ ]+) Ready \(C\).* Novell, Inc\. *$">
400
- <description>
401
- Novell GroupWise versions below 5
402
- example: 220 bates.at GroupWise SMTP/MIME Daemon 4.1 v3 Ready (C)1993, 1996 Novell, Inc.
403
- </description>
382
+ <description>Novell GroupWise - versions below 5</description>
383
+ <example host.name="foo.bar" service.version="4.1" service.version.version="3">foo.bar GroupWise SMTP/MIME Daemon 4.1 v3 Ready (C)1993, 1996 Novell, Inc.</example>
404
384
  <param pos="0" name="service.vendor" value="Novell"/>
405
385
  <param pos="0" name="service.family" value="GroupWise"/>
406
386
  <param pos="0" name="service.product" value="GroupWise"/>
@@ -408,35 +388,15 @@ The system or service fingerprint with the highest certainty overwrites the othe
408
388
  <param pos="2" name="service.version"/>
409
389
  <param pos="3" name="service.version.version"/>
410
390
  </fingerprint>
411
- <fingerprint pattern="^([^ ]+) running IBM VM SMTP (.+) on (.+) *$">
412
- <description>
413
- IBM SMTP server for VM/ESA on IBM S/390 and IBM eserver z/Series 900.
414
- http://www.vm.ibm.com
415
- http://www-1.ibm.com/servers/eserver/zseries/
416
- http://mitvma.mit.edu/system/vm.html
417
- example: 220 mail.foo.bar running IBM VM SMTP Level 3A0 on Mon, 10 Sep 2001 07:21:54 EDT
418
- example: 220 mail.foo.bar running IBM VM SMTP V2R4 on Mon, 10 Sep 2001 12:23:47 +0100
419
- </description>
391
+ <fingerprint pattern="^([^ ]+) (?:ESMTP )?running IBM VM SMTP (.+)(?:; | on )(.+) *$">
392
+ <description>IBM SMTP server for VM/ESA on IBM S/390 and IBM eserver z/Series 900.</description>
393
+ <example service.version="Level 640" system.time="Thu, 30 Nov 2017 01:08:59 PDT">foo.bar running IBM VM SMTP Level 640 on Thu, 30 Nov 2017 01:08:59 PDT</example>
394
+ <example service.version="Level 3A0">foo.bar running IBM VM SMTP Level 3A0 on Mon, 10 Sep 2001 07:21:54 EDT</example>
395
+ <example service.version="V2R4" system.time="Mon, 10 Sep 2001 07:24:35 -0400 (EDT)">foo.bar ESMTP running IBM VM SMTP V2R4; Mon, 10 Sep 2001 07:24:35 -0400 (EDT)</example>
420
396
  <param pos="0" name="service.vendor" value="IBM"/>
421
397
  <param pos="0" name="service.family" value="VM"/>
422
398
  <param pos="0" name="service.product" value="VM"/>
423
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
424
- <param pos="1" name="host.name"/>
425
- <param pos="2" name="service.version"/>
426
- <param pos="3" name="system.time"/>
427
- </fingerprint>
428
- <fingerprint pattern="^([^ ]+) running IBM VM SMTP (.+); (.+) *$">
429
- <description>
430
- IBM SMTP server for VM/ESA on IBM S/390 and IBM eserver z/Series 900.
431
- http://www.vm.ibm.com
432
- http://www-1.ibm.com/servers/eserver/zseries/
433
- http://mitvma.mit.edu/system/vm.html
434
- example: 220 mail.foo.bar ESMTP running IBM VM SMTP V2R4; Mon, 10 Sep 2001 07:24:35 -0400 (EDT)
435
- </description>
436
- <param pos="0" name="service.vendor" value="IBM"/>
437
- <param pos="0" name="service.family" value="VM"/>
438
- <param pos="0" name="service.product" value="VM"/>
439
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
399
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
440
400
  <param pos="1" name="host.name"/>
441
401
  <param pos="2" name="service.version"/>
442
402
  <param pos="3" name="system.time"/>
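Review bot: The merged IBM VM fingerprint declares `system.time.format` as `EEE, d MMM yyyy HH:mm:ss Z`, but the examples added in the same hunk carry a named zone (`01:08:59 PDT`) and an offset followed by a parenthesised name (`-0400 (EDT)`). Assuming these are SimpleDateFormat-style letters, `Z` describes a numeric offset only, so a consumer that parses `system.time` strictly by this format may reject or mis-read both values. Either keep a zone-name format for this fingerprint or narrow the third capture group to the part the format covers. The `Level 3A0` example does not assert `system.time` at all, so adding `system.time="Mon, 10 Sep 2001 07:21:54 EDT"` there would at least pin what is captured.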
@@ -453,57 +413,60 @@ The system or service fingerprint with the highest certainty overwrites the othe
453
413
  <param pos="0" name="service.product" value="IntraStore"/>
454
414
  <param pos="1" name="host.name"/>
455
415
  </fingerprint>
456
- <fingerprint pattern="^(\S+) E?SMTP Server \(JAMES E?SMTP Server ([\d\.]+)\) ready (\S{3}, \d{2} \S{3} \d{4} \d{2}:\d{2}:\d{2} \S+) \(\S+\)$">
416
+ <fingerprint pattern="^(\S+) E?SMTP Server \(JAMES E?SMTP Server ([\d\.]+)\) ready (\w\w\w, \d+ \w\w\w \d\d\d\d [\d:]+ [-+]\d\d\d\d) \(.+\)$">
457
417
  <description>JAMES SMTP Server</description>
458
- <example host.name="example.com" service.version="2.3.2">example.com SMTP Server (JAMES SMTP Server 2.3.2) ready Tue, 19 May 2015 00:36:13 +0200 (CEST)</example>
418
+ <example host.name="foo.bar" service.version="2.3.2">foo.bar SMTP Server (JAMES SMTP Server 2.3.2) ready Tue, 19 May 2015 00:36:13 +0200 (CEST)</example>
459
419
  <param pos="0" name="service.vendor" value="Apache"/>
460
420
  <param pos="0" name="service.product" value="James"/>
461
421
  <param pos="2" name="service.version"/>
462
422
  <param pos="1" name="host.name"/>
463
423
  <param pos="3" name="system.time"/>
464
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
424
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
465
425
  </fingerprint>
466
- <fingerprint pattern="^([^ ]+) \(Mail-Max Version (\d+\.\d+\.\d+\.\d+), (.+, .+)\) ESMTP Mail Server Ready. *$">
467
- <description>
468
- Mail Max (4 version numbers)
469
- example: 220 MAIL3 (Mail-Max Version 4.2.4.7, Wed, 31 Jan 2001 03:44:35 +0100 WST) ESMTP Mail Server Ready.
470
- </description>
471
- <param pos="0" name="service.vendor" value="Mail-Max"/>
472
- <param pos="0" name="service.family" value="Mail-Max"/>
473
- <param pos="0" name="service.product" value="Mail-Max"/>
474
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
426
+ <fingerprint pattern="^(?:(\S+) +)?ESMTP MailEnable Service, Version: ([\d.]+)$">
427
+ <description>MailEnable - Simple</description>
428
+ <example service.version="9.53">ESMTP MailEnable Service, Version: 9.53</example>
429
+ <param pos="0" name="os.vendor" value="Microsoft"/>
430
+ <param pos="0" name="os.family" value="Windows"/>
431
+ <param pos="0" name="os.product" value="Windows"/>
432
+ <param pos="0" name="service.vendor" value="MailEnable"/>
433
+ <param pos="0" name="service.family" value="Mail Server"/>
434
+ <param pos="0" name="service.product" value="Mail Server"/>
475
435
  <param pos="1" name="host.name"/>
476
436
  <param pos="2" name="service.version"/>
477
- <param pos="3" name="system.time"/>
478
437
  </fingerprint>
479
- <fingerprint pattern="^(\S+) E?SMTP MailEnable Service, Version: ([\d\.]+)-- ready at (\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})$">
480
- <description>Simple MailEnable</description>
481
- <example host.name="example.com">example.com ESMTP MailEnable Service, Version: 1.8-- ready at 05/20/15 08:50:22</example>
438
+ <!-- MailEnable has an odd, three version string. Not sure about the meaning the second and third version #s. -->
439
+ <fingerprint pattern="^(?:(\S+) +)?ESMTP MailEnable Service, Version: (?:([\d.]+))?-[\d.]*-[\d.]* (?:ready|denied access) at (\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})$">
440
+ <description>MailEnable - Complex</description>
441
+ <example host.name="foo.bar" service.version="1.8">foo.bar ESMTP MailEnable Service, Version: 1.8-- ready at 05/20/15 08:50:22</example>
442
+ <example host.name="foo.bar" service.version="9.53">foo.bar ESMTP MailEnable Service, Version: 9.53-9.53- ready at 11/30/17 00:57:37</example>
443
+ <example host.name="foo.bar" service.version="9.00" system.time="11/30/17 09:30:34">foo.bar ESMTP MailEnable Service, Version: 9.00--9.00 ready at 11/30/17 09:30:34</example>
444
+ <example host.name="foo.bar" service.version="1.986" system.time="04/05/18 16:15:25">foo.bar ESMTP MailEnable Service, Version: 1.986-- denied access at 04/05/18 16:15:25</example>
445
+ <param pos="0" name="os.vendor" value="Microsoft"/>
446
+ <param pos="0" name="os.family" value="Windows"/>
447
+ <param pos="0" name="os.product" value="Windows"/>
482
448
  <param pos="0" name="service.vendor" value="MailEnable"/>
483
- <param pos="0" name="service.family" value="MailEnable"/>
484
- <param pos="0" name="service.product" value="MailEnable"/>
449
+ <param pos="0" name="service.family" value="Mail Server"/>
450
+ <param pos="0" name="service.product" value="Mail Server"/>
485
451
  <param pos="0" name="system.time.format" value="MM/dd/yy HH:mm:ss"/>
486
452
  <param pos="1" name="host.name"/>
487
453
  <param pos="2" name="service.version"/>
488
454
  <param pos="3" name="system.time"/>
489
455
  </fingerprint>
490
- <fingerprint pattern="^([^ ]+) \(Mail-Max Version (\d+\.\d+), (.+, .+)\) ESMTP Mail Server Ready. *$">
491
- <description>
492
- Mail Max (2 version numbers)
493
- example: 220 WEBB (Mail-Max Version 3.065, Wed, 31 Jan 2001 03:46:11 +0100 WST) ESMTP Mail Server Ready.
494
- </description>
456
+ <fingerprint pattern="^([^ ]+) \(Mail-Max Version (\d+\.[\d\.]+), (.+, .+)\) ESMTP Mail Server Ready. *$">
457
+ <description>Mail Max</description>
458
+ <example host.name="foo.bar" service.version="4.2.4.7">foo.bar (Mail-Max Version 4.2.4.7, Wed, 31 Jan 2001 03:44:35 +0100 WST) ESMTP Mail Server Ready.</example>
459
+ <example host.name="foo.bar" service.version="3.073">foo.bar (Mail-Max Version 3.073, Thu, 30 Nov 2017 17:24:59 +0800 ) ESMTP Mail Server Ready.</example>
495
460
  <param pos="0" name="service.vendor" value="Mail-Max"/>
496
461
  <param pos="0" name="service.family" value="Mail-Max"/>
497
462
  <param pos="0" name="service.product" value="Mail-Max"/>
498
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
463
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
499
464
  <param pos="1" name="host.name"/>
500
465
  <param pos="2" name="service.version"/>
501
466
  <param pos="3" name="system.time"/>
502
467
  </fingerprint>
503
468
  <fingerprint pattern="^([^ ]+) +MailSite E?SMTP Receiver Version (\d+\.[\d.]+) Ready *$">
504
- <description>
505
- Rockliffe MailSite with version (http://www.rockliffe.com)
506
- </description>
469
+ <description>Rockliffe MailSite - with version (http://www.rockliffe.com)</description>
507
470
  <example host.name="foo.bar" service.version="3.4.6.0">foo.bar MailSite ESMTP Receiver Version 3.4.6.0 Ready</example>
508
471
  <example host.name="foo.bar" service.version="2.1.7">foo.bar MailSite SMTP Receiver Version 2.1.7 Ready</example>
509
472
  <param pos="0" name="service.vendor" value="Rockliffe"/>
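Review bot: In the Mail-Max fingerprint the new `system.time.format` value `EEE, d MMM yyyy HH:mm:ss Z` does not describe what capture 3 holds: `(.+, .+)` runs up to the closing parenthesis, so the two examples yield a timestamp followed by ` WST` in one case and by a trailing space in the other. Narrowing the capture the way the JAMES pattern earlier in this hunk does would fix that, for instance by ending the pattern with `(\w\w\w, \d+ \w\w\w \d\d\d\d [\d:]+ [-+]\d\d\d\d)[^)]*\) ESMTP Mail Server Ready. *$`. Neither Mail-Max example carries a `system.time` attribute, so the mismatch is not exercised by the examples; adding `system.time="Wed, 31 Jan 2001 03:44:35 +0100"` to the first one would pin it. The same missing attribute applies to the JAMES example in this hunk and to the MDaemon, Merak, MERCUR and NAVIEG examples in later hunks, where the format string changes as well.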
@@ -513,9 +476,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
513
476
  <param pos="2" name="service.version"/>
514
477
  </fingerprint>
515
478
  <fingerprint pattern="^([^ ]+) +MailSite E?SMTP Receiver Ready *$">
516
- <description>
517
- Rockliffe MailSite without version (http://www.rockliffe.com)
518
- </description>
479
+ <description>Rockliffe MailSite - without version (http://www.rockliffe.com)</description>
519
480
  <example host.name="foo.bar">foo.bar MailSite SMTP Receiver Ready</example>
520
481
  <param pos="0" name="service.vendor" value="Rockliffe"/>
521
482
  <param pos="0" name="service.family" value="MailSite"/>
@@ -523,9 +484,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
523
484
  <param pos="1" name="host.name"/>
524
485
  </fingerprint>
525
486
  <fingerprint pattern="^ ?MailSite E?SMTP Receiver Version (\d+\.[\d.]+) Ready *$">
526
- <description>
527
- Rockliffe MailSite without hostname(http://www.rockliffe.com)
528
- </description>
487
+ <description>Rockliffe MailSite - without hostname (http://www.rockliffe.com)</description>
529
488
  <example service.version="10.2.0.0"> MailSite ESMTP Receiver Version 10.2.0.0 Ready</example>
530
489
  <param pos="0" name="service.vendor" value="Rockliffe"/>
531
490
  <param pos="0" name="service.family" value="MailSite"/>
@@ -533,10 +492,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
533
492
  <param pos="1" name="service.version"/>
534
493
  </fingerprint>
535
494
  <fingerprint pattern="^([^ ]+) +MAILsweeper ESMTP Receiver Version (\d\.[\d.]+) Ready *$">
536
- <description>
537
- Content Security MAILsweeper for SMTP http://www.contenttechnologies.com/products/msw4smtp/default.asp
538
- example: 220 infotech.at MAILsweeper ESMTP Receiver Version 4.2.1.0 Ready
539
- </description>
495
+ <description>Content Security MAILsweeper for SMTP (http://www.contenttechnologies.com/products/msw4smtp/default.asp)</description>
540
496
  <example service.version="4.2.1.0">foo.bar MAILsweeper ESMTP Receiver Version 4.2.1.0 Ready</example>
541
497
  <param pos="0" name="service.vendor" value="Clearswift"/>
542
498
  <param pos="0" name="service.family" value="MAILsweeper"/>
@@ -545,12 +501,12 @@ The system or service fingerprint with the highest certainty overwrites the othe
545
501
  <param pos="2" name="service.version"/>
546
502
  </fingerprint>
547
503
  <fingerprint pattern="^([^ ]+) +ESMTP MDaemon ([^ ]+\.[^ ]+\.[^ ]+) UNREGISTERED; *(.+) *$">
548
- <description>MDaemon mail server, with timestamp, unregistered</description>
504
+ <description>MDaemon mail server - with timestamp, unregistered</description>
549
505
  <example service.version="4.0.5">foo.bar ESMTP MDaemon 4.0.5 UNREGISTERED; Sat, 06 Oct 2001 09:10:56 +0400</example>
550
506
  <param pos="0" name="service.vendor" value="Alt-N"/>
551
507
  <param pos="0" name="service.family" value="MDaemon"/>
552
508
  <param pos="0" name="service.product" value="MDaemon"/>
553
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
509
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
554
510
  <param pos="0" name="mdaemon.unregistered" value="yes"/>
555
511
  <param pos="0" name="os.vendor" value="Microsoft"/>
556
512
  <param pos="0" name="os.family" value="Windows"/>
@@ -562,12 +518,12 @@ The system or service fingerprint with the highest certainty overwrites the othe
562
518
  <param pos="3" name="system.time"/>
563
519
  </fingerprint>
564
520
  <fingerprint pattern="^([^ ]+) +ESMTP MDaemon ([^ ]+\.[^ ]+\.[^ ]+); *(.+) *$">
565
- <description>MDaemon mail server, with timestamp</description>
521
+ <description>MDaemon mail server - with timestamp</description>
566
522
  <example service.version="4.0.2">foo.bar ESMTP MDaemon 4.0.2; Sat, 06 Oct 2001 01:46:44 -0500</example>
567
523
  <param pos="0" name="service.vendor" value="Alt-N"/>
568
524
  <param pos="0" name="service.family" value="MDaemon"/>
569
525
  <param pos="0" name="service.product" value="MDaemon"/>
570
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
526
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
571
527
  <param pos="0" name="os.vendor" value="Microsoft"/>
572
528
  <param pos="0" name="os.family" value="Windows"/>
573
529
  <param pos="0" name="os.device" value="General"/>
@@ -578,7 +534,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
578
534
  <param pos="3" name="system.time"/>
579
535
  </fingerprint>
580
536
  <fingerprint pattern="^([^ ]+) +ESMTP MDaemon ([^ ]+\.[^ ]+\.[^ ]+) ready *$">
581
- <description>MDaemon mail server, without timestamp</description>
537
+ <description>MDaemon mail server - without timestamp</description>
582
538
  <example service.version="3.5.7">foo.bar ESMTP MDaemon 3.5.7 ready</example>
583
539
  <param pos="0" name="service.vendor" value="Alt-N"/>
584
540
  <param pos="0" name="service.family" value="MDaemon"/>
@@ -592,9 +548,10 @@ The system or service fingerprint with the highest certainty overwrites the othe
592
548
  <param pos="2" name="service.version"/>
593
549
  </fingerprint>
594
550
  <fingerprint pattern="^([^ ]+) +ESMTP service ready \[[0-9]+\] (?:using )?MDaemon v(\d+\.[\d.]+) ([^ ]+) *$">
595
- <description>MDaemon mail server, with version revision</description>
551
+ <description>MDaemon mail server - with version revision</description>
596
552
  <example service.version="2.84" service.version.version="R">foo.bar ESMTP service ready [1] MDaemon v2.84 R</example>
597
553
  <example service.version="3.0.3" service.version.version="R">foo.bar ESMTP service ready [1] using MDaemon v3.0.3 R</example>
554
+ <example service.version="2.8.7.0" service.version.version="R">foo.bar ESMTP service ready [1] MDaemon v2.8.7.0 R</example>
598
555
  <param pos="0" name="service.vendor" value="Alt-N"/>
599
556
  <param pos="0" name="service.family" value="MDaemon"/>
600
557
  <param pos="0" name="service.product" value="MDaemon"/>
@@ -607,49 +564,10 @@ The system or service fingerprint with the highest certainty overwrites the othe
607
564
  <param pos="2" name="service.version"/>
608
565
  <param pos="3" name="service.version.version"/>
609
566
  </fingerprint>
610
- <fingerprint pattern="^([^ ]+) +ESMTP service ready \[[0-9]+\] MDaemon v([^ ]+\.[^ ]+) ([^ ]+) ([^ ]+) *$">
611
- <description>
612
- MDaemon mail server
613
- 220 foo.bar.com ESMTP service ready [1] MDaemon v2.7 SP5 R
614
- </description>
615
- <param pos="0" name="service.vendor" value="Alt-N"/>
616
- <param pos="0" name="service.family" value="MDaemon"/>
617
- <param pos="0" name="service.product" value="MDaemon"/>
618
- <param pos="0" name="os.vendor" value="Microsoft"/>
619
- <param pos="0" name="os.family" value="Windows"/>
620
- <param pos="0" name="os.device" value="General"/>
621
- <param pos="0" name="os.product" value="Windows"/>
622
- <param pos="0" name="os.arch" value="x86"/>
623
- <param pos="1" name="host.name"/>
624
- <param pos="2" name="service.version"/>
625
- <param pos="3" name="service.version.version"/>
626
- <param pos="4" name="service.version.version.version"/>
627
- </fingerprint>
628
- <fingerprint pattern="^([^ ]+) +ESMTP service ready \[[0-9]+\] MDaemon v([^ ]+)\.([^ ]+)\.([^ ]+)\.([^ ]+) ([^ ]+) *$">
629
- <description>
630
- MDaemon mail server
631
- 220 foo.bar.com ESMTP service ready [1] MDaemon v2.8.7.0 R
632
- </description>
633
- <param pos="0" name="service.vendor" value="Alt-N"/>
634
- <param pos="0" name="service.family" value="MDaemon"/>
635
- <param pos="0" name="service.product" value="MDaemon"/>
636
- <param pos="0" name="os.vendor" value="Microsoft"/>
637
- <param pos="0" name="os.family" value="Windows"/>
638
- <param pos="0" name="os.device" value="General"/>
639
- <param pos="0" name="os.product" value="Windows"/>
640
- <param pos="0" name="os.arch" value="x86"/>
641
- <param pos="1" name="host.name"/>
642
- <param pos="2" name="service.version"/>
643
- <param pos="3" name="service.version.version"/>
644
- <param pos="4" name="service.version.version.version"/>
645
- <param pos="5" name="service.version.version.version.version"/>
646
- <param pos="6" name="service.version.version.version.version.version"/>
647
- </fingerprint>
648
- <fingerprint pattern="^([^ ]+) +ESMTP service ready \[[0-9]+\] \(MDaemon v([^ ]+\.[^ ]+) ([^ ]+) ([^ ]+)\) *$">
649
- <description>
650
- MDaemon mail server
651
- 220 foo.bar.com ESMTP service ready [2] (MDaemon v2.7 SP4 R)
652
- </description>
567
+ <fingerprint pattern="^([^ ]+) +ESMTP service ready \[[0-9]+\] (?:\()?MDaemon v([\d.]+) ([^ ]+) ([^ )]+)(?:\))? *$">
568
+ <description>MDaemon mail server - with service pack</description>
569
+ <example service.version="2.7" service.version.version="SP5" service.version.version.version="R">foo.bar ESMTP service ready [1] MDaemon v2.7 SP5 R</example>
570
+ <example service.version="2.7" service.version.version="SP4" service.version.version.version="R">foo.bar ESMTP service ready [1] (MDaemon v2.7 SP4 R)</example>
653
571
  <param pos="0" name="service.vendor" value="Alt-N"/>
654
572
  <param pos="0" name="service.family" value="MDaemon"/>
655
573
  <param pos="0" name="service.product" value="MDaemon"/>
@@ -664,10 +582,8 @@ The system or service fingerprint with the highest certainty overwrites the othe
664
582
  <param pos="4" name="service.version.version.version"/>
665
583
  </fingerprint>
666
584
  <fingerprint pattern="^([^ ]+) +ESMTP service ready \[[0-9]+\] \(MDaemon v([^ ]+\.[^ ]+) ([^ ]+) ([^ ]+) ([^ ]+)\) *$">
667
- <description>
668
- MDaemon mail server
669
- 220 foo.bar.com ESMTP service ready [1] (MDaemon v2.5 rB b1 32-T)
670
- </description>
585
+ <description>MDaemon mail server</description>
586
+ <example service.version="2.5" service.version.version.version="b1">foo.bar ESMTP service ready [1] (MDaemon v2.5 rB b1 32-T)</example>
671
587
  <param pos="0" name="service.vendor" value="Alt-N"/>
672
588
  <param pos="0" name="service.family" value="MDaemon"/>
673
589
  <param pos="0" name="service.product" value="MDaemon"/>
@@ -683,42 +599,26 @@ The system or service fingerprint with the highest certainty overwrites the othe
683
599
  <param pos="5" name="service.version.version.version.version"/>
684
600
  </fingerprint>
685
601
  <!-- example: 220 mail.db-list.com ESMTP MERAK 3.00.140; Tue, 24 Jul 2001 21:30:47 -0700 -->
686
- <fingerprint pattern="^([^ ]+) +ESMTP MERAK ([^ ]+\.[^ ]+\.[^ ]+); *(.+) *$">
687
- <description>
688
- Merak mail server http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x)
689
- 220 mail.db-list.com ESMTP MERAK 3.00.140; Tue, 24 Jul 2001 21:30:47 -0700
690
- </description>
602
+ <fingerprint pattern="^([^ ]+) +E?SMTP (?i:MERAK) ([^ ]+\.[^ ]+\.[^ ]+); *(.+) *$">
603
+ <description>Merak mail server - http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x)</description>
604
+ <example host.name="foo.bar" service.version="8.0.3">foo.bar SMTP Merak 8.0.3; Thu, 30 Nov 2017 20:01:41 +1000</example>
605
+ <example host.name="foo.bar" service.version="8.0.3">foo.bar ESMTP Merak 8.0.3; Thu, 30 Nov 2017 12:08:09 +0200</example>
606
+ <example host.name="foo.bar" service.version="2.10.284">foo.bar ESMTP MERAK 2.10.284; Thu, 30 Nov 2017 17:55:10 +0800</example>
691
607
  <param pos="0" name="service.vendor" value="Merak"/>
692
608
  <param pos="0" name="service.family" value="Mail Server"/>
693
609
  <param pos="0" name="service.product" value="Mail Server"/>
694
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
610
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
695
611
  <param pos="1" name="host.name"/>
696
612
  <param pos="2" name="service.version"/>
697
613
  <param pos="3" name="system.time"/>
698
614
  </fingerprint>
699
615
  <fingerprint pattern="^MERCUR SMTP-Server \(v([^ ]+\.[^ ])0\.([^ ]+) ([^ ]+)\) for (.+) ready at (.+) *$">
700
- <description>
701
- Atrium's MERCUR SMTP server
702
- http://www.atrium-software.com/pub/support_e.cfm
703
- example: 220 MERCUR SMTP-Server (v3.20.01 KA-0098304) for Windows NT ready at Tue, 6 Feb 2001 21:38:26 +0100
704
- example: 220 MERCUR SMTP-Server (v3.20.01 KA-0098304) for Windows NT ready at Tue, 6 Feb 2001 21:38:26 +0100
705
- example: 220 MERCUR SMTP-Server (v3.10.18 KA-0098307) for Windows NT ready at Tue, 6 Feb 2001 18:44:03 +0100
706
- example: 220 MERCUR SMTP-Server (v3.10.18 KA-0098316) for Windows NT ready at Tue, 6 Feb 2001 15:01:51 +0100
707
- example: 220 MERCUR SMTP-Server (v3.30.03 KA-0098319) for Windows NT ready at Tue, 6 Feb 2001 19:06:18 +0100
708
- example: 220 MERCUR SMTP-Server (v3.30.03 KA-5341199) for Windows NT ready at Tue, 6 Feb 2001 18:47:09 +0100
709
- example: 220 MERCUR SMTP-Server (v3.20.01 AS-0098307) for Windows NT ready at Tue, 6 Feb 2001 15:13:14 +0100
710
- example: 220 MERCUR SMTP-Server (v3.20.01 AS-0098309) for Windows NT ready at Tue, 6 Feb 2001 16:11:42 +0100
711
- example: 220 MERCUR SMTP-Server (v3.10.16 AS-7962628) for Windows 95 ready at Tue, 6 Feb 2001 16:37:38 +0100
712
- example: 220 MERCUR SMTP-Server (v3.10.18 AS-5341186) for Windows NT ready at Tue, 6 Feb 2001 19:27:24 +0100
713
- example: 220 MERCUR SMTP-Server (v3.30.03 CO-0098319) for Windows NT ready at Tue, 6 Feb 2001 20:45:01 +0100
714
- example: 220 MERCUR SMTP-Server (v3.30.01 NR-7864330) for Windows NT ready at Tue, 6 Feb 2001 21:31:18 +0100
715
- example: 220 MERCUR SMTP-Server (v3.30.03 DG-0098304) for Windows NT ready at Tue, 6 Feb 2001 22:52:50 +0100
716
- example: 220 MERCUR SMTP-Server (v3.20.01 SY-0098318) for Windows NT ready at Tue, 6 Feb 2001 23:26:22 +0100
717
- </description>
616
+ <description>Atrium's MERCUR SMTP server (http://www.atrium-software.com/pub/support_e.cfm)</description>
617
+ <example service.version="3.3" service.version.version="09" service.version.version.version="SA-0000005" mercur.os.info="Windows NT">MERCUR SMTP-Server (v3.30.09 SA-0000005) for Windows NT ready at Thu, 30 Nov 2017 10:01:06 +0100</example>
718
618
  <param pos="0" name="service.vendor" value="Atrium Software"/>
719
619
  <param pos="0" name="service.family" value="MERCUR"/>
720
620
  <param pos="0" name="service.product" value="MERCUR"/>
721
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
621
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
722
622
  <param pos="1" name="service.version"/>
723
623
  <param pos="2" name="service.version.version"/>
724
624
  <param pos="3" name="service.version.version.version"/>
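Review bot: The new MERCUR example pins `service.version="3.3"` for a banner that announces `v3.30.09`, because the unchanged pattern captures `([^ ]+\.[^ ])` and then consumes a literal `0`. A consumer comparing the reported version with the vendor's own numbering would see 3.3 rather than 3.30, and a banner whose second component does not end in 0 would presumably not match at all. Capturing the whole component, `\(v(\d+\.\d+)\.([^ ]+) ([^ ]+)\)`, with the example changed to `service.version="3.30"`, keeps the version as the server states it. The fingerprint's remaining params and closing tag lie outside this hunk.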
@@ -726,9 +626,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
726
626
  <param pos="5" name="system.time"/>
727
627
  </fingerprint>
728
628
  <fingerprint pattern="^([^ ]+) Mercury ([^ ]+\.[^ ]+) ESMTP server ready.$">
729
- <description>
730
- Mercury NLM for Netware ( http://www.pmail.com/index.cfm )
731
- </description>
629
+ <description>Mercury NLM for Netware ( http://www.pmail.com/index.cfm )</description>
732
630
  <example service.version="1.43">foo.bar Mercury 1.43 ESMTP server ready.</example>
733
631
  <param pos="0" name="service.family" value="Mercury Mail Transport System"/>
734
632
  <param pos="0" name="service.product" value="Mercury Mail Transport System"/>
@@ -740,9 +638,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
740
638
  <param pos="2" name="service.version"/>
741
639
  </fingerprint>
742
640
  <fingerprint pattern="^^([^ ]+) Mercury\/32 v([^ ]+\.[^ ]+) (?:SMTP\/)?ESMTP server ready.?$">
743
- <description>
744
- Mercury/32 for Win9x/NT/2000 ( http://www.pmail.com/index.cfm )
745
- </description>
641
+ <description>Mercury/32 for Win9x/NT/2000 ( http://www.pmail.com/index.cfm )</description>
746
642
  <example service.version="3.01a">foo.bar Mercury/32 v3.01a SMTP/ESMTP server ready.</example>
747
643
  <example service.version="3.30">foo.bar Mercury/32 v3.30 ESMTP server ready.</example>
748
644
  <param pos="0" name="service.family" value="Mercury Mail Transport System"/>
@@ -755,25 +651,19 @@ The system or service fingerprint with the highest certainty overwrites the othe
755
651
  <param pos="2" name="service.version"/>
756
652
  </fingerprint>
757
653
  <fingerprint pattern="^([^ ]+) SMTP NAVIEG ([^ ]+\.[^ ]+\.[^ ]+); (.+)* http.*$">
758
- <description>
759
- Norton Antivirus for Internet Email Gateways
760
- (note the product changed its name from "Norton Antivirus for Internet Email Gateways" (NAVIEG) to
761
- "Norton Antivirus for Gateways" (NAVGW) as of version 2.1
762
- example: mailman.laughlin.af.mil SMTP NAVIEG 2.0.1; Sun, 29 Jul 2001 22:02:16 -0500 http://www.symantec.com
763
- </description>
654
+ <description>Norton Antivirus for Internet Email Gateways (becomes NAVGW in 2.1)</description>
655
+ <example host.name="foo.bar" service.version="2.0.1">foo.bar SMTP NAVIEG 2.0.1; Sun, 29 Jul 2001 22:02:16 -0500 http://www.symantec.com</example>
764
656
  <param pos="0" name="service.vendor" value="Norton"/>
765
657
  <param pos="0" name="service.family" value="Antivirus for Gateways"/>
766
658
  <param pos="0" name="service.product" value="Antivirus for Gateways"/>
767
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
659
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
768
660
  <param pos="1" name="host.name"/>
769
661
  <param pos="2" name="service.version"/>
770
662
  <param pos="3" name="system.time"/>
771
663
  </fingerprint>
772
664
  <fingerprint pattern="^([^ ]+) ESMTP service \(Netscape Messaging Server ([^ ]+\.[^ ]+) Patch ([^ ]+).*$">
773
- <description>
774
- Netscape Messaging Server
775
- example: 220 mail.iasmail.net ESMTP service (Netscape Messaging Server 4.15 Patch 2 (built May 30 2000))
776
- </description>
665
+ <description>Netscape Messaging Server - with patch number</description>
666
+ <example host.name="foo.bar" service.version="4.15" service.version.version="7">foo.bar ESMTP service (Netscape Messaging Server 4.15 Patch 7 (built Sep 12 2001))</example>
777
667
  <param pos="0" name="service.vendor" value="Netscape"/>
778
668
  <param pos="0" name="service.family" value="Messaging Server"/>
779
669
  <param pos="0" name="service.product" value="Messaging Server"/>
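Review bot: The NAVIEG fingerprint edited here keeps `(.+)*` in its pattern, a quantified group around an already-greedy `.+`, and the pattern is matched against banner text supplied by the remote host. In a backtracking regex engine that shape can take time that grows very quickly with banner length when the rest of the pattern fails to match, so matching cost ends up depending on input the scanner does not control. A single capture, `; (.+) http.*$`, still satisfies the new example and records the same timestamp. The pattern line itself is unchanged context in this commit, so this is a follow-up rather than a regression.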
@@ -781,75 +671,64 @@ The system or service fingerprint with the highest certainty overwrites the othe
781
671
  <param pos="2" name="service.version"/>
782
672
  <param pos="3" name="service.version.version"/>
783
673
  </fingerprint>
784
- <fingerprint pattern="^([^ ]+) ESMTP service \(Netscape Messaging Server ([^ ]+\.[^ ]+)\) ready (.+)$">
785
- <description>
786
- Netscape Messaging Server
787
- </description>
674
+ <fingerprint pattern="^([^ ]+) ESMTP server \(Netscape Messaging Server - Version ([\d.]+)\) ready (\w\w\w, \d+ \w\w\w \d\d\d\d [\d:]+ [-+]\d\d\d\d) *$">
675
+ <description>Netscape Messaging Server - w/o patch number</description>
676
+ <example host.name="foo.bar" service.version="3.6" system.time="Thu, 30 Nov 2017 04:19:10 -0500">foo.bar ESMTP server (Netscape Messaging Server - Version 3.6) ready Thu, 30 Nov 2017 04:19:10 -0500</example>
788
677
  <param pos="0" name="service.vendor" value="Netscape"/>
789
678
  <param pos="0" name="service.family" value="Messaging Server"/>
790
679
  <param pos="0" name="service.product" value="Messaging Server"/>
791
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
680
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
792
681
  <param pos="1" name="host.name"/>
793
682
  <param pos="2" name="service.version"/>
794
683
  <param pos="3" name="system.time"/>
795
684
  </fingerprint>
796
685
  <fingerprint pattern="^([^ ]+) Lotus SMTP MTA Service Ready *$">
797
- <description>
798
- Lotus Notes 4 SMTP MTA
799
- </description>
686
+ <description>Lotus Notes 4 SMTP MTA</description>
687
+ <example host.name="foo.bar">foo.bar Lotus SMTP MTA Service Ready</example>
800
688
  <param pos="0" name="service.vendor" value="Lotus"/>
801
689
  <param pos="0" name="service.family" value="Lotus Domino"/>
802
690
  <param pos="0" name="service.product" value="Lotus Domino"/>
803
691
  <param pos="0" name="service.version" value="4"/>
804
692
  <param pos="1" name="host.name"/>
805
693
  </fingerprint>
806
- <fingerprint pattern="^([^ ]+) ESMTP Service \(Lotus Domino Release (\d+\.\d+\.\w+)\) ready at (.+) *$">
694
+ <!-- Branding is muddy here, IBM bought Lotus in 1995, server product wasn't
695
+ named Domino until Dec 1996 w/ v 4.5. Seems to have started being
696
+ called IBM Domino as of v9.0 on product and in banners.
697
+ -->
698
+ <fingerprint pattern="^ ?(?:([^ ]+))? *ESMTP Service \(Lotus Domino Release (\d+\.[\w.]+(?: FP\d+)?(?: HF\d+)?)(?: \(Intl\))?\) ready at (.+) *$">
807
699
  <description>Lotus Domino SMTP MTA</description>
808
- <example service.version="5.0.8">foo.bar ESMTP Service (Lotus Domino Release 5.0.8) ready at Thu, 16 Nov 2017 18:14:12 +0900</example>
809
- <example service.version="5.0.13a">foo.bar ESMTP Service (Lotus Domino Release 5.0.13a) ready at Thu, 16 Nov 2017 17:47:42 +0800</example>
810
- <example service.version="7.0.4">foo.bar ESMTP Service (Lotus Domino Release 7.0.4) ready at Thu, 16 Nov 2017 18:28:36 +0900</example>
700
+ <example service.version="8.5">foo.bar ESMTP Service (Lotus Domino Release 8.5) ready at Thu, 30 Nov 2017 17:01:45 +0800</example>
701
+ <example service.version="8.5.3FP6 HF1944">foo.bar ESMTP Service (Lotus Domino Release 8.5.3FP6 HF1944) ready at Thu, 30 Nov 2017 17:17:43 +0800</example>
702
+ <example service.version="8.0.2 FP1 HF82">foo.bar ESMTP Service (Lotus Domino Release 8.0.2 FP1 HF82) ready at Thu, 5 Apr 2018 22:03:28 +0200</example>
703
+ <example service.version="5.0.13a"> foo.bar ESMTP Service (Lotus Domino Release 5.0.13a) ready at Thu, 16 Nov 2017 17:47:42 +0800</example>
704
+ <example service.version="7.0.4">foo.bar ESMTP Service (Lotus Domino Release 7.0.4) ready at Thu, 16 Nov 2017 18:28:36 +0900</example>
811
705
  <example service.version="8.0.2FP2">foo.bar ESMTP Service (Lotus Domino Release 8.0.2FP2) ready at Thu, 16 Nov 2017 02:17:33 -0700</example>
812
706
  <example service.version="8.5.3">foo.bar ESMTP Service (Lotus Domino Release 8.5.3) ready at Thu, 16 Nov 2017 17:52:21 +0800</example>
813
- <param pos="0" name="service.vendor" value="Lotus"/>
814
- <param pos="0" name="service.family" value="Lotus Domino"/>
815
- <param pos="0" name="service.product" value="Lotus Domino"/>
816
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
817
- <param pos="1" name="host.name"/>
818
- <param pos="2" name="service.version"/>
819
- <param pos="3" name="system.time"/>
820
- </fingerprint>
821
- <fingerprint pattern="^([^ ]+) ESMTP Service \(Lotus Domino Release (\d+\.\w+)\) ready at (.+) *$">
822
- <description>
823
- Lotus Domino 5 SMTP MTA
824
- example: 220 foo.bar.com ESMTP Service (Lotus Domino Release 5.0a) ready at Wed, 20 Jun 2001 08:59:17 +0200
825
- </description>
826
- <param pos="0" name="service.vendor" value="Lotus"/>
707
+ <example service.version="7.0"> ESMTP Service (Lotus Domino Release 7.0) ready at Thu, 30 Nov 2017 17:00:41 +0800</example>
708
+ <example host.name="foo.bar" service.version="5.0.1">foo.bar ESMTP Service (Lotus Domino Release 5.0.1 (Intl)) ready at Thu, 30 Nov 2017 12:38:43 +0300</example>
709
+ <param pos="0" name="service.vendor" value="IBM"/>
827
710
  <param pos="0" name="service.family" value="Lotus Domino"/>
828
711
  <param pos="0" name="service.product" value="Lotus Domino"/>
829
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
712
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
830
713
  <param pos="1" name="host.name"/>
831
714
  <param pos="2" name="service.version"/>
832
715
  <param pos="3" name="system.time"/>
833
716
  </fingerprint>
834
- <fingerprint pattern="^([^ ]+) ESMTP Service \(Lotus Domino Release (\d+\.\d+\.\w+) \(Intl\)\) ready at (.+) *$">
835
- <description>
836
- Lotus Domino 5 SMTP MTA, International product version
837
- example: 220 foo.bar.com ESMTP Service (Lotus Domino Release 5.0.5 (Intl)) ready at Tue, 6 Feb 2001 18:54:23 -0500
838
- </description>
839
- <param pos="0" name="service.vendor" value="Lotus"/>
840
- <param pos="0" name="service.family" value="Lotus Domino"/>
841
- <param pos="0" name="service.product" value="Lotus Domino"/>
842
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
843
- <param pos="0" name="notes.intl" value="yes"/>
717
+ <fingerprint pattern="^ ?(?:([^ ]+))? *ESMTP Service \(IBM Domino Release (\d+\.[\w.]+(?: HF\d+)?)\) ready at (.+) *$">
718
+ <description>IBM Domino SMTP MTA</description>
719
+ <example host.name="foo.bar" service.version="9.0.1FP8 HF475">foo.bar ESMTP Service (IBM Domino Release 9.0.1FP8 HF475) ready at Thu, 30 Nov 2017 17:55:48 +0900</example>
720
+ <example host.name="foo.bar" service.version="9.0.1"> foo.bar ESMTP Service (IBM Domino Release 9.0.1) ready at Thu, 30 Nov 2017 10:12:26 +0100</example>
721
+ <example service.version="9.0.1FP8"> ESMTP Service (IBM Domino Release 9.0.1FP8) ready at Thu, 30 Nov 2017 13:51:59 -0800</example>
722
+ <param pos="0" name="service.vendor" value="IBM"/>
723
+ <param pos="0" name="service.family" value="IBM Domino"/>
724
+ <param pos="0" name="service.product" value="IBM Domino"/>
725
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
844
726
  <param pos="1" name="host.name"/>
845
727
  <param pos="2" name="service.version"/>
846
728
  <param pos="3" name="system.time"/>
847
729
  </fingerprint>
848
730
  <fingerprint pattern="^([^ ]+) ESMTP Service \(Lotus Domino Build (V?[\w.]+)\) ready at (.+) *$">
849
- <description>
850
- Lotus Domino (some early build)
851
- 220 foo.bar.com ESMTP Service (Lotus Domino Build 166.1) ready at Tue, 6 Feb 2001 2
852
- </description>
731
+ <description>Lotus Domino (some early build)</description>
853
732
  <example notes.build.version="166.1">foo.bar ESMTP Service (Lotus Domino Build 166.1) ready at Thu, 16 Nov 2017 10:39:22 +0200</example>
854
733
  <example notes.build.version="V85_M2_08202008">foo.bar ESMTP Service (Lotus Domino Build V85_M2_08202008) ready at Thu, 16 Nov 2017 03:57:40 -0500</example>
855
734
  <param pos="0" name="service.vendor" value="Lotus"/>
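Review bot: The merged `Lotus Domino Release` fingerprint now reports `service.vendor` as `IBM`, while the `Lotus Notes 4 SMTP MTA` fingerprint (family and product `Lotus Domino`) and the `Lotus Domino (some early build)` fingerprint in the same hunk still report `Lotus`. Inventory or vulnerability-matching consumers that key on vendor plus product would then see two identities for what looks like one product, depending on which banner form a host sends. Either keep `<param pos="0" name="service.vendor" value="Lotus"/>` on the Release fingerprint or move the other two to `IBM` in the same change. The merge also matches `(Intl)` without recording it, so the `notes.intl` param set by the removed fingerprint is lost; if it is still wanted, the merged pattern needs a capture for it.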
@@ -860,23 +739,18 @@ The system or service fingerprint with the highest certainty overwrites the othe
860
739
  <param pos="3" name="system.time"/>
861
740
  </fingerprint>
862
741
  <fingerprint pattern="^Lotus Notes ESMTP Server X[^ ]+\.[^ ]+ on (.+) ready at (.+)\. *$">
863
- <description>
864
- Lotus Notes 4.x with SMTP MTA add-on
865
- 220 Lotus Notes ESMTP Server X1.0 on RedSox R45 Server/Red Sox/US ready at Fri, 15 Feb 2002 09:46:19 -0800.
866
- </description>
742
+ <description>Lotus Notes 4.x with SMTP MTA add-on</description>
743
+ <example host.name="FooBar R45 Server/Foo Bar/US" system.time="Fri, 15 Feb 2002 09:46:19 -0800">Lotus Notes ESMTP Server X1.0 on FooBar R45 Server/Foo Bar/US ready at Fri, 15 Feb 2002 09:46:19 -0800.</example>
867
744
  <param pos="0" name="service.vendor" value="Lotus"/>
868
745
  <param pos="0" name="service.family" value="Lotus Domino"/>
869
746
  <param pos="0" name="service.product" value="Lotus Domino"/>
870
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
747
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
871
748
  <param pos="1" name="host.name"/>
872
749
  <param pos="2" name="system.time"/>
873
750
  </fingerprint>
874
751
  <fingerprint pattern="^([^ ]+) NTMail \(v(\d+\.\d+\.\d+)/([^ ]+)\) ready for ESMTP transfer *$">
875
- <description>
876
- NTMail http://www.gordano.com
877
- example: 220 lilzmail.liwest.at NTMail (v4.30.0012/NU2182.02.1cf87970) ready for ESMTP transfer
878
- example: 220 pluto.wvwc.edu NTMail (v5.06.0016/NT9445.00.28cc9615) ready for ESMTP transfer
879
- </description>
752
+ <description>NTMail (http://www.gordano.com)</description>
753
+ <example host.name="foo.bar" service.version="7.02.3037" ntmail.id="NU1319.01.5b000000">foo.bar NTMail (v7.02.3037/NU1319.01.5b000000) ready for ESMTP transfer </example>
880
754
  <param pos="0" name="service.vendor" value="Gordano"/>
881
755
  <param pos="0" name="service.family" value="NTMail"/>
882
756
  <param pos="0" name="service.product" value="NTMail"/>
@@ -885,20 +759,12 @@ The system or service fingerprint with the highest certainty overwrites the othe
885
759
  <param pos="3" name="ntmail.id"/>
886
760
  </fingerprint>
887
761
  <fingerprint pattern="^([^ ]+) WindowsNT SMTP Server v([^ ]+\.[^ ]+\.[^ ]+)/([^ ]+)/SP ESMTP ready at (.+) *$">
888
- <description>
889
- versions 3.x and earlier of NTMail http://www.gordano.com (it was called Internet Shopper's something or other)
890
- example: 220 mail.Networkengineering WindowsNT SMTP Server v3.03.0018/1.aio1/SP ESMTP ready at Wed, 25 Jul 2001 23:03:11 -0400
891
- example: 220 mars.wvwc.edu WindowsNT SMTP Server v3.03.0018/1.ajhf/SP ESMTP ready at Thu, 29 Oct 1998 18:01:30 -0500
892
- example: 220 mail.someisp.net WindowsNT SMTP Server v3.03.0017/1.aihl/SP ESMTP ready at Sun, 6 Jun 1999 10:39:30 -0400
893
- example: 220 nt03s02.switchlink.be WindowsNT SMTP Server v3.03.0014/1.aiss/SP ESMTP ready at Fri, 17 Apr 1998 16:59:04 +0100
894
- example: 220 www.afsc.org WindowsNT SMTP Server v3.03.0017/1.abkz/SP ESMTP ready at Mon, 2 Oct 2000 11:50:29 -0400
895
- example: 220 wwmerchant.osopinion.com WindowsNT SMTP Server v3.03.0017/4c.adur/SP ESMTP ready at Fri, 26 Mar 1999 13:20:30 -0700
896
- example: 220 digital-hoon.tecdm.dmi.co.kr WindowsNT SMTP Server v3.02.07/2c.aaaj ready at Thu, 5 Dec 1996 22:46:12 +0000
897
- </description>
762
+ <description>NTMail - versions 3.x and earlier (it was called Internet Shopper's something or other)</description>
763
+ <example host.name="foo.bar" service.version="3.03.0018" ntmail.id="7.aavn">foo.bar WindowsNT SMTP Server v3.03.0018/7.aavn/SP ESMTP ready at Thu, 30 Nov 2017 10:15:31 +0100</example>
898
764
  <param pos="0" name="service.vendor" value="Gordano"/>
899
765
  <param pos="0" name="service.family" value="NTMail"/>
900
766
  <param pos="0" name="service.product" value="NTMail"/>
901
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
767
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
902
768
  <param pos="1" name="host.name"/>
903
769
  <param pos="2" name="service.version"/>
904
770
  <param pos="3" name="ntmail.id"/>
@@ -906,10 +772,10 @@ The system or service fingerprint with the highest certainty overwrites the othe
906
772
  </fingerprint>
907
773
  <fingerprint pattern="^(\S+)(?: UCX)? V\S+, OpenVMS V(\S+) (\S+) ready at .*$">
908
774
  <description>Some unknown mail server on OpenVMS</description>
909
- <example host.name="example.com" os.arch="IA64" os.version="8.4">example.com V5.7-ECO4, OpenVMS V8.4 IA64 ready at Wed, 20 May 2015 01:22:32 +0100 (BST)</example>
910
- <example host.name="example.com" os.arch="Alpha" os.version="7.3-2">example.com V5.4-15E, OpenVMS V7.3-2 Alpha ready at Wed, 20 May 2015 01:22:18 +0100 (BST)</example>
911
- <example host.name="example.com" os.arch="VAX" os.version="6.2">example.com UCX V4.2-21I, OpenVMS V6.2 VAX ready at Wed, 20 May 2015 01:15:16 GMT</example>
912
- <example host.name="example.com" os.arch="Alpha" os.version="6.2-1H3">example.com UCX V4.2-21I, OpenVMS V6.2-1H3 Alpha ready at Wed, 20 May 2015 00:55:37 GMT</example>
775
+ <example host.name="foo.bar" os.arch="IA64" os.version="8.4">foo.bar V5.7-ECO4, OpenVMS V8.4 IA64 ready at Wed, 20 May 2015 01:22:32 +0100 (BST)</example>
776
+ <example host.name="foo.bar" os.arch="Alpha" os.version="7.3-2">foo.bar V5.4-15E, OpenVMS V7.3-2 Alpha ready at Wed, 20 May 2015 01:22:18 +0100 (BST)</example>
777
+ <example host.name="foo.bar" os.arch="VAX" os.version="6.2">foo.bar UCX V4.2-21I, OpenVMS V6.2 VAX ready at Wed, 20 May 2015 01:15:16 GMT</example>
778
+ <example host.name="foo.bar" os.arch="Alpha" os.version="6.2-1H3">foo.bar UCX V4.2-21I, OpenVMS V6.2-1H3 Alpha ready at Wed, 20 May 2015 00:55:37 GMT</example>
913
779
  <param pos="1" name="host.name"/>
914
780
  <param pos="0" name="os.vendor" value="HP"/>
915
781
  <param pos="0" name="os.family" value="OpenVMS"/>
@@ -918,20 +784,19 @@ The system or service fingerprint with the highest certainty overwrites the othe
918
784
  <param pos="2" name="os.version"/>
919
785
  <param pos="3" name="os.arch"/>
920
786
  </fingerprint>
921
- <fingerprint pattern="^(\S+) E?SMTP PMailServer(?: \[Free Edition\]) ([\d\.]+); (\S{3}, \d{2} \S{3} \d{4} \d{2}:\d{2}:\d{2})$">
787
+ <fingerprint pattern="^(\S+) E?SMTP PMailServer(?: \[Free Edition\])? ([\d\.]+); (\w\w\w, +\d+ \w\w\w \d\d\d\d [\d:]+)$">
922
788
  <description>A.K.I PMail</description>
923
- <example host.name="example.com" service.version="1.91">example.com ESMTP PMailServer [Free Edition] 1.91; Fri, 22 May 2015 02:04:56</example>
789
+ <example host.name="foo.bar" service.version="1.91">foo.bar ESMTP PMailServer [Free Edition] 1.91; Fri, 22 May 2015 02:04:56</example>
790
+ <example host.name="foo.bar" service.version="1.78">foo.bar ESMTP PMailServer 1.78; Fri, 6 Apr 2018 04:34:11</example>
924
791
  <param pos="0" name="service.vendor" value="A.K.I Software"/>
925
792
  <param pos="0" name="service.product" value="PMail Server"/>
926
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss"/>
793
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss"/>
927
794
  <param pos="1" name="host.name"/>
928
795
  <param pos="2" name="service.version"/>
929
796
  <param pos="3" name="system.time"/>
930
797
  </fingerprint>
931
798
  <fingerprint pattern="^([^ ]+) Postfix \(Postfix-([^ ]+)-([^ ]+)\) \(([^ ]+)\) *$">
932
- <description>
933
- Postfix (2 version ids, followed by os)
934
- </description>
799
+ <description>Postfix - version + build, followed by os</description>
935
800
  <param pos="0" name="service.family" value="Postfix"/>
936
801
  <param pos="0" name="service.product" value="Postfix"/>
937
802
  <param pos="1" name="host.name"/>
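Review bot: The PMailServer pattern's time capture was loosened to `[\d:]+`, which accepts any run of digits and colons from the remote banner and no longer guarantees the `HH:mm:ss` shape that `system.time.format` declares. Keeping the shape explicit costs nothing: `(\w\w\w, +\d+ \w\w\w \d\d\d\d \d\d:\d\d:\d\d)$`. Neither example asserts `system.time`, so adding `system.time="Fri, 22 May 2015 02:04:56"` to the first one would pin the capture. The HP-UX Sendmail pattern in the `@@ -1048,44 +898,44 @@` hunk makes the same `[\d:]+` change. The Postfix fingerprint at the end of this hunk continues outside it.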
@@ -939,20 +804,17 @@ The system or service fingerprint with the highest certainty overwrites the othe
939
804
  <param pos="3" name="service.version.version"/>
940
805
  <param pos="4" name="postfix.os.info"/>
941
806
  </fingerprint>
942
- <fingerprint pattern="^([^ ]+) ESMTP Postfix \(Postfix-([^ ]+)-([^ ]+)\) *$">
943
- <description>
944
- Postfix (2 version numbers)
945
- </description>
807
+ <fingerprint pattern="^([^ ]+) ESMTP Postfix \(?([\d.]+)\)?$">
808
+ <description>Postfix - Std semantic versioning, w/ optional parens</description>
809
+ <example service.version="3.1.4">foo.bar ESMTP Postfix (3.1.4)</example>
810
+ <example service.version="2.7.1">foo.bar ESMTP Postfix 2.7.1</example>
946
811
  <param pos="0" name="service.family" value="Postfix"/>
947
812
  <param pos="0" name="service.product" value="Postfix"/>
948
813
  <param pos="1" name="host.name"/>
949
814
  <param pos="2" name="service.version"/>
950
- <param pos="3" name="service.version.version"/>
951
815
  </fingerprint>
952
- <fingerprint pattern="^([^ ]+) ESMTP Postfix \(([\d.]+)-([^ ]+)\)$">
953
- <description>
954
- Postfix (2 version numbers )
955
- </description>
816
+ <fingerprint pattern="^([^ ]+) ESMTP Postfix \((?:Postfix-)?([\d.]+)-([^ ]+)\)$">
817
+ <description>Postfix - version + build</description>
956
818
  <example service.version="2.8" service.version.version="20100306">foo.bar ESMTP Postfix (2.8-20100306)</example>
957
819
  <param pos="0" name="service.family" value="Postfix"/>
958
820
  <param pos="0" name="service.product" value="Postfix"/>
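Review bot: The merged `(?:Postfix-)?` pattern ends in `\)$`, while the `Postfix-` fingerprint it replaces ended in `\) *$`. A banner of that form with trailing spaces now falls through to the generic `ESMTP.* Postfix *\(.+\) *$` fingerprint further down, which maps only `host.name`, so the version is lost. Ending the pattern with `\) *$` keeps the old tolerance. No example covers the `Postfix-` prefixed form either; `<example service.version="2.8" service.version.version="20100306">foo.bar ESMTP Postfix (Postfix-2.8-20100306)</example>` (constructed from the existing example) would. The last fingerprint's remaining params lie outside the hunk.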
@@ -960,21 +822,21 @@ The system or service fingerprint with the highest certainty overwrites the othe
960
822
  <param pos="2" name="service.version"/>
961
823
  <param pos="3" name="service.version.version"/>
962
824
  </fingerprint>
963
- <fingerprint pattern="^([^ ]+) Postfix \(Postfix-([^ ]+)\) \(([^ ]+)\) *$">
964
- <description>
965
- Postfix (1 version number)
966
- </description>
825
+ <fingerprint pattern="^([^ ]+) +E?SMTP Postfix \(Ubuntu\)$">
826
+ <description>Postfix - Ubuntu</description>
827
+ <example>foo.bar ESMTP Postfix (Ubuntu)</example>
967
828
  <param pos="0" name="service.family" value="Postfix"/>
968
829
  <param pos="0" name="service.product" value="Postfix"/>
969
830
  <param pos="1" name="host.name"/>
970
- <param pos="2" name="service.version"/>
971
- <param pos="3" name="postfix.os.info"/>
831
+ <param pos="0" name="os.vendor" value="Ubuntu"/>
832
+ <param pos="0" name="os.device" value="General"/>
833
+ <param pos="0" name="os.family" value="Linux"/>
834
+ <param pos="0" name="os.product" value="Linux"/>
972
835
  </fingerprint>
973
- <fingerprint pattern="^([^ ]+) E?SMTP Postfix \(Ubuntu\)$">
974
- <description>
975
- Postfix Ubuntu package.
976
- </description>
977
- <example>foo.bar.com ESMTP Postfix (Ubuntu)</example>
836
+ <fingerprint pattern="^([^ ]+)(?: ESMTP)? Hi, I'm a Mail-in-a-Box \(Ubuntu/Postfix; see https://mailinabox.email/\)$">
837
+ <description>Postfix - Ubuntu, Mail-in-a-Box package</description>
838
+ <example>foo.bar ESMTP Hi, I'm a Mail-in-a-Box (Ubuntu/Postfix; see https://mailinabox.email/)</example>
839
+ <example>foo.bar Hi, I'm a Mail-in-a-Box (Ubuntu/Postfix; see https://mailinabox.email/)</example>
978
840
  <param pos="0" name="service.family" value="Postfix"/>
979
841
  <param pos="0" name="service.product" value="Postfix"/>
980
842
  <param pos="1" name="host.name"/>
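Review bot: In the Mail-in-a-Box pattern the dot in `mailinabox.email` is unescaped and matches any character; the literal URL should be written `https://mailinabox\.email/`. Both Mail-in-a-Box examples and the Ubuntu one above them assert nothing although group 1 is mapped to `host.name`. Opening them with `<example host.name="foo.bar">` would make the example check the capture. The Mail-in-a-Box fingerprint's params continue outside the hunk.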
@@ -983,11 +845,9 @@ The system or service fingerprint with the highest certainty overwrites the othe
983
845
  <param pos="0" name="os.family" value="Linux"/>
984
846
  <param pos="0" name="os.product" value="Linux"/>
985
847
  </fingerprint>
986
- <fingerprint pattern="^([^ ]+) E?SMTP Postfix \(Debian/GNU\)$">
987
- <description>
988
- Postfix Debian package.
989
- </description>
990
- <example>foo.bar.com ESMTP Postfix (Debian/GNU)</example>
848
+ <fingerprint pattern="^([^ ]+) +E?SMTP Postfix \(Debian/GNU\)$">
849
+ <description>Postfix - Debian</description>
850
+ <example>foo.bar ESMTP Postfix (Debian/GNU)</example>
991
851
  <param pos="0" name="service.family" value="Postfix"/>
992
852
  <param pos="0" name="service.product" value="Postfix"/>
993
853
  <param pos="1" name="host.name"/>
@@ -997,50 +857,40 @@ The system or service fingerprint with the highest certainty overwrites the othe
997
857
  <param pos="0" name="os.product" value="Linux"/>
998
858
  </fingerprint>
999
859
  <fingerprint pattern="^([^ ]+) ESMTP.* Postfix *\(.+\) *$">
1000
- <description>
1001
- Generic Postfix banner with amusing comments in parentheses
1002
- </description>
1003
- <example>foo.bar.com ESMTP Postfix (lol)</example>
860
+ <description>Postfix - generic banner with amusing comments in parentheses</description>
861
+ <example>foo.bar ESMTP Postfix (lol)</example>
1004
862
  <param pos="0" name="service.family" value="Postfix"/>
1005
863
  <param pos="0" name="service.product" value="Postfix"/>
1006
864
  <param pos="1" name="host.name"/>
1007
865
  </fingerprint>
1008
- <fingerprint pattern="^([^ ]+) ESMTP.* Postfix *$">
1009
- <description>
1010
- Generic Postfix banner.
1011
- </description>
1012
- <example>foo.bar.com ESMTP Postfix</example>
866
+ <fingerprint pattern="^(?i)([^ ]+) +E?SMTP.* Postfix *$">
867
+ <description>Postfix - generic banner</description>
868
+ <example>foo.bar ESMTP Postfix</example>
869
+ <example>foo.bar SMTP Postfix</example>
1013
870
  <param pos="0" name="service.family" value="Postfix"/>
1014
871
  <param pos="0" name="service.product" value="Postfix"/>
1015
872
  <param pos="1" name="host.name"/>
1016
873
  </fingerprint>
1017
- <fingerprint pattern="^ESMTP Postfix$">
1018
- <description>Postfix banner without hostname or version</description>
874
+ <fingerprint pattern="^ *ESMTP Postfix$">
875
+ <description>Postfix - banner without hostname or version</description>
1019
876
  <example>ESMTP Postfix</example>
1020
877
  <param pos="0" name="service.family" value="Postfix"/>
1021
878
  <param pos="0" name="service.product" value="Postfix"/>
1022
879
  </fingerprint>
1023
- <fingerprint pattern="^([^ ]+) ESMTP server \(Post\.Office v([^ ]+) release (.+) ID# ([^ ]+)\) ready (.+) *$">
1024
- <description>
1025
- Post.Office (3 version numbers)
1026
- </description>
1027
- <example host.name="192.168.1.1" service.version="3.1" postoffice.build="PO205e" postoffice.id="0-42000U100L2S100" system.time="Tue, 6 Feb 2001 19:38:32 +0100">192.168.1.1 ESMTP server (Post.Office v3.1 release PO205e ID# 0-42000U100L2S100) ready Tue, 6 Feb 2001 19:38:32 +0100</example>
1028
- <param pos="0" name="service.family" value="Post.Office"/>
1029
- <param pos="0" name="service.product" value="Post.Office"/>
1030
- <param pos="2" name="service.version"/>
1031
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
880
+ <fingerprint pattern="^(?i)((?!ESMTP)[^ ]+) POSTFIX$">
881
+ <description>Postfix - generic w/o ESMTP</description>
882
+ <example host.name="foo.bar">foo.bar Postfix</example>
883
+ <param pos="0" name="service.family" value="Postfix"/>
884
+ <param pos="0" name="service.product" value="Postfix"/>
1032
885
  <param pos="1" name="host.name"/>
1033
- <param pos="3" name="postoffice.build"/>
1034
- <param pos="4" name="postoffice.id"/>
1035
- <param pos="5" name="system.time"/>
1036
886
  </fingerprint>
1037
- <fingerprint pattern="^([^ ]+) ESMTP server \(P|post\.O|office v([^ ]+\.[^ ]+) (.+) ID# ([^ ]+)\) ready (.+) *$">
1038
- <description>
1039
- Post.Office lacking word "release" before release tag
1040
- </description>
887
+ <fingerprint pattern="^([^ ]+) ESMTP server \((?i:P)ost\.(?i:O)ffice v([^ ]+\.[^ ]+)(?: release)? (.+) ID# ([^ ]+)\) ready (.+) *$">
888
+ <description>Post.Office</description>
889
+ <example host.name="foo.bar" service.version="3.8.4" postoffice.build="116" postoffice.id="1001-65749U100L10S0V38" system.time="Thu, 30 Nov 2017 18:46:24 +0900">foo.bar ESMTP server (post.office v3.8.4 release 116 ID# 1001-65749U100L10S0V38) ready Thu, 30 Nov 2017 18:46:24 +0900</example>
890
+ <example host.name="foo.bar" service.version="3.1" postoffice.build="PO205e" postoffice.id="0-42000U100L2S100" system.time="Tue, 6 Feb 2001 19:38:32 +0100">foo.bar ESMTP server (Post.Office v3.1 release PO205e ID# 0-42000U100L2S100) ready Tue, 6 Feb 2001 19:38:32 +0100</example>
1041
891
  <param pos="0" name="service.family" value="Post.Office"/>
1042
892
  <param pos="0" name="service.product" value="Post.Office"/>
1043
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
893
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1044
894
  <param pos="1" name="host.name"/>
1045
895
  <param pos="2" name="service.version"/>
1046
896
  <param pos="3" name="postoffice.build"/>
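Review bot: The lookahead in `^(?i)((?!ESMTP)[^ ]+) POSTFIX$` rejects every hostname that merely begins with "esmtp" in any letter case (constructed example: `esmtp01.foo.bar Postfix`), not only a bare `ESMTP` token standing where the hostname should be. Anchoring it on the following space, `((?!ESMTP )[^ ]+)`, excludes just that token and lets such hosts be fingerprinted. The Post.Office fingerprint at the end of the hunk continues outside it.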
@@ -1048,44 +898,44 @@ The system or service fingerprint with the highest certainty overwrites the othe
1048
898
  <param pos="5" name="system.time"/>
1049
899
  </fingerprint>
1050
900
  <fingerprint pattern="^([^ ]+) Generic SMTP handler *$">
1051
- <description>
1052
- Raptor Firewall
1053
- example: 220 foo.bar.com Generic SMTP handler
1054
- </description>
901
+ <description>Raptor Firewall (low confidence)</description>
902
+ <example host.name="foo.bar">foo.bar Generic SMTP handler</example>
1055
903
  <param pos="0" name="service.product" value="raptor"/>
1056
904
  <param pos="1" name="host.name"/>
1057
905
  </fingerprint>
1058
906
  <fingerprint pattern="^(\S+) SAP (\S+) E?SMTP service ready$">
1059
907
  <description>SAP SMTP Server</description>
1060
- <example host.name="example.com" service.version="8.04(53)">example.com SAP 8.04(53) ESMTP service ready</example>
908
+ <example host.name="foo.bar" service.version="8.04(53)">foo.bar SAP 8.04(53) ESMTP service ready</example>
1061
909
  <param pos="0" name="service.vendor" value="SAP"/>
1062
910
  <param pos="0" name="service.product" value="SMTP"/>
1063
911
  <param pos="2" name="service.version"/>
1064
912
  <param pos="1" name="host.name"/>
1065
913
  </fingerprint>
914
+ <fingerprint pattern="^Sendmail ESMTP ready$">
915
+ <description>Sendmail - short banner w/o hostname, version, platform, or date.</description>
916
+ <example>Sendmail ESMTP ready</example>
917
+ <param pos="0" name="service.family" value="Sendmail"/>
918
+ <param pos="0" name="service.product" value="Sendmail"/>
919
+ </fingerprint>
1066
920
  <fingerprint pattern="^([^ ]+) +ESMTP +Sendmail +([^ ]+) \(PHNE_([^ ]+)\) */ *(.+); *(.+) \(.+\)$">
1067
- <description>
1068
- sendmail on HPUX with a PHNE (HP Networking patch) installed
1069
- </description>
1070
- <example>foo.bar.com ESMTP Sendmail 8.8.6 (PHNE_14041)/8.7.1; Tue, 6 Feb 2001 10:04:32 -0300 (SAT)</example>
921
+ <description>Sendmail - HP-UX with a PHNE (HP Networking patch) installed</description>
922
+ <example host.name="foo.bar" service.version="8.8.6" sendmail.config.version="8.7.1">foo.bar ESMTP Sendmail 8.8.6 (PHNE_14041)/8.7.1; Tue, 6 Feb 2001 10:04:32 -0300 (SAT)</example>
1071
923
  <param pos="0" name="service.family" value="Sendmail"/>
1072
924
  <param pos="0" name="service.product" value="Sendmail"/>
1073
925
  <param pos="0" name="os.vendor" value="HP"/>
1074
926
  <param pos="0" name="os.family" value="HP-UX"/>
1075
927
  <param pos="0" name="os.device" value="General"/>
1076
928
  <param pos="0" name="os.product" value="HP-UX"/>
1077
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
929
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1078
930
  <param pos="1" name="host.name"/>
1079
931
  <param pos="2" name="service.version"/>
1080
932
  <param pos="3" name="sendmail.hpux.phne.version"/>
1081
933
  <param pos="4" name="sendmail.config.version"/>
1082
934
  <param pos="5" name="system.time"/>
1083
935
  </fingerprint>
1084
- <fingerprint pattern="^(\S+) ESMTP Sendmail \S+ version ([\d\.]+) - Revision \S+ HP-UX([\d\.]+).*(\S{3}, \d{2} \S{3} \d{4} \d{2}:\d{2}:\d{2} \S{3})$">
1085
- <description>
1086
- sendmail on HPUX
1087
- </description>
1088
- <example host.name="example.com" os.version="11.31" service.version="8.13.3">example.com ESMTP Sendmail @(#)Sendmail version 8.13.3 - Revision 1.004:: HP-UX11.31 - 03rd February,2010/8.11.1; Wed, 20 May 2015 23:35:38 GMT</example>
936
+ <fingerprint pattern="^(\S+) ESMTP Sendmail \S+ version ([\d\.]+) - Revision \S+ HP-UX([\d\.]+).*(\w\w\w, \d+ \w\w\w \d\d\d\d [\d:]+ \w\w\w)$">
937
+ <description>Sendmail - HP-UX</description>
938
+ <example host.name="foo.bar" os.version="11.31" service.version="8.13.3">foo.bar ESMTP Sendmail @(#)Sendmail version 8.13.3 - Revision 1.004:: HP-UX11.31 - 03rd February,2010/8.11.1; Wed, 20 May 2015 23:35:38 GMT</example>
1089
939
  <param pos="0" name="service.family" value="Sendmail"/>
1090
940
  <param pos="0" name="service.product" value="Sendmail"/>
1091
941
  <param pos="0" name="os.vendor" value="HP"/>
@@ -1093,57 +943,51 @@ The system or service fingerprint with the highest certainty overwrites the othe
1093
943
  <param pos="0" name="os.device" value="General"/>
1094
944
  <param pos="0" name="os.product" value="HP-UX"/>
1095
945
  <param pos="3" name="os.version"/>
1096
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
946
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss z"/>
1097
947
  <param pos="1" name="host.name"/>
1098
948
  <param pos="2" name="service.version"/>
1099
949
  <param pos="4" name="system.time"/>
1100
950
  </fingerprint>
1101
951
  <fingerprint pattern="^([^ ]+) +ESMTP +Sendmail +([^ ]+)/UW([^ ]+) ready at *(.+) \(.+\) *$">
1102
- <description>
1103
- sendmail on unixware
1104
- </description>
1105
- <example>foo.bar.com ESMTP Sendmail 8.8.7/UW7.1.0 ready at Tue, 6 Feb 2001 16:39:30 -0300 (GMT-0300)</example>
952
+ <description>Sendmail - Unixware</description>
953
+ <example service.version="8.8.7">foo.bar ESMTP Sendmail 8.8.7/UW7.1.0 ready at Tue, 6 Feb 2001 16:39:30 -0300 (GMT-0300)</example>
1106
954
  <param pos="0" name="service.family" value="Sendmail"/>
1107
955
  <param pos="0" name="service.product" value="Sendmail"/>
1108
956
  <param pos="0" name="os.vendor" value="SCO"/>
1109
957
  <param pos="0" name="os.family" value="UnixWare"/>
1110
958
  <param pos="0" name="os.device" value="General"/>
1111
959
  <param pos="0" name="os.product" value="UnixWare"/>
1112
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
960
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1113
961
  <param pos="1" name="host.name"/>
1114
962
  <param pos="2" name="service.version"/>
1115
963
  <param pos="3" name="os.version"/>
1116
964
  <param pos="4" name="system.time"/>
1117
965
  </fingerprint>
1118
966
  <fingerprint pattern="^([^ ]+) ESMTP Sendmail AIX([^/]+)/UCB ([^;]+); (.+) \(.+\)$">
1119
- <description>
1120
- sendmail on AIX
1121
- </description>
1122
- <example>foo.bar.com ESMTP Sendmail AIX4.2/UCB 8.7; Sun, 29 Jul 2001 22:34:37 -0400 (EDT)</example>
967
+ <description>Sendmail - AIX (UCB variant)</description>
968
+ <example os.version="4.2" service.version="8.7">foo.bar ESMTP Sendmail AIX4.2/UCB 8.7; Sun, 29 Jul 2001 22:34:37 -0400 (EDT)</example>
1123
969
  <param pos="0" name="service.family" value="Sendmail"/>
1124
970
  <param pos="0" name="service.product" value="Sendmail"/>
1125
971
  <param pos="0" name="os.vendor" value="IBM"/>
1126
972
  <param pos="0" name="os.family" value="AIX"/>
1127
973
  <param pos="0" name="os.device" value="General"/>
1128
974
  <param pos="0" name="os.product" value="AIX"/>
1129
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
975
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1130
976
  <param pos="1" name="host.name"/>
1131
977
  <param pos="2" name="os.version"/>
1132
978
  <param pos="3" name="service.version"/>
1133
979
  <param pos="4" name="system.time"/>
1134
980
  </fingerprint>
1135
981
  <fingerprint pattern="^([^ ]+) Sendmail AIX([^/]+)/UCB ([^/]+)/([^ ]+) ready at (.+)$">
1136
- <description>
1137
- sendmail on AIX
1138
- </description>
1139
- <example>foo.bar.com Sendmail AIX 4.1/UCB 5.64/4.03 ready at Mon, 30 Jul 2001 00:42:21 -0500</example>
982
+ <description>Sendmail - AIX (UCB/ready at variant)</description>
983
+ <example>foo.bar Sendmail AIX 4.1/UCB 5.64/4.03 ready at Mon, 30 Jul 2001 00:42:21 -0500</example>
1140
984
  <param pos="0" name="service.family" value="Sendmail"/>
1141
985
  <param pos="0" name="service.product" value="Sendmail"/>
1142
986
  <param pos="0" name="os.vendor" value="IBM"/>
1143
987
  <param pos="0" name="os.family" value="AIX"/>
1144
988
  <param pos="0" name="os.device" value="General"/>
1145
989
  <param pos="0" name="os.product" value="AIX"/>
1146
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
990
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1147
991
  <param pos="1" name="host.name"/>
1148
992
  <param pos="2" name="os.version"/>
1149
993
  <param pos="3" name="service.version"/>
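Review bot: The example kept for the "UCB/ready at" AIX fingerprint reads `Sendmail AIX 4.1/UCB …` with a space after `AIX`, so as rendered here `AIX([^/]+)` captures `os.version` as ` 4.1` with a leading space. The example asserts no attributes, so the example check does not catch this. Allowing the space outside the group, `AIX ?([^/]+)`, and asserting the result, `<example os.version="4.1" service.version="5.64">`, addresses both. The fingerprint's last params fall outside the hunk.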
@@ -1151,18 +995,16 @@ The system or service fingerprint with the highest certainty overwrites the othe
1151
995
  <param pos="5" name="system.time"/>
1152
996
  </fingerprint>
1153
997
  <fingerprint pattern="^([^ ]+) ESMTP Sendmail AIX([^/]+)/([^/]+)/([^;]+); (.+)(?: \(.+\))?$">
1154
- <description>
1155
- sendmail on AIX
1156
- </description>
1157
- <example host.name="example.com" os.version="4.2" service.version="8.7" sendmail.config.version="8.8">example.com ESMTP Sendmail AIX4.2/8.7/8.8; Sun, 29 Jul 2001 22:34:37 -0400 (EDT)</example>
1158
- <example host.name="example.com" os.version="5.1" service.version="8.11.6p2" sendmail.config.version="8.11.0">example.com ESMTP Sendmail AIX5.1/8.11.6p2/8.11.0; Fri, 28 Aug 1970 19:42:05 -0800</example>
998
+ <description>Sendmail - AIX</description>
999
+ <example host.name="foo.bar" os.version="4.2" service.version="8.7" sendmail.config.version="8.8">foo.bar ESMTP Sendmail AIX4.2/8.7/8.8; Sun, 29 Jul 2001 22:34:37 -0400 (EDT)</example>
1000
+ <example host.name="foo.bar" os.version="5.1" service.version="8.11.6p2" sendmail.config.version="8.11.0">foo.bar ESMTP Sendmail AIX5.1/8.11.6p2/8.11.0; Fri, 28 Aug 1970 19:42:05 -0800</example>
1159
1001
  <param pos="0" name="service.family" value="Sendmail"/>
1160
1002
  <param pos="0" name="service.product" value="Sendmail"/>
1161
1003
  <param pos="0" name="os.vendor" value="IBM"/>
1162
1004
  <param pos="0" name="os.family" value="AIX"/>
1163
1005
  <param pos="0" name="os.device" value="General"/>
1164
1006
  <param pos="0" name="os.product" value="AIX"/>
1165
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
1007
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1166
1008
  <param pos="1" name="host.name"/>
1167
1009
  <param pos="2" name="os.version"/>
1168
1010
  <param pos="3" name="service.version"/>
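Review bot: In the AIX pattern `(.+)(?: \(.+\))?$` the greedy `(.+)` always consumes the trailing ` (EDT)`, so the optional group never takes part in the match. The last capture, which appears to feed `system.time`, therefore comes out as `… -0400 (EDT)` and does not fit the `EEE, d MMM yyyy HH:mm:ss Z` format this hunk sets. Making the capture lazy, `(.+?)(?: \(.+\))?$`, lets the optional group take the zone comment. Adding `system.time="Sun, 29 Jul 2001 22:34:37 -0400"` to the first example would pin that behaviour. The fingerprint's params continue past the end of the hunk.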
@@ -1170,17 +1012,15 @@ The system or service fingerprint with the highest certainty overwrites the othe
1170
1012
  <param pos="5" name="system.time"/>
1171
1013
  </fingerprint>
1172
1014
  <fingerprint pattern="^([^ ]+) ESMTP Sendmail ([^/]+)/([^/]+)/SuSE Linux ([^;]+); (.+)$">
1173
- <description>
1174
- sendmail on suse
1175
- </description>
1176
- <example>foo.bar.com ESMTP Sendmail 8.9.3/8.9.3/SuSE Linux 8.9.3-0.1; Mon, 30 Jul 2001 04:48:54 +0200</example>
1015
+ <description>Sendmail - SuSE Linux</description>
1016
+ <example>foo.bar ESMTP Sendmail 8.9.3/8.9.3/SuSE Linux 8.9.3-0.1; Mon, 30 Jul 2001 04:48:54 +0200</example>
1177
1017
  <param pos="0" name="service.family" value="Sendmail"/>
1178
1018
  <param pos="0" name="service.product" value="Sendmail"/>
1179
1019
  <param pos="0" name="os.vendor" value="SuSE"/>
1180
1020
  <param pos="0" name="os.family" value="Linux"/>
1181
1021
  <param pos="0" name="os.device" value="General"/>
1182
1022
  <param pos="0" name="os.product" value="Linux"/>
1183
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
1023
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1184
1024
  <param pos="1" name="host.name"/>
1185
1025
  <param pos="2" name="service.version"/>
1186
1026
  <param pos="3" name="sendmail.config.version"/>
@@ -1188,129 +1028,190 @@ The system or service fingerprint with the highest certainty overwrites the othe
1188
1028
  <param pos="5" name="system.time"/>
1189
1029
  </fingerprint>
1190
1030
  <fingerprint pattern="^([^ ]+) ESMTP Sendmail ([^ ]+)\+Sun/([^ ]+); (.+)$">
1191
- <description>
1192
- sendmail on Solaris
1193
- </description>
1194
- <example>foo.bar.com ESMTP Sendmail 8.9.3+Sun/8.9.1; Mon, 30 Jul 2001 02:50:22 GMT</example>
1031
+ <description>Sendmail - Solaris with date (no time offeset variant)</description>
1032
+ <example>foo.bar ESMTP Sendmail 8.9.3+Sun/8.9.1; Mon, 30 Jul 2001 02:50:22 GMT</example>
1195
1033
  <param pos="0" name="service.family" value="Sendmail"/>
1196
1034
  <param pos="0" name="service.product" value="Sendmail"/>
1197
1035
  <param pos="0" name="os.vendor" value="Sun"/>
1198
1036
  <param pos="0" name="os.family" value="Solaris"/>
1199
1037
  <param pos="0" name="os.device" value="General"/>
1200
1038
  <param pos="0" name="os.product" value="Solaris"/>
1201
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
1039
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss zzz"/>
1202
1040
  <param pos="1" name="host.name"/>
1203
1041
  <param pos="2" name="service.version"/>
1204
1042
  <param pos="3" name="sendmail.config.version"/>
1205
1043
  <param pos="4" name="system.time"/>
1206
1044
  </fingerprint>
1207
1045
  <fingerprint pattern="^([^ ]+) ESMTP Sendmail ([^ ]+)\+Sun/([^ ]+) ready at (.+) \(.+\)$">
1208
- <description>
1209
- sendmail on Solaris
1210
- </description>
1211
- <example>foo.bar.com ESMTP Sendmail 8.8.8+Sun/8.6.4 ready at Thu, 15 Nov 2000 11:40:32 -0800 (PST)</example>
1046
+ <description>Sendmail - Solaris with date (ready variant)</description>
1047
+ <example>foo.bar ESMTP Sendmail 8.8.8+Sun/8.6.4 ready at Thu, 15 Nov 2000 11:40:32 -0800 (PST)</example>
1212
1048
  <param pos="0" name="service.family" value="Sendmail"/>
1213
1049
  <param pos="0" name="service.product" value="Sendmail"/>
1214
1050
  <param pos="0" name="os.vendor" value="Sun"/>
1215
1051
  <param pos="0" name="os.family" value="Solaris"/>
1216
1052
  <param pos="0" name="os.device" value="General"/>
1217
1053
  <param pos="0" name="os.product" value="Solaris"/>
1218
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
1054
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1219
1055
  <param pos="1" name="host.name"/>
1220
1056
  <param pos="2" name="service.version"/>
1221
1057
  <param pos="3" name="sendmail.config.version"/>
1222
1058
  <param pos="4" name="system.time"/>
1223
1059
  </fingerprint>
1224
- <fingerprint pattern="^([^ ]+) ESMTP Debian Sendmail ([^/]+)/([^/]+)/Debian ([^/]+); (.+) *$">
1225
- <description>
1226
- sendmail on debian
1227
- </description>
1228
- <example>foo.bar.com ESMTP Debian Sendmail 8.12.0.Beta7/8.12.0.Beta7/Debian 8.12.0.Beta7-1; Sun, 29 Jul 2001 18:52:20 -0800</example>
1060
+ <fingerprint pattern="^([^ ]+) ESMTP (?:Debian )?Sendmail ([^/]+)/([^/]+)/Debian ([^/]+); (.+) *$">
1061
+ <description>Sendmail - Debian</description>
1062
+ <example service.version="8.12.0.Beta7" sendmail.config.version="8.12.0.Beta7" sendmail.vendor.version="8.12.0.Beta7-1">foo.bar ESMTP Debian Sendmail 8.12.0.Beta7/8.12.0.Beta7/Debian 8.12.0.Beta7-1; Sun, 29 Jul 2001 18:52:20 -0800</example>
1063
+ <example service.version="8.11.0" sendmail.config.version="8.9.3" sendmail.vendor.version="8.9.3-21">foo.bar ESMTP Sendmail 8.11.0/8.9.3/Debian 8.9.3-21; Sun, 29 Jul 2001 19:51:00 -0700</example>
1229
1064
  <param pos="0" name="service.family" value="Sendmail"/>
1230
1065
  <param pos="0" name="service.product" value="Sendmail"/>
1231
1066
  <param pos="0" name="os.vendor" value="Debian"/>
1232
1067
  <param pos="0" name="os.family" value="Linux"/>
1233
1068
  <param pos="0" name="os.device" value="General"/>
1234
1069
  <param pos="0" name="os.product" value="Linux"/>
1235
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
1070
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1236
1071
  <param pos="1" name="host.name"/>
1237
1072
  <param pos="2" name="service.version"/>
1238
1073
  <param pos="3" name="sendmail.config.version"/>
1239
1074
  <param pos="4" name="sendmail.vendor.version"/>
1240
1075
  <param pos="5" name="system.time"/>
1241
1076
  </fingerprint>
1242
- <fingerprint pattern="^([^ ]+) ESMTP Sendmail ([^/]+)/([^/]+)/Debian ([^/]+); (.+) *$">
1243
- <description>
1244
- sendmail on debian
1245
- </description>
1246
- <example>foo.bar.com ESMTP Sendmail 8.11.0/8.9.3/Debian 8.9.3-21; Sun, 29 Jul 2001 19:51:00 -0700</example>
1077
+ <fingerprint pattern="^([^ ]+) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d\+(?:wheezy|deb7u)\d; (.+); .*$">
1078
+ <description>Sendmail - Debian 7.x (wheezy)</description>
1079
+ <example service.version="8.14.4">foo.bar ESMTP Sendmail 8.14.4/8.14.4/Debian-4+wheezy1; Thu, 30 Nov 2017 10:33:05 +0100; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
1080
+ <example service.version="8.14.4">foo.bar ESMTP Sendmail 8.14.4/8.14.4/Debian-4+deb7u1; Thu, 30 Nov 2017 11:00:33 +0100; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
1247
1081
  <param pos="0" name="service.family" value="Sendmail"/>
1248
1082
  <param pos="0" name="service.product" value="Sendmail"/>
1249
1083
  <param pos="0" name="os.vendor" value="Debian"/>
1250
1084
  <param pos="0" name="os.family" value="Linux"/>
1251
- <param pos="0" name="os.device" value="General"/>
1252
1085
  <param pos="0" name="os.product" value="Linux"/>
1253
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
1086
+ <param pos="0" name="os.version" value="7.0"/>
1087
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1254
1088
  <param pos="1" name="host.name"/>
1255
1089
  <param pos="2" name="service.version"/>
1256
1090
  <param pos="3" name="sendmail.config.version"/>
1257
- <param pos="4" name="sendmail.vendor.version"/>
1258
- <param pos="5" name="system.time"/>
1091
+ <param pos="4" name="system.time"/>
1259
1092
  </fingerprint>
1260
- <fingerprint pattern="^([^ ]+) ESMTP Sendmail ([^/]+)/[^/]+/Debian-\dubuntu[^ ]*; (.+); .*$">
1261
- <description>
1262
- Sendmail for Ubuntu
1263
- </description>
1264
- <example>foo.bar.com ESMTP Sendmail 8.13.5.20060308/8.13.5/Debian-3ubuntu1.1; Fri, 24 Jul 2009 01:41:21 -0700; (No UCE/UBE) logging access from: xyz.example.com(OK)-xyz.example.com [10.0.0.1]</example>
1093
+ <fingerprint pattern="^([^ ]+) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d\+deb8u\d; (.+); .*$">
1094
+ <description>Sendmail - Debian 8.x (jessie)</description>
1095
+ <example service.version="8.14.4">foo.bar ESMTP Sendmail 8.14.4/8.14.4/Debian-8+deb8u2; Thu, 30 Nov 2017 10:25:48 +0100; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
1096
+ <param pos="0" name="service.family" value="Sendmail"/>
1097
+ <param pos="0" name="service.product" value="Sendmail"/>
1098
+ <param pos="0" name="os.vendor" value="Debian"/>
1099
+ <param pos="0" name="os.family" value="Linux"/>
1100
+ <param pos="0" name="os.product" value="Linux"/>
1101
+ <param pos="0" name="os.version" value="8.0"/>
1102
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1103
+ <param pos="1" name="host.name"/>
1104
+ <param pos="2" name="service.version"/>
1105
+ <param pos="3" name="sendmail.config.version"/>
1106
+ <param pos="4" name="system.time"/>
1107
+ </fingerprint>
1108
+ <fingerprint pattern="^([^ ]+) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d\+lenny\d; (.+); .*$">
1109
+ <description>Sendmail - Debian 5.x (lenny)</description>
1110
+ <example service.version="8.14.3">foo.bar ESMTP Sendmail 8.14.3/8.14.3/Debian-5+lenny1; Thu, 30 Nov 2017 12:29:40 +0300; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
1111
+ <param pos="0" name="service.family" value="Sendmail"/>
1112
+ <param pos="0" name="service.product" value="Sendmail"/>
1113
+ <param pos="0" name="os.vendor" value="Debian"/>
1114
+ <param pos="0" name="os.family" value="Linux"/>
1115
+ <param pos="0" name="os.product" value="Linux"/>
1116
+ <param pos="0" name="os.version" value="5.0"/>
1117
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1118
+ <param pos="1" name="host.name"/>
1119
+ <param pos="2" name="service.version"/>
1120
+ <param pos="3" name="sendmail.config.version"/>
1121
+ <param pos="4" name="system.time"/>
1122
+ </fingerprint>
1123
+ <fingerprint pattern="^([^ ]+) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d\+etch\d; (.+); .*$">
1124
+ <description>Sendmail - Debian 4.x (etch)</description>
1125
+ <example service.version="8.13.8" sendmail.config.version="8.13.8">foo.bar ESMTP Sendmail 8.13.8/8.13.8/Debian-3+etch1; Thu, 30 Nov 2017 10:28:23 +0100; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
1126
+ <param pos="0" name="service.family" value="Sendmail"/>
1127
+ <param pos="0" name="service.product" value="Sendmail"/>
1128
+ <param pos="0" name="os.vendor" value="Debian"/>
1129
+ <param pos="0" name="os.family" value="Linux"/>
1130
+ <param pos="0" name="os.product" value="Linux"/>
1131
+ <param pos="0" name="os.version" value="4.0"/>
1132
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1133
+ <param pos="1" name="host.name"/>
1134
+ <param pos="2" name="service.version"/>
1135
+ <param pos="3" name="sendmail.config.version"/>
1136
+ <param pos="4" name="system.time"/>
1137
+ </fingerprint>
1138
+ <fingerprint pattern="^([^ ]+) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\dsarge\d; (.+); .*$">
1139
+ <description>Sendmail - Debian 3.1 (sarge)</description>
1140
+ <example service.version="8.13.4">foo.bar ESMTP Sendmail 8.13.4/8.13.4/Debian-3sarge1; Thu, 30 Nov 2017 10:55:47 +0100; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
1141
+ <param pos="0" name="service.family" value="Sendmail"/>
1142
+ <param pos="0" name="service.product" value="Sendmail"/>
1143
+ <param pos="0" name="os.vendor" value="Debian"/>
1144
+ <param pos="0" name="os.family" value="Linux"/>
1145
+ <param pos="0" name="os.product" value="Linux"/>
1146
+ <param pos="0" name="os.version" value="3.1"/>
1147
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1148
+ <param pos="1" name="host.name"/>
1149
+ <param pos="2" name="service.version"/>
1150
+ <param pos="3" name="sendmail.config.version"/>
1151
+ <param pos="4" name="system.time"/>
1152
+ </fingerprint>
1153
+ <fingerprint pattern="^([^ ]+) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d(?:\.\d)?(?:build\d)?+; (.+); .*$">
1154
+ <description>Sendmail - Debian patch only</description>
1155
+ <example service.version="8.15.2">foo.bar ESMTP Sendmail 8.15.2/8.15.2/Debian-3; Thu, 30 Nov 2017 10:55:50 +0200; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
1156
+ <example service.version="8.14.3">foo.bar ESMTP Sendmail 8.14.3/8.14.3/Debian-9.4; Thu, 30 Nov 2017 10:11:54 +0100; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
1157
+ <example service.version="8.14.2">foo.bar ESMTP Sendmail 8.14.2/8.14.2/Debian-2build1; Thu, 30 Nov 2017 04:09:50 -0600; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
1158
+ <param pos="0" name="service.family" value="Sendmail"/>
1159
+ <param pos="0" name="service.product" value="Sendmail"/>
1160
+ <param pos="0" name="os.vendor" value="Debian"/>
1161
+ <param pos="0" name="os.family" value="Linux"/>
1162
+ <param pos="0" name="os.product" value="Linux"/>
1163
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1164
+ <param pos="1" name="host.name"/>
1165
+ <param pos="2" name="service.version"/>
1166
+ <param pos="3" name="sendmail.config.version"/>
1167
+ <param pos="4" name="system.time"/>
1168
+ </fingerprint>
1169
+ <fingerprint pattern="^([^ ]+) ESMTP Sendmail ([^/]+)/[^/]+/Debian-[\d.]+ubuntu[^ ]*; (.+); .*$">
1170
+ <description>Sendmail - Ubuntu</description>
1171
+ <example service.version="8.13.5.20060308">foo.bar ESMTP Sendmail 8.13.5.20060308/8.13.5/Debian-3ubuntu1.1; Fri, 24 Jul 2009 01:41:21 -0700; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
1172
+ <example service.version="8.14.4">foo.bar ESMTP Sendmail 8.14.4/8.14.4/Debian-4.1ubuntu1; Thu, 30 Nov 2017 11:00:30 +0100; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
1265
1173
  <param pos="0" name="service.family" value="Sendmail"/>
1266
1174
  <param pos="0" name="service.product" value="Sendmail"/>
1267
1175
  <param pos="0" name="os.vendor" value="Ubuntu"/>
1268
1176
  <param pos="0" name="os.family" value="Linux"/>
1269
- <param pos="0" name="os.device" value="General"/>
1270
1177
  <param pos="0" name="os.product" value="Linux"/>
1271
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
1178
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1272
1179
  <param pos="1" name="host.name"/>
1273
1180
  <param pos="2" name="service.version"/>
1274
1181
  <param pos="3" name="system.time"/>
1275
1182
  </fingerprint>
1276
1183
  <fingerprint pattern="^([^ ]+) (?:E?SMTP )?Sendmail SMI-([^/]+)/(SMI-SVR4) ready at (.+)$">
1277
- <description>
1278
- unknown
1279
- </description>
1280
- <example>foo.bar.com Sendmail SMI-8.6/SMI-SVR4 ready at Sun, 29 Jul 2001 22:58:46 -0400</example>
1184
+ <description>Sendmail - Solaris (SMI variant)</description>
1185
+ <example>foo.bar Sendmail SMI-8.6/SMI-SVR4 ready at Sun, 29 Jul 2001 22:58:46 -0400</example>
1281
1186
  <param pos="0" name="service.family" value="Sendmail"/>
1282
1187
  <param pos="0" name="service.product" value="Sendmail"/>
1283
1188
  <param pos="0" name="os.vendor" value="Sun"/>
1284
1189
  <param pos="0" name="os.family" value="SunOS"/>
1285
1190
  <param pos="0" name="os.device" value="General"/>
1286
1191
  <param pos="0" name="os.product" value="Solaris"/>
1287
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
1192
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1288
1193
  <param pos="1" name="host.name"/>
1289
1194
  <param pos="2" name="service.version"/>
1290
1195
  <param pos="3" name="sendmail.config.version"/>
1291
1196
  <param pos="4" name="system.time"/>
1292
1197
  </fingerprint>
1293
1198
  <fingerprint pattern="^([^ ]+) ESMTP Sendmail ([^ ]+)/(linuxconf); (.+)$">
1294
- <description>
1295
- unknown
1296
- </description>
1297
- <example>foo.bar.com ESMTP Sendmail 8.9.3/linuxconf; Sun, 29 Jul 2001 22:48:28 -0400</example>
1199
+ <description>Sendmail - unknown platform (linuxconf variant)</description>
1200
+ <example>foo.bar ESMTP Sendmail 8.9.3/linuxconf; Sun, 29 Jul 2001 22:48:28 -0400</example>
1298
1201
  <param pos="0" name="service.family" value="Sendmail"/>
1299
1202
  <param pos="0" name="service.product" value="Sendmail"/>
1300
1203
  <param pos="0" name="os.family" value="Linux"/>
1301
1204
  <param pos="0" name="os.device" value="General"/>
1302
1205
  <param pos="0" name="os.product" value="Linux"/>
1303
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
1206
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1304
1207
  <param pos="1" name="host.name"/>
1305
1208
  <param pos="2" name="service.version"/>
1306
1209
  <param pos="3" name="sendmail.config.version"/>
1307
1210
  <param pos="4" name="system.time"/>
1308
1211
  </fingerprint>
1309
1212
  <fingerprint pattern="^([^ ]+) ESMTP MetaInfo Sendmail ([^ ]+) Build ([^ ]+) \(Berkeley ([^ ]+)\)/([^;]+); (.+)$">
1310
- <description>
1311
- unknown
1312
- </description>
1313
- <example>foo.bar.com ESMTP MetaInfo Sendmail 2.5 Build 2630 (Berkeley 8.8.6)/8.8.4; Mon, 30 Jul</example>
1213
+ <description>Sendmail - MetaInfo</description>
1214
+ <example>foo.bar ESMTP MetaInfo Sendmail 2.5 Build 2630 (Berkeley 8.8.6)/8.8.4; Mon, 30 Jul</example>
1314
1215
  <param pos="0" name="service.vendor" value="MetaInfo"/>
1315
1216
  <param pos="0" name="service.family" value="Sendmail"/>
1316
1217
  <param pos="0" name="service.product" value="Sendmail"/>
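Review bot: The `?+` after `(?:build\d)` in the "Sendmail - Debian patch only" pattern looks like a stray `+`. Ruby and Java read it as a possessive optional, but engines without possessive quantifiers may reject the pattern, so the fingerprint may fail to load where this XML is consumed by another implementation. A plain optional group matches the same three examples: `Debian-\d(?:\.\d)?(?:build\d)?; (.+); .*$`. Separately, the Solaris description added in this hunk misspells "offset" and should read `Sendmail - Solaris with date (no time offset variant)`.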
@@ -1318,7 +1219,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
1318
1219
  <param pos="0" name="os.family" value="Windows"/>
1319
1220
  <param pos="0" name="os.device" value="General"/>
1320
1221
  <param pos="0" name="os.product" value="Windows NT"/>
1321
- <param pos="0" name="system.time.format" value="EEE, dd MMM"/>
1222
+ <param pos="0" name="system.time.format" value="EEE, d MMM"/>
1322
1223
  <param pos="1" name="host.name"/>
1323
1224
  <param pos="2" name="metainfo.version"/>
1324
1225
  <param pos="3" name="metainfo.version.version"/>
@@ -1326,186 +1227,120 @@ The system or service fingerprint with the highest certainty overwrites the othe
1326
1227
  <param pos="5" name="sendmail.config.version"/>
1327
1228
  <param pos="6" name="system.time"/>
1328
1229
  </fingerprint>
1329
- <fingerprint pattern="^([^ ]+) +ESMTP +Sendmail +([^ ]+\+[^ ]+) */ *([^ ]+\+[^ ]+); *(.+) \(.+\)$">
1330
- <description>
1331
- sendmail where both daemon and config file are patched
1332
- </description>
1333
- <example>foo.bar.com ESMTP Sendmail 8.9.3+3.4W/8.9.3+3.4W; Tue, 30 Jan 2001 20:40:09 -0500 (EST)</example>
1334
- <param pos="0" name="service.family" value="Sendmail"/>
1230
+ <fingerprint pattern="^([^ ]+) +ESMTP .*Sendmail +([^/ ]+) */ *([^/ ]+); *((?:\w\w\w, \d+ \w\w\w \d\d\d\d [\d:]+ [-+]\d\d\d\d)?)(?: \(.+\))?$">
1231
+ <description>Sendmail - optional timezone and timestamp, w/o OS</description>
1232
+ <example host.name="foo.bar" service.version="8.9.3+3.4W" sendmail.config.version="8.9.3+3.4W" system.time="Tue, 30 Jan 2001 20:40:09 -0500">foo.bar ESMTP Sendmail 8.9.3+3.4W/8.9.3+3.4W; Tue, 30 Jan 2001 20:40:09 -0500 (EST)</example>
1233
+ <example host.name="foo.bar" service.version="8.12.10" sendmail.config.version="8.12.10">foo.bar ESMTP Sendmail 8.12.10/8.12.10;</example>
1234
+ <example host.name="foo.bar" service.version="8.8.8" sendmail.config.version="8.8.9">foo.bar ESMTP Sendmail 8.8.8/8.8.9; Wed, 21 Nov 2001 23:39:07 +0100 (CET)</example>
1235
+ <example host.name="foo.bar" service.version="8.8.8" sendmail.config.version="8.8.9">foo.bar ESMTP blah Sendmail 8.8.8/8.8.9; Wed, 21 Nov 2001 23:39:07 +0100 (CET)</example>
1236
+ <example host.name="foo.bar" service.version="8.10.2" sendmail.config.version="8.10.3">foo.bar ESMTP Sendmail 8.10.2/8.10.3; Mon, 10 Sep 2001 08:37:14 -0400</example>
1237
+ <example host.name="foo.bar" service.version="8.13.8" sendmail.config.version="8.13.9">foo.bar ESMTP foo-MTA Sendmail 8.13.8/8.13.9; Mon, 18 Apr 2011 08:52:38 -0700</example>
1335
1238
  <param pos="0" name="service.product" value="Sendmail"/>
1336
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
1239
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1337
1240
  <param pos="1" name="host.name"/>
1338
1241
  <param pos="2" name="service.version"/>
1339
1242
  <param pos="3" name="sendmail.config.version"/>
1340
1243
  <param pos="4" name="system.time"/>
1341
1244
  </fingerprint>
1342
- <fingerprint pattern="^([^ ]+) +ESMTP .*Sendmail +([^/ ]+) */ *([^/ ]+); *(.+)(?: \(.+\))?$">
1343
- <description>
1344
- sendmail where neither daemon nor config file are patched, with and without timezone
1345
- </description>
1346
- <example host.name="example.com" service.version="8.8.8" sendmail.config.version="8.8.9">example.com ESMTP Sendmail 8.8.8/8.8.9; Wed, 21 Nov 2001 23:39:07 +0100 (CET)</example>
1347
- <example host.name="example.com" service.version="8.8.8" sendmail.config.version="8.8.9">example.com ESMTP blah Sendmail 8.8.8/8.8.9; Wed, 21 Nov 2001 23:39:07 +0100 (CET)</example>
1348
- <example host.name="example.com" service.version="8.10.2" sendmail.config.version="8.10.3">example.com ESMTP Sendmail 8.10.2/8.10.3; Mon, 10 Sep 2001 08:37:14 -0400</example>
1349
- <example host.name="example.com" service.version="8.13.8" sendmail.config.version="8.13.9">example.com ESMTP foo-MTA Sendmail 8.13.8/8.13.9; Mon, 18 Apr 2011 08:52:38 -0700</example>
1350
- <param pos="0" name="service.family" value="Sendmail"/>
1245
+ <fingerprint pattern="^([^ ]+) +ESMTP .*Sendmail +([^/ ]+) */ *([^/ ]+); *(\w\w\w, \d+ \w\w\w \d\d\d\d [\d:]+ \w+)\.?$">
1246
+ <description>Sendmail - with timezone and timestamp, w/o timezone offset or OS</description>
1247
+ <example host.name="foo.bar" service.version="8.14.4" sendmail.config.version="8.14.4" system.time="Thu, 5 Apr 2018 19:30:58 GMT">foo.bar ESMTP Sendmail 8.14.4/8.14.4; Thu, 5 Apr 2018 19:30:58 GMT</example>
1351
1248
  <param pos="0" name="service.product" value="Sendmail"/>
1352
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
1249
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss z"/>
1353
1250
  <param pos="1" name="host.name"/>
1354
1251
  <param pos="2" name="service.version"/>
1355
1252
  <param pos="3" name="sendmail.config.version"/>
1356
1253
  <param pos="4" name="system.time"/>
1357
1254
  </fingerprint>
1358
- <fingerprint pattern="^([^ ]+) +Sendmail ready\. *$">
1359
- <description>
1360
- some old version of sendmail - TODO: figure out which versions this could be
1361
- </description>
1362
- <example>mail.foo.bar Sendmail ready.</example>
1255
+ <fingerprint pattern="^([^ ]+) +ESMTP +Sendmail ([^ ]+) ready at *(\w\w\w, \d+ \w\w\w \d\d\d\d [\d:]+ [-+]\d\d\d\d)(?: \(.+\))$">
1256
+ <description>Sendmail - with version and date (optional timezone), w/o config version</description>
1257
+ <example host.name="foo.bar" service.version="8.8.8" system.time="Tue, 6 Feb 2001 14:37:14 +0100">foo.bar ESMTP Sendmail 8.8.8 ready at Tue, 6 Feb 2001 14:37:14 +0100 (CET)</example>
1363
1258
  <param pos="0" name="service.family" value="Sendmail"/>
1364
1259
  <param pos="0" name="service.product" value="Sendmail"/>
1365
- <param pos="1" name="host.name"/>
1366
- </fingerprint>
1367
- <fingerprint pattern="^([^ ]+) +ESMTP +Sendmail ([^ ]+) ready at *(.+) \(.+\)$">
1368
- <description>
1369
- sendmail with daemon version only
1370
- </description>
1371
- <example>mail.foo.bar ESMTP Sendmail 8.8.8 ready at Tue, 6 Feb 2001 14:37:14 +0100 (CET)</example>
1372
- <param pos="0" name="service.family" value="Sendmail"/>
1373
- <param pos="0" name="service.product" value="Sendmail"/>
1374
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
1260
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1375
1261
  <param pos="1" name="host.name"/>
1376
1262
  <param pos="2" name="service.version"/>
1377
1263
  <param pos="3" name="system.time"/>
1378
1264
  </fingerprint>
1379
- <fingerprint pattern="^([^ ]+) +ESMTP +Sendmail ([^ /]+) \([^\)]+\) *(.+) \(.+\)$">
1380
- <description>
1381
- unknown
1382
- </description>
1383
- <example>mail.foo.bar ESMTP Sendmail 8.11.1 (1.1.2.11/12Jul01-1016AM) Wed, 8 Jan 2003 11:21:22 +0100 (MET)</example>
1265
+ <fingerprint pattern="^([^ ]+) +ESMTP +Sendmail ([^ /]+) - \([^\)]+\)/[^ ]+;? *(\w\w\w, \d+ \w\w\w \d\d\d\d [\d:]+ [-+]\d\d\d\d)(?: \(.+\)) *$">
1266
+ <description>Sendmail - revision variant 1</description>
1267
+ <example>foo.foo.bar ESMTP Sendmail 8.11.1 - (Revision 1.010)/8.9.3; Sat, 22 Jan 2011 10:08:35 -0500 (EST)</example>
1384
1268
  <param pos="0" name="service.family" value="Sendmail"/>
1385
1269
  <param pos="0" name="service.product" value="Sendmail"/>
1386
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
1270
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1387
1271
  <param pos="1" name="host.name"/>
1388
1272
  <param pos="2" name="service.version"/>
1389
1273
  <param pos="3" name="system.time"/>
1390
1274
  </fingerprint>
1391
- <fingerprint pattern="^([^ ]+) +ESMTP +Sendmail ([^ /]+) - \([^\)]+\)/[^ ]+;? *(.+) \(.+\)$">
1392
- <description>
1393
- unknown
1394
- </description>
1395
- <example>foo.example.com ESMTP Sendmail 8.11.1 - (Revision 1.010)/8.9.3; Sat, 22 Jan 2011 10:08:35 -0500 (EST)</example>
1275
+ <fingerprint pattern="^([^ ]+) +ESMTP +Sendmail +(?:[^ ]+) +version +([^ ]+) +- +(?:[^;]+); *(\w\w\w, \d+ \w\w\w \d\d\d\d [\d:]+ [-+]\d\d\d\d)(?: \(.+\)) *$">
1276
+ <description>Sendmail - revision variant 2</description>
1277
+ <example>foo.foo.bar ESMTP Sendmail @(#)Sendmail version 8.13.3 - Revision 2.007 - 8 December 2008/8.8.6; Wed, 21 Jul 2010 11:17:01 -0400 (EDT)</example>
1396
1278
  <param pos="0" name="service.family" value="Sendmail"/>
1397
1279
  <param pos="0" name="service.product" value="Sendmail"/>
1398
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
1280
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1399
1281
  <param pos="1" name="host.name"/>
1400
1282
  <param pos="2" name="service.version"/>
1401
1283
  <param pos="3" name="system.time"/>
1402
1284
  </fingerprint>
1403
- <fingerprint pattern="^([^ ]+) +ESMTP +Sendmail +(?:[^ ]+) +version +([^ ]+) +- +(?:[^;]+); +(.+) +\(.+\)$">
1404
- <description>
1405
- unknown
1406
- </description>
1407
- <example>foo.example.com ESMTP Sendmail @(#)Sendmail version 8.13.3 - Revision 2.007 - 8 December 2008/8.8.6; Wed, 21 Jul 2010 11:17:01 -0400 (EDT)</example>
1285
+ <fingerprint pattern="^(?i)([^ ]+) +(?:ESMTP +)?Sendmail *(?: Ready.? ?)?(?:;|at)? ?((?:\w\w\w, \d+ \w\w\w \d\d\d\d [\d:]+ [-+]\d\d\d\d)?)(?: \(.+\))?$">
1286
+ <description>Sendmail - with date, w/o version or platform, optional status string.</description>
1287
+ <example host.name="foo.bar">foo.bar ESMTP Sendmail ; Thu, 30 Nov 2017 17:50:14 +0900</example>
1288
+ <example host.name="foo.bar">foo.bar ESMTP Sendmail; Thu, 30 Nov 2017 17:50:14 +0900</example>
1289
+ <example host.name="foo.bar" system.time="Wed, 20 May 2015 17:17:56 -0600">foo.bar ESMTP Sendmail Wed, 20 May 2015 17:17:56 -0600</example>
1290
+ <example host.name="foo.bar" system.time="Thu, 30 Nov 2017 10:24:14 +0100">foo.bar ESMTP Sendmail Ready; Thu, 30 Nov 2017 10:24:14 +0100</example>
1291
+ <example host.name="foo.bar">foo.bar ESMTP Sendmail ready at Fri, 6 Apr 2018 04:57:01 +0900</example>
1292
+ <example host.name="foo.bar">foo.bar ESMTP Sendmail ready</example>
1293
+ <example host.name="foo.bar">foo.bar ESMTP Sendmail ready. </example>
1294
+ <example host.name="foo.bar">foo.bar ESMTP Sendmail</example>
1295
+ <example host.name="foo.bar">foo.bar Sendmail ready. </example>
1408
1296
  <param pos="0" name="service.family" value="Sendmail"/>
1409
- <param pos="0" name="service.product" value="Sendmail"/>
1410
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
1411
- <param pos="1" name="host.name"/>
1412
- <param pos="2" name="service.version"/>
1413
- <param pos="3" name="system.time"/>
1414
- </fingerprint>
1415
- <fingerprint pattern="^Sendmail ESMTP ready$">
1416
- <description>
1417
- catch all for other versions of sendmail, no hostname or date
1418
- </description>
1419
- <example>Sendmail ESMTP ready</example>
1420
1297
  <param pos="0" name="service.family" value="Sendmail"/>
1421
1298
  <param pos="0" name="service.product" value="Sendmail"/>
1422
- </fingerprint>
1423
- <fingerprint pattern="^Sendmail ([^/]+)/([^/]+) ready on ([^ ]+)$">
1424
- <description>
1425
- catch all for other versions of sendmail
1426
- </description>
1427
- <param pos="0" name="service.family" value="Sendmail"/>
1428
- <param pos="0" name="service.product" value="Sendmail"/>
1429
- <param pos="1" name="service.version"/>
1430
- <param pos="2" name="sendmail.config.version"/>
1431
- <param pos="3" name="host.name"/>
1432
- </fingerprint>
1433
- <fingerprint pattern="^([^ ]+) +ESMTP +Sendmail ready at (.+) \(.+\)$">
1434
- <description>
1435
- catch all for other versions of sendmail
1436
- </description>
1437
- <param pos="0" name="service.family" value="Sendmail"/>
1438
- <param pos="0" name="service.product" value="Sendmail"/>
1439
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
1440
1299
  <param pos="1" name="host.name"/>
1441
1300
  <param pos="2" name="system.time"/>
1301
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1442
1302
  </fingerprint>
1443
- <fingerprint pattern="^([^ ]+) +ESMTP +Sendmail ;.*$">
1444
- <description>
1445
- catch all for other versions of sendmail
1446
- </description>
1447
- <param pos="0" name="service.family" value="Sendmail"/>
1448
- <param pos="0" name="service.product" value="Sendmail"/>
1449
- <param pos="1" name="host.name"/>
1450
- </fingerprint>
1451
- <fingerprint pattern="^([^ ]+) ESMTP Sendmail ready$">
1452
- <description>
1453
- catch all for other versions of sendmail
1454
- </description>
1303
+ <fingerprint pattern="^ESMTP Sendmail +([^/ ]+) */ *([^/ ]+); (\w\w\w, \d+ \w\w\w \d\d\d\d [\d:]+ [-+]\d\d\d\d)$">
1304
+ <description>Sendmail - with version and date, w/o hostname or platform (semicolon variant)</description>
1305
+ <example service.version="8.13.1" sendmail.config.version="8.13.1" system.time="Thu, 30 Nov 2017 01:58:22 -0700">ESMTP Sendmail 8.13.1/8.13.1; Thu, 30 Nov 2017 01:58:22 -0700</example>
1455
1306
  <param pos="0" name="service.family" value="Sendmail"/>
1456
1307
  <param pos="0" name="service.product" value="Sendmail"/>
1457
- <param pos="1" name="host.name"/>
1308
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1309
+ <param pos="1" name="service.version"/>
1310
+ <param pos="2" name="sendmail.config.version"/>
1311
+ <param pos="3" name="system.time"/>
1458
1312
  </fingerprint>
1459
- <fingerprint pattern="^([^ ]+) Sendmail ([^/]+)/([^ ]+) ready at ([^;\.]+)$">
1460
- <description>
1461
- catch all for other versions of sendmail
1462
- </description>
1313
+ <fingerprint pattern="^([^ ]+) +ESMTP +Sendmail ([^ /]+) \([^\)]+\) *(.+) \(.+\)$">
1314
+ <description>Sendmail - unknown (date in version string variant)</description>
1315
+ <example>mail.foo.bar ESMTP Sendmail 8.11.1 (1.1.2.11/12Jul01-1016AM) Wed, 8 Jan 2003 11:21:22 +0100 (MET)</example>
1463
1316
  <param pos="0" name="service.family" value="Sendmail"/>
1464
1317
  <param pos="0" name="service.product" value="Sendmail"/>
1465
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
1318
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1466
1319
  <param pos="1" name="host.name"/>
1467
1320
  <param pos="2" name="service.version"/>
1468
- <param pos="3" name="sendmail.config.version"/>
1469
- <param pos="4" name="system.time"/>
1321
+ <param pos="3" name="system.time"/>
1470
1322
  </fingerprint>
1323
+ <!-- *Sendmail* fingerprints after this line had NO matches in 2017.11.30 Project Sonar data set-->
1471
1324
  <fingerprint pattern="^([^ ]+) Sendmail ([^;]+); ([^;\.]+)$">
1472
- <description>
1473
- catch all for other versions of sendmail
1474
- </description>
1325
+ <description>Sendmail - unknown platform, variant 1</description>
1475
1326
  <param pos="0" name="service.family" value="Sendmail"/>
1476
1327
  <param pos="0" name="service.product" value="Sendmail"/>
1477
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
1328
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss zzz"/>
1478
1329
  <param pos="1" name="host.name"/>
1479
1330
  <param pos="2" name="service.version"/>
1480
1331
  <param pos="3" name="system.time"/>
1481
1332
  </fingerprint>
1482
- <fingerprint pattern="^([^ ]+) ESMTP Sendmail$">
1483
- <description>
1484
- catch all for other versions of sendmail
1485
- </description>
1486
- <param pos="0" name="service.family" value="Sendmail"/>
1487
- <param pos="0" name="service.product" value="Sendmail"/>
1488
- <param pos="1" name="host.name"/>
1489
- </fingerprint>
1490
- <fingerprint pattern="^(\S+) ESMTP Sendmail (\S{3}, \d{1,2} \S{3} \d{4} \d{2}:\d{2}:\d{2} \S+)$">
1491
- <description>
1492
- catch all for other versions of sendmail, with a date/time
1493
- </description>
1494
- <example host.name="example.com">example.com ESMTP Sendmail Wed, 20 May 2015 17:17:56 -0600</example>
1495
- <example host.name="example.com">example.com ESMTP Sendmail Wed, 5 Aug 2015 17:40:38 -0400</example>
1333
+ <fingerprint pattern="^Sendmail ([^/]+)/([^/]+) ready on ([^ ]+)$">
1334
+ <description>Sendmail - basic with version and date</description>
1496
1335
  <param pos="0" name="service.family" value="Sendmail"/>
1497
1336
  <param pos="0" name="service.product" value="Sendmail"/>
1498
- <param pos="1" name="host.name"/>
1499
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
1500
- <param pos="2" name="system.time"/>
1337
+ <param pos="1" name="service.version"/>
1338
+ <param pos="2" name="sendmail.config.version"/>
1339
+ <param pos="3" name="host.name"/>
1501
1340
  </fingerprint>
1502
- <!-- Sun Internet Mail Server -->
1503
- <!-- Sun Internet Mail Server sims\.([^\.]+)([^\.]+)([^\.]+)([^\.]+)([^\.]+)([^\.]+)([^\.]+)([^\.]+) -->
1504
- <!-- these suckers can have LOTS of version numbers -->
1505
- <fingerprint pattern="^([^ ]+) -- Server ESMTP \(Sun Internet Mail Server sims\.([^\.]+\.[^\.]+\.[^\.]+\.[^\.]+\.[^\.]+\.[^\.]+\.[^\.]+\.[^\.]+)\)$">
1506
- <description>
1507
- 220 smtp.foo.bar -- Server ESMTP (Sun Internet Mail Server sims.4.0.2000.10.12.16.25.p8)
1508
- </description>
1341
+ <fingerprint pattern="^([^ ]+) -- Server ESMTP \(Sun Internet Mail Server sims\.(\d\.[\w.]+)\)$">
1342
+ <description>Sun Internet Mail Server</description>
1343
+ <example host.name="foo.bar" service.version="4.0.2000.10.12.16.25.p8">foo.bar -- Server ESMTP (Sun Internet Mail Server sims.4.0.2000.10.12.16.25.p8)</example>
1509
1344
  <param pos="0" name="service.vendor" value="Sun"/>
1510
1345
  <param pos="0" name="service.family" value="Internet Mail Server"/>
1511
1346
  <param pos="0" name="service.product" value="Internet Mail Server"/>
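Review bot: `service.family` is now inconsistent across the rewritten generic Sendmail fingerprints. The two patterns described as "optional timezone and timestamp, w/o OS" and "with timezone and timestamp, w/o timezone offset or OS" lose their `<param pos="0" name="service.family" value="Sendmail"/>` line, while the "with date, w/o version or platform" fingerprint now carries it twice. Anything that keys asset or vulnerability correlation on `service.family` would get no family for banners matched by the first two, so the line should be restored there and one copy dropped from the third. Also, the "ready at" fingerprint's description says "(optional timezone)", but its trailing group `(?: \(.+\))` has no `?`, so a banner without the parenthesised zone name will not match. Writing it as `(?: \(.+\))?$` would make the pattern agree with the description.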
@@ -1516,27 +1351,23 @@ The system or service fingerprint with the highest certainty overwrites the othe
1516
1351
  <param pos="1" name="host.name"/>
1517
1352
  <param pos="2" name="service.version"/>
1518
1353
  </fingerprint>
1519
- <!-- these suckers can have LOTS of version numbers -->
1520
- <fingerprint pattern="^([^ ]+) -- Server ESMTP \(Sun Internet Mail Server sims\.([^\.]+\.[^\.]+\.[^\.]+\.[^\.]+\.[^\.]+\.[^\.]+\.[^\.]+)\)$">
1521
- <description>
1522
- 220 mercury.doc.ntu.ac.uk -- Server ESMTP (Sun Internet Mail Server sims.4.0.1999.06.13.00.20)
1523
- </description>
1524
- <param pos="0" name="service.vendor" value="Sun"/>
1525
- <param pos="0" name="service.family" value="Internet Mail Server"/>
1526
- <param pos="0" name="service.product" value="Internet Mail Server"/>
1527
- <param pos="0" name="os.vendor" value="Sun"/>
1528
- <param pos="0" name="os.family" value="Solaris"/>
1529
- <param pos="0" name="os.device" value="General"/>
1530
- <param pos="0" name="os.product" value="Solaris"/>
1354
+ <fingerprint pattern="^(?:2.0.0 )?([^ ]+) ESMTP ecelerity (\d\.[\d.]+) r\(([^)]+)\) (\w\w\w, \d+ \w\w\w \d\d\d\d [\d:]+ [-+]\d\d\d\d) *$">
1355
+ <description>Ecelerity</description>
1356
+ <example host.name="foo.bar" system.time="Thu, 30 Nov 2017 05:11:00 -0500">2.0.0 foo.bar ESMTP ecelerity 4.0.0.43760 r(Platform:4.0.0.1) Thu, 30 Nov 2017 05:11:00 -0500</example>
1357
+ <example>foo.bar ESMTP ecelerity 3.3.1.44388 r(44388) Thu, 30 Nov 2017 03:10:11 -0700</example>
1358
+ <example>foo.bar ESMTP ecelerity 3.6.25.56547 r(Core:3.6.25.0) Thu, 30 Nov 2017 03:17:07 -0600</example>
1359
+ <example service.version="4.2.37.61980" service.component.version=":">foo.bar ESMTP ecelerity 4.2.37.61980 r(:) Thu, 30 Nov 2017 09:58:54 +0000</example>
1360
+ <param pos="0" name="service.vendor" value="Ecelerity"/>
1361
+ <param pos="0" name="service.family" value="Ecelerity Mail Server"/>
1362
+ <param pos="0" name="service.product" value="Ecelerity Mail Server"/>
1363
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1531
1364
  <param pos="1" name="host.name"/>
1532
1365
  <param pos="2" name="service.version"/>
1366
+ <param pos="3" name="service.component.version"/>
1367
+ <param pos="4" name="system.time"/>
1533
1368
  </fingerprint>
1534
- <fingerprint pattern="^([^ ]+) SMTP Server SLMail v?(\d\.[\d.]+) Ready ESMTP spoken here *$" flags="REG_ICASE">
1535
- <description>
1536
- Seattle Labs SLMail server for Windows NT/2k (v2.7 runs on Win9x)
1537
- http://serverwatch.internet.com/reviews/mail-slmail.html
1538
- http://www.seattlelab.com/
1539
- </description>
1369
+ <fingerprint pattern="^(?i)([^ ]+) SMTP Server SLMail v?(\d\.[\d.]+) Ready ESMTP spoken here *$">
1370
+ <description>Seattle Labs SLMail server for Windows NT/2k (v2.7 runs on Win9x)</description>
1540
1371
  <example service.version="2.7">foo.bar Smtp Server SLMail v2.7 Ready ESMTP spoken here</example>
1541
1372
  <example service.version="3.2.3113">foo.bar SMTP Server SLmail 3.2.3113 Ready ESMTP spoken here</example>
1542
1373
  <example service.version="5.5.0.4433">foo.bar SMTP Server SLmail 5.5.0.4433 Ready ESMTP spoken here</example>
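Review bot: The optional status prefix in the new ecelerity pattern, `(?:2.0.0 )?`, leaves its dots unescaped, so each one matches any character rather than a literal period; `(?:2\.0\.0 )?` would restrict it to the prefix shown in the first example. The second and third `<example>` elements carry no expected attributes, so they appear to confirm only that the pattern matches and would not catch a regression in the `service.version` or `service.component.version` captures. Adding the expected values, as the fourth example does, would cover that. The SLMail fingerprint whose pattern is changed at the end of this hunk continues outside it.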
@@ -1560,10 +1391,29 @@ The system or service fingerprint with the highest certainty overwrites the othe
1560
1391
  <param pos="0" name="service.product" value="Symantec Messaging Gateway"/>
1561
1392
  <param pos="1" name="host.name"/>
1562
1393
  </fingerprint>
1394
+ <!-- SonicWall makes hardware, virtual appliances, and Windows software. The banner doesn't indicate which. -->
1395
+ <fingerprint pattern="^(?i)([^ ]+) ESMTP SonicWALL \(([\d.]+)\)$">
1396
+ <description>SonicWall Email Security</description>
1397
+ <example host.name="foo.bar" service.version="9.0.5.2077">foo.bar ESMTP SonicWALL (9.0.5.2077)</example>
1398
+ <example host.name="foo.bar" service.version="9.1.1.3113">foo.bar ESMTP SonicWall (9.1.1.3113)</example>
1399
+ <param pos="0" name="service.vendor" value="SonicWall"/>
1400
+ <param pos="0" name="service.vendor" value="SonicWall"/>
1401
+ <param pos="0" name="service.family" value="Email Security"/>
1402
+ <param pos="0" name="service.product" value="Email Security"/>
1403
+ <param pos="1" name="host.name"/>
1404
+ <param pos="2" name="service.version"/>
1405
+ </fingerprint>
1406
+ <fingerprint pattern="^([^ ]+) \(PowerMTA\(TM\) v([\d.r]+)\) ESMTP service ready$">
1407
+ <description>PowerMTA</description>
1408
+ <example host.name="foo.bar" service.version="3.2r24">foo.bar (PowerMTA(TM) v3.2r24) ESMTP service ready</example>
1409
+ <param pos="0" name="service.vendor" value="port25"/>
1410
+ <param pos="0" name="service.family" value="PowerMTA"/>
1411
+ <param pos="0" name="service.product" value="PowerMTA"/>
1412
+ <param pos="1" name="host.name"/>
1413
+ <param pos="2" name="service.version"/>
1414
+ </fingerprint>
1563
1415
  <fingerprint pattern="^([^ ]+) +VOPmail ESMTP Receiver Version (\d\.[\d.]+) Ready$">
1564
- <description>
1565
- VOPMail http://www.vircom.com/en/products/vopmail/vopmail.shtml
1566
- </description>
1416
+ <description>VOPMail http://www.vircom.com/en/products/vopmail/vopmail.shtml</description>
1567
1417
  <example host.name="foo.bar" service.version="4.0.179.0">foo.bar VOPmail ESMTP Receiver Version 4.0.179.0 Ready</example>
1568
1418
  <param pos="0" name="service.vendor" value="Vircom"/>
1569
1419
  <param pos="0" name="service.family" value="VOPMail"/>
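Review bot: The new SonicWall fingerprint declares `<param pos="0" name="service.vendor" value="SonicWall"/>` twice on consecutive lines (new lines 1399 and 1400); one of the two should be removed, or replaced if a different parameter was meant there. A consumer that collects params into a map will probably keep one silently, but a stricter loader or lint step may reject or warn on the duplicate name. The VOPmail fingerprint at the end of this hunk continues outside it.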
@@ -1572,9 +1422,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
1572
1422
  <param pos="2" name="service.version"/>
1573
1423
  </fingerprint>
1574
1424
  <fingerprint pattern="^([^ ]+) VPOP3 E?SMTP Server (?:Ready|access not allowed!)$">
1575
- <description>
1576
- VPOP3 Email server: http://www.pscs.co.uk/products/vpop3/index.html
1577
- </description>
1425
+ <description>VPOP3 Email server: http://www.pscs.co.uk/products/vpop3/index.html</description>
1578
1426
  <example>foo.bar VPOP3 ESMTP Server Ready</example>
1579
1427
  <example>foo.bar VPOP3 SMTP Server Ready</example>
1580
1428
  <example>foo.bar VPOP3 SMTP Server access not allowed!</example>
@@ -1583,44 +1431,26 @@ The system or service fingerprint with the highest certainty overwrites the othe
1583
1431
  <param pos="0" name="service.product" value="VPOP3"/>
1584
1432
  <param pos="1" name="host.name"/>
1585
1433
  </fingerprint>
1586
- <fingerprint pattern="^([^ ]+) WebShield SMTP V([^ ]+\.[^ ]+) Network Associates.*Ready at (.+) *$">
1587
- <description>
1588
- http://www.mcafeeb2b.com/products/webshield-smtp/default.asp
1589
- example:220 smtp.foo.bar WebShield SMTP V4.5 Network Associates, Inc. Ready at Fri Jun 22 02:36:23 2001
1590
- </description>
1591
- <param pos="0" name="service.vendor" value="McAfee"/>
1592
- <param pos="0" name="service.family" value="WebShield"/>
1593
- <param pos="0" name="service.product" value="WebShield"/>
1594
- <param pos="0" name="system.time.format" value="EEE dd MMM yyyy HH:mm:ss zzz"/>
1595
- <param pos="1" name="host.name"/>
1596
- <param pos="2" name="service.version"/>
1597
- <param pos="3" name="system.time"/>
1598
- </fingerprint>
1599
- <fingerprint pattern="^([^ ]+) WebShield SMTP V([^ ]+\.[^ ]+) ([^ ]+) Network Associates.*Ready at (.+) *$">
1600
- <description>
1601
- http://www.mcafeeb2b.com/products/webshield-smtp/default.asp
1602
- example:220 wsigate WebShield SMTP V4.5 MR1 Network Associates, Inc. Ready at Sun Jul 29 22:47:44 2001
1603
- </description>
1434
+ <fingerprint pattern="^([^ ]+) WebShield SMTP V([^ ]+\.[^ ]+) (:?[^ ]+)? ?Network Associates.*Ready at (.+) *$">
1435
+ <description>McAfee WebShield</description>
1436
+ <example host.name="foo.bar" service.version="4.5" service.version.version="MR1a">foo.bar WebShield SMTP V4.5 MR1a Network Associates, Inc. Ready at Thu Nov 30 09:15:32 2017</example>
1437
+ <example host.name="foo.bar" service.version="4.5" system.time="Thu Nov 30 09:15:32 2017">foo.bar WebShield SMTP V4.5 Network Associates, Inc. Ready at Thu Nov 30 09:15:32 2017</example>
1604
1438
  <param pos="0" name="service.vendor" value="McAfee"/>
1605
1439
  <param pos="0" name="service.family" value="WebShield"/>
1606
1440
  <param pos="0" name="service.product" value="WebShield"/>
1607
- <param pos="0" name="system.time.format" value="EEE dd MMM yyyy HH:mm:ss zzz"/>
1441
+ <param pos="0" name="system.time.format" value="EEE d MMM HH:mm:ss yyyy"/>
1608
1442
  <param pos="1" name="host.name"/>
1609
1443
  <param pos="2" name="service.version"/>
1610
1444
  <param pos="3" name="service.version.version"/>
1611
1445
  <param pos="4" name="system.time"/>
1612
1446
  </fingerprint>
1613
1447
  <fingerprint pattern="^([^ ]+) McAfee WebShield ASaP v([^ ]+\.[^ ]+\.[^ ]+): (.+) *$">
1614
- <description>
1615
- McAfee Webshield ASaP is a combination hardware/software platform,
1616
- basically consisting of a 1U Linux rackmount box with McAfee's filtering software
1617
- http://www.mcafeeb2b.com/services/webshield-asap/faq.asp
1618
- example: 220 smtp.foo.bar McAfee WebShield ASaP v1.0.1: Sun, 29 Jul 2001 22:46:18 -0700
1619
- </description>
1448
+ <description>McAfee Webshield ASaP (bundled hardware / software)</description>
1449
+ <example host.name="foo.bar" service.version="1.0.1" system.time="Sun, 29 Jul 2001 22:46:18 -0700">foo.bar McAfee WebShield ASaP v1.0.1: Sun, 29 Jul 2001 22:46:18 -0700</example>
1620
1450
  <param pos="0" name="service.vendor" value="McAfee"/>
1621
1451
  <param pos="0" name="service.family" value="WebShield"/>
1622
1452
  <param pos="0" name="service.product" value="WebShield"/>
1623
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
1453
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1624
1454
  <param pos="0" name="os.vendor" value="McAfee"/>
1625
1455
  <param pos="0" name="os.family" value="Linux"/>
1626
1456
  <param pos="0" name="os.device" value="General"/>
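Review bot: The merged WebShield fingerprint sets `system.time.format` to `EEE d MMM HH:mm:ss yyyy`, but both of its examples print the month before the day (`Thu Nov 30 09:15:32 2017`), so a consumer that parses `system.time` with this format would fail or misread the timestamp. `value="EEE MMM d HH:mm:ss yyyy"` matches the banner text. In the same pattern, `(:?[^ ]+)?` looks like a mistyped group opener: as written it is a capturing group that accepts an optional leading colon. The capture is needed for `pos="3"`, so `([^ ]+)?` would express the intent without the stray `:?`. The ASaP fingerprint at the end of this hunk continues outside it.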
@@ -1630,13 +1460,12 @@ The system or service fingerprint with the highest certainty overwrites the othe
1630
1460
  <param pos="3" name="system.time"/>
1631
1461
  </fingerprint>
1632
1462
  <fingerprint pattern="^([^ ]+) McAfee VirusScreen ASaP v([^ ]+\.[^ ]+): (.+) *$">
1633
- <description>
1634
- example: 220 smtp.foo.bar McAfee VirusScreen ASaP v1.1: Sun, 20 Jul 2003 09:20:52 -0700
1635
- </description>
1463
+ <description>McAfee VirusScreen</description>
1464
+ <example host.name="foo.bar" service.version="1.1" system.time="Sun, 20 Jul 2003 09:20:52 -0700">foo.bar McAfee VirusScreen ASaP v1.1: Sun, 20 Jul 2003 09:20:52 -0700</example>
1636
1465
  <param pos="0" name="service.vendor" value="McAfee"/>
1637
1466
  <param pos="0" name="service.family" value="WebShield"/>
1638
1467
  <param pos="0" name="service.product" value="WebShield"/>
1639
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
1468
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1640
1469
  <param pos="0" name="os.vendor" value="McAfee"/>
1641
1470
  <param pos="0" name="os.family" value="Linux"/>
1642
1471
  <param pos="0" name="os.device" value="General"/>
@@ -1645,11 +1474,16 @@ The system or service fingerprint with the highest certainty overwrites the othe
1645
1474
  <param pos="2" name="service.version"/>
1646
1475
  <param pos="3" name="system.time"/>
1647
1476
  </fingerprint>
1477
+ <fingerprint pattern="^([^ ]+) ESMTP Lyris ListManager service ready$">
1478
+ <description>Lyris ListManager</description>
1479
+ <example host.name="foo.bar">foo.bar ESMTP Lyris ListManager service ready</example>
1480
+ <param pos="0" name="service.vendor" value="Lyris"/>
1481
+ <param pos="0" name="service.family" value="ListManager"/>
1482
+ <param pos="0" name="service.product" value="ListManager"/>
1483
+ <param pos="1" name="host.name"/>
1484
+ </fingerprint>
1648
1485
  <fingerprint pattern="^([^ ]+) ESMTP - WinRoute Pro ([^ ]+\.[^ ]+)$">
1649
- <description>
1650
- WinRoute Pro, runs on 9x/NT/2k
1651
- http://www.tinysoftware.com/winpro.php
1652
- </description>
1486
+ <description>WinRoute Pro, runs on 9x/NT/2k http://www.tinysoftware.com/winpro.php</description>
1653
1487
  <example host.name="foo.bar" service.version="4.2.4">foo.bar ESMTP - WinRoute Pro 4.2.4</example>
1654
1488
  <param pos="0" name="service.family" value="WinRoute"/>
1655
1489
  <param pos="0" name="service.product" value="WinRoute"/>
@@ -1661,7 +1495,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
1661
1495
  <example service.version="4.2.1">ESMTP - WinRoute Pro 4.2.1 Thu, 16 Nov 2017 11:48:15 +0300</example>
1662
1496
  <param pos="0" name="service.family" value="WinRoute"/>
1663
1497
  <param pos="0" name="service.product" value="WinRoute"/>
1664
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
1498
+ <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss Z"/>
1665
1499
  <param pos="1" name="service.version"/>
1666
1500
  <param pos="2" name="system.time"/>
1667
1501
  </fingerprint>
@@ -1671,7 +1505,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
1671
1505
  <param pos="0" name="service.vendor" value="ZMailer"/>
1672
1506
  <param pos="0" name="service.family" value="ZMailer"/>
1673
1507
  <param pos="0" name="service.product" value="ZMailer"/>
1674
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
1508
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1675
1509
  <param pos="1" name="host.name"/>
1676
1510
  <param pos="2" name="service.version"/>
1677
1511
  <param pos="3" name="service.version.version"/>
@@ -1683,27 +1517,84 @@ The system or service fingerprint with the highest certainty overwrites the othe
1683
1517
  <param pos="0" name="service.vendor" value="ZMailer"/>
1684
1518
  <param pos="0" name="service.family" value="ZMailer"/>
1685
1519
  <param pos="0" name="service.product" value="ZMailer"/>
1686
- <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
1520
+ <param pos="0" name="system.time.format" value="EEE, d MMM yyyy HH:mm:ss Z"/>
1687
1521
  <param pos="0" name="zmailer.ident" value="yes"/>
1688
1522
  <param pos="1" name="host.name"/>
1689
1523
  <param pos="2" name="service.version"/>
1690
1524
  <param pos="3" name="service.version.version"/>
1691
1525
  <param pos="4" name="system.time"/>
1692
1526
  </fingerprint>
1693
- <fingerprint pattern="^(\S+) E?SMTP Perl" flags="REG_ICASE">
1527
+ <fingerprint pattern="^([^ ]+) Kerio Connect (\d\.[\d.]+) (?:patch (\d) )?ESMTP ready$">
1528
+ <description>Kerio Connect ESMTP</description>
1529
+ <example host.name="foo.bar" service.version="8.0.2">foo.bar Kerio Connect 8.0.2 ESMTP ready</example>
1530
+ <example service.version="9.2.5" service.version.version="3">foo.bar Kerio Connect 9.2.5 patch 3 ESMTP ready</example>
1531
+ <param pos="0" name="service.vendor" value="Kerio"/>
1532
+ <param pos="0" name="service.family" value="Connect"/>
1533
+ <param pos="0" name="service.product" value="ESMTP"/>
1534
+ <param pos="1" name="host.name"/>
1535
+ <param pos="2" name="service.version"/>
1536
+ <param pos="3" name="service.version.version"/>
1537
+ </fingerprint>
1538
+ <fingerprint pattern="^([^ ]+) ESMTP CommuniGate Pro (\d\.[\w.]+)(?:. It is you again :-\()?$">
1539
+ <description>Communigate Pro</description>
1540
+ <example host.name="foo.bar" service.version="5.3.1">foo.bar ESMTP CommuniGate Pro 5.3.1</example>
1541
+ <example host.name="foo.bar" service.version="6.2c3">foo.bar ESMTP CommuniGate Pro 6.2c3</example>
1542
+ <example host.name="foo.bar" service.version="4.3.12">foo.bar ESMTP CommuniGate Pro 4.3.12. It is you again :-(</example>
1543
+ <param pos="0" name="service.vendor" value="Communigater"/>
1544
+ <param pos="0" name="service.family" value="Pro"/>
1545
+ <param pos="0" name="service.product" value="ESMTP"/>
1546
+ <param pos="1" name="host.name"/>
1547
+ <param pos="2" name="service.version"/>
1548
+ </fingerprint>
1549
+ <fingerprint pattern="^(\S+) NO UCE NO UBE NO RELAY PROBES ESMTP">
1550
+ <description>Twisted SMTP server</description>
1551
+ <example host.name="foo.bar">foo.bar NO UCE NO UBE NO RELAY PROBES ESMTP</example>
1552
+ <param pos="0" name="service.vendor" value="Twisted Matrix Labs"/>
1553
+ <param pos="0" name="service.family" value="Twisted"/>
1554
+ <param pos="0" name="service.product" value="ESMTP"/>
1555
+ <param pos="1" name="host.name"/>
1556
+ </fingerprint>
1557
+ <fingerprint pattern="^Cellopoint E-mail Firewall v(\d\.[\d.]+) Build (\d+) ready$">
1558
+ <description>Cellopoint E-mail Firewall</description>
1559
+ <example service.version="3.9.12" service.version.version="0324">Cellopoint E-mail Firewall v3.9.12 Build 0324 ready</example>
1560
+ <param pos="0" name="service.vendor" value="Cellopoint"/>
1561
+ <param pos="0" name="service.family" value="UTM"/>
1562
+ <param pos="0" name="service.product" value="E-mail Firewall"/>
1563
+ <param pos="1" name="service.version"/>
1564
+ <param pos="2" name="service.version.version"/>
1565
+ </fingerprint>
1566
+ <fingerprint pattern="^ESMTP on WinWebMail \[(\d\.[\d.]+)\] ready\. http://www.winwebmail.com$">
1567
+ <description>Ma Jian WinWebMail</description>
1568
+ <example service.version="3.9.0.7">ESMTP on WinWebMail [3.9.0.7] ready. http://www.winwebmail.com</example>
1569
+ <param pos="0" name="service.vendor" value="Ma Jian"/>
1570
+ <param pos="0" name="service.family" value="WinWebMail"/>
1571
+ <param pos="0" name="service.product" value="ESMTP"/>
1572
+ <param pos="1" name="service.version"/>
1573
+ </fingerprint>
1574
+ <fingerprint pattern="^([^ ]+) Service ready by David.fx \((\d+)\) ESMTP Server \(Tobit.Software, Germany\)$">
1575
+ <description>Tobit Software David</description>
1576
+ <example service.version="0486">foo.bar Service ready by David.fx (0486) ESMTP Server (Tobit.Software, Germany)</example>
1577
+ <param pos="0" name="service.vendor" value="Tobit Software"/>
1578
+ <param pos="0" name="service.family" value="David"/>
1579
+ <param pos="0" name="service.product" value="ESMTP"/>
1580
+ <param pos="1" name="host.name"/>
1581
+ <param pos="2" name="service.version"/>>
1582
+ </fingerprint>
1583
+ <fingerprint pattern="^(?i)(\S+) E?SMTP Perl">
1694
1584
  <description>Some simple PERL SMTP server</description>
1695
- <example host.name="example.com">example.com ESMTP Perl</example>
1585
+ <example host.name="foo.bar">foo.bar ESMTP Perl</example>
1696
1586
  <param pos="0" name="service.product" value="Perl"/>
1697
1587
  <param pos="1" name="host.name"/>
1698
1588
  </fingerprint>
1699
- <fingerprint pattern="^([^ ]+) E?SMTP(?: (?:Service )?Ready\.?)?$" flags="REG_ICASE">
1700
- <description>
1701
- catch all for daemons that have no distinguishing fingerprint whatsoever
1702
- </description>
1703
- <example host.name="example.com">example.com ESMTP</example>
1704
- <example host.name="example.com">example.com ESMTP Ready</example>
1705
- <example host.name="example.com">example.com SMTP</example>
1706
- <example host.name="example.com">example.com ESMTP Service ready</example>
1589
+ <fingerprint pattern="^(?i)(?:([^ ]+) )?E?SMTP(?: (?:Service )?Ready\.?)?$">
1590
+ <description>Non-specific banner with optional hostname</description>
1591
+ <example host.name="foo.bar">foo.bar ESMTP</example>
1592
+ <example host.name="foo.bar">foo.bar ESMTP Ready</example>
1593
+ <example host.name="foo.bar">foo.bar SMTP</example>
1594
+ <example host.name="foo.bar">foo.bar ESMTP Service ready</example>
1595
+ <example>ESMTP ready</example>
1596
+ <example>SMTP Ready</example>
1597
+ <example>ESMTP READY</example>
1707
1598
  <param pos="0" name="service.product" value="Unknown"/>
1708
1599
  <param pos="1" name="host.name"/>
1709
1600
  </fingerprint>
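Review bot: The Tobit David fingerprint ends its last param with a doubled bracket, `<param pos="2" name="service.version"/>>` (new line 1581), which leaves a literal `>` as character data inside the `<fingerprint>` element; it should read `<param pos="2" name="service.version"/>`. In the CommuniGate Pro fingerprint the vendor is spelled `value="Communigater"`, which does not match the product name in the banner and would probably break any downstream lookup keyed on the vendor string. Several of the new patterns also leave literal dots unescaped (`David.fx`, `Tobit.Software`, `www.winwebmail.com`, and the `.` before ` It is you again`), so they match any character at those positions; writing them as `\.` keeps the fingerprints as specific as their examples.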