recog 2.3.0 → 2.3.1

data/xml/http_wwwauth.xml

@@ -26,7 +26,7 @@
     <param pos="0" name="os.cpe23" value="cpe:/o:cisco:ios:11"/>
   </fingerprint>
   <fingerprint pattern="^(?:Basic|Digest) realm=.level[ _]15[ _]or[ _]view[ _]access.$">
-    <description>Cisco IOS 12.x</description>
+    <description>Cisco IOS 12.x - view access variant</description>
     <param pos="0" name="service.vendor" value="Cisco"/>
     <param pos="0" name="service.product" value="IOS"/>
     <param pos="0" name="service.family" value="IOS"/>
@@ -168,7 +168,7 @@
     <param pos="0" name="hw.vendor" value="Ruijie"/>
   </fingerprint>
   <fingerprint pattern="^(?:Basic|Digest) realm=.SpeedTouch \(([0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2})\).$">
-    <description>Thomson SpeedTouch xDSL routers</description>
+    <description>Thomson SpeedTouch xDSL router</description>
     <param pos="0" name="service.vendor" value="Thomson"/>
     <param pos="0" name="service.product" value="SpeedTouch"/>
     <param pos="0" name="service.family" value="SpeedTouch"/>
@@ -179,7 +179,7 @@
     <param pos="1" name="host.mac"/>
   </fingerprint>
   <fingerprint pattern="^(?:Basic|Digest) realm=.SpeedTouch., nonce=.[0-9A-Z]+:([0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}):\d+:\d+., qop=.auth.$">
-    <description>Thomson SpeedTouch xDSL routers</description>
+    <description>Thomson SpeedTouch xDSL router - qop variant</description>
     <param pos="0" name="service.vendor" value="Thomson"/>
     <param pos="0" name="service.product" value="SpeedTouch"/>
     <param pos="0" name="service.family" value="SpeedTouch"/>
@@ -190,7 +190,7 @@
     <param pos="1" name="host.mac"/>
   </fingerprint>
   <fingerprint pattern="^(?:Basic|Digest) realm=.ST (\d+) R 5.x Telecom Italia., nonce=.[0-9A-Z]+:([0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}):\d+:\d+., qop=.auth.$">
-    <description>Thomson SpeedTouch xDSL routers</description>
+    <description>Thomson SpeedTouch xDSL router - Telecom Italia</description>
     <param pos="0" name="service.vendor" value="Thomson"/>
     <param pos="0" name="service.product" value="SpeedTouch"/>
     <param pos="0" name="service.family" value="SpeedTouch"/>
@@ -240,7 +240,7 @@
     <param pos="0" name="os.product" value="WRT54G"/>
   </fingerprint>
   <fingerprint pattern="^(?:Basic|Digest) realm=.(TD-[VW8][A-Z0-9]+)(?:| \d+\.\d+).$">
-    <description>TP-LINK SoHo Router</description>
+    <description>TP-LINK SoHo Router - dash variant</description>
     <example>Basic realm="TD-W8901G"</example>
     <example>Basic realm="TD-8840T 2.0"</example>
     <example>Basic realm="TD-8811"</example>
@@ -259,7 +259,7 @@
     <param pos="1" name="os.product"/>
   </fingerprint>
   <fingerprint pattern="^(?:Basic|Digest) realm=.TP-LINK.*(?:Access Point|Extender|AP) ([A-Z0-9\-\+]+).*$">
-    <description>TP-LINK SoHo Router</description>
+    <description>TP-LINK SoHo Router - verbose variant</description>
     <example>Basic realm="TP-LINK Wireless N Access Point WA801N"</example>
     <example>Basic realm="TP-LINK Wireless Range Extender WA830RE"</example>
     <example>Basic realm="TP-LINK Wireless Range Extender WA850RE"</example>

data/xml/imap_banners.xml

@@ -3,6 +3,7 @@
   <!-- IMAP banners are matched against these patterns to fingerprint IMAP servers. -->
   <fingerprint pattern="^Microsoft Exchange IMAP4rev1 server version (5\.5\.\d{4}\.\d+) \((.*)\) ready$">
     <description>Microsoft Exchange Server 5.5</description>
+    <example service.version="5.5.2448.8" host.name="foo.bar">Microsoft Exchange IMAP4rev1 server version 5.5.2448.8 (foo.bar) ready</example>
     <param pos="0" name="service.vendor" value="Microsoft"/>
     <param pos="0" name="service.family" value="Exchange Server"/>
     <param pos="0" name="service.product" value="Exchange Server 5.5"/>
@@ -16,6 +17,7 @@
   </fingerprint>
   <fingerprint pattern="^Microsoft Exchange 2000 IMAP4rev1 server version (6\.0\.\d{4}\.\d+) \((.*)\) ready\.$">
     <description>Microsoft Exchange Server 2000</description>
+    <example service.version="6.0.6249.0" host.name="foo.bar">Microsoft Exchange 2000 IMAP4rev1 server version 6.0.6249.0 (foo.bar) ready.</example>
     <param pos="0" name="service.vendor" value="Microsoft"/>
     <param pos="0" name="service.family" value="Exchange Server"/>
     <param pos="0" name="service.product" value="Exchange 2000 Server"/>
@@ -29,6 +31,7 @@
   </fingerprint>
   <fingerprint pattern="^Microsoft Exchange Server 2003 IMAP4rev1 server version (6\.5\.\d{4}\.\d+) \((.*)\) ready\.$">
     <description>Microsoft Exchange Server 2003</description>
+    <example service.version="6.5.7638.1" host.name="foo.bar">Microsoft Exchange Server 2003 IMAP4rev1 server version 6.5.7638.1 (foo.bar) ready.</example>
     <param pos="0" name="service.vendor" value="Microsoft"/>
     <param pos="0" name="service.family" value="Exchange Server"/>
     <param pos="0" name="service.product" value="Exchange 2003 Server"/>
@@ -42,6 +45,7 @@
   </fingerprint>
   <fingerprint pattern="^Der Microsoft Exchange Server 2003 IMAP4rev1-Server, Version (6\.5\.\d{4}\.\d+) \((.*)\),.*$">
     <description>Microsoft Exchange Server 2003, German</description>
+    <example service.version="6.5.7638.1" host.name="foo.bar">Der Microsoft Exchange Server 2003 IMAP4rev1-Server, Version 6.5.7638.1 (foo.bar), steht zur Verfgung.</example>
     <param pos="0" name="service.vendor" value="Microsoft"/>
     <param pos="0" name="service.family" value="Exchange Server"/>
     <param pos="0" name="service.product" value="Exchange 2003 Server"/>
@@ -55,6 +59,7 @@
   </fingerprint>
   <fingerprint pattern="^Microsoft Exchange Server 2007 IMAP4 service ready$">
     <description>Microsoft Exchange Server 2007</description>
+    <example>Microsoft Exchange Server 2007 IMAP4 service ready</example>
     <param pos="0" name="service.vendor" value="Microsoft"/>
     <param pos="0" name="service.family" value="Exchange Server"/>
     <param pos="0" name="service.product" value="Exchange 2007 Server"/>
@@ -78,6 +83,7 @@
   </fingerprint>
   <fingerprint pattern="^Domino IMAP4 Server Release (\d+\.\d+.*) ready (.+)$">
     <description>IBM Lotus Notes/Domino</description>
+    <example service.version="9.0.1FP9" host.time="Thu, 4 Apr 2019 20:19:31 +0200">Domino IMAP4 Server Release 9.0.1FP9 ready Thu, 4 Apr 2019 20:19:31 +0200</example>
     <param pos="0" name="service.vendor" value="IBM"/>
     <param pos="0" name="service.family" value="Lotus Domino"/>
     <param pos="0" name="service.product" value="Lotus Domino"/>
@@ -86,7 +92,7 @@
     <param pos="2" name="host.time"/>
   </fingerprint>
   <fingerprint pattern="^Domino IMAP4 Server V\.?(\d+\.\d+.*) ready (.+)$">
-    <description>IBM Lotus Notes/Domino</description>
+    <description>IBM Lotus Notes/Domino - variant 2</description>
     <param pos="0" name="service.vendor" value="IBM"/>
     <param pos="0" name="service.family" value="Lotus Domino"/>
     <param pos="0" name="service.product" value="Lotus Domino"/>
@@ -96,6 +102,8 @@
   </fingerprint>
   <fingerprint pattern="^[dD]ovecot (?:DA )?ready\.$">
     <description>Dovecot Secure IMAP Server</description>
+    <example>Dovecot ready.</example>
+    <example>Dovecot DA ready.</example>
     <param pos="0" name="service.family" value="Dovecot"/>
     <param pos="0" name="service.product" value="Dovecot"/>
   </fingerprint>
@@ -118,16 +126,15 @@
   </fingerprint>
   <fingerprint pattern="^(\S+) Zimbra IMAP4rev1 server ready\.?$">
     <description>VMware Zimbra IMAP</description>
-    <example>catfood.zimbra.com Zimbra IMAP4rev1 server ready</example>
-    <example>dogfood.zimbra.com Zimbra IMAP4rev1 server ready</example>
+    <example host.name="foo.bar">foo.bar Zimbra IMAP4rev1 server ready</example>
     <param pos="0" name="service.vendor" value="VMware"/>
     <param pos="0" name="service.product" value="Zimbra"/>
     <param pos="0" name="service.cpe23" value="cpe:/a:vmware:zimbra_desktop:-"/>
     <param pos="1" name="host.name"/>
   </fingerprint>
   <fingerprint pattern="^(\S+) Zimbra (\S+) IMAP4rev1 server ready\.?$">
-    <description>VMware Zimbra IMAP</description>
-    <example>example.com Zimbra 7.0.0_GA_3079 IMAP4rev1 server ready</example>
+    <description>VMware Zimbra IMAP with service version</description>
+    <example host.name="foo.bar" service.version="7.0.0_GA_3079">foo.bar Zimbra 7.0.0_GA_3079 IMAP4rev1 server ready</example>
     <param pos="0" name="service.vendor" value="VMware"/>
     <param pos="0" name="service.product" value="Zimbra"/>
     <param pos="2" name="service.version"/>

data/xml/ldap_searchresult.xml

@@ -404,7 +404,7 @@
     <param pos="1" name="service.version"/>
   </fingerprint>
   <fingerprint pattern="(?im:IBM Lotus Software0.\x04\rvendorversion1.\x04.Release (\d+\.\d+[\w .]*)0.\x04.dominomajminversion)">
-    <description>IBM (Lotus) Domino LDAP Server</description>
+    <description>IBM (Lotus) Domino LDAP Server - majminversion variant</description>
     <example service.version="8.5.3" _encoding="base64">
       SUJNIExvdHVzIFNvZnR3YXJlMCAEDXZlbmRvcnZlcnNpb24xDwQNUmVsZWFzZSA4LjUuMzAeB
       BNkb21pbm9tYWptaW52ZXJzaW9uMQcE
@@ -428,7 +428,7 @@
     <param pos="1" name="service.version"/>
   </fingerprint>
   <fingerprint pattern="(?im:IBM Lotus Software0.\x04\rvendorversion1.\x04.Build (V[\w .]*)0.\x04.dominomajminversion)">
-    <description>IBM (Lotus) Domino LDAP Server</description>
+    <description>IBM (Lotus) Domino LDAP Server - build variant</description>
     <example service.version="V902_12302013" _encoding="base64">
       SUJNIExvdHVzIFNvZnR3YXJlMCYEDXZlbmRvcnZlcnNpb24xFQQTQnVpbGQgVjkwMl8xMjMwM
       jAxMzAeBBNkb21pbm9tYWptaW52ZXJzaW9uMQcE

data/xml/mysql_banners.xml

@@ -144,7 +144,7 @@
     <param pos="0" name="os.cpe23" value="cpe:/o:canonical:ubuntu_linux:{os.version}"/>
   </fingerprint>
   <fingerprint pattern="^(\d{1,2}\.\d{1,3}\.\d{1,2})-(?:Debian_)?\dubuntu(\d{1,2}\.\d\d)[.\d]*(?:-log)?$">
-    <description>Oracle MySQL on Ubuntu</description>
+    <description>Oracle MySQL on Ubuntu - Debian string variant</description>
     <example service.version="5.0.22" os.version="6.06">5.0.22-Debian_0ubuntu6.06.14-log</example>
     <example service.version="5.1.41" os.version="12.10">5.1.41-3ubuntu12.10</example>
     <param pos="1" name="service.version"/>
@@ -458,7 +458,7 @@
     <param pos="0" name="os.family" value="Windows"/>
   </fingerprint>
   <fingerprint pattern="^(\d{1,2}\.\d{1,3}\.[a-f\d]{1,3})(?:-rc)?-enterprise" flags="REG_ICASE">
-    <description>Oracle MySQL Enterprise Edition</description>
+    <description>Oracle MySQL Enterprise Edition - variant 1</description>
     <example service.version="5.1.26">5.1.26-rc-enterprise-gpl-log</example>
     <example service.version="5.5.27">5.5.27-enterprise-commercial-advanced-log</example>
     <param pos="1" name="service.version"/>
@@ -469,7 +469,7 @@
     <param pos="0" name="service.cpe23" value="cpe:/a:oracle:mysql:{service.version}"/>
   </fingerprint>
   <fingerprint pattern="^(\d{1,2}\.\d{1,3}\.[a-f\d]{1,3}-ndb-\d\.\d{1,2}\.[a-f\d]{1,3})" flags="REG_ICASE">
-    <description>Oracle MySQL Cluster Edition</description>
+    <description>Oracle MySQL Cluster Edition - nbd variant</description>
     <example service.version="5.1.30-ndb-6.3.20">5.1.30-ndb-6.3.20-cluster-gpl-log</example>
     <example service.version="5.5.20-ndb-7.2.5">5.5.20-ndb-7.2.5-gpl</example>
     <param pos="1" name="service.version"/>

data/xml/mysql_error.xml

@@ -52,7 +52,6 @@
   <fingerprint pattern="^^(?:#HY000)?Host '[^']+' is not allowed to connect to this MySQL server$$">
     <description>Oracle MySQL error ER_HOST_NOT_PRIVILEGED (eng)</description>
     <example>Host '10.10.10.10' is not allowed to connect to this MySQL server</example>
-    <example>Host '10.10.10.10' is not allowed to connect to this MySQL server</example>
     <example>#HY000Host '10.10.10.10' is not allowed to connect to this MySQL server</example>
     <param pos="0" name="service.vendor" value="Oracle"/>
     <param pos="0" name="service.family" value="MySQL"/>

data/xml/ntp_banners.xml

@@ -380,7 +380,7 @@
     <param pos="0" name="os.cpe23" value="cpe:/o:netbsd:netbsd:{os.version}"/>
   </fingerprint>
   <fingerprint pattern="^.*processor=&quot;([^ ]+)&quot;,.*system=&quot;NetBSD/?([^ ]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
-    <description>ntpd running on NetBSD</description>
+    <description>ntpd running on NetBSD - variant 2</description>
     <example os.arch="i386" os.version="1.5.3">
       processor="i386", system="NetBSD1.5.3"
     </example>
@@ -1034,7 +1034,7 @@
     <param pos="1" name="os.product"/>
   </fingerprint>
   <fingerprint pattern="^.*processor=&quot;([^&quot;]+)&quot;, system=&quot;SCO_SV([\d\.]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
-    <description>SCO Unixware NTP</description>
+    <description>SCO Unixware NTP - SCO_SV variant</description>
     <example os.version="3.2" os.arch="i386">
       processor="i386", system="SCO_SV3.2", leap=0, stratum=2, precision=-18
     </example>

data/xml/operating_system.xml

@@ -17,7 +17,6 @@
     <example os.product="Windows Server 2008" os.edition="Enterprise" os.version="Service Pack 2">Windows Server 2008 Enterprise without Hyper-V Service Pack 2</example>
     <example os.product="Windows Server 2008" os.edition="Enterprise" os.version="SP1">Windows Server 2008 Enterprise with Hyper-V SP1</example>
     <example os.product="Windows Server 2012 R2" os.edition="Foundation">Windows Server 2012 R2 Foundation Edition</example>
-    <example os.product="Windows Storage Server 2012 R2">Windows Storage Server 2012 R2</example>
     <param pos="0" name="os.vendor" value="Microsoft"/>
     <param pos="0" name="os.family" value="Windows"/>
     <param pos="1" name="os.product"/>

data/xml/pop_banners.xml

@@ -37,8 +37,8 @@
     <param pos="0" name="service.cpe23" value="cpe:/a:ibm:lotus_domino:-"/>
   </fingerprint>
   <fingerprint pattern="^Lotus Notes POP3 server version Release ([^ ]+) ready on .*$">
-    <description>IBM Lotus Notes/Domino</description>
-    <example>Lotus Notes POP3 server version Release 8.5.1FP5 ready on foo/US.</example>
+    <description>IBM Lotus Notes/Domino - Release variant</description>
+    <example service.version="8.5.1FP5">Lotus Notes POP3 server version Release 8.5.1FP5 ready on foo/US.</example>
     <param pos="0" name="service.vendor" value="IBM"/>
     <param pos="0" name="service.family" value="Lotus Domino"/>
     <param pos="0" name="service.product" value="Lotus Domino"/>
@@ -171,16 +171,15 @@
   </fingerprint>
   <fingerprint pattern="^(\S+) Zimbra POP3 server ready\.?$">
     <description>VMware Zimbra POP</description>
-    <example>catfood.example.com Zimbra POP3 server ready</example>
-    <example>dogfood.example.com Zimbra POP3 server ready</example>
+    <example host.name="foo.bar">foo.bar Zimbra POP3 server ready</example>
     <param pos="0" name="service.vendor" value="VMware"/>
     <param pos="0" name="service.product" value="Zimbra"/>
     <param pos="0" name="service.cpe23" value="cpe:/a:vmware:zimbra_desktop:-"/>
     <param pos="1" name="host.name"/>
   </fingerprint>
   <fingerprint pattern="^(\S+) Zimbra (\S+) POP3 server ready\.?$">
-    <description>VMware Zimbra POP</description>
-    <example>example.com Zimbra 7.0.0_GA_3079 POP3 server ready</example>
+    <description>VMware Zimbra POP with version</description>
+    <example host.name="foo.bar">foo.bar Zimbra 7.0.0_GA_3079 POP3 server ready</example>
     <param pos="0" name="service.vendor" value="VMware"/>
     <param pos="0" name="service.product" value="Zimbra"/>
     <param pos="2" name="service.version"/>

data/xml/smb_native_os.xml

@@ -35,7 +35,7 @@
     <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows_xp:-"/>
   </fingerprint>
   <fingerprint pattern="^Windows XP (\d+) (Service Pack \d+)$">
-    <description>Windows XP</description>
+    <description>Windows XP with Service Pack</description>
     <example os.build="2600" os.version="Service Pack 1">Windows XP 2600 Service Pack 1</example>
     <param pos="0" name="os.certainty" value="1.0"/>
     <param pos="0" name="os.vendor" value="Microsoft"/>
@@ -45,7 +45,7 @@
     <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows_xp:{os.version}"/>
   </fingerprint>
   <fingerprint pattern="^Windows XP (\d+)$">
-    <description>Windows XP</description>
+    <description>Windows XP with build number</description>
     <example os.build="2600">Windows XP 2600</example>
     <param pos="0" name="os.certainty" value="1.0"/>
     <param pos="0" name="os.vendor" value="Microsoft"/>
@@ -205,7 +205,7 @@
   </fingerprint>
   <!-- 2008 R2 -->
   <fingerprint pattern="^Windows Server 2008 R2 (\w+|\w+ \w+|\w+ \w+ \w+) (\d+) (Service Pack \d+)(?:, v\.\d+)?$">
-    <description>Windows Server 2008</description>
+    <description>Windows Server 2008 R2</description>
     <example>Windows Server 2008 R2 Enterprise 7601 Service Pack 1</example>
     <example>Windows Server 2008 R2 Standard 7601 Service Pack 1</example>
     <param pos="0" name="os.certainty" value="1.0"/>
@@ -217,7 +217,7 @@
     <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows_server_2008:{os.version}"/>
   </fingerprint>
   <fingerprint pattern="^Windows Server 2008 R2 (\w+|\w+ \w+|\w+ \w+ \w+) (\d+)$">
-    <description>Windows Server 2008 R2</description>
+    <description>Windows Server 2008 R2 without Service Pack</description>
     <example os.edition="Enterprise">Windows Server 2008 R2 Enterprise 7600</example>
     <example os.edition="Standard">Windows Server 2008 R2 Standard 7600</example>
     <example os.edition="Datacenter">Windows Server 2008 R2 Datacenter 7600</example>

data/xml/smtp_banners.xml

@@ -141,17 +141,18 @@
     <param pos="0" name="service.product" value="CCProxy"/>
     <param pos="1" name="service.version"/>
   </fingerprint>
-  <fingerprint pattern="^[\*20 ]+$">
-    <description>
-         Cisco PIX firewall: PIX sits between an internal SMTP server and the rest of the world.
+  <!--
+  Cisco PIX sits between an internal SMTP server and the rest of the world.
 
-         Its MailGuard feature strips all information out of the 220 header except for the ' ' (space), '2' (digit two),
-         and '0' (digit zero) characters, replacing them with asterisks. While this effectively
-         hides the back-end SMTP server, it does tell us that they are running Cisco PIX firewall
-         (at least for SMTP, and possibly other services as well).
+    Its MailGuard feature strips all information out of the 220 header except for the ' ' (space), '2' (digit two),
+    and '0' (digit zero) characters, replacing them with asterisks. While this effectively
+    hides the back-end SMTP server, it does tell us that they are running Cisco PIX firewall
+    (at least for SMTP, and possibly other services as well).
 
-         Search Cisco's documentation for "fixup protocol SMTP" for more information.
-      </description>
+    Search Cisco's documentation for "fixup protocol SMTP" for more information.
+  -->
+  <fingerprint pattern="^[\*20 ]+$">
+    <description>Cisco PIX firewall MailGuard banner stripping</description>
     <example os.product="PIX">***************************</example>
     <param pos="0" name="os.vendor" value="Cisco"/>
     <param pos="0" name="os.family" value="PIX"/>
@@ -159,10 +160,7 @@
     <param pos="0" name="os.cpe23" value="cpe:/o:cisco:pix_firewall_software:-"/>
   </fingerprint>
   <fingerprint pattern="^([^ ]+) +ESMTP CPMTA-([^ ]+)_([^ ]+)_([^ ]+)_([^ ]+) - NO UCE *$">
-    <description>Critical Path (aka InScribe) Messaging Server
-         http://www.cp.net/products/inscr_messagingserv_overview.html
-         Runs on Windows NT4/2k, Solaris 2.6, 2.7, and 2.8 Sparc/Intel, SGI IRIX 6.5.3 or later, and AIX
-      </description>
+    <description>Critical Path (aka InScribe) Messaging Server on Windows NT4/2k, Solaris 2.6/2.7/2.8 Sparc/Intel, SGI IRIX 6.5.3 or later, or AIX </description>
     <param pos="0" name="service.vendor" value="Critical Path"/>
     <param pos="0" name="service.family" value="Messaging Server"/>
     <param pos="0" name="service.product" value="Messaging Server"/>
@@ -370,11 +368,7 @@
     <param pos="1" name="host.name"/>
   </fingerprint>
   <fingerprint pattern="^([^ ]+) +SMTP/smap Ready\.$">
-    <description>TIS FWTK and derivatives
-         http://www.tis.com/research/software/
-         This fingerprint may be ambiguous because other firewalls (like
-         Gauntlet) are derived from TIS
-      </description>
+    <description>TIS FWTK and derivatives (other firewalls, like Gauntlet, are derived from TIS)</description>
     <example host.name="foo.bar">foo.bar SMTP/smap Ready.</example>
     <param pos="0" name="service.vendor" value="TIS"/>
     <param pos="0" name="service.family" value="FWTK"/>
@@ -1255,7 +1249,7 @@
   </fingerprint>
   <fingerprint pattern="^([^ ]+) ESMTP MetaInfo Sendmail ([^ ]+) Build ([^ ]+) \(Berkeley ([^ ]+)\)/([^;]+); (.+)$">
     <description>Sendmail - MetaInfo</description>
-    <example>foo.bar ESMTP MetaInfo Sendmail 2.5 Build 2630 (Berkeley 8.8.6)/8.8.4; Mon, 30 Jul</example>
+    <example host.name="foo.bar" service.version="8.8.6">foo.bar ESMTP MetaInfo Sendmail 2.5 Build 2630 (Berkeley 8.8.6)/8.8.4; Mon, 30 Jul</example>
     <param pos="0" name="service.vendor" value="MetaInfo"/>
     <param pos="0" name="service.family" value="Sendmail"/>
     <param pos="0" name="service.product" value="Sendmail"/>

data/xml/smtp_debug.xml

@@ -10,30 +10,22 @@
     of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
   -->
   <fingerprint pattern="^500 No way!$">
-    <description>
-         Exim
-         example: 500 No way!
-      </description>
+    <description>Exim</description>
+    <example>500 No way!</example>
     <param pos="0" name="service.vendor" value="exim"/>
     <param pos="0" name="service.family" value="exim"/>
     <param pos="0" name="service.product" value="exim"/>
     <param pos="0" name="service.cpe23" value="cpe:/a:exim:exim:-"/>
   </fingerprint>
   <fingerprint pattern="^250[ -] *Debug set -NOT!$">
-    <description>
-         TIS FWTK and derivatives
-         http://www.tis.com/research/software/
-         This fingerprint may be ambiguous because other firewalls (like
-         Gauntlet) are derived from TIS
-      </description>
+    <description>TIS FWTK and derivatives (other firewalls, like Gauntlet, are derived from TIS)</description>
     <param pos="0" name="service.vendor" value="TIS"/>
     <param pos="0" name="service.family" value="FWTK"/>
     <param pos="0" name="service.product" value="FWTK"/>
   </fingerprint>
   <fingerprint pattern="^500[ -]What\? I don't understand that\.$">
-    <description>
-         500 What? I don't understand that.
-      </description>
+    <description>Alt-N MDaemon SMTP</description>
+    <example>500 What? I don't understand that.</example>
     <param pos="0" name="service.vendor" value="Alt-N"/>
     <param pos="0" name="service.family" value="MDaemon"/>
     <param pos="0" name="service.product" value="MDaemon"/>

data/xml/smtp_ehlo.xml

@@ -10,10 +10,7 @@
     of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
   -->
   <fingerprint pattern="^500[ -]Syntax error, command &quot;XXXX&quot; unrecognized$">
-    <description>
-         Cisco PIX changes the command letters to 'X' before passing
-         them to the real SMTP server.
-      </description>
+    <description>Cisco PIX - changes the command letters to 'X' before passing them to the real SMTP server</description>
     <param pos="0" name="os.vendor" value="Cisco"/>
     <param pos="0" name="os.family" value="PIX"/>
     <param pos="0" name="os.product" value="PIX"/>
@@ -38,9 +35,7 @@
    </fingerprint>
    -->
   <fingerprint pattern="^221[ -]See ya in cyberspace$">
-    <description>
-         221 See ya in cyberspace
-      </description>
+    <description>221 See ya in cyberspace</description>
     <param pos="0" name="service.vendor" value="Alt-N"/>
     <param pos="0" name="service.family" value="MDaemon"/>
     <param pos="0" name="service.product" value="MDaemon"/>

data/xml/smtp_expn.xml

@@ -10,30 +10,23 @@
     of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
   -->
   <fingerprint pattern="^500[ -]Syntax error, command &quot;XXXX.*&quot; unrecognized$">
-    <description>
-         Cisco PIX changes the command letters to 'X' before passing
-         them to the real SMTP server.
-      </description>
+    <description>Cisco PIX - changes the command letters to 'X' before passing them to the real SMTP server - expn variant</description>
     <param pos="0" name="os.vendor" value="Cisco"/>
     <param pos="0" name="os.family" value="PIX"/>
     <param pos="0" name="os.product" value="PIX"/>
     <param pos="0" name="os.cpe23" value="cpe:/o:cisco:pix_firewall_software:-"/>
   </fingerprint>
   <fingerprint pattern="^550[ -]EXPN not available to \(.+\) \[.+\] *$">
-    <description>
-         Exim
-         example: 550 EXPN not available to (foo.bar.com) [192.168.0.1]
-      </description>
+    <description>Exim - expn variant 1</description>
+    <example>550 EXPN not available to (foo.bar.com) [192.168.0.1]</example>
     <param pos="0" name="service.vendor" value="exim"/>
     <param pos="0" name="service.family" value="exim"/>
     <param pos="0" name="service.product" value="exim"/>
     <param pos="0" name="service.cpe23" value="cpe:/a:exim:exim:-"/>
   </fingerprint>
   <fingerprint pattern="^550[ -]EXPN not available to [^ ]+ \(.+\) \[.+\] *$">
-    <description>
-         Exim
-         example: 550 EXPN not available to evil.com (foo.bar.com) [192.168.0.1]
-      </description>
+    <description>Exim - expn variant 2</description>
+    <example>550 EXPN not available to evil.com (foo.bar.com) [192.168.0.1]</example>
     <param pos="0" name="service.vendor" value="exim"/>
     <param pos="0" name="service.family" value="exim"/>
     <param pos="0" name="service.product" value="exim"/>
@@ -53,18 +46,16 @@
     <param pos="0" name="service.product" value="VM"/>
   </fingerprint>
   <fingerprint pattern="^550[ -]lists are confidential *$">
-    <description>
-         example: 550 lists are confidential
-      </description>
+    <description>Ipswitch IMail Server - expn variant</description>
+    <example>550 lists are confidential</example>
     <param pos="0" name="service.vendor" value="Ipswitch"/>
     <param pos="0" name="service.family" value="IMail Server"/>
     <param pos="0" name="service.product" value="IMail Server"/>
     <param pos="0" name="service.cpe23" value="cpe:/a:ipswitch:imail_server:-"/>
   </fingerprint>
   <fingerprint pattern="^502[ -]command is not active$">
-    <description>
-         502 command is not active
-      </description>
+    <description>Alt-N MDaemon - expn variant</description>
+    <example>502 command is not active</example>
     <param pos="0" name="service.vendor" value="Alt-N"/>
     <param pos="0" name="service.family" value="MDaemon"/>
     <param pos="0" name="service.product" value="MDaemon"/>
@@ -76,17 +67,14 @@
     <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
   </fingerprint>
   <fingerprint pattern="^252 Unable to EXPN &quot;.*&quot;, but will accept message and attempt delivery *$">
-    <description>
-         Lotus Domino
-      </description>
+    <description>Lotus Domino</description>
     <param pos="0" name="service.vendor" value="Lotus"/>
     <param pos="0" name="service.family" value="Lotus Domino"/>
     <param pos="0" name="service.product" value="Lotus Domino"/>
   </fingerprint>
   <fingerprint pattern="^550[ -]Unable to find list '.*'\.$">
-    <description>
-         example: 550 Unable to find list 'list'.
-      </description>
+    <description>Seattle Labs SLMail</description>
+    <example>550 Unable to find list 'list'.</example>
     <param pos="0" name="service.vendor" value="Seattle Labs"/>
     <param pos="0" name="service.family" value="SLMail"/>
     <param pos="0" name="service.product" value="SLMail"/>