recog 2.3.10 → 2.3.11

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 882d241ba5d8115e818c1f3a9373171d502cc4cd1b0d9069a41bd9383aabf90a
-  data.tar.gz: d90114dc975f4ae473af3958ba30cfe1d14953299a9585726a6b1d834e6c2091
+  metadata.gz: 97d63040d77ee814dfef18425b59f861c5502b6e929826c27b3f6ec81423edfe
+  data.tar.gz: 27f184ce296b50e0c061e67c0fb5cff846eca187ee72750684904aea66061bc7
 SHA512:
-  metadata.gz: c98f1e8fc087478c4ac5cc2a6512059976ff8bb99bd83c5f7098856888e31af4f9e8a3643a18a091fa4676df9da83314aee24ef01b0367a381ebee7077aa2fdd
-  data.tar.gz: 01034d8c3ca39855af88582e1027ce6f2bd2f60b312d06e9a11f81b8e3ed896801d0e40e09a18a37e57df1adb58dfb0125bcca74bea26443e9b068fd6b60f7d7
+  metadata.gz: fec43f32715f27d49b9c0258cd46b2b647c11d9649d30601ac7220b4f37459a9664686c25f84304c307e74690815de91e3883ba018d4b9d1546aea4867cebe42
+  data.tar.gz: e8612ca2e848fe0c8f8ccd32646309614fca7cdbc3101f01554c4e770ea738fead20ea24c003b70f0241a412186cbaa819b5d805b2e71d834dd77a327bdfc7e6

data/cpe-remap.yaml

@@ -48,7 +48,6 @@ mappings:
     products:
       lotus_domino: lotus_domino_server
       os/400: os_400
-      z/os: z\/os
   jamf:
     products:
       jamf_pro: jamf

data/identifiers/hw_family.txt

@@ -93,4 +93,4 @@ iPad
 iPad Air
 iPad Pro
 iPad mini
-iPhone
+iPhone

data/identifiers/hw_product.txt

@@ -325,4 +325,4 @@ iPhone X
 iPhone XR
 iPhone XS
 iPhone XS Max
-vManage
+vManage

data/identifiers/service_product.txt

@@ -554,3 +554,4 @@ vsFTPd
 vsFTPd Extended
 z/OS FTP Server
 zFTPServer
+TCP/IP

data/identifiers/vendor.txt

@@ -782,6 +782,7 @@ Tomato
 TornadoWeb
 Toshiba
 Trancell
+Treck
 Trend Micro
 Tridium
 Troy

data/lib/recog/version.rb

@@ -1,3 +1,3 @@
 module Recog
-  VERSION = '2.3.10'
+  VERSION = '2.3.11'
 end

data/update_cpes.py

@@ -24,6 +24,7 @@ def parse_cpe_vp_map(file):
                 vp_map[cpe_type] = {}
             if not vendor in vp_map[cpe_type]:
                 vp_map[cpe_type][vendor] = set()
+            product = product.replace('%2f', '/')
             vp_map[cpe_type][vendor].add(product)
         else:
             logging.error("Unexpected CPE %s", cpe_name)
@@ -160,6 +161,8 @@ def update_cpes(xml_file, cpe_vp_map, r7_vp_map):
                         continue
 
                 # building the CPE string
+                # Last minute escaping of '/'
+                product = product.replace('/', '\/')
                 cpe_value = 'cpe:/{}:{}:{}'.format(cpe_type, vendor, product)
 
                 if version:

data/xml/dns_versionbind.xml

@@ -8,6 +8,42 @@
     dnsmasq-2.76-1-ubnt2
   -->
 
+  <!--
+  The following 'assert nothing' block is intended to handle banners so simple
+  that they cannot be attributed to a product or vendor. They are at the
+  beginning of the file as a performance tweak given how frequenty they occur.
+  -->
+
+  <fingerprint pattern="^$">
+    <description>empty string -- assert nothing.</description>
+    <example/>
+    <param pos="0" name="service.certainty" value="0.0"/>
+  </fingerprint>
+
+  <fingerprint pattern="^none$">
+    <description>bare 'none' -- assert nothing.</description>
+    <example>none</example>
+    <param pos="0" name="service.certainty" value="0.0"/>
+  </fingerprint>
+
+  <fingerprint pattern="^null$">
+    <description>bare 'null' -- assert nothing.</description>
+    <example>null</example>
+    <param pos="0" name="service.certainty" value="0.0"/>
+  </fingerprint>
+
+  <fingerprint pattern="(?i)^unknown$">
+    <description>bare 'unknown' -- assert nothing.</description>
+    <example>unknown</example>
+    <param pos="0" name="service.certainty" value="0.0"/>
+  </fingerprint>
+
+  <fingerprint pattern="^no version$">
+    <description>bare 'no version' -- assert nothing.</description>
+    <example>no version</example>
+    <param pos="0" name="service.certainty" value="0.0"/>
+  </fingerprint>
+
   <!-- Red Hat package naming:
        https://fedoraproject.org/wiki/Packaging:DistTag
        https://fedoraproject.org/wiki/Packaging:Versioning
@@ -161,6 +197,21 @@
     <param pos="0" name="os.product" value="Zentyal"/>
   </fingerprint>
 
+  <fingerprint pattern="^(9.[^-]+(?:-[SP]\d)?)(?:-[\d\.]+)?\+deb10[\w~\.]+-Debian$">
+    <description>ISC BIND: Debian 10.0 (buster)</description>
+    <example service.version="9.11.5-P4">9.11.5-P4-5.1+deb10u1-Debian</example>
+    <param pos="0" name="service.vendor" value="ISC"/>
+    <param pos="0" name="service.family" value="BIND"/>
+    <param pos="0" name="service.product" value="BIND"/>
+    <param pos="1" name="service.version"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:isc:bind:{service.version}"/>
+    <param pos="0" name="os.vendor" value="Debian"/>
+    <param pos="0" name="os.family" value="Linux"/>
+    <param pos="0" name="os.product" value="Linux"/>
+    <param pos="0" name="os.version" value="10.0"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:debian:debian_linux:10.0"/>
+  </fingerprint>
+
   <fingerprint pattern="^(9.[^-]+(?:-[SP]\d)?)-9\+deb8u[\w~\.]+-Debian$">
     <description>ISC BIND: Debian 8.0 (jessie)</description>
     <example service.version="9.9.5">9.9.5-9+deb8u11-Debian</example>
@@ -376,13 +427,14 @@
     <param pos="0" name="service.cpe23" value="cpe:/a:powerdns:authoritative_server:{service.version}"/>
   </fingerprint>
 
-  <fingerprint pattern="^PowerDNS Authoritative Server (\d\.[\w.]+(?:-rc\d)?(?:-alpha\d)?(?:-beta\d)?) \(built [\w\s:]+ by [\w]+\@[\w.-:-]*\)$">
+  <fingerprint pattern="^PowerDNS Authoritative Server (\d\.[\w.]+(?:-rc\d)?(?:-alpha\d)?(?:-beta\d)?[^ ]*) \(built [\w\s:]+ by [\w]+\@[\w.-:-]*\)$">
     <description>PowerDNS Authoritative Server: format 2</description>
     <example service.version="4.0.4">PowerDNS Authoritative Server 4.0.4 (built Jul 26 2017 15:04:27 by root@FreeBSD:11:amd64-default-job-03)</example>
     <example service.version="4.0.0-rc2">PowerDNS Authoritative Server 4.0.0-rc2 (built Jul  4 2016 15:44:39 by root@foo-bar.baz)</example>
     <example service.version="4.0.0-alpha2">PowerDNS Authoritative Server 4.0.0-alpha2 (built Feb 01 2016 00:12:05 by buildbot@baz)</example>
     <example service.version="4.0.0-beta1">PowerDNS Authoritative Server 4.0.0-beta1 (built Feb 01 2016 00:00:00 by buildbot@baz)</example>
     <example service.version="0.0.g56d692a">PowerDNS Authoritative Server 0.0.g56d692a (built Feb 25 2017 13:10:19 by root@foo-bar.baz)</example>
+    <example service.version="4.2.0-rc2.995.master.g8cc411dc4">PowerDNS Authoritative Server 4.2.0-rc2.995.master.g8cc411dc4 (built Nov  6 2019 11:48:12 by root@foo-bar.baz)</example>
     <param pos="0" name="service.vendor" value="PowerDNS"/>
     <param pos="0" name="service.family" value="PowerDNS"/>
     <param pos="0" name="service.product" value="Authoritative Server"/>
@@ -483,6 +535,20 @@
     <param pos="0" name="service.product" value="unbound"/>
   </fingerprint>
 
+  <fingerprint pattern="^(?:BIND )?(9.[^-]+(?:-[SP]\d)?)(?:-[\d\.]+)?\+deb10u\d+-Raspbian$">
+    <description>ISC BIND: Raspbian based on Debian Buster</description>
+    <example service.version="9.11.5-P4">9.11.5-P4-5.1+deb10u1-Raspbian</example>
+    <param pos="0" name="service.vendor" value="ISC"/>
+    <param pos="0" name="service.family" value="BIND"/>
+    <param pos="0" name="service.product" value="BIND"/>
+    <param pos="1" name="service.version"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:isc:bind:{service.version}"/>
+    <param pos="0" name="os.vendor" value="Raspbian"/>
+    <param pos="0" name="os.family" value="Linux"/>
+    <param pos="0" name="os.product" value="Linux"/>
+    <param pos="0" name="os.version" value="10.0"/>
+  </fingerprint>
+
   <fingerprint pattern="^(?:BIND )?(9.[^-]+(?:-[SP]\d)?)-9\+deb8u\d+-Raspbian$">
     <description>ISC BIND: Raspbian based on Debian Jessie</description>
     <example service.version="9.9.5">9.9.5-9+deb8u7-Raspbian</example>
@@ -625,6 +691,34 @@
     <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows_server_2008:-"/>
   </fingerprint>
 
+  <!-- This value is a spoofed value. There isn't a publicly available version
+       of Windows with build 6.0.6100 and this explicit string is used in an
+       example of how to change your version on BIND. We tested servers reporting
+       this string and NONE of them were Windows DNS.
+       This fingerprint serves to prevent someone who doesn't know from creating
+       one and stops further pattern matching efforts.
+  -->
+
+  <fingerprint pattern="^Microsoft DNS 6.0.6100 \(2AEF76E\)$">
+    <description>SPOOFED - Microsoft DNS on Windows 2008 SP something</description>
+    <example>Microsoft DNS 6.0.6100 (2AEF76E)</example>
+  </fingerprint>
+
+  <fingerprint pattern="^Microsoft DNS 6.0.6003(?: \(\w+\))?$">
+    <description>Microsoft DNS on Windows 2008 Service Pack 2 - Preview Rollup KB4489887 and later</description>
+    <example>Microsoft DNS 6.0.6003 (1773501D)</example>
+    <param pos="0" name="service.vendor" value="Microsoft"/>
+    <param pos="0" name="service.family" value="DNS"/>
+    <param pos="0" name="service.product" value="DNS"/>
+    <param pos="0" name="service.version" value="6.0.6003"/>
+    <param pos="0" name="os.vendor" value="Microsoft"/>
+    <param pos="0" name="os.family" value="Windows"/>
+    <param pos="0" name="os.product" value="Windows Server 2008"/>
+    <param pos="0" name="os.version" value="Service Pack 2"/>
+    <param pos="0" name="os.build" value="6.0.6003"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows_server_2008:Service Pack 2"/>
+  </fingerprint>
+
   <fingerprint pattern="^Microsoft DNS 6.0.6002(?: \(\w+\))?$">
     <description>Microsoft DNS on Windows 2008 Service Pack 2</description>
     <example>Microsoft DNS 6.0.6002 (17724D35)</example>
@@ -788,8 +882,8 @@
 
   <fingerprint pattern="^CleanBrowsing v([^ ]+) - (.*)">
     <description>CleanBrowsing DNS Server</description>
-    <example service.vendor="CleanBrowsing" service.family="CleanBrowsing" service.version="1.5a" service.node="dns-edge-usa-west-sunnyvale-p">CleanBrowsing v1.5a - dns-edge-usa-west-sunnyvale-p</example>
-    <example service.vendor="CleanBrowsing" service.family="CleanBrowsing" service.version="1.4a" service.node="dns-edge-usa-west-sunnyvale.cleanbrowsing.org">CleanBrowsing v1.4a - dns-edge-usa-west-sunnyvale.cleanbrowsing.org</example>
+    <example service.version="1.5a" service.node="dns-edge-usa-west-sunnyvale-p">CleanBrowsing v1.5a - dns-edge-usa-west-sunnyvale-p</example>
+    <example service.version="1.4a" service.node="dns-edge-usa-west-sunnyvale.cleanbrowsing.org">CleanBrowsing v1.4a - dns-edge-usa-west-sunnyvale.cleanbrowsing.org</example>
     <param pos="0" name="service.vendor" value="CleanBrowsing"/>
     <param pos="0" name="service.family" value="CleanBrowsing"/>
     <param pos="0" name="service.product" value="DNS"/>
@@ -809,7 +903,7 @@
 
   <fingerprint pattern="^Q9-[^\-]-(.*)$">
     <description>Quad9 Resolver</description>
-    <example service.vendor="IBM" service.family="Quad9" service.product="DNS" service.version="6.0">Q9-P-6.0</example>
+    <example service.version="6.0">Q9-P-6.0</example>
     <param pos="0" name="service.vendor" value="IBM"/>
     <param pos="0" name="service.family" value="Quad9"/>
     <param pos="0" name="service.product" value="DNS"/>
@@ -818,10 +912,18 @@
 
   <fingerprint pattern="^keweonDNS v\.(.*)$">
     <description>Keweon DNS</description>
-    <example service.vendor="Keweon" service.product="DNS" service.version="9.63.7201">keweonDNS v.9.63.7201</example>
+    <example service.version="9.63.7201">keweonDNS v.9.63.7201</example>
     <param pos="0" name="service.vendor" value="Keweon"/>
     <param pos="0" name="service.product" value="DNS"/>
     <param pos="1" name="service.version"/>
   </fingerprint>
 
+  <fingerprint pattern="^Version: recursive-main/(\d+)$">
+    <description>Akamai AnswerX DNS server</description>
+    <example service.version="22386077">Version: recursive-main/22386077</example>
+    <param pos="0" name="service.vendor" value="Akamai"/>
+    <param pos="0" name="service.product" value="AnswerX"/>
+    <param pos="1" name="service.version"/>
+  </fingerprint>
+
 </fingerprints>

data/xml/favicons.xml

@@ -362,11 +362,12 @@
     <param pos="0" name="service.cpe23" value="cpe:/a:jetbrains:teamcity:-"/>
   </fingerprint>
 
-  <fingerprint pattern="^e48c482f8f5a8e5a6249b21a39f911e7$"><description>Cockroach DB Console</description>
+  <fingerprint pattern="^e48c482f8f5a8e5a6249b21a39f911e7$">
+    <description>Cockroach DB Console</description>
     <example>e48c482f8f5a8e5a6249b21a39f911e7</example>
     <param pos="0" name="service.vendor" value="Cockroach Labs"/>
     <param pos="0" name="service.product" value="CockroachDB"/>
-	  <param pos="0" name="service.certainty" value="0.5"/>
+    <param pos="0" name="service.certainty" value="0.5"/>
   </fingerprint>
 
   <fingerprint pattern="^(?:4f21edb50ae95a99bbd4aa0a956a179e|1531801cb9e3047e72034ed34da9d104)$">

data/xml/ftp_banners.xml

@@ -574,6 +574,7 @@ more text
     <param pos="0" name="os.family" value="z/OS"/>
     <param pos="0" name="os.device" value="Mainframe"/>
     <param pos="1" name="os.version"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:ibm:z\/os:{os.version}"/>
     <param pos="2" name="host.name"/>
   </fingerprint>
 

data/xml/http_servers.xml

@@ -1656,6 +1656,24 @@
     <param pos="0" name="service.component.cpe23" value="cpe:/a:sap:netweaver_application_server:-"/>
   </fingerprint>
 
+  <fingerprint pattern="^SAP Internet Graphics Server$">
+    <description>SAP Internet Graphics Server</description>
+    <example>SAP Internet Graphics Server</example>
+    <param pos="0" name="service.vendor" value="SAP"/>
+    <param pos="0" name="service.product" value="Internet Graphics Server"/>
+    <param pos="0" name="service.component.vendor" value="SAP"/>
+    <param pos="0" name="service.component.product" value="NetWeaver Application Server"/>
+    <param pos="0" name="service.component.cpe23" value="cpe:/a:sap:netweaver_application_server:-"/>
+  </fingerprint>
+
+  <fingerprint pattern="^SAP Message Server, release ([\d.]+) \(LNK\)$">
+    <description>SAP Message Server</description>
+    <example service.version="753">SAP Message Server, release 753 (LNK)</example>
+    <param pos="0" name="service.vendor" value="SAP"/>
+    <param pos="0" name="service.product" value="SAP Message Server"/>
+    <param pos="1" name="service.version"/>
+  </fingerprint>
+
   <fingerprint pattern="^SQLAnywhere/([\d.]+)$">
     <description>SAP SQLAnywhere</description>
     <example service.version="16.0.0.2207">SQLAnywhere/16.0.0.2207</example>
@@ -2542,12 +2560,16 @@
        variety of products including printers, PDUs, etc.
   -->
 
-  <fingerprint pattern="^\$ProjectRevision: 4.0.2.38 \$$">
-    <description>This banner is seen on some HP LaserJet printers.</description>
+  <fingerprint pattern="^\$ProjectRevision:[\s\w:]* ([\d\.]+) \$$">
+    <description>This banner is used to see if devices have Treck TCP/IP</description>
     <example>$ProjectRevision: 4.0.2.38 $</example>
-    <param pos="0" name="os.vendor" value="HP"/>
-    <param pos="0" name="os.device" value="Printer"/>
-    <param pos="0" name="os.family" value="LaserJet"/>
+    <example>$ProjectRevision: 4.2 $</example>
+    <example>$ProjectRevision: 6.0.1.5 $</example>
+    <example>$ProjectRevision: Last Checkpoint: 4.2.2.13 $</example>
+    <param pos="0" name="service.vendor" value="Treck"/>
+    <param pos="0" name="service.product" value="TCP/IP"/>
+    <param pos="1" name="service.version"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:treck:tcp\/ip:{service.version}"/>
   </fingerprint>
 
   <fingerprint pattern="^WEBrick/([\d\.]+) .*$">

data/xml/http_wwwauth.xml

@@ -515,9 +515,9 @@
 
   <fingerprint pattern="^(?:Basic|Digest) realm=&quot;NETGEAR (Orbi(?:-(?:micro|mini))?)&quot;.*$">
     <description>Netgear Orbi</description>
-    <example hw.product="Orbi">Basic realm=&quot;NETGEAR Orbi&quot;</example>
-    <example hw.product="Orbi-micro">Basic realm=&quot;NETGEAR Orbi-micro&quot;</example>
-    <example hw.product="Orbi-mini">Basic realm=&quot;NETGEAR Orbi-mini&quot;</example>
+    <example hw.product="Orbi">Basic realm="NETGEAR Orbi"</example>
+    <example hw.product="Orbi-micro">Basic realm="NETGEAR Orbi-micro"</example>
+    <example hw.product="Orbi-mini">Basic realm="NETGEAR Orbi-mini"</example>
     <param pos="0" name="hw.vendor" value="Netgear"/>
     <param pos="0" name="hw.device" value="WAP"/>
     <param pos="0" name="hw.family" value="Orbi"/>
@@ -526,9 +526,9 @@
 
   <fingerprint pattern="(?:Basic|Digest) realm=&quot;NETGEAR ([a-zA-Z0-9\-\+]+)\s*&quot;.*$">
     <description>Netgear Routers</description>
-    <example hw.product="DG834">Basic realm=&quot;NETGEAR DG834  &quot;</example>
-    <example hw.product="C7000v2">Basic realm=&quot;NETGEAR C7000v2&quot;</example>
-    <example hw.product="R7000P">Basic realm=&quot;NETGEAR R7000P&quot;</example>
+    <example hw.product="DG834">Basic realm="NETGEAR DG834  "</example>
+    <example hw.product="C7000v2">Basic realm="NETGEAR C7000v2"</example>
+    <example hw.product="R7000P">Basic realm="NETGEAR R7000P"</example>
     <param pos="0" name="hw.vendor" value="Netgear"/>
     <param pos="0" name="hw.device" value="Router"/>
     <param pos="1" name="hw.product"/>
@@ -538,7 +538,7 @@
 
   <fingerprint pattern="(?:Basic|Digest) realm=&quot;Netgear&quot;.*$">
     <description>Netgear Unspecified Router</description>
-    <example>Basic realm=&quot;Netgear&quot;</example>
+    <example>Basic realm="Netgear"</example>
     <param pos="0" name="hw.vendor" value="Netgear"/>
     <param pos="0" name="hw.device" value="Router"/>
   </fingerprint>

data/xml/snmp_sysdescr.xml

@@ -3353,6 +3353,7 @@ Copyright (c) 1995-2005 by Cisco Systems
     <param pos="0" name="os.vendor" value="IBM"/>
     <param pos="0" name="os.family" value="z/OS"/>
     <param pos="0" name="os.product" value="z/OS"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:ibm:z\/os:-"/>
   </fingerprint>
 
   <fingerprint pattern="^BladeCenter Management Module$">

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: recog
 version: !ruby/object:Gem::Version
-  version: 2.3.10
+  version: 2.3.11
 platform: ruby
 authors:
 - Rapid7 Research
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-07-14 00:00:00.000000000 Z
+date: 2020-07-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec