recog 2.3.15 → 2.3.20

Files changed (53) hide show
  1. checksums.yaml +4 -4
  2. data/.github/workflows/ci.yml +26 -0
  3. data/.snyk +10 -0
  4. data/LICENSE +1 -1
  5. data/bin/recog_standardize +8 -2
  6. data/cpe-remap.yaml +314 -170
  7. data/identifiers/README.md +24 -10
  8. data/identifiers/fields.txt +104 -0
  9. data/identifiers/hw_device.txt +5 -4
  10. data/identifiers/hw_family.txt +17 -0
  11. data/identifiers/hw_product.txt +87 -6
  12. data/identifiers/os_architecture.txt +0 -10
  13. data/identifiers/os_device.txt +12 -31
  14. data/identifiers/os_family.txt +2 -94
  15. data/identifiers/os_product.txt +45 -124
  16. data/identifiers/service_family.txt +14 -37
  17. data/identifiers/service_product.txt +283 -88
  18. data/identifiers/vendor.txt +99 -192
  19. data/lib/recog/version.rb +1 -1
  20. data/requirements.txt +1 -1
  21. data/update_cpes.py +110 -49
  22. data/xml/apache_modules.xml +60 -0
  23. data/xml/dns_versionbind.xml +40 -17
  24. data/xml/favicons.xml +163 -20
  25. data/xml/ftp_banners.xml +25 -25
  26. data/xml/hp_pjl_id.xml +1 -1
  27. data/xml/html_title.xml +561 -51
  28. data/xml/http_cookies.xml +266 -61
  29. data/xml/http_servers.xml +472 -96
  30. data/xml/http_wwwauth.xml +53 -26
  31. data/xml/ldap_searchresult.xml +10 -6
  32. data/xml/mdns_device-info_txt.xml +308 -10
  33. data/xml/ntp_banners.xml +15 -1
  34. data/xml/operating_system.xml +1 -0
  35. data/xml/rtsp_servers.xml +7 -0
  36. data/xml/sip_banners.xml +346 -8
  37. data/xml/sip_user_agents.xml +321 -7
  38. data/xml/smb_native_lm.xml +32 -1
  39. data/xml/smb_native_os.xml +158 -33
  40. data/xml/smtp_banners.xml +48 -7
  41. data/xml/smtp_expn.xml +1 -0
  42. data/xml/smtp_help.xml +2 -0
  43. data/xml/smtp_vrfy.xml +3 -1
  44. data/xml/snmp_sysdescr.xml +211 -42
  45. data/xml/ssh_banners.xml +127 -14
  46. data/xml/telnet_banners.xml +44 -14
  47. data/xml/tls_jarm.xml +140 -0
  48. data/xml/x509_issuers.xml +179 -7
  49. data/xml/x509_subjects.xml +252 -35
  50. metadata +6 -5
  51. data/identifiers/software_class.txt +0 -26
  52. data/identifiers/software_family.txt +0 -91
  53. data/identifiers/software_product.txt +0 -333
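--- a/data/lib/recog/version.rb
+++ b/data/lib/recog/version.rb
@@ -1,3 +1,3 @@
  module Recog
- VERSION = '2.3.15'
+ VERSION = '2.3.20'
  end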
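--- a/data/requirements.txt
+++ b/data/requirements.txt
@@ -1,2 +1,2 @@
- lxml==4.5.1
+ lxml==4.6.3
  pyyaml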
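--- a/data/update_cpes.py
+++ b/data/update_cpes.py
@@ -1,28 +1,37 @@
  #!/usr/bin/env python
 
- import yaml
  import logging
  import re
  import sys
 
+ import yaml
  from lxml import etree
 
  def parse_r7_remapping(file):
  with open(file) as remap_file:
- return yaml.load(remap_file)["mappings"]
+ return yaml.safe_load(remap_file)["mappings"]
 
  def parse_cpe_vp_map(file):
  vp_map = {} # cpe_type -> vendor -> products
  parser = etree.XMLParser(remove_comments=False)
  doc = etree.parse(file, parser)
  namespaces = {'ns': 'http://cpe.mitre.org/dictionary/2.0', 'meta': 'http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2'}
- for cpe_name in doc.xpath("//ns:cpe-list/ns:cpe-item/@name", namespaces=namespaces):
+ for entry in doc.xpath("//ns:cpe-list/ns:cpe-item", namespaces=namespaces):
+ cpe_name = entry.get("name")
+ if not cpe_name:
+ continue
+
+ # If the entry is deprecated then don't add it to our list of valid CPEs.
+ if entry.get("deprecated"):
+ continue
+
  cpe_match = re.match('^cpe:/([aho]):([^:]+):([^:]+)', cpe_name)
+
  if cpe_match:
  cpe_type, vendor, product = cpe_match.group(1, 2, 3)
- if not cpe_type in vp_map:
+ if cpe_type not in vp_map:
  vp_map[cpe_type] = {}
- if not vendor in vp_map[cpe_type]:
+ if vendor not in vp_map[cpe_type]:
  vp_map[cpe_type][vendor] = set()
  product = product.replace('%2f', '/')
  vp_map[cpe_type][vendor].add(product)
@@ -34,12 +43,12 @@ def parse_cpe_vp_map(file):
  def main():
  if len(sys.argv) != 4:
  logging.critical("Expecting exactly 3 arguments; recog XML file, CPE 2.3 XML dictionary, JSON remapping, got %s", (len(sys.argv) - 1))
- exit(1)
+ sys.exit(1)
 
  cpe_vp_map = parse_cpe_vp_map(sys.argv[2])
  if not cpe_vp_map:
  logging.critical("No CPE vendor => product mappings read from CPE 2.3 XML dictionary %s", sys.argv[2])
- exit(1)
+ sys.exit(1)
 
  r7_vp_map = parse_r7_remapping(sys.argv[3])
  if not r7_vp_map:
@@ -47,6 +56,86 @@ def main():
 
  update_cpes(sys.argv[1], cpe_vp_map, r7_vp_map)
 
+ def lookup_cpe(vendor, product, cpe_type, cpe_table, remap):
+ """Identify the correct vendor and product values for a CPE
+
+ This function attempts to determine the correct CPE using vendor and product
+ values supplied by the caller as well as a remapping dictionary for mapping
+ these values to more correct values used by NIST.
+
+ For example, the remapping might tell us that a value of 'alpine' for the
+ vendor string should be 'aplinelinux' instead, or for product 'solaris'
+ should be 'sunos'.
+
+ This function should only emit values seen in the official NIST CPE list
+ which is provided to it in cpe_table.
+
+ Lookup priority:
+ 1. Original vendor / product
+ 2. Original vendor / remap product
+ 3. Remap vendor / original product
+ 4. Remap vendor / remap product
+
+ Args:
+ vendor (str): vendor name
+ product (str): product name
+ cpe_type (str): CPE type - o, a, h, etc.
+ cpe_table (dict): dict containing the official NIST CPE data
+ remap (dict): dict containing the remapping values
+ Returns:
+ success, vendor, product
+ """
+
+ if (
+ vendor in cpe_table[cpe_type]
+ and product in cpe_table[cpe_type][vendor]
+ ):
+ # Hot path, success with original values
+ return True, vendor, product
+
+ # Everything else depends on a remap of some sort.
+ # get the remappings for this one vendor string.
+ vendor_remap = None
+
+ remap_type = remap.get(cpe_type, None)
+ if remap_type:
+ vendor_remap = remap_type.get(vendor, None)
+
+ if vendor_remap:
+ # If we have product remappings, work that angle next
+ possible_product = None
+ if (
+ vendor_remap.get('products', None)
+ and product in vendor_remap['products']
+ ):
+ possible_product = vendor_remap['products'][product]
+
+ if (vendor in cpe_table[cpe_type]
+ and possible_product
+ and possible_product in cpe_table[cpe_type][vendor]):
+ # Found original vendor, remap product
+ return True, vendor, possible_product
+
+ # Start working the process to find a match with a remapped vendor name
+ if vendor_remap.get('vendor', None):
+ new_vendor = vendor_remap['vendor']
+
+ if new_vendor in cpe_table[cpe_type]:
+
+ if product in cpe_table[cpe_type][new_vendor]:
+ # Found remap vendor, original product
+ return True, new_vendor, product
+
+ if possible_product and possible_product in cpe_table[cpe_type][new_vendor]:
+ # Found remap vendor, remap product
+ return True, new_vendor, possible_product
+
+
+ logging.error("Product %s from vendor %s invalid for CPE %s and no mapping",
+ product, vendor, cpe_type)
+ return False, None, None
+
+
  def update_cpes(xml_file, cpe_vp_map, r7_vp_map):
  parser = etree.XMLParser(remove_comments=False, remove_blank_text=True)
  doc = etree.parse(xml_file, parser)
@@ -114,55 +203,27 @@ def update_cpes(xml_file, cpe_vp_map, r7_vp_map):
  continue
 
  vendor = vendor.lower().replace(' ', '_').replace(',', '')
- product = product.lower().replace(' ', '_').replace(',', '')
+ product = product.lower().replace(' ', '_').replace(',', '').replace('!', '%21')
  if 'unknown' in [vendor, product]:
  continue
 
  if (vendor.startswith('{') and vendor.endswith('}')) or (product.startswith('{') and product.endswith('}')):
  continue
 
- remapped_vendor = False
- og_vendor = vendor
- if not vendor in cpe_vp_map[cpe_type]:
- if vendor in r7_vp_map:
- vendor = r7_vp_map[vendor]['vendor']
- remapped_vendor = True
- if not vendor in cpe_vp_map[cpe_type]:
- logging.error("Remapped vendor %s (remapped from %s) invalid for CPE %s (product %s)", vendor, og_vendor, cpe_type, product)
- continue
- else:
- logging.error("Vendor %s invalid for CPE %s and no remapping (product %s)", vendor, cpe_type, product)
- continue
-
-
- # if the product as specified is not found in the CPE dictionary for this vendor
- if not product in cpe_vp_map[cpe_type][vendor]:
- # if this vendor has a remapping from R7
- if og_vendor in r7_vp_map and 'products' in r7_vp_map[og_vendor]:
- # if this product has a remapping for this vendor from R7
- if product in r7_vp_map[og_vendor]['products']:
- og_product = product
- product = r7_vp_map[og_vendor]['products'][product]
- # ensure that the remapped product is valid for the given vendor in CPE
- if not product in cpe_vp_map[cpe_type][vendor]:
- logging.error("Remapped product %s (remapped from %s) from vendor %s invalid for CPE %s", product, og_product, vendor, cpe_type)
- continue
- else:
- if remapped_vendor:
- logging.error("Product %s from vendor %s (remapped from %s) invalid for CPE %s and no mapping", product, vendor, og_vendor, cpe_type)
- else:
- logging.error("Product %s from vendor %s invalid for CPE %s and no mapping", product, vendor, cpe_type)
- continue
- else:
- if remapped_vendor:
- logging.error("Vendor %s (remapped from %s) is valid for CPE %s but product %s not valid and no mapping", vendor, og_vendor, cpe_type, product)
- else:
- logging.error("Vendor %s is valid for CPE %s but product %s not valid and no mapping", vendor, cpe_type, product)
- continue
+ success, vendor, product = lookup_cpe(vendor, product, cpe_type, cpe_vp_map, r7_vp_map)
+ if not success:
+ continue
+
+ # Sanity check the value to ensure that no invalid values will
+ # slip in due to logic or mapping bugs.
+ # If it's not in the official NIST list then log it and kick it out
+ if product not in cpe_vp_map[cpe_type][vendor]:
+ logging.error("Invalid CPE type %s created for vendor %s and product %s. This may be due to an invalid mapping.", cpe_type, vendor, product)
+ continue
 
  # building the CPE string
- # Last minute escaping of '/'
- product = product.replace('/', '\/')
+ # Last minute escaping of '/' and `!`
+ product = product.replace('/', '\/').replace('%21', '\!')
  cpe_value = 'cpe:/{}:{}:{}'.format(cpe_type, vendor, product)
 
  if version:
@@ -185,5 +246,5 @@ def update_cpes(xml_file, cpe_vp_map, r7_vp_map):
  xml_out.write(etree.tostring(root, pretty_print=True, xml_declaration=True, encoding=doc.docinfo.encoding))
 
  if __name__ == '__main__':
- try: exit(main())
+ try: sys.exit(main())
  except KeyboardInterrupt: pass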
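Review bot: Both `etree.XMLParser(...)` calls on the new side (new line 16 in `parse_cpe_vp_map` and new line 140 in `update_cpes`) still rely on lxml's default entity handling, even though the remap loader in the same file is now `yaml.safe_load`. If the CPE dictionary or the fingerprint XML can come from outside the repository, passing `resolve_entities=False`, e.g. `parser = etree.XMLParser(remove_comments=False, resolve_entities=False)`, would keep a DTD in the input from being expanded during parsing; this assumes the fingerprint files do not rely on custom entities. Separately, `'\/'` and `'\!'` in the final escaping line (new line 226) are unrecognised string escapes that recent Python versions warn about, and `'\\/'` and `'\\!'` produce the same text. The body of `update_cpes` continues outside the visible hunks.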
@@ -220,6 +220,36 @@
220
220
  <param pos="0" name="service.component.product" value="mod_auth_ldap"/>
221
221
  </fingerprint>
222
222
 
223
+ <fingerprint pattern="mod_auth_oracle/(\S+)$">
224
+ <description>mod_auth_oracle with version</description>
225
+ <example service.component.version="1.2.3">mod_auth_oracle/1.2.3</example>
226
+ <param pos="0" name="service.component.vendor" value="Apache"/>
227
+ <param pos="0" name="service.component.product" value="mod_auth_oracle"/>
228
+ <param pos="1" name="service.component.version"/>
229
+ </fingerprint>
230
+
231
+ <fingerprint pattern="mod_auth_oracle/?$">
232
+ <description>mod_auth_oracle without version</description>
233
+ <example>mod_auth_oracle/</example>
234
+ <param pos="0" name="service.component.vendor" value="Apache"/>
235
+ <param pos="0" name="service.component.product" value="mod_auth_oracle"/>
236
+ </fingerprint>
237
+
238
+ <fingerprint pattern="mod_auth_pgsql/(\S+)$">
239
+ <description>mod_auth_pgsql with version</description>
240
+ <example service.component.version="1.2.3">mod_auth_pgsql/1.2.3</example>
241
+ <param pos="0" name="service.component.vendor" value="Apache"/>
242
+ <param pos="0" name="service.component.product" value="mod_auth_pgsql"/>
243
+ <param pos="1" name="service.component.version"/>
244
+ </fingerprint>
245
+
246
+ <fingerprint pattern="mod_auth_pgsql/?$">
247
+ <description>mod_auth_pgsql without version</description>
248
+ <example>mod_auth_pgsql/</example>
249
+ <param pos="0" name="service.component.vendor" value="Apache"/>
250
+ <param pos="0" name="service.component.product" value="mod_auth_pgsql"/>
251
+ </fingerprint>
252
+
223
253
  <fingerprint pattern="mod_auth_radius/(\S+)$">
224
254
  <description>mod_auth_radius with version</description>
225
255
  <example service.component.version="1.2.3">mod_auth_radius/1.2.3</example>
@@ -978,6 +1008,36 @@
978
1008
  <param pos="0" name="service.component.product" value="mod_filter"/>
979
1009
  </fingerprint>
980
1010
 
1011
+ <fingerprint pattern="mod_frontpage/(\S+)$">
1012
+ <description>mod_frontpage with version</description>
1013
+ <example service.component.version="1.2.3">mod_frontpage/1.2.3</example>
1014
+ <param pos="0" name="service.component.vendor" value="Apache"/>
1015
+ <param pos="0" name="service.component.product" value="mod_frontpage"/>
1016
+ <param pos="1" name="service.component.version"/>
1017
+ </fingerprint>
1018
+
1019
+ <fingerprint pattern="mod_frontpage/?$">
1020
+ <description>mod_frontpage without version</description>
1021
+ <example>mod_frontpage/</example>
1022
+ <param pos="0" name="service.component.vendor" value="Apache"/>
1023
+ <param pos="0" name="service.component.product" value="mod_frontpage"/>
1024
+ </fingerprint>
1025
+
1026
+ <fingerprint pattern="mod_gzip/(\S+)$">
1027
+ <description>mod_gzip with version</description>
1028
+ <example service.component.version="1.2.3">mod_gzip/1.2.3</example>
1029
+ <param pos="0" name="service.component.vendor" value="Apache"/>
1030
+ <param pos="0" name="service.component.product" value="mod_gzip"/>
1031
+ <param pos="1" name="service.component.version"/>
1032
+ </fingerprint>
1033
+
1034
+ <fingerprint pattern="mod_gzip/?$">
1035
+ <description>mod_gzip without version</description>
1036
+ <example>mod_gzip/</example>
1037
+ <param pos="0" name="service.component.vendor" value="Apache"/>
1038
+ <param pos="0" name="service.component.product" value="mod_gzip"/>
1039
+ </fingerprint>
1040
+
981
1041
  <fingerprint pattern="mod_headers/(\S+)$">
982
1042
  <description>mod_headers with version</description>
983
1043
  <example service.component.version="1.2.3">mod_headers/1.2.3</example>
@@ -427,7 +427,7 @@
427
427
  <param pos="0" name="service.cpe23" value="cpe:/a:powerdns:authoritative_server:{service.version}"/>
428
428
  </fingerprint>
429
429
 
430
- <fingerprint pattern="^PowerDNS Authoritative Server (\d\.[\w.]+(?:-rc\d)?(?:-alpha\d)?(?:-beta\d)?[^ ]*) \(built [\w\s:]+ by [\w]+\@[\w.-:-]*\)$">
430
+ <fingerprint pattern="^PowerDNS Authoritative Server (\d\.[\w.]+(?:-rc\d)?(?:-alpha\d)?(?:-beta\d)?[^ ]*) \(built [\w\s:]+ by [\w]+\@[\w.:-]*\)$">
431
431
  <description>PowerDNS Authoritative Server: format 2</description>
432
432
  <example service.version="4.0.4">PowerDNS Authoritative Server 4.0.4 (built Jul 26 2017 15:04:27 by root@FreeBSD:11:amd64-default-job-03)</example>
433
433
  <example service.version="4.0.0-rc2">PowerDNS Authoritative Server 4.0.0-rc2 (built Jul 4 2016 15:44:39 by root@foo-bar.baz)</example>
@@ -619,17 +619,18 @@
619
619
  dnscmd /config /EnableVersionQuery 1
620
620
  -->
621
621
 
622
- <fingerprint pattern="^Microsoft DNS (10.0.\d+)(?: \(\w+\))?$">
622
+ <fingerprint pattern="^Microsoft DNS (10.0.\d+)(?: \(([^)]+)\))?$">
623
623
  <description>Microsoft DNS on Windows 2016: GA</description>
624
624
  <!-- Windows 10 / 2016 moved towards a rolling release so capturing build
625
625
  is required unlike other Windows versions where we use a fixed string.
626
626
  -->
627
627
 
628
- <example service.version="10.0.14393" os.build="10.0.14393">Microsoft DNS 10.0.14393 (383900CE)</example>
628
+ <example service.version="10.0.14393" os.build="10.0.14393" service.version.version="383900CE">Microsoft DNS 10.0.14393 (383900CE)</example>
629
629
  <param pos="0" name="service.vendor" value="Microsoft"/>
630
630
  <param pos="0" name="service.family" value="DNS"/>
631
631
  <param pos="0" name="service.product" value="DNS"/>
632
632
  <param pos="1" name="service.version"/>
633
+ <param pos="2" name="service.version.version"/>
633
634
  <param pos="0" name="os.vendor" value="Microsoft"/>
634
635
  <param pos="0" name="os.family" value="Windows"/>
635
636
  <param pos="0" name="os.product" value="Windows Server 2016"/>
@@ -637,13 +638,14 @@
637
638
  <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows_server_2016:-"/>
638
639
  </fingerprint>
639
640
 
640
- <fingerprint pattern="^Microsoft DNS 6.3.9600(?: \(\w+\))?$">
641
+ <fingerprint pattern="^Microsoft DNS 6.3.9600(?: \(([^)]+)\))?$">
641
642
  <description>Microsoft DNS on Windows 2012 R2</description>
642
- <example>Microsoft DNS 6.3.9600 (25804825)</example>
643
+ <example service.version.version="25804825">Microsoft DNS 6.3.9600 (25804825)</example>
643
644
  <param pos="0" name="service.vendor" value="Microsoft"/>
644
645
  <param pos="0" name="service.family" value="DNS"/>
645
646
  <param pos="0" name="service.product" value="DNS"/>
646
647
  <param pos="0" name="service.version" value="6.3.9600"/>
648
+ <param pos="1" name="service.version.version"/>
647
649
  <param pos="0" name="os.vendor" value="Microsoft"/>
648
650
  <param pos="0" name="os.family" value="Windows"/>
649
651
  <param pos="0" name="os.product" value="Windows Server 2012 R2"/>
@@ -651,13 +653,14 @@
651
653
  <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows_server_2012:-"/>
652
654
  </fingerprint>
653
655
 
654
- <fingerprint pattern="^Microsoft DNS 6.2.9200(?: \(\w+\))?$">
656
+ <fingerprint pattern="^Microsoft DNS 6.2.9200(?: \(([^)]+)\))?$">
655
657
  <description>Microsoft DNS on Windows 2012</description>
656
- <example>Microsoft DNS 6.2.9200 (23F04000)</example>
658
+ <example service.version.version="23F04000">Microsoft DNS 6.2.9200 (23F04000)</example>
657
659
  <param pos="0" name="service.vendor" value="Microsoft"/>
658
660
  <param pos="0" name="service.family" value="DNS"/>
659
661
  <param pos="0" name="service.product" value="DNS"/>
660
662
  <param pos="0" name="service.version" value="6.2.9200"/>
663
+ <param pos="1" name="service.version.version"/>
661
664
  <param pos="0" name="os.vendor" value="Microsoft"/>
662
665
  <param pos="0" name="os.family" value="Windows"/>
663
666
  <param pos="0" name="os.product" value="Windows Server 2012"/>
@@ -665,14 +668,15 @@
665
668
  <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows_server_2012:-"/>
666
669
  </fingerprint>
667
670
 
668
- <fingerprint pattern="^Microsoft DNS 6.1.7601(?: \(\w+\))?$">
671
+ <fingerprint pattern="^Microsoft DNS 6.1.7601(?: \(([^)]+)\))?$">
669
672
  <description>Microsoft DNS on Windows 2008 R2 Service Pack 1</description>
670
- <example>Microsoft DNS 6.1.7601 (1DB15CD4)</example>
673
+ <example service.version.version="1DB15CD4">Microsoft DNS 6.1.7601 (1DB15CD4)</example>
671
674
  <example>Microsoft DNS 6.1.7601</example>
672
675
  <param pos="0" name="service.vendor" value="Microsoft"/>
673
676
  <param pos="0" name="service.family" value="DNS"/>
674
677
  <param pos="0" name="service.product" value="DNS"/>
675
678
  <param pos="0" name="service.version" value="6.1.7601"/>
679
+ <param pos="1" name="service.version.version"/>
676
680
  <param pos="0" name="os.vendor" value="Microsoft"/>
677
681
  <param pos="0" name="os.family" value="Windows"/>
678
682
  <param pos="0" name="os.product" value="Windows Server 2008 R2"/>
@@ -681,13 +685,14 @@
681
685
  <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows_server_2008:Service Pack 1"/>
682
686
  </fingerprint>
683
687
 
684
- <fingerprint pattern="^Microsoft DNS 6.1.7600(?: \(\w+\))?$">
688
+ <fingerprint pattern="^Microsoft DNS 6.1.7600(?: \(([^)]+)\))?$">
685
689
  <description>Microsoft DNS on Windows 2008 R2</description>
686
- <example>Microsoft DNS 6.1.7600 (1DB04228)</example>
690
+ <example service.version.version="1DB04228">Microsoft DNS 6.1.7600 (1DB04228)</example>
687
691
  <param pos="0" name="service.vendor" value="Microsoft"/>
688
692
  <param pos="0" name="service.family" value="DNS"/>
689
693
  <param pos="0" name="service.product" value="DNS"/>
690
694
  <param pos="0" name="service.version" value="6.1.7600"/>
695
+ <param pos="1" name="service.version.version"/>
691
696
  <param pos="0" name="os.vendor" value="Microsoft"/>
692
697
  <param pos="0" name="os.family" value="Windows"/>
693
698
  <param pos="0" name="os.product" value="Windows Server 2008 R2"/>
@@ -708,13 +713,14 @@
708
713
  <example>Microsoft DNS 6.0.6100 (2AEF76E)</example>
709
714
  </fingerprint>
710
715
 
711
- <fingerprint pattern="^Microsoft DNS 6.0.6003(?: \(\w+\))?$">
716
+ <fingerprint pattern="^Microsoft DNS 6.0.6003(?: \(([^)]+)\))?$">
712
717
  <description>Microsoft DNS on Windows 2008 Service Pack 2 - Preview Rollup KB4489887 and later</description>
713
- <example>Microsoft DNS 6.0.6003 (1773501D)</example>
718
+ <example service.version.version="1773501D">Microsoft DNS 6.0.6003 (1773501D)</example>
714
719
  <param pos="0" name="service.vendor" value="Microsoft"/>
715
720
  <param pos="0" name="service.family" value="DNS"/>
716
721
  <param pos="0" name="service.product" value="DNS"/>
717
722
  <param pos="0" name="service.version" value="6.0.6003"/>
723
+ <param pos="1" name="service.version.version"/>
718
724
  <param pos="0" name="os.vendor" value="Microsoft"/>
719
725
  <param pos="0" name="os.family" value="Windows"/>
720
726
  <param pos="0" name="os.product" value="Windows Server 2008"/>
@@ -723,13 +729,14 @@
723
729
  <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows_server_2008:Service Pack 2"/>
724
730
  </fingerprint>
725
731
 
726
- <fingerprint pattern="^Microsoft DNS 6.0.6002(?: \(\w+\))?$">
732
+ <fingerprint pattern="^Microsoft DNS 6.0.6002(?: \(([^)]+)\))?$">
727
733
  <description>Microsoft DNS on Windows 2008 Service Pack 2</description>
728
- <example>Microsoft DNS 6.0.6002 (17724D35)</example>
734
+ <example service.version.version="17724D35">Microsoft DNS 6.0.6002 (17724D35)</example>
729
735
  <param pos="0" name="service.vendor" value="Microsoft"/>
730
736
  <param pos="0" name="service.family" value="DNS"/>
731
737
  <param pos="0" name="service.product" value="DNS"/>
732
738
  <param pos="0" name="service.version" value="6.0.6002"/>
739
+ <param pos="1" name="service.version.version"/>
733
740
  <param pos="0" name="os.vendor" value="Microsoft"/>
734
741
  <param pos="0" name="os.family" value="Windows"/>
735
742
  <param pos="0" name="os.product" value="Windows Server 2008"/>
@@ -738,13 +745,14 @@
738
745
  <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows_server_2008:Service Pack 2"/>
739
746
  </fingerprint>
740
747
 
741
- <fingerprint pattern="^Microsoft DNS 6.0.6001(?: \(\w+\))?$">
748
+ <fingerprint pattern="^Microsoft DNS 6.0.6001(?: \(([^)]+)\))?$">
742
749
  <description>Microsoft DNS on Windows 2008 Service Pack 1</description>
743
- <example>Microsoft DNS 6.0.6001 (17714726)</example>
750
+ <example service.version.version="17714726">Microsoft DNS 6.0.6001 (17714726)</example>
744
751
  <param pos="0" name="service.vendor" value="Microsoft"/>
745
752
  <param pos="0" name="service.family" value="DNS"/>
746
753
  <param pos="0" name="service.product" value="DNS"/>
747
754
  <param pos="0" name="service.version" value="6.0.6001"/>
755
+ <param pos="1" name="service.version.version"/>
748
756
  <param pos="0" name="os.vendor" value="Microsoft"/>
749
757
  <param pos="0" name="os.family" value="Windows"/>
750
758
  <param pos="0" name="os.product" value="Windows Server 2008"/>
@@ -753,6 +761,21 @@
753
761
  <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows_server_2008:Service Pack 1"/>
754
762
  </fingerprint>
755
763
 
764
+ <fingerprint pattern="^Microsoft DNS 5.2.3790(?: \(([^)]+)\))?$">
765
+ <description>Microsoft DNS on Windows 2003</description>
766
+ <example service.version.version="ECE135D">Microsoft DNS 5.2.3790 (ECE135D)</example>
767
+ <param pos="0" name="service.vendor" value="Microsoft"/>
768
+ <param pos="0" name="service.family" value="DNS"/>
769
+ <param pos="0" name="service.product" value="DNS"/>
770
+ <param pos="0" name="service.version" value="5.2.3790"/>
771
+ <param pos="1" name="service.version.version"/>
772
+ <param pos="0" name="os.vendor" value="Microsoft"/>
773
+ <param pos="0" name="os.family" value="Windows"/>
774
+ <param pos="0" name="os.product" value="Windows Server 2003"/>
775
+ <param pos="0" name="os.build" value="5.2.3790"/>
776
+ <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows_server_2003:-"/>
777
+ </fingerprint>
778
+
756
779
  <fingerprint pattern="^DNSServer$">
757
780
  <description>Synology DNS service</description>
758
781
  <example>DNSServer</example>
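Review bot: The capture feeding the new `service.version.version` field accepts any run of non-`)` characters (`[^)]+`), which is looser than the `\w+` it replaces and looser than the hexadecimal tokens in every example; this applies to the Microsoft DNS patterns at new lines 622, 641, 656, 671, 688, 716, 732, 748 and 764. Because version.bind text is supplied by the remote server, the emitted field can now carry spaces, quotes or markup into whatever consumes the match, so `\(([0-9A-Fa-f]+)\)` would be a tighter fit unless a wider banner has actually been observed. The unescaped dots in the version literals of the same patterns (e.g. `10.0.\d+`, `6.3.9600`) match any character and could be written as `\.`.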