recog 2.3.16 → 2.3.17

data/lib/recog/version.rb

@@ -1,3 +1,3 @@
 module Recog
-  VERSION = '2.3.16'
+  VERSION = '2.3.17'
 end

data/requirements.txt

@@ -1,2 +1,2 @@
-lxml==4.5.1
+lxml==4.6.2
 pyyaml

data/update_cpes.py

@@ -1,10 +1,10 @@
 #!/usr/bin/env python
 
-import yaml
 import logging
 import re
 import sys
 
+import yaml
 from lxml import etree
 
 def parse_r7_remapping(file):
@@ -20,9 +20,9 @@ def parse_cpe_vp_map(file):
         cpe_match = re.match('^cpe:/([aho]):([^:]+):([^:]+)', cpe_name)
         if cpe_match:
             cpe_type, vendor, product = cpe_match.group(1, 2, 3)
-            if not cpe_type in vp_map:
+            if cpe_type not in vp_map:
                 vp_map[cpe_type] = {}
-            if not vendor in vp_map[cpe_type]:
+            if vendor not in vp_map[cpe_type]:
                 vp_map[cpe_type][vendor] = set()
             product = product.replace('%2f', '/')
             vp_map[cpe_type][vendor].add(product)
@@ -34,12 +34,12 @@ def parse_cpe_vp_map(file):
 def main():
     if len(sys.argv) != 4:
         logging.critical("Expecting exactly 3 arguments; recog XML file, CPE 2.3 XML dictionary, JSON remapping, got %s", (len(sys.argv) - 1))
-        exit(1)
+        sys.exit(1)
 
     cpe_vp_map = parse_cpe_vp_map(sys.argv[2])
     if not cpe_vp_map:
         logging.critical("No CPE vendor => product mappings read from CPE 2.3 XML dictionary %s", sys.argv[2])
-        exit(1)
+        sys.exit(1)
 
     r7_vp_map = parse_r7_remapping(sys.argv[3])
     if not r7_vp_map:
@@ -47,6 +47,82 @@ def main():
 
     update_cpes(sys.argv[1], cpe_vp_map, r7_vp_map)
 
+def lookup_cpe(vendor, product, cpe_type, cpe_table, remap):
+    """Identify the correct vendor and product values for a CPE
+
+    This function attempts to determine the correct CPE using vendor and product
+    values supplied by the caller as well as a remapping dictionary for mapping
+    these values to more correct values used by NIST.
+
+    For example, the remapping might tell us that a value of 'alpine' for the
+    vendor string should be 'aplinelinux' instead, or for product 'solaris'
+    should be 'sunos'.
+
+    This function should only emit values seen in the official NIST CPE list
+    which is provided to it in cpe_table.
+
+    Lookup priority:
+    1. Original vendor / product
+    2. Original vendor / remap product
+    3. Remap vendor / original product
+    4. Remap vendor / remap product
+
+    Args:
+        vendor (str):  vendor name
+        product (str): product name
+        cpe_type (str): CPE type - o, a, h, etc.
+        cpe_table (dict): dict containing the official NIST CPE data
+        remap (dict): dict containing the remapping values
+    Returns:
+        success, vendor, product
+    """
+
+    if (
+        vendor in cpe_table[cpe_type]
+        and product in cpe_table[cpe_type][vendor]
+    ):
+        # Hot path, success with original values
+        return True, vendor, product
+
+    # Everything else depends on a remap of some sort.
+    # get the remappings for this one vendor string.
+    vendor_remap = remap.get(vendor, None)
+
+    if vendor_remap:
+        # If we have product remappings, work that angle next
+        possible_product = None
+        if (
+            vendor_remap.get('products', None)
+            and product in vendor_remap['products']
+        ):
+            possible_product = vendor_remap['products'][product]
+
+        if (vendor in cpe_table[cpe_type]
+            and possible_product
+            and possible_product in cpe_table[cpe_type][vendor]):
+            # Found original vendor, remap product
+            return True, vendor, possible_product
+
+        # Start working the process to find a match with a remapped vendor name
+        if vendor_remap.get('vendor', None):
+            new_vendor = vendor_remap['vendor']
+
+            if new_vendor in cpe_table[cpe_type]:
+
+                if product in cpe_table[cpe_type][new_vendor]:
+                    # Found remap vendor, original product
+                    return True, new_vendor, product
+
+                if possible_product and possible_product in cpe_table[cpe_type][new_vendor]:
+                    # Found remap vendor, remap product
+                    return True, new_vendor, possible_product
+
+
+    logging.error("Product %s from vendor %s invalid for CPE %s and no mapping",
+                  product, vendor, cpe_type)
+    return False, None, None
+
+
 def update_cpes(xml_file, cpe_vp_map, r7_vp_map):
     parser = etree.XMLParser(remove_comments=False, remove_blank_text=True)
     doc = etree.parse(xml_file, parser)
@@ -121,44 +197,16 @@ def update_cpes(xml_file, cpe_vp_map, r7_vp_map):
                 if (vendor.startswith('{') and vendor.endswith('}')) or (product.startswith('{') and product.endswith('}')):
                     continue
 
-                remapped_vendor = False
-                og_vendor = vendor
-                if not vendor in cpe_vp_map[cpe_type]:
-                    if vendor in r7_vp_map:
-                        vendor = r7_vp_map[vendor]['vendor']
-                        remapped_vendor = True
-                        if not vendor in cpe_vp_map[cpe_type]:
-                            logging.error("Remapped vendor %s (remapped from %s) invalid for CPE %s (product %s)", vendor, og_vendor, cpe_type, product)
-                            continue
-                    else:
-                        logging.error("Vendor %s invalid for CPE %s and no remapping (product %s)", vendor, cpe_type, product)
-                        continue
-
-
-                # if the product as specified is not found in the CPE dictionary for this vendor
-                if not product in cpe_vp_map[cpe_type][vendor]:
-                    # if this vendor has a remapping from R7
-                    if og_vendor in r7_vp_map and 'products' in r7_vp_map[og_vendor]:
-                        # if this product has a remapping for this vendor from R7
-                        if product in r7_vp_map[og_vendor]['products']:
-                            og_product = product
-                            product = r7_vp_map[og_vendor]['products'][product]
-                            # ensure that the remapped product is valid for the given vendor in CPE
-                            if not product in cpe_vp_map[cpe_type][vendor]:
-                                logging.error("Remapped product %s (remapped from %s) from vendor %s invalid for CPE %s", product, og_product, vendor, cpe_type)
-                                continue
-                        else:
-                            if remapped_vendor:
-                                logging.error("Product %s from vendor %s (remapped from %s) invalid for CPE %s and no mapping", product, vendor, og_vendor, cpe_type)
-                            else:
-                                logging.error("Product %s from vendor %s invalid for CPE %s and no mapping", product, vendor, cpe_type)
-                            continue
-                    else:
-                        if remapped_vendor:
-                            logging.error("Vendor %s (remapped from %s) is valid for CPE %s but product %s not valid and no mapping", vendor, og_vendor, cpe_type, product)
-                        else:
-                            logging.error("Vendor %s is valid for CPE %s but product %s not valid and no mapping", vendor, cpe_type, product)
-                        continue
+                success, vendor, product = lookup_cpe(vendor, product, cpe_type, cpe_vp_map, r7_vp_map)
+                if not success:
+                    continue
+
+                # Sanity check the value to ensure that no invalid values will
+                # slip in due to logic or mapping bugs.
+                # If it's not in the official NIST list then log it and kick it out
+                if product not in cpe_vp_map[cpe_type][vendor]:
+                    logging.error("Invalid CPE type %s created for vendor %s and product %s. This may be due to an invalid mapping.", cpe_type, vendor, product)
+                    continue
 
                 # building the CPE string
                 # Last minute escaping of '/'
@@ -185,5 +233,5 @@ def update_cpes(xml_file, cpe_vp_map, r7_vp_map):
         xml_out.write(etree.tostring(root, pretty_print=True, xml_declaration=True, encoding=doc.docinfo.encoding))
 
 if __name__ == '__main__':
-    try: exit(main())
+    try: sys.exit(main())
     except KeyboardInterrupt: pass

data/xml/dns_versionbind.xml

@@ -761,6 +761,21 @@
     <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows_server_2008:Service Pack 1"/>
   </fingerprint>
 
+  <fingerprint pattern="^Microsoft DNS 5.2.3790(?: \(([^)]+)\))?$">
+    <description>Microsoft DNS on Windows 2003</description>
+    <example service.version.version="ECE135D">Microsoft DNS 5.2.3790 (ECE135D)</example>
+    <param pos="0" name="service.vendor" value="Microsoft"/>
+    <param pos="0" name="service.family" value="DNS"/>
+    <param pos="0" name="service.product" value="DNS"/>
+    <param pos="0" name="service.version" value="5.2.3790"/>
+    <param pos="1" name="service.version.version"/>
+    <param pos="0" name="os.vendor" value="Microsoft"/>
+    <param pos="0" name="os.family" value="Windows"/>
+    <param pos="0" name="os.product" value="Windows Server 2003"/>
+    <param pos="0" name="os.build" value="5.2.3790"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows_server_2003:-"/>
+  </fingerprint>
+
   <fingerprint pattern="^DNSServer$">
     <description>Synology DNS service</description>
     <example>DNSServer</example>

data/xml/favicons.xml

@@ -21,6 +21,7 @@
     <param pos="0" name="service.vendor" value="Munin"/>
     <param pos="0" name="service.product" value="Munin"/>
     <param pos="0" name="service.certainty" value="0.5"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:munin-monitoring:munin:-"/>
   </fingerprint>
 
   <fingerprint pattern="^ce849e0d986f73c97aa81290c2052164$">
@@ -57,6 +58,7 @@
     <param pos="0" name="service.vendor" value="Drupal"/>
     <param pos="0" name="service.product" value="CMS"/>
     <param pos="0" name="service.certainty" value="0.5"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:drupal:drupal:-"/>
   </fingerprint>
 
   <fingerprint pattern="^91b72b23e7f499d6c09cb18c7b1278f1$">
@@ -65,6 +67,7 @@
     <param pos="0" name="service.vendor" value="Kodi"/>
     <param pos="0" name="service.product" value="Media Server"/>
     <param pos="0" name="service.certainty" value="0.5"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:kodi:kodi:-"/>
   </fingerprint>
 
   <fingerprint pattern="^d403850756671a93ca205b8128140494$">
@@ -111,8 +114,9 @@
     <description>Moodle</description>
     <example>135aed33c0a7b8f44f0227a71b9ce345</example>
     <param pos="0" name="service.vendor" value="Moodle"/>
-    <param pos="0" name="service.product" value="Moodle CMS"/>
+    <param pos="0" name="service.product" value="Moodle"/>
     <param pos="0" name="service.certainty" value="0.5"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:moodle:moodle:-"/>
   </fingerprint>
 
   <fingerprint pattern="^23ab9cf3907dfc3b047d8b14e7303d0d$">
@@ -146,6 +150,7 @@
     <param pos="0" name="service.vendor" value="ownCloud"/>
     <param pos="0" name="service.product" value="ownCloud Server"/>
     <param pos="0" name="service.certainty" value="0.5"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:owncloud:owncloud:-"/>
   </fingerprint>
 
   <fingerprint pattern="^da897184fba34d5fe72148963f42b577$">
@@ -168,8 +173,10 @@
     <description>Metasploit Pro</description>
     <example>08ff173efec0750dd29ac7f44d972427</example>
     <param pos="0" name="service.vendor" value="Rapid7"/>
-    <param pos="0" name="service.product" value="Metasploit Pro"/>
+    <param pos="0" name="service.product" value="Metasploit"/>
+    <param pos="0" name="service.edition" value="Pro"/>
     <param pos="0" name="service.certainty" value="0.5"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:rapid7:metasploit:-"/>
   </fingerprint>
 
   <fingerprint pattern="^23671ccca2849ae58d1b04c218013382$">
@@ -236,8 +243,9 @@
     <description>Swagger UI</description>
     <example>f983f318b0f0dff7a9303973f36ec45a</example>
     <param pos="0" name="service.vendor" value="Swagger"/>
-    <param pos="0" name="service.product" value="UI"/>
+    <param pos="0" name="service.product" value="Swagger UI"/>
     <param pos="0" name="service.certainty" value="0.5"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:smartbear:swagger_ui:-"/>
   </fingerprint>
 
   <fingerprint pattern="^1c4201c7da53d6c7e48251d3a9680449$">
@@ -272,6 +280,7 @@
     <param pos="0" name="service.vendor" value="Progress"/>
     <param pos="0" name="service.product" value="OpenEdge Explorer"/>
     <param pos="0" name="service.certainty" value="0.5"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:progress:openedge:-"/>
   </fingerprint>
 
   <fingerprint pattern="^297a81069094d00a052733d3a0537d18$">
@@ -280,6 +289,7 @@
     <param pos="0" name="service.vendor" value="CrushFTP"/>
     <param pos="0" name="service.product" value="CrushFTP Web Interface"/>
     <param pos="0" name="service.certainty" value="0.5"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:crushftp:crushftp:-"/>
   </fingerprint>
 
   <fingerprint pattern="^f7728520c81b7a303d8e54d282e13a16$">
@@ -413,7 +423,7 @@
     <example>5856edf7bcbea0817312d9e535e5eb2a</example>
     <example>f4f3cb900258441d5dbc9105b7ab9b44</example>
     <example>c6acedaff906029fc5455d9ec52c7f42</example>
-    <param pos="0" name="service.vendor" value="VMWare"/>
+    <param pos="0" name="service.vendor" value="VMware"/>
     <param pos="0" name="service.product" value="Horizon"/>
     <param pos="0" name="service.certainty" value="0.5"/>
     <param pos="0" name="service.cpe23" value="cpe:/a:vmware:horizon:-"/>
@@ -501,6 +511,7 @@
     <param pos="0" name="service.vendor" value="Lynx Technology"/>
     <param pos="0" name="service.product" value="Twonky Media Server"/>
     <param pos="0" name="service.certainty" value="0.5"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:lynxtechnology:twonky_server:-"/>
   </fingerprint>
 
   <fingerprint pattern="^d14310fffe94d78c0da0c8fadb993f78$">
@@ -958,7 +969,7 @@
     <description>D-Link Network Camera</description>
     <example>842c79ab11f38323fc554afbea5c990a</example>
     <param pos="0" name="hw.vendor" value="D-Link"/>
-    <param pos="0" name="hw.device" value="Web cam"/>
+    <param pos="0" name="hw.device" value="IP Camera"/>
     <param pos="0" name="hw.product" value="DCS-932"/>
     <param pos="0" name="os.certainty" value="0.5"/>
   </fingerprint>
@@ -970,15 +981,21 @@
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="EdgeOS"/>
     <param pos="0" name="os.certainty" value="0.5"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:ui:edgeos:-"/>
     <param pos="0" name="hw.vendor" value="Ubiquiti"/>
     <param pos="0" name="hw.product" value="EdgeSwitch"/>
     <param pos="0" name="hw.certainty" value="0.5"/>
+    <param pos="0" name="hw.cpe23" value="cpe:/h:ui:edgeswitch:-"/>
   </fingerprint>
 
   <fingerprint pattern="^(?:7da8813873190b6e3d7d8957d798bd1e|31ccf4e22ba33dbec54cc357a43a36d3)$">
     <description>OpenMediaVault</description>
     <example>7da8813873190b6e3d7d8957d798bd1e</example>
     <example>31ccf4e22ba33dbec54cc357a43a36d3</example>
+    <param pos="0" name="service.vendor" value="OpenMediaVault"/>
+    <param pos="0" name="service.product" value="OpenMediaVault"/>
+    <param pos="0" name="service.certainty" value="0.5"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:openmediavault:openmediavault:-"/>
     <param pos="0" name="os.vendor" value="OpenMediaVault"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="OpenMediaVault"/>
@@ -990,11 +1007,11 @@
     <description>ELAN Network Camera</description>
     <example>9dac0d6bad34f38552361f3a3b5bab16</example>
     <param pos="0" name="hw.vendor" value="ELAN"/>
-    <param pos="0" name="hw.device" value="Web cam"/>
+    <param pos="0" name="hw.device" value="IP Camera"/>
     <param pos="0" name="hw.product" value="HDIPCam"/>
     <param pos="0" name="hw.certainty" value="0.5"/>
     <param pos="0" name="os.vendor" value="ELAN"/>
-    <param pos="0" name="os.device" value="Web cam"/>
+    <param pos="0" name="os.device" value="IP Camera"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.certainty" value="0.5"/>
   </fingerprint>
@@ -1024,7 +1041,7 @@
     <description>Genetec AutoVu SharpV ALPR Camera</description>
     <example>979d9a884c322862e6830f61e2c378e6</example>
     <param pos="0" name="hw.vendor" value="Genetec"/>
-    <param pos="0" name="hw.device" value="Web cam"/>
+    <param pos="0" name="hw.device" value="IP Camera"/>
     <param pos="0" name="hw.product" value="AutoVu SharpV"/>
     <param pos="0" name="hw.certainty" value="0.5"/>
   </fingerprint>
@@ -1048,7 +1065,7 @@
     <description>IQinVision IQeye Network Camera</description>
     <example>665f96fcdcc9da0ab89312acc02fa815</example>
     <param pos="0" name="hw.vendor" value="IQinVision"/>
-    <param pos="0" name="hw.device" value="Web cam"/>
+    <param pos="0" name="hw.device" value="IP Camera"/>
     <param pos="0" name="hw.certainty" value="0.5"/>
   </fingerprint>
 
@@ -1141,6 +1158,10 @@
     <example>af13b379bdb4ae7a5e68d9aa4419b2e4</example>
     <example>cd844ad9671131f5464458a2ef58b7bc</example>
     <example>c32e2dc4d7caedd5cefc9d44cc4f62ec</example>
+    <param pos="0" name="service.vendor" value="Cisco"/>
+    <param pos="0" name="service.product" value="APIC"/>
+    <param pos="0" name="service.certainty" value="0.5"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:cisco:application_policy_infrastructure_controller:-"/>
     <param pos="0" name="hw.vendor" value="Cisco"/>
     <param pos="0" name="hw.product" value="APIC"/>
     <param pos="0" name="hw.device" value="Network Appliance"/>
@@ -1204,7 +1225,7 @@
     <description>ServerTech Sentry Switched CDU</description>
     <example>b56508cc967af50baddfd69596901dab</example>
     <param pos="0" name="hw.vendor" value="ServerTech"/>
-    <param pos="0" name="hw.device" value="Power device"/>
+    <param pos="0" name="hw.device" value="Power Device"/>
     <param pos="0" name="hw.product" value="Sentry Switched CDU"/>
     <param pos="0" name="hw.certainty" value="0.5"/>
   </fingerprint>
@@ -1232,7 +1253,7 @@
     <param pos="0" name="os.product" value="Linux"/>
     <param pos="0" name="os.certainty" value="0.5"/>
     <param pos="0" name="hw.vendor" value="TRENDnet"/>
-    <param pos="0" name="hw.device" value="Web Cam"/>
+    <param pos="0" name="hw.device" value="IP Camera"/>
     <param pos="0" name="hw.product" value="IP Camera"/>
     <param pos="0" name="hw.certainty" value="0.5"/>
   </fingerprint>
@@ -1240,7 +1261,7 @@
   <fingerprint pattern="^89167393768668c72fab6a9f025b5da6$">
     <description>APC Power Device</description>
     <example>89167393768668c72fab6a9f025b5da6</example>
-    <param pos="0" name="hw.device" value="Power device"/>
+    <param pos="0" name="hw.device" value="Power Device"/>
     <param pos="0" name="hw.vendor" value="APC"/>
   </fingerprint>
 
@@ -1290,10 +1311,10 @@
     <description>Axis Network Camera</description>
     <example>a3fd8705f010b90e37d42128000f620b</example>
     <param pos="0" name="hw.vendor" value="AXIS"/>
-    <param pos="0" name="hw.device" value="Web cam"/>
+    <param pos="0" name="hw.device" value="IP Camera"/>
     <param pos="0" name="hw.certainty" value="0.5"/>
     <param pos="0" name="os.vendor" value="AXIS"/>
-    <param pos="0" name="os.device" value="Web cam"/>
+    <param pos="0" name="os.device" value="IP Camera"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
     <param pos="0" name="os.certainty" value="0.5"/>
@@ -1417,7 +1438,7 @@
   <fingerprint pattern="^efe29d50711d9b093d8187e97cc0e593$">
     <description>Panduit PDU</description>
     <example>efe29d50711d9b093d8187e97cc0e593</example>
-    <param pos="0" name="hw.device" value="Power device"/>
+    <param pos="0" name="hw.device" value="Power Device"/>
     <param pos="0" name="hw.vendor" value="Panduit"/>
     <param pos="0" name="hw.certainty" value="0.25"/>
   </fingerprint>
@@ -1426,7 +1447,7 @@
     <description>ScienceLogic EM7</description>
     <example>6eb3dbf248df10d70eab44dbf836cb77</example>
     <param pos="0" name="hw.vendor" value="Science Logic"/>
-    <param pos="0" name="hw.device" value="Network Management"/>
+    <param pos="0" name="hw.device" value="Network Management Device"/>
     <param pos="0" name="hw.product" value="EM7"/>
     <param pos="0" name="hw.certainty" value="0.5"/>
   </fingerprint>
@@ -1495,6 +1516,7 @@
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="EdgeOS"/>
     <param pos="0" name="os.certainty" value="0.5"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:ui:edgeos:-"/>
     <param pos="0" name="hw.vendor" value="Ubiquiti"/>
     <param pos="0" name="hw.device" value="Router"/>
     <param pos="0" name="hw.certainty" value="0.25"/>
@@ -1584,7 +1606,7 @@
     <description>Mobotix Network Camera</description>
     <example>d9526978908979fa5018db0bcc762aa0</example>
     <param pos="0" name="hw.vendor" value="Mobotix"/>
-    <param pos="0" name="hw.device" value="Web cam"/>
+    <param pos="0" name="hw.device" value="IP Camera"/>
     <param pos="0" name="hw.product" value="IP Camera"/>
     <param pos="0" name="hw.certainty" value="0.5"/>
   </fingerprint>
@@ -1673,6 +1695,7 @@
     <param pos="0" name="os.product" value="DD OS"/>
     <param pos="0" name="os.device" value="Storage"/>
     <param pos="0" name="os.certainty" value="0.5"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:dell:emc_data_domain_os:-"/>
     <param pos="0" name="hw.vendor" value="Data Domain"/>
     <param pos="0" name="hw.product" value="DD OS"/>
     <param pos="0" name="hw.device" value="Storage"/>