recog 2.3.20 → 2.3.23

data/update_cpes.py

@@ -7,56 +7,117 @@ import sys
 import yaml
 from lxml import etree
 
+BASE_LOG_FORMAT = '%(levelname)s: %(message)s'
+
+# CPE w/o 2.3 component: cpe:/a:nginx:nginx:0.1.0"
+REGEX_CPE = re.compile('^cpe:/([aho]):([^:]+):([^:]+)')
+# CPE w/  2.3 component: cpe:2.3:a:f5:nginx:0.1.0:*:*:*:*:*:*:*
+REGEX_CPE_23 = re.compile('^cpe:2.3:([aho]):([^:]+):([^:]+)')
+
+XML_PATH_DEPRECATED_BY = "./{http://scap.nist.gov/schema/cpe-extension/2.3}cpe23-item/{http://scap.nist.gov/schema/cpe-extension/2.3}deprecation/{http://scap.nist.gov/schema/cpe-extension/2.3}deprecated-by"
+
+
 def parse_r7_remapping(file):
     with open(file) as remap_file:
         return yaml.safe_load(remap_file)["mappings"]
 
+
+def update_vp_map(target_map, cpe_type, vendor, product):
+    """Add an entry to the dict tracking valid combinations
+    """
+
+    if cpe_type not in target_map:
+        target_map[cpe_type] = {}
+
+    if vendor not in target_map[cpe_type]:
+        target_map[cpe_type][vendor] = set()
+
+    product = product.replace('%2f', '/')
+    target_map[cpe_type][vendor].add(product)
+
+
+def update_deprecated_map(target_map, dep_string, entry):
+    """Add an entry to the dict tracking deprecations
+
+    target_map example:
+
+    {
+      "a:100plus:101eip":
+        {
+          "deprecated_date": "2021-06-10T15:28:05.490Z",
+          "deprecated_by": "a:hundredplus:101eip"
+        }
+    }
+
+    Args:
+        target_map (dict): dict containing deprecations
+        dep_string (str): key to add in the format of 'type:vendor:product'
+        entry (lxml.etree._Element): XML element to pull additional data from
+
+    Returns:
+        None, target_map modified in place
+    """
+
+    deprecated_date = entry.get("deprecation_date", "")
+
+    # Find the CPE that deprecated this entry
+    raw_dep_by = entry.find(XML_PATH_DEPRECATED_BY).get('name')
+
+    # Extract the type, vendor, product
+    dep_by_match = REGEX_CPE_23.match(raw_dep_by)
+    if not dep_by_match:
+        logging.error("CPE %s is deprecated but we can't build the deprecation mapping entry for some reason.", dep_string)
+        return
+
+    dep_type, dep_vendor, dep_product = dep_by_match.group(1, 2, 3)
+    deprecated_by = "{}:{}:{}".format(dep_type, dep_vendor, dep_product)
+
+    if dep_string not in target_map:
+        target_map[dep_string] = {}
+
+    if not target_map[dep_string].get('deprecated_date'):
+        target_map[dep_string]['deprecated_date'] = deprecated_date
+
+    if not target_map[dep_string].get('deprecated_by'):
+        target_map[dep_string]['deprecated_by'] = deprecated_by
+
+
 def parse_cpe_vp_map(file):
+    deprecated_map = {}
     vp_map = {} # cpe_type -> vendor -> products
+
     parser = etree.XMLParser(remove_comments=False)
     doc = etree.parse(file, parser)
-    namespaces = {'ns': 'http://cpe.mitre.org/dictionary/2.0', 'meta': 'http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2'}
+    namespaces = {
+        'ns':     'http://cpe.mitre.org/dictionary/2.0',
+        'meta':   'http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2'
+    }
     for entry in doc.xpath("//ns:cpe-list/ns:cpe-item", namespaces=namespaces):
         cpe_name = entry.get("name")
         if not cpe_name:
             continue
 
-        # If the entry is deprecated then don't add it to our list of valid CPEs.
-        if entry.get("deprecated"):
-            continue
-
-        cpe_match = re.match('^cpe:/([aho]):([^:]+):([^:]+)', cpe_name)
-
+        cpe_match = REGEX_CPE.match(cpe_name)
         if cpe_match:
             cpe_type, vendor, product = cpe_match.group(1, 2, 3)
-            if cpe_type not in vp_map:
-                vp_map[cpe_type] = {}
-            if vendor not in vp_map[cpe_type]:
-                vp_map[cpe_type][vendor] = set()
-            product = product.replace('%2f', '/')
-            vp_map[cpe_type][vendor].add(product)
-        else:
-            logging.error("Unexpected CPE %s", cpe_name)
+            # If the entry is deprecated then don't add it to our list of valid
+            # CPEs, but instead add it to a list for reference later.
+            if entry.get("deprecated"):
+                # This will be the key under which we store the deprecation data
+                deprecated_string = "{}:{}:{}".format(cpe_type, vendor, product)
 
-    return vp_map
+                update_deprecated_map(deprecated_map, deprecated_string, entry)
+                continue
 
-def main():
-    if len(sys.argv) != 4:
-        logging.critical("Expecting exactly 3 arguments; recog XML file, CPE 2.3 XML dictionary, JSON remapping, got %s", (len(sys.argv) - 1))
-        sys.exit(1)
+            update_vp_map(vp_map, cpe_type, vendor, product)
 
-    cpe_vp_map = parse_cpe_vp_map(sys.argv[2])
-    if not cpe_vp_map:
-        logging.critical("No CPE vendor => product mappings read from CPE 2.3 XML dictionary %s", sys.argv[2])
-        sys.exit(1)
+        else:
+            logging.error("Unexpected CPE %s", cpe_name)
 
-    r7_vp_map = parse_r7_remapping(sys.argv[3])
-    if not r7_vp_map:
-        logging.warning("No Rapid7 vendor/product => CPE mapping read from %s", sys.argv[3])
+    return vp_map, deprecated_map
 
-    update_cpes(sys.argv[1], cpe_vp_map, r7_vp_map)
 
-def lookup_cpe(vendor, product, cpe_type, cpe_table, remap):
+def lookup_cpe(vendor, product, cpe_type, cpe_table, remap, deprecated_map):
     """Identify the correct vendor and product values for a CPE
 
     This function attempts to determine the correct CPE using vendor and product
@@ -64,7 +125,7 @@ def lookup_cpe(vendor, product, cpe_type, cpe_table, remap):
     these values to more correct values used by NIST.
 
     For example, the remapping might tell us that a value of 'alpine' for the
-    vendor string should be 'aplinelinux' instead, or for product 'solaris'
+    vendor string should be 'alpinelinux' instead, or for product 'solaris'
     should be 'sunos'.
 
     This function should only emit values seen in the official NIST CPE list
@@ -82,6 +143,8 @@ def lookup_cpe(vendor, product, cpe_type, cpe_table, remap):
         cpe_type (str): CPE type - o, a, h, etc.
         cpe_table (dict): dict containing the official NIST CPE data
         remap (dict): dict containing the remapping values
+        deprecated_cves (set): set of all deprecated CPEs in the format
+            'type:vendor:product'
     Returns:
         success, vendor, product
     """
@@ -130,13 +193,20 @@ def lookup_cpe(vendor, product, cpe_type, cpe_table, remap):
                     # Found remap vendor, remap product
                     return True, new_vendor, possible_product
 
+    deprecated_string = "{}:{}:{}".format(cpe_type, vendor, product)
+    if deprecated_map.get(deprecated_string, False):
+        dep_by = deprecated_map[deprecated_string].get("deprecated_by", "")
+        dep_date = deprecated_map[deprecated_string].get("deprecated_date", "")
+        logging.error("Product %s from vendor %s invalid for CPE %s and no mapping.  This combination is DEPRECATED by %s at %s",
+                    product, vendor, cpe_type, dep_by, dep_date)
+    else:
+        logging.error("Product %s from vendor %s invalid for CPE %s and no mapping.",
+                    product, vendor, cpe_type)
 
-    logging.error("Product %s from vendor %s invalid for CPE %s and no mapping",
-                  product, vendor, cpe_type)
     return False, None, None
 
 
-def update_cpes(xml_file, cpe_vp_map, r7_vp_map):
+def update_cpes(xml_file, cpe_vp_map, r7_vp_map, deprecated_cves):
     parser = etree.XMLParser(remove_comments=False, remove_blank_text=True)
     doc = etree.parse(xml_file, parser)
 
@@ -160,7 +230,6 @@ def update_cpes(xml_file, cpe_vp_map, r7_vp_map):
                     raise ValueError('Duplicated fingerprint named {} in fingerprint {} in file {}'.format(name, fingerprint.attrib['pattern'], xml_file))
                 params[fp_type][name] = param
 
-
         # for each of the applicable os/service param groups, build a CPE
         for fp_type in params:
             if fp_type == 'os':
@@ -210,7 +279,7 @@ def update_cpes(xml_file, cpe_vp_map, r7_vp_map):
                 if (vendor.startswith('{') and vendor.endswith('}')) or (product.startswith('{') and product.endswith('}')):
                     continue
 
-                success, vendor, product = lookup_cpe(vendor, product, cpe_type, cpe_vp_map, r7_vp_map)
+                success, vendor, product = lookup_cpe(vendor, product, cpe_type, cpe_vp_map, r7_vp_map, deprecated_cves)
                 if not success:
                     continue
 
@@ -245,6 +314,30 @@ def update_cpes(xml_file, cpe_vp_map, r7_vp_map):
     with open(xml_file, 'wb') as xml_out:
         xml_out.write(etree.tostring(root, pretty_print=True, xml_declaration=True, encoding=doc.docinfo.encoding))
 
+
+def main():
+    if len(sys.argv) != 4:
+        logging.critical("Expecting exactly 3 arguments; recog XML file, CPE 2.3 XML dictionary, JSON remapping, got %s", (len(sys.argv) - 1))
+        sys.exit(1)
+
+    cpe_vp_map, deprecated_map = parse_cpe_vp_map(sys.argv[2])
+    if not cpe_vp_map:
+        logging.critical("No CPE vendor => product mappings read from CPE 2.3 XML dictionary %s", sys.argv[2])
+        sys.exit(1)
+
+    r7_vp_map = parse_r7_remapping(sys.argv[3])
+    if not r7_vp_map:
+        logging.warning("No Rapid7 vendor/product => CPE mapping read from %s", sys.argv[3])
+
+    # update format string for the logging handler to include the recog XML filename
+    logging.basicConfig(force=True, format=f"{sys.argv[1]}: {BASE_LOG_FORMAT}")
+
+    update_cpes(sys.argv[1], cpe_vp_map, r7_vp_map, deprecated_map)
+
+
 if __name__ == '__main__':
-    try: sys.exit(main())
-    except KeyboardInterrupt: pass
+    logging.basicConfig(format=BASE_LOG_FORMAT)
+    try:
+        sys.exit(main())
+    except KeyboardInterrupt:
+        pass

data/xml/apache_os.xml

@@ -6,16 +6,18 @@
   against the following patterns to extract OS information.
   -->
 
-  <fingerprint pattern=".*\(iSeries\).*">
+  <fingerprint pattern="\(iSeries\)">
     <description>IBM i5/OS iSeries (OS/400)</description>
+    <example>Apache/2.0.52 (iSeries)</example>
     <param pos="0" name="os.vendor" value="IBM"/>
     <param pos="0" name="os.family" value="OS/400"/>
     <param pos="0" name="os.product" value="OS/400"/>
     <param pos="0" name="os.cpe23" value="cpe:/o:ibm:os_400:-"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\(Mandrake Linux/\d+\.\d+\.92mdk\).*">
+  <fingerprint pattern="\(Mandrake Linux/\d+\.\d+\.92mdk\)">
     <description>Mandriva (formerly Mandrake) Linux 9.2</description>
+    <example>Apache-AdvancedExtranetServer/2.0.47 (Mandrake Linux/6.3.92mdk) mod_ssl/2.0.47 OpenSSL/0.9.7b PHP/4.3.2</example>
     <param pos="0" name="os.certainty" value="0.9"/>
     <param pos="0" name="os.vendor" value="Mandriva"/>
     <param pos="0" name="os.family" value="Linux"/>
@@ -24,8 +26,9 @@
     <param pos="0" name="os.cpe23" value="cpe:/o:mandriva:linux:9.2"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\(Mandrake Linux/\d+\.\d+\.100mdk\).*">
+  <fingerprint pattern="\(Mandrake Linux/\d+\.\d+\.100mdk\)">
     <description>Mandriva (formerly Mandrake) Linux 10.0</description>
+    <example>Apache-AdvancedExtranetServer/2.0.48 (Mandrake Linux/6.11.100mdk)</example>
     <param pos="0" name="os.certainty" value="0.9"/>
     <param pos="0" name="os.vendor" value="Mandriva"/>
     <param pos="0" name="os.family" value="Linux"/>
@@ -34,31 +37,35 @@
     <param pos="0" name="os.cpe23" value="cpe:/o:mandriva:linux:10.0"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\((?:Mandrake|Mandriva) Linux/.*">
+  <fingerprint pattern="\((?:Mandrake|Mandriva) Linux/">
     <description>Mandriva (formerly Mandrake) Linux unknown version</description>
+    <example>Apache-AdvancedExtranetServer/2.0.44 (Mandrake Linux/11mdk) mod_perl/1.99_08 Perl/v5.8.0 mod_ssl/2.0.44 OpenSSL/0.9.7a PHP/4.3.1 mod_jk2/2.0.0</example>
     <param pos="0" name="os.vendor" value="Mandriva"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
     <param pos="0" name="os.cpe23" value="cpe:/o:mandriva:linux:-"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\(Mandrakelinux/.*">
+  <fingerprint pattern="\(Mandrakelinux/">
     <description>Mandriva (formerly Mandrake) Linux unknown version - variant 2</description>
+    <example>Apache-AdvancedExtranetServer/2.0.53 (Mandrakelinux/PREFORK-9mdk) mod_ssl/2.0.53 OpenSSL/0.9.7e PHP/4.3.10 mod_perl/1.999.21 Perl/v5.8.6</example>
     <param pos="0" name="os.vendor" value="Mandriva"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
     <param pos="0" name="os.cpe23" value="cpe:/o:mandriva:linux:-"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\(PalmOS\).*">
+  <fingerprint pattern="\(PalmOS\)">
     <description>PalmOS</description>
+    <example>Apache/1.2.42 (PalmOS)</example>
     <param pos="0" name="os.vendor" value="Palm"/>
     <param pos="0" name="os.family" value="PalmOS"/>
     <param pos="0" name="os.product" value="PalmOS"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\(Win32\).*">
+  <fingerprint pattern="\(Win32\)">
     <description>Microsoft Windows</description>
+    <example>Apache/2.2.25 (Win32)</example>
     <param pos="0" name="os.certainty" value="0.75"/>
     <param pos="0" name="os.vendor" value="Microsoft"/>
     <param pos="0" name="os.family" value="Windows"/>
@@ -66,106 +73,119 @@
     <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\(Darwin\).*">
+  <fingerprint pattern="\(Darwin\)">
     <description>Apple Mac OS X</description>
+    <example>Apache/1.3.33 (Darwin)</example>
     <param pos="0" name="os.vendor" value="Apple"/>
     <param pos="0" name="os.family" value="Mac OS X"/>
     <param pos="0" name="os.product" value="Mac OS X"/>
     <param pos="0" name="os.cpe23" value="cpe:/o:apple:mac_os_x:-"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\(Ubuntu\).*">
+  <fingerprint pattern="\(Ubuntu\)">
     <description>Ubuntu</description>
+    <example>Apache (Ubuntu)</example>
     <param pos="0" name="os.vendor" value="Ubuntu"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
     <param pos="0" name="os.cpe23" value="cpe:/o:canonical:ubuntu_linux:-"/>
   </fingerprint>
 
-  <fingerprint pattern=".*(?:Sun )?Cobalt \(Unix\)?.*">
+  <fingerprint pattern=".{0,512}(?:Sun )?Cobalt \(Unix\)?">
     <description>Sun Cobalt RaQ (Red Hat based Linux)</description>
+    <example>Apache/1.3.3 Cobalt (Unix) (Red Hat/Linux)</example>
     <param pos="0" name="os.vendor" value="Sun"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Cobalt RaQ"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\(BlueQuartz\).*">
+  <fingerprint pattern="\(BlueQuartz\)">
     <description>Blue Quartz is created by a Cobalt RaQ UG</description>
+    <example>Apache/2.0.52 (BlueQuartz)</example>
     <param pos="0" name="os.vendor" value="Sun"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Cobalt RaQ"/>
   </fingerprint>
 
-  <fingerprint pattern="^Apache\/2\.2\.11.*\(Fedora\).*">
+  <fingerprint pattern="^Apache\/2\.2\.11.*\(Fedora\)">
     <description>Red Hat Fedora 11</description>
-    <param pos="0" name="os.vendor" value="Red Hat"/>
+    <example>Apache/2.2.11 (Fedora)</example>
+    <param pos="0" name="os.vendor" value="Fedora Project"/>
     <param pos="0" name="os.family" value="Linux"/>
-    <param pos="0" name="os.product" value="Fedora Core Linux"/>
+    <param pos="0" name="os.product" value="Fedora Core"/>
     <param pos="0" name="os.version" value="11"/>
-    <param pos="0" name="os.cpe23" value="cpe:/o:redhat:fedora_core:11"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:fedoraproject:fedora_core:11"/>
   </fingerprint>
 
-  <fingerprint pattern="^Apache\/2\.2\.15.*\(Fedora\).*">
+  <fingerprint pattern="^Apache\/2\.2\.15.*\(Fedora\)">
     <description>Red Hat Fedora 13</description>
-    <param pos="0" name="os.vendor" value="Red Hat"/>
+    <example>Apache/2.2.15 (Fedora)</example>
+    <param pos="0" name="os.vendor" value="Fedora Project"/>
     <param pos="0" name="os.family" value="Linux"/>
-    <param pos="0" name="os.product" value="Fedora Core Linux"/>
+    <param pos="0" name="os.product" value="Fedora Core"/>
     <param pos="0" name="os.version" value="13"/>
-    <param pos="0" name="os.cpe23" value="cpe:/o:redhat:fedora_core:13"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:fedoraproject:fedora_core:13"/>
   </fingerprint>
 
-  <fingerprint pattern="^Apache\/2\.2\.16.*\(Fedora\).*">
+  <fingerprint pattern="^Apache\/2\.2\.16.*\(Fedora\)">
     <description>Red Hat Fedora 14</description>
-    <param pos="0" name="os.vendor" value="Red Hat"/>
+    <example>Apache/2.2.16 (Fedora)</example>
+    <param pos="0" name="os.vendor" value="Fedora Project"/>
     <param pos="0" name="os.family" value="Linux"/>
-    <param pos="0" name="os.product" value="Fedora Core Linux"/>
+    <param pos="0" name="os.product" value="Fedora Core"/>
     <param pos="0" name="os.version" value="14"/>
-    <param pos="0" name="os.cpe23" value="cpe:/o:redhat:fedora_core:14"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:fedoraproject:fedora_core:14"/>
   </fingerprint>
 
-  <fingerprint pattern="^Apache\/2\.2\.23.*\(Fedora\).*">
+  <fingerprint pattern="^Apache\/2\.2\.23.*\(Fedora\)">
     <description>Red Hat Fedora 17</description>
-    <param pos="0" name="os.vendor" value="Red Hat"/>
+    <example>Apache/2.2.23 (Fedora)</example>
+    <param pos="0" name="os.vendor" value="Fedora Project"/>
     <param pos="0" name="os.family" value="Linux"/>
-    <param pos="0" name="os.product" value="Fedora Core Linux"/>
+    <param pos="0" name="os.product" value="Fedora Core"/>
     <param pos="0" name="os.version" value="17"/>
-    <param pos="0" name="os.cpe23" value="cpe:/o:redhat:fedora_core:17"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:fedoraproject:fedora_core:17"/>
   </fingerprint>
 
-  <fingerprint pattern="^Apache\/2\.4\.3.*\(Fedora\).*">
+  <fingerprint pattern="^Apache\/2\.4\.3.*\(Fedora\)">
     <description>Red Hat Fedora 18</description>
-    <param pos="0" name="os.vendor" value="Red Hat"/>
+    <example>Apache/2.4.3 (Fedora) PHP/5.4.12</example>
+    <param pos="0" name="os.vendor" value="Fedora Project"/>
     <param pos="0" name="os.family" value="Linux"/>
-    <param pos="0" name="os.product" value="Fedora Core Linux"/>
+    <param pos="0" name="os.product" value="Fedora Core"/>
     <param pos="0" name="os.version" value="18"/>
-    <param pos="0" name="os.cpe23" value="cpe:/o:redhat:fedora_core:18"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:fedoraproject:fedora_core:18"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\(Fedora\).*">
+  <fingerprint pattern="\(Fedora\)">
     <description>Red Hat Fedora</description>
-    <param pos="0" name="os.vendor" value="Red Hat"/>
+    <example>Apache (Fedora)</example>
+    <param pos="0" name="os.vendor" value="Fedora Project"/>
     <param pos="0" name="os.family" value="Linux"/>
-    <param pos="0" name="os.product" value="Fedora Core Linux"/>
-    <param pos="0" name="os.cpe23" value="cpe:/o:redhat:fedora_core:-"/>
+    <param pos="0" name="os.product" value="Fedora Core"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:fedoraproject:fedora_core:-"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\(RHEL\).*">
+  <fingerprint pattern="\(RHEL\)">
     <description>Red Hat Enterprise Linux</description>
+    <example>Apache/2.0.53 (RHEL)</example>
     <param pos="0" name="os.vendor" value="Red Hat"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Enterprise Linux"/>
     <param pos="0" name="os.cpe23" value="cpe:/o:redhat:enterprise_linux:-"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\(Red[ -]Hat(?:[/ ]Linux)?\).*">
+  <fingerprint pattern="\(Red[ -]Hat(?:[/ ]Linux)?\)">
     <description>Red Hat Linux</description>
+    <example>Apache (Red Hat Linux)</example>
+    <example>Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b PHP/4.3.11</example>
     <param pos="0" name="os.vendor" value="Red Hat"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
     <param pos="0" name="os.cpe23" value="cpe:/o:redhat:linux:-"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\(Red Hat Enterprise (?:Linux)?\).*">
+  <fingerprint pattern="\(Red Hat Enterprise (?:Linux)?\)">
     <description>Apache OS: Red Hat Enterprise Linux</description>
     <example os.vendor="Red Hat">Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips</example>
     <param pos="0" name="os.vendor" value="Red Hat"/>
@@ -174,136 +194,158 @@
     <param pos="0" name="os.cpe23" value="cpe:/o:redhat:enterprise_linux:-"/>
   </fingerprint>
 
-  <fingerprint pattern=".*Debian(?:[/ ]GNU)?(?:/Linux)?.*">
+  <fingerprint pattern="Debian(?:[/ ]GNU)?(?:/Linux)?">
     <description>Debian Linux</description>
+    <example>Debian GNU/Linux</example>
+    <example>Apache/1.3.26 (Unix) Debian GNU/Linux</example>
     <param pos="0" name="os.vendor" value="Debian"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
     <param pos="0" name="os.cpe23" value="cpe:/o:debian:debian_linux:-"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\((?:Linux/)?S[uU]SE(?:/Linux)?\).*">
+  <fingerprint pattern="\((?:Linux/)?S[uU]SE(?:/Linux)?\)">
     <description>Novell SuSE Linux</description>
+    <example>Apache (SuSE/Linux)</example>
+    <example>Apache/2.2.12 (Linux/SUSE)</example>
     <param pos="0" name="os.vendor" value="SuSE"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
     <param pos="0" name="os.cpe23" value="cpe:/o:suse:linux:-"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\(NETWARE\).*">
+  <fingerprint pattern="\(NETWARE\)">
     <description>Novell NetWare</description>
+    <example>Apache/2.0.64 (NETWARE)</example>
     <param pos="0" name="os.vendor" value="Novell"/>
     <param pos="0" name="os.family" value="NetWare"/>
     <param pos="0" name="os.product" value="NetWare"/>
     <param pos="0" name="os.cpe23" value="cpe:/o:novell:netware:-"/>
   </fingerprint>
 
-  <fingerprint pattern=".*HP-UX_Apache-based_Web_Server.*">
+  <fingerprint pattern="HP-UX_Apache-based_Web_Server">
     <description>HP HP-UX</description>
+    <example>Apache/2.0.58 HP-UX_Apache-based_Web_Server</example>
     <param pos="0" name="os.vendor" value="HP"/>
     <param pos="0" name="os.family" value="HP-UX"/>
     <param pos="0" name="os.product" value="HP-UX"/>
     <param pos="0" name="os.cpe23" value="cpe:/o:hp:hp-ux:-"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\(CentOS\).*">
+  <fingerprint pattern="\(CentOS\)">
     <description>CentOS Linux</description>
+    <example>Apache/2.2.15 (CentOS)</example>
     <param pos="0" name="os.vendor" value="CentOS"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
     <param pos="0" name="os.cpe23" value="cpe:/o:centos:centos:-"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\(Turbolinux\).*">
+  <fingerprint pattern="\(Turbolinux\)">
     <description>Turbolinux</description>
+    <example>Apache/2.2.6 (Turbolinux)</example>
     <param pos="0" name="os.vendor" value="Turbolinux"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\(FreeBSD\).*">
+  <fingerprint pattern="\(FreeBSD\)">
     <description>FreeBSD</description>
+    <example>Apache/2.4.51 (FreeBSD) OpenSSL/1.1.1h-freebsd</example>
     <param pos="0" name="os.vendor" value="FreeBSD"/>
     <param pos="0" name="os.family" value="FreeBSD"/>
     <param pos="0" name="os.product" value="FreeBSD"/>
     <param pos="0" name="os.cpe23" value="cpe:/o:freebsd:freebsd:-"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\(Asianux\).*">
+  <fingerprint pattern="\(Asianux\)">
     <description>Asianux Linux</description>
+    <example>Apache/2.2.15 (Asianux)</example>
     <param pos="0" name="os.vendor" value="Asianux"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\(Gentoo(?:/Linux)?\).*">
+  <fingerprint pattern="\(Gentoo(?:/Linux)?\)">
     <description>Gentoo Linux</description>
+    <example>Apache/2.2.6 (Gentoo) DAV/2 mod_python/3.3.1</example>
     <param pos="0" name="os.vendor" value="Gentoo"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
     <param pos="0" name="os.cpe23" value="cpe:/o:gentoo:linux:-"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\(Conectiva(?:/Linux)?\).*">
+  <fingerprint pattern="\(Conectiva(?:/Linux)?\)">
     <description>Conectiva Linux</description>
+    <example>Apache/1.3.33 (Unix) (Conectiva/Linux)</example>
     <param pos="0" name="os.vendor" value="Conectiva"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
     <param pos="0" name="os.cpe23" value="cpe:/o:conectiva:linux:-"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\(Trustix Secure Linux(?:/Linux)?\).*">
+  <fingerprint pattern="\(Trustix Secure Linux(?:/Linux)?\)">
     <description>Trustix Linux</description>
+    <example>Apache/2.0.55 (Trustix Secure Linux/Linux)</example>
     <param pos="0" name="os.vendor" value="Trustix"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Secure Linux"/>
     <param pos="0" name="os.cpe23" value="cpe:/o:trustix:secure_linux:-"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\(White Box\).*">
+  <fingerprint pattern="\(White Box\)">
     <description>White Box Enterprise Linux</description>
+    <example>Apache/2.0.46 (White Box)</example>
     <param pos="0" name="os.vendor" value="White Box"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Enterprise Linux"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\(UnitedLinux\).*">
+  <fingerprint pattern="\(UnitedLinux\)">
     <description>UnitedLinux</description>
+    <example>Apache/1.3.26 (UnitedLinux) mod_ssl/2.8.10</example>
     <param pos="0" name="os.vendor" value="UnitedLinux"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\(PLD/Linux\).*">
+  <fingerprint pattern="\(PLD/Linux\)">
     <description>PLD Linux</description>
+    <example>Apache/1.3.42 (PLD/Linux)</example>
     <param pos="0" name="os.vendor" value="PLD"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\(Vine/Linux\).*">
+  <fingerprint pattern="\(Vine/Linux\)">
     <description>Vine Linux</description>
+    <example>Apache/1.3.27 (Unix) (Vine/Linux)</example>
     <param pos="0" name="os.vendor" value="Vine"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\(rPath\).*">
+  <fingerprint pattern="\(rPath\)">
     <description>rPath Linux</description>
+    <example>Apache/2.2.9 (rPath)</example>
     <param pos="0" name="os.vendor" value="rPath"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
   </fingerprint>
 
-  <fingerprint pattern=".*\(StartCom Linux\).*">
+  <fingerprint pattern="\(StartCom(?: Linux)?\)">
     <description>StartCom Linux</description>
+    <example>Apache/2.2.3 (StartCom)</example>
+    <example>Apache/2.2.3 (StartCom) (Release 31.SEL5_4)</example>
+    <example>Apache/2.2.0 (StartCom Linux)</example>
     <param pos="0" name="os.vendor" value="StartCom"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>
   </fingerprint>
 
-  <fingerprint pattern=".*Linux.*">
+  <fingerprint pattern="Linux">
     <description>Generic Linux fallback</description>
+    <example>Apache/Linux</example>
     <param pos="0" name="os.certainty" value="0.75"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="Linux"/>