RubyGems - recog - Versions diffs - 2.3.21 → 2.3.22 - Mend

recog 2.3.21 → 2.3.22

Files changed (59) hide show

checksums.yaml +4 -4
data/.github/dependabot.yml +8 -0
data/.github/workflows/verify.yml +89 -0
data/CONTRIBUTING.md +6 -0
data/README.md +17 -0
data/bin/recog_standardize +28 -13
data/bin/recog_verify +1 -2
data/cpe-remap.yaml +13 -0
data/features/verify.feature +14 -14
data/identifiers/fields.txt +5 -4
data/identifiers/hw_device.txt +6 -0
data/identifiers/hw_family.txt +8 -0
data/identifiers/hw_product.txt +51 -0
data/identifiers/os_family.txt +1 -0
data/identifiers/os_product.txt +10 -0
data/identifiers/service_product.txt +12 -0
data/identifiers/vendor.txt +49 -0
data/lib/recog/db.rb +2 -1
data/lib/recog/fingerprint.rb +18 -5
data/lib/recog/verifier.rb +5 -5
data/lib/recog/verifier_factory.rb +3 -3
data/lib/recog/verify_reporter.rb +14 -4
data/lib/recog/version.rb +1 -1
data/spec/lib/fingerprint_self_test_spec.rb +1 -0
data/spec/lib/recog/verify_reporter_spec.rb +69 -0
data/tools/dev/hooks/pre-commit +21 -0
data/update_cpes.py +1 -1
data/xml/apache_os.xml +38 -38
data/xml/dhcp_vendor_class.xml +206 -0
data/xml/favicons.xml +148 -42
data/xml/ftp_banners.xml +30 -16
data/xml/h323_callresp.xml +99 -99
data/xml/hp_pjl_id.xml +3 -3
data/xml/html_title.xml +502 -25
data/xml/http_cookies.xml +64 -56
data/xml/http_servers.xml +74 -14
data/xml/http_wwwauth.xml +107 -38
data/xml/imap_banners.xml +3 -3
data/xml/mdns_device-info_txt.xml +389 -26
data/xml/mysql_banners.xml +1 -1
data/xml/nntp_banners.xml +3 -3
data/xml/ntp_banners.xml +64 -64
data/xml/operating_system.xml +3 -3
data/xml/pop_banners.xml +7 -7
data/xml/rsh_resp.xml +3 -3
data/xml/sip_banners.xml +27 -0
data/xml/sip_user_agents.xml +54 -1
data/xml/smtp_banners.xml +15 -15
data/xml/smtp_ehlo.xml +1 -1
data/xml/smtp_help.xml +10 -10
data/xml/smtp_noop.xml +2 -2
data/xml/snmp_sysdescr.xml +325 -200
data/xml/snmp_sysobjid.xml +25 -25
data/xml/ssh_banners.xml +7 -5
data/xml/telnet_banners.xml +155 -20
data/xml/tls_jarm.xml +26 -4
data/xml/x509_issuers.xml +36 -0
data/xml/x509_subjects.xml +136 -35
metadata +7 -3

data/xml/operating_system.xml CHANGED Viewed

@@ -386,7 +386,7 @@
   <fingerprint pattern="^(?i:VMWare Photon(?:\/)?(?:\s?Linux)?\s?(?:v)?(\d+?(?:\.\d+?)*?)?)$">
     <description>Photon Linux</description>
-    <example>VMWare Photon Linux</example>
+    <example>VMware Photon Linux</example>
     <example os.version="1.0">VMWare Photon 1.0</example>
     <param pos="0" name="os.vendor" value="VMware"/>
     <param pos="0" name="os.family" value="Linux"/>
@@ -409,7 +409,7 @@
   <!-- Linux catch-all goes at the bottom-->
-  <fingerprint pattern="(?i)^.{0,1024}Linux?\s?(\d+?(?:\.\d+?)*?)?$">
+  <fingerprint pattern="(?i)^.{0,1000}Linux?\s?(\d+?(?:\.\d+?)*?)?$">
     <description>Linux catch-all</description>
     <example os.version="2.42.6">Linux 2.42.6</example>
     <param pos="0" name="os.vendor" value="Linux"/>
@@ -434,7 +434,7 @@
     <param pos="0" name="os.family" value="Mac OS"/>
     <param pos="0" name="os.product" value="Mac OS"/>
     <param pos="1" name="os.version"/>
-    <param pos="0" name="os.cpe23" value="cpe:/o:apple:mac_os:{os.version}"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:apple:macos:{os.version}"/>
   </fingerprint>
   <fingerprint pattern="^(?i:(?:Apple OS X|Apple Mac OS X|Mac OS X|OS X|Mac OS)\s?(\d+?(?:\.\d+?)*?)?)$">

data/xml/pop_banners.xml CHANGED Viewed

@@ -31,7 +31,7 @@
     <param pos="1" name="host.domain"/>
   </fingerprint>
-  <fingerprint pattern="^Lotus Notes POP3 server version X[^ ]+ ready on .*$">
+  <fingerprint pattern="^Lotus Notes POP3 server version X[^ ]+ ready on">
     <description>IBM Lotus Notes/Domino</description>
     <example>Lotus Notes POP3 server version X2.0 ready on foo/bar.</example>
     <param pos="0" name="service.vendor" value="IBM"/>
@@ -40,7 +40,7 @@
     <param pos="0" name="service.cpe23" value="cpe:/a:ibm:lotus_domino:-"/>
   </fingerprint>
-  <fingerprint pattern="^Lotus Notes POP3 server version Release ([^ ]+) ready on .*$">
+  <fingerprint pattern="^Lotus Notes POP3 server version Release ([^ ]+) ready on">
     <description>IBM Lotus Notes/Domino - Release variant</description>
     <example service.version="8.5.1FP5">Lotus Notes POP3 server version Release 8.5.1FP5 ready on foo/US.</example>
     <param pos="0" name="service.vendor" value="IBM"/>
@@ -50,7 +50,7 @@
     <param pos="0" name="service.cpe23" value="cpe:/a:ibm:lotus_domino:{service.version}"/>
   </fingerprint>
-  <fingerprint pattern="^Qpopper \(version (\d+\.\d+\.\d+), modified by Sphera Technologies\) at (.+) starting\..*$">
+  <fingerprint pattern="^Qpopper \(version (\d+\.\d+\.\d+), modified by Sphera Technologies\) at (.+) starting\.">
     <description>Qpopper with Sphera mods</description>
     <example>Qpopper (version 4.0.3, modified by Sphera Technologies) at domain starting.  &lt;xxx@domain&gt;</example>
     <param pos="0" name="service.vendor" value="Sphera"/>
@@ -60,7 +60,7 @@
     <param pos="2" name="host.domain"/>
   </fingerprint>
-  <fingerprint pattern="^Qpopper \(version (\d+\.\d+\.\d+)-mysql-(.+)\) at (.+) starting\..*$">
+  <fingerprint pattern="^Qpopper \(version (\d+\.\d+\.\d+)-mysql-(.+)\) at (.+) starting\.">
     <description>Qpopper with MySQL auth module</description>
     <example>Qpopper (version 4.0.3-mysql-0.13) at domain starting.  &lt;xxx@domain&gt;</example>
     <param pos="0" name="service.vendor" value="Qualcomm"/>
@@ -73,7 +73,7 @@
     <param pos="3" name="host.domain"/>
   </fingerprint>
-  <fingerprint pattern="(?i)^Qpop(?:per)? \(version ([\d\.]+)\) at (.+)(?: starting\.)?.*$">
+  <fingerprint pattern="(?i)^Qpop(?:per)? \(version ([\d\.]+)\) at (.+)(?: starting\.)?">
     <description>Qpopper missing version info</description>
     <example>Qpopper (version 4.0.16) at foo.example.com</example>
     <example>QPOP (version 2.53) at domain starting.  &lt;xxx@domain&gt;</example>
@@ -85,7 +85,7 @@
     <param pos="2" name="host.domain"/>
   </fingerprint>
-  <fingerprint pattern="^QPOP \(version (.*)\) at (.+) starting\..*$">
+  <fingerprint pattern="^QPOP \(version (.*)\) at (.+) starting\.">
     <description>Qpopper with missing version info</description>
     <example>QPOP (version ?) at domain starting.  &lt;xxx@domain&gt;</example>
     <param pos="0" name="service.vendor" value="Qualcomm"/>
@@ -269,7 +269,7 @@
     <param pos="0" name="os.cpe23" value="cpe:/o:apple:mac_os_x:{os.version}"/>
   </fingerprint>
-  <fingerprint pattern="^TCPIP POP server V\d\.\d\S-\S{3}, OpenVMS V(\d\.\d-\d)(?:\s+\S+)?\s+at\s+(\S+), .*$">
+  <fingerprint pattern="^TCPIP POP server V\d\.\d\S-\S{3}, OpenVMS V(\d\.\d-\d)(?:\s+\S+)?\s+at\s+(\S+),">
     <description>TCP/IP Services for OpenVMS POP server</description>
     <example os.version="7.3-2" host.name="example.com">TCPIP POP server V5.4J-15A, OpenVMS V7.3-2 Alpha at example.com, up since 2015-02-12 08:44:53 20400434.2</example>
     <param pos="0" name="service.family" value="OpenVMS"/>

data/xml/rsh_resp.xml CHANGED Viewed

@@ -41,7 +41,7 @@
     <param pos="0" name="os.cpe23" value="cpe:/o:ibm:aix:-"/>
   </fingerprint>
-  <fingerprint pattern="^.rlogind: Host name for your address \([\d.]+\) unknown\..*$" flags="REG_DOT_NEWLINE">
+  <fingerprint pattern="^.rlogind: Host name for your address \([\d.]+\) unknown\." flags="REG_DOT_NEWLINE">
     <description>A/UX rlogind</description>
     <example>xrlogind: Host name for your address (127.0.0.1) unknown.
       </example>
@@ -49,7 +49,7 @@
     <param pos="0" name="os.family" value="A/UX"/>
   </fingerprint>
-  <fingerprint pattern="^.rexecd: Login incorrect\..*$" flags="REG_DOT_NEWLINE">
+  <fingerprint pattern="^.rexecd: Login incorrect\." flags="REG_DOT_NEWLINE">
     <description>HP-UX rexecd</description>
     <example>xrexecd: Login incorrect.
       </example>
@@ -59,7 +59,7 @@
     <param pos="0" name="os.cpe23" value="cpe:/o:hp:hp-ux:-"/>
   </fingerprint>
-  <fingerprint pattern="^.rexecd: [-\d]+.*$" flags="REG_DOT_NEWLINE">
+  <fingerprint pattern="^.rexecd: [-\d]+" flags="REG_DOT_NEWLINE">
     <description>AIX rexecd</description>
     <example>xrexecd: 0-1 The login is not correct.
       </example>

data/xml/sip_banners.xml CHANGED Viewed

@@ -689,4 +689,31 @@
     <param pos="0" name="service.cpe23" value="cpe:/a:freeswitch:freeswitch:{service.version}"/>
   </fingerprint>
+  <fingerprint pattern="^(OpenStage|OpenScape)_(\d+)_(V\d \S+) ">
+    <description>Unify OpenStage VoIP Phone 1</description>
+    <example hw.family="OpenStage" unify.model="40" os.version="V3 R5.13.0">OpenStage_40_V3 R5.13.0      SIP  190111</example>
+    <param pos="0" name="os.vendor" value="Unify"/>
+    <param pos="0" name="os.product" value="{hw.family} {unify.model} Firmware"/>
+    <param pos="0" name="hw.vendor" value="Unify"/>
+    <param pos="0" name="hw.product" value="{hw.family} {unify.model}"/>
+    <param pos="0" name="hw.device" value="VoIP"/>
+    <param pos="1" name="hw.family"/>
+    <param pos="2" name="unify.model"/>
+    <param pos="3" name="os.version"/>
+  </fingerprint>
+  <fingerprint pattern="^Desk_Phone_IP_(CP\d+[EXT]?)_(V\d \S+) ">
+    <description>Unify OpenStage VoIP Phone 2</description>
+    <example unify.model="CP200" os.version="V1 R6.14.0">Desk_Phone_IP_CP200_V1 R6.14.0      SIP  190802</example>
+    <example unify.model="CP400" os.version="V1 R6.14.0">Desk_Phone_IP_CP400_V1 R6.14.0      SIP  190802</example>
+    <example unify.model="CP600" os.version="V1 R6.14.0">Desk_Phone_IP_CP600_V1 R6.14.0      SIP  190802</example>
+    <param pos="0" name="os.vendor" value="Unify"/>
+    <param pos="0" name="hw.vendor" value="Unify"/>
+    <param pos="0" name="hw.family" value="OpenScape Desk Phone"/>
+    <param pos="0" name="hw.product" value="{hw.family} {unify.model}"/>
+    <param pos="0" name="hw.device" value="VoIP"/>
+    <param pos="1" name="unify.model"/>
+    <param pos="2" name="os.version"/>
+  </fingerprint>
 </fingerprints>

data/xml/sip_user_agents.xml CHANGED Viewed

@@ -129,6 +129,35 @@
     <param pos="0" name="os.cpe23" value="cpe:/o:cisco:ios:{os.version}"/>
   </fingerprint>
+  <fingerprint pattern="^Cisco-CP(39\d{2})/([\d.]+)$">
+    <description>Cisco Unified SIP Phone 3900 Series</description>
+    <example cisco.model="3905" hw.product="Unified SIP Phone 3905" os.version="9.4.1">Cisco-CP3905/9.4.1</example>
+    <param pos="1" name="cisco.model"/>
+    <param pos="0" name="hw.vendor" value="Cisco"/>
+    <param pos="0" name="hw.device" value="VoIP"/>
+    <param pos="0" name="hw.product" value="Unified SIP Phone {cisco.model}"/>
+    <param pos="0" name="os.vendor" value="Cisco"/>
+    <param pos="0" name="os.product" value="Unified SIP Phone 3900 Firmware"/>
+    <param pos="2" name="os.version"/>
+    <param pos="0" name="hw.certainty" value="0.95"/>
+    <param pos="0" name="os.certainty" value="0.95"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:cisco:unified_sip_phone_3900_firmware:{os.version}"/>
+  </fingerprint>
+  <fingerprint pattern="^Cisco-ATA(\d{3})/([\d.]+)$">
+    <description>Cisco Analog Telephone Adapters (ATA)</description>
+    <example cisco.model="187" hw.product="ATA 187" os.version="9.2.3">Cisco-ATA187/9.2.3</example>
+    <param pos="1" name="cisco.model"/>
+    <param pos="0" name="hw.vendor" value="Cisco"/>
+    <param pos="0" name="hw.device" value="VoIP"/>
+    <param pos="0" name="hw.product" value="ATA {cisco.model}"/>
+    <param pos="0" name="os.vendor" value="Cisco"/>
+    <param pos="0" name="os.product" value="ATA {cisco.model} Firmware"/>
+    <param pos="2" name="os.version"/>
+    <param pos="0" name="hw.certainty" value="0.9"/>
+    <param pos="0" name="os.certainty" value="0.9"/>
+  </fingerprint>
   <!-- AVM.DE Devices -->
   <fingerprint pattern="^FRITZ!OS$">
@@ -303,10 +332,11 @@
     <param pos="1" name="service.version"/>
   </fingerprint>
-  <fingerprint pattern="^ShoreGear/([\d\.]+)\s+\(ShoreTel \d+\)$">
+  <fingerprint pattern="^ShoreGear/([\d\.]+)\s+\(ShoreTel [\d\.]+\)$">
     <description>ShoreTel VoIP Switch</description>
     <example hw.version="21.90.4128.0">ShoreGear/21.90.4128.0 (ShoreTel 15)</example>
     <example hw.version="22.11.4900.0">ShoreGear/22.11.4900.0 (ShoreTel 15)</example>
+    <example hw.version="19.48.2600.0">ShoreGear/19.48.2600.0 (ShoreTel 14.2)</example>
     <param pos="0" name="hw.vendor" value="ShoreTel"/>
     <param pos="0" name="hw.device" value="VoIP Switch"/>
     <param pos="1" name="hw.version"/>
@@ -564,4 +594,27 @@
     <param pos="0" name="service.cpe23" value="cpe:/a:freeswitch:freeswitch:{service.version}"/>
   </fingerprint>
+  <fingerprint pattern="^Valcom (VIP-\w+) sw([\d.]+)">
+    <description>Valcom SIP device with version</description>
+    <example os.version="1.50.28">Valcom VIP-204 sw1.50.28</example>
+    <param pos="0" name="os.vendor" value="Valcom"/>
+    <param pos="0" name="os.product" value="{hw.product} Firmware"/>
+    <param pos="2" name="os.version"/>
+    <param pos="0" name="os.device" value="SIP Device"/>
+    <param pos="0" name="hw.vendor" value="Valcom"/>
+    <param pos="1" name="hw.product"/>
+    <param pos="0" name="hw.device" value="SIP Device"/>
+  </fingerprint>
+  <fingerprint pattern="^DX800A/([\d.]+)$">
+    <description>Gigaset SIP Phones</description>
+    <example os.version="41.175.00.000.000">DX800A/41.175.00.000.000</example>
+    <param pos="0" name="hw.vendor" value="Gigaset"/>
+    <param pos="0" name="hw.device" value="VoIP"/>
+    <param pos="0" name="hw.product" value="DX800A"/>
+    <param pos="0" name="os.vendor" value="Gigaset"/>
+    <param pos="0" name="os.product" value="{hw.product} Firmware"/>
+    <param pos="1" name="os.version"/>
+  </fingerprint>
 </fingerprints>

data/xml/smtp_banners.xml CHANGED Viewed

@@ -162,7 +162,7 @@
     Search Cisco's documentation for "fixup protocol SMTP" for more information.
   -->
-  <fingerprint pattern="^[\*20 ]{1,1024}$">
+  <fingerprint pattern="^[\*20 ]{1,1000}$">
     <description>Cisco PIX firewall MailGuard banner stripping</description>
     <example os.product="PIX">***************************</example>
     <param pos="0" name="os.vendor" value="Cisco"/>
@@ -212,7 +212,7 @@
     <param pos="0" name="os.vendor" value="Apple"/>
     <param pos="0" name="os.family" value="Mac OS"/>
     <param pos="0" name="os.product" value="Mac OS"/>
-    <param pos="0" name="os.cpe23" value="cpe:/o:apple:mac_os:-"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:apple:macos:-"/>
     <param pos="1" name="host.name"/>
     <param pos="2" name="service.version"/>
   </fingerprint>
@@ -247,7 +247,7 @@
     <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
   </fingerprint>
-  <fingerprint pattern="^([^ ]{1,512}) Microsoft ESMTP MAIL Service ready at .*$">
+  <fingerprint pattern="^([^ ]{1,512}) Microsoft ESMTP MAIL Service ready at">
     <description>Microsoft Exchange 2007/2010 (for sure, can't be confused with the IIS builtin SMTP service)</description>
     <example>foo.bar Microsoft ESMTP MAIL Service ready at Wed, 21 Jul 2010 19:04:24 -0700</example>
     <param pos="0" name="service.vendor" value="Microsoft"/>
@@ -446,7 +446,7 @@
     <param pos="1" name="host.name"/>
   </fingerprint>
-  <fingerprint pattern="^([^ ]{1,512}) FTGate server ready .*$">
+  <fingerprint pattern="^([^ ]{1,512}) FTGate server ready">
     <description>FTGate mail server, runs on Windows 9x/NT/2k (http://www.ftgate.com)</description>
     <example host.name="foo.bar">foo.bar FTGate server ready -attitude [C.o.r.E]</example>
     <param pos="0" name="service.vendor" value="Floosietek"/>
@@ -795,7 +795,7 @@
     <param pos="2" name="service.version"/>
   </fingerprint>
-  <fingerprint pattern="^([^ ]{1,512}) SMTP NAVIEG ([^ ]+\.[^ ]+\.[^ ]+); (.+)* http.*$">
+  <fingerprint pattern="^([^ ]{1,512}) SMTP NAVIEG ([^ ]+\.[^ ]+\.[^ ]+); (.+)* http">
     <description>Norton Antivirus for Internet Email Gateways (becomes NAVGW in 2.1)</description>
     <example host.name="foo.bar" service.version="2.0.1">foo.bar SMTP NAVIEG 2.0.1; Sun, 29 Jul 2001 22:02:16 -0500 http://www.symantec.com</example>
     <param pos="0" name="service.vendor" value="Norton"/>
@@ -807,7 +807,7 @@
     <param pos="3" name="system.time"/>
   </fingerprint>
-  <fingerprint pattern="^([^ ]{1,512}) ESMTP service \(Netscape Messaging Server ([^ ]+\.[^ ]+) Patch ([^ ]+).*$">
+  <fingerprint pattern="^([^ ]{1,512}) ESMTP service \(Netscape Messaging Server ([^ ]+\.[^ ]+) Patch ([^ ]+)">
     <description>Netscape Messaging Server - with patch number</description>
     <example host.name="foo.bar" service.version="4.15" service.version.version="7">foo.bar ESMTP service (Netscape Messaging Server 4.15 Patch 7 (built Sep 12 2001))</example>
     <param pos="0" name="service.vendor" value="Netscape"/>
@@ -933,7 +933,7 @@
     <param pos="4" name="system.time"/>
   </fingerprint>
-  <fingerprint pattern="^([^ ]{1,512})(?: UCX)? V\S+, OpenVMS V(\S+) (\S+) ready at .*$">
+  <fingerprint pattern="^([^ ]{1,512})(?: UCX)? V\S+, OpenVMS V(\S+) (\S+) ready at">
     <description>Some unknown mail server on OpenVMS</description>
     <example host.name="foo.bar" os.arch="IA64" os.version="8.4">foo.bar V5.7-ECO4, OpenVMS V8.4 IA64 ready at Wed, 20 May 2015 01:22:32 +0100 (BST)</example>
     <example host.name="foo.bar" os.arch="Alpha" os.version="7.3-2">foo.bar V5.4-15E, OpenVMS V7.3-2 Alpha ready at Wed, 20 May 2015 01:22:18 +0100 (BST)</example>
@@ -1304,7 +1304,7 @@
     <param pos="5" name="system.time"/>
   </fingerprint>
-  <fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d\+(?:wheezy|deb7u)\d; (.+); .*$">
+  <fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d\+(?:wheezy|deb7u)\d; (.+);">
     <description>Sendmail - Debian 7.x (wheezy)</description>
     <example host.name="foo.bar" service.version="8.14.4">foo.bar ESMTP Sendmail 8.14.4/8.14.4/Debian-4+wheezy1; Thu, 30 Nov 2017 10:33:05 +0100; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
     <example service.version="8.14.4">foo.bar ESMTP Sendmail 8.14.4/8.14.4/Debian-4+deb7u1; Thu, 30 Nov 2017 11:00:33 +0100; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
@@ -1324,7 +1324,7 @@
     <param pos="4" name="system.time"/>
   </fingerprint>
-  <fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d\+deb8u\d; (.+); .*$">
+  <fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d\+deb8u\d; (.+);">
     <description>Sendmail - Debian 8.x (jessie)</description>
     <example service.version="8.14.4">foo.bar ESMTP Sendmail 8.14.4/8.14.4/Debian-8+deb8u2; Thu, 30 Nov 2017 10:25:48 +0100; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
     <param pos="0" name="service.vendor" value="Sendmail"/>
@@ -1343,7 +1343,7 @@
     <param pos="4" name="system.time"/>
   </fingerprint>
-  <fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d\+deb9u1; (.+); .*$">
+  <fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d\+deb9u1; (.+);">
     <description>Sendmail - Debian 9.1 (stretch)</description>
     <example host.name="foo.bar" service.version="8.15.2">foo.bar ESMTP Sendmail 8.15.2/8.15.2/Debian-8+deb9u1; Thu, 29 Apr 2021 06:45:02 +0200; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
     <param pos="0" name="service.vendor" value="Sendmail"/>
@@ -1362,7 +1362,7 @@
     <param pos="4" name="system.time"/>
   </fingerprint>
-  <fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d\+lenny\d; (.+); .*$">
+  <fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d\+lenny\d; (.+);">
     <description>Sendmail - Debian 5.x (lenny)</description>
     <example service.version="8.14.3">foo.bar ESMTP Sendmail 8.14.3/8.14.3/Debian-5+lenny1; Thu, 30 Nov 2017 12:29:40 +0300; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
     <param pos="0" name="service.vendor" value="Sendmail"/>
@@ -1381,7 +1381,7 @@
     <param pos="4" name="system.time"/>
   </fingerprint>
-  <fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d\+etch\d; (.+); .*$">
+  <fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d\+etch\d; (.+);">
     <description>Sendmail - Debian 4.x (etch)</description>
     <example service.version="8.13.8" sendmail.config.version="8.13.8">foo.bar ESMTP Sendmail 8.13.8/8.13.8/Debian-3+etch1; Thu, 30 Nov 2017 10:28:23 +0100; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
     <param pos="0" name="service.vendor" value="Sendmail"/>
@@ -1400,7 +1400,7 @@
     <param pos="4" name="system.time"/>
   </fingerprint>
-  <fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\dsarge\d; (.+); .*$">
+  <fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\dsarge\d; (.+);">
     <description>Sendmail - Debian 3.1 (sarge)</description>
     <example service.version="8.13.4">foo.bar ESMTP Sendmail 8.13.4/8.13.4/Debian-3sarge1; Thu, 30 Nov 2017 10:55:47 +0100; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
     <param pos="0" name="service.vendor" value="Sendmail"/>
@@ -1419,7 +1419,7 @@
     <param pos="4" name="system.time"/>
   </fingerprint>
-  <fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d(?:\.\d)?(?:build\d)?;+ (.+); .*$">
+  <fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d(?:\.\d)?(?:build\d)?;+ (.+);">
     <description>Sendmail - Debian patch only</description>
     <example service.version="8.15.2">foo.bar ESMTP Sendmail 8.15.2/8.15.2/Debian-3; Thu, 30 Nov 2017 10:55:50 +0200; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
     <example service.version="8.14.3">foo.bar ESMTP Sendmail 8.14.3/8.14.3/Debian-9.4; Thu, 30 Nov 2017 10:11:54 +0100; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
@@ -1439,7 +1439,7 @@
     <param pos="4" name="system.time"/>
   </fingerprint>
-  <fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/[^/]+/Debian-[\d.]+ubuntu[^ ]*; (.+); .*$">
+  <fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/[^/]+/Debian-[\d.]+ubuntu[^ ]*; (.+);">
     <description>Sendmail - Ubuntu</description>
     <example service.version="8.13.5.20060308">foo.bar ESMTP Sendmail 8.13.5.20060308/8.13.5/Debian-3ubuntu1.1; Fri, 24 Jul 2009 01:41:21 -0700; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
     <example service.version="8.14.4">foo.bar ESMTP Sendmail 8.14.4/8.14.4/Debian-4.1ubuntu1; Thu, 30 Nov 2017 11:00:30 +0100; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>

data/xml/smtp_ehlo.xml CHANGED Viewed

@@ -21,7 +21,7 @@
    a very precise MS IIS SMTP service or MS Exchange Server fingerprint found with the
    help of smtp_banners.xml. Instead, this case is handled specially by the Jess rule
    smtp-iis-xexch50-svc-fingerprint. -mrb
-   <fingerprint pattern="^250[ -] *XEXCH50.*$">
+   <fingerprint pattern="^250[ -] *XEXCH50">
       <description>
          Microsoft Exchange/IIS server
       </description>

data/xml/smtp_help.xml CHANGED Viewed

@@ -43,7 +43,7 @@
     <param pos="0" name="os.vendor" value="Apple"/>
     <param pos="0" name="os.family" value="Mac OS"/>
     <param pos="0" name="os.product" value="Mac OS"/>
-    <param pos="0" name="os.cpe23" value="cpe:/o:apple:mac_os:-"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:apple:macos:-"/>
   </fingerprint>
   <fingerprint pattern="^214[ -]([^ ]+) is running the IBM VM operating system$">
@@ -59,7 +59,7 @@
    in smtp_ehlo.xml ? -mrb
    -->
-  <fingerprint pattern="^214[ -].* XEXCH50 *.*$">
+  <fingerprint pattern="^214[ -].* XEXCH50 *">
     <description>Microsoft Exchange/IIS server</description>
     <param pos="0" name="service.vendor" value="Microsoft"/>
     <param pos="0" name="service.family" value="Exchange Server"/>
@@ -84,7 +84,7 @@
     <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
   </fingerprint>
-  <fingerprint pattern="^214[ -].*This is MERAK ([^ ]+\.[^ ]+\.[^ ]+).*$">
+  <fingerprint pattern="^214[ -].*This is MERAK ([^ ]+\.[^ ]+\.[^ ]+)">
     <description> Merak mail server - http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x)</description>
     <param pos="0" name="service.vendor" value="Merak"/>
     <param pos="0" name="service.family" value="Mail Server"/>
@@ -92,7 +92,7 @@
     <param pos="1" name="service.version"/>
   </fingerprint>
-  <fingerprint pattern="^214[ -].*This is Merak ([^ ]+\.[^ ]+\.[^ ]+).*$">
+  <fingerprint pattern="^214[ -].*This is Merak ([^ ]+\.[^ ]+\.[^ ]+)">
     <description>Merak mail server - http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x) - variant 1</description>
     <param pos="0" name="service.vendor" value="Merak"/>
     <param pos="0" name="service.family" value="Mail Server"/>
@@ -100,14 +100,14 @@
     <param pos="1" name="service.version"/>
   </fingerprint>
-  <fingerprint pattern="^214[ -].*bugs@merakmail\.com.*$">
+  <fingerprint pattern="^214[ -].*bugs@merakmail\.com">
     <description>Merak mail server - http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x) - email variant</description>
     <param pos="0" name="service.vendor" value="Merak"/>
     <param pos="0" name="service.family" value="Mail Server"/>
     <param pos="0" name="service.product" value="Mail Server"/>
   </fingerprint>
-  <fingerprint pattern="^214[ -].*bugs@icewarp\.com.*$">
+  <fingerprint pattern="^214[ -].*bugs@icewarp\.com">
     <description>Merak mail server - http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x) - icewarp variant </description>
     <param pos="0" name="service.vendor" value="Merak"/>
     <param pos="0" name="service.family" value="Mail Server"/>
@@ -122,7 +122,7 @@
     <param pos="0" name="service.product" value="qmail"/>
   </fingerprint>
-  <fingerprint pattern="^214[ -].*contact the Digital Customer Support Center at 1-800-354-9000.*$">
+  <fingerprint pattern="^214[ -].*contact the Digital Customer Support Center at 1-800-354-9000">
     <description>Sendmail on Digital OSF UNIX</description>
     <param pos="0" name="service.family" value="Sendmail"/>
     <param pos="0" name="service.product" value="Sendmail"/>
@@ -154,21 +154,21 @@
     <param pos="1" name="service.version"/>
   </fingerprint>
-  <fingerprint pattern="^214[ -].*sendmail-bugs@sendmail\.org.*$">
+  <fingerprint pattern="^214[ -].*sendmail-bugs@sendmail\.org">
     <description>Sendmail often returns version information for HELP - email variant</description>
     <param pos="0" name="service.family" value="Sendmail"/>
     <param pos="0" name="service.product" value="Sendmail"/>
     <param pos="0" name="service.certainty" value="0.85"/>
   </fingerprint>
-  <fingerprint pattern="^241[ -].*$">
+  <fingerprint pattern="^241[ -]">
     <description>ZMailer versions earlier than 2.99.21 mistakenly return the status code 241 on some HELP response lines (instead of 214).</description>
     <param pos="0" name="service.vendor" value="ZMailer"/>
     <param pos="0" name="service.family" value="ZMailer"/>
     <param pos="0" name="service.product" value="ZMailer"/>
   </fingerprint>
-  <fingerprint pattern="^214[ -].*Yoyodyne Propulsion.*$">
+  <fingerprint pattern="^214[ -].*Yoyodyne Propulsion">
     <description>ZMailer has distinctive default HELP text in smtpserver.conf</description>
     <param pos="0" name="service.vendor" value="ZMailer"/>
     <param pos="0" name="service.family" value="ZMailer"/>

data/xml/smtp_noop.xml CHANGED Viewed

@@ -8,7 +8,7 @@
     of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
   -->
-  <fingerprint pattern="^220 OK.*$">
+  <fingerprint pattern="^220 OK">
     <description>CheckPoint FireWall-1 returns code 220 for NOOP command (instead of 250)</description>
     <param pos="0" name="service.vendor" value="Check Point"/>
     <param pos="0" name="service.family" value="Check Point"/>
@@ -25,7 +25,7 @@
     <param pos="0" name="os.vendor" value="Apple"/>
     <param pos="0" name="os.family" value="Mac OS"/>
     <param pos="0" name="os.product" value="Mac OS"/>
-    <param pos="0" name="os.cpe23" value="cpe:/o:apple:mac_os:-"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:apple:macos:-"/>
   </fingerprint>
   <fingerprint pattern="^250[ -]Why is there an NOOP instruction\?$">