recog 2.3.21 → 2.3.22
- checksums.yaml +4 -4
- data/.github/dependabot.yml +8 -0
- data/.github/workflows/verify.yml +89 -0
- data/CONTRIBUTING.md +6 -0
- data/README.md +17 -0
- data/bin/recog_standardize +28 -13
- data/bin/recog_verify +1 -2
- data/cpe-remap.yaml +13 -0
- data/features/verify.feature +14 -14
- data/identifiers/fields.txt +5 -4
- data/identifiers/hw_device.txt +6 -0
- data/identifiers/hw_family.txt +8 -0
- data/identifiers/hw_product.txt +51 -0
- data/identifiers/os_family.txt +1 -0
- data/identifiers/os_product.txt +10 -0
- data/identifiers/service_product.txt +12 -0
- data/identifiers/vendor.txt +49 -0
- data/lib/recog/db.rb +2 -1
- data/lib/recog/fingerprint.rb +18 -5
- data/lib/recog/verifier.rb +5 -5
- data/lib/recog/verifier_factory.rb +3 -3
- data/lib/recog/verify_reporter.rb +14 -4
- data/lib/recog/version.rb +1 -1
- data/spec/lib/fingerprint_self_test_spec.rb +1 -0
- data/spec/lib/recog/verify_reporter_spec.rb +69 -0
- data/tools/dev/hooks/pre-commit +21 -0
- data/update_cpes.py +1 -1
- data/xml/apache_os.xml +38 -38
- data/xml/dhcp_vendor_class.xml +206 -0
- data/xml/favicons.xml +148 -42
- data/xml/ftp_banners.xml +30 -16
- data/xml/h323_callresp.xml +99 -99
- data/xml/hp_pjl_id.xml +3 -3
- data/xml/html_title.xml +502 -25
- data/xml/http_cookies.xml +64 -56
- data/xml/http_servers.xml +74 -14
- data/xml/http_wwwauth.xml +107 -38
- data/xml/imap_banners.xml +3 -3
- data/xml/mdns_device-info_txt.xml +389 -26
- data/xml/mysql_banners.xml +1 -1
- data/xml/nntp_banners.xml +3 -3
- data/xml/ntp_banners.xml +64 -64
- data/xml/operating_system.xml +3 -3
- data/xml/pop_banners.xml +7 -7
- data/xml/rsh_resp.xml +3 -3
- data/xml/sip_banners.xml +27 -0
- data/xml/sip_user_agents.xml +54 -1
- data/xml/smtp_banners.xml +15 -15
- data/xml/smtp_ehlo.xml +1 -1
- data/xml/smtp_help.xml +10 -10
- data/xml/smtp_noop.xml +2 -2
- data/xml/snmp_sysdescr.xml +325 -200
- data/xml/snmp_sysobjid.xml +25 -25
- data/xml/ssh_banners.xml +7 -5
- data/xml/telnet_banners.xml +155 -20
- data/xml/tls_jarm.xml +26 -4
- data/xml/x509_issuers.xml +36 -0
- data/xml/x509_subjects.xml +136 -35
- metadata +7 -3
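--- a/data/xml/operating_system.xml
+++ b/data/xml/operating_system.xml
@@ -386,7 +386,7 @@
 
 <fingerprint pattern="^(?i:VMWare Photon(?:\/)?(?:\s?Linux)?\s?(?:v)?(\d+?(?:\.\d+?)*?)?)$">
 <description>Photon Linux</description>
-<example>
+<example>VMware Photon Linux</example>
 <example os.version="1.0">VMWare Photon 1.0</example>
 <param pos="0" name="os.vendor" value="VMware"/>
 <param pos="0" name="os.family" value="Linux"/>
@@ -409,7 +409,7 @@
 
 <!-- Linux catch-all goes at the bottom-->
 
-<fingerprint pattern="(?i)^.{0,
+<fingerprint pattern="(?i)^.{0,1000}Linux?\s?(\d+?(?:\.\d+?)*?)?$">
 <description>Linux catch-all</description>
 <example os.version="2.42.6">Linux 2.42.6</example>
 <param pos="0" name="os.vendor" value="Linux"/>
@@ -434,7 +434,7 @@
 <param pos="0" name="os.family" value="Mac OS"/>
 <param pos="0" name="os.product" value="Mac OS"/>
 <param pos="1" name="os.version"/>
-<param pos="0" name="os.cpe23" value="cpe:/o:apple:
+<param pos="0" name="os.cpe23" value="cpe:/o:apple:macos:{os.version}"/>
 </fingerprint>
 
 <fingerprint pattern="^(?i:(?:Apple OS X|Apple Mac OS X|Mac OS X|OS X|Mac OS)\s?(\d+?(?:\.\d+?)*?)?)$">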
data/xml/pop_banners.xml
CHANGED
@@ -31,7 +31,7 @@
|
|
31
31
|
<param pos="1" name="host.domain"/>
|
32
32
|
</fingerprint>
|
33
33
|
|
34
|
-
<fingerprint pattern="^Lotus Notes POP3 server version X[^ ]+ ready on
|
34
|
+
<fingerprint pattern="^Lotus Notes POP3 server version X[^ ]+ ready on">
|
35
35
|
<description>IBM Lotus Notes/Domino</description>
|
36
36
|
<example>Lotus Notes POP3 server version X2.0 ready on foo/bar.</example>
|
37
37
|
<param pos="0" name="service.vendor" value="IBM"/>
|
@@ -40,7 +40,7 @@
|
|
40
40
|
<param pos="0" name="service.cpe23" value="cpe:/a:ibm:lotus_domino:-"/>
|
41
41
|
</fingerprint>
|
42
42
|
|
43
|
-
<fingerprint pattern="^Lotus Notes POP3 server version Release ([^ ]+) ready on
|
43
|
+
<fingerprint pattern="^Lotus Notes POP3 server version Release ([^ ]+) ready on">
|
44
44
|
<description>IBM Lotus Notes/Domino - Release variant</description>
|
45
45
|
<example service.version="8.5.1FP5">Lotus Notes POP3 server version Release 8.5.1FP5 ready on foo/US.</example>
|
46
46
|
<param pos="0" name="service.vendor" value="IBM"/>
|
@@ -50,7 +50,7 @@
|
|
50
50
|
<param pos="0" name="service.cpe23" value="cpe:/a:ibm:lotus_domino:{service.version}"/>
|
51
51
|
</fingerprint>
|
52
52
|
|
53
|
-
<fingerprint pattern="^Qpopper \(version (\d+\.\d+\.\d+), modified by Sphera Technologies\) at (.+) starting
|
53
|
+
<fingerprint pattern="^Qpopper \(version (\d+\.\d+\.\d+), modified by Sphera Technologies\) at (.+) starting\.">
|
54
54
|
<description>Qpopper with Sphera mods</description>
|
55
55
|
<example>Qpopper (version 4.0.3, modified by Sphera Technologies) at domain starting. <xxx@domain></example>
|
56
56
|
<param pos="0" name="service.vendor" value="Sphera"/>
|
@@ -60,7 +60,7 @@
|
|
60
60
|
<param pos="2" name="host.domain"/>
|
61
61
|
</fingerprint>
|
62
62
|
|
63
|
-
<fingerprint pattern="^Qpopper \(version (\d+\.\d+\.\d+)-mysql-(.+)\) at (.+) starting
|
63
|
+
<fingerprint pattern="^Qpopper \(version (\d+\.\d+\.\d+)-mysql-(.+)\) at (.+) starting\.">
|
64
64
|
<description>Qpopper with MySQL auth module</description>
|
65
65
|
<example>Qpopper (version 4.0.3-mysql-0.13) at domain starting. <xxx@domain></example>
|
66
66
|
<param pos="0" name="service.vendor" value="Qualcomm"/>
|
@@ -73,7 +73,7 @@
|
|
73
73
|
<param pos="3" name="host.domain"/>
|
74
74
|
</fingerprint>
|
75
75
|
|
76
|
-
<fingerprint pattern="(?i)^Qpop(?:per)? \(version ([\d\.]+)\) at (.+)(?: starting\.)
|
76
|
+
<fingerprint pattern="(?i)^Qpop(?:per)? \(version ([\d\.]+)\) at (.+)(?: starting\.)?">
|
77
77
|
<description>Qpopper missing version info</description>
|
78
78
|
<example>Qpopper (version 4.0.16) at foo.example.com</example>
|
79
79
|
<example>QPOP (version 2.53) at domain starting. <xxx@domain></example>
|
@@ -85,7 +85,7 @@
|
|
85
85
|
<param pos="2" name="host.domain"/>
|
86
86
|
</fingerprint>
|
87
87
|
|
88
|
-
<fingerprint pattern="^QPOP \(version (.*)\) at (.+) starting
|
88
|
+
<fingerprint pattern="^QPOP \(version (.*)\) at (.+) starting\.">
|
89
89
|
<description>Qpopper with missing version info</description>
|
90
90
|
<example>QPOP (version ?) at domain starting. <xxx@domain></example>
|
91
91
|
<param pos="0" name="service.vendor" value="Qualcomm"/>
|
@@ -269,7 +269,7 @@
|
|
269
269
|
<param pos="0" name="os.cpe23" value="cpe:/o:apple:mac_os_x:{os.version}"/>
|
270
270
|
</fingerprint>
|
271
271
|
|
272
|
-
<fingerprint pattern="^TCPIP POP server V\d\.\d\S-\S{3}, OpenVMS V(\d\.\d-\d)(?:\s+\S+)?\s+at\s+(\S+),
|
272
|
+
<fingerprint pattern="^TCPIP POP server V\d\.\d\S-\S{3}, OpenVMS V(\d\.\d-\d)(?:\s+\S+)?\s+at\s+(\S+),">
|
273
273
|
<description>TCP/IP Services for OpenVMS POP server</description>
|
274
274
|
<example os.version="7.3-2" host.name="example.com">TCPIP POP server V5.4J-15A, OpenVMS V7.3-2 Alpha at example.com, up since 2015-02-12 08:44:53 20400434.2</example>
|
275
275
|
<param pos="0" name="service.family" value="OpenVMS"/>
|
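--- a/data/xml/rsh_resp.xml
+++ b/data/xml/rsh_resp.xml
@@ -41,7 +41,7 @@
 <param pos="0" name="os.cpe23" value="cpe:/o:ibm:aix:-"/>
 </fingerprint>
 
-<fingerprint pattern="^.rlogind: Host name for your address \([\d.]+\) unknown
+<fingerprint pattern="^.rlogind: Host name for your address \([\d.]+\) unknown\." flags="REG_DOT_NEWLINE">
 <description>A/UX rlogind</description>
 <example>xrlogind: Host name for your address (127.0.0.1) unknown.
 </example>
@@ -49,7 +49,7 @@
 <param pos="0" name="os.family" value="A/UX"/>
 </fingerprint>
 
-<fingerprint pattern="^.rexecd: Login incorrect
+<fingerprint pattern="^.rexecd: Login incorrect\." flags="REG_DOT_NEWLINE">
 <description>HP-UX rexecd</description>
 <example>xrexecd: Login incorrect.
 </example>
@@ -59,7 +59,7 @@
 <param pos="0" name="os.cpe23" value="cpe:/o:hp:hp-ux:-"/>
 </fingerprint>
 
-<fingerprint pattern="^.rexecd: [-\d]
+<fingerprint pattern="^.rexecd: [-\d]+" flags="REG_DOT_NEWLINE">
 <description>AIX rexecd</description>
 <example>xrexecd: 0-1 The login is not correct.
 </example>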
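--- a/data/xml/sip_banners.xml
+++ b/data/xml/sip_banners.xml
@@ -689,4 +689,31 @@
 <param pos="0" name="service.cpe23" value="cpe:/a:freeswitch:freeswitch:{service.version}"/>
 </fingerprint>
 
+<fingerprint pattern="^(OpenStage|OpenScape)_(\d+)_(V\d \S+) ">
+<description>Unify OpenStage VoIP Phone 1</description>
+<example hw.family="OpenStage" unify.model="40" os.version="V3 R5.13.0">OpenStage_40_V3 R5.13.0 SIP 190111</example>
+<param pos="0" name="os.vendor" value="Unify"/>
+<param pos="0" name="os.product" value="{hw.family} {unify.model} Firmware"/>
+<param pos="0" name="hw.vendor" value="Unify"/>
+<param pos="0" name="hw.product" value="{hw.family} {unify.model}"/>
+<param pos="0" name="hw.device" value="VoIP"/>
+<param pos="1" name="hw.family"/>
+<param pos="2" name="unify.model"/>
+<param pos="3" name="os.version"/>
+</fingerprint>
+
+<fingerprint pattern="^Desk_Phone_IP_(CP\d+[EXT]?)_(V\d \S+) ">
+<description>Unify OpenStage VoIP Phone 2</description>
+<example unify.model="CP200" os.version="V1 R6.14.0">Desk_Phone_IP_CP200_V1 R6.14.0 SIP 190802</example>
+<example unify.model="CP400" os.version="V1 R6.14.0">Desk_Phone_IP_CP400_V1 R6.14.0 SIP 190802</example>
+<example unify.model="CP600" os.version="V1 R6.14.0">Desk_Phone_IP_CP600_V1 R6.14.0 SIP 190802</example>
+<param pos="0" name="os.vendor" value="Unify"/>
+<param pos="0" name="hw.vendor" value="Unify"/>
+<param pos="0" name="hw.family" value="OpenScape Desk Phone"/>
+<param pos="0" name="hw.product" value="{hw.family} {unify.model}"/>
+<param pos="0" name="hw.device" value="VoIP"/>
+<param pos="1" name="unify.model"/>
+<param pos="2" name="os.version"/>
+</fingerprint>
+
 </fingerprints>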
data/xml/sip_user_agents.xml
CHANGED
@@ -129,6 +129,35 @@
|
|
129
129
|
<param pos="0" name="os.cpe23" value="cpe:/o:cisco:ios:{os.version}"/>
|
130
130
|
</fingerprint>
|
131
131
|
|
132
|
+
<fingerprint pattern="^Cisco-CP(39\d{2})/([\d.]+)$">
|
133
|
+
<description>Cisco Unified SIP Phone 3900 Series</description>
|
134
|
+
<example cisco.model="3905" hw.product="Unified SIP Phone 3905" os.version="9.4.1">Cisco-CP3905/9.4.1</example>
|
135
|
+
<param pos="1" name="cisco.model"/>
|
136
|
+
<param pos="0" name="hw.vendor" value="Cisco"/>
|
137
|
+
<param pos="0" name="hw.device" value="VoIP"/>
|
138
|
+
<param pos="0" name="hw.product" value="Unified SIP Phone {cisco.model}"/>
|
139
|
+
<param pos="0" name="os.vendor" value="Cisco"/>
|
140
|
+
<param pos="0" name="os.product" value="Unified SIP Phone 3900 Firmware"/>
|
141
|
+
<param pos="2" name="os.version"/>
|
142
|
+
<param pos="0" name="hw.certainty" value="0.95"/>
|
143
|
+
<param pos="0" name="os.certainty" value="0.95"/>
|
144
|
+
<param pos="0" name="os.cpe23" value="cpe:/o:cisco:unified_sip_phone_3900_firmware:{os.version}"/>
|
145
|
+
</fingerprint>
|
146
|
+
|
147
|
+
<fingerprint pattern="^Cisco-ATA(\d{3})/([\d.]+)$">
|
148
|
+
<description>Cisco Analog Telephone Adapters (ATA)</description>
|
149
|
+
<example cisco.model="187" hw.product="ATA 187" os.version="9.2.3">Cisco-ATA187/9.2.3</example>
|
150
|
+
<param pos="1" name="cisco.model"/>
|
151
|
+
<param pos="0" name="hw.vendor" value="Cisco"/>
|
152
|
+
<param pos="0" name="hw.device" value="VoIP"/>
|
153
|
+
<param pos="0" name="hw.product" value="ATA {cisco.model}"/>
|
154
|
+
<param pos="0" name="os.vendor" value="Cisco"/>
|
155
|
+
<param pos="0" name="os.product" value="ATA {cisco.model} Firmware"/>
|
156
|
+
<param pos="2" name="os.version"/>
|
157
|
+
<param pos="0" name="hw.certainty" value="0.9"/>
|
158
|
+
<param pos="0" name="os.certainty" value="0.9"/>
|
159
|
+
</fingerprint>
|
160
|
+
|
132
161
|
<!-- AVM.DE Devices -->
|
133
162
|
|
134
163
|
<fingerprint pattern="^FRITZ!OS$">
|
@@ -303,10 +332,11 @@
|
|
303
332
|
<param pos="1" name="service.version"/>
|
304
333
|
</fingerprint>
|
305
334
|
|
306
|
-
<fingerprint pattern="^ShoreGear/([\d\.]+)\s+\(ShoreTel \d+\)$">
|
335
|
+
<fingerprint pattern="^ShoreGear/([\d\.]+)\s+\(ShoreTel [\d\.]+\)$">
|
307
336
|
<description>ShoreTel VoIP Switch</description>
|
308
337
|
<example hw.version="21.90.4128.0">ShoreGear/21.90.4128.0 (ShoreTel 15)</example>
|
309
338
|
<example hw.version="22.11.4900.0">ShoreGear/22.11.4900.0 (ShoreTel 15)</example>
|
339
|
+
<example hw.version="19.48.2600.0">ShoreGear/19.48.2600.0 (ShoreTel 14.2)</example>
|
310
340
|
<param pos="0" name="hw.vendor" value="ShoreTel"/>
|
311
341
|
<param pos="0" name="hw.device" value="VoIP Switch"/>
|
312
342
|
<param pos="1" name="hw.version"/>
|
@@ -564,4 +594,27 @@
|
|
564
594
|
<param pos="0" name="service.cpe23" value="cpe:/a:freeswitch:freeswitch:{service.version}"/>
|
565
595
|
</fingerprint>
|
566
596
|
|
597
|
+
<fingerprint pattern="^Valcom (VIP-\w+) sw([\d.]+)">
|
598
|
+
<description>Valcom SIP device with version</description>
|
599
|
+
<example os.version="1.50.28">Valcom VIP-204 sw1.50.28</example>
|
600
|
+
<param pos="0" name="os.vendor" value="Valcom"/>
|
601
|
+
<param pos="0" name="os.product" value="{hw.product} Firmware"/>
|
602
|
+
<param pos="2" name="os.version"/>
|
603
|
+
<param pos="0" name="os.device" value="SIP Device"/>
|
604
|
+
<param pos="0" name="hw.vendor" value="Valcom"/>
|
605
|
+
<param pos="1" name="hw.product"/>
|
606
|
+
<param pos="0" name="hw.device" value="SIP Device"/>
|
607
|
+
</fingerprint>
|
608
|
+
|
609
|
+
<fingerprint pattern="^DX800A/([\d.]+)$">
|
610
|
+
<description>Gigaset SIP Phones</description>
|
611
|
+
<example os.version="41.175.00.000.000">DX800A/41.175.00.000.000</example>
|
612
|
+
<param pos="0" name="hw.vendor" value="Gigaset"/>
|
613
|
+
<param pos="0" name="hw.device" value="VoIP"/>
|
614
|
+
<param pos="0" name="hw.product" value="DX800A"/>
|
615
|
+
<param pos="0" name="os.vendor" value="Gigaset"/>
|
616
|
+
<param pos="0" name="os.product" value="{hw.product} Firmware"/>
|
617
|
+
<param pos="1" name="os.version"/>
|
618
|
+
</fingerprint>
|
619
|
+
|
567
620
|
</fingerprints>
|
data/xml/smtp_banners.xml
CHANGED
@@ -162,7 +162,7 @@
|
|
162
162
|
Search Cisco's documentation for "fixup protocol SMTP" for more information.
|
163
163
|
-->
|
164
164
|
|
165
|
-
<fingerprint pattern="^[\*20 ]{1,
|
165
|
+
<fingerprint pattern="^[\*20 ]{1,1000}$">
|
166
166
|
<description>Cisco PIX firewall MailGuard banner stripping</description>
|
167
167
|
<example os.product="PIX">***************************</example>
|
168
168
|
<param pos="0" name="os.vendor" value="Cisco"/>
|
@@ -212,7 +212,7 @@
|
|
212
212
|
<param pos="0" name="os.vendor" value="Apple"/>
|
213
213
|
<param pos="0" name="os.family" value="Mac OS"/>
|
214
214
|
<param pos="0" name="os.product" value="Mac OS"/>
|
215
|
-
<param pos="0" name="os.cpe23" value="cpe:/o:apple:
|
215
|
+
<param pos="0" name="os.cpe23" value="cpe:/o:apple:macos:-"/>
|
216
216
|
<param pos="1" name="host.name"/>
|
217
217
|
<param pos="2" name="service.version"/>
|
218
218
|
</fingerprint>
|
@@ -247,7 +247,7 @@
|
|
247
247
|
<param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
|
248
248
|
</fingerprint>
|
249
249
|
|
250
|
-
<fingerprint pattern="^([^ ]{1,512}) Microsoft ESMTP MAIL Service ready at
|
250
|
+
<fingerprint pattern="^([^ ]{1,512}) Microsoft ESMTP MAIL Service ready at">
|
251
251
|
<description>Microsoft Exchange 2007/2010 (for sure, can't be confused with the IIS builtin SMTP service)</description>
|
252
252
|
<example>foo.bar Microsoft ESMTP MAIL Service ready at Wed, 21 Jul 2010 19:04:24 -0700</example>
|
253
253
|
<param pos="0" name="service.vendor" value="Microsoft"/>
|
@@ -446,7 +446,7 @@
|
|
446
446
|
<param pos="1" name="host.name"/>
|
447
447
|
</fingerprint>
|
448
448
|
|
449
|
-
<fingerprint pattern="^([^ ]{1,512}) FTGate server ready
|
449
|
+
<fingerprint pattern="^([^ ]{1,512}) FTGate server ready">
|
450
450
|
<description>FTGate mail server, runs on Windows 9x/NT/2k (http://www.ftgate.com)</description>
|
451
451
|
<example host.name="foo.bar">foo.bar FTGate server ready -attitude [C.o.r.E]</example>
|
452
452
|
<param pos="0" name="service.vendor" value="Floosietek"/>
|
@@ -795,7 +795,7 @@
|
|
795
795
|
<param pos="2" name="service.version"/>
|
796
796
|
</fingerprint>
|
797
797
|
|
798
|
-
<fingerprint pattern="^([^ ]{1,512}) SMTP NAVIEG ([^ ]+\.[^ ]+\.[^ ]+); (.+)* http
|
798
|
+
<fingerprint pattern="^([^ ]{1,512}) SMTP NAVIEG ([^ ]+\.[^ ]+\.[^ ]+); (.+)* http">
|
799
799
|
<description>Norton Antivirus for Internet Email Gateways (becomes NAVGW in 2.1)</description>
|
800
800
|
<example host.name="foo.bar" service.version="2.0.1">foo.bar SMTP NAVIEG 2.0.1; Sun, 29 Jul 2001 22:02:16 -0500 http://www.symantec.com</example>
|
801
801
|
<param pos="0" name="service.vendor" value="Norton"/>
|
@@ -807,7 +807,7 @@
|
|
807
807
|
<param pos="3" name="system.time"/>
|
808
808
|
</fingerprint>
|
809
809
|
|
810
|
-
<fingerprint pattern="^([^ ]{1,512}) ESMTP service \(Netscape Messaging Server ([^ ]+\.[^ ]+) Patch ([^ ]+)
|
810
|
+
<fingerprint pattern="^([^ ]{1,512}) ESMTP service \(Netscape Messaging Server ([^ ]+\.[^ ]+) Patch ([^ ]+)">
|
811
811
|
<description>Netscape Messaging Server - with patch number</description>
|
812
812
|
<example host.name="foo.bar" service.version="4.15" service.version.version="7">foo.bar ESMTP service (Netscape Messaging Server 4.15 Patch 7 (built Sep 12 2001))</example>
|
813
813
|
<param pos="0" name="service.vendor" value="Netscape"/>
|
@@ -933,7 +933,7 @@
|
|
933
933
|
<param pos="4" name="system.time"/>
|
934
934
|
</fingerprint>
|
935
935
|
|
936
|
-
<fingerprint pattern="^([^ ]{1,512})(?: UCX)? V\S+, OpenVMS V(\S+) (\S+) ready at
|
936
|
+
<fingerprint pattern="^([^ ]{1,512})(?: UCX)? V\S+, OpenVMS V(\S+) (\S+) ready at">
|
937
937
|
<description>Some unknown mail server on OpenVMS</description>
|
938
938
|
<example host.name="foo.bar" os.arch="IA64" os.version="8.4">foo.bar V5.7-ECO4, OpenVMS V8.4 IA64 ready at Wed, 20 May 2015 01:22:32 +0100 (BST)</example>
|
939
939
|
<example host.name="foo.bar" os.arch="Alpha" os.version="7.3-2">foo.bar V5.4-15E, OpenVMS V7.3-2 Alpha ready at Wed, 20 May 2015 01:22:18 +0100 (BST)</example>
|
@@ -1304,7 +1304,7 @@
|
|
1304
1304
|
<param pos="5" name="system.time"/>
|
1305
1305
|
</fingerprint>
|
1306
1306
|
|
1307
|
-
<fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d\+(?:wheezy|deb7u)\d; (.+);
|
1307
|
+
<fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d\+(?:wheezy|deb7u)\d; (.+);">
|
1308
1308
|
<description>Sendmail - Debian 7.x (wheezy)</description>
|
1309
1309
|
<example host.name="foo.bar" service.version="8.14.4">foo.bar ESMTP Sendmail 8.14.4/8.14.4/Debian-4+wheezy1; Thu, 30 Nov 2017 10:33:05 +0100; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
|
1310
1310
|
<example service.version="8.14.4">foo.bar ESMTP Sendmail 8.14.4/8.14.4/Debian-4+deb7u1; Thu, 30 Nov 2017 11:00:33 +0100; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
|
@@ -1324,7 +1324,7 @@
|
|
1324
1324
|
<param pos="4" name="system.time"/>
|
1325
1325
|
</fingerprint>
|
1326
1326
|
|
1327
|
-
<fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d\+deb8u\d; (.+);
|
1327
|
+
<fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d\+deb8u\d; (.+);">
|
1328
1328
|
<description>Sendmail - Debian 8.x (jessie)</description>
|
1329
1329
|
<example service.version="8.14.4">foo.bar ESMTP Sendmail 8.14.4/8.14.4/Debian-8+deb8u2; Thu, 30 Nov 2017 10:25:48 +0100; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
|
1330
1330
|
<param pos="0" name="service.vendor" value="Sendmail"/>
|
@@ -1343,7 +1343,7 @@
|
|
1343
1343
|
<param pos="4" name="system.time"/>
|
1344
1344
|
</fingerprint>
|
1345
1345
|
|
1346
|
-
<fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d\+deb9u1; (.+);
|
1346
|
+
<fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d\+deb9u1; (.+);">
|
1347
1347
|
<description>Sendmail - Debian 9.1 (stretch)</description>
|
1348
1348
|
<example host.name="foo.bar" service.version="8.15.2">foo.bar ESMTP Sendmail 8.15.2/8.15.2/Debian-8+deb9u1; Thu, 29 Apr 2021 06:45:02 +0200; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
|
1349
1349
|
<param pos="0" name="service.vendor" value="Sendmail"/>
|
@@ -1362,7 +1362,7 @@
|
|
1362
1362
|
<param pos="4" name="system.time"/>
|
1363
1363
|
</fingerprint>
|
1364
1364
|
|
1365
|
-
<fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d\+lenny\d; (.+);
|
1365
|
+
<fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d\+lenny\d; (.+);">
|
1366
1366
|
<description>Sendmail - Debian 5.x (lenny)</description>
|
1367
1367
|
<example service.version="8.14.3">foo.bar ESMTP Sendmail 8.14.3/8.14.3/Debian-5+lenny1; Thu, 30 Nov 2017 12:29:40 +0300; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
|
1368
1368
|
<param pos="0" name="service.vendor" value="Sendmail"/>
|
@@ -1381,7 +1381,7 @@
|
|
1381
1381
|
<param pos="4" name="system.time"/>
|
1382
1382
|
</fingerprint>
|
1383
1383
|
|
1384
|
-
<fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d\+etch\d; (.+);
|
1384
|
+
<fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d\+etch\d; (.+);">
|
1385
1385
|
<description>Sendmail - Debian 4.x (etch)</description>
|
1386
1386
|
<example service.version="8.13.8" sendmail.config.version="8.13.8">foo.bar ESMTP Sendmail 8.13.8/8.13.8/Debian-3+etch1; Thu, 30 Nov 2017 10:28:23 +0100; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
|
1387
1387
|
<param pos="0" name="service.vendor" value="Sendmail"/>
|
@@ -1400,7 +1400,7 @@
|
|
1400
1400
|
<param pos="4" name="system.time"/>
|
1401
1401
|
</fingerprint>
|
1402
1402
|
|
1403
|
-
<fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\dsarge\d; (.+);
|
1403
|
+
<fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\dsarge\d; (.+);">
|
1404
1404
|
<description>Sendmail - Debian 3.1 (sarge)</description>
|
1405
1405
|
<example service.version="8.13.4">foo.bar ESMTP Sendmail 8.13.4/8.13.4/Debian-3sarge1; Thu, 30 Nov 2017 10:55:47 +0100; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
|
1406
1406
|
<param pos="0" name="service.vendor" value="Sendmail"/>
|
@@ -1419,7 +1419,7 @@
|
|
1419
1419
|
<param pos="4" name="system.time"/>
|
1420
1420
|
</fingerprint>
|
1421
1421
|
|
1422
|
-
<fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d(?:\.\d)?(?:build\d)?;+ (.+);
|
1422
|
+
<fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/([^/]+)/Debian-\d(?:\.\d)?(?:build\d)?;+ (.+);">
|
1423
1423
|
<description>Sendmail - Debian patch only</description>
|
1424
1424
|
<example service.version="8.15.2">foo.bar ESMTP Sendmail 8.15.2/8.15.2/Debian-3; Thu, 30 Nov 2017 10:55:50 +0200; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
|
1425
1425
|
<example service.version="8.14.3">foo.bar ESMTP Sendmail 8.14.3/8.14.3/Debian-9.4; Thu, 30 Nov 2017 10:11:54 +0100; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
|
@@ -1439,7 +1439,7 @@
|
|
1439
1439
|
<param pos="4" name="system.time"/>
|
1440
1440
|
</fingerprint>
|
1441
1441
|
|
1442
|
-
<fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/[^/]+/Debian-[\d.]+ubuntu[^ ]*; (.+);
|
1442
|
+
<fingerprint pattern="^([^ ]{1,512}) ESMTP Sendmail ([^/]+)/[^/]+/Debian-[\d.]+ubuntu[^ ]*; (.+);">
|
1443
1443
|
<description>Sendmail - Ubuntu</description>
|
1444
1444
|
<example service.version="8.13.5.20060308">foo.bar ESMTP Sendmail 8.13.5.20060308/8.13.5/Debian-3ubuntu1.1; Fri, 24 Jul 2009 01:41:21 -0700; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
|
1445
1445
|
<example service.version="8.14.4">foo.bar ESMTP Sendmail 8.14.4/8.14.4/Debian-4.1ubuntu1; Thu, 30 Nov 2017 11:00:30 +0100; (No UCE/UBE) logging access from: xyz.foo.bar(OK)-xyz.foo.bar [10.0.0.1]</example>
|
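--- a/data/xml/smtp_ehlo.xml
+++ b/data/xml/smtp_ehlo.xml
@@ -21,7 +21,7 @@
 a very precise MS IIS SMTP service or MS Exchange Server fingerprint found with the
 help of smtp_banners.xml. Instead, this case is handled specially by the Jess rule
 smtp-iis-xexch50-svc-fingerprint. -mrb
-<fingerprint pattern="^250[ -] *XEXCH50
+<fingerprint pattern="^250[ -] *XEXCH50">
 <description>
 Microsoft Exchange/IIS server
 </description>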
data/xml/smtp_help.xml
CHANGED
@@ -43,7 +43,7 @@
|
|
43
43
|
<param pos="0" name="os.vendor" value="Apple"/>
|
44
44
|
<param pos="0" name="os.family" value="Mac OS"/>
|
45
45
|
<param pos="0" name="os.product" value="Mac OS"/>
|
46
|
-
<param pos="0" name="os.cpe23" value="cpe:/o:apple:
|
46
|
+
<param pos="0" name="os.cpe23" value="cpe:/o:apple:macos:-"/>
|
47
47
|
</fingerprint>
|
48
48
|
|
49
49
|
<fingerprint pattern="^214[ -]([^ ]+) is running the IBM VM operating system$">
|
@@ -59,7 +59,7 @@
|
|
59
59
|
in smtp_ehlo.xml ? -mrb
|
60
60
|
-->
|
61
61
|
|
62
|
-
<fingerprint pattern="^214[ -].* XEXCH50
|
62
|
+
<fingerprint pattern="^214[ -].* XEXCH50 *">
|
63
63
|
<description>Microsoft Exchange/IIS server</description>
|
64
64
|
<param pos="0" name="service.vendor" value="Microsoft"/>
|
65
65
|
<param pos="0" name="service.family" value="Exchange Server"/>
|
@@ -84,7 +84,7 @@
|
|
84
84
|
<param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
|
85
85
|
</fingerprint>
|
86
86
|
|
87
|
-
<fingerprint pattern="^214[ -].*This is MERAK ([^ ]+\.[^ ]+\.[^ ]+)
|
87
|
+
<fingerprint pattern="^214[ -].*This is MERAK ([^ ]+\.[^ ]+\.[^ ]+)">
|
88
88
|
<description> Merak mail server - http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x)</description>
|
89
89
|
<param pos="0" name="service.vendor" value="Merak"/>
|
90
90
|
<param pos="0" name="service.family" value="Mail Server"/>
|
@@ -92,7 +92,7 @@
|
|
92
92
|
<param pos="1" name="service.version"/>
|
93
93
|
</fingerprint>
|
94
94
|
|
95
|
-
<fingerprint pattern="^214[ -].*This is Merak ([^ ]+\.[^ ]+\.[^ ]+)
|
95
|
+
<fingerprint pattern="^214[ -].*This is Merak ([^ ]+\.[^ ]+\.[^ ]+)">
|
96
96
|
<description>Merak mail server - http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x) - variant 1</description>
|
97
97
|
<param pos="0" name="service.vendor" value="Merak"/>
|
98
98
|
<param pos="0" name="service.family" value="Mail Server"/>
|
@@ -100,14 +100,14 @@
|
|
100
100
|
<param pos="1" name="service.version"/>
|
101
101
|
</fingerprint>
|
102
102
|
|
103
|
-
<fingerprint pattern="^214[ -].*bugs@merakmail\.com
|
103
|
+
<fingerprint pattern="^214[ -].*bugs@merakmail\.com">
|
104
104
|
<description>Merak mail server - http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x) - email variant</description>
|
105
105
|
<param pos="0" name="service.vendor" value="Merak"/>
|
106
106
|
<param pos="0" name="service.family" value="Mail Server"/>
|
107
107
|
<param pos="0" name="service.product" value="Mail Server"/>
|
108
108
|
</fingerprint>
|
109
109
|
|
110
|
-
<fingerprint pattern="^214[ -].*bugs@icewarp\.com
|
110
|
+
<fingerprint pattern="^214[ -].*bugs@icewarp\.com">
|
111
111
|
<description>Merak mail server - http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x) - icewarp variant </description>
|
112
112
|
<param pos="0" name="service.vendor" value="Merak"/>
|
113
113
|
<param pos="0" name="service.family" value="Mail Server"/>
|
@@ -122,7 +122,7 @@
|
|
122
122
|
<param pos="0" name="service.product" value="qmail"/>
|
123
123
|
</fingerprint>
|
124
124
|
|
125
|
-
<fingerprint pattern="^214[ -].*contact the Digital Customer Support Center at 1-800-354-9000
|
125
|
+
<fingerprint pattern="^214[ -].*contact the Digital Customer Support Center at 1-800-354-9000">
|
126
126
|
<description>Sendmail on Digital OSF UNIX</description>
|
127
127
|
<param pos="0" name="service.family" value="Sendmail"/>
|
128
128
|
<param pos="0" name="service.product" value="Sendmail"/>
|
@@ -154,21 +154,21 @@
|
|
154
154
|
<param pos="1" name="service.version"/>
|
155
155
|
</fingerprint>
|
156
156
|
|
157
|
-
<fingerprint pattern="^214[ -].*sendmail-bugs@sendmail\.org
|
157
|
+
<fingerprint pattern="^214[ -].*sendmail-bugs@sendmail\.org">
|
158
158
|
<description>Sendmail often returns version information for HELP - email variant</description>
|
159
159
|
<param pos="0" name="service.family" value="Sendmail"/>
|
160
160
|
<param pos="0" name="service.product" value="Sendmail"/>
|
161
161
|
<param pos="0" name="service.certainty" value="0.85"/>
|
162
162
|
</fingerprint>
|
163
163
|
|
164
|
-
<fingerprint pattern="^241[ -]
|
164
|
+
<fingerprint pattern="^241[ -]">
|
165
165
|
<description>ZMailer versions earlier than 2.99.21 mistakenly return the status code 241 on some HELP response lines (instead of 214).</description>
|
166
166
|
<param pos="0" name="service.vendor" value="ZMailer"/>
|
167
167
|
<param pos="0" name="service.family" value="ZMailer"/>
|
168
168
|
<param pos="0" name="service.product" value="ZMailer"/>
|
169
169
|
</fingerprint>
|
170
170
|
|
171
|
-
<fingerprint pattern="^214[ -].*Yoyodyne Propulsion
|
171
|
+
<fingerprint pattern="^214[ -].*Yoyodyne Propulsion">
|
172
172
|
<description>ZMailer has distinctive default HELP text in smtpserver.conf</description>
|
173
173
|
<param pos="0" name="service.vendor" value="ZMailer"/>
|
174
174
|
<param pos="0" name="service.family" value="ZMailer"/>
|
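--- a/data/xml/smtp_noop.xml
+++ b/data/xml/smtp_noop.xml
@@ -8,7 +8,7 @@
 of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
 -->
 
-<fingerprint pattern="^220 OK
+<fingerprint pattern="^220 OK">
 <description>CheckPoint FireWall-1 returns code 220 for NOOP command (instead of 250)</description>
 <param pos="0" name="service.vendor" value="Check Point"/>
 <param pos="0" name="service.family" value="Check Point"/>
@@ -25,7 +25,7 @@
 <param pos="0" name="os.vendor" value="Apple"/>
 <param pos="0" name="os.family" value="Mac OS"/>
 <param pos="0" name="os.product" value="Mac OS"/>
-<param pos="0" name="os.cpe23" value="cpe:/o:apple:
+<param pos="0" name="os.cpe23" value="cpe:/o:apple:macos:-"/>
 </fingerprint>
 
 <fingerprint pattern="^250[ -]Why is there an NOOP instruction\?$">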