RubyGems - recog - Versions diffs - 2.3.22 → 2.3.23 - Mend

recog 2.3.22 → 2.3.23

Files changed (69) hide show

checksums.yaml +4 -4
data/.github/workflows/ci.yml +1 -1
data/.github/workflows/verify.yml +1 -1
data/.vscode/bin/monitor-recog-fingerprints.sh +54 -0
data/.vscode/extensions.json +5 -0
data/.vscode/settings.json +8 -0
data/.vscode/tasks.json +77 -0
data/CONTRIBUTING.md +2 -0
data/bin/recog_verify +42 -7
data/cpe-remap.yaml +20 -2
data/features/data/schema_failure.xml +4 -0
data/features/data/tests_with_failures.xml +6 -0
data/features/support/hooks.rb +9 -0
data/features/verify.feature +81 -17
data/identifiers/hw_device.txt +2 -0
data/identifiers/hw_product.txt +2 -0
data/identifiers/os_device.txt +2 -0
data/identifiers/os_family.txt +1 -0
data/identifiers/os_product.txt +8 -1
data/identifiers/service_product.txt +14 -0
data/identifiers/vendor.txt +13 -1
data/lib/recog/fingerprint.rb +21 -7
data/lib/recog/fingerprint_parse_error.rb +10 -0
data/lib/recog/verifier.rb +4 -4
data/lib/recog/verify_reporter.rb +7 -6
data/lib/recog/version.rb +1 -1
data/requirements.txt +1 -1
data/spec/data/external_example_fingerprint/hp_printer_ex_01.txt +1 -0
data/spec/data/external_example_fingerprint/hp_printer_ex_02.txt +1 -0
data/spec/data/external_example_fingerprint.xml +8 -0
data/spec/data/external_example_illegal_path_fingerprint.xml +7 -0
data/spec/lib/recog/db_spec.rb +84 -61
data/spec/lib/recog/fingerprint_spec.rb +4 -4
data/spec/lib/recog/verify_reporter_spec.rb +8 -8
data/update_cpes.py +129 -36
data/xml/apache_os.xml +61 -19
data/xml/architecture.xml +15 -1
data/xml/dhcp_vendor_class.xml +1 -1
data/xml/dns_versionbind.xml +16 -13
data/xml/favicons.xml +87 -5
data/xml/fingerprints.xsd +9 -1
data/xml/ftp_banners.xml +131 -141
data/xml/h323_callresp.xml +2 -2
data/xml/hp_pjl_id.xml +81 -81
data/xml/html_title.xml +178 -9
data/xml/http_cookies.xml +83 -27
data/xml/http_servers.xml +409 -269
data/xml/http_wwwauth.xml +70 -37
data/xml/imap_banners.xml +2 -2
data/xml/nntp_banners.xml +8 -5
data/xml/ntp_banners.xml +33 -33
data/xml/operating_system.xml +92 -77
data/xml/pop_banners.xml +17 -17
data/xml/sip_banners.xml +16 -5
data/xml/sip_user_agents.xml +122 -27
data/xml/smb_native_lm.xml +5 -5
data/xml/smb_native_os.xml +25 -25
data/xml/smtp_banners.xml +132 -131
data/xml/smtp_help.xml +1 -1
data/xml/snmp_sysdescr.xml +1227 -1227
data/xml/snmp_sysobjid.xml +2 -2
data/xml/ssh_banners.xml +9 -5
data/xml/telnet_banners.xml +49 -0
data/xml/tls_jarm.xml +22 -2
data/xml/x11_banners.xml +3 -3
data/xml/x509_issuers.xml +3 -2
data/xml/x509_subjects.xml +3 -3
metadata +19 -3
data/lib/recog/verifier_factory.rb +0 -13

data/xml/http_wwwauth.xml CHANGED Viewed

@@ -289,7 +289,7 @@
   <fingerprint pattern="^(?:Basic|Digest) realm=&quot;(?:SmartAX )?(MT\d+[^ ]*)(?: ADSL Router)?&quot;$">
     <description>Huawei xDSL routers</description>
-    <example hw.product="MT882">Basic realm="SmartAX MT882"</example>
+    <example hw.product="MT882" service.product="MT882" os.product="MT882">Basic realm="SmartAX MT882"</example>
     <param pos="0" name="service.vendor" value="Huawei"/>
     <param pos="0" name="service.family" value="MT"/>
     <param pos="1" name="service.product"/>
@@ -322,10 +322,10 @@
   <fingerprint pattern="^(?:Basic|Digest) realm=&quot;(WRT54G\w*)&quot;$">
     <description>Linksys WRT54G wireless access point (dozen of variants of the product)</description>
-    <example hw.product="WRT54G">Basic realm="WRT54G"</example>
-    <example hw.product="WRT54GL">Basic realm="WRT54GL"</example>
-    <example hw.product="WRT54GSV4">Basic realm="WRT54GSV4"</example>
-    <example hw.product="WRT54GCv3">Basic realm="WRT54GCv3"</example>
+    <example hw.product="WRT54G" os.product="WRT54G">Basic realm="WRT54G"</example>
+    <example hw.product="WRT54GL" os.product="WRT54GL">Basic realm="WRT54GL"</example>
+    <example hw.product="WRT54GSV4" os.product="WRT54GSV4">Basic realm="WRT54GSV4"</example>
+    <example hw.product="WRT54GCv3" os.product="WRT54GCv3">Basic realm="WRT54GCv3"</example>
     <param pos="0" name="os.vendor" value="Linksys"/>
     <param pos="0" name="os.device" value="WAP"/>
     <param pos="1" name="os.product"/>
@@ -336,9 +336,9 @@
   <fingerprint pattern="^(?:Basic|Digest) realm=&quot;(TD-[VW8][A-Z0-9]+)(?:| \d+\.\d+)&quot;$">
     <description>TP-LINK SoHo Router - dash variant</description>
-    <example os.product="TD-W8901G">Basic realm="TD-W8901G"</example>
-    <example>Basic realm="TD-8840T 2.0"</example>
-    <example hw.product="TD-8811">Basic realm="TD-8811"</example>
+    <example os.product="TD-W8901G" hw.product="TD-W8901G">Basic realm="TD-W8901G"</example>
+    <example os.product="TD-8840T" hw.product="TD-8840T">Basic realm="TD-8840T 2.0"</example>
+    <example hw.product="TD-8811" os.product="TD-8811">Basic realm="TD-8811"</example>
     <param pos="0" name="os.vendor" value="TP-LINK"/>
     <param pos="0" name="os.device" value="Router"/>
     <param pos="1" name="os.product"/>
@@ -349,10 +349,10 @@
   <fingerprint pattern="^(?:Basic|Digest) realm=&quot;(TD8[A-Z0-9]+)&quot;$">
     <description>TP-LINK SoHo Router</description>
-    <example os.product="TD854W">Basic realm="TD854W"</example>
-    <example hw.product="TD811">Basic realm="TD811"</example>
-    <example>Basic realm="TD821"</example>
-    <example>Basic realm="TD841"</example>
+    <example os.product="TD854W" hw.product="TD854W">Basic realm="TD854W"</example>
+    <example hw.product="TD811" os.product="TD811">Basic realm="TD811"</example>
+    <example os.product="TD821" hw.product="TD821">Basic realm="TD821"</example>
+    <example os.product="TD841" hw.product="TD841">Basic realm="TD841"</example>
     <param pos="0" name="os.vendor" value="TP-LINK"/>
     <param pos="0" name="os.device" value="Router"/>
     <param pos="1" name="os.product"/>
@@ -363,22 +363,22 @@
   <fingerprint pattern="^(?:Basic|Digest) realm=&quot;TP-LINK.*(?:Access Point|Extender|AP) ([A-Z0-9\-\+]+)&quot;">
     <description>TP-LINK SoHo Router - verbose variant</description>
-    <example os.product="WA801N">Basic realm="TP-LINK Wireless N Access Point WA801N"</example>
-    <example hw.product="WA830RE">Basic realm="TP-LINK Wireless Range Extender WA830RE"</example>
-    <example>Basic realm="TP-LINK Wireless Range Extender WA850RE"</example>
-    <example>Basic realm="TP-LINK Wireless AP WA501G"</example>
-    <example>Basic realm="TP-LINK Wireless N Access Point WA701ND"</example>
-    <example>Basic realm="TP-LINK Wireless N Access Point WA901ND"</example>
-    <example>Basic realm="TP-LINK Wireless AP WA601G"</example>
-    <example>Basic realm="TP-LINK Wireless AP WR710N"</example>
-    <example>Basic realm="TP-LINK Wireless AP WR700N"</example>
-    <example>Basic realm="TP-LINK Wireless Range Extender WA750RE"</example>
-    <example>Basic realm="TP-LINK Wireless AP WR702N"</example>
-    <example>Basic realm="TP-LINK Wireless AP WR800N"</example>
-    <example>Basic realm="TP-LINK Wireless Range Extender WA730RE"</example>
-    <example>Basic realm="TP-LINK Wireless N Access Point WA805N"</example>
-    <example>Basic realm="TP-LINK Wireless N Access Point WA701N"</example>
-    <example>Basic realm="TP-LINK Wireless AP WR706N"</example>
+    <example os.product="WA801N" hw.product="WA801N">Basic realm="TP-LINK Wireless N Access Point WA801N"</example>
+    <example hw.product="WA830RE" os.product="WA830RE">Basic realm="TP-LINK Wireless Range Extender WA830RE"</example>
+    <example os.product="WA850RE" hw.product="WA850RE">Basic realm="TP-LINK Wireless Range Extender WA850RE"</example>
+    <example os.product="WA501G" hw.product="WA501G">Basic realm="TP-LINK Wireless AP WA501G"</example>
+    <example os.product="WA701ND" hw.product="WA701ND">Basic realm="TP-LINK Wireless N Access Point WA701ND"</example>
+    <example os.product="WA901ND" hw.product="WA901ND">Basic realm="TP-LINK Wireless N Access Point WA901ND"</example>
+    <example os.product="WA601G" hw.product="WA601G">Basic realm="TP-LINK Wireless AP WA601G"</example>
+    <example os.product="WR710N" hw.product="WR710N">Basic realm="TP-LINK Wireless AP WR710N"</example>
+    <example os.product="WR700N" hw.product="WR700N">Basic realm="TP-LINK Wireless AP WR700N"</example>
+    <example os.product="WA750RE" hw.product="WA750RE">Basic realm="TP-LINK Wireless Range Extender WA750RE"</example>
+    <example os.product="WR702N" hw.product="WR702N">Basic realm="TP-LINK Wireless AP WR702N"</example>
+    <example os.product="WR800N" hw.product="WR800N">Basic realm="TP-LINK Wireless AP WR800N"</example>
+    <example os.product="WA730RE" hw.product="WA730RE">Basic realm="TP-LINK Wireless Range Extender WA730RE"</example>
+    <example os.product="WA805N" hw.product="WA805N">Basic realm="TP-LINK Wireless N Access Point WA805N"</example>
+    <example os.product="WA701N" hw.product="WA701N">Basic realm="TP-LINK Wireless N Access Point WA701N"</example>
+    <example os.product="WR706N" hw.product="WR706N">Basic realm="TP-LINK Wireless AP WR706N"</example>
     <param pos="0" name="os.vendor" value="TP-LINK"/>
     <param pos="0" name="os.device" value="WAP"/>
     <param pos="1" name="os.product"/>
@@ -389,9 +389,9 @@
   <fingerprint pattern="(?i)^(?:Basic|Digest).*realm=&quot;TP-LINK (.*Router.*)&quot;">
     <description>TP-LINK Routers</description>
-    <example>Basic realm="TP-LINK Wireless N Router WR841N"</example>
-    <example>Basic realm="TP-LINK Gigabit Broadband VPN Router R600VPN"</example>
-    <example>Basic realm="TP-LINK Wireless Lite N Router WR740N/WR741ND"</example>
+    <example hw.product="Wireless N Router WR841N">Basic realm="TP-LINK Wireless N Router WR841N"</example>
+    <example hw.product="Gigabit Broadband VPN Router R600VPN">Basic realm="TP-LINK Gigabit Broadband VPN Router R600VPN"</example>
+    <example hw.product="Wireless Lite N Router WR740N/WR741ND">Basic realm="TP-LINK Wireless Lite N Router WR740N/WR741ND"</example>
     <param pos="0" name="hw.vendor" value="TP-LINK"/>
     <param pos="0" name="hw.device" value="Router"/>
     <param pos="1" name="hw.product"/>
@@ -504,7 +504,7 @@
   <fingerprint pattern="(?i)^(?:Basic|Digest).*realm=&quot;ZXHN (\S+)&quot;">
     <description>ZTE ZXHN router</description>
-    <example>Basic realm="ZXHN H108L"</example>
+    <example hw.product="H108L">Basic realm="ZXHN H108L"</example>
     <param pos="0" name="hw.vendor" value="ZTE"/>
     <param pos="0" name="hw.device" value="Router"/>
     <param pos="0" name="hw.family" value="ZXHN"/>
@@ -662,17 +662,41 @@
     <param pos="0" name="hw.family" value="Eurotherm"/>
   </fingerprint>
+  <fingerprint pattern="(?i)^Basic realm=&quot;TomatoUSB&quot;">
+    <description>TomatoUSB Router Firmware</description>
+    <example>Basic realm="TomatoUSB"</example>
+    <param pos="0" name="os.vendor" value="TomatoUSB"/>
+    <param pos="0" name="os.family" value="Linux"/>
+    <param pos="0" name="os.product" value="TomatoUSB"/>
+    <param pos="0" name="os.device" value="Router"/>
+  </fingerprint>
+  <fingerprint pattern="(?i)^Basic realm=&quot;FreshTomato&quot;">
+    <description>FreshTomato Router Firmware</description>
+    <example>Basic realm="FreshTomato"</example>
+    <param pos="0" name="os.vendor" value="FreshTomato"/>
+    <param pos="0" name="os.family" value="Linux"/>
+    <param pos="0" name="os.product" value="FreshTomato"/>
+    <param pos="0" name="os.device" value="Router"/>
+  </fingerprint>
   <!-- a variety of headers we currently just ignore -->
   <fingerprint pattern="(?i)^NTLM$">
-    <description>Ignore NTLM-only</description>
+    <description>Ignore NTLM-only -- assert nothing</description>
     <example>NTLM</example>
     <example>Ntlm</example>
+    <param pos="0" name="hw.certainty" value="0.0"/>
+    <param pos="0" name="os.certainty" value="0.0"/>
+    <param pos="0" name="service.certainty" value="0.0"/>
   </fingerprint>
   <fingerprint pattern="^Negotiate$">
-    <description>Ignore Negotiate-only</description>
+    <description>Ignore Negotiate-only -- assert nothing</description>
     <example>Negotiate</example>
+    <param pos="0" name="hw.certainty" value="0.0"/>
+    <param pos="0" name="os.certainty" value="0.0"/>
+    <param pos="0" name="service.certainty" value="0.0"/>
   </fingerprint>
   <!--
@@ -681,24 +705,33 @@
   -->
   <fingerprint pattern="^(?:Basic|Digest) .*realm=['&quot;](?:\/|\.|null|\/?index.html?)?['&quot;]">
-    <description>Ignore null/empty/period/index.</description>
+    <description>Ignore null/empty/period/index -- assert nothing</description>
     <example>Basic realm="null"</example>
     <example>Basic realm="."</example>
     <example>Basic realm=""</example>
     <example>Basic realm="/"</example>
     <example>Basic realm='/'</example>
     <example>Basic realm="index.html"</example>
+    <param pos="0" name="hw.certainty" value="0.0"/>
+    <param pos="0" name="os.certainty" value="0.0"/>
+    <param pos="0" name="service.certainty" value="0.0"/>
   </fingerprint>
   <fingerprint pattern="^(?:Basic|Digest) .*realm=&quot;(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)&quot;">
-    <description>Ignore realms with an IPv4 address</description>
+    <description>Ignore realms with an IPv4 address -- assert nothing</description>
     <example>Basic realm="192.168.0.1"</example>
     <example>Digest qop="auth", realm="172.16.0.1", nonce="AAAAAAAAAAAAAP//DwHpM0IvM78=", algorithm="MD5"</example>
+    <param pos="0" name="hw.certainty" value="0.0"/>
+    <param pos="0" name="os.certainty" value="0.0"/>
+    <param pos="0" name="service.certainty" value="0.0"/>
   </fingerprint>
   <fingerprint pattern="^(?:Basic|Digest) .*realm=&quot;config&quot;">
-    <description>Ignore generic 'config' realms</description>
+    <description>Ignore generic 'config' realms -- assert nothing</description>
     <example>Digest realm="config", nonce="1155041914", algorithm="MD5", qop="auth"</example>
+    <param pos="0" name="hw.certainty" value="0.0"/>
+    <param pos="0" name="os.certainty" value="0.0"/>
+    <param pos="0" name="service.certainty" value="0.0"/>
   </fingerprint>
   <!--

data/xml/imap_banners.xml CHANGED Viewed

@@ -168,8 +168,8 @@
   <fingerprint pattern="^(\S{1,512}) CallPilot IMAP4rev1 v(\S+) server ready\.?$">
     <description>Nortel CallPilot</description>
-    <example>nottest.localdomain CallPilot IMAP4rev1 v42.02.05.22 server ready.</example>
-    <example>test.localdomain CallPilot IMAP4rev1 v43.03.19.22 server ready.</example>
+    <example service.version="42.02.05.22" host.name="nottest.localdomain">nottest.localdomain CallPilot IMAP4rev1 v42.02.05.22 server ready.</example>
+    <example service.version="43.03.19.22" host.name="test.localdomain">test.localdomain CallPilot IMAP4rev1 v43.03.19.22 server ready.</example>
     <param pos="0" name="service.vendor" value="Nortel"/>
     <param pos="0" name="service.product" value="CallPilot"/>
     <param pos="2" name="service.version"/>

data/xml/nntp_banners.xml CHANGED Viewed

@@ -24,8 +24,8 @@
   <fingerprint pattern="^NNTP Service (?:.*) Version: (5.0.2195.[0-9]+)">
     <description>Microsoft IIS NNTP Server on Windows 2000</description>
-    <example>NNTP Service 5.00.0984 Version: 5.0.2195.7034 Posting Allowed</example>
-    <example>NNTP Service 5.00.0984 Version: 5.0.2195.5329 Posting Allowed</example>
+    <example service.version="5.0.2195.7034" ms.nttp.version="5.0.2195.7034">NNTP Service 5.00.0984 Version: 5.0.2195.7034 Posting Allowed</example>
+    <example service.version="5.0.2195.5329" ms.nttp.version="5.0.2195.5329">NNTP Service 5.00.0984 Version: 5.0.2195.5329 Posting Allowed</example>
     <param pos="0" name="service.vendor" value="Microsoft"/>
     <param pos="0" name="service.product" value="IIS"/>
     <param pos="0" name="service.family" value="IIS"/>
@@ -40,8 +40,8 @@
   <fingerprint pattern="^NNTP Service (?:.*) Version: (6.0.3790.[0-9]+)">
     <description>Microsoft IIS NNTP Server on Windows Server 2003</description>
-    <example>NNTP Service 6.0.3790.3959 Version: 6.0.3790.3959 Posting Allowed</example>
-    <example>NNTP Service 6.0.3790.206 Version: 6.0.3790.206 Posting Allowed</example>
+    <example service.version="6.0.3790.3959" ms.nttp.version="6.0.3790.3959">NNTP Service 6.0.3790.3959 Version: 6.0.3790.3959 Posting Allowed</example>
+    <example service.version="6.0.3790.206" ms.nttp.version="6.0.3790.206">NNTP Service 6.0.3790.206 Version: 6.0.3790.206 Posting Allowed</example>
     <param pos="0" name="service.vendor" value="Microsoft"/>
     <param pos="0" name="service.product" value="IIS"/>
     <param pos="0" name="service.family" value="IIS"/>
@@ -82,9 +82,12 @@
   </fingerprint>
   <fingerprint pattern="^NNTP server ready(?: \(no posting\))?$">
-    <description>Non-specific NNTP</description>
+    <description>Non-specific NNTP -- assert nothing</description>
     <example>NNTP server ready (no posting)</example>
     <example>NNTP server ready</example>
+    <param pos="0" name="hw.certainty" value="0.0"/>
+    <param pos="0" name="os.certainty" value="0.0"/>
+    <param pos="0" name="service.certainty" value="0.0"/>
   </fingerprint>
 </fingerprints>

data/xml/ntp_banners.xml CHANGED Viewed

@@ -92,7 +92,7 @@
   <fingerprint pattern="version=&quot;ntpd (\S+)[^&quot;]+&quot;,.*system=&quot;Equallogic \(R\) storage array&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on an EqualLogic Storage Array that includes the NTP version</description>
-    <example>
+    <example service.version="4.2.0-r">
       version="ntpd 4.2.0-r Fri Feb  5 15:18:30 EST 2010 (1)",
       processor="Working", system="EqualLogic (R) storage array", leap=0,
       stratum=3, precision=-7, rootdelay=102.894, rootdispersion=245.154,
@@ -140,7 +140,7 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*processor=&quot;([^ ]+)&quot;,.*system=&quot;Linux/?([^ ]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on Linux</description>
-    <example>
+    <example service.version="4.2.4p3@1.1502-o" os.arch="i686" os.version="2.4.29">
       version="ntpd 4.2.4p3@1.1502-o Wed Jul 18 11:45:01 UTC 2007 (1)",
       processor="i686", system="Linux/2.4.29", leap=00, stratum=3,
     </example>
@@ -157,7 +157,7 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*processor=&quot;([^&quot;]+)&quot;,.*system=&quot;Darwin/?6\.([^&quot;]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on Mac OSX 10.2/Jaguar</description>
-    <example service.version="4.1.1@1.786" os.version.version="8">
+    <example service.version="4.1.1@1.786" os.version.version="8" os.arch="Power Macintosh">
       version="ntpd 4.1.1@1.786 Tue Nov 12 09:30:41 PST 2002 (1)", processor="Power Macintosh", system="Darwin6.8",
     </example>
     <param pos="0" name="service.family" value="NTP"/>
@@ -190,7 +190,7 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*processor=&quot;([^&quot;]+)&quot;,.*system=&quot;Darwin/?8\.([^&quot;]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on Mac OSX 10.4/Tiger</description>
-    <example>
+    <example service.version="4.2.0@1.1161-r" os.arch="i386" os.version.version="11.1">
       version="ntpd 4.2.0@1.1161-r Fri Jan 13 11:36:23 PST 2006 (1)",
       processor="i386", system="Darwin/8.11.1", leap=11, stratum=16,
     </example>
@@ -209,7 +209,7 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*processor=&quot;([^&quot;]+)&quot;,.*system=&quot;Darwin/?9\.([^&quot;]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on Mac OSX 10.5/Leopard</description>
-    <example>
+    <example service.version="4.2.2@1.1532-o" os.arch="Power Macintosh" os.version.version="0.0">
       version="ntpd 4.2.2@1.1532-o Mon Sep 24 01:42:27 UTC 2007 (1)",
       processor="Power Macintosh", system="Darwin/9.0.0", leap=3, stratum=16,
     </example>
@@ -228,7 +228,7 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*processor=&quot;([^&quot;]+)&quot;,.*system=&quot;Darwin/?10\.([^&quot;]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on Mac OSX 10.6/Snow Leopard</description>
-    <example>
+    <example service.version="4.2.4p4@1.1520-o" os.arch="i386" os.version.version="8.0">
       version="ntpd 4.2.4p4@1.1520-o Mon May 18 19:38:25 UTC 2009 (1)",
       processor="i386", system="Darwin/10.8.0", leap=0, stratum=3,
     </example>
@@ -267,7 +267,7 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*processor=&quot;([^&quot;]+)&quot;,.*system=&quot;Darwin/?11\.([^&quot;]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on Mac OSX 10.7/Lion</description>
-    <example>
+    <example service.version="4.2.6@1.2089-o" os.arch="x86_64" os.version.version="2.0">
       version="ntpd 4.2.6@1.2089-o Fri May 28 01:20:53 UTC 2010 (1)",
       processor="x86_64", system="Darwin/11.2.0", leap=11, stratum=16,
     </example>
@@ -367,7 +367,7 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*processor=&quot;([^ ]+)&quot;,.*system=&quot;FreeBSD/?([^ ]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on FreeBSD</description>
-    <example>
+    <example service.version="4.2.6p2@1.2194" os.arch="i386" os.version="7.4-PRERELEASE">
       version="ntpd 4.2.6p2@1.2194 Wed Nov 24 15:54:11 UTC 2010 (1)",
       processor="i386", system="FreeBSD/7.4-PRERELEASE", leap=00, stratum=3,
     </example>
@@ -400,7 +400,7 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*processor=&quot;([^ ]+)&quot;,.*system=&quot;NetBSD/?([^ ]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on NetBSD</description>
-    <example>
+    <example service.version="4.2.4p6-o" os.arch="sparc64" os.version="5.0_STABLE">
       version="ntpd 4.2.4p6-o Thu Jan  8 21:02:40 MET 2009 (import)",
       processor="sparc64", system="NetBSD/5.0_STABLE", leap=00, stratum=1,
     </example>
@@ -420,34 +420,34 @@
     <example os.arch="i386" os.version="1.5.3">
       processor="i386", system="NetBSD1.5.3"
     </example>
-    <example>
+    <example os.arch="i386" os.version="1.6">
       processor="i386", system="NetBSD1.6"
     </example>
-    <example>
+    <example os.arch="i386" os.version="1.6.1">
       processor="i386", system="NetBSD1.6.1"
     </example>
-    <example>
+    <example os.arch="i386" os.version="1.6.2_STABLE">
       processor="i386", system="NetBSD1.6.2_STABLE"
     </example>
-    <example>
+    <example os.arch="sbmips" os.version="3.0">
       processor="sbmips", system="NetBSD3.0"
     </example>
-    <example>
+    <example os.arch="se100" os.version="1.5.3">
       processor="se100", system="NetBSD1.5.3"
     </example>
-    <example>
+    <example os.arch="seil3" os.version="1.6.1_STABLE">
       processor="seil3", system="NetBSD1.6.1_STABLE"
     </example>
-    <example>
+    <example os.arch="seil3" os.version="1.6.2_STABLE">
       processor="seil3", system="NetBSD1.6.2_STABLE"
     </example>
-    <example>
+    <example os.arch="seil4" os.version="1.6.1_STABLE">
       processor="seil4", system="NetBSD1.6.1_STABLE"
     </example>
-    <example>
+    <example os.arch="seil4" os.version="1.6.2_STABLE">
       processor="seil4", system="NetBSD1.6.2_STABLE"
     </example>
-    <example>
+    <example os.arch="siara2k" os.version="1.5.3">
       processor="siara2k", system="NetBSD1.5.3"
     </example>
     <param pos="0" name="os.vendor" value="NetBSD"/>
@@ -818,7 +818,7 @@
   <fingerprint pattern="system=&quot;UNIX/SunOS ([^ ]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>SunOS with no ntp version</description>
-    <example>
+    <example os.version="4.x">
       system="UNIX/SunOS 4.x",
     </example>
     <param pos="0" name="os.vendor" value="Sun"/>
@@ -830,7 +830,7 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*processor=&quot;([^ ]+)&quot;,.*system=&quot;JUNOS/?([^ ]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on Juniper/Netscreen JunOS</description>
-    <example>
+    <example service.version="4.2.0-a" os.arch="i386" os.version="9.3R4.4">
       version="ntpd 4.2.0-a Wed Aug 12 04:22:47 UTC 2009 (1)",
       processor="i386", system="JUNOS9.3R4.4", leap=11, stratum=16,
     </example>
@@ -860,11 +860,11 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*processor=&quot;([^ ]+)&quot;,.*system=&quot;Windows/?([^ ]+)?&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on Windows</description>
-    <example>
+    <example service.version="4.2.4p7@copenhagen-o" os.arch="x86">
       version="ntpd 4.2.4p7@copenhagen-o May 22 11:25:36 (UTC+02:00) 2009  (3)",
       processor="x86", system="Windows", leap=00, stratum=2, precision=-19,
     </example>
-    <example>
+    <example service.version="4.2.4p4@1.1520-modena-o" os.arch="unknown" os.version="NT">
       version="ntpd 4.2.4p4@1.1520-modena-o Dec 05 9:35:28 (UTC+01:00) 2007  (11)",
       processor="unknown", system="WINDOWS/NT", leap=00, stratum=2,
     </example>
@@ -881,7 +881,7 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*processor=&quot;([^ ]+)&quot;,.*system=&quot;HP-UX/?([^ ]+)?&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on HP-UX</description>
-    <example>
+    <example service.version="4.2.2@1.1532-o" os.arch="9000/800" os.version="B.11.11">
       version="ntpd 4.2.2@1.1532-o Wed Sep  6 16:49:43 EDT 2006 (2)",
       processor="9000/800", system="HP-UX/B.11.11", leap=00, stratum=1,
     </example>
@@ -913,7 +913,7 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*processor=&quot;[^ ]+&quot;,.*system=&quot;([^ ]+)-hp-hpux([^ ]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on HP-UX, where the processor is in the 'system' variable</description>
-    <example>
+    <example service.version="4.2.5p154@1.1802" os.arch="ia64" os.version="11.31">
       version="ntpd 4.2.5p154@1.1802 Tue Mar 22 22:09:00 UTC 2011 (39)",
       processor="unknown", system="ia64-hp-hpux11.31", leap=00, stratum=1,
     </example>
@@ -935,7 +935,7 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*processor=&quot;([^ ]+)&quot;,.*system=&quot;VMkernel/?([^ ]+)?&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on VMware ESXi</description>
-    <example>
+    <example service.version="4.2.4p6@1.1495" os.arch="x86_64" os.version="4.1.0">
       version="ntpd 4.2.4p6@1.1495 Wed Sep 22 02:33:15 UTC 2010 (1)",
       processor="x86_64", system="VMkernel/4.1.0", leap=11, stratum=16,
     </example>
@@ -1031,7 +1031,7 @@
   <fingerprint pattern="system=&quot;Data ONTAP/+(\S+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>NetApp file servers</description>
-    <example>
+    <example os.version="8.1RC2">
       system="Data ONTAP/8.1RC2"
     </example>
     <param pos="0" name="os.vendor" value="NetApp"/>
@@ -1110,7 +1110,7 @@
   <fingerprint pattern="system=&quot;UNIX/Unixware([^ ]+)&quot;" flags="REG_ICASE">
     <description>SCO Unixware NTP</description>
-    <example>
+    <example os.product="2">
       system="UNIX/Unixware2", leap=3, stratum=16, rootdelay=0.00,
       rootdispersion=0.00, peer=0, refid=0.0.0.0, reftime=0x00000000.00000000,
       poll=4, clock=0xd1d874b7.051ec000, phase=0.000, freq=0.00, error=0.00
@@ -1134,7 +1134,7 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*\s*processor=&quot;([^ ]+)&quot;,.*system=&quot;SecureOS/([^ ]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>McAfee Network Firewall Enterprise NTP (SecureOS)</description>
-    <example>
+    <example service.version="4.2.0-r" os.arch="i386" os.version="7.0.1.00">
       version="ntpd 4.2.0-r Thu Aug 11 12:41:19 CDT 2005 (1)",
       processor="i386", system="SecureOS/7.0.1.00", leap=0, stratum=3,
       precision=-19, rootdelay=27.044, rootdispersion=87.845, peer=2357,
@@ -1142,7 +1142,7 @@
       clock=0xd2636c8e.d5e2d427, state=4, offset=0.519, frequency=-3.027,
       jitter=5.132, stability=0.394
     </example>
-    <example>
+    <example service.version="4.2.0-r" os.arch="i386" os.version="7.0.0.04">
       version="ntpd 4.2.0-r Thu Aug 11 12:41:19 CDT 2005 (1)",
       processor="i386", system="SecureOS/7.0.0.04", leap=0, stratum=2,
       precision=-19, rootdelay=56.480, rootdispersion=35.772, peer=8677,
@@ -1161,14 +1161,14 @@
   <fingerprint pattern="processor=&quot;([^ ]+)&quot;.*system=&quot;Linux([^ ]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on linux</description>
-    <example>
+    <example os.arch="i686" os.version="2.6.10">
       processor="i686", system="Linux2.6.10", leap=0, stratum=2,
       precision=-17, rootdelay=44.644, rootdispersion=29.933, peer=13317,
       refid=A.B.C.D, reftime=0xd2c29f69.407570c5, poll=10,
       clock=0xd2c2a335.360999dc, state=4, phase=1.037, frequency=55.898,
       jitter=0.203, stability=0.004
     </example>
-    <example>
+    <example os.arch="i686" os.version="2.6.23.waas">
       processor="i686", system="Linux2.6.23.waas", leap=0, stratum=2,
       precision=-18, rootdelay=37.550, rootdispersion=427.047, peer=40613,
       refid=172.20.62.191, reftime=0xd297a442.8b66c6de, poll=14,
@@ -1188,7 +1188,7 @@
   <fingerprint pattern="version=&quot;ntpd (\S+)[^&quot;]+&quot;,.*\s*processor=&quot;([^ ]+)&quot;.*system=&quot;Isilon OneFS/v([^ ]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>Isilon OneFS NTP Server</description>
-    <example>
+    <example service.version="4.2.4p4-o" os.arch="i386" os.version="5.5.4.21">
       version="ntpd 4.2.4p4-o Thu Feb  4 20:43:00 UTC 2010 (1)",
       processor="i386", system="Isilon OneFS/v5.5.4.21", leap=0, stratum=14,
       precision=-19, rootdelay=0.000, rootdispersion=11.260, peer=60044,