RubyGems - recog - Versions diffs - 2.3.22 → 2.3.23 - Mend

recog 2.3.22 → 2.3.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (69) hide show

checksums.yaml +4 -4
data/.github/workflows/ci.yml +1 -1
data/.github/workflows/verify.yml +1 -1
data/.vscode/bin/monitor-recog-fingerprints.sh +54 -0
data/.vscode/extensions.json +5 -0
data/.vscode/settings.json +8 -0
data/.vscode/tasks.json +77 -0
data/CONTRIBUTING.md +2 -0
data/bin/recog_verify +42 -7
data/cpe-remap.yaml +20 -2
data/features/data/schema_failure.xml +4 -0
data/features/data/tests_with_failures.xml +6 -0
data/features/support/hooks.rb +9 -0
data/features/verify.feature +81 -17
data/identifiers/hw_device.txt +2 -0
data/identifiers/hw_product.txt +2 -0
data/identifiers/os_device.txt +2 -0
data/identifiers/os_family.txt +1 -0
data/identifiers/os_product.txt +8 -1
data/identifiers/service_product.txt +14 -0
data/identifiers/vendor.txt +13 -1
data/lib/recog/fingerprint.rb +21 -7
data/lib/recog/fingerprint_parse_error.rb +10 -0
data/lib/recog/verifier.rb +4 -4
data/lib/recog/verify_reporter.rb +7 -6
data/lib/recog/version.rb +1 -1
data/requirements.txt +1 -1
data/spec/data/external_example_fingerprint/hp_printer_ex_01.txt +1 -0
data/spec/data/external_example_fingerprint/hp_printer_ex_02.txt +1 -0
data/spec/data/external_example_fingerprint.xml +8 -0
data/spec/data/external_example_illegal_path_fingerprint.xml +7 -0
data/spec/lib/recog/db_spec.rb +84 -61
data/spec/lib/recog/fingerprint_spec.rb +4 -4
data/spec/lib/recog/verify_reporter_spec.rb +8 -8
data/update_cpes.py +129 -36
data/xml/apache_os.xml +61 -19
data/xml/architecture.xml +15 -1
data/xml/dhcp_vendor_class.xml +1 -1
data/xml/dns_versionbind.xml +16 -13
data/xml/favicons.xml +87 -5
data/xml/fingerprints.xsd +9 -1
data/xml/ftp_banners.xml +131 -141
data/xml/h323_callresp.xml +2 -2
data/xml/hp_pjl_id.xml +81 -81
data/xml/html_title.xml +178 -9
data/xml/http_cookies.xml +83 -27
data/xml/http_servers.xml +409 -269
data/xml/http_wwwauth.xml +70 -37
data/xml/imap_banners.xml +2 -2
data/xml/nntp_banners.xml +8 -5
data/xml/ntp_banners.xml +33 -33
data/xml/operating_system.xml +92 -77
data/xml/pop_banners.xml +17 -17
data/xml/sip_banners.xml +16 -5
data/xml/sip_user_agents.xml +122 -27
data/xml/smb_native_lm.xml +5 -5
data/xml/smb_native_os.xml +25 -25
data/xml/smtp_banners.xml +132 -131
data/xml/smtp_help.xml +1 -1
data/xml/snmp_sysdescr.xml +1227 -1227
data/xml/snmp_sysobjid.xml +2 -2
data/xml/ssh_banners.xml +9 -5
data/xml/telnet_banners.xml +49 -0
data/xml/tls_jarm.xml +22 -2
data/xml/x11_banners.xml +3 -3
data/xml/x509_issuers.xml +3 -2
data/xml/x509_subjects.xml +3 -3
metadata +19 -3
data/lib/recog/verifier_factory.rb +0 -13

data/xml/http_wwwauth.xml CHANGED Viewed

@@ -289,7 +289,7 @@
   <fingerprint pattern="^(?:Basic|Digest) realm=&quot;(?:SmartAX )?(MT\d+[^ ]*)(?: ADSL Router)?&quot;$">
     <description>Huawei xDSL routers</description>
-    <example hw.product="MT882">Basic realm="SmartAX MT882"</example>
+    <example hw.product="MT882" service.product="MT882" os.product="MT882">Basic realm="SmartAX MT882"</example>
     <param pos="0" name="service.vendor" value="Huawei"/>
     <param pos="0" name="service.family" value="MT"/>
     <param pos="1" name="service.product"/>
@@ -322,10 +322,10 @@
   <fingerprint pattern="^(?:Basic|Digest) realm=&quot;(WRT54G\w*)&quot;$">
     <description>Linksys WRT54G wireless access point (dozen of variants of the product)</description>
-    <example hw.product="WRT54G">Basic realm="WRT54G"</example>
-    <example hw.product="WRT54GL">Basic realm="WRT54GL"</example>
-    <example hw.product="WRT54GSV4">Basic realm="WRT54GSV4"</example>
-    <example hw.product="WRT54GCv3">Basic realm="WRT54GCv3"</example>
+    <example hw.product="WRT54G" os.product="WRT54G">Basic realm="WRT54G"</example>
+    <example hw.product="WRT54GL" os.product="WRT54GL">Basic realm="WRT54GL"</example>
+    <example hw.product="WRT54GSV4" os.product="WRT54GSV4">Basic realm="WRT54GSV4"</example>
+    <example hw.product="WRT54GCv3" os.product="WRT54GCv3">Basic realm="WRT54GCv3"</example>
     <param pos="0" name="os.vendor" value="Linksys"/>
     <param pos="0" name="os.device" value="WAP"/>
     <param pos="1" name="os.product"/>
@@ -336,9 +336,9 @@
   <fingerprint pattern="^(?:Basic|Digest) realm=&quot;(TD-[VW8][A-Z0-9]+)(?:| \d+\.\d+)&quot;$">
     <description>TP-LINK SoHo Router - dash variant</description>
-    <example os.product="TD-W8901G">Basic realm="TD-W8901G"</example>
-    <example>Basic realm="TD-8840T 2.0"</example>
-    <example hw.product="TD-8811">Basic realm="TD-8811"</example>
+    <example os.product="TD-W8901G" hw.product="TD-W8901G">Basic realm="TD-W8901G"</example>
+    <example os.product="TD-8840T" hw.product="TD-8840T">Basic realm="TD-8840T 2.0"</example>
+    <example hw.product="TD-8811" os.product="TD-8811">Basic realm="TD-8811"</example>
     <param pos="0" name="os.vendor" value="TP-LINK"/>
     <param pos="0" name="os.device" value="Router"/>
     <param pos="1" name="os.product"/>
@@ -349,10 +349,10 @@
   <fingerprint pattern="^(?:Basic|Digest) realm=&quot;(TD8[A-Z0-9]+)&quot;$">
     <description>TP-LINK SoHo Router</description>
-    <example os.product="TD854W">Basic realm="TD854W"</example>
-    <example hw.product="TD811">Basic realm="TD811"</example>
-    <example>Basic realm="TD821"</example>
-    <example>Basic realm="TD841"</example>
+    <example os.product="TD854W" hw.product="TD854W">Basic realm="TD854W"</example>
+    <example hw.product="TD811" os.product="TD811">Basic realm="TD811"</example>
+    <example os.product="TD821" hw.product="TD821">Basic realm="TD821"</example>
+    <example os.product="TD841" hw.product="TD841">Basic realm="TD841"</example>
     <param pos="0" name="os.vendor" value="TP-LINK"/>
     <param pos="0" name="os.device" value="Router"/>
     <param pos="1" name="os.product"/>
@@ -363,22 +363,22 @@
   <fingerprint pattern="^(?:Basic|Digest) realm=&quot;TP-LINK.*(?:Access Point|Extender|AP) ([A-Z0-9\-\+]+)&quot;">
     <description>TP-LINK SoHo Router - verbose variant</description>
-    <example os.product="WA801N">Basic realm="TP-LINK Wireless N Access Point WA801N"</example>
-    <example hw.product="WA830RE">Basic realm="TP-LINK Wireless Range Extender WA830RE"</example>
-    <example>Basic realm="TP-LINK Wireless Range Extender WA850RE"</example>
-    <example>Basic realm="TP-LINK Wireless AP WA501G"</example>
-    <example>Basic realm="TP-LINK Wireless N Access Point WA701ND"</example>
-    <example>Basic realm="TP-LINK Wireless N Access Point WA901ND"</example>
-    <example>Basic realm="TP-LINK Wireless AP WA601G"</example>
-    <example>Basic realm="TP-LINK Wireless AP WR710N"</example>
-    <example>Basic realm="TP-LINK Wireless AP WR700N"</example>
-    <example>Basic realm="TP-LINK Wireless Range Extender WA750RE"</example>
-    <example>Basic realm="TP-LINK Wireless AP WR702N"</example>
-    <example>Basic realm="TP-LINK Wireless AP WR800N"</example>
-    <example>Basic realm="TP-LINK Wireless Range Extender WA730RE"</example>
-    <example>Basic realm="TP-LINK Wireless N Access Point WA805N"</example>
-    <example>Basic realm="TP-LINK Wireless N Access Point WA701N"</example>
-    <example>Basic realm="TP-LINK Wireless AP WR706N"</example>
+    <example os.product="WA801N" hw.product="WA801N">Basic realm="TP-LINK Wireless N Access Point WA801N"</example>
+    <example hw.product="WA830RE" os.product="WA830RE">Basic realm="TP-LINK Wireless Range Extender WA830RE"</example>
+    <example os.product="WA850RE" hw.product="WA850RE">Basic realm="TP-LINK Wireless Range Extender WA850RE"</example>
+    <example os.product="WA501G" hw.product="WA501G">Basic realm="TP-LINK Wireless AP WA501G"</example>
+    <example os.product="WA701ND" hw.product="WA701ND">Basic realm="TP-LINK Wireless N Access Point WA701ND"</example>
+    <example os.product="WA901ND" hw.product="WA901ND">Basic realm="TP-LINK Wireless N Access Point WA901ND"</example>
+    <example os.product="WA601G" hw.product="WA601G">Basic realm="TP-LINK Wireless AP WA601G"</example>
+    <example os.product="WR710N" hw.product="WR710N">Basic realm="TP-LINK Wireless AP WR710N"</example>
+    <example os.product="WR700N" hw.product="WR700N">Basic realm="TP-LINK Wireless AP WR700N"</example>
+    <example os.product="WA750RE" hw.product="WA750RE">Basic realm="TP-LINK Wireless Range Extender WA750RE"</example>
+    <example os.product="WR702N" hw.product="WR702N">Basic realm="TP-LINK Wireless AP WR702N"</example>
+    <example os.product="WR800N" hw.product="WR800N">Basic realm="TP-LINK Wireless AP WR800N"</example>
+    <example os.product="WA730RE" hw.product="WA730RE">Basic realm="TP-LINK Wireless Range Extender WA730RE"</example>
+    <example os.product="WA805N" hw.product="WA805N">Basic realm="TP-LINK Wireless N Access Point WA805N"</example>
+    <example os.product="WA701N" hw.product="WA701N">Basic realm="TP-LINK Wireless N Access Point WA701N"</example>
+    <example os.product="WR706N" hw.product="WR706N">Basic realm="TP-LINK Wireless AP WR706N"</example>
     <param pos="0" name="os.vendor" value="TP-LINK"/>
     <param pos="0" name="os.device" value="WAP"/>
     <param pos="1" name="os.product"/>
@@ -389,9 +389,9 @@
   <fingerprint pattern="(?i)^(?:Basic|Digest).*realm=&quot;TP-LINK (.*Router.*)&quot;">
     <description>TP-LINK Routers</description>
-    <example>Basic realm="TP-LINK Wireless N Router WR841N"</example>
-    <example>Basic realm="TP-LINK Gigabit Broadband VPN Router R600VPN"</example>
-    <example>Basic realm="TP-LINK Wireless Lite N Router WR740N/WR741ND"</example>
+    <example hw.product="Wireless N Router WR841N">Basic realm="TP-LINK Wireless N Router WR841N"</example>
+    <example hw.product="Gigabit Broadband VPN Router R600VPN">Basic realm="TP-LINK Gigabit Broadband VPN Router R600VPN"</example>
+    <example hw.product="Wireless Lite N Router WR740N/WR741ND">Basic realm="TP-LINK Wireless Lite N Router WR740N/WR741ND"</example>
     <param pos="0" name="hw.vendor" value="TP-LINK"/>
     <param pos="0" name="hw.device" value="Router"/>
     <param pos="1" name="hw.product"/>
@@ -504,7 +504,7 @@
   <fingerprint pattern="(?i)^(?:Basic|Digest).*realm=&quot;ZXHN (\S+)&quot;">
     <description>ZTE ZXHN router</description>
-    <example>Basic realm="ZXHN H108L"</example>
+    <example hw.product="H108L">Basic realm="ZXHN H108L"</example>
     <param pos="0" name="hw.vendor" value="ZTE"/>
     <param pos="0" name="hw.device" value="Router"/>
     <param pos="0" name="hw.family" value="ZXHN"/>
@@ -662,17 +662,41 @@
     <param pos="0" name="hw.family" value="Eurotherm"/>
   </fingerprint>
+  <fingerprint pattern="(?i)^Basic realm=&quot;TomatoUSB&quot;">
+    <description>TomatoUSB Router Firmware</description>
+    <example>Basic realm="TomatoUSB"</example>
+    <param pos="0" name="os.vendor" value="TomatoUSB"/>
+    <param pos="0" name="os.family" value="Linux"/>
+    <param pos="0" name="os.product" value="TomatoUSB"/>
+    <param pos="0" name="os.device" value="Router"/>
+  </fingerprint>
+  <fingerprint pattern="(?i)^Basic realm=&quot;FreshTomato&quot;">
+    <description>FreshTomato Router Firmware</description>
+    <example>Basic realm="FreshTomato"</example>
+    <param pos="0" name="os.vendor" value="FreshTomato"/>
+    <param pos="0" name="os.family" value="Linux"/>
+    <param pos="0" name="os.product" value="FreshTomato"/>
+    <param pos="0" name="os.device" value="Router"/>
+  </fingerprint>
   <!-- a variety of headers we currently just ignore -->
   <fingerprint pattern="(?i)^NTLM$">
-    <description>Ignore NTLM-only</description>
+    <description>Ignore NTLM-only -- assert nothing</description>
     <example>NTLM</example>
     <example>Ntlm</example>
+    <param pos="0" name="hw.certainty" value="0.0"/>
+    <param pos="0" name="os.certainty" value="0.0"/>
+    <param pos="0" name="service.certainty" value="0.0"/>
   </fingerprint>
   <fingerprint pattern="^Negotiate$">
-    <description>Ignore Negotiate-only</description>
+    <description>Ignore Negotiate-only -- assert nothing</description>
     <example>Negotiate</example>
+    <param pos="0" name="hw.certainty" value="0.0"/>
+    <param pos="0" name="os.certainty" value="0.0"/>
+    <param pos="0" name="service.certainty" value="0.0"/>
   </fingerprint>
   <!--
@@ -681,24 +705,33 @@
   -->
   <fingerprint pattern="^(?:Basic|Digest) .*realm=['&quot;](?:\/|\.|null|\/?index.html?)?['&quot;]">
-    <description>Ignore null/empty/period/index.</description>
+    <description>Ignore null/empty/period/index -- assert nothing</description>
     <example>Basic realm="null"</example>
     <example>Basic realm="."</example>
     <example>Basic realm=""</example>
     <example>Basic realm="/"</example>
     <example>Basic realm='/'</example>
     <example>Basic realm="index.html"</example>
+    <param pos="0" name="hw.certainty" value="0.0"/>
+    <param pos="0" name="os.certainty" value="0.0"/>
+    <param pos="0" name="service.certainty" value="0.0"/>
   </fingerprint>
   <fingerprint pattern="^(?:Basic|Digest) .*realm=&quot;(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)&quot;">
-    <description>Ignore realms with an IPv4 address</description>
+    <description>Ignore realms with an IPv4 address -- assert nothing</description>
     <example>Basic realm="192.168.0.1"</example>
     <example>Digest qop="auth", realm="172.16.0.1", nonce="AAAAAAAAAAAAAP//DwHpM0IvM78=", algorithm="MD5"</example>
+    <param pos="0" name="hw.certainty" value="0.0"/>
+    <param pos="0" name="os.certainty" value="0.0"/>
+    <param pos="0" name="service.certainty" value="0.0"/>
   </fingerprint>
   <fingerprint pattern="^(?:Basic|Digest) .*realm=&quot;config&quot;">
-    <description>Ignore generic 'config' realms</description>
+    <description>Ignore generic 'config' realms -- assert nothing</description>
     <example>Digest realm="config", nonce="1155041914", algorithm="MD5", qop="auth"</example>
+    <param pos="0" name="hw.certainty" value="0.0"/>
+    <param pos="0" name="os.certainty" value="0.0"/>
+    <param pos="0" name="service.certainty" value="0.0"/>
   </fingerprint>
   <!--

data/xml/imap_banners.xml CHANGED Viewed

@@ -168,8 +168,8 @@
   <fingerprint pattern="^(\S{1,512}) CallPilot IMAP4rev1 v(\S+) server ready\.?$">
     <description>Nortel CallPilot</description>
-    <example>nottest.localdomain CallPilot IMAP4rev1 v42.02.05.22 server ready.</example>
-    <example>test.localdomain CallPilot IMAP4rev1 v43.03.19.22 server ready.</example>
+    <example service.version="42.02.05.22" host.name="nottest.localdomain">nottest.localdomain CallPilot IMAP4rev1 v42.02.05.22 server ready.</example>
+    <example service.version="43.03.19.22" host.name="test.localdomain">test.localdomain CallPilot IMAP4rev1 v43.03.19.22 server ready.</example>
     <param pos="0" name="service.vendor" value="Nortel"/>
     <param pos="0" name="service.product" value="CallPilot"/>
     <param pos="2" name="service.version"/>

data/xml/nntp_banners.xml CHANGED Viewed

@@ -24,8 +24,8 @@
   <fingerprint pattern="^NNTP Service (?:.*) Version: (5.0.2195.[0-9]+)">
     <description>Microsoft IIS NNTP Server on Windows 2000</description>
-    <example>NNTP Service 5.00.0984 Version: 5.0.2195.7034 Posting Allowed</example>
-    <example>NNTP Service 5.00.0984 Version: 5.0.2195.5329 Posting Allowed</example>
+    <example service.version="5.0.2195.7034" ms.nttp.version="5.0.2195.7034">NNTP Service 5.00.0984 Version: 5.0.2195.7034 Posting Allowed</example>
+    <example service.version="5.0.2195.5329" ms.nttp.version="5.0.2195.5329">NNTP Service 5.00.0984 Version: 5.0.2195.5329 Posting Allowed</example>
     <param pos="0" name="service.vendor" value="Microsoft"/>
     <param pos="0" name="service.product" value="IIS"/>
     <param pos="0" name="service.family" value="IIS"/>
@@ -40,8 +40,8 @@
   <fingerprint pattern="^NNTP Service (?:.*) Version: (6.0.3790.[0-9]+)">
     <description>Microsoft IIS NNTP Server on Windows Server 2003</description>
-    <example>NNTP Service 6.0.3790.3959 Version: 6.0.3790.3959 Posting Allowed</example>
-    <example>NNTP Service 6.0.3790.206 Version: 6.0.3790.206 Posting Allowed</example>
+    <example service.version="6.0.3790.3959" ms.nttp.version="6.0.3790.3959">NNTP Service 6.0.3790.3959 Version: 6.0.3790.3959 Posting Allowed</example>
+    <example service.version="6.0.3790.206" ms.nttp.version="6.0.3790.206">NNTP Service 6.0.3790.206 Version: 6.0.3790.206 Posting Allowed</example>
     <param pos="0" name="service.vendor" value="Microsoft"/>
     <param pos="0" name="service.product" value="IIS"/>
     <param pos="0" name="service.family" value="IIS"/>
@@ -82,9 +82,12 @@
   </fingerprint>
   <fingerprint pattern="^NNTP server ready(?: \(no posting\))?$">
-    <description>Non-specific NNTP</description>
+    <description>Non-specific NNTP -- assert nothing</description>
     <example>NNTP server ready (no posting)</example>
     <example>NNTP server ready</example>
+    <param pos="0" name="hw.certainty" value="0.0"/>
+    <param pos="0" name="os.certainty" value="0.0"/>
+    <param pos="0" name="service.certainty" value="0.0"/>
   </fingerprint>
 </fingerprints>

data/xml/ntp_banners.xml CHANGED Viewed

@@ -92,7 +92,7 @@
   <fingerprint pattern="version=&quot;ntpd (\S+)[^&quot;]+&quot;,.*system=&quot;Equallogic \(R\) storage array&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on an EqualLogic Storage Array that includes the NTP version</description>
-    <example>
+    <example service.version="4.2.0-r">
       version="ntpd 4.2.0-r Fri Feb  5 15:18:30 EST 2010 (1)",
       processor="Working", system="EqualLogic (R) storage array", leap=0,
       stratum=3, precision=-7, rootdelay=102.894, rootdispersion=245.154,
@@ -140,7 +140,7 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*processor=&quot;([^ ]+)&quot;,.*system=&quot;Linux/?([^ ]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on Linux</description>
-    <example>
+    <example service.version="4.2.4p3@1.1502-o" os.arch="i686" os.version="2.4.29">
       version="ntpd 4.2.4p3@1.1502-o Wed Jul 18 11:45:01 UTC 2007 (1)",
       processor="i686", system="Linux/2.4.29", leap=00, stratum=3,
     </example>
@@ -157,7 +157,7 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*processor=&quot;([^&quot;]+)&quot;,.*system=&quot;Darwin/?6\.([^&quot;]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on Mac OSX 10.2/Jaguar</description>
-    <example service.version="4.1.1@1.786" os.version.version="8">
+    <example service.version="4.1.1@1.786" os.version.version="8" os.arch="Power Macintosh">
       version="ntpd 4.1.1@1.786 Tue Nov 12 09:30:41 PST 2002 (1)", processor="Power Macintosh", system="Darwin6.8",
     </example>
     <param pos="0" name="service.family" value="NTP"/>
@@ -190,7 +190,7 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*processor=&quot;([^&quot;]+)&quot;,.*system=&quot;Darwin/?8\.([^&quot;]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on Mac OSX 10.4/Tiger</description>
-    <example>
+    <example service.version="4.2.0@1.1161-r" os.arch="i386" os.version.version="11.1">
       version="ntpd 4.2.0@1.1161-r Fri Jan 13 11:36:23 PST 2006 (1)",
       processor="i386", system="Darwin/8.11.1", leap=11, stratum=16,
     </example>
@@ -209,7 +209,7 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*processor=&quot;([^&quot;]+)&quot;,.*system=&quot;Darwin/?9\.([^&quot;]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on Mac OSX 10.5/Leopard</description>
-    <example>
+    <example service.version="4.2.2@1.1532-o" os.arch="Power Macintosh" os.version.version="0.0">
       version="ntpd 4.2.2@1.1532-o Mon Sep 24 01:42:27 UTC 2007 (1)",
       processor="Power Macintosh", system="Darwin/9.0.0", leap=3, stratum=16,
     </example>
@@ -228,7 +228,7 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*processor=&quot;([^&quot;]+)&quot;,.*system=&quot;Darwin/?10\.([^&quot;]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on Mac OSX 10.6/Snow Leopard</description>
-    <example>
+    <example service.version="4.2.4p4@1.1520-o" os.arch="i386" os.version.version="8.0">
       version="ntpd 4.2.4p4@1.1520-o Mon May 18 19:38:25 UTC 2009 (1)",
       processor="i386", system="Darwin/10.8.0", leap=0, stratum=3,
     </example>
@@ -267,7 +267,7 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*processor=&quot;([^&quot;]+)&quot;,.*system=&quot;Darwin/?11\.([^&quot;]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on Mac OSX 10.7/Lion</description>
-    <example>
+    <example service.version="4.2.6@1.2089-o" os.arch="x86_64" os.version.version="2.0">
       version="ntpd 4.2.6@1.2089-o Fri May 28 01:20:53 UTC 2010 (1)",
       processor="x86_64", system="Darwin/11.2.0", leap=11, stratum=16,
     </example>
@@ -367,7 +367,7 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*processor=&quot;([^ ]+)&quot;,.*system=&quot;FreeBSD/?([^ ]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on FreeBSD</description>
-    <example>
+    <example service.version="4.2.6p2@1.2194" os.arch="i386" os.version="7.4-PRERELEASE">
       version="ntpd 4.2.6p2@1.2194 Wed Nov 24 15:54:11 UTC 2010 (1)",
       processor="i386", system="FreeBSD/7.4-PRERELEASE", leap=00, stratum=3,
     </example>
@@ -400,7 +400,7 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*processor=&quot;([^ ]+)&quot;,.*system=&quot;NetBSD/?([^ ]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on NetBSD</description>
-    <example>
+    <example service.version="4.2.4p6-o" os.arch="sparc64" os.version="5.0_STABLE">
       version="ntpd 4.2.4p6-o Thu Jan  8 21:02:40 MET 2009 (import)",
       processor="sparc64", system="NetBSD/5.0_STABLE", leap=00, stratum=1,
     </example>
@@ -420,34 +420,34 @@
     <example os.arch="i386" os.version="1.5.3">
       processor="i386", system="NetBSD1.5.3"
     </example>
-    <example>
+    <example os.arch="i386" os.version="1.6">
       processor="i386", system="NetBSD1.6"
     </example>
-    <example>
+    <example os.arch="i386" os.version="1.6.1">
       processor="i386", system="NetBSD1.6.1"
     </example>
-    <example>
+    <example os.arch="i386" os.version="1.6.2_STABLE">
       processor="i386", system="NetBSD1.6.2_STABLE"
     </example>
-    <example>
+    <example os.arch="sbmips" os.version="3.0">
       processor="sbmips", system="NetBSD3.0"
     </example>
-    <example>
+    <example os.arch="se100" os.version="1.5.3">
       processor="se100", system="NetBSD1.5.3"
     </example>
-    <example>
+    <example os.arch="seil3" os.version="1.6.1_STABLE">
       processor="seil3", system="NetBSD1.6.1_STABLE"
     </example>
-    <example>
+    <example os.arch="seil3" os.version="1.6.2_STABLE">
       processor="seil3", system="NetBSD1.6.2_STABLE"
     </example>
-    <example>
+    <example os.arch="seil4" os.version="1.6.1_STABLE">
       processor="seil4", system="NetBSD1.6.1_STABLE"
     </example>
-    <example>
+    <example os.arch="seil4" os.version="1.6.2_STABLE">
       processor="seil4", system="NetBSD1.6.2_STABLE"
     </example>
-    <example>
+    <example os.arch="siara2k" os.version="1.5.3">
       processor="siara2k", system="NetBSD1.5.3"
     </example>
     <param pos="0" name="os.vendor" value="NetBSD"/>
@@ -818,7 +818,7 @@
   <fingerprint pattern="system=&quot;UNIX/SunOS ([^ ]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>SunOS with no ntp version</description>
-    <example>
+    <example os.version="4.x">
       system="UNIX/SunOS 4.x",
     </example>
     <param pos="0" name="os.vendor" value="Sun"/>
@@ -830,7 +830,7 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*processor=&quot;([^ ]+)&quot;,.*system=&quot;JUNOS/?([^ ]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on Juniper/Netscreen JunOS</description>
-    <example>
+    <example service.version="4.2.0-a" os.arch="i386" os.version="9.3R4.4">
       version="ntpd 4.2.0-a Wed Aug 12 04:22:47 UTC 2009 (1)",
       processor="i386", system="JUNOS9.3R4.4", leap=11, stratum=16,
     </example>
@@ -860,11 +860,11 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*processor=&quot;([^ ]+)&quot;,.*system=&quot;Windows/?([^ ]+)?&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on Windows</description>
-    <example>
+    <example service.version="4.2.4p7@copenhagen-o" os.arch="x86">
       version="ntpd 4.2.4p7@copenhagen-o May 22 11:25:36 (UTC+02:00) 2009  (3)",
       processor="x86", system="Windows", leap=00, stratum=2, precision=-19,
     </example>
-    <example>
+    <example service.version="4.2.4p4@1.1520-modena-o" os.arch="unknown" os.version="NT">
       version="ntpd 4.2.4p4@1.1520-modena-o Dec 05 9:35:28 (UTC+01:00) 2007  (11)",
       processor="unknown", system="WINDOWS/NT", leap=00, stratum=2,
     </example>
@@ -881,7 +881,7 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*processor=&quot;([^ ]+)&quot;,.*system=&quot;HP-UX/?([^ ]+)?&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on HP-UX</description>
-    <example>
+    <example service.version="4.2.2@1.1532-o" os.arch="9000/800" os.version="B.11.11">
       version="ntpd 4.2.2@1.1532-o Wed Sep  6 16:49:43 EDT 2006 (2)",
       processor="9000/800", system="HP-UX/B.11.11", leap=00, stratum=1,
     </example>
@@ -913,7 +913,7 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*processor=&quot;[^ ]+&quot;,.*system=&quot;([^ ]+)-hp-hpux([^ ]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on HP-UX, where the processor is in the 'system' variable</description>
-    <example>
+    <example service.version="4.2.5p154@1.1802" os.arch="ia64" os.version="11.31">
       version="ntpd 4.2.5p154@1.1802 Tue Mar 22 22:09:00 UTC 2011 (39)",
       processor="unknown", system="ia64-hp-hpux11.31", leap=00, stratum=1,
     </example>
@@ -935,7 +935,7 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*processor=&quot;([^ ]+)&quot;,.*system=&quot;VMkernel/?([^ ]+)?&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on VMware ESXi</description>
-    <example>
+    <example service.version="4.2.4p6@1.1495" os.arch="x86_64" os.version="4.1.0">
       version="ntpd 4.2.4p6@1.1495 Wed Sep 22 02:33:15 UTC 2010 (1)",
       processor="x86_64", system="VMkernel/4.1.0", leap=11, stratum=16,
     </example>
@@ -1031,7 +1031,7 @@
   <fingerprint pattern="system=&quot;Data ONTAP/+(\S+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>NetApp file servers</description>
-    <example>
+    <example os.version="8.1RC2">
       system="Data ONTAP/8.1RC2"
     </example>
     <param pos="0" name="os.vendor" value="NetApp"/>
@@ -1110,7 +1110,7 @@
   <fingerprint pattern="system=&quot;UNIX/Unixware([^ ]+)&quot;" flags="REG_ICASE">
     <description>SCO Unixware NTP</description>
-    <example>
+    <example os.product="2">
       system="UNIX/Unixware2", leap=3, stratum=16, rootdelay=0.00,
       rootdispersion=0.00, peer=0, refid=0.0.0.0, reftime=0x00000000.00000000,
       poll=4, clock=0xd1d874b7.051ec000, phase=0.000, freq=0.00, error=0.00
@@ -1134,7 +1134,7 @@
   <fingerprint pattern="version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,.*\s*processor=&quot;([^ ]+)&quot;,.*system=&quot;SecureOS/([^ ]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>McAfee Network Firewall Enterprise NTP (SecureOS)</description>
-    <example>
+    <example service.version="4.2.0-r" os.arch="i386" os.version="7.0.1.00">
       version="ntpd 4.2.0-r Thu Aug 11 12:41:19 CDT 2005 (1)",
       processor="i386", system="SecureOS/7.0.1.00", leap=0, stratum=3,
       precision=-19, rootdelay=27.044, rootdispersion=87.845, peer=2357,
@@ -1142,7 +1142,7 @@
       clock=0xd2636c8e.d5e2d427, state=4, offset=0.519, frequency=-3.027,
       jitter=5.132, stability=0.394
     </example>
-    <example>
+    <example service.version="4.2.0-r" os.arch="i386" os.version="7.0.0.04">
       version="ntpd 4.2.0-r Thu Aug 11 12:41:19 CDT 2005 (1)",
       processor="i386", system="SecureOS/7.0.0.04", leap=0, stratum=2,
       precision=-19, rootdelay=56.480, rootdispersion=35.772, peer=8677,
@@ -1161,14 +1161,14 @@
   <fingerprint pattern="processor=&quot;([^ ]+)&quot;.*system=&quot;Linux([^ ]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>ntpd running on linux</description>
-    <example>
+    <example os.arch="i686" os.version="2.6.10">
       processor="i686", system="Linux2.6.10", leap=0, stratum=2,
       precision=-17, rootdelay=44.644, rootdispersion=29.933, peer=13317,
       refid=A.B.C.D, reftime=0xd2c29f69.407570c5, poll=10,
       clock=0xd2c2a335.360999dc, state=4, phase=1.037, frequency=55.898,
       jitter=0.203, stability=0.004
     </example>
-    <example>
+    <example os.arch="i686" os.version="2.6.23.waas">
       processor="i686", system="Linux2.6.23.waas", leap=0, stratum=2,
       precision=-18, rootdelay=37.550, rootdispersion=427.047, peer=40613,
       refid=172.20.62.191, reftime=0xd297a442.8b66c6de, poll=14,
@@ -1188,7 +1188,7 @@
   <fingerprint pattern="version=&quot;ntpd (\S+)[^&quot;]+&quot;,.*\s*processor=&quot;([^ ]+)&quot;.*system=&quot;Isilon OneFS/v([^ ]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">
     <description>Isilon OneFS NTP Server</description>
-    <example>
+    <example service.version="4.2.4p4-o" os.arch="i386" os.version="5.5.4.21">
       version="ntpd 4.2.4p4-o Thu Feb  4 20:43:00 UTC 2010 (1)",
       processor="i386", system="Isilon OneFS/v5.5.4.21", leap=0, stratum=14,
       precision=-19, rootdelay=0.000, rootdispersion=11.260, peer=60044,