recog 2.3.22 → 3.0.2

data/{xml → recog/xml}/snmp_sysobjid.xml

@@ -89,8 +89,8 @@
 
   <fingerprint pattern="^Microsoft Windows CE Version ([\d.]+)">
     <description>Windows CE</description>
-    <example>Microsoft Windows CE Version 4.20 (Build 0)</example>
-    <example>Microsoft Windows CE Version 4.20 (Build 1088)</example>
+    <example os.version="4.20">Microsoft Windows CE Version 4.20 (Build 0)</example>
+    <example os.version="4.20">Microsoft Windows CE Version 4.20 (Build 1088)</example>
     <param pos="0" name="os.vendor" value="Microsoft"/>
     <param pos="0" name="os.family" value="Windows"/>
     <param pos="0" name="os.product" value="Windows CE"/>
@@ -472,4 +472,15 @@
     <param pos="0" name="service.cpe23" value="cpe:/a:net-snmp:net-snmp:-"/>
   </fingerprint>
 
+  <fingerprint pattern="^1\.3\.6\.1\.4\.1\.11\.2\.3\.7\.11\.181\.21\sAruba\s(JL\d+A)\s(\d+[A-Z]?)\S+\sSwitch.+ROM\s([A-Z]+(?:\.\d+)+)">
+    <description>HP Aruba Network Switch</description>
+    <example hw.model="JL256A" hw.product="2930F" os.version="WC.16.01.0010">1.3.6.1.4.1.11.2.3.7.11.181.21 Aruba JL256A 2930F-48G-PoE+-4SFP+ Switch, revision WC.16.11.0004, ROM WC.16.01.0010</example>
+    <param pos="0" name="os.vendor" value="Aruba Networks"/>
+    <param pos="3" name="os.version"/>
+    <param pos="0" name="hw.vendor" value="Aruba Networks"/>
+    <param pos="2" name="hw.product"/>
+    <param pos="1" name="hw.model"/>
+    <param pos="0" name="hw.device" value="Switch"/>
+  </fingerprint>
+
 </fingerprints>

data/{xml → recog/xml}/ssh_banners.xml

@@ -653,7 +653,7 @@
   <fingerprint pattern="^OpenSSH_(4\.2p1) (Debian-7ubuntu\d+(?:\.\d+)?)$">
     <description>OpenSSH running on Ubuntu 6.04</description>
     <example service.version="4.2p1" openssh.comment="Debian-7ubuntu3.1">OpenSSH_4.2p1 Debian-7ubuntu3.1</example>
-    <example>OpenSSH_4.2p1 Debian-7ubuntu3.2</example>
+    <example service.version="4.2p1" openssh.comment="Debian-7ubuntu3.2">OpenSSH_4.2p1 Debian-7ubuntu3.2</example>
     <param pos="1" name="service.version"/>
     <param pos="2" name="openssh.comment"/>
     <param pos="0" name="service.vendor" value="OpenBSD"/>
@@ -686,9 +686,9 @@
   <fingerprint pattern="^OpenSSH_(4\.6p1) (Debian-5ubuntu\d+(?:\.\d+)?)$">
     <description>OpenSSH running on Ubuntu 7.10</description>
     <example service.version="4.6p1" openssh.comment="Debian-5ubuntu0.2">OpenSSH_4.6p1 Debian-5ubuntu0.2</example>
-    <example>OpenSSH_4.6p1 Debian-5ubuntu0.5</example>
-    <example>OpenSSH_4.6p1 Debian-5ubuntu0.6</example>
-    <example>OpenSSH_4.6p1 Debian-5ubuntu0</example>
+    <example service.version="4.6p1" openssh.comment="Debian-5ubuntu0.5">OpenSSH_4.6p1 Debian-5ubuntu0.5</example>
+    <example service.version="4.6p1" openssh.comment="Debian-5ubuntu0.6">OpenSSH_4.6p1 Debian-5ubuntu0.6</example>
+    <example service.version="4.6p1" openssh.comment="Debian-5ubuntu0">OpenSSH_4.6p1 Debian-5ubuntu0</example>
     <param pos="1" name="service.version"/>
     <param pos="2" name="openssh.comment"/>
     <param pos="0" name="service.vendor" value="OpenBSD"/>
@@ -858,7 +858,7 @@
   <fingerprint pattern="^OpenSSH_(6\.0p1) (Debian-3ubuntu\d(?:\.\d)?)$">
     <description>OpenSSH running on Ubuntu 12.10</description>
     <example service.version="6.0p1" openssh.comment="Debian-3ubuntu1">OpenSSH_6.0p1 Debian-3ubuntu1</example>
-    <example>OpenSSH_6.0p1 Debian-3ubuntu1.2</example>
+    <example service.version="6.0p1" openssh.comment="Debian-3ubuntu1.2">OpenSSH_6.0p1 Debian-3ubuntu1.2</example>
     <param pos="1" name="service.version"/>
     <param pos="2" name="openssh.comment"/>
     <param pos="0" name="service.vendor" value="OpenBSD"/>
@@ -1732,6 +1732,7 @@
 
   <fingerprint pattern="^SSH Protocol Compatible Server SCS (.*)$">
     <description>Netscreen with version</description>
+    <example service.version="2.0">SSH Protocol Compatible Server SCS 2.0</example>
     <param pos="1" name="service.version"/>
     <param pos="0" name="service.vendor" value="Juniper"/>
     <param pos="0" name="service.family" value="NetScreen"/>
@@ -1859,6 +1860,7 @@
 
   <fingerprint pattern="^([\d.]{1,8}) sshlib: MOVEit DMZ SSH (.*)$">
     <description>MOVEit DMZ (which uses Bitvise sshlib)</description>
+    <example service.component.version="1.29" service.version="3.0.5.0">1.29 sshlib: MOVEit DMZ SSH 3.0.5.0</example>
     <param pos="1" name="service.component.version"/>
     <param pos="2" name="service.version"/>
     <param pos="0" name="service.component.vendor" value="Bitvise"/>
@@ -1886,6 +1888,7 @@
 
   <fingerprint pattern="^Pragma SecureShell\s*(.*)$">
     <description>Pragma SecureShell</description>
+    <example service.version="3.0">Pragma SecureShell 3.0</example>
     <param pos="1" name="service.version"/>
     <param pos="0" name="service.vendor" value="Pragma Systems"/>
     <param pos="0" name="service.family" value="FortressSSH Server"/>
@@ -2047,6 +2050,7 @@
 
   <fingerprint pattern="MultiNet">
     <description>Process Software MultiNet is a suite of network apps for OpenVMS</description>
+    <example>Process Software SSH 6.1.5.0 MultiNet</example>
     <param pos="0" name="service.vendor" value="Process Software"/>
     <param pos="0" name="service.family" value="MultiNet"/>
     <param pos="0" name="service.product" value="MultiNet"/>

data/{xml → recog/xml}/telnet_banners.xml

@@ -1095,7 +1095,7 @@
    </example>
     <param pos="0" name="os.vendor" value="Red Hat"/>
     <param pos="0" name="os.family" value="Linux"/>
-    <param pos="0" name="os.device" value="Linux"/>
+    <param pos="0" name="os.product" value="Linux"/>
     <param pos="1" name="os.version"/>
   </fingerprint>
 
@@ -2238,6 +2238,55 @@
     <param pos="3" name="hw.version"/>
   </fingerprint>
 
+  <fingerprint pattern="^(TAU-\d+[A-Z]*(?:\.IP)?) login:$$">
+    <description>Eltex TAU model VoIP gateway</description>
+    <example hw.product="TAU-8">TAU-8 login:</example>
+    <example hw.product="TAU-2M.IP">TAU-2M.IP login:</example>
+    <param pos="0" name="os.vendor" value="Eltex"/>
+    <param pos="0" name="os.product" value="{hw.product} Firmware"/>
+    <param pos="0" name="os.device" value="VoIP Gateway"/>
+    <param pos="0" name="hw.vendor" value="Eltex"/>
+    <param pos="1" name="hw.product"/>
+    <param pos="0" name="hw.device" value="VoIP Gateway"/>
+  </fingerprint>
+
+  <fingerprint pattern="(?m)^\**(?:\r|\n)*\**\s*Welcome to (SMG-?\d+[A-Z]?)\s*\**(?:\r|\n)*\**(?:\r|\n)+(\S+) login:\s*$">
+    <description>Eltex SMG model VoIP gateway - banner with model number</description>
+    <!--
+      ********************************************
+      *            Welcome to SMG1016M           *
+      ********************************************
+
+      foo.bar.baz login:
+    -->
+    <example hw.product="SMG1016M" host.name="foo.bar.baz" _encoding="base64">
+      DQ0KDQoNKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioNCg0qI
+      CAgICAgICAgICAgV2VsY29tZSB0byBTTUcxMDE2TSAgICAgICAgICAgKg0KDSoqKioqKioqKi
+      oqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqDQoNDQoNZm9vLmJhci5iYXogbG9
+      naW46IA==
+    </example>
+    <param pos="0" name="os.vendor" value="Eltex"/>
+    <param pos="0" name="os.product" value="{hw.product} Firmware"/>
+    <param pos="0" name="os.device" value="VoIP Gateway"/>
+    <param pos="0" name="hw.vendor" value="Eltex"/>
+    <param pos="1" name="hw.product"/>
+    <param pos="0" name="hw.device" value="VoIP Gateway"/>
+    <param pos="2" name="host.name"/>
+  </fingerprint>
+
+  <fingerprint pattern="^eltex-nv(\d+) login:$">
+    <description>Eltex - NV model IPTV set top box</description>
+    <example hw.model="101">eltex-nv101 login:</example>
+    <example hw.product="NV102">eltex-nv102 login:</example>
+    <param pos="0" name="os.vendor" value="Eltex"/>
+    <param pos="0" name="os.product" value="{hw.product} Firmware"/>
+    <param pos="0" name="os.device" value="IPTV"/>
+    <param pos="1" name="hw.model"/>
+    <param pos="0" name="hw.vendor" value="Eltex"/>
+    <param pos="0" name="hw.product" value="NV{hw.model}"/>
+    <param pos="0" name="hw.device" value="IPTV"/>
+  </fingerprint>
+
   <fingerprint pattern="&quot;BeerTemp&quot;:.*&quot;FridgeTemp&quot;:">
     <description>Fermentrack Beer Brewing Monitor</description>
     <example>T:{"BeerTemp":null,"BeerSet":null,"BeerAnn":null,"FridgeTemp":null,"FridgeSet":null,"FridgeAnn":null,"State":0}</example>
@@ -2245,4 +2294,37 @@
     <param pos="0" name="os.product" value="Fermentrack"/>
   </fingerprint>
 
+  <fingerprint pattern="(?m)^Welcome to the SIGMA Spectrum Diagnostic Terminal(?:\r|\n)*Wireless Battery Module \(802\.11[abgn\/]+\)(?:\r|\n)*MAC Address: ((?:[0-9a-f]{2}-?){6}) SW: \d+[\sD]*\d+\s*(?:\r|\n)*Sigma Spectrum SN: (\d+) SW: v([\d.]+)(?:\r|\n)*Radio up since: [\w\s:]+(?:\r|\n)*login:\s*$">
+    <description>Baxter SIGMA Spectrum Infusion System with Wireless Battery Module</description>
+    <!--
+      Welcome to the SIGMA Spectrum Diagnostic Terminal
+
+      Wireless Battery Module (802.11a/b/g/n)
+      MAC Address: 00-40-9d-12-34-56 SW: 20 D29
+      Sigma Spectrum SN: 1234567 SW: v8.00.01
+      Radio up since: Fri Mar  1 03:14:24 2019
+
+      login:
+    -->
+
+    <example host.mac="00-40-9d-12-34-56" hw.serial_number="1234567" os.version="8.00.01" _encoding="base64">
+      V2VsY29tZSB0byB0aGUgU0lHTUEgU3BlY3RydW0gRGlhZ25vc3RpYyBUZXJtaW5hbA0KDQpXa
+      XJlbGVzcyBCYXR0ZXJ5IE1vZHVsZSAoODAyLjExYS9iL2cvbikNCk1BQyBBZGRyZXNzOiAwMC
+      00MC05ZC0xMi0zNC01NiBTVzogMjAgRDI5DQpTaWdtYSBTcGVjdHJ1bSBTTjogMTIzNDU2NyB
+      TVzogdjguMDAuMDENClJhZGlvIHVwIHNpbmNlOiBGcmkgTWFyICAxIDAzOjE0OjI0IDIwMTkN
+      Cg0KbG9naW46IA==
+    </example>
+    <param pos="0" name="os.vendor" value="Baxter"/>
+    <param pos="0" name="os.product" value="SIGMA Spectrum Infusion System Firmware"/>
+    <param pos="0" name="os.device" value="Medical"/>
+    <param pos="3" name="os.version"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:baxter:sigma_spectrum_infusion_system_firmware:{os.version}"/>
+    <param pos="0" name="hw.vendor" value="Baxter"/>
+    <param pos="0" name="hw.product" value="SIGMA Spectrum Infusion System"/>
+    <param pos="0" name="hw.device" value="Medical"/>
+    <param pos="2" name="hw.serial_number"/>
+    <param pos="0" name="hw.cpe23" value="cpe:/h:baxter:sigma_spectrum_infusion_system:-"/>
+    <param pos="1" name="host.mac"/>
+  </fingerprint>
+
 </fingerprints>

data/{xml → recog/xml}/tls_jarm.xml

@@ -56,9 +56,13 @@
     <param pos="0" name="os.device" value="Router"/>
   </fingerprint>
 
-  <fingerprint pattern="^07d14d16d21d21d00042d43d000000aa99ce74e2c6d013c745aa52b5cc042d$">
+  <fingerprint pattern="^07d14d16d21d21d00042d43d000000aa99ce74e2c6d013c745aa52b5cc042d|07d14d16d21d21d07c42d43d000000f50d155305214cf247147c43c0f1a823|07b08b09b21b21b07b07b08b07b21b23aeefb38b723c523befb314af6e95ac|07c08c09c21c21c07c07c08c07c21c23aeefb38b723c523befb314af6e95ac|07d14d16d21d21d00007d14d07d21d0ae59125bcd90b8876b50928af8f6cd4$">
     <description>Metasploit listener</description>
+    <example>07b08b09b21b21b07b07b08b07b21b23aeefb38b723c523befb314af6e95ac</example>
+    <example>07c08c09c21c21c07c07c08c07c21c23aeefb38b723c523befb314af6e95ac</example>
+    <example>07d14d16d21d21d00007d14d07d21d0ae59125bcd90b8876b50928af8f6cd4</example>
     <example>07d14d16d21d21d00042d43d000000aa99ce74e2c6d013c745aa52b5cc042d</example>
+    <example>07d14d16d21d21d07c42d43d000000f50d155305214cf247147c43c0f1a823</example>
     <param pos="0" name="service.vendor" value="Rapid7"/>
     <param pos="0" name="service.product" value="Metasploit"/>
     <param pos="0" name="service.cpe23" value="cpe:/a:rapid7:metasploit:-"/>
@@ -67,9 +71,10 @@
   <!-- This fingerprint matches Java's TLS stack,
     see https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/ for details -->
 
-  <fingerprint pattern="^07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1$">
+  <fingerprint pattern="^07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1|07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba02e9311512c2$">
     <description>Cobalt Strike listener</description>
     <example>07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1</example>
+    <example>07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba02e9311512c2</example>
     <param pos="0" name="service.vendor" value="Strategic Cyber LLC"/>
     <param pos="0" name="service.product" value="Cobalt Strike Listener"/>
     <param pos="0" name="service.certainty" value="0.3"/>
@@ -159,4 +164,27 @@
     <param pos="0" name="service.product" value="Merlin"/>
   </fingerprint>
 
+  <fingerprint pattern="^21d14d00000000000021d14d21d21d16c46827964490e6024618c0a3d7d893$">
+    <description>Covenant .NET C2 framework</description>
+    <example>21d14d00000000000021d14d21d21d16c46827964490e6024618c0a3d7d893</example>
+    <param pos="0" name="service.product" value="Covenant"/>
+  </fingerprint>
+
+  <fingerprint pattern="^16d16d16d14d16d00016d16d16d16da6fda484e06f95db4f56339284c90672$">
+    <description>HP Printer</description>
+    <example>16d16d16d14d16d00016d16d16d16da6fda484e06f95db4f56339284c90672</example>
+    <param pos="0" name="hw.device" value="Printer"/>
+    <param pos="0" name="hw.vendor" value="HP"/>
+    <param pos="0" name="os.vendor" value="HP"/>
+    <param pos="0" name="os.device" value="Printer"/>
+  </fingerprint>
+
+  <fingerprint pattern="^27d27d27d00027d00041d41d00041dea7155aeeb5fe0855bcdf1e51aa692cd$">
+    <description>openHAB - open-source home automation</description>
+    <example>27d27d27d00027d00041d41d00041dea7155aeeb5fe0855bcdf1e51aa692cd</example>
+    <param pos="0" name="service.vendor" value="openHAB"/>
+    <param pos="0" name="service.product" value="openHAB"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:openhab:openhab:-"/>
+  </fingerprint>
+
 </fingerprints>

data/{xml → recog/xml}/x11_banners.xml

@@ -62,13 +62,13 @@
   <fingerprint pattern="^Fedora Project$">
     <description>Fedora Project</description>
     <example>Fedora Project</example>
-    <param pos="0" name="os.vendor" value="Red Hat"/>
+    <param pos="0" name="os.vendor" value="Fedora Project"/>
     <param pos="0" name="service.vendor" value="X.Org"/>
     <param pos="0" name="service.product" value="X.Org X11"/>
     <param pos="0" name="service.cpe23" value="cpe:/a:x.org:x11:-"/>
-    <param pos="0" name="os.product" value="Fedora Core Linux"/>
+    <param pos="0" name="os.product" value="Fedora Core"/>
     <param pos="0" name="os.family" value="Linux"/>
-    <param pos="0" name="os.cpe23" value="cpe:/o:redhat:fedora_core:-"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:fedoraproject:fedora_core:-"/>
   </fingerprint>
 
   <fingerprint pattern="^freedesktop\.org$">

data/{xml → recog/xml}/x509_issuers.xml

@@ -227,7 +227,7 @@
   <fingerprint pattern="^CN=Temporary CA [a-fA-F0-9]{8}\-[a-fA-F0-9]{4}\-[a-fA-F0-9]{4}\-[a-fA-F0-9]{4}\-[a-fA-F0-9]{12},OU=Temporary CA">
     <description>Cisco Video Communication Server</description>
     <example>CN=Temporary CA 218131fe-8af4-11e7-aa6e-9950d6bbaf74,OU=Temporary CA 218131fe-8af4-11e7-aa6e-9950d6bbaf74,O=Temporary CA 218131fe-8af4-11e7-aa6e-9950d6bbaf74</example>
-    <param pos="0" name="hw.device" value="Video Conference"/>
+    <param pos="0" name="hw.device" value="Video Conferencing"/>
     <param pos="0" name="hw.vendor" value="Cisco"/>
     <param pos="0" name="hw.product" value="TelePresence"/>
   </fingerprint>
@@ -363,7 +363,7 @@
     <description>Avaya Video Conferencing Device - CU360</description>
     <example hw.serial_number="11YT11111111">CN=Avaya cu360 11YT11111111</example>
     <param pos="0" name="hw.vendor" value="Avaya"/>
-    <param pos="0" name="hw.device" value="Video Conference"/>
+    <param pos="0" name="hw.device" value="Video Conferencing"/>
     <param pos="0" name="hw.product" value="CU360"/>
     <param pos="1" name="hw.serial_number"/>
   </fingerprint>
@@ -377,10 +377,11 @@
   </fingerprint>
 
   <fingerprint pattern="(?i)^CN=\S+,OU=FreshTomato Team,O=FreshTomato,L=Columbus,ST=Ohio,C=US(?:.*)$">
-    <description>FreshTomato Router Fireware</description>
+    <description>FreshTomato Router Firmware</description>
     <example>CN=192.168.1.1,OU=FreshTomato Team,O=FreshTomato,L=Columbus,ST=Ohio,C=US</example>
     <param pos="0" name="os.vendor" value="FreshTomato"/>
-    <param pos="0" name="os.product" value="Linux"/>
+    <param pos="0" name="os.family" value="Linux"/>
+    <param pos="0" name="os.product" value="FreshTomato"/>
     <param pos="0" name="os.device" value="Router"/>
   </fingerprint>
 
@@ -393,4 +394,23 @@
     <param pos="2" name="host.mac"/>
   </fingerprint>
 
+  <fingerprint pattern="^CN=Proxmox Virtual Environment,OU=[a-f0-9-]+,O=PVE Cluster Manager CA$">
+    <description>Proxmox open-source virtualization platform</description>
+    <example>CN=Proxmox Virtual Environment,OU=dd69676f-e203-490e-b040-79b75ed6a9d7,O=PVE Cluster Manager CA</example>
+    <param pos="0" name="service.vendor" value="Proxmox"/>
+    <param pos="0" name="service.product" value="Virtual Environment"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:proxmox:virtual_environment:-"/>
+    <param pos="0" name="os.vendor" value="Proxmox"/>
+    <param pos="0" name="os.family" value="Linux"/>
+    <param pos="0" name="os.product" value="Proxmox"/>
+  </fingerprint>
+
+  <fingerprint pattern="^CN=minikubeCA$">
+    <description>Kubernetes minikube</description>
+    <example>CN=minikubeCA</example>
+    <param pos="0" name="service.vendor" value="Kubernetes"/>
+    <param pos="0" name="service.product" value="minikube"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:kubernetes:minikube:-"/>
+  </fingerprint>
+
 </fingerprints>

data/{xml → recog/xml}/x509_subjects.xml

@@ -248,7 +248,7 @@
   <fingerprint pattern="^CN=OA\-([a-fA-F0-9]+),OU=Onboard Administrator,">
     <description>HP iLO (Onboard Administrator)</description>
     <example host.mac="001F296E21A3">CN=OA-001F296E21A3,OU=Onboard Administrator,O=Corp.,L=Location,ST=N/A,C=US</example>
-    <example>CN=OA-80C16E999999,OU=Onboard Administrator,O=Hewlett-Packard</example>
+    <example host.mac="80C16E999999">CN=OA-80C16E999999,OU=Onboard Administrator,O=Hewlett-Packard</example>
     <param pos="0" name="hw.device" value="Lights Out Management"/>
     <param pos="0" name="hw.vendor" value="HP"/>
     <param pos="0" name="hw.family" value="iLO"/>
@@ -353,8 +353,8 @@
 
   <fingerprint pattern="^CN=HP Jetdirect [a-zA-Z0-9]+,OU=([a-fA-F0-9]{12})\+OU=([a-zA-Z0-9]+),O=Hewlett-Packard Co\.$">
     <description>HP Jet Direct - with host MAC and product</description>
-    <example host.mac="2C413883186A" hw.product="J8028E">CN=HP Jetdirect 38831831,OU=2C413883186A+OU=J8028E,O=Hewlett-Packard Co.</example>
-    <example os.product="J8016E">CN=HP Jetdirect FBFA31E7,OU=8851FBE33ABB+OU=J8016E,O=Hewlett-Packard Co.</example>
+    <example host.mac="2C413883186A" hw.product="J8028E" os.product="J8028E">CN=HP Jetdirect 38831831,OU=2C413883186A+OU=J8028E,O=Hewlett-Packard Co.</example>
+    <example os.product="J8016E" host.mac="8851FBE33ABB" hw.product="J8016E">CN=HP Jetdirect FBFA31E7,OU=8851FBE33ABB+OU=J8016E,O=Hewlett-Packard Co.</example>
     <param pos="0" name="hw.device" value="Printer"/>
     <param pos="0" name="hw.vendor" value="HP"/>
     <param pos="0" name="hw.family" value="JetDirect"/>
@@ -1755,4 +1755,33 @@
     <param pos="0" name="os.product" value="Proxmox"/>
   </fingerprint>
 
+  <fingerprint pattern="^CN=(\S{1,512}),OU=Endpoint Health,O=Duo Security\\, Inc.,L=Ann Arbor,ST=Michigan,C=US(?:,\S+)?$">
+    <description>Duo Device Health</description>
+    <example host.name="127.0.0.1">CN=127.0.0.1,OU=Endpoint Health,O=Duo Security\, Inc.,L=Ann Arbor,ST=Michigan,C=US,1.2.840.113549.1.9.1=#0c1e656e64706f696e746865616c74684064756f73656375726974792e636f6d</example>
+    <param pos="0" name="service.vendor" value="Duo"/>
+    <param pos="0" name="service.product" value="Duo Device Health"/>
+    <param pos="1" name="host.name"/>
+  </fingerprint>
+
+  <fingerprint pattern="^CN=(\S{1,512}),OU=Mac Certifier,O=Duo Security\\, Inc.,L=Ann Arbor,ST=Michigan,C=US(?:,\S+)?$">
+    <description>Duo Certifier</description>
+    <example host.name="localhost">CN=localhost,OU=Mac Certifier,O=Duo Security\, Inc.,L=Ann Arbor,ST=Michigan,C=US,1.2.840.113549.1.9.1=#0c18656e64706f696e744064756f73656375726974792e636f6d</example>
+    <param pos="0" name="service.vendor" value="Duo"/>
+    <param pos="0" name="service.product" value="Duo Certifier"/>
+    <param pos="0" name="os.vendor" value="Apple"/>
+    <param pos="0" name="os.family" value="Mac OS"/>
+    <param pos="0" name="os.product" value="Mac OS"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:apple:macos:-"/>
+    <param pos="1" name="host.name"/>
+  </fingerprint>
+
+  <fingerprint pattern="^CN=(\S{1,512}),OU=Zimbra Collaboration Server$">
+    <description>Zimbra Collaboration Server</description>
+    <example host.name="foo.bar">CN=foo.bar,OU=Zimbra Collaboration Server</example>
+    <param pos="0" name="service.vendor" value="Zimbra"/>
+    <param pos="0" name="service.product" value="Collaboration Server"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:zimbra:collaboration_server:-"/>
+    <param pos="1" name="host.name"/>
+  </fingerprint>
+
 </fingerprints>

data/recog.gemspec

@@ -12,7 +12,7 @@ Gem::Specification.new do |s|
   s.email       = [
       'research@rapid7.com'
   ]
-  s.homepage    = "https://www.github.com/rapid7/recog"
+  s.homepage    = "https://www.github.com/rapid7/recog-ruby"
   s.summary     = %q{Network service fingerprint database, classes, and utilities}
   s.description = %q{
     Recog is a framework for identifying products, services, operating systems, and hardware by matching
@@ -20,9 +20,14 @@ Gem::Specification.new do |s|
     information from web server banners, snmp system description fields, and a whole lot more.
   }.gsub(/\s+/, ' ').strip
 
-  s.files         = `git ls-files`.split("\n")
-  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
-  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.bindir        = 'recog/bin'
+  s.files         = %w(Gemfile Rakefile COPYING LICENSE README.md recog.gemspec .yardopts) +
+                    Dir.glob('lib/**/*.rb') +
+                    Dir.glob('spec/**/*') +
+                    Dir.glob('recog/xml/*') +
+                    Dir.glob('recog/bin/recog_match')
+  s.test_files    = s.files.grep(%r{^(test|spec|features)/})
+  s.executables   = s.files.grep(%r{^recog/bin/}).map{ |f| File.basename(f) }
   s.require_paths = ['lib']
 
   # ---- Dependencies ----
@@ -36,7 +41,6 @@ Gem::Specification.new do |s|
     # markdown formatting for yard
     s.add_development_dependency 'redcarpet'
   end
-  s.add_development_dependency 'cucumber'
   s.add_development_dependency 'aruba'
   s.add_development_dependency 'simplecov'
 

data/spec/data/external_example_fingerprint/hp_printer_ex_01.txt

@@ -0,0 +1 @@
+HP LaserJet 4100 Series

data/spec/data/external_example_fingerprint/hp_printer_ex_02.txt

@@ -0,0 +1 @@
+HP LaserJet 2200

data/spec/data/external_example_fingerprint.xml

@@ -0,0 +1,8 @@
+<fingerprints>
+  <fingerprint pattern="laserjet (.*)(?: series)?" flags="REG_ICASE">
+    <description>HP JetDirect Printer</description>
+    <example _filename="hp_printer_ex_01.txt"/>
+    <example _filename="hp_printer_ex_02.txt"/>
+    <param pos="0" name="service.vendor" value="HP"/>
+  </fingerprint>
+</fingerprints>

data/spec/data/external_example_illegal_path_fingerprint.xml

@@ -0,0 +1,7 @@
+<fingerprints>
+  <fingerprint pattern="laserjet (.*)(?: series)?" flags="REG_ICASE">
+    <description>HP JetDirect Printer</description>
+    <example _filename="../bad_path.txt"/>
+    <param pos="0" name="service.vendor" value="HP"/>
+  </fingerprint>
+</fingerprints>

data/spec/lib/recog/db_spec.rb

@@ -1,97 +1,120 @@
 require 'recog/db'
 
 describe Recog::DB do
-  let(:xml_file) { File.expand_path File.join('spec', 'data', 'test_fingerprints.xml') }
-  subject { Recog::DB.new(xml_file) }
 
   describe "#fingerprints" do
-    subject(:fingerprints) { described_class.new(xml_file).fingerprints }
+    context "with inline example content" do
+      let(:xml_file) { File.expand_path File.join('spec', 'data', 'test_fingerprints.xml') }
+      subject { Recog::DB.new(xml_file) }
 
-    it { is_expected.to be_a(Enumerable) }
+      subject(:fingerprints) { described_class.new(xml_file).fingerprints }
 
-    context "with only a pattern" do
-      subject(:entry) { described_class.new(xml_file).fingerprints[0] }
+      it { is_expected.to be_a(Enumerable) }
 
-      it "has a blank name with no description" do
-        expect(entry.name).to be_empty
-      end
+      context "with only a pattern" do
+        subject(:entry) { described_class.new(xml_file).fingerprints[0] }
 
-      it "has a pattern" do
-        expect(entry.regex.source).to eq(".*\\(iSeries\\).*")
-      end
+        it "has a blank name with no description" do
+          expect(entry.name).to be_empty
+        end
 
-      it "has no params" do
-        expect(entry.params).to be_empty
-      end
+        it "has a pattern" do
+          expect(entry.regex.source).to eq(".*\\(iSeries\\).*")
+        end
+
+        it "has no params" do
+          expect(entry.params).to be_empty
+        end
 
-      it "has no tests" do
-        expect(entry.tests).to be_empty
+        it "has no tests" do
+          expect(entry.tests).to be_empty
+        end
       end
-    end
 
-    context "with params" do
-      subject(:entry) { described_class.new(xml_file).fingerprints[1] }
+      context "with params" do
+        subject(:entry) { described_class.new(xml_file).fingerprints[1] }
 
-      it "has a name" do
-        expect(entry.name).to eq('PalmOS')
-      end
+        it "has a name" do
+          expect(entry.name).to eq('PalmOS')
+        end
 
-      it "has a pattern" do
-        expect(entry.regex.source).to eq(".*\\(PalmOS\\).*")
-      end
+        it "has a pattern" do
+          expect(entry.regex.source).to eq(".*\\(PalmOS\\).*")
+        end
 
-      it "has params" do
-        expect(entry.params).to eq({"os.vendor"=>[1, "Palm"], "os.device"=>[2, "General"]})
-      end
+        it "has params" do
+          expect(entry.params).to eq({"os.vendor"=>[1, "Palm"], "os.device"=>[2, "General"]})
+        end
 
-      it "has no tests" do
-        expect(entry.tests).to be_empty
+        it "has no tests" do
+          expect(entry.tests).to be_empty
+        end
       end
-    end
 
-    context "with pattern flags" do
-      subject(:entry) { described_class.new(xml_file).fingerprints[2] }
+      context "with pattern flags" do
+        subject(:entry) { described_class.new(xml_file).fingerprints[2] }
 
-      it "has a name and only uses the first value" do
-        expect(entry.name).to eq('HP Designjet printer')
-      end
+        it "has a name and only uses the first value" do
+          expect(entry.name).to eq('HP Designjet printer')
+        end
 
-      it 'creates a Regexp with expected flags' do
-        expect(entry.regex).to be_a(Regexp)
-        expect(entry.regex.options).to eq(Recog::Fingerprint::RegexpFactory::DEFAULT_FLAGS | Regexp::IGNORECASE)
-      end
+        it 'creates a Regexp with expected flags' do
+          expect(entry.regex).to be_a(Regexp)
+          expect(entry.regex.options).to eq(Recog::Fingerprint::RegexpFactory::DEFAULT_FLAGS | Regexp::IGNORECASE)
+        end
 
-      it "has a pattern" do
-        expect(entry.regex).to be_a(Regexp)
-        expect(entry.regex.source).to eq("(designjet \\S+)")
-      end
+        it "has a pattern" do
+          expect(entry.regex).to be_a(Regexp)
+          expect(entry.regex.source).to eq("(designjet \\S+)")
+        end
+
+        it "has params" do
+          expect(entry.params).to eq({"service.vendor"=>[0, "HP"]})
+        end
 
-      it "has params" do
-        expect(entry.params).to eq({"service.vendor"=>[0, "HP"]})
+        it "has no tests" do
+          expect(entry.tests).to be_empty
+        end
       end
 
-      it "has no tests" do
-        expect(entry.tests).to be_empty
+      context "with test" do
+        subject(:entry) { described_class.new(xml_file).fingerprints[3] }
+
+        it "has a name" do
+          expect(entry.name).to eq('HP JetDirect Printer')
+        end
+
+        it "has a pattern" do
+          expect(entry.regex.source).to eq("laserjet (.*)(?: series)?")
+        end
+
+        it "has params" do
+          expect(entry.params).to eq({"service.vendor"=>[0, "HP"]})
+        end
+
+        it "has tests" do
+          expect(entry.tests.map(&:content)).to match_array(["HP LaserJet 4100 Series", "HP LaserJet 2200"])
+        end
       end
     end
 
-    context "with test" do
-      subject(:entry) { described_class.new(xml_file).fingerprints[3] }
+    context "with external example content" do
+      let(:xml_file) { File.expand_path File.join('spec', 'data', 'external_example_fingerprint.xml') }
+      subject { Recog::DB.new(xml_file) }
 
-      it "has a name" do
-        expect(entry.name).to eq('HP JetDirect Printer')
-      end
+      subject(:entry) { described_class.new(xml_file).fingerprints[0] }
 
-      it "has a pattern" do
-        expect(entry.regex.source).to eq("laserjet (.*)(?: series)?")
+      it "has tests" do
+        expect(entry.tests.map(&:content)).to match_array(["HP LaserJet 4100 Series", "HP LaserJet 2200"])
       end
+    end
 
-      it "has params" do
-        expect(entry.params).to eq({"service.vendor"=>[0, "HP"]})
-      end
+    context "with external example content illegal path" do
+      let(:xml_file) { File.expand_path File.join('spec', 'data', 'external_example_illegal_path_fingerprint.xml') }
+      subject { Recog::DB.new(xml_file) }
 
-      it "has no tests" do
-        expect(entry.tests.map(&:content)).to match_array(["HP LaserJet 4100 Series", "HP LaserJet 2200"])
+      it "raises an illegal file path error" do
+        expect { subject }.to raise_error(/an example specifies an illegal file path '.+'/)
       end
     end
   end