recog 2.3.8 → 2.3.9

Files changed (67) hide show
  1. checksums.yaml +4 -4
  2. data/.gitignore +6 -0
  3. data/CONTRIBUTING.md +136 -37
  4. data/README.md +18 -16
  5. data/bin/recog_cleanup +16 -0
  6. data/bin/recog_standardize +30 -6
  7. data/identifiers/README.md +9 -0
  8. data/identifiers/hw_device.txt +77 -0
  9. data/identifiers/hw_family.txt +96 -0
  10. data/identifiers/hw_product.txt +328 -0
  11. data/identifiers/os_architecture.txt +6 -6
  12. data/identifiers/os_device.txt +45 -3
  13. data/identifiers/os_family.txt +206 -41
  14. data/identifiers/os_product.txt +238 -17
  15. data/identifiers/service_family.txt +144 -57
  16. data/identifiers/service_product.txt +384 -83
  17. data/identifiers/vendor.txt +553 -68
  18. data/lib/recog/version.rb +1 -1
  19. data/requirements.txt +1 -1
  20. data/xml/apache_modules.xml +292 -5
  21. data/xml/apache_os.xml +41 -2
  22. data/xml/architecture.xml +11 -3
  23. data/xml/dns_versionbind.xml +76 -8
  24. data/xml/favicons.xml +1700 -0
  25. data/xml/ftp_banners.xml +178 -8
  26. data/xml/h323_callresp.xml +112 -12
  27. data/xml/hp_pjl_id.xml +47 -5
  28. data/xml/html_title.xml +1258 -25
  29. data/xml/http_cookies.xml +64 -9
  30. data/xml/http_servers.xml +667 -37
  31. data/xml/http_wwwauth.xml +141 -26
  32. data/xml/imap_banners.xml +19 -13
  33. data/xml/ldap_searchresult.xml +81 -9
  34. data/xml/mdns_device-info_txt.xml +175 -2
  35. data/xml/mdns_workstation_txt.xml +4 -2
  36. data/xml/mysql_banners.xml +134 -7
  37. data/xml/mysql_error.xml +113 -6
  38. data/xml/nntp_banners.xml +10 -2
  39. data/xml/ntp_banners.xml +80 -4
  40. data/xml/operating_system.xml +89 -3
  41. data/xml/pop_banners.xml +30 -31
  42. data/xml/rsh_resp.xml +11 -2
  43. data/xml/rtsp_servers.xml +22 -2
  44. data/xml/sip_banners.xml +35 -4
  45. data/xml/sip_user_agents.xml +29 -2
  46. data/xml/smb_native_lm.xml +10 -2
  47. data/xml/smb_native_os.xml +79 -2
  48. data/xml/smtp_banners.xml +146 -7
  49. data/xml/smtp_debug.xml +6 -4
  50. data/xml/smtp_ehlo.xml +7 -5
  51. data/xml/smtp_expn.xml +13 -4
  52. data/xml/smtp_help.xml +23 -4
  53. data/xml/smtp_mailfrom.xml +5 -2
  54. data/xml/smtp_noop.xml +6 -5
  55. data/xml/smtp_quit.xml +5 -4
  56. data/xml/smtp_rcptto.xml +5 -2
  57. data/xml/smtp_rset.xml +4 -4
  58. data/xml/smtp_turn.xml +4 -4
  59. data/xml/smtp_vrfy.xml +14 -4
  60. data/xml/snmp_sysdescr.xml +731 -24
  61. data/xml/snmp_sysobjid.xml +47 -2
  62. data/xml/ssh_banners.xml +175 -5
  63. data/xml/telnet_banners.xml +266 -15
  64. data/xml/x11_banners.xml +26 -3
  65. data/xml/x509_issuers.xml +30 -6
  66. data/xml/x509_subjects.xml +200 -31
  67. metadata +8 -2
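--- a/data/xml/smtp_debug.xml
+++ b/data/xml/smtp_debug.xml
@@ -1,14 +1,13 @@
-<?xml version="1.0" encoding="UTF-8"?>
+<?xml version='1.0' encoding='UTF-8'?>
 <fingerprints protocol="smtp" database_type="service" preference="0.14">
 <!--
 SMTP response lines to the DEBUG command are matched against these patterns
 (1 line at a time) to fingerprint SMTP servers.
-
 See comment at the top of smtp_banners.xml for additional info.
-
 'preference' note: This value has been set so as to implement the ordering
 of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
 -->
+
 <fingerprint pattern="^500 No way!$">
 <description>Exim</description>
 <example>500 No way!</example>
@@ -17,12 +16,14 @@
 <param pos="0" name="service.product" value="exim"/>
 <param pos="0" name="service.cpe23" value="cpe:/a:exim:exim:-"/>
 </fingerprint>
+
 <fingerprint pattern="^250[ -] *Debug set -NOT!$">
 <description>TIS FWTK and derivatives (other firewalls, like Gauntlet, are derived from TIS)</description>
 <param pos="0" name="service.vendor" value="TIS"/>
 <param pos="0" name="service.family" value="FWTK"/>
 <param pos="0" name="service.product" value="FWTK"/>
 </fingerprint>
+
 <fingerprint pattern="^500[ -]What\? I don't understand that\.$">
 <description>Alt-N MDaemon SMTP</description>
 <example>500 What? I don't understand that.</example>
@@ -36,4 +37,5 @@
 <param pos="0" name="os.arch" value="x86"/>
 <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
 </fingerprint>
-</fingerprints>
+
+</fingerprints>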
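--- a/data/xml/smtp_ehlo.xml
+++ b/data/xml/smtp_ehlo.xml
@@ -1,14 +1,13 @@
-<?xml version="1.0" encoding="UTF-8"?>
+<?xml version='1.0' encoding='UTF-8'?>
 <fingerprints protocol="smtp" database_type="service" preference="0.19">
 <!--
 SMTP response lines to the EHLO command are matched against these patterns
 (1 line at a time) to fingerprint SMTP servers.
-
 See comment at the top of smtp_banners.xml for additional info.
-
 'preference' note: This value has been set so as to implement the ordering
 of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
 -->
+
 <fingerprint pattern="^500[ -]Syntax error, command &quot;XXXX&quot; unrecognized$">
 <description>Cisco PIX - changes the command letters to 'X' before passing them to the real SMTP server</description>
 <param pos="0" name="os.vendor" value="Cisco"/>
@@ -16,12 +15,12 @@
 <param pos="0" name="os.product" value="PIX"/>
 <param pos="0" name="os.cpe23" value="cpe:/o:cisco:pix_firewall_software:-"/>
 </fingerprint>
+
 <!--
 Don't try to infer a fingerprint from XEXCH50, because if we do, it might overwrite
 a very precise MS IIS SMTP service or MS Exchange Server fingerprint found with the
 help of smtp_banners.xml. Instead, this case is handled specially by the Jess rule
 smtp-iis-xexch50-svc-fingerprint. -mrb
-
 <fingerprint pattern="^250[ -] *XEXCH50.*$">
 <description>
 Microsoft Exchange/IIS server
@@ -33,7 +32,9 @@
 <param pos="0" name="os.family" value="Windows"/>
 <param pos="0" name="os.product" value="Windows"/>
 </fingerprint>
+
 -->
+
 <fingerprint pattern="^221[ -]See ya in cyberspace$">
 <description>221 See ya in cyberspace</description>
 <param pos="0" name="service.vendor" value="Alt-N"/>
@@ -46,4 +47,5 @@
 <param pos="0" name="os.arch" value="x86"/>
 <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
 </fingerprint>
-</fingerprints>
+
+</fingerprints>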
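--- a/data/xml/smtp_expn.xml
+++ b/data/xml/smtp_expn.xml
@@ -1,14 +1,13 @@
-<?xml version="1.0" encoding="UTF-8"?>
+<?xml version='1.0' encoding='UTF-8'?>
 <fingerprints protocol="smtp" database_type="service" preference="0.16">
 <!--
 SMTP response lines to the EXPN command are matched against these patterns
 (1 line at a time) to fingerprint SMTP servers.
-
 See comment at the top of smtp_banners.xml for additional info.
-
 'preference' note: This value has been set so as to implement the ordering
 of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
 -->
+
 <fingerprint pattern="^500[ -]Syntax error, command &quot;XXXX.*&quot; unrecognized$">
 <description>Cisco PIX - changes the command letters to 'X' before passing them to the real SMTP server - expn variant</description>
 <param pos="0" name="os.vendor" value="Cisco"/>
@@ -16,6 +15,7 @@
 <param pos="0" name="os.product" value="PIX"/>
 <param pos="0" name="os.cpe23" value="cpe:/o:cisco:pix_firewall_software:-"/>
 </fingerprint>
+
 <fingerprint pattern="^550[ -]EXPN not available to \(.+\) \[.+\] *$">
 <description>Exim - expn variant 1</description>
 <example>550 EXPN not available to (foo.bar.com) [192.168.0.1]</example>
@@ -24,6 +24,7 @@
 <param pos="0" name="service.product" value="exim"/>
 <param pos="0" name="service.cpe23" value="cpe:/a:exim:exim:-"/>
 </fingerprint>
+
 <fingerprint pattern="^550[ -]EXPN not available to [^ ]+ \(.+\) \[.+\] *$">
 <description>Exim - expn variant 2</description>
 <example>550 EXPN not available to evil.com (foo.bar.com) [192.168.0.1]</example>
@@ -32,19 +33,23 @@
 <param pos="0" name="service.product" value="exim"/>
 <param pos="0" name="service.cpe23" value="cpe:/a:exim:exim:-"/>
 </fingerprint>
+
 <fingerprint pattern="^500[ -]Don't you wish! *$">
 <description>GNAT box SMTP</description>
 <param pos="0" name="service.vendor" value="Global Technology Associates"/>
 <param pos="0" name="service.family" value="GNAT Box"/>
 <param pos="0" name="service.product" value="GNAT Box"/>
 </fingerprint>
+
 <!-- VM SMTP server doesn't like brackets in EXPN commands... -->
+
 <fingerprint pattern="^501[ -]Syntax Error\. Only ListId or Userid allowed as argument to this command *$">
 <description>IBM VM SMTP</description>
 <param pos="0" name="service.vendor" value="IBM"/>
 <param pos="0" name="service.family" value="VM"/>
 <param pos="0" name="service.product" value="VM"/>
 </fingerprint>
+
 <fingerprint pattern="^550[ -]lists are confidential *$">
 <description>Ipswitch IMail Server - expn variant</description>
 <example>550 lists are confidential</example>
@@ -53,6 +58,7 @@
 <param pos="0" name="service.product" value="IMail Server"/>
 <param pos="0" name="service.cpe23" value="cpe:/a:ipswitch:imail_server:-"/>
 </fingerprint>
+
 <fingerprint pattern="^502[ -]command is not active$">
 <description>Alt-N MDaemon - expn variant</description>
 <example>502 command is not active</example>
@@ -66,12 +72,14 @@
 <param pos="0" name="os.arch" value="x86"/>
 <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
 </fingerprint>
+
 <fingerprint pattern="^252 Unable to EXPN &quot;.*&quot;, but will accept message and attempt delivery *$">
 <description>Lotus Domino</description>
 <param pos="0" name="service.vendor" value="Lotus"/>
 <param pos="0" name="service.family" value="Lotus Domino"/>
 <param pos="0" name="service.product" value="Lotus Domino"/>
 </fingerprint>
+
 <fingerprint pattern="^550[ -]Unable to find list '.*'\.$">
 <description>Seattle Labs SLMail</description>
 <example>550 Unable to find list 'list'.</example>
@@ -79,4 +87,5 @@
 <param pos="0" name="service.family" value="SLMail"/>
 <param pos="0" name="service.product" value="SLMail"/>
 </fingerprint>
-</fingerprints>
+
+</fingerprints>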
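--- a/data/xml/smtp_help.xml
+++ b/data/xml/smtp_help.xml
@@ -1,14 +1,13 @@
-<?xml version="1.0" encoding="UTF-8"?>
+<?xml version='1.0' encoding='UTF-8'?>
 <fingerprints protocol="smtp" database_type="service" preference="0.18">
 <!--
 SMTP response lines to the HELP command are matched against these patterns
 (1 line at a time) to fingerprint SMTP servers.
-
 See comment at the top of smtp_banners.xml for additional info.
-
 'preference' note: This value has been set so as to implement the ordering
 of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
 -->
+
 <fingerprint pattern="^214[ -]This is ArGoSoft Mail Server, Version [^ ]+ \(([^ ]+\.[^ ]+\.[^ ]+\.[^ ]+)\) *$">
 <description>ArgoSoft mail server HELP response with version</description>
 <example service.version="1.4.0.3">214-This is ArGoSoft Mail Server, Version 1.4 (1.4.0.3)</example>
@@ -17,6 +16,7 @@
 <param pos="0" name="service.product" value="Mail Server"/>
 <param pos="1" name="service.version"/>
 </fingerprint>
+
 <fingerprint pattern="^214[ -].*support@argosoft\.com *$">
 <description>ArgoSoft mail server HELP response</description>
 <example>214-To report bug, send mail to support@argosoft.com</example>
@@ -24,6 +24,7 @@
 <param pos="0" name="service.family" value="Mail Server"/>
 <param pos="0" name="service.product" value="Mail Server"/>
 </fingerprint>
+
 <fingerprint pattern="^500[ -]Syntax error, command &quot;XXXX&quot; unrecognized$">
 <description>Cisco PIX - changes the command letters to 'X' before passing them to the real SMTP server</description>
 <param pos="0" name="os.vendor" value="Cisco"/>
@@ -31,6 +32,7 @@
 <param pos="0" name="os.product" value="PIX"/>
 <param pos="0" name="os.cpe23" value="cpe:/o:cisco:pix_firewall_software:-"/>
 </fingerprint>
+
 <fingerprint pattern="^500[ -]5.5.1 unrecognised command HELP$">
 <description>Eudora IMS uses the British spelling "unrecognised"</description>
 <param pos="0" name="service.vendor" value="Eudora"/>
@@ -41,6 +43,7 @@
 <param pos="0" name="os.product" value="Mac OS"/>
 <param pos="0" name="os.cpe23" value="cpe:/o:apple:mac_os:-"/>
 </fingerprint>
+
 <fingerprint pattern="^214[ -]([^ ]+) is running the IBM VM operating system$">
 <description>IBM VM</description>
 <param pos="0" name="service.vendor" value="IBM"/>
@@ -48,10 +51,12 @@
 <param pos="0" name="service.product" value="VM"/>
 <param pos="1" name="host.name"/>
 </fingerprint>
+
 <!--
 Shouldn't we ignore XEXCH50 for the same reasons than described in the XEXCH50 regex
 in smtp_ehlo.xml ? -mrb
 -->
+
 <fingerprint pattern="^214[ -].* XEXCH50 *.*$">
 <description>Microsoft Exchange/IIS server</description>
 <param pos="0" name="service.vendor" value="Microsoft"/>
@@ -63,6 +68,7 @@
 <param pos="0" name="os.product" value="Windows"/>
 <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
 </fingerprint>
+
 <fingerprint pattern="^214[ -]Help system currently inactive\.$">
 <description>Alt-N MDaemon - 214 Help system currently inactive.</description>
 <param pos="0" name="service.vendor" value="Alt-N"/>
@@ -75,6 +81,7 @@
 <param pos="0" name="os.arch" value="x86"/>
 <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
 </fingerprint>
+
 <fingerprint pattern="^214[ -].*This is MERAK ([^ ]+\.[^ ]+\.[^ ]+).*$">
 <description> Merak mail server - http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x)</description>
 <param pos="0" name="service.vendor" value="Merak"/>
@@ -82,6 +89,7 @@
 <param pos="0" name="service.product" value="Mail Server"/>
 <param pos="1" name="service.version"/>
 </fingerprint>
+
 <fingerprint pattern="^214[ -].*This is Merak ([^ ]+\.[^ ]+\.[^ ]+).*$">
 <description>Merak mail server - http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x) - variant 1</description>
 <param pos="0" name="service.vendor" value="Merak"/>
@@ -89,18 +97,21 @@
 <param pos="0" name="service.product" value="Mail Server"/>
 <param pos="1" name="service.version"/>
 </fingerprint>
+
 <fingerprint pattern="^214[ -].*bugs@merakmail\.com.*$">
 <description>Merak mail server - http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x) - email variant</description>
 <param pos="0" name="service.vendor" value="Merak"/>
 <param pos="0" name="service.family" value="Mail Server"/>
 <param pos="0" name="service.product" value="Mail Server"/>
 </fingerprint>
+
 <fingerprint pattern="^214[ -].*bugs@icewarp\.com.*$">
 <description>Merak mail server - http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x) - icewarp variant </description>
 <param pos="0" name="service.vendor" value="Merak"/>
 <param pos="0" name="service.family" value="Mail Server"/>
 <param pos="0" name="service.product" value="Mail Server"/>
 </fingerprint>
+
 <fingerprint pattern="^214[ -]qmail home page: http://pobox.com/~djb/qmail.html *$">
 <description>QMail - help variant</description>
 <example>214 qmail home page: http://pobox.com/~djb/qmail.html</example>
@@ -108,6 +119,7 @@
 <param pos="0" name="service.family" value="qmail"/>
 <param pos="0" name="service.product" value="qmail"/>
 </fingerprint>
+
 <fingerprint pattern="^214[ -].*contact the Digital Customer Support Center at 1-800-354-9000.*$">
 <description>Sendmail on Digital OSF UNIX</description>
 <param pos="0" name="service.family" value="Sendmail"/>
@@ -117,18 +129,21 @@
 <param pos="0" name="os.family" value="Digital UNIX"/>
 <param pos="0" name="os.product" value="OSF/1"/>
 </fingerprint>
+
 <fingerprint pattern="^214[ -]2.0.0 This is [s|S]endmail version ([^ ]+)$">
 <description>Sendmail often returns version information for HELP, even when the greeting is obscured</description>
 <param pos="0" name="service.family" value="Sendmail"/>
 <param pos="0" name="service.product" value="Sendmail"/>
 <param pos="1" name="service.version"/>
 </fingerprint>
+
 <fingerprint pattern="^214[ -]This is [s|S]endmail version ([^ ]+)$">
 <description>Sendmail often returns version information for HELP - variant 1</description>
 <param pos="0" name="service.family" value="Sendmail"/>
 <param pos="0" name="service.product" value="Sendmail"/>
 <param pos="1" name="service.version"/>
 </fingerprint>
+
 <fingerprint pattern="^502[ -]5\.3\.0 Sendmail ([^ ]+) -- HELP not implemented$">
 <description>Sendmail - help not implemented variant</description>
 <example>502 5.3.0 Sendmail 8.11.2 -- HELP not implemented</example>
@@ -136,22 +151,26 @@
 <param pos="0" name="service.product" value="Sendmail"/>
 <param pos="1" name="service.version"/>
 </fingerprint>
+
 <fingerprint pattern="^214[ -].*sendmail-bugs@sendmail\.org.*$">
 <description>Sendmail often returns version information for HELP - email variant</description>
 <param pos="0" name="service.family" value="Sendmail"/>
 <param pos="0" name="service.product" value="Sendmail"/>
 <param pos="0" name="service.certainty" value="0.85"/>
 </fingerprint>
+
 <fingerprint pattern="^241[ -].*$">
 <description>ZMailer versions earlier than 2.99.21 mistakenly return the status code 241 on some HELP response lines (instead of 214).</description>
 <param pos="0" name="service.vendor" value="ZMailer"/>
 <param pos="0" name="service.family" value="ZMailer"/>
 <param pos="0" name="service.product" value="ZMailer"/>
 </fingerprint>
+
 <fingerprint pattern="^214[ -].*Yoyodyne Propulsion.*$">
 <description>ZMailer has distinctive default HELP text in smtpserver.conf</description>
 <param pos="0" name="service.vendor" value="ZMailer"/>
 <param pos="0" name="service.family" value="ZMailer"/>
 <param pos="0" name="service.product" value="ZMailer"/>
 </fingerprint>
-</fingerprints>
+
+</fingerprints>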
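--- a/data/xml/smtp_mailfrom.xml
+++ b/data/xml/smtp_mailfrom.xml
@@ -1,8 +1,9 @@
-<?xml version="1.0" encoding="UTF-8"?>
+<?xml version='1.0' encoding='UTF-8'?>
 <fingerprints protocol="smtp" database_type="service">
 <!--
 This file is currently unused.
 -->
+
 <fingerprint pattern="250 .* is syntactically correct *">
 <description>exim</description>
 <example>250 &lt;nosuchuser@rapid7.com&gt; is syntactically correct</example>
@@ -11,10 +12,12 @@
 <param pos="0" name="service.product" value="exim"/>
 <param pos="0" name="service.cpe23" value="cpe:/a:exim:exim:-"/>
 </fingerprint>
+
 <fingerprint pattern="501[ -]System error\. *">
 <description>GNAT Box SMTP</description>
 <param pos="0" name="service.vendor" value="Global Technology Associates"/>
 <param pos="0" name="service.family" value="GNAT Box"/>
 <param pos="0" name="service.product" value="GNAT Box"/>
 </fingerprint>
-</fingerprints>
+
+</fingerprints>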
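--- a/data/xml/smtp_noop.xml
+++ b/data/xml/smtp_noop.xml
@@ -1,15 +1,13 @@
-<?xml version="1.0" encoding="UTF-8"?>
+<?xml version='1.0' encoding='UTF-8'?>
 <fingerprints protocol="smtp" database_type="service" preference="0.17">
 <!--
 SMTP response lines to the NOOP command are matched against these patterns
 (1 line at a time) to fingerprint SMTP servers.
-
 See comment at the top of smtp_banners.xml for additional info.
-
 'preference' note: This value has been set so as to implement the ordering
 of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
-
 -->
+
 <fingerprint pattern="^220 OK.*$">
 <description>CheckPoint FireWall-1 returns code 220 for NOOP command (instead of 250)</description>
 <param pos="0" name="service.vendor" value="Check Point"/>
@@ -17,6 +15,7 @@
 <param pos="0" name="service.product" value="Firewall-1"/>
 <param pos="0" name="service.cpe23" value="cpe:/a:checkpoint:firewall-1:-"/>
 </fingerprint>
+
 <fingerprint pattern="^250[ -]2.0.0 doing nothing$">
 <description>Eudora IMS - noop variant</description>
 <example>250 2.0.0 doing nothing</example>
@@ -28,6 +27,7 @@
 <param pos="0" name="os.product" value="Mac OS"/>
 <param pos="0" name="os.cpe23" value="cpe:/o:apple:mac_os:-"/>
 </fingerprint>
+
 <fingerprint pattern="^250[ -]Why is there an NOOP instruction\?$">
 <description>Alt-N MDaemon - noop variant</description>
 <example>250 Why is there an NOOP instruction?</example>
@@ -41,4 +41,5 @@
 <param pos="0" name="os.arch" value="x86"/>
 <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
 </fingerprint>
-</fingerprints>
+
+</fingerprints>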
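--- a/data/xml/smtp_quit.xml
+++ b/data/xml/smtp_quit.xml
@@ -1,14 +1,13 @@
-<?xml version="1.0" encoding="UTF-8"?>
+<?xml version='1.0' encoding='UTF-8'?>
 <fingerprints protocol="smtp" database_type="service" preference="0.11">
 <!--
 SMTP response lines to the QUIT command are matched against these patterns
 (1 line at a time) to fingerprint SMTP servers.
-
 See comment at the top of smtp_banners.xml for additional info.
-
 'preference' note: This value has been set so as to implement the ordering
 of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
 -->
+
 <fingerprint pattern="^221[ -]See ya in cyberspace$">
 <description>221 See ya in cyberspace</description>
 <param pos="0" name="service.vendor" value="Alt-N"/>
@@ -21,9 +20,11 @@
 <param pos="0" name="os.arch" value="x86"/>
 <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
 </fingerprint>
+
 <fingerprint pattern="^503[ -]5\.5\.0 Not accepting any command except QUIT$">
 <description>Raptor Firewall</description>
 <example>503 5.5.0 Not accepting any command except QUIT</example>
 <param pos="0" name="service.product" value="raptor"/>
 </fingerprint>
-</fingerprints>
+
+</fingerprints>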
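--- a/data/xml/smtp_rcptto.xml
+++ b/data/xml/smtp_rcptto.xml
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="UTF-8"?>
+<?xml version='1.0' encoding='UTF-8'?>
 <fingerprints protocol="smtp" database_type="service">
 <!--
 <fingerprint pattern="501[ -]Invalid domain *">
@@ -14,7 +14,9 @@
 <param pos="0" name="service.family" value="GNAT Box"/>
 <param pos="0" name="service.product" value="GNAT Box"/>
 </fingerprint>
+
 -->
+
 <fingerprint pattern="550[ -]not local host .*, not a gateway *">
 <description>550 not local host foo.bar, not a gateway</description>
 <param pos="0" name="service.vendor" value="Ipswitch"/>
@@ -22,4 +24,5 @@
 <param pos="0" name="service.product" value="IMail Server"/>
 <param pos="0" name="service.cpe23" value="cpe:/a:ipswitch:imail_server:-"/>
 </fingerprint>
-</fingerprints>
+
+</fingerprints>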
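--- a/data/xml/smtp_rset.xml
+++ b/data/xml/smtp_rset.xml
@@ -1,14 +1,13 @@
-<?xml version="1.0" encoding="UTF-8"?>
+<?xml version='1.0' encoding='UTF-8'?>
 <fingerprints protocol="smtp" database_type="service" preference="0.12">
 <!--
 SMTP response lines to the RSET command are matched against these patterns
 (1 line at a time) to fingerprint SMTP servers.
-
 See comment at the top of smtp_banners.xml for additional info.
-
 'preference' note: This value has been set so as to implement the ordering
 of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
 -->
+
 <fingerprint pattern="^250[ -]RSET\? Well, OK\.$">
 <description>
 500 What? I don't understand that.
@@ -23,4 +22,5 @@
 <param pos="0" name="os.arch" value="x86"/>
 <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
 </fingerprint>
-</fingerprints>
+
+</fingerprints>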