recog 2.3.8 → 2.3.9

Files changed (67) hide show
  1. checksums.yaml +4 -4
  2. data/.gitignore +6 -0
  3. data/CONTRIBUTING.md +136 -37
  4. data/README.md +18 -16
  5. data/bin/recog_cleanup +16 -0
  6. data/bin/recog_standardize +30 -6
  7. data/identifiers/README.md +9 -0
  8. data/identifiers/hw_device.txt +77 -0
  9. data/identifiers/hw_family.txt +96 -0
  10. data/identifiers/hw_product.txt +328 -0
  11. data/identifiers/os_architecture.txt +6 -6
  12. data/identifiers/os_device.txt +45 -3
  13. data/identifiers/os_family.txt +206 -41
  14. data/identifiers/os_product.txt +238 -17
  15. data/identifiers/service_family.txt +144 -57
  16. data/identifiers/service_product.txt +384 -83
  17. data/identifiers/vendor.txt +553 -68
  18. data/lib/recog/version.rb +1 -1
  19. data/requirements.txt +1 -1
  20. data/xml/apache_modules.xml +292 -5
  21. data/xml/apache_os.xml +41 -2
  22. data/xml/architecture.xml +11 -3
  23. data/xml/dns_versionbind.xml +76 -8
  24. data/xml/favicons.xml +1700 -0
  25. data/xml/ftp_banners.xml +178 -8
  26. data/xml/h323_callresp.xml +112 -12
  27. data/xml/hp_pjl_id.xml +47 -5
  28. data/xml/html_title.xml +1258 -25
  29. data/xml/http_cookies.xml +64 -9
  30. data/xml/http_servers.xml +667 -37
  31. data/xml/http_wwwauth.xml +141 -26
  32. data/xml/imap_banners.xml +19 -13
  33. data/xml/ldap_searchresult.xml +81 -9
  34. data/xml/mdns_device-info_txt.xml +175 -2
  35. data/xml/mdns_workstation_txt.xml +4 -2
  36. data/xml/mysql_banners.xml +134 -7
  37. data/xml/mysql_error.xml +113 -6
  38. data/xml/nntp_banners.xml +10 -2
  39. data/xml/ntp_banners.xml +80 -4
  40. data/xml/operating_system.xml +89 -3
  41. data/xml/pop_banners.xml +30 -31
  42. data/xml/rsh_resp.xml +11 -2
  43. data/xml/rtsp_servers.xml +22 -2
  44. data/xml/sip_banners.xml +35 -4
  45. data/xml/sip_user_agents.xml +29 -2
  46. data/xml/smb_native_lm.xml +10 -2
  47. data/xml/smb_native_os.xml +79 -2
  48. data/xml/smtp_banners.xml +146 -7
  49. data/xml/smtp_debug.xml +6 -4
  50. data/xml/smtp_ehlo.xml +7 -5
  51. data/xml/smtp_expn.xml +13 -4
  52. data/xml/smtp_help.xml +23 -4
  53. data/xml/smtp_mailfrom.xml +5 -2
  54. data/xml/smtp_noop.xml +6 -5
  55. data/xml/smtp_quit.xml +5 -4
  56. data/xml/smtp_rcptto.xml +5 -2
  57. data/xml/smtp_rset.xml +4 -4
  58. data/xml/smtp_turn.xml +4 -4
  59. data/xml/smtp_vrfy.xml +14 -4
  60. data/xml/snmp_sysdescr.xml +731 -24
  61. data/xml/snmp_sysobjid.xml +47 -2
  62. data/xml/ssh_banners.xml +175 -5
  63. data/xml/telnet_banners.xml +266 -15
  64. data/xml/x11_banners.xml +26 -3
  65. data/xml/x509_issuers.xml +30 -6
  66. data/xml/x509_subjects.xml +200 -31
  67. metadata +8 -2
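--- a/data/xml/smtp_debug.xml
+++ b/data/xml/smtp_debug.xml
@@ -1,14 +1,13 @@
-<?xml version="1.0" encoding="UTF-8"?>
+<?xml version='1.0' encoding='UTF-8'?>
 <fingerprints protocol="smtp" database_type="service" preference="0.14">
 <!--
 SMTP response lines to the DEBUG command are matched against these patterns
 (1 line at a time) to fingerprint SMTP servers.
-
 See comment at the top of smtp_banners.xml for additional info.
-
 'preference' note: This value has been set so as to implement the ordering
 of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
 -->
+
 <fingerprint pattern="^500 No way!$">
 <description>Exim</description>
 <example>500 No way!</example>
@@ -17,12 +16,14 @@
 <param pos="0" name="service.product" value="exim"/>
 <param pos="0" name="service.cpe23" value="cpe:/a:exim:exim:-"/>
 </fingerprint>
+
 <fingerprint pattern="^250[ -] *Debug set -NOT!$">
 <description>TIS FWTK and derivatives (other firewalls, like Gauntlet, are derived from TIS)</description>
 <param pos="0" name="service.vendor" value="TIS"/>
 <param pos="0" name="service.family" value="FWTK"/>
 <param pos="0" name="service.product" value="FWTK"/>
 </fingerprint>
+
 <fingerprint pattern="^500[ -]What\? I don't understand that\.$">
 <description>Alt-N MDaemon SMTP</description>
 <example>500 What? I don't understand that.</example>
@@ -36,4 +37,5 @@
 <param pos="0" name="os.arch" value="x86"/>
 <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
 </fingerprint>
-</fingerprints>
+
+</fingerprints>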
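--- a/data/xml/smtp_ehlo.xml
+++ b/data/xml/smtp_ehlo.xml
@@ -1,14 +1,13 @@
-<?xml version="1.0" encoding="UTF-8"?>
+<?xml version='1.0' encoding='UTF-8'?>
 <fingerprints protocol="smtp" database_type="service" preference="0.19">
 <!--
 SMTP response lines to the EHLO command are matched against these patterns
 (1 line at a time) to fingerprint SMTP servers.
-
 See comment at the top of smtp_banners.xml for additional info.
-
 'preference' note: This value has been set so as to implement the ordering
 of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
 -->
+
 <fingerprint pattern="^500[ -]Syntax error, command &quot;XXXX&quot; unrecognized$">
 <description>Cisco PIX - changes the command letters to 'X' before passing them to the real SMTP server</description>
 <param pos="0" name="os.vendor" value="Cisco"/>
@@ -16,12 +15,12 @@
 <param pos="0" name="os.product" value="PIX"/>
 <param pos="0" name="os.cpe23" value="cpe:/o:cisco:pix_firewall_software:-"/>
 </fingerprint>
+
 <!--
 Don't try to infer a fingerprint from XEXCH50, because if we do, it might overwrite
 a very precise MS IIS SMTP service or MS Exchange Server fingerprint found with the
 help of smtp_banners.xml. Instead, this case is handled specially by the Jess rule
 smtp-iis-xexch50-svc-fingerprint. -mrb
-
 <fingerprint pattern="^250[ -] *XEXCH50.*$">
 <description>
 Microsoft Exchange/IIS server
@@ -33,7 +32,9 @@
 <param pos="0" name="os.family" value="Windows"/>
 <param pos="0" name="os.product" value="Windows"/>
 </fingerprint>
+
 -->
+
 <fingerprint pattern="^221[ -]See ya in cyberspace$">
 <description>221 See ya in cyberspace</description>
 <param pos="0" name="service.vendor" value="Alt-N"/>
@@ -46,4 +47,5 @@
 <param pos="0" name="os.arch" value="x86"/>
 <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
 </fingerprint>
-</fingerprints>
+
+</fingerprints>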
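--- a/data/xml/smtp_expn.xml
+++ b/data/xml/smtp_expn.xml
@@ -1,14 +1,13 @@
-<?xml version="1.0" encoding="UTF-8"?>
+<?xml version='1.0' encoding='UTF-8'?>
 <fingerprints protocol="smtp" database_type="service" preference="0.16">
 <!--
 SMTP response lines to the EXPN command are matched against these patterns
 (1 line at a time) to fingerprint SMTP servers.
-
 See comment at the top of smtp_banners.xml for additional info.
-
 'preference' note: This value has been set so as to implement the ordering
 of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
 -->
+
 <fingerprint pattern="^500[ -]Syntax error, command &quot;XXXX.*&quot; unrecognized$">
 <description>Cisco PIX - changes the command letters to 'X' before passing them to the real SMTP server - expn variant</description>
 <param pos="0" name="os.vendor" value="Cisco"/>
@@ -16,6 +15,7 @@
 <param pos="0" name="os.product" value="PIX"/>
 <param pos="0" name="os.cpe23" value="cpe:/o:cisco:pix_firewall_software:-"/>
 </fingerprint>
+
 <fingerprint pattern="^550[ -]EXPN not available to \(.+\) \[.+\] *$">
 <description>Exim - expn variant 1</description>
 <example>550 EXPN not available to (foo.bar.com) [192.168.0.1]</example>
@@ -24,6 +24,7 @@
 <param pos="0" name="service.product" value="exim"/>
 <param pos="0" name="service.cpe23" value="cpe:/a:exim:exim:-"/>
 </fingerprint>
+
 <fingerprint pattern="^550[ -]EXPN not available to [^ ]+ \(.+\) \[.+\] *$">
 <description>Exim - expn variant 2</description>
 <example>550 EXPN not available to evil.com (foo.bar.com) [192.168.0.1]</example>
@@ -32,19 +33,23 @@
 <param pos="0" name="service.product" value="exim"/>
 <param pos="0" name="service.cpe23" value="cpe:/a:exim:exim:-"/>
 </fingerprint>
+
 <fingerprint pattern="^500[ -]Don't you wish! *$">
 <description>GNAT box SMTP</description>
 <param pos="0" name="service.vendor" value="Global Technology Associates"/>
 <param pos="0" name="service.family" value="GNAT Box"/>
 <param pos="0" name="service.product" value="GNAT Box"/>
 </fingerprint>
+
 <!-- VM SMTP server doesn't like brackets in EXPN commands... -->
+
 <fingerprint pattern="^501[ -]Syntax Error\. Only ListId or Userid allowed as argument to this command *$">
 <description>IBM VM SMTP</description>
 <param pos="0" name="service.vendor" value="IBM"/>
 <param pos="0" name="service.family" value="VM"/>
 <param pos="0" name="service.product" value="VM"/>
 </fingerprint>
+
 <fingerprint pattern="^550[ -]lists are confidential *$">
 <description>Ipswitch IMail Server - expn variant</description>
 <example>550 lists are confidential</example>
@@ -53,6 +58,7 @@
 <param pos="0" name="service.product" value="IMail Server"/>
 <param pos="0" name="service.cpe23" value="cpe:/a:ipswitch:imail_server:-"/>
 </fingerprint>
+
 <fingerprint pattern="^502[ -]command is not active$">
 <description>Alt-N MDaemon - expn variant</description>
 <example>502 command is not active</example>
@@ -66,12 +72,14 @@
 <param pos="0" name="os.arch" value="x86"/>
 <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
 </fingerprint>
+
 <fingerprint pattern="^252 Unable to EXPN &quot;.*&quot;, but will accept message and attempt delivery *$">
 <description>Lotus Domino</description>
 <param pos="0" name="service.vendor" value="Lotus"/>
 <param pos="0" name="service.family" value="Lotus Domino"/>
 <param pos="0" name="service.product" value="Lotus Domino"/>
 </fingerprint>
+
 <fingerprint pattern="^550[ -]Unable to find list '.*'\.$">
 <description>Seattle Labs SLMail</description>
 <example>550 Unable to find list 'list'.</example>
@@ -79,4 +87,5 @@
 <param pos="0" name="service.family" value="SLMail"/>
 <param pos="0" name="service.product" value="SLMail"/>
 </fingerprint>
-</fingerprints>
+
+</fingerprints>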
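--- a/data/xml/smtp_help.xml
+++ b/data/xml/smtp_help.xml
@@ -1,14 +1,13 @@
-<?xml version="1.0" encoding="UTF-8"?>
+<?xml version='1.0' encoding='UTF-8'?>
 <fingerprints protocol="smtp" database_type="service" preference="0.18">
 <!--
 SMTP response lines to the HELP command are matched against these patterns
 (1 line at a time) to fingerprint SMTP servers.
-
 See comment at the top of smtp_banners.xml for additional info.
-
 'preference' note: This value has been set so as to implement the ordering
 of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
 -->
+
 <fingerprint pattern="^214[ -]This is ArGoSoft Mail Server, Version [^ ]+ \(([^ ]+\.[^ ]+\.[^ ]+\.[^ ]+)\) *$">
 <description>ArgoSoft mail server HELP response with version</description>
 <example service.version="1.4.0.3">214-This is ArGoSoft Mail Server, Version 1.4 (1.4.0.3)</example>
@@ -17,6 +16,7 @@
 <param pos="0" name="service.product" value="Mail Server"/>
 <param pos="1" name="service.version"/>
 </fingerprint>
+
 <fingerprint pattern="^214[ -].*support@argosoft\.com *$">
 <description>ArgoSoft mail server HELP response</description>
 <example>214-To report bug, send mail to support@argosoft.com</example>
@@ -24,6 +24,7 @@
 <param pos="0" name="service.family" value="Mail Server"/>
 <param pos="0" name="service.product" value="Mail Server"/>
 </fingerprint>
+
 <fingerprint pattern="^500[ -]Syntax error, command &quot;XXXX&quot; unrecognized$">
 <description>Cisco PIX - changes the command letters to 'X' before passing them to the real SMTP server</description>
 <param pos="0" name="os.vendor" value="Cisco"/>
@@ -31,6 +32,7 @@
 <param pos="0" name="os.product" value="PIX"/>
 <param pos="0" name="os.cpe23" value="cpe:/o:cisco:pix_firewall_software:-"/>
 </fingerprint>
+
 <fingerprint pattern="^500[ -]5.5.1 unrecognised command HELP$">
 <description>Eudora IMS uses the British spelling "unrecognised"</description>
 <param pos="0" name="service.vendor" value="Eudora"/>
@@ -41,6 +43,7 @@
 <param pos="0" name="os.product" value="Mac OS"/>
 <param pos="0" name="os.cpe23" value="cpe:/o:apple:mac_os:-"/>
 </fingerprint>
+
 <fingerprint pattern="^214[ -]([^ ]+) is running the IBM VM operating system$">
 <description>IBM VM</description>
 <param pos="0" name="service.vendor" value="IBM"/>
@@ -48,10 +51,12 @@
 <param pos="0" name="service.product" value="VM"/>
 <param pos="1" name="host.name"/>
 </fingerprint>
+
 <!--
 Shouldn't we ignore XEXCH50 for the same reasons than described in the XEXCH50 regex
 in smtp_ehlo.xml ? -mrb
 -->
+
 <fingerprint pattern="^214[ -].* XEXCH50 *.*$">
 <description>Microsoft Exchange/IIS server</description>
 <param pos="0" name="service.vendor" value="Microsoft"/>
@@ -63,6 +68,7 @@
 <param pos="0" name="os.product" value="Windows"/>
 <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
 </fingerprint>
+
 <fingerprint pattern="^214[ -]Help system currently inactive\.$">
 <description>Alt-N MDaemon - 214 Help system currently inactive.</description>
 <param pos="0" name="service.vendor" value="Alt-N"/>
@@ -75,6 +81,7 @@
 <param pos="0" name="os.arch" value="x86"/>
 <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
 </fingerprint>
+
 <fingerprint pattern="^214[ -].*This is MERAK ([^ ]+\.[^ ]+\.[^ ]+).*$">
 <description> Merak mail server - http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x)</description>
 <param pos="0" name="service.vendor" value="Merak"/>
@@ -82,6 +89,7 @@
 <param pos="0" name="service.product" value="Mail Server"/>
 <param pos="1" name="service.version"/>
 </fingerprint>
+
 <fingerprint pattern="^214[ -].*This is Merak ([^ ]+\.[^ ]+\.[^ ]+).*$">
 <description>Merak mail server - http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x) - variant 1</description>
 <param pos="0" name="service.vendor" value="Merak"/>
@@ -89,18 +97,21 @@
 <param pos="0" name="service.product" value="Mail Server"/>
 <param pos="1" name="service.version"/>
 </fingerprint>
+
 <fingerprint pattern="^214[ -].*bugs@merakmail\.com.*$">
 <description>Merak mail server - http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x) - email variant</description>
 <param pos="0" name="service.vendor" value="Merak"/>
 <param pos="0" name="service.family" value="Mail Server"/>
 <param pos="0" name="service.product" value="Mail Server"/>
 </fingerprint>
+
 <fingerprint pattern="^214[ -].*bugs@icewarp\.com.*$">
 <description>Merak mail server - http://www.icewarp.com/merakmail/ (runs on 2000/NT/9x) - icewarp variant </description>
 <param pos="0" name="service.vendor" value="Merak"/>
 <param pos="0" name="service.family" value="Mail Server"/>
 <param pos="0" name="service.product" value="Mail Server"/>
 </fingerprint>
+
 <fingerprint pattern="^214[ -]qmail home page: http://pobox.com/~djb/qmail.html *$">
 <description>QMail - help variant</description>
 <example>214 qmail home page: http://pobox.com/~djb/qmail.html</example>
@@ -108,6 +119,7 @@
 <param pos="0" name="service.family" value="qmail"/>
 <param pos="0" name="service.product" value="qmail"/>
 </fingerprint>
+
 <fingerprint pattern="^214[ -].*contact the Digital Customer Support Center at 1-800-354-9000.*$">
 <description>Sendmail on Digital OSF UNIX</description>
 <param pos="0" name="service.family" value="Sendmail"/>
@@ -117,18 +129,21 @@
 <param pos="0" name="os.family" value="Digital UNIX"/>
 <param pos="0" name="os.product" value="OSF/1"/>
 </fingerprint>
+
 <fingerprint pattern="^214[ -]2.0.0 This is [s|S]endmail version ([^ ]+)$">
 <description>Sendmail often returns version information for HELP, even when the greeting is obscured</description>
 <param pos="0" name="service.family" value="Sendmail"/>
 <param pos="0" name="service.product" value="Sendmail"/>
 <param pos="1" name="service.version"/>
 </fingerprint>
+
 <fingerprint pattern="^214[ -]This is [s|S]endmail version ([^ ]+)$">
 <description>Sendmail often returns version information for HELP - variant 1</description>
 <param pos="0" name="service.family" value="Sendmail"/>
 <param pos="0" name="service.product" value="Sendmail"/>
 <param pos="1" name="service.version"/>
 </fingerprint>
+
 <fingerprint pattern="^502[ -]5\.3\.0 Sendmail ([^ ]+) -- HELP not implemented$">
 <description>Sendmail - help not implemented variant</description>
 <example>502 5.3.0 Sendmail 8.11.2 -- HELP not implemented</example>
@@ -136,22 +151,26 @@
 <param pos="0" name="service.product" value="Sendmail"/>
 <param pos="1" name="service.version"/>
 </fingerprint>
+
 <fingerprint pattern="^214[ -].*sendmail-bugs@sendmail\.org.*$">
 <description>Sendmail often returns version information for HELP - email variant</description>
 <param pos="0" name="service.family" value="Sendmail"/>
 <param pos="0" name="service.product" value="Sendmail"/>
 <param pos="0" name="service.certainty" value="0.85"/>
 </fingerprint>
+
 <fingerprint pattern="^241[ -].*$">
 <description>ZMailer versions earlier than 2.99.21 mistakenly return the status code 241 on some HELP response lines (instead of 214).</description>
 <param pos="0" name="service.vendor" value="ZMailer"/>
 <param pos="0" name="service.family" value="ZMailer"/>
 <param pos="0" name="service.product" value="ZMailer"/>
 </fingerprint>
+
 <fingerprint pattern="^214[ -].*Yoyodyne Propulsion.*$">
 <description>ZMailer has distinctive default HELP text in smtpserver.conf</description>
 <param pos="0" name="service.vendor" value="ZMailer"/>
 <param pos="0" name="service.family" value="ZMailer"/>
 <param pos="0" name="service.product" value="ZMailer"/>
 </fingerprint>
-</fingerprints>
+
+</fingerprints>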
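--- a/data/xml/smtp_mailfrom.xml
+++ b/data/xml/smtp_mailfrom.xml
@@ -1,8 +1,9 @@
-<?xml version="1.0" encoding="UTF-8"?>
+<?xml version='1.0' encoding='UTF-8'?>
 <fingerprints protocol="smtp" database_type="service">
 <!--
 This file is currently unused.
 -->
+
 <fingerprint pattern="250 .* is syntactically correct *">
 <description>exim</description>
 <example>250 &lt;nosuchuser@rapid7.com&gt; is syntactically correct</example>
@@ -11,10 +12,12 @@
 <param pos="0" name="service.product" value="exim"/>
 <param pos="0" name="service.cpe23" value="cpe:/a:exim:exim:-"/>
 </fingerprint>
+
 <fingerprint pattern="501[ -]System error\. *">
 <description>GNAT Box SMTP</description>
 <param pos="0" name="service.vendor" value="Global Technology Associates"/>
 <param pos="0" name="service.family" value="GNAT Box"/>
 <param pos="0" name="service.product" value="GNAT Box"/>
 </fingerprint>
-</fingerprints>
+
+</fingerprints>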
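--- a/data/xml/smtp_noop.xml
+++ b/data/xml/smtp_noop.xml
@@ -1,15 +1,13 @@
-<?xml version="1.0" encoding="UTF-8"?>
+<?xml version='1.0' encoding='UTF-8'?>
 <fingerprints protocol="smtp" database_type="service" preference="0.17">
 <!--
 SMTP response lines to the NOOP command are matched against these patterns
 (1 line at a time) to fingerprint SMTP servers.
-
 See comment at the top of smtp_banners.xml for additional info.
-
 'preference' note: This value has been set so as to implement the ordering
 of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
-
 -->
+
 <fingerprint pattern="^220 OK.*$">
 <description>CheckPoint FireWall-1 returns code 220 for NOOP command (instead of 250)</description>
 <param pos="0" name="service.vendor" value="Check Point"/>
@@ -17,6 +15,7 @@
 <param pos="0" name="service.product" value="Firewall-1"/>
 <param pos="0" name="service.cpe23" value="cpe:/a:checkpoint:firewall-1:-"/>
 </fingerprint>
+
 <fingerprint pattern="^250[ -]2.0.0 doing nothing$">
 <description>Eudora IMS - noop variant</description>
 <example>250 2.0.0 doing nothing</example>
@@ -28,6 +27,7 @@
 <param pos="0" name="os.product" value="Mac OS"/>
 <param pos="0" name="os.cpe23" value="cpe:/o:apple:mac_os:-"/>
 </fingerprint>
+
 <fingerprint pattern="^250[ -]Why is there an NOOP instruction\?$">
 <description>Alt-N MDaemon - noop variant</description>
 <example>250 Why is there an NOOP instruction?</example>
@@ -41,4 +41,5 @@
 <param pos="0" name="os.arch" value="x86"/>
 <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
 </fingerprint>
-</fingerprints>
+
+</fingerprints>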
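--- a/data/xml/smtp_quit.xml
+++ b/data/xml/smtp_quit.xml
@@ -1,14 +1,13 @@
-<?xml version="1.0" encoding="UTF-8"?>
+<?xml version='1.0' encoding='UTF-8'?>
 <fingerprints protocol="smtp" database_type="service" preference="0.11">
 <!--
 SMTP response lines to the QUIT command are matched against these patterns
 (1 line at a time) to fingerprint SMTP servers.
-
 See comment at the top of smtp_banners.xml for additional info.
-
 'preference' note: This value has been set so as to implement the ordering
 of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
 -->
+
 <fingerprint pattern="^221[ -]See ya in cyberspace$">
 <description>221 See ya in cyberspace</description>
 <param pos="0" name="service.vendor" value="Alt-N"/>
@@ -21,9 +20,11 @@
 <param pos="0" name="os.arch" value="x86"/>
 <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
 </fingerprint>
+
 <fingerprint pattern="^503[ -]5\.5\.0 Not accepting any command except QUIT$">
 <description>Raptor Firewall</description>
 <example>503 5.5.0 Not accepting any command except QUIT</example>
 <param pos="0" name="service.product" value="raptor"/>
 </fingerprint>
-</fingerprints>
+
+</fingerprints>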
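--- a/data/xml/smtp_rcptto.xml
+++ b/data/xml/smtp_rcptto.xml
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="UTF-8"?>
+<?xml version='1.0' encoding='UTF-8'?>
 <fingerprints protocol="smtp" database_type="service">
 <!--
 <fingerprint pattern="501[ -]Invalid domain *">
@@ -14,7 +14,9 @@
 <param pos="0" name="service.family" value="GNAT Box"/>
 <param pos="0" name="service.product" value="GNAT Box"/>
 </fingerprint>
+
 -->
+
 <fingerprint pattern="550[ -]not local host .*, not a gateway *">
 <description>550 not local host foo.bar, not a gateway</description>
 <param pos="0" name="service.vendor" value="Ipswitch"/>
@@ -22,4 +24,5 @@
 <param pos="0" name="service.product" value="IMail Server"/>
 <param pos="0" name="service.cpe23" value="cpe:/a:ipswitch:imail_server:-"/>
 </fingerprint>
-</fingerprints>
+
+</fingerprints>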
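--- a/data/xml/smtp_rset.xml
+++ b/data/xml/smtp_rset.xml
@@ -1,14 +1,13 @@
-<?xml version="1.0" encoding="UTF-8"?>
+<?xml version='1.0' encoding='UTF-8'?>
 <fingerprints protocol="smtp" database_type="service" preference="0.12">
 <!--
 SMTP response lines to the RSET command are matched against these patterns
 (1 line at a time) to fingerprint SMTP servers.
-
 See comment at the top of smtp_banners.xml for additional info.
-
 'preference' note: This value has been set so as to implement the ordering
 of SMTP related fingerprint databases as described in 'smtp_banners.xml'.
 -->
+
 <fingerprint pattern="^250[ -]RSET\? Well, OK\.$">
 <description>
 500 What? I don't understand that.
@@ -23,4 +22,5 @@
 <param pos="0" name="os.arch" value="x86"/>
 <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
 </fingerprint>
-</fingerprints>
+
+</fingerprints>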