recog 3.0.3 → 3.1.1
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data/README.md +45 -2
- data/lib/recog/fingerprint.rb +9 -2
- data/lib/recog/version.rb +1 -1
- data/recog/xml/dhcp_vendor_class.xml +535 -1
- data/recog/xml/dns_versionbind.xml +3 -3
- data/recog/xml/favicons.xml +156 -6
- data/recog/xml/ftp_banners.xml +23 -9
- data/recog/xml/html_title.xml +153 -6
- data/recog/xml/http_cookies.xml +73 -2
- data/recog/xml/http_servers.xml +256 -4
- data/recog/xml/http_wwwauth.xml +13 -1
- data/recog/xml/imap_banners.xml +0 -1
- data/recog/xml/smb_native_os.xml +1 -1
- data/recog/xml/smtp_banners.xml +7 -7
- data/recog/xml/snmp_sysdescr.xml +26 -5
- data/recog/xml/ssh_banners.xml +2 -2
- data.tar.gz.sig +0 -0
- metadata +2 -2
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: adbba4275e0d4b8b6c41541ea76d522529d17525f1f1fcce5147625d2a8adb59
|
4
|
+
data.tar.gz: 71929660f907cd74dfcd3f74ea0f3761efd33992821333059b50e5e6e5d52629
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: e37368c659cbeadbc38cd90e9a71b41825a02d2e060d88b19f06bab86f791474033b0a26c0481be4a89ab46dc9ddbc5f151241f45bdf96eeb0644edd19be548b
|
7
|
+
data.tar.gz: c7d438651a3b40f1586793ce60d1589c00541fd8fe587e480d477af6f02618d013c2edd5afeafff010931aa495ef6c417ba980072c8667e5e41a1a25efe585c6
|
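Review bot: the old-version rows in this hunk render with empty digests after `metadata.gz:` and `data.tar.gz:`, so the new SHA256/SHA512 values cannot be compared against 3.0.3 from this view. Before trusting the 3.1.1 package, the four new digests should be checked against the signed copy (`checksums.yaml.gz.sig` is listed as changed alongside `data.tar.gz.sig` and `metadata.gz.sig`) rather than taken from the rendered diff alone.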
checksums.yaml.gz.sig
CHANGED
Binary file
|
data/README.md
CHANGED
@@ -74,8 +74,6 @@ At least one `example` element should be present, however multiple `example` ele
|
|
74
74
|
|
75
75
|
tests that `RomSShell_4.62` matches the provided regular expression and that the value of `service.version` is 4.62.
|
76
76
|
|
77
|
-
The `param` elements contain a `pos` attribute, which indicates what capture field from the `pattern` should be extracted, or `0` for a static string. The `name` attribute is the key that will be reported in the case of a successful match and the `value` will either be a static string for `pos` values of `0` or missing and taken from the captured field.
|
78
|
-
|
79
77
|
The `example` string can be base64 encoded to permit the use of unprintable characters. To signal this to Recog an `_encoding` attribute with the value of `base64` is added to the `example` element. Based64 encoded text that is longer than 80 characters may be wrapped with newlines as shown below to aid in readability.
|
80
78
|
|
81
79
|
```xml
|
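Review bot: the unchanged context line beginning "The `example` string can be base64 encoded" still contains the typo `Based64 encoded text`; since this hunk already rewrites the paragraph immediately above it (the `param` description is being moved further down), correcting it to `Base64` here would be cheap and keeps the encoding name consistent with the `_encoding="base64"` attribute named in the same sentence.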
@@ -102,6 +100,51 @@ They can then be loaded using the `_filename` attribute:
|
|
102
100
|
|
103
101
|
This is useful for long examples.
|
104
102
|
|
103
|
+
The `param` elements contain a `pos` attribute, which indicates what capture field
|
104
|
+
from the `pattern` should be extracted, or `0` for a static string. The `name` attribute
|
105
|
+
is the key that will be reported in the case of a successful match and the `value`
|
106
|
+
will either be a static string for `pos` values of `0` or missing and taken from the
|
107
|
+
captured field.
|
108
|
+
|
109
|
+
The `value` attribute supports interpolation of data from other fields. This is
|
110
|
+
often useful when capturing the value for `hw.product` via regex and re-using this
|
111
|
+
value in `os.product`.
|
112
|
+
|
113
|
+
Here is an example from`http_servers.xml` where `hw.product` is captured and reused.
|
114
|
+
|
115
|
+
```xml
|
116
|
+
<fingerprint pattern="^Eltex (TAU-\d+[A-Z]*(?:\.IP)?)$">
|
117
|
+
<description>Eltex TAU model VoIP gateway</description>
|
118
|
+
<example hw.product="TAU-72">Eltex TAU-72</example>
|
119
|
+
<example hw.product="TAU-1.IP">Eltex TAU-1.IP</example>
|
120
|
+
<param pos="0" name="os.vendor" value="Eltex"/>
|
121
|
+
<param pos="0" name="os.product" value="{hw.product} Firmware"/>
|
122
|
+
<param pos="0" name="os.device" value="VoIP Gateway"/>
|
123
|
+
<param pos="0" name="hw.vendor" value="Eltex"/>
|
124
|
+
<param pos="1" name="hw.product"/>
|
125
|
+
<param pos="0" name="hw.device" value="VoIP Gateway"/>
|
126
|
+
</fingerprint>
|
127
|
+
```
|
128
|
+
|
129
|
+
There is special handling for temporary attributes that have a name starting with
|
130
|
+
`_tmp.`. These attributes can be used for interpolation but are not emitted in the
|
131
|
+
output. This is useful when a particular product name is inconsistent in various
|
132
|
+
banners, vendor marketing, or with NIST values when trying to generate CPEs. In
|
133
|
+
these cases the useful parts of the banner can be extracted and a new value
|
134
|
+
crafted without cluttering the data emitted by a match.
|
135
|
+
|
136
|
+
```xml
|
137
|
+
<fingerprint pattern="^foo baz switchThing-(\d{4})$">
|
138
|
+
<description>NetCorp NX series switches</description>
|
139
|
+
<example hw.product="NX8200">foo baz switchThing-8200</example>
|
140
|
+
<param pos="0" name="hw.vendor" value="NetCorp"/>
|
141
|
+
<param pos="0" name="hw.product" value="NX{_tmp.001}"/>
|
142
|
+
<param pos="2" name="_tmp.001"/>
|
143
|
+
</fingerprint>
|
144
|
+
```
|
145
|
+
|
146
|
+
These temporary attributes are not tracked in the `identifiers/fields.txt`.
|
147
|
+
|
105
148
|
[^back to top](#recog-ruby-a-recognition-framework)
|
106
149
|
|
107
150
|
## Contributing
|
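Review bot: the `_tmp.` example in this hunk is inconsistent with its own pattern. `^foo baz switchThing-(\d{4})$` has a single capture group, but the parameter is declared as `<param pos="2" name="_tmp.001"/>`, so `_tmp.001` would never be populated and `hw.product` would interpolate to `NX` rather than the `NX8200` the `<example>` asserts. It should read `<param pos="1" name="_tmp.001"/>`. Two smaller points in the same hunk: "Here is an example from`http_servers.xml`" is missing a space before the backtick, and the sentence "These temporary attributes are not tracked in the `identifiers/fields.txt`" would be a good place to also state that `_tmp.` parameters are exempt from the untested-parameter check (the behaviour introduced in the `fingerprint.rb` hunk below), since a contributor reading only the README would otherwise expect an example to be required for them.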
data/lib/recog/fingerprint.rb
CHANGED
@@ -136,6 +136,13 @@ class Fingerprint
|
|
136
136
|
end
|
137
137
|
end
|
138
138
|
|
139
|
+
# After performing interpolation, remove temporary keys from results
|
140
|
+
result.each_pair do |k, _|
|
141
|
+
if k.start_with?('_tmp.')
|
142
|
+
result.delete(k)
|
143
|
+
end
|
144
|
+
end
|
145
|
+
|
139
146
|
return result
|
140
147
|
end
|
141
148
|
|
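Review bot: the added loop deletes keys from `result` while iterating it with `each_pair`; MRI tolerates deletion during iteration, but mutating the receiver inside its own iterator is fragile and non-idiomatic. `result.delete_if { |k, _| k.start_with?('_tmp.') }` expresses the same intent in one line and makes the post-interpolation cleanup obvious. The `'_tmp.'` prefix is now also hard-coded in the second hunk of this file and in the README; a single named constant would keep the three in step if the prefix ever changes.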
@@ -230,9 +237,9 @@ class Fingerprint
|
|
230
237
|
end
|
231
238
|
end
|
232
239
|
|
233
|
-
# alert on untested parameters
|
240
|
+
# alert on untested parameters unless they are temporary
|
234
241
|
capture_group_used.each do |param_name, param_used|
|
235
|
-
if !param_used
|
242
|
+
if !param_used && !param_name.start_with?('_tmp.')
|
236
243
|
message = "'#{@name}' is missing an example that checks for parameter '#{param_name}' " +
|
237
244
|
"which is derived from a capture group"
|
238
245
|
yield :fail, message
|
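Review bot: the added `&& !param_name.start_with?('_tmp.')` condition silences the untested-parameter check entirely for temporary captures, but per the README change in this release a `_tmp.` value is interpolated into fields that are emitted (`hw.product` built from `{_tmp.001}`), so a `_tmp.` capture that no example exercises can still yield an untested emitted value. Rather than skipping these parameters outright, consider yielding a warning instead of `:fail`, or requiring that at least one example asserts on a field whose `value` interpolates the temporary parameter; the comment "alert on untested parameters unless they are temporary" should then be updated to match whichever rule is chosen.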
data/lib/recog/version.rb
CHANGED