recog 1.0.14 → 1.0.15

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e644a53b22cb83686c20e04a157cf4c449ab2949
-  data.tar.gz: 57ebf0489c9e197013abb195d286ecba48ddc76e
+  metadata.gz: ce44c3b625cc253b8729d4aac5677dbda2f71c46
+  data.tar.gz: b4ab896d1fc5e06370a73fc51efc339e24e13794
 SHA512:
-  metadata.gz: 1095c9c7208450e6d8c3ab4cd98e0f2ff4f0f05fec8a08a2aaf27a712af0780772e9710516218c97859fde2b998eaae6b2872549dbc07c9acc1822eeca0e90fa
-  data.tar.gz: 84ed98140d16270b44113b7a3120312cf0ddd77064708c261cbd080c74922275fe3961b9da7a870123585c5a86bd5dd5517cf085836f316682d8c5e28d0b706d
+  metadata.gz: 4bad5f89498020b13dc9d667004f6d07ab1a39aec9feaefd39a75714bfbf16fef7a180dfd0c8c949b06b2409b680a976a487d450037948a728b5c82269396ec9
+  data.tar.gz: 1056e591a107d473509c8f9c99058c399ad2d604eb0aa77401722a8c9dc88e4179e3eda201beca530c306c0013ca9ed79249d6ecadcc6ebfc54f37128551cabe

data/.travis.yml

@@ -1,4 +1,5 @@
 language: ruby
+cache: bundler
 rvm:
   - 2.1.5
   - 1.9.3

data/Gemfile

@@ -8,4 +8,5 @@ group :test do
   gem 'rspec', '>= 2.99'
   gem 'cucumber', '~> 1.3.8'
   gem 'aruba', '~> 0.5.3'
+  gem 'regexp_parser', '~> 0.2.0'
 end

data/lib/recog/fingerprint.rb

@@ -45,26 +45,6 @@ class Fingerprint
     match_data = @regex.match(match_string)
     return if match_data.nil?
 
-    # sanity check any positional extractions
-    positions = @params.values.map(&:first).map(&:to_i)
-    captures_size = match_data.captures.size
-    if @params.empty? && captures_size > 0
-      raise "Non-asserting fingerprint with regex #{@regex} captures #{captures_size} time(s); 0 are needed"
-    else
-      if captures_size > 0
-        max_pos = positions.max
-        # if it is actually looking to extract, ensure that there is enough to extract
-        if max_pos > 0 && captures_size < max_pos
-          raise "Regex #{@regex} only has #{captures_size} captures; cannot extract from position #{max_pos}"
-        end
-        # if there is not extraction but capturing is happening, fail since this is a waste
-        if captures_size > max_pos
-          raise "Regex #{@regex} captures #{captures_size - max_pos} too many (#{captures_size} vs #{max_pos})"
-        end
-      end
-    end
-
-    # now do extraction
     result = { 'matched' => @name }
     @params.each_pair do |k,v|
       pos = v[0]

data/lib/recog/matcher.rb

@@ -22,27 +22,14 @@ class Matcher
         reporter.increment_line_count
 
         line = line.to_s.unpack("C*").pack("C*").strip.gsub(/\\[rn]/, '')
-        found = nil
+        extractions = nil
         fingerprints.each do |fp|
-          m = line.match(fp.regex)
-          if m
-            found = [fp, m]
-            break
-          end
+          break if (extractions = fp.match(line))
         end
 
-        if found
-          info = { }
-          fp, m = found
-          fp.params.each_pair do |k,v|
-            if v[0] == 0
-              info[k] = v[1]
-            else
-              info[k] = m[ v[0] ]
-            end
-          end
-          info['data'] = line
-          reporter.match "MATCH: #{info.inspect}"
+        if extractions
+          extractions['data'] = line
+          reporter.match "MATCH: #{extractions.inspect}"
         else
           reporter.failure "FAIL: #{line}"
         end

data/lib/recog/version.rb

@@ -1,3 +1,3 @@
 module Recog
-  VERSION = '1.0.14'
+  VERSION = '1.0.15'
 end

data/spec/lib/fingerprint_self_test_spec.rb

@@ -1,4 +1,5 @@
 require 'recog/db'
+require 'regexp_parser'
 
 describe Recog::DB do
   Dir[File.expand_path File.join('xml', '*.xml')].each do |xml_file_name|
@@ -27,6 +28,30 @@ describe Recog::DB do
             expect(fp.regex.class).to be ::Regexp
           end
 
+          it 'uses capturing regular expressions properly' do
+            # the list of index-based captures that the fingerprint is expecting
+            expected_capture_positions = fp.params.values.map(&:first).map(&:to_i).select { |i| i > 0 }
+            if fp.params.empty? && expected_capture_positions.size > 0
+              fail "Non-asserting fingerprint with regex #{fp.regex} captures #{expected_capture_positions.size} time(s); 0 are needed"
+            else
+              # parse the regex and count the number of captures
+              actual_capture_positions = []
+              capture_number = 1
+              Regexp::Scanner.scan(fp.regex).each do |token_parts|
+                if token_parts.first == :group  && ![:close, :passive].include?(token_parts[1])
+                  actual_capture_positions << capture_number
+                  capture_number += 1
+                end
+              end
+              # compare the captures actually performed to those being used and ensure that they contain
+              # the same elements regardless of order, preventing, over-, under- and other forms of mis-capturing.
+              actual_capture_positions = actual_capture_positions.sort.uniq
+              expected_capture_positions = expected_capture_positions.sort.uniq
+              expect(actual_capture_positions).to eq(expected_capture_positions),
+                "Regex didn't capture (#{actual_capture_positions}) exactly what fingerprint extracted (#{expected_capture_positions})"
+            end
+          end
+
           # Not yet enforced
           # it "has test cases" do
           #  expect(fp.tests.length).not_to equal(0)
@@ -38,7 +63,7 @@ describe Recog::DB do
               expect(match).to_not be_nil, 'Regex did not match'
               # test any extractions specified in the example
               example.attributes.each_pair do |k,v|
-                expect(match[k]).to eq(v), "Regex didn't extracted expected value for fingerprint attribute #{k}"
+                expect(match[k]).to eq(v), "Regex didn't extract expected value for fingerprint attribute #{k} -- got #{match[k]} instead of #{v}"
               end
             end
 

data/xml/h323_callresp.xml

@@ -117,11 +117,11 @@ to fingerprint H.323 servers.
       <param pos="2" name="service.version"/>
    </fingerprint>
 
-   <fingerprint pattern="^0x(82000002|a5000001)\:(.*)\:.*?(\d*\.*\d*\.*\d*).*$" flags="REG_ICASE">
+   <fingerprint pattern="^0x(?:82000002|a5000001)\:(.*)\:.*?(\d*\.*\d*\.*\d*).*$" flags="REG_ICASE">
       <description>Ericsson H.323 Server</description>
       <param pos="0" name="service.vendor" value="Ericsson"/>
-      <param pos="2" name="service.product"/>
-      <param pos="3" name="service.version"/>
+      <param pos="1" name="service.product"/>
+      <param pos="2" name="service.version"/>
    </fingerprint>
 
    <fingerprint pattern="^0x8a000003\:(.*)\:.*?(\d*\.*\d*\.*\d*).*$" flags="REG_ICASE">
@@ -657,11 +657,11 @@ to fingerprint H.323 servers.
       <param pos="2" name="service.version"/>
    </fingerprint>
 
-   <fingerprint pattern="^0xb500(4c54|600d)\:(.*)\:.*?(\d*\.*\d*\.*\d*).*$" flags="REG_ICASE">
+   <fingerprint pattern="^0xb500(?:4c54|600d)\:(.*)\:.*?(\d*\.*\d*\.*\d*).*$" flags="REG_ICASE">
       <description>Lucent Technologies H.323 Server</description>
       <param pos="0" name="service.vendor" value="Lucent Technologies"/>
-      <param pos="2" name="service.product"/>
-      <param pos="3" name="service.version"/>
+      <param pos="1" name="service.product"/>
+      <param pos="2" name="service.version"/>
    </fingerprint>
 
    <fingerprint pattern="^0xb5004d47\:(.*)\:.*?(\d*\.*\d*\.*\d*).*$" flags="REG_ICASE">

data/xml/http_cookies.xml

@@ -231,7 +231,7 @@ servers.
       <param pos="0" name="service.product" value="Alteon Web Switch"/>
    </fingerprint>
 
-   <fingerprint pattern="^((SS_X_)?CSINTERSESSIONID)=.*">
+   <fingerprint pattern="^((?:SS_X_)?CSINTERSESSIONID)=.*">
       <description>OpenMarket/FatWire Content Server (www.fatwire.com)</description>
       <param pos="1" name="cookie"/>
       <param pos="0" name="service.vendor" value="FatWire"/>

data/xml/pop_banners.xml

@@ -8,7 +8,7 @@ matched against these patterns to fingerprint POP3 servers.
 
    <fingerprint pattern="^([^ ]+) +Cyrus POP3 v(\d+\.\d+.*)-OS X(?: Server)? ([\d\.]+).* server ready">
       <description>OSX Cyrus POP</description>
-      <example>8.8.8.8 Cyrus POP3 v2.3.8-OS X Server 10.5: 9A562 server ready &lt;1999107648.1324502155@8.8.8.8&gt;</example>
+      <example host.domain="8.8.8.8" service.version="2.3.8" os.version="10.5">8.8.8.8 Cyrus POP3 v2.3.8-OS X Server 10.5: 9A562 server ready &lt;1999107648.1324502155@8.8.8.8&gt;</example>
       <param pos="0" name="service.family" value="Cyrus"/>
       <param pos="0" name="service.product" value="Cyrus POP"/>
       <param pos="0" name="service.vendor" value="CMU"/>
@@ -18,17 +18,18 @@ matched against these patterns to fingerprint POP3 servers.
       <param pos="0" name="os.product" value="Mac OS X"/>
       <param pos="0" name="os.device" value="General"/>
       <param pos="3" name="os.version"/>
+      <param pos="1" name="host.domain"/>
     </fingerprint>
 
-   <fingerprint pattern="^([^ ]+) +Cyrus POP3 v([\d\.]+)[^OS\s+X].*$">
+   <fingerprint pattern="^([^ ]+) +Cyrus POP3 v([\d\.]+)">
       <description>CMU Cyrus POP</description>
-      <example>foo Cyrus POP3 v2.3</example>
-      <example>foo Cyrus POP3 v2.3.14 server ready &lt;13087751828270990591.1301068892@foo&gt;</example>
+      <example host.domain="foo" service.version="2.3">foo Cyrus POP3 v2.3</example>
+      <example host.domain="foo" service.version="2.3.14">foo Cyrus POP3 v2.3.14 server ready &lt;13087751828270990591.1301068892@foo&gt;</example>
       <param pos="0" name="service.vendor" value="CMU"/>
       <param pos="0" name="service.family" value="Cyrus"/>
       <param pos="0" name="service.product" value="Cyrus POP"/>
-      <param pos="1" name="service.version"/>
-      <param pos="2" name="host.domain"/>
+      <param pos="2" name="service.version"/>
+      <param pos="1" name="host.domain"/>
     </fingerprint>
 
     <fingerprint pattern="^Lotus Notes POP3 server version X[^ ]+ ready on .*$">
@@ -248,15 +249,15 @@ matched against these patterns to fingerprint POP3 servers.
 
 // +OK X1 POP3 Mail Server
 
-// +OK server POP3 server (DeskNow POP3 Server 1.0) ready 
+// +OK server POP3 server (DeskNow POP3 Server 1.0) ready
 
 // +OK <1185161310.3352@goto15028.com> [XMail 1.24 POP3 Server] service ready; Mon, 23 Jul 2007 11:28:30 +0800
 
 // +OK IdeaPop3Server v0.50 ready.
 
-// +OK qxztmail POP3 server (STD Ymailserver v1.8 POP3) ready 
+// +OK qxztmail POP3 server (STD Ymailserver v1.8 POP3) ready
 
-// +OK blue.forest-green.lan POP3 server (JAMES POP3 Server 2.2.0) ready 
+// +OK blue.forest-green.lan POP3 server (JAMES POP3 Server 2.2.0) ready
 
 // +OK xxx CMailServer 5.2 POP3 Service Ready
 
@@ -299,7 +300,7 @@ matched against these patterns to fingerprint POP3 servers.
 -ERR sorry, POP server too busy right now.  Try again later.
 -ERR This IP is not configured for POP3 service.  Please contact Allstream at 1-888-655-7670.
 +OK
-+OK 
++OK
 +OK <0bdec6022085d6c34a0e48bb77bf8cf3@juno.thinkburst.com>
 +OK <869521546.23059@mail.tecedge.net>, POP3 server ready.
 +OK host CMailServer 5.2 POP3 Service Ready
@@ -307,7 +308,7 @@ matched against these patterns to fingerprint POP3 servers.
 +OK alakhan.kz POP MDaemon 6.8.4 ready <MDAEMON-F200707231617.AA1715437MD3489@alakhan.kz>
 +OK alquilerpc.com.mx POP3 Server (Version 1.020h) ready.
 +OK ArGoSoft Mail Server Pro for WinNT/2000/XP, Version 1.8 (1.8.8.9)
-+OK blue.forest-green.lan POP3 server (JAMES POP3 Server 2.2.0) ready 
++OK blue.forest-green.lan POP3 server (JAMES POP3 Server 2.2.0) ready
 +OK canoeregatta.org POP3 Server (Version 1.020h) ready.
 +OK codebase.com.au POP MDaemon 9.6.1 ready <MDAEMON-F200707220122.AA2235837MD8039@codebase.com.au>
 +OK Cubic Circle's v1.31 1998/05/13 POP3 ready <0c9300004104a246@www.dvdld.co.za>
@@ -402,9 +403,9 @@ matched against these patterns to fingerprint POP3 servers.
 +OK POP3 www.happytails2u.com 2004.89 server ready
 +OK POP3 www.homebasedwizard.com 2004.89 server ready
 +OK POP3 www.webmail.imperioe.com 2004.89 server ready
-+OK qxztmail POP3 server (STD Ymailserver v1.8 POP3) ready 
++OK qxztmail POP3 server (STD Ymailserver v1.8 POP3) ready
 +OK Radish (Version 3.0.0-b021) ready
-+OK ready  
++OK ready
 +OK ready  <11514.1185210732@freedom.concept69.de>
 +OK ready  <14026.1184992338@s076-129.ub.firstserver.ne.jp>
 +OK ready  <16013.1185110479@p1.in11.squarestart.ne.jp>
@@ -417,7 +418,7 @@ matched against these patterns to fingerprint POP3 servers.
 +OK recvmail/he.net POP3 Server
 +OK refinanceloanjones.com POP3 Server (Version 1.020h) ready.
 +OK samare.it POP MDaemon 6.8.5 ready <MDAEMON-F200707220351.AA513460MD5338@samare.it>
-+OK server POP3 server (DeskNow POP3 Server 1.0) ready 
++OK server POP3 server (DeskNow POP3 Server 1.0) ready
 +OK silexaviacion.com POP3 Server (Version 1.020h) ready.
 +OK simple-photography.com POP3 Server (Version 1.020h) ready.
 +OK Solid POP3 server ready

data/xml/smb_native_os.xml

@@ -139,24 +139,24 @@
    </fingerprint>
 
    <!-- TODO: Need an example string -->
-   <fingerprint pattern="^Windows \(R\) Storage Server 2008 (\w+|\w+ \w+|\w+ \w+ \w+) (\d+) (Service Pack \d+)$">
+   <fingerprint pattern="^Windows \(R\) Storage Server 2008 (?:\w+|\w+ \w+|\w+ \w+ \w+) (\d+) (Service Pack \d+)$">
       <description>Windows Server 2008 Storage (SP)</description>
       <param pos="0" name="os.certainty" value="1.0"/>
       <param pos="0" name="os.vendor" value="Microsoft"/>
       <param pos="0" name="os.product" value="Windows Server 2008"/>
       <param pos="0" name="os.edition" value="Storage"/>
-      <param pos="2" name="os.build"/>
-      <param pos="3" name="os.version"/>
+      <param pos="1" name="os.build"/>
+      <param pos="2" name="os.version"/>
    </fingerprint>
 
    <!-- TODO: Need an example string -->
-   <fingerprint pattern="^Windows \(R\) Storage Server 2008 (\w+|\w+ \w+|\w+ \w+ \w+) (\d+)$">
+   <fingerprint pattern="^Windows \(R\) Storage Server 2008 (?:\w+|\w+ \w+|\w+ \w+ \w+) (\d+)$">
       <description>Windows Web Server 2008 Storage</description>
       <param pos="0" name="os.certainty" value="1.0"/>
       <param pos="0" name="os.vendor" value="Microsoft"/>
       <param pos="0" name="os.product" value="Windows Server 2008"/>
       <param pos="0" name="os.edition" value="Storage"/>
-      <param pos="3" name="os.build"/>
+      <param pos="1" name="os.build"/>
    </fingerprint>
 
    <fingerprint pattern="^Windows Server 2008 HPC Edition (\d+) (Service Pack \d+)$">
@@ -337,25 +337,25 @@
       <param pos="2" name="os.build"/>
    </fingerprint>
 
-   <fingerprint pattern="^Windows MultiPoint Server 2012 (\w+|\w+ \w+|\w+ \w+ \w+) (\d+) (Service Pack \d+)$">
+   <fingerprint pattern="^Windows MultiPoint Server 2012 (?:\w+|\w+ \w+|\w+ \w+ \w+) (\d+) (Service Pack \d+)$">
       <description>Windows MultiPoint Server 2012 (SP)</description>
-      <example>Windows MultiPoint Server 2012 Premium 9201 Service Pack 1</example>
+      <example os.build="9201" os.version="Service Pack 1">Windows MultiPoint Server 2012 Premium 9201 Service Pack 1</example>
       <param pos="0" name="os.certainty" value="1.0"/>
       <param pos="0" name="os.vendor" value="Microsoft"/>
       <param pos="0" name="os.product" value="Windows Server 2012"/>
       <param pos="0" name="os.edition" value="MultiPoint"/>
-      <param pos="2" name="os.build"/>
-      <param pos="3" name="os.version"/>
+      <param pos="1" name="os.build"/>
+      <param pos="2" name="os.version"/>
    </fingerprint>
 
-   <fingerprint pattern="^Windows MultiPoint Server 2012 (\w+|\w+ \w+|\w+ \w+ \w+) (\d+)$">
+   <fingerprint pattern="^Windows MultiPoint Server 2012 (?:\w+|\w+ \w+|\w+ \w+ \w+) (\d+)$">
       <description>Windows MultiPoint Server 2012</description>
-      <example>Windows MultiPoint Server 2012 Premium 9200</example>
+      <example os.build="9200">Windows MultiPoint Server 2012 Premium 9200</example>
       <param pos="0" name="os.certainty" value="1.0"/>
       <param pos="0" name="os.vendor" value="Microsoft"/>
       <param pos="0" name="os.product" value="Windows Server 2012"/>
       <param pos="0" name="os.edition" value="MultiPoint"/>
-      <param pos="2" name="os.build"/>
+      <param pos="1" name="os.build"/>
    </fingerprint>
 
    <!-- TODO: Detect vendor, distribution, and package versions -->

data/xml/smtp_banners.xml

@@ -15,7 +15,7 @@ These XML files are used in this order:
    smtp_turn.xml
    smtp_rset.xml
    smtp_quit.xml
-   
+
 The system or service fingerprint with the highest certainty overwrites the others.
 -->
 
@@ -55,17 +55,19 @@ The system or service fingerprint with the highest certainty overwrites the othe
          AnalogX proxy
          http://www.analogx.com/contents/download/network/proxy.htm
       </description>
+      <example host.name="192.168.1.1" service.version="4.15">192.168.1.1 SMTP AnalogX Proxy 4.15 (Release) ready</example>
       <param pos="0" name="service.vendor" value="AnalogX"/>
       <param pos="0" name="service.family" value="Proxy"/>
       <param pos="0" name="service.product" value="Proxy"/>
-      <param pos="1" name="service.version"/>
+      <param pos="2" name="service.version"/>
+      <param pos="1" name="host.name"/>
    </fingerprint>
 
    <fingerprint pattern="^ArGoSoft Mail Server, Version [^ ]+ \(([^ ]+\.[^ ]+\.[^ ]+\.[^ ]+)\) *$">
       <description>
          ArGoSoft Mail Server is fully functional STMP/POP3/Finger server for Windows 95/98/NT/2000.
          http://www.argosoft.com/applications/mailserver/
-         Example: 220 ArGoSoft Mail Server, Version 1.4 (1.4.0.3)      
+         Example: 220 ArGoSoft Mail Server, Version 1.4 (1.4.0.3)
       </description>
       <param pos="0" name="service.vendor" value="ArGoSoft"/>
       <param pos="0" name="service.family" value="Mail Server"/>
@@ -124,7 +126,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
       <param pos="0" name="service.version" value="4"/>
    </fingerprint>
 
-   <fingerprint pattern="^([\*20 ]+)$">
+   <fingerprint pattern="^[\*20 ]+$">
       <description>
          Cisco PIX firewall: PIX sits between an internal SMTP server and the rest of the world.
 
@@ -275,7 +277,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
       <param pos="0" name="service.product" value="IIS"/>
       <param pos="3" name="service.version"/>
       <param pos="1" name="host.name"/>
-      <param pos="2" name="system.time"/>      
+      <param pos="2" name="system.time"/>
       <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
       <param pos="0" name="os.vendor" value="Microsoft"/>
       <param pos="0" name="os.family" value="Windows"/>
@@ -330,7 +332,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
       <param pos="1" name="host.name"/>
    </fingerprint>
 
-   <fingerprint pattern="^([^ ]+) +SMTP/smap Ready\.$">
+   <fingerprint pattern="^(?:[^ ]+) +SMTP/smap Ready\.$">
       <description>
          TIS FWTK and derivatives
          http://www.tis.com/research/software/
@@ -418,11 +420,12 @@ The system or service fingerprint with the highest certainty overwrites the othe
          Syntegra/CDC IntraStore TurboSendmail, part of the IntraStore server which runs on
          the following platforms ONLY: Linux, HP-UX, Solaris, AIX, and Windows NT/2000
          see http://www.cdc.com for more information
-         example: 220 tigger.disneyonline.com (IntraStore TurboSendmail) ESMTP Service ready
       </description>
+      <example host.name="192.168.1.1">192.168.1.1 (IntraStore TurboSendmail) ESMTP Service ready</example>
       <param pos="0" name="service.vendor" value="BT"/>
       <param pos="0" name="service.family" value="IntraStore"/>
       <param pos="0" name="service.product" value="IntraStore"/>
+      <param pos="1" name="host.name"/>
    </fingerprint>
 
    <fingerprint pattern="^([^ ]+) \(Mail-Max Version (\d+\.\d+\.\d+\.\d+), (.+, .+)\) ESMTP Mail Server Ready. *$">
@@ -436,7 +439,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
       <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
       <param pos="1" name="host.name"/>
       <param pos="2" name="service.version"/>
-      <param pos="3" name="system.time"/>         
+      <param pos="3" name="system.time"/>
    </fingerprint>
 
    <fingerprint pattern="^([^ ]+) \(Mail-Max Version (\d+\.\d+), (.+, .+)\) ESMTP Mail Server Ready. *$">
@@ -450,7 +453,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
       <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
       <param pos="1" name="host.name"/>
       <param pos="2" name="service.version"/>
-      <param pos="3" name="system.time"/>         
+      <param pos="3" name="system.time"/>
    </fingerprint>
 
    <fingerprint pattern="^([^ ]+) +MailSite ESMTP Receiver Version ([^ ]+\.[^ ]+\.[^ ]+\.[^ ]+) Ready *$">
@@ -491,7 +494,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
 
    <fingerprint pattern="^([^ ]+) +ESMTP MDaemon ([^ ]+\.[^ ]+\.[^ ]+) UNREGISTERED; *(.+) *$">
       <description>
-         MDaemon mail server 
+         MDaemon mail server
          220 foo.bar ESMTP MDaemon 4.0.5 UNREGISTERED; Sat, 06 Oct 2001 09:10:56 +0400
       </description>
       <param pos="0" name="service.vendor" value="Alt-N"/>
@@ -511,7 +514,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
 
    <fingerprint pattern="^([^ ]+) +ESMTP MDaemon ([^ ]+\.[^ ]+\.[^ ]+); *(.+) *$">
       <description>
-         MDaemon mail server 
+         MDaemon mail server
          220 foo.bar ESMTP MDaemon 4.0.2; Sat, 06 Oct 2001 01:46:44 -0500
       </description>
       <param pos="0" name="service.vendor" value="Alt-N"/>
@@ -530,7 +533,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
 
    <fingerprint pattern="^([^ ]+) +ESMTP MDaemon ([^ ]+\.[^ ]+\.[^ ]+) ready *$">
       <description>
-         MDaemon mail server 
+         MDaemon mail server
          220 foo.bar ESMTP MDaemon 3.5.7 ready
       </description>
       <param pos="0" name="service.vendor" value="Alt-N"/>
@@ -547,7 +550,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
 
    <fingerprint pattern="^([^ ]+) +ESMTP service ready \[[0-9]+\] MDaemon v([^ ]+\.[^ ]+) ([^ ]+) *$">
       <description>
-         MDaemon mail server 
+         MDaemon mail server
          220 foo.bar.com ESMTP service ready [1] MDaemon v2.84 R
       </description>
       <param pos="0" name="service.vendor" value="Alt-N"/>
@@ -565,7 +568,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
 
    <fingerprint pattern="^([^ ]+) +ESMTP service ready \[[0-9]+\] using MDaemon v([^ ]+\.[^ ]+\.[^ ]+) ([^ ]+) *$">
       <description>
-         MDaemon mail server 
+         MDaemon mail server
          220 foo.bar.com ESMTP service ready [1] using MDaemon v3.0.3 R
       </description>
       <param pos="0" name="service.vendor" value="Alt-N"/>
@@ -583,7 +586,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
 
    <fingerprint pattern="^([^ ]+) +ESMTP service ready \[[0-9]+\] MDaemon v([^ ]+\.[^ ]+) ([^ ]+) ([^ ]+) *$">
       <description>
-         MDaemon mail server 
+         MDaemon mail server
          220 foo.bar.com ESMTP service ready [1] MDaemon v2.7 SP5 R
       </description>
       <param pos="0" name="service.vendor" value="Alt-N"/>
@@ -602,7 +605,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
 
    <fingerprint pattern="^([^ ]+) +ESMTP service ready \[[0-9]+\] MDaemon v([^ ]+)\.([^ ]+)\.([^ ]+)\.([^ ]+) ([^ ]+) *$">
       <description>
-         MDaemon mail server 
+         MDaemon mail server
          220 foo.bar.com ESMTP service ready [1] MDaemon v2.8.7.0 R
       </description>
       <param pos="0" name="service.vendor" value="Alt-N"/>
@@ -623,7 +626,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
 
    <fingerprint pattern="^([^ ]+) +ESMTP service ready \[[0-9]+\] \(MDaemon v([^ ]+\.[^ ]+) ([^ ]+) ([^ ]+)\) *$">
       <description>
-         MDaemon mail server 
+         MDaemon mail server
          220 foo.bar.com ESMTP service ready [2] (MDaemon v2.7 SP4 R)
       </description>
       <param pos="0" name="service.vendor" value="Alt-N"/>
@@ -642,7 +645,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
 
    <fingerprint pattern="^([^ ]+) +ESMTP service ready \[[0-9]+\] \(MDaemon v([^ ]+\.[^ ]+) ([^ ]+) ([^ ]+) ([^ ]+)\) *$">
       <description>
-         MDaemon mail server 
+         MDaemon mail server
          220 foo.bar.com ESMTP service ready [1] (MDaemon v2.5 rB b1 32-T)
       </description>
       <param pos="0" name="service.vendor" value="Alt-N"/>
@@ -700,7 +703,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
       <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy  HH:mm:ss zzz"/>
       <param pos="1" name="service.version"/>
       <param pos="2" name="service.version.version"/>
-      <param pos="3" name="service.version.version.version"/>         
+      <param pos="3" name="service.version.version.version"/>
       <param pos="4" name="mercur.os.info"/>
       <param pos="5" name="system.time"/>
    </fingerprint>
@@ -797,7 +800,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
 
    <fingerprint pattern="^([^ ]+) Lotus SMTP MTA Service Ready *$">
       <description>
-         Lotus Notes 4 SMTP MTA      
+         Lotus Notes 4 SMTP MTA
       </description>
       <param pos="0" name="service.vendor" value="Lotus"/>
       <param pos="0" name="service.family" value="Lotus Domino"/>
@@ -808,7 +811,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
 
    <fingerprint pattern="^([^ ]+) ESMTP Service \(Lotus Domino Release (\d+\.\d+\.\w+)\) ready at (.+) *$">
       <description>
-         Lotus Domino 5 SMTP MTA 
+         Lotus Domino 5 SMTP MTA
          220 foo.bar.com ESMTP Service (Lotus Domino Release 5.0.5) ready at Wed, 19 Dec 2001 19:54:55 -0500
       </description>
       <param pos="0" name="service.vendor" value="Lotus"/>
@@ -822,7 +825,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
 
    <fingerprint pattern="^([^ ]+) ESMTP Service \(Lotus Domino Release (\d+\.\w+)\) ready at (.+) *$">
       <description>
-         Lotus Domino 5 SMTP MTA 
+         Lotus Domino 5 SMTP MTA
          example: 220 foo.bar.com ESMTP Service (Lotus Domino Release 5.0a) ready at Wed, 20 Jun 2001 08:59:17 +0200
       </description>
       <param pos="0" name="service.vendor" value="Lotus"/>
@@ -836,17 +839,17 @@ The system or service fingerprint with the highest certainty overwrites the othe
 
    <fingerprint pattern="^([^ ]+) ESMTP Service \(Lotus Domino Release (\d+\.\d+\.\w+) \(Intl\)\) ready at (.+) *$">
       <description>
-         Lotus Domino 5 SMTP MTA, International product version      
+         Lotus Domino 5 SMTP MTA, International product version
          example: 220 foo.bar.com ESMTP Service (Lotus Domino Release 5.0.5 (Intl)) ready at Tue, 6 Feb 2001 18:54:23 -0500
       </description>
       <param pos="0" name="service.vendor" value="Lotus"/>
       <param pos="0" name="service.family" value="Lotus Domino"/>
       <param pos="0" name="service.product" value="Lotus Domino"/>
       <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
-      <param pos="0" name="notes.intl" value="yes"/>         
+      <param pos="0" name="notes.intl" value="yes"/>
       <param pos="1" name="host.name"/>
       <param pos="2" name="service.version"/>
-      <param pos="3" name="system.time"/>            
+      <param pos="3" name="system.time"/>
    </fingerprint>
 
    <fingerprint pattern="^([^ ]+) ESMTP Service \(Lotus Domino Build (\d+\.\d+)\) ready at (.+) *$">
@@ -894,10 +897,10 @@ The system or service fingerprint with the highest certainty overwrites the othe
          versions 3.x and earlier of NTMail http://www.gordano.com (it was called Internet Shopper's something or other)
          example: 220 mail.Networkengineering WindowsNT SMTP Server v3.03.0018/1.aio1/SP ESMTP ready at Wed, 25 Jul 2001 23:03:11 -0400
          example: 220 mars.wvwc.edu WindowsNT SMTP Server v3.03.0018/1.ajhf/SP ESMTP ready at Thu, 29 Oct 1998 18:01:30 -0500
-         example: 220 mail.someisp.net WindowsNT SMTP Server v3.03.0017/1.aihl/SP ESMTP ready at Sun, 6 Jun 1999 10:39:30 -0400 
+         example: 220 mail.someisp.net WindowsNT SMTP Server v3.03.0017/1.aihl/SP ESMTP ready at Sun, 6 Jun 1999 10:39:30 -0400
          example: 220 nt03s02.switchlink.be WindowsNT SMTP Server v3.03.0014/1.aiss/SP ESMTP ready at Fri, 17 Apr 1998 16:59:04 +0100
          example: 220 www.afsc.org WindowsNT SMTP Server v3.03.0017/1.abkz/SP ESMTP ready at Mon, 2 Oct 2000 11:50:29 -0400
-         example: 220 wwmerchant.osopinion.com WindowsNT SMTP Server v3.03.0017/4c.adur/SP ESMTP ready at Fri, 26 Mar 1999 13:20:30 -0700 
+         example: 220 wwmerchant.osopinion.com WindowsNT SMTP Server v3.03.0017/4c.adur/SP ESMTP ready at Fri, 26 Mar 1999 13:20:30 -0700
          example: 220 digital-hoon.tecdm.dmi.co.kr WindowsNT SMTP Server v3.02.07/2c.aaaj ready at Thu, 5 Dec 1996 22:46:12 +0000
       </description>
       <param pos="0" name="service.vendor" value="Gordano"/>
@@ -1012,31 +1015,16 @@ The system or service fingerprint with the highest certainty overwrites the othe
       <param pos="1" name="host.name"/>
    </fingerprint>
 
-   <fingerprint pattern="^([^ ]+) ESMTP server \(Post\.Office v([^ ]+\.[^ ]+\.[^ ]+) release (.+) ID# ([^ ]+)\) ready (.+) *$">
+   <fingerprint pattern="^([^ ]+) ESMTP server \(Post\.Office v([^ ]+) release (.+) ID# ([^ ]+)\) ready (.+) *$">
       <description>
          Post.Office (3 version numbers)
-         example: 220 birg.connect.co.at ESMTP server (Post.Office v3.1 release PO205e ID# 0-42000U100L2S100) ready Tue, 6 Feb 2001 19:38:32 +0100
       </description>
+      <example host.name="192.168.1.1" service.version="3.1" postoffice.build="PO205e" postoffice.id="0-42000U100L2S100" system.time="Tue, 6 Feb 2001 19:38:32 +0100">192.168.1.1 ESMTP server (Post.Office v3.1 release PO205e ID# 0-42000U100L2S100) ready Tue, 6 Feb 2001 19:38:32 +0100</example>
       <param pos="0" name="service.family" value="Post.Office"/>
       <param pos="0" name="service.product" value="Post.Office"/>
-      <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
-      <param pos="1" name="host.name"/>
       <param pos="2" name="service.version"/>
-      <param pos="3" name="postoffice.build"/>
-      <param pos="3" name="postoffice.id"/>
-      <param pos="4" name="system.time"/>
-   </fingerprint>
-
-   <fingerprint pattern="^([^ ]+) ESMTP server \(P|post\.O|office v([^ ]+\.[^ ]+) release (.+) ID# ([^ ]+)\) ready (.+) *$">
-      <description>
-         Post.Office (2 version numbers)
-         example: 220 birg.connect.co.at ESMTP server (Post.Office v3.1 release PO205e ID# 0-42000U100L2S100) ready Tue, 6 Feb 2001 19:38:32 +0100
-      </description>
-      <param pos="0" name="service.family" value="Post.Office"/>
-      <param pos="0" name="service.product" value="Post.Office"/>
       <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
       <param pos="1" name="host.name"/>
-      <param pos="2" name="service.version"/>
       <param pos="3" name="postoffice.build"/>
       <param pos="4" name="postoffice.id"/>
       <param pos="5" name="system.time"/>
@@ -1079,7 +1067,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
       <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
       <param pos="1" name="host.name"/>
       <param pos="2" name="service.version"/>
-      <param pos="3" name="sendmail.hpux.phne.version"/>         
+      <param pos="3" name="sendmail.hpux.phne.version"/>
       <param pos="4" name="sendmail.config.version"/>
       <param pos="5" name="system.time"/>
    </fingerprint>
@@ -1527,7 +1515,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
    <!-- these suckers can have LOTS of version numbers -->
    <fingerprint pattern="^([^ ]+) -- Server ESMTP \(Sun Internet Mail Server sims\.([^\.]+\.[^\.]+\.[^\.]+\.[^\.]+\.[^\.]+\.[^\.]+\.[^\.]+)\)$">
       <description>
-      220 mercury.doc.ntu.ac.uk -- Server ESMTP (Sun Internet Mail Server sims.4.0.1999.06.13.00.20)      
+      220 mercury.doc.ntu.ac.uk -- Server ESMTP (Sun Internet Mail Server sims.4.0.1999.06.13.00.20)
       </description>
       <param pos="0" name="service.vendor" value="Sun"/>
       <param pos="0" name="service.family" value="Internet Mail Server"/>
@@ -1604,7 +1592,7 @@ The system or service fingerprint with the highest certainty overwrites the othe
       <param pos="0" name="service.product" value="VOPMail"/>
       <param pos="1" name="host.name"/>
       <param pos="2" name="service.version"/>
-   </fingerprint>   
+   </fingerprint>
 
    <fingerprint pattern="^([^ ]+) VPOP3 SMTP Server Ready *$">
       <description>
@@ -1718,12 +1706,12 @@ The system or service fingerprint with the highest certainty overwrites the othe
       <param pos="0" name="service.family" value="ZMailer"/>
       <param pos="0" name="service.product" value="ZMailer"/>
       <param pos="0" name="system.time.format" value="EEE, dd MMM yyyy HH:mm:ss zzz"/>
-      <param pos="0" name="zmailer.ident" value="yes"/>         
+      <param pos="0" name="zmailer.ident" value="yes"/>
       <param pos="1" name="host.name"/>
       <param pos="2" name="service.version"/>
       <param pos="3" name="service.version.version"/>
       <param pos="4" name="system.time"/>
-    </fingerprint>   
+    </fingerprint>
 
    <fingerprint pattern="^([^ ]+) E?SMTP(?: Ready\.?)?$">
      <description>