From 237b0ca9e0069234904a384d7408eba4e895e80a Mon Sep 17 00:00:00 2001
From: fyodor
Date: Wed, 10 May 2006 18:33:41 +0000
Subject: [PATCH] Doug's latest changes
---
 nmap-service-probes | 546 ++++++++++++++++++++++++++++++++++++--------
 1 file changed, 447 insertions(+), 99 deletions(-)
diff --git a/nmap-service-probes b/nmap-service-probes
index f0d737462..856dbbe4a 100644
--- a/nmap-service-probes
+++ b/nmap-service-probes
@@ -18,9 +18,9 @@
 # license conditions of your contributions, just say so when you send
 # them.
 #
-# This collection of probe data is (C) 2003 by Insecure.Com LLC It is
-# available for free use by open source software under the terms of
-# the GNU General Public License. We also license the data to
+# This collection of probe data is (C) 2003-2006 by Insecure.Com LLC
+# It is available for free use by open source software under the terms
+# of the GNU General Public License. We also license the data to
 # selected commercial/proprietary vendors under less restrictive
 # terms. Contact sales@insecure.com for more information.
 #
@@ -49,7 +49,12 @@ match aplus m|^\x01\xff\0\xff\x01\x1d\0\xfd\0\n\x03\x05A\+ API \(([\d.]+)\) - CC # arkstats (part of arkeia-light 5.1.12 Backup server) on Linux 2.4.20 match arkstats m|^\0`\0\x03\0\0\0\x1810\x000\x000\x00852224\0\0\0\0\0\0\0\0\0\0\0| p/Arkeia arkstats/ match artsd m|^MCOP\0\0\0.\0\0\0\x01\0\0\0\x10aRts/MCOP-([\d.]+)\0\0\0\0|s p/artsd/ i/MCOP $1/ + +# Asterisk call manager - port 5038 +match asterisk m|^Asterisk Call Manager/([\d.]+)\r\n| p/Asterisk Call Manager/ v/$1/ + match audit m|^Visionsoft Audit on Demand Service\r\nVersion: ([\d.]+)\r\n\r\n| p/Visionsoft Audit on Demand Service/ v/$1/ o/Windows/ +match avg m|^220-AVG7 Anti-Virus daemon mode scanner\r\n220-Program version ([\d.]+), engine (\d+)\r\n220-Virus Database: Version ([\d/.]+) [\d-]+\r\n| p/AVG daemon mode/ v/$1 engine $2/ i/Virus DB $3/ match backdoor m|^220 jeem\.mail\.pv ESMTP\r\n| p/Jeem backdoor/ i/**BACKDOOR**/ o/Windows/ match backdoor m|^\r\nUser Access Verification\r\n\r\nYour PassWord:| p/Jeem backdoor/ i/**BACKDOOR**/ o/Windows/ 
@@ -61,6 +66,9 @@ match backdoor m|^=+\n= +RBackdoor ([\d.]+) | p/RBackdoor/ v/$1/ i/**BACKDOOR**/ match backdoor m|^220 Windrone Server \(Win32\)\r\n$| p/NerdBot backdoor/ i/**BACKDOOR**/ o/Windows/ match backdoor m|^Zadej heslo:$| p/Czech "zadej heslo" backdoor/ i/**BACKDOOR**/ o/Windows/ match backdoor m|^220 Reptile welcomes you\.\.\r\n| p/Darkmoon backdoor "reptile" ftpd/ i/**BACKDOOR**/ o/Windows/ +match backdoor m|^Sifre_EDIT$| p/ProRat trojan/ i/**BACKDOOR**/ o/Windows/ +match backdoor m|^MZ\x90\0\x03\0\0\0\x04\0\0\0\xff\xff\0\0\xb8\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0fn\0\0\xd0\0\0\0\x0e\x1f\xba\x0e\0\xb4\t\xcd!\xb8\x01L\xcd!This program cannot be run in DOS mode\.| p/Korgo worm/ i/**BACKDOOR**/ o/Windows/ +match backdoor m|^\xfa\xcb\xd9\xd9\xdd\xc5\xd8\xce\xd6| p/Theef trojan/ i/**BACKDOOR**/ o/Windows/ match bf2rcon m|^### Battlefield 2 ModManager Rcon v([\d.]+)\.\n### Digest seed: \w+\n\n| p/Battlefield 2 ModManager Remote Console/ v/$1/ @@ -89,6 +97,9 @@ match chat-ctl m|^InfoChat Server v([\d.]+) Remote Control ready\n\r| p/InfoChat match chess m=^\n\r _ __ __ __ \n\r \| \| / /__ / /________ ____ ___ ___ / /_____ \n\r \| \| /\| / / _ \\/ / ___/ __ \\/ __ `__ \\/ _ \\ / __/ __ \\\n\r= p/Lasker Internet Chess server/ # Citrix, Metaframe XP on Windows match citrix-ica m|^\x7f\x7fICA\0\x7f\x7fICA\0| p/Citrix Metaframe XP ICA/ o/Windows/ +# Citrix MetaFrame XP 1.0 implimented with ClassLink 2000 on NT4 +match citrix-ima m|^'\0\0\0\x81\0\0\0\x01| p/Citrix Metaframe XP IMA/ o/Windows/ + match clsbd m|^\0\0\0\x10ClsBoolVersion 1$| p/Cadence IC design daemon/ match codeforge m|^CFMSERV\(1\)\n| p/CodeForge IDE/ match concertosendlog m|^Concerto Software\r\n\r\nEnsemblePro SendLog Server - Version (\d[-.\w]+)\r\n\r\nEnter Telnet Password\r\n#> | p/Concerto Software EnsemblePro CRM software SendLog Server/ v/$1/ 
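Review bot: The three added backdoor signatures in the first hunk carry no comment saying where each banner was captured, and the Korgo one is hard to audit because its pattern is almost entirely the MZ header and DOS-stub text that begins a Windows executable. If another service on a scanned host answers a connection with an executable, it would presumably be reported as `Korgo worm` with `**BACKDOOR**`, which is a costly false positive in a scan report. I would put a provenance comment above it, for example `# Korgo: banner is the start of a PE file; captured on port <port> from <sample reference>`. The ProRat and Theef entries would benefit from similar one-line comments.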
@@ -155,6 +166,7 @@ match directupdate m|^OK Welcome <[\d.]+> on DirectUpdate engine VER=\[([\d.]+) match dnsix m|^DNSIX$| match dragon m|^UNAUTHORIZED\n\r\n\r$| p/Dragon realtime shell/ +match drweb m|^0 PROTOCOL 2 2 AGENT,CONSOLE,INSTALL,CRYPT(,COMP)?\r\n| p/DrWeb/ match eftserv m|^\?\x008 \xc3p EFTSRV1 ([\d.]+) | p/Ingenico EFTSRVd/ v/$1/ o/Windows/ match eggdrop m=^\r\n\r\n([-`|.\w]+) \(Eggdrop v(\d[-.\w+]+) +\([cC]\) *1997.*\r\n\r\n= p/Eggdrop irc bot console/ v/$2/ i/botname: $1/ @@ -192,7 +204,7 @@ match ftp m|^220 ([-/.+\w]+) IBM TCP/IP f\xfcr OS/2 - FTP-Server [Vv]er \d+:\d+: match ftp m|^220 ([-/.+\w]+) Lexmark ([-/.+\w ]+) FTP Server (\d[-.\w]+) ready\.\r\n| p/Lexmark printer ftpd/ v/$2/ i/Lexmark $3/ h/$1/ d/printer/ #atch ftp m|^220 LXK14ED59 Lexmark Optra SC 1275 FTP Server ([\d.]+) ready\.\r\n| p/Lexmark Optra SC 1275 ftpd/ v/$1/ d/printer/ match ftp m|^220 Internet Rex (\d[-.\w ]+) \(([-/.+\w]+)\) FTP server awaiting your command\.\r\n| p/Internet Rex ftpd/ v/$1/ i/$2/ -match ftp m|^220 ([-.+\w]+) FTP server \(Version (\d[-.\w]+)\(([^\)]+)\) [A-Z][a-z][a-z] [A-Z].*200\d\) ready\.\r\n| p/HP-UX ftpd/ h/$1/ v/$2/ i/$3/ o/HP-UX/ +match ftp m|^220 ([-.+\w]+) FTP server \(Version (\d[-.\w]+)\([^\)]+\) [A-Z][a-z][a-z] [A-Z].*200\d\) ready\.\r\n| p/HP-UX ftpd/ h/$1/ v/$2/ o/HP-UX/ match ftp m|^530 Connection refused, unknown IP address\.\r\n$| p/Microsoft IIS ftpd/ i/IP address rejected/ o/Windows/ match ftp m|^220 PizzaSwitch FTP server ready\r\n| p/Xylan PizzaSwitch ftpd/ match ftp m|^220 ([-.+\w]+) IronPort FTP server \(V(\d[-.\w]+)\) ready\.\r\n| p/IronPort mail appliance ftpd/ h/$1/ v/$2/ 
@@ -223,7 +235,7 @@ match ftp m|^220 AXIS ([-.\w]+) FTP Network Print Server V(\d[-.\w]+) [A-Z][a-z] match ftp m|^220 AXIS ([\d\w]+)V(\d\S+) (.*?) ready\.\n| p/AXIS $1 Webcam/ v/$2/ i/$3/ d/webcam/ match ftp m|^220 Axis (\d+) Network Camera (\d\S+) (.*?) ready\.\n| p/Axis $1 Webcam/ v/$2/ i/$3/ d/webcam/ match ftp m|^220 AXIS (\w+) Network Camera (\d\S+) \(.*\) ready\.\r\n| p/Axis $1 Webcam/ v/$2/ d/webcam/ -match ftp m|^220 AXIS (\d+) Video Server (\d\S+) (.*?) ready\.| p/AXIS $1 Video Server/ v/$2/ i/$3/ +match ftp m|^220 AXIS ([+\d]+) Video Server ?(\d\S+) (.*?) ready\.| p/AXIS $1 Video Server/ v/$2/ i/$3/ match ftp m|^220-Cerberus FTP Server Personal Edition\r\n220-UNREGISTERED\r\n| p/Cerberus FTP Server/ i/Personal Edition; Unregistered/ o/Windows/ match ftp m|^220-Welcome to Cerberus FTP Server\r\n220 Created by Grant Averett\r\n| p/Cerberus ftpd/ o/Windows/ match ftp m|^220 FTP print service:V-(\d[-.\w]+)/Use the network password for the ID if updating\.\r\n| p/Brother printer ftpd/ v/$1/ d/printer/ @@ -258,9 +270,11 @@ match ftp m/^220 FTP Server \[([\w-_.]+)\]\r\n/ p/ProFTPD/ o/Unix/ h/$1/ match ftp m|^220 ([\w-_.]+) FTP server ready\r\n| p/ProFTPD/ o/Unix/ h/$1/ match ftp m/^220.*ProFTP[dD].*Server ready/ p/ProFTPD/ o/Unix/ match ftp m|^220 ProFTP Server Ready\r\n| p/ProFTPD/ o/Unix/ +match ftp m|^220 ProFTP Ready\r\n| p/ProFTPD/ o/Unix/ match ftp m|^220 Welcome @ my\.ftp\.org\r\n$| p/ProFTPD/ o/Unix/ match ftp m|^220-.*\r\n220 ProFTPD ([\d.]+) Server|s p/ProFTPD/ v/$1/ o/Unix/ match ftp m|^220 .* FTP Server \(ProFTPD ([\d.]+) on Red Hat linux ([\d.]+)\) ready\.\r\n| p/ProFTPD/ v/$1/ i/RedHat $2/ o/Linux/ +match ftp m|^220 ProFTP-Server auf ([\w-_.]+)\r\n| p/ProFTPD/ i/German/ o/Unix/ # Hope these aren't too general -Doug match ftp m|^220 ([\w-_.]+) FTP server ready!\r\n| p/ProFTPD/ o/Unix/ h/$1/ match ftp m|^220 FTP Server ready\.\r\n$| p/ProFTPD/ o/Unix/ 
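Review bot: The added `220 ProFTP-Server auf ([\w-_.]+)` entry in the second hunk captures the host name but never uses it, while the neighbouring ProFTPD entries that capture a host report it with `h/$1/`. Either add the field, `p/ProFTPD/ i/German/ o/Unix/ h/$1/`, or drop the parentheses so the group does not suggest a value that is thrown away.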
@@ -402,15 +416,20 @@ match ftp m|^220 AXIS StorPoint CD E100 CD-ROM Server V([\d.]+) .* ready\.\r\n| match ftp m|^220 Qtopia ([\d.]+) FTP Server\n| p/Qtopia ftpd/ v/$1/ d/PDA/ match ftp m|^220[ -]Gene6 FTP Server v([\d.]+) \(Build \d+\).* ready\.\.\.\r\n| p/Gene6 ftpd/ v/$1/ o/Windows/ match ftp m|^220 G6 FTP Server v([\d.]+) \(beta (\d+)\) ready \.\.\.\r\n| p/Gene6 ftpd/ v/$1 beta $2/ o/Windows/ +match ftp m|^220 ([\w-_.]+) by G6 FTP Server ready \.\.\.\r\n| p/Gene6 ftpd/ h/$1/ o/Windows/ match ftp m|^220 sftpd/([\d.]+) Server \[[\w-_.]+\]\r\n| p/sftpd/ v/$1/ match ftp m|^220-TYPSoft FTP Server ([\d.]+) ready\.\.\.\r\n| p/TYPSoft ftpd/ v/$1/ o/Windows/ match ftp m|^220 Welcome to Pablo's FTP Server\r\n| p/Pablo's ftpd/ o/Windows/ match ftp m|^220 PowerLogic FTP Server ready\.\r\n| p/PowerLogic embedded device ftpd/ d/specialized/ match ftp m|^220 INTERMEC 540\+/542\+ FTP Printer Server V([\d.]+) .* ready\.\r\n| p|Intermec 540+/542+ printer ftpd| v/$1/ o/printer/ match ftp m|^220 EthernetBoard OkiLAN 8100e Ver ([\d.]+) FTP server\.\r\n| p/OkiLAN 8100e print server/ v/$1/ d/print server/ +match ftp m|^220 OKI-([\w+]+) Version ([\d.]+) ready\.\r\n| p/OkiData $1 printer ftpd/ v/$2/ d/printer/ # SpeedStream 5660 ADSL modem/router match ftp m|^220 VxWorks \(ENI-ftpd ([\d.]+)\) FTP server ready\r\n| p/SpeedStream 5660 ADSL router/ i|Runs ENI-ftpd/$1 on VxWorks| d/router/ -match ftp m|^220--------------------------------------------------------------------------------\r\n220-This is the \"Banner\" message for the Mac OS X Server's FTP server process\.\r\n.*220 ([\w-_.]+) FTP server \(Version: Mac OS X Server ([\d.]+) - \+GSSAPI\) ready\.\r\n|s p/Mac OS X Server ftpd/ i/MacOS X $2/ h/$1/ + +match ftp m|^220--------------------------------------------------------------------------------\r\n220-This is the \"Banner\" message for the Mac OS X Server's FTP server process\.\r\n.*220 ([\w-_.]+) FTP server \(Version: Mac OS X Server ([\d.]+) - \+GSSAPI\) ready\.\r\n|s p/Mac OS X 
Server ftpd/ i/MacOS X $2/ h/$1/ o/Mac OS X/ +match ftp m|^220--------------------------------------------------------------------------------\r\n220-This is the \"Banner\" message for the Mac OS X Server's FTP server process\.\r\n| p/Mac OS X Server ftpd/ o/Mac OS X/ + match ftp m|^220 Welcome to U\.S\.Robotics SureConnect ADSL Ethernet/USB Router update FTP server v([\d.]+)\.\r\n| p/USR SureConnect ADSL router ftpd/ v/$1/ d/router/ match ftp m|^220-Welcome to Xerver Free FTP Server ([\d.]+)\.\r\n220-\r\n220-You can login below now\.\r\n220 Features: \.\r\n| p/Xerver Free ftpd/ v/$1/ match ftp m|^220 ([\w-_.]+) FTP server \(tnftpd (\d+)\) ready\.\r\n| p/tnftpd/ v/$2/ h/$1/ @@ -436,6 +455,8 @@ match ftp m|^220 Server 47 FTP service\. Welcome\.\r\n| p/bftpd/ o/Unix/ match ftp m%^220-loading\.\.\r\n220-\| W e L c O m E @ SFXP\|=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\|\r\n% p/SwiftFXP/ match ftp m|^220 Z-FTP\r\n| p/Z-FTPd/ match ftp m|^220 DELL1700n Dell Laser Printer 1700n FTP Server ([\w.]+) ready\.\r\n| p/Dell 1700n laser printer ftpd/ v/$1/ d/printer/ +match ftp m|^220 Dell Laser Printer 3100cn\r\n| p/Dell 3100cn laser printer ftpd/ d/printer/ +match ftp m|^220 \w+ Dell Laser Printer M5200 FTP Server ([\d.]+) ready\.\r\n| p/Dell Laser Priner M5200 ftpd/ v/$1/ d/printer/ match ftp m|^220 Plan 9 FTP server ready\r\n| p/Plan 9 ftpd/ o/Plan9/ match ftp m=^220-\+----------------------\[ UNREGISTERED VERSION \]-----------------------\+\r\n220-\| This site is running unregistered copy of RaidenFTPD ftp server \+\r\n= p/RaidenFTPd/ i/Unregistered/ o/Windows/ match ftp m|^220.*\r\n220 ([\w-_.]+) FTP server \(Version: Mac OS X Server ([\d.]+) - \+GSSAPI\) ready\.\r\n|s p/MacOS X Server ftpd/ i/MacOS X Server $2/ h/$1/ 
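Review bot: The product string of the new M5200 entry in the second hunk is misspelled: `p/Dell Laser Priner M5200 ftpd/`. This text is what appears in scan output and in anything that keys on product names, so the typo would carry through to reports and inventories. The 1700n and 3100cn entries beside it use the form `Dell <model> laser printer ftpd`, so `p/Dell M5200 laser printer ftpd/` would fix the spelling and keep the three consistent.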
@@ -467,6 +488,18 @@ match ftp m|^220 Blue Coat FTP Service\r\n| p/Blue Coat ftpd/ match ftp m|^220 Homer Ftp Server\r\n| p/Homer ftpd/ o/Windows/ match ftp m|^220 Personal FTP Server ready\r\n| p/Personal FTPd/ o/Windows/ match ftp m|^220 \w+ Lexmark T642 FTP Server ([\w-_.]+) ready\.\r\n| p/Lexmark T642 printer ftpd/ i/Firmware $1/ d/printer/ +match ftp m|^431 Could not initialize SSL connection\r\n| p/FileZilla ftpd/ i/Mandatory SSL/ o/Windows/ +match ftp m|^220-InterVations FileCOPA FTP Server Version ([\d.]+) .*\r\n220 Trial Version\. (\d+) days remaining\r\n| p/InterVations FileCOPA ftpd/ v/$1/ i/Trial: $2 days left/ o/Windows/ +match ftp m|^220 cab Mach4/300 FTP Server ready\.\r\n| p/CAB MACH4 label printer ftpd/ d/printer/ +match ftp m|^220 (KM[\w+]+) FTP server \(KM FTPD version ([\d.]+)\) ready\.\r\n| p/Konica Minolta $1 ftpd/ v/$2/ d/printer/ +match ftp m|^220 Golden FTP Server ready v([\d.]+)\r\n| p/Golden ftpd/ v/$1/ o/Windows/ +match ftp m|^220 ITC Version ([\d.]+) of [\d-]+ X Kyocera UIO UMC 10base OK \r\n| p/X Kyocera UIO UMC 10base print server ftpd/ v/$1/ d/print server/ +match ftp m|^220 ActiveFax Version ([\d.]+) \(Build (\d+)\) - .*\r\n| p/ActiveFax ftpd/ v/$1 build $2/ +match ftp m|^220-Welcome to CrushFTP!\r\n220 CrushFTP Server Ready\.\r\n| p/CrushFTPd/ +match ftp m|^220 DPO-7300 FTP Server ([\d.]+) ready\.\n| p/NetSilicon DPO-7300 ftpd/ v/$1/ +match ftp m|^220 Welcome to WinFtp Server\.\r\n| p/WinFtpd/ o/Windows/ +match ftp m|^220 IBM TCP/IP for OS/2 - FTP Server ver ([\d:.]+) on .* ready\.\r\n| p|IBM OS/2 ftpd| v/$1/ o|OS/2| +match ftp m|^220 AudioVAULT FTP server\r\n| p/AudioVault ftpd/ o/Windows/ match ftp-proxy m|^220 Ftp service of Jana-Server ready\r\n| p/JanaServer ftp proxy/ o/Windows/ match ftp-proxy m|^220 FTP Gateway at Jana Server ready\r\n| p/JanaServer ftp proxy/ o/Windows/ 
@@ -479,7 +512,8 @@ match ftp-proxy m|^220 Secure Gateway FTP server ready\.\r\n| p/Symantec Enterpr match ftp-proxy m/^220-Sidewinder ftp proxy\. You must login to the proxy first/ p/Sidewinder FTP proxy/ match ftp-proxy m/^220-\r\x0a220-Sidewinder ftp proxy/s p/Sidewinder FTP proxy/ match ftp-proxy m|^220 webshield2 FTP proxy ready\.\r\n| p/Webshield2 FTP proxy/ o/Windows/ -match ftp-proxy m|^220 WinProxy FTP Gateway ready, enter username@host\[:port\]\r\n| p/WinProxy FTP Gateway/ o/Windows/ +match ftp-proxy m|^220 WinProxy FTP Gateway ready, enter username@host\[:port\]\r\n| p/WinProxy FTP proxy/ o/Windows/ +match ftp-proxy m|^220 WinProxy \(Version ([^)]+)\) ready\.\r\n| p/WinProxy FTP proxy/ v/$1/ o/Windows/ match ftp-proxy m|^220 Proxy602 Gateway ready, enter user@host\[:port\]\r\n| p/Proxy602 ftp proxy/ d/firewall/ match ftp-proxy m|^220 Java FTP Proxy Server \(usage: USERID=user@site\) ready\.\r\n| p/Java FTP Proxy/ match ftp-proxy m|^220 ([\w-_.]+) FTP proxy \(Version V([\d.]+)\) ready\.\r\n| p/Generic FTP proxy/ v/$2/ h/$1/ @@ -487,6 +521,7 @@ match ftp-proxy m|^220 CoolProxy FTP server & firewall\r\n| p/CoolProxy ftp prox match ftp-proxy m|^220 Finjan SurfinGate Proxy - Server Ready\.\r\n| p/Finjan SurfinGate ftp proxy/ match ftp-proxy m|^220 ([\w-_.]+) \(NetCache\) .*\r\n| p/NetApp NetCache ftp proxy/ h/$1/ match ftp-proxy m|^220 Welcome to ([\w-_.]+) Ftp Proxy Service\.\r\n| p/Proxy Suite ftp proxy/ h/$1/ +match ftp-proxy m|^220 Hi! Welcome on UserGate!\r\n| p/UserGate ftpd/ o/Windows/ # TODO kerio? #match ftp m|^421 Service not available \(The FTP server is not responding\.\)\n$| v/unknown FTP server//service not responding/ 
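Review bot: The added UserGate entry in the second hunk is filed under `ftp-proxy` but names the product `p/UserGate ftpd/`. The other entries visible in this block use a proxy name (`JanaServer ftp proxy`, `Proxy Suite ftp proxy`), and the first hunk renames WinProxy to `WinProxy FTP proxy` for the same reason. I would write `p/UserGate ftp proxy/` so that a report does not describe a gateway as an ordinary FTP daemon.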
@@ -511,6 +546,7 @@ match gkrellm m|^\nClient limit exceeded\.\n| p/GKrellM System Monitor/ match gkrellm m|^\nConnection not allowed from .*\n| p/GKrellM System Monitor/ match gopher m|^3Connection to 207\.250\.128\.187 is denied -- no authorization\.\r\n$| +match g6-remote m|^200 1400\r\n$| p/G6 ftpd remote admin/ o/Windows/ # Returns ASCII data in the following format: # |HardDrive1DevName|HardDrive1HardwareID|HardDrive1Temp|TempUnit| @@ -518,6 +554,8 @@ match gopher m|^3Connection to 207\.250\.128\.187 is denied -- no authorization\ match hddtemp m+^\|/dev/[hs]d\w\|+ p/hddtemp hard drive info server/ match hddtemp m+^\|$+ p/hddtemp hard drive info server/ +match hpiod m|^msg=MessageError\nresult-code=5\n$| p/HP Linux Imaging and Printing System/ + # And now for some SORRY web servers that just blurt out an http "response" upon connection!!! match http m|^HTTP/1\.1 200 OK\r\nContent-type: text/html\r\nExpires: .*\r\nDate: .*\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\nJAP\n| p/Java Anonymous Proxy/ match http m|^HTTP/1.0 500\r\nContent-type: text/plain\r\n\r\nNo Scan Capable Devices Found\r\n| p/HP Embedded Web Server remote scan service/ i/no scanner found/ d/printer/ @@ -530,6 +568,8 @@ match http m|^HTTP/1\.1 \d\d\d .*\r\nContent-Type: text/plain\r\nServer: WPA/([\ match http m|^HTTP/1\.0 503 R\r\nContent-Type: text/html\r\n\r\nBusy$| p/D-Link router http config/ d/router/ match http m|^501 Not Implemented\n

501 Not Implemented

\nThe server has not implemented your request type\.
\n\r\n$| p/Hummingbird Document Manager httpd/ match http m|^HTTP/1\.0 200 OK\r\nContent-Type: text/html\r\n\r\n\n\n
  • \n[^<]+\n
    • \nNice\n
      • \nNumber: \d+
      \nProgramArguments\n
        \n
      1. String: [^<]+
      2. \n| p/Apple lanuchd_debug httpd/ o/Mac OS X/ +match http m|^HTTP/1\.1 200 OK\r\nServer: Motion/([\d.]+)\r\n| p/Motion Camera httpd/ v/$1/ +match http m|^HTTP/1\.0 200 OK\r\nContent-Type: text/html\r\n\r\n\n\n
        • \ncom\.apple\.KernelEventAgent\n| p/Apple launchd_debugd httpd/ o/Mac OS X/ match hp-gsg m|^220 JetDirect GGW server \(version (\d[.\d]+)\) ready\r\n| p/HP JetDirect Generic Scan Gateway/ v/$1/ d/printer/ match hylafax m|^220 ([-.\w]+) server \(HylaFAX \(tm\) Version (\d[-.\w]+)\) ready\.\r\n$| p/HylaFAX/ h/$1/ v/$2/ o/unix/ @@ -557,8 +597,10 @@ match imap m|^\* OK ([-.\w]+) IMAP4rev1 MDaemon (\d[-.\w]+) ready\r\n| p/Alt-N M match imap m|^\* OK ([-.\w]+) IMAP4rev1 MDaemon (\d[-.\w]+) listo\r\n| p/Alt-N MDaemon imapd/ v/$2/ h/$1/ i/Spanish/ o/Windows/ # Dovecot IMAP Server - http://dovecot.procontrol.fi/ match imap m|^\* OK [Dd]ovecot ready\.\r\n| p/Dovecot imapd/ -match imap m|^\* OK \[CAPABILITY IMAP4rev1 SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL\+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS [^\]]+\] IMAP ready\.\r\n| p/Dovecot imapd/ +match imap m|^\* OK \[CAPABILITY IMAP4rev1 SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL\+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS [^\]]+\]| p/Dovecot imapd/ +#match imap m|^\* OK \[CAPABILITY IMAP4rev1 SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL\+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS [^\]]+\] MyIMAP server ready\.\r\n| p/Dovecot imapd/ match imap m|^\* OK \[[^\[]+\] Dovecot ready\.\r\n| p/Dovecot imapd/ +match imap m|^\* OK Welcome to [^.]+\. Dovecot ready\.\r\n| p/Dovecot imapd/ match imap m|^\* OK.*?Courier-IMAP ready\. Copyright 1998-(\d+) Double Precision, Inc\. See COPYING for distribution information\.\r\n| p/Courier Imapd/ i/released $1/ match imap m|^\* OK \[CAPABILITY IMAP4rev1 .*?Courier-IMAP ready\. Copyright 1998-(\d+) Double Precision, Inc\. See COPYING for distribution information\.\r\n| p/Courier IMAP4rev1 Imapd/ i/released $1/ match imap m|^\* OK CommuniGate Pro IMAP Server ([-.\w]+) at ([-.\w]+) ready\r\n$| p/CommuniGate Pro imapd/ h/$1/ v/$2/ 
@@ -576,10 +618,12 @@ match imap m|^\* OK Microsoft Exchange Server ([\d]+) IMAP4rev1 server version ( match imap m|^\* OK Der Microsoft Exchange Server \(IMAP4rev1, Version (\d[-.\w]+) \([-.\w]+\)\) steht zur Verf\xfcgung\.\r\n| p/Microsoft Exchange 2000 IMAP4rev1 server/ v/$1/ o/Windows/ i/German/ match imap m|^\* OK Der Microsoft Exchange Server 2003 IMAP4rev1-Server, Version ([\d.]+) \(([\w-_.]+)\), steht zur Verf\xfcgung\.\r\n| p/Microsoft Exchange 2003 IMAP4rev1 server/ v/$1/ h/$2/ o/Windows/ i/German/ match imap m|^\* OK Microsoft Exchange IMAP4rev1 kiszolg\xe1l\xf3 verzi\xf3 (\d[-.\w]+) \(([-.\w]+)\) k\xe9sz\r\n| p/Microsoft Exchange Server/ v/$1/ o/Windows/ h/$2/ i/Hungarian/ +match imap m|^\* OK Server Microsoft Exchange IMAP4rev1 verze ([\d.]+) \(([\w-_.]+)\) je p\xf8ipraven\.\r\n| p/Microsoft Exchange Server/ v/$1/ o/Windows/ h/$2/ i/Czech/ match imap m|^\* OK \[CAPABILITY (IMAP4 )?IMAP4REV1 .*IMAP4rev1 (200\d\.[-.\w]+) at| p/UW Imapd/ v/$2/ match imap m|^\* OK ([-.\w]+) Cyrus IMAP4 v([-.\w\+]+) server ready\r\n| p/Cyrus IMAP4/ h/$1/ v/$2/ match imap m|^\* OK ([-.\w]+) Cyrus IMAP4 v([-.\w\+]+)-Red Hat [-.\w\+]+ server ready\r\n| p/Cyrus IMAP4/ h/$1/ v/$2/ i/RedHat/ o/Linux/ +match imap m|^\* OK ([-.\w]+) Cyrus IMAP4 v([\w_.]+)-OS X ([\d.]+) server ready\r\n| p/Cyrus IMAP4/ v/$2/ h/$1/ i/Mac OS X $3/ o/Mac OS X/ match imap m|^\* OK ([-.\w]+) Cyrus IMAP4 Murder v([-.\w]+) server ready\r\n| p/Cyrus IMAP4 Murder/ h/$1/ v/$2/ match imap m|^\* OK Welcome to Binc IMAP v(\d[-.\w]+)| p/Binc IMAPd/ v/$1/ match imap m|^\* OK ([-.\w]+) IMAP4rev1 AppleMailServer (\d[-.\w]+) ready\r\n| p/AppleMailServer imapd/ h/$1/ v/$2/ 
@@ -600,6 +644,7 @@ match imap m|^\* OK IMAP ([\w-_.]+) \(Version ([\w-.]+)\)\r\n| p/SurgeMail imapd match imap m|^\* OK Samsung Contact IMAP server ([\d.]+) ready on ([\w-_.]+)\r\n| p/Samsung contact imapd/ v/$1/ h/$2/ match imap m|^\* OK \[([\w-_.]+)\] IMAP4rev1 Mercury/32 v([\w.]+) server ready\.\r\n| p|Mercury/32 imapd| v/$2/ h/$1/ o/Windows/ match imap m|^\* OK \[CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL\+ NAMESPACE UIDPLUS CHILDREN BINARY LANGUAGE XSENDER X-NETSCAPE XSERVERINFO AUTH=PLAIN\] ([\w-_.]+) IMAP4 service \(Sun Java\(tm\) System Messaging Server ([\w. ]+) \(built .*\)\)\r\n| p/Sun Java System Messaging Server imapd/ v/$2/ h/$1/ +match imap m|^\* OK \[CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL\+ NAMESPACE UIDPLUS CHILDREN BINARY LANGUAGE XSENDER X-NETSCAPE XSERVERINFO AUTH=PLAIN STARTTLS\] Messaging Multiplexor \(Sun Java\(tm\) System Messaging Server (\d[\w-_.]+) \(built .*\)\)\r\n| p/Sun Java System Messaging Multiplexor imapd/ v/$1/ match imap m|^\* OK ([\w-_.]+) IMAP4 service \(iPlanet Messaging Server ([\w. ]+) \(built .*\)\)\r\n| p/Sun iPlanet Messaging Server imapd/ v/$2/ i/HotFix $3/ h/$1/ match imap m|^\* OK Anonymous Mail Server v([\d.]+) IMAP4rev1 .*\r\n| p/Anonymous Mail Server imapd/ v/$1/ match imap m|^\* OK ([\w-_.]+) ModusMail IMAP4 Server ([\d.]+) ready\r\n| p/ModusMail imapd/ v/$2/ h/$1/ p/Windows/ 
@@ -614,6 +659,8 @@ match imap m|^\* OK IMAP4rev1 SmarterMail\r\n| p/SmarterMail imapd/ o/Windows/ match imap m|^\* OK Scalix IMAP server ([\d.]+) ready on bustest\.oz\r\n| p/Scalix imapd/ v/$1/ match imap m|^\* OK .* GoMail V([\w-_.]+) IMAP4rev1| p/GoMail mass mailing plugin imapd/ v/$1/ o/Windows/ match imap m|^\* OK IMAP4 ready! [\w-_.]+ Winmail Mail Server MagicWinmail Extend IMAP 101\r\n| p/Winmail imapd/ o/Windows/ +match imap m|^\* OK ([\w-_.]+) IMAP4rev1 Mailtraq \(([\d.]+)\) ready\r\n| p/Mailtraq imapd/ v/$2/ h/$1/ o/Windows/ +match imap m|^\* OK CALLPILOT CallPilot IMAP4rev1 v([\d.]+) server ready\r\n| p/Nortel CallPilot imapd/ v/$1/ d/telecom-misc/ # Fairly General match imap m|^\* OK IMAP4rev1 server ready at \d\d/\d\d/\d\d \d\d:\d\d:\d\d \r\n| p/MailEnable Professional imapd/ o/Windows/ @@ -624,6 +671,8 @@ softmatch imap m/^\* OK ([-.\w]+) [-.\w,:+ ]+imap[-.\w,:+ ]+\r\n$/i h/$1/ softmatch imap m/^\* OK [-.\w,:+ ]+imap[-.\w,:+ ]+\r\n$/i match imap-proxy m|^\* OK IMAP4 proxy ready\r\n| p/imap proxy/ +match imap-proxy m|^\* BYE PGP Universal no imap4 service here\r\n| p/PGP Universal imap proxy/ i/disabled/ +match imap-proxy m|^\* OK PGP Universal IMAP4rev1 service ready \(proxied server greeted us with: ([^)]+)\)\r\n| p/PGP Universal imap proxy/ i/Banner: $1/ # Cyrus IMSPD match imsp m|^\* OK Cyrus IMSP version (\d[-.\w]+) ready\r\n$| p/Cyrus IMSPd/ v/$1/ 
@@ -650,6 +699,9 @@ match irc m|^ERROR :Trying to reconnect too fast\.\r\n| p/Hybrid ircd/ # Hybrid-IRCD 7.0 on Linux 2.4 match irc m|^NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\nNOTICE AUTH :\*\*\* Checking Ident\r\nNOTICE AUTH :\*\*\* Found your hostname\r\nNOTICE AUTH :\*\*\* Got Ident response\r\n| p/Hybrid ircd/ match irc m|^ERROR :Closing Link: \[[\d.]+\] \(Throttled: Reconnecting too fast\) -Email ([\w-_.]+@[\w-_.]+) for more information\.| p/Unreal ircd/ i/Admin email $1/ +# Sometimes multiple emails are specified, bad emails, etc +match irc m|^ERROR :Closing Link: \[[\d.]+\] \(Throttled: Reconnecting too fast\) -Email .* for more information\.| p/Unreal ircd/ i/Admin email $1/ + match irc m|^ERROR :Closing Link: \[[\d.]+\] \(Too many unknown connections from your IP\)\r\n| p/Unreal ircd/ # No, Thomas Graf, this isn't leet :) @@ -689,6 +741,7 @@ match irc-proxy m|^:.*!pb@lam3rz\.de NOTICE \* :pb([-.\w]+)\r\n| p/psyBNC/ v/$1/ match irc-proxy m|^:.*!psyBNC@lam3rz\.de NOTICE \* :| p/psyBNC/ match irc-proxy m|^:sbnc!sbnc@sbnc\.soohrt\.org NOTICE \* :Wellcum\r\n| p/sbnc/ match irc-proxy m|^NOTICE AUTH :\*\*\* .*\r\nNOTICE AUTH :\*\*\* \[BNC ([\d.]+) | p/BNC irc-proxy/ v/$1/ +match irc-proxy m|^:Notice!notice@shroudbnc\.org NOTICE \* :\*\*\* shroudBNC([\d.]+) \$Revision: (\d+) \$| p/ShroudBNC/ v/$1 rev $2/ match iscsi m|^\x1b\[2JStarWind iSCSI Target v([\d.]+) \(Build 0x\w+, Win32, Alcohol Edition\)\r\n| p/StarWind iSCSI/ v/$1/ o/Windows/ 
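Review bot: The added fallback Unreal ircd entry in the first hunk still ends in `i/Admin email $1/`, but its pattern has no capturing group (`-Email .* for more information\.`), so `$1` refers to nothing. I have not checked how the parser treats an out-of-range substitution, but at best the field comes out empty. Either capture the text with `-Email (.*) for more information\.`, or drop the `i/` field from the fallback line.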
@@ -740,18 +793,18 @@ match netrek m|^<>============================================================== match ndmp m|^\x80\0\0L\0\0\0\0C\x88\xd7\xcb\0\0\0\0\0\0\x05\x02\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x04\0\0\0%Connected to BlueArc NDMP session \d+\n\0\0\0| p/BlueArc ndmpd/ -match mldonkey m|^.*\0\0\0\x06\0Donkey\x01\x0c\0\./donkey\.ini\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0| p/MLdonkey multi-network P2P GUI port/ -match mldonkey m|^\xff\xfd\x1f[\r\n* ]+Welcome to MLdonkey \r\n| p/MLdonkey multi-network P2P GUI port/ -match mldonkey m|^\xff\xfd\x1f\n\n\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\n\n Welcome to MLdonkey chrooted| p/MLdonkey multi-network P2P GUI port/ i/chrooted/ -match mldonkey m|^\xff\xfd\x1f ?Welcome to MLdonkey ?\n\x1b\[34mWelcome on mldonkey command-line\x1b\[2;37;0m\n\nUse \x1b\[31m\?\x1b\[2;37;0m for help\n\n\x1b\[7mMLdonkey command-line:\x1b\[2;37;0m\n> | p/MLdonkey multi-network P2P server control port/ -match mldonkey m|^\xff\xfd\x1fWelcome to MLDonkey ([\d.]+)\n\x1b\[34mWelcome on mldonkey command-line\x1b\[2;37;0m\n\nUse \x1b\[31m\?\x1b\[2;37;0m for help\n\n\x1b\[7mMLdonkey command-line:\x1b\[2;37;0m\n> | p/MLdonkey multi-network P2P server control port/ v/$1/ -match mldonkey m|^\xff\xfd\x1f\n\x1b\[34mWelcome on mldonkey command-line\x1b\[2;37;0m\n\nUse \x1b\[31m\?\x1b\[2;37;0m for help\n\n\x1b\[7mMLdonkey command-line:\x1b\[2;37;0m\n> | p/MLdonkey multi-network P2P server control port/ -match mldonkey m|^\xff\xfd\x1fWelcome to MLdonkey, visit http://mldonkey\.dyndns\.info for new Versions\n\x1b\[34mWelcome on mldonkey command-line\x1b\[2;37;0m\n\nUse \x1b\[31m\?\x1b\[2;37;0m for help\n\n\x1b\[7mMLdonkey command-line:\x1b\[2;37;0m\n> | p/MLdonkey multi-network P2P server control port/ -match mldonkey m|^\xff\xfd\x1f([^']+)'s mlDonkey\n\x1b\[34mWelcome on mldonkey command-line\x1b\[2;37;0m\n\nUse \x1b\[31m\?\x1b\[2;37;0m for 
help\n\n\x1b\[7mMLdonkey command-line:\x1b\[2;37;0m\n>| p/MLdonkey multi-network P2P server control port/ i/name $1/ - -match mldonkey m|^ADDDOWNLOAD\(\d+\)\nhash\(\d+\)\nstate\([\w ]+\)\ntransmit\(\d+\)\nsize\(\d+\)\nfile\(\w+\)\nshared\(\d+\)\nthroughput\(\d+\)\nelapsed\(\d+\)\n;| p/MLdonkey multi-network P2P server information port/ -match mldonkey m|^[\x00-\x10]\0\0\0\0\0[\x1a-\x1f]\0\0\0| p/MLdonkey multi-network P2P server/ -match mldonkey m|^Telnet connection from [\d.]+ rejected \(see allowed_ips setting\)\n| p/MLdonkey multi-network P2P server control port/ i/IP disallowed/ +match donkey m|^.*\0\0\0\x06\0Donkey\x01\x0c\0\./donkey\.ini\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0| p/MLdonkey multi-network P2P GUI port/ +match donkey m|^\xff\xfd\x1f[\r\n* ]+Welcome to MLdonkey \r\n| p/MLdonkey multi-network P2P GUI port/ +match donkey m|^\xff\xfd\x1f\n\n\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\n\n Welcome to MLdonkey chrooted| p/MLdonkey multi-network P2P GUI port/ i/chrooted/ +match donkey m|^\xff\xfd\x1f ?Welcome to MLdonkey ?\n\x1b\[34mWelcome on mldonkey command-line\x1b\[2;37;0m\n\nUse \x1b\[31m\?\x1b\[2;37;0m for help\n\n\x1b\[7mMLdonkey command-line:\x1b\[2;37;0m\n> | p/MLdonkey multi-network P2P server control port/ +match donkey m|^\xff\xfd\x1fWelcome to MLDonkey ([\d.]+)\n\x1b\[3.mWelcome on mldonkey command-line\x1b\[2;37;0m\n\nUse \x1b\[31m\?\x1b\[2;37;0m for help\n\n\x1b\[7mMLdonkey command-line:\x1b\[2;37;0m\n> | p/MLdonkey multi-network P2P server control port/ v/$1/ +match donkey m|^\xff\xfd\x1f\n\x1b\[34mWelcome on mldonkey command-line\x1b\[2;37;0m\n\nUse \x1b\[31m\?\x1b\[2;37;0m for help\n\n\x1b\[7mMLdonkey command-line:\x1b\[2;37;0m\n> | p/MLdonkey multi-network P2P server control port/ +match donkey m|^\xff\xfd\x1fWelcome to MLdonkey, visit http://mldonkey\.dyndns\.info for new Versions\n\x1b\[34mWelcome on mldonkey 
command-line\x1b\[2;37;0m\n\nUse \x1b\[31m\?\x1b\[2;37;0m for help\n\n\x1b\[7mMLdonkey command-line:\x1b\[2;37;0m\n> | p/MLdonkey multi-network P2P server control port/ +match donkey m|^\xff\xfd\x1f([^']+)'s mlDonkey\n\x1b\[34mWelcome on mldonkey command-line\x1b\[2;37;0m\n\nUse \x1b\[31m\?\x1b\[2;37;0m for help\n\n\x1b\[7mMLdonkey command-line:\x1b\[2;37;0m\n>| p/MLdonkey multi-network P2P server control port/ i/name $1/ +match donkey m|^ADDDOWNLOAD\(\d+\)\nhash\(\d+\)\nstate\([\w ]+\)\ntransmit\(\d+\)\nsize\(\d+\)\nfile\(\w+\)\nshared\(\d+\)\nthroughput\(\d+\)\nelapsed\(\d+\)\n;| p/MLdonkey multi-network P2P server information port/ +match donkey m|^[\x00-\x10]\0\0\0\0\0[\x1a-\x1f]\0\0\0| p/MLdonkey multi-network P2P server/ +match donkey m|^Telnet connection from [\d.]+ rejected \(see allowed_ips setting\)\n| p/MLdonkey multi-network P2P server control port/ i/IP disallowed/ +match donkey m|^HTTP/1\.1 404 Not Found\r\nDate: .*\r\nServer: eserver ([\d.]+)\r\nAccept-Ranges: bytes\r\nContent-Type: text/html\r\nContent-Length: \d+\r\n\r\n404 File not found - eserver is not a HTTP server| p/Lugdunum eserver/ v/$1/ # Monopoly game server match monopd m|^.*\n| p/monopd/ v/$1/ o/Unix/ 
@@ -796,7 +849,7 @@ match nntp m|^nnrpd: invalid option -- S\nUsage error\.\n| p/INN NNTPd/ i/broken match nntp m|^502 You have no permission to talk\. Goodbye.\r\n$| p/INN NNTPd/ i/unauthorized/ match nntp m|^200 ([-.\w]+) NNTP Service Ready - ([-.\w]+@[-.\w]+) \(DIABLO (\d[-.\w ]+)\)\r\n| p/Diablo NNTP service/ h/$1/ v/$3/ i/Admin: $2/ match nntp m|^200 NNTP Service (\d[-.\w ]+) Version: (\d[-.\w ]+) Posting Allowed \r\n| p/Microsoft NNTP Service/ v/$2/ i/posting ok/ o/Windows/ -match nntp m|^200 ([-.\w]+) DNEWS Version (\d[-.\w]+).*posting OK \r\n| p/Netwinsite DNEWS/ h/$1/ v/$2/ i/posting OK/ +match nntp m|^200 ([-.\w]+) DNEWS Version *(\d[-.\w]+).*posting OK \r\n| p/Netwinsite DNEWS/ h/$1/ v/$2/ i/posting OK/ match nntp m|^200 Leafnode NNTP Daemon, version (\d[-.\w]+) running at| p/Leafnode NNTPd/ v/$1/ match nntp m|^200 Lotus Domino NNTP Server for ([-./\w]+) \(Release (\d[-.\w]+), .*\) - Not OK to post\r\n$| p/Lotus Domino nntpd/ v/$2/ i/posting denied/ o/$1/ match nntp m|^200 Lotus Domino NNTP Server for ([-./\w]+) \(Release (\d[-.\w]+), .*\) - OK to post\r\n$| p/Lotus Domino nntpd/ v/$2/ i/posting ok/ o/$1/ 
@@ -828,11 +881,16 @@ match nntp m|^200 nntp//rss v([\d.]+) news server ready\r\n| p|nntp//rss nntpd| match nntp m|^200 Hi, you can post \(sn version ([\w.]+)\)\r\n| p/sn nntpd/ v/$1/ i/posting ok/ match nntp m|^200 ([\w-_.]+) NNTP Service Ready, posting permitted\r\n| p/JAMES nntpd/ h/$1/ i/posting ok/ match nntp m|^200 Jana news server ready - posting allowed\r\n| p/Jana nntpd/ i/posting ok/ o/Windows/ -match nntp m|^200 NNTP server NOFFLE ([\d.]+)\r\n| p/NOFFLE nntpd/ v/$1/ +match nntp m|^200 NNTP server NOFFLE ([\w.]+)\r\n| p/NOFFLE nntpd/ v/$1/ match nntp m|^200 Servizio NNTP [\d.]+ Version: ([\d.]+) Posting Allowed \r\n| p/Servizio nntpd/ v/$1/ i/posting ok/ match nntp m|^502 Could not get your access name\. Goodbye\.\r\n| p/inn2 nntpd/ i/unauthorized/ match nntp m|^201 NNTP server ready \(no posting\)\r\n502 No permission\r\n| p/Symantic Enterprise Firewall nntpd/ i/unauthorized/ d/firewall/ match nntp m|^502 ([\w-_.]+): Transfer permission denied to [\d.]+ - [\w-_.@]+ \(DIABLO ([\w-_.]+)\)\r\n| p/Diablo nntpd/ v/$2/ h/$1/ o/Unix/ +match nntp m|^200 ([\w-_.]+) - colobus ([\d.]+) ready - \(posting ok\)\.\r\n| p/Colobus nntpd/ v/$1/ i/posting ok/ +match nntp m|^200 Welcome to .* \(Typhoon v([\d.]+)\)\r\n| p/Typhoon nntpd/ v/$1/ +match nntp m|^200 Kerio MailServer ([\d.]+) NNTP server ready\r\n| p/Kerio MailServer nntpd/ v/$1/ + +match nntp-proxy m|^200 CCProxy NNTP Service\r\n| p/CCProxy NNTP proxy/ o/Windows/ softmatch nntp m|^200 [-\[\]\(\)!,/+:<>@.\w ]*nntp[-\[\]\(\)!,/+:<>@.\w ]*\r\n$| 
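Review bot: The new Colobus entry reports the wrong capture as the version: in `^200 ([\w-_.]+) - colobus ([\d.]+) ready` group 1 is the host name and group 2 is the version, yet the line ends in `v/$1/ i/posting ok/`. As written, the host name is printed in the version field and the real version is discarded. The line should end `p/Colobus nntpd/ v/$2/ h/$1/ i/posting ok/`.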
@@ -850,6 +908,7 @@ match p4d m|^..\0\0\0xfiles\0\x01\0\0\x005\0server\0\x01\0\0\x003\0server2\0\x02 match poweroff m|^201 Welcome to Poweroff ([\d.]+) created by Jorgen Bosman\r\n| p/Poweroffd/ v/$1/ o/Windows/ match pksd m|^usage: [/\w]*/etc/pksd\.conf conf_file\n$| p/PGP Public Key Server/ i/broken/ +match pioneer-game m|^welcome to the pioneers-meta-server version ([\d.]+)\n| p/Pioneer game meta server/ v/$1/ # UW POP2 server on Linux 2.4.18 match pop2 m|^\+ POP2 [-\[\].\w]+ v([-.\w]+) server ready\r\n$| p/UW POP2 server/ v/$1/ @@ -864,6 +923,7 @@ match pop3 m|^\+OK POP3 POPFile \(v(\d[-.\w]+)\) server ready\r\n| p/popfile pop match pop3 m|^\+OK ([-.+\w]+) NetMail POP3 Agent \$Re..sion: ([\d.]+) \$\r\n| p/Novell NetMail pop3d/ h/$1/ v/$2/ o/Unix/ match pop3 m|^\+OK ([-.+\w]+) Merak (\d[-.\w]+) POP3 | p/Merak mail server pop3d/ h/$1/ v/$2/ o/Windows/ match pop3 m|^\+OK \]-:\^:-\[ \]-:\^:-\[ POP3| p/Merak Mail Server pop3d/ o/Windows/ +match pop3 m|^\+OK ([\w-_.]+) [\w-_.]+ Mail Server ([\d.]+) POP3 .*\d:\d\d:\d\d \+| p/Merak Mail Server pop3d/ v/$2/ h/$1/ o/Windows/ # Mercury/32 3.32 pop3 Server module on Windows XP match pop3 m|^\+OK <\d{6,10}\.\d{4,6}@([-.+\w]+)>, POP3 server ready\.\r\n| p|Mercury/32 pop3d| o|Windows| h|$1| # gnu/mailutils pop3d 0.3.2 on Linux 
@@ -912,7 +972,8 @@ match pop3 m|^\+OK Lotus Notes POP3 server version Release ([-.\w]+) ready on | match pop3 m|^\+OK POP3 hotwayd v(\d[-.\w]+) -> The POP3-HTTPMail Gateway\.| p/hotwayd pop3d/ v/$1/ match pop3 m|^\+OK ([-.\w]+) POP3 service \(Netscape Messaging Server (\d[^(]+) \(built ([\w ]+)\)\)\r\n| p/Netscape Messenging Server pop3/ h/$1/ v/$2/ i/built on $3/ match pop3 m/^\+OK ([-.\w]+) Cyrus POP3 v(\d[-.\w]+) server ready , MercuryP/NLM v(\d[-.\w]+) ready.\r\n$| p/Mercury POP3 server/ v/$1/ o/Netware/ match pop3 m|^\+OK Microsoft Windows POP3 Service Version 1.0 <| p/Microsoft Windows 2003 POP3 Service/ v/1.0/ o/Windows 2000/ match pop3 m|^\+OK POP3 ([-.\w]+) v?(200\d\.[-.\w]+) server ready\r\n| p/UW Imap pop3d/ h/$1/ v/$2/ -match pop3 m|^\+OK POP3 v([\d.]+) server ready <[\w.]+@([\w-_.]+)>\r\n| p/UW Imap pop3d/ v/$1/ h/$2/ +match pop3 m|^\+OK POP3 v?([\d.]+) server ready <[\w.]+@([\w-_.]+)>\r\n| p/UW Imap pop3d/ v/$1/ h/$2/ match pop3 m|^\+OK POP3 \[([\w-_.]+)\] v([\d.]+) server ready\r\n| p/UW Imap pop3d/ h/$1/ v/$2/ match pop3 m|^\+OK POP3 server ready <\w{11}>\r\n$| p/WebSTAR pop-3 server/ match pop3 m|^\+OK Kerio MailServer (\d[-.\w]+) POP3 server ready <([-.\w@:]+)>\r\n$| p/Kerio MailServer POP3 Server/ v/$1/ i/$2/ 
@@ -993,6 +1057,7 @@ match pop3 m|^\+OK <[\d.]+@([\w-_.]+)> \[XMail ([\d.]+) POP3 Server\] service re match pop3 m|^\+OK <[\d.]+@([\w-_.]+)> \[XMail ([\d.]+) \(Linux/Ix86\) POP3 Server\] service ready; | p/XMail pop3d/ v/$2/ h/$1/ o/Linux/ match pop3 m|^\+OK Samsung Contact POP3 interface ready on: ([\w-_.]+)\r\n| p/Samsung Contact pop3d/ h/$1/ match pop3 m|^\+OK ([\w-_.]+) POP3 service \(Sun Java\(tm\) System Messaging Server ([\d.]+) \(built .*\) <| p/Sun Java System Messaging Server pop3d/ v/$2/ h/$1/ +match pop3 m|^\+OK Messaging Multiplexor \(Sun Java\(tm\) System Messaging Server (\d[\w-_.]+) \(built .*\)\)\r\n| p/Sun Java System Messaging Multiplexor pop3d/ v/$1/ match pop3 m|^\+OK POP3 Greetings from minipop ([\d.]+) <[\d.]+@([\w-_.]+)>\r\n| p/minipop pop3d/ v/$1/ h/$2/ match pop3 m|^\+OK Hermes ([\w. ]+) POP3 Ready\. <[\d.]+@([\w-_.]+)>\r\n| p/Hermes pop3d/ v/$1/ h/$2/ o/Windows/ match pop3 m|^\+OK ModusMail POP3 Server ([\d.]+) Ready <[\d.]+@([\w-_.]+)>\r\n| p/ModusMail pop3d/ v/$1/ h/$2/ o/Windows/ @@ -1007,6 +1072,8 @@ match pop3 m|^\+OK Hi\r\n| p/Zoe Java pop3d/ match pop3 m|^\+OK Pop server at ([\w-_.]+) starting\.\r\n| p/BorderWare firewall pop3d/ h/$1/ d/firewall/ match pop3 m|^\+OK localhost Winmail Mail Server POP3 ready\r\n| p/Winmail pop3d/ o/Windows/ match pop3 m|^\+OK Welcome to ([\w-_.]+), with Ability Mail Server ([\d.]+) by Code-Crafters\.\r\n| p/Code-Crafters pop3d/ v/$2/ h/$1/ o/Windows/ +match pop3 m|^\+OK DAWKCo POP3 Server v([\w-_.]+) ready <| p/DAWKCo pop3d/ v/$1/ o/Windows/ +match pop3 m|^\+OK Welcome to ([\w-_.]+), powered by Ocean Mail Server ([\d.]+) <[\d.]+@[\w-_.]+>\r\n| p/Ocean Mail Server pop3d/ v/$2/ h/$1/ o/Windows/ # These are fairly general match pop3 m|^\+OK POP3 Server ready\r\n$| p/zpop3d/ 
@@ -1023,6 +1090,9 @@ match pop3 m|^\+OK ready <[\d.]+@([\w-_.]+)>\r\n| p/qpopper/ h/$1/ match pop3 m|^\+OK Scalix POP3 interface ready on: ([\w-_.]+)\r\n| p/Scalix pop3d/ h/$1/ match pop3 m|^\+OK ([\w-_.]+) .* GoMail V([\d.]+) POP3| p/GoMail mass mailing plugin pop3d/ v/$2/ h/$1/ o/Windows/ match pop3 m|^\+OK POP3 Welcome to ([\w-_.]+) using the Internet Anywhere Mail Server Version: ([\d.]+)\. Build: (\d+) by True North Software, Inc\.| p/True North Internet Anywhere pop3d/ v/$2 build $3/ h/$1/ o/Windows/ +match pop3 m|^\+OK Authorized Users Only! \(([\w-_.]+)\)\r\n| p/Microsoft Exchange pop3d/ h/$1/ o/Windows/ +match pop3 m|^\+OK Welcome to mpopd V([\d.]+)\.\.\.\. :\)\r\n| p/mpopd perl pop3d/ v/$1/ +match pop3 m|^\+OK POP3 thats cool man\r\n| p/Mozilla Thunderbird webmail plugin pop3d/ match pop3-proxy m|^\+OK POP3 AnalogX Proxy (\d[-.\w]+) \(Release\) ready\.\n$| p/AnalogX POP3 proxy/ v/$1/ match pop3-proxy m/^\+OK CCProxy (\S+) POP3 Service Ready\r\n/ p/CCProxy pop3d/ v/$1/ 
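Review bot: The added `^\+OK Authorized Users Only! \(([\w-_.]+)\)\r\n` line is a hard match on text that reads like an administrator-set banner rather than a product string, yet it reports `p/Microsoft Exchange pop3d/ o/Windows/` as fact. Any other server configured with the same greeting would be reported as Exchange on Windows, which then feeds asset inventories and patch decisions. If the attribution rests on a single submission, say so in a comment above the line, e.g. `# Admin-configurable greeting; confirm against more Exchange samples`. The "thats cool man" line is at least unlikely to collide with anything else.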
@@ -1035,13 +1105,17 @@ match pop3-proxy m|^\+OK POP3 \(Spampal\) server ready \(USER command must inclu match pop3-proxy m|^\+OK Mirapoint POP3PROXY ([\w-.]+) server ready\r\n| p/Mirapoint pop3 proxy/ v/$1/ match pop3-proxy m|^\+OK AVG POP3 Proxy Server Beta - ([\d/.]+) \[[\d.]+\]\r\n| p/AVG pop3 proxy/ v/$1 Beta/ o/Windows/ match pop3-proxy m|^\+OK AVG POP3 Proxy Server ([\d/.]+) \[[\d.]+\]\r\n| p/AVG pop3 proxy/ v/$1/ o/Windows/ +match pop3-proxy m|^-ERR AVG POP3 Proxy Server: Cannot connect to the mail server!\r\n| p/AVG pop3 proxy/ i/broken/ o/Windows/ match pop3-proxy m|^\+OK FreePOPs/([\d.]+) pop3 server ready\r\n| p/FreePOPs pop3 proxy/ v/$1/ match pop3-proxy m|^\+OK POP3 Spam Inspector Spam Filter Gateway Version ([\d.]+) Ready\.\r\n| p/Spam Inspector pop3 proxy/ v/$1/ o/Windows/ match pop3-proxy m|^\+OK MailMarshal\(([\d.]+)\) POP3 server ready <[\d.]+@([\w-_.]+)>\r\n| p/MailMarshal pop3d/ v/$1/ h/$2/ match pop3-proxy m|^\+OK HTML2POP3 server ready \(([\d.]+)\)\r\n| p/HTML2POP3 pop3 proxy/ v/$1/ match pop3-proxy m|^\+OK ([\w-_.]+) POP3 proxy ready\r\n| p/pop3gwd pop3 proxy/ h/$1/ -match pop3-proxy m|^\+OK AVG POP3 Proxy Server <[\d.]+@([\w-_.]+)> ([\d.]+)/[\d.]+ \[[\d.]+\]\r\n| p/GriSoft anti-virus pop3 proxy/ v/$2/ h/$1/ o/Windows/ +match pop3-proxy m|^\+OK AVG POP3 Proxy Server <[\d.]+@([\w-_.]+)> ([\d.]+)/[\d.]+ \[[\d/.]+\]\r\n| p/GriSoft anti-virus pop3 proxy/ v/$2/ h/$1/ o/Windows/ match pop3-proxy m|^\+OK InterScan VirusWall POP3 Proxy\r\n| p/InterScan VirusWall pop3 proxy/ o/Windows/ +match pop3-proxy m|^\+OK WinProxy POP3 Proxy Ready\r\n| p/WinProxy pop3 proxy/ o/Windows/ +match pop3-proxy m|^\+OK MrPostman webmail proxy ready\r\n| p/MrPostman webmail pop3 proxy/ +match pop3-proxy m|^\+OK (.*) \(PGP Universal service is proxying this connection\)\r\n| p/PGP Universal pop3 proxy/ i/Proxied greeting: $1/ # http://echelon.pl/pubs/poppassd.html # you give it username, present password and new password, and 
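Review bot: The PGP Universal pop3-proxy line is added at the end of the pop3-proxy block, after every `match pop3` line, although its banner replays the proxied server's greeting in `(.*)`. The smtp-proxy counterpart added in the @@ -1139,8 +1214,17 @@ hunk is deliberately placed first, with the comment that general lines would otherwise match the replayed greeting. The same applies here: any earlier pop3 pattern that is not anchored with `\r\n` (GoMail, hotwayd, Merak and others) wins first and hides the proxy. Move the line above the first `match pop3` entry and carry the comment over, e.g. `# Goes at the top: general pop3 lines match the replayed greeting`. The pop3 block starts outside this hunk.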
@@ -1049,6 +1123,7 @@ match pop3-proxy m|^\+OK InterScan VirusWall POP3 Proxy\r\n| p/InterScan VirusWa # poppassd 1.8.1 match pop3pw m|^200 ([-.\w]+ )?poppassd v(\d[-.\w]+) hello, who are you\?\r\n| p|Poppassd| v|$2| i|http://echelon.pl/pubs/poppassd.html| match pop3pw m|^200 poppassd hello, who are you\?\r\n| p/poppassd/ +match pop3pw m|^200 hello there, who are you\?\r\n| p/poppassd/ match pop3pw m|^200 poppassd v([\w.]+) for Digital Unix with C2 security Hello, who are you\?\r\n| p/poppassd/ i/Digital Unix with C2 security/ v/$1/ o/DIGITAL UNIX/ match pop3pw m|^200 courierpassd v(\d[-.\w]+) hello, who are you\?\r\n| p/Courierpassd pop3 password change daemon/ match pop3pw m|^200 ([-.+\w]+) MercuryW PopPass server ready\.\r\n| p|Mercury/32 poppass service| o|Windows| h|$1| @@ -1139,8 +1214,17 @@ match shell m|^\x01remshd: getservbyname\n$| p/HP-UX Remshd/ o/HP-UX/ # Backdoor shell! match shell m|^(ba)?sh-\d\.\d\d# $| p/ROOT SHELL/ +match satstrat m|^VERSION ([\d.]+)\r\nJOIN 0\r\nNICK 0 !SaCkS\r\nJOIN 1\r\n| p/SatStrat/ v/$1/ +match securepath m|^GENERAL: \d+ \d+\n$| p/HP StorageWorks SecurePath/ o/Windows/ +match service-monitor m|^\0\0\0\x18\0\0..\0\0..\xff\xff\xff\xff\xff\xff\xff\xff\0\0\0\x02\0\0\0\0\0\0\0\x15spectrum\0spectrum\0\0\0\0| p/CA Spectrum/ + # good SMTP banner regexps can be found here: # http://www.tty1.net/smtp-survey/measurement_en.html + +# Goes at the top because some general match lines (Exim) +# will match the replayed greeting of the proxied server! +match smtp-proxy m|^220 ([\w-_.]+) PGP Universal service ready \(proxied server greeted us with: (.*)\)\r\n| p/PGP Universal smtp proxy/ h/$1/ i/Proxied greeting: $2/ + match smtp m|^220 ([-/.+\w]+) MailGate ready for ESMTP on | p/MailGate smtpd/ h/$1/ o/Windows/ match smtp m|^220 ([-/.+\w]+) SMTP ready to roll\r\n| p/Hotmail Popper hotmail to smtp gateway/ h/$1/ match smtp m|^220 ([-/.+\w]+) AvMailGate-(\d[-.\w]+)\r\n| p/AvMailGate smtp anti-virus mail gateway/ h/$1/ v/$2/ 
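Review bot: In the second hunk on this line, the new `service-monitor` pattern uses `..` for two binary fields but has no `s` option after the closing delimiter. Without it `.` does not match a newline byte, so a response with 0x0a in either field is missed and falls through unidentified. Other binary signatures in this file (artsd, osiris) already append `s`; the same is needed here: `...spectrum\0spectrum\0\0\0\0|s p/CA Spectrum/`.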
@@ -1193,6 +1277,7 @@ match smtp m/^220 ([-.+\w]+) ESMTP Server \(Microsoft Exchange Internet Mail Ser match smtp m|^220 \+OK Microsoft Exchange SMTP server version ([\d.]+)\r\n| p/Microsoft Exchange/ v/$1/ o/Windows/ match smtp m|^220[\s-](\S+) E?SMTP Sendmail (\d[^; ]+)| p/Sendmail/ h/$1/ v/$2/ o/Unix/ match smtp m|^220[\s-](\S+) E?SMTP Sendmail AIX([\d.]+)/(\d[^; ]+)| p/Sendmail/ h/$1/ v/$3/ i/AIX $2/ o/AIX/ +match smtp m|^220[\s-](\S+) E?SMTP Sendmail AIX([\d.]+)/UCB (\d[^; ]+);| p/Sendmail/ h/$1/ v/$3/ i/AIX $2/ o/AIX/ match smtp m|^220[\s-](\S+) Sendmail (SMI-\S+) ready at .*\r\n$| p/Sendmail/ h/$1/ v/$2/ o/Unix/ match smtp m|^220[\s-]([\w-_.]+) Sendmail (\S+) ready at .*\r\n| p/Sendmail/ h/$1/ v/$2/ o/Unix/ match smtp m/^220[- ]([^\r\n]+) ESMTP Exim (V?\d\S+)/ p/Exim smtpd/ h/$1/ v/$2/ 
@@ -1354,9 +1439,20 @@ match smtp m|^220-([\w-_.]+) ESMTP .* GoMail V([\d.]+);| p/GoMail mass mailing p match smtp m|^220 [\w-_.]+ Winmail Mail Server ESMTP ready\r\n| p/Winmail smtpd/ o/Windows/ match smtp m|^220 ([\w-_.]+) ESMTP \(Code-Crafters Ability Mail Server ([\d.]+)\)\r\n| p/Code-Crafters Ability smtpd/ v/$2/ h/$1/ o/Windows/ match smtp m|^220 ([\w-_.]+) SMTP Welcome to the Internet Anywhere Mail Server Version: ([\d.]+)\. Build: (\d+) by True North Software, Inc\.\r\n| p/True North Internet Anywhere smtpd/ v/$2/ i/Build $3/ h/$1/ o/Windows/ +# Notice the ; immediatley after the host +match smtp m|^220 ([\w-_.]+); .* \+\d+\r\n| p/Webwasher CSM Suite smtpd/ h/$1/ +match smtp m|^451 Temporary local problem - please try later\r\n| p/Qmail smtpd/ +match smtp m|^220 ([\w-_.]+) Miralix SMSGwSMTP Ready\r\n| p/Miralix SMTP2SMS Gateway/ h/$1/ o/Windows/ +match smtp m|^554 Please check your SMTP server is set to smtp\.wanadoo\.co\.uk\. Further help is available at| i/Wanadoo blocks smtp - NOT A REAL smtpd!/ +match smtp m|^220 ([\w-_.]+) V([\d-_.]+), OpenVMS V([\d.]+) Alpha ready at .* \r\n| p/OpenVMS smtpd/ v/$2/ h/$1/ i/OpenVMS $3/ o/OpenVMS/ +match smtp m|^220 rblsmtpd\.local\r\n| p/rblsmtpd wrapped smtpd/ i/Connecting from banned IP/ +match smtp m|^220 Welcome to the Advanced SMTP Server\r\n| p/SoftStack Advanced smtpd/ o/Windows/ +match smtp m|^220 SurgeSMTP \(Version ([\w-_.]+)\) http://surgemail\.com\r\n| p/Netwin Surgemail smtpd/ v/$1/ +match smtp m|^220 HMailServer ESMTP\r\n| p/HMailServer smtpd/ o/Windows/ +match smtp m|^220 SMTP-Server The Croatian Classic Hamster Ver\. [\d.]+ \(Podverzija ([\d.]+)\)\r\n| p/Classic Hamster smtpd/ v/$1/ i/Croatian/ +match smtp m|^220 I, CALLPILOT\[[\d.]+\], speak ESMTP\. 
Talk to me\.\r\n| p/Nortel CallPilot imapd/ d/telecom-misc/ -# Fairly general -# Giving problems: +# Giving problems: added a better match line to the Help probe -Doug #match smtp m|^220 ([\w-_.]+) ESMTP ([^;]+); [A-Z][a-z][a-z], .*\r\n| p/Merak Mail Server smtpd/ h/$1/ o/Windows/ match smtp-proxy m|^220 ([\w-_.]+) SMTP/DeleGate/([\d.]+) ready at .*\r\n| p/DeleGate smtpd/ v/$2/ h/$1/ 
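Review bot: The CallPilot line is a `match smtp` entry whose banner says "speak ESMTP", but its product string is `p/Nortel CallPilot imapd/`, apparently copied from an IMAP entry. It should be `p/Nortel CallPilot smtpd/ d/telecom-misc/`. Separately, `^451 Temporary local problem - please try later\r\n` is attributed to Qmail. As far as I know that sentence is Exim's stock temporary-failure text, so the attribution is worth re-checking against the submitting host before it is hard-matched.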
@@ -1370,13 +1466,15 @@ match smtp-proxy m|^220 ([\w-_.]+) Welcome SpamFilter for ISP SMTP Server v([\d. match smtp-proxy m|^220 Welcome to the 1st SMTP Server\r\n| p/1st SMTP relay/ o/Windows/ match smtp-proxy m|^421 proxyplus\.universe SMTP server\. Insecure access - terminating\.\r\n| p/Proxyplus smtp proxy/ i/Access denied/ o/Windows/ match smtp-proxy m|^220 AVG ESMTP Proxy Server Beta - ([\d./]+) \[[\d.]+\]\r\n| p/GriSoft anti-virus smtp proxy/ v/$1/ o/Windows/ -match smtp-proxy m|^220 AVG ESMTP Proxy Server ([\d./]+) \[[\d.]+\]\r\n| p/GriSoft anti-virus smtp proxy/ v/$1/ o/Windows/ +match smtp-proxy m|^220 AVG ESMTP Proxy Server ([\d./]+) \[[\d./]+\]\r\n| p/GriSoft anti-virus smtp proxy/ v/$1/ o/Windows/ match smtp-proxy m|^554 ([\d.]+) ([\w-_.]+) No mail service\r\n| p/Symantec SGS smtp proxy/ v/$1/ h/$2/ match smtp-proxy m|^220 ([\w-_.]+) ESMTP Scalix SMTP Relay ([\d.]+); .*\r\n| p/Scalix smtp relay/ v/$2/ h/$1/ match smtp-proxy m|^220 Traffic Inspector SMTP Gate \(SPAM protected\), ver\. ([\d.]+), ready at.*\r\n| p/Smart-Soft spam filtering smtp-proxy/ v/$1/ o/Windows/ match smtp-proxy m|^220 mailwall SMTP Server \(Ikarus MailWall by David Grabenweger\) ready\r\n| p/Ikarus MailWall smtp-proxy/ +match smtp-proxy m|^220 ([\w-_.]+) ESMTP - eXpurgate ([\d.]+) \(| p/eXpurgate smtp proxy/ v/$2/ h/$1/ +match smtp-proxy m|^220 CCProxy ([\d.]+) SMTP Service Ready\(Unregistered\)\r\n| p/CCProxy smtp proxy/ v/$1/ i/Unregistered/ o/Windows/ -match fw1-topology m|^Q\0\0\0$| p/Checkpoint FW1 Topology/ d/firewall/ +match fw1-topology m|^[QY]\0\0\0$| p/Checkpoint FW1 Topology/ d/firewall/ softmatch smtp m|^220[\s-].*?E?SMTP[^\r]*\r\n| 
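Review bot: The release AVG ESMTP line now accepts a slash in the bracketed field (`\[[\d./]+\]`), but the Beta line directly above it still has `\[[\d.]+\]`. A Beta build that prints the same slash-containing field would still drop to the softmatch. Widen that line the same way: `Beta - ([\d./]+) \[[\d./]+\]\r\n`. The pop3-proxy AVG lines in the @@ -1035,13 +1105,17 @@ hunk are split the same way: only the `<...@host>` variant got `[\d/.]+`, while the Beta and plain release lines kept `[\d.]+`.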
@@ -1388,6 +1486,7 @@ match snpp m|^220 ([-.\w]+) SNPP server \(HylaFAX \(tm\) Version ([-.\w]+)\) rea match snpp m|^220 QuickPage v(\d[-.\w]+) SNPP server ready at | p/QuickPage SNPP/ v/$1/ match sourceoffice m|^200\r\nProtocol-Version:(\d[.\d]+)\r\nMessage-ID:\d+\r\nDatabase .*\r\nContent-Length:\d+\r\n\r\n(\w:\\.*ini)\r\n\r\n| p/Sourcegear SourceOffSite/ i/Protocol $1; INI file: $2/ +match sourceoffice m|^250\r\nProtocol-Version:(\d[.\d]+)\r\nMessage-ID:\d+\r\nDatabase .*\r\nContent-Length:\d+\r\nKey Length:(\d+)\r\n\r\n.*(\w:\\.*ini)\r\n\r\n|s p/Sourcegear SourceOffSite/ i/Protocol $1; Key len: $2; INI file: $3/ match ssh m|^\0\0\0\$\0\0\0\0\x01\0\0\0\x1bNo host key is configured!\n\r!\"v| p/Foundry Networks switch sshd/ i/broken: No host key configured/ match ssh m|^SSH-(\d[\d.]+)-SSF-(\d[-.\w]+)\n| p/SSF French SSH/ v/$2/ i/protocol $1/ @@ -1408,6 +1507,7 @@ match ssh m|^SSH-(\d[.\d]+)-Cisco-(\d[.\d]+)\n$| p/Cisco SSH/ v/$2/ i/protocol $ match ssh m|^\r\nDestination server does not have Ssh activated\.\r\nContact Cisco Systems, Inc to purchase a\r\nlicense key to activate Ssh\.\r\n| p/Cisco CSS SSH/ i/Unlicensed/ match ssh m|^SSH-(\d[.\d]+)-SSH Protocol Compatible Server SCS (\d[-.\w]+)\n| p/NetScreen SCS sshd/ v/$2/ i/protocol $1/ match ssh m|^SSH-(\d[.\d]+)-VShell_(\d[._\d]+) VShell\r\n$| p/VanDyke VShell/ v/$SUBST(2,"_",".")/ i/protocol $1/ +match ssh m|^SSH-2\.0-0\.0 \r\n| p/VanDyke VShell/ i/version info hidden/ match ssh m/^SSH-([.\d]+)-(\d[-.\w]+) sshlib: WinSSHD (\d[-.\w]+)\r\n/ p/Bitvise WinSSHD/ v/$3/ i/protocol $1/ o/Windows/ match ssh m/^SSH-([.\d]+)-(\d[-.\w]+) sshlib: WinSSHD\r\n/ p/Bitvise WinSSHD/ i/protocol $1; server version hidden/ o/Windows/ # Cisco VPN 3000 Concentrator 
@@ -1420,7 +1520,7 @@ match ssh m|^SSH-1\.5-FucKiT RootKit by Cyrax\n| p/FucKiT RootKit sshd/ i/protoc match ssh m|^SSH-2\.0-dropbear_([\w.]+)\r\n| p/Dropbear sshd/ v/$1/ i/protocol 2.0/ match ssh m|^Access to service sshd from [\w-_.]+@[\w-_.]+ has been denied\.\r\n| p/libwrap'd OpenSSH/ i/Access denied/ match ssh m|^SSH-2\.0-FortiSSH_([\d.]+)\n| p/FortiSSH/ v/$1/ i/protocol 2.0/ -match ssh m|^SSH-2\.0-cryptlib\r\n| p/APC AOS cryptlib sshd/ i/protocol 2.0/ o/AOS/ +match ssh m|^SSH-([\d.]+)-cryptlib\r?\n| p/APC AOS cryptlib sshd/ i/protocol $1/ o/AOS/ match ssh m|^SSH-2\.0-1\.0 Radware SSH \r\n| p/Radware sshd/ i|protocols 1.0/2.0| d/firewall/ match ssh m|^SSH-1\.5-By-ICE_4_All \( Hackers Not Allowed! \)\n| p/ICE_4_All backdoor sshd/ i/protocol 1.5/ match ssh m|^SSH-2\.0-mpSSH_([\d.]+)\n| p/mpSSH/ v/$1/ i/protocol 2.0/ @@ -1434,6 +1534,10 @@ match ssh m|^SSH-2\.0-RomCliSecure_([\d.]+)\r\n| p/Adtran Netvanta RomCliSecure match ssh m|^SSH-2\.0-([\d.]+) sshlib: GlobalScape\r\n| p/GlobalScape CuteFTP sshd/ v/$1/ o/Windows/ match ssh m|^SSH-2\.0-APSSH_([\w.]+)\n| p/APSSHd/ v/$1/ i/protocol 2.0/ match ssh m|^SSH-2\.0-Twisted\r\n| p/Kojoney SSH honeypot/ i/protocol 2.0/ +match ssh m|^SSH-2\.0-Mocana SSH \r\n| p/Mocanada embedded SSH/ i/protocol 2.0/ +match ssh m|^SSH-1\.99-InteropSecShell_([\d.]+)\n| p/InteropSystems SSH/ v/$1/ i/protocol 1.99/ o/Windows/ +match ssh m|^SSH-2\.0-WeOnlyDo(-wodFTPD)? ([\d.]+)\r\n| p/WeOnlyDo sshd/ v/$2/ i/protocol 2.0/ o/Windows/ +match ssh m|^SSH-2\.0-PGP\n| p/PHP Universal sshd/ i/protocol 2.0/ softmatch ssh m/^SSH-([.\d]+)-/ i/protocol $1/ 
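Review bot: Two of the product strings added in the second hunk on this line do not agree with the banners they match. `^SSH-2\.0-Mocana SSH \r\n` reports `p/Mocanada embedded SSH/`, and `^SSH-2\.0-PGP\n` reports `p/PHP Universal sshd/`, while the pop3-proxy and smtp-proxy lines in this commit call the same product "PGP Universal". These strings end up verbatim in scan output and in anything that keys on product names, so they should read `p/Mocana embedded SSH/` and `p/PGP Universal sshd/`.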
@@ -1537,6 +1641,8 @@ match telnet m/^\xff\xfa\x18\x01\xff\xf0\xff\xfb\x01\xff\xfb\x03Ambit Cable Rout match telnet m|^\xff\xfc\x01\r\nHP JetDirect\r\n\r\nPlease type \"?\" for HELP, or \"/\" for current settings\r\n> $| p/HP JetDirect telnetd/ d/printer/ match telnet m/^\n\rVina Technologies (.*) \((\d[-.\w]+ build \d+)\)/ p/Vina Technologies $1 telnetd/ v/$2/ match telnet m/^\xff\xfd\x03\xff\xfb\x03\xff\xfb\x01\x1b\[0m\x1b\[1;1H\x1b\[2J\rD\r \n\r (DES-.*) Command Line Interface\n\r\n/ p/D-Link $1 telnetd/ +match telnet m|^\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03\x1b\[0m\x1b\[2J\x1b\[0m\x1b\[2J\x1b\[21;1H\x1b\[0m\*+\x1b\[22;1H\x1b\[0mMessage Area:\x1b\[24;1H\x1b\[7mCTRL\+R = Refresh +\x1b\[9;16H\x1b\[0mDES-3624 Stackable Fast Ethernet Switch Console Management\x1b| p/D-Link DES-3624 switch telnetd/ d/switch/ + match telnet m/^\xff\xfb\x01\xff\xfb\x03\xff\xfc\x1f\n\r\n\rUser Access Verification\n\r\n\r\n\r\n\r\n\rShell version (\d\S+).*Maipu Communication Technology Co\./ p/Maipu Router/ i/shell v$1/ d/router/ match telnet m/^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x03\x1b.*Intel Corporation, ([-+. \w()]+)/s p/Intel telnetd/ i/on $1/ match telnet m|^\r\nFlowPoint/(.*) Ready\r\n.*\xff\xfb\x01\xff\xfb| p/Flowpoint telnet/ i/on $1/ 
@@ -1593,7 +1699,8 @@ match telnet m|^\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03\r\n\r\nWelcome to Print Ser match telnet m|^\x1b\[0m\x1b\[2J\x1b\[01;28HCONEXANT SYSTEMS, INC\.\x1b\[02;19H ACCESS RUNNER ADSL CONSOLE PORT\x1b\[24;01H>>>\x1b\[24;01HLOGON PASSWORD>\x1b\[02;53H3\.\d+\x1b\[24;17H\x1b\[24;17H\x1b\[24;17H\x1b\[24;17H| p/Conexant Access Runner adsl router telnetd/ d/router/ match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f\r\n\r\nWelcome on (.*)\r\n\r\n\r\nUsername: | p/Cisco Router 2621 telnetd/ i/Banner: $1/ match telnet m|^\xff\xfb\x01\xff\xfd\x18\nTelnet Service on the PrintServer\n\n\rPassword: | p|Hawking/TRENDnet Print Server telnetd| d/print server/ -match telnet m|^\xff\xfb\x01\xff\xfb\x03\r\n\r\n Welcome to OpenVMS \(TM\) Alpha Operating System, Version V([\d.]+) \r\n\r\n\rUsername: | p/OpenVMS telnetd/ o/OpenVMS $1/ +match telnet m|^\xff\xfb\x01\xff\xfb\x03\r\n\r\n Welcome to OpenVMS \(TM\) Alpha Operating System, Version V([\d.]+) \r\n\r\n\rUsername: | p/OpenVMS telnetd/ i/OpenVMS $1/ o/OpenVMS/ +match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x03\xff\xfd\x18\xff\xfd\x1f\xff\xfd \xff\xfd!\x07\r\n\r\n Welcome to OpenVMS \(TM\) Alpha Operating System, Version V([\w-_.]+) \r\n\r\n\rUsername: | p/OpenVMS telnetd/ i/OpenVMS $1/ o/OpenVMS/ match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01\x1b\[0;37;40m\x1b\[2J\x1b\[0;37;40m\x1b\[1m\x1b\[5;27HVertical Horizon Stack Manager\x1b\[0;37;40m\x1b\[1m\x1b\[10;26HEnterasys Networks, Incorporated| p/Enterasys Vertical Horizon Manager/ d/switch/ match telnet m|^\xff\xfd\($| p|IBM OS/390 or SNA telnetd| match telnet m|^\xff\xfb\r\nRemotelyAnywhere Telnet Server v([\d.]+)\r\n.*\r\n\r\n([\w-_. ]+) login\r\nuser name: | p/RemotelyAnywhere telnetd/ v/$1/ i/Name $2/ o/Windows/ 
@@ -1742,8 +1849,10 @@ match telnet m|^Sorry telnet connections not permitted\.\n$| p/Aruba router teln match telnet m|^\r\nSorry, this system is engaged\.\r\n$| p/DirecWay satellite router telnetd/ d/router/ match telnet m|^\xff\xfd\x01\xff\xfd!\xff\xfb\x01\xff\xfb\x03\r\nBusyBox on \(none\) login: | p/BusyBox telnetd/ match telnet m|^\xff\xfd\x01\xff\xfd!\xff\xfb\x01\xff\xfb\x03\r\nBusyBox on ([\w-_.]+) login: | p/BusyBox telnetd/ h/$1/ +match telnet m|^\xff\xfd\x01\xff\xfd!\xff\xfb\x01\xff\xfb\x03\r\n\r\nBusyBox v([\d.]+) \(| p/BusyBox telnetd/ v/$1/ match telnet m|^\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03\x1b\(B\x1b\)0\x1b\[2J\x1b\[H\x1b\[m\x0f\x1b\[10;32H\x0e \x1b\[11;32H lq\x0f\x1b\[1mLogin\x0e\x1b\[mqqqqqqqqk\x1b\[12;32H x\x1b\[13C x\x1b\[13;32H mqqqqqqqqqqqqqqj\x1b\[12;34H| p/Adtran Atlass 500 T1 router telnetd/ d/router/ match telnet m|^\xff\xfb\x01\xff\xfd\x1fHummingbird Ltd\., Windows NT, Telnetd \((\w+) Version ([\d.]+)\)\r\n\r\nlogin: | p/Hummingbird windows telnetd/ v/$2/ h/$1/ o/Windows/ +match telnet m|^\xff\xfb\x01Hummingbird Communications Ltd\., Windows NT, Telnetd Version ([\d.]+) \(([\w-_.]+)\)\r\n\r\n login: | p/Hummingbird windows telnetd/ v/$1/ h/$2/ o/Windows/ match telnet m|^\xff\xfb\x01\xff\xfb\x03\r\nUser Access Verification\r\n\r\nPlease Enter Login Name: | p/Foundry FastIron switch telnetd/ d/switch/ match telnet m|^\xff\xfd\x01\xff\xfd!\xff\xfb\x01\xff\xfb\x03\r\r\n\x1b\[\?3l\x1b\[2JPlease enter your user name and password!! \r\n\r\nLogin:| p/Hawking Technology print server telnetd/ d/print server/ match telnet m|^\xff\xfb\x01\r\nD-Link Access Point login: | p/D-Link Access Point telnetd/ d/router/ 
@@ -1763,16 +1872,38 @@ match telnet m|^TELNET server version ([\d.]+) ready at \r\n\r\r\npassword: \xff match telnet m|^\xff\xfb\x01\r\n#-+\r\n# Tasman Networks Inc\. Telnet Login\r\n#| p/Tasman Networks router telnetd/ d/router/ match telnet m|^\n\r\n\rHi! I am your Net Tamagotchi! I love you!!| p/Net Tamagotchi telnetd/ match telnet m|^\xff\xfd\x03\xff\xfb\x01\r\n\r\n\t\t Welcome to P330\r\n\t\tSW version ([\d.]+)\r\n\r\n\r\nLogin: | p/Avaya P330 switch telnetd/ v/$1/ d/switch/ +match telnet m|^\xff\xfd\x03\xff\xfb\x01\r\n\r\n\t\tWelcome to P333R\r\n\t\tSW version ([\d.]+)\r\n\r\n\r\nLogin: | p/Avaya P333R switch telnetd/ v/$1/ d/switch/ match telnet m|^\xff\xfb\x01\xff\xfd\x01\xff\xfb\x03\xff\xfd\x03\xff\xfb\x05\xff\xfd\x05\xff\xfd\x1fSpeedStream Telnet Server\r\n\r\n\r\nlogin: | p/SpeedStream router telnetd/ d/router/ match telnet m|^\xff\xfd\x01\xff\xfd\x1f\xff\xfd!\xff\xfb\x01\xff\xfb\x03\r\r\n\r\n\rwelcome on your dreambox! - Kernel (\d[\w.]+) \([\d:]+\)\.\r\n\r([\w-_.]+) login: | p/Dreambox DVB telnetd/ d/media device/ i/Kernel $1/ h/$2/ match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x1f\r\n\x1b\[34;1m \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \r\n\x1b\[34;1m| p/SAP J2EE engine telnetd/ match telnet m|^\xff\xfe\"\xff\xfb\x01 \x1b\[H\x1b\[J\x1b\[3;1HCB-1000 S/N: (\d+)\x1b\[3;56HSymbol Technologies, Inc\.\x1b\[4;1HVersion ([\w-_.]+)\x1b\[4;44HEthernet HW address ([\w:]+)\x1b\[21;1H| p/Symbol CB-1000 bridge telnetd/ v/$2/ i/SN $1; MAC $3/ d/bridge/ match telnet m|^StoneGate firewall \([\d.]+\) \n\rSG login: | p/StoneGate firewall telnetd/ d/firewall/ - +match telnet m|^\xff\xfb\x01\x1b\[2J\x1b\[0m\x1b\[1;1H\n\r\x1b\[2;1H\n\r\x1b\[3;1H\n\r\x1b\[4;1H\n\r\x1b\[5;1H\n\r\x1b\[6;1H\n\r\x1b\[7;1H\n\r\x1b\[8;1H\n\r\x1b\[9;1H\n\r\x1b\[10;1H\n\r\x1b\[11;1H\n\r\x1b\[12;1H\n\r\x1b\[13;1H\n\r\x1b\[14;1H\n\r\x1b\[15;1H\n\r\x1b\[16;1HEnter Ctrl-Y to 
begin\.\x1b\[18;3H\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\x1b\[19;3H\*\*\* Ethernet Switch 460-24T-PWR | p/Nortel 460-24T-PWR switch telnetd/ d/switch/ +match telnet m|^\xff\xfb\x01\x1b\[2J\x1b\[0m\x1b\[1;1H \n\r\x1b\[2;1H\n\r\x1b\[3;1H\n\r\x1b\[4;1H\n\r\x1b\[5;1H\n\r\x1b\[6;1H\n\r\x1b\[7;1H\n\r\x1b\[8;1H\n\r\x1b\[9;1H\n\r\x1b\[10;1H\n\r\x1b\[11;1H\n\r\x1b\[12;1H\n\r\x1b\[13;1H\n\r\x1b\[14;1H\n\r\x1b\[15;1H\n\r\x1b\[16;1HEnter Ctrl-Y to begin\.\x1b\[18;3H\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\x1b\[19;3H\*\*\* BayStack 420 | p/BayStack 420 switch telnetd/ d/switch/ +match telnet m|^200 Hamster Remote Control, Hamster-Playground Vr\. ([\d.]+)\r\n| p/Hamster-Playground telnetd/ v/$1/ o/Windows/ +match telnet m=^\xff\xfb\x01\x1b\[2J\x1b\[H\x1b\[2J\x1b\[H\x1b\[1;12H----------------------------------------------------------\x1b\[2;11H\|\x1b\[16CCisco VG248 \(= p/Cisco VG248 telnetd/ d/VoIP adapter/ +match telnet m|^\xff\xfb\x03\xff\xfb\x01\x1b\[\?25h\x1b\[2J\x1b\[0;0H\x1b<\r\nRemote Access Controller/Modular Chassis \(DRAC/MC\)\r\nCopyright \(C\) 2000-2004 Dell Inc\.| p|Dell DRAC/MC telnetd| d/remote management/ +match telnet m|^\xff\xfd\x03\xff\xfb\x01\xff\xfb\x03IB-21E Ver ([\d.]+) TELNET server\.\r\0\nCopyright \(C\) 2001-2003 KYOCERA CORPORATION\r\0\n| p/Kyocera IB-21E telnetd/ v/$1/ d/print server/ +match telnet m|^\xff\xfb\x03\xff\xfb\x01\r\n\n\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\r\n\* Welcome to D-Link Print Server \*\r\n\* Telnet Console \*\r\n\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\r\n\r\nServer Name : ([\w-_.]+)\0\0\0\0\0\0\r\nServer Model : (DP-[\w+]+)\0| p/D-Link $2 print server telnetd/ h/$1/ d/print server/ +match telnet 
m|^\xff\xfe\0\xff\xfc\0\xff\xfe\x01\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f\n\n\rLocal User Access Verification: \n\n\rLogin: | p/Allied Telesyn switch telnetd/ d/switch/ +match telnet m|^\xff\xfb\x01\xff\xfb\x03\r\n\r\n\x1b\[H\x1b\[JWelcome at ActiveFax Server\.\r\n\r\n| p/ActiveFax telnetd/ +match telnet m|^\xff\xfb\x03\xff\xfb\x01\xff\xfb\x01\xff\xfb\x03\r\n\r\nLogin: $| p/ActionTec DSL router/ d/broadband router/ +match telnet m|^\xff\xfc\x01PCS-G70 Telnet Server\r\nlogin: | p/Sony PCS-G70 telnetd/ +match telnet m|^\xff\xfb\x01\xff\xfb\x03RemoteX Telnet Server V([\d.]+)\n\r\n\rc:\\>| p/RemoteX telnetd/ v/$1/ d/game console/ +match telnet m|^\xff\xfd\x01\xff\xfd!\xff\xfb\x01\xff\xfb\x03 ADSL Router\r\nLogin name: | p/BT Voyager ADSL router telnetd/ d/broadband router/ +match telnet m|^\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03\n\r +\*+\n\r +Welcome to ZXDSL 831\n\r +\*+\n\r\n\rZTE Corporation, Software Release VIK-([\w-_.]+)\n\r| p/Zyxel ZXDSL 831 telnetd/ v/$1/ d/broadband router/ +match telnet m|^\r\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\n\r\* HiPath (\d+) Telnet \*\n\r| p/Siemens HiPath $1 telnetd/ d/firewall/ +match telnet m%^\xff\xfe\x01\r\n\r\n\+=+\+\r\n\| +\[ MGE UPS SYSTEMS SNMP/Web agent Configuration menu \]% p/MGE UPS telnetd/ d/power-device/ +match telnet m|^\xff\xfd\x01\xff\xfd!\xff\xfb\x01\xff\xfb\x03root@HD:/# | p/utelnetd/ i/**NO PASSWORD**/ o/Unix/ +match telnet m|^\xff\xfb\x01\xff\xfd\x01\xff\xfe\x01\xff\xfd\x03\xff\xfb\x03\*+\r\n\r\nThis session allows you to set the TCPIP parameters for your\r\nDell Laser Printer ([\w+]+) Ethernet internal network device| p/Dell Laser printer $1 telnetd/ d/printer/ +match telnet m|^\xff\xfb\"\xff\xfb\x03\xff\xfb\x01\xff\xfb\0\xff\xfd\0\n\r\nWelcome to the PDP-10 simulator\r\n\n| p/PDP-10 simulator telnetd/ +match telnet m|^\xff\xfb\x01\(Enable\) Password\? 
| p/Enterasys gated config telnetd/ d/router/ +match telnet m|^\xff\xfd\x01\xff\xfd\x1f\xff\xfd!\xff\xfb\x01\xff\xfb\x03\r\r\nWelcome to Linux \(ZEM200\) for arca\r\n\rKernel ([\w-_.]+) on an arca \r\n\rZEM200 login: | p/ZEM200 biometric device config telnetd/ i/Linux $1/ o/Linux/ d/specialized/ match telnet-proxy m|^nodnsquery/[\d.]+ is not authorized to use the telnet proxy\r\n| p/Gauntlet telnet proxy/ match telnet-proxy m|^Eingabe Servername\[:Port\] : | p/JanaServer telnet proxy/ i/German/ match telnet-proxy m|^\xff\xfb\x01\xff\xfb\x03Telnet Gateway ready=enter computer name to connect to\.\\x0d\\x0a\\xd\\xahost\[:port\]: \r\n| p/602LAN Suite telnet proxy/ o/Windows/ +match telnet-proxy m|^\r\n\r\nEnter computer name to connect to\.\r\ne\.g\. \"NetCom\.com\"| p/WinProxy telnet proxy/ o/Windows/ match telnet-ssl m|^\xff\xfd.$| p|telnetd-ssl| @@ -1788,6 +1919,9 @@ match tinc m|^0 \w+ 17\n| p/tinc vpn daemon/ match time m|^[\xc4-\xcc]...$| i/32 bits/ match time m|^[\xc4-\xcc]....\0\0\0$| i/64 bits/ +# Need more examples... -Doug +match timeedit m|^\0\0\0H\0\0\0\x02\x0fTimeEdit131\.| p/Evolvera TimeEdit/ v/1.3.1/ + # Tiny Personal Firewall 2.0 match tinyfw m|^\x0f\0\n\0\x01\0\0\0\0\x02\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xc0\x0ef7\xbb\x9bS\xfc\x86\xe4\x7f\x18\xb8\x97\x06 | p/Tiny Personal Firewall/ v/2.0/ 
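Review bot: In the telnet hunk that ends on this line, the ZXDSL 831 pattern matches a banner that names "ZTE Corporation" but the product string is `p/Zyxel ZXDSL 831 telnetd/`. The vendor in the template should follow the banner: `p/ZTE ZXDSL 831 telnetd/ v/$1/ d/broadband router/`. The Siemens HiPath line also sets `d/firewall/`, which looks doubtful for a device that announces itself only as "HiPath (\d+) Telnet" and should be confirmed. A comment on the `root@HD:/# ` line stating that it matches an unauthenticated root prompt would explain the `**NO PASSWORD**` tag to later readers.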
@@ -1809,6 +1943,7 @@ match vnc m|^RFB 003\.00(\d)\n\0\0\0\0\0\0\0\x1aToo many security failures$| p/V match vnc m|^RFB 003.130\n$| p/VNC/ i/unofficial protocol 3.130/ match vnc m|^RFB 003\.88[89]\n$| p/Apple remote desktop vnc/ o/Mac OS X/ match vnc m|^RFB 000\.000\n$| p/Ultr@VNC Repeater/ +match vnc m|^RFB 003\.00(\d)\n\0\0\0\0\0\0\0jServer license key is missing, invalid or has expired\.\nVisit http://www\.realvnc\.com to purchase a licence\.| p/RealVNC/ i/Unlicensed, protocol 3.$1/ match vtun m|^VTUN server ver +(\d[-.\w /]+)\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0| p/Vtun Virtual Tunnel/ v/$1/ match vtun m|^VTUN server ver \. (\d[-.\w /]+)\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0| p/Vtun Virtual Tunnel/ v/$1/ @@ -1828,7 +1963,10 @@ match xinetd m=^([\w-_.]+ (tcp|udp) \d{1,5}\n)+= p/xinetd service display/ o/Uni match xfce-session m|^\0\x01\0.\0\0\0\0$| p/XFCE Session Manager/ match xmailctl m|^\+\d+ <[\d.]+@[\d.]+> XMail ([\d.]+) \(Linux/Ix86\) CTRL Server; .*\r\n| p/XMail CTRL Server/ v/$1/ o/Linux/ match xmailctl m|^\+\d+ <[\d.]+@[\d.]+> XMail ([\d.]+) CTRL Server; .*\r\n| p/XMail CTRL Server/ v/$1/ -match xmbmon m|^TEMP0 : [\d.]+\nTEMP1 : [\d.]+\nTEMP2 : [\d.]+\nFAN0 : [\d.]+\nFAN1 : [\d.]+\nFAN2 : [\d.]+\n| p/Mother Board Monitor/ +match xmbmon m|^TEMP0 +: +[\d.]+\nTEMP1 +: +[\d.]+\nTEMP2 +: +[\d.]+\nFAN0 +: +[\d.]+\nFAN1 +: +[\d.]+\nFAN2 +: +[\d.]+\n| p/Mother Board Monitor/ +match xine-remote m|^([\w-_.]+) xine-ui ([\d.]+) remote server\. Nice to meet you\.\n| p/Xine-UI remote control/ v/$1/ + +match yiff m|^\0\0\0\n\0\x03\0\0\0\0$| p/YIFF network sound server/ match zebra m|^\r\nHello, this is zebra \(version (\d[-.\w]+)\)\.\r\nCopyright 1996-20| p/GNU Zebra routing software/ v/$1/ match zebra m|^\r\nHello, this is zebra \(version (\d[-.\w]+)\)\.\r\nCopyright 200\d| p/GNU Zebra routing software/ v/$1/ 
@@ -1851,7 +1989,7 @@ match smtp m|^220 PostCast SMTP server.*\r\n$| p/PostCast SMTP server/ match omapi m|^\0\0\0d\0\0\0\x18$| p/ISC (BIND|DHCPD) OMAPI/ match openvpn m|^\0\x0e@........\0\0\0\0\0\0\x0e@| p/OpenVPN/ -match openvpn m|^\0\*@n.*\0\0\0\0\0\0\*@n|s p/OpenVPN/ +match openvpn m|^\0\*@.*\0\0\0\0\0\0\*@|s p/OpenVPN/ match osiris m|^\x80[=+:]\x01\x03\x01\0.\0\0\0\x10\0|s p/osiris host IDS agent/ match svnserve m|^\( success \( \d \d \( ANONYMOUS \) \( | p/Subversion/ @@ -1880,7 +2018,7 @@ match domain m|^\x80\xf0\x80\x12\0\x01\0\0\0\0\0\0\x20CKAAAAAAAAAAAAAAAAAAAAAAAA ##############################NEXT PROBE############################## Probe TCP GenericLines q|\r\n\r\n| rarity 1 -ports 21,23,35,43,79,98,110,113,119,199,214,264,449,505,510,540,587,616,628,666,731,1000,1040-1043,1080,1212,1220,1248,1302,1400,1432,1467,1501,1666,2010,2024,2600,3000,3005,3128,3310,3333,3940,5000,5400,5432,5555,5570,6112,6667-6670,7144,7145,7780,8000,8138,9801,11371,11965,11211,13720,15000,19150,26214,26470,31416,30444,56667 +ports 21,23,35,43,79,98,110,113,119,199,214,264,449,505,510,540,587,616,628,666,731,782,1000,1040-1043,1080,1212,1220,1248,1302,1400,1432,1467,1501,1666,2010,2024,2600,3000,3005,3128,3310,3333,3940,5000,5400,5432,5555,5570,6112,6667-6670,7144,7145,7780,8000,8138,9801,11371,11965,11211,13720,15000,19150,26214,26470,31416,30444,56667 match abc m|^Feedback\nError=You need unique ID to command ABC!| p/ABC Torrent http interface/ match antivir m|^\0\0\x80\0$| p/drweb anti-virus/ 
@@ -1888,8 +2026,12 @@ match as-servermap m|^-\0\0\0\0$| p|IBM OS/400 as-servermapd| d|OS/400| match biff m|^Message received\n$| p/NotifyMail biffd/ match biff m|^Use of uninitialized value in transliteration \(tr///\) at /var/jchkmail/user-filter| p/Joe's j-chkmail biffd/ match bitdefender-ctl m|^\(null\) 500 Internal Error\n\(null\) 500 Internal Error\n$| p/Bitdefender Remote Admin Console/ + # bnetd (PvPGN BnetD Mod version 1.5.0) on Debian GNU/Linux (sid) match bnetd m|^BOT or Telnet Connection from \[[\d.]+\]\r\n\r\nEnter your account name and password\.\r\nSorry, there is no guest account\.\r\n\r\nUsername: | p/PvPGN BnetD Mod/ v/1.5.0/ + +match bnetd m|^Connection from \[[\d.]+\]\r\n\r\nEnter your account name and password\.\r\nSorry, there is no guest account\.\r\n\r\nUsername: | p/bnetd/ + # bnetd server 0.4.25 on Linux match bnetd m|^Username: $| p/bnetd open source Blizzard Battlenet server/ match boinc m|^\n\x03$| p/Boinc GUI RPC port/ @@ -1900,6 +2042,7 @@ match boinc m|^\n(\d+)\n400 Bad Request\r\n| p/OpenPGP Public Key Server/ v/$1/ @@ -1967,12 +2111,14 @@ match http m|^HTTP/1\.1 401 Unauthorized\r\nConnection: close\r\nContent-Length: match http m|^HTTP/1\.1 501 Not Implemented\r\nCache-Control: no-cache, must-revalidate, max-age=0\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length: \d+\r\nConnection: close\r\n\r\n

          Not Implemented

          Whatever the heck you just requested, I can't generate\.| p/darkstat network analyzer httpd/ o/Unix/ match http m|^\xff\xf0 400 Bad Request\r\n\r\n400 Bad Request\r\n

          400 Bad Request

          | p/HP JetDirect printer embedded httpd/ d/printer/ match http m|^HTTP/1\.0 400 Bad Request\r\n.*This is a WebSEAL error message template file\.|s p/Tivoli Access Manager WebSEAL httpd/ -match http m|^UNKNOWN 400 Bad Request\r\nServer: thttpd/([\d.]+) \w+\r\n| p/thttpd/ v/$1/ +# Keep this above the more general thttpd match below. -Doug +match http m|^UNKNOWN 400 Bad Request\r\nServer: thttpd\r\n.*\n\tError.*Your request has bad syntax or is inherently impossible to satisfy|s p/Linksys NSLU2/ i/embedded thttpd/ d/storage-misc/ +match http m|^UNKNOWN 400 Bad Request\r\nServer: thttpd/([\w.]+) \w+\r\n| p/thttpd/ v/$1/ match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: UnrealEngine UWeb Web Server Build (\d+)\r\n|s p/Unreal Tournament http admin/ v/Build $1/ match http m|^HTTP/1\.0 405 Method Not Allowed\r\nAllow: GET, HEAD\r\n\r\n405 Method Not Allowed\r\n\r\n| p|D-Link printer/webcam http config| match http m|^HTTP/1\.0 400 Bad Request\r\nServer: WDaemon/([\d.]+)\r\n| p/World Client WDaemon httpd/ v/$1/ o/Windows/ match http m|^HTTP/1\.0 \d\d\d .*\nAccept: text/html\nConnection: close\n\n\n\n

          \nPunkBuster Server WebTool for ([\w-_.]+)| p/PunkBuster web admin/ i/Game: $1/ -match http m|^HTTP/1\.0 400 Bad Request\r\nServer: MpSconServer/([\d.]+)\r\n| p/ZebraNet print server MpSconServer httpd/ v/$1/ d/print server/ +match http m|^HTTP/1\.0 400 Bad Request\r\nServer: MpSconServer/([\d.]+)\r\n| p/ZebraNet print server httpd/ i/MpSconServer $1/ d/print server/ match http m|^HTTP/1\.1 \d\d\d .*\r\n\r\n.*var l1=\"([^"]+)\"\n.*document\.write\(\"D-Link DI-\"\+l1\)|s p/D-Link DI-$1 router http config/ d/router/ match http m|^HTTP/1\.0 400 bad http request\r\ndate: .*\r\nserver: SAP Web Application Server\r\n| p/SAP Web Application Server/ match http m|^HTTP/1\.0 200 OK\r\nContent-type: text/html; charset=UTF-8\r\nPragma: no-cache\r\nWindow-target: _top\r\n| p/Symantec AntiVirus Scan Engine http config/ @@ -1980,6 +2126,8 @@ match http m|^HTTP/1\.0 400 Bad Request\r\nServer: QTSS ([\d.]+) Admin Server/([ match http m|^HTTP/1\.0 400 Bad Request 2\r\nContent-Type: text/html\r\n\r\n
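Review bot: The comment `# Keep this above the more general thttpd match below.` does not seem to hold for the two lines it sits between. The Linksys NSLU2 pattern requires `Server: thttpd\r\n` with no version, and the general pattern requires `Server: thttpd/` followed by a version, so no response can match both and their order has no effect. If the comment refers to another thttpd match outside this hunk it should name it; otherwise I would replace it with `# Linksys NSLU2 sends a bare "Server: thttpd" header with no version`. Parts of this hunk are garbled by the page rendering, so the NSLU2 body text was not checked.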

          HTTP/1\.0 400 Bad Request 2

          \r\n$| p/WatchGuard Firebox http config/ d/firewall/ match http m|^HTTP/1\.0 400 Bad Request\r\nContent-Type: text/html\r\n\r\n400 Bad Request400 Bad Request$| p|Generic router http config| d/router/ match http m|^HTTP/1\.1 \d\d\d .*\nWWW-Authenticate: Basic realm=\"Anti-Spam SMTP Proxy \(ASSP\) Configuration\"\nContent-type: text/html\n\n

          Unauthorized

          \n\n| p/ASSP Anti-Spam Proxy http config/ +match http m|^HTTP/1\.0 400 Bad Request\r\nConnection: close\r\nServer: HttpServer/([\d.]+)\r\nDate: .*\r\nContent-Type: text/html\r\n\r\nError:
          \n

          Server Error: 400 Bad Request

          \r\n


          URL parsing error

          | p/Cisco ONS MSPP httpd/ i/HttpServer $1/ +match http m|^HTTP/1\.0 500 no query\r\n\r\n$| p/pkspxy/ match icecast m|^HTTP/1\.0 200 OK\r\nServer: icecast/(\d[-.\w]+)\r\n| p|Shoutcast/Icecast streaming audio| v|$1| @@ -2087,13 +2235,14 @@ match solfe m|^\x02\0\x01\xfb\xff\xfb\xff\xff\xff\xff\xffNOSUP| p/HP PNM Solid F match sstp m|^SSTP/([\d.]+) 400 Bad Request\r\n\r\n\0$| p/Sakura Script Transfer Protocol/ i/Protocol $1/ match smux m|^A\x01\x02$| p/Linux SNMP multiplexer/ o/Linux/ -# This could go into the null probe, but the problem is that it is a prefix +# This could go into the null probe, but the problem is that it is a prefix # of what other routers (at least HP JetDirect printer telentd) send. # And at least the JD sends the string below first, before it send the # rest in other packets. So it is best to capture this one here in # GenericLines. -match telnet m|^\xff\xfb\x03\xff\xfb\x01$| p/Nokia M1112 router telnetd/ d/router/ +# Removed because of too many conflicts! +#match telnet m|^\xff\xfb\x03\xff\xfb\x01$| p/Nokia M1112 router telnetd/ d/router/ # Solaris 9 match uucp m|^login: Please enter user name: Password: $| p/Solaris uucpd/ o/Solaris/ 
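Review bot: The comment block left above the disabled Nokia M1112 match still argues that "it is best to capture this one here in GenericLines", directly before `# Removed because of too many conflicts!`, so the file now gives two opposite instructions. I would fold them into one statement, for example `# Disabled: \xff\xfb\x03\xff\xfb\x01 is a prefix of what other telnetds (e.g. HP JetDirect) send, so it conflicts with them.`. The first changed comment line in this hunk appears to be a whitespace-only edit.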
@@ -2101,8 +2250,10 @@ match uucp m|^login: Please enter user name: Password: $| p/Solaris uucpd/ o/Sol match uucp m|^login: Password: Login incorrect\.$| p/SunOS uucpd/ o/SunOS/ match ups m|^32\r $| p/Cyber Power PowerPanelPlus UPS Server/ o/Windows/ match whois m|^% No entries found for the selected source\(s\)\.\n$| p/Merit IRRD whoisd/ -match whois m|^Process query: ''\nQuery recognized as IP\.\nQuerying ([\w\d-_.]+):(\d+) with whois\.\n\n| p/gwhois/ i/Uses $1:$2/ +match whois m|^Process query: ''\nQuery recognized as IP(v4)?\.\nQuerying ([\w\d-_.]+):(\d+) with whois\.\n\n| p/gwhois/ i/Uses $2:$3/ match whois m|^Process query: ''\nQuery recognized as IP\.\n| p/gwhois/ +match whois m|^%rwhois V-[\w:.-]+ ([\w-_.]+) \(by Network Solutions, Inc\. V-([\d.]+)\)\n| p/rwhois/ v/$2/ h/$1/ + match wincomm m|^128 System Incompatible Windows Communicator client or server version\r\n128 System Incompatible Windows Communicator client or server version\r\n| p/Windows Communicator/ match zebedee m|^\x02\x01$| p/Zebedee encrypted tunnel/ 
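Review bot: The fallback gwhois match on the line after the changed one still requires `Query recognized as IP\.`, so a reply that says `IPv4` and does not continue with the `Querying host:port` line will now match neither pattern. It should accept the same variant: `match whois m|^Process query: ''\nQuery recognized as IP(?:v4)?\.\n| p/gwhois/`. Using the non-capturing `(?:v4)?` in the changed line as well would keep its template at `$1:$2` instead of renumbering to `$2:$3`. The new rwhois line's `[\w-_.]` is better written `[\w.-]`, which matches the same characters with the hyphen unambiguously literal.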
@@ -2140,6 +2291,8 @@ match telnet m|^\xff\xfb\x01\r\n\r\nlogin: \r\n\r\n\r\r\npassword: $| p/Welltech match telnet m|^\xff\xfb\x03\xff\xfb\x01\xff\xfb\x1f\xff\xfd\x18Avocent CPS-810 S/W Version ([\d.]+)\r\nUsername: \r\nPassword: \r\nInvalid Login\r\nUsername: | p/Avocent CPS-810 serial port server telnetd/ v/$1/ d/specialized/ match telnet m|^\xff\xfb\x01\xff\xfb\x03\nGestetner Maintenance Shell\. \n\rUser access verification\.\n\rPassword:| p/Gestetner DSm622 maintenance telnetd/ d/printer/ match telnet m|^\xff\xfb\x01\xff\xfb\x03\nNRG Maintenance Shell\. \n\rUser access verification\.\n\rPassword:| p/NRG maintenance telnetd/ d/printer/ +match telnet m|^\xff\xfb\x01\xff\xfb\x03\nRICOH Maintenance Shell\. \n\rUser access verification\.\n\rPassword:| p/RICOH maintenance telnetd/ d/printer/ +match telnet m|^\r\nPress return:\*\*\*\*\r\nEnter Password:| p/IPSentry telnetd/ o/Windows/ match transbase m|^\0\0\+\x04\0\0\0@TransBase Multiplexer error report:\nIllegal request| p/Transbase Database/ 
@@ -2198,7 +2351,7 @@ match finger m|^That user does not want to be fingered\.\n$| p/ffingerd/
 # OpenBSD 2.3
 match finger m|^finger: GET: no such user\.\nfinger: /: no such user\.\nfinger: HTTP/1\.0: no such user\.\n$| p|BSD/Linux fingerd|
 # Linux port of in.fingerd from OpenBSD network tools - started with -w to show welcome banner
-match finger m|^\r\nWelcome to Linux version (\d[-.\w]+) at ([-.\w]+) !\r\n\n.*(\d+) user.*\n\r\nfinger: GET: no such user\.\nfinger: /: no such user\.\nfinger: HTTP/1\.0: no such user\.\n| p/OpenBSD fingerd/ i/ported to Linux; $2 users logged in/ o/Linux version $1/ h/$2/ o/Linux/
+match finger m|^\r\nWelcome to Linux version (\d[-.\w]+) at ([-.\w]+) !\r\n\n.*\n\r\nfinger: GET: no such user\.|s p/OpenBSD fingerd/ i/ported to Linux; $2 users logged in/ o/Linux version $1/ h/$2/ o/Linux/
 # Redhat Linux from finger-server-0.17-9 RPM
 match finger m|^finger: GET: no such user.\r\nfinger: /: no such user.\r\nfinger: HTTP/1.0: no such user.\r\n$| p/Linux fingerd/ o/Linux/
 # NetBSD 1.6ZA (berkeley fingerd 8.1 sibling)
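Review bot: The new pattern no longer captures the user count, but the template still says `i/ported to Linux; $2 users logged in/`. `$2` is the host name group `([-.\w]+)`, which is also used for `h/$2/`, so the host name is printed where a number of users is expected. Since `(\d+) user` was dropped from the regex, the info field should be reduced to `i/ported to Linux/`. The line also carries two `o/` fields, `o/Linux version $1/` and `o/Linux/`; which one is reported depends on the parser, so I would keep a single one, for example `o/Linux $1/`.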
@@ -2277,6 +2430,8 @@ match http-mgmt m|^HTTP/1\.1 200 OK\r\nServer: Virata-EmWeb/R6_2_1\r\nContent-Ty match http-mgmt m|^HTTP/1\.1 200 OK\r\nServer: Virata-EmWeb/R6_0_1\r\n-ransfer-Encoding: chunked\r\nContent-Type: text/html\r\nExpires: .*\r\nCache-Control: no-cache\r\nPragma: no-cache\r\n\r\n\n\nMoved| p/HP Color LaserJet 3500/ i/Virata embedded httpd 6.2.1/ d/printer/ match http m|^HTTP/1\.1 301 Resource Moved\r\nCONTENT-LENGTH: 0\r\nEXPIRES: .*\r\nLocation: /hp/device/this\.LCDispatcher\r\nCACHE-CONTROL: no-cache\r\nSERVER: HP-ChaiSOE/([\d.]+)\r\n-ONNECTION: Keep-Alive\r\n\r\n| p/hp color LaserJet 4650/ i/HP-ChaiSOE $1/ d/printer/ +match http m|^HTTP/1\.1 200 OK\r\nServer: Virata-EmWeb/R([\d_]+)\r\n.*\n\n\n HP Color LaserJet 2840 /|s p/HP Color LaserJet 2840 http config/ i/Virata httpd $1/ d/printer/ +match http m|^HTTP/1\.1 200 OK\r\nServer: Virata-EmWeb/R([\d_]+)\r\n.*\n\n<title>HP Officejet Pro K550\n|s p/HP OfficeJet Pro K550 http config/ i/Virata httpd $1/ d/printer/ match http m|^HTTP/1\.0 200 OK\nServer: stats\.mod/(\d[-.\w]+)\n| p/Eggdrop stats.mod web statistics module/ v/$1/ match http m|^HTTP/1\.1 200 OK\r\nServer: PPR-httpd/(\d[-.\w]+)\r\n| p/PPR print spooling daemon ppradmin/ v/$1/ 
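Review bot: The two added HP matches put the raw `R([\d_]+)` capture into `i/Virata httpd $1/`, so the version is reported with underscores (for example `6_2_1`, a constructed sample). The existing entries in this hunk write it dotted, as `Virata embedded httpd 6.2.1`. Anything that compares these strings against advisories or inventory data will see two formats for the same server. If the capture is kept, labelling it as the raw token, `i/Virata-EmWeb R$1/`, at least makes the difference explicit. The page rendering has stripped markup from these lines, so the HTML portion of both patterns was not checked.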
@@ -2321,7 +2476,8 @@ match http m|^HTTP/1\.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"PR20 # 3Com OfficeConnect 812 Router telnetd match http m|^HTTP/1\.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"OCR-([-.\w]+)\"\r\nContent-Type: text/html\r\nServer: Allegro-Software-RomPager/(\d[-.\w]+)\r\n| p/3Com OfficeConnect Router webadmin/ i/Embedded Allegro-Software-RomPager $2; OfficeConnect OCR-$1/ d/router/ match http m|^HTTP/1\.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"APC Management Card\"\r\nContent-Type: text/html\r\nServer: Allegro-Software-RomPager/ ?([\w.]+)\r\n\r\n| p/APC Management Web Server/ i/Allegro RomPager $1/ d/power-device/ -match http m|^HTTP/1\.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"PDU\"\r\nServer: Allegro-Software-RomPager/ ?([\w.]+)\r\n\r\n\n\nProtected Object\n\n\n

          Protected Object

          \nThis object on the MasterSwitch Web Server is protected\.| p/APC masterswitch web server/ i/Allegro RomPager $1/ d/power-device/ +match http m|^HTTP/1\.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"PDU\"\r\nServer: Allegro-Software-RomPager/ ?([\w.]+)\r\n\r\n\n\nProtected Object\n\n\n

          Protected Object

          \nThis object on the MasterSwitch Web Server is protected\.| p/APC masterswitch http config/ i/Allegro RomPager $1/ d/power-device/ +match http m|^HTTP/1\.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"MasterSwitch Plus\"\r\nContent-Type: text/html\r\nServer: Allegro-Software-RomPager/ ?([\w.]+)\r\n\r\n\n\nProtected Object.*This object on the APC Management Web Server is protected\.|s p/APC masterswitch http config/ i/Allegro RomPager $1/ d/power-device/ match http m|^HTTP/1\.0 200 OK\r\nPragma: no-cache\r\nContent-Type: text/html\r\n\r\n\n.*\n.*\n|s p/3Com OfficeConnect router webadmin/ i/3Com` $1/ d/router/ match http m|^HTTP/1\.0 200 OK\r\nContent-Type: text/html\r\n.*\r\nServer: Allegro-Software-RomPager/ ?([\w.]+)\r\n\r\n\n\n\n\n\n\nSummit Management Interface|s p/Summit Management Interface/ i/Allegro RomPager $1/ match http m|^HTTP/1\.1 200 OK\r\nContent-Type: text/html\r\n.*Server: Allegro-Software-RomPager/([\w.]+)\r\n\r\n\n\n\n\n\n([^&\r\n]+) - Status|s p/Roku Sound Bridge Web Interface/ i/Allegro RomPager $1; Name $2/ 
@@ -2349,7 +2505,8 @@ match http m|^HTTP/1\.0 401 Unauthorized\r\nDate: .*\r\nContent-Type: text/html\ match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: DHost/(\d[-.\w]+) HttpStk/(\d[-.\w]+)\r\n| p/Novell eDirectory DHOST httpd/ v/$1/ i/HttpStk: $2; used by iMonitor/ o/Unix/ match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: 3ware/(\d[-.\w]+)\r\n| p/3Ware web interface/ v/$1/ i/RAID storage/ match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: Cherokee/(\d[-.\w]+)\r\n| p/Cherokee httpd/ v/$1/ -match http m|^HTTP/1\.0 200 OK\r\nServer: HomeSeer\r\n| p/HomeSeer Home Control Web Interface/ +match http m|^HTTP/1\.0 200 OK\r\nServer: HomeSeer\r\n| p/HomeSeer Home Control Web Interface/ o/Windows/ +match http m|^HTTP/1\.0 401 \r\nWWW-Authenticate: Basic realm=\"HomeSeer\d+\"\r\n\r\n| p/HomeSeer Home Control Web Interface/ o/Windows/ # Multitech MultiVoip 410 VoIP gateway match http m|^HTTP/1\.1 200 OK\r\nServer: RTXCweb Software (\d[-.\w]+)\r\nDate: .*\r\nContent-type: text/html\r\n\r\n\r\n\r\n\r\n\r\n