From 6c6a6ac62cb60546e30e278277a6fc9f927af27c Mon Sep 17 00:00:00 2001
From: dmiller <dmiller@e0a8ed71-7df4-0310-8962-fdc924857419>
Date: Tue, 3 Nov 2015 00:28:35 +0000
Subject: [PATCH] New probe and matches to detect NJE:
 http://seclists.org/nmap-dev/2015/q4/75

---
 nmap-service-probes | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/nmap-service-probes b/nmap-service-probes
index c5710ab14..2103073c2 100644
--- a/nmap-service-probes
+++ b/nmap-service-probes
@@ -14273,3 +14273,20 @@ match ssl m=^\x16\x03[\0-\x03]..\x02\0\0.\x03[\0-\x03].*\x16\x03[\0-\x03]\0.\x0c
 
 # SSLv3 - TLSv1.2 Alert
 match ssl m|^\x15\x03[\0-\x03]\0\x02[\x01\x02].$|s
+
+##############################NEXT PROBE##############################
+# Queries z/OS Network Job Entry
+# Sends an NJE Probe with the following information (text is converted to EBCDIC):
+# TYPE        = OPEN
+# OHOST       = FAKE
+# RHOST       = FAKE
+# RIP and OIP = 0.0.0.0
+# R           = 0
+# Based on http://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.hasa600/init.htm
+Probe TCP NJE q|\xd6\xd7\xc5\xd5@@@@\xc6\xc1\xd2\xc5@@@@\0\0\0\0\xc6\xc1\xd2\xc5@@@@\0\0\0\0\0|
+rarity 9
+ports 175
+sslports 2252
+# If the port supports NJE it will respond with either a 'NAK' or 'ACK' in EBCDIC
+match nje m|^\xd5\xc1\xd2| p/IBM Network Job Entry (JES)/
+match nje m|^\xc1\xc3\xd2| p/IBM Network Job Entry (JES)/