nmap/nmap-service-probes

# Nmap service detection probe list -*- mode: fundamental; -*-
# $Id$ 
#
# This is a database of custom probes and expected responses that the
# Nmap Security Scanner ( http://www.insecure.org/nmap/ ) uses to
# identify what services (eg http, smtp, dns, etc.) are listening on
# open ports.  Contributions to this database are welcome.  We hope to
# create an automated submission system (as with OS fingerprints), but
# for now you can email fyodor any new probes you develop so that he
# can include them in the main Nmap distributon.  By sending new
# probe/matches to Fyodor or one the insecure.org development mailing
# lists, it is assumed that you are transfering any and all copyright
# interest in the data to Fyodor so that he can modify it, relicense
# it, incorporate it into programs, etc. This is important because the
# inability to relicense code has caused devastating problems for
# other Free Software projects (such as KDE and NASM).  Nmap will
# always be available Open Source.  If you wish to specify special
# license conditions of your contributions, just say so when you send
# them.
#
# This collection of probe data is (C) 2003 by Insecure.Com LLC It is
# available for free use by open source software under the terms of
# the GNU General Public License.  We also license the data to
# selected commercial/proprietary vendors under less restrictive
# terms.  Contact sales@insecure.com for more information.
#
# For details on how Nmap version detection works, why it was added,
# the grammar of this file, and how to detect and contribute new
# services, see our paper at
# http://www.insecure.org/nmap/versionscan.html .

# The Exclude directive takes a comma separated list of ports.
# The format is exactly the same as the -p switch.
Exclude T:9100

# This is the NULL probe that just compares any banners given to us
##############################NEXT PROBE##############################
Probe TCP NULL q||
# Wait for at least 6 seconds for data.  It used to be 5, but some
# smtp services have lately been instituting an artificial pause (see
# FEATURE('greet_pause') in Sendmail, for example)
totalwaitms 6000
match acap m|^\* ACAP \(IMPLEMENTATION \"CommuniGate Pro ACAP (\d[-.\w]+)\"\) | p/CommuniGate Pro ACAP server/ i/for mail client preference sharing/ v/$1/
match aim m|^\*\x01..\0\x04\0\0\0\x01$|s p/Pyboticide AIM chat filter/
# AMANDA index server 2.4.2p2 on Linux 2.4
match amanda m|^220 ([-.\w]+) AMANDA index server \((\d[-.\w ]+)\) ready\.\r\n| p/Amanda backup system index server/ v/$2/ h/$1/ o/Unix/
# arkstats (part of arkeia-light 5.1.12 Backup server) on Linux 2.4.20
match arkstats m|^\0`\0\x03\0\0\0\x1810\x000\x000\x00852224\0\0\0\0\0\0\0\0\0\0\0| p/Arkeia arkstats/
match backdoorjeam m|^220 jeem\.mail\.pv ESMTP\r\n| p/Jeem backdoor/ i/**BACKDOOR**/
# Bittorrent Client 3.2.1b on Linux 2.4.X
match bittorent m|^\x13BitTorrent protocol\0\0\0\0\0\0\0\0| p/Bittorrent P2P client/
# BMC Software Patrol Agent 3.45
match bmc-softwarepatrol m|^\0\0\0\x17i\x02\x03..\0\x05\x02\0\x04\x02\x04\x03..\0\x03\x04\0\0\0\0\x01\x01\0| p/BMC Software Patrol Agent/
match chargen m|^!"#\$%\&'\(\)\*\+,-\./0123456789:;<=>\?\@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\\\]\^_`abcdefgh\r\n"#\$%\&'\(\)\*\+,-\./0123456789:;<=>\?\@ABCDEF| p/Linux chargen/ o/Linux/
# Redhat 7.2, xinetd 2.3.7 chargen
match chargen m|^\*\+,-\./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\\\]\^_`abcdefghijklmnopq\r\n\+,-\./| p/xinetd chargen/ o/Unix/
# Sun Solaris 9; Windows
match chargen m|^\ !"#\$%&'\(\)\*\+,-\./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\\\]\^_|
# Mandrake Linux 9.2, xinetd 2.3.11 chargen
match chargen m|NOPQRSTUVWXYZ\[\\\]\^_`abcdefghijklm| p/xinetd chargen/ o/Unix/
# Citrix, Metaframe XP on Windows
match citrix-ica m|^\x7f\x7fICA\0\x7f\x7fICA\0| p/Citrix Metaframe XP ICA/ o/Windows/
match concertosendlog m|^Concerto Software\r\n\r\nEnsemblePro SendLog Server - Version (\d[-.\w]+)\r\n\r\nEnter Telnet Password\r\n#> | p/Concerto Software EnsemblePro CRM software SendLog Server/ v/$1/
match concertotimesync m|^Concerto Software\r\n\r\nContactPro TimeSync Server - Version (\d[-.\w]+)\r\n\r\nEnter Telnet Password\r\n#> | p/Concerto Software EnsemblePro CRM software TimeSync Server/ v/$1/
# CompTek AquaGateKeeper (Telephony package) http://aqua.comptek.ru
match H.323/Q.931 m|^\x03\0\0.*@| p/CompTek AquaGateKeeper/
match cvspserver m|^no repository configured in /| p/CVS pserver/ i/broken/
match cvspserver m|^/usr/sbin/cvs-pserver: line \d+: .*cvs: No such file or directory\n| p/CVS pserver/ i/broken/
match cvsup m|^OK \d+ \d+ ([-.\w]+) CVSup server ready\n| p/CVSup/ v/$1/
match damewaremr m|^0\x11\0\0\0..\0......\r@\0\0\0\0\0\0\0\0\x01\0\0\0\x01\0\0\0\0\0\0\0.\0\0\0$|s p/DameWare Mini Remote Control/ o/Windows/
# Linux
match daytime m|^[0-3]\d [A-Z][A-Z][A-Z] 20\d\d \d\d:\d\d:\d\d \S+\r\n|
# OpenBSD 3.2
match daytime m|^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} +\d\d:\d\d:\d\d 20\d\d\r\n|
# Solaris 8,9
match daytime m|^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} +\d\d:\d\d:\d\d 20\d\d\n\r| p/Sun Solaris daytime/ o/Solaris/
# Windows daytime
match daytime m|^\d+:\d\d:\d\d [AP]M \d+/\d+/200\d\n$| p/Microsoft Windows USA daytime/ o/Windows/
# Windows daytime - UK english I think (no AM/PM)
match daytime m|^\d\d:\d\d:\d\d \d\d.\d\d.200\d\n$| p/Microsoft Windows International daytime/ o/Windows/
# daytime on Windows 2000 Server
match daytime m|^.... \d{1,2}:\d{1,2}:\d{1,2} 200\d-\d{1,2}-\d{1,2}\n$| p/Microsoft Windows daytime/ o/Windows/
# Windows NT daytime
match daytime m|^[A-Z][a-z]+day, [A-Z][a-z]+ \d{1,2}, 200\d \d{1,2}:\d\d:\d\d\n\0$| p/Microsoft Windows daytime/ o/Windows/
# Windows 2000 Adv Server sp-4 daytime
match daytime m|^[A-Z][a-z][a-z] [A-Z][a-z][a-z] \d{1,2} \d{1,2}:\d{1,2}:\d{1,2} 200\d\n| p/Microsoft Windows daytime/ o/Windows/
# Windows 2003 Server daytme
match daytime m|^\d{1,2}\.\d{1,2}\.\d{1,2} \d\d/\d\d/200\d\n| p/Microsoft Windows daytime/ o/Windows/
# Windows 2000 Prof. Central European format
match daytime m|^\d{1,2}:\d\d:\d\d \d{1,2}\.\d{1,2}\.200\d\n$| p/Microsoft Windows daytime/ o/Windows/

# Windows International daytime
match daytime m|^\d\d:\d\d:\d\d \d\d.\d\d.200\d\n$| p/Microsoft Windows International daytime/ o/Windows/
# New Zealand format daytime - Windows 2000
match daytime m|^[01]\d:\d\d:\d\d [AP]M [0-3]\d/[01]\d/0\d\n$| p/Microsoft Windows daytime/ i/New Zealand style/ o/Windows/
# HP-UX B.11.00 A inetd daytime
match daytime m|^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d [A-Z]+ 200\d\r\n$| p/HP-UX daytime/ o/HP-UX/
# Tardis 2000 v1.4 on NT
match daytime m|^^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d 200\d $| p/Tardis 2000 daytime/

# TrueTime nts100 running WxWorks
match daytime m|^[A-Z][a-z]{2}, [A-Z][a-z]{2} \d{1,2}, 200\d, \d\d:\d\d:\d\d-UTC$| p/Truetime nts100/

# Cisco router daytime
match daytime m|^[A-Z][a-z]+day, [A-Z][a-z]+ \d{1,2}, 200\d \d\d:\d\d:\d\d-MET(-DST)?\r\n| p/Cisco router daytime/ o/IOS/

match dict m|^530 access denied\r\n$| p/dictd/ i/access denied/
match dict m|^220 ([-.\w]+) dictd ([-.\w/]+) on ([-.+ \w]+) <auth\.mime>| p/dictd/ h/$1/ v/$2/ o/$3/
match directconnect m/^\$MyNick ([-.\w]+)|\$Lock/ p/Direct Connect P2P/ i/User: $1/ o/Windows/
match eggdrop m=^\r\n\r\n([-`|.\w]+)  \(Eggdrop v(\d[-.\w]+) +\([cC]\) *1997.*\r\n\r\n= p/Eggdrop irc bot console/ v/$2/ i/botname: $1/
# This fallback is because many people customize their eggdrop
# banners.  This rule should always be well below the detailed rule
# above.
match eggdrop m|Copyright \(C\) 1997 Robey Pointer\r\n.*Eggheads| p/Eggdrop IRC bot console/
match finger m|\r\n {4}Line {5,8}User {6,8}Host\(s\) {13,18}Idle +Location\r\n| p/Cisco fingerd/ o/IOS/ d/router/
match ftp m|^220 ([-/.+\w]+) FTP server \(SecureTransport (\d[-.\w]+)\) ready\.\r\n| p/Tumbleweed SecureTransport ftpd/ h/$1/ v/$2/
match ftp m|^220 3Com 3CDaemon FTP Server Version (\d[-.\w]+)\r\n| p/3Com 3CDaemon ftpd/ v/$1/
# GuildFTP 0.999.9 on Windows
match ftp m|^220-GuildFTPd FTP Server \(c\) \d\d\d\d(-\d\d\d\d)?\r\n220-Version (\d[-.\w]+)\r\n| p/Guild ftpd/ v/$2/ o/Windows/
match ftp m|^220-.*\r\n220 Please enter your name:\r\n| p/GuildFTPd/ o/Windows/
# Medusa Async V1.21 [experimental] on Linux 2.4
match ftp m|^220 ([-/.+\w]+) FTP server \(Medusa Async V(\d[^\)]+)\) ready\.\r\n| p/Medusa Async ftpd/ h/$1/ v/$2/
match ftp m|^220 ([-/.+\w]+)\((\d[-.\w]+)\) FTP server \(EPSON ([^\)]+)\) ready\.\r\n| p/Epson printer ftpd/ h/$1/ v/$2/ i/Epson $3/ d/printer/
match ftp m|^220 ([-/.+\w]+) IBM TCP/IP for OS/2 - FTP Server [Vv]er \d+:\d+:\d+ on [A-Z]| p|IBM OS/2 ftpd| h/$1/ o|OS/2|
match ftp m|^220 ([-/.+\w]+) IBM TCP/IP f\xfcr OS/2 - FTP-Server [Vv]er \d+:\d+:\d+ .* bereit\.\r\n| p|IBM OS/2 ftpd| h/$1/ o|OS/2| i/German/
match ftp m|^220 ([-/.+\w]+) Lexmark ([-/.+\w ]+) FTP Server (\d[-.\w]+) ready\.\r\n| p/Lexmark printer ftpd/ v/$2/ i/Lexmark $3/ h/$1/ d/printer/
#atch ftp m|^220 LXK14ED59 Lexmark Optra SC 1275 FTP Server ([\d.]+) ready\.\r\n| p/Lexmark Optra SC 1275 ftpd/ v/$1/ d/printer/
match ftp m|^220 Internet Rex (\d[-.\w ]+) \(([-/.+\w]+)\) FTP server awaiting your command\.\r\n| p/Internet Rex ftpd/ v/$1/ i/$2/
match ftp m|^220 ([-.+\w]+) FTP server \(Version (\d[-.\w]+)\(([^\)]+)\) [A-Z][a-z][a-z] [A-Z].*200\d\) ready\.\r\n| p/HP-UX ftpd/ h/$1/ v/$2/ i/$3/ o/HP-UX/
match ftp m|^530 Connection refused, unknown IP address\.\r\n$| p/Microsoft IIS ftpd/ i/IP address rejected/ o/Windows/
match ftp m|^220 PizzaSwitch FTP server ready\r\n| p/Xylan PizzaSwitch ftpd/
match ftp m|^220 ([-.+\w]+) IronPort FTP server \(V(\d[-.\w]+)\) ready\.\r\n| p/IronPort mail appliance ftpd/ h/$1/ v/$2/
match ftp m|^220 WFTPD (\d[-.\w]+) service \(by Texas Imperial Software\) ready for new user\r\n| p/Texas Imperial Software WFTPD/ v/$1/ o/Windows/
match ftp m|^220.*\r\n220 WFTPD (\d[-.\w]+) service \(by Texas Imperial Software\) ready for new user\r\n|s p/Texas Imperial Software WFTPD/ v/$1/ o/Windows/
match ftp m|^220 ([-.+\w]+) FTP server \(Version (MICRO-[-.\w:#+ ]+)\) ready\.\r\n| p/Bay Networks MicroAnnex terminal server ftpd/ h/$1/ v/$2/ d/terminal server/
match ftp m|^220 ([-.+\w]+) FTP server \(Digital UNIX Version (\d[-.\w]+)\) ready\.\r\n| p/Digital UNIX ftpd/ h/$1/ v/$2/ o/Unix/ o/DIGITAL UNIX/
match ftp m|^220 ([-.+\w]+) FTP server \(Version [\d.]+\+Heimdal (\d[-+.\w ]+)\) ready\.\r\n| p/Heimdal Kerberized ftpd/ h/$1/ v/$2/ o/Unix/
match ftp m|^500 OOPS: (could not bind listening IPv4 socket)\r\n$| p/vsftpd/ i/broken: $1/ o/Unix/
match ftp m|^500 00PS: vsftpd: (.*)\r\n| p/vsftpd/ i/broken: $1/ o/Unix/
match ftp m|^220-QTCP at ([-.\w]+)\r\n220| p|IBM OS/400 FTPd| o|OS/400| h/$1/
match ftp m|^220[- ]FileZilla Server version (\d[-.\w ]+)\r\n| p/FileZilla ftpd/ v/$1/ o/Windows/
match ftp m|^220 ([\w-_.]+) running FileZilla Server version (\d[-.\w ]+)\r\n| p/FileZilla ftpd/ v/$2/ h/$1/ o/Windows/
match ftp m|^220 FTP Server - FileZilla\r\n| p/FileZilla ftpd/ o/Windows/
match ftp m|^220-Welcome to ([A-Z]+) FTP Service\.\r\n220 All unauthorized access is logged\.\r\n| p/FileZilla ftpd/ h/$1/ o/Windows/
match ftp m|^220.*\r\n220[- ]FileZilla Server version (\d[-.\w ]+)\r\n|s p/FileZilla ftpd/ v/$1/ o/Windows/
# Netgear RP114 switch with integrated ftp server
# Netgear RP114
match ftp m|^220 ([-\w]+)? FTP version 1\.0 ready at | p/Netgear broadband router ftpd/ v/1.0/ d/router/
match ftp m|^220 ([-.\w]+) FTP server \(GNU inetutils (\d[-.\w ]+)\) ready\.\r\n| p/GNU Inetutils FTPd/ v/$2/ h/$1/
match ftp m|^220 .* \(glftpd (\d[-.0-9a-zA-Z]+)_(\w+)(\+TLS)?\) ready\.\r\n| p/glFTPd/ v/$1/ i/$2/ o/Unix/
match ftp m|^220 .* \(glFTPd (\d[-.0-9a-zA-Z]+)_(\w+) Linux\+TLS\) ready\.?\r\n| p/glFTPd/ v/$1/ i/$2/ o/Linux/
match ftp m|^220 .* \(glFTPd (\d[-.0-9a-zA-Z]+) Linux\+TLS\) ready\.\r\n| p/glFTPd/ v/$1/ o/Linux/
match ftp m|^220 ([-.\w]+) FTP server \(FirstClass v(\d[-.\w]+)\) ready\.\r\n| p/FirstClass FTP server/ h/$1/ v/$2/
match ftp m|^220 ([-.\w]+) FTP server \(Compaq Tru64 UNIX Version (\d[-.\w]+)\) ready\.\r\n| p/Compaq Tru64 ftp server/ h/$1/ v/$2/ o/Tru64 UNIX/
match ftp m|^220 AXIS ([-.\w]+) FTP Network Print Server V(\d[-.\w]+) [A-Z][a-z]| p/Axis network print server ftpd/ v/$2/ i/Model $1/ d/print server/
match ftp m|^220 AXIS ([\d\w]+)V(\d\S+) (.*?) ready\.\n| p/AXIS $1 Webcam/ v/$2/ i/$3/ d/webcam/
match ftp m|^220 Axis (\d+) Network Camera (\d\S+) (.*?) ready\.\n| p/Axis $1 Webcam/ v/$2/ i/$3/ d/webcam/
match ftp m|^220 AXIS (\w+) Network Camera (\d\S+) \(.*\) ready\.\r\n| p/Axis $1 Webcam/ v/$2/ d/webcam/
match ftp m|^220 AXIS (\d+) Video Server (\d\S+) (.*?) ready\.| p/AXIS $1 Video Server/ v/$2/ i/$3/
match ftp m|^220-Cerberus FTP Server Personal Edition\r\n220-UNREGISTERED\r\n| p/Cerberus FTP Server/ i/Personal Edition; Unregistered/ o/Windows/
match ftp m|^220-Welcome to Cerberus FTP Server\r\n220 Created by Grant Averett\r\n| p/Cerberus ftpd/ o/Windows/
match ftp m|^220 FTP print service:V-(\d[-.\w]+)/Use the network password for the ID if updating\.\r\n| p/Brother printer ftpd/ v/$1/ d/printer/
match ftp m|^220- APC FTP server ready\.\r\n220 \r\n$| p/APC ftp server/ d/power device/
match ftp m|^220 ([-\w]+) FTP server \(Version (\d.[.\d]+) ([A-Z][a-z]{2} [A-Z][a-z]{2} [0-9]+ [0-9:]+ .* [21][0-9]+)\) ready\.\r\n| p/HP-UX 10.x ftpd/ h/$1/ v/$2/ o/HP-UX/ i/$3/
match ftp m|^220 ([-\w]+) FTP server \(Version (\d[-.\w]+) [A-Z][a-z]{2} [A-Z][a-z]{2} .*\) ready\.\r\n| p/AIX ftpd/ h/$1/ v/$2/ o/AIX/
match ftp m|^220[- ]Roxen FTP server running on Roxen (\d[-.\w]+)/Pike (\d[-.\w]+)\r\n| p/Roxen ftp server/ v/$1/ i/Pike $2/
# Debian packaged oftpd 0.3.6-51 on Linux 2.6.0-test4 Debian
match ftp m|^220 Service ready for new user\.\r\n| p/oftpd/ o/Unix/
# Mac OS X Client 10.2.6 built-in ftpd
match ftp m|^220[ -].*FTP server \(lukemftpd (\d[-. \w]+)\) ready\.\r\n|s p/LukemFTPD/ v/$1/ i/Mac OS X uses lukemftpd derivative/
match ftp m/^220.*Microsoft FTP Service \(Version (\d[^)]+)/ p/Microsoft ftpd/ v/$1/ o/Windows/
# This lame version doesn't give a version number
# Windows 2003
match ftp m/^220[ -]Microsoft FTP Service\r\n/ p/Microsoft ftpd/ o/Windows/
match ftp m/^220[ -]Serv-U FTP[ -]Server v(\d\S+) ... WinSock ...../ p/Serv-U ftpd/ v/$1/ o/Windows/
match ftp m|^220-Serv-U FTP Server for Winsock\r\n| p/Serv-U ftpd/ o/Windows/
match ftp m/^220-Sambar FTP Server Version (\d\S+)\x0d\x0a/ p/Sambar ftpd/ v/$1/
# Sambar server V5.3 on Windows NT
match ftp m|^220-FTP Server ready\r\n220-Use USER user@host for native FTP proxy\r\n220 Your FTP Session will expire after 300 seconds of inactivity\.\r\n| p/Sambar ftpd/
match ftp m/^220 JD FTP Server Ready/ p/HP JetDirect ftpd/ d/print server/
match ftp m/^220.*Check Point FireWall-1 Secure FTP server running on/s p/Check Point Firewall-1 ftpd/ d/firewall/
match ftp m/^220[- ].*FTP server \(Version (wu-[-.\w]+)/s p/WU-FTPD/ v/$1/ o/Unix/
match ftp m|^220-\r\n220 ([-.\w]+) FTP server \(Version ([-.+\w()]+)\) ready\.\r\n$| p/WU-FTPD/ h/$1/ v/$2/ o/Unix/
match ftp m|^220 ([-.\w]+) FTP server \(Version ([-.+\w()]+)\) ready\.\r\n$| p/WU-FTPD/ h/$1/ v/$2/ o/Unix/

# ProFTPd 1.2.5
match ftp m|^220  Server \(ProFTPD\) \[([-.\w]+)\]\r\n| p/ProFTPd/ h/$1/ o/Unix/
match ftp m/^220 ProFTPD (\d\S+) Server/ p/ProFTPD/ v/$1/ o/Unix/
match ftp m/^220 FTP Server \[([\w-_.]+)\]\r\n/ p/ProFTPD/ o/Unix/ h/$1/
match ftp m|^220 ([\w-_.]+) FTP server ready\r\n| p/ProFTPD/ o/Unix/ h/$1/
match ftp m/^220.*ProFTP[dD].*Server ready/ p/ProFTPD/ o/Unix/
match ftp m|^220 ProFTP Server Ready\r\n| p/ProFTPD/ o/Unix/
match ftp m|^220 Welcome @ my\.ftp\.org\r\n$| p/ProFTPD/ o/Unix/
match ftp m|^220-.*\r\n220 ProFTPD ([\d.]+) Server|s p/ProFTPD/ v/$1/ o/Unix/
match ftp m|^220 .* FTP Server \(ProFTPD ([\d.]+) on Red Hat linux ([\d.]+)\) ready\.\r\n| p/ProFTPD/ v/$1/ i/RedHat $2/ o/Linux/
# Hope these aren't too general -Doug
match ftp m|^220 ([\w-_.]+) FTP server ready!\r\n| p/ProFTPD/ o/Unix/ h/$1/
match ftp m|^220 FTP Server ready\.\r\n$| p/ProFTPD/ o/Unix/

match ftp m/^220.*NcFTPd Server / p/NcFTPd/ o/Unix/
match ftp m/^220.*FTP server \(SunOS 5\.([789])\) ready/ p/Sun Solaris $1 ftpd/ o/Solaris/
match ftp m/^220.*FTP server \(SunOS (\S+)\) ready/ p/Sun SunOS ftpd/ v/$1/ o/Solaris/
match ftp m/^220-([-.\w]+) IBM FTP.*(V\d+R\d+)/ p|IBM OS/390 ftpd| h/$1/ v/$2/ o|OS/390|
match ftp m|^220-IBM FTP, .*\.\r\n220 Connection will close if idle for more than 120 minutes\.\r\n| p|IBM OS/390 ftpd| o|OS/390|
match ftp m/^220 VxWorks \((\d[^)]+)\) FTP server ready/ p/VxWorks ftpd/ v/$1/ o/VxWorks/
match ftp m/^220 VxWorks \(VxWorks(\d[^)]+)\) FTP server ready/ p/VxWorks ftpd/ v/$1/ o/VxWorks/
match ftp m|^220 VxWorks FTP server \(VxWorks ([\d.]+) - Secure NetLinx version \(([\d.]+)\)\) ready\.\r\n| p|AMX NetLinx A/V control system ftpd| v/$2/ i/VxWorks $1/ o/VxWorks/ d/media device/
match ftp m|^220 ABB Robotics FTP server \(VxWorks ([\d.]+) rev ([\d.]+)\) ready\.\r\n| p/ABB Robotics ftpd/ i/VxWorks $1 rev $2  **A ROBOT**/ o/VxWorks/ d/specialized/

# Pure-ftpd
match ftp m/^220.*Welcome to .*Pure-?FTPd (\d\S+\s*)/ p/PureFTPd/ v/$1/
match ftp m/^220.*Welcome to .*Pure-?FTPd[^(]+\r\n/ p/PureFTPd/
match ftp m|^220.*Bienvenue sur .*Pure-?FTPd.*\r\n| p/PureFTPd/ i/French/
match ftp m/^220.*Bienvenue sur .*Pure-?FTPd (\d[-.\w]+)/ p/PureFTPd/ v/$1/ i/French/
match ftp m|^220.*Velkommen til .*Pure-?FTPd.*\r\n| p/PureFTPd/ i/Danish/
match ftp m|^220.*Bem-vindo.*Pure-?FTPd.*\r\n| p/PureFTPd/ i/Portugese/
# pure-ftpd 1.0.12 on Linux 2.4
match ftp m|^220[- ]FTP server ready\.\r\n.*214 Pure-FTPd - http://pureftpd\.org/?\r\n|s p/Pure-FTPd/
# OpenBSD 3.4 beta running Pure-FTPd 1.0.16 with SSL/TLS
match ftp m|^220---------- Welcome to Pure-FTPd \[privsep\] \[TLS\] ----------\r\n220-You are user number| p/Pure-FTPd/ i|with SSL/TLS|
match ftp m|^220---------- .* Pure-FTPd ----------\r\n220-| p/Pure-FTPd/
match ftp m|^220-.*214 Pure-FTPd - http://pureftpd\.org/\r\n|s p/Pure-FTPd/

match ftp m/^220 ready, dude \(vsFTPd (\d[0-9.]+): beat me, break me\)\r\n/ p/vsFTPd/ v/$1/ o/Unix/
match ftp m/^220 \(vsFTPd ([-.\w]+)\)\r\n$/ p/vsFTPd/ v/$1/ o/Unix/
match ftp m/^220 TYPSoft FTP Server (\d\S+) ready\.\.\.\r\n/ p/TYPSoft ftpd/ v/$1/ o/Windows/
match ftp m/^220-MegaBit Gear (\S+).*FTP server ready/ p/MegaBit Gear ftpd/ v/$1/
match ftp m/^220.*WS_FTP Server (\d\S+)/ p/WS FTPd/ v/$1/ o/Windows/
match ftp m/^220 Features: a p \.\r\n$/ p/Publicfile ftpd/ o/Unix/
match ftp m/^220 ([-.\w]+) FTP server \(Version (\S+) VFTPD, based on Version (\S+)\) ready\.\r\n$/ p/Virtual FTPD/ h/$1/ v/$2/ i/based on $2/ o/Unix/
match ftp m|220 ([-.\w]+) FTP server \(Version (\S+)/OpenBSD, linux port (\S+)\) ready\.\r\n| p/OpenBSD ftpd/ h/$1/ v/$2/ i/Linux port $2/ o/Linux/
match ftp m|^220 ([-.\w]+) FTP server \(Version (\S+)/OpenBSD/Linux-ftpd-([-.\w]+)\) ready.\r\n$| p/OpenBSD ftpd/ h/$1/ v/$2/ i/Linux port $2/ o/Linux/
match ftp m/^220 Interscan Version ([-\w.]+)/i p/Interscan Viruswall ftpd/ v/$1/
match ftp m|^220 InterScan FTP VirusWall NT (\d[-.\w]+) \(([-.\w]+) Mode\), Virus scan (\w+)\r\n$| p/Interscan VirusWall NT/ v/$1/ i/Virus scan $3; $2 mode/ o/Windows/
match ftp m|^220 ([-.\w]+) FTP server \(Version ([-.\w]+)/OpenBSD\) ready\.\r\n$| p/OpenBSD ftpd/ h/$1/ v/$2/ o/OpenBSD/
match ftp m|^220 ([-.\w]+) FTP server \(Version (6.0\w+)\) ready.\r\n| p/FreeBSD ftpd/ h/$1/ v/$2/ o/FreeBSD/
match ftp m|^220  FTP server \(Version ([\w.]+)\) ready\.\r\n| p/FreeBSD ftpd/ v/$1/ o/FreeBSD/
# Trolltech Troll-FTPD 1.28 (Only runs on Linux)
match ftp m|^220-Setting memory limit to 1024\+1024kbytes\r\n220-Local time is now \d+:\d+ and the load is [.\d]+\.\r\n220 You will be disconnected after \d+ seconds of inactivity.\r\n$| p/Trolltech Troll-FTPd/ o/Linux/

match ftp m|^220  FTP server \(Hummingbird Ltd\. \(HCLFTPD\) Version (7.1.0.0)\) ready\.\r\n$| p/Hummingbird FTP server/ v/$1/
match ftp m|^220  FTP server \(Hummingbird Communications Ltd\. \(HCLFTPD\) Version ([\d.]+)\) ready\.\r\n| p/Hummingbird FTP server/ v/$1/

match ftp m|^220- .*\n220 ([-.\w]+) FTP server \(Version (.*)\) ready\.\r\n|s p/BSD ftpd/ h/$1/ v/$2/
match ftp m|^220 ArGoSoft FTP Server for Windows NT/2000/XP, Version [\d.]+ \(([\d.]+)\)\r\n| p/ArGoSoft ftpd/ v/$1/ o/Windows/
# Xitami FTPd
match ftp m|^220- \r\n.*www\.imatix\.com --\r\n|s p/Xitami ftpd/
match ftp m|^220- Welcome to this Xitami FTP server, running version ([\d\w.]+) of Xitami\. \n You are user number (\d+) of a permitted (\d+) users\.| p/Xitami ftpd/ v/$1/ i|$2/$3 users|
# Xitami FTPd
match ftp m|^220- \r\n.*www\.imatix\.com --\r\n|s p/Xitami ftpd/
match ftp m|^220- Welcome to this Xitami FTP server, running version ([\d\w.]+) of Xitami\. \n You are user number (\d+) of a permitted (\d+) users\.| p/Xitami ftpd/ v/$1/ i|$2/$3 users|

# Netware 6 - NWFTPD.NLM FTP Server Version 5.01w
match ftp m|^220 Service Ready for new User\r\n$| p/Netware NWFTPD/
match ftp m|^220-LRN\r\n220 Service Ready for new User\r\n| p/Netware NWFTPD/
match ftp m|^220 ([-\w]+) FTP server \(NetWare (v[\d.]+)\) ready\.\r\n$| p/Novell Netware ftpd/ h/$1/ v/$2/ o/NetWare/
match ftp m|220  FTP Server for NW 3.1x, 4.xx  \((v1.10)\), \(c\) 199[0-9] HellSoft\.\r\n$| p/HellSoft FTP server for Netware 3.1x, 4.x/ v/$1/
match ftp m|^220 ([-.\w]+) MultiNet FTP Server Process V(\S+) at .+\r\n$| p/DEC OpenVMS MultiNet FTPd/ h/$1/ v/$2/
match ftp m|^220-\r\n220 ([-.\w]+) FTP server \(NetBSD-ftpd ([-.\w]+)\) ready.\r\n$| p/NetBSD ftpd/ h/$1/ v/$2/ o/NetBSD/
match ftp m|^220 ([-.\w]+) Network Management Card AOS v([-.\w]+) FTP server ready.\r\n$| p/APC AOS ftpd/ v/$2/ i/on APC $1 network management card/ d/power device/ o/AOS/
# G-Net BB0060 ADSL Modem - the ftpd might be by "GlobespanVirata" as that
# is what the telnetd on this device said.
match ftp m|^220 FTP Server \(Version 1.0\) ready.\r\n$| p/G-Net DSL Modem ftpd/ v/1.0/ d/broadband router/
# HP-UX B.11.00
match ftp m|^220 ([-.\w ]+) FTP server \(Version (1.1.2[.\d]+) [A-Z][a-z]{2} [A-Z][a-z]{2} .*\) ready.\r\n| p/HP-UX ftpd/ h/$1/ v/$2/ o/HP-UX/
# 220 mirrors.midco.net FTP server ready.
# WarFTP Daemon 1.70 on Win2K
match ftp m=^220-.*\r\n(220-|)    WarFTPd (\d[-.\w]+) \([\w ]+\) Ready\r\n=s p/WarFTPd/ v/$2/
match ftp m|^220 ([-.+\w]+) FTP SERVICE ready\r\n500 Please enter a command\. Dunno how to interperet empty lines\.\.\.\r\n500 Please enter a command\. Dunno how to interperet empty lines\.\.\.\r\n$| p/WarFTPd/ h/$1/ o/Windows/
match ftp m|^220 Welcome to Windows FTP Server| p|Windows Ftp Server| i|Not from Microsoft - http://srv.nease.net/|
# UnixWare 7.11
match ftp m|^220 ([\w-_.]+) FTP server \(BSDI Version ([\w.]+)\) ready\.\r\n| p|BSDI/Unixware ftpd| v/$2/ h/$1/
match ftp m|^220  FTP server \(Hummingbird Ltd\. \(HCLFTPD\) Version ([\d.]+)\) ready\.\r\n| p/Hummingbird ftpd/ v/$1/
match ftp m|^220 OpenFTPD server ready\. .*\.\r\n| p/OpenFTPD/
match ftp m|^220 ([\w\d-_.]+) FTP server \(NetBSD-ftpd 200\d+\) ready\.\r\n| p/NetBSD ftpd/ o/NetBSD/
match ftp m|^220-\r\n    Your connection logged!\r\n220 ([\w\d-_.]+) FTP server \(NetBSD-ftpd 200\d+\) ready\.\r\n| p/NetBSD ftpd/ o/NetBSD/ i/Connection logged/
match ftp m|^220 CommuniGate Pro FTP Server ([\d.]+) ready\r\n| p/Communigate Pro ftpd/ v/$1/
match ftp m|^220 CommuniGate Pro FTP Server ready\r\n| p/Communigate Pro ftpd/
match ftp m|^421 Sorry you are not welcomed on this server\.\r\n$| p/BulletProof ftpd/ i/Banned/ o/Windows/
match ftp m|^(220.*\r\n)?220 [Ee]valine FTP server \(Version:  Mac OS X|s p/Evaline ftpd/ o/Mac OS X/
match ftp m|^220 WinGate Engine FTP Gateway ready\r\n| p/WinGate ftpd/ o/Windows/
match ftp m|^220 Welcome to Quick 'n Easy FTP Server\r\n| p/Quick 'n Easy ftpd/ o/Windows/
match ftp m|^421 Too many connections for this IP address, please try again later\.\r\n| p/Quick 'n Easy ftpd/ o/Windows/
match ftp m|^220 Tornado-vxWorks \(VxWorks([\d.]+)\) FTP server ready\r\n| p/Tornado vxWorks ftpd/ v/$1/
match ftp m|^220 [\w-_.]+ FTP server \(UNIX\(r\) System V Release 4\.0\) ready\.\r\n| p/UNIX System V Release 4.0 ftpd/
match ftp m|^220 ([\w-_.]+) FTP Server \(Oracle XML DB/Oracle9i Enterprise Edition Release ([\d.]+) - Production\) ready\.\r\n| p/Oracle Enterprise XML DB ftpd/ v/$2/ h/$1/
match ftp m|^220 ([\w-_.]+) FTP Server \(Oracle XML DB/Oracle Database 10g Enterprise Edition Release ([\d.]+) - Production\) ready\.\r\n| p/Oracle 10g Enterprise XML DB ftpd/ v/$2/ h/$1/
match ftp m|^220 ([\w-_.]+) FTP Server \(Oracle XML DB/Personal Oracle9i Release ([\d.]+) - Production\) ready\.\r\n| p/Personal Oracle XML DB ftpd/ v/$1/ h/$1/
match ftp m|^220 ([\w-_.]+) PacketShaper FTP server ready\.\r\n| p/PacketShaper ftpd/ h/$1/ o/Windows/
match ftp m|^220 Axis 2100 Network Camera ([\d.]+) .* ready\.\r\n| p/Axis 2100 Network Camera ftpd/ v/$1/ d/webcam/
match ftp m|^220 AXIS 205 version ([\d.]+) \(.*\) ready\.\r\n| p/AXIS 205 Network Video ftpd/ v/$1/ d/webcam/
match ftp m|^220 WfFTP server\(([\w.]+)\) ready\.\r\n| p/Nortel WfFTP/ v/$1/ d/router/
match ftp m|^220- (.*) WAR-FTPD ([\d-.]+) Ready\r\n220 Please enter your user name\.\r\n| p/WAR-FTPD/ v/$2/ i/Name $1/ o/Windows/
match ftp m|^220 Canon EB-65 FTP Print Server V([\d.]+) .* ready\.\r\n| p/Canon EB-65 FTP Print Server/ v/$1/ d/print server/
match ftp m|^500 OOPS: .*\r\n$| p/vsftpd/ i/Misconfigured/ o/Unix/
match ftp m|^500 OOPS: vsftpd: both local and anonymous access disabled!\r\n| p/vsftpd/ i/Access denied/ o/Unix/
match ftp m|^220 FTP Version ([\d.]+) on MPS100\r\n| p/Lantronix MPS100 ftpd/ v/$1/ d/print server/
match ftp m|^220 bftpd ([\d.]+) at ([\w-_.]+) ready\.?\r\n| p/bftpd/ v/$1/ h/$2/
match ftp m|^220 RICOH Aficio 1045 FTP server \(([\d.]+)\) ready\.\r\n| p/RICOH Aficio 1045 ftpd/ v/$1/ d/print server/
match ftp m|^220 Welcome to Code-Crafters Ability FTP Server\.\r\n| p/Code-Crafters Ability ftpd/ o/Windows/
match ftp m|^220 Welcome to Code-Crafters - Ability Server ([\d.]+)\.| p/Code-Crafters Ability ftpd/ v/$1/ o/Windows/
match ftp m|^220 ([\w-_.]+)           FTP server \(ARM_BE - V([\w.]+)\) ready\.\r\n| p/NetComm NS4000 Network Camera/ h/$1/ i/ARM_BE $2/ d/webcam/
match ftp m|^220 MikroTik FTP server \(MikroTik v([\d.]+)\) ready\r\n| p/MikroTik router ftpd/ v/$1/ d/router/
match ftp m|^220 NetPresenz v([\d.]+) \(Unregistered\) awaits your command\.\r\n| p/NetPresenz/ v/$1/ i/Unregistered/ o/MacOS/
match ftp m|^220 LP-8900-\w+ FTP server \(OEM FTPD version ([\d.]+)\) ready\.\r\n| p/EPSON Network Print Server ftpd/ i/runs OEM FTPD $1/ d/print server/
match ftp m|^220 StylusPhoto750-AF6788 FTP server \(OEM FTPD version ([\d.]+)\) ready\.\r\n| p/Epson StylusPhoto750 ftpd/ i/runs OEM FTPD $1/ d/print server/
match ftp m|^220 AL-C900-BB0200 FTP server \(OEM FTPD version ([\d.]+)\) ready\.\r\n| p/Epson AcuLaser C900 printer ftpd/ i/runs OEM FTPD $1/ d/printer/
match ftp m|^220 FTP Version ([\d.]+) on MSS100\r\n| p/Lantronix MSS100 serial interface ftpd/ v/$1/ d/specialized/
match ftp m|^503 Service Unavailable\r\n\r\n\0$| p/NFR BackOfficer Friendly ftp honeypot/
match ftp m|^220 Matrix FTP server \(Server \w+#\d\) ready\.\r\n| p/Matrix ftpd/
match ftp m|^220 Titan FTP Server ([\d.]+) Ready\.\r\n| p/Titan ftpd/ v/$1/ o/Windows/
match ftp m|^421-\+=\+=\+=\+=\+=\+=\+=\+=\+=\+=\+=\+=\+=\+=\+=\+=\+=\+=\+=\+=\+=\+=\+=\+=\+=\+=\+=\+=\+=\+=\+\r\n421-The evaluation period for this Titan FTP Server has expired\.\r\n| p/Titan ftpd/ i/Evaluation period expired/ o/Windows/
match ftp m|^220 ioFTPD \[www: http://www\.ioftpd\.com\] - \[version: ([\w-_. ]+)\] server ready\.\r\n| p/ioFTPD/ v/$1/ o/Windows/
match ftp m|^220 CesarFTP ([\w.]+) Server Welcome !\r\n| p/CesarFTPd/ v/$1/ o/Windows/
match ftp m|^220 CesarFTP ([\w.]+) \xb7\xfe\xce\xf1\xc6\xf7\xbb\xb6\xd3\xad !\r\n| p/CesarFTPd/ v/$1/ i/Chinese/ o/Windows/
match ftp m|^220-This site is running the BisonWare BisonFTP server product V([\d.]+)\r\n| p/BisonWare BisonFTPd/ v/$1/ o/Windows/
match ftp m=^220-Welcome to XBOX FileZilla( \(XBMC\)|)\r\n220-version: XBFileZilla version ([\d.]+), \(based on FileZilla Server ([\d.]+)\)\r\n220 http://sourceforge\.net/projects/xbfilezilla\r\n= p/XBFileZilla/ v/$2/ i/Based on FileZilla $3/
match ftp m|^220 Session will be terminated after 600 seconds of inactivity\.\r\n| p/Cisco 3000 VPN ftpd/ o/IOS/ d/security-misc/
match ftp m|^220-SlimFTPd ([\d.]+), by WhitSoft Development \(www\.whitsoftdev\.com\)\r\n| p/SlimFTPd/ v/$1/ o/Windows/
match ftp m|^220 BlackMoon FTP Server Version ([\d.]+ Release \d+) - Build \d+\. Free Edition\. Service Ready\r\n| p/BlackMoon ftpd/ v/$1/ o/Windows/
match ftp m|^220 netapp ftp server\r\n| p/netapp ftpd/
match ftp m|^220 Oracle Internet File System FTP Server ready\r\n| p/Oracle Internet File System ftpd/
match ftp m|^220 RICOH Aficio (\w+) FTP server \(([\d.]+)\) ready\.\r\n| p/Ricoh Aficio $1 printer ftpd/ v/$2/ d/printer/
match ftp m|^220 NRG 2205/2238/2212 FTP server \(([\d.]+)\) ready\.\r\n| p|NRG 2205/2238/2212 copier ftpd| v/$1/ d/printer/
match ftp m|^500 Sorry, no server available to handle request on 66\.90\.74\.155\.\r\n| p/proftpd/ i/Misconfigured/
match ftp m|^220 mandelbrot FTP server \(Version ([\d.]+) \(NeXT ([\d.]+)\) .*\) ready\.\r\n| p/mandelbrot ftpd/ v/$1/ i/NeXT $2/ o/NeXTStep/
# Microsoft Windows .NET Enterprise Server (build 3604-3790)
match ftp m|^220 Net Administration Divisions FTP Server Ready\.\.\.\r\n| p/Net Administration Divisions ftpd/
match ftp m|^220-\r\n220-\r\n220 Please enter your user name\.\r\n| p/MoreFTPd/
match ftp m|^220 ([\w-_.]+) FTP server \(OSF/1 Version ([\d.]+)\) ready\.\r\n| p|OSF/1 ftpd| i|OSF/1 $2| h/$1/ o/Unix/
match ftp m|^220 AXIS StorPoint CD E100 CD-ROM Server V([\d.]+) .*  ready\.\r\n| p/AXIS StorPoint E100 CD-ROM Server ftpd/ v/$1/ d/storage-misc/
match ftp m|^220 Qtopia ([\d.]+) FTP Server\n| p/Qtopia ftpd/ v/$1/ d/PDA/
match ftp m|^220 Gene6 FTP Server v([\d.]+)  \(Build \d+\).* ready\.\.\.\r\n| p/Gene6 ftpd/ v/$1/ o/Windows/
match ftp m|^220 G6 FTP Server v([\d.]+) \(beta (\d+)\) ready \.\.\.\r\n| p/Gene6 ftpd/ v/$1 beta $2/ o/Windows/
match ftp m|^220 sftpd/([\d.]+) Server \[[\w-_.]+\]\r\n| p/sftpd/ v/$1/
match ftp m|^220-TYPSoft FTP Server ([\d.]+) ready\.\.\.\r\n| p/TYPSoft ftpd/ v/$1/ o/Windows/
match ftp m|^220 Welcome to Pablo's FTP Server\r\n| p/Pablo's ftpd/ o/Windows/
match ftp m|^220 PowerLogic FTP Server ready\.\r\n| p/PowerLogic embedded device ftpd/ d/specialized/
match ftp m|^220 INTERMEC 540\+/542\+ FTP Printer Server V([\d.]+) .* ready\.\r\n| p|Intermec 540+/542+ printer ftpd| v/$1/ o/printer/
match ftp m|^220 EthernetBoard OkiLAN 8100e Ver ([\d.]+) FTP server\.\r\n| p/OkiLAN 8100e print server/ v/$1/ d/print server/
# SpeedStream 5660 ADSL modem/router
match ftp m|^220 VxWorks \(ENI-ftpd ([\d.]+)\) FTP server ready\r\n| p/SpeedStream 5660 ADSL router/ i|Runs ENI-ftpd/$1 on VxWorks| d/router/
match ftp m|^220--------------------------------------------------------------------------------\r\n220-This is the \"Banner\" message for the Mac OS X Server's FTP server process\.\r\n.*220 ([\w-_.]+) FTP server \(Version:  Mac OS X Server ([\d.]+) - \+GSSAPI\) ready\.\r\n|s p/Mac OS X Server ftpd/ i/MacOS X $2/ h/$1/
match ftp m|^220 Welcome to U\.S\.Robotics SureConnect ADSL Ethernet/USB Router update FTP server v([\d.]+)\.\r\n| p/USR SureConnect ADSL router ftpd/ v/$1/ d/router/
match ftp m|^220-Welcome to Xerver Free FTP Server ([\d.]+)\.\r\n220-\r\n220-You can login below now\.\r\n220 Features: \.\r\n| p/Xerver Free ftpd/ v/$1/
match ftp m|^220 ([\w-_.]+) FTP server \(tnftpd (\d+)\) ready\.\r\n| p/tnftpd/ v/$2/ h/$1/
match ftp m|^220 ([\w-_.]+) FTP server \(LundFTPD ([\d.]+) .*\) ready\.\r\n| p/LundFTPd/ v/$2/ h/$1/
match ftp m|^220 HD316\r FTP server\(Version([\d.]+)\) ready\.\r\n| p/Panasonic HD316 Digital Disk Recorder/ v/$1/ d/storage-misc/
match ftp m=^220 \w+ IBM Infoprint (Color |)(\d+) FTP Server ([\d.]+) ready\.\r\n= p/IBM Inforprint $1$2 ftpd/ v/$3/ d/printer/
match ftp m|^220 ShareIt FTP Server ([\d.]+) \(WINCE\) Ready\.\r\n| p/ShareIt ftpd/ v/$1/ d/PDA/
match ftp m|^220 StnyFtpd 0wns j0\n$| p/Unknown ftp backdoor/
match ftp m|^220 ISOS FTP Server for Upgrade Purpose \(([\d.]+)\) ready\r\n| p/Billion 741ge ADSL router/ v/$1/ d/router/
match ftp m|^220 PV11 FTP Server ready\r\n| p/Unknown wireless acces point ftpd/ i/Runs Phar Lap RTOS/ d/router/
match ftp m|^220 Alize Session Manager FTP Server\r\n| p/Alcatel OmniPCX ftpd/ d/PBX/
match ftp m|^220-FTP Server ready\r\n220-Welcome to the Sambar FTP Server\r\r\n| p/Sambar ftpd/
match ftp m|^220 SINA FTPD \(Version ([\d-.]+)\).*\r\n| p/Sina ftpd/ v/$1/
match ftp m|^220 DataHive FTP Server ([\d.]+) Ready\.\r\n| p/DataHive ftpd/ v/$1/
match ftp m|^220--- AlterVista FTP, based on Pure-FTPd --\r\n| p/AlterVista ftpd/ i/Based on Pure-ftpd/
match ftp m|^220 Welcome to the ADI Convergence Galaxy update FTP server v([\d.]+)\.\r\n| p/ADI Convergence Galaxy update ftpd/ v/$1/
match ftp m|^421 You are not permitted to make this connection\.\r\n| p/Symantec Raptor Firewall ftpd/ d/firewall/
match ftp m|^220 copier2FTP server ready\.\r\n| p/Konica Minolta Di3510 Copier ftpd/ d/printer/
match ftp m|^220 DrayTek FTP version ([\d.]+)\r\n| p/DrayTek Vigor router ftpd/ v/$1/ d/router/
match ftp m|^220 ([\w-_.]+) FTP server ready \(mod_ftpd/([\d.]+)\)\r\n| p/mod_ftpd/ v/$2/ h/$1/
match ftp m|^220 The Avalaunch FTP system -- enter user name\r\n| p/Avalaunch ftpd/ i/XBox/
match ftp m|^220 Server 47 FTP service\. Welcome\.\r\n| p/bftpd/ o/Unix/
match ftp m%^220-loading\.\.\r\n220-\|           W e L c O m E @ SFXP\|=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\|\r\n% p/SwiftFXP/
match ftp m|^220 Z-FTP\r\n| p/Z-FTPd/
match ftp m|^220 DELL1700n Dell Laser Printer 1700n FTP Server ([\w.]+) ready\.\r\n| p/Dell 1700n laser printer ftpd/ v/$1/ d/printer/
match ftp m|^220 Plan 9 FTP server ready\r\n| p/Plan 9 ftpd/ o/Plan9/
match ftp m=^220-\+----------------------\[ UNREGISTERED VERSION \]-----------------------\+\r\n220-\|   This site is running unregistered copy of RaidenFTPD ftp server   \+\r\n= p/RaidenFTPd/ i/Unregistered/ o/Windows/
match ftp m|^220.*\r\n220 ([\w-_.]+) FTP server \(Version:  Mac OS X Server ([\d.]+) - \+GSSAPI\) ready\.\r\n|s p/MacOS X Server ftpd/ i/MacOS X Server $2/ h/$1/
match ftp m|^220 Fastream NETFile FTP Server( Ready)?\r\n| p/Fastream NETFile FTPd/ o/Windows/

match ftp-proxy m|^220 Ftp service of Jana-Server ready\r\n| p/JanaServer ftp proxy/
match ftp-proxy m|^220 FTP Gateway at Jana Server ready\r\n| p/JanaServer ftp proxy/
match ftp-proxy m|^220 ([-.\w]+) FTP proxy \(Version (\d[-.\w]+)\) ready\.\r\n| p/Guantlet FTP proxy/ v/$1/
# Frox FTP Proxy (frox-0.6.5) on Linux 2.2.X - http://frox.sourceforge.net/
match ftp-proxy m|^220 Frox transparent ftp proxy\. Login with username\[@host\[:port\]\]\r\n| p/Frox ftp proxy/
match ftp-proxy m|^501 Proxy unable to contact ftp server\r\n| p/Frox ftp proxy/
match ftp-proxy m|^220 ([-.+\w]+) FTP AnalogX Proxy (\d[-.\w]+) \(Release\) ready\r\n| p/AnalogX FTP proxy/ h/$1/ v/$2/
match ftp-proxy m|^220 Secure Gateway FTP server ready\.\r\n| p/Symantec Enterprise Firewall FTP proxy/ d/firewall/
match ftp-proxy m/^220-Sidewinder ftp proxy\.  You must login to the proxy first/ p/Sidewinder FTP proxy/
match ftp-proxy m/^220-\r\x0a220-Sidewinder ftp proxy/s p/Sidewinder FTP proxy/
match ftp-proxy m|^220 webshield2 FTP proxy ready\.\r\n| p/Webshield2 FTP proxy/ o/Windows/
match ftp-proxy m|^220 WinProxy FTP Gateway ready, enter username@host\[:port\]\r\n| p/WinProxy FTP Gateway/ o/Windows/
match ftp-proxy m|^220 Proxy602 Gateway ready, enter user@host\[:port\]\r\n| p/Proxy602 ftp proxy/ d/firewall/
match ftp-proxy m|^220 Java FTP Proxy Server \(usage: USERID=user@site\) ready\.\r\n| p/Java FTP Proxy/
match ftp-proxy m|^220 ([\w-_.]+) FTP proxy \(Version V([\d.]+)\) ready\.\r\n| p/Generic FTP proxy/ v/$2/ h/$1/
match ftp-proxy m|^220 CoolProxy FTP server & firewall\r\n| p/CoolProxy ftp proxy/ o/Windows/
# TODO kerio?
#match ftp m|^421 Service not available \(The FTP server is not responding\.\)\n$| v/unknown FTP server//service not responding/
match vdr m|220(\S+) SVDRP VideoDiskRecorder (\d[^\;]+);| p/VDR/ h/$1/ v/$2/ d/media device/

softmatch ftp m/^220 [-.\w ]+ftp.*\r\n$/i
softmatch ftp m/^220-[-.\w ]+ftp.*\r\n220/i
softmatch ftp m/^220[- ].*ftp server.*\r\n/i
softmatch ftp m/^220-\r?\n220 - ftp/i

match fw1-rlogin m|^\0Check Point FireWall-1 authenticated RLogin server running on ([-.\w]+)\r\n\r| p/Check Point FireWall-1 authenticated RLogin server/ i/$1/
match gnats m|^200 ([-.\w]+) GNATS server (\d[-.\w]+) ready\.\r\n| p/GNATS bugtracking system/ h/$1/ v/$2/
# Returns ASCII data in the following format:
# |HardDrive1DevName|HardDrive1HardwareID|HardDrive1Temp|TempUnit|
# |HardDrive2DevName|HardDrive2HardwareID|HardDrive2Temp|TempUnit|
match hddtemp m+^\|/dev/hd\w\|+ p/hddtemp hard drive info server/
# And now for some SORRY web servers that just blurt out an http "response" upon connection!!!
match http m|^HTTP/1\.1 200 OK\r\nContent-type: text/html\r\nExpires: .*\r\nDate: .*\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n<HTML><TITLE>JAP</TITLE>\n| p/Java Anonymous Proxy/
match http m|^HTTP/1.0 500\r\nContent-type: text/plain\r\n\r\nNo Scan Capable Devices Found\r\n| p/HP Embedded Web Server remote scan service/ i/no scanner found/ d/printer/
# SMC Barricade 7004ABR
match http m|^HTTP/1\.0 301 Moved\r\nLocation: http://\d+\.\d+\.\d+\.\d+:88\r\n| p/SMB Barricade broadband router/ i/simply redirects to real web admin port 88/ d/router/
match hp-gsg m|^220 JetDirect GGW server \(version (\d[.\d]+)\) ready\r\n| p/HP JetDirect Generic Scan Gateway/ v/$1/ d/printer/
match hylafax m|^220 ([-.\w]+) server \(HylaFAX \(tm\) Version (\d[-.\w]+)\) ready\.\r\n$| p/HylaFAX/ h/$1/ v/$2/ o/unix/
# Hylafax 4.1.6 on Linux 2.4
match hylafax m|^130 Warning, client address \"[\d.]+\" is not listed for host name \"([-.\w]+)\"\.\r\n| p/HylaFAX/ i/IP unauthorized/ h/$1/
match ichat m|^\r\n                                Welcome To\r\n                             ichat ROOMS (\d[-.\w]+)\r\n==| p|^iChat Rooms| v|$1|
match ident m|^flock\(\) on closed filehandle .*midentd| p/midentd/ i/broken/
match ident m|^nullidentd -- version (\d[-.\w]+)\nCopyright | p/Nullidentd/ v/$1/ i/broken/

match imap m|^\* OK ([-/.+\w]+) Solstice \(tm\) Internet Mail Server \(tm\) (\d[-.\w]+) IMAP4 service - at | p/Sun Solstice Internet Mail Server imapd/ h/$1/ v/$2/ o/Unix/
match imap m|^\* OK GroupWise IMAP4rev1 Server Ready\r\n| p/Novell GroupWise imapd/ o/Unix/
match imap m|^\* OK dbmail imap \(protocol version 4r1\) server (\d[-.\w]+) ready to run\r\n| p/DBMail imapd/ v/$1/ i/imapd version may differ from overal dbmail version number/
match imap m|^\* OK ([-.+\w]+) NetMail IMAP4 Agent server ready | p/Novell NetMail imapd/ h/$1/ o/Unix/
match imap m|^\* OK IMAP4 Server \(IMail (\d[-.\w]+)\)\r\n| p/IMail imapd/ v/$1/
match imap m|^\* OK Merak (\d[-.\w]+) IMAP4rev1 | p/Merak Mail Server imapd/ v/$1/ o/Windows/
match imap m|^\* OK ([-.+\w]+) IMAP4rev1 Mercury/32 v(\d[-.\w]+) server ready\.\r\n| p|Mercury/32 imapd| h/$1/ v/$2/ o/Windows/
match imap m|^\* OK ([-.\w]+) IMAP4 service \(Netscape Messaging Server (\d[-.\w ]+) \(built ([\w ]+)\)\)\r\n| p/Netscape Messaging Server Imapd/ h/$1/ v/$2/ i/built $3/
match imap m|^\* OK \[CAPABILITY .*\] ([-.\w]+) IMAP4rev1 (20[\w.]+) at | p/UW imapd/ h/$1/ v/$2/
match imap m|^\* OK eXtremail V(\d[-.\w]+) release (\d+) IMAP4 server started\r\n| p/eXtremail IMAP server/ v/$1.$2/
match imap m|^\* OK ([-.\w]+) NetMail IMAP4 Agent server ready <.*>\r\n| p/Novell Netmail imapd/ h/$1/ o/Unix/
# Alt-N MDaemon 6.5.1 imap server on Windows XP
match imap m|^\* OK ([-.\w]+) IMAP4rev1 MDaemon (\d[-.\w]+) ready\r\n| p/Alt-N MDaemon imapd/ v/$2/ h/$1/
# Dovecot IMAP Server - http://dovecot.procontrol.fi/
match imap m|^\* OK dovecot ready\.\r\n| p/Dovecot imapd/
match imap m|^\* OK.*?Courier-IMAP ready\. Copyright 1998-(\d+) Double Precision, Inc\.  See COPYING for distribution information\.\r\n| p/Courier Imapd/ i/released $1/
match imap m|^\* OK \[CAPABILITY IMAP4rev1 .*?Courier-IMAP ready\. Copyright 1998-(\d+) Double Precision, Inc\.  See COPYING for distribution information\.\r\n| p/Courier IMAP4rev1 Imapd/ i/released $1/
match imap m|^\* OK CommuniGate Pro IMAP Server ([-.\w]+) at ([-.\w]+) ready\r\n$| p/CommuniGate Pro imapd/ h/$1/ v/$2/
# W-Imapd-SSL v2001adebian-6
match imap m|^\* OK \[CAPABILITY IMAP4REV1 X-NETSCAPE LOGIN-REFERRALS STARTTLS AUTH=LOGIN\](\S+) IMAP4rev1 ([-.\w]+) at| p/UW-Imapd-SSL/ h/$1/ v/$2/
match imap m|^\* OK Domino IMAP4 Server Release (\d[-.\w]+) +ready| p/Lotus Domino imapd/ v/$1/
match imap m|^\* OK Microsoft Exchange IMAP4rev1 server version ([-.\w]+) | p/Microsoft Exchange IMAP4rev1 server/ v/$1/ o/Windows/
match imap m|^\* OK Microsoft Exchange 2000 IMAP4rev1 server version (\d[-.\w]+) \([-.\w]+\) ready\.\r\n| p/Microsoft Exchange 2000 IMAP4rev1 server/ v/$1/ o/Windows/
match imap m|^\* OK \[CAPABILITY IMAP4REV1 .*IMAP4rev1 (200\d\.[-.\w]+) at| p/UW Imapd/ v/$1/
match imap m|^\* OK ([-.\w]+) Cyrus IMAP4 v([-.\w\+]+) server ready\r\n| p/Cyrus IMAP4/ h/$1/ v/$2/
match imap m|^\* OK ([-.\w]+) Cyrus IMAP4 Murder v([-.\w]+) server ready\r\n| p/Cyrus IMAP4 Murder/ h/$1/ v/$2/
match imap m|^\* OK Welcome to Binc IMAP v(\d[-.\w]+)| p/Binc IMAPd/ v/$1/
match imap m|^\* OK ([-.\w]+) IMAP4rev1 AppleMailServer (\d[-.\w]+) ready\r\n| p/AppleMailServer imapd/ h/$1/ v/$2/
match imap m|^\* BYE Connection refused\r\n| p/Microsoft Exchange IMAP server/ i/refused/ o/Windows/
match imap m/^\* OK IMAP4rev1 Server Classic Hamster (Vr.|Version) [\d.]+ \(Build ([\d.]+)\) greets you!\r\n/ p/Classic Hamster imapd/ v/$2/ o/Windows/
match imap m|^\* OK ([\w-_.]+) Oracle Email Server esimap\t([\d.]+) \t  is ready\r\n| p/Oracle imapd/ v/$2/ h/$1/

softmatch imap m/^\* OK [-.\w,:+ ]+imap[-.\w,:+ ]+\r\n$/i

# Cyrus IMSPD
match imsp m|^\* OK Cyrus IMSP version (\d[-.\w]+) ready\r\n$| p/Cyrus IMSPd/ v/$1/
match imap m|^\* OK Microsoft Exchange Server ([\d]+) IMAP4rev1 server version (\d[-.\w]+) \([-.\w]+\) ready\.\r\n| p/Microsoft Exchange Server $1/ v/$2/ o/Windows/

# ircd-hybrid 7 on Linux
match irc m|^NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\nNOTICE AUTH :\*\*\* Checking Ident\r\nNOTICE AUTH :\*\*\* Got Ident response\r\nNOTICE AUTH :\*\*\* Couldn't look up your hostname\r\n$| p/Hybrid ircd/
match irc m|^NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\nNOTICE AUTH :\*\*\* Checking Ident\r\nNOTICE AUTH :\*\*\* Found your hostname\r\n$| p/Hybrid ircd/

# Hybrid6/PTlink6.15.0 ircd on Linux
match irc m|^NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\nNOTICE AUTH :\*\*\* Found your hostname\r\n$| p/Hybrid ircd/
# ircd 2.8/hybrid-6.3.1 on Linux
match irc m|^NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\nNOTICE AUTH :\*\*\* Checking Ident\r\nNOTICE AUTH :\*\*\* No Ident response\r\nNOTICE AUTH :\*\*\* Found your hostname\r\n$| p/Hybrid ircd/
# ircd-hybrid-7.0 - apparently upset because Nmap reconnected too fast
match irc m|^ERROR :Trying to reconnect too fast\.\r\n| p/Hybrid ircd/
# Hybrid-IRCD 7.0 on Linux 2.4
match irc m|^NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\nNOTICE AUTH :\*\*\* Checking Ident\r\nNOTICE AUTH :\*\*\* Found your hostname\r\nNOTICE AUTH :\*\*\* Got Ident response\r\n| p/Hybrid ircd/
# dircproxy 1.0.3 on Linux 2.4.x
match irc-proxy m|^:dircproxy NOTICE AUTH :Looking up your hostname\.\.\.\r\n:dircproxy NOTICE AUTH :Got your hostname\.\r\n| p/dircproxy/
# dirkproxy (modificated dircproxy)
match irc-proxy m|^:dirkproxy NOTICE AUTH :Looking up your hostname\.\.\.\r\n:dirkproxy NOTICE AUTH :Got your hostname\.\r\n| p/dirkproxy/
# Unreal IRCD Server version 3.2 beta 17
match irc m|(^:[-.\w]+) NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\n| p/Unreal ircd/ h/$1/
# dancer-ircd 1.0.31+maint8-1
match irc m|^NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\nNOTICE AUTH :\*\*\* Checking ident\r\nNOTICE AUTH :\*\*\* No identd \(auth\) response\r\nNOTICE AUTH :\*\*\* Found your hostname\r\n$| p/Dancer ircd/
match irc m|^NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\nNOTICE AUTH :\*\*\* Found your hostname, welcome back\r\nNOTICE AUTH :\*\*\* Checking ident\r\nNOTICE AUTH :\*\*\* No identd \(auth\) response\r\n| p/Dancer ircd/
match irc m|^NOTICE AUTH :\*\*\* Checking Ident\r\nNOTICE AUTH :\*\*\* Got ident response\r\n| p/ircu Undernet IRCd/
# Bitlbee ircd 0.80
match irc m|(^:[-.\w]+) NOTICE AUTH :BitlBee-IRCd initialized, please go on\r\n| p/BitlBee IRCd/ h/$1/
# PTlink6.15.2 on Linux 2.4
match irc m|^NOTICE AUTH :\*\*\* Hostname lookup disabled, using your numeric IP\r\nNOTICE AUTH :\*\*\* Checking Ident\r\n| p/PTlink ircd/
match irc m|(^:[-.+\w]+) NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\n:[-.+\w]+ NOTICE AUTH :\*\*\* Checking Ident\n:[-.+\w]+ NOTICE AUTH :\*\*\* Found your hostname\n| p/Bahamut Dalnet ircd/ i/derived from DreamForge and Hybrid/ h/$1/
match irc-proxy m|^:Welcome!psyBNC@lam3rz\.de NOTICE \* :psyBNC([-.\w]+)\r\n| p/psyBNC/ v/$1/
# ISS RealSecure Server Sensor for Windows 6.5 on Windows NT 4.0 Server SP6a
# ISS RealSecure ServerSensor 7.0 on Windows 2000 Server
# ISS RealSecure Server Sensor 6.0 on Windows NT 4.0 Server SP6a
# ISS RealSecure Server Sensor 7.0 issdaemon on Microsoft Windows NT Workstation with SP6a
match issrealsecure m|^\0\0\0.\x08\x01\x03\x01\0.\x02\0\0..\0\0.\0\0\0..\0\0\x80\x04..\0.\0\xa0|s p/ISS RealSecure IDS/ o/Windows/
match issrealsecure m|^\0\0\0.\x08\x01\x04\x01\0..\0\0..\0\0.\0\0\0..\0\0\x80\x04..\0.\0\xa0\0\0\0\0\0.\0\0\xa4\0\0|s p/ISS RealSecure IDS ServerSensor/ v/6.0 - 7.0/ o/Windows/
# I've only seen 1 example of the following. Probably not general enough
match issrealsecure m|^\0\0\x01/\x08\x01\x03\x01\x01'\x04\0\0\0\x18\0\0\xa4\0\0\0f\x02\0\0\x80\x04\x06\0\0\x80\0\xa05Microsoft Enhanced RSA and AES Cryptographic Provider|s p/ISS Realsecure Workgroup Manager/ o/Windows/
match klogin m|^\x01klogind: (All authentication systems disabled; connection refused)\.\.\r\n| p/MIT Kerberos klogin/ i/broken - $1/
match lmtp m|^220 ([-.\w]+) LMTP Cyrus v(\d[-.\w]+) ready\r\n| p/Cyrus Imap Daemon LMTP/ h/$1/ v/$2/
# LSMS VPN Firewall GUI admin port
# LSMS Redundancy port
match lucent-fwadm m|^0001;2$| p/Lucent Secure Management Server/
match meetingmaker m/^\xc1,$/ p/Meeting Maker calendaring/
match melange m|^\+\+\+Online\r\n>> Melange Chat Server \(Version (\d[-.\w]+)\), Apr-25-1999\r\n\nWelcome | p/Melange Chat Server/ v/$1/
# lopster 1.2.0.1 on Linux 1.1
match mserv m|^200 Mserv (\d[-.\w]+) \(c\) James Ponder 2000 - Type: USER <username>\r\n\.\r\n| p/Mserv music server/ v/$1/

softmatch napster m|^1$|

match netrek m|^<>=======================================================================<>\n  Pl: Rank       Name             Login      Host name                Type\n| p/Netrek game server player information interface/

match mldonkey m|^\x06\0\0\0\0\0\x10\0\0\0-\0\0\0\x14\0\x02\0\0\0\x06\0Donkey\x01\x0c\0\./donkey\.ini\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x11\x02\0\0\x13\0\r\x02\n\n\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\n\n                         Welcome to MLdonkey          \n| p/MLdonkey multi-network P2P GUI port/
match mldonkey m|^\xff\xfd\x1f\r\r\r\r\r\r\r\r\r\r\r\r\r\n\r\r\r\r\r\r\r\r\r\r\r\r\r\n\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\r\r\r\r\r\r\r\r\r\r\r\r\r\n\r\r\r\r\r\r\r\r\r\r\r\r\r\n                         Welcome to MLdonkey          \r\r\r\r\r\r\r\r\r\r\r\r\r\n| p/MLdonkey multi-network P2P GUI port/
match mldonkey m|^\xff\xfd\x1fWelcome to MLdonkey\n\x1b\[34mWelcome on mldonkey command-line\x1b\[2;37;0m\n\nUse \x1b\[31m\?\x1b\[2;37;0m for help\n\n\x1b\[7mMLdonkey command-line:\x1b\[2;37;0m\n> | p/MLdonkey multi-network P2P server control port/

# Microsoft ActiveSync Version 3.7 Build 3083 (It's used for syncing
# my ipaq it disapears when you remove the ipaq.)
match msactivesync m|^\x16\0\x01\0\$\0U\0P\0T\0O\0D\0A\0T\0E\0\$\0\0\0$| p/Microsoft ActiveSync/ o/Windows/
match mud m|^\n\r\xff\xfbUDo you want ANSI color\? \(Y/n\) $| p|ROM-based MUD| i|http://rrp.rom.org/|

match mysql m/^.\0\0\0\xffj\x04Host .* is not allowed to connect to this MySQL server$/ p/MySQL/ i/unauthorized/
match mysql m|^.\0\0\0\xffi\x04Host .* is blocked because of many connection errors\.| p/MySQL/ i/blocked - too many connection errors/
# MySQL 4.0.13
match mysql m/^.\0\0\0...Al sistema '[-.\w]+' non e` consentita la connessione a questo server MySQL$/ p/MySQL/
match mysql m/^.\0\0\0.(3\.[-.\w]+)\0.*\x08\x02\0\0\0\0\0\0\0\0\0\0\0\0\0\0$/s p/MySQL/ v/$1/
match mysql m/^.\0\0\0\n(3\.[-.\w]+)\0...\0/s p/MySQL/ v/$1/
# r(null,2B,"'\0\0\0\n4.0.13\0\xdf\xbc\x02\0SC7)fHu5\0, \x08\x02\0\0\0\0\0\0\0\0\0\0\0\0\0\0")
match mysql m/^.\0\0\0\n(4\.[-.\w]+)\0...\0/s p/MySQL/ v/$1/

match ncacn_http m|^ncacn_http/([\d.]+)$| p/Microsoft Windows RPC over HTTP/ v/$1/ o/Windows/
# NCD Thinstar 300 running NCD Software 2.31 build 6
match ncd-diag m|^WinCE/WBT Diagnostic port\n\rSerial Number: (\w+)  MAC Address: 0000(\w+)\s+.*CPU info: ([ -.+\w/ ]+)\r\n.*(Windows CE Kernel[-.+:\w ]+)\r|s p|NCD Thinster Terminal Diagnostic port| i|Serial# $1; MAC: $2; CPU: $3; $4|

match netdevil m|^pass_pleaz$| p/Net-Devil backdoor/ i/**TROJAN**/ o/Windows/
match netsaint m|^Sorry, you \(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\) are not among the allowed hosts\.\.\.\n$| p/Netsaint status daemon/
# I love this service:
match netstat m|^Active Internet connections \(.*\)\nProto Recv-Q Send-Q Local Address           Foreign Address         State      \n| o/Linux/
match netstat m|^netstat: invalid option -- f\nusage: netstat \[-veenNcCF\]| p/Linux netstat/ i/broken/ o/Linux/

match netbus m|^NetBus ([\d.]+).*\r$| p/NetBus trojan/ v/$1/ o/Windows/

match nntp m|^nnrpd: invalid option -- S\nUsage error\.\n| p/INN NNTPd/ i/broken/
match nntp m|^502 You have no permission to talk\.  Goodbye.\r\n$| p/INN NNTPd/ i/unauthorized/
match nntp m|^200 ([-.\w]+) NNTP Service Ready - ([-.\w]+@[-.\w]+) \(DIABLO (\d[-.\w ]+)\)\r\n| p/Diablo NNTP service/ h/$1/ v/$3/ i/Admin: $2/
match nntp m|^200 NNTP Service (\d[-.\w ]+) Version: (\d[-.\w ]+) Posting Allowed \r\n| p/Microsoft NNTP Service/ v/$2/ i/posting ok/ o/Windows/
match nntp m|^200 ([-.\w]+) DNEWS Version  (\d[-.\w]+).*posting OK \r\n| p/Netwinsite DNEWS/ h/$1/ v/$2/ i/posting OK/
match nntp m|^200 Leafnode NNTP Daemon, version (\d[-.\w]+) running at| p/Leafnode NNTPd/ v/$1/
match nntp m|^200 Lotus Domino NNTP Server for ([-./\w]+) \(Release (\d[-.\w]+), .*\) - Not OK to post\r\n$| p/Lotus Domino nntpd/ v/$2/ i/posting denied/ o/$1/
match nntp m|^200 Lotus Domino NNTP Server for ([-./\w]+) \(Release (\d[-.\w]+), .*\) - OK to post\r\n$| p/Lotus Domino nntpd/ v/$2/ i/posting ok/ o/$1/

match nntp m|^200 NNTP Service 5\.00\.0984 Version: (5\.0\.2159.1) Posting Allowed \r\n| p/Microsoft NNTP Service/ v/$1/ i/posting OK/ o/Windows 2000/
match nntp m|^200 NNTP Service Microsoft\xae Internet Services (\d[-.\w]+) Version: (\d[-.\w]+) Posting Allowed \r\n| p/Microsoft NNTP Service $1/ v/$2/ i/posting OK/ o/Windows/
match nntp m|^502 Connection refused\r\n| p/Microsoft NNTP Service/ i/refused/ o/Windows/
# Windows NT 4.0 SP5-SP6 
match nntp m|^200 Microsoft Exchange Internet News Service Version (5\.5\.[.\d]+) \(posting allowed\)\r\n| p/Microsoft Exchange Internet News Service/ v/$1/ i/posting allowed/ o/Windows/
#match nntp m|^200 ([-.\w]+) InterNetNews NNRP server INN (\d[-.\w]+) ready \(posting ok\)\.\r\n| v/InterNetNews (INN)/$2/posting ok/ h/$1/
match nntp m|^200 ([-.\w]+) InterNetNews NNRP server INN (\d[-.\w ]+) ready \(posting ok\)\.\r\n| p/InterNetNews (INN)/ h/$1/ v/$2/ i/posting ok/
match nntp m|^200 ArGoSoft News Server for WinNT/2000/XP v ([\d.]+) ready\r\n| p/ArGoSoft nntpd/ v/$1/ o/Windows/
match nntp m|^400 No space left on device writing SMstore file -- throttling\r\n| p/InterNetNews (INN)/ i/HDD full/
match nntp m/^200 NNTP-Server Classic Hamster (Vr\.|Version) \d[-.\w ]+ \(Build (\d[-.\w ]+)\) \(post ok\) says: Hi!\r\n/ p/Classic Hamster NNTPd/ v/$2/ i/posting ok/ o/Windows/
# Netware News Server
match nntp m|^200 ([\w.-_]+) NetWare-News-Server/([\d.]+) 'LDNUM' NNRP ready \(posting ok\)\.\r\n| p/NetWare nntpd/ v/$2/ h/$1/
match nntp m|^200 Leafnode NNTP daemon, version ([\w.]+) at ([\w-_.]+) \r\n| p/Leafnode nntpd/ v/$1/ h/$2/
match nntp m|^20\d ([\w.-_]+) NNTPCache server V([\d.]+) \[see www\.nntpcache\.org\]| p/NNTPCache/ v/$2/ h/$1/
match nntp m|^502 access denied <[\w-_.]+@[\w-_.]+>, you do not have connect permissions in the nntpcache\.access file\.\r\n| p/NNTPCache/ i/Access denied/

softmatch nntp m|^200 [-\[\]\(\)!,/+:<>@.\w ]*nntp[-\[\]\(\)!,/+:<>@.\w ]*\r\n$|

# Windows 2000 Server Windows Media Unicast Service (NsUnicast) - Nsum.exe
match nsunicast m|^4\0\0\0V4\x12\0\0\0\0\0\0\0\0\x004\0\0\0\x04\0\xf0\0\xd3\x07\t\0.\0.\0.\0.\0.\0..\0\0\0\0.\0\0\0.\0\0\0\x02\0|s p/Microsoft Windows Media Unicast Service/ i/nsum.exe/ o/Windows/
match nsunicast m|^[4f]\0\0\0V4\x12\0\0\0\0\0\0\0\0\x00[4f]\0\0\0.\0\xf0\0\xd3\x07\t\0.\0.\0.\0.\0.\0..\0\0\0\0.\0\0\0..\0\0.\0|s p/Microsoft Windows Media Unicast Service/ i/nsum.exe/ o/Windows/

match pcanywheredata m/^\0X\x08\0\}\x08\r\n\0\.\x08.*\.\.\.\r\n/s p/PCAnywhere/ o/Windows/

match pbmasterd m|^pbmasterd(\d[-.\w]+)@[-.+\w]+: | p/Symark Power Broker pbmasterd/ v/$1/ i/privilege separation software/
match pblocald m|^pblocald(\d[-.\w]+)@[-.+\w]+: | p/Symark Power Broker pblocald/ v/$1/ i/privilege separation software/
match pksd m|^usage: [/\w]*/etc/pksd\.conf conf_file\n$| p/PGP Public Key Server/ i/broken/

# UW POP2 server on Linux 2.4.18
match pop2 m|^\+ POP2 [-\[\].\w]+ v(20[-.\w]+) server ready\r\n$| p/UW POP2 server/ v/$1/

# Novell Groupwise 6.0.1
match pop3 m|^\+OK GroupWise POP3 server ready\r\n$| p/Novell GroupWise pop3d/ o/Unix/
match pop3 m|^\+OK Ready when you are <200\d+\.| p/Hotmail Popper hotmail to pop3 gateway/
match pop3 m|^\+OK Internet Rex POP3 server ready <| p/Internet Rex Pop3 server/
match pop3 m|^\+OK DBMAIL pop3 server ready to rock <| p/DBMail pop3d/
match pop3 m|^\+OK POP3 POPFile \(v(\d[-.\w]+)\) server ready\r\n| p/popfile pop3d/ v/$1/
# Dots in Revision to prevent MY CVS from screwing it up
match pop3 m|^\+OK ([-.+\w]+) NetMail POP3 Agent \$Re..sion: ([\d.]+) \$\r\n| p/Novell NetMail pop3d/ h/$1/ v/$2/ o/Unix/
match pop3 m|^\+OK ([-.+\w]+) Merak (\d[-.\w]+) POP3 | p/Merak mail server pop3d/ h/$1/ v/$2/
# Mercury/32 3.32 pop3 Server module on Windows XP
match pop3 m|^\+OK <\d{6,10}\.\d{4,6}@([-.+\w]+)>, POP3 server ready\.\r\n| p|Mercury/32 pop3d| o|Windows| h|$1|
# gnu/mailutils pop3d 0.3.2 on Linux
match pop3 m|^\+OK POP3 Ready <\d{3,6}\.1[012]\d{8}@([-.\w]+)>\r\n| p|GNU mailutils pop3d| h|$1|
# Solid POP3 Server 0.15 on Linux 2.4
match pop3 m|^\+OK Solid POP3 server ready\r\n| p/Solid pop3d/
match pop3 m|^\+OK Solid POP3 server ready <\d{3,6}\.1[012]\d{8}@([-.\w]+)>\r\n| p/Solid pop3d/ h/$1/
# Cyrus POP3 v2.0.16
match pop3 m|^\+OK ([-.\w]+) Cyrus POP3 v(\d[-.\w\+]+) server ready ?\r\n| p/Cyrus POP3/ h/$1/ v/$2/
match pop3 m|^\+OK ([-.\w]+) Cyrus POP3 Murder v(\d[-.\w\+]+) server ready ?\r\n| p/Cyrus POP3 Murder/ h/$1/ v/$2/
#  pop3d (GNU Mailutils 0.3) on Linux 2.4
match pop3 m|^\+OK POP3 Ready <\d{3,6}\.1[012]\d{8}@(\w+)>\r\n| p/GNU Mailutils pop3d/ h/$1/
# Solid POP3 Server 0.15_1 on FreeBSD
match pop3 m|^\+OK ([\w\d-_]+\.[\w\d-_.]+) POP3 <\d{3,6}\.1[012]\d{8}@[-.\w]+>\r\n| p/Solid pop3d/ h/$1/
#  pop3d (GNU Mailutils 0.3) on Linux 2.4
match pop3 m|^\+OK POP3 Ready <\d{3,6}\.1[012]\d{8}@\w+>\r\n| p/GNU Mailutils pop3d/
# dovecot 0.99.10 on Linux 2.4
match pop3 m|^\+OK [Dd]ovecot ready\.\r\n| p/Dovecot pop3d/
# teapop 0.3.5 on Linux 2.4
match pop3 m|^\+OK Teapop \[v?(\d[-.\w ]+)\] - Teaspoon stirs around again .*\r\n| p/Teapop pop3d/ v/$1/
# Qpopper v4.0.5 on Linux 2.4.19
match pop3 m|^\+OK ready  \r\n$| p/Qpopper pop3d/
# Jana Server 1.45 on WIn98
match pop3 m|^\+OK POP3 server ready <Jana-Server>\r\n| p/Jana POP3 server/ o/Windows/
match pop3 m|^\+OK AppleMailServer (\d[-.\w]+) POP3 server at ([-.\w]+) ready <\d| p/AppleMailServer pop3d/ h/$1/ v/$2/
match pop3 m|\+OK <10\d+\.\d+@([-.\w]+)> \[XMail (\d[-.\w]+) \(([-./\w]+)\) POP3 Server\] service ready; | p/XMail pop3 server/ h/$1/ v/$2/ o/$3/
# Mail-Enable pop3 server 1.704
match pop3 m|^\+OK Welcome to MailEnable POP3 Server| p/MailEnable POP3 Server/
match pop3 m|^\+OK ([-.\w]+) running Eudora Internet Mail Server (\d[-.\w]+) <.*>\r\n| p/Eudora Internet Mail Server pop3d/ h/$1/ v/$2/
# Qpopper 4.0.3 on Linux
# QPopper 4.0.4 FreeBSD
match pop3 m|^\+OK ready  <\d{1,5}\.10\d{8}@([-.\w]+)>\r\n| p/Qualcomm Qpopper pop3d/ h/$1/
match pop3 m|^\+OK POP3 Welcome to GNU POP3 Server Version (\d[-.\w]+) <.*>\r\n| p/GNU POP3 Server/ v/$1/
match pop3 m|^\+OK eXtremail V(\d[-.\w]+) release (\d+) POP3 server ready <[\d.]+@([\w-_.]+)>\r\n| p/eXtremail pop3d/ v/$1 rel$2/ h/$3/
match pop3 m|^\+OK eXtremail V(\d[-.\w]+) release (\d+) rev(\d+) POP3 server ready <[\d.]+@([\w-_.]+)>\r\n| p/eXtrememail pop3d/ v/$1 rel$2 rev$3/ h/$4/
match pop3 m|^\+OK POP3 Welcome to vm-pop3d (\d[-.\w]+) <.*>\r\n| p/vm-pop3d/ v/$1/ i/derived from gnu-pop3d/
# tpop3d v1.4.2 on Linux - http://www.ex-parrot.com/~chris/tpop3d/
match pop3 m|^\+OK <[\da-f]{32}@([-.\w]+)>\r\n| p/tpop3d/ h/$1/
match pop3 m|^\+OK UCB based pop server \(version (\d[-.\w]+) at sionisten\) starting\.\r\n| p/Heimdal kerberized pop3/ v/$1/ i/UCB-pop3 derived/
# VPOP3 (Virtual POP3 server) 2.0.0d on Windows 2000
match pop3 m|^\+OK VPOP3 Server Ready <.*>\r\n| p/PSCS VPop3/
match pop3 m|^\+OK Lotus Notes POP3 server version ([-.\w]+) ready .* on ([^/]+)/([^\.]+)\.\r\n| p/Lotus Domino POP3 server/ v/$1/ i/CN=$2;Org=$3/
match pop3 m|^\+OK Lotus Notes POP3 server version ([-.\w]+) ready on | p/Lotus Domino POP3 server/ v/$1/
match pop3 m|^\+OK POP3 hotwayd v(\d[-.\w]+) -> The POP3-HTTPMail Gateway\.| p/hotwayd pop3d/ v/$1/
match pop3 m|^\+OK ([-.\w]+) POP3 service \(Netscape Messaging Server (\d[^(]+) \(built ([\w ]+)\)\)\r\n| p/Netscape Messenging Server pop3/ h/$1/ v/$2/ i/built on $3/
match pop3 m/^\+OK ([-.\w]+) Cyrus POP3 v(\d[-.\w]+) server ready </ p/Cyrus pop3d/ h/$1/ v/$2/
match pop3 m|^\+OK ([-.\w]+) Cyrus POP3 v(\d[-.\w]+)-Red Hat [\d-.]+ server ready <| h/$1/ v/$2/ i/Red Hat/ o/Linux/
match pop3 m/^\+OK X1 NT-POP3 Server ([-\w.]+) \(IMail ([^)]+)\)\r\n/ p/IMail pop3d/ h/$1/ v/$2/
match pop3 m/^\+OK POP3 \[cppop (\d[^]]+)\] at \[/ p/cppop pop3d/ v/$1/
match pop3 m|^\+OK POP3 ([\w-_.]+) \[cppop (\d[^]]+)\] at \[| p/cppop pop3d/ v/$2/ h/$1/

# MS Exchange
match pop3 m|^\+OK Microsoft Exchange Server 2003 POP3 server version ([\d.]+) \(([\w-_.]+)\) ready\.\r\n| p/MS Exchange 2003 pop3d/ v/$1/ h/$2/ o/Windows/
match pop3 m/^\+OK Microsoft Exchange 2000 POP3 server version (\S+).* ready\.\r\n/ p/MS Exchange 2000 pop3d/ v/$1/ o/Windows/
match pop3 m/^\+OK Microsoft Exchange POP3 server version (\S+) ready\r\n/ p/MS Exchange pop3d/ v/$1/ o/Windows/
match pop3 m|^\+OK Microsoft Exchange POP3 server version ([\d.]+) ready  <[\d.]+@([\w-_.]+)>\r\n| p/MS Exchange pop3d/ v/$1/ h/$2/ o/Windows/
match pop3 m/^\+OK Der Microsoft Exchange POP3-Server \(Version ([\d\.]+)\) ist betriebsbereit\.\r\n/ p/MS Exchange pop3d/ v/$1/ i/German/ o/Windows/
match pop3 m|^\+OK Der Microsoft Exchange Server 2003 POP3-Server, Version ([\d.]+) \(([\w-_.]+)\), steht zur Verf\xfcgung\.\r\n| p/MS Exchange 2003 pop3d/ v/$1/ h/$2/ i/German/
match pop3 m/\+OK Microsoft Exchange POP3-server versie ([\d.]+) is gereed\.\r\n/ p/MS Exchange pop3d/ v/$1/ i/Dutch/
match pop3 m|\+OK \xd1\xe5\xf0\xe2\xe5\xf0 Microsoft Exchange POP3 \xe2\xe5\xf0\xf1\xe8\xe8 ([\d.]+)  \xe3\xee\xf2\xee\xe2\r\n| p/MS Exchange pop3d/ v/$1/ i/Unknown language/
match pop3 m|\+OK Microsoft Exchange POP3 kiszolg\xe1l\xf3 verzi\xf3 ([\d.]+) k\xe9sz\r\n| p/MS Exchange pop3d/ v/$1/ i/Hungarian/

match pop3 m/^\+OK QPOP \(version ([^)]+)\) at .*starting\./ p/Qpop pop3d/ v/$1/
match pop3 m/^\+OK QPOP Modified by Compaq \(version ([^)]+)\) at .*starting\./ p/QPop pop3d/ v/$1/
match pop3 m/^\+OK Qpopper .*\(version ([^)]+)\) at .*starting\./ p/Qpopper pop3d/ v/$1/
match pop3 m/^\+OK ([-.\w]+) POP3 server \(Netscape Mail Server v(\d[-.\w])\) ready/ p/Netscape Mail Server pop3d/ h/$1/ v/$2/
match pop3 m/^\+OK Cubic Circle's v(\d[-.\w]+) .* POP3 ready/ p/Cubic Circle Cucipop pop3d/ v/$1/
match pop3 m/^\+OK ArGoSoft Mail Server Freeware, Version \S+ \(([^)]+)\)\r\n$/ p/ArGoSoft freeware pop3d/ v/$1/
match pop3 m|^\+OK ArGoSoft Mail Server, Version [-.\w]+ \(([-.\w]+)\)\r\n$| p/ArGoSoft Mail Server pop3d/ v/$1/
match pop3 m|^\+OK ArGoSoft Mail Server Pro for WinNT/2000/XP, Version [-.\w]+ \(([-.\w]+)\)\r\n$| p/ArGoSoft Mail Server Pro pop3d/ v/$1/ o/Windows/
match pop3 m|^\+OK ([\w-.]+) ArGoSoft Mail Server Pro for WinNT/2000/XP, Version [\d.]+ \(([\d.]+)\)\r\n| p/ArGoSoft Pro/ v/$2/ h/$1/ o/Windows/
match pop3 m/^\+OK ([-.\w]+) Execmail POP3 \((\d[^)]+)\)/ p/Execmail pop3d/ h/$1/ v/$2/
match pop3 m/^\+OK MailSite POP3 Server (\S+) Ready </ p/MailSite pop3d/ v/$1/
match pop3 m/^\+OK ([-.\w]+) POP MDaemon (\S+) ready <MDAEMON/ p/MDaemon pop3d/ h/$1/ v/$2/
# qmail-pop3d 1.03-1
match pop3 m/^\+OK <\d{1,5}\.10\d{8}@[-.\w]+>\r\n$/ p/qmail-pop3d/ o/Unix/
# Courier Pop3 courier-pop3d-0.42.0-1.7.3
match pop3 m|^\+OK Hello there\.\r\n$| p/Courier pop3d/
match pop3 m/^\+OK ([-.\w]+) VisNetic.MailServer.v([-.\w]+) POP3 / p/VisNetic MailServer pop3d/ h/$1/ v/$2/
match pop3 m/^\+OK ([-.\w]+) POP3 server \(Post\.Office v([-.\w]+) release ([-.\w]+) with ZPOP version ([-.\w]+)\) ready / p|Post.Office pop3d| h|$1| v|$2 release $3| i|w/ZPOP $4|
match pop3 m/^\+OK CommuniGate Pro POP3 Server ([-.\w]+) ready/ p/CommuniGate Pro/ v/$1/
match pop3 m|^\+OK CommuniGate Pro POP3 Server ready <[\d.]+@([\w-_.]+)>\r\n| p/CommuniGate Pro/ h/$1/
match pop3 m/^\+OK\r\n$/ p/Openwall popa3d/
match pop3 m|^\+OK ([-.\w]+) MultiNet POP3 Server Process V(\S+) at| p/DEC OpenVMS MultiNet pop3d/ h/$1/ v/$2/
match pop3 m|^\+OK <.*>, MercuryP/NLM v(\d[-.\w]+) ready.\r\n$| p/Mercury POP3 server/ v/$1/ o/Netware/
match pop3 m|^\+OK Microsoft Windows POP3 Service Version 1.0 <| p/Microsoft Windows 2003 POP3 Service/ v/1.0/ o/Windows 2000/
match pop3 m|^\+OK POP3 ([-.\w]+) v?(200\d\.[-.\w]+) server ready\r\n| p/UW Imap pop3d/ h/$1/ v/$2/
match pop3 m|^\+OK POP3 v([\d.]+) server ready <[\w.]+@([\w-_.]+)>\r\n| p/UW Imap pop3d/ v/$1/ h/$2/
match pop3 m|^\+OK POP3 \[([\w-_.]+)\] v([\d.]+) server ready\r\n| p/UW Imap pop3d/ h/$1/ v/$2/
match pop3 m|^\+OK POP3 server ready <\w{11}>\r\n$| p/WebSTAR pop-3 server/
match pop3 m|^\+OK Kerio MailServer (\d[-.\w]+) POP3 server ready <([-.\w@:]+)>\r\n$| p/Kerio MailServer POP3 Server/ v/$1/ i/$2/
match pop3 m/^\+OK POP3-Server Classic Hamster (Vr\.|Version) [\d.]+ \(Build ([\d.]+)\) greets you! <.*>\r\n/ p/Classic Hamster pop3d/ v/$2/ o/Windows/
match pop3 m|^\+OK Stalker POP3 Server ([\w.]+) at ([\w-_.]+) ready <.*>\r\n| p/Stalker pop3d/ v/$1/ h/$2/ o/Mac OS/
match pop3 m|^\+OK ([\w-_.]+) POP3 service \(iPlanet Messaging Server ([\w-_.\s]+) \(built .*\)\)\r\n| p/iPlanet pop3d/ v/$2/ h/$2/
match pop3 m|^\+OK Messaging Multiplexor \(iPlanet Messaging Server ([\w-_.\s]+) \(built .*\)\)\r\n| p/iPlanet messaging multiplexor/ v/$1/
match pop3 m|^\+OK WinGate Engine POP3 Gateway ready\r\n| p/WinGate pop3d/ o/Windows/
match pop3 m|^\+OK ([\w-_.]+) Oracle Email Server espop3\t([\d.]+) \t  is ready\r\n| p/Oracle pop3d/ v/$2/ h/$1/
match pop3 m|^\+OK InterMail POP3 server ready\.\r\n| p/InterMail pop3d/
match pop3 m|^\+OK WinRoute Pro ([\d.]+) POP3 server ready <[\w-_.]+@unspecified.host>\r\n| p/WinRoute Pro pop3/ v/$1/
match pop3 m|^\+OK WinRoute Pro ([\d.]+) POP3 server ready <[\w-_.]+@([\w-_.]+)>\r\n| p/WinRoute Pro pop3/ v/$1/ h/$2/
match pop3 m|^\+OK ([\w-_.]+) POP3 server \(Netscape Messaging Server - Version ([\d.]+)\) ready .*\r\n| p/Netscape Messaginging Server pop3d/ v/$2/ h/$1/
match pop3 m|^\+OK [\w-_.]+ PopMax version ([\d. ]+) POP3 Mail Server Ready, Willing, and Waiting\r\n| p/MailMax PopMax pop3d/ v/$1/ o/Windows/
match pop3 m|^\+OK POP3 Welcome to GNU POP3 ([\d-.]+) <[\d.]+@([\w-_.]+)>\r\n| p/GNU POP3/ v/$1/ h/$2/
match pop3 m|^\+OK popserver ([\d.]+) pop3 server ready\r\n| p/LiberoPops pop3d/ v/$1/
match pop3 m|^\+OK ([\w-_.]+) POP3 server \(JAMES POP3 Server ([\d.]+)\) ready \r\n| p/JAMES pop3d/ v/$2/ h/$1/
match pop3 m|^\+OK ([\w-_.]+) NetMail POP3 Agent \$R...sion:   ([\d.]+)  \$\r\n| p/NetMail pop3d/ v/$2/ h/$1/
match pop3 m|^\+OK POP3 server ready \(Worldmail ([\d.]+)\) <[\w.]+@([\w-_.]+)>\r\n| p/Eudora Worldmail pop3d/ v/$1/ h/$2/ o/Windows/
match pop3 m|^\+OK ([\w-_.]+) POP MDaemon ([\d.]+) listo <MDAEMON-[\w.]+@[\w-_.]+>\r\n| p/MDaemon pop3d/ v/$2/ h/$1/ o/Windows/
match pop3 m|^\+OK ([\w-_.]+) POP3 WorkgroupMail ([\d.]+) .*\r\n| p/WorkgroupMail pop3d/ v/$2/ h/$1/ o/Windows/
match pop3 m|^\+OK POP3 server ready \(LSMTP v([\w.]+)\) <[\w.]+@([\w-_.]+)>\r\n| p/LSMTP pop3d/ v/$1/ h/$2/
match pop3 m|^\+OK ([\w-_.]+) Mirapoint POP3 ([\d.]+) server ready\r\n| p/Mirapoint RazorGate pop3d/ v/$2/ h/$1/ d/security-misc/
match pop3 m|^\+OK K9 - ([\d.]+) - http://keir\.net ready <[\w.]+>\r\n| p/K9 pop3d from keir.net/ v/$1/ o/Windows/
match pop3 m|^\+OK MERCUR POP3-Server \(v([\d.]+) \w+\) for Windows NT ready <[\d.]+@([\w-_.]+)>\r\n| p/MERCUR pop3d/ v/$1/ i/Windows NT/ o/Windows/
match pop3 m|^\+OK POP3 server ready QuickMail Pro Server for MacOS ([\d.]+) <[\w.]+@([\w-_.]+)>\r\n| p/QuickMail Pro pop3d/ v/$1/ h/$2/ o/Mac OS/
match pop3 m|^\+OK ready\r\n| p/602LAN Suite pop3/ o/Windows/
match pop3 m|^\+OK DvISE Mail Access Server Server ready \(Tobit Software, Germany\)\r\n| p/DvISE pop3d/
match pop3 m|^\+OK POP3 ([\w-_.]+) \(Version ([\w-.]+)\) http://surgemail\.com\r\n| p/SurgeMail pop3d/ v/$2/ h/$1/
match pop3 m|^\+OK ([\w-_.]+) running Eudora Internet Mail Server X ([\d.]+) <| p/Eudora Internet Mail Server X/ v/$2/ h/$1/ o/Mac OS X/
match pop3 m|^\+OK <[\d.]+@([\w-_.]+)> \[XMail ([\d.]+) POP3 Server\] service ready; | p/XMail pop3d/ v/$2/ h/$1/
match pop3 m|^\+OK <[\d.]+@([\w-_.]+)> \[XMail ([\d.]+) \(Linux/Ix86\) POP3 Server\] service ready; | p/XMail pop3d/ v/$2/ h/$1/ o/Linux/
match pop3 m|^\+OK Samsung Contact POP3 interface ready on: ([\w-_.]+)\r\n| p/Samsung Contact pop3d/ h/$1/
match pop3 m|^\+OK ([\w-_.]+) POP3 service \(Sun Java\(tm\) System Messaging Server ([\d.]+) \(built .*\) <| p/Sun Java System Messaging Server pop3d/ v/$2/ h/$1/
match pop3 m|^\+OK POP3 Greetings from minipop ([\d.]+) <[\d.]+@([\w-_.]+)>\r\n| p/minipop pop3d/ v/$1/ h/$2/
match pop3 m|^\+OK Hermes ([\w. ]+) POP3 Ready\. <[\d.]+@([\w-_.]+)>\r\n| p/Hermes pop3d/ v/$1/ h/$2/ o/Windows/
match pop3 m|^\+OK ModusMail POP3 Server ([\d.]+) Ready <[\d.]+@([\w-_.]+)>\r\n| p/ModusMail pop3d/ v/$1/ h/$2/
match pop3 m|^\+OK ([\w-_.]+) POP3 server \(DeskNow POP3 Server ([\d.]+)\) ready \r\n| p/DeskNow pop3d/ v/$2/ h/$1/
match pop3 m|^\+OK POP3 SINA \(([\d-.]+)\) Server Ready\r\n| p/SINA pop3d/ v/$1/
match pop3 m|^\+OK ([\w-_.]+) SpearMail POP3 server ready\r\n| p/Spearmail pop3d/ h/$1/ o/Windows/
match pop3 m|^\+OK \]-:\^:-\[ \]-:\^:-\[ POP3| p/Merak Mail Server pop3d/ o/Windows/
match pop3 m|^\+OK SCO POP3 server \(version ([\w-.]+)\) at ([\w-_.]+) starting\.\r\n| p/SCO pop3d/ v/$1/ h/$2/ o/SCO UNIX/
match pop3 m|^\+OK POP3 on WebEasyMail \[([\d.]+)\] ready\.  http://www\.51webmail\.com\r\n| p/WebEasyMail pop3d/ v/$1/
match pop3 m|^\+OK \(POP3\) hMailServer ([\w-.]+)\r\n| p/hMailServer pop3d/ v/$1/ o/Windows/
match pop3 m|^\+OK Hi\r\n| p/Zoe Java pop3d/

# These are fairly general
match pop3 m|^\+OK POP3 Server ready\r\n$| p/zpop3d/
match pop3 m|^\+OK POP3 server ([\w-_.]+) ready <[\d.]+@[\w-_.]+>\r\n| p/BVRP Software SLMAIL pop3d/ h/$1/
match pop3 m|^\+OK ([\w-_.]+) POP3 Server \(Version ([\w.]+)\) ready at <.*>\r\n| p/BSD-based in.pop3d/ v/$2/ h/$1/
match pop3 m|^\+OK popd-([\d.]+) ready \r\n| p/FreeBSD popd/ v/$1/
match pop3 m|^\+OK POP3 server at ([\w-_.]+) ready <[\d.]+@| p/FirstClass pop3d/ h/$1/
match pop3 m|^\+OK POP3 Server OK <[\d.]+@([\w-_.]+)>\r\n| p/Communigate Pro pop3d/ h/$1/
match pop3 m|^-ERR Permission denied - closing connection\.\r\n$| p/Classic Hamster pop3d/ i/Permission denied/ o/Windows/
match pop3 m|^\+OK ([\w-_.]+) <[\d.]+@[\w-_.]+>\r\n| p/IA MailServer pop3d/ h/$1/ o/Windows/
match pop3 m|^\+OK <[\d.]+@([\w-_.]+)>\r\n| p/qmail pop3d/ h/$1/
match pop3 m|^\+OK POP3 server ready <[\d.]+@([\w-_.]+)>\r\n| p/MailMax pop3/ h/$1/ o/Windows/
match pop3 m|^\+OK ready  <[\d.]+@([\w-_.]+)>\r\n| p/qpopper/ h/$1/

match pop3-proxy m|^\+OK POP3 AnalogX Proxy (\d[-.\w]+) \(Release\) ready\.\n$| p/AnalogX POP3 proxy/ v/$1/
match pop3-proxy m/^\+OK CCProxy (\S+) POP3 Service Ready\r\n/ p/CCProxy pop3d/ v/$1/
match pop3-proxy m/^Proxy\+ POP3 server\. Insecure access - terminating\.\r\n/ p/Proxy+ pop3d/
match pop3-proxy m|^\+OK TrendMicro IMSS (\d[-.\w ]+) POP3 Proxy at ([-.\w]+)\r\n| p/TrendMicro IMSS virus scanning POP3 proxy/ h/$1/ v/$2/
match pop3-proxy m|^\+OK Proxy-POP server \(DeleGate/([\d.]+) by ysato AT delegate DOT org\) at ([\w-_.]+) starting\.\r\n| p/DeleGate pop3 proxy/ v/$1/ h/$2/
match pop3-proxy m|^\+OK Jana-Server POP3 ready <[\w.]+@([\w-_.]+)>\r\n| p/Jana-Server pop3 proxy/ h/$1/ o/Windows/
match pop3-proxy m|^\+OK POP3 Y(ahoo)?POPs! proxy ready\r\n| p/YahooPOPs! pop3 proxy/
match pop3-proxy m|^\+OK POP3 \(Spampal\) server ready \(USER command must include mailserver name\)\r\n| p/Spampal pop3 proxy/ o/Windows/
match pop3-proxy m|^\+OK Mirapoint POP3PROXY ([\w-.]+) server ready\r\n| p/Mirapoint pop3 proxy/ v/$1/
match pop3-proxy m|^\+OK AVG POP3 Proxy Server Beta - ([\d/.]+) \[[\d.]+\]\r\n| p/AVG pop3 proxy/ v/$1 Beta/ o/Windows/
match pop3-proxy m|^\+OK AVG POP3 Proxy Server ([\d/.]+) \[[\d.]+\]\r\n| p/AVG pop3 proxy/ v/$1/ o/Windows/
match pop3-proxy m|^\+OK FreePOPs/([\d.]+) pop3 server ready\r\n| p/FreePOPs pop3 proxy/ v/$1/
match pop3-proxy m|^\+OK POP3 Spam Inspector Spam Filter Gateway Version ([\d.]+) Ready\.\r\n| p/Spam Inspector pop3 proxy/ v/$1/ o/Windows/
match pop3-proxy m|^\+OK MailMarshal\(([\d.]+)\) POP3 server ready <[\d.]+@([\w-_.]+)>\r\n| p/MailMarshal pop3d/ v/$1/ h/$2/
match pop3-proxy m|^\+OK HTML2POP3 server ready \(([\d.]+)\)\r\n| p/HTML2POP3 pop3 proxy/ v/$1/
match pop3-proxy m|^\+OK ([\w-_.]+) POP3 proxy ready\r\n| p/pop3gwd pop3 proxy/ h/$1/

softmatch pop3 m|^\+OK [-\[\]\(\)!,/+:<>@.\w ]+\r\n$|

# http://echelon.pl/pubs/poppassd.html
# you give it username, present password and new password, and
# it changes the password of the user.
# poppassd 1.8.1
match pop3pw m|^200 ([-.\w]+ )?poppassd v(\d[-.\w]+) hello, who are you\?\r\n| p|Poppassd| v|$2| i|http://echelon.pl/pubs/poppassd.html|
match pop3pw m|^200 poppassd hello, who are you\?\r\n| p/poppassd/
match pop3pw m|^200 poppassd v([\w.]+) for Digital Unix with C2 security Hello, who are you\?\r\n| p/poppassd/ i/Digital Unix with C2 security/ v/$1/ o/DIGITAL UNIX/
match pop3pw m|^200 courierpassd v(\d[-.\w]+) hello, who are you\?\r\n| p/Courierpassd pop3 password change daemon/
match pop3pw m|^200 ([-.+\w]+) MercuryW PopPass server ready\.\r\n| p|Mercury/32 poppass service| o|Windows| h|$1|
match pop3pw m|^200 X1 NT-PWD Server ([-.+\w]+) \(IMail (\d[-.\w]+)\)\r\n| p/IPSwitch Imail pop3 password change daemon/ h/$1/ v/$2/ o/Windows/
match pop3pw m|^200 CommuniGate Pro PWD Server (\d[-.\w]+) ready <| p/CommuniGate Pro pop3 password change daemon/ v/$1/
match pop3pw m|^\+OK ApplePasswordServer (\d[-.\w]+) password server at | p/ApplePasswordServer pop3 password change daemon/ v/$1/
match pop3pw m|^200 Stalker Internet Password Server ready\. V\.([\w.]+)\r\n| p/Stalker Mail Server password change daemon/ v/$1/ o/Mac OS/
match pop3pw m|^550 Login failed - already \d+/\d+ users connected sorry \(use G_CON_PERIP_EXCEPT to bypass\) \(IP=[\d.]+\)\r\n| p/Qualcomm poppassd/ i/Maximum users connected/
match pop3pw m|^200 hello and welcome to SchoolsNET SINA poppassd \[([\d-.]+)\]\r\n| p/SINA pop3pw/ v/$1/

match pmud m|^pmud (\d[-.\w]+) \d+\n| p|pmud| i|http://sf.net/projects/apmud|
match printer m|^lpd \[@([-.\w]+)\]: Print-services are not available to your host \([-.\w]+\)\.\n| p/BSD lpd/ i/Unauthorized host/ h/$1/
# BSD lpr/lpd line printer spooling system (lpr v1:2000.05.07) on Linux 2.6.0-test5
match printer m|([-.\w]+): lpd: Your host does not have line printer access\n| p|BSD/Linux lpd| h|$1| i|access denied|
# Linux 2.4.18 lpr 2000.05.07-4.2
match printer m|^lpd: Host name for your address \(\d+\.\d+\.\d+\.\d+\) unknown\n$| p/Linux lpd/ i/client IP must resolve/ o/Linux/
match printer m|^([/\w]+/)?lpd: (.*)\n| p/lpd/ i/error: $2/

# Windows QOTD service only has 12 quotes.  Found on Windows XP in
# %systemroot%\system32\drivers\etc\quotes
match qotd m/^"(My spelling is Wobbly\.|Man can climb to the highest summits,|In Heaven an angel is nobody in particular\.|Assassination is the extreme form of censorship\.|When a stupid man is doing|We have no more right to consume happiness without|We want a few mad people now.|The secret of being miserable is to have leisure to|Here's the rule for bargains:|Oh the nerves, the nerves; the mysteries of this machine called man|A wonderful fact to reflect upon,|It was as true as taxes is\.)/ p/Windows qotd/ o/Windows/
match qotd m/^"(Mi ortograf\xeda tiembla\. Es bueno revisarla,|un hombre puede escalar a las m\xe1s altas cumbre|Algo maravilloso a poner de manifiesto:|Cuando un necio hace algo de lo que se aveg\xfcenza,|En el cielo, un \xe1ngel no es nadie en concreto|Traigamos unos cuantos locos ahora\.|Era tan verdad como los impuestos\. Y no|Hay libros cortos que, para entenderlos como se merecen,|La prosperidad hace amistades, y la adversidad las|El uso principal de un PC es confirmar la ley de|Quedarse en lo conocido por miedo a lo desconocido,|Cuando las leyes son injustas, no obligan en el fuero|Magia equivale a cualquier avance en la ciencia\.|Vale mejor consumir vanidades de la vida,)/ p/Windows qotd/ i/Spanish/ o/Windows/
# Some Italian qotds start with a space instead of a "
match qotd m/^.(Voce dal sen fuggita|Semel in anno licet insanire|Cosa bella e mortal passa e non dura|Quando uno stupido compie qualcosa di cui si vergogna,|Se tu pagare come dici tu,|Fatti non foste a viver come bruti,|Sperare senza far niente e` come)/ p/Windows qotd/ i/Italian/ o/Windows/
match qotd m/^"(Prazos longos sao f\xa0ceis de subscrever\.|Deus, para a felicidade do homem, inventou a f\x82 e o amor\.|Ao vencido, \xa2dio ou compaixao, ao vencedor, as batatas\.|Quem nao sabe que ao p\x82 de cada bandeira p\xa3blica,|Nao te irrites se te pagarem mal um benef\xa1cio; antes cair|A vida, como a antiga Tebas, tem cem portas\.)/ p/Windows qotd/ i/Portugese/ o/Windows/
# The German version doesn't start with "
match qotd m/^(Wer wirklich Autorit\xe4t hat, wird sich nicht scheuen,|Moral ist immer die Zuflucht der Leute,|Beharrlichkeit wird zuweilen mit Eigensinn|Wer den Tag mit Lachen beginnt, hat ihn|Wenn uns keine Ausweg mehr bleibt,|Gesichter sind die Leseb\xfccher des Lebens|Grosse Ereignisse werfen mitunter ihre Schatten|Dichtung ist verpflichtet, sich nach den|Ohne Freihet geht das Leben|Liebe ist wie ein Verkehrsunfall\. Man wird angefahren)/ p/Windows qotd/ i/German/ o/Windows/
match qotd m/^"(Clovek ma tri cesty, jak moudre jednat\. Nejprve premyslenim|Co je vubec hodno toho, aby to bylo vykonano,|Fantazie je dulezitejsi nez vedeni\.|Potize narustaji, cim vice se clovek blizi|Kdo nezna pristav, do ktereho se chce plavit,|Lidske mysleni ztraci smysl,|Nikdo nevi, co muze vykonat,|Nic neprekvapi lidi vice nez zdravy rozum|Zadny cil neni tak vysoky,)/ p/Windows qotd/ o/Windows/ i/Czech/

match quagga m|^\r\nHello, this is quagga \(version (\d[-.\w]+)\)\.\r\nCopyright 1996-200| p/Quagga routing software/ v/$1/ i/Derivative of GNU Zebra/

match razor2 m|^sn=\w&srl=\d+&ep4=[-\w]+&a=\w&a=\w+\r\n$| p/Vipul's Razor2 anti-spam service/
# Remote Console via RCONJ - RCONJ is a java utility that allows one
# to remote console into a Novell server. It uses 2034 (unsecure) or
# 2036 (secure) by default but can be changed.
# The unknown token looks like it might be signifigant but I can't
# find any protocol descriptions. -Doug
match rconj m|^\0.\0\x01\0\0\0\0.*\x0b\0\0\0\0([\w-_]+)\x00437|s p/Novell rconj/ i/Unknown token: $1/ o/Unix/

match resvc m|^\{0000004c\} NODEINFO \(5\) \{38\}Version: (\d[-.\w ]+) Microsoft Routing Server ready\r\n  | p/Microsoft Exchange routing server/ v/$1/ o/Windows/

# RedHat 7.3 - rsync server version 2.5.4  protocol version 26
# Redhat Linux 7.1
# rsync 2.5.5-0.1 with custom banner on Debian Woody
match rsync m|^@RSYNCD: (\d+)| i/protocol version $1/


# Simple Asynchronous File Transfer (SAFT)
match saft m|^220 ([\w-.]+) SAFT server \(sendfiled ([\w.]+) on ([\w]+)\) ready\.\r\n| p/sendfiled/ v/$2/ h/$1/ o/$3/


match sdmsvc m|^[\xaa\xff]$| p/LANDesk Software Distribution/ i/sdmsvc.exe/ o/Windows/
# http://www.ietf.org/internet-drafts/draft-martin-managesieve-04.txt
match sieve m|^NO Fatal error: Error initializing actions\r\n$| p|Cyrus timsieved| i|included w/cyrus imap|
match sieve m|^\"IMPLEMENTATION\" \"Cyrus timsieved v(\d[-.\w]+)\"\r\n| p|Cyrus timsieved| i|included w/cyrus imap|
match sftp m|^\+Shiva SFTP Service\0$| p/Shiva LanRover SFTP service/
# HP-UX B.11.00 A 9000/785
match shell m|^\x01remshd: getservbyname\n$| p/HP-UX Remshd/ o/HP-UX/

# good SMTP banner regexps can be found here:
# http://www.tty1.net/smtp-survey/measurement_en.html
match smtp m|^220 ([-/.+\w]+) SMTP AnalogX Proxy (\d[-.\w]+) \(Release\) ready\r\n| p/AnalogX SMTP proxy/ h/$1/ v/$2/  
match smtp m|^220 ([-/.+\w]+) MailGate ready for ESMTP on | p/MailGate smtpd/ h/$1/ o/Windows/
match smtp m|^220 ([-/.+\w]+) SMTP ready to roll\r\n| p/Hotmail Popper hotmail to smtp gateway/ h/$1/
match smtp m|^220 ([-/.+\w]+) AvMailGate-(\d[-.\w]+)\r\n| p/AvMailGate smtp anti-virus mail gateway/ h/$1/ v/$2/
match smtp m|^220 ([-/.+\w]+) Internet Rex ESMTP daemon at your service\.\r\n| p/Internet Rex smtpd/ h/$1/
match smtp m|^220 ([-.+\w]+) ESMTP NetIQ MailMarshal \(v(\d[-.\w]+)\) Ready\r\n| p/MailMarshal/ h/$1/ v/$2/
# I think the revision number is different than the official product version number
# Dots in Revision to prevent MY CVS from screwing it up
match smtp m|^220 ([-.+\w]+) Novonyx SMTP ready \$Re..sion: *([\d.]+) *\$\r\n| p|Novonyx Novell NetMail smtpd| h|$1| v|$2|
match smtp m|^554-([-.+\w]+)\.us\r\n554 Access denied\r\n$| p/IronPort appliance mail rejector/ h/$1/
match smtp m|^220 eSafe@([-.+\w]+) Service ready\r\n| p/eSafe mail gateway/ h/$1/
match smtp m|^220 (\S+) ESMTP Merak (\d[^;]+);| p/Merak Mail Server smtpd/ h/$1/ v/$2/ o/Windows/
match smtp m|^220.*?MERCUR SMTP[\s-]Server \(v([^)]+)\) for ([-.\w ]+) ready at | p/LAN-ACES MERCUR smtp server/ v/$1/ o/$2/
match smtp m|^220 ([-.+\w]+) MasqMail (\d[-.\w]+) ESMTP\r\n| p/MasqMail smtpd/ h/$1/ v/$2/
# Cisco NetWorks ESMTP server IOS (tm) 5300 Software (C5300-IS-M) on Cisco 5300 Access Server
match smtp m|^220 ([-.+\w]+) Cisco NetWorks ESMTP server\r\n| p/Cisco IOS NetWorks smtp server/ h/$1/ d/terminal server/ o/IOS/
match smtp m|^220 ([-.+\w]+) Mercury/32 v(\d[-.\w]+) ESMTP server ready\.\r\n| p|Mercury/32 smtpd| h|$1| v|$2| o|Windows|
# Canon ImageRunner SMTP server (network scanner/copier/printer)
match smtp m|^220 Canon[-.\w]+ ESMTP Ready\r\n| p/Canon printer smtp server/ d/printer/
match smtp m|^220 .*?eSafe E?SMTP Service (\d\S+) ready| p/eSafe mail gateway/ v/$1/
match smtp m|^220 .*?eSafe E?SMTP Service ready| p/eSafe mail gateway/
match smtp m|^520 Connection not authorised from this address\.\r\n| p|Mercury smtpd| i|Connection not authorised|
# Exim 3.36 on Linux 2.4 blocking the given IP
match smtp m|^554 SMTP service not available\r\n$| p/Exim smtpd/ i/Serviced refused (IP block)/
# Jana Server 1.45 on Win98
match smtp m|^220 Jana-Server Simple Mail Transfer Service ready\r\n| p/Jana mail server/ o/Windows/
match smtp m|^220 <10\d+\.\d+@([-.\w]+)> \[XMail (\d[-.\w]+) \(([-./\w]+)\) ESMTP Server\] service ready; | p/XMail SMTP server/ h/$1/ v/$2/ i/on $3/
match smtp m|^220 ([-.\w]+) FirstClass ESMTP Mail Server v(\d[-.\w]+) ready\r\n| p/FirstClass SMTP server/ h/$1/ v/$2/
match smtp m|^220 ([-.\w]+) AppleMailServer (\d[-.\w]+) SMTP Server Ready\r\n| p/AppleMailServer/ h/$1/ v/$2/
match smtp m|^220 ([-.\w]+) ESMTP CommuniGate Pro (\d[-.\w]+)\r\n| p/Communigate Pro SMTP/ h/$1/ v/$2/
match smtp m|^220[- ]([-.\w]+) MailSite ESMTP Receiver Version (\d[-.\w]+) Ready\r\n| p/Rockliffe MailSite/ h/$1/ v/$2/
match smtp m|^220 ([-.\w]+) eXtremail V(\d[-.\w]+) release (\d+) ESMTP server ready \.\.\.\r\n| p/eXtremail smtpd/ h/$1/ v/$2.$3/
match smtp m|^220 Welcome to ([-.\w]+) - VisNetic MailScan ESMTP Server BUILD (\d[-.\w]+)\r\n| p/VisNetic MailScan ESMTP server/ h/$1/ v/$2/
# HP Service Desk 4.5 SMTP Server
match smtp m|^220 ([-.\w]+) service desk (\d[-.\w]+) SMTP Service Ready for input\.\r\n| p/HP Service Desk SMTP server/ h/$1/ v/$2/
# VPOP3 SMTP server 2.0.0d
match smtp m|^220 ([-.\w]+) VPOP3 SMTP Server Ready\r\n| p/PSCS VPOP3 mail server/ h/$1/
# CommuniGate Pro 4.1.3 on Mac OS X 10.2.6
match smtp m|^220 ([-.\w]+) ESMTP CommuniGate Pro (\d[-.\w]+) is glad to see you!\r\n| p/CommuniGate Pro mail server/ h/$1/ v/$2/
match smtp m|^220[ -]([-.\w]+) ESMTP MDaemon (\d[-.\w]+); | p/Alt-N MDaemon mail server/ h/$1/ v/$2/
match smtp m/^220 ([-.+\w]+) \(IMail ([^)]+)\) NT-ESMTP Server/ p/IMail NT-ESMTP/ h/$1/ v/$2/ o/Windows/
match smtp m/^220 X1 NT-ESMTP Server ([-.+\w]+) \(IMail ([^)]+)\)\r\n/ p/IMail NT-ESMTP/ h/$1/ v/$2/ o/Windows/
match smtp m/^220-([-.+\w]+) Microsoft SMTP MAIL ready at.*Version: ([-\w.]+)\r\n/ p/Microsoft SMTP/ h/$1/ v/$2/ o/Windows/
match smtp m/^220 ([-.+\w]+) Microsoft ESMTP MAIL Service, Version: ([-\w.]+) ready/ p/Microsoft ESMTP/ h/$1/ v/$2/ o/Windows/
match smtp m/^220 ([-.+\w]+) ESMTP Server \(Microsoft Exchange Internet Mail Service ([-\w.]+)\) ready/ p/Microsoft Exchange/ h/$1/ v/$2/ o/Windows/
match smtp m|^220([\s-]\S+) E?SMTP Sendmail (\d[^; ]+)| p/Sendmail/ h/$1/ v/$2/ o/Unix/
match smtp m|^220([\s-]\S+) Sendmail (SMI-\S+) ready at .*\r\n$| p/Sendmail/ h/$1/ v/$2/ o/Unix/
match smtp m/^220([- ][^\r\n]+) ESMTP Exim (V?\d\S+)/ p/Exim smtpd/ h/$1/ v/$2/
match smtp m/^220 CheckPoint FireWall-1 secure ESMTP server\r\n$/ p/Checkpoint FireWall-1 smtpd/ d/firewall/
match smtp m/^220 CheckPoint FireWall-1 secure SMTP server\r\n$/ p/Checkpoint FireWall-1 smtpd/ d/firewall/
match smtp m|^220 ([-.+\w]+) running IBM AS/400 SMTP V([\w]+)| p|IBM AS/400 smtpd| h|$1| v|$2|
match smtp m|^220 ([-.+\w]+) ESMTP MailEnable Service, Version: (\d[.\w]+)-- ready at | p/MailEnable smptd/ h/$1/ v/$2/
match smtp m/^220 ([-.+\w]+) ESMTP Mail Enable SMTP Service, Version: (\d[\w.]+)-- ready at/ p/MailEnable smptd/ h/$1/ v/$2/
match smtp m/^220 ([-.+\w]+) ESMTP CPMTA-([-.+\w]+) - NO UCE\r\n/ p/CPMTA/ h/$1/ v/$2/ i/qmail-derived/
match smtp m|^220 ([-.+\w]+) SMTP/smap Ready\.\r\n| p/Smap/ i/from firewall toolkit/ h/$1/
match smtp m|^220 ([-.+\w]+) ESMTP service \(Netscape Messaging Server ([-.+ \w]+) \(built| p/Netscape Messaging Server/ h/$1/ v/$2/
match smtp m|^220-InterScan Version (\S+) .*Ready\r\n220 ([-.+\w]+) NTMail \(v([-.+\w]+)/.* ready| p/Trend Micro InterScan/ h/$1/ v/$2/ i/on NTMail $3/ o/Windows/
match smtp m|^220 ([-.\w]+) InterScan VirusWall NT ESMTP (\d[-.\w]+) \(build (\d+)\) ready at | p/Trend Micro InterScan VirusWall SMTP/ h/$1/ v/$2 build $3/  o/Windows/
match smtp m|^220 ([-.+\w]+) GroupWise Internet Agent (\S+) .*Novell, Inc\..*Ready\r\n| p/Novell GroupWise/ h/$1/ v/$2/
match smtp m|^220 \S+ \S+ ESMTP receiver fssmtpd(\d+) ready| p/fssmtpd/ v/$1/
match smtp m/Failed to open configuration file.*exim/ p/Exim smtpd/ i/broken/
match smtp m/^220 Trend Micro ESMTP ([-.+\w]+) ready\.\r\n$/ p/Trend Micro ESMTP/ v/$1/
match smtp m|^220 Matrix SMTP Mail Server v([\w.]+) on <MATRIX_([\w]+)> Simple Mail Transfer Service Ready\r\n| p/Matrix SMTP Mail Server/ v/$1/ i/on Matrix $2/

match smtp m|^220(\S+) WebShield SMTP V(\d\S.*?) Network Associates, Inc\. Ready at| p/Network Associates WebShield/ h/$1/ v/$2/
match smtp m|^220(\S+) WebShielde(\w+)/SMTP Ready.| p/WebShielde$2 smtpd/ h/$1/
match smtp m|^220 ([-.+\w]+) ESMTP MailMasher ready to boogie\r\n| p/MailMasher smtpd/ h/$1/
# 220 example.com ESMTP Postfix (2.0.13) (Mandrake Linux)
match smtp m|^220 ([-.\w]+) ESMTP Postfix \(([-.\w]+)\) \(([-.\w ]+)\)| p/Postfix smtpd/ h/$1/ v/$2/ i/$3/
# postfix 1.1.11-0.woody2
match smtp m|^220([\s-]\S+) ESMTP Postfix| p/Postfix smtpd/ h/$1/
match smtp m|^220 [\*\d\ ]{10,300}\r\n| p|Cisco PIX sanatized smtpd| d|firewall|
match smtp m|^220 ArGoSoft Mail Server Pro for WinNT/2000/XP, Version ([-.\w]+) \(([-.\w]+)\)\r\n| p/ArGoSoft Mail Server Pro/ v/$1/ i/$2/ o/Windows/
match smtp m|^220 ([\w-.]+) ArGoSoft Mail Server Pro for WinNT/2000/XP, Version [\d.]+ \(([\d.]+)\)\r\n| p/ArGoSoft Mail Server Pro/ v/$2/ h/$1/ o/Windows/
match smtp m|^220 ([\w-.]+) ArGoSoft Mail Server, Version [\d.]+ \(([\d.]+)\)\r\n| p/ArGoSoft Mail Server/ v/$2/ h/$1/
match smtp m|^220 ([-.\w]+) ESMTP server \(Post.Office v([-.\w]+) release ([-.\w]+) ID# | p/Post.Office/ h/$1/ v/$2 release $3/
match smtp m|^220 ([-.\w]+) ESMTP VisNetic.MailServer.v([-.\w]+); | p/VisNetic MailServer/ h/$1/ v/$2/
# CommuniGate Pro 4.0.5
match smtp m|^220 ([-.\w]+) ESMTP Service. Welcome.\r\n$| p/CommuniGate Pro smtpd/ h/$1/
match smtp m|^220 ([-.\w]+) Process Software ESMTP service V([-.\w]+) ready| p/Process Software smtpd/ h/$1/ v/$2/ o/OpenVMS/
match smtp m|^220 ([-.\w]+) Mercury (\d[-.\w]+) ESMTP server ready\.\r\n$| p/Mercury Mail smtpd/ h/$1/ v/$2/
match smtp m|^220 ([-.\w]+) ESMTP Service \(Lotus Domino Release (\d[-.\w]+)\) ready at | p/Lotus Domino smtpd/ h/$1/ v/$2/
match smtp m|^220 ([-.\w]+) WebSTAR Mail Simple Mail Transfer Service Ready\r\n| p/WebSTAR SMTP server/ h/$1/
match smtp m|^220 ([-.\w]+) Lotus SMTP MTA Service Ready\r\n$| p/Lotus Notes SMTP/ h/$1/
match smtp m|^220 ([-.\w]+) SMTP NAVGW (\d[-.\w]+);| p/Norton Antivirus Gateway NAVGW/ h/$1/ v/$2/
match smtp m|^220 ([-.\w]+) Kerio MailServer (\d[-.\w]+) ESMTP ready\r\n$| p/Kerio MailServer/ h/$1/ v/$2/
match smtp m|^220 YSmtp(\S+) ESMTP service ready| p/Yahoo! smtpd/ h/$1/
match smtp m|^220(\S+) GMX Mailservices ESMTP| p/GMX smtpd/ h/$1/
match smtp m|^220(\S+) ESMTP MailMax (\d[-.\w\d]+)| p/MailMax smtpd/ h/$1/ v/$2/
match smtp m|^220(\S+) ESMTP WEB.DE V([^\s\;]+)| p/Web.de smtpd/ h/$1/ v/$2/
match smtp m|^relaylock: Error: PRODUCT_ROOT_D not defined\nrelaylock: Error: PRODUCT_ROOT_D not defined\n1\n$| p/Plesk relaylock smtp wrapper/ i/broken/
match smtp m|^220 Compuserve Office Mail Service \(lnxc-(\d+)\) ESMTP| p/Compuserve smtpd/ v/$1/
match smtp m|^220 Welcome to Nemesis ESMTP server on \S+| p/Nemesis smtpd/
match smtp m|^220 Welcome to the INDY SMTP Server\r\n$| p/INDY smtpd/
match smtp m|^220 Postini E?SMTP (\d+) [\w\d_\+-]+ ready| p/Postini smtpd/ v/$1/
match smtp m|^220 ([\w\d-]+)\.hotmail\.com Sending unsolicited commercial| p/Hotmail smtpd/ h/$1/
match smtp m|^220([-\s]\S+) \(IntraStore TurboSendmail\) E?SMTP Service ready| p/TurboSendmail smtpd/ h/$1/
match smtp m|^220([-\s]\S+) E?SMTP Mirapoint (\d[^\;]+);| p/Mirapoint smtpd/ h/$1/ v/$2/
match smtp m|^220([-\s]\S+) Trend Micro InterScan Messaging Security Suite, Version: (\d\S+) ready| p/Trend Micro InterScan smtpd/ h/$1/ v/$2/
match smtp m|^220([-\s]\S+).*?Server ESMTP \(iPlanet Messaging Server (\d[^\(\)]+)| p/Sun iPlanet smtpd/ h/$1/ v/$2/
match smtp m|^220([-\s]\S+) running Eudora Internet Mail Server X (\d\S+)| p/Eudora smtpd/ h/$1/ v/$2/
match smtp m|^220(\S+) - Maillennium E?SMTP| p/Maillennium smtpd/ h/$1/
match smtp m|^220 (\S+).*?SMTP \(Sun Internet Mail Server sims.(\d[^\)]+)\)| p/Sun sims smtpd/ h/$1/ v/$2/
match smtp m|^220(\S+) ESMTP qpsmtpd (\d\S+) ready;| p/qpsmtpd/ h/$1/ v/$2/
match smtp m|^220(\S+) ESMTP XWall v(\d\S+)| p/XWall smtpd/ h/$1/ v/$2/
match smtp m|^220(\S+) ESMTP Service \(Worldmail (\d[^\)]+)\) ready| p/Worldmail smtpd/ h/$1/ v/$2/
match smtp m|^220(\S+) eMail Sentinel (\d+) ESMTP Service ready| p/eMail Sentinel smtpd/ v/$1/
match smtp m|^220(\S+) ESMTP mxl_mta-(\d[^\;]+);| p/mxl smtpd/ h/$1/ v/$2/
match smtp m|^220(\S+) -- Server ESMTP \(SUN JES MTA 6\.x\)| p/SUN JES smtpd/ h/$1/ v/6.x/
match smtp m|^220(\S+) Service ready by DvISE PostMan \((\d+)\) ESMTP Server| p/DvISE PostMan smtpd/ h/$1/ v/$2/
match smtp m|^220(\S+) F-Secure Anti-Virus for Internet Mail ready| p/F-Secure AV SMTP Proxy/ h/$1/
match smtp m|^220(\S+) Welcome to SpamFilter for ISP SMTP Server v(\d\S+)| p/LogSat SMTP Proxy/ h/$1/ v/$2/
match smtp m|^220-TrendMicro IMSS SMTP proxy\r\n| p/TrendMicro SMTP Proxy/
match smtp m|^220(\S+) ESMTP server \(InterMail v(\S+)| p/InterMail smtpd/ h/$1/ v/$2/
match smtp m|^220(\S+) -- Server ESMTP \(Sun Java System Messaging Server (\d[^\(\)]+)| p/SUN JSMS smtpd/ h/$1/ v/$2/
match smtp m|^220 jMailer SMTP Server\r\n$| p/jMailer smtpd/
match smtp m/^220[- ][^ ]+ Smail-([^ ]+) .*ESMTP/s p/Smail-ESMTP/ v/$1/
match smtp m/^220[- ][^ ]+ Smail-([^ ]+) / p/Smail/ v/$1/
match smtp m|^220 \[([\w-_.]+)\] ESMTP amavisd-new service ready\r\n| p/amavisd smtpd/ h/$1/
match smtp m/^220 SMTP-Server Classic Hamster (Vr\.|Version) [\d.]+ \(Build ([\d.]+)\)\r\n/ p/Classic Hamster smtpd/ v/$2/ o/Windows/
match smtp m|^220-Stalker Internet Mail Server V.([\w.]+) is ready\.\r\n| p/Stalker smtpd/ v/$1/ o/Mac OS/
match smtp m|^220 ([\w-_.]+) ESMTP MailMax ([\d.]+) [A-Z][a-z][a-z].*\r\n| p/MailMax smtpd/ v/$2/ h/$1/ o/Windows/
match smtp m|^220 ([\w-_.]+) running IBM MVS SMTP CS V2R10 on .*\r\n| p/IBM MVS smtpd/ h/$1/ o/MVS/
match smtp m|^220 [\w-_]+ ESMTP ([\w-_.]+) \(Debian/GNU\)\r\n| p/Postfix smtpd/ h/$1/ o/Linux/
match smtp m|^220 ([\w-_.]+) ESMTP Oracle Email Server SMTP Inbound Server\t([\d.]+) \t  Ready\r\n| p/Oracle smtpd/ v/$2/ h/$1/



softmatch smtp m|^220[\s-].*?E?SMTP[^\r]*\r\n|

match snpp m|^220 ([-.\w]+) SNPP server \(HylaFAX \(tm\) Version ([-.\w]+)\) ready.\r\n| p/HylaFAX SNPP/ h/$1/ v/$2/
match snpp m|^220 QuickPage v(\d[-.\w]+) SNPP server ready at | p/QuickPage SNPP/ v/$1/

match sourceoffice m|^200\r\nProtocol-Version:(\d[.\d]+)\r\nMessage-ID:\d+\r\nDatabase .*\r\nContent-Length:\d+\r\n\r\n(\w:\\.*ini)\r\n\r\n| p/Sourcegear SourceOffSite/ i/Protocol $1; INI file: $2/

match ssh m|^\0\0\0\$\0\0\0\0\x01\0\0\0\x1bNo host key is configured!\n\r!\"v| p/Foundry Networks switch sshd/ i/broken: No host key configured/
match ssh m|^SSH-(\d[\d.]+)-SSF-(\d[-.\w]+)\n| p/SSF French SSH/ v/$2/ i/protocol $1/
match ssh m|^SSH-(\d[\d.]+)-lshd_(\d[-.\w]+) lsh - a free ssh\r\n\0\0| p/lshd secure shell/ v/$2/ i/protocol $1/
match ssh m/^SSH-([.\d]+)-OpenSSH[_-]([\S ]+)/ p/OpenSSH/ v/$2/ i/protocol $1/
match ssh m/^SSH-([.\d]+)-Sun_SSH_(\S+)/ p/SunSSH/ v/$2/ i/protocol $1/
match ssh m/^SSH-([.\d]+)-meow roototkt by rebel/ p/meow SSH ROOTKIT/ i/protocol $1/
match ssh m/^SSH-([.\d]+)-(\d+\.\d+\.\d+) SSH Secure Shell/ p/F-Secure SSH Secure Shell/ v/$2/ i/protocol $1/
match ssh m|^sshd: SSH Secure Shell (\d[-.\w]+) on ([-.\w]+)\nSSH-(\d[.\d]+)-| p/F-Secure SSH Secure Shell/ v/$1/ i/on $2; protocol $3/
match ssh m|^sshd: SSH Secure Shell (\d[-.\w]+) \(([^\r\n\)]+)\) on ([-.\w]+)\nSSH-(\d[.\d]+)-| p/F-Secure SSH Secure Shell/ v/$1/ i/$2; on $3; protocol $4/
match ssh m|^sshd2\[\d+\]: .*\r\nSSH-(\d[\d.]+)-(\d[-.\w]+) SSH Secure Shell \(([^\r\n\)]+)\)\r\n| p/F-Secure SSH Secure Shell/ v/$2/ i/protocol $1/
match ssh m/^SSH-([.\d]+)-(\d+\.\d+\.[-.\w]+)/ p/SSH/ v/$2/ i/protocol $1/
# Akamai hosted systems tend to run this - found on www.microsoft.com
match ssh m|^SSH-(\d[.\d]*)-AKAMAI-I\n$| p/Akamai-I SSH/ i/protocol $1/
match ssh m|^SSH-(\d[.\d]*)-Server-V\n$| p/Akamai-I SSH/ i/protocol $1/
match ssh m|^SSH-(\d[.\d]*)-Server-VI\n$| p/Akamai-I SSH/ i/protocol $1/
match ssh m|^SSH-(\d[.\d]+)-Cisco-(\d[.\d]+)\n$| p/Cisco SSH/ v/$2/ i/protocol $1/
match ssh m|^SSH-(\d[.\d]+)-SSH Protocol Compatible Server SCS (\d[-.\w]+)\n| p/NetScreen SCS sshd/ v/$2/ i/protocol $1/
match ssh m|^SSH-(\d[.\d]+)-VShell_(\d[._\d]+) VShell\r\n$| p/VanDyke VShell/ v/$SUBST(2,"_",".")/ i/protocol $1/
match ssh m/^SSH-([.\d]+)-(\d[-.\w]+) sshlib: WinSSHD (\d[-.\w]+)\r\n/ p/Bitvise WinSSHD/ v/$3/ i/protocol $1/
# Cisco VPN 3000 Concentrator
# Cisco VPN Concentrator 3005 - Cisco Systems, Inc./VPN 3000 Concentrator Version 4.0.1.B Jun 20 2003
match ssh m/^SSH-([.\d]+)-OpenSSH\n$/ p/OpenSSH/ i/protocol $1/ d/terminal server/
match ssh m/^SSH-([.\d]+)-([.\d]+) Radware\n$/ p/Radware Linkproof SSH/ v/$2/ i/protocol $1/ d/terminal server/
match ssh m|^SSH-1\.5-X\n| p/Cisco VPN Concentrator SSHd/ i/protocol 1.5/ d/terminal server/
match ssh m|^SSH-([\d.]+)-NetScreen\r\n| p/NetScreen sshd/ i/protocol $1/ d/firewall/
softmatch ssh m/^SSH-([.\d]+)-/

# Redhat Linux 7.1 - HAHAHAHAHAHA!!!! I love this service :) 
match systat m|^USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND\n| p/Linux systat/ o/Linux/

# Draytek Vigor 2600 aDSL router
match telnet m|^\xff\xfd\x18\xff\xfb\x01\n\r\n\rPassword: | p/Draytek Vigor aDSL router telnetd/  d/broadband router/
# IBM Infoprint 12 printer with JetDirect
match telnet m|^\xff\xfc\x01\r\nPlease type \[Return\] two times, to initialize telnet configuration\r\nFor HELP type \"\?\"\r\n> | p/HP JetDirect printer telnetd/ d/printer/
# HP JetDirect 300X print server
match telnet m|^\xff\xfc\x01\r\nHP JetDirect\r\n\r\nPassword:$| p/HP JetDirect printer telnetd/ d/printer/
# IBM High Performace Switch - Model 8275-416, Software version 1.1, Manufacturer IBM068
match telnet m|^\x1b\[1;1H\x1b\[2J\x1b\[8;38H\x1b\[1;1H\x1b\[2;1H\(C\) Copyright IBM Corp\. 1999\x1b\[3;1HAll Rights Reserved\.| p/IBM switch telnetd/
match telnet m|^\x1b\[H\x1b\[2JYou have connected to a FirstClass System\. Please login\.\.\.\r\nUserID: | p/FirstClass messaging system telnetd/
# Cisco Catalyst management console
# 3Com 3Com SuperStack II Switch 3300
match telnet m|^\xff\xfd\x03\xff\xfb\x03\xff\xfb\x01| i|Usually a Cisco/3com switch| d|switch|
match telnet m|^\xff\xfb\x03\xff\xfb\x01\r\nSun\(tm\) Advanced Lights Out Manager (\d[-.\w]+) \(v(\d+)\)\r\n\r\nPlease login: | p/Sun Advanced Lights Out Manager/ v/$1/ i/on Sun v$2; for remote system control/ d/remote management/
# Epson Stylus Color 900N telnet
match telnet m|^\xff\xfb\x01\xff\xfb\x01Connected to [-/.+\w]+!\r\n\r\nPassword: | p/Epson printer telnetd/ d/printer/
# This one may not technically be considered telnet protocol, but you seem to use it via telnet
match telnet m|^220 SL4NT viewer service ready\r\n250 Currently connected channels: | p/Netal SLANT viewer/
match telnet m|^\xff\xfb\x03\xff\xfb\0\xff\xfb\0\xff\xfd\0\xff.*\r\rFrontDoor (\d[-.\w]+)/|s p/FrontDoor FIDONet Mailer telnetd/ v/$1/
match telnet m|^\xff\xfb\x01\xff\xfb\x03\r\nOK\r\n$| p/Motorola Vanguard router telnetd/ d/router/
match telnet m|^\xff\xfb\x03\xff\xfd\x03\xff\xfc\x06.*\nPrecidia Technologies\r\n([-.+\w]+) Remote Configuration\r\n\nPassword\? |s p/Precidia serial2ethernet gateway telnetd/ i/model $1/
match telnet m|^\xff\xfb\x01.*\n\rWelcome to the Xylan PizzaSwitch! Version (\d[-.\w]+)\n\rlogin   : |s p/Xylan PizzaSwitch telnetd/ v/$1/ d/switch/
# Bay Networks Accelar 1100 (version 2.0.5.5) switch
match telnet m|^\xff\xfb\x01\r\n\r\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\n\r\r\* Bay Networks,Inc\..*(Accelar [-.+\w]+).*Software Release (\d[-.\w]+) |s p/Bay Networks Accelar switch telnetd/ v/$2/ i/$1/ d/switch/
match telnet m|^\xff\xfb\x01\r\n\r\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\n\r\r\* Nortel Networks,Inc\..*\n\r\r\* Passport ([-.\w]+) .*\r\* Software Release (\d[-.\w]+) |s p/Nortel Networks Passport switch telnetd/ v/$2/ i/Passport $1/ d/switch/
# NCD Thinstar 300 running NCD Software 2.31 build 6
match telnet m|^\xff\xfb\x03\xff\xfd\x03\xff\xfb\x01WinCE/WBT Command Shell Version (\d[-.\w]+)\r\nSerial Number: (\w+)  MAC Address: 0000(\w+)\r\nUUID: [-\w]+\r\nPassword: | p/NCD Thinster terminal command shell/ v/$1/ i/Serial# $2; MAC $3/ d/terminal/
# Netopia 4542 aDSL router telnetd
match telnet m|^\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03\x1b\[2J\x1b\[Hname:| p/Netopia aDSL router telnetd/ d/broadband router/

# NetportExpress PRO/100 3 port print server
match telnet m|^\xff\xfb\x01\r\nNetportExpress\(tm\) ([-/.+\w]+)\r\n.*\r\n\r\nlogin: | p/Intel NetportExpress print server telnetd/ i/Model $1/ d/print server/
# 3Com OfficeConnect 812 Router telnetd
match telnet m|^login: \xff\xfd\x03\xff\xfb\x03\xff\xfb\x01| p/3Com OfficeConnect router telnetd/ d/router/
# Nortel Networks Instant Internet 100
match telnet m|^\xff\xfb\x01\r\npassword: | p/Nortel Networks Instant Internet broadband router telnetd/ d/broadband router/
# Network Appliance ONTAP 6.3.3 telnet
match telnet m|^\xff\xfb\x01\xff\xfd\x18\xff\xfd#| p/Network Appliance Ontap telnetd/
# Netgear RP114 broadband router
match telnet m|^\xff\xfb\x03\xff\xfb\x01\r\nPassword: | p/Netgear broadband router admin telnetd/ d/broadband router/
match telnet m|\xff\xfd\x18\xff\xfb\x01\x1b\[2J\x1b\[\?7l\x1b.*HP ([-.\w]+) ProCurve Switch ([-.\w]+)\r\n\rFirmware revision ([-.\w]+)\r\n\r\r| p/HP ProCurve Switch telnetd/ i/Model: $2; Firmware: $3/
match telnet m|^Check Point FireWall-1 Client Authentication Server running on [-.\w]+\r\n\r\xff\xfb\x01\xff\xfe\x01\xff\xfb\x03User: | p/Check Point FireWall-1 Client Authenticaton Server/
# Enterasys XP-8600 running E9.0.5.0
match telnet m|^\xff\xfb\x03\xff\xfd\x01\xff\xfd\x1f\xff\xfb\x05\xff\xfd!| p/Enterasys XSR Security Router telnetd/ d/router/
# Windows 2000 telnetd
match telnet m|^\xff\xfd%\xff\xfb\x01\xff\xfd\x03\xff\xfd\x1f\xff\xfd\0\xff\xfb\0$| p/Microsoft Windows 2000 telnetd/ o/Windows 2000/
match telnet m|^\xff\xfb\x01\xff\xfd\x03\xff\xfd\x1f\xff\xfd\0\xff\xfb\0Microsoft \(R\) Windows \(TM\) Version (\d[-.\w]+) \(Build (\d+)\)\r\nWelcome to Microsoft Telnet Service \r\nTelnet Server Build (\d[-.\w]+)\n\rlogin: | p/Microsoft Windows telnetd/ v/$3/ i/OS version $1 build $2/ o/Windows/
# Windows XP telnetd
match telnet m|^\xff\xfd%\xff\xfb\x01\xff\xfb\x03\xff\xfd'\xff\xfd\x1f\xff\xfd\0\xff\xfb\0| p/Microsoft Windows XP telnetd/ o/Windows XP/
# IRIX 6.5.18f telnetd
match telnet m|^\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd\$| p/IRIX telnetd/ v/6.X/ o/IRIX/
# OS 400 V4R4M0
# OS/400 V5R1M0
match telnet m|^\xff\xfd'\xff\xfd\x18$| p|IBM OS/400 telnetd| o|OS/400|
# JetDirect Model: J4169A Firmware: L.21.11
match telnet m|^\xff\xfb\x03\xff\xfb\x01\x07HP JetDirect\r\nPassword is not set\r\n| p/HP JetDirect printer telnetd/ i/No password/ d/printer/
# HP Jetdirect telnet with password protection
match telnet m|^\xff\xfb\x03\xff\xfb\x01\x07HP JetDirect\r\n\r\nEnter username: | p/HP JetDirect printer telnetd/ d/printer/
# HP MPE/iX 5.5 on HP 3000 telnet service
match telnet m|^\xff\xfd\x03\xff\xfb\x01\xff\xfd!| p|HP MPE/iX telnetd|
# Brother 1870N Printer
match telnet m|^\x1b\[2J\x1b\[1;1f\xff\xfb\x01\xff\xfb\x03\xff\xfd\x03| p/Brother printer telnetd/ d/printer/
# AIX 4.3.3.0
match telnet m|^\xff\xfe%\xff\xfd\x18$| p/AIX telnetd/ o/AIX/
match telnet m|^\r\nEfficient ([-.\w ]+) Router \(([-.\d/]+)\) v(\d[-.\w]+) Ready\r\n\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01\xff\xfe\x01Login: | p/Efficient router telnetd/ v/$3/ i/Model $1 - $2/ d/router/
# http://mldonkey.berlios.de/
# mldonkey-2.5-3 telnet port
match telnet m|^\xff\xfd\x1f\n\n\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\n\n                         Welcome to MLdonkey          \n| p/MLdonkey multi-network P2P admin port/
match telnet m|^\r\nRaptor Firewall Secure Gateway\.\r\n| p/Symantec Raptor firewall secure gateway telnetd/
match telnet m|^\r\nSynchronet BBS for Win32  Version (\d[-.\w]+)\r\n| p/Synchronet BBS/ v/$1/ i/on Win32/
match telnet m|^\xff\xfb\x01\xff\xfb\x03\r\nlogin: $| p/Orinoco WAP telnetd/
match telnet m|^\xff\xfd\x03\xff\xfb\x01\xff\xfb\x03\x1b\[1;1H\x1b\[2K\x1b\[2;1H\x1b\[2K\x1b\[3;1H\x1b.*Nortel Networks.*BayStack ([-.\w]+).*Versions: ([.: \w]+)|s p/Nortel Networks telnetd/ i/Baystack $1; Versions: $2/
match telnet m|^\xff\xfb\x01\n\r\n.*Bay Networks (Bay[-.: \w]+)\n\r|s p/Bay Networks telnetd/ i/$1/
match telnet m/^Check Point FireWall-1 authenticated Telnet server running on/ p/Check Point Firewall-1 telnetd/
match telnet m/^\r\nSpeedStream ([^(\r\n]+) \(.*\) v(\S+) Ready\r\n\xff\xfb\x01\xff\xfb\x03\xff\xfd/ p/SpeedStream $1/ v/$2/
# Alcatel SpeedTouch 510 ADSL router - Admin Interface, version 4.0.2.0.0
match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfb\x01\xff\xfb\x03Username : | p/Alcatel SpeedTouch DSL router admin interface/ d/broadband router/
match telnet m/^\r\nRaptor Firewall Secure Gateway\.\r\n\r\nAccess denied\.\r\n/ p/Symantec Raptor Firewall Secure Gateway telnetd/ i/Access Denied/
match telnet m/^\*\*\*\*\*\*\* System Image Boot \*\*\*\*\*\*\*\n\r\n\rVina Technologies (.*) \((\d[-.\w]+ build \d+)\)\n\r/ p/Vina Technologies $1 telnetd/ v/$2/
match telnet m/^\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03\x1b\[0m\x1b\[2J\x1b\[01;00H\r\0Gigalink ([-+ \w]+)/ p/Gigalink telnetd/ i/on $1/
match telnet m/^\xff\xfb\x03\xff\xfb.*D-Link.*Telnet Console.*Model\s+: ([-+\w]+)/s p/D-Link telnetd/ i/on $1/
match telnet m|^\xff\xfb\x01\x1b\[0m\x1b\[2J\x1b\[0m\x1b\[9;20HCopyright\(C\) 1995-99 D-Link Systems Inc\.\x1b\[13;30HUser Name\x1b\[14;30HPassword\x1b\[23;10HMAC Address:\x1b\[8;29H([-.\w]+) Console Program\x1b\[13;41H| p/D-Link switch admin interface/ i/D-Link $1/
match telnet m/^\xff\xfa\x18\x01\xff\xf0\xff\xfb\x01\xff\xfb\x03Ambit Cable Router\r\n\r\nLogin: / p/Ambit Cable Router telnetd/ d/broadband router/
match telnet m|^\xff\xfc\x01\r\nHP JetDirect\r\n\r\nPlease type \"?\" for HELP, or \"/\" for current settings\r\n> $| p/HP JetDirect telnetd/ d/printer/
match telnet m/^\n\rVina Technologies (.*) \((\d[-.\w]+ build \d+)\)/ p/Vina Technologies $1 telnetd/ v/$2/
match telnet m/^\xff\xfd\x03\xff\xfb\x03\xff\xfb\x01\x1b\[0m\x1b\[1;1H\x1b\[2J\rD\r           \n\r             (DES-.*) Command Line Interface\n\r\n/ p/D-Link $1 telnetd/
match telnet m/^\xff\xfb\x01\xff\xfb\x03\xff\xfc\x1f\n\r\n\rUser Access Verification\n\r\n\r\n\r\n\r\n\rShell version (\d\S+).*Maipu Communication Technology Co\./ p/Maipu Router/ i/shell v$1/ d/router/
match telnet m/^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x03\x1b.*Intel Corporation, ([-+. \w()]+)/s p/Intel telnetd/ i/on $1/
match telnet m|^\r\nFlowPoint/(.*) Ready\r\n.*\xff\xfb\x01\xff\xfb| p/Flowpoint telnet/ i/on $1/
match telnet m/Welcome to Tenor Multipath Switch Telnet Server.*Type: (\S+)/s p/Tenor telnetd/ v/$1/ i/on Multipath Switch/
match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01\x0d\x0a\x0d\x0aCisco\x20Systems.*Console/Telnet Access of the ([-. \w]+) for Configuration Purposes|s p/Cisco $1 telnetd/
# Cisco 350 Series Wireless AP 11.05
match telnet m|^\xff\xfb\x01\n\r\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08                           \x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08| p/Cisco WAP telnetd/ d/WAP/
# Cisco 678 DSL router
match telnet m|^\r\n\r\nUser Access Verification\r\nPassword:\xff\xfb\x01$| p/Cisco DSL router telnetd/ d/broadband router/
#  Cisco 2900 Catalyst switch, IOS 12.0(5)XU
# Cisco 3600 router running IOS 12.X
# Cisco 2600 IOS 12.0
match telnet m/^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f.*User Access Verification\r\n\r\n(Username|Password): $/s p/Cisco telnetd/ o/IOS 12.X/ d/switch/
# Cisco Pix 501 PIX IOS 6.3(1) telnet
match telnet m/^\xff\xfb\x03\xff\xfb\x01\xff\xfb\x03\xff\xfb\x01.*\r\nUser Access Verification\r\n\r\nPassword: /s p/Cisco telnetd/ o/IOS 6.X/ d/firewall/
# Cisco Catalyst 6509 - WS-C6509 Software, Version NmpSW: 5.5(1)
match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01\r\n\r\nCisco Systems Console\r\n| p/Cisco Catalyst switch telnetd/ d/switch/
match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f\r\n\r\nPassword required, but none set\r\n| p/Cisco router telnetd/ i/password required but not set/ d/router/
match telnet m|^Access not permitted\. Closing connection\.\.\.\n$|s p/Cisco catalyst switch telnetd/ i/access denied/ d/switch/
match telnet m|^\xff\xfd\x18$| p/Cisco microswitch telnetd/ d/switch/
# OpenBSD 2.3
# FreeBSD 5.1
match telnet m|^\xff\xfd%$| p/BSD-derived telnetd/
# Solaris 9
match telnet m|^\xff\xfd\x18\xff\xfd\x1f\xff\xfd#\xff\xfd'\xff\xfd\$$| p/Sun Solaris telnetd/ o/Solaris/
# Redhat Linux 7.3 telnet
match telnet m|\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'$| p/Linux telnetd/ o/Linux/
match telnet m|^\xff\xfb\x01\n\rUser Name : $| p/APC network management card telnetd/ d/power device/
match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x03\n\rUser Name : | p|APC telnetd| i|Power/UPS device| d|power device|
# G-Net BB0060 ADSL Modem
match telnet m|^\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03\n\r                         \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\n\r.*GlobespanVirata Inc\., Software Release ([-.\w]+)\n\r|s p/GlobespanVirata telnetd/ v/$1/ d/broadbrand router/
# HP-UX B.11.00 A
match telnet m|^\xff\xfd\$$| p/HP-UX telnetd/ o/HP-UX/
# Cayman-DSL Model 3220-H, DMT-ADSL (Alcatel) OS version 6.3.0
match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfe\x01\n\rlogin: $| p/Cayman-DSL router telnetd/ d/broadband router/
# Blue Coat Port 80 Security Appliance  Model: Blue Coat SG400  Software Version: SGOS 2.1.6044 Software Release id: 19480 Service Pack 4
# Maybe I should call this SGOS telnetd instead
match telnet m|^\xff\xfb\x03\xff\xfb\x01\xff\xfd\x1f\r\n\r\nUsername: $| p/Blue Coat telnetd/
match telnet m|^\xff\xfb\x01@ Userid: | p/Shiva LanRover telnetd/
# Netscreen ScreenOS 4.0.1r1.0 telnetd on a netscreen 5XT running firmware 4.0.1r1.0
match telnet m|^\xff\xfd\x18\xff\xfb\x01(\xff\xfe\x01)?(\xff.\x03)?[\w ]*Remote Management Console\r\n(\r\n)?login: $| p/Netscreen ScreenOS telnetd/ d/firewall/

# Note that openwall telnetd is derived from OpenBSD telnetd
match telnet m|^\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'\xff\xfd\$$| p|Openwall GNU/*/Linux telnetd| o|Linux|
match telnet m|^\xff\xfc\x01\r\nHP JetDirect\r\n\r\nPlease type \"\?\" for HELP, or \"/\" for current settings\r\n> $| p/HP Jet Direct printer telnetd/ d/printer/
match telnet m|^\xff\xfb\x01\xff\xfb\x03\r\nAXIS (\S+) TELNET| p/AXIS Webcam/ v/$1/
match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f\r\n\r\nTelebit\'s NetBlazer Version (\S+)\r\n| p/Telebit NetBlazer/ v/$1/
match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x03.*?FORE\x20Systems,\x20FORE\x20ES-2810.*?Version (\d[\d\.-]+)| p/FORE Systems ES-2810/ v/$1/
match telnet m|^\xff\xfb\x03\xff\xfb\x01.*ForeRunner ES-3810.*Enter Username: | p/FORE Systems ES-3810/
match telnet m|^\xff\xfb\x01\r\nCopyright \(C\) 1999 by  Extreme Networks\r\r\n| p/Extreme Networks telnetd/
match telnet m|^\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03.*?ES-1000\x20Fast\x20Ethernet\x20Switch\x20Console| p/Marconi ES-1000/
match telnet m|^\xff\xfb\x01login:\x20$| p/telnet/ i/generic/
match telnet m|^\xff\xfb\x01\xff\xfd\x01\xff\xfb\x03\xff\xfd\x03\xff\xfb\x05\xff\xfd\x05Welcome to ([\w-_]+) Debug Terminal - \d*\n\r\n\r\n\rlogin:| p/hp StorageWorks SSL1016 tape autoloader/ i/Name: $1/
match telnet m|^\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03\r\n\r\nWelcome to Print Server\r\n\r\nPS>| p/Micronet SP733/ d/Print Server/
match telnet m|^\x1b\[0m\x1b\[2J\x1b\[01;28HCONEXANT SYSTEMS, INC\.\x1b\[02;19H ACCESS RUNNER ADSL CONSOLE PORT\x1b\[24;01H>>>\x1b\[24;01HLOGON PASSWORD>\x1b\[02;53H3\.27\x1b\[24;17H\x1b\[24;17H\x1b\[24;17H\x1b\[24;17H| p/MICRONET SP3356/ d/router/
match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f\r\n\r\nWelcome on (.*)\r\n\r\n\r\nUsername: | p/Cisco Router 2621/ i/Banner: $1/
match telnet m|^\xff\xfb\x01\xff\xfd\x18\nTelnet Service on the PrintServer\n\n\rPassword: | p/Hawking Print Server telnetd/ d/print server/
match telnet m|^\xff\xfb\x01\xff\xfb\x03\r\n\r\n Welcome to OpenVMS \(TM\) Alpha Operating System, Version V([\d.]+)    \r\n\r\n\rUsername: | p/OpenVMS telnetd/ o/OpenVMS $1/
match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01\x1b\[0;37;40m\x1b\[2J\x1b\[0;37;40m\x1b\[1m\x1b\[5;27HVertical Horizon Stack Manager\x1b\[0;37;40m\x1b\[1m\x1b\[10;26HEnterasys Networks, Incorporated| p/Enterasys Vertical Horizon Manager/ d/switch/
match telnet m|^\xff\xfd\($| p|IBM OS/390 telnet| o|OS/390|
match telnet m|^\xff\xfb\r\nRemotelyAnywhere Telnet Server v([\d.]+)\r\n.*\r\n\r\n([\w-_. ]+) login\r\nuser name: | p/RemotelyAnywhere telnetd/ v/$1/ i/Name $2/ o/Windows/
match telnet m|^\xff\xfb\x01\xff\xfb\x03\nRICOH Maintenance Shell\.   ([\w:]+)\n\rUser access verification\.\n\rPassword:| p/RICHOH Maintenance telnetd/ i/MAC $1/ d/print server/
match telnet m|^\r\nVxWorks login: \xff\xfb\x01$| p/VxWorks telnetd/ o/VxWorks/


# tinc 1.0.2-2 on Linux
match tinc m|^0 \w+ 17\n| p/tinc vpn daemon/
match time m|^[\xc0-\xc5]...$|
# Tiny Personal Firewall 2.0
match tinyfw m|^\x0f\0\n\0\x01\0\0\0\0\x02\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xc0\x0ef7\xbb\x9bS\xfc\x86\xe4\x7f\x18\xb8\x97\x06 | p/Tiny Personal Firewall/ v/2.0/
# Kerio Personal Firewall 4.02 on Windows 2000, 4.0.11 on W2K SP4+ too (port 44xxx)
match keriopfservice m|^\x12\0\x03\0\x04\0\0\0\0\x02\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0| p/Kerio PF 4 Service/ i/maybe 4.0.2-11/
# Kerio PF 4.0.11 unregistered - GUI process (Port 1027-1200,44xxx? RPC?) on MS W2K SP4+
match keriopfgui m|^\x12\0\r\0\x03\0\0\0\0\x02\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x9a\x20\xd0Z\x1e\x1b\xa3\*\xf2\xdd\xe2\(\xc3sp&\xda\xe4Yp\xdbET\xf9\x8cc\xc24\*Y\xbe\xb3\xba\xd6%\xf5\xb668\xad\xab>@D<\x01<i\x80O>\xdd>\)\xdb\x18\xf55\xd1\xba\x96\x1c\x17\x17\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x01\0\x01| p/Kerio PF 4 GUI/ i/maybe 4.0.11/
# Kerio Personal Firewall 2.1.4 on Windows
# Tiny Personal Firewall 2.0
# Kerio Personal Firewall, Firewall engine version 2.1.5 Driver version 3.0.0 on WinXP
match tinyfw m|^\x0f\0\n\0\x01\0\0\0\0\x02\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0| p/Kerio Personal Firewall/ v/2.1.X/ i/or Tiny Personal Firewall/
match ssl/vmware-auth m|^220 VMware Authentication Daemon Version (\d[-.\w]+): SSL Required\r\n| p/VMware Authentication Daemon/ v/$1/
match vnc m|^RFB 003.00(\d)\n$| p/VNC/ i/protocol 3.$1/
match vtun m|^VTUN server ver (\d[-.\w /]+)\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0| p/Vtun Virtual Tunnel/ v/$1/
match vtun m|^VTUN server ver \. (\d[-.\w /]+)\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0| p/Vtun Virtual Tunnel/ v/$1/

# http://www.3w.net/lan/faq.html
match websense-eim m|^\x96\xfeS\xab$| p/Websense EIM/

match winshell m/^Microsoft Windows ((2000)|(XP)|(NT 4\.0)) \[Version ([\d.]+)\]\r\n\(C\) Copyright 1985-20\d\d Microsoft Corp\.\r\n\r\n/ p/Microsoft Windows $1 $5 cmd.exe/ o/Windows/

# CcXstream Media Server 1.0.15 on Linux - Uses XBMSP (X-Box Media Streaming Protocol)
match xbmsp m|^XBMSP-1\.0 1\.0 CcXstream Media Server (\d[-.\w]+)\n| p/CcXstream Media Server/ v/$1/
# XFCE Desktop Version 3.99.4 From Gentoo 1.4 Ebuild on Linux 2.4.6
match xfce m|^\0\x01\0@\0\0\0\0| p/XFCE Desktop/


match zebra m|^\r\nHello, this is zebra \(version (\d[-.\w]+)\)\.\r\nCopyright 1996-20| p/GNU Zebra routing software/ v/$1/
match zebra m|^\r\nHello, this is zebra \(version (\d[-.\w]+)\)\.\r\nCopyright 200\d| p/GNU Zebra routing software/ v/$1/

match pcp m|^\0\0\0\x14\0\0p\0\0\0..\0\0\0\0\x02\x01\0\0| p/SGI Performance Co-Pilot/

match smtp m|^220 SPAM, we hates it.\r\n| p/Barracuda Spam firewall/

# 13720/tcp
match bprd m|^\0\0\0\x0eEXIT STATUS 23$| p/Veritas Netbackup/
# 13782/tcp
match bpcd m|^gethostbyaddr: [\w ]+\n$| p/Veritas Netbackup/ i/refused/

# PostCast SMTP server 2.6.0 ( http://www.postcastserver.com/ )
match smtp m|^220 PostCast SMTP server.*\r\n$| p/PostCast SMTP server/

match omapi m|^\0\0\0d\0\0\0\x18$| p/ISC (BIND|DHCPD) OMAPI/
match svnserve m|^\(\x20success\x20\(\x201\x202\x20\(\x20ANONYMOUS\x20\)\x20\(\x20edit-pipeline\x20\)\x20\)\x20\)\x20$| p/Subversion/
match icecreamd m|^[\x14-\x1f]\0\0\0$| p/icecreamd/
match apc-agent m|^\xac\xed\0\x05$| p/APC PowerChute agent/ d/power device/
# OpenH323 Gatekeeper 2.0.3
match afs3-fileserver m|^\xff\xfd\x03\xff\xfb\x05Version:\r\nGatekeeper\(GNU\) Version\(([\d.]+)\) Ext\(.*\) Build\(.*\) Sys\(Linux .*\)\r\n\r\n| p/OpenH323 Gatekeeper/ v/$1/ o/Linux/

match wingate-control m|^.\x01.[\x02\x03]\x01\d+\0$| p/WinGate Administration/ o/Windows/
# Wingate redir: Probably not general enough
match wingate m|^\0\n\0\0\x02\0\0\0\x01\0$| p/WinGate transparent redirection/ o/Windows/
match mail-admin m|^OK0100 eXtremail V([\d.]+) release (\d+) REMote management \.\.\.\r\n| p/eXtremail remote management/ v/$1 release $2/
match pppd m|^SuSE Meta pppd \(smpppd\), Version ([\d.]+)\r\n| p/SuSE Meta pppd/ v/$1/ o/Linux/

##############################NEXT PROBE##############################
Probe TCP GenericLines q|\r\n\r\n|
ports 21,23,43,98,110,113,119,199,505,540,628,1040,1248,1467,1501,2010,3128,3333,5000,5432,5555,6112,6667-6670,8000,11965,30444

# bnetd (PvPGN BnetD Mod version 1.5.0) on Debian GNU/Linux (sid)
match bnetd m|^BOT or Telnet Connection from \[127\.0\.0\.1\]\r\n\r\nEnter your account name and password\.\r\nSorry, there is no guest account\.\r\n\r\nUsername: | p/PvPGN BnetD Mod/ v/1.5.0/
match bnetd m|^Username: $| p/bnetd open source Blizzard Battlenet server/
# bnetd server 0.4.25 on Linux
# Cisco PIX 501 running PIX IOS 6.3(1)
match ciscopsdm m|^\xc0\0\x01\0....\0\0\0\x03| p/Cisco PIX Secure Database Manager/ d/firewall/ o/IOS/
match crossmatchverifier m|^Idle\r\n$| p/Cross Match Technologies Verifier fingerprint capture control port/
# I think this type of eggdrop banner is only used when customized or such.
match eggdrop m|^\r\nNickname\.\r\nSorry, that nickname format is invalid\.\r\n$| p/Eggdrop irc bot console/

# Alcatel Speedtouch ADSL Router
match ftp m|^220 Inactivity timer = \d+ seconds\. Use 'site idle <secs>' to change\.\r\n221 Goodbye \(badly formated command seen\)\.  You uploaded 0 and downloaded 0 kbytes\.\r\n221 Goodbye \(badly formated command seen\)\.  You uploaded 0 and downloaded 0 kbytes\.\r\n$| p/Alcatel Speedtouch aDSL router ftpd/ d/broadband router/
# bftpd 1.0.22 on Linux 2.4
match ftp m|^220 \r\n500 Unknown command: \"\"\r\n500 Unknown command: \"\"\r\n$| p/bftpd/
# Multitech MultiVoip 410 VoIP gateway
match ftp m|^220 Service ready\r\n500 Unsupported command\r\n$| p/Multitech MultiVoip 410 VoIP gateway ftpd/ d/VoIP adapter/
# NetportExpress PRO/100 3 port print server
match ftp m|^220 FTP server ready\.\r\n530 access denied\.\r\n| p/Intel NetportExpress print server ftpd/ d/print server/
# D-Link Print Server internal FTP daemon (Firmware version 1.38) - D-Link Print Server DP-101
match ftp m|^220 FTP server ready\.\r\n501 Command not supported\.\r\n$| p/D-Link Printer Server ftpd/ d/print server/
match ftp m|^220 ([-.\w]+) FTP server ready\.\r\n530 Please login with USER and PASS\.\r\n530 Please login with USER and PASS\.\r\n$| p/Solaris ftpd/ h/$1/ o/Solaris/
# vsftpd (Very Secure FTP Daemon) 1.0.0 on linux with custom ftpd_banner
# We'll have to see if this match is unique enough
match ftp m|^220 .*\r\n530 Please login with USER and PASS\.\r\n530 Please login with USER and PASS\.\r\n|s p/vsFTPd/ i/customized banner/
match ftp m|^220 ([-.\w]+) FTP Server ready \.\.\.\r\n530 \r  : User not logged in\. Please login with USER and PASS first\.\r\n530 \r  : User not logged in\. Please login with USER and PASS first\.\r\n$| p/Bulletproof ftp server/ o/Windows/ h/$1/
# BulletProof FTP 2.21 on Windows 2000 Server
match ftp m|^220 ftp\r\n$| p/Bulletproof ftp server/ o/Windows/
match ftp m|^220 FTP server ready\.\r\n200 NOOP command successful\.\r\n| p/Tektronix Phaser ftpd/ d/printer/
match ftp m|^220 \"Welcome to Bot FTP service\.\"\r\n331 Please specify the password\.\r\n230 Login successful\. Have fun\.\r\n| p/Unknown trojan ftpd/
match ftp m|^220 OK\n226 OK\n| p/Sasser worm minimal ftpd/ o/Windows/
match ftp m|^220 FTPd ([\d.]+)\r\n500 Bad command\r\n| p/USR8022 router ftpd/ v/$1/ d/router/
match ftp m|^220 Telindus FTP server ready\.\r\n502 Command not implemented\.\r\n502 Command not implemented\.\r\n| p/Telindus ftpd/ d/router/

# GKrellM System Monitor 2.1.15 on Linux
match gkrellm m|^<error>\nBad connect string!| p/GKrellM System Monitor/

# Some web servers don't give a 'Server: ' line for the Get request, but do for this probe.
match http m|^HTTP/1\.1 400 .*\r\nServer: Microsoft-IIS/(\d[-.\w]+)\r\n| p/Microsoft IIS webserver/ v/$1/ o/Windows/
# Icecast version: 1.9+2.0alphasn
match http m|^HTTP/1\.0 401 Authentication Required\r\nWWW-Authenticate: Basic realm=\"Icecast2 Server\"\r\n\r\nYou need to authenticate\r\n| p/Icecast streaming media server/
# Network Flight Recorder v3.2 on Solaris 8 (sparc)
match http m|^HTTP/1\.0 400 Bad request\r\n\r\n$| p/Network Flight Recorder IDS/
# Cisco 350 Series 802.11 AP
match http m|^HTTP/1\.0 400 Bad Request\r\nServer: thttpd/(\d[-.\w ]+)\r\n| p/thttpd/ v/$1/ d/WAP/
# OpenPGP Public Key Server 0.9.6
match http m|^HTTP/1\.0 400 Bad Request\r\nServer: pks_www/([\d.]+)\r\nContent-type: text/html\r\n\r\n<HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY></BODY>\r\n| p/OpenPGP Public Key Server/ v/$1/

match icecast m|^HTTP/1\.0 200 OK\r\nServer: icecast/(\d[-.\w]+)\r\n| p|Shoutcast/Icecast streaming audio| v|$1|

# slident 0.0.19
match ident m|^0, 0: ERROR: UNKNOWN-ERROR\n$| p/slident/
# mlidentd 1.1 on Linux
match ident m|^0,0:ERROR:UNKNOWN-ERROR\r\n$| p/mlidentd/
# OpenBSD 3.2 identd
# May apply to Linux too -- need to investigate further.
match ident m|^0 , 0 : ERROR : UNKNOWN-ERROR\r\n$| p/OpenBSD identd/ o/OpenBSD/
# FreeBSD 4.8-RC inetd internal identd
match ident m|^0 , 0 : ERROR : INVALID-PORT\r\n$| p/FreeBSD identd/ o/FreeBSD/
# pidentd-3.1a19-157
match ident m|^ : ERROR : UNKNOWN-ERROR\r\n$| p/pidentd/
match ident m|^0, 0 : ERROR : X-INVALID-REQUEST\r\n$| p/Minidentd/
# http://packages.debian.org/unstable/net/ident2.html
match ident m|^0 , 0 : ERROR : INVALID-PORT\r\n0 , 0 : ERROR : INVALID-PORT\r\n$| p/Ident2/
# midentd 2.3.1 on Linux
match ident m|^0, 0 : ERROR : INVALID-PORT\r\n| p/midentd/
#midentd 2.1 on Linux 2.4.21
match ident m|^0,0 : ERROR : INVALID-PORT\r\n| p/midentd/

# Broken inetd configuration
# <27>Dec 19 17:37:37 inetd\[28433\]: execv /usr/openv/netbackup/bin/bpjava-msvc: No such file or directory
match inetd m|^<\d+>[A-Z][a-z][a-z] +\d+ \d+:\d+:\d+ inetd\[\d+\]: execv (/[-.\\/\w]+): (\w[\s-\w.,]+)$| p/inetd/ i/failed to exec $1: $2/

# Diverse IRC bot
match ircbot m|^ \r\nSorry, that nickname format is invalid\.\r\r\n$| p/Diverse IRC bot/
# Part of Linux net-snmp-5.0.6-17
match linuxconf m|^500 access denied: Check networking/linuxconf network access\r\n$| p/Linuxconf/ i/Access denied/ o/Linux/
# Linuxconf 1.26r4
match linuxconf m|^500 access denied: Check config/networking/misc/linuxconf network access\r\n<p>\r\nBy default,| p/Linuxconf/ i/Access denied/
# Netsaint Status Daemon 2.15
match netsaint m|^Unknown command\n$| p/Netsaint Status Daemon/
# NSClient - http://nsclient.ready2run.nl/
match nsclient m|^ERROR:Wrong password$| p/Netsaint Windows Client/

match omniback m|^HP OpenView OmniBack II ([-.\w]+): INET, | p/HP OpenView OmniBack/ v/$1/
# Mercury/32 3.32 PH Server module on Windows XP
match ph-addressbook m|^598::Command not recognized\.\r\n598::Command not recognized\.\r\n$| p|Mercury/32 PH addressbook server| o|Windows|

match pop3 m|^\+OK POP3 ([-.+\w]+) v(\d[-.\w]+) server ready\r\n| p/ipop3d/ h/$1/ v/$2/
# iopd 2003debian0.0304182231-1
match pop3 m|^\+OK POP3 \[([-.\w]+)\] v(200[-.\w]+) server ready\r\n-ERR Null command\r\n-ERR Null command\r\n| p/ipopd/ h/$1/ v/$2/
# Solid POP3d 0.15
match pop3 m|^\+OK Solid POP3 server ready\r\n-ERR unknown command\r\n-ERR unknown command\r\n$| p/Solid POP3d/
# OS 400 V4R4M0
match pop3 m|^\+OK POP3 server ready\r\n-ERR invalid command\r\n$| p/IBM OS 400 pop3d/ o|OS/400|
# mailgate v3.5.177 on Win2K
match pop3 m|^\+OK pop server ready\r\n$| p/MailGate pop3d/ o/Windows/
# Perdition
match pop3-proxy m|^\+OK POP3 Ready ([\w-_.]+) \w+\r\n-ERR Null command, mate\r\n| p/Perdition pop3 proxy/ h/$1/

# Postgres 7.1.3
match postgresql m|^EInvalid packet length\0$| p/PostgreSQL DB/
# postgresql-7.2.3-5.73; linux 2.4.20-18.7 redhat 7.3
match postgresql m|^EFATAL 1:  invalid length of startup packet\n\0| p/PostgreSQL DB/
# Postfix qmqpd on Linux 2.4
match qmqp m|^58:Dnetstring format error while receiving QMQP packet header,$| p/Postfix qmqpd/ i/Quick Mail Queueing Protocol/
# Ximian Red Carpet Daemon 1.4.4 on RedHat Linux 9.0
match redcarpet m|^Status: 400 Bad Request\r\nContent-Length: 0\r\n\r\n| p/Ximian Red Carpet Daemon/

match smux m|^A\x01\x02$| p/Linux SNMP multiplexer/ o/Linux/
# Solaris 9
match uucp m|^login: Please enter user name: Password: $| p/Solaris uucpd/ o/Solaris/
match ups m|^32\r $| p/Cyber Power PowerPanelPlus UPS Server/ o/Windows/
match whois m|^%  No entries found for the selected source\(s\)\.\n$| p/Merit IRRD whoisd/
match whois m|^Process query: ''\nQuery recognized as IP\.\nQuerying ([\w\d-_.]+):(\d+) with whois\.\n\n| p/gwhois/ i/Uses $1:$2/
match whois m|^Process query: ''\nQuery recognized as IP\.\n| p/gwhois/
match zebedee m|^\x02\x01$| p/Zebedee encrypted tunnel/

match bmc-perform-service m|^SDPACK$| p/BMC Perform Service Daemon/
# Grisoft AVG antivirus server (distributing virus database updates)
match http m|HTTP/1\.0 \d\d\d [\w ]+\r\nServer: GRISOFT-AVG TCP Server/(\d[-.\w]+) .*\r\n| p/Grisoft AVG TCP Server/ v/$1/

# Ubicom embedded ( http://www.ubicom.com/home.htm )
match http m|^HTTP/1\.1 400 Bad Request\r\nCache-control: no-cache\r\nServer: Ubicom/(\d[-.\w ]+)\r\n| p/Ubicom embedded HTTP server/ v/$1/

match nntp m|^200 Coruscant BBS News \(Synchronet NNTP Service v(\d[-.\w ]+)\)\r\n| p/Synchronet NNTP Service/ v/$1/

# wesnotd multiplayer network daemon (http://www.wesnoth.org/)
match wesnotd m|^\0\0\0\x16\0\0\0\x1f\x02version\0\x040\..\..\0\0\x02mustlogin\0x05\x01\0| p/wesnotd/

# SHOUTcast Distributed Network Audio: www.shoutcast.com
match shoutcast m|^ICY 200 OK\r\n.*SHOUTcast Distributed Network Audio Server/([\w\d]+).v([\d.]+).*icy-name:(.*?)\r\n|s p/SHOUTcast server ($1)/ v/$2/ i/Name: $3/
match shoutcast m|^ICY 200 OK\r\n.*SHOUTcast Distributed Network Audio Server/([\w\d]+).v([\d.]+)|s p/SHOUTcast server ($1)/ v/$2/
match shoutcast m|^ICY 401 Service Unavailable\r\n.*SHOUTcast Distributed Network Audio Server/([\w\d]+) v([\d.]+)|s p/SHOUTcast server ($1)/ v/$2/

match bitkeeper m|^ERROR-Try help\nERROR-Try help\n$| p/Bitkeeper/
match webcache m|^HTTP/1\.0 400 Bad Request\r\nExpires: .*\r\nContent-Type: text/html\r\n\r\n<html>\n<head><title>Bad formed request or url</title>\n| p/webcache/
# Novell ZENworks for Desktops Imaging Proxy 4.01.03
# Not sure if this is netware specific (linux too?) -Doug
match zenimaging m|^\xff\xff\xfb&$| p/Novell ZENworks Imaging Proxy/

match ajp12 m|^Status: 400 Bad Request\r\nServlet-Error: Malformed data sent to JServ\r\n\r\n$| p/Jserv/

match nuttcp m|^KO\nnuttcp-t: v([\d.]+): error scanning parameters\nmay be using older client version than server\n\r\nKO\n| p/nuttcp network throughput tester/ v/$1/


##############################NEXT PROBE##############################
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
ports 70,79,80-85,88,113,139,143,280,497,515,540,554,620,631,783,993,995,1220,1503,2030,3052,3128,3372,3531,3689,5000,5432,5800-5803,5900,6346,6699,7070,8000-8010,8080-8085,8880-8888,9090,9999,10000,10005,11371,13722,15000,40193,4711
sslports 443

# Kerio PF 4.0.11 unregistered - Service process (Port 44xxx?) on MS W2K SP4+
match keriopfservice m|^(HTTP/1\.0) 200 OK\r\nServer: Kerio Personal Firewall\r\n| p/Kerio PF 4 Service/ i/$1/

match backupexecra m|^\xf6\xff\xff\xff\x10\0\0\0\0\0\0\0\0\0\0\0$| p/Veritas BackupExec Remote Agent/

match dantzretrospect m|^\0\xca\0\0\0\0\0\x04\0\0\0\0$| p/Dantz Retrospect/ v/6.0/
match dnet-keyproxy m|^HTTP/1\.0 302 Found\r\nLocation: http://www\.distributed\.net/\r\n\r\n$| p/Distributed.Net HTTP Keyproxy/

# Digital UNIX 5.6
match finger m|^Login name: /         \t\t\tIn real life: \?\?\?\r\n\r\nLogin name: GET       \t\t\tIn real life: \?\?\?\r\n\r\nLogin name: HTTP/1\.0  \t\t\tIn real life: \?\?\?\r\n$| p/Digital UNIX fingerd/ o/DIGITAL UNIX/
# Internet Rex v2.67 Beta 1a
match finger m|^No such user No such user N\n$| p/Internet Rex finger server/
# FreeBSD 4.9-STABLE /usr/libexec/fingerd/
match finger m|^finger: /: no such user\r?\nfinger: GET: no such user\r?\nfinger: HTTP/1\.0: no such user\r?\n$| p/FreeBSD fingerd/ o/FreeBSD/
# Bay Networks Micro Annex Comm. Server R10.0
match finger m|^No such activity\.\r\n$| p/Bay Networks Micro Annex terminal server fingerd/
# Mercury/32 3.32 Finger Server module on Windows XP
match finger m|^GET / HTTP/1\.0 is not known at this site\.\r\n$| p|Mercury/32 fingerd| o|Windows|
# ffingerd 1.28
match finger m|^That user does not want to be fingered\.\n$| p/ffingerd/
# Finger 0.17 from debian linux (which is from Linux netkit I believe)
# OpenBSD 2.3
match finger m|^finger: GET: no such user\.\nfinger: /: no such user\.\nfinger: HTTP/1\.0: no such user\.\n$| p|BSD/Linux fingerd|
# Linux port of in.fingerd from OpenBSD network tools - started with -w to show welcome banner
match finger m|^\r\nWelcome to Linux version (\d[-.\w]+) at ([-.\w]+) !\r\n\n.*(\d+) user.*\n\r\nfinger: GET: no such user\.\nfinger: /: no such user\.\nfinger: HTTP/1\.0: no such user\.\n| p/OpenBSD fingerd/ i/ported to Linux; $2 users logged in/ o/Linux version $1/ h/$2/ o/Linux/
# Redhat Linux from finger-server-0.17-9 RPM
match finger m|^finger: GET: no such user.\r\nfinger: /: no such user.\r\nfinger: HTTP/1.0: no such user.\r\n$| p/Linux fingerd/ o/Linux/
# NetBSD 1.6ZA (berkeley fingerd 8.1 sibling)
match finger m|^finger: GET: no such user\nfinger: /: no such user\nfinger: HTTP/1\.0: no such user\n$| p/NetBSD fingerd/
# Solaris 9
match finger m|^Login       Name               TTY         Idle    When    Where\r\nGET                   \?\?\?\r\n/                     \?\?\?\r\nHTTP/1\.0              \?\?\?\r\n$| p/Sun Solaris fingerd/ o/Solaris/
# mlfingerd 1.1
match finger m|^Information for user 'GET\+20\+2F\+20HTTP\+2F1\.0':\r\nUnknown user\.\r\n$| p/mlfingerd/
# SGI IRIX 6.5.18f finger
match finger m|^Login name: GET       \t\t\tIn real life: \?\?\?\r\n$| p/SGI IRIX fingerd/ o/IRIX/
# Windows fingerd
match finger m|^No such user\n$| p/Windows fingerd/ o/Windows/

match gnutella m|^HTTP/1\.[01] 404 Not Found\r\nServer: gtk-gnutella/(\d[-.\w]+) \(([^\)\r\n]+)\)\r\n| p/gtk-gnutella P2P client/ v/$1/ i/$2/
# LimeWire 3.5.8 on Suse Linux 8.1
match gnutella m|^HTTP/1\.1 406 Not Acceptable\r\n$| p/LimeWire Gnutella P2P client/
match gnutella m|^HTTP/1\.0 200\r\nServer: Mutella\r\n| p/Mutella Gnutella P2P client/
match gnutella m|^HTTP/1\.1 404 Not Found\r\nServer: giFT-Gnutella/(\d[-.\w]+)\r\n| p/GiFT P2P client gnutella module/ v/$1/
match gnutella m|^HTTP/1\.1 200 OK\r\n.*\r\nServer: Shareaza (\d\S+)|s p/Shareaza/ v/$1/
match gnutella m|^HTTP/1\.1 \d\d\d .*\r\n.*Server: BearShare ([\d.]+)\r\n|s p/BearShare Gnutella P2P client/ v/$1/
match gopher m|^HTTP/1\.0 200 Ok\r\nMIME-Version: 1\.0\r\nServer: GopherWEB/(\d[-.\w]+)\r\n| p/Internet Gopher Server/ i/Gopher+ protocol; GopherWeb $1/

match http m|^HTTP/1\.0 401 Unauthorized\r\nPragma: no-cache\r\nContent-type: text/html\r\nWWW-Authenticate: Basic realm=\"Login to the Router Web Configurator\"\r\n\r\n<html>\n  <head>\n  <title>401 Unauthorized</title>\n  </head>\n<body>\n\n<div align=\"center\">| p/Draytek Vigor aDSL router webadmin/ d/broadband router/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: webfs/(\d[-.\w]+)\r\n| p/WebFS httpd/ v/$1/
match http m|^HTTP/1\.0 200 OK\r\nConnection: Keep-Alive\r\nContent-Type: text/html\r\nContent-Length: \d+\r\n\r\n<HTML>\n<!-- Copyright IBM Corporation, 1999 -->\n<HEAD>\n<META HTTP-EQUIV=\"Content-Type\" CONTENT=\"text/html; charset=| p/IBM switch webadmin/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: WebCam2000/(\d[-.\w]+) \(([-/.+\w]+); www\.stratoware\.com/webcam2000/\)\r\n| p/Webcam2000 httpd/ v/$1/ i/$2/
match http m|^HTTP/1\.0 404 Not Found\r\nDate: .*\r\nServer: BWS/1\.0b3\r\n\r\n| p/Corel Paradox relational database web interface/ v/9.X/ i/Embedded BWS 1.0b3/
match http m|^HTTP/1\.0 \d\d\d .*\r\nDate: .*\r\nServer: WebSite/(\d[-.\w]+)\r\n| p/Deerfield VisNetic WebSite Professional/ v/$1/
match http m|^HTTP/1\.0 \d\d\d\r\nServer: Statistics Server (\d[-.\w]+)\r\n| p/DeepMetrix Statistics Server/ v/$1/
match http m|^HTTP/1\.0 400 Bad Request\r\nServer: OfficeScan Client\r\nContent-Type: text/plain\r\nAccept-Ranges: bytes\r\nContent-Length: 4\r\n\r\nFail$| p/Trend Micro OfficeScan antivirus update client/
match http m|^HTTP/1\.1 200 OK\r\nContent-Type: text/html\r\nDate: Tue, 07 Oct 2003 12:26:05 GMT\r\nAllow: GET, HEAD\r\nServer: Spyglass_MicroServer/(\d[-.\w]+)\r\n\r\n<html>\n\n<head>\n\n<title>.*PhaserLink| p/Tektronix Phaser printer webadmin/ i/Ebedded Spyglass MicroServer $1/ d/printer/
match http m|^HTTP/1\.0 401 Unauthorized\r\nServer: 3Com/v(\d[-.\w]+)\r\nWWW-Authenticate:Basic realm=\"device\"\r\n| p/3Com switch webadmin/ v/$1/
match http m|^HTTP/1\.0 401 Unauthorized\nDate: .*\nServer: Acme\.Serve/v(\d[-.\w ]+)\nConnection: close\nExpires: .*\nWWW-Authenticate: Basic realm=\"PowerChute network shutdown\"\n|s p/APC Powerchute UPS web management/ i/Embedded Acme.Serv $1/ d/power device/
match http m|^HTTP/1\.0 302 Found\r\nLocation: /index\.htm\r\n\r\n| p/Alcatal Speedtouch aDSL router webadmin/ d/broadband router/
match http m|^HTTP/1\.0 404 Not Found\r\nServer: pks_www/(\d[-.\w]+)\r\n| p/OpenPGP public key server/ v/$1/
match http m|^HTTP/1\.0 401 Unauthorized\r\nServer: Apache/0\.6\.5\r\nPragma: no-cache\r\nContent-type: text/html\r\nWWW-Authenticate: Basic realm=\"System Setup\"\r\n| p/BenQ AWL wireless router webadmin/ d/broadband router/
# Orinoco bg-2000 Access Point
match http m|^HTTP/1\.1 401 Unauthorized\r\nServer: Agranat-EmWeb/R5_2_6\r\nWWW-Authenticate: Basic realm=\"gateway\"\r\n| p/Orinoco WAP webadmin/ i/Embedded webserver: Agranat-EmWeb 5.2.6/
# ORiNOCO AP-600
match http m|^HTTP/1\.1 401 Unauthorized\r\nServer: Virata-EmWeb/R5_3_0\r\nWWW-Authenticate: Basic realm=\"Access-Product\"\r\n| p/Orinoco WAP webadmin/ i/Embedded webserver: Virata-EmWeb 5.3.0/

# HP Printers
match http-mgmt m|^HTTP/1\.1 200 OK\r\nServer: Agranat-EmWeb/R5_2_6\r\nContent-Type: text/html;charset=ISO-8859-1\r\nCache-Control: no-cache\r\nPragma: no-cache\r\n\r\n<HTML> \n<HEAD>\n<TITLE> | p/HP LaserJet/ i/Embedded webserver: Agranat-EmWeb 5.2.6/ d/printer/
match http-mgmt m|^HTTP/1\.1 200 OK\r\nServer: Virata-EmWeb/R6_2_1\r\nContent-Type: text/html;charset=ISO-8859-1\r\nExpires: .*\r\nCache-Control: no-cache\r\nPragma: no-cache\r\n\r\n<!DOCTYPE html\nPUBLIC | p/HP LaserJet/ i/Embedded webserver: Agranat-EmWeb 6.2.1/ d/printer/
match http-mgmt m|^HTTP/1\.1 200 OK\r\nServer: Virata-EmWeb/R6_2_1\r\nContent-Type: text/html;charset=utf-8\r\nExpires: Thu, 01 Jan 1970 00:00:00 GMT\r\nCache-Control: no-cache\r\nPragma: no-cache\r\n\r\n<!--  DOCTYPE tag is included to support the XHTML  -->\n<!DOCTYPE html\n   PUBLIC | p/HP LaserJet/ i/Embedded webserver: Agranat-EmWeb 6.2.1/ d/printer/
match http-mgmt m|^HTTP/1\.1 200 OK\r\nServer: Virata-EmWeb/R6_0_1\r\n-ransfer-Encoding: chunked\r\nContent-Type: text/html\r\nExpires: .*\r\nCache-Control: no-cache\r\nPragma: no-cache\r\n\r\n\n\n<!DOCTYPE html\nPUBLIC| p/HP JetDirect/ i/Embedded webserver: Virata-EmWeb 6.0.1/
match http-mgmt m|^HTTP/1\.1 301 Moved Permanently\r\nServer: Virata-EmWeb/R6_2_1\r\nLocation: https://([\d.]+)/\r\nContent-Type: text/html\r\nContent-Length: 90\r\n\r\n<HEAD><TITLE>Moved</TITLE></HEAD><BODY>| p/HP Color LaserJet 3500/ i/Virata embedded httpd 6.2.1/ d/printer/
match http m|^HTTP/1\.1 301 Resource Moved\r\nCONTENT-LENGTH: 0\r\nEXPIRES: .*\r\nLocation: /hp/device/this\.LCDispatcher\r\nCACHE-CONTROL: no-cache\r\nSERVER: HP-ChaiSOE/([\d.]+)\r\n-ONNECTION: Keep-Alive\r\n\r\n| p/hp color LaserJet 4650/ i/HP-ChaiSOE $1/ d/printer/


# HP Printers
match http-mgmt m|^HTTP/1\.1 200 OK\r\nServer: Agranat-EmWeb/R5_2_6\r\nContent-Type: text/html;charset=ISO-8859-1\r\nCache-Control: no-cache\r\nPragma: no-cache\r\n\r\n<HTML> \n<HEAD>\n<TITLE> | p/HP LaserJet/ i/Embedded webserver: Agranat-EmWeb 5.2.6/ d/printer/
match http-mgmt m|^HTTP/1\.1 200 OK\r\nServer: Virata-EmWeb/R6_2_1\r\nContent-Type: text/html;charset=ISO-8859-1\r\nExpires: .*\r\nCache-Control: no-cache\r\nPragma: no-cache\r\n\r\n<!DOCTYPE html\nPUBLIC | p/HP LaserJet/ i/Embedded webserver: Agranat-EmWeb 6.2.1/ d/printer/
match http-mgmt m|^HTTP/1\.1 200 OK\r\nServer: Virata-EmWeb/R6_2_1\r\nContent-Type: text/html;charset=utf-8\r\nExpires: Thu, 01 Jan 1970 00:00:00 GMT\r\nCache-Control: no-cache\r\nPragma: no-cache\r\n\r\n<!--  DOCTYPE tag is included to support the XHTML  -->\n<!DOCTYPE html\n   PUBLIC | p/HP LaserJet/ i/Embedded webserver: Agranat-EmWeb 6.2.1/ d/printer/
match http-mgmt m|^HTTP/1\.1 200 OK\r\nServer: Virata-EmWeb/R6_0_1\r\n-ransfer-Encoding: chunked\r\nContent-Type: text/html\r\nExpires: .*\r\nCache-Control: no-cache\r\nPragma: no-cache\r\n\r\n\n\n<!DOCTYPE html\nPUBLIC| p/HP JetDirect/ i/Embedded webserver: Virata-EmWeb 6.0.1/ d/printer/
match http-mgmt m|^HTTP/1\.1 301 Moved Permanently\r\nServer: Virata-EmWeb/R6_2_1\r\nLocation: https://([\d.]+)/\r\nContent-Type: text/html\r\nContent-Length: 90\r\n\r\n<HEAD><TITLE>Moved</TITLE></HEAD><BODY>| p/HP Color LaserJet 3500/ i/Virata embedded httpd 6.2.1/ d/printer/
match http m|^HTTP/1\.1 301 Resource Moved\r\nCONTENT-LENGTH: 0\r\nEXPIRES: .*\r\nLocation: /hp/device/this\.LCDispatcher\r\nCACHE-CONTROL: no-cache\r\nSERVER: HP-ChaiSOE/([\d.]+)\r\n-ONNECTION: Keep-Alive\r\n\r\n| p/hp color LaserJet 4650/ i/HP-ChaiSOE $1/ d/printer/

match http m|^HTTP/1\.0 200 OK\nServer: stats\.mod/(\d[-.\w]+)\n| p/Eggdrop stats.mod web statistics module/ v/$1/
match http m|^HTTP/1\.1 200 OK\r\nServer: PPR-httpd/(\d[-.\w]+)\r\n| p/PPR print spooling daemon ppradmin/ v/$1/
match http m|^HTTP/1\.1 200 OK\r\nDate: .*\r\nServer: RAC_ONE_HTTP (\d[-.\w]+)\r\n| p/Dell Embedded Remote Access card webserver/ v/$1/ d/terminal server/
match http m|^HTTP/1\.0 200 OK\r\nContent-Type: text/html\r\n\r\n<HTML>\r\n<HEAD>\r\n<TITLE>EpsonNet WebAssist Rev\.(\d[-.\w]+)</TITLE>| p/EpsonNet WebAssist printer configuration/ v/$1/ d/printer/
match http m|^HTTP/1\.0 200 OK\r\nContent-Type: text/html\r\n\r\n<HTML><HEAD><META HTTP-EQUIV=\"Content-type\" CONTENT=\"text/html; charset=iso-8859-1\">\r\n<TITLE>Lexmark ([-/.+\w]+)</TITLE>| p/Lexmark printer webadmin/ i/Lexmark $1/ d/printer/
match http m|^HTTP/1\.0 200 OK\nServer: III (\d[-.\w]+)\n| p/Innovative Interfaces Innopac httpd/ v/$1/
match http m|^HTTP/1\.0 401 Unauthorized\r\nContent-type: text/html\r\nWWW-Authenticate: Basic realm=\"CISCO_WEB\"\r\n| p/Cisco DSL router webadmin/  d/broadband router/
match http m|^HTTP/1\.1 200 OK\r\nContent-Type: text/html\r\n.*Server: Allegro-Software-RomPager/([\w.]+)\r\n\r\n<HTML>\n<HEAD>\n<TITLE>Cisco Systems, Inc\.</TITLE>.*Cisco IP Phone (\d+)|s p/Cisco IP Phone $2/ i/Allegro RomPager $1/ d/VoIP phone/
match http m|^HTTP/1\.0 \d\d\d .*\r\nRAKeepAliveHeader: \.\r\n| p/RemotelyAnywhere remote PC management webserver/
match http m|^HTTP/1\.0 \d\d\d .*\r\nDate: .*\r\nServer: Ipswitch-IMail/(\d[-.\w]+)\r\n| p/IPSwitch IMail web service/
match http m|^HTTP/1\.0 200 OK\r\nContent-type: text/html\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n<html><head><title>Authentication Form</title></head><BODY BGCOLOR=\"#000000\" TEXT=\"#00FF00\"><p><h3 align=left><font face=\"arial,helvetica\">Client Authentication Remote Service</font>| p/Check Point Firewall-1 Client Authentication webserver/
match http m|^HTTP/1\.0 404 Not Found\r\nDate: .*\r\nServer: Check Point SVN foundation\r\n| p/Check Point Firewall-1 SVN foundation service/
match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: HP-UX_Apache-based_Web_Server/(\d[-.\w]+) (.*)\r\n| p/HP-UX httpd/ v/$1/ i/Apache derived; $2/ o/HP-UX/
match http m|^HTTP/1\.1 302 Moved\r\nContent-type: text/html\r\nConnection: close\r\nLocation: /1[012]\d{8}/l\r\n\r\n<H1>Document| p/Novell NetMail ModWeb webmail/
match http m/^GIF89a\xa8\0-\0\xf7\0\0\x03\x03\x03\x83\x83\x83\xc4\xc4\xc4\xfe\x02\x02\xc9\x85c\x85|\xb5\xe2\xe2\xe2\xca\xa2\x8e\xd4RRCCC\xdeb\"\xa5\xa5\xa5\xe7\xc5/ p/Tweak XP web advertisement blocker/
# Management interface for Xerox Phaser printers. 
match http m|^HTTP/1\.1 200 OK\r\nContent-Type: text/html\r\nDate: .*\r\nExpires: .*\r\nLast-Modified: .*\r\nPragma: no-cache\r\nServer: Allegro-Software-RomPager/(\d[-.\w]+)\r\n\r\n<HTML>\n<!--Copyright \(c\) Xerox Corporation | p/Xerox printer webadmin/ i/Embedded Allegro-Software-RomPager $1/ d/printer/
match http m|^HTTP/1\.1 200 OK\r\nContent-Type: text/html\r\nDate: .*\r\nExpires: .*\r\nLast-Modified: .*\r\nPragma: no-cache\r\nServer: Allegro-Software-RomPager/(\d[-.\w]+)\r\n\r\n<html>\n<head>\n<title>\nHome - \nPhaser (\w+)</title>\n|s p/Xerox printer webadmin/ i/Printer $2; Embedded Allegro-Software-RomPager $1/ d/printer/
match http m|^HTTP/1\.0 302 Moved Temporarily\r\nserver: IronPort httpd/(\d[-.\w]+)\r\n| p/IronPort mail appliance admin websever/ v/$1/
match http m|^HTTP/1\.1 200 OK\r\nServer: Virata-EmWeb/R(\d[-.\w]+)\r\nContent-Type: text/html\r\nExpires: .*\r\nCache-Control: no-cache\r\nPragma: no-cache\r\n\r\n\n<html>\n<head><title>(CopperJet [-.+\w ]+)</title>| p/Allied Data CopperJet aDSL modem/ i/Embedded Virata-EmWeb $1; $2/ d/broadband router/
match http m|^HTTP/1\.0 \d\d\d .*\r\nDate: .*\nServer: dhttpd/(\d[-.\w]+)\r\n| p/dhttpd/ v/$1/
match http m|^HTTP/1\.0 401 Unauthorized\r\nServer: Snap Appliance, Inc\./(\d[-.\w]+)\r\n| p/Snap Appliance storage system webadmin/ v/$1/
match http m|^HTTP/1\.0 200 OK\r\nPragma: no-cache\r\nContent-Type: text/html\r\n\r\n<HTML>\n<FRAMESET COLS=\"105,\*\" FRAMEBORDER=NO BORDER=0\nFRAMESPACING=0>\n<FRAME SRC=\"/side\.html\" SCROLLING=NO>\n<FRAME SRC=\"/startupdata\.html\">\n</FRAMESET>\n</HTML>\n$| p/Motorola cable modem webadmin/
match http m|^HTTP/1\.0 200 OK\nDate: .*\nServer: Intel NetportExpressPro/(\d[-.\w]+)\n| p/Intel NetportExpress Pro print server webadmin/ v/$1/ d/print server/
match http m|^HTTP/1\.0 200 Ok\r\nContent-Type: text/html; charset=\"utf-8\"\r\n\r\n<HTTP>\r\n<HEAD>\r\n  <TITLE>MythTV Status</TITLE>| p/MythTV Linux PVR webadmin/ o/Linux/
match http m|^HTTP/1\.0 302 Found\r\nLocation: http://[-.+\w]+:32\d\d\d/\r\n\r\n$| p/Sun Solaris Management Console/ i/Runs Tomcat webserver/ o/Solaris/
# Cyclades PR2000 Router
match http m|^HTTP/1\.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"PR2000 - Login\"\r\nContent-Type: text/html\r\nServer: Allegro-Software-RomPager/ ?([\w.]+)\r\n\r\n.*</H1>This object on the Cyclades PR2000 - RomPager server is protected|s p/Cyclades PR2000 Router/ i/Allegro RomPager $1/ d/router/
# 3Com OfficeConnect 812 Router telnetd
match http m|^HTTP/1\.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"OCR-([-.\w]+)\"\r\nContent-Type: text/html\r\nServer: Allegro-Software-RomPager/(\d[-.\w]+)\r\n| p/3Com OfficeConnect Router webadmin/ i/Embedded Allegro-Software-RomPager $2; OfficeConnect OCR-$1/ d/router/
match http m|^HTTP/1\.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"APC Management Card\"\r\nContent-Type: text/html\r\nServer: Allegro-Software-RomPager/ ?([\w.]+)\r\n\r\n| p/APC Management Web Server/ i/Allegro RomPager $1/ d/power device/
match http m|^HTTP/1\.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"PDU\"\r\nServer: Allegro-Software-RomPager/ ?([\w.]+)\r\n\r\n<HTML>\n<HEAD>\n<TITLE>Protected Object</TITLE>\n</HEAD>\n<BODY BGCOLOR=\"WHITE\">\n<H1>Protected Object</H1>\nThis object on the MasterSwitch Web Server is protected\.| p/APC masterswitch web server/ i/Allegro RomPager $1/ d/power device/
match http m|^HTTP/1\.0 200 OK\r\nPragma: no-cache\r\nContent-Type: text/html\r\n\r\n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4\.0 Transitional//EN\">\n.*<META NAME=Copyright CONTENT=\"Copyright \(c\) 2003 3Com Corporation\. All Rights Reserved\.\">\n.*<META http-equiv=\"3Cnumber\" content=\"([-.\w]+)\">\n|s p/3Com OfficeConnect router webadmin/ i/3Com` $1/ d/router/
match http m|^HTTP/1\.0 200 OK\r\nContent-Type: text/html\r\n.*\r\nServer: Allegro-Software-RomPager/ ?([\w.]+)\r\n\r\n<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML//EN\">\n\n<html>\n\n<head>\n<meta http-equiv=\"Content-Type\" content=\"text/html; iso-8859-1\">\n<title>Summit Management Interface</title>|s p/Summit Management Interface/ i/Allegro RomPager $1/
match http m|^HTTP/1\.1 200 OK\r\nContent-Type: text/html\r\n.*Server: Allegro-Software-RomPager/([\w.]+)\r\n\r\n\n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4\.01 Transitional//EN\">\n<html>\n<head>\n<title>\nSoundBridge&nbsp;- Status</title>|s p/Roku Sound Bridge Web Interface/ i/Allegro RomPager $1/

match http m|^HTTP/1\.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"\r\n\r\n<title>401 Unauthorized</title><body><h1>401 Unauthorized</h1></body>| p/Acer Warplink Firewall Router webadmin/ d/router/
match http m|^HTTP/1\.0 401 Unauthorized\r\nServer: httpd\r\nDate: Fri, 09 Jan 1970 11:48:03 GMT\r\nWWW-Authenticate: Basic realm=\"Sitecom WL-([-.\w]+)\"\r\n| p/Sitecom webadmin/ i/Sitecom WL-$1/ d/WAP/
match http m|^HTTP/1\.0 200 OK\r\nDate: .*\r\n\r\n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4\.0 Transitional//EN\"><html><body bgcolor=\"#C0C0C0\" text=\"#000000\" vlink=\"#800080\" link=\"#0000FF\"><P><h1>TempTrax Digital Thermometer</h1>| p/SensaTronics TempTrax Digital Thermometer/ d/specialized/
match http m|^HTTP/1\.1 401 Unauthorised\r\nServer: Zeus/(\d[-.\w]+)\r\n.*WWW-Authenticate: basic realm=\"Zeus Admin Server\"\r\n|s p/Zeus httpd Admin Server/ v/$SUBST(1,"_",".")/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Zeus/(\d[-.\w]+)\r\n| p/Zeus httpd/ v/$1/
match http m|^HTTP/1\.0 404 File not Found\r\nServer: SPiN ChatSystem/(\d[-.\w]+)\r\n| p/SPiN web chat system/ v/$1/
# Netgear FR114P Firewall Router
match http m|^HTTP/1\.0 401 Unauthorized\r\nServer: IP_SHARER WEB (\d[-.\w]+)\r\nWWW-Authenticate: Basic realm=\"(FR[-.\w+]+)\"\r\n| p/Netgear FR-series firewall router webadmin/ i/Model $2; Embedded webserver: IP_SHARED WEB $1/ d/router/
# Netgear FR314 Firewall Router
match http m|^HTTP/1\.0 200 OK\r\nServer: NETGEAR Firewall\r\n| p/Netgear FR-series firewall router webadmin/ d/router/
# Netgear FVS318 Firewall/Router
match http m|^HTTP/1\.0 200 OK\r\nServer: Netgear\r\nContent-Type: text/html\r\nPragma: no-cache\r\nLast Modified: .*\r\nConnection: close\r\n\r\n<html>\r\t<head>\r\t\t<meta http-equiv=\"content-type\" content=\"text/html;charset=ISO-8859-1\">\r\t\t<title>\r\t\t\tNETGEAR Router \r| p/Netgear router webadmin/ d/router/
# Netgear RP614 firmware version 4.12
match http m|^HTTP/1\.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"(RP\d+)\"\r\nServer: Embedded HTTPD v(\d[-.\w]+), | p/Netgear router webadmin/ i/Netgear $1; Delta Networks Embedded HTTPd $2/ d/broadband router/
# CiscoSecure ACS 3.1 on Windows 2000 Server
# Cisco Secure ACS for Windows 2000
match http m|^HTTP/1\.0 200 OK\r\nContent-Type: text/html\r\nContent-length: .*\r\n\r\n<html>\r\n<head>\r\n<title>CiscoSecure ACS Login</title>| p/Cisco Secure ACS web interface/ o/Windows/
# Pix Device Manager (PDM) version 3.01
match http m|^HTTP/1\.0 401 Unauthorized\r\nDate: .*\r\nContent-Type: text/html\r\nExpires: .*\r\nWWW-Authenticate: Basic realm=\"PIX\"| p/Cisco PIX Device Manager/ d/firewall/

match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: DHost/(\d[-.\w]+) HttpStk/(\d[-.\w]+)\r\n| p/Novell eDirectory DHOST httpd/ v/$1/ i/HttpStk: $2; used by iMonitor/ o/Unix/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: 3ware/(\d[-.\w]+)\r\n| p/3Ware web interface/ v/$1/ i/RAID storage/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: Cherokee/(\d[-.\w]+)\r\n| p/Cherokee httpd/ v/$1/
match http m|^HTTP/1\.0 200 OK\r\nServer: HomeSeer\r\n| p/HomeSeer Home Control Web Interface/
# Multitech MultiVoip 410 VoIP gateway
match http m|^HTTP/1\.1 200 OK\r\nServer: RTXCweb Software (\d[-.\w]+)\r\nDate: .*\r\nContent-type: text/html\r\n\r\n<html>\r\n<head>\r\n<META HTTP-EQUIV=\"PRAGMA\" CONTENT=\"NO-CACHE\">\r\n<META HTTP-EQUIV=\"EXPIRES\" CONTENT=\"-1\">\r\n<script language = \"Javascript\">\r\nvar title_string = \" v \[Firmware - [\w ]+\]| p/Multitech MultiVoip VoIP gateway web interface/ i/Embedded webserver: RTXCweb $1/ d/VoIP adapter/
# NetComm NB1300 ADSL Modem/Router

match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: WindWeb/(\d[-.\w]+)\r\nConnection: close\r\nWWW-Authenticate: Basic realm=\"([-./\w ]+)\"\r\nContent-Type: text/html\r\n\r\n| p/$2 router/ i/runs WindWeb $1/ d/broadband router/
#atch http m|^HTTP/1\.1 \d\d\d .*\r\nServer: WindWeb/(\d[-.\w]+)\r\nConnection: close\r\nWWW-Authenticate: Basic realm=\"([-./\w ]+)\"\r\nContent-Type: text/html\r\n\r\nWeb Server Error Report:<HR>\n<H1>Server Error: 403 Forbidden</H1>\r\n<P><HR><H2>Access denied</H2><P><P><HR><H1>/doc/index\.htm</H1><P>

match http m|^HTTP/1\.0 200 OK\r\nServer: SimpleServer:WWW/(\d[-.\w]+)\r\n| p/AnalogX SimpleServer httpd/ v/$1/ o/Windows/
# Xitami - Try to match PHP first!
match http m|^HTTP/1\.[01] \d\d\d .*\r\nContent-Length: \d+\r\nX-Powered-By: ([-/.\w ]+)\r\nContent-Type: .*\r\nServer: Xitami\r\n| p/Xitami httpd/ i/$1/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Xitami\r\n|s p/Xitami httpd/
match http-admin m|^ERROR: Malformed startup string$| p/Xitami httpd admin port/
match http m|^HTTP/1\.1 500 Server Error\r\nConnection: close\r\nContent-Length: \d+\r\nDate: .*\r\nServer: Radio UserLand/(\d[.\w ]+)-([-.\w ]+)\r\n\r\n| p/Radio Userland blog server/ v/$1/ i/$2/ 
match http m|^HTTP/1\.1 200 OK\r\nDate: .*\r\nServer: CANON HTTP Server Ver(\d[-.\w ]+)\r\n| p/Canon printer web interface/ v/$1/
match http m|^HTTP/1\.1 302 Moved Temporarily\r\nPragma: no-cache\r\nLocation: /servlet/nodeinfo/\r\nExpires: .*\r\nCache-Control: post-check=0, pre-check=0\r\nConnection: close\r\nContent-type: \r\nServer: Fred (\d[-.\w]+) \(build (\d+)\) HTTP Servlets\r\n\r\n| p/Freenet Fred anonymous P2P/ v/$1 build $2/
match http m|^HTTP/1\.0 200 Ok\r\nServer: diva_httpd\r\n| p/Eicon Diva ISDN card configuration server/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: Resin/(\d[-.\w]+)\r\n| p/Caucho Resin JSP engine/ v/$1/
match http m|^HTTP/1\.0 \d\d\d .*\r\nMIME-Version: 1\.0\r\nServer: linuxconf/(\d[-.\w]+)\r\n| p/Linuxconf web configuration server/ v/$1/ o/Linux/
match http m|^HTTP/1\.0 \d\d\d .*\r\nDate: .*\r\nServer: TinyWeb/(\d[-.\w]+)\r\n| p/Tinyweb httpd/ v/$1/ i/on Windows/
match http m|^HTTP/1\.0 \d\d\d .*\r\nDate: .*\r\nServer: WebSitePro/(\d[-.\w]+)\r\n| p/O'Reilly WebSite Pro/ v/$1/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: Lucent Security Management Admin Server \r\n| p/Lucent Security Management Admin Server/ i/Lucent VPN Firewall/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: thttpd/(\d[-.\w]+) (\w+)\r\n| p/thttpd/ v/$1 $2/
match http m|^HTTP/1\.1 .*\r\nDate: .*\r\nServer: FirstClass/(\d[-.\w]+)\r\n| p/FirstClass webserver/ v/$1/
match http m|^HTTP/1\.1 400 Bad request\r\nServer: Citrix Web PN Server\r\n| p/Citrix Metafrme ICA Browser/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: HP-ChaiServer/(\d[-.\w]+)\r\nContent-length: 0\r\n\r\n|s p/HP JetDirect printer webadmin/ i/HP-ChaiServer $1/ d/printer/
# mldonkey-2.5-3 http port on Linux 2.4.21
match http m|^HTTP/1\.0 200 OK\r\nServer: MLdonkey\r\n.*\r\n\r\n<html>\n<head>\n\n<title>MLdonkey: Web Interface</title>\n|s p/MLdonkey multi-network P2P web interface/
# Docupoint Discovery 3.0(Apache) on Windows 2000 Professional
match http m|^<html>\r<head><title>Docupoint Discovery</title>\r<META HTTP-EQUIV=\"Content-Type\" CONTENT=\"text/html; CHARSET=UTF-8\">\r| p/Docupoint Discovery search engine/
match http m|^HTTP/1\.0 200 OK\r\n.*\r\n\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1\.1//EN\" \"http://www\.w3\.org/TR/xhtml11/DTD/xhtml11\.dtd\">\n<html><head><title>BitTorrent download info</title></head>\n<body>\n<h3>BitTorrent download info</h3>\n<ul>\n<li><strong>tracker version:</strong> (\d[-.\w]+)</li>|s p/BitTorrent P2P tracker/ v/$1/ i/bttrack.py/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: eMule\r\n.*<title>eMule (\d[-.\w]+) |s p/eMule P2P/ v/$1/
# Network Associates EPO 3.0
match http m|^HTTP/1\.0 200 OK\r\nServer: Agent-ListenServer-HttpSvr/1\.0\r\n.*<ComputerName>([-.\w]+)</ComputerName>|s p/Network Associates ePolicy Orchestrator/ i/Computername: $1/
match http m|^HTTP/1\.0 403 Forbidden\r\nServer: Agent-ListenServer-HttpSvr/1\.0\r\n| p/Network Associates ePolicy Orchestrator/

match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Debut/(\d[-.\w]+)\r\n| p|Brother printer webadmin| i|Embedded server: Debut $1| d|printer|
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: kpf\r\n| p/KDE Public Fileserver/
match http m|^HTTP/1\.1 200 OK\r\nServer: Netscape-FastTrack/(\d[-.\w]+)\r\n| p/Sun Iplanet webserver/ v/$1/
match http m|^HTTP/1\.0 200 OK\r\nDate: .*\r\nServer: dwhttpd/(\d[-.\w]+) \(([^\r\n\)]+)\)\r\nContent-type: text/html\r\n\r\n  \n  \t<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3\.2//EN\">\n  <HTML>\n    <HEAD>\n      \n      <TITLE>AnswerBook2: Personal Library</TITLE>\n| p/Sun AnswerBook2 webserver/ v/$1/ i/$2/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: enCoreXpress/(\d[-.\w]+)\r\n|s p|enCoreXpress MOO| i|http://lingua.utdallas.edu/encore|
# Lispweb 2.0 Allegro Common Lisp.
match http m|^HTTP/1\.0 \d\d\d .*\nMime-Version: .*\nServer: LispWeb (\d[-.\w]+) \(acl\)\n| p/Lispweb httpd/ v/$1/
# World Client for MDaemon (www.altn.com) on Windows 2000
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: WDaemon/(\d[-.\w]+)\r\n| p/Alt-N MDaemon World Client webmail/ v/$1/
# pop3proxy web interface from spambayes 1.0a5 on Linux
match http m|^HTTP/1\.1 \d\d\d .*\r\nConnection: close\r\nContent-Type: text/html\r\nDate: .*\r\n\r\n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4\.01 Transitional//EN\">\r\n<html>\r\n<head>\r\n<title id=\"title\">Home</title>\r\n<meta content=\"no-cache\" http-equiv=\"Pragma\"/>\r\n<meta content=\"no-cache\" http-equiv=\"Cache\"/>\r\n| p/Spambayes pop3proxy web interface/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Zope/\((?:Zope )?([\d\w][^\,\)]+),?\s*([^\)]+)\)\S*\s+([^\r]+)\r\n|s p/Zope/ v/$1/ i/$2; $3/
# Oracle XML Database - SuSe Linux 8.1 Personal, Linux 2.4.19, Oracle9i Database
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Oracle XML DB/(Oracle[\w]+ Enterprise Edition Release) (\d[-.\w]+) |s p/Oracle XML DB webserver/ v/$2/ i/$1/
match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: Oracle9iAS \((\d[-.\w]+)\) Containers for J2EE\r\n| p/Oracle 9iAS J2EE webserver/ v/$1/
match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nAllow: .*\r\nServer: Oracle9iAS-Web-Cache/(\d[-.\w]+)\r\n| p/Oracle 9iAS Web Cache/ v/$1/
# ntop - lots of submissions
match ntop-http m|^HTTP/1\.0 \d\d\d .*\nServer: ntop/(\d[-.\w]+) [^\r\n]*\([\w\d-]*linux[\w\d-]*\)\r?\n|s p/Ntop web interface/ v/$1/ o/Linux/
match ntop-http m|^HTTP/1\.0 \d\d\d .*\nServer: ntop/(\d[-.\w]+) \([\w\d-.]*freebsd[\w\d-.]*\)\r?\n|s p/Ntop web interface/ v/$1/ o/FreeBSD/
match ntop-http m|^HTTP/1\.0 \d\d\d .*\nServer: ntop/(\d[-.\w]+) \(([-.\w]+)\)\n|s p/Ntop web interface/ v/$1/ i/$2/
match ntop-http m|^HTTP/1\.0 \d\d\d .*\nServer: ntop/(\d[-.\w]+) \([^\)\r]+\)\r\n|s p/Ntop web interface/ v/$1/
match ntop-http m|^HTTP/1\.0 \d\d\d .*\r\n.*Server: ntop/([\d.]+)|s p/Ntop web interface/ v/$1/
match ntop-http m|^HTTP/1\.0 401 Unauthorized to access the document\nWWW-Authenticate: Basic realm=\"ntop HTTP server\"\n| p/Ntop web interface/

match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Apt-proxy (\d[-.\w]+)\r\n|s p/Debian Apt-proxy/ v/$1/
match http m|^HTTP/1\.0 404 NON-EXISTENT BACKEND\r\n\r\n$| p/Debian Apt-proxy/ i/Broken: no backend/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: mini_httpd/(\d[-.\w]+) | p/Mini_httpd/ v/$1/
# HP ProCurve Switch 2650 / Firmware revision H.07.32
match http m|^HTTP/1\.1 401 Unauthorized\r\nServer: eHTTP v(\d[-.\w]+)\r\nConnection: close\r\nWWW-Authenticate: Basic realm=\"HP ([-.\w]+)\"\r\n\r\n| p/HP webadmin/ i/HP $2; embedded eHTTP $1/
match http m|^HTTP/1\.0 200 OK\r\nServer: eHTTP v(\d[-.\w]+)\r\nConnection: close\r\nContent-Type: text/html\r\nContent-Length: \d+\r\n\r\n<html> \n<head>\n    <title> \n    HP ProCurve Switch (\d[-.\w]+) \n| p/HP ProCurve Switch webadmin/ i/ProCurve $2; embedded eHTTP $1/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Sun-ONE-Application-Server/(\d[-.\w]+)\r\n| p/SunONE Application Server/ v/$1/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: SunONE WebServer (\d[-.\w]+)\r\n| p/SunONE WebServer/ v/$1/
match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: IBM_HTTP_Server/(\d[-.\w]+) +(Apache/)?(\d[-.\w]+) \(([^\r\n]+)\)\r\n|i p/IBM HTTP Server/ v/$1/ i/Derived from Apache $3; $4/
match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: IBM_HTTP_Server/(\d[-.\w]+) +(Apache/)?(\d[-.\w]+)\r\n|i p/IBM HTTP Server/ v/$1/ i/Derived from Apache $3/
# D-Link DWL-1000AP webadmin
match http m|^HTTP/1\.0 200 OK\r\nServer: PSIWBL/(\d[-.\w]+)\r\nDate: .*Title: www\r\n\r\n<HTML>\n <HEAD>\n   <meta http-equiv=\"Refresh\" content=\"0; url=/startup/startup\.shtml\">\n </HEAD>\n <BODY>\n </BODY>\n</HTML>$|s p/D-Link web admin server/ i/Embedded webserver: PSIWBL $1/
# D-Link DWL-900AP+ WAP
match http m|^HTTP/1\.0 401 Unauthorized\r\nServer: Embedded HTTP Server (\d[-.\w]+) *\r\nWWW-Authenticate: Basic realm=\"DWL-([-+.\w]+)\"\r\n| p/D-Link web admin server/ i/Embedded HTTP Server $1; D-Link DWL-$2/
# D-Link DWL-1000AP Wireless Access Point
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: PSIWBL/(\d[-.\w]+)\r\nDate: .*\r\nWWW-Authenticate: Basic realm=\"Enter Password \(Leave User Name Empty\)\"\r\n| p/D-Link web admin server/ i/Embedded webserver: PSIWBL $1/
match http m|^HTTP/1\.0 \d\d\d .*\r\nDate: .*\r\nServer: WhatsUp_Gold/(\d[-.\w]+)\r\n| p/IPswitch Whats Up Gold/ v/$1/
match http m|^HTTP/1\.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"(MR[-.\w]+)\"\r\nContent-Type: text/html\r\nServer: ZyXEL-RomPager/(\d[-.\w]+)\r\n\r\n| p|NetGear webadmin| i|NetGear $1 WAP/Router; Embedded webserver: ZyXEL-RomPager $2| d|WAP|
match http m|^HTTP/1\.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"(R[PT][-.\w]+)\"\r\nContent-Type: text/html\r\nServer: ZyXEL-RomPager/(\d[-.\w]+)\r\n\r\n| p|NetGear webadmin| i|NetGear $1 router; Embedded webserver: ZyXEL-RomPager $2| d|router|
# Netgear MR814 wireless router remote administration, Firmware 4.13 Aug 20 2003
match http m|^HTTP/1\.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"(MR[-.+\w]+)\"\r\nServer: Embedded HTTPD v(\d[-.\w]+), (.*)\r\n| p/NetGear MR-series WAP/ i/$1; Embedded HTTPD $2, $3/ d/WAP/
match http m|^HTTP/1\.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"Prestige ([-.\w ]+)\"\r\nContent-Type: text/html\r\nServer: ZyXEL-RomPager/(\d[-.\w ]+)\r\n\r\n| p|ZyXEL Prestige webadmin| v|$2| i|Prestige model $1|
match http m|^HTTP/1\.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"Prestige ([-.\w ]+)\"\r\nContent-Type: text/html\r\nServer: RomPager/(\d[-.\w ]+) ([-./\w]+)\r\n\r\n| p|ZyXEL Prestige webadmin| v|$2| i|Prestige model $1; $3|
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: Roxen/(\d[-.\w]+)\r\n|s p/Roxen webserver/ v/$1/
# A-link (Avaks) Hasbani Web Server on RoadRunner 44b ADSL Router
match http m|^HTTP/1\.1 403 Forbidden\r\nServer: WindWeb/(\d[-.\w]+)\r\nConnection: close\r\nWWW-Authenticate: Basic realm=\"Home Gateway\"\r\nContent-Type: text/html\r\n\r\nHasbani Web Server| p/A-link Hasbani webadmin/ i/Runs WindWeb $1 embedded httpd; Often a DSL router/ d/broadband router/
# Sambar Server V5.3 on Windows NT
match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: SAMBAR\r\n| p/Sambar webserver/
match http m|^HTTP/1\.1 .*\r\nDate: .*\r\nServer: aEGiS_nanoweb/(\d[-.\w]+) \(([^\)]+)\)\r\n| p/AEGiS Nanoweb httpd/ v/$1/ i/$2/
match http m|^HTTP/1\.1 404 Not Found\r\nDate: .*\r\nServer: Unknown/0\.0 UPnP/1\.0 Virata-EmWeb/([-.\w]+)\r\n| p/ReplayTV web interface/ i/runs Virata-EmWeb $1/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: WebLogic WebLogic Server (\d[-.\w]+( SP\d+)?) +\w\w\w|s p/WebLogic applications server/ v/$1/
# Samba 3.0.0rc4-Debian
match http m|^HTTP/1\.0 401 Authorization Required\r\nWWW-Authenticate: Basic realm=\"SWAT\"\r\n| p/Samba SWAT administration server/
match http m|^HTTP/1\.0 200 OK\r\nConnection: close\r\nDate: .*\r\nExpires: .*\r\nContent-type: text/html\r\n\r\n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3\.2//EN\">\n<HTML>\n<HEAD>\n<TITLE>Samba Web Administration Tool</TITLE>| p/Samba SWAT administration server/
match http m|^HTTP/1\.0 403 Forbidden\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n<HTML><HEAD><TITLE>403 Forbidden</TITLE></HEAD><BODY><H1>403 Forbidden</H1>Samba is configured to deny access from this client\n<br>Check your \"hosts allow\" and \"hosts deny\" options in smb\.conf <p></BODY></HTML>\r\n\r\n$| p/Samba SWAT administration server/ i/Access denied/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: icecast/(\d[-.\w]+)\r\n| p/Icecast streaming media server/ v/$1/
match http m|^HTTP/1\.0 200 OK\r\nServer: HP-Web-Server-(\d[-.\w]+)\r\n.*<!-- framework\.ini ([A-Z]:\\[-.\w \\]+)-->|s p/HP Web Jetwebadmin/ v/$1/ i/framework.ini: $2/
match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: HP Web Jetadmin/(\d[-.\w]+) (.*)\r\n| p/HP Web Jetadmin print server/ v/$1/ i/$2/ d/print server/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: HP-Web-JetAdmin-(\d[-.\w]+)\r\n| p/HP Web Jetadmin print server/ v/$1/ d/print server/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: Tomcat Web Server/(\d[-.\w ]+) \( ([^)]+) \)\r\n|s p/Apache Tomcat webserver/ v/$1/ i/$2/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: Tomcat Web Server/(\d[-.\w ]+)\r\n\r\n|s p/Apache Tomcat webserver/ v/$1/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServlet-Engine: Tomcat Web Server/(\d[-.\w]+) \(([^\)]+)\)\r\n|s p/Apache Tomcat webserver/ v/$1/ i/$2/
match 3dm-http m|^HTTP/1\.0 200 OK\r\nServer: 3ware/(\d[-.\w]+)\r\n.*<title>3ware 3DM - No remote access</title>|s p/3Ware 3DM Raid Daemon/ v/$1/ i/Access denied/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: publicfile| p/publicfile httpd/
match http m|^HTTP/1\.[01].*Server: Apache/(\d+\.\d+\.[-.\w]+) ([^\r\n]+)|s p/Apache httpd/ v/$1/ i/$2/
match http m|^HTTP/1\.[01].*Server: Apache/([\d\.-\w]+)\s*\r?\n|s p/Apache httpd/ v/$1/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Apache/(\d[-.\w]+)\r\n.*X-Powered-By: ([^\r\n]+)\r\n|s p/Apache httpd/ v/$1/ i/$2/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Apache/(\d[-.\w]+)\r\n|s p/Apache httpd/ v/$1/
# apache 1.3.26-0woody3 or Apache 2.0.45
match http m|^HTTP/1\.[01] \d\d\d.*\r\nDate: .*\r\nServer: Apache\r\n| p/Apache httpd/
match http m|^HTTP/1\.[01] \d\d\d.*\r\nDate: .*\r\nServer: Apache +\(([^\r\n\)]+)\)\r\n| p/Apache httpd/ i/$1/
match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: IBM_HTTP_Server/(\d[-.\w]+) (Apache/.*)\r\n| p/IBM HTTP Server/ v/$1/ i/Based on $2/
match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: Apache-AdvancedExtranetServer/(\d[-.\w]+) \(Mandrake Linux/[-.\w]+\) (.*)\r\n| p/Apache Advanced Extranet Server httpd/ v/$1/ o/Mandrake Linux/ i/$2/
match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: Apache-AdvancedExtranetServer/(\d[-.\w]+) \(Mandrake Linux/[-.\w]+\)\r\n| p/Apache Advanced Extranet Server httpd/ v/$1/ o/Mandrake Linux/
match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: Apache-AdvancedExtranetServer/(\d[-.\w]+) \(Linux-Mandrake/[-.\w]+\)\r\n| p/Apache Advanced Extranet Server httpd/ v/$1/ o/Mandrake Linux/
match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: Apache-AdvancedExtranetServer/(\d[-.\w]+)\r\n| p/Apache Advanced Extranet Server httpd/ v/$1/ o/Mandrake Linux/
match http m|^HTTP/1.[10] \d\d\d.*\r\nDate:.*\r\nServer: Stronghold/([-.\w]+) Apache/([-.\w]+)| p/Apache Stronghold httpd/ v/$1/ i/based on Apache $2/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Apache Tomcat/(\d[-.\w]+)|s p/Apache Tomcat/ v/$1/
match http m|^HTTP/1\.1 \d\d\d.*\r\nServer: Apache[- ]Coyote/(\d[-\d.]+)\r\n|s p|Apache Tomcat/Coyote JSP engine| v|$1|
match http m|^HTTP/1\.1.*\r\nServer: Netscape-Enterprise/([-.\w]+)\r\n| p/Netscape Enterprise httpd/ v/$1/
# Citrix NFuse 2.0 on MS IIS 5.0
match http m|^HTTP/1\.[01].*\r\nServer: Microsoft-IIS/([-.\w]+)\r\n.*\r\nContent-Location: http://[^/]+/nfuse.htm\r\n.*\r\n---- NFuse ([-.\w]+) \(Build |s p/Citrix NFuse/ v/$2/ i/Microsoft IIS $1/ o/Windows/
match http m|^HTTP/1\.[01].*\r\nServer: Microsoft-IIS/([-.\w]+)\r\n|s p/Microsoft IIS webserver/ v/$1/ o/Windows/
match http m|^HTTP/1\.0 200 OK\r\nDate: .+\r\nServer: Tomcat/([-.\w]+)\r\nContent-Type: text/html\r\nContent-Length: \d+\r\nServlet-Engine: Tomcat/[-.\w]+ \(Java ([-.\w]+); SunOS ([-.\w]+) (\w+); java\.vendor=Sun Microsystems Inc\.\)\r\n| p/Solaris management console server/ i/Java $2; Tomcat $1/ o/SunOS $3 $4/
match http m|^HTTP/1\.1 200 OK\r\n.+Server: CommuniGatePro/([-.\w]+)\r\n|s p/CommuniGate Pro httpd/ v/$1/
match http m|^HTTP/1\.0 \d\d\d .*\r\nDate: .*\r\nServer: DSS ([-.\w]+) Admin Server/([-.\w]+)| p/DarwinStreamingServer/ v/$1/ i/Admin Server $2/
match http m|^HTTP/1\.0 \d\d\d .*\r\nDate: .*\r\nServer: QTSS (\d[-.\w]+) Admin Server/(\d[-.\w]+)\r\n| p/Apple QTSS Admin Server/ v/$2/ i/from QTSS $2/
match http m|^HTTP/1\.0 200 OK\r\nServer: fnord/(\d[-.\w]+)\r\n| p/Fnord httpd/ v/$1/
match http m|^HTTP/1\.0 404 Not Found\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n<title>Not Found</title>This host is not served here\.$| p/Fnord httpd/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: MiniServ/0.01\r\n|s p/Webmin httpd/
match http m|^HTTP/1.1 200 OK\r\nServer: NetWare-Enterprise-Web-Server/([-.\w]+)\r\n| p/Novell Netware enterprise web server/ v/$1/ o/NetWare/
match http m|^HTTP/1.1 302 Object Moved Temporarily\r\nServer: NetWare HTTP Stack\r\n| p/Novell Netware HTTP Stack/ i/HTTPSTK.NLM/ o/NetWare/
match http m|^HTTP/1.1 \d\d\d [\w ]+\r\nServer: NetWare HTTP Stack\r\n| p/Novell Netware HTTP Stack/ i/HTTPSTK.NLM/

match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: HTTPd-WASD/([-.\w]+) OpenVMS/VAX\r\n| p|HTTPd-WASD| v|$1| i|on OpenVMS/VAX)|

match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Lotus-Domino/Release-(\d[-.\w]+)\r\n| p/Lotus Domino httpd/ v/$1/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Lotus-Domino/(\d[-.\w]+)\r\n| p/Lotus Domino httpd/ v/$1/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Lotus-Domino(/0)?\r\n| p/Lotus Domino httpd/
# G-Net BB0060 ADSL Modem (I'm not sure this is GlobespanVirata, but that is
# what the telnetd on this device said).
match http m|^HTTP/1.1 302 Document Follows\r\nLocation: /hag/pages/home.ssi\r\n\r\n$| p/GlobespanVirata httpd/ i/on broadband router/
match http m|^HTTP/1.0 200 OK\r\nServer:HTTP/1.0\r\n.*<title>Hewlett Packard</title>|s p/HP Jetdirect httpd/
match http m|^HTTP/1\.0 401 Unauthorized\r\nServer: EHTTP/([.\d]+)\r\nWWW-Authenticate: Basic realm=\"HP ([-.\w]+)\"\r\n| p/HP printer EHTTP admin server/ v/$1/ i/HP $2 printer/ d/printer/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Virata-EmWeb/([-.\w]+)\r\n.*\r\n\r\n\n<!--\nFile name: index\.html\n\nThis is the 'parent' file that calls the individual child frames\. \nThis is the file that is first accessed when the user types http://<ipaddress> \nin the browser toolbar\. \n\nThe UI Architecture consists of a total of 4 frames\. This file calls 3 high-level |s p/HP LaserJet printer webadmin/ i/Virata-EmWeb embedded server $1/ d/printer/
match http m|^HTTP/1\.0 \d{3} .*\r\nServer: CompaqHTTPServer/([.\w\d]+)\r\n|s p/Compaq Insight Manager HTTP server/ v/$1/
match http m|^HTTP/1\.1 401 Authorization Required\r\nWWW-Authenticate: Basic realm="Linksys ([-.A-Z\d/ ]+)"\r\n| p/Linksys router web admin server/ i/device model $1/ d/router/
match http m|^HTTP/1\.0 401 Unauthorized\r\nServer: httpd\r\nDate: .*\r\nWWW-Authenticate: Basic realm=\"Cisco 32R54G\"\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n| p/Linksys wireless-G router/ v/WRT54G/ d/router/

match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Insight Manager (\d)\r\n\r\n|s p/Compaq Insight Manager/ v/$1/
match http m|^HTTP/1\.1 200 OK\r\nContent-Length: \d+\r\nConnection: close\r\nPragma: no-cache\r\nCache-Control: no-cache, no-store, must-revalidate\r\nExpires: 0\r\nContent-Type: text/html\r\n\r\n| p/GNU Httptunnel/
# Blue Coat Port 80 Security Appliance Model: Blue Coat SG400 Software Version: SGOS 2.1.6044 Software Release id: 19480 Service Pack 4
match http m|^HTTP/1\.0 301 Moved Permanently\r\nLocation: /Secure/Local/console/index\.htm\r\n\r\n$| p/Blue Coat Security Appliance HTTP admin interface/
match http m|^HTTP/1\.0 400 Bad Request\r\nServer: AkamaiGHost\r\n| p|AkamaiGHost| i|Akamai's HTTP Acceleration/Mirror service|
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: Netscape-Enterprise/([-.\w]+)\r\n| p/Netscape Enterprise webserver/ v/$1/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Netscape-Enterprise/([-. \w]+)\r\n| p/Netscape Enterprise webserver/ v/$1/
match http m|^HTTP/1\.0 \d\d\d .*\nDate: .*\nServer: NCSA/(1\.\d)\n| p/NCSA httpd/ v/$1/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: Netscape-FastTrack/(\d[-.\w]+)\r\n| p/Netscape FastTrack web server/ v/$1/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: (Oracle[-.\w/]+) Oracle HTTP Server ([-.\w]+)|s p/Oracle HTTP Server/ v/$1/ i/$2/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Oracle HTTP Server Powered by Apache\r\n|s p/Oracle HTTP Server Powered by Apache/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Oracle HTTP Server Powered by Apache/([-.\w]+)\r\n|s p/Oracle HTTP Server Powered by Apache/ v/$1/
match http m|^HTTP/1\.0 401 Unauthorized\r\nServer: Embedded HTTP Server (\d[.\d]+)\r\nWWW-Authenticate: Basic realm=\"([-+.\w]+)\"\r\nConnection:| p/D-Link Embedded HTTP Server/ v/$1/ i/on D-Link $2/
match http m|^HTTP/1\.0 200 OK\r\nContent-Type: text/html\r\n.*Pragma: no-cache\r\nServer: Allegro-Software-RomPager/ ?([\w.]+)\r\n\r\n<HTML><head>\n<META HTTP-EQUIV=\"Content-Type\" CONTENT=\"text/html; charset=iso-8859-1\">\n<TITLE></TITLE></HEAD><frameset framespacing=\"0\" BORDER=\"false\" frameborder=\"0\" rows=\"90,\*\">\n  <frame NAME=\"fLogo\" scrolling=\"no\" noresize src=\"/html/Hlogo\.html\"|s p/D-Link DSL-300g or g+/ i/Allegro RomPager $1/ d/broadband router/
match http m|^HTTP/1\.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"IntelEmbeddedWeb@Express460T\"\r\nContent-Type: text/html\r\nServer: Allegro-Software-RomPager/([\w.]+)\r\n| p/Intel 460T Standalone Switch/ i/Allegro RomPager $1/
# Some D-Link Switches
match http m|^HTTP/1\.0 200 OK\r\nContent-Type: text/html\r\n.*Server: Allegro-Software-RomPager/ ?([\w.]+)\r\n\r\n.*DES-(\d+) Web Management|s p/D-Link DES-$2 Switch/ i/Allegro RomPager $1/
match http m|^HTTP/1\.0 200 OK\r\nContent-Type: text/html\r\n.*Server: Allegro-Software-RomPager/ ?([\w.]+)\r\n\r\n.*<TITLE>.*?(DES-\d+).*?</TITLE>|s p/D-Link $2 Switch/ i/Allegro RomPager $1/

# iCal 3.6
match http m|^HTTP/1\.1 200 OK\r\nDate: .*\r\nMIME-Version: 1\.0\r\nServer: Wapapi/1\.1\r\nContent-Type: text/html\r\nContent-Length: \d+\r\n\r\n<html>\r\n<head><title>iCal Tutorial:  Introduction</title></head>| p/Brown Bear iCal web calendar/

match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: (Virata-EmWeb/R6_0_1)\r\nWWW-Authenticate: Basic realm=\"Administration Tools\"\r\n\r\n401 Unauthorized\r\n$| p/Netscreen administrative web server/ i/runs $1/ d/firewall/
match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: (Virata-EmWeb/R6_0_1)\r\nContent-Type: text/html\r\nCache-Control: no-cache\r\nPragma: no-cache\r\n\r\n.*<link rel=\"SHORTCUT ICON\" href=\"/favicon\.ico\">\n\n<title>Login</title>|s p/Netscreen administrative web server/ i/runs $1/ d/firewall/
match http m|^HTTP/1\.1 200 OK\r\nDate: .*\r\nServer: (Web/R[\d_]+)\r\n.*Content-Type: text/html\r\n.*\r\n\r\n<html>\n<head>\n\n<script language=\"javascript\">\n|s p/Netscreen administrative web server/ i/runs $1/ d/firewall/

# Phaser860 Printer
match http m|^HTTP/1\.1 404 Not Found\r\nDate: .*\r\nAllow: GET, HEAD\r\nServer: Spyglass_MicroServer/(\d[-.\w]+)\r\nContent-Type: text/html\r\nContent-Length: \d+\r\n\r\n<HTML><HEAD><TITLE>Not Found</TITLE></HEAD>\r\n<BODY>The requested URL was not found\.</BODY></HTML>\r\n| p/Spyglass MicroServer embedded webserver/ v/$1/ d/printer/
# Cisco Catalyst 3500-XL switch IOS 12.0(5)XU
match http m|^HTTP/1\.0 401 Unauthorized\r\nDate: .*\r\nContent-type: text/html\r\nExpires: .*\r\nWWW-Authenticate: Basic realm=\"level 15 access\"\r\n\r\n<HEAD><TITLE>Authorization Required</TITLE></HEAD><BODY><H1>Authorization Required</H1>Browser not authentication-capable or authentication failed\.</BODY>\r\n\r\n$| p/Cisco IOS administrative webserver/ d/switch/ o/IOS/
# Cisco 828 G.SHDSL
match http m|^HTTP/1\.0 200 OK\r\nDate: .*\r\nServer: cisco-IOS/(\d[-.\w ]+) HTTP-server/(\d[-().\w ]+)\r\n| p/Cisco IOS administrative webserver/ v/$2/ o/IOS $1/
# Xerox Document Centre (DocuCentre) 425
match http m|^HTTP/1\.1 200 OK\r\nContent-Length: \d+\r\nContent-Type: text/html\r\nDate: .*\r\nAllow: GET, HEAD\r\nServer: Xerox_MicroServer/([-.\w]+)\r\nExpires: .*\r\nCache-Control: no-cache\r\n\r\n<HTML>\n<HEAD>\n<TITLE>([-.+ \w]+)</TITLE>| p/Xerox MicroServer httpd/ v/$1/ i/on $2/
match http m|^HTTP/1\.1 200 OK\r\nContent-Length: \d+\r\nContent-Type: text/html\r\nDate: .*\r\nAllow: GET, HEAD\r\nServer: Xerox_MicroServer/([-.\w]+)\r\n| p|Xerox MicroServer httpd| v|$1| i|usually a printer/copier|
match http m|^HTTP/1\.1 200 OK\r\nContent-Type: text/html\r\nDate: .*\r\nAllow: GET, HEAD\r\nServer: Spyglass_MicroServer/(\d[-.\w]+)\r\nLast-Modified: .*\r\nExpires: .*\r\nPragma: no-cache\r\n\r\n\n<html> \n<head>\n   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\">\n   <meta name=\"keywords\" content=\"printer; embedded web server; int| p/Spyglass MicroServer/ v/$1/ i/embedded in printer/ d/printer/
match http m|^HTTP/1\.0 500 Internal Server Error\r\nServer: Cougar (\d[-.\w]+)\r\n\r\n$| p/Microsoft Windows Media Server/ v/$1/ o/Windows/
match http m|^HTTP/1\.0 200 OK\r\nContent-Type: video/x-ms-asf\r\nCache-Control: max-age=0, no-cache\r\nServer: Cougar/(\d[-.\w]+)\r\n| p/Microsoft Windows Media Server/ v/$1/ o/Windows/
match http m|^HTTP/1\.[01] \d\d\d .*Server: NetApp/(\d[-.\w]+)\r\n|s p/NetApp filer httpd/ v/$1/
match http m|^HTTP/1\.0 200 OK\r\nServer: RapidLogic/(\d[.\d]+)\r\nMIME-version: 1\.0\r\nContent-type: text/html\r\n\r\n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4\.0 Frameset//EN\"\r\n\t\t\t\"http://www\.w3\.org/TR/REC-html40/frameset\.dtd\">\r\n<HTML>\r\n<HEAD>\r\n\t<TITLE>Netopia Router Web </TITLE>| p/Netopia RapidLogic admin server/ v/$1/ d/router/
match http m|^HTTP/1\.1 200 OK\r\nServer: WebSTAR/(\d[-.()\w]+) ID/| p/WebSTAR httpd/ v/$1/
match http m|^HTTP/1\.1 401 Unauthorized\r\nServer: Agranat-EmWeb/R5_2_6\r\nWWW-Authenticate: Basic realm=\"accessPoint\"\r\n\r\n401 Unauthorized\r\n$| p/Orinoco AP-200 webadmin/ i/Embedded Agrant-EmWeb R5_2_6/
match http m|^HTTP/1\.0 404 NO_STREAM_FOUND\r\nConnection: close\r\n\r\n$| p/Chain Cast P2P streaming service/
match http m|^HTTP/1\.0 400 Bad Request\r\nServer: Rex/(9\.0\.0\.\d+)\r\n| p|Chain Cast support service| v|Rex/$1|
match http m|^HTTP/1\.0 \d\d\d .*\r\nDate: .*\r\nServer: Boa/(\d[-.\w]+)\r\n| p/Boa HTTPd/ v/$1/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: (\d[-.\w]+)\r\n.*<title>GNUMP3d |s p/GNUMP3d streaming server/ v/$1/
match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: Jetty/(\d[-.\w]+) \(([^)]+)\)\r\n| p/Jetty httpd/ v/$1/ i/$2/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: WebSphere Application Server/(.+)\r\n| p/IBM WebSphere Application Server/ v/$1/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: JRun Web Server\r\n| p/JRun Web Server/

match http m|^401 Access denied\r\nWWW-Authenticate: Negotiate \r\nContent-length: 0\r\n\r\n| p/Microsoft IIS 5.0 WebDAV/ i/access denied/ o/Windows/

match http m|^HTTP/1\.1 200 OK\r\nContent-Type: text/html\r\n.*Server: RomPager/([\w.]+) UPnP/([\w.]+)\r\n\r\n\n<html><head>.*<title>ZyXEL Prestige Router</title>|s p/ZyXEL Prestige Router/ i/Allegro RomPager $1; UPnP $2/ d/router/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: RomPager/([-.\w/ ]+)\r\n|s p/Embedded Allegro RomPager webserver/ v/$1/ i/ZyXEL ZyWALL 2/

match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: IDSL MailGate (\d[-.\w]+)\r\n| p/MailGate web proxy/ v/$1/
match http m|^HTTP/1\.0 \d\d\d .*<TITLE>The AXIS 200 Home|s p/AXIS 200/ d/webcam/

match http m|^HTTP/1\.[01] 200 OK\nServer: Anti-Web V([\d.]+) \(([\w .-]+)\)\n| p/Anti-Web httpd/ v/$1/ i/Quote: $2/
match http m|^HTTP/1\.0 200 OK\r\nServer: ArGoSoft Mail Server Pro for WinNT/2000/XP, Version [\d.]+ \(([\d.]+)\)\r\n| p/ArGoSoft Mail Server Pro httpd/ v/$1/ o/Windows/
match http m|^HTTP/1\.0 400 Bad Request\r\nConnection: Close\r\n\r\n<HTML><HEAD>\n<TITLE>ERROR: The requested URL could not be retrieved</TITLE>\n</HEAD><BODY>\n<H2>The requested URL could not be retrieved</H2>\n<HR>\n<P>\nWhile trying to retrieve the URL:\n| p/WebSense http filter/
# Lantronix ThinWeb Manager
match http m|^HTTP/1\.0 200 OK\r\nServer: Gordian Embedded([\d.]+)\r\nContent-type: text/html\r\n.*\r\n\r\n\n<HTML>\n<HEAD>\n<TITLE>Lantronix ThinWeb Manager ([\d.]+): Home</TITLE>\n|s p/Lantronix ThinWeb Manager/ v/$2/ i/Gordian Embedded $1/

match http m|^HTTP/1\.1 302 Found\r\nDate: .*\r\nLocation: /iw/webdesk/login/\r\nX-Cache: MISS from .*\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n| p/Interwoven TeamSite/
match http m|^HTTP/1\.1 200 OK\r\nDate: .*\r\nServer: OpenSA/([\d.]+) / Apache/([\d.]+) \((\w*)\) mod_ssl/([\d.]+) OpenSSL/([\d.]+)\r\n.*<LINK REL=\"SHORTCUT ICON\" HREF=\"http://([\w.-_]+)/iss\.ico\">\r\n<TITLE> System Scanner Vista Welcome Page </TITLE>\r\n|s p/ISS System Scanner Vista/ i|OpenSA/$1 Apache/$2 mod_ssl/$4 OpenSSL/$5| o/$3/ h/$6/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: BaseHTTP/([\d.]+) Python/([\d.]+) edna/([\d.]+)\r\n| p/Edna Streaming MP3 Server/ v/$3/ i|BaseHTTP/$1 Python/$2|
match http m|^HTTP/1\.0 400 Bad Request\r\nServer: Speed Touch WebServer/([\d.]+)\r\nContent-type: text/html\r\nContent-length: \d*\r\n\r\nHTTP/1\.0 400 Bad Request\r\n: Invalid or incomplete request\.\r\n\r\n| p/Alcatel Speedtouch aDSL router httpd/ v/$1/ d/router/
# Management Interface for Netscape FastTrack web server 2.01
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: Netscape-Administrator/([\d.]+)\r\n| p/Netscape FastTrack Administrator/ v/$1/
# Siemens SpeedStream 2-port SS2601 Router
match http m|^HTTP/1\.0 200 Document follows\r\nServer: IP_SHARER WEB ([\d.]+)\r\nContent-type: text/html\r\n\r\n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4\.0 Transitional//EN\">\n\n<html><head><title>Setup</title>| p/Siemens SpeedStream SS2601/ i/IP_SHARER WEB $1/ d/router/

match http m|^HTTP/1\.1 \d\d\d .*\r\nWWW-Authenticate: Basic realm=\"InterMapper\"\r\n.*\r\nServer: InterMapper/([\d.]+)\r\n|s p/InterMapper Network Monitor httpd/ v/$1/
match http m|^HTTP/1\.0 200 OK\r\n.*\r\nServer: ZOT-PS-13/([\d.]+)\r\n|s p/Hawking Print Server httpd/ v/$1/ d/print server/
match http m|^HTTP/1\.0 302 Temporarily Moved\nLocation: /winamp\?page=main\nConnection: close\nContent-type: text/html\n\n<html>\n<head>\n<title>Winamp Web Interface</title>| p/Winamp Web Interface/
match http m|^HTTP/1\.[01] \d\d\d .*\r\n.*Server: Lasso/([\d.]+)\r\n\r\n|s p/Lasso httpd/ v/$1/
match http m|^HTTP/1\.0 200 OK\r\nServer: BaseHTTP/([\d.]+) Python/([\d.]+)\r\nDate: .*\r\nContent-Type: text/html\r\n\r\n<html><head><title>Roundup trackers index</title></head>\n<body><h1>Roundup trackers index</h1>| p/Roundup issue tracker/ i|BaseHTTP/$1 Python/$2|
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: fwlogwatch ([\d.]+) 200\d/\d\d/\d\d \(C\) Boris Wesslowski, RUS-CERT\r\n| p/fwlogwatch/ v/$1/
match http m|^HTTP/1\.0 \d\d\d .*\r\nConnection: close\r\nServer: GNUMP3d ([\d.]+)\r\n| p/GNUMP3d/ v/$1/
match http m|^HTTP/1\.0 401 Unauthorized\r\nServer: IP_SHARER WEB ([\d.]+)\r\nWWW-Authenticate: Basic realm=\"NeedPassword\"\r\nContent-type: text/html\r\n\r\n401 Unauthorized| p/Sitecom DC-202/ i/IP_SHARER embedded httpd $1/ d/router/
match http m|^HTTP/1\.1 200 OK\r\nDate: .*\r\nServer: HTTP/x\.y\.z \(Unix\) PHP/x\.y\.z mod_ssl/x\.y\.z SSL/x\.y\.z\r\nLast-Modified: .*\r\nETag: \".*\"\r\nAccept-Ranges: bytes\r\nContent-Length: .*\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n<HTML>\n<HEAD>\n<TITLE>Loading\.\.\.</TITLE>\n| p/Coldfusion httpd/ i/SSL support/ o/Unix/
match http m|^HTTP/1\.0 200 OK\r\nContent-Length: \d+\r\nContent-Type: text/html\r\nServer: SIMS/([\w.]+)\r\n\r\n<HTML>\r<HEAD>\r  <TITLE>Stalker Internet Mail Server: Setup Entrance</TITLE>\r</HEAD>\r<BODY BGCOLOR=white>\r\r<H2><TABLE WIDTH=\"100%\" BORDER=0 CELLSPACING=0 CELLPADDING=0>\r<TR>\r<TD><H3><IMG SRC=\"/Icon\.gif\" ALIGN=MIDDLE>([\w-_.]+)</H3>| p/Stalker Mail Server web config/ v/$1/ h/$2/ o/Mac OS/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache  -OOPS Development Organization-\r\n.*X-Powered-By: ([^\r\n]+)\r\n|s p/Apache - OOPS Devel Org/ i/$1/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache  -OOPS Development Organization-\r\n|s p/Apache - OOPS Devel Org/ i/$1/
match http m|^HTTP/1\.0 200 OK\nDATE: .*\nPragma: no-cache\nServer: Delta UPSentry\n| p/Sentry Bulldog UPS httpd/
match http m|^HTTP/1\.0 \d\d\d .*Server: Gatling/([\d.]+)\r\n|s p/Gatling httpd/ v/$1/
# PolyCom ViewStation 128
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: Viavideo-Web\r\n|s v/PolyCom ViewStation/ d/webcam/
match http m|^HTTP/1\.1 400 Malformed Request\r\nServer: WinGate ([\d.]+) \(Build 995\)\r\n| p/WinGate httpd/ v/$1/ o/Windows/
match http m|^HTTP/1\.0 \d\d\d .*\nDate: .*\nMIME-version: [\d.]+\nServer: Micro-HTTP/([\d.]+)\nContent-type: text/html\n.*Copyright Tektronix, Inc\.|s p/Tektronix printer httpd/ d/printer/ i|Micro-HTTP/$1|
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: IBM HTTP Server/([\w]+)\r\n| p/IBM httpd/ v/$1/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: SAlive/ ([\d.]+)\r\n|s p/Servers Alive network monitor/ v/$1/ o/Windows/
match http m|^HTTP/1\.0 200 OK\r\nContent-Type:text/html\r\nContent-Length:\d+\r\n\n\n<HTML>\n<HEAD>\n<TITLE>Not Supported</TITLE>\n</HEAD>\n<body>\n\n<H1 ALIGN=CENTER>The Command sent is not Supported</H1>\n\n\n</BODY>\n</HTML>\n\n\0\0| p/NetWare FTP stats httpd/
match http m|^HTTP/1\.1 \d\d\d .*\r\n.*Server: Abyss/([\d.]+) \(Win32\) AbyssLib/([\d.]+)\r\n\r\n|s p/Abyss httpd/ v/$1/ i|AbyssLib/$2| o/Windows/


# No more HTTP softmatch because many services that I don't think are
# best classified 'http' use http-like semantics (for example UPnP,
# some https servers, etc).  Maybe I should make softmatch allow
# future services that start with the service name, and relable all of
# those.  Shrug.  For now it is gone.
# softmatch http m|^HTTP/1.[01] \d\d\d|

# While this response looks like a web admin port, I think the same port is used for the primary
# proxy functionality.  This is version 3.0 final on Linux.
match http-proxy m|^HTTP/1\.1 401 Unauthorized\r\nConnection: closed\r\nContent-Length: \d+\r\nWWW-Authenticate: Basic realm=\"WebWasher configuration\"\r\n| p/WebWasher filtering proxy/
# MiddleMan filtering proxy server v1.5.2
# Middleman 1.8.3
match http-proxy m|^HTTP/1\.1 404 Not Found\r\nContent-Type: text/html\r\nContent-Length: 463\r\nConnection: close\r\nProxy-Connection: close\r\n\r\n<html><head><title>File not found</title></head><!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4\.01 Transitional//EN\">\n<body text=\"#000000\" bgcolor=\"#99AABB\"| p/Middleman filtering web proxy/
match http-proxy m|^HTTP/1\.0 \d\d\d .*\r\nServer: WWWOFFLE/(\d[-.\w]+)\r\n| p/WWWOFFLE caching webproxy/ v/$1/
match http-proxy m|^HTTP/1\.1 400 Host Not Found\r\nContent-type: text/html\r\nConnection: close\r\n\r\n<html><head><title>The Proxomitron Reveals\.\.\.</title>| p/Proxomitron universal web filter/
match http-proxy m|^HTTP/1\.0 400 Bad Request\r\nDate: .*\r\n\r\n<html><body>.*<font color=\"#FF0000\">Proxy</font><font color=\"#0000FF\">\+</font> (\d[-.\w]+) \(Build #(\d+)\), Date: |s p/Fortech Proxy+/ v/$1 Build $2/
match http-proxy m|^HTTP/1\.0 \d\d\d .*\r\nServer: Jana-Server/(\d[-.\w]+)\r\n| p/JanaServer webproxy/ v/$1/
match http-proxy m|^HTTP/1\.0 400 Bad Request\nContent-Type: text/html\n\n<HTML><HEAD><TITLE>DansGuardian - | p/DansGuardian HTTP proxy/
match http-proxy m|^HTTP/1\.0 400 Bad Request\r\nServer: FreeProxy/(\d[-.\w]+)\r\n| p/FreeProxy/ v/$1/
# EZproxy for Linux 2.2d GA (2003-09-01) - http://www.usefulutilities.com
match http-proxy m|HTTP/1\.0 \d\d\d .*\r\nServer: EZproxy\r\n|s p/EZproxy web proxy/
# http://bfilter.sourceforge.net/
match http-proxy m|^HTTP/1\.0 400 Bad Request\r\n.*\r\n\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4\.01 Transitional//EN\">\r\n<html>\r\n<head>\r\n  <title>BFilter Error</title>|s p/Bfilter webproxy/
match http-proxy m|^HTTP/1\.0 \d\d\d .*\r\nServer: tinyproxy/(\d[-.\w]+)\r\n| p/Tinyproxy/ v/$1/
# MS ISA Server 2000 enterprise edition on windows 2000 advanced server
match http-proxy m|^HTTP/1\.1 502 Proxy Error \( The Uniform Resource Locator \(URL\) does not use a recognized protocol\. Either the protocol is not supported or the request was not typed correctly\. Confirm that a valid protocol is in use \(for example, HTTP for a Web request\)\.  \)\r\nVia:1\.1| p/Microsoft ISA Server http proxy/ o/Windows/
# Privoxy 3.0.0 Filtering Web Proxy - http://www.privoxy.org
match http-proxy m|^HTTP/1\.0 400 Invalid header received from browser\r\n\r\n$| p|Junkbuster/Privoxy webproxy|
match http-proxy m|^HTTP/1\.0 400 Invalid header received from browser\n\n| p/Junkbuster webproxy/
match http-proxy m|^HTTP/1\.0 \d\d\d .*Server: NetCache \(NetApp/(\d[-.\w]+)\)\r\n|s p/NetApp NetCache proxy/ v/$1/
# Squid 2.5.STABLE3 on NetBSD 1.6ZA
match http-proxy m|^HTTP/1\.0 \d\d\d .*\r\nServer: [sS]quid/([-.\w]+)\r\n| p/Squid webproxy/ v/$1/
match http-proxy m|^HTTP/1\.0 \d\d\d .*\r\nServer: [sS]quid\r\n| p/Squid webproxy/

# Blue Coat Port 80 Security Appliance  Model: Blue Coat SG400 Software Version: SGOS 2.1.6044 Software Release id: 19480 Service Pack 4
match http-proxy m|^HTTP/1\.1 504 Gateway Time-out\r\nConnection: close\r\nCache-Control: no-cache\r\nPragma: no-cache\r\nContent-Length: 2976\r\nContent-Type: text/html\r\n\r\n<DIV class=Section1> \n\t\t<P class=MsoNormal| p/Blue Coat Security Appliance http proxy/
match http-proxy m|^HTTP/1.0 200 OK\r\nServer: MS-MFC-HttpSvr/1.0\r\nDate: Wed, 13 Aug 2003 01:58:26 GMT\r\n\r\n<html><h1>http://| p/Surfcontrol SuperScout Web Filter/ o/Windows/
match http-proxy m|^HTTP/1\.0 400 Cache Detected Error\r\nDate: .*\r\nContent-Type: text/html\r\nVia: 1\.0 ([-.\w]+) \(NetCache NetApp/([-.\w]+)\)\r\n\r\n| p/NetApp NetCache web proxy/ h/$1/ v/$2/

# Novell BorderManager HTTP-Proxy
match http-proxy m|^HTTP/1\.0 403 Forbidden\r\nContent-Length: \d+\r\n\r\n<html>\n\t<head>\n<title>BorderManager Information Alert</title></head>| p/Novell BorderManager HTTP-Proxy/
match http-proxy m|^HTTP/1\.0 400 Bad Request\r\nContent-type: text/html\r\n\r\n<html><head><title>InterScan Error</title></head>\r\n<body><h2>InterScan Error</h2>\r\nInterScan HTTP Version ([\w-_.]+) \$Date:| p/InterScan Interscan VirusWall/ v/$1/
# iPlanet-Web-Proxy-Server 3.6
match http-proxy m|^HTTP/1\.0 \d\d\d .*\r\nProxy-agent: iPlanet-Web-Proxy-Server/([\d.]+)\r\n|s p/iPlanet web proxy/ v/$1/


# gidentd 0.4.5 on Linux 2.4.X
match ident m|^0, 0 : ERROR : INVALID-PORT\r\n$| p/gidentd/
match ident m|^GET / HTTP/1\.0 : USERID : UNIX : ([-.\w]+)\r\n : USERID : UNIX : [-.\w]+\r\n| p/Nullidentd/ i/Claimed user: $1/
match ident m|^GET / HTTP/1\.0 : USERID : UNIX : ([-.\w]+)\r\n$| p/Liedentd/ i/Claimed user: $1/
# pidentd 2.81
match ident m|^0 , 0 : ERROR : X-INVALID-REQUEST\r\n$| p/pidentd/
# pidentd 3.1a25 on Linux 2.4.20 (SuSE 8.2)
match ident m|^GET : ERROR : UNKNOWN-ERROR\r\n$| p/pidentd/
match ident m|^0, 0 : ERROR : INVALID-AUTH-REQ-INFO : CAPABILITY=USER-INTERACTION : AUTH-MECH=KEBEROS_V4\r\n$| p/Stanford PC-leland identd/
# fair-identd-20000201
# pidentd-2.8.5-3
match ident m|^0 , 0 : ERROR : UNKNOWN-ERROR\r\n$| p/pidentd/ i/could be fair-identd/
# identd 1.1 on Linux 2.4.21
# linux-identd 1.2 - http://www.fukt.bth.se/~per/identd
match ident m|^GET / HTTP/1\.0 : ERROR : INVALID-PORT\r\n : ERROR : INVALID-PORT\r\n$| p/Linux-identd/ o/Linux/
# uw-imap 2003debian0.0304182231-1
match imap m|^\* OK \[CAPABILITY IMAP4REV1 X-NETSCAPE LOGIN-REFERRALS STARTTLS LOGINDISABLED\] \[[-.\w]+\] IMAP4rev1 (200[-.\w]+) at .*\r\nGET BAD Command unrecognized/login please: /\r\n\* BAD Null command\r\n| p/UW-Imap/
match imap m|^\* OK \[[-.+\w]+\] IMAP4rev1 v1(\d[-.\w]+) server ready\r\n| p/UW-Imap/ v/1$1/
match imap m|^\* OK ([-.+\w]+) IMAP4rev1 v1(\d[-.\w]+) server ready\r\n| p/UW-Imap/ h/$1/ v/1$2/
# gnu/mailutils imap4d 0.3.2 on Linux
match imap m|^\* OK IMAP4rev1\r\nGET BAD  Invalid command\r\n\* BAD  Null command\r\n$| p/GNU Mailutils imapd/
# Cyrus IMAP 2.1.14
match ssl/imap m|^\* BYE Fatal error: tls_start_servertls\(\) failed\r\n$| p/Cyrus imapd/

# Server: CUPS/1.1
match ipp m|^HTTP/1\.0.*Server: CUPS/(\S+)|s p/CUPS $1/
match ipp m|^lpd \[@[-.\w]+\]: Host name for your address \([:.\d]+\) is not known\n$| p/CUPS/
match irc m|^:Default-Chat-Community 421 \* GET :Unknown command\r\n| p/Microsoft Exchange 2000 Server Chat Service/ o/Windows/

# Jabber 1.4.2
match jabber m|^<stream:error>Invalid XML</stream:error>$| p/Jabber instant messaging server/
match kazaa-http m|^HTTP/1\.0 404 Not Found\r?\nX-Kazaa-Username: ([-.+\w]+)\r\nX-Kazaa-Network: ([-.\w]+)\r\n| p/KaZaA P2P client/ i/username: $1; network: $2/
match kazaa-peerpoint m|^HTTP/1\.0 404 Not Found\n\r\n$| p/KaZaA P2P client Peer Point Manager/
match msdtc m|^...\0..$|s p/Microsoft Distributed Transaction Coordinator/ o/Windows/
match msdtc m|^ERROR\n$|s p/Microsoft Distributed Transaction Coordinator/ i/error/ o/Windows/

# MLDonkey 2.5
match napster m|^1INVALID REQUEST$| p/MLDonkey multi-network P2P client/
match napster m|^1$| p/Lopster Napster P2P client/
match bittorent-tracker m|HTTP/1\.1 404 Not Found\r\nServer: MLdonkey\r\nConnection: close\r\nContent-Type: application/x-bittorrent\r\nContentlength: 0\r\n\r\n| p/MLDonkey multi-network P2P client/

match netbios-ssn m/^\x83\0\0\x01\x82|\x8f$/
match netwareip m|^\xfb\xff\xfe\xff\xfb\xff\xfe\xff\xfb\xff\xfe\xff$| p|Novell Netware/IP| o|NetWare|

match omninames m|^GIOP\x01\0\x01\x06\0\0\0\0$| p/omniORB omniNames/ i/Corba naming service/
# Oracle MTS Recovery Service 9.2.0.1 on Windows 2000 Professional
match oracle-mts m|^HTTP/1\.0 200 OK\r\nContent-length: 7\r\n\r\nunknown$| p/Oracle MTS Recovery Service/

match ssl/pop3 m|^-ERR \[SYS/PERM\] Fatal error: tls_start_servertls\(\) failed\r\n$| p/Cyrus pop3sd/
match ssl/pop3 m|^-ERR Fatal error: pop3s: required OpenSSL options not present\r\n| p/Cyrus pop3sd/
# Postgresql-server-7.3.2-3
match postgresql m|^EFATAL:  invalid length of startup packet\n\0$| p/PostgreSQL/
# Netware 6 NetWare/IP

match rendezvous m|^HTTP/1\.1 400 Bad Request\r\nDate: .*\r\nDAAP-Server: iTunes/(\d[-.\w]+) \((.*)\)\r\n| p/Apple iTunes/ v/$1/ i/on $2/

match rtsp m|^RTSP/1.0 400 Bad Request\r\nServer: DSS/([-.\w]+) \[(v\d+)]-(\w+)\r\n| p/DarwinStreamingServer/ v/$1/ i/$2 on $3/
match rtsp m|^RTSP/1\.0 400 Bad Request\r\nServer: QTSS/(\d[\d.]+ \[v\d+\]-Win32)\r\nCseq: \r\n| p/Apple QuickTime Streaming Server/ v/$1/ o/Windows/
match rtsp m|^RTSP/1\.0 400 Bad Request\r\nServer: QTSS/(\d[-.\w]+) \(Build/([\d.]+); Platform/([-.\w]+)\)\r\nCseq: \r\nConnection: Close\r\n\r\n$| p/Apple QuickTime Streaming Server/ v/$1 build $2/ i/$3/
match rtsp m|^RTSP/1\.0 505 Protocol Version Not Supported\r\nDate: .*\r\nServer: WMServer/(\d[-.\w]+)\r\n\r\n$| p/Microsoft Windows Media Server/ v/$1/ o/Windows/

match slimp3 m|^GET %2f HTTP%2f1\.0\n$| p|SliMP3 MP3 player| i|http://www.slimdevices.com|
# spamd 2.20-1woody
match spamd m|^SPAMD/1\.0 76 Bad header line: GET / HTTP/1\.0\r\r?\n| p/SpamAssassin spamd/
# Windows XP 8/2003
match upnp m|^HTTP/1.1 400 Bad Request\r\n\r\n$| p/Microsoft Windows UPnP/ o/Windows/
match upnp m|^HTTP/1\.0 \d\d\d .*\r\nDate: .*\r\nConnection: close\r\nServer: Microsoft-Windows-NT/(\d[-.\w]+) UPnP/(\d[-.\w]+) UPnP-Device-Host/(\d[-.\w]+)\r\n| p/Microsoft UPnP/ v/$2/ i/UPnP Device Host: $3/ o/Windows NT $1/
# UUCP 1.06.2 on Linux 2.4.X
# Taylor UUCP 1.06.2 on Slackware
match uucp m|^login: Password:$| p/Taylor uucpd/

# Veritas Netbackup client v.3.4
# Veritas Netbackup 4.5 Java listener
match netbackup m|^1000      2\n43\nunexpected message received\n$| p/Veritas Netbackup java listener/
# Veritas Backup Exec 9.0 on Windows
match backupexec m|^\x80\0\0\$\0\0\0\x01[\x3F-\x4B]...\0\0\0\0\0\0\x05\x02\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x03\0\0\0\0| p/Veritas Backup Exec/ v/9.0/

# RealVNC 4.0b4
match vnc-http m|^HTTP/1\.1 200 OK\r\nServer: RealVNC/(\d[-.\w]+)\r\n.*<APPLET CODE=vncviewer/VNCViewer\.class ARCHIVE=vncviewer\.jar\r?\n *WIDTH=(\d+) HEIGHT=(\d+)>\r?\n<PARAM name=\"port\" value=\"(\d+)\">\r?\n</APPLET>|s p/RealVNC/ v/$1/ i/Resolution $2x$3; VNC TCP port: $4/
# RealVNC Unknown Version
match vnc-http m|^HTTP/1\.0 200 OK\n\n<HTML><TITLE>VNC desktop</TITLE>\n<APPLET CODE=vncviewer\.class ARCHIVE=vncviewer\.jar WIDTH=(\d+) HEIGHT=(\d+)>\n<param name=PORT value=(\d+)></APPLET></HTML>\n| p/RealVNC/ i/Resolution $1x$2; VNC TCP port: $3/
# TightVNC Server version 1.2.2 HTTP on Windows 2000 SP2
match vnc-http m|^HTTP/1\.0 200 OK\n\n<HTML><TITLE>TightVNC desktop \[([-.\w]+)\]</TITLE>\n<APPLET CODE=vncviewer\.class ARCHIVE=vncviewer\.jar WIDTH=(\d+) HEIGHT=(\d+)>\n<param name=PORT value=(\d+)>| p/TightVNC/ v/1.2.2/ i/Resolution $2x$3; VNC TCP port: $4/ h/$1/
# Tightvnc-1.2.3
match vnc-http m|^HTTP/1\.0 404 Not found\n\n<HEAD><TITLE>File Not Found</TITLE></HEAD>\n<BODY><H1>File Not Found</H1></BODY>\n$| p/TightVNC/
# Tightvnc 1.2.3
match vnc-http m|^HTTP/1\.0 200 OK\n\n<HTML><TITLE>TightVNC desktop \[([-.\w]+)\]</TITLE>\n<APPLET CODE=VncViewer\.class ARCHIVE=VncViewer\.jar WIDTH=(\d+) HEIGHT=(\d+)>\n<param name=PORT value=(\d+)>| p/TightVNC/ v/1.2.3/ i/User: $1; Resolution $2x$3; VNC TCP port: $4/
# TightVNC 1.2.6
match vnc-http m|^HTTP/1\.0 200 OK\n\n<HTML>\n  <HEAD><TITLE>TightVNC desktop \[[-.\w]+\]| p/TightVNC/
# TightVNC 1.2.8
match vnc-http m|^HTTP/1\.0 200 OK[\r\n]*.*<!-- \n     index\.vnc - default HTML page for TightVNC Java viewer applet, to be\n     used with Xvnc\. On any file ending in \.vnc, the HTTP server embedded in\n     Xvnc will substitute the following variables when preceded by a dollar:\n     USER, DESKTOP, DISPLAY, APPLETWIDTH, APPLETHEIGHT, WIDTH, HEIGHT, PORT,\n.*<TITLE>\n(\w+)'s X desktop.*<APPLET CODE=VncViewer\.class ARCHIVE=VncViewer\.jar\n        WIDTH=(\d+) HEIGHT=(\d+)>\n<param name=PORT value=(\d+)>\n\n</APPLET>|s p/TightVNC/ v/1.2.8/ i/User: $1; Resolution $2x$3; VNC TCP port: $4/
# TightVNC 1.2.9
match vnc-http m|^HTTP/1\.0 200 OK\n.*<HTML><HEAD><TITLE>Remote Desktop</TITLE></HEAD>\n<BODY>\n<APPLET CODE=VncViewer\.class ARCHIVE=VncViewer\.jar WIDTH=(\d+) HEIGHT=(\d+)>\n\t<param name=PORT value=(\d+)>\n</APPLET>\n</BODY></HTML>\n|s p/TightVNC/ v/1.2.9/ i/Resolution $1x$2; VNC TCP port $3/
# NetWare VNCServer
match vnc-http m|^HTTP/1\.0 200 OK\n.*<!-- \r\n     index\.vnc - default HTML page for TightVNC Java viewer applet, to be.*<TITLE>\r\n([\d\w]+) - NetWare VNCServer desktop.*<APPLET CODE=VncViewer\.class ARCHIVE=VncViewer\.jar\r\n *WIDTH=(\d+) HEIGHT=(\d+)>\r\n<param name=PORT value=(\d+)>|s p/NetWare VNC Desktop/ i/User: $1; Resolution $2x$3; VNC TCP port: $4/
# WinVNC 3.3.7 Build Mar 5 2003
match vnc-http m|^HTTP/1\.0 200 OK\r\n\r\n<HTML><TITLE>VNC desktop \[([-.\w]+)\]</TITLE>\n<APPLET CODE=vncviewer\.class ARCHIVE=vncviewer\.jar WIDTH=(\d+) HEIGHT=(\d+)>\n<param name=PORT value=(\d+)| p/WinVNC/ v/3.3.7/ i/Server: $1; Resolution $2x$3; VNC TCP port: $4/
# WinVNC 3.3.3
# Tight VNC 1.5.2
match vnc-http m|^HTTP/1\.0 200 OK\n\n<HTML><TITLE>VNC desktop \[([-.\w]+)\]</TITLE>\n<APPLET CODE=vncviewer\.class ARCHIVE=vncviewer\.jar WIDTH=(\d+) HEIGHT=(\d+)>\n<param name=PORT value=(\d+)></APPLET></HTML>\n$| p/WinVNC/ i/Server: $1; Resolution $2x$3; VNC TCP port: $4; May be standard or TightVNC/
# Ultr@VNC Win32 v1.0.9 - HTTP
match vnc-http m|^HTTP/1\.0 200 OK\n\n<HTML>\n  <HEAD><TITLE>Ultr@VNC Desktop \[[-. \w]+\] ------- Ultr@VNC Home Page is  http://ultravnc\.sf\.net -------</TITLE></HEAD>\n  <BODY>\n  <SPAN style='position: absolute; top:0px;left:0px'>\n    <APPLET CODE=VncViewer\.class ARCHIVE=VncViewer\.jar WIDTH=(\d+) HEIGHT=(\d+)>\n      <PARAM NAME=PORT VALUE=(\d+)>\n      <PARAM NAME=ENCODING VALUE=Tight>\n    </APPLET>  </SPAN>\n  </BODY>\n| p/Ultr@VNC/ i/Resolution $1x$2; VNC TCP port: $3/
# VNC to java display applet over http. Final AT&T release
match vnc-http m|^HTTP/1\.0 200 OK[\r\n]+.*<!-- index\.vnc - default html page for Java VNC viewer applet.*<TITLE>\n([\w\d]+)'s X desktop.*<APPLET CODE=vncviewer\.class ARCHIVE=vncviewer\.jar.*WIDTH=(\d+).*HEIGHT=(\d+).*name=PORT value=(\d+)|s p/AT&T VNC/ i/User $1; Resolution $2x$3; VNC TCP port $4/
# KDE Built-in VNC Server
match vnc-http m|^HTTP/1\.0 200 OK\n.*<HTML><HEAD><TITLE>(.*)'s desktop</TITLE></HEAD>\n<BODY>\n<APPLET CODE=[vV]nc[vV]iewer\.class ARCHIVE=[vV]nc[vV]iewer\.jar WIDTH=(\d+) HEIGHT=(\d+)>\n\t<param name=PORT value=(\d+)>\n</APPLET>\n</BODY></HTML>\n|s p/KDE Built-in VNC/ i/User $1; Resolution $2x$3; VNC TCP port: $4/

match xml-rpc m|^HTTP/1\.0 400 Bad Request\r\nServer: Apache XML-RPC (\d[-.\w ]+)\r\n\r\nMethod GET not implemented \(try POST\)$| p/Apache XML-RPC/ v/$1/

match wsmserver m|^Language received from client: GET\nSetlocale: C\n$| p/AIX Web-based System Manager/ o/AIX/
match http m|^HTTP/1\.0\x20250\x20Ok\r\n.*\r\n\r\n.*<title>PowerMTA monitoring</title>|s p/Port25 PowerMTA web monitor/

# Kerio MailServer 5.7.9, 5.7.10
match http m|^HTTP/1\.1 302 Redirected\r\nConnection: close\r\nContent-Length: 0\r\nLocation: /login\r\n\r\n$| p/Kerio MailServer Webmail/
match http m|^HTTP/1\.0\x20250\x20Ok\r\n.*\r\n\r\n.*<title>PowerMTA monitoring</title>|s p/Port25 PowerMTA web monitor/
# Dell OpenManage Version 3.5.0 on MS Windows 2000 server / PowerEdge 6400/700
match http m|^HTTP/1\.1 200 OK\r\nConnection: Close\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n<html>\r\n    <head>\r\n        <script language=\"javascript\">\r\n\t\t\t\t\tif| p/Dell Openmanage Server Administrator/ i/PowerEdge/
# ASPI server (www.aspi.cz) on Solaris 6666/tcp
match aspi m|^HTTP/1\.0 404 Not Found\r\nDate: .*\r\nServer: ByllSoftware Gurda/([\d.]+)\r\n| p/ASPI server/ v/$1/ o/Solaris/
match sunscreen-adm m|^\x01\0\0\0\0\0\0\0T\x03\0\0\0\0\0\x01\x1e\0\0\0\0\0\0;\0\0\0\0\0\0\0\0Error: incompatible with administration server \(version (\d[-.\w ]*)\)\nc\0\0\0\0\0\0\0\0\0\0\x01\0\0\0\0$| p/SunScreen Remote Administration server/ v/$1/

# PopChartServer
match http m|^HTTP/1\.0 200 OK\r\n.*Server: PopChartServer ([\d.]+)\r\n|s p/PopChart Pro/ v/$1/
match http m|^HTTP/1\.0 200 OK\r\n.*Server: CordaServer \(PopChartServer compatible\) ([\d.]+)\r\n|s p/CordaServer/ v/$1/

match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: WebSTAR/([\d.]+) ID/\d+\r\n|s p/WebSTAR/ v/$1/




##############################NEXT PROBE##############################
Probe TCP HTTPOptions q|OPTIONS / HTTP/1.0\r\n\r\n|
ports 80,5232,6000,10000
# IRIX 6.5.18f Distributed GL Daemon dgld
match dgld m|^OPTI$| p/IRIX Distributed GL Daemon/ o/IRIX/
# Webmaster Conferenceroom 1.8.9.1 IRC Server
match irc m|(^:[-.\w]+) 421 \* OPTIONS :Unknown command\r\n| p/Webmaster Conferenceroom IRC server/ h/$1/
#  cgi-httpd from shttpd-0.53 on FreeBSD
match http m|^HTTP/1\.0 501 method not implemented\r\nServer: cgi-httpd\r\n| p/shttpd cgi-httpd/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: WebSphere Application Server/(.+)\r\n| p/IBM WebSphere Application Server/ v/$1/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Oracle HTTP Server Powered by Apache\r\n|s p/Oracle HTTP Server Powered by Apache/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: webfs/(\d[-.\w]+)\r\n| p/WebFS httpd/ v/$1/

# HP OpenView ITO agent (probably version 7.25) on Windows, port 381
match http m|^HTTP/1\.1 \d\d\d .*\r\nserver: BBC \d[-.\w]+; com\.hp\.openview\.Coda \d[-.\w]+\r\n\r\n| p/HP OpenView ITO agent - Coda/

# HP JetDirect Card in a LaserJet printer
match http-mgmt m|^HTTP/1\.1 501 Unknown or unimplemented http action\r\nMIME-Version: 1\.0\r\nServer: HP-ChaiServer/([\d.]+)\r\nContent-length: \d+\r\nContent-Type: text/html\r\n\r\n<TITLE>Request Not Implemented</TITLE><P><B>Cannot process request, not implemented at server\.</B></P><P>Unknown or unimplemented http action| p/HP JetDirect Card in a LaserJet printer/ i/HP-ChaiServer Embedded VM $1/ d/printer/

# HP JetDirect Card in a LaserJet printer
match http-mgmt m|^HTTP/1\.1 501 Unknown or unimplemented http action\r\nMIME-Version: 1\.0\r\nServer: HP-ChaiServer/([\d.]+)\r\nContent-length: \d+\r\nContent-Type: text/html\r\n\r\n<TITLE>Request Not Implemented</TITLE><P><B>Cannot process request, not implemented at server\.</B></P><P>Unknown or unimplemented http action| p/HP JetDirect Card in a LaserJet printer/ i/HP-ChaiServer Embedded VM $1/ d/printer/

# Zero One Technology ( http://www.01tech.com/ ) print servers embedded HTTP service
match http m|^HTTP/1\.\d\x20200\x20OK\r\nDate:\x20.*\r\nMIME-version:\x201\.\d\r\nServer:\x20ZOT-PS-(\d+)/(\d[-.\w]+)\r\n| p/Zero One Technology print server model $1 HTTP server/ v/$2/ d/print server/

match kmldonkey m|^HTTP/1\.1 400 Bad Request\r\nServer: KMLDonkey/(\d\S+)| p/KMLDonkey/ v/$1/

# webmin version 1.090 on Mandrake 8.2 - not sure why it's not picked up by the getreq probe
match http m|^HTTP/1\.0 400 Bad Request\r\nServer: MiniServ/([\d.]+)\r\n.*\r\n<h1>Error - Bad Request</h1>\n|s p/webmin/ i|MiniServer/$1|

##############################NEXT PROBE##############################
Probe TCP RTSPRequest q|OPTIONS / RTSP/1.0\r\n\r\n|
match rtsp m|^RTSP/1\.0 200 OK\r\nCSeq: 0\r\nDate: .*\r\nServer: RealServer Version (\d[-.\w]+) \(win32\)\r\n| p/Realserver RTSP/ v/$1/ o/Windows/
match rtsp m|^RTSP/1\.0 200 OK\r\n.*Server: RealMedia EncoderServer Version (\d[-.\w]+) \(win32\)\r\n|s p/RealMedia EncoderServer/ v/$1/ o/Windows/
match rtsp m|^RTSP/1\.0 200 OK\r\n.*Server: RealServer Version (\d[-.\w]+) \(([-.+\w]+)\)\r\n|s p/RealOne Server/ v/$1/ i/$2/
# APC PowerChute Business Edition Agent 6.1.0.0 on Windows 2000 Server
match powerchute m|^RTSP/1\.0 400 Bad request\r\nContent-type: text/html\r\n\r\n| p/APC PowerChute Agent/ d/power device/
match msdtc m|^ERROR\n$|s p/Microsoft Distributed Transaction Coordinator/ i/error/ o/Windows/

# HP OpenView ITO agent (probably version 7.25) on Windows, port 383
match http m|^HTTP/1\.1 \d\d\d .*\r\nserver: BBC \d[-.\w]+; com\.hp\.openview\.bbc\.LLBserver \d[-.\w]+\r\n\r\n|s p/HP OpenView ITO agent - LLB server/

# This probe sends an RPC "Null command" to the port for service
# 100000 (portmapper).
# Some of these numbers are abitrary (such as ID).  I could consider
# adding an \R escape in the string logic to provide a random byte.
# This would make IDS detection and such a bit harder.  On the other
# hand, that would make the response a little harder to recognize too.
##############################NEXT PROBE##############################
Probe TCP RPCCheck q|\x80\0\0\x28\x72\xFE\x1D\x13\0\0\0\0\0\0\0\x02\0\x01\x86\xA0\0\x01\x97\x7C\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0|
ports 81,111,199,514,544,1433,4045,4999,32750-32810,38978
# Microsoft SQLServer 6.5 on WinNT 4.0 SP6a
# Microsoft SQL Server 6.5 on WinNT 4.0
match ms-sql-s m|^\x04\x01\0C..\0\0\xaa\0\0\0/\x0f\xa2\x01\x0e.. Login failed\r\n\x14Microsoft SQL Server\0\0\0\xfd\0\xfd\0\0\0\0\0\x02$| p/Microsoft SQLServer/ v/6.5/ o/Windows/
match rpc m|^\x80\0\0\x18\x72\xFE\x1D\x13\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x01|
match rpc m|^\x80\0\0\x20\x72\xFE\x1D\x13\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x02|
# Vmware ESX 1.5.x Client Agent for Linux -- WAIT - I think this is erronous and is actually smux
# HP-UX 11 SNMP Unix Multiplexer (smux)
match smux m|^A\x01\x02$| p/HP-UX smux/ i/SNMP Unix Multiplexer/ o/HP-UX/
# Network Appliance ONTAP 6.3.3 shell
match shell m|^\x01Permission denied\.\n$| p/Network Appliance Ontap rshd/
# HP-UX 11 Kerberized 'rsh' (v5)
match kshell m|^\x01remshd: connect: Connection refused\n$| p/HP-UX kerberized rsh/ o/HP-UX/
# Tumbleweed SecureTransport 4.1.1 Transaction Manager Non-Secure Port on Solaris
match securetransport m|^\xde\xad\xbe\xef\x04\0\xff\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x1fem\.requestparserparser\.InvError| p/Tumbleweed SecureTransport Transaction Manager Non-Secure Port/
# ED2KLink Server v1.12 (Build 1014 or later)
match ed2klink m|^\x16\x15\x16\x16\x16\x12XW\]$| p/ED2KLink Server/


##############################NEXT PROBE##############################
Probe UDP RPCCheck q|\x72\xFE\x1D\x13\0\0\0\0\0\0\0\x02\0\x01\x86\xA0\0\x01\x97\x7C\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0|
ports 88,111,517,518,4045,32750-32810,38978
match rpc m|^\x72\xFE\x1D\x13\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x01|
match rpc m|^\x72\xFE\x1D\x13\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x02|
# OpenAFS 1.2.10 on Linux 2.4.22
match kerberos-sec m|^\x04\n\0\0\0\0\0\0\0\0\0\0\x04code = 4: packet version number unknown\0| p/OpenAFS/
# talk-server-0.17 (linux), ports 517-518/udp
match talk m|^\x01\xfe\x05\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0| p/Talk server/
# Mandrake Linux 9.2, xinetd 2.3.11 chargen
match chargen m|NOPQRSTUVWXYZ\[\\\]\^_`abcdefghijklm|

# Windows qotd service. Same as the TCP version. It's only in this
# Probe because this is the first UDP Probe that nmap tries.
match qotd m/^"(My spelling is Wobbly\.|Man can climb to the highest summits,|In Heaven an angel is nobody in particular\.|Assassination is the extreme form of censorship\.|When a stupid man is doing|We have no more right to consume happiness without|We want a few mad people now.|The secret of being miserable is to have leisure to|Here's the rule for bargains:|Oh the nerves, the nerves; the mysteries of this machine called man|A wonderful fact to reflect upon,|It was as true as taxes is\.)/ p/Windows qotd/ o/Windows/
match qotd m/^"(Mi ortograf\xeda tiembla\. Es bueno revisarla,|un hombre puede escalar a las m\xe1s altas cumbre|Algo maravilloso a poner de manifiesto:|Cuando un necio hace algo de lo que se aveg\xfcenza,|En el cielo, un \xe1ngel no es nadie en concreto|Traigamos unos cuantos locos ahora\.|Era tan verdad como los impuestos\. Y no|Hay libros cortos que, para entenderlos como se merecen,|Quedarse en lo conocido por miedo a lo desconocido,|La prosperidad hace amistades, y la adversidad las|El uso principal de un PC es confirmar la ley de|Quedarse en lo conocido por miedo a lo desconocido,|Cuando las leyes son injustas, no obligan en el fuero|Magia equivale a cualquier avance en la ciencia\.|Vale mejor consumir vanidades de la vida,)/ p/Windows qotd/ i/Spanish/ o/Windows/
# Some Italian qotds start with a space instead of a "
match qotd m/^.(Voce dal sen fuggita|Semel in anno licet insanire|Cosa bella e mortal passa e non dura|Quando uno stupido compie qualcosa di cui si vergogna,|Se tu pagare come dici tu,|Fatti non foste a viver come bruti,|Sperare senza far niente e` come)/ p/Windows qotd/ i/Italian/ o/Windows/
match qotd m/^"(Prazos longos sao f\xa0ceis de subscrever\.|Deus, para a felicidade do homem, inventou a f\x82 e o amor\.|Ao vencido, \xa2dio ou compaixao, ao vencedor, as batatas\.|Quem nao sabe que ao p\x82 de cada bandeira p\xa3blica,|Nao te irrites se te pagarem mal um benef\xa1cio; antes cair|A vida, como a antiga Tebas, tem cem portas\.)/ p/Windows qotd/ i/Portugese/
# The German version doesn't start with "
match qotd m/^(Wer wirklich Autorit\xe4t hat, wird sich nicht scheuen,|Moral ist immer die Zuflucht der Leute,|Beharrlichkeit wird zuweilen mit Eigensinn|Wer den Tag mit Lachen beginnt, hat ihn|Wenn uns keine Ausweg mehr bleibt,|Gesichter sind die Leseb\xfccher des Lebens|Grosse Ereignisse werfen mitunter ihre Schatten|Dichtung ist verpflichtet, sich nach den|Ohne Freihet geht das Leben|Liebe ist wie ein Verkehrsunfall\. Man wird angefahren)/ p/Windows qotd/ i/German/
match qotd m/^"(Clovek ma tri cesty, jak moudre jednat\. Nejprve premyslenim|Co je vubec hodno toho, aby to bylo vykonano,|Fantazie je dulezitejsi nez vedeni\.|Potize narustaji, cim vice se clovek blizi|Kdo nezna pristav, do ktereho se chce plavit,|Lidske mysleni ztraci smysl,|Nikdo nevi, co muze vykonat,|Nic neprekvapi lidi vice nez zdravy rozum|Zadny cil neni tak vysoky,)/ p/Windows qotd/ o/Windows/ i/Czech/

##############################NEXT PROBE##############################
Probe UDP DNSVersionBindReq q|\0\x06\x01\0\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03|
ports 53,2967
# Allow 3-12 character version numbers
match domain m|\x07version\x04bind.*[\x03-\x14]([-\w._ ]{3,20})$|s p/ISC Bind/ v/$1/
match domain m|\x07version\x04bind.*[\x03-\x14]BIND ([-\w._]{3,20})$|s p/ISC Bind/ v/$1/
# ISC Bind 9.1.3
match domain m|\x07version\x04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\x01\0| p/ISC Bind/ v/9.X/
# Tinydns 1.05
match domain m|^\0\x06\x81\x81\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03$| p/TinyDNS/
# Microsoft DNS Windows 2000, SP4
match domain m|^\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03$| p/Microsoft DNS/ o/Windows/
# MyDNS 0.10.0 on Linux
match domain m|^\0\x06\x81\x04\0\0\0\0\0\0\0\0$| p/MyDNS/
# PowerDNS 2.9.11
match domain m|\x07version\x04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x01\0\0\0\x05\0UTServed by POWERDNS ([\d.]+) | p/PowerDNS/ v/$1/

# Symantec Antivirus (rtvscan.exe)
match symantec-av m|^\0\x06\x01\x01\0\x10..........$| p/Symantec rtvscan antivirus/

# pdnsd 1.1.8b1
match domain m|^\0\x06\x81\x84\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03$| p/pdnsd/

match domain m|\x07version\x04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\x1b\x1arbldnsd ([\d.]+) | p/rbldnsd/ v/$1/

##############################NEXT PROBE##############################
Probe TCP DNSVersionBindReq q|\0\x1E\0\x06\x01\0\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03|
ports 53,512,513,543,544,1521,2105,2967,6543
match domain m|\x07version\x04bind.*[\x03-\x14]([-\w._ ]{3,20})$|s p/ISC Bind/ v/$1/
match domain m|\x07version\x04bind.*[\x03-\x14]BIND ([-\w._]{3,20})$|s p/ISC Bind/ v/$1/
# ISC Bind 9.1.3
match domain m|\x07version\x04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\x01\0| p/ISC Bind/ v/9.X/
# ISC BIND 8.2.7-REL
match domain m|\x07version\x04bind\0\0\x10\0\x03\x07VERSION\x04BIND\0\0\x10\0\x03\0\0\0\0\0| p/ISC Bind/ v/8.X/
# pdnsd 1.1.7a, 1.1.8b1
# http://www.phys.uu.nl/~rombouts/pdnsd.html
match domain m|^\0\x1e\0\x06\x81\x84\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03$| p/pdnsd/
# Windows 2000 SP4
match domain m|^\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03$| p/Microsoft DNS/ o/Windows/
# Novell 5.1 DNS Server
# Bind 4.9.7-REL on OpenBSD
match domain m|^\0\x1e\0\x06\x81\x82\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03$| p/ISC Bind/ v/4.X/
# PowerDNS 2.9.6 on FreeBSD
# PowerDNS 2.9.8 Linux
match domain m|^\0.\0\x06\x85\0\0\x01\0\x01\0\0\0\0\x07version\x04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x01\0\0\0\x05\0..Served by POWERDNS (\d[-.\w]+) |s p/PowerDNS/ v/$1/
# Symantec Enterprise Firewall 6.5.2 DNS proxy on Win2K
match domain m|^\0\x1e\0\x06\x81\x85\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03$| p/Symantec Enterprise Firewall DNS proxy/
match exec m|^\x01Login incorrect\.\n$|
# HP-UX B.11.00 A
match exec m|^\x01rexecd: Login incorrect.\n$| p/HP-UX rexecd/ o/HP-UX/
match exec m|^\x01rexecd: [-\d]+ The login is not correct\.\n| p/AIX rexecd/ o/AIX/
# MyDNS 0.10.0 on Linux
match domain m|^\0\x0c\0\x06\x81\x04\0\0\0\0\0\0\0\0$| p/MyDNS/

# Digital UNIX V4.0F login
match login m|^\x01Permission denied: Error 0$| p/Digital UNIX login/ o/Digital UNIX/
# RedHat 7.3 - Oracle TNS Listener Oracle 8.1.7
# Oracle 8.1.6.1.0 on Linux 2.2.X
match oracle-tns m|^\0\x1c\0\0\x04\x01\0\0\0X\0\0| p/Oracle TNS Listener/

# OpenBSD 2.3
# Solaris 9
match rlogin m|^\x01rlogind: Permission denied\.\r\n$|
# HP-UX 11 Kerberized rlogin
match klogin m|^\x01rlogind: Login Incorrect\.\r\n$| p/HP-UX kerberized rlogin/ o/HP-UX/
# Solaris Kerberos authenticated login
match klogin m|^\x01rlogind: Kerberos authentication failed\.\r\n| p/Solaris kerberized rlogin/ o/Solaris/
# Solaris Kerberos authenticated remote shell
match kshell m|^\x01rshd: Authentication failed: Bad sendauth version was sent\n| p/Solaris kerberised rsh/ o/Solaris/
match ssc-agent m|^\0\x1e\0\x06\0\t\0\0$| p/Novell Netware ssc-agent/ o/NetWare/
# http://www.apcupsd.com/ - apcupsd 3.8.5-1.3 on Linux 2.4.X
match apcnisd m|^\0\x11Invalid command\n\0\0\0$| p/apcupsd/

match klogin m|^\x01krlogind: Kerberos Authentication Failed\.\r\n\0| p/AIX kerberized rlogin/ o/AIX/
match kshell m|^\x01rshd: [-\d]+ The host name for your address is not known\.\n| p/AIX (kerberized?) rshd/ o/AIX/

# 13724/tcp
match vnetd m|^1\0$| p/Veritas Netbackup Network Utility/

# Sun Cobalt Adaptive Firewall 1.7-0
match pafserver m|^\0&\xeb\xefTQM\xee\[B| p/Sun Cobalt Adaptive Firewall/ o/Sun Cobalt Linux/

# RSA SecureID Ace Server 5
match sdlog m|^\0\0\0\x01\0\x17\0\x14\0\x06\0\0\0\x01\0\0\0\0\0\0$| p/RSA SecureID Ace Server/

# Sun Cobalt Adaptive Firewall 1.7-0
match pafserver m|^\0&\xeb\xefTQM\xee\[B| p/Sun Cobalt Adaptive Firewall/ o/Sun Cobalt Linux/

# DNS Server status request: http://www.crynwr.com/crynwr/rfc1035/rfc1035.html
##############################NEXT PROBE##############################
Probe UDP DNSStatusRequest q|\0\0\x10\0\0\0\0\0\0\0\0\0|
ports 53,135
match domain m|^\0\0\x90\x04\0\0\0\0\0\0\0\0|
# This one below came from 2 tested Windows XP boxes
match msrpc m|^\x04\x06\0\0\x10\0\0\0\0\0\0\0|

# DNS Server status request: http://www.crynwr.com/crynwr/rfc1035/rfc1035.html
##############################NEXT PROBE##############################
Probe TCP DNSStatusRequest q|\0\x0C\0\0\x10\0\0\0\0\0\0\0\0\0|
ports 53,6050,41523
match domain m|^\0\x0C\0\0\x90\x04\0\0\0\0\0\0\0\0|
# ARCserve Client Agent v4.0d for Solaris 2.x(Running on SunOS 5.8Generic_108528-13 sun4u)
match arcserve m|^\0\0s\0\0\0\0\0$| p/ARCserve Client Agent/ i/backup software/
# ARCServe Win32 Client Agent v4.0
match arcserve m|^h\0\0\0\0\0\0\0$| p/ARCserve Client Agent/ i/backup software/
# ARCserver Client Agent Discovery service on W2K3
match arcserve m|^([\w\d_-]+)\0$| p/ARCserve Discovery/ h/$1/


##############################NEXT PROBE##############################
Probe UDP NBTStat q|\x80\xf0\0\x10\0\x01\0\0\0\0\0\0\x20\x43\x4bAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0\x21\0\x01|
ports 137
# NBT Response starts with a header:  
# The following fields are each 2 bytes: transaction ID; Flags; question count; answer count; name service count; additional record count
# Next comes 34 bytes NUL-terminaed name
# then comes 2 byte fields: question type; question clss
# 4 byte TTL
# 2 byte rdata length
# 1 byte number of names
### -- End of header
# Next comes the given number of nbnames - each are a 15 byte name (space padded) followed by a one byte service type, and then 16 BIT flags
### -- End of name table - finally comes the footer:
# 48 - Adapter address (eg MAC addy)
# 8 bit fields: major version; minor version
# 16 bit fields: duration; frmps received; frmps transmitted; iframe receive errors; transmit aborts
# 32 bit fields: trasnmitted; received
# The remaining fields are all 16-bits: iframe transmit errors; number of receive buffers; tl_timeouts; tl_timeouts; free ncbs; ncbs; 
#                                       max_ncbs; number of transmit buffers; max datagram; pending sessions; max sessions; packet_sessions

# I'm not convinced that these next 4 work on a very wide variety of
# machines.  I think most of the real matching comes in the next block.
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0...(\w{1,15}) *\0\x04\0(\w{1,15}) *\0\x84\0\w{1,15} *\x03\x04\0\w{1,15} *\x04\0\w{1,15} *\x1e\x84\0\w{1,15} *\x1d\x04\0\x01\x02__MSBROWSE__\x02\x01\x84\0(\w{1,15}) *\x03|s p/Microsoft Windows XP netbios-ssn/ i/workgroup: $2 user: $3/ o/Windows XP/ h/$1/
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0...(\w{1,15}) *\0\x04\0(\w{1,15}) *\0\x84\0\w{1,15} *\x03\x04\0\w{1,15} *\x04\0\w{1,15} *\x1e\x84\0\w{1,15} *\x1d\x04\0\x01\x02__MSBROWSE__\x02\x01\x84\0\0|s p/Microsoft Windows XP netbios-ssn/ i/workgroup: $2/ o/Windows XP/ h/$1/
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0...(\w{1,15}) *\0\x04\0(\w{1,15}) *\0\x84\0\w{1,15} *\x03\x04\0\w{1,15} *\x04\0(\w{1,15}) *\x03\x04\0\w{1,15} *\x1e\x84\0|s p/Microsoft Windows XP netbios-ssn/ i/workgroup: $2 user: $3/ o/Windows XP/ h/$1/
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0...(\w{1,15}) *\0\x04\0(\w{1,15}) *\0\x84\0\w{1,15} *\x03\x04\0\w{1,15} *\x04\0\w{1,15} *\x1e\x84\0|s p/Microsoft Windows XP netbios-ssn/ i/workgroup: $2/ o/Windows XP/ h/$1/

# It would be really nice if we could get username and/or OS
# information from this.  But it is quite hard to parse out the proper
# information unambiguously, especially with just regular expressions.
# But it certainly would be nice to get more info:
#
# nbtstat
#
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0\0..([\w\-]{1,15}) *\0D\0.*\0([\w\-]{1,15}) *\0\xc4\0|s p/Microsoft Windows netbios-ssn/ i/workgroup: $2/ o/Windows/ h/$1/
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0\0..([\w\-]{1,15}) *\0D\0([\w\-]{1,15}) *\0\xc4\0|s p/Microsoft Windows netbios-ssn/ i/workgroup: $2/ o/Windows/ h/$1/
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0\0...*\0([\w\-]{1,15}) *\0D\0.*\0([\w\-]{1,15}) *\0\xc4\0|s p/Microsoft Windows netbios-ssn/ i/workgroup: $2/ o/Windows/ h/$1/
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0\0...*\0([\w\-]{1,15}) *\0D\0([\w\-]{1,15}) *\0\xc4\0|s p/Microsoft Windows netbios-ssn/ i/workgroup: $2/ o/Windows/ h/$1/
# Windows NT 4.0 SP6a
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0...([\w\-]{1,15}).*\04\0([\w\-]{1,15}) *\0\x84\0|s p/Microsoft Windows NT netbios-ssn/ i/workgroup: $2/ o/Windows NT/ h/$1/
#
# Samba has a version too
# nmbd version 2.2.7 on Linux 2.4.20
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0...([\w\-]{1,15}).*\x04\0([\w\-]{1,15}) *\x1e\x84\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0|s p/Samba nmbd/ i/workgroup: $2/ h/$1/

##############################NEXT PROBE##############################
Probe UDP Help q|help\r\n\r\n|
ports 7,13,37
match chargen m|@ABCDEFGHIJKLMNOPQRSTUVWXYZ|
match echo m|^help\r\n\r\n$|
# Solaris 8, 9
match daytime m|^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} +\d\d:\d\d:\d\d 20\d\d\n\r| p/Sun Solaris daytime/ o/Solaris/
# Mandrake Linux 9.2, xinetd daytime
match daytime m|^[0-3]\d [A-Z][A-Z][A-Z] 20\d\d \d\d:\d\d:\d\d \S+\r\n|
# Will last until 0xC5FFFFFF, in April 2005 - need to shift in advance.
match time m|^[\xc0-\xc5]...$|
# Solaris Internet Name Server (42/udp), see ien116.txt
match nameserver m|^help\r\n\r\n\0\0\0\0\x20CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01| p/Solaris Internet Name Server/ i/IEN 116/ o/Solaris/
match nameserver m|^\x03\x03\x02$| p/Solaris Internet Name Server/ i/IEN 116/ o/Solaris/
match nameserver m|^\0\x06\x01\0\0\x01\0\0\x03\x03\x02$| p/Solaris Internet Name Server/ i/IEN 116/ o/Solaris/

match http m|^HTTP/1\.0 \d{3} .*\r\nServer: CompaqHTTPServer/([.\w\d]+)\r\n|s p/Compaq Insight Manager HTTP server/ v/$1/

##############################NEXT PROBE##############################
Probe TCP Help q|HELP\r\n|
ports 1,7,21,25,79,113,2401,2627
sslports 465
totalwaitms 7500

# CVSD (cvs chrooting service for pserver) cvsd 0.9.18
# CVS 1.11.5 pserver
match cvspserver m|^cvs \[pserver aborted\]: bad auth protocol start: HELP\r\n\n$| p/cvs pserver/
# CVSNT pserver
match cvspserver m|^cvs \[server aborted\]: bad auth protocol start: HELP\r\n$| p/CVSNT pserver/
match cvspserver m|^cvs \[server aborted\]: bad auth protocol start: HELP\r\nerror  \n$| p/CVSNT pserver/
# Concurrent Versions System (CVS) 1.10.7 (client/server)
match cvspserver m|^cvs-pserver \[pserver aborted\]: bad auth protocol start: HELP\r\n\n| p/cvs pserver/
match echo m|^HELP\r\n$|
# ProFTPD 1.2.5
match ftp m|^220 ([-.\w]+) FTP server ready\.\r\n214-The following commands are recognized \(\* =>'s unimplemented\)\.\r\n USER    PASS    ACCT\*   CWD     XCWD    CDUP    XCUP    SMNT\*   \r\n QUIT    REIN\*   PORT    PASV    TYPE    STRU    MODE    RETR    \r\n STOR    STOU\*   APPE    ALLO\*   REST    RNFR    RNTO    ABOR    \r\n DELE    MDTM    RMD     XRMD    MKD     XMKD    PWD     XPWD    \r\n SIZE    LIST    | p/ProFTPD/ v/1.2.5/ h/$1/ o/Unix/
# ProFTPD 1.2.6
match ftp m|^220 ([-.\w]+) FTP server ready\.\r\n214-The following commands are recognized \(\* =>'s unimplemented\)\.\r\n214-USER    PASS    ACCT\*   CWD     XCWD    CDUP    XCUP    SMNT\*   \r\n214-QUIT    REIN\*   PORT    PASV    EPRT    EPSV    TYPE    STRU    \r\n214-MODE    RETR    STOR    STOU    APPE    ALLO\*   REST    RNFR    \r\n214-RNTO    ABOR    DELE    MDTM    RMD     XRMD    MKD     XMKD| p/ProFTPD/ v/1.2.6/ h/$1/ o/Unix/
match ftp m|^220 ([-.\w]+ )?FTP [sS]erver ready\.?\r\n214-The following commands are recognized \(\* =>'s unimplemented\)\.\r\n214-USER    PASS    ACCT\*   CWD     XCWD    CDUP    XCUP    SMNT\*   \r\n214-QUIT    REIN\*   PORT    PASV    EPRT    EPSV    TYPE    STRU    \r\n214-MODE    RETR    STOR    STOU    APPE    ALLO\*   REST    RNFR    \r\n214-RNTO    ABOR    DELE    MDTM    RMD     XRMD    MKD     XMKD| p/ProFTPD/ v/1.2.6/ h/$1/ o/Unix/
# ProFTPD 1.2.8
# proftpd 1.2.9 rc1
match ftp m@^220 .*\r\n214-The following commands are recognized \(\* =>'s unimplemented\)\.\r\n(214-| )USER    PASS    ACCT\*   CWD     XCWD    CDUP    XCUP    SMNT\*   \r\n(214-| )QUIT    REIN\*   PORT    PASV    TYPE    STRU    MODE    RETR    \r\n(214-| )STOR    STOU    APPE    ALLO\*   REST    RNFR    RNTO    ABOR    \r\n(214-| )DELE    MDTM    RMD     XRMD    MKD     XMKD    PWD     XPWD    \r\n(214-| )SIZE@ p/ProFTPD/ v/1.2.8 - 1.2.9/ o/Unix/
match ftp m@^220 .*\r\n214-The following commands are recognized \(\* =>'s unimplemented\)\.\r\n(214-| )USER    PASS    ACCT\*   CWD     XCWD    CDUP    XCUP    SMNT\*   \r\n(214-| )QUIT    REIN\*   PORT    PASV    EPRT    EPSV    TYPE    STRU    \r\n(214-| )MODE    RETR    STOR    STOU    APPE    ALLO\*   REST    RNFR    \r\n(214-| )RNTO    ABOR    DELE    MDTM    RMD     XRMD    MKD     XMKD    \r\n(214-| )PWD     XPWD    SIZE    LIST    NLST    SITE    SYST    STAT    \r\n@ p/ProFTPD/ v/1.2.8 - 1.2.9/ o/Unix/
# proftpd 1.2.9rc1 on linux 2.4.19
match ftp m|220 localhost FTP server ready\r\n214-The following commands are recognized \(\* =>'s unimplemented\)\.\r\n214-USER    PASS    ACCT\*   CWD     XCWD    CDUP    XCUP    SMNT\*   \r\n214-QUIT    REIN\*   PORT    PASV    TYPE    STRU    MODE    RETR    \r\n214-STOR    STOU    APPE    ALLO\*   REST    RNFR    RNTO    ABOR    \r\n214-DELE| p/ProFTPD/ v/1.2.9rc1/ o/Unix/
# proftpd 1.2.10
match ftp m|^220 .*\r\n214-The following commands are recognized \(\* =>'s unimplemented\):\r\n CWD     XCWD    CDUP    XCUP    SMNT\*   QUIT    PORT    PASV    \r\n EPRT    EPSV    ALLO\*   RNFR    RNTO    DELE    MDTM    RMD     \r\n XRMD    MKD     XMKD    PWD     XPWD    SIZE    SYST    HELP    \r\n NOOP    FEAT    OPTS    AUTH\*?   CCC\*    CONF\*   ENC\*    MIC\*    \r\n PBSZ\*?   PROT\*?   TYPE    STRU    MODE    RETR    STOR    STOU    \r\n|s p/ProFTPD/ v/1.2.10/
match ftp m|^220 .*\r\n214-The following commands are recognized \(\* =>'s unimplemented\):\r\n CWD     XCWD    CDUP    XCUP    SMNT\*   QUIT    PORT    PASV    \r\n EPRT    EPSV    ALLO\*   RNFR    RNTO    DELE    MDTM    RMD     \r\n XRMD    MKD     XMKD    PWD     XPWD    SIZE    SYST    HELP    \r\n|s p/ProFTPD/

# Solaris 8 ftpd
match ftp m|^220 ([-.+\w]+) FTP server \(.*\) ready\.\r\n214-The following commands are recognized:\r\n   USER    EPRT    STRU    MAIL\*   ALLO    CWD     STAT\*   XRMD \r\n   PASS    LPRT    MODE    MSND\*   REST\*   XCWD    HELP    PWD \r\n   ACCT\*   EPSV    RETR    MSOM\*   RNFR    LIST    NOOP    XPWD \r\n   REIN\*   LPSV    STOR    MSAM\*   RNTO    NLST    MKD     CDUP \r\n| p/Sun Solaris ftpd/ h/$1/ o/Solaris/
# Phaser860 printer
match ftp m|^220 FTP server ready\.\r\n214- The following commands are recognized \(\* =>'s unimplemented\)\.\r\n   USER    PORT    STOR    MSAM\*   RNTO\*   NLST\*   MKD\*    CDUP\*   EPLF\*\r\n   PASS    PASV\*   APPE\*   MRSQ\*   ABOR    SITE\*   XMKD\*   XCUP\*\r\n   ACCT\*   TYPE    MLFL\*   MRCP\*   DELE    SYST    RMD\*    STOU \r\n   SMNT\*   STRU    MAIL\*   ALLO\*   CWD\*    STAT    XRMD\*   SIZE\*\r\n   REIN\*   MODE    MSND\*   REST\*   XC| p/Phaser printer ftpd/ d/printer/
# bsd-ftpd 0.3.3 (port of OpenBSD ftp server) on Linux 2.4.20
match ftp m|^220 ([-.\w]+) FTP server ready\.\r\n214- The following commands are recognized \(\* =>'s unimplemented\)\.\r\n   USER    PORT    TYPE    MLFL\*   MRCP\*   DELE    SYST    RMD     STOU \r\n   PASS    LPRT    STRU    MAIL\*   ALLO    CWD     STAT    XRMD    SIZE \r\n   ACCT\*   EPRT    MODE    MSND\*   REST    XCWD    HELP    PWD     MDTM \r\n   SMNT\*   PASV    RETR    MSOM\*   RNFR    LIST    NOOP    XPWD \r| p/bsd-ftpd/ o/Linux/ h/$1/
# Rhinosoft Serv-U FTP v.4.1 build 4.1.0.0 on Windows XP
match ftp m|^220 .*\r\n214- The following commands are recognized \(\* => unimplemented\)\.\r\n   USER    PORT    RETR    ALLO    DELE    SITE    XMKD    CDUP    FEAT\r\n   PASS    PASV    STOR    REST    CWD     STAT    RMD     XCUP    OPTS\r\n   ACCT    TYPE    APPE    RNFR    XCWD    HELP    XRMD    STOU    AUTH\r\n   REIN    STRU    SMNT    RNTO    LIST    NOOP    PWD     SIZE    PBSZ\r\n| p/Rhinosoft Serv-U FTP/
# BulletProof FTP server 2.15 on Windows XP
match ftp m|^220 .*\r\n530 Please login with USER and PASS first\.\r\n$| p/BulletProof FTPd/ o/Windows/
# SGI IRIX 6.5.18f ftpd
match ftp m|^220 ([-.\w]+) FTP server ready\.\r\n214- The following commands are recognized \(\* =>'s unimplemented\)\.\r\n   USER    PORT    STOR    MSAM\*   RNTO    NLST    MKD     CDUP \r\n   PASS    PASV    APPE    MRSQ\*   ABOR    SITE    XMKD    XCUP \r\n   ACCT\*   TYPE    MLFL\*   MRCP\*   DELE    SYST    RMD     STOU \r\n   SMNT\*   STRU    MAIL\*   ALLO    CWD     STAT    XRMD    SIZE \r\n   REIN\*   MODE    MSND\*   REST    XCWD    HELP    PWD     MDTM \r\n   QUIT    RETR    MSOM\*   RNFR    LIST    NOOP    XPWD \r\n214 Direct comments to | p/SGI IRIX ftpd/ h/$1/ o/IRIX/
match ftp m|^421 Server is temporarily unavailable - please try again later\.\r\n421 Service closing control connection\.\r\n| p/Serv-U ftpd/ i/Server temporarily unavailable/ o/Windows/
# FreeBSD 4.10 ftpd
match ftp m|^220 FTP server ready\.\r\n214- The following commands are recognized \(\* =>'s unimplemented\)\.\r\n   USER    PORT    TYPE    MLFL\*   MRCP\*   DELE    SYST    RMD     STOU \r\n   PASS    LPRT    STRU    MAIL\*   ALLO    CWD     STAT    XRMD    SIZE \r\n   ACCT\*   EPRT    MODE    MSND\*   REST    XCWD    HELP    PWD     MDTM \r\n   SMNT\*   PASV    RETR    MSOM\*   RNFR    LIST    NOOP    XPWD \r\n   REIN\*   LPSV    STOR    MSAM\*   RNTO    NLST    MKD     CDUP \r\n   QUIT    EPSV    APPE    MRSQ\*   ABOR    SITE    XMKD    XCUP \r\n214 End\.\r\n| p/FreeBSD ftpd/
match ftp m|^220 .*\r\n214-CesarFTP server ([\w.]+) supports the following commands:\r\n| p/CesarFTPd/ v/$1/
match ftp m|^220 Private ftp server, anonymous login not allowed\.\r\n214-The following commands are recognized:\r\n   USER   PASS   QUIT   CWD    PWD    PORT   PASV   TYPE\r\n   LIST   REST   CDUP   RETR   STOR   SIZE   DELE   RMD \r\n   MKD    RNFR   RNTO   ABOR   SYST   NOOP   APPE   NLST\r\n   MDTM   XPWD   XCUP   XMKD   XRMD   NOP    EPSV   EPRT\r\n   AUTH   ADAT   PBSZ   PROT   FEAT   MODE   OPTS   HELP\r\n214 Have a nice day\.\r\n| p/FileZilla ftpd/ i/No anon login/ o/Windows/
# OpenVMS 7.3-1
match ftp m|^220 ([\w-_.]+) FTP Server \(Version ([\d.]+)\) Ready\.\r\n214-The following commands are recognized:\r\n   USER    TYPE    RETR    RNFR    NLST    PWD     ALLO    EPSV \r\n   PASS    STRU    STOR    RNTO    CWD     CDUP    SYST    QUIT \r\n   SITE    PORT    STOU    DELE    MKD     NOOP    STAT    HELP \r\n   MODE    EPRT    APPE    LIST    RMD     ABOR    PASV \r\n214 End of Help\.\r\n| p/OpenVMS ftpd/ v/$2/ h/$1/

match ftp m|^220 Speak friend, and enter\r\n214-\r\n  ftpd\.bin - Round-robin File Transfer Server, version ([\w.]+)\r\n| p/ftpd.bin round-robin file server/ v/$1/
match ftp m|^220 FTP server ready\.  \r\n214-Ethernet Interface\r\n    \r\n    To access help, cd to the help directory then enter a \"dir\" command\.\r\n    \r\n    \r\n| p/QMS Magicolor 2200 DeskLaser printer ftpd/ d/printer/
match ftp m|^220 FTPU ready\.\r\n500 Sorry, no such command\.\r\n| p/NetGear DG632 router ftpd/ d/router/
match ftp m|^220 ([\w-_.]+) FTP server \(UNIX_SV ([\d.]+)\) ready\.\r\n214-The following commands are recognized \(\* =>'s unimplemented\)\.\r\n   USER    PORT    STOR    MSAM\*   RNTO    NLST    MKD     CDUP \r\n   PASS    PASV    APPE    MRSQ\*   ABOR    SITE    XMKD    XCUP \r\n   ACCT\*   TYPE    MLFL\*   MRCP\*   DELE    SYST    RMD     STOU \r\n   SMNT\*   STRU    MAIL\*   ALLO    CWD     STAT    XRMD    SIZE \r\n   REIN\*   MODE    MSND\*   REST    XCWD    HELP    PWD     MDTM \r\n   QUIT    RETR    MSOM\*   RNFR    LIST    NOOP    XPWD \r\n| p/WU-FTPd/ i/UNIX_SV $2/ h/$1/ o/Unix/

match finger m|^iFinger v(\d[-.\w]+)\n\n| p/IcculusFinger/ v/$1/

match ident m|^HELP : USERID : UNIX : trilluser\r\n$| p/Trillian identd/
# Internet Rex v2.29
match ident m|^\d+, \d+ : USERID : UNIX : [-.@\w]+\r\n| p/Internet Rex identd/
# Symantec Enterprise Firewall 6.5.2 SMTP proxy on Windows 2000
match smtp m|^220 ([-.+\w]+) Generic SMTP handler\r\n214 Help not supported by this implementation\r\n$| p/Symantec Enterprise Firewall smtp proxy/ h/$1/
# Lotus Notes Domino 6.1 smtp server on Win2K
match smtp m|^220 Welcome to ([-.+\w]+) ESMTP Server at .*\r\n214-Enter one of the following commands:\r\n214-HELO EHLO MAIL RCPT DATA RSET NOOP QUIT\r\n214 HELP VRFY EXPN STARTTLS \r\n$| p/Lotus Notes Domino smtpd/ h/$1/
match smtp m|^220.*?\n214-Commands supported:\r\n214-    HELO EHLO MAIL RCPT DATA(?: ETRN)?(?: AUTH)?\r\n214     NOOP QUIT RSET HELP \r\n$| p/Exim smtpd/ v/3.X/
match smtp m|^220.*?ESMTP.*\n214-Commands supported:\r\n214 AUTH (?:STARTTLS )?HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP\r\n$| p/Exim smtpd/ v/4.X/

match smtp m|^220([\s-]\S+) ESMTP ?\r\n214[- ]qmail home page: http://pobox.com/~djb/qmail.html| p/qmail smtpd/ h/$1/ o/Unix/
match smtp m|^220([\s-]\S+) ESMTP ?\r\n214[- ]qmail home page: http://pobox\.com/~djb/qmail\.html\r\n214[- ]qmail-ldap patch home page: http://www\.nrg4u\.com\r\n| p/qmail-ldap smtpd/ h/$1/ o/Unix/
match smtp m|^220[\s-].*?ESMTP\r\n214 netqmail home page: http://qmail\.org/netqmail\r\n| p/netqmail smtpd/ v/1.04/ o/Unix/
# VirusBuster MailShield for SMTP. Version 1.15.030 on Linux 2.4
match smtp m|^220 ([-.\w]+) SMTP version 1\.00;\r\n214 We strongly advise you to study of the RFC821\.\.\.\r\n$| p/VirusBuster MailShield for SMTP/ o/$1/
# Postfix 1.1.12, 1.1.13, 2.0.9, 2.0.16
match smtp m|^220 .*\r\n502 Error: command not implemented\r\n$| p/Postfix smtpd/
# Courier ESMTP courier-0.42.0-1.7.3
match smtp m|^220 ([-.\w]+) ESMTP\r\n502 ESMTP command error\r\n$| p/Courier smtpd/ h/$1/
match smtp m|214-2\.0\.0 This is sendmail version (\S+)\r?\n214-2\.0\.0 Topics:|s p/Sendmail/ v/$1/ o/Unix/
match smtp m|^220(\S+) E?SMTP Sendmail;| p/Sendmail/ h/$1/ o/Unix/
match smtp m|^220.* Sendmail (\d[-.\w]+) -- HELP not implemented\r\n|s p/Sendmail/ v/$1/ o/Unix/
match smtp m|^220.*214-This is America Online mail version [vV](\S+)|s p/AOL smtpd/ v/$1/
match smtp m|^220.*214 2\.0\.0 http://www\.google\.com/search.*RFC\+2821\s*\r?\n|s p/Google smtpd/
match smtp m|^220.*214 SMTP server comments and bug reports to: \<zmhacks\@nic.funet.fi\>|s p/ZMailer smtpd/
match smtp m|^220.*500 MessageWall: Unrecognized command|s p/MessageWall SMTP proxy/
match smtp m|^220.*500 Unknown or unimplemented command|s p/MIMEsweeper SMTP proxy/
match smtp m|^220.*214 See http\:\/\/www\.messagelabs\.com\/support|s p/MessageLabs smtpd/
match smtp m|^220(\S+) ESMTP Service\r\n502 5\.3\.0 Sendmail Xserve -- HELP not implemented\r\n$| p/Xserve smtpd/ h/$1/ o/Unix/
# Doesn't look like we can always get the host from the following:
match smtp m|^220 .*\r\n214-Commands Supported:\r\n214-HELO EHLO AUTH HELP QUIT MAIL NOOP RSET RCPT DATA ETRN VRFY STARTTLS\r\n214-Copyright \(c\) 1995-200\d, Stalker Software, Inc\.\r\n| p/Communigate Pro smtpd/
match smtp m|^220 Jana-Server ESMTP Service ready\r\n214- Jana Server ([\w.]+)\r\n| p/Jana mail server/ v/$1/ o/Windows/


match tcpmux m|^(sgi_[-.\w]+\r\n([-.\w]+\r\n)*)$| p/SGI IRIX tcpmux/ i/Available services: $SUBST(1, "\r\n", ",")/ o/IRIX/
# Written in 1986.  More info at 
# http://ftp.rge.com/pub/X/X11R5/contrib/xwebster.README
match webster m/^DICTIONARY server protocol:\r\n\r\nContact name is/ p/Webster dictionary server/

##############################NEXT PROBE##############################
Probe TCP SSLSessionReq q|\x16\x03\0\0S\x01\0\0O\x03\0?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0(\0\x16\0\x13\0\x0a\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0\x15\0\x12\0\x09\0\x14\0\x11\0\x08\0\x06\0\x03\x01\0|
ports 427,443,444,548,636,1241,1311,2000,8009

# Apple Filing Protocol (AFP) over TCP on Mac OS X
match afp m|^\x01\x03\0\0\xff\xff\xecQ\0\0\x01.\0\0\0\0\0.\0.\0.\0.\x80\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x05\x06AFPX03\x06AFP2\.2\x0eAFPVersion 2\.1\x0eAFPVersion 2\.0\x0eAFPVersion 1\.1.\tDHCAST128|s p/Apple AFP/ i/name: $1; protocol 2.2; Mac OS X 10.1.*/
match afp m|^\x01\x03\0\0\xff\xff\xecQ\0\0..\0\0\0\0\0.\0.\0.\0.\x83\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x06\x06AFP3\.1\x06AFPX03\x06AFP2\.2\x0eAFPVersion 2\.1\x0eAFPVersion 2\.0\x0eAFPVersion 1\.1.\tDHCAST128|s p/Apple AFP/ i/name: $1; protocol 3.1; Mac OS X 10.2.*;/
match afp m|^\x01\x03\0\0\xff\xff\xecQ\0\0..\0\0\0\0\0.\0.\0.\0.\x83\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x03\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\tDHCAST128|s p/Apple AFP/ i/name: $1; protocol 3.1; Mac OS X 10.3.*;/
match afp m|^\x01\x03\0\0\xff\xff\xecQ\0\0..\0\0\0\0\0.\0.\0.\0.\x87\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x04\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x06AFP2\.2\x04\tDHCAST128|s p/Apple AFP/ i/name: $1; protocol 3.2; Max OS X 10.4.*;/
# OpenSSL/0.9.7aa
match ssl m|^\x16\x03\0\0J\x02\0\0F\x03\0| p/OpenSSL/
# Microsoft-IIS/5.0 - note that OpenSSL must go above this one because this is more general
match ssl m|^\x16\x03\0..\x02\0\0F\x03\0|s p/Microsoft IIS SSL/ o/Windows/
# Novell Netware 6 Enterprise Web server 5.1 https
# Novell Netware Ldap over SSL or enterprise web server 5.1 over SSL
match ssl m|^\x16\x03\0\0:\x02\0\x006\x03\0| p/Novell Netware SSL/ o/NetWare/
# Cisco IDS 4.1 Appliance
match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03\0\xd10:\xbd\\\x8e\xe3\x15\x1c\x0fZ\xe4\x04\x87\x07\xc0\x82\xa9\xd4\x0e\x9c1LXk\xd1\xd2\x0b\x1a\xc6/p\0\0\n\0\x16\x03\0\x026\x0b\0\x022\0| p/Cisco IDS SSL/ d/fireall/
# Nessus server sometimes gives this answer
match ssl m|^\x15\x03\0\0\x02\x02\($| p/Nessus security scanner/ 
# Other Nessus instances look like this:
match ssl m|^\x16\x03\x01\0J\x02\0\0F\x03\x01\?| p/Nessus security scanner/
# PGP Corporation Keyserver Web Console 7.0 - custom Apache 1.3
# PGP LDAPS Keyserver 8.X
match ssl m|^\x16\x03\0\0\+\x02\0\0'\x03\0...\?|s p/PGP Corporation product SSL/
# Unreal IRCd SSL
# RemotelyAnywhere
match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03\0\?|
# Timbuktu Pro 6.0.3 on Mac OS X 10.2.6
match svrloc m|^\x02\x02\0\0\x12\0\0\0\0\0\0\0\0\x02en\0\x02$| p/Apple slpd/ o/Mac OS/
# Tumbleweed SecureTransport 4.1.1 Transaction Manager Secure Port on Solaris
# Dell Openmanage
match ssl m|^\x15\x03[\x01\x00]\0\x02\x01\0$| p/multi-vendor SSL/

# SMB Negotiate Protocol
##############################NEXT PROBE##############################
Probe TCP SMBProgNeg q|\0\0\0\xa4\xff\x53\x4d\x42\x72\0\0\0\0\x08\x01\x40\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x40\x06\0\0\x01\0\0\x81\0\x02PC NETWORK PROGRAM 1.0\0\x02MICROSOFT NETWORKS 1.03\0\x02MICROSOFT NETWORKS 3.0\0\x02LANMAN1.0\0\x02LM1.2X002\0\x02Samba\0\x02NT LANMAN 1.0\0\x02NT LM 0.12\0|
ports 42,88,135,139,445,1031,1112,5555,5600,27000

# I hate making it this general, but it seems like the only pattern
# that matches everything. -Doug
match flexlm m|^W.-60\0|s p/FlexLM license manager/

# Windows 2000 Server Kerberos
# Windows Server 2003 kerberos
match kerberos-sec m/^\0\0\0\0$/ p/Microsoft Windows kerberos-sec/ o/Windows/
# Windows XP SP1
match microsoft-ds m|^\0\0\0.\xffSMBr\0\0\0\0\x88\x01@\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\x06\0\0\x01\0\x11\x07\0.\n\0\x01\0\x04\x11\0\0\0\0\x01\0\0\0\0\0\xfd\xe3\0\0| p/Microsoft Windows XP microsoft-ds/ o/Windows XP/
match microsoft-ds m|^\0\0\0.\xffSMBr\0\0\0\0\x88\x01@\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\x06\0\0\x01\0\x11\x07\0.2\0\x01\0\x04A\0\0\0\0\x01\0\0\0\0\0\xfd\xf3\0\0| p/Microsoft Windows 2000 microsoft-ds/ o/Windows 2000/
# Microsoft Windows 2003
match microsoft-ds m|^\0\0\0.\xffSMBr\0\0\0\0\x88\x01@\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\x06\0\0\x01\0\x11\x07\0.2\0\x01\0\x04.\0\0\0\0\x01\0\0\0\0\0\xfd\xf3\x01\0|s p/Microsoft Windows 2003 microsoft-ds/ o/Windows 2003/
# Microsoft Windows 2000 Server
# Microsoft Windows 2000 Server SP4
match microsoft-ds m|^\0\0\0.\xffSMBr\0\0\0\0\x88\x01@\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\x06\0\0\x01\0\x11\x07\0.[}2]\0\x01\0\x04A\0\0\0\0\x01\0\0\0\0\0\xfd[\xe3\xf3]\0\0|s p/Microsoft Windows 2000 microsoft-ds/ o/Windows 2000/
# Microsoft Windows XP SP1
# Windows 2000
match msrpc m|^\x05\0\r\x03\x10\0\0\0\x18\0\0\0\0\x08\x01@\x04\0\x01\x05\0\0\0\0$| p/Microsoft Windows RPC/ o/Windows/
# Windows 2000 Advanced Server c:\winnt\system32\Mstask.exe
match mstask m|^\x05\0\r\x03\x10\0\0\0\x18\0\0\0\0\x08\x01@\x04\0\x01\x05\0...|s p/Microsoft mstask/ i/task server - c:\winnt\system32\Mstask.exe/ o/Windows/
# Microsoft Windows 2000
# samba-2.2.7-5.8.0 on RedHat 8
# samba-2.2.7a-8.9.0 on Red Hat Linux 7.x
match netbios-ssn m|^\0\0\0.\xffSMBr\0\0\0\0\x88\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\x06\0\0\x01\0\x11\x06\0.*\W([-.\w]+)\0$|s p/Samba smbd/ i/workgroup: $1/
# Samba 2.999+3.0.alpha21-5 on Linux
# Samba 3.0.0rc4-Debian
match netbios-ssn m+^\0\0\0.\xffSMBr\0\0\0\0\x88\x01.\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\x06\0\0\x01\0\x11\x06\0.*([^\0]|([^-A-Z0-9]\0))(([-\w]\0){2,50})+s p/Samba smbd/ v/3.X/ i/workgroup: $P(3)/
# Samba 2.2.8a on Linux 2.4.20
match netbios-ssn m|^\x83\0\0\x01\x81$| p/Samba smbd/
# DAVE 4.1 enhanced windows networks services for Mac on Mac OS X
match netbios-ssn m|^\0\0\0.\xffSMBr\x02\0Y\0\x98\x01.\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\x06\0\0\x01\0\0\x07\0|s p/Thursby DAVE Windows filesharing/ i/Runs on Macintosh systems/ o/Mac OS/
# Windows 98
match netbios-ssn m|^\x83\0\0\x01\x8f$| p/Microsoft Windows 98 netbios-ssn/ o/Windows 98/
# Netware might just be using Samba?
match netbios-ssn m|^\0\0\0M\xffSMBr\0\0\0\0\x80\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\x06\0\0\x01\0\x11\x07\0\x032\0\x01\0\xff\xff\0\0\0\0\x01\0| p/Netware 6 SMB Services/
# Network Appliance ONTAP 6.3.3 netbios-ssn
match netbios-ssn m/^\0\0\0.\xffSMBr\0\0\0\0\x98\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\x06\0\0\x01\0\x11\x07\0.*([^\0]|([^-A-Z0-9]\0))(([-\w]\0){2,50})/s p/Network Appliance Ontap smbd/ i/workgroup: $P(3)/
# HP OpenView Storage Data Protector A.05.10 on Windows 2000
# Hewlett Packard Omniback 4.1 on Windows NT
match omniback m|^\0\0\0.\xff\xfe1\x005\0\0\0 \0\x07\0\x01\0\[\x001\x002\0:\x001\0\]\0\0\0 \0\x07\0\x02\0\[\x002\x000\x000\x003\0\]\0\0\0 |s p/HP OpenView Omniback/ o/Windows/
# HP OpenView Storage Data Protector A.05.10 on Linux
match omniback m|^\0\0\0.15\0 \x07\x01\[12:1\]\0 \x07\x02\[2003\]\0 \x07\x0510\d+\0 INET\0 |s p|HP OpenView Omniback/Data Protector| o|UNIX|
match serversettingsd m|^\0\0\x004main\0\0\x01\0\0\0\0\x0c\0\0\0\0\0\0\0\x0c\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0quit\xff\xff\xff\xffcrpt$| p/Apple serversettingsd administration daemon/ o/Mac OS X/
match symantec-esm m|^\0\x01#$| p/Symantec Enterprise Security Manager/
# Windows 2000 Server Wins name resolution service
# Windows NT 4.0 Wins
match wins m|^\0\0\0\x1e\xffS\xad\x80\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\x07\xe9\0\0\0\x01\0\0\x81\0\x02| p/Microsoft Windows Wins/ o/Windows/

match sap-its m|^\0\0\0\x0c\x01\x03\0\0\0\0\x071\0\0\0\0\0\0\x071Content-Type:\x20\x20text/html;\x20charset=Windows-1250\r\n\r\n<!--\r\n\x20This\x20page\x20was\x20created\x20by\x20the\x20\r\n\x20SAP\x20Internet\x20Transaction\x20Server\x20\(ITS,\x20Version\x20,\x20Build\x20,\x20Virtual\x20Server\x20\)\r\n| p/SAP Internet Transaction Server/

# From xlsclients
##############################NEXT PROBE##############################
Probe TCP X11Probe q|\x6C\0\x0B\0\0\0\0\0\0\0\0\0|
ports 497,5302,6000-6020,7100,8000
# retroclient 6.5.108 on Linux
match dantzretrospect m|^\0\xca\0\0\0\0\0\x04\0\0\0\0\0\0\x02\($| p/Dantz Retrospect backup client/
match font-service m|^\0\0\x02\0\0\0\0\0\0\0\0\0\x06\0\0\0\0@\x0c\0p\x17\0\0X Consortium\x01\n\x01\0\x05\0\0\0....\0\0..\0\0\0\0$|s p/Sun Solaris fs.auto/ o/Solaris/
match font-service m|^\0\0\x02\0\0\0\0\0\0\0\0\0\x0e\0\0\0\0 \*\0.\x19\0\0The XFree86 Project[-.\w() ]+..\x01\n\x01\0\x05\0\0\0....\0\0..\0\0\0|s p/XFree86 X Font Server/ o/Unix/
match networkaudio m|^\0\x19\x02\0\x02\0\x07\0Protocol version mismatch\0\0\0\0\0\0\0$| p|Network Audio System|
match networkaudio m|^\0\x19\x02\0\x02\0\x07\0Protocol version mismatch\0/\0\0\0\0\0$| p|Network Audio System|
match X11 m|^\x01\0\x0b\0\0\0H\0\n\x19\0\0\0\0..\xff\xff\?\0\0\x01\0\0\x16\0\xff\xff\x01\x04\x01\x01  \x08.\0...Sun Microsystems, Inc\.\0\0\x01\x01|s p/XSun Solaris X11 server/
match X11 m|^\0\x2D\x0B\0\0\0\x0C\0| i/access denied/ o/Solaris/
# I think the below means access denied (no authentication protocol 
# specified?) or is it a problem w/my probe that I should fix?
match X11 m|^\0\x16\x0b\0\0\0\x06\0No protocol specified\x0a..$|s i/access denied/ o/Unix/
match X11 m|^\x01\0\x0b\0\0\0.\0....\0\0.*The XFree86 Project, Inc|s p/XFree86/ i/open/ o/Unix/
match X11 m|^\x01\0\x0b\0\0\0.....\x02\0\0..\xff\xff\x1f\0\0\x01\0\0.\0\xff\xff\x01\x07\0\0  \x08\xff....Gentoo Linux \(XFree86 (\d[^)]+)\)\0\0|s p/XFree86/ v/$1/ i/Gentoo Linux/ o/Linux/
match X11 m|^\x01\0\x0b\0\0\0.....\x02\0\0..\xff\xff\x1f\0\0\x01\0\0\.\0\xff\xff\x01.*Mandrake Linux \(XFree86 (\d[^\)]+)\)\0\0|s p/XFree86/ v/$1/ i/Mandrake Linux/ o/Linux/
match X11 m|^\x01\0\x0b\0\0\0.....\x02\0\0..\xff\xff\x1f\0\0\x01\0\0.\0\xff\xff\x01.*Mandrake Linux \(XFree86 (\d[^\)]+)\)\0?\x01\x01|s p/XFree86/ v/$1/ i/Mandrake Linux/ o/Linux/
match X11 m|^\x01\0\x0b\0\0\0\x4C\0\xA0\xE0\x63\x02\0\0| i/open/
# StarNet X-Win32 v5.4 on Windows XP
match X11 m|^\x01\0\x0b\0\0\x009\0..\0\0\0\0.\0\xff\xff\?\0\0\x01\0\0\x1c\0\xff\xff\x01\x07\x01\x01\x08\x10\x08....\0StarNet Communications Corp\.\x01\x01|s p/StarNet X-Win32/ o/Windows/
match X11 m|^\x01\0\x0b\0\0\0=\0\x01\0\0\0\0\0\xc0\x06\xff\xff\?.*\0DECWINDOWS Digital Equipment Corporation Digital UNIX V(\d[-.\w]+)\0\0\x01\x01|s p/Digital UNIX X-Window/ v/$1/ i/Version is X Server and not of Digital UNIX/ o/DIGITAL UNIX/
# tightvnc 1.2.3 Xvnc
# Tightvnc 3.3.3 Xvnc
match X11 m|^\x01\0\x0b\0\0\0%\0\x04\r\0\0\0\0\x80.\xff\xff\?\0\0\x01\0\0\x1b\0\xff\xff\x01\x02\0\0  \x08\xff...\x08AT&T Laboratories Cambridge\0| p/Xvnc/

# Exceed X server for Win32
match X11 m|^\x01\0\x0b\0\0\0.\0..\0\0\0\0..\xff\xff\?\0\x01\0\0\0.\0\xff\xff.\x04\x01\x01\x08 \x08\xfe...\0Hummingbird Ltd\.\x01\x01 \0..\0\0\x08\x08 \0..\0\0\x0c\x0c \0..\0\0\x18  \0..\0\0.\0\0\0|s p/Hummingbird Exceed X server/ v/8.X or 9.X/ o/Windows/
match X11 m|^\x01\0\x0b\0\0\0.\0..\0\0\0\0..\xff\xff\?\0\x01\0\0\0.\0\xff\xff\x01\x04\x01\x01\x08 \x08\xfe...\0Hummingbird Communications Ltd\.\0\x01\x01 ...\0\0\x08\x08 ...\0\0\x0c\x0c ...\0\0\x18  ...\0\0.\0\0\0 \0\0\0\xff\xff\xff\0\0\0\0\0|s p/Hummingbird Exceed X server/ v/7.X/ o/Windows/
match X11 m|^\x01\0\x0b\0\0.....\0\0\0\0..\xff\xff\?\0\x01\0\0\0.\0\xff\xff\x01.\x01\x01\x08 \x08\xfe...\0Hummingbird Communications Ltd\..\x01\x01|s p/Hummingbird Exceed X server/ v/6.X/ o/Windows/
# General catch-alls
match X11 m|^\x01\0\x0b\0\0.....\0\0\0\0..\xff\xff\?\0\x01\0\0..\0\xff\xff......\x08\xfe...\0Hummingbird Communications Ltd\.|s p/Hummingbird Exceed X server/ o/Windows/
match X11 m|^\x01\0\x0b\0\0.....\0\0\0\0..\xff\xff\?\0\x01\0\0..\0\xff\xff......\x08\xfe...\0DECWINDOWS compatibility\. Hummingbird Communications Ltd\.|s p/Hummingbird Exceed X server/ i/DECWINDOWS compatibility/ o/Windows/

# HP MC/ServiceGuard for Linux A.11.14.02
match X11 m|^\0\0\0\x01\0\0\0\x0c\0\0\0\0$| p|HP MC/ServiceGuard|
match X11 m|^\x01\0\x0b\0\0\0%\0\0\x19\0\0\0\0\0\x01\xff\xff\?\0\0\x01\0\0\x12\0\xff\xff\x01\x02\0\0  \x08\xfe\xba\x1dF\0Labtam Europe Ltd\.\0\0\x01\x01| p/Labtam X-WinPro/
match omninames m|^GIOP\x01\0\x01\x06\0\0\0\0$| p/omniORB omniNames/ i/Corba naming service/

match domain m|^\x80\xf0\x80\x12\0\x01\0\0\0\0\0\0\x20CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01| p/Microsoft DNS/ o/Windows/
##############################NEXT PROBE##############################
# ftp://ftp.rfc-editor.org/in-notes/rfc1179.txt
Probe TCP LPDString q|\x01default\n|
ports 515
match printer m|^\0$| 
match printer m|^default: unknown printer\n$| p/Solaris lpd/ o/Solaris/
# Redhat Linux 7.3 LPRng-3.8.9
match printer m|^\x01no connect permissions\n$| p/LPRng/
# Microsoft Windows 2000 serverr LPD
match printer m|^\x01\x01$| p/Microsoft lpd/
# Blackbox Terminal Server (IOLAN v4.03.00 a CDi)
# Chase IOLAN terminal server lpd
# Bay Networks MicroAnnex XL  Comm. Server R10.0
match printer m|^\x01$| 
match printer m|^[-.\w]+: lpsched: unknown printer\n$| p/SGI IRIX lprsrv/ o/IRIX/

# Ldap bind request, version 2, null DN, AUTH_TYPE simple, null password
##############################NEXT PROBE##############################
Probe TCP LDAPBindReq q|\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x02\x04\0\x80\0|
ports 256,257,389,3892
sslports 636,637

match fw1-secureremote m|^[AQ]\0\0\0\0\0\0[^\0]| p/Checkpoint Firewall1 SecureRemote/ d/firewall/
match fw1-log m|^\0\0\0\t51000000\0\0\0\0[^\0]| p/Checkpoint Firewall1 logging service/ d/firewall/
# OpenLDAP 2.0.15 on RH Linux 7.3
match ldap m|^0%\x02\x01\x01a \n\x010\x04\0\x04\x19anonymous bind disallowed$| p/OpenLDAP/ i/access denied/
# OpenLDAP 2.1.22 - doesn't by default allow LDAPv2 request
match ldap m|^02\x02\x01\x01a-\n\x01\x02\x04\0\x04&requested protocol version not allowed$| p/OpenLDAP/ v/2.1.X/
# Netware 6
# Macintosh 8
# Win 2000 Advanced server.
match ldap m|^0\x0c\x02\x01\x01a\x07\n\x01\0\x04\0\x04\0| i/Anonymous bind OK/
# MS Windows Win2K SP4 AD server
match ldap m|^0\x84\0\0\0\x10\x02\x01\x01a\x84\0\0\0\x07\n\x01\0\x04\0\x04\0$| p/Microsoft LDAP server/ o/Windows/
# PGP Corporation PGP Keyserver 7.0 (relabeled Freeware PGP Keyserver 2.5.8)
#  PGP LDAP Server 8.x
match ldap m|^0\x17\x02\x01\x01a\x12\n\x01\0\x04\0\x04\x0bPGPError #0$| p/PGP Corp. PGP Keyserver/
# OctetString VDE Enterprise Edition on Linux 2.4
match ldap m|^0\x0e\x02\x01\x01a\t\n\x01\0\x04\0\x04\0\x87\0$| p/OctetString VDE directory service/
# Lotus Notes 6.5.3 LDAP on W2K3, anonymous bind not allowed, port 637 (ssl)
match ldap m|^0\.\x02\x01\x01a\)\n\x010\x04\0\x04\"Failed, anonymous bind not allowed$| p/Lotus Domino 6.x LDAP/ i/access denied/

##############################NEXT PROBE##############################
Probe TCP LANDesk-RC q|\x54\x4e\x4d\x50\x04\0\0\0\x54\x4e\x4d\x45\0\0\x04\0|
ports 1761-1763
# With Host and User currently logged in
match landesk-rc m|^TNMP.\0\0\0TNME.\0\0\0USER.\x08\x04\0\x08\0.{9}\0R\0\x03\0W\0\xff\xff\0.\0\xfd..\0\0\0\0\x02\0\0\0\0\x01\x04\0\0\0\0\0...\0\xb5\x01\xbb\0Desktop Manager (\d\.\d)\0\x02\x04\x01\x02\x01\0\0\W+([-\w]+)\0([-\w]+)\0\0$| p/LANDesk RC/ v/$1/ i/User: $3)/ h/$2/
# With just hostname
match landesk-rc m|^TNMP.\0\0\0TNME.\0\0\0USER.\x08\x04\0\x08\0.{9}\0R\0\x03\0W\0\xff\xff\0.\0\xfd..\0\0\0\0\x02\0\0\0\0\x01\x04\0\0\0\0\0...\0\xb5\x01\xbb\0Desktop Manager (\d\.\d)\0\x02\x04\x01\x02\x01\0\0\W+(\w+)\0\0\0$| p/LANDesk RC/ v/$1/ h/$2/
# Being Controled w/ User
match landesk-rc m|^TNMP.\0\0\0TNME.\0\0\0USER.\x08\x04\0\x08\0.{9}\0R\0\x03\0W\0\xff\xff\0.\0\xfd..\0\0\0\0\x02\0\0\0\0\x01\x04\0\0\0\0\0...\0\xb5\x01\xbb\0Desktop Manager (\d\.\d)\0\x02\x04\x01\x02\x01\0\0\W+([\w.:]+)\W+(\w+)\0(\w+)\0\0$| p/LANDesk RC/ v/$1/ i/User: $4 Controler: $2/ h/$3/
# Being Controled w/o User
#match landesk-rc m|^TNMP.\0\0\0TNME.\0\0\0USER.\x08\x04\0\x08\0.{9}\0R\0\x03\0W\0\xff\xff\0.\0\xfd..\0\0\0\0\x02\0\0\0\0\x01\x04\0\0\0\0\0...\0\xb5\x01\xbb\0Desktop Manager (\d\.\d)\0\x02\x04\x01\x02\x01\0\0\W+([\w.:]+)\W+(\w+)\0(\w+)\0{2,3}$| v/LANDesk RC/$1/Host: $3 Controler: $2/
match landesk-rc m|^TNMP.\0\0\0TNME.\0\0\0USER.\x08\x04\0\x08\0.{9}\0R\0\x03\0W\0\xff\xff\0.\0\xfd..\0\0\0\0\x02\0\0\0\0\x01\x04\0\0\0\0\0...\0\xb5\x01\xbb\0Desktop Manager (\d\.\d)\0\x02\x04\x01\x02\x01\0\0\W+([\w.:]+)\W+(\w+)\0|s p/LANDesk RC/ v/$1/ i/Controler: $2/ h/$3/

match landesk-rc m|^TNMP\x16\0\0\0TNME\x80\0\xfe\xff..([\w.]+):(\d)$| p/LANDesk RC/ i/Busy, From $1 on port 176$2/

# Novell Zen Remote Desktop Several 4.0.X submissions
match landesk-rc m|^\0\x04\0| p/Novell Zen Remote Desktop/ v/4.0.X/
# 6.5.14
match landesk-rc m|^\0\x06\x05| p/Novell Zen Remote Desktop/ v/6.5.X/


##############################NEXT PROBE##############################
Probe TCP TerminalServer q|\x03\0\0\x0b\x06\xe0\0\0\0\0\0|
ports 515,3389
# \x03 is queue status command for LPD service.  Should be terminated
# by \n, but apparently some dumb lpds allow \0.  For now I will keep
# 515 in the common ports line, I suppose
match printer m/^no entries\n$/ p/Xerox LPD/ d/printer/
# Windows 2000 Server
# Windows 2000 Advanced Server
# Windows XP Professional
match microsoft-rdp m|^\x03\0\0\x0b\x06\xd0\0\0\x12.\0$|s p|Microsoft Terminal Service| o|Windows|
match microsoft-rdp m|^\x03\0\0\x17\x08\x02\0\0Z~\0\x0b\x05\x05@\x06\0\x08\x91J\0\x02X$| p/Microsoft Terminal Service/ i/Used with Netmeeting, Remote Desktop, Remote Assistance/ o/Windows/
match teleconference m|^\x03\0\0\x11\x08\x02..}\x08\x03\0\0\xdf\x14\x01\x01$|s p/Microsoft NetMeeting Remote Desktop Service/ o/Windows/

# Netware Create Connection Service request
##############################NEXT PROBE##############################
Probe TCP NCP q|\x44\x6d\x64\x54\0\0\0\x17\0\0\0\x01\0\0\0\0\x11\x11\0\xff\x01\xff\x13|
ports 524
# Netware 5 and 6
# NCP "OK" reply
match ncp m|^\x74\x4e\x63\x50\0\0\0\x10\x33\x33| p/Novell Netware NCP/ o/NetWare/

##############################NEXT PROBE##############################
Probe TCP NotesRPC q|\x3A\x00\x00\x00\x2F\x00\x00\x00\x02\x00\x00\x40\x02\x0F\x00\x01\x00\x3D\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x1F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00|
ports 1352
#match lotusnotes m|^`\0\0\0U\0\0\0\x03\0\0@\x02\x0f\0\x05\x009\x05.....\x03\0\0\0\0\x02\0/\0\x12|s
# Lotus Domino (r) Server (Release 5.0.8 for Windows/32
# Lotus Notes domino 5.0.11
# Lotus Server 6.0.1
# Lotus Domino (r) Server (Release 6.0.1CF1 for Windows/32
match lotusnotes m|^.\0\0\0.\0\0\0\x03\0\0@\x02\x0f\0.*\x03\0\0\0\0\x02\0/\0.\0\0\0\0\0\0\0@\x1f.*CN=([-.\w ]+)/O=([-.\w ]+)[^-.\w ]|s p/Lotus Domino server/ i/CN=$1;Org=$2/

##############################NEXT PROBE##############################
Probe TCP DistCCD q|DIST00000001ARGC00000005ARGV00000002ccARGV00000002-cARGV00000006nmap.cARGV00000002-oARGV00000006nmap.oDOTI00000000|
ports 3632

match distccd m|^DONE00000001STAT00000000SERR00000000SOUT00000000DOTO.*?GCC: ([^\0]+)| p/distccd/ v/v1/ i/$1/
match distccd m|^DONE00000001.*?DOTO00| p/distccd/ v/v1/ i/unknown compiler/

##############################NEXT PROBE##############################
Probe TCP JavaRMI q|\x4a\x52\x4d\x49\0\x02\x4b|

match jrmi m|^N..[0-9.]+\0\0..$| p/Java RMI/

##############################NEXT PROBE##############################
Probe UDP Sqlping q|\x02|
ports 1434
match ms-sql-m m|^\x05..ServerName;([\w\-]+);InstanceName;[\w\-]+;IsClustered;\w{2,3};Version;([\d\.]+);np;.+;tcp;(\d{1,5});| p/Microsoft SQL Server/ v/$2/ i/ServerName: $1; TCPPort: $3/ o/Windows/
match ms-sql-m m|^\x05..ServerName;([\w\-]+);InstanceName;[\w\-]+;IsClustered;\w{2,3};Version;([\d\.]+);tcp;(\d{1,5});np;(.+);$| p/Microsoft SQL Server/ v/$2/ i/ServerName: $1; TCPPort: $3/ o/Windows/

##############################NEXT PROBE##############################
Probe UDP NTPRequest q|\xe3\x00\x04\xfa\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc5\x4f\x23\x4b\x71\xb1\x52\xf3|
ports 123
match ntp m|^\$[\x01-\x0f]..............................................$|s p/NTP/ v/v4/
match ntp m|^\xe4\0..............................................$|s p/NTP/ v/v4/ i/unsynchronized/
match ntp m|^\x1c[\x01-\x0f]..............................................$|s p/NTP/ v/v3/
# Solaris Internet Name Server (42/udp), see ien116.txt
match nameserver m|^help\r\n\r\n\0\0\0\0\x20CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01| p/Solaris Internet Name Server/ i/IEN 116/ o/Solaris/

##############################NEXT PROBE##############################
Probe UDP SNMPv1public q|0\x82\0/\x02\x01\0\x04\x06public\xa0\x82\0\x20\x02\x04\x4c\x33\xa7\x56\x02\x01\0\x02\x01\0\x30\x82\0\x10\x30\x82\0\x0c\x06\x08\x2b\x06\x01\x02\x01\x01\x05\0\x05\0|
ports 161
match snmp m|^0.\x02\x01\0\x04\x06public\xa2| p/SNMPv1 server/ i/public/

##############################NEXT PROBE##############################
Probe TCP WMSRequest q|\x01\0\0\xfd\xce\xfa\x0b\xb0\xa0\0\0\0MMS\x14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x12\0\0\0\x01\0\x03\0\xf0\xf0\xf0\xf0\x0b\0\x04\0\x1c\0\x03\0N\0S\0P\0l\0a\0y\0e\0r\0/\09\0.\00\0.\00\0.\02\09\08\00\0;\0 \0{\00\00\00\00\0A\0A\00\00\0-\00\0A\00\00\0-\00\00\0a\00\0-\0A\0A\00\0A\0-\00\00\00\00\0A\00\0A\0A\00\0A\0A\00\0}\0\0\0\xe0\x6d\xdf\x5f|
ports 1549,1755
match shivahose m|^\x02\x06$| i/Shiva network modem access/
#WMS 4.1.0.3927
match wms m|^\x01\0\0.\xce\xfa\x0b\xb0.\0\0\0MMS .\0{7}.{9}\0\0\0\x01\0\x04\0\0\0\0\0\xf0\xf0\xf0\xf0\x0b\0\x04\0\x1c\0\x03\0\0\0\0\0\0\0\xf0\?\x01\0\0\0\x01\0\0\0\0\x80\0\0...\0.\0\0\0\0\0\0\0\0\0\0\0.\0\0\x00(\d)\0\.\x00(\d)\0\.\x00(\d)\0\.\x00(\d)\x00(\d)\x00(\d)\x00(\d)\0\0\0|s p/Microsoft Windows Media Service/ v/$1.$2.$3.$4$5$6$7/ o/Windows/
match wms m|^\x01\0\0.\xce\xfa\x0b\xb0.\0\0\0MMS .\0{7}.{9}\0\0\0\x01\0\x04\0\0\0\0\0\xf0\xf0\xf0\xf0\x0b\0\x04\0\x1c\0\x03\0\0\0\0\0\0\0\xf0\?\x01\0\0\0\x01\0\0\0\0\x80\0\0...\0.\0\0\0\0\0\0\0\0\0\0\0.\0\0\x00(\d)\0\.\x00(\d)\x00(\d)\0\.\x00(\d)\x00(\d)\0\.\x00(\d)\x00(\d)\x00(\d)\x00(\d)\0\0\0|s p/Microsoft Windows Media Service/ v/$1.$2$3.$4$5.$6$7$8$9/ o/Windows/

##############################NEXT PROBE##############################
Probe TCP oracle-tns q|\0Z\0\0\x01\0\0\0\x016\x01,\0\0\x08\0\x7F\xFF\x7F\x08\0\0\0\x01\0 \0:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\04\xE6\0\0\0\x01\0\0\0\0\0\0\0\0(CONNECT_DATA=(COMMAND=version))|
ports 1521,1522,1525,1574
match oracle-tns m|^\0.\0\0\x02\0\0\0.*TNSLSNR for ([-.+/ \w]{2,20}): Version ([-\d.]+) - Production|s p/Oracle TNS Listener/ v/$2 (for $1)/

##############################NEXT PROBE##############################
Probe UDP xdmcp q|\0\x01\0\x02\0\x01\0\0|
ports 177
match xdmcp m/^\0\x01\0\x05..\0\0\0.(.+)\0.(.+)/ p/XDMCP/ v/host $1 willing/ i/Status: $2/ o/Unix/
match xdmcp m/^\0\x01\0\x06..\0.(.+)\0.(.+)/ p/XDMCP/ v/host $1 unwilling/ i/Status: $2/ o/Unix/

##############################NEXT PROBE##############################
# AFS version probing
Probe UDP AFSVersionRequest q|\0\0\x03\xe7\0\0\0\0\0\0\0\x65\0\0\0\0\0\0\0\0\x0d\x05\0\0\0\0\0\0\0\0\0\0|
ports 7001
# OpenAFS
match afs m|^[\d\D]{28}\s*(OpenAFS)\s+([\d\.]+)\s+([^\0]+)\0| p/$1/ v/$2/ i/$3/
match afs m|^[\d\D]{28}\s*(OpenAFS)\s+stable\s+([\d\.]+)\s+([^\0]+)\0| p/$1/ v/$2/ i/$3 stable/
match afs m|^[\d\D]{28}\s*(OpenAFS)([\d\.]{3}[^\s\0]*)\s+([^\0]+)\0| p/$1/ v/$2/ i/$3/
match afs m|^[\d\D]{28}\s*(OpenAFS)([\d\.]{3}[^\s\0]*)\0| p/$1/ v/$2/
# Transarc AFS
match afs m|^[\d\D]{28}\s*Base\sconfiguration\safs([\d\.]+)\s+[^\s\0\;]+[\0\;]| p/Transarc AFS/ v/$1/ i/$2/
# Arla
match afs m|^[\d\D]{28}\s*arla-([\d\.]+)\0| p/Arla/ v/$1/



### do not slow down the scan

#Probe TCP mydoom q|\x0d\x0d|
#ports 3127-3198
#match mydoom m|\x04\x5b\0\0\0\0\0\0| v/MyDoom virus backdoor/v012604//

#Probe TCP WWWOFFLEctrlstat q|WWWOFFLE STATUS\r\n|
#ports 8081
#match http-proxy-ctrl m|^WWWOFFLE Server Status\n-*\nVersion *: (\d.*)\n| v/WWWOFFLE proxy control/$1//

##########################################################################################################
# Cross Match Verifier E TCP/IP fingerprint reader (http://www.crossmatch.com/products_singlescan_vE.html)
# The device runs an embedded Linux
#
#Probe TCP Verifier q|Subscribe\n|
#ports 1500
#totalwaitms 11000
#match crossmatchverifier m/^(Idle|Notify)\r\n$/ v/Cross Match Verifier E fingerprint control///
#
#Probe TCP VerifierAdvanced q|Query\n|
#ports 1501
#match crossmatchverifier m|^Settings\r\nGain\x20(\d+)\r\nContrast\x20(\d+)\r\nTime\x20(\d+)\r\nIllumination\x20(\d+)\r\nProcessed\r\n$|
#v/Cross Match Verifier E fingerprint advanced control///