Sonar / CPE updates (#279)

* Sonar / CPE updates * Filezilla is Windows only * Add CPEs to SSH * More HTTP CPEs * DNS updates * SMTP.. * more smtp * pop * IMAP
rapid7 · Jul 23, 2020 · 7e98af5 · 7e98af5
1 parent 72c173d
commit 7e98af5
Show file tree

Hide file tree

Showing 11 changed files with 226 additions and 20 deletions.
diff --git a/cpe-remap.yaml b/cpe-remap.yaml
@@ -16,6 +16,10 @@ mappings:
       weblogic: weblogic_server
   blue_coat:
     vendor: bluecoat
+  carnegie_mellon_university:
+    vendor: cmu
+    products:
+      cyrus_imap: cyrus_imap_server
   centos:
     vendor: centos
     products:
@@ -32,6 +36,9 @@ mappings:
     vendor: debian
     products:
       linux: debian_linux
+  embedthis:
+    products:
+       goahead_webserver: goahead
   f5:
     vendor: f5
     products:
@@ -41,12 +48,12 @@ mappings:
     vendor: hp
     products:
       ilo: integrated_lights_out
-      lotus_domino: lotus_domino_server
       tru64_unix: tru64
   ibm:
     vendor: ibm
     products:
       lotus_domino: lotus_domino_server
+      ibm_domino: lotus_domino
       os/400: os_400
   jamf:
     products:
@@ -57,6 +64,10 @@ mappings:
       junos_os: junos
   kibana:
     vendor: elasticsearch
+  cz.nic:
+    vendor: knot-dns
+  litespeed_technologies:
+    vendor: litespeedtech
   linux:
     vendor: linux
     products:
@@ -94,6 +105,10 @@ mappings:
     vendor: modwsgi
   mort_bay:
     vendor: mortbay
+  nlnet_labs:
+    vendor: nlnetlabs
+    products:
+      dnsd: name_server_daemon
   net-snmp:
     vendor: net-snmp
     products:

diff --git a/identifiers/hw_family.txt b/identifiers/hw_family.txt
@@ -93,4 +93,4 @@ iPad
 iPad Air
 iPad Pro
 iPad mini
-iPhone
+iPhone
diff --git a/identifiers/hw_product.txt b/identifiers/hw_product.txt
@@ -325,4 +325,4 @@ iPhone X
 iPhone XR
 iPhone XS
 iPhone XS Max
-vManage
+vManage
diff --git a/identifiers/service_product.txt b/identifiers/service_product.txt
@@ -421,6 +421,7 @@ Symantec Endpoint Protection Manager
 Symantec Mail Security for SMTP
 Symantec Messaging Gateway
 TBS FTP Server
+TCP/IP
 TCPIP POP server
 TUX Web Server
 TeamCity
@@ -554,4 +555,3 @@ vsFTPd
 vsFTPd Extended
 z/OS FTP Server
 zFTPServer
-TCP/IP
diff --git a/xml/dns_versionbind.xml b/xml/dns_versionbind.xml
@@ -516,6 +516,7 @@
     <param pos="0" name="service.family" value="NSD"/>
     <param pos="0" name="service.product" value="dnsd"/>
     <param pos="1" name="service.version"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:nlnetlabs:name_server_daemon:{service.version}"/>
   </fingerprint>
 
   <fingerprint pattern="^unbound ([\d.]+)$">
@@ -525,6 +526,7 @@
     <param pos="0" name="service.family" value="Unbound"/>
     <param pos="0" name="service.product" value="unbound"/>
     <param pos="1" name="service.version"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:nlnetlabs:unbound:{service.version}"/>
   </fingerprint>
 
   <fingerprint pattern="^(?i:unbound)$">
@@ -533,6 +535,7 @@
     <param pos="0" name="service.vendor" value="NLnet Labs"/>
     <param pos="0" name="service.family" value="Unbound"/>
     <param pos="0" name="service.product" value="unbound"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:nlnetlabs:unbound:-"/>
   </fingerprint>
 
   <fingerprint pattern="^(?:BIND )?(9.[^-]+(?:-[SP]\d)?)(?:-[\d\.]+)?\+deb10u\d+-Raspbian$">
@@ -583,8 +586,9 @@
     <example service.version="2.5.0-dev">Knot DNS 2.5.0-dev</example>
     <param pos="0" name="service.vendor" value="cz.nic"/>
     <param pos="0" name="service.family" value="Knot"/>
-    <param pos="0" name="service.product" value="DNS"/>
+    <param pos="0" name="service.product" value="Knot DNS"/>
     <param pos="1" name="service.version"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:knot-dns:knot_dns:{service.version}"/>
   </fingerprint>
 
   <fingerprint pattern="^UltraDNS Resolver$">
@@ -754,7 +758,8 @@
     <example>DNSServer</example>
     <param pos="0" name="service.vendor" value="Synology"/>
     <param pos="0" name="service.family" value="DSM"/>
-    <param pos="0" name="service.product" value="DNS"/>
+    <param pos="0" name="service.product" value="DNS Server"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:synology:dns_server:-"/>
     <param pos="0" name="os.device" value="NAS"/>
     <param pos="0" name="os.family" value="Linux"/>
     <param pos="0" name="os.product" value="DSM"/>
@@ -855,9 +860,10 @@
   <fingerprint pattern="^gdnsd$">
     <description>gdnsd</description>
     <example>gdnsd</example>
-    <param pos="0" name="service.vendor" value="Brandon Black"/>
+    <param pos="0" name="service.vendor" value="gdnsd"/>
     <param pos="0" name="service.family" value="gdnsd"/>
     <param pos="0" name="service.product" value="gdnsd"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:gdnsd:gdnsd:-"/>
   </fingerprint>
 
   <fingerprint pattern="^Hi: [\w\.: =]+\d{4}$">

diff --git a/xml/ftp_banners.xml b/xml/ftp_banners.xml
@@ -360,6 +360,7 @@ example.com FTP server (Version:  Mac OS X Server) ready.</example>
     <example service.version="1.0.11">=(&lt;*&gt;)=-.:. (( Welcome to Pure-FTPd 1.0.11 )) .:.-=(&lt;*&gt;)=-</example>
     <example service.version="1.0.11">=(&lt;*&gt;)=-.:. (( Welcome to Pure-FTPd 1.0.11 )) .:.-=(&lt;*&gt;)=-&#13;
 more stuff</example>
+    <param pos="0" name="service.fvendor" value="PureFTPd"/>
     <param pos="0" name="service.family" value="Pure-FTPd"/>
     <param pos="0" name="service.product" value="Pure-FTPd"/>
     <param pos="1" name="service.version"/>
@@ -374,43 +375,77 @@ more stuff</example>
     <example>--------- Welcome to Pure-FTPd [privsep] [TLS] ----------&#13;
 more text</example>
     <param pos="1" name="pureftpd.config"/>
+    <param pos="0" name="service.vendor" value="PureFTPd"/>
     <param pos="0" name="service.family" value="Pure-FTPd"/>
     <param pos="0" name="service.product" value="Pure-FTPd"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:pureftpd:pure-ftpd:-"/>
   </fingerprint>
 
   <fingerprint pattern="^(?:Welcome to )?Pure-FTPd\.?$">
     <description>Basic Pure-FTPd banner, no version</description>
     <example>Welcome to Pure-FTPd</example>
     <example>Pure-FTPd.</example>
+    <param pos="0" name="service.vendor" value="PureFTPd"/>
     <param pos="0" name="service.family" value="Pure-FTPd"/>
     <param pos="0" name="service.product" value="Pure-FTPd"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:pureftpd:pure-ftpd:-"/>
   </fingerprint>
 
   <fingerprint pattern="^=\(.\*.\)=-\.:\. \(\( Welcome to PureFTPd (\d+\..+) \)\) \.:\.-=\(.\*.\)=-" flags="REG_MULTILINE">
     <description>Older Pure-FTPd versions</description>
     <example service.version="1.1.0">=(&lt;*&gt;)=-.:. (( Welcome to PureFTPd 1.1.0 )) .:.-=(&lt;*&gt;)=-</example>
     <example service.version="1.1.0">=(&lt;*&gt;)=-.:. (( Welcome to PureFTPd 1.1.0 )) .:.-=(&lt;*&gt;)=-&#13;
 more text</example>
+    <param pos="0" name="service.vendor" value="PureFTPd"/>
     <param pos="0" name="service.family" value="Pure-FTPd"/>
     <param pos="0" name="service.product" value="Pure-FTPd"/>
     <param pos="1" name="service.version"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:pureftpd:pure-ftpd:{service.version}"/>
   </fingerprint>
 
-  <fingerprint pattern="^Serv-U FTP[ -]Server v(\d+\.\S+)(?: for WinSock)? ready\.*$">
-    <description>Serv-U (only runs on Windows)</description>
+  <!-- CPEs for Serv-U 15.x and above changed to SolarWinds -->
+
+  <fingerprint pattern="^Serv-U FTP Server v(15\.\S+) ready\.\.\.$">
+    <description>SolarWinds Serv-U with version </description>
+    <example service.version="15.1.3.25">Serv-U FTP Server v15.1.3.25 ready...</example>
+    <param pos="0" name="service.vendor" value="SolarWinds"/>
+    <param pos="0" name="service.product" value="Serv-U FTP Server"/>
+    <param pos="0" name="service.family" value="Serv-U"/>
+    <param pos="1" name="service.version"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:solarwinds:serv-u_ftp_server:{service.version}"/>
+  </fingerprint>
+
+  <fingerprint pattern="^Serv-U FTP[ -]Server v(\d+\.\S+) for WinSock ready\.*$">
+    <description>Serv-U Serv-U with version on Windows</description>
     <example service.version="2.5n">Serv-U FTP-Server v2.5n for WinSock ready...</example>
     <example service.version="6.0">Serv-U FTP Server v6.0 for WinSock ready</example>
-    <example service.version="7.2">Serv-U FTP Server v7.2 ready...</example>
-    <param pos="0" name="service.vendor" value="Rhino Software"/>
+    <param pos="0" name="service.vendor" value="Serv-U"/>
     <param pos="0" name="service.product" value="Serv-U"/>
     <param pos="0" name="service.family" value="Serv-U"/>
     <param pos="1" name="service.version"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:serv-u:serv-u:{service.version}"/>
     <param pos="0" name="os.vendor" value="Microsoft"/>
     <param pos="0" name="os.family" value="Windows"/>
     <param pos="0" name="os.product" value="Windows"/>
     <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
   </fingerprint>
 
+  <fingerprint pattern="^Serv-U FTP[ -]Server v(\d+\.\S+) ready\.*$">
+    <description>Serv-U Serv-U with version </description>
+    <example service.version="7.2">Serv-U FTP Server v7.2 ready...</example>
+    <example service.version="14.0">Serv-U FTP Server v14.0 ready...</example>
+    <param pos="0" name="service.vendor" value="Serv-U"/>
+    <param pos="0" name="service.product" value="Serv-U"/>
+    <param pos="0" name="service.family" value="Serv-U"/>
+    <param pos="1" name="service.version"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:serv-u:serv-u:{service.version}"/>
+  </fingerprint>
+
+  <fingerprint pattern="^Welcom to Serv-U FTP Server$">
+    <description>Common FTP banner modification to look like Serv-U -- assert nothing.</description>
+    <example>Welcom to Serv-U FTP Server</example>
+  </fingerprint>
+
   <fingerprint pattern="^zFTPServer v?(\S+), .*ready\.$" flags="REG_ICASE">
     <description>zftpserver (only runs on Windows)</description>
     <example service.version="4.0">zFTPServer v4.0, build 2008-12-24 01:41 ready.</example>
@@ -427,23 +462,28 @@ more text</example>
     <description>vsFTPd (Very Secure FTP Daemon)</description>
     <example service.version="1.1.3">(vsFTPd 1.1.3) host</example>
     <example service.version="2.0.5">(vsFTPd 2.0.5)</example>
+    <param pos="0" name="service.vendor" value="vsFTPd Project"/>
     <param pos="0" name="service.family" value="vsFTPd"/>
     <param pos="0" name="service.product" value="vsFTPd"/>
     <param pos="1" name="service.version"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:vsftpd_project:vsftpd:{service.version}"/>
     <param pos="2" name="host.name"/>
   </fingerprint>
 
   <fingerprint pattern="^ready, dude \(vsFTPd (\d+\..+): beat me, break me\)$">
     <description>vsFTPd (Very Secure FTP Daemon) - break me variant</description>
     <example service.version="1.1.0">ready, dude (vsFTPd 1.1.0: beat me, break me)</example>
+    <param pos="0" name="service.vendor" value="vsFTPd Project"/>
     <param pos="0" name="service.family" value="vsFTPd"/>
     <param pos="0" name="service.product" value="vsFTPd"/>
     <param pos="1" name="service.version"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:vsftpd_project:vsftpd:{service.version}"/>
   </fingerprint>
 
   <fingerprint pattern="^vsFTPd ([\d.]+\+ \(ext\.3\)) ready\.\.\.$">
     <description>vsFTPd (Very Secure FTP Daemon) extended build (vsftpd.devnet.ru)</description>
     <example service.version="2.0.4+ (ext.3)">vsFTPd 2.0.4+ (ext.3) ready...</example>
+    <param pos="0" name="service.vendor" value="vsFTPd Project"/>
     <param pos="0" name="service.family" value="vsFTPd"/>
     <param pos="0" name="service.product" value="vsFTPd Extended"/>
     <param pos="1" name="service.version"/>
@@ -453,8 +493,10 @@ more text</example>
     <description>vsFTPd (Very Secure FTP Daemon) error message</description>
     <example>OOPS: vsftpd: root is not mounted.</example>
     <example>OOPS: cannot read user list file:/etc/vsftpd.user_list</example>
+    <param pos="0" name="service.vendor" value="vsFTPd Project"/>
     <param pos="0" name="service.family" value="vsFTPd"/>
     <param pos="0" name="service.product" value="vsFTPd"/>
+    <param pos="0" name="service.cpe23" value="cpe:/a:vsftpd_project:vsftpd:-"/>
   </fingerprint>
 
   <fingerprint pattern="^FileZilla Server(?: version)? (?:v)?(\d\.[\w.]+(?: beta)?).*$">
@@ -463,9 +505,14 @@ more text</example>
     <example service.version="0.9.13a beta">FileZilla Server version 0.9.13a beta</example>
     <example service.version="0.9.54 beta">FileZilla Server 0.9.54 beta</example>
     <example service.version="0.9.33 beta">FileZilla Server v0.9.33 beta</example>
+    <param pos="0" name="service.vendor" value="Filezilla-Project"/>
     <param pos="0" name="service.family" value="FileZilla FTP Server"/>
     <param pos="0" name="service.product" value="FileZilla FTP Server"/>
     <param pos="1" name="service.version"/>
+    <param pos="0" name="os.vendor" value="Microsoft"/>
+    <param pos="0" name="os.family" value="Windows"/>
+    <param pos="0" name="os.product" value="Windows"/>
+    <param pos="0" name="os.cpe23" value="cpe:/o:microsoft:windows:-"/>
   </fingerprint>
 
   <fingerprint pattern="^\s*APC FTP server ready\.$">