I couldn't find any explanation for the fingerprints parameters names, so I'm raising this here.
In the below example, why is "VxWorks" which is a type of OS is under os.product while other fingerprints have their OS type under os.family? shouldn't this be under os.family as well?
What is the logic behind putting these values under these parameters names? If I'll have to make a guess VxWorks OS family would be something like RTOS (which will include other OS in this family like FreeRTOS and ThreadX)

<fingerprint pattern="IPSSH[-_]([\d\.p]+).*$"> <description>VxWorks with version information</description> <example os.version="6.9.0">IPSSH-6.9.0</example> <param pos="0" name="os.vendor" value="Wind River"/> <param pos="0" name="os.product" value="VxWorks"/> <param pos="1" name="os.version"/> <param pos="0" name="os.cpe23" value="cpe:/o:windriver:vxworks:{os.version}"/> </fingerprint>*

1.3.6.1.2.1.1.2, sysObjectID, is a supported method of fingerprinting through recog with xml/snmp_sysobjid.xml. The descriptions for the values returned by sysObjectID are publicly available to varying degrees but not in a way that is easily consumed by recog.

@hmoore-r7 suggested a parallel Sonar scan for sysDesc and sysObjectID as one way to beef up what is in snmp_sysobjid.xml.

2/23/2015, 1.9.3 will be EOL. Metasploit is also making this change (or maybe they did already -- I don't know for sure).

Recog should drop 1.9.3 support too.

From past experience with recog, using the API against a large dataset gets slow, mostly because all you can do is linear scan all of the signature regexes against every one of your matching items. Each new signature adds linear time to the run.

This might break the more advanced matchers, but if there were a way to do boyer-moore matching or something similar to compile regexes into a single matcher that doesn't have to start over and run multiple passes, like an IDS or DPI device would do, it would probably speed things up a good amount.

https://github.com/rapid7/recog/blob/master/lib/recog/matcher.rb#L26

#101 for an example. It doesn't seem to matter from a Recog perspective whether or not we escape, but given that the Recog data is used in isolation, we should be consistent with our escaping.

Right now Recog is only being tested in Ruby 2.1.5 and JRuby 1.7.x in the Travis-CI builds. Both are quite old (in fact I believe the JRuby version qualifies as ancient). We should add some newer versions to ensure forwards compatibility.

Caveat: Looking into the Travis-CI JRuby issue the other day lead down a rabbit hole that revealed JRuby versions being a pain to deal with currently. Some hoops to jump through could be executing rvm get stable before installing JRuby, or just downloading the JRuby zip from somewhere. Supposedly the docker-based Travis builds have entropy problems that make the rvm route slow still. More investigation is probably required here.

There are currently a lot of C2 floating around , it would be nice to add their JARM fingerprint when possible. I'll try to give it a try this weekend.

Is your feature request related to a problem? Please describe.
Fingerprint elements in fingerprint XML files should always contain examples. Work has been done in previous PRs to settle many broken <example> tags. However, several other <fingerprint> XML elements are missing <example> elements altogether. We should enforce that examples are always present.

Describe the solution you'd like

1. Update all fingerprint files to have an example, even if the data must be mocked (with an XML comment indicating as such).
2. Update fingerprints.xsd after #410 is merged so that minOccurs on <example> is 1 instead of 0: https://github.com/rapid7/recog/blob/master/xml/fingerprints.xsd#L106. With this simple change, once #410 lands the XML schema validation logic in recog_verify should automatically flag any missing example elements as an error (thus, giving developers immediate feedback & ensuring CI PR builds fail if one is not included).

Describe alternatives you've considered
None.

Additional context
Clearing out all warnings & errors from the existing XML fingerprint files should help greatly in enforcing strict standards for new fingerprints that are added, and ultimately ensure recog is kept high quality.

We currently have some of them but are missing many of the language variants from http://osxr.org/mysql/source/sql/share/errmsg-utf8.txt. For the error messages we currently check, make sure all of the supported languages are in Recog.

Specifically, we need to add the missing languages from the following sections:

• ER_HOST_IS_BLOCKED
• ER_HOST_NOT_PRIVILEGED
• ER_CON_COUNT_ERROR
• ER_CANT_CREATE_THREAD

/cc @TomSellers, FYI.

The HTTP server header fingerprints file (xml/http_servers.xml) currently contains 19 patterns that use ((?:\d+\.)+\d+ to match the service version. A successful match of the pattern requires, at a minimum, a major.minor style version number. A major only style version number will fail to match. For example, using the CherryPy pattern we can see the version portion of the pattern requires, at a minimum, a version number that contains two digits separated by a period.

$ echo 'CherryPy/3.1.2' | bin/recog_match.rb xml/http_servers.xml -
MATCH: {"service.vendor"=>"CherryPy", "service.product"=>"CherryPy", "service.family"=>"CherryPy", "service.version"=>"3.1.2", "data"=>"CherryPy/3.1.2"}

$ echo 'CherryPy/3.1' | bin/recog_match.rb xml/http_servers.xml -
MATCH: {"matched"=>"Web server component of CherryPy web application framework.", "service.vendor"=>"CherryPy", "service.product"=>"CherryPy", "service.family"=>"CherryPy", "service.version"=>"3.1", "data"=>"CherryPy/3.1"}

$ echo 'CherryPy/3' | bin/recog_match.rb xml/http_servers.xml -
FAIL: CherryPy/3

I have not fully investigated all of the HTTP server header fingerprints or other fingerprint files, but I think this is an important topic to discuss and determine a best practice for the project. The patterns I introduced in #16 use ((?:\d+\.)*\d+) which allows for flexible version number matching. I prefer more flexible patterns as eases maintenance of the fingerprints to some degree.

We already have Sonar data that can be used as a seed for this.

save following as setup.sh

#!/bin/bash
echo "Installing Recog"
sudo pip install pyyaml
sudo apt install -y ruby-bundler
git clone [email protected]:rapid7/recog.git
cd recog
bundle install
echo "Installation Finished!"
./update_cpes.py 

run setup below!

sudo chmod +x *.sh
./setup_recog.sh

./update_cpes.py

Hi,

It seems a wrong attribute is used in the file ftp_banners.xml, at line 363 of tree state 75e3f80

<param pos="0" name="service.fvendor" value="PureFTPd"/>

It seems that name should be service.vendor in place of service.fvendor (check the "f" letter)

Thierry

Nexpose was unable to fingerprint MariaDB - Enterprise as noted in the log trace below. Looking at the banners.xml file, enterprise is not showing in the list. Below is the fingerprint for Maria DB to hopefully be added in the mysql_banners.xml.

2017-02-15T11:26:26 [INFO] [Thread: xx.x.x:54810/TCP] [Site: Test site] [mysql.banners] Matching against banner: 5.5.5-10.1.21-MariaDB-enterprise
2017-02-15T11:26:26 [INFO] [Thread: x.x.x.x:54810/TCP] [Site: Test site] [mysql.banners] No matching fingerprint found for banner: 5.5.5-10.1.21-MariaDB-enterpris

https://github.com/rapid7/recog/blob/master/xml/mysql_banners.xml

The existing fingerprint is far too loose:

 <fingerprint pattern=".*version=&quot;ntpd ([^ ]+)[^&quot;]+&quot;,\s*processor=&quot;([^ ]+)&quot;,\s*system=&quot;[^ ]+.([^&quot;]+)&quot;" flags="REG_DOT_NEWLINE,REG_ICASE">

When I put this example in, it passes recog_verify but shouldn't:

version="ntpd version = 4.1.0", processor="unknown", system="OpenVMS AXP", leap=0, stratum=4, precision=-11, rootdelay=214.836, rootdispersion=162.916, peer=24756, refid=a.b.c.d, reftime=ffff poll=10, clock=fffff, state=4, offset=39.552, frequency=6.214, jitter=14.150, stability=5.564

(This is in response to @jhart-r7's email from 2015-02-17 to the recog users)

Travis-CI has integration with the Github release mechanism. You can automate it as outlined here http://docs.travis-ci.com/user/deployment/releases/. If you don't want travis-ci doing the releases, you could also just add an action to the release task so that rake release both releases to Github and rubygems.

If you mention a rake task more than once, each block is run in the order it is declared

task :release do
  # first action for `rake release`
end

task :release do
  # second action for `rake release`
end

There may also be separate tasks for each part of rake release, such as tagging and building and pushing to rubygems and github, in which case you can make the Github release be dependent on the push to git task and the current release task dependent on it

task 'release:github' => 'push-to-git' do
  # do stuff with github API
end

task release: 'release:github'

JRuby has been failing for a while. We should fix/update the travis-ci config, remove JRuby from testing, and/or allow it to fail without failing the whole build.

It looks like the travis worker is now defaulting to Java 11 and the JRuby version specified is probably not compatible.

Hi, looks like someone forgot that this device has hw attributes. is that on purpose?

Describe the bug
I noticed deprecated CPEs in the XML fingerprints.

Looking at /xml/http_servers.xml
Definition for IIS 8.5 (for example) includes:

cpe:2.3:a:microsoft:iis:8.5:::::::*

Submit it to NVD:
https://services.nvd.nist.gov/rest/json/cpes/1.0?cpeMatchString=cpe:2.3:a:microsoft:iis:8.5:::::::*

Response is as follows:
{"resultsPerPage":20,"startIndex":0,"totalResults":0,"result":{"dataType":"CPE","feedVersion":"1.0","cpeCount":0,"feedTimestamp":"2021-02-19T03:40","cpes":[]}}

Essentially unrecognized. There was a deprecation window where the service returned a "deprecatedBy" flag that told how to update the CPE.

Using the replacement CPE:
https://services.nvd.nist.gov/rest/json/cpes/1.0?cpeMatchString=cpe:2.3:a:microsoft:internet_information_services:8.5:::::::*

Response:
{"resultsPerPage":20,"startIndex":0,"totalResults":1,"result":{"dataType":"CPE","feedVersion":"1.0","cpeCount":1,"feedTimestamp":"2021-02-19T03:43","cpes":[{"deprecated":false,"cpe23Uri":"cpe:2.3:a:microsoft:internet_information_services:8.5:::::::*","lastModifiedDate":"2018-12-11T18:56Z","titles":[{"title":"Microsoft Internet Information Services (IIS) 8.5","lang":"en_US"}],"refs":[{"ref":"https://www.iis.net/","type":"Product"}],"deprecatedBy":[],"vulnerabilities":[]}]}}

If cpeCount is 0, there is a problem with the CPE. Might also be good to keep an eye on the deprecatedBy response when performing validation checking.

You can pull down the entire CPE 2.3 dictionary for validation checking here: https://nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz

If you decide to stick with CPE 2.2 format, you can validate against the diction located here: https://nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml.gz

Hope this is helpful info. Cheers!

This is an HMI (there is one more in the repo) that is 'HMI controller' yet it is under Os.Device='Monitoring'
Is this intentional or bug? if it's intentional please describe why

The file telnet_banners.xml contains a \u0000 sequence which is invalid for certain Regexp implementations (for example, Go). This should probably be changed to \x00 instead.

Hi
I'm looking at some fingerprints in Recog, and trying to understand what the subversion (x.version.version , x.version.version.version etc) means in the CPE strings.
In all of the CPEs in Recog only the x.version is used. For example: "cpe:/a:ntp:ntp:{service.version}" .
But, if you search on NVD, you can find a lot of examples when concatenating different subversion yields more accurate results.
In this fingerprint for example:

<fingerprint flags="REG_DOT_NEWLINE,REG_ICASE" pattern='^.*version="ntpd ([^ p]+)(:?p[^ "]+)?[^"]+",.*processor="([^ ]+)",.*system="FreeBSD/?(?:[^ ]+-NETSCALER-([^ ]+))"'>
<description>ntpd running on Citrix Netscaler, which is based on FreeBSD</description>
<example os.arch="i386" os.version="9.3" service.version="4.2.6" service.version.version="[email protected]">
      version="ntpd [email protected] Wed Nov 24 15:54:11 UTC 2010 (1)",
      processor="i386", system="FreeBSD/6.3-NETSCALER-9.3", leap=00, stratum=3,
    </example>
<example os.arch="amd64" os.version="10.5" service.version="4.2.6" service.version.version="p3-a">
      version="ntpd 4.2.6p3-a (1)", processor="amd64", system="FreeBSD/8.4-NETSCALER-10.5",
      leap=3, stratum=16, precision=-21, rootdelay=0.000, rootdisp=1264777.230,
    </example>
<param name="service.version" pos="1"/>
<param name="service.version.version" pos="2"/>
<param name="service.vendor" pos="0" value="NTP"/>
<param name="service.product" pos="0" value="NTP"/>
<param name="service.cpe23" pos="0" value="cpe:/a:ntp:ntp:{service.version}"/>
<param name="os.vendor" pos="0" value="Citrix"/>
<param name="os.family" pos="0" value="NetScaler"/>
<param name="os.device" pos="0" value="Network Management Device"/>
<param name="os.product" pos="0" value="NetScaler"/>
<param name="os.arch" pos="3"/>
<param name="os.version" pos="4"/>
</fingerprint>

If I concatenate service.version and service.version.version to the CPE string with colon delimiter, I will get more accurate result, having the "update" field in the CPE as well as the version. (https://nvd.nist.gov/products/cpe/search/results?keyword=cpe%3a%2fa%3antp%3antp%3a4.2.6%3ap1&status=FINAL,DEPRECATED&orderBy=CPEURI&namingFormat=2.2)

So here, one can assume service.version.version matches the "update" field on NVD.

On another example I've found, if one will concatenate both fields, but with dot delimiter instead of colon, the result will be a more precise version.
For example:

<fingerprint pattern="^([^ ]+) GroupWise SMTP/MIME Daemon ([^ ]+\.[^ ]+) v([^ ]+) Ready \(C\).* Novell, Inc\. *$">
<description>Novell GroupWise - versions below 5</description>
<example host.name="foo.bar" service.version="4.1" service.version.version="3">foo.bar GroupWise SMTP/MIME Daemon 4.1 v3 Ready (C)1993, 1996 Novell, Inc.</example>
<param name="service.vendor" pos="0" value="Novell"/>
<param name="service.family" pos="0" value="GroupWise"/>
<param name="service.product" pos="0" value="GroupWise"/>
<param name="host.name" pos="1"/>
<param name="service.version" pos="2"/>
<param name="service.version.version" pos="3"/>
<param name="service.cpe23" pos="0" value="cpe:/a:novell:groupwise:{service.version}"/>
</fingerprint>

Here, when concatenating service.version and service.version.version the result will be "cpe:/a:novell:groupwise:4.1.3" . While this version number specifically doesn't have entries in NVD, if I take the same pattern but with other digits, for example service.version=6.5 & service.version.version=2 so "cpe:/a:novell:groupwise:6.5.2" , it yields different result than using only the first service.version "cpe:/a:novell:groupwise:6.5" on NVD
6.5.2 - https://nvd.nist.gov/products/cpe/search/results?keyword=cpe%3a%2fa%3anovell%3agroupwise%3a6.5.2&status=FINAL,DEPRECATED&orderBy=CPEURI&namingFormat=2.2

6.5 - https://nvd.nist.gov/products/cpe/search/results?keyword=cpe%3a%2fa%3anovell%3agroupwise%3a6.5&status=FINAL,DEPRECATED&orderBy=CPEURI&namingFormat=2.2

So 2 questions raise here:

1. Is the x.version.version (and the other subversion) have a constant meaning on Recog? or they can mean one thing in some cases and other meaning in another? (as can be seen in the examples)
2. Since on Recog, only the x.version is used but the subversion aren't in CPE strings, this might yield wrong result, is that an expected behavior? In the example above, if I would use Recog CPE string I will get results for vulnerabilities for version 6.5 while the actual version is 6.5.2, according to this patterns, so this might be false positive.

Thanks

CRITICAL:root:Expecting exactly 3 arguments; recog XML file, CPE 2.3 XML dictionary, JSON remapping, got 0

its expecting files but dont know what is expected in the file if anything!

[WIP] Issue

Summary

This issue is intended to serve as a point of discussion related to the effort to standardize our handling of the distinguished name values found in x.509 certificate subject and issuer fields. The intent is to arrive at a field ordering that is

• portable across programming languages (at least Java, Python, and Go)
• deterministic even when processing unknown fields

Commentary from HD about handling in Go:

Commentary and example from HD on handling of extra fields in Go:

The relevant Go code for extra name handling:

			oidString := tv.Type.String()
			typeName, ok := attributeTypeNames[oidString]
			if !ok {
				derBytes, err := asn1.Marshal(tv.Value)
				if err == nil {
					s += oidString + "=#" + hex.EncodeToString(derBytes)
					continue // No value escaping necessary.
				}

				typeName = oidString
			}

In practice this looks like:

CN=device.corp.com,OU=VMware Engineering,O=VMware,L=Palo Alto,ST=California,C=US,1.2.840.113549.1.9.1=#0c0f766d636140766d776172652e636f6d

1.2.840.113549.1.9.1 is the OID of the EMAILADDRESS attribute. The value includes the DER bytes, including the Type and Length before the value ([email protected]).

TODO before requesting feedback from others:

• Build simple Python, Ruby, Go, and Rust tools that connect to an HTTP endpoint and emit the certificate with the least amount of processing
• Use the tools above to provide reference examples to show the differences

Examples

Some example subject values that haven't been accounted for in our prior discussions.

unstructuredName

{
  "C": "US",
  "CN": "foo.bar",
  "L": "Palo Alto",
  "O": "VMware, Inc",
  "OU": "VMware ESX Server Default Certificate",
  "ST": "California",
  "emailAddress": "[email protected]",
  "unstructuredName": "1617207215,564d7761726520496e632e"
}

businessCategory, jurisdictionC , jurisdictionL, jurisdictionST

{
  "C": "DE",
  "CN": "foo.bar",
  "L": "Hannover",
  "O": "TUI AG",
  "ST": "Niedersachsen",
  "businessCategory": "Private Organization",
  "jurisdictionC": "DE",
  "jurisdictionL": "Charlottenburg",
  "jurisdictionST": "Berlin",
  "serialNumber": "HRB 000"
}

name

{
  "name": "AR2220-Self-Signed-Certificate-2102352934DMGA000458"
}

description

{
  "CN": "00:09:52:05:b9:73",
  "O": "Auerswald",
  "description": "Vendor=Auerswald;SN=0000000000;MAC=00:00:00:00:00:00;DevClass=PBX;DevTyp=COMpact5200"
}`

From Microsoft Active Directory, DC

{
  "CN": "foo.bar.local",
  "DC": "va",
  "OU": "devices"
}

Proposal: Store hardware serial numbers in hw.serial_number instead of host.id.

In some cases recog is using host.id to store hardware serial numbers when they are captured from banners. I would like to change this, where appropriate, to a new field hw.serial_number. This would make it more clear as to what is being captured and move the data to a more appropriate context (hw).

https://github.com/rapid7/recog/search?q=host.id

In the cases where we have existing vendor specific serial numbers I would duplicate these values in hw.serial_number unless stakeholders indicate that these are not being used at all.

https://github.com/rapid7/recog/search?q=serial_number

Any feedback on this change would be greatly appreciated!

CC: @hdm @dabdine

recog_match can read banners from STDIN or from a file passed on the command line, but assumes that each line of input is a banner. This complicates working with multiline banners, like NTP:

In this case, /tmp/f contains an example NTP fingerprint taken verbatim from our fingerprints:

$  ./bin/recog_match xml/ntp_banners.xml /tmp/f
FAIL: version="ntpd [email protected] Fri Aug  8 04:08:19 PDT 2003 (1)",
FAIL: processor="i386", system="BIG-IPBIG-IP 4.5PTF-0", leap=3, stratum=16,
FAIL: precision=-16, rootdelay=0.000, rootdispersion=103599.120, peer=0,
FAIL: refid=0.0.0.0, reftime=0x00000000.00000000, poll=4,
FAIL: clock=0xd20533b8.903aa79b, state=1, offset=0.000, frequency=0.000,
FAIL: jitter=0.015, stability=0.000

Hi team,

I'm looking to add coverage for MariaDB 0ubuntu0. I working off #155 . From the scan log, we received the following version from the banner request.

Appreciate your guidance. Thank you

Nomatching fingerprint found for banner: 5.5.5-10.0.31-MariaDB-0ubuntu0.16.04.2

Installed software (from Administrative credentials): SoftwareFingerprint [[certainty=1.0][description=Ubuntu mariadb-client-10.0 10.0.31-0ubuntu0.16.04.2][family=null][product=mariadb-client-10.0][softwareClass=null][vendor=Ubuntu][version=10.0.31-0ubuntu0.16.04.2]]

package libmysqlclient20 has source: mysql-5.7
deb:libmysqlclient20 version:5.7.19-0ubuntu0.16.04.1

<fingerprint pattern="^(\d{1,2}\.\d{1,3}\.\d{1,4})-MariaDB-\dubuntu\d\.(\d{1,2}\.\d\d)[\.\d]*(?:-log)?$">
<description>MariaDB MariaDB on Ubuntu 16.04</description> <example service.version="5.7.19" os.version="16.04">5.5.5-10.0.31-MariaDB-0ubuntu0.16.04.2</example> <param pos="1" name="service.version"/> <param pos="0" name="service.vendor" value="Oracle"/> <param pos="0" name="service.family" value="MySQL"/> <param pos="0" name="service.product" value="MySQL"/> <param pos="0" name="os.vendor" value="Ubuntu"/> <param pos="0" name="os.family" value="Linux"/> <param pos="0" name="os.product" value="Linux"/> <param pos="2" name="os.version"/> </fingerprint>

These two files both match against Server headers, but for our purposes the protocols are identical and as such should be using the same fingerprint files. Having them separate is a maintenance headache and can cause misfingerprints on one or the other.

Is your feature request related to a problem? Please describe.
Make it easier for contributors and maintainers to ensure code adheres to a proper style and format.

Describe the solution you'd like
Run RuboCop on push to main branch and on pull requests.

• Add .rubocop.yml configuration to the root directory for controlling RuboCop’s behaviour
• Add workflow .github/workflows/rubocop.yml that runs RuboCop on push and pull_request

Describe alternatives you've considered
None

Additional context
N/A

Hello,

I'm looking to see how we can add coverage for MariaDB Xenial. I did find a fingerprint for a version of MariaDB that are very similar but I'm not familiar with the process of creating it. From the scan log, we received the following version from the banner request.

Any help would be greatly appreciated! Thank you!

Scan log:

No matching fingerprint found for banner: 5.5.5-10.1.23-MariaDB-1~xenial
Installed software (from Administrative credentials): 
SoftwareFingerprint [[certainty=1.0][description=Ubuntu libmysqlclient18 10.1.23+maria-1~xenial][family=null][product=libmysqlclient18][softwareClass=null][vendor=Ubuntu][version=10.1.23+maria-1~xenial]]
package libmysqlclient20 has source: mysql-5.7
deb:libmysqlclient20 version:5.7.19-0ubuntu0.16.04.1

From looking mysql_banner xml file: https://github.com/rapid7/recog/blob/master/xml/mysql_banners.xml

<fingerprint pattern="^(?:\d{1,2}\.\d{1,3}\.[a-f\d]{1,3}-)?(\d{1,2}\.\d{1,3}\.[a-f\d]{1,4})-MariaDB.+~wheezy(?:-log)?$" flags="REG_ICASE">
    <description>MariaDB MariaDB on Debian 7.0 (wheezy)</description>
    <example service.version="5.5.37">5.5.37-MariaDB-1~wheezy-log</example>
    <example service.version="10.0.11">10.0.11-MariaDB-1~wheezy-log</example>
    <example service.version="10.0.14">5.5.5-10.0.14-MariaDB-1~wheezy-log</example>
    <param pos="1" name="service.version"/>
    <param pos="0" name="service.vendor" value="MariaDB"/>
    <param pos="0" name="service.family" value="MySQL"/>
    <param pos="0" name="service.product" value="MariaDB"/>
    <param pos="0" name="os.vendor" value="Debian"/>
    <param pos="0" name="os.family" value="Linux"/>
    <param pos="0" name="os.product" value="Linux"/>
    <param pos="0" name="os.version" value="7.0"/>
  </fingerprint>

Thank you!

Erik Castellanos

There are some regexes using Ruby's \h syntax for hexadecimal values, but in other runtimes \h means horizontal whitespace. These regexes will not match correctly outside of Ruby. Instead we should be using [a-f\d] (unless someone has a better idea).

There should be test coverage to ensure that the regexes are not relying on special Ruby-only features so we can avoid any issues with this in the future.

Examples:
https://github.com/rapid7/recog/blob/master/xml/ftp_banners.xml#L219
https://github.com/rapid7/recog/blob/master/xml/ftp_banners.xml#L1126
https://github.com/rapid7/recog/blob/master/xml/ftp_banners.xml#L1136
https://github.com/rapid7/recog/blob/master/xml/ftp_banners.xml#L1194

As experienced in #74, there is room for improvement as it relates to how fingerprint regular expression flags are handled.

Today, the flags attribute is parsed in such a way that fingerprint authors can use multiple different formats for regular expression flags, and that during recog testing time, the variety of ways in which the flags are specified are normalized to something that Recog, which is written in Ruby, can understand. The issue with this, as we saw in #74, is that if we support multiple methods of specifying the same flag (in this case, REG_MULTILINE is the Java/GNU/perl friendly way and MULTILINE was the Ruby friendly way (per http://ruby-doc.org/core-2.1.1/Regexp.html#method-i-options)), any product that consumes Recog content must also have the same support for multiple methods of specifying options, or Recog itself needs to provide that mechanism.

Further proof of this is still lurking in IGNORECASE, which would still be allowed in current Recog but would break any Java/GNU/Perl implementation because REG_ICASE is the preferred method.

I am thinking we should do one of the following:

1. Pick 1 set of regular expression flags, per the TODO from http://www.rubydoc.info/gems/recog/2.0.7/Recog/Fingerprint/RegexpFactory, such that products consuming recog are responsible for translating Recog's options. Ensure that the Recog tests will properly catch a fingerprint with bad flags.
2. Ditch flags altogether and require that any regular expression "options" be specified in the regular expression itself. For example, rather than pattern="foo" flags="REG_ICASE", use pattern="(?i:foo)". We can automatically convert all of the existing fingerprints with some simple Ruby Regexp code that computes the new pattern with Regexp.new(old_pattern, old_flags).to_s

Is your feature request related to a problem? Please describe.
recog_verify does not produce line numbers, making it difficult to identify which fingerprints are problematic when running the command. For example:

xml/http_servers.xml: WARN: 'Apache' is missing an example that checks for parameter 'service.version' which is derived from a capture group
xml/http_servers.xml: WARN: 'Apache' is missing an example that checks for parameter 'apache.info' which is derived from a capture group
xml/http_servers.xml: WARN: 'Microsoft IIS 1.0 - 4.0 runs on Windows NT 4.0' is missing an example that checks for parameter 'service.version' which is derived from a capture group
xml/http_servers.xml: WARN: 'Microsoft IIS new, unknown Windows version' is missing an example that checks for parameter 'service.version' which is derived from a capture group
xml/http_servers.xml: WARN: 'Microsoft .NET Remoting and Common Language Runtime (CLR)' is missing an example that checks for parameter 'service.component.version' which is derived from a capture group

Describe the solution you'd like
Make recog_verify produce line numbers when it encounters an issue.

Describe alternatives you've considered
None.

https://github.com/rapid7/recog/blob/master/xml/snmp_sysdescr.xml#L2489-2512

Those should be FreeBSD, not Linux.

Also, that second fingerprint is just too loose -- while it is likely correct that anything beginning with FreeBSD is in fact FreeBSD, there is almost certainly more we could get from the fingerprint provided this overly loose regex wasn't there and the match didn't occur.

Describe the bug
bin/recog_standardize crashes when trying to process a file that does not exist.

Sometimes values are added to the identifier files and then they are removed from the fingerprints later without cleaning up the identifier files. bin/recog_standardize doesn't remove orphaned entries.

If, instead, it were to create missing files then that would make it easy for contributors to ensure the accuracy of files in identifiers/ by simply deleting all of the txt files and running the tool with the -w flag.

Additionally, it would be nice to have a flag that just does this for us for any file that recog_standardize is processing.

To Reproduce

$ rm identifiers/vendor.txt 

$ ruby bin/recog_standardize -w xml/*
Traceback (most recent call last):
	2: from bin/recog_standardize:52:in `<main>'
	1: from bin/recog_standardize:10:in `load_identifiers'
bin/recog_standardize:10:in `readlines': No such file or directory @ rb_sysopen - /Users/something/git/recog/identifiers/vendor.txt (Errno::ENOENT)

Expected behavior
recog_standardize creates any missing files

Installing recog version 2.0.6 using the command sudo gem install recog -v '2.0.6' gives the following error:

ERROR:  Error installing recog:
    recog requires Ruby version >= 2.1.

even when Ruby version is >= 2.1.

Here's the output of ruby --version

$ ruby --version
ruby 2.3.0p0 (2015-12-25 revision 53290) [i686-linux]

and the output of gem env

$  gem env
RubyGems Environment:
  - RUBYGEMS VERSION: 2.6.4
  - RUBY VERSION: 2.3.0 (2015-12-25 patchlevel 0) [i686-linux]
  - INSTALLATION DIRECTORY: /home/Spike/.rbenv/versions/2.3.0/lib/ruby/gems/2.3.0
  - USER INSTALLATION DIRECTORY: /home/Spike/.gem/ruby/2.3.0
  - RUBY EXECUTABLE: /home/Spike/.rbenv/versions/2.3.0/bin/ruby
  - EXECUTABLE DIRECTORY: /home/Spike/.rbenv/versions/2.3.0/bin
  - SPEC CACHE DIRECTORY: /home/Spike/.gem/specs
  - SYSTEM CONFIGURATION DIRECTORY: /home/Spike/.rbenv/versions/2.3.0/etc
  - RUBYGEMS PLATFORMS:
    - ruby
    - x86-linux
  - GEM PATHS:
     - /home/Spike/.rbenv/versions/2.3.0/lib/ruby/gems/2.3.0
     - /home/Spike/.gem/ruby/2.3.0
  - GEM CONFIGURATION:
     - :update_sources => true
     - :verbose => true
     - :backtrace => false
     - :bulk_threshold => 1000
  - REMOTE SOURCES:
     - https://rubygems.org/
  - SHELL PATH:
     - /home/Spike/.rbenv/versions/2.3.0/bin
     - /home/Spike/.rbenv/libexec
     - /home/Spike/.rbenv/plugins/ruby-build/bin
     - /home/Spike/.rbenv/plugins/ruby-build/bin
     - /home/Spike/.rbenv/shims
     - /home/Spike/.rbenv/bin
     - /home/Spike/.rbenv/bin
     - /usr/local/bin
     - /usr/bin
     - /bin
     - /usr/local/games
     - /usr/games
     - /home/Spike/.rvm/bin
     - /home/Spike/.rvm/bin

Even the Ruby version for root is 2.3.0

# ruby --version
ruby 2.3.0p0 (2015-12-25 revision 53290) [i686-linux]
# gem env
RubyGems Environment:
  - RUBYGEMS VERSION: 2.5.1
  - RUBY VERSION: 2.3.0 (2015-12-25 patchlevel 0) [i686-linux]
  - INSTALLATION DIRECTORY: /root/.rbenv/versions/2.3.0/lib/ruby/gems/2.3.0
  - USER INSTALLATION DIRECTORY: /root/.gem/ruby/2.3.0
  - RUBY EXECUTABLE: /root/.rbenv/versions/2.3.0/bin/ruby
  - EXECUTABLE DIRECTORY: /root/.rbenv/versions/2.3.0/bin
  - SPEC CACHE DIRECTORY: /root/.gem/specs
  - SYSTEM CONFIGURATION DIRECTORY: /root/.rbenv/versions/2.3.0/etc
  - RUBYGEMS PLATFORMS:
    - ruby
    - x86-linux
  - GEM PATHS:
     - /root/.rbenv/versions/2.3.0/lib/ruby/gems/2.3.0
     - /root/.gem/ruby/2.3.0
  - GEM CONFIGURATION:
     - :update_sources => true
     - :verbose => true
     - :backtrace => false
     - :bulk_threshold => 1000
  - REMOTE SOURCES:
     - https://rubygems.org/
  - SHELL PATH:
     - /root/.rbenv/versions/2.3.0/bin
     - /root/.rbenv/libexec
     - /root/.rbenv/plugins/ruby-build/bin
     - /root/.rbenv/plugins/ruby-build/bin
     - /root/.rbenv/shims
     - /root/.rbenv/bin
     - /usr/local/sbin
     - /usr/local/bin
     - /usr/sbin
     - /usr/bin
     - /sbin
     - /bin

This warning has begun regularly occurring within metasploit framework's msfconsole:

recog-1.0.27/lib/recog/fingerprint/regexp_factory.rb:33: warning: nested repeat operator '+' and '?' was replaced with '*' in regular expression

It seems to appear randomly (not necessarily in response to any particular action being done in framework), so it is not clear what to do to reproduce it yet.

A malformatted fingerprints with a pos greater than 0 and a "value" attribute passes the recog_verify.
The fingerprint below passes the verify without an error or warning but is not imported by the protocol-fingerprinter and nexpose.

   <fingerprint pattern="^Darwin (\S*) \S* Darwin Kernel Version 7.(\d+).\d+: .*RELEASE_\S* ?\s* (\S* ?\S*)$">
      <description>Mac OS X 10.3 (Panther)</description>
      <example host.name="mac-10-3-s-u" os.version.version="0">Darwin mac-10-3-s-u 7.0.0 Darwin Kernel Version 7.0.0: Wed Sep 24 15:48:39 PDT 2003; root:xnu/xnu-517.obj~1/RELEASE_PPC Power Macintosh</example>
      <param pos="1" name="host.name"/>
      <param pos="0" name="os.vendor" value="Apple"/>
      <param pos="0" name="os.family" value="Mac OS X"/>
      <param pos="0" name="os.product" value="Mac OS X"/>
      <param pos="0" name="os.device" value="General"/>
      <param pos="3" name="os.arch" value="Power Macintosh"/>
      <param pos="0" name="os.version" value="10.3"/>
      <param pos="2" name="os.version.version"/>
      <param pos="0" name="os.certainty" value="0.9"/>
   </fingerprint>

As indicated by the name, smb_native_os.xml is for fingerprinting devices based on the "native OS" field of the SMB response(s). In trying to provide some testing for rapid7/metasploit-framework#6005, I discovered that the fingerprints in https://github.com/jkennedy-r7/recog/blob/1c7456ae4dec863ddc92566bd6dc816c3af17426/xml/smb_native_os.xml#L387-L426 don't work -- these "banners" seem to be taken from the SMB "native LM" field and will not work. It may be the case that other existing fingerprints in that file are also similarly problematic, but I don't believe so.

Assuming this is correct, we should move them to a new file and add the corresponding improvement to metasploit (rapid7/metasploit-framework#6021)

It looks like the gem version is at 2.1.5, but the github releases/tags doesn't show anything new since 2.1.1. Something change with the deployment process?

cc @jhart-r7

Can you please tell me if it's possible to give nmap xml report to this tool and this project try to recognize the services ?

Decoded example is:
"TiMOS-C-12.0.R12 cpm/hops64 ALCATEL SR 7750 Copyright (c) 2000-2015 Alcatel-Lucent.

Banner Shortened For

Brevity
Login:
"

and when testing on any regex tester seems there is no match...
is there any processing done to the example before testing?

Describe the bug
Invalid URL in README.md for FLAG_MAP documentation

To Reproduce
Steps to reproduce the behavior:

1. go to README.md
2. go to section: Fingerprints
3. Find the line with: See the Recog documentation for FLAG_MAP for more information.
4. Click the link

Expected behavior
working URL in documentation

Today we do some validation like things all over the place, recog_verify, recog_match, some unit tests, some cucumber tests. We should remove anything that is better served in a schema and add it that way instead.

Describe the bug

The recent change to use {0,maxLength} prefixes broke Recog use under Go since 1024 is above the maximum limit of 1000.

To Reproduce

This Go code reproduces the problem with the new fingerprints:

package main

import (
        "regexp"
)

func main() {
        regexp.MustCompile(`^\s{0,1024}APC FTP server ready\.$`)
}

$ go run main.go
panic: regexp: Compile(`^\s{0,1024}APC FTP server ready\.$`): error parsing regexp: invalid repeat count: `{0,1024}`

goroutine 1 [running]:
regexp.MustCompile(0x781970, 0x22, 0xc0000200b8)
        C:/Program Files/Go/src/regexp/regexp.go:311 +0x15f
main.main()
        C:/Users/Developer/go/recog-go/r/t.go:8 +0x3d
exit status 2

To fix the issue, change 0,1024 instances to 0,1000

This is from a known HP-UX system:

host.example.com FTP server (Version 1.1.214.4 Wed Aug 23 03:38:25 GMT 2000) ready.

Unfortunately it is identical in format to one found on an AIX system:

host.example.com FTP server (Version 4.1 Sat Sep 7 14:31:53 CDT 2002) ready.

It isn't currently clear what the product here actually is, but asserting an OS fingerprint from this is definitely not correct.

Hi

I was confused by two fields: hw.device / os.device

seems like they all hold some device information from host

<param pos="0" name="hw.device" value="Printer"/>
<param pos="0" name="os.device" value="Printer"/>

but what different between them ? which one should I use ?

thx

CPE is tagged as 2.3, but is in 2.2 format.

To Reproduce

1. Look at an XML fingerprint file
2. Notice that the tag is cpe23
3. Notice that the actual CPE string has a "cpe:/" in it
4. CPE 2.3 would have a "cpe:2.3:" format

Would recommend changing this to a 2.2 tag, or update the CPE to 2.3