# Nmap service detection probe list -*- mode: fundamental; -*-
# $Id: nmap-service-probes,v 1.20 2003/09/15 07:28:45 fyodor Exp $ 
#
# This is a database of custom probes and expected responses that the
# Nmap Security Scanner ( http://www.insecure.org/nmap/ ) uses to
# identify what services (eg http, smtp, dns, etc.) are listening on
# open ports.  Contributions to this database are welcome.  We hope to
# create an automated submission system (as with OS fingerprints), but
# for now you can email fyodor any new probes you develop so that he
# can include them in the main Nmap distribution.  By sending new
# probe/matches to Fyodor or one of the insecure.org development mailing
# lists, it is assumed that you are transferring any and all copyright
# interest in the data to Fyodor so that he can modify it, relicense
# it, incorporate it into programs, etc. This is important because the
# inability to relicense code has caused devastating problems for
# other Free Software projects (such as KDE and NASM).  Nmap will
# always be available Open Source.  If you wish to specify special
# license conditions of your contributions, just say so when you send
# them.
#
# This collection of probe data is (C) 2003 by Insecure.Com LLC.  It is
# available for free use by open source software under the terms of
# the GNU General Public License.  We also license the data to
# selected commercial/proprietary vendors under less restrictive
# terms.  Contact sales@insecure.com for more information.
#
# For details on how Nmap version detection works, why it was added,
# the grammar of this file, and how to detect and contribute new
# services, see our paper at
# http://www.insecure.org/nmap/versionscan.html .


# This is the NULL probe that just compares any banners given to us
##############################NEXT PROBE##############################
# The probe string q|| is empty, so nothing is sent once the TCP connection
# is up; the match lines that follow are tested against whatever the service
# volunteers on its own.
Probe TCP NULL q||
# Wait for at least 5 seconds for data.  Otherwise an Nmap default is used.
totalwaitms 5000

# daytime banners.  The platform named in each version field comes from the
# sample the pattern was written from; the banner itself carries no product
# name, so these identifications rest on date layout and line ending only.
# NOTE(review): every pattern hard-codes the year, as 20\d\d or 200\d.  The
# 200\d ones (Windows, HP-UX, Tardis) stop matching as soon as the remote
# clock reads 2010 or later.
# Linux
match daytime m|^[0-3]\d [A-Z][A-Z][A-Z] 20\d\d \d\d:\d\d:\d\d \S+\r\n|
# OpenBSD 3.2
match daytime m|^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} +\d\d:\d\d:\d\d 20\d\d\r\n|
# Solaris 9
# Differs from the OpenBSD pattern above only in the line ending (\n\r here,
# \r\n there).
match daytime m|^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} +\d\d:\d\d:\d\d 20\d\d\n\r| v/Sun Solaris daytime///
# Windows daytime
match daytime m|^\d+:\d\d:\d\d [AP]M \d+/\d+/200\d\n$| v/Microsoft Windows USA daytime///
# HP-UX B.11.00 A inetd daytime
match daytime m|^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d [A-Z]+ 200\d\r\n$| v/HP-UX daytime///
# Tardis 2000 v1.4 on NT
# NOTE(review): the doubled '^^' anchor is redundant.  The pattern expects a
# trailing space and no line terminator before end of input.
match daytime m|^^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d 200\d $| v/Tardis 2000 daytime///

# time service: a bare four-byte reply whose first byte is 0xc0-0xc5.
# NOTE(review): assuming the reply is the RFC 868 32-bit count of seconds
# since 1900, that first-byte range only covers clocks from roughly 2002 to
# early 2005 -- confirm and widen.  There is also no 's' flag, so '.' will
# not match a 0x0a byte among the last three bytes.
match time m|^[\xc0-\xc5]...$|
match chargen m|^!"#\$%\&'\(\)\*\+,-\./0123456789:;<=>\?\@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\\\]\^_`abcdefgh\r\n"#\$%\&'\(\)\*\+,-\./0123456789:;<=>\?\@ABCDEF| v/Linux chargen///
# Sun Solaris 9; Windows
match chargen m|^\ !"#\$%&'\(\)\*\+,-\./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\\\]\^_|

# Windows QOTD service only has 12 quotes.  Found on Windows XP in
# %systemroot%\system32\drivers\etc\quotes
match qotd m/^"(My spelling is Wobbly\.|Man can climb to the highest summits,|In Heaven an angel is nobody in particular\.|Assassination is the extreme form of censorship\.|When a stupid man is doing|We have no more right to consume happiness without|We want a few mad people now.|The secret of being miserable is to have leisure to|Here's the rule for bargains:|Oh the nerves, the nerves; the mysteries of this machine called man|A wonderful fact to reflect upon,|It was as true as taxes is\.)/ v/Windows qotd///

match ftp m/^220.*Microsoft FTP Service \(Version (\d[^)]+)/ v/Microsoft ftpd/$1//
# This lame version doesn't give a version number
match ftp m/^220 Microsoft FTP Service\r\n$/ v/Microsoft ftpd///
match ftp m/^220 Serv-U FTP Server v(\d\S+) for WinSock ready/ v/Serv-U ftpd/$1//
match ftp m/^220 Serv-U FTP-Server v(\d\S+) for WinSock ready/ v/Serv-U ftpd/$1//
match ftp m/^220-Sambar FTP Server Version (\d\S+)\x0d\x0a/ v/Sambar ftpd/$1//
match ftp m/^220 JD FTP Server Ready/ v/HP JetDirect ftpd///
match ftp m/^220.*Check Point FireWall-1 Secure FTP server running on/s v/Check Point Firewall-1 ftpd///
match ftp-proxy m/^220-Sidewinder ftp proxy\.  You must login to the proxy first/ v/Sidewinder FTP proxy///
match ftp-proxy m/^220-\r\x0a220-Sidewinder ftp proxy/s v/Sidewinder FTP proxy///
match ftp m/^220[- ].*FTP server \(Version (wu-[-.\w]+)/s v/WU-FTPD/$1//
match ftp m|^220-\r\n220 [-.\w]+ FTP server \(Version ([-.+\w()]+)\) ready\.\r\n$| v/WU-FTPD/$1//
match ftp m|^220 [-.\w]+ FTP server \(Version ([-.+\w()]+)\) ready\.\r\n$| v/WU-FTPD/$1//
match ftp m/^220 ProFTPD (\d\S+) Server/ v/ProFTPD/$1//
match ftp m/^220.*ProFTP[dD].*Server ready/ v/ProFTPD///
match ftp m/^220.*NcFTPd Server / v/NcFTPd///
match ftp m/^220.*FTP server \(SunOS 5\.([789])\) ready/ v/Sun Solaris $1 ftpd///
match ftp m/^220.*FTP server \(SunOS (\S+)\) ready/ v/Sun SunOS ftpd/$1//
match ftp m/^220-[-.\w]+ IBM FTP.*(V\d+R\d+)/ v|IBM OS/390 ftpd|$1||
match ftp m/^220 VxWorks \((\d[^)]+)\) FTP server ready/ v/VxWorks ftpd/$1//
match ftp m/^220 VxWorks \(VxWorks(\d[^)]+)\) FTP server ready/ v/VxWorks ftpd/$1//
match ftp m/^220.*Welcome to PureFTPd (\d\S+)/ v/PureFTPd/$1//
match ftp m/^220 ready, dude \(vsFTPd (\d[0-9.]+): beat me, break me\)\r\n/ v/vsFTPd/$1//
match ftp m/^220 \(vsFTPd ([-.\w]+)\)\r\n$/ v/vsFTPd/$1//
match ftp m/^220 TYPSoft FTP Server (\d\S+) ready\.\.\.\r\n/ v/TYPSoft ftpd/$1//
match ftp m/^220-MegaBit Gear (\S+).*FTP server ready/ v/MegaBit Gear ftpd/$1//
match ftp m/^220.*WS_FTP Server (\d\S+)/ v/WS FTPd/$1//
match ftp m/^220 Features: a p \.\r\n$/ v/Publicfile ftpd///
match ftp m/^220 [-.\w]+ FTP server \(Version (\S+) VFTPD, based on Version (\S+)\) ready\.\r\n$/ v/Virtual FTPD/$1/based on $2/
match ftp m|^220 [-.\w]+ FTP server \(Version (\S+)/OpenBSD, linux port (\S+)\) ready\.\r\n| v/OpenBSD ftpd/$1/Linux port $2/
match ftp m|^220 [-.\w]+ FTP server \(Version (\S+)/OpenBSD/Linux-ftpd-([-.\w]+)\) ready.\r\n$| v/OpenBSD ftpd/$1/Linux port $2/
match ftp m/^220 Interscan Version ([-\w.]+)/i v/Interscan Viruswall ftpd/$1//
match ftp m|^220 [-.\w]+ FTP server \(Version ([-.\w]+)/OpenBSD\) ready\.\r\n$| v/OpenBSD ftpd/$1//
match ftp m|^220-Welcome to [A-Z]+ FTP Service\.\r\n220 All unauthorized access is logged\.\r\n$| v/FileZilla ftpd///
match ftp m|^220 [-.\w]+ FTP server \(Version (6.0\w+)\) ready.\r\n| v/FreeBSD ftpd/$1//
# OpenBSD 3.4 beta running Pure-FTPd 1.0.16 with SSL/TLS
match ftp m|^220---------- Welcome to Pure-FTPd \[privsep\] \[TLS\] ----------\r\n220-You are user number| v|Pure-FTPd||with SSL/TLS|
match ftp m|^220---------- Welcome to Pure-FTPd ----------\r\n220-You are user number| v/Pure-FTPd///
# Trolltech Troll-FTPD 1.28 (Only runs on Linux)
match ftp m|^220-Setting memory limit to 1024\+1024kbytes\r\n220-Local time is now \d+:\d+ and the load is [.\d]+\.\r\n220 You will be disconnected after \d+ seconds of inactivity.\r\n$| v/Trolltech Troll-FTPd//on Linux/
# Netware 6 - NWFTPD.NLM FTP Server Version 5.01w
match ftp m|^220 Service Ready for new User\r\n$| v/Netware NWFTPD///
match ftp m|^220 [-.\w]+ MultiNet FTP Server Process V(\S+) at .+\r\n$| v/DEC OpenVMS MultiNet FTPd/$1//
match ftp m|^220-\r\n220 [-.\w]+ FTP server \(NetBSD-ftpd ([-.\w]+)\) ready.\r\n$| v/NetBSD ftpd/$1//
match ftp m|^220 ([-.\w]+) Network Management Card AOS v([-.\w]+) FTP server ready.\r\n$| v/APC AOS ftpd/$2/on APC $1 network management card/
# G-Net BB0060 ADSL Modem - the ftpd might be by "GlobespanVirata" as that
# is what the telnetd on this device said.
match ftp m|^220 FTP Server \(Version 1.0\) ready.\r\n$| v/G-Net DSL Modem ftpd/1.0//
# HP-UX B.11.00
match ftp m|^220 [-.\w ]+ FTP server \(Version (1.1.2[.\d]+) [A-Z][a-z]{2} [A-Z][a-z]{2} .*\) ready.\r\n| v/HP-UX ftpd/$1//
# 220 mirrors.midco.net FTP server ready.
softmatch ftp m/^220 [-.\w ]+ftp.*\r\n$/i
softmatch ftp m/^220-[-.\w ]+ftp.*\r\n220/i

# SSH identification strings, seen by the NULL probe without sending anything.
# The product and version reported are copied from the server's own banner.
# Administrators can change that string and vendors backport fixes without
# bumping it, so treat the result as a hint, not as proof of patch level.
match ssh m/^SSH-([.\d]+)-OpenSSH_(\S+)/ v/OpenSSH/$2/protocol $1/
match ssh m/^SSH-([.\d]+)-Sun_SSH_(\S+)/ v/SunSSH/$2/protocol $1/
# The version field labels this banner as a rootkit's sshd.  A hit on this
# line is an indicator of compromise to be escalated, not an ordinary
# service identification.
match ssh m/^SSH-([.\d]+)-meow roototkt by rebel/ v/meow SSH ROOTKIT//protocol $1/
match ssh m/^SSH-([.\d]+)-(\d+\.\d+\.\d+) SSH Secure Shell/ v/SSH/$2/protocol $1/
# Generic form: any software field that starts with a dotted numeric version.
match ssh m/^SSH-([.\d]+)-(\d+\.\d+\.[-.\w]+)/ v/SSH/$2/protocol $1/
# Akamai hosted systems tend to run this - found on www.microsoft.com
match ssh m|^SSH-(\d[.\d]*)-AKAMAI-I\n$| v/Akamai-I SSH//protocol $1/
match ssh m|^SSH-(\d[.\d]+)-Cisco-(\d[.\d]+)\n$| v/Cisco SSH/$2/protocol $1/
match ssh m|^SSH-(\d[.\d]+)-SSH Protocol Compatible Server SCS (\d[-.\w]+)\n| v/NetScreen SCS sshd/$2/protocol $1/
# Fallback: anything that begins like an SSH banner is at least tagged as ssh,
# with no product or version attached.
softmatch ssh m/^SSH-([.\d]+)-/

match telnet m/^Check Point FireWall-1 authenticated Telnet server running on/ v/Check Point Firewall-1 telnetd///
match telnet m/^\r\nSpeedStream ([^(\r\n]+) \(.*\) v(\S+) Ready\r\n\xff\xfb\x01\xff\xfb\x03\xff\xfd/ v/SpeedStream $1/$2//
match telnet m/^\r\nRaptor Firewall Secure Gateway\.\r\n\r\nAccess denied\.\r\n/ v/Raptor Firewall Secure Gateway telnetd//Access Denied/
match telnet m/^\*\*\*\*\*\*\* System Image Boot \*\*\*\*\*\*\*\n\r\n\rVina Technologies (.*) \((\d[-.\w]+ build \d+)\)\n\r/ v/Vina Technologies $1 telnetd/$2//
match telnet m/^\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03\x1b\[0m\x1b\[2J\x1b\[01;00H\r\0Gigalink ([-+ \w]+)/ v/Gigalink telnetd//on $1/
match telnet m/^\xff\xfb\x03\xff\xfb.*D-Link.*Telnet Console.*Model\s+: ([-+\w]+)/s v/D-Link telnetd//on $1/
match telnet m/^\xff\xfa\x18\x01\xff\xf0\xff\xfb\x01\xff\xfb\x03Ambit Cable Router\r\n\r\nLogin: / v/Ambit Cable Router telnetd///
# NOTE(review): this pattern looks unable to match the real banner.  It
# requires a literal '"' before the IAC bytes, and in \"?\" the unescaped '?'
# makes the first quote optional instead of matching a literal question mark.
# A later telnet match for the same HP JetDirect banner has no leading quote
# and escapes the '?'.  Confirm, then drop this line in favour of that one.
match telnet m|^"\xff\xfc\x01\r\nHP JetDirect\r\n\r\nPlease type \"?\" for HELP, or \"/\" for current settings\r\n> $| v/HP JetDirect telnetd///
match telnet m/^\n\rVina Technologies (.*) \((\d[-.\w]+ build \d+)\)/ v/Vina Technologies $1 telnetd/$2//
match telnet m/^\xff\xfd\x03\xff\xfb\x03\xff\xfb\x01\x1b\[0m\x1b\[1;1H\x1b\[2J\rD\r           \n\r             (DES-.*) Command Line Interface\n\r\n/ v/D-Link $1 telnetd///
match telnet m/^\xff\xfb\x01\xff\xfb\x03\xff\xfc\x1f\n\r\n\rUser Access Verification\n\r\n\r\n\r\n\r\n\rShell version (\d\S+).*Maipu Communication Technology Co\./ v/Maipu Router//shell v$1/
match telnet m/^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x03\x1b.*Intel Corporation, ([-+. \w()]+)/s v/Intel telnetd//on $1/
match telnet m|^\r\nFlowPoint/(.*) Ready\r\n.*\xff\xfb\x01\xff\xfb| v/Flowpoint telnet//on $1/
match telnet m/Welcome to Tenor Multipath Switch Telnet Server.*Type: (\S+)/s v/Tenor telnetd/$1/on Multipath Switch/
match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01\x0d\x0a\x0d\x0aCisco\x20Systems.*Console/Telnet Access of the ([-. \w]+) for Configuration Purposes|s v/Cisco $1 telnetd///
# Cisco 678 DSL router
match telnet m|^\r\n\r\nUser Access Verification\r\nPassword:\xff\xfb\x01$| v/Cisco DSL router telnetd///
#  Cisco 2900 Catalyst switch, IOS 12.0(5)XU
# Cisco 3600 router running IOS 12.X
match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f.*User Access Verification\r\n\r\nPassword: $|s v/Cisco router telnetd//IOS 12.X/
match telnet m|^Access not permitted\. Closing connection\.\.\.\n$|s v/Cisco catalyst switch telnetd//access denied/
# OpenBSD 2.3
# FreeBSD 5.1
match telnet m|^\xff\xfd%$| v/BSD-derived telnetd///
# Solaris 9
match telnet m|^\xff\xfd\x18\xff\xfd\x1f\xff\xfd#\xff\xfd'\xff\xfd\$$| v/Sun Solaris telnetd///
# Redhat Linux 7.3 telnet
match telnet m|^\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'$| v/Linux telnetd///
match telnet m|^\xff\xfb\x01\n\rUser Name : $| v/APC network management card telnetd///
# G-Net BB0060 ADSL Modem
match telnet m|^\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03\n\r                         \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\n\r.*GlobespanVirata Inc\., Software Release ([-.\w]+)\n\r|s v/GlobespanVirata telnetd/$1/on broadbrand router/
# HP-UX B.11.00 A
match telnet m|^\xff\xfd\$$| v/HP-UX telnetd///
match telnet m|^\xff\xfd\x18$| v/Cisco microswitch telnetd///
# Cayman-DSL Model 3220-H, DMT-ADSL (Alcatel) OS version 6.3.0
match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfe\x01\n\rlogin: $| v/Cayman-DSL router telnetd///
# Blue Coat Port 80 Security Appliance  Model: Blue Coat SG400  Software Version: SGOS 2.1.6044 Software Release id: 19480 Service Pack 4
# Maybe I should call this SGOS telnetd instead
match telnet m|^\xff\xfb\x03\xff\xfb\x01\xff\xfd\x1f\r\n\r\nUsername: $| v/Blue Coat telnetd///
match telnet m|^\xff\xfb\x01@ Userid: | v/Shiva LanRover telnetd///
# Netscreen ScreenOS 4.0.1r1.0 telnetd on a netscreen 5XT running firmware 4.0.1r1.0
match telnet m|^\xff\xfd\x18\xff\xfb\x01\xff\xfe\x01Remote Management Console\r\n\r\nlogin: $| v/Netscreen ScreenOS telnetd///
# Note that openwall telnetd is derived from OpenBSD telnetd
match telnet m|^\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'\xff\xfd\$$| v|Openwall GNU/*/Linux telnetd|||
match telnet m|^\xff\xfc\x01\r\nHP JetDirect\r\n\r\nPlease type \"\?\" for HELP, or \"/\" for current settings\r\n> $| v/HP Jet Direct printer telnetd///

match smtp m/^220 [-.+\w]+ \(IMail ([^)]+)\) NT-ESMTP Server/ v/IMail NT-ESMTP/$1//
match smtp m/^220 X1 NT-ESMTP Server [-.+\w]+ \(IMail ([^)]+)\)\r\n/ v/IMail NT-ESMTP/$1//
match smtp m/^220-[-.+\w]+ Microsoft SMTP MAIL ready at.*Version: ([-\w.]+)\r\n/ v/Microsoft SMTP/$1//
match smtp m/^220 [-.+\w]+ Microsoft ESMTP MAIL Service, Version: ([-\w.]+) ready/ v/Microsoft ESMTP/$1//
match smtp m/^220 [-.+\w]+ ESMTP Server \(Microsoft Exchange Internet Mail Service ([-\w.]+)\) ready/ v/Microsoft Exchange/$1//
match smtp m/^220 [-.+\w]+ ESMTP Sendmail (\d[^;]+);/ v/Sendmail/$1//
match smtp m|^220 [-.+\w]+ SMTP Sendmail ([-/.+\w]+)\r\n| v/Sendmail/$1//
match smtp m|^220 [-.+\w]+ Sendmail (SMI-\S+) ready at .*\r\n$| v/Sendmail/$1//
match smtp m/^220[- ][-.+\w]+ ESMTP Exim (\d\S+)/ v/Exim smtpd/$1//
match smtp m/Failed to open configuration file.*exim/ v/Exim smtpd///
match smtp m/^220 CheckPoint FireWall-1 secure ESMTP server\r\n$/ v/Checkpoint FireWall-1 smtpd///
match smtp m/^220 CheckPoint FireWall-1 secure SMTP server\r\n$/ v/Checkpoint FireWall-1 smtpd///
match smtp m|^220 [-.+\w]+ running IBM AS/400 SMTP V([\w]+)| v|IBM AS/400 smtpd|$1||
match smtp m/^220 Trend Micro ESMTP ([-.+\w]+) ready\.\r\n$/ v/Trend Micro ESMTP/$1//
match smtp m/^220 [-.+\w]+ ESMTP Mail Enable SMTP Service, Version: (\d[\w.]+)-- ready at/ v/MailEnable smptd/$1//
match smtp m/^220 [-.+\w]+ ESMTP CPMTA-([-.+\w]+) - NO UCE\r\n/ v/CPMTA/$1/Qmail-derived/
match smtp m|^220 [-.+\w]+ SMTP/smap Ready\.\r\n| v/Smap//from firewall toolkit/
match smtp m|^220 [-.+\w]+ ESMTP service \(Netscape Messaging Server ([-.+ \w]+) \(built| v/Netscape Messaging Server/$1//
match smtp m|^220-InterScan Version (\S+) .*Ready\r\n220 [-.+\w]+ NTMail \(v([-.+\w]+)/.* ready| v/Trend Micro InterScan/$1/on NTMail $2/
match smtp m|^220 [-.+\w]+ GroupWise Internet Agent (\S+) .*Novell, Inc\.  Ready\r\n| v/Novell GroupWise/$1//
match smtp m|^220 Matrix SMTP Mail Server v([\w.]+) on <MATRIX_([\w]+)> Simple Mail Transfer Service Ready\r\n| v/Matrix SMTP Mail Server/$1/on Matrix $2/
match smtp m|^220 Net_sec WebShield SMTP V(\S+) Network Associates, Inc\. Ready at| v/Network Associates WebShield/$1//
match smtp m|^220 [-.+\w]+ ESMTP MailMasher ready to boogie\r\n| v/MailMasher smtpd///
# postfix 1.1.11-0.woody2
match smtp m|^220 [-.\w]+ ESMTP Postfix| v/Postfix smtpd///
# A 220 greeting whose text is nothing but 10-40 asterisks.  The info field
# attributes this to a Cisco PIX masking the banner, so a hit presumably
# identifies the firewall in the path and says nothing about the mail server
# behind it -- confirm.
# NOTE(review): "sanatized" in the reported product name is a misspelling of
# "sanitized"; anything that keys on the product string will see it verbatim.
match smtp m|^220 \*{10,40}\r\n| v|Cisco PIX sanatized smtpd|||
match smtp m|^220 ArGoSoft Mail Server Pro for WinNT/2000/XP, Version [-.\w]+ \(([-.\w]+)\)\r\n| v/ArGoSoft Mail Server Pro/$1//
match smtp m|^220 [-.\w]+ ESMTP server \(Post.Office v([-.\w]+) release ([-.\w]+) ID# | v/Post.Office/$1 release $2//
match smtp m|^220 [-.\w]+ ESMTP VisNetic.MailServer.v([-.\w]+); | v/VisNetic MailServer/$1//
# CommuniGate Pro 4.0.5
match smtp m|^220 [-.\w]+ ESMTP Service. Welcome.\r\n$| v/CommuniGate Pro smtpd///
match smtp m|^220 [-.\w]+ Process Software ESMTP service V([-.\w]+) ready| v/Process Software smtpd/$1/on OpenVMS/
match smtp m|^220 [-.\w]+ Mercury (\d[-.\w]+) ESMTP server ready\.\r\n$| v/Mercury Mail smtpd/$1//
match smtp m|^220 [-.\w]+ ESMTP Service \(Lotus Domino Release (\d[-.\w]+)\) ready at | v/Lotus Domino smtpd/$1//
match smtp m|^relaylock: Error: PRODUCT_ROOT_D not defined\nrelaylock: Error: PRODUCT_ROOT_D not defined\n1\n$| v/Plesk relaylock smtp wrapper//broken/
match smtp m|^220 [-.\w]+ WebSTAR Mail Simple Mail Transfer Service Ready\r\n| v/WebSTAR SMTP server///
match smtp m|^220 [-.\w]+ Lotus SMTP MTA Service Ready\r\n$| v/Lotus Notes SMTP///
softmatch smtp m|^220 [-.\w ]+SMTP.*\r\n|

match pop3 m/^\+OK X1 NT-POP3 Server [-\w.]+ \(IMail ([^)]+)\)\r\n/ v/IMail pop3d/$1//
match pop3 m/^\+OK POP3 \[cppop (\d[^]]+)\] at \[/ v/cppop pop3d/$1//
match pop3 m/^\+OK Microsoft Exchange 2000 POP3 server version (\S+).* ready\.\r\n/ v/MS Exchange 2000 pop3d/$1//
match pop3 m/^\+OK Microsoft Exchange POP3 server version (\S+) ready\r\n/ v/MS Exchange pop3d/$1//
match pop3 m/^\+OK QPOP \(version ([^)]+)\) at .*starting\./ v/Qpop pop3d/$1//
match pop3 m/^\+OK QPOP Modified by Compaq \(version ([^)]+)\) at .*starting\./ v/QPop pop3d/$1//
match pop3 m/^\+OK Qpopper \(version ([^)]+)\) at .*starting\./ v/Qpopper pop3d/$1//
# NOTE(review): the capture (\d[-.\w]) takes exactly two characters and must
# be followed directly by ')', so only two-character versions can match.
# Other patterns in this file use (\d[-.\w]+) -- a '+' looks to be missing.
match pop3 m/^\+OK [-.\w]+ POP3 server \(Netscape Mail Server v(\d[-.\w])\) ready/ v/Netscape Mail Server pop3d/$1//
match pop3 m/^\+OK Cubic Circle's v(\d[-.\w]+) .* POP3 ready/ v/Cubic Circle Cucipop pop3d/$1//
match pop3 m/^\+OK CCProxy (\S+) POP3 Service Ready\r\n/ v/CCProxy pop3d/$1//
match pop3 m/^\+OK ArGoSoft Mail Server Freeware, Version \S+ \(([^)]+)\)\r\n/ v/ArGoSoft freeware pop3d/$1//
match pop3 m/^\+OK [-.\w]+ Execmail POP3 \((\d[^)]+)\)/ v/Execmail pop3d/$1//
match pop3 m/^\+OK MailSite POP3 Server (\S+) Ready </ v/MailSite pop3d/$1//
match pop3 m/^Proxy\+ POP3 server\. Insecure access - terminating\.\r\n/ v/Proxy+ pop3d///
match pop3 m/^\+OK [-.\w]+ POP MDaemon (\S+) ready <MDAEMON/ v/MDaemon pop3d/$1//
# qmail-pop3d 1.03-1
match pop3 m/^\+OK <\d{1,5}\.10\d{8}@[-.\w]+>\r\n$/ v/Qmail-pop3d///
# Courier Pop3 courier-pop3d-0.42.0-1.7.3
match pop3 m|^\+OK Hello there\.\r\n$| v/Courier pop3d///
match pop3 m|^\+OK ArGoSoft Mail Server Pro for WinNT/2000/XP, Version [-.\w]+ \(([-.\w]+)\)\r\n$| v/ArGoSoft Mail Server Pro pop3d/$1//
match pop3 m/^\+OK [-.\w]+ VisNetic.MailServer.v([-.\w]+) POP3 / v/VisNetic MailServer pop3d/$1//
match pop3 m/^\+OK [-.\w]+ POP3 server \(Post\.Office v([-.\w]+) release ([-.\w]+) with ZPOP version ([-.\w]+)\) ready / v|Post.Office pop3d|$1 release $2|w/ZPOP $3|
match pop3 m/^\+OK CommuniGate Pro POP3 Server ([-.\w]+) ready/ v/CommuniGate Pro/$1//
# NOTE(review): a greeting of just "+OK" names no product.  Because this is a
# hard match, any POP3 server that greets with a bare "+OK" and is not caught
# by an earlier line is reported as popa3d -- treat the result as low
# confidence.
match pop3 m/^\+OK\r\n$/ v/Openwall popa3d///
match pop3 m|^\+OK [-.\w]+ MultiNet POP3 Server Process V(\S+) at| v/DEC OpenVMS MultiNet pop3d/$1//
match pop3 m|^\+OK <.*>, MercuryP/NLM v(\d[-.\w]+) ready.\r\n$| v/Mercury POP3 server/$1/on Novell Netware/
match pop3 m|^\+OK Microsoft Windows POP3 Service Version 1.0 <| v/Microsoft Windows 2003 POP3 Service/1.0//
match pop3 m|^\+OK POP3 [-.\w]+ v(200\d\.[-.\w]+) server ready\r\n| v/UW Imap pop3 server/$1//
match pop3 m|^\+OK POP3 server ready <\w{11}>\r\n$| v/WebSTAR pop-3 server///
softmatch pop3 m|^\+OK [-\[\]\(\)!,/+:<>@.\w ]+\r\n$|

match nntp m|^200 Lotus Domino NNTP Server for UNIX \(Release (\d[-.\w]+), .*\) - Not OK to post\r\n$| v/Lotus Domino nntpd/$1/posting denied/
softmatch nntp m|^200 [-\[\]\(\)!,/+:<>@.\w ]*nntp[-\[\]\(\)!,/+:<>@.\w ]*\r\n$|
# Windows 2000 Server read:
match nntp m|^200 NNTP Service 5\.00\.0984 Version: (5\.0\.2159.1) Posting Allowed \r\n| v/Microsoft NNTP Service/$1/on Windows 2000 Server/
# Windows NT 4.0 SP5-SP6 
match nntp m|^200 Microsoft Exchange Internet News Service Version (5\.5\.[.\d]+) \(posting allowed\)\r\n| v/Microsoft Exchange Internet News Service/$1/posting allowed/
match nntp m|^200 [-.\w]+ InterNetNews NNRP server INN (\d[-.\w]+) ready \(posting ok\)\.\r\n$| v/InterNetNews (INN)/$1/posting ok/
# courier-0.36.1
match imap m|^\* OK Courier-IMAP ready\. Copyright 1998-2001 Double Precision, Inc\.  See COPYING for distribution information\.\r\n$| v/Courier Imap///
# Courier-Imap 1.4.3-2.3
match imap m|^\* OK Courier-IMAP ready\. Copyright 1998-2002 Double Precision, Inc\.  See COPYING for distribution information\.\r\n$| v/Courier Imap///
# Courier IMAP courier-imapd-0.42.0-1.7.3
match imap m|^\* OK \[CAPABILITY IMAP4rev1 NAMESPACE AUTH=CRAM-MD5 AUTH=CRAM-SHA1 CHILDREN IDLE QUOTA SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES UIDPLUS STARTTLS\] Courier-IMAP ready\. Copyright 1998-2003 Double Precision, Inc\.  See COPYING for distribution information\.\r\n| v/Courier IMAP4rev1/0.42.0//
# I could probably save more info and fingerprint this better ... but I'm not
# sure it is quite worth that just for Courier Imap.
match imap m|^\* OK \[CAPABILITY IMAP4rev1.*Courier-IMAP ready\.| v/Courier Imap///
# Courier IMAP 1.7.2
# The version 1.7.2 is not captured from the banner; it is hard-coded for
# this exact CAPABILITY list, so it is an inference from the capability set.
# NOTE(review): unlike its neighbours this pattern has no leading '^' and
# leaves the dots after "ready", "Inc" and "information" unescaped.  Assuming
# match lines are tried in file order and the first hit wins, the generic
# "CAPABILITY IMAP4rev1.*Courier-IMAP ready" match above it shadows this line,
# so the 1.7.2 label would never be reported -- confirm and reorder.
match imap m|\* OK \[CAPABILITY IMAP4rev1 CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA\] Courier-IMAP ready. Copyright 1998-2003 Double Precision, Inc.  See COPYING for distribution information.\r\n$| v/Courier IMAP4rev1/1.7.2//
match imap m|^\* OK CommuniGate Pro IMAP Server ([-.\w]+) at [-.\w]+ ready\r\n$| v/CommuniGate Pro imapd/$1//
# UW-Imapd-SSL v2001adebian-6
match imap m|^\* OK \[CAPABILITY IMAP4REV1 X-NETSCAPE LOGIN-REFERRALS STARTTLS AUTH=LOGIN\] \S+ IMAP4rev1 ([-.\w]+) at| v/UW-Imapd-SSL/$1//
match imap m|^\* OK Domino IMAP4 Server Release (\d[-.\w]+) +ready| v/Lotus Domino imapd/$1//
match imap m|^\* OK Microsoft Exchange IMAP4rev1 server version ([-.\w]+) | v/Microsoft Exchange IMAP4rev1 server/$1//
match imap m|^\* OK \[CAPABILITY IMAP4REV1 .*IMAP4rev1 (200\d\.[-.\w]+) at| v/UW Imapd/$1//
match imap m|^\* OK [-.\w]+ Cyrus IMAP4 v([-.\w]+) server ready\r\n| v/Cyrus IMAP4 server/$1//
softmatch imap m/^\* OK [-.\w ]+\r\n$/

match ident m|^flock\(\) on closed filehandle .*midentd| v/midentd//broken/
match mysql m/^.\0\0\0\xffj\x04Host .* is not allowed to connect to this MySQL server$/ v/MySQL//unauthorized/
# MySQL 4.0.13
match mysql m/^.\0\0\0...Al sistema '[-.\w]+' non e` consentita la connessione a questo server MySQL$/ v/MySQL///
match mysql m/^.\0\0\0.(3\.[-.\w]+)\0.*\x08\x02\0\0\0\0\0\0\0\0\0\0\0\0\0\0$/s v/MySQL/$1//
match mysql m/^.\0\0\0\n(3\.[-.\w]+)\0..\0\0/s v/MySQL/$1//
# r(NULL,2B,"'\0\0\0\n4.0.13\0\xdf\xbc\x02\0SC7)fHu5\0, \x08\x02\0\0\0\0\0\0\0\0\0\0\0\0\0\0")
match mysql m/^.\0\0\0\n(4\.[-.\w]+)\0...\0/s v/MySQL/$1//
match mud m|^\n\r\xff\xfbUDo you want ANSI color\? \(Y/n\) $| v|ROM-based MUD||http://rrp.rom.org/|
# Matches the startup banner that cmd.exe prints, received unprompted on
# connect.  An interactive command prompt bound to a TCP port is not a normal
# service: investigate a hit as a possible backdoor or a forgotten
# administrative listener.  $1 is the Windows flavour, $5 the build version.
match winshell m/^Microsoft Windows ((2000)|(XP)|(NT 4\.0)) \[Version ([\d.]+)\]\r\n\(C\) Copyright 1985-20\d\d Microsoft Corp\.\r\n\r\n/ v/Microsoft Windows $1 $5 cmd.exe///
match netsaint m|^Sorry, you \(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\) are not among the allowed hosts\.\.\.\n$| v/Netsaint status daemon///
match ncacn_http m|^ncacn_http/([\d.]+)$| v/ncacn_http/$1//
match issrealsecure m|^\0\0\0\x9d\x08\x01\x03\x01\0\x95\x02\0\0\x03\xe6\0\0\xac\0\0\0f\x04\0\0\x80\x04\0\xef\0\xa8\0\xa06ISS ECNRA Built-In Provider, Strong Encryption Version\0\0\0\0| v/ISS RealSecure///
# TightVNC 1.2.6
match vnc m|^RFB 003.003\n$| v/VNC//protocol 3.3/
match irc-proxy m|^:Welcome!psyBNC@lam3rz\.de NOTICE \* :psyBNC([-.\w]+)\r\n| v/psyBNC/$1//
match hylafax m|^220 [-.\w]+ server \(HylaFAX \(tm\) Version ([\d.]+)\) ready\.\r\n$| v/HylaFAX/$1//
# HP-UX B.11.00 A 9000/785
match shell m|^\x01remshd: getservbyname\n$| v/HP-UX Remshd///
match snpp m|^220 [-.\w]+ SNPP server \(HylaFAX \(tm\) Version ([-.\w]+)\) ready.\r\n| v/HylaFAX SNPP/$1//
match snpp m|^220 QuickPage v(\d[-.\w]+) SNPP server ready at | v/QuickPage SNPP/$1//
# RedHat 7.3 - rsync server version 2.5.4  protocol version 26
match rsync m|^@RSYNCD: (\d+)\n\n$| v///protocol version $1/
# Redhat Linux 7.1
match rsync m|^@RSYNCD: (\d+)\n$| v///protocol version $1/
# Unreal IRCD Server version 3.2 beta 17
match ircd m|^:[-.\w]+ NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\n| v/Unreal IRCD///
match pcanywheredata m/^\0X\x08\0}\x08\x0d\x0a\0\x2e\x08Please press<Enter>...\x0d\x0a/ v/PCAnywhere///
match meetingmaker m/^\xc1,$/ v/Meeting Maker calendaring///
match finger m|^\r\n    Line      User       Host\(s\)              Idle Location\r\n| v/Cisco fingerd//IOS 12.X/
# Windows 2000 Server Windows Media Unicast Service (NsUnicast) - Nsum.exe
match nsunicast m|^4\0\0\0V4\x12\0\0\0\0\0\0\0\0\x004\0\0\0\x04\0\xf0\0\xd3\x07\t\0.\0.\0.\0.\0.\0..\0\0\0\0.\0\0\0.\0\0\0\x02\0|s v/Microsoft Windows Media Unicast Service//nsum.exe/
match nsunicast m|^[4f]\0\0\0V4\x12\0\0\0\0\0\0\0\0\x00[4f]\0\0\0.\0\xf0\0\xd3\x07\t\0.\0.\0.\0.\0.\0..\0\0\0\0.\0\0\0..\0\0.\0|s v/Microsoft Windows Media Unicast Service//nsum.exe/
# Redhat Linux 7.1 - HAHAHAHAHAHA!!!! I love this service :)
# The pattern is the column header of a process listing.  A host that matches
# hands its process table (users, PIDs, commands) to any client that
# connects, with no authentication; report it as an information-disclosure
# finding and disable the service.
match systat m|^USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND\n| v/Linux systat///
# I love this service too:
# This one matches netstat's own usage error, hence "broken" in the info
# field: the listener invokes netstat with an option it rejects, so what is
# fingerprinted is the misconfiguration.
match netstat m|^netstat: invalid option -- f\nusage: netstat \[-veenNcCF\]| v/Linux netstat//broken/
match hp-gsg m|^220 JetDirect GGW server \(version (\d[.\d]+)\) ready\r\n| v/HP JetDirect Generic Scan Gateway/$1//
match http m|^HTTP/1.0 500\r\nContent-type: text/plain\r\n\r\nNo Scan Capable Devices Found\r\n| v/HP Embedded Web Server remote scan service//no scanner found/
match dict m|^530 access denied\r\n$| v/dictd//access denied/
match dict m|^220 [-.\w]+ dictd ([-.\w/]+) on ([-.+ \w]+) <auth\.mime>| v/dictd/$1/on $2/
match sftp m|^\+Shiva SFTP Service\0$| v/Shiva LanRover SFTP service///
# Tiny Personal Firewall 2.0
match tinyfw m|^\x0f\0\n\0\x01\0\0\0\0\x02\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xc0\x0ef7\xbb\x9bS\xfc\x86\xe4\x7f\x18\xb8\x97\x06 | v/Tiny Personal Firewall/2.0//
match sdmsvc m|^[\xaa\xff]$| v/LANDesk Software Distribution//sdmsvc.exe/

##############################NEXT PROBE##############################
# Sends two empty lines (CRLF CRLF).  Many of the matches below key on the
# error text a service returns for that empty input, not on a greeting.
Probe TCP GenericLines q|\r\n\r\n|
# Ports on which the services identified by this probe are commonly found.
ports 21,43,98,110,113,199,505,540,1248,5432,6667-6670,30444
# ipopd 2003debian0.0304182231-1
match pop3 m|^\+OK POP3 \[[-.\w]+\] v(200[-.\w]+) server ready\r\n-ERR Null command\r\n-ERR Null command\r\n| v/ipopd/$1//
# Solid POP3d 0.15
match pop3 m|^\+OK Solid POP3 server ready\r\n-ERR unknown command\r\n-ERR unknown command\r\n$| v/Solid POP3d///
match http m|^HTTP/1\.1 400 Bad Request\r\nServer: Microsoft-IIS/(\d[-.\w]+)\r\n| v/Microsoft IIS webserver/$1//
# OpenBSD 3.2 identd
# May apply to Linux too -- need to investigate further.
match ident m|^0 , 0 : ERROR : UNKNOWN-ERROR\r\n$| v/OpenBSD identd///
# FreeBSD 4.8-RC inetd internal identd
match ident m|^0 , 0 : ERROR : INVALID-PORT\r\n$| v/FreeBSD identd///
# pidentd-3.1a19-157
match ident m|^ : ERROR : UNKNOWN-ERROR\r\n$| v/pidentd///
match ident m|^0, 0 : ERROR : X-INVALID-REQUEST\r\n$| v/Minidentd///
# Solaris 9
match ftp m|^220 [-.\w]+ FTP server ready\.\r\n530 Please login with USER and PASS\.\r\n530 Please login with USER and PASS\.\r\n$| v/Solaris ftpd///
# vsftpd (Very Secure FTP Daemon) 1.0.0 on linux with custom ftpd_banner
# We'll have to see if this match is unique enough
# NOTE(review): the 220 line is a wildcard here, so the only thing that
# identifies vsFTPd is the doubled "530 Please login with USER and PASS."
# reply to the two blank lines.  The Solaris ftpd match just above relies on
# the same replies, so another ftpd that answers this way could be reported
# as vsFTPd -- treat this identification as low confidence.
match ftp m|^220 .*\r\n530 Please login with USER and PASS\.\r\n530 Please login with USER and PASS\.\r\n| v/vsFTPd///
# Solaris 9
match uucp m|^login: Please enter user name: Password: $| v/Solaris uucpd///
match whois m|^%  No entries found for the selected source\(s\)\.\n$| v/Merit IRRD whoisd///
# Postgres 7.1.3
match postgres m|^EInvalid packet length\0$| v/Postgres DB///
# Ximian Red Carpet Daemon 1.4.4 on RedHat Linux 9.0
match redcarpet m|^Status: 400 Bad Request\r\nContent-Length: 0\r\n\r\n| v/Ximian Red Carpet Daemon///
# NSClient - http://nsclient.ready2run.nl/
match nsclient m|^ERROR:Wrong password$| v/Netsaint Windows Client///
# Diverse IRC bot
match ircbot m|^ \r\nSorry, that nickname format is invalid\.\r\r\n$| v/Diverse IRC bot///
# Part of Linux net-snmp-5.0.6-17
match smux m|^A\x01\x02$| v/Linux SNMP multiplexer///
match linuxconf m|^500 access denied: Check networking/linuxconf network access\r\n$| v///Access denied/

##############################NEXT PROBE##############################
# Sends a minimal HTTP/1.0 request for "/".  Besides web servers, the match
# lines below also identify non-HTTP services (an lpd error message, for
# example) by what they send back to it.
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
# Ports on which the services identified by this probe are commonly found.
ports 79,80-85,88,113,139,143,280,497,515,554,631,783,993,995,1220,5000,5432,5800,5900,7070,8000-8010,8080-8085,8888,40193
# Ports on which the service is normally wrapped in SSL.
sslports 443
# Server: CUPS/1.1
match ipp m|^HTTP/1\.0.*Server: CUPS/(\S+)|s v/CUPS $1///
match ipp m|^lpd \[@[-.\w]+\]: Host name for your address \([:.\d]+\) is not known\n$| v/CUPS///
# My Junkbuster proxy gives me this.
match http-proxy m|^HTTP/1\.0 400 Invalid header received from browser\n\n| v/Junkbuster webproxy///
# HTTP/1.1 200 OK
# The 's' option below causes . to match newlines (just as in perl)
# NOTE(review): with 's' the '.*' is not confined to the header block, so a
# "Server: Apache/x.y.z" string that appears in the response body would match
# too.  The version ($1) and the rest of the header line ($2) are whatever the
# server chooses to advertise.  Operators can trim or alter that header, so
# treat the reported version as a hint, not as a confirmed patch level.
match http m|^HTTP/1\.[01].*Server: Apache/(\d+\.\d+\.[-.\w]+) ([^\r\n]+)|s v/Apache httpd/$1/$2/
# apache 1.3.26-0woody3 or Apache 2.0.45
match http m|^HTTP/1\.[01] \d\d\d.*\r\nDate: .*\r\nServer: Apache\r\n| v/Apache httpd///
match http m|^HTTP/1.[10] \d\d\d.*\r\nDate:.*\r\nServer: Stronghold/([-.\w]+) Apache/([-.\w]+)| v/Apache Stronghold httpd/$1/based on Apache $2/
match http m|^HTTP/1\.1 \d\d\d.*Server: Apache Coyote/(\d[-\d.]+)\r\n|s v|Apache Tomcat/Coyote|$1||
match http m|^HTTP/1\.1.*\r\nServer: Netscape-Enterprise/([-.\w]+)\r\n| v/Netscape Enterprise httpd/$1//
match http m|^HTTP/1\.1.*\r\nServer: Microsoft-IIS/([-.\w]+)\r\n|s v/Microsoft IIS webserver/$1//
match http m|^HTTP/1\.0 200 OK\r\nDate: .+\r\nServer: Tomcat/([-.\w]+)\r\nContent-Type: text/html\r\nContent-Length: \d+\r\nServlet-Engine: Tomcat/[-.\w]+ \(Java ([-.\w]+); SunOS ([-.\w]+) (\w+); java\.vendor=Sun Microsystems Inc\.\)\r\n| v/Solaris management console server//SunOS $3 $4; Java $2; Tomcat $1/
match http m|^HTTP/1.1 200 OK\r\n.+Server: CommuniGatePro/([-.\w]+)\r\n|s v/CommuniGate Pro httpd/$1//
match http m|^HTTP/1.0 \d\d\d .*\r\nDate: .*\r\nServer: DSS ([-.\w]+) Admin Server/([-.\w]+)| v/DarwinStreamingServer/$1/Admin Server $2/
match http m|^HTTP/1.0 404 Not Found\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n<title>Not Found</title>This host is not served here\.$| v/Fnord httpd///
# Webmin 1.100
match http m|^HTTP/1.0 200 Document follows\r\nDate: .*\r\nServer: MiniServ/0.01\r\n| v/Webmin httpd///
match http m|^HTTP/1.1 200 OK\r\nServer: NetWare-Enterprise-Web-Server/([-.\w]+)\r\n| v/Novell Netware enterprise web server/$1//
match http m|^HTTP/1.1 302 Object Moved Temporarily\r\nServer: NetWare HTTP Stack\r\n| v/Novell Netware HTTP Stack//HTTPSTK.NLM/
# NOTE(review): the info field "on OpenVMS/VAX)" ends with an unbalanced ')'
# that is reported verbatim.  The pattern also accepts only the OpenVMS/VAX
# form of the Server header.
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: HTTPd-WASD/([-.\w]+) OpenVMS/VAX\r\n| v|HTTPd-WASD|$1|on OpenVMS/VAX)|
match http m|^HTTP/1.1 \d\d\d .*\r\nServer: Lotus-Domino/0\r\n| v/Lotus Domino httpd///
match http m|^HTTP/1.1 \d\d\d .*\r\nServer: Lotus-Domino/Release-(\d[-.\w]+)\r\n| v/Lotus Domino httpd/$1//
# G-Net BB0060 ADSL Modem (I'm not sure this is GlobespanVirata, but that is
# what the telnetd on this device said).
match http m|^HTTP/1.1 302 Document Follows\r\nLocation: /hag/pages/home.ssi\r\n\r\n$| v/GlobespanVirata httpd//on broadband router/
match http m|^HTTP/1.0 200 OK\r\nServer:HTTP/1.0\r\n.*<title>Hewlett Packard</title>|s v/HP Jetdirect httpd///
match http m|^HTTP/1\.0 401 Unauthorized\r\nServer: EHTTP/([.\d]+)\r\nWWW-Authenticate: Basic realm=\"HP ([-.\w]+)\"\r\n| v/HP printer EHTTP admin server/$1/HP $2 printer/
match http m|^HTTP/1\.0 \d{3}.*\r\nServer: CompaqHTTPServer/([\.\w]+)\r\n|s v/Compaq Insight Manager/$1//
match http m|^HTTP/1.1 401 Authorization Required\r\nWWW-Authenticate: Basic realm="Linksys ([-A-Z\d/]+)"\r\n| v/Linksys router web admin server//device model $1/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Insight Manager (\d)\r\n\r\n|s v/Compaq Insite Manager/$1//
match http m|^HTTP/1\.1 200 OK\r\nContent-Length: \d+\r\nConnection: close\r\nPragma: no-cache\r\nCache-Control: no-cache, no-store, must-revalidate\r\nExpires: 0\r\nContent-Type: text/html\r\n\r\n| v/GNU Httptunnel///
# Blue Coat Port 80 Security Appliance Model: Blue Coat SG400 Software Version: SGOS 2.1.6044 Software Release id: 19480 Service Pack 4
match http m|^HTTP/1\.0 301 Moved Permanently\r\nLocation: /Secure/Local/console/index\.htm\r\n\r\n$| v/Blue Coat Security Appliance HTTP admin interface///
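# Akamai edge server; the reported product name now matches the Server header
# value the regex keys on (AkamaiGHost).
match http m|^HTTP/1\.0 400 Bad Request\r\nServer: AkamaiGHost\r\n| v|AkamaiGHost||Akamai's HTTP Acceleration/Mirror service|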
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: Netscape-Enterprise/([-.\w]+)\r\n| v/Netscape Enterprise webserver/$1//
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Netscape-Enterprise/([-. \w]+)\r\n| v/Netscape Enterprise webserver/$1//
match http m|^HTTP/1\.0 \d\d\d .*\nDate: .*\nServer: NCSA/(1\.\d)\n| v/NCSA httpd/$1//
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: Netscape-FastTrack/(\d[-.\w]+)\r\n| v/Netscape FastTrack web server/$1//
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: (Oracle[-.\w/]+) Oracle HTTP Server ([-.\w]+)|s v/Oracle HTTP Server/$1/$2/
match http m|^HTTP/1\.0 401 Unauthorized\r\nServer: Embedded HTTP Server (\d[.\d]+)\r\nWWW-Authenticate: Basic realm=\"([-+.\w]+)\"\r\nConnection:| v/D-Link Embedded HTTP Server/$1/on D-Link $2/
# iCal 3.6
match http m|^HTTP/1\.1 200 OK\r\nDate: .*\r\nMIME-Version: 1\.0\r\nServer: Wapapi/1\.1\r\nContent-Type: text/html\r\nContent-Length: \d+\r\n\r\n<html>\r\n<head><title>iCal Tutorial:  Introduction</title></head>| v/Brown Bear iCal web calendar///
match http m|^HTTP/1\.1 401 Unauthorized\r\nDate: .*\r\nServer: (Virata-EmWeb/R6_0_1)\r\nWWW-Authenticate: Basic realm=\"Administration Tools\"\r\n\r\n401 Unauthorized\r\n$| v/Netscreen administrative web server//runs $1/
# Phaser860 Printer
match http m|^HTTP/1\.1 404 Not Found\r\nDate: .*\r\nAllow: GET, HEAD\r\nServer: Spyglass_MicroServer/(\d[-.\w]+)\r\nContent-Type: text/html\r\nContent-Length: \d+\r\n\r\n<HTML><HEAD><TITLE>Not Found</TITLE></HEAD>\r\n<BODY>The requested URL was not found\.</BODY></HTML>\r\n| v/Spyglass MicroServer embedded webserver/$1//
# Cisco Catalyst 3500-XL switch IOS 12.0(5)XU
match http m|^HTTP/1\.0 401 Unauthorized\r\nDate: .*\r\nContent-type: text/html\r\nExpires: .*\r\nWWW-Authenticate: Basic realm=\"level 15 access\"\r\n\r\n<HEAD><TITLE>Authorization Required</TITLE></HEAD><BODY><H1>Authorization Required</H1>Browser not authentication-capable or authentication failed\.</BODY>\r\n\r\n$| v/Cisco IOS administrative webserver///
# Xerox Document Centre (DocuCentre) 425
match http m|^HTTP/1\.1 200 OK\r\nContent-Length: \d+\r\nContent-Type: text/html\r\nDate: .*\r\nAllow: GET, HEAD\r\nServer: Xerox_MicroServer/([-.\w]+)\r\nExpires: .*\r\nCache-Control: no-cache\r\n\r\n<HTML>\n<HEAD>\n<TITLE>([-.+ \w]+)</TITLE>| v/Xerox Microserver httpd/$1/on $2/
match http m|^HTTP/1\.1 200 OK\r\nContent-Type: text/html\r\nDate: .*\r\nAllow: GET, HEAD\r\nServer: Spyglass_MicroServer/(\d[-.\w]+)\r\nLast-Modified: .*\r\nExpires: .*\r\nPragma: no-cache\r\n\r\n\n<html> \n<head>\n   <meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\">\n   <meta name=\"keywords\" content=\"printer; embedded web server; int| v/Spyglass MicroServer/$1/embedded in printer/
match http m|^HTTP/1\.0 500 Internal Server Error\r\nServer: Cougar (\d[-.\w]+)\r\n\r\n$| v/Microsoft Windows Media Server/$1//
match http m|^HTTP/1\.0 200 OK\r\nContent-Type: video/x-ms-asf\r\nCache-Control: max-age=0, no-cache\r\nServer: Cougar/(\d[-.\w]+)\r\n| v/Microsoft Windows Media Server/$1//
match http m|^HTTP/1\.1 \d\d\d .*Server: NetApp/(\d[-.\w]+)\r\n|s v/NetApp filer httpd/$1//
match http m|^HTTP/1\.0 200 OK\r\nServer: RapidLogic/(\d[.\d]+)\r\nMIME-version: 1\.0\r\nContent-type: text/html\r\n\r\n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4\.0 Frameset//EN\"\r\n\t\t\t\"http://www\.w3\.org/TR/REC-html40/frameset\.dtd\">\r\n<HTML>\r\n<HEAD>\r\n\t<TITLE>Netopia Router Web </TITLE>| v/Netopia RapidLogic admin server/$1//
match http m|^HTTP/1\.1 200 OK\r\nServer: WebSTAR/(\d[-.()\w]+) ID/| v/WebSTAR httpd/$1//

# No more HTTP softmatch because many services that I don't think are
# best classified 'http' use http-like semantics (for example UPnP,
# some https servers, etc).  Maybe I should make softmatch allow
# future services that start with the service name, and relabel all of
# those.  Shrug.  For now it is gone.
# softmatch http m|^HTTP/1.[01] \d\d\d|
match http-proxy m|^HTTP/1\.0 \d\d\d .*Server: NetCache \(NetApp/(\d[-.\w]+)\)\r\n|s v/NetApp NetCache proxy/$1//
match http-proxy m|^HTTP/1\.0 400 Bad Request\r\nServer: [sS]quid/([-.\w]+)\r\n| v/Squid webproxy/$1//
# Blue Coat Port 80 Security Appliance  Model: Blue Coat SG400 Software Version: SGOS 2.1.6044 Software Release id: 19480 Service Pack 4
match http-proxy m|^HTTP/1\.1 504 Gateway Time-out\r\nConnection: close\r\nCache-Control: no-cache\r\nPragma: no-cache\r\nContent-Length: 2976\r\nContent-Type: text/html\r\n\r\n<DIV class=Section1> \n\t\t<P class=MsoNormal| v/Blue Coat Security Appliance http proxy///
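# Surfcontrol SuperScout Web Filter.  The Date header is matched generically:
# a literal timestamp in the signature can only ever match the one response it
# was captured from.  Literal dots are escaped so they do not match any byte.
match http-proxy m|^HTTP/1\.0 200 OK\r\nServer: MS-MFC-HttpSvr/1\.0\r\nDate: .*\r\n\r\n<html><h1>http://| v/Surfcontrol SuperScout Web Filter//Windows/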
match http-proxy m|^HTTP/1\.0 400 Cache Detected Error\r\nDate: .*\r\nContent-Type: text/html\r\nVia: 1\.0 [-.\w]+ \(NetCache NetApp/([-.\w]+)\)\r\n\r\n| v/NetApp NetCache web proxy/$1//
# TightVNC 1.2.6
match vnc-http m|^HTTP/1\.0 200 OK\n\n<HTML>\n  <HEAD><TITLE>TightVNC desktop \[[-.\w]+\]| v/TightVNC///
# Tightvnc-1.2.3
match vnc-http m|^HTTP/1\.0 404 Not found\n\n<HEAD><TITLE>File Not Found</TITLE></HEAD>\n<BODY><H1>File Not Found</H1></BODY>\n$| v/TightVNC///
# WinVNC 3.3.7 Build Mar 5 2003
match vnc-http m|^HTTP/1\.0 200 OK\r\n\r\n<HTML><TITLE>VNC desktop \[[-.\w]+\]</TITLE>\n<APPLET CODE=vncviewer\.class ARCHIVE=vncviewer\.jar WIDTH=800 HEIGHT=632>\n<param name=PORT| v/WinVNC/3.3.7//
# WinVNC 3.3.3
match vnc-http m|^HTTP/1\.0 200 OK\n\n<HTML><TITLE>VNC desktop \[[-.\w]+\]</TITLE>\n<APPLET CODE=vncviewer\.class ARCHIVE=vncviewer\.jar WIDTH=1024 HEIGHT=800>\n<param name=PORT value=5917></APPLET></HTML>\n$| v/WinVNC/3.3.3//
match rtsp m|^RTSP/1.0 400 Bad Request\r\nServer: DSS/([-.\w]+) \[(v\d+)]-(\w+)\r\n| v/DarwinStreamingServer/$1/$2 on $3/
match rtsp m|^RTSP/1\.0 400 Bad Request\r\nServer: QTSS/(\d[\d.]+ \[v\d+\]-Win32)\r\nCseq: \r\n| v/Apple Quick Time Streaming Server/$1//
match rtsp m|^RTSP/1\.0 505 Protocol Version Not Supported\r\nDate: .*\r\nServer: WMServer/(\d[-.\w]+)\r\n\r\n$| v/Microsoft Windows Media Server/$1//
# pidentd 2.81
match ident m|^0 , 0 : ERROR : X-INVALID-REQUEST\r\n$| v/pidentd///
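# NetBIOS session service negative response: type 0x83, flags 0, length 1,
# followed by a single error-code byte (0x82 or 0x8f).
# The two error codes are put in a character class so that both anchors apply to
# both alternatives; with a bare "|" the second branch is just "\x8f$", which
# labels any response ending in byte 0x8f as netbios-ssn.
match netbios-ssn m/^\x83\0\0\x01[\x82\x8f]$/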
# spamd 2.20-1woody
match spamd m|^SPAMD/1\.0 76 Bad header line: GET / HTTP/1\.0\r\r\n| v/SpamAssassin spamd///
# Finger 0.17 from debian linux (which is from Linux netkit I believe)
# OpenBSD 2.3
match finger m|^finger: GET: no such user\.\nfinger: /: no such user\.\nfinger: HTTP/1\.0: no such user\.\n$| v|BSD/Linux fingerd|||
# Redhat Linux from finger-server-0.17-9 RPM
match finger m|^finger: GET: no such user.\r\nfinger: /: no such user.\r\nfinger: HTTP/1.0: no such user.\r\n$| v/Linux fingerd///
# Solaris 9
match finger m|^Login       Name               TTY         Idle    When    Where\r\nGET                   \?\?\?\r\n/                     \?\?\?\r\nHTTP/1\.0              \?\?\?\r\n$| v/Sun Solaris fingerd///
# uw-imap 2003debian0.0304182231-1
match imap m|^\* OK \[CAPABILITY IMAP4REV1 X-NETSCAPE LOGIN-REFERRALS STARTTLS LOGINDISABLED\] \[[-.\w]+\] IMAP4rev1 (200[-.\w]+) at .*\r\nGET BAD Command unrecognized/login please: /\r\n\* BAD Null command\r\n| v/UW-Imap///
# Cyrus IMAP 2.1.14
match imaps m|^\* BYE Fatal error: tls_start_servertls\(\) failed\r\n$| v/Cyrus imapd///
match pop3s m|^-ERR \[SYS/PERM\] Fatal error: tls_start_servertls\(\) failed\r\n$| v/Cyrus pop3sd///
# Postgresql-server-7.3.2-3
match postgres m|^EFATAL:  invalid length of startup packet\n\0$| v/Postgresql///
# Netware 6 NetWare/IP
match netwareip m|^\xfb\xff\xfe\xff\xfb\xff\xfe\xff\xfb\xff\xfe\xff$| v|Novell Netware/IP|||
# Windows XP 8/2003
match upnp m|^HTTP/1.1 400 Bad Request\r\n\r\n$| v/Microsoft Windows UPnP///
match irc m|^:Default-Chat-Community 421 \* GET :Unknown command\r\n| v/Microsoft Exchange 2000 Server Chat Service///
match dantz m|^\0\xca\0\0\0\0\0\x04\0\0\0\0$| v/Dantz Retrospect/6.0//

# Sends an HTTP/1.0 OPTIONS request for "/".  No match directives are listed
# under this probe in this part of the file.
Probe TCP HTTPOptions q|OPTIONS / HTTP/1.0\r\n\r\n|

# Sends an RTSP/1.0 OPTIONS request for "/".  Both signatures below require a
# 200 OK reply and take the product version from the Server header.
Probe TCP RTSPRequest q|OPTIONS / RTSP/1.0\r\n\r\n|
# RealServer: Server header must follow CSeq and Date directly.
match rtsp m|^RTSP/1\.0 200 OK\r\nCSeq: 0\r\nDate: .*\r\nServer: RealServer Version (\d[-.\w]+) \(win32\)\r\n| v/Realserver RTSP/$1/win32/
# RealMedia EncoderServer: Server header may appear anywhere after the status line (s flag).
match rtsp m|^RTSP/1\.0 200 OK\r\n.*Server: RealMedia EncoderServer Version (\d[-.\w]+) \(win32\)\r\n|s v/RealMedia EncoderServer/$1/win32/

# This probe sends an RPC "Null command" to the port for service
# 100000 (portmapper).
#
# Layout of the TCP probe string (ONC RPC call, 32-bit big-endian words):
#   \x80\0\0\x28      record mark: last fragment, 0x28 (40) bytes follow
#   \x72\xFE\x1D\x13  transaction ID (XID) - a fixed value
#   \0\0\0\0          message type 0 (call)
#   \0\0\0\x02        RPC version 2
#   \0\x01\x86\xA0    program 100000
#   \0\x01\x97\x7C    program version field
#   trailing zeros    procedure 0 with empty credential and verifier
#
# Some of these numbers are arbitrary (such as ID).  I could consider
# adding an \R escape in the string logic to provide a random byte.
# This would make IDS detection and such a bit harder.  On the other
# hand, that would make the response a little harder to recognize too.
#
# Because the XID is constant, every probe and every reply carries the same
# four bytes 72 FE 1D 13 right after the record mark; the match lines below
# depend on that, and it is also a stable value for an IDS rule to key on.
##############################NEXT PROBE##############################
Probe TCP RPCCheck q|\x80\0\0\x28\x72\xFE\x1D\x13\0\0\0\0\0\0\0\x02\0\x01\x86\xA0\0\x01\x97\x7C\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0|
ports 111,4045,32750-32810,38978
# Accepted reply (message type 1, reply status 0, empty verifier) whose last
# word, the accept status, is 1 (program unavailable); record length 0x18.
match rpc m|^\x80\0\0\x18\x72\xFE\x1D\x13\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x01|
# Same, with accept status 2 (program version mismatch); record length 0x20.
match rpc m|^\x80\0\0\x20\x72\xFE\x1D\x13\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x02|

##############################NEXT PROBE##############################
# UDP form of the RPC null call: the same bytes as the TCP RPCCheck probe
# without the leading 4-byte record mark.  The fixed XID 72 FE 1D 13 opens
# both the probe and the replies matched below.
Probe UDP RPCCheck q|\x72\xFE\x1D\x13\0\0\0\0\0\0\0\x02\0\x01\x86\xA0\0\x01\x97\x7C\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0|
ports 111,4045,32750-32810,38978
# Accepted reply with accept status 1 (program unavailable).
match rpc m|^\x72\xFE\x1D\x13\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x01|
# Accepted reply with accept status 2 (program version mismatch).
match rpc m|^\x72\xFE\x1D\x13\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x02|

##############################NEXT PROBE##############################
# DNS query for the TXT record "version.bind" in the CHAOS class:
#   \0\x06                  query ID 6
#   \x01\0                  flags (recursion desired)
#   \0\x01 + six zero bytes one question, no answer/authority/additional records
#   \x07version\x04bind\0   QNAME
#   \0\x10                  QTYPE 16 (TXT)
#   \0\x03                  QCLASS 3 (CHAOS)
Probe UDP DNSVersionBindReq q|\0\x06\x01\0\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03|
ports 53,2967
# Allow 3-16 character version numbers: the byte before the capture must be in
# \x03-\x10 (3..16) and the capture itself is {3,16} characters.
# NOTE(review): the captured text is whatever the server chooses to return for
# version.bind, so treat the reported version as a hint rather than proof.
match domain m|\x07version\x04bind.*[\x03-\x10]([-\w._]{3,16})$|s v/ISC Bind/$1//
# Tinydns 1.05
# (reply is the question echoed back with flags \x81\x81 and no answer records)
match domain m|^\0\x06\x81\x81\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03$| v/TinyDNS///
# Microsoft DNS Windows 2000, SP4
# (question echoed back with flags \x81\x04, i.e. response code 4)
match domain m|^\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03$| v/Microsoft DNS///
# Symantec Antivirus (rtvscan.exe)
# Not a DNS server; this is what it answers to the probe on a port from the list above.
match symantec-av m|^\0\x06\x01\x01\0\x101\x01\xe0\nI\0\xe0\nI\0$| v/Symantec rtvscan antivirus///

##############################NEXT PROBE##############################
# TCP form of the version.bind CHAOS TXT query: the UDP message prefixed with
# its two-byte length (\0\x1E = 30).
# The port list also covers 512, 513, 1521 and 2967; the non-DNS signatures
# below (rlogind, exec, oracle-tns, ssc-agent) are replies those services give
# to this probe.
Probe TCP DNSVersionBindReq q|\0\x1E\0\x06\x01\0\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03|
ports 53,512,513,1521,2967
# Version string of 3-16 characters preceded by its length byte (\x03-\x10).
# NOTE(review): the text is server-supplied; treat the version as a hint.
match domain m|\x07version\x04bind.*[\x03-\x10]([-\w._]{3,16})$|s v/ISC Bind/$1//
# Windows 2000 SP4
match domain m|^\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03$| v/Microsoft DNS///
# OpenBSD 2.3
# Solaris 9
match rlogind m|^\x01rlogind: Permission denied\.\r\n$|
match exec m|^\x01Login incorrect\.\n$|
# HP-UX B.11.00 A
match exec m|^\x01rexecd: Login incorrect.\n$| v/HP-UX rexecd///
# RedHat 7.3 - Oracle TNS Listener Oracle 8.1.7
# NOTE(review): this signature is one fully literal reply; confirm it is stable
# across connections before relying on it for other listener versions.
match oracle-tns m|^\0\x1c\0\0\x04\x01\0\0\0X\0\0\xc4W\xdc3\x04\xc38\x81\xe00\xe6\x83\x05\xfa\n;$| v/Oracle TNS listener///
match ssc-agent m|^\0\x1e\0\x06\0\t\0\0$| v/Novell Netware ssc-agent///

# DNS Server status request: http://www.crynwr.com/crynwr/rfc1035/rfc1035.html
# The 12-byte message is a bare DNS header: ID 0, flags \x10\0 (opcode 2,
# STATUS), and all four record counts zero.
##############################NEXT PROBE##############################
Probe UDP DNSStatusRequest q|\0\0\x10\0\0\0\0\0\0\0\0\0|
ports 53,135
# Reply flags \x90\x04: response bit set, opcode 2, response code 4.
match domain m|^\0\0\x90\x04\0\0\0\0\0\0\0\0|
# This one below came from 2 tested Windows XP boxes
match msrpc m|^\x04\x06\0\0\x10\0\0\0\0\0\0\0|

# DNS Server status request: http://www.crynwr.com/crynwr/rfc1035/rfc1035.html
# TCP form: the same 12-byte header prefixed with its two-byte length (\0\x0C).
##############################NEXT PROBE##############################
Probe TCP DNSStatusRequest q|\0\x0C\0\0\x10\0\0\0\0\0\0\0\0\0|
ports 53
# Length prefix, then reply flags \x90\x04 (response, opcode 2, response code 4).
match domain m|^\0\x0C\0\0\x90\x04\0\0\0\0\0\0\0\0|

##############################NEXT PROBE##############################
# NetBIOS name service node-status (NBSTAT) query: transaction ID \x80\xf0,
# one question for the encoded wildcard name ("CK" followed by 30 "A"s),
# question type \0\x21, class \0\x01.
# The signatures below extract host, workgroup and sometimes user names from
# the name table in the reply, i.e. information the service hands to any
# host that can reach UDP 137.
Probe UDP NBTStat q|\x80\xf0\0\x10\0\x01\0\0\0\0\0\0\x20\x43\x4bAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0\x21\0\x01|
ports 137
# NBT Response starts with a header:
# The following fields are each 2 bytes: transaction ID; Flags; question count; answer count; name service count; additional record count
# Next comes 34 bytes NUL-terminated name
# then comes 2 byte fields: question type; question class
# 4 byte TTL
# 2 byte rdata length
# 1 byte number of names
### -- End of header
# Next comes the given number of nbnames - each are a 15 byte name (space padded) followed by a one byte service type, and then 16 BIT flags
### -- End of name table - finally comes the footer:
# 48 - Adapter address (eg MAC addy)
# 8 bit fields: major version; minor version
# 16 bit fields: duration; frmps received; frmps transmitted; iframe receive errors; transmit aborts
# 32 bit fields: transmitted; received
# The remaining fields are all 16-bits: iframe transmit errors; number of receive buffers; tl_timeouts; tl_timeouts; free ncbs; ncbs; 
#                                       max_ncbs; number of transmit buffers; max datagram; pending sessions; max sessions; packet_sessions

# I'm not convinced that these next 4 work on a very wide variety of
# machines.  I think most of the real matching comes in the next block.
# NOTE(review): the product strings in this section say "netbios-ssn" although
# the service matched is netbios-ns - confirm which name is intended.
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0...(\w{1,15}) *\0\x04\0(\w{1,15}) *\0\x84\0\w{1,15} *\x03\x04\0\w{1,15} *\x04\0\w{1,15} *\x1e\x84\0\w{1,15} *\x1d\x04\0\x01\x02__MSBROWSE__\x02\x01\x84\0(\w{1,15}) *\x03| v/Microsoft Windows XP netbios-ssn//host: $1 workgroup: $2 user: $3/
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0...(\w{1,15}) *\0\x04\0(\w{1,15}) *\0\x84\0\w{1,15} *\x03\x04\0\w{1,15} *\x04\0\w{1,15} *\x1e\x84\0\w{1,15} *\x1d\x04\0\x01\x02__MSBROWSE__\x02\x01\x84\0\0| v/Microsoft Windows XP netbios-ssn//host: $1 workgroup: $2/
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0...(\w{1,15}) *\0\x04\0(\w{1,15}) *\0\x84\0\w{1,15} *\x03\x04\0\w{1,15} *\x04\0(\w{1,15}) *\x03\x04\0\w{1,15} *\x1e\x84\0| v/Microsoft Windows XP netbios-ssn//host: $1 workgroup: $2 user: $3/
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0...(\w{1,15}) *\0\x04\0(\w{1,15}) *\0\x84\0\w{1,15} *\x03\x04\0\w{1,15} *\x04\0\w{1,15} *\x1e\x84\0| v/Microsoft Windows XP netbios-ssn//host: $1 workgroup: $2/


# It would be really nice if we could get username and/or OS
# information from this.  But it is quite hard to parse out the proper
# information unambiguously, especially with just regular expressions.
# But it certainly would be nice to get more info:
#
# nbtstat
#
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0\0..([\w\-]{1,15}) *\0D\0.*\0([\w\-]{1,15}) *\0\xc4\0| v/Microsoft Windows netbios-ssn//host: $1 workgroup: $2/
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0\0..([\w\-]{1,15}) *\0D\0([\w\-]{1,15}) *\0\xc4\0| v/Microsoft Windows netbios-ssn//host: $1 workgroup: $2/
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0\0...*\0([\w\-]{1,15}) *\0D\0.*\0([\w\-]{1,15}) *\0\xc4\0| v/Microsoft Windows netbios-ssn//host: $1 workgroup: $2/
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0\0...*\0([\w\-]{1,15}) *\0D\0([\w\-]{1,15}) *\0\xc4\0| v/Microsoft Windows netbios-ssn//host: $1 workgroup: $2/
# Windows NT 4.0 SP6a
# NOTE(review): "\04" below is read by PCRE as an octal escape (byte 0x04),
# unlike the "\0\x04\0" sequence used by the XP signatures above - confirm
# that this is what was intended.
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0...([\w\-]{1,15}).*\04\0([\w\-]{1,15}) *\0\x84\0| v/Microsoft Windows NT netbios-ssn//host: $1 workgroup: $2/

##############################NEXT PROBE##############################
# Sends the text "help" followed by two CRLFs over UDP.
Probe UDP Help q|help\r\n\r\n|
ports 7
# echo: the reply is exactly the probe payload.
match echo m|^help\r\n\r\n$|
# chargen: unanchored - the upper-case run may appear anywhere in the reply.
match chargen m|@ABCDEFGHIJKLMNOPQRSTUVWXYZ|

##############################NEXT PROBE##############################
# Sends "HELP" and a CRLF over TCP.  Most signatures below key on the greeting
# banner plus the service's answer (or error) to the HELP command.
Probe TCP Help q|HELP\r\n|
ports 7,21,25,2401,2627
sslports 465
# echo: the reply is exactly the probe payload.
match echo m|^HELP\r\n$|
match smtp m|^220 [-.\w]+ ESMTP\r\n214 qmail home page: http://pobox.com/~djb/qmail.html| v/Qmail smtpd///
# Postfix 1.1.11.0-woody3
# Postfix 1.1.7-2
match smtp m|^220 [-.\w]+ ESMTP Postfix\r\n$| v/Postfix smtpd///
# Courier ESMTP courier-0.42.0-1.7.3
match smtp m|^502 ESMTP command error\r\n$| v/Courier smtpd///
# Sendmail: version text is taken from the banner (up to the first ";") or
# from the first line of the HELP output.
match smtp m|^220 [-.\w]+ ESMTP Sendmail ([^;]{3,50})| v/Sendmail smtpd/$1//
match smtp m|^214-2\.0\.0 This is sendmail version ([-.\w]+)\r\n214-2\.0\.0 Topics:\r\n214-2\.0\.0| v/Sendmail smtpd/$1//
# CVSD (cvs chrooting service for pserver) cvsd 0.9.18
# CVS 1.11.5 pserver
match cvspserver m|^cvs \[pserver aborted\]: bad auth protocol start: HELP\r\n\n$| v/cvs pserver///
# Concurrent Versions System (CVS) 1.10.7 (client/server)
match cvspserver m|^cvs-pserver \[pserver aborted\]: bad auth protocol start: HELP\r\n\n| v/cvs pserver///
# Written in 1986.  More info at
# http://ftp.rge.com/pub/X/X11R5/contrib/xwebster.README
match webster m/^DICTIONARY server protocol:\r\n\r\nContact name is/ v/Webster dictionary server///
# Phaser860 printer
# (signature ends mid-listing, anchored with $ right after "XC")
match ftp m|^220 FTP server ready\.\r\n214- The following commands are recognized \(\* =>'s unimplemented\)\.\r\n   USER    PORT    STOR    MSAM\*   RNTO\*   NLST\*   MKD\*    CDUP\*   EPLF\*\r\n   PASS    PASV\*   APPE\*   MRSQ\*   ABOR    SITE\*   XMKD\*   XCUP\*\r\n   ACCT\*   TYPE    MLFL\*   MRCP\*   DELE    SYST    RMD\*    STOU \r\n   SMNT\*   STRU    MAIL\*   ALLO\*   CWD\*    STAT    XRMD\*   SIZE\*\r\n   REIN\*   MODE    MSND\*   REST\*   XC$| v/Phaser printer ftpd///

##############################NEXT PROBE##############################
# SSL handshake probe: record type \x16 (handshake), version \x03\0 (SSL 3.0),
# carrying a ClientHello (\x01) with a fixed random field and cipher list.
# NOTE(review): only SSL 3.0 is offered; a server that refuses that protocol
# version will presumably not produce any of the ServerHello replies below.
Probe TCP SSLSessionReq q|\x16\x03\0\0S\x01\0\0O\x03\0?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0(\0\x16\0\x13\0\x0a\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0\x15\0\x12\0\x09\0\x14\0\x11\0\x08\0\x06\0\x03\x01\0|
ports 443,548,636,8009
# The ssl signatures key on the record and ServerHello (\x02) length fields
# and, for some, the bytes that follow them.
# OpenSSL/0.9.7aa
match ssl m|^\x16\x03\0\0J\x02\0\0F\x03\0\?| v/OpenSSL///
# Microsoft-IIS/5.0
match ssl m|^\x16\x03\0..\x02\0\0F\x03\0|s v/Microsoft IIS SSL///
# Novell Netware 6 Enterprise Web server 5.1 https
# Novell Netware Ldap over SSL or enterprise web server 5.1 over SSL
match ssl m|^\x16\x03\0\0:\x02\0\x006\x03\0| v/Novell Netware SSL///
# Cisco IDS 4.1 Appliance
# NOTE(review): this signature includes bytes from the position of the
# ServerHello random field - confirm it matches more than the one captured reply.
match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03\0\xd10:\xbd\\\x8e\xe3\x15\x1c\x0fZ\xe4\x04\x87\x07\xc0\x82\xa9\xd4\x0e\x9c1LXk\xd1\xd2\x0b\x1a\xc6/p\0\0\n\0\x16\x03\0\x026\x0b\0\x022\0| v/Cisco IDS SSL///
# Apple Filing Protocol (AFP) over TCP on Mac OS X 10.1.5
# The reply lists the supported AFP versions and authentication methods,
# including "Cleartxt Passwrd" and "No User Authent".
match afp m|^\x01\x03\0\0\xff\xff\xecQ\0\0\x01.\0\0\0\0\0.\0.\0.\0.\x80\xfb.[-.\w]+.*\tMacintosh\x05\x06AFPX03\x06AFP2\.2\x0eAFPVersion 2\.1\x0eAFPVersion 2\.0\x0eAFPVersion 1\.1\x03\tDHCAST128\x10Cleartxt Passwrd\x0fNo User Authent|s v/Apple AFP//protocol 2.2; Mac OS X/


# SMB Negotiate Protocol
# The probe is a NetBIOS session message (length \0\0\0\xa4) wrapping an SMB
# header (\xffSMB, command \x72) and a list of dialect strings from
# "PC NETWORK PROGRAM 1.0" through "NT LM 0.12".
##############################NEXT PROBE##############################
Probe TCP SMBProgNeg q|\0\0\0\xa4\xff\x53\x4d\x42\x72\0\0\0\0\x08\x01\x40\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x40\x06\0\0\x01\0\0\x81\0\x02PC NETWORK PROGRAM 1.0\0\x02MICROSOFT NETWORKS 1.03\0\x02MICROSOFT NETWORKS 3.0\0\x02LANMAN1.0\0\x02LM1.2X002\0\x02Samba\0\x02NT LANMAN 1.0\0\x02NT LM 0.12\0|
ports 42,135,139,445
# The Windows signatures below differ only in a few bytes of the negotiate
# response, so the OS label is a best guess from those bytes.
# Windows XP SP1
match microsoft-ds m|^\0\0\0.\xffSMBr\0\0\0\0\x88\x01@\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\x06\0\0\x01\0\x11\x07\0\x03\n\0\x01\0\x04\x11\0\0\0\0\x01\0\0\0\0\0\xfd\xe3\0\0| v/Microsoft Windows XP microsoft-ds///
# Microsoft Windows XP SP1
# Windows 2000
match msrpc m|^\x05\0\r\x03\x10\0\0\0\x18\0\0\0\0\x08\x01@\x04\0\x01\x05\0\0\0\0$| v/Microsoft Windows msrpc///
# Microsoft Windows 2000
match microsoft-ds m|^\0\0\0.\xffSMBr\0\0\0\0\x88\x01@\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\x06\0\0\x01\0\x11\x07\0.2\0\x01\0\x04A\0\0\0\0\x01\0\0\0\0\0\xfd\xf3\0\0| v/Microsoft Windows 2000 microsoft-ds///
# Microsoft Windows 2003
match microsoft-ds m|^\0\0\0.\xffSMBr\0\0\0\0\x88\x01@\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\x06\0\0\x01\0\x11\x07\0\x032\0\x01\0\x04.\0\0\0\0\x01\0\0\0\0\0\xfd\xf3\x01\0|s v/Microsoft Windows 2003 microsoft-ds///
# samba-2.2.7-5.8.0 on RedHat 8
# samba-2.2.7a-8.9.0 on Red Hat Linux 7.x
# The workgroup is the last run of word characters before the final NUL.
match netbios-ssn m|^\0\0\0.\xffSMBr\0\0\0\0\x88\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\x06\0\0\x01\0\x11\x06\0.*\W(\w+)\0$|s v/Samba smbd//workgroup: $1/
# Netware might just be using Samba?
# NOTE(review): fully literal reply, anchored at both ends - confirm it is not
# specific to the one captured server.
match netbios-ssn m|^\0\0\0M\xffSMBr\0\0\0\0\x80\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\x06\0\0\x01\0\x11\x07\0\x032\0\x01\0\xff\xff\0\0\0\0\x01\0\x84\xdeu\x07\x01\x02\0\0\x80\xaa\xa0\x83{k\xc3\x01\xa4\x01\x08\x08\0\x8a\xffp\xd3\x1d\?\xdbl$| v/Netware 6 SMB Services///
# Windows 2000 Server Wins name resolution service
match wins m|^\0\0\0\x1e\xffS\xad\x80\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\x07\xe9\0\0\0\x01\0\0\x81\0\x02| v/Microsoft Windows 2000 Wins///

# From xlsclients
# X11 connection setup request: byte order \x6C ("l"), protocol major version
# \x0B\0 (11), minor version 0, and zero-length authorization name and data.
# The first reply byte is 0 in the "access denied" signatures and 1 in the
# "open" ones.  "open" therefore means the display accepted a connection that
# carried no authorization data; on a reachable port that is a finding in
# itself, since the display's access control is not restricting this client.
##############################NEXT PROBE##############################
Probe TCP X11Probe q|\x6C\0\x0B\0\0\0\0\0\0\0\0\0|
ports 6000-6020,7100
match X11 m|^\0\x2D\x0B\0\0\0\x0C\0| v///access denied/
# I think the below means access denied (no authentication protocol
# specified?) or is it a problem w/my probe that I should fix?
match X11 m|^\0\x16\x0b\0\0\0\x06\0No protocol specified\x0a..$|s v///access denied/
match X11 m|^\x01\0\x0b\0\0\0.\0...\x02\0\0.*The XFree86 Project, Inc|s v/XFree86//open/
match X11 m|^\x01\0\x0b\0\0\0\x4C\0\xA0\xE0\x63\x02\0\0| v///open/
# tightvnc 1.2.3 xvnc
match X11 m|^\x01\0\x0b\0\0\0%\0\x04\r\0\0\0\0\x80\x03\xff\xff\?\0\0\x01\0\0\x1b\0\xff\xff\x01\x02\0\0  \x08\xff@\x0b\x1c\x08AT&T Laboratories Cambridge\0| v/Xvnc///
# X font service (port 7100 in the list above) answering the same probe.
match font-service m|^\0\0\x02\0\0\0\0\0\0\0\0\0\x06\0\0\0\0@\x0c\0p\x17\0\0X Consortium\x01\n\x01\0\x05\0\0\0....\0\0\0\0\0\0\0\0$|s v/Sun Solaris fs.auto///

# ftp://ftp.rfc-editor.org/in-notes/rfc1179.txt
# The probe is line printer daemon command byte \x01 followed by the queue
# name "default" and a newline.
##############################NEXT PROBE##############################
Probe TCP LPDString q|\x01default\n|
ports 515
# A single NUL byte; no product is assigned to this reply.
match printer m|^\0$|
match printer m|^default: unknown printer\n$| v/Solaris lpd///
# Redhat Linux 7.3 LPRng-3.8.9
# (the daemon refuses the connecting host outright)
match printer m|^\x01no connect permissions\n$| v/LPRng///
# Microsoft Windows 2000 server LPD
match printer m|^\x01\x01$| v/Microsoft lpd///

# Ldap bind request, version 2, null DN, AUTH_TYPE simple, null password
# BER layout of the probe:
#   \x30\x0c      SEQUENCE, 12 bytes
#   \x02\x01\x01  message ID 1
#   \x60\x07      bind request, 7 bytes
#   \x02\x01\x02  protocol version 2
#   \x04\0        empty DN
#   \x80\0        simple authentication, empty password
# In other words this is an anonymous bind; the info field of the matches
# records whether the server accepted it.
##############################NEXT PROBE##############################
Probe TCP LDAPBindReq q|\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x02\x04\0\x80\0|
ports 389
sslports 636
# OpenLDAP 2.0.15 on RH Linux 7.3
# Bind response with a non-zero result code and the text "anonymous bind disallowed".
match ldap m|^0%\x02\x01\x01a \n\x010\x04\0\x04\x19anonymous bind disallowed$| v/OpenLDAP//access denied/
# Netware 6
# Macintosh 8
# Win 2000 Advanced server.
# Bind response with result code 0 (\n\x01\0): the anonymous bind succeeded.
# What an anonymous session may read depends on the directory's access
# controls, which this probe does not test.
match ldap m|^0\x0c\x02\x01\x01a\x07\n\x01\0\x04\0\x04\0| v///Anonymous bind OK/
# MS Windows Win2K SP4 AD server
# Same success response written with long-form (\x84) BER lengths.
match ldap m|^0\x84\0\0\0\x10\x02\x01\x01a\x84\0\0\0\x07\n\x01\0\x04\0\x04\0$| v/Microsoft LDAP server///

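##############################NEXT PROBE##############################
# LANDesk remote control handshake ("TNMP" / "TNME" blocks) sent to TCP 1761.
# In reply to this 16-byte probe the service returns a "Desktop Manager"
# version string and, depending on session state, the host name, the logged-in
# user and the address of a controlling host; the signatures below report
# those fields.  Info fields are plain text (no trailing ")") and spell
# "Controller" consistently.
Probe TCP LANDesk-RC q|\x54\x4e\x4d\x50\x04\0\0\0\x54\x4e\x4d\x45\0\0\x04\0|
ports 1761
# With Host and User currently logged in
match landesk-rc m|^TNMP.\0\0\0TNME.\0\0\0USER.\x08\x04\0\x08\0.{9}\0R\0\x03\0W\0\xff\xff\0.\0\xfd..\0\0\0\0\x02\0\0\0\0\x01\x04\0\0\0\0\0...\0\xb5\x01\xbb\0Desktop Manager (\d\.\d)\0\x02\x04\x01\x02\x01\0\0\W+([-\w]+)\0([-\w]+)\0\0$| v/LANDesk RC/$1/Host: $2 User: $3/
# With just hostname
match landesk-rc m|^TNMP.\0\0\0TNME.\0\0\0USER.\x08\x04\0\x08\0.{9}\0R\0\x03\0W\0\xff\xff\0.\0\xfd..\0\0\0\0\x02\0\0\0\0\x01\x04\0\0\0\0\0...\0\xb5\x01\xbb\0Desktop Manager (\d\.\d)\0\x02\x04\x01\x02\x01\0\0\W+(\w+)\0\0\0$| v/LANDesk RC/$1/Host: $2/
# Being controlled w/ User
match landesk-rc m|^TNMP.\0\0\0TNME.\0\0\0USER.\x08\x04\0\x08\0.{9}\0R\0\x03\0W\0\xff\xff\0.\0\xfd..\0\0\0\0\x02\0\0\0\0\x01\x04\0\0\0\0\0...\0\xb5\x01\xbb\0Desktop Manager (\d\.\d)\0\x02\x04\x01\x02\x01\0\0\W+([\w.:]+)\W+(\w+)\0(\w+)\0\0$| v/LANDesk RC/$1/Host: $3 User: $4 Controller: $2/
# Being controlled w/o User
# (the stricter, end-anchored form is kept commented out; the active line
# below stops after the host name and uses the s flag)
#match landesk-rc m|^TNMP.\0\0\0TNME.\0\0\0USER.\x08\x04\0\x08\0.{9}\0R\0\x03\0W\0\xff\xff\0.\0\xfd..\0\0\0\0\x02\0\0\0\0\x01\x04\0\0\0\0\0...\0\xb5\x01\xbb\0Desktop Manager (\d\.\d)\0\x02\x04\x01\x02\x01\0\0\W+([\w.:]+)\W+(\w+)\0(\w+)\0{2,3}$| v/LANDesk RC/$1/Host: $3 Controler: $2/
match landesk-rc m|^TNMP.\0\0\0TNME.\0\0\0USER.\x08\x04\0\x08\0.{9}\0R\0\x03\0W\0\xff\xff\0.\0\xfd..\0\0\0\0\x02\0\0\0\0\x01\x04\0\0\0\0\0...\0\xb5\x01\xbb\0Desktop Manager (\d\.\d)\0\x02\x04\x01\x02\x01\0\0\W+([\w.:]+)\W+(\w+)\0|s v/LANDesk RC/$1/Host: $3 Controller: $2/

# Busy reply: $1 is the peer address and $2 a single digit that is appended to
# "176" to form the reported port number.
match landesk-rc m|^TNMP\x16\0\0\0TNME\x80\0\xfe\xff..([\w.]+):(\d)$| v/LANDesk RC//Busy, From $1 on port 176$2/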

##############################NEXT PROBE##############################
# Connection request for Terminal Services: a TPKT header (\x03\0, length
# \0\x0b) followed by a 6-byte connection-request (\xe0) header.
Probe TCP TerminalServer q|\x03\0\0\x0b\x06\xe0\0\0\0\0\0|
ports 3389
# Windows 2000 Server
# Windows 2000 Advanced Server
# Reply is the matching connection-confirm (\xd0) header.
match microsoft-rdp m|^\x03\0\0\x0b\x06\xd0\0\0\x12.\0$|s v/Microsoft Terminal Service//Windows 2000 Server/
# I don't know why this stupid service is answering to TerminalServer probe,
# but that has been verified.  I'm not going to add 515 to the TerminalServer
# ports line unless I see more like this.
# NOTE(review): the LPDString section reports this kind of service as
# "printer"; confirm whether the service name "lpd" here is intended.
match lpd m/^no entries\n$/ v/Xerox LPD///

# Netware Create Connection Service request
# The probe starts with the ASCII tag "DmdT" (\x44\x6d\x64\x54) and a length
# field of \0\0\0\x17 (23, the size of the whole probe).
##############################NEXT PROBE##############################
Probe TCP NCP q|\x44\x6d\x64\x54\0\0\0\x17\0\0\0\x01\0\0\0\0\x11\x11\0\xff\x01\xff\x13|
ports 524
# Netware 5 and 6
# NCP "OK" reply
# (starts with the ASCII tag "tNcP", a length of 16, then \x33\x33)
match ncp m|^\x74\x4e\x63\x50\0\0\0\x10\x33\x33| v/Novell Netware NCP///

##############################NEXT PROBE##############################
# Binary request sent to the Lotus Notes port (1352).  The field layout is not
# documented in this file.
Probe TCP NotesRPC q|\x3A\x00\x00\x00\x2F\x00\x00\x00\x02\x00\x00\x40\x02\x0F\x00\x01\x00\x3D\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x1F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00|
ports 1352
# Service name only; no product or version is reported for this reply.
match lotusnotes m|^`\0\0\0U\0\0\0\x03\0\0@\x02\x0f\0\x05\x009\x05.....\x03\0\0\0\0\x02\0/\0\x12|s

##############################NEXT PROBE##############################
# A single byte \x02 sent to UDP 1434.  The reply matched below is a
# semicolon-separated list that names the server, the instance, the cluster
# flag, the version and the named-pipe and TCP endpoints - all of it returned
# to an unauthenticated one-byte datagram, so hosts matching here are also
# disclosing that inventory to anything that can reach the port.
Probe UDP Sqlping q|\x02|
ports 1434
# Endpoint order "np" then "tcp".  $1 = server name, $2 = version, $3 = TCP port.
match ms-sql-m m|^\x05..ServerName;([\w\-]+);InstanceName;[\w\-]+;IsClustered;\w{2,3};Version;([\d\.]+);np;.+;tcp;(\d{1,5});| v/Microsoft SQL Server/$2/ServerName: $1; TCPPort: $3/
# Endpoint order "tcp" then "np"; the pipe name is captured as $4 but not reported.
match ms-sql-m m|^\x05..ServerName;([\w\-]+);InstanceName;[\w\-]+;IsClustered;\w{2,3};Version;([\d\.]+);tcp;(\d{1,5});np;(.+);$| v/Microsoft SQL Server/$2/ServerName: $1; TCPPort: $3/

# Windows Media Services (MMS) request.  The payload carries a client
# identification string in two-byte characters ("NSPlayer/9.0.0.2980; {...}").
Probe TCP WMSRequest q|\x01\0\0\xfd\xce\xfa\x0b\xb0\xa0\0\0\0MMS\x14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x12\0\0\0\x01\0\x03\0\xf0\xf0\xf0\xf0\x0b\0\x04\0\x1c\0\x03\0N\0S\0P\0l\0a\0y\0e\0r\0/\09\0.\00\0.\00\0.\02\09\08\00\0;\0 \0{\00\00\00\00\0A\0A\00\00\0-\00\0A\00\00\0-\00\00\0a\00\0-\0A\0A\00\0A\0-\00\00\00\00\0A\00\0A\0A\00\0A\0A\00\0}\0\0\0\xe0\x6d\xdf\x5f|
ports 1549,1755
#WMS 4.1.0.3927
# The version digits are captured one at a time because each character in the
# reply is followed by a zero byte; this form expects a d.d.d.dddd version.
match wms m|^\x01\0\0.\xce\xfa\x0b\xb0.\0\0\0MMS .\0{7}.{9}\0\0\0\x01\0\x04\0\0\0\0\0\xf0\xf0\xf0\xf0\x0b\0\x04\0\x1c\0\x03\0\0\0\0\0\0\0\xf0\?\x01\0\0\0\x01\0\0\0\0\x80\0\0...\0.\0\0\0\0\0\0\0\0\0\0\0.\0\0\x00(\d)\0\.\x00(\d)\0\.\x00(\d)\0\.\x00(\d)\x00(\d)\x00(\d)\x00(\d)\0\0\0|s v/Microsoft Windows Media Service/$1.$2.$3.$4$5$6$7//
# Same reply with a d.dd.dd.dddd version.
match wms m|^\x01\0\0.\xce\xfa\x0b\xb0.\0\0\0MMS .\0{7}.{9}\0\0\0\x01\0\x04\0\0\0\0\0\xf0\xf0\xf0\xf0\x0b\0\x04\0\x1c\0\x03\0\0\0\0\0\0\0\xf0\?\x01\0\0\0\x01\0\0\0\0\x80\0\0...\0.\0\0\0\0\0\0\0\0\0\0\0.\0\0\x00(\d)\0\.\x00(\d)\x00(\d)\0\.\x00(\d)\x00(\d)\0\.\x00(\d)\x00(\d)\x00(\d)\x00(\d)\0\0\0|s v/Microsoft Windows Media Service/$1.$2$3.$4$5.$6$7$8$9//
# Two-byte reply; only an info string is reported.
match shivahose m|^\x02\x06$| v///Shiva network modem access/

