#  This software was derived from SATAN 1.1.1 by Dan Farmer and Wietse Venema
#  (http://www.porcupine.org/satan).
#
# Rules that deduce new facts from existing data. Each rule is executed once
# for each 'a' SARA record. The rule format is:
#
#	condition TABs fact
#
# The condition is a PERL expression that has full access to the global
# $target..$text variables, to functions, and to everything that has been
# found so far. The fact is a SARA record.
#
# Empty lines and text after a "#" character are ignored. Long lines may
# be broken with backslash-newline.
#
#
# version 1, Sun Mar 19 10:32:57 1995, last mod by zen
# version 2, Fri Mar 28 17:00:00 1999, last mod by toddr
# version 3, Sun May 21 23:00:00 2000, last mod by todd
# version 4, Thu Jun 15 08:00:00 2000, last mod by todd
# version 5, Tue Sep 12 20:00:00 2000, last mod by todd
# version 6, Wed Jun 27 10:00:00 2001, last mod by todd
# version 7, Wed Jan 16 10:00:00 2001, last mod by todd
# version 8, Thu Apr  4 10:00:00 2002, last mod by todd
# version 9, Wed Apr 24 14:00:00 2002, last mod by todd
# version 10, Wed Feb 25 18:00:00 2004, last mod by todd
#

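# The green guys
#
# Service-identification rules: each one turns a raw banner or record into a
# normalized "offers ..." / "runs ..." fact (severity column "g", presumably
# green).  Anything that looks like HTML or mentions HTTP is first tagged as
# "offers http:<service>"; the rule after it reduces the "http:http" case (the
# HTTP service on its own port) to a plain "offers http" fact, which suggests
# the derived facts are fed back through these rules.
/<TITLE>/i || /<HEAD>/i || /HTTP/i	$target|$service|a|||||offers http:$service 
/offers http:http/			$target|$service|a|||||offers http
# Only the bare "offers https" record (empty output field) is promoted.
/offers https/ && $service_output eq ""	$target|$service|a|g||||offers secure http
/offers gopher/				$target|$service|a|g||||offers gopher
#/offers telnet/ && /\\n/		$target|$service|a|g||||$text
# "\\n" in a condition matches a literal backslash-n pair, which appears to be
# how newlines are stored in the record text (several rules below rely on it).
/offers mtp/  && /\\n/			$target|$service|a|||||offers telnet on port 57
/runs NFS/				$target|$service|a|g||||runs NFS
# An FTP greeting on a port whose service name is not "ftp".
/220 .*ftp server/i && $service ne "ftp"	$target|$service|a|g||||FTP (non-standard port)
# INN version matching.  The trailing space in "2\.[0-2] " keeps that rule from
# also matching 2.2.x, which the following rule handles explicitly.  The
# trusted column is ANY@$target like every other host-scoped rule in this file;
# it used to read the literal "ANY@target", which names no real host.
/offers nntp/ && /INN 1\.[0-5]/		$target|$service|a|bo|ANY@$target|ANY@ANY|inn version|inn vulnerable to buffer overflow
/offers nntp/ && /INN 2\.[0-2] /	$target|$service|a|bo|ANY@$target|ANY@ANY|inn version|inn vulnerable to buffer overflow
/offers nntp/ && /INN 2\.2\.[1-2]/	$target|$service|a|bo|ANY@$target|ANY@ANY|inn version|inn vulnerable to buffer overflow

/offers xdmcp/				$target|$service|a|g||||offers xdmcp
/NIS server/				$target|$service|a|g||||NIS server
/offers simap/				$target|$service|a|g||||offers simap
# A uucp login prompt reachable from the network is reported, not just noted.
/offers uucp/ && /login/		$target|$service|a|zwoi|ANY@$target|ANY@$target|doubtful Internet services|uucp should not be on the Internet
#
# Assume rexd is insecure without even trying
#
# NOTE(review): /(?!world)/ is an unanchored zero-width negative lookahead, so
# it succeeds on any record (it matches at the first position that is not
# followed by "world"); the effective condition is just /runs rexd/.  If the
# intent was to skip records mentioning "world", !/world/ would express that --
# confirm before changing.
/runs rexd/ && /(?!world)/	$target|assert|a|us|ANY@$target|ANY@ANY|REXD access|rexd is vulnerable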

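# SENDMAIL SECTION ;-)
#
# Exim MTA
# Flags Exim releases before 3.34.  The captured version is compared
# numerically, which is only meaningful for two-component versions such as
# "3.33"; a three-component string would numify to its first two parts.
/SMTP Exim ([\d\.]+)/ && $1 < 3.34 \
	$target|smtp|a|zcio|ANY@$target|ANY@$target|sendmail version|possible vulnerability in Exim

# assume berkeley versions of sendmail < 8.8.5 are hosed:
# handled in sendmail.sara
 
# other sendmail versions

# HP
/HP Sendmail \(1\.37\.109\.11/ \
		$target|assert|a|bo|ANY@$target|ANY@$target|Sendmail vulnerabilities|Sendmail version buffer overflow

#
# Generic (or derived from) BSD; should have something >= 5.60
# The capture takes the whole 5.x minor version so that the numeric
# comparison really selects releases up to and including 5.60 ("pre 5.61",
# as the fact says).  The earlier pattern could only ever capture the literal
# string "5.60", which made the comparison a no-op and missed older 5.x.
/[Ss]endmail (5\.\d+)/ && $1 <= 5.60 \
		$target|assert|a|rs|ANY@$target|ANY@$target|Sendmail vulnerabilities|Sendmail pre 5.61

#
# Sequent/DYNIX; if <= 5.65, broken...
# Same capture as above.  A DYNIX sendmail at or below 5.60 also trips the
# generic rule, which matches what both fact texts claim.
/[Ss]endmail (5\.\d+)/ && $1 <= 5.65 && /DYNIX/ \
		$target|assert|a|rs|ANY@$target|ANY@$target|Sendmail vulnerabilities|DYNIX Sendmail, pre 5.65

# POP2 servers
# Any POP2 server that answered "OK" is reported; no version check is made.
/OK/ && /offers pop-2/		$target|pop-2|a|zwoi|ANY@$target|ANY@$target|pop version|pop version may be vulnerable to buffer overflow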
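#
# OTHER PROBLEMS
#
# Hacker program bnc (irc proxy)
#
# The port is reported through $service, the record field every other
# "hacker program found" rule interpolates.  The old text used $port, which is
# not among the record variables the file header lists, so it presumably
# rendered empty.
/NOTICE/ && /quote PASS/i	$target|$service|a|ht|ANY@$target|ANY@$target|hacker program found|System may be compromised (bnc at $service).

/NOTICE/ && /Welcome/ && /pb/	$target|$service|a|ht|ANY@$target|ANY@$target|hacker program found|System may be compromised (pb at $service).

/EliteWarez/			$target|$service|a|ht|ANY@$target|ANY@$target|hacker program found|System may be compromised (xdcc at $service).  

# FTP-style greetings on a port that is not the ftp service are treated as a
# rogue server rather than a legitimately relocated FTP daemon.
/220[- ]Serv-U FTP Server/ && $service ne "ftp"	$target|$service|a|ht|ANY@$target|ANY@$target|hacker program found|System may be compromised (Serv-U  at $service).
/421 Server is offline/ && $service ne "ftp"	$target|$service|a|ht|ANY@$target|ANY@$target|hacker program found|System may be compromised (svchost at $service). 

/220 More 0wnage/ && $service ne "ftp"		$target|$service|a|ht|ANY@$target|ANY@$target|hacker program found|System may be compromised (svchost at $service).

# Any 220 greeting at all on 420/TCP.
/220 / && $service eq "420:TCP" 		$target|$service|a|ht|ANY@$target|ANY@$target|hacker program found|System may be compromised (svchost at $service).


# A shell error message coming back from a probe; "\\n" matches the literal
# backslash-n pair the record text appears to use for a newline.
/: command not found\\n/	$target|$service|a|us|ANY@$target|ANY@$target|backdoor found|Probable backdoor found (binshell at $service)

# The banner a Windows command interpreter prints when it starts.
/Microsoft Windows/ && /Copyright/	$target|$service|a|us|ANY@$target|ANY@$target|backdoor found|Probable Windows backdoor found (cmd.exe at $service)
 
#  Look for fraggle/chargen exploit
# UDP chargen is a classic traffic amplifier, so the host is a DoS threat to
# others, not just to itself.
/chargen\:UDP/		$target|DOS|a|zcio|ANY@$target|ANY@$target|Possible DoS problem|Is your host a DoS threat?

# a modem on a port?  Surely you jest...
# A Hayes-style "AT ... OK" exchange in the captured text.
/AT\\[nr].*OK\\[nr]/	$target|assert|a|rs|ANY@$target|ANY@$target|unrestricted modem|Unrestricted modem on the Internet
# Look for automounter vulnerability
/runs automounter/	$target|amd|a|zcio|ANY@$target|ANY@$target|automounter version|automounter version may be vulnerable to buffer overflow

# Look for sgi fam vulnerability
/runs sgi_fam/		$target|sgi_fam|a|zcio|ANY@ANY|ANY@ANY|sgi fam version|sgi fam version may be vulnerable to buffer overflow

# Look for SGI objectserver
# NOTE(review): the "New buffer overflow exploits" rule at the end of this
# section also fires on /offers 5135:UDP/, with a different severity and text,
# so one record yields two objectserver facts -- confirm which one is current.
/offers 5135:UDP/	$target|objectserver|a|zcio|ANY@$target|ANY@$target|objectserver vulnerability|objectserver daemon may be vulnerable

# Look for rwhois (the old heading mentioned sgi pmcd/co-pilot, which this
# rule does not match)
/offers rwhois/		$target|rwhois|a|zcio|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that rwhois should be running

# Look for old nisd vulnerability
/runs nisd/		$target|nisd|a|zcio|ANY@ANY|ANY@ANY|nisd version|nisd version may be vulnerable to buffer overflow

# Look for possible vulnerable kerberos vulnerabilities
# One fact per kerberized service; the former second copy of the klogin rule
# only emitted the identical fact twice.
/offers klogin/		$target|kerberos|a|zcio|ANY@ANY|ANY@ANY|possible kerberos vulnerability|kerberos authentication may be vulnerable to buffer overflow attacks
/offers kpop/		$target|kerberos|a|zcio|ANY@ANY|ANY@ANY|possible kerberos vulnerability|kerberos authentication may be vulnerable to buffer overflow attacks

# Look for Back Orifice and NetBus
# Port-only matches: nothing in the banner is checked, so expect false
# positives when a legitimate service happens to use one of these ports.
#/NetBus/		$target|backdoor|a|ycio|ANY@ANY|ANY@ANY|possible backdoor found|Possible Windows NetBus detected
#/offers 1243:TCP/	$target|backdoor|a|ycio|ANY@ANY|ANY@ANY|possible backdoor found|Possible Windows Subseven backdoor found
#/offers 4089:TCP/	$target|backdoor|a|ycio|ANY@ANY|ANY@ANY|possible backdoor found|Possible Windows Subseven backdoor found
#/offers 4090:TCP/	$target|backdoor|a|ycio|ANY@ANY|ANY@ANY|possible backdoor found|Possible Windows Subseven backdoor found
#/offers 20034:TCP/	$target|backdoor|a|ycio|ANY@ANY|ANY@ANY|possible backdoor found|Possible Windows Netbus-2 detected
/offers 31337:UDP/	$target|backdoor|a|ycio|ANY@ANY|ANY@ANY|possible backdoor found|Possible Windows Back Orifice detected
/offers 31785:TCP/	$target|backdoor|a|ycio|ANY@ANY|ANY@ANY|possible backdoor found|Possible Windows Hack a Tack backdoor found
# New buffer overflow exploits
/offers 5135:UDP/	$target|objectserver|a|ycio|ANY@ANY|ANY@ANY|Possible IRIX ObjectServer Vulnerability|Possible IRIX Objectserver Vulnerability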

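#  Site Unique
/offers tacacs/ || /offers 49:TCP/			$target|tacacs|a|zcio|ANY@ANY|ANY@ANY|tacacs server|Verify TACACS patches and workarounds


# NOTE(review): the trailing "..." in these two patterns is three wildcard
# characters, not literal dots; \.\.\. would pin the prompt text exactly.
/offers 5631:TCP/ && /Please press \<Enter\>.../	$target|pcanywhere|a|zcio|ANY@ANY|ANY@ANY|remote control server|Verify good passwords on pcanywhere

/offers 5632:TCP/ && /Please press \<Enter\>.../	$target|pcanywhere|a|zcio|ANY@ANY|ANY@ANY|remote control server|Verify good passwords on pcanywhere

/offers 407:TCP/	$target|timbuktu|a|zcio|ANY@ANY|ANY@ANY|remote control server|Verify the use and configuration of timbuktu

/offers telnet/ && /Catalyst/i && /Cisco/	$target|telnet|a|zcio|ANY@ANY|ANY@ANY|cisco catalyst version| Enable access may be possible w/o password

/offers ms-wbt-server/	$target|ms-wbt|a|zcio|ANY@ANY|ANY@ANY|MS Terminal Server|Possible vulnerability in MS Terminal Server

# Matches both the TCP and the UDP record for these ports.
/offers 33567/ || /offers 60008/	$target|$service|a|ycio|ANY@ANY|ANY@ANY|possible backdoor found| Lion worm may be present

# An SSH banner on a port not registered as the ssh service.  The service
# name is quoted like the "ftp" comparisons above; as a bare word it only
# evaluated to the string "ssh" because the rules run without strict, and it
# would silently become a sub call if a sub named ssh ever existed.
$service ne "ssh" && /SSH-/		$target|$service|a|us|ANY@ANY|ANY@ANY|backdoor found|SSH found on non-standard port ($service)

/offers dtspc/				$target|$service|a|ycio|ANY@ANY|ANY@ANY|dtspc version [CA-2002-01]|dtspc may be vulnerable to buffer overflow

/offers 8009:TCP/			$target|$service|a|zcio|ANY@ANY|ANY@ANY|possible Netware vulnerability|Possible Netware Remote Manager vulnerability

#/offers 5900:TCP/ && /RFB [0-9]+.[0-9]/		$target|$service|a|ycio|ANY@ANY|ANY@ANY|VNC Running|Possible VNC backdoor running

# Solaris RPC daemons that are rarely needed on an Internet-facing host.
# (The kcms_serverd fact text previously misspelled the daemon name.)
/runs kcms_serverd/			$target|$service|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that kcms_serverd should be running
/runs cachefsd/				$target|$service|a|ycio|ANY@ANY|ANY@ANY|Doubtful Internet service [CA-2002-11]|confirm that cachefsd is patched (Solaris 2.5.1-2.8)
/runs gssd/				$target|$service|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that gssd should be running 
/runs rquotad/				$target|$service|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that  rquotad should be running
/runs walld/				$target|$service|a|ycio|ANY@ANY|ANY@ANY|Doubtful Internet service [CA-2002-10]|confirm that walld patched under Sol 2.51-2.8 
/runs sprayd/				$target|$service|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that sprayd should be running
#
#  P2P Stuff
# Port-only matches for file-sharing clients; each fact names the port it
# was derived from.
/offers 8888:TCP/			$target|napster|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that napster should be running (port 8888)
/offers 8875:TCP/			$target|napster|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that napster should be running (port 8875)
/offers 6699:TCP/			$target|napster|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that napster should be running (port 6699)
/offers 4661:TCP/			$target|edonkey|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that edonkey should be running (port 4661)
/offers 4662:TCP/			$target|edonkey|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that edonkey should be running (port 4662)
/offers 4665:UDP/			$target|edonkey|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that edonkey should be running (port 4665)
/offers 6345:UDP/			$target|gnutella|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that Gnutella should be running (port 6345)
/offers 6346:UDP/			$target|gnutella|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that Gnutella should be running (port 6346)
/offers 6347:UDP/			$target|gnutella|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that Gnutella should be running (port 6347)
/offers 6348:UDP/			$target|gnutella|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that Gnutella should be running (port 6348)
/offers 6349:UDP/			$target|gnutella|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that Gnutella should be running (port 6349)
# Device consoles that answered a telnet probe with a management prompt.
/for current settings/			$target|telnet|a|us|ANY@ANY|ANY@ANY|No Password for JetDirect|Provide a password to JetDirect
/User Name : /     			$target|telnet|a|zcio|ANY@ANY|ANY@ANY|APC password check|Confirm that default password not loaded 

# Time dependent: these age to brown (lower severity) after a period of time;
# the downgrade date is noted on each rule.

# XFS (Font Server): Downgrade on 1 Mar 04
/offers xfs/				$target|$service|a|ycio|ANY@ANY|ANY@ANY|Font server [CA-2002-34]|X font server may be vulnerable to buffer overflow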

