#  This software was derived from SATAN 1.1.1 by Dan Farmer and Wietse Venema
#  (http://www.porcupine.org/satan).
#
# Rules that deduce new facts from existing data. Each rule is executed once
# for each 'a' SARA record. The rule format is:
#
#	condition TABs fact
#
# The condition is a PERL expression that has full access to the global
# $target..$text variables, to functions, and to everything that has been
# found so far. The fact is a SARA record.
#
# Empty lines and text after a "#" character are ignored. Long lines may
# be broken with backslash-newline.
#
#
# version 1, Sun Mar 19 10:32:57 1995, last mod by zen
# version 2, Fri Mar 28 17:00:00 1999, last mod by toddr
# version 3, Sun May 21 23:00:00 2000, last mod by todd
# version 4, Thu Jun 15 08:00:00 2000, last mod by todd
# version 5, Tue Sep 12 20:00:00 2000, last mod by todd
# version 6, Wed Jun 27 10:00:00 2001, last mod by todd
# version 7, Wed Jan 16 10:00:00 2001, last mod by todd
# version 8, Thu Apr  4 10:00:00 2002, last mod by todd
# version 9, Wed Apr 24 14:00:00 2002, last mod by todd
# version 10, Wed Feb 25 18:00:00 2004, last mod by todd
# version 11, Thu Oct 7 21:00:00 2004, last mod by todd
# version 12, Sun Oct 17 22:00:00 2005, last mod by todd

# The green guys
#
# Each fact is a pipe-separated SARA record, laid out as
# target|service|status|severity|trusted|trustee|canonical|text (the SATAN
# record layout); the third field is always 'a' here, matching the records
# these rules are run against (see header).
#
# The first two rules chain: any banner that looks like HTML/HTTP yields
# "offers http:<service>", and the literal "offers http:http" case is then
# collapsed to plain "offers http" by the second rule.
/<TITLE>/i || /<HEAD>/i || /HTTP/	$target|$service|a|||||offers http:$service 
/offers http:http/			$target|$service|a|||||offers http
# NOTE(review): $service_output is not in the header's $target..$text list;
# presumably another driver global - verify against the rule engine.
/offers https/ && $service_output eq ""	$target|$service|a|g||||offers secure http
/offers gopher/				$target|$service|a|g||||offers gopher
#/offers telnet/ && /\\n/		$target|$service|a|g||||$text
# "\\n" in a pattern matches a literal backslash followed by "n"; the record
# text presumably stores line breaks escaped that way (the binshell and
# modem rules below rely on the same convention).
/offers mtp/  && /\\n/			$target|$service|a|||||offers telnet on port 57
/runs NFS/				$target|$service|a|g||||runs NFS
# FTP banner on a service that was not identified as ftp by port.
/220 .*ftp server/i && $service ne "ftp"	$target|$service|a|g||||FTP (non-standard port)
# INN banner version checks. The trailing space in "2\.[0-2] " keeps the
# second rule from also matching 2.2.x, which the third rule handles on its
# own.
# NOTE(review): the trusted field reads "ANY@target" (no sigil) in these
# three rules, i.e. the literal word "target", whereas every later rule uses
# "ANY@$target" - presumably a missing "$".
/offers nntp/ && /INN 1\.[0-5]/		$target|$service|a|bo|ANY@target|ANY@ANY|inn version|inn vulnerable to buffer overflow
/offers nntp/ && /INN 2\.[0-2] /	$target|$service|a|bo|ANY@target|ANY@ANY|inn version|inn vulnerable to buffer overflow
/offers nntp/ && /INN 2\.2\.[1-2]/	$target|$service|a|bo|ANY@target|ANY@ANY|inn version|inn vulnerable to buffer overflow

/offers xdmcp/				$target|$service|a|g||||offers xdmcp
/NIS server/				$target|$service|a|g||||NIS server
/offers simap/				$target|$service|a|g||||offers simap
# uucp with a login prompt: flagged for confirmation rather than as a fault.
/offers uucp/ && /login/		$target|$service|a|zwoi|ANY@$target|ANY@$target|Doubtful Internet service|confirm that uucp should be running
#
# Assume rexd is insecure without even trying
#
# NOTE(review): no rexd rule follows this comment anywhere in this file; it
# looks like a leftover.
#
# SENDMAIL SECTION ;-)
#
# Exim MTA
# $1 holds the captured version text and is compared numerically. A two-part
# version such as "4.31" (constructed example) numifies cleanly, but a
# three-part one like "4.3.2" would compare as 4.3 (with an "isn't numeric"
# warning), so this check is only approximate.
/SMTP Exim ([\d\.]+)/ && $1 < 4.32 \
	$target|smtp|a|zcio|ANY@$target|ANY@$target|sendmail version|possible vulnerability in Exim

# assume berkeley versions of sendmail < 8.8.5 are hosed:
# handled in sendmail.sara
 
# other sendmail versions

# Generic (or derived from) BSD; should have something >= 5.60
# NOTE(review): the ">= 5.60" remark predates the rule below, which only
# inspects 8.13.x.
# NOTE(review): in Perl a bare literal with two dots (8.13.5) is a v-string,
# not a number, so "$1 <= 8.13.5" does not compare versions as intended and
# the rule is unlikely to fire; comparing the captured patch level on its
# own would be the fix. The service field is the literal "assert" (the modem
# rule does the same, so this may be deliberate) and the text begins
# "Rpossible", which looks like a typo - record text is left untouched here.
/[Ss]endmail (8\.13\.[0-9]+)/ && $1 <= 8.13.5 \
		$target|assert|a|rs|ANY@$target|ANY@$target|sendmail version|Rpossible race condition in sendmail

#

#
# OTHER PROBLEMS
#
# Hacker program bnc (irc proxy)
#
# NOTE(review): the message interpolates $port, which no other rule uses and
# the header does not list; the sibling rules use $service - confirm $port
# is set by the driver.
/NOTICE/ && /quote PASS/i	$target|$service|a|ht|ANY@$target|ANY@$target|hacker program found|System may be compromised: bnc on port $port

/NOTICE/ && /Welcome/ && /pb/	$target|$service|a|ht|ANY@$target|ANY@$target|hacker program found|System may be compromised: pb on port $service

/EliteWarez/			$target|$service|a|ht|ANY@$target|ANY@$target|hacker program found|System may be compromised: xdcc on port $service  

# FTP-style banners on a service not identified as ftp by port.
/220[- ]Serv-U FTP Server/ && $service ne "ftp"	$target|$service|a|ht|ANY@$target|ANY@$target|hacker program found|System may be compromised: Serv-U  on port $service
# NOTE(review): "$421" inside a regex interpolates capture variable $421
# (unset), so the literal "421" is never matched; presumably meant to be
# /421 Server is offline/.
/$421 Server is offline/ && $service ne "ftp"	$target|$service|a|ht|ANY@$target|ANY@$target|hacker program found|System may be compromised: svchost on port $service 

/220 More 0wnage/ && $service ne "ftp"		$target|$service|a|ht|ANY@$target|ANY@$target|hacker program found|System may be compromised: svchost on port $service

# Service names carry port:proto, as in the chargen and P2P rules below.
/220 / && $service eq "420:TCP" 		$target|$service|a|ht|ANY@$target|ANY@$target|hacker program found|System may be compromised: svchost on port $service

# Shell error text in a banner; "\\n" matches a literal backslash-n.
/: command not found\\n/	$target|$service|a|us|ANY@$target|ANY@$target|backdoor found|System may be compromised: binshell on port $service

/Microsoft Windows/ && /Copyright/	$target|$service|a|us|ANY@$target|ANY@$target|backdoor found|Probable Windows backdoor found: cmd.exe on port $service
 
#  Look for fraggle/chargen exploit
/chargen\:UDP/		$target|DOS|a|zcio|ANY@$target|ANY@$target|Possible DoS problem|Is your host a DoS threat?

# a modem on a port?  Surely you jest...
# "\\[nr]" matches a literal backslash followed by n or r (see the mtp rule).
/AT\\[nr].*OK\\[nr]/	$target|assert|a|rs|ANY@$target|ANY@$target|unrestricted modem|Unrestricted modem on the Internet
# Look for sgi pmcd (co-pilot) vulnerability
# NOTE(review): the pmcd comment above does not describe the rwhois rule it
# precedes; the pmcd rule appears to be missing.
/offers rwhois/		$target|rwhois|a|zcio|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that rwhois should be running


# Remote-control products identified by port plus banner; the fact only asks
# for password hygiene to be verified.
/offers 5631:TCP/ && /Please press \<Enter\>.../	$target|remote control server|a|zcio|ANY@ANY|ANY@ANY|remote control server|Verify good passwords on pcanywhere

/offers 5632:TCP/ && /Please press \<Enter\>.../	$target|remote control server|a|zcio|ANY@ANY|ANY@ANY|remote control server|Verify good passwords on pcanywhere

/offers 407:TCP/	$target|timbuktu|a|zcio|ANY@ANY|ANY@ANY|remote control server|Verify good passwords on timbuktu

# NOTE(review): bare "ssh" is a bareword string; it relies on the driver not
# enabling strict subs. Quoting it ("ssh") is safer.
$service ne ssh && /SSH-/		$target|$service|a|us|ANY@ANY|ANY@ANY|hacker program found|System may be compromised: SSH on non standard port $service

# "runs X" records for RPC-style daemons. The kcms_serverd text says
# "kcms_severd" (typo in record text, left as-is here).
/runs kcms_serverd/			$target|$service|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that kcms_severd should be running
/runs cachefsd/				$target|$service|a|ycio|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that cachefsd is patched (Solaris 2.5.1-2.8)
/runs gssd/				$target|$service|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that gssd should be running 
/runs rquotad/				$target|$service|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that  rquotad should be running
/runs walld/				$target|$service|a|ycio|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that walld should be running 
/runs sprayd/				$target|$service|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that sprayd should be running
#
#  P2P Stuff
#  Port-only matches (no banner check): a listener on a P2P default port is
#  only a hint, which is why each fact asks for confirmation.
/offers 8888:TCP/			$target|napster|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that napster should be running (port 8888)
/offers 8875:TCP/			$target|napster|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that napster should be running (port 8875)
/offers 6699:TCP/			$target|napster|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that napster should be running (port 6699)
/offers 4661:TCP/			$target|edonkey|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that edonkey should be running (port 4661)
/offers 4662:TCP/			$target|edonkey|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that edonkey should be running (port 4662)
/offers 4665:UDP/			$target|edonkey|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that edonkey should be running (port 4665)
/offers 6345:UDP/			$target|gnutella|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that Gnutella should be running (port 6345)
/offers 6346:UDP/			$target|gnutella|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that Gnutella should be running (port 6346)
/offers 6347:UDP/			$target|gnutella|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that Gnutella should be running (port 6347)
/offers 6348:UDP/			$target|gnutella|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that Gnutella should be running (port 6348)
/offers 6349:UDP/			$target|gnutella|a|zwoi|ANY@ANY|ANY@ANY|Doubtful Internet service|confirm that Gnutella should be running (port 6349)
# Telnet banner heuristics. "User Name : " is a generic prompt and may match
# devices other than APC - the fact only asks for confirmation.
/for current settings/			$target|telnet|a|us|ANY@ANY|ANY@ANY|No Password for JetDirect|Provide a password to JetDirect
/User Name : /     			$target|telnet|a|zcio|ANY@ANY|ANY@ANY|APC password check|Confirm that default password not loaded 

# Time dependent:  Age to brown after a period of time:
# NOTE(review): no rules follow this heading in the file as shown.


# Basic test for MSDTC Vulnerability (MS05-051)
# Port-only check (a 3372/TCP listener) with no version probing, so the fact
# marks a candidate to verify rather than a confirmed vulnerability.
/offers 3372:TCP/			$target|msdtc|a|ycio|ANY@ANY|ANY@ANY|Potentially vulnerable MSDTC|MSDTC may be vulnerable to buffer overflow
