#  This software was derived from SATAN 1.1.1 by Dan Farmer and Wietse Venema
#  (http://www.porcupine.org/satan).
#
#
# Rules that specify what probes to try next. Each rule is applied once
# to every 'a' SARA record. Format of this file is:
#
#	condition TABs target tool tool-arguments
#
# Empty lines and text after a "#" character are ignored. Long lines may
# be broken with backslash-newline.
#
# The condition is a PERL expression, with full access to the global
# $target..$text variables and to everything else that has been found out
# so far. The target is the host that the tool is aimed at. A "*" before
# the tool argument list is a hack that specifies that tool arguments
# should be ignored when looking for duplicate tool invocations.
#
# When the condition is satisfied, the tool is executed as:
#
#	tool tool-arguments target
#
# The $junk variable is available for temporary results (wow!).
#
# The software keeps track of already executed tool invocations.
#
# version 2, Mon Mar 27 20:42:15 1995, last mod by wietse
#

#
# Output from the rpcinfo probe. Tools will be executed only when
# permitted by attack level constraints.
#
# mountd triggers two tools; nfs-chk.sara additionally receives
# "-t $short_timeout", a global that is not defined in this file
# (presumably set by the SARA configuration — confirm where).
$service eq "mountd"				$target "showmount.sara"
$service eq "mountd"				$target "nfs-chk.sara" "-t $short_timeout"
$service eq "ypserv"				$target "ypbind.sara"
$service eq "rexd"				$target "rex.sara"
$service eq "rusersd"				$target "rusers.sara"
$service eq "rstatd"				$target "rstatd.sara"
$service eq "netstat"				$target "netstat.sara"
$service eq "systat"				$target "systat.sara"

#
# Output from the finger or rusers probe: finger the origin of the login.
#
# Both the next target ($2) and the "-u" argument ($1) are captured from
# "$trustee|$trusted", i.e. from data reported by the scanned host. The
# pattern is unambiguous only when that string contains exactly two "@";
# with more, the greedy first capture extends to the second-to-last one.
# Because the host in $2 may lie outside the original scan target, this
# rule relies on SARA's target and attack-level constraints to keep the
# follow-up probe in scope — confirm the engine enforces that before the
# tool is run.
$severity eq "l" && "$trustee|$trusted" =~ /(.*)@.*@(.*)/ \
					$2 "finger.sara" "-u $1"
#
# Output from the port scanners. Tools will be executed only when
# permitted by the attack level constraints.
#
# A bare pattern such as /ANONYMOUS/ matches against $_, whichever record
# field the rules engine puts there — not visible in this file.
/ANONYMOUS/				$target "bounce.sara"
$service eq "ssh"			$target "ssh.sara"
$service eq "ftp"			$target "ftp.sara"
# smtp records run both the sendmail and the relay check.
$service eq "smtp"			$target "sendmail.sara"
$service eq "smtp"			$target "relay.sara" 
$service eq "domain"			$target "dns-chk.sara"
# "shell" is probed twice: once with the tool's defaults and once as root.
$service eq "shell"			$target "rsh.sara"
$service eq "shell"			$target "rsh.sara" "-u root"
$service eq "login"			$target "rlogin.sara"
$service eq "exec"			$target "rexec.sara"
$service eq "tftp"			$target "tftp.sara"
# $1 is restricted to digits by the pattern, so the "-d" argument is always
# of the form "$target:<number>".
$service =~ /X-([0-9]+)/		$target "xhost.sara" "-d $target:$1"
# Matched on $text rather than $service so that every port recorded as
# offering http is probed; $service (the port) is passed through as the
# tool argument.
$text =~ /offers http/			$target "http.sara" $service
$service eq "http"			$target "inject.sara"
$service eq "finger"			$target "finger.sara"
$service eq "mysql"			$target "mysql.sara"
# Oracle listener checks on ports 1521-1529. A port is matched by service
# name where the scanner reports one (oracle-tns, ingreslock, prospero-np —
# presumably the /etc/services names for 1521, 1524 and 1525) and by bare
# port number otherwise; "-p" pins the port for oracletns.sara either way.
$service eq "oracle-tns"		$target "oracletns.sara" "-p 1521"
$service eq "1522"			$target "oracletns.sara" "-p 1522"
$service eq "1523"			$target "oracletns.sara" "-p 1523"
$service eq "ingreslock"		$target "oracletns.sara" "-p 1524"
$service eq "prospero-np"		$target "oracletns.sara" "-p 1525"
$service eq "1526"			$target "oracletns.sara" "-p 1526"
$service eq "1527"			$target "oracletns.sara" "-p 1527"
$service eq "1528"			$target "oracletns.sara" "-p 1528"
$service eq "1529"			$target "oracletns.sara" "-p 1529"

#
#  This is how you would install a SARA extension.
#  SARA looks in the facts to see which records designate http
#  servers and will execute this extension at each port that is
#  http-enabled.
#
# Same condition as the http.sara rule in the port-scanner section, so
# every http-enabled port runs both http.sara and this sample extension.
$text =~ /offers http/			$target "sample.sara.ext" $service
#
#
# Substring matches: /imap/ and /pop-3/ also fire for any service name that
# merely contains that text (e.g. "imaps"), unlike the "eq" rules used
# elsewhere — confirm that is intended.
$service =~ /imap/			$target "imap.sara" 
$service =~ /pop-3/			$target "pop3.sara"
# Both SMB ports run both SMB tools.
$service eq "netbios-ssn" || $service eq "microsoft-ds"	$target "smb.sara"
$service eq "netbios-ssn" || $service eq "microsoft-ds"	$target "smb-tng.sara"
$service eq "snmp"			$target "snmpscan.sara"
# Removed due to too many false positives
# $service eq "cpq-wbem"			$target "cim.sara"


#
# Output from showmount. The "*" at the beginning of the tool argument
# list is a hack that specifies that tool arguments should be ignored
# when looking for duplicate tool invocations.
#
# The name under /export/root/ ($1) and the host after "@" ($2) are taken
# from the trustee field; &fix_hostname() (defined elsewhere) combines them
# into $junk, which then becomes the tool argument. The rule only fires when
# that result is non-empty. Note that this argument list carries no leading
# "*", so — contrary to the comment above — $junk presumably does take part
# in duplicate detection; confirm against the rules engine.
$trustee =~ /\/export\/root\/(.*)@(.*)/ && ($junk = &fix_hostname($1,$2)) ne ""\
					$target "boot.sara" $junk

#
# Output from the bootparam probe gives us the NIS domain name. With
# ypwhich we can ask the host who its NIS server is.
#
# Two rules share one condition, so each bootparam record yields both a
# ypbind.sara and a yp-chk.sara invocation. $1 (the NIS domain: \S+, so no
# whitespace but otherwise unconstrained) is copied out of $service_output,
# i.e. out of the remote host's reply; whether it needs escaping depends on
# how the engine hands arguments to tools, which is not visible here.
$service eq "boot" && $service_output =~ /domain (\S+)/ \
					$target "ypbind.sara" "-d $1"
$service eq "boot" && $service_output =~ /domain (\S+)/ \
					$target "yp-chk.sara" "$1"
#
# Example of a site-specific rule; SGIs, for instance, have "guest", "lp",
# and other accounts with no password when shipped out of the box from SGI.
# Here's how you could check for this:
# Default-account login checks. Despite the "example" wording above these
# rules are live: every record matching /offers telnet/ is tried as root
# and as guest, and every record matching /IRIX/ with the SGI factory
# accounts. Both are bare patterns and therefore match against $_.
# telnet.sara receives the port ($service) as its only argument.
/offers telnet/		$target "login.sara" "-u root $service" 
/offers telnet/		$target "login.sara" "-u guest $service"
/offers telnet/		$target "telnet.sara" "$service"
/IRIX/			$target "login.sara" "-u demos $service" 
/IRIX/			$target "login.sara" "-u EZsetup $service" 
/IRIX/			$target "login.sara" "-u lp $service"
#
# Testing for OS-dependent vulnerabilities
# OS-dependent checks are dispatched through depends.sara; the quoted
# keyword selects which check it performs. The three "offers <port>:TCP"
# rules are fixed-port signatures tied to the keyword that follows them.
/offers ms-rpc/		$target "depends.sara" "ms-rpc"
/offers ms-rpc/		$target "wms.sara"
/offers auditd/		$target "depends.sara" "drat"
/offers 65000:TCP/	$target "depends.sara" "strat"
/offers 60000:TCP/	$target "depends.sara" "t0rn"
/offers 33270:TCP/	$target "depends.sara" "trinity"
/offers asp/		$target "depends.sara" "ramen"
/runs tooltalk/		$target "depends.sara" "tooltalk"
/runs calendar/		$target "depends.sara" "calendar"
/runs sadmind/		$target "depends.sara" "sadmind"
/runs yppasswdd/	$target "depends.sara" "yppasswdd"
/offers printer/	$target "depends.sara" "printer"
# statd and ssdp are matched on $service with "eq"; the surrounding rules
# match the record text instead.
$service eq "statd"	$target "depends.sara" "statd"
/runs NFS/		$target "depends.sara" "nfs"
/offers telnet/		$target "depends.sara" "telnet"
/offers boks/		$target "depends.sara" "boks"
$service eq "ssdp"	$target "depends.sara" "ssdp"
# The character class covers both ms-sql-s and ms-sql-m.
/offers ms-sql-[sm]/	$target "mssql.sara" 
# netbios-ssn and microsoft-ds already trigger smb.sara and smb-tng.sara via
# the port-scanner rules; these add further checks on the same ports.
/offers netbios-ssn/	$target "depends.sara" "netbios-ssn"
/offers microsoft-ds/	$target "lsass.sara" "microsoft-ds"
/offers microsoft-ds/	$target "pnp.sara"
/offers microsoft-ds/	$target "netapi.sara"
