#
# This module contains SAINT-US code from WWDSI which is regulated in
# accordance with the distribution file LICENSE.WWDSI. 
#
# Rules that deduce new facts from existing data. Each rule is executed once
# for each 'a' SAINT record. The rule format is:
#
#	condition TABs fact
#
# The condition is a Perl expression that has full access to the global
# $target..$text variables, to functions, and to everything that has been
# found so far. The fact is a SAINT record. Because every condition is
# evaluated as Perl code, this file is effectively executable: give it the
# same ownership and permissions as the SAINT scripts themselves and do not
# let untrusted users edit it.
#
# Empty lines and text after a "#" character are ignored (so a literal "#"
# cannot be used inside a condition or a fact). Long lines may be broken
# with backslash-newline.
#
#
# version 1, Sun Mar 19 10:32:57 1995, last mod by zen
#

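# The green guys: low-severity "service offered" facts.
#
# Record layout used throughout this file (pipe-separated):
#   target|service|status|severity|trusted|trustee|service text|text
# Status 'a' marks an available service; the short code in the severity
# field (g, us, bo, rs, zwoi, ht) is SAINT's category code for the finding.
# A "$1" in a fact refers to the capture made by the condition's regex on
# the same line.

# Anything that looks like an HTML page or an HTTP banner is treated as a
# web server.  /HTTP/ is case-sensitive and unanchored, so any record whose
# text mentions "HTTP" (for example a banner of some other service) also
# yields an "offers http" record; the two rules that follow refine it by
# port.
/<TITLE>/ || /<HEAD>/ || /HTTP/	$target|$service|a|||||offers http
# Web server on a non-standard port.  The fact text reads "offer http"
# (no trailing s) in the original and is left unchanged because reports may
# key on the exact wording.
/offers http/i && $service ne "http"	$target|$service|a|g||||offer http (port $service)
/offers http/i && $service eq "http"	$target|$service|a|g||||offers http

# The original condition also carried "&& /(?!TITLE)/".  An unanchored
# negative lookahead always finds a position where it succeeds (at the very
# least at end of string), so it never excluded anything; it has been
# dropped with no change in behaviour.  If the intent was to skip records
# whose text also contains TITLE, the correct form is "&& !/TITLE/" -
# confirm against real scanner output before enabling that.
/offers https/			$target|$service|a|g||||offers secure http
/offers gopher/			$target|$service|a|g||||offers gopher
# Copies the record's own text into the new fact.
/offers telnet/			$target|$service|a|g||||$text
# Requires both the lower-case "offers ftp" and an upper-case "FTP"
# somewhere in the same text.
/offers ftp/ && /FTP/		$target|$service|a|g||||offers ftp
/runs NFS/			$target|$service|a|g||||runs NFS
/offers pop/			$target|$service|a|g||||offers pop
/offers finger/			$target|$service|a|g||||offers finger
/offers smtp/			$target|$service|a|g||||offers smtp
/telnet on port (\d+)/		$target|$service|a|g||||Telnet on port $1
# An FTP greeting (220 ... ftp server) seen on a service other than "ftp".
/220.*ftp server/i && $service ne "ftp"	$target|$service|a|g||||FTP (non-standard port)
/offers snmp/			$target|$service|a|g||||offers snmp
/offers nntp/			$target|$service|a|g||||offers nntp
/offers ssh/			$target|$service|a|g||||offers ssh
# Unanchored prefix match: "offers X", "offers X11", ... all qualify.
/offers X/			$target|$service|a|g||||$text
/offers xdmcp/			$target|$service|a|g||||offers xdmcp
/NIS server/			$target|$service|a|g||||NIS server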
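#
# Assume rexd is insecure without even trying: any "runs rexd" record
# becomes a finding that anyone can reach anyone via REXD on this host.
# The original condition also had "&& /(?!world)/", an unanchored negative
# lookahead that always succeeds and so never filtered anything; it is
# removed here with no change in behaviour.  If a "world" exclusion was
# intended it would have to be written "&& !/world/" - the intent is not
# recoverable from this file.
#
/runs rexd/	$target|assert|a|us|ANY@$target|ANY@ANY|REXD access|rexd is vulnerable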

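# SENDMAIL SECTION ;-)
#
# Version checks below key on the banner text.  A rule whose regex pins an
# exact version needs no numeric comparison: the comparisons the original
# carried on two of these rules ("$1 <= 5.60", "$1 <= 5.65") were always
# true because $1 could only ever be that literal version, and have been
# dropped without changing what matches.
#
# Berkeley sendmail 8.8.0 - 8.8.4.  The cut-off stated in the original
# comment ("< 8.8.5") is only enforced inside the 8.8 branch: the pattern
# does not match 8.7.x or earlier banners at all, so those are not reported
# by this rule.
/[Ss]endmail 8\.8\.([0-9]+)/i && $1 < 5 \
		$target|assert|a|bo|ANY@$target|ANY@$target|Sendmail vulnerabilities|Sendmail version buffer overflow
#
# other sendmail versions

# HP: exact build string match.
/HP Sendmail \(1\.37\.109\.11/ \
		$target|assert|a|bo|ANY@$target|ANY@$target|Sendmail vulnerabilities|Sendmail version buffer overflow

#
# Generic (or derived from) BSD: exactly version 5.60 is reported, which is
# consistent with the fact text "pre 5.61".  Anything older than 5.60 is
# not matched by this pattern.
/[Ss]endmail 5\.60/ \
		$target|assert|a|rs|ANY@$target|ANY@$target|Sendmail vulnerabilities|Sendmail pre 5.61

#
# Sequent/DYNIX: exactly version 5.65 on a banner that also says DYNIX.
# Note the fact text still reads "pre 5.65" although 5.65 itself is what
# fires the rule; the wording is kept because reports may key on it.
/[Ss]endmail 5\.65/ && /DYNIX/ \
		$target|assert|a|rs|ANY@$target|ANY@$target|Sendmail vulnerabilities|DYNIX Sendmail, pre 5.65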

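# POP servers
#
# Both rules below originally wrote the literal string "ANY@target" into
# the trusted/trustee fields (missing the $ sigil), unlike every other rule
# in this file; fixed to interpolate the host.
#
# Any greeting containing "OK" and "POP": the version may have a buffer
# overflow.  The condition is broad, so it fires on POP3 servers as well as
# the POP2 servers the original comment mentioned.
/OK/ && /POP/		$target|pop|a|zwoi|ANY@$target|ANY@$target|pop version|pop version may be vulnerable to buffer overflow
#
# Clear-text password warning.  The original condition was
# "/POP/ && /(?!MD5)/"; the unanchored negative lookahead always succeeds,
# so MD5/APOP-capable servers were never excluded and every POP record got
# this fact.  That behaviour is kept on purpose: a banner advertising MD5
# (APOP) shows that a challenge-response login is available, but does not
# by itself show that the server refuses plain USER/PASS logins, so the
# clear-text warning still applies.  Use "/POP/ && !/MD5/" if the original
# exclusion is really wanted.
/POP/	$target|pop|a|zwoi|ANY@$target|ANY@$target|POP server|pop receives password in clear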
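#
# OTHER PROBLEMS
#
# Example banner: 220 wuarchive.wustl.edu FTP server (Version wu-2.4(1) Mon
# Matches wu-ftpd 2.0 - 2.3: the minor version captured after "wu-2." is
# compared numerically.  The dot after "wu-2" is now escaped; the original
# "wu-2." let any character stand in for it.  This rule dates from 1995
# (see the file header) and says nothing about later wu-ftpd releases.
/ftp.*\(version wu-2\.([0-9]+)/i && $1 < 4 \
		$target|ftp|a|rs|ANY@$target|ANY@$target|FTP vulnerabilities|WUFtp pre 2.4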
#
# Hacker program bnc (irc proxy)
#
# Fires when the record text contains both an IRC-style "NOTICE" and the
# string "quote PASS" - presumably the greeting a bnc proxy sends when it
# asks for its password.  Both matches are case-sensitive.  The finding is
# filed under the "hacker" service as a possible compromise indicator.
#
/NOTICE/ && /quote PASS/	$target|hacker|a|ht|ANY@$target|ANY@$target|hacker program found|System may be compromised.

# NetBIOS session service reachable from the scanner: flagged as a question
# for the operator rather than a confirmed vulnerability.
/offers netbios-ssn/ \
		$target|netbios-ssn|a|zwoi|ANY@$target|ANY@$target|netbios over the internet|Is your Netbios secure ?

# Same treatment for an exposed lpd (printer) service.
/offers printer/ \
		$target|printer|a|zwoi|ANY@$target|ANY@$target|lpd over the internet|Is your lpd secure ?

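# INND vulnerabilities
#
# Fixes relative to the original: the trusted/trustee fields now interpolate
# $target (the original wrote the literal "ANY@target"), and the service
# name in the two text fields is spelled "nntp" rather than "nttp", matching
# the "offers nntp" fact earlier in this file.  The condition is unchanged:
# any record text containing the upper-case token "INN" fires it, which is
# a loose match (it also hits words such as "INNOVATION"), so treat this as
# a prompt to check the news server rather than a confirmed finding.
/INN/		$target|nntp|a|zwoi|ANY@$target|ANY@$target|offers nntp|is your nntp secure?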

# a modem on a port?  Surely you jest...
#
# Looks for a Hayes-style "AT" command followed later by an "OK" reply.
# The pattern uses doubled backslashes, so it matches a literal backslash
# followed by "n" or "r" (an escaped line break in the stored record text),
# not a real newline; this presumes the collector stores line breaks in
# escaped form - confirm against the scanner output before relying on it.
/AT\\[nr].*OK\\[nr]/	$target|assert|a|rs|ANY@$target|ANY@$target|unrestricted modem|Unrestricted modem on the Internet
