#
#
# Rules that deduce a CVE number from information in text field
# yes/no refers to whether its in the SANS top 20 list
#
/mountd may be vulnerable/i				yes	1999-0002
/format string vulnerability in tooltalk/i		yes	2001-0717
/tooltalk version may be vulnerable to buffer overflow/i	yes	1999-0003
/imap version may be vulnerable to buffer overflow/i	no	1999-0005 1999-0042
/vulnerable pop3 version: QPopper 2.5 or older$/i	no	1999-0006 2000-0442
/vulnerable pop3 version: QPopper 2.53 or older/i	no	2000-0442
/vulnerable pop3 version: QPopper 3.0b20 or older/i	no	1999-0006 2000-0442
/vulnerable pop3 version: UW 3.3r27 or older/i		no	1999-0042
/vulnerable pop3 version: Mercury 1.48 or older/i	no	2001-0442
/pop version may be vulnerable to buffer overflow/i	no	1999-0006 1999-0042
/SSH 1.2.(\d+) is vulnerable/i && ($1 < 17)		no	1999-0248 1999-0834 2001-0361
/SSH 1.2.(\d+) is vulnerable/i && ($1 == 17)		no	1999-0013 1999-0248 1999-0834 2001-0361
/SSH 1.2.(\d+) is vulnerable/i && ($1 > 17) && ($1<22)	no	1999-0013 1999-0834 2001-0361
/SSH 1.2.(\d+) is vulnerable/i && ($1 >= 22 && $1<24)	no	1999-0834 2001-0361
/SSH 1.2.(\d+) is vulnerable/i && ($1 >= 24)		no	1999-0834 2001-0144 2001-0361
/SSH 1.2.(\d+) may be vulnerable/i && ($1 < 28)		no	1999-0834 2001-0144 2001-0361
/SSH 1.2.(\d+) may be vulnerable/i && ($1 < 32)		no	2001-0144 2001-0361
/OpenSSH (\d+)\.([\d\.]+) may be vulnerable/i && ($1<2 || ($1==2 && $2<3))	no	2001-0144 2001-0816
/OpenSSH (\d+)\.([\d\.]+) may be vulnerable/i && ($1==2 && $2>=3 && $2<9.9)	no	2001-0816
/OSSH 1\.([\d\.]+) may be vulnerable/i && ($1 <= 5.7)	no	2001-0144
/FTP server can do FTP bounce/i				no	1999-0017
/rpc.statd is enabled and may be vulnerable/i		yes	1999-0018 1999-0019 1999-0210 1999-0493 2000-0666
/unauthorized access via web server \(count.cgi\)/i	yes	1999-0021
/unauthorized access via web server \(webdist.cgi\)/i	yes	1999-0039
/INN pre 1.6 buffer overflow/i				no	1999-0043 1999-0100 1999-0705 1999-0868
/INN pre 2.2.3 buffer overflow/i			no	2000-0472
/CGI gives information about system \(nph-test-cgi\)/i	yes	1999-0045
/Vulnerable Sendmail version: 5/i			yes	1999-0131 1999-0203
/Vulnerable Sendmail version: 8\.([0-9]+)/i && $1<6	yes	1999-0129 1999-0131 1999-0203
/Vulnerable Sendmail version: 8\.6$/i			yes	1999-0129 1999-0131 1999-0203 1999-0204
/Vulnerable Sendmail version: 8\.6\.([0-9]+)/i && $1<10	yes	1999-0129 1999-0131 1999-0203 1999-0204
/Vulnerable Sendmail version: 8\.6\.([0-9]+)/i && $1>9	yes	1999-0129 1999-0131
/Vulnerable Sendmail version: 8\.7$/i			yes	1999-0129 1999-0130 1999-0131
/Vulnerable Sendmail version: 8\.7\.([0-9]+)/i && $1<6	yes	1999-0129 1999-0130 1999-0131
/Vulnerable Sendmail version: 8\.7\.([0-9]+)/i && $1>5	yes	1999-0129 1999-0130
/Vulnerable Sendmail version: 8\.8$/i			yes	1999-0129 1999-0130 1999-0206
/Vulnerable Sendmail version: 8\.8\.([0-9]+)/i && $1<2	yes	1999-0129 1999-0130 1999-0206
/Vulnerable Sendmail version: 8\.8\.2$/i		yes	1999-0129 1999-0130
/Vulnerable Sendmail version: 8\.8\.3$/i		yes	1999-0047 1999-0129
/Vulnerable Sendmail version: 8\.8\.4$/i		yes	1999-0047
/unauthorized access via web server \(php.cgi\)/i	yes	1999-0058
/unauthorized access via web server \(phf\)/i		yes	1999-0067
/CGI gives information about system \(test-cgi\)/i	yes	1999-0070
/WUFtp pre 2.4/i					no	1999-0035 1999-0080 1999-0879 1999-0880 1999-0955
/WUFtp 2.4/i						no	1999-0035 1999-0368 1999-0878 1999-0879 1999-0880
/WUFtp 2.5/i						no	1999-0878 1999-0879 1999-0880
/BeroFTP/i						no	1999-0368 1999-0878 1999-0879 1999-0880
/ProFtp 1.2.0pre(\d+)/i && $1 < 2			no	1999-0368 1999-0878 1999-0879 1999-0880 2001-0318 2001-0136
/ProFtp 1.2.0pre(\d+)/i && $1 >= 2			no	2001-0136
/ProFtp 1.2.0rc(\d+)/i && $1 < 3			no	2001-0136 2001-0318
/Sendmail is vulnerable to attack using DEBUG command/i	yes	1999-0095
/Sendmail can write to user files using DECODE/i	yes	1999-0096
/chargen could be used in UDP bomb/i			no	1999-0103
/unauthorized access via web server \(campas\)/i	yes	1999-0146
/unauthorized access via web server \(handler\)/i	yes	1999-0147
/unauthorized access via web server \(aglimpse\)/i	yes	1999-0148
/CGI gives information about system \(wrap/i		yes	1999-0149
/Exports \S+ via portmapper/i				yes	1999-0168
/unauthorized access via web server \(view-source\)/i	yes	1999-0174
/unauthorized access via web server \(webgais\)/i	yes	1999-0176
/cgi-win\/uploader.exe\) is present/i			yes	1999-0177
/cgi-shl\/win-c-sample.exe\) is present/i		yes	1999-0178
/unauthorized access via web server \(websendmail\)/i	yes	1999-0196
/unauthorized access via web server \(jj\)/i		yes	1999-0260
/unauthorized access via web server \(faxsurvey\)/i	yes	1999-0262
/unauthorized access via web server \(htmlscript\)/i	yes	1999-0264
/unauthorized access via web server \(info2www\)/i	yes	1999-0266
/unauthorized access via web server \(pfdispaly/i	yes	1999-0270
/No X server access control/i				no	1999-0526
/Excessive finger information/i				no	1999-0612
/Information from rusersd could help hacker/i		no	1999-0626
/rexd is vulnerable to the world/i			no	1999-0627
/amd may be vulnerable to buffer overflow/i		yes	1999-0704
/nfsd may be vulnerable/i				yes	1999-0832
/buffer overflow in BIND 4\.([\d\.]+)/i && ($1 < 9)	yes	1999-0024 2001-0012
/buffer overflow in BIND 4\.([\d\.]+)/i && ($1 >= 9 && $1 < 9.5)	yes	1999-0009 1999-0010 1999-0024 2001-0011 2001-0012 2001-0013
/buffer overflow in BIND 4\.([\d\.]+)/i && ($1 == 9.5)	yes	1999-0009 1999-0010 1999-0024 1999-0835 1999-0849 1999-0851 2001-0011 2001-0012 2001-0013
/buffer overflow in BIND 4\.([\d\.]+)/i && ($1 == 9.6)	yes	1999-0009 1999-0010 1999-0835 1999-0849 1999-0851 2001-0011 2001-0012 2001-0013
/buffer overflow in BIND 4\.([\d\.]+)/i && ($1 == 9.7)	yes	1999-0849 1999-0851 2001-0011 2001-0012 2001-0013
/buffer overflow in BIND 8\.([\d\.]+)/i && ($1 < 1.2)	yes	1999-0009 1999-0010 1999-0011 1999-0835 1999-0837 1999-0848 1999-0849 1999-0851 2001-0012
/buffer overflow in BIND 8\.([\d\.]+)/i && ($1 == 1.2)	yes	1999-0837 1999-0848 1999-0849 1999-0851 2001-0012
/buffer overflow in BIND 8\.([\d\.]+)/i && ($1 >= 2 && $1 < 2.2)	yes	1999-0833 1999-0835 1999-0837 1999-0848 1999-0849 1999-0851 2000-0887 2001-0010 2001-0012
/buffer overflow in BIND 8\.2\.2$/i			yes	1999-0849 1999-0851 2000-0887 2000-0888 2001-0010 2001-0012
/buffer overflow in BIND 8\.2\.2-P(\d+)/i && ($1 < 2)	yes	1999-0849 1999-0851 2000-0887 2000-0888 2001-0010 2001-0012
/buffer overflow in BIND 8\.2\.2-P(\d+)/i && ($1 >= 2 && $1 < 7)	yes	2000-0887 2000-0888 2001-0010 2001-0012
/buffer overflow in BIND 8\.2\.2-P(\d+)/i && ($1 >= 7)	yes	2001-0010 2001-0012
/CGI gives information about system \(wwwboard/i	yes	1999-0953
/sadmind may be vulnerable to buffer overflow/i		yes	1999-0977
/SGI fam may be vulnerable/i				no	1999-0059
/Possible buffer overflow in Netscape/i			no	1999-0853
/^Buffer overflow in Netscape FastTrack/i				no	1999-0744 1999-0751 1999-0752 1999-0758 1999-0853
/^Buffer overflow in Netscape Enterprise Server ([\d\.]+)/i && $1<=3.5	no	1999-0744 1999-0751 1999-0752 1999-0758 1999-0853
/^Buffer overflow in Netscape Enterprise Server ([\d\.]+)/i && $1>3.5	no	1999-0744 1999-0751 1999-0752 1999-0853
/Calendar Manager service may be vulnerable/i		yes	1999-0320 1999-0696
/AIX ftpd buffer overflow/i				no	1999-0789
/shop\/product.as[pt]\) is present/i			yes	2000-0161
/Compaq Insight Manager is vulnerable/i			yes	1999-0771 1999-0772 2001-0728
/Compaq Insight Manager may be vulnerable/i		yes	1999-0771 1999-0772 2001-0728
/unauthorized access via web server \(infosrch.cgi\)/i	yes	2000-0207
/Possible buffer overflow in UnixWare i2odialogd/i	no	2000-0026
/nisd may be vulnerable to buffer overflow/i		yes	1999-0008
/Possible buffer overflow in IIS 4/i			yes	1999-0874
/ODBC RDS Vulnerability/i				yes	1999-1011
/objectserver daemon may be vulnerable/i		no	2000-0245
/Possible vulnerability in Visual Interdev/i		yes	2000-0260
/guestbook\.pl\) is present/i				yes	1999-0237
/guestbook\.cgi\) is present/i				yes	1999-0237
/excite\) is present/i					yes	1999-0279
/unauthorized access via web server \(imagemap.exe\)/i	yes	1999-0951
/Directory listing through wp tag/i			no	2000-0236
/Is your Kerberos secure/i				no	2000-0389 2000-0390 2000-0391 2001-0036
/emurl\/RECMAN.dll\) is present/i			yes	2000-0397
/unauthorized access via web server \(counterfiglet/i	yes	2000-0424
/unauthorized access via web server \(calendar_admin.pl/i	yes	2000-0432
/unauthorized access via web server \(calendar\/calendar_admin.pl/i	yes	2000-0432
/Gauntlet or WebShield cyberdaemon may be vulnerable/i	no	2000-0437
/w3-msql\/index.html\) is present/i			yes	2000-0012
/unauthorized access via web server \(query/i		yes	2000-0039
/address is a smurf amplifier/i				no	1999-0513
/address is a fraggle amplifier/i			no	1999-0514
/Possible vulnerability in HP OmniBack/i		no	2000-0179
/Possible vulnerability in Openview Node Manager/i	yes	2000-0558
/\(piranha\/secure\/passwd.php3\) is present/i		yes	2000-0322
/JetAdmin vulnerability allows read access/i		no	2000-0443
/buffer overflow in Cmail/i				no	2000-0556 2000-0557
/\(site\/eg\/source.asp\) is present/i			yes	2000-0628
/Possible vulnerability in Big Brother/i		yes	2000-0639 2000-0978
/unauthorized access via web server \(bb-hostsvc.sh\)/i	yes	2000-0638
/\(db2www(.exe)?\) is present/i				yes	2000-0677
/BEA WebLogic pre 5.1.0 SP5/i				no	2000-0682 2000-0683 2000-0684 2000-0685
/BEA WebLogic pre 5.1.0 SP7/i				no	2000-0684 2000-0685
/ntop server allows access/i				no	2000-0705 2000-0706
/\(\/pccsmysqladm\/incs\/dbconnect.inc\) is present/i	yes	2000-0707
/Possible vulnerability in IRIX telnetd/i		no	2000-0733
/Possible buffer overflow in gopher/i			no	2000-0743 2000-0744
/IIS specialized header vulnerability/i			no	2000-0778
/unauthorized access via web server \(netauth.cgi\)/i	yes	2000-0782
/unauthorized access via web server \(webplus/i		yes	2000-0282
/Serv-U FTP 2.(\d+)/i && $1<=4				no	1999-0219 2000-0837 2001-0054
/Serv-U FTP 2.5$/i					no	1999-0219 2000-0837 2001-0054
/Serv-U FTP 2.5a/i					no	1999-0838 2000-0837 2001-0054
/Serv-U FTP 2.5[bcde]/i					no	2000-0837 2001-0054
/Serv-U FTP 2.5[fgh]/i					no	2001-0054
/Performance Copilot may be vulnerable/i		no	2000-0283
/unauthorized access via web server \(YaBB.pl\)/i	yes	2000-0853
/Folder traversal in IIS \(Unicode/i			yes	2000-0884
/Folder traversal in IIS \(Double/i			no	2001-0333
/Filename inspection vulnerability in IIS/i		no	2000-0886
/unauthorized access via web server \(ssi/i		yes	2000-0900
/unauthorized access via web server \(multihtml.pl\)/i	yes	2000-0912
/file read vulnerability in finger/i			no	2000-0915
/http server allows read access/i			no	2000-0920
/Buffer overflow in bftpd (\d+\.\d+)\.?(\d*)/i && $1==1.0 && $2<=11	no	2000-0943
/Possible vulnerability in CFEngine/i			no	2000-0947
/\(search97cgi\/vtopic\) is present/i			yes	2000-1014
/Vulnerability in JRun: \/\/WEB-INF/i			no	2000-1050
/Vulnerability in JRun: SSIFilter/i			no	2000-1051
/Vulnerability in JRun: \/\.\/WEB-INF\/web.xml/i	no	2001-0179
/Possible buffer overflow in iPlanet web server/i	no	2000-1077 2001-0327
/pbserver.dll\) is present/i				yes	2000-1089
/Possible vulnerability in Microsoft Terminal Server/i	no	2000-1149 2001-0663 2001-0716
/possible vulnerability in LPRng/i			yes	2000-0917
/possible vulnerability in Zope (\d+)\.([\d\.]+)/i && (($1==1 && $2<10.4) || ($1==2 && $2<1.2))	no	2000-0062 2000-0483 2000-0725 2001-0128
/possible vulnerability in Zope (\d+)\.([\d\.]+)/i && ($1==1 || ($1==2 && $2<1.7))	no	2000-0483 2000-0725 2001-0128
/possible vulnerability in Zope (\d+)\.([\d\.]+)/i && ($1==1 || ($1==2 && $2<2.1))	no	2000-0725 2001-0128
/possible vulnerability in Zope (\d+)\.([\d\.]+)/i && ($1==1 || ($1==2 && $2<2.5))	no	2001-0128
/Cold Fusion Vulnerabilities from: exampleapp\/docs\/sourcewindow.cfm/i	yes	1999-0922
/Cold Fusion Vulnerabilities from: cfmlsyntaxcheck.cfm/i	yes	1999-0924
/Cold Fusion Vulnerabilities from:.*startstop.html/i	yes	1999-0756
/Possible buffer overflow in OpenServer calserver/i	no	2000-0306
/HP-UX 11.00 ftpd buffer overflow/i			no	2000-0573
/WUFtp 2.6/i						no	2000-0573
/Buffer overflow in Website Pro/i			no	2000-0622
/\(\/dsgw\/bin\/search\) is present/i			yes	2000-1075 2001-0164
/Possible backdoor account in Interbase/i		no	2001-0008
/.nsf vulnerability in Lotus Domino/i			no	2001-0009
/buffer overflow in Lotus Domino 5\.0\.?(\d*)/i && $1<5	no	2000-1047 2001-0130 2001-0260
/buffer overflow in Lotus Domino 5\.0\.5/i		no	2001-0130 2001-0260
/webadmin template access in Lotus Domino/		no	2001-0846
/unauthorized access via web server \(mmstdod.cgi\)/i	yes	2001-0021
/denial of service in IMail ([\d\.]+)/i && $1 <= 6.05	no	2001-0039 2001-0494
/denial of service in IMail ([\d\.]+)/i && $1 == 6.06	no	2001-0494
/Possible buffer overflow in NetBSD ftpd/i		no	2001-0053
/OpenBSD ftpd pre 6.5/i					no	2001-0053
/OpenBSD ftpd 6.5/i					no	2001-0053
/unauthorized access via web server \(bbs_forum.cgi\)/i	yes	2001-0123
/vulnerability in tinyproxy/i				no	2001-0129
/Possible buffer overflow in CUPS/i			no	2001-0194
/vulnerability in icecast/i				no	2001-0197
/\(query.[ai][sd][pq]\) is present/i			yes	2000-0097
/Buffer overflow in Inetserv 3\.0 webmail/i		no	2000-0065
/Cisco web interface allows command execution/i		no	2000-0945
/Cisco web authentication bypass/i			no	2001-0537
/Sun Cluster monitor reveals system info/i		no	2001-0077
/Buffer overflow in VShell 1\.0\.?(\d*)/i && $1<2	no	2001-0155 2001-0156
/Buffer overflow in IIS 5/i				yes	2001-0241 2001-0500
/Vulnerable Bugzilla version: (\d+)\.([\d\.]+)/i && ($1<2 || ($1==2 && $2<14))	yes	2001-0330
/espd may be vulnerable/i				yes	2001-0331
/vulnerable FrontPage Visual Studio extensions/i	yes	2001-0341
/vulnerabilities in Microsoft Telnet Server/i		no	2001-0345 2001-0346 2001-0347 2001-0348 2001-0351
/possible vulnerability in Sun lpd/i			yes	2001-0353
/possible vulnerability in ntpd/i			no	2001-0414
/Squid (\d+)\.(\d+)(\.STABLE)?(\d*) may be vulnerable/i && ($1<2 || ($1==2 && $2<2) || ($1==2 && $2==2 && $4<5))	no	1999-0710 1999-1481 2001-0843
/Squid (\d+)\.(\d+)(\.STABLE)?(\d*) may be vulnerable/i && ($1==2 && $2==2 && $4==5)	no	1999-1481 2001-0843
/Squid (\d+)\.(\d+)(\.STABLE)?(\d*) may be vulnerable/i && (($1==2 && $2==2 && $4>5) || ($1==2 && $2==3) || ($1==2 && $2==4 && $4<3))	no	2001-0843
/HP-UX 10.x ftpd buffer overflow/			no	2000-0699
/Possible vulnerability in Net Tools PKI Server/	no	2000-0739 2000-0740 2000-0741
/SNMP to DMI mapper may be vulnerable/i			yes	2001-0236
/buffer overflow in MERCUR/i				no	2001-0280
/unauthorized access via web server \(\/opendir.php\)/i	yes	2001-0321
/unauthorized access via web server \(cal_make.pl\)/i	yes	2001-0463
/Possible vulnerability in LDAP over SSL/		no	2001-0502
/Authentication flaw in Microsoft mail server/		no	2001-0504
/buffer overflow in telnetd telrcv/			no	2001-0554
/unauthorized access via web server \(viewsrc.cgi\)/i	yes	2001-0630
/Privilege elevation in Sendmail 8\.11/			no	2001-0653
/possible vulnerability in HP-UX rlpdaemon/		yes	2001-0668
/possible vulnerability in BSD lpd/			yes	2001-0670
/possible vulnerability in Exim/			no	2001-0690
/yppasswdd may be vulnerable to buffer overflow/i	yes	2001-0779
/buffer overflow in dtspcd/				yes	2001-0803
/unauthorized access via web server \(htsearch\)/i	yes	2000-0208 2001-0834
/vulnerability in Oracle Web Cache/			no	2001-0836
/vulnerability in Microsoft UPnP/			no	2001-0876 2001-0877
/globbing vulnerability in glftpd/			no	2001-0965
/developers shell in Cisco router/			no	2001-1037 2001-1038
/initial TCP sequence number is predictable/		no	1999-0077
/.HTR filter is enabled/				yes
/unauthorized access via web server/i			yes
/CGI gives information about system/i			yes
/cgi-/i							yes
/\.asp\)/ || /\.dll\)/ || /\.exe\)/			yes
/Cold Fusion/i						yes
/writable share at/i					yes
/readable share at/i					yes
/Guessed password to/i					yes
/Account .* has no password/i				yes
/default password on ZyXEL Prestige/i			yes
/guessable read community/i				yes
/guessable write community/i				yes
/Cisco IOS SNMP access/i				yes
/Sendmail version buffer overflow/i			yes
/DYNIX Sendmail/i					yes
/MS IIS Vulnerability:/i				yes
/DNS may be vulnerable/i				yes
/(rshd|rlogin|rexec) is enabled/i			yes
/rshd trusts the world/i				yes
/user .* trusts the world/i				yes
/possible vulnerability in .*lpd/i			yes
/rpc.walld service may be vulnerable/			yes
/ypbind may be vulnerable/				yes
/cachefsd may be vulnerable/				yes
