#
# Rules that deduce new facts from existing data. Each rule is executed once
# for each 'a' SAINT record. The rule format is:
#
#	condition TABs fact
#
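# The condition is a Perl expression that has full access to the global
# $target..$text variables, to functions, and to everything that has been
# found so far. The fact is a SAINT record. Because each condition is run as
# Perl code, this file should be writable only by whoever maintains the scanner.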
#
# Empty lines and text after a "#" character are ignored. Long lines may
# be broken with backslash-newline.
#
#
# version 1, Sun Mar 19 10:32:57 1995, last mod by zen
#
#
# Check for rexec
# Fires when the record's $service field is exactly "exec" (string compare)
# and records that rexec is reachable on the target. No banner or version is
# examined, so the fact only states that the service is enabled.
$service eq "exec"		$target|rexec|a|zwoi|ANY@$target|ANY@$target|rexec on the Internet|rexec is enabled and could help attacker

# SENDMAIL SECTION ;-)
#
# Every rule in this section extracts a version from the record text with a
# regex and compares the captured pieces as numbers. A capture that matched
# nothing (for example a missing patch level) counts as 0 in the comparison,
# so a banner reading "8.8" is treated as older than 8.8.5.
# NOTE(review): the version comes from text the server reports about itself;
# a hit is a candidate to confirm on the host, and a server that hides or
# rewrites its banner is not covered by these rules.
#
# assume berkeley versions of sendmail < 8.8.5 are hosed:
# $3 = major, $4 = minor, $5 = optional dot, $6 = patch level.
/[Ss]endmail\s+(\S+\s+)?(SMI-)?([0-9])\.([0-9x]+)(\.)?([0-9]*)/ && ($3<8 || ($3==8 && $4<8) || ($3==8 && $4==8 && $6<5)) \
		$target|assert|a|rs|ANY@$target|ANY@$target|Sendmail vulnerabilities|Vulnerable Sendmail version: $3.$4$5$6
# Sendmail 8.11 with a patch level below 6; here $3 = optional dot, $4 = patch.
/[Ss]endmail\s+(\S+\s+)?(SMI-)?8\.11(\.)?([0-9]*)/ && $4<6 \
		$target|smtp|a|ype|ANY@$target|ANY@$target|Sendmail vulnerabilities|Privilege elevation in Sendmail 8.11$3$4
# Same capture layout as the first rule; flags anything older than 8.11.4.
/[Ss]endmail\s+(\S+\s+)?(SMI-)?([0-9])\.([0-9x]+)(\.)?([0-9]*)/ && ($3<8 || ($3==8 && $4<11) || ($3==8 && $4==11 && $6<4)) \
		$target|smtp|a|ype|ANY@$target|ANY@$target|signal handling problems|signal handling race condition in Sendmail

# Irix Sendmail
# The pattern expects "SGI." or "SGI-" in front of the version, optionally
# preceded by a six-digit field; $2 = major, $3 = minor, $5 = patch level.
# The threshold is the same 8.8.5 used for the Berkeley rule.
/[Ss]endmail\s+(\d{6}\.)?SGI[\.\-]([0-9])\.([0-9x]+)(\.)?([0-9]*)/ && ($2<8 || ($2==8 && $3<8) || ($2==8 && $3==8 && $5<5)) \
		$target|assert|a|rs|ANY@$target|ANY@$target|Sendmail vulnerabilities|Vulnerable Sendmail version: $2.$3$4$5

# other sendmail versions

# HP
# Matches one specific banner prefix, "HP Sendmail (1.37.109.11"; there is no
# numeric version comparison.
/HP Sendmail \(1\.37\.109\.11/ \
		$target|assert|a|bo|ANY@$target|ANY@$target|Sendmail vulnerabilities|Sendmail version buffer overflow

#
# Sequent/DYNIX; if <= 5.65, broken...
# $1 is compared as a decimal number, so 5.65 itself is included even though
# the fact text says "pre 5.65". The record must also contain "DYNIX".
/[Ss]endmail (5\.[0-9]+)/ && $1 <= 5.65 && /DYNIX/ \
		$target|assert|a|rs|ANY@$target|ANY@$target|Sendmail vulnerabilities|DYNIX Sendmail, pre 5.65

#
# MMDF smtp servers
# Matches the shape of the greeting only ("220 <host> Server SMTP ("); no
# version is compared, so every server with this greeting is reported.
/220 \S+ Server SMTP \(/ \
		$target|smtp|a|zcio|ANY@$target|ANY@$target|MMDF vulnerability|possible vulnerability in MMDF

#
# Lotus domino servers
# Release 5.0 with a patch level below 6; $1 = optional dot, $2 = patch level
# (an empty patch level compares as 0).
/SMTP.*Lotus Domino Release 5\.0(\.?)(\d*)/i && $2 < 6 \
		$target|smtp|a|bo|ANY@$target|ANY@$target|Lotus Domino SMTP vulnerability|buffer overflow in Lotus Domino 5.0$1$2

#
# MERCUR mail servers
# (Assuming problem still isn't fixed until we hear otherwise)
# The captures are used only to print the version in the fact text; there is
# no version bound, so every MERCUR banner is reported.
/220 MERCUR SMTP-Server\s*\(v(\d+)\.(\d+)(\.?)(\d*)/i \
		$target|smtp|a|bo|ANY@$target|ANY@$target|MERCUR vulnerabilities|buffer overflow in MERCUR $1.$2$3$4

#
# Windows 2000 mail servers
# Builds below 5.0.2195.4905. The same condition appears twice because it
# emits two separate facts (one "zcio", one "dos").
/Microsoft ESMTP MAIL Service/ && /Version: 5\.0\.(\d+)\.(\d+)/ && ($1<2195 || ($1==2195 && $2<4905)) \
		$target|smtp|a|zcio|ANY@$target|ANY@$target|Microsoft mail server vulnerabilities|Authentication flaw in Microsoft mail server
/Microsoft ESMTP MAIL Service/ && /Version: 5\.0\.(\d+)\.(\d+)/ && ($1<2195 || ($1==2195 && $2<4905)) \
		$target|smtp|a|dos|ANY@$target|ANY@$target|Microsoft mail server vulnerabilities|denial of service in Windows SMTP service

#
# Alcatel speed touch ADSL modem
# Detection only: the greeting text "220 Inactivity timer =" identifies the
# device and the fact is filed under the ftp service.
/220 Inactivity timer =/	$target|ftp|a|zwoi|ANY@$target|ANY@$target|Alcatel ADSL modem|Alcatel ADSL modem detected

#
# IMail SMTP server
# $1 is the dotted version string compared as a decimal number: exactly 6.06
# gives the "possible" fact, anything lower gives the "bo" fact.
# NOTE(review): a three-part version such as "6.0.5" is compared using only
# its leading "6.0" when Perl converts it to a number.
/SMTP.*\(IMail ([\d\.]+)/ && $1 == 6.06 \
		$target|smtp|a|zcio|ANY@$target|ANY@$target|IMail vulnerabilities|possible denial of service in IMail $1
/SMTP.*\(IMail ([\d\.]+)/ && $1 < 6.06 \
		$target|smtp|a|bo|ANY@$target|ANY@$target|IMail vulnerabilities|denial of service in IMail $1
#
# Exim mail server
# Versions below 3.34, compared as a decimal number.
/SMTP Exim ([\d\.]+)/ && $1 < 3.34 \
		$target|smtp|a|zcio|ANY@$target|ANY@$target|Exim vulnerability|possible vulnerability in Exim 

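# POP2 servers (pop3 is checked in bin/pop3.sara)
# Fires when the record text contains both "OK" and "pop-2"; no version is
# compared.
/OK/ && /pop-2/		$target|pop|a|zwoi|ANY@$target|ANY@$target|pop version|pop version may be vulnerable to buffer overflow

# POP server without MD5 authentication
# Reports a POP banner that does not mention MD5 as receiving the password in
# clear text. The earlier condition /(?!MD5)/ was an unanchored negative
# lookahead, which succeeds on every string (it always matches at the end of
# the text), so the rule fired for every POP banner, including ones that
# advertise MD5. !/MD5/ tests for the absence of the string, in the same way
# the Performance Copilot rule uses !/rwhois/.
# NOTE(review): this is still a banner heuristic; a server whose banner
# mentions MD5 may accept clear-text logins as well.
/POP/ && !/MD5/	$target|pop|a|zwoi|ANY@$target|ANY@$target|POP server|pop receives password in clear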
#
# FTP problems
#
# Version checks against the FTP greeting. Dotted captures are compared as
# decimal numbers and an empty capture counts as 0.
#
# wu-ftpd 2.x: $1 is the number following "wu-2."; one rule each for < 4, 4
# and 5, plus a literal match for 2.6.0.
# NOTE(review): the dots in "wu-2." and "wu-2.6.0" are not escaped in these
# four patterns, so they match any character; the globbing rule further down
# escapes them.
/ftp.*\(version wu-2.([0-9]+)/i && $1 < 4 \
		$target|ftp|a|rs|ANY@$target|ANY@$target|FTP vulnerabilities|WUFtp pre 2.4
/ftp.*\(version wu-2.([0-9]+)/i && $1 == 4 \
		$target|ftp|a|rs|ANY@$target|ANY@$target|FTP vulnerabilities|WUFtp 2.4
/ftp.*\(version wu-2.([0-9]+)/i && $1 == 5 \
		$target|ftp|a|bo|ANY@$target|ANY@$target|FTP vulnerabilities|WUFtp 2.5
/ftp.*\(version wu-2.6.0/i  \
		$target|ftp|a|bo|ANY@$target|ANY@$target|FTP vulnerabilities|WUFtp 2.6
# ProFTPD 1.2.0 and 1.2.1, including rc/pre builds ($2 and $3 are only echoed
# in the fact text).
/220 ProFTPD 1\.2\.(\d+)(rc|pre)?(\d*)/i && $1 < 2 \
		$target|ftp|a|dos|ANY@$target|ANY@$target|FTP vulnerabilities|ProFtp 1.2.$1$2$3
# ProFTPD 1.0 and 1.1.
/220 ProFTPD 1\.([0-9]+)/i && $1 < 2 \
		$target|ftp|a|bo|ANY@$target|ANY@$target|FTP vulnerabilities|ProFtp pre 1.2.0
# BeroFTP: any version.
/FTP server \(BeroFTP/i \
		$target|ftp|a|bo|ANY@$target|ANY@$target|FTP vulnerabilities|BeroFTP
# OpenBSD ftpd: below 6.5 is reported as "bo", exactly 6.5 as "zcio".
/220/ && /Version ([0-6])\.([\d\.]+)\/OpenBSD/ && ($1 < 6 || ($1==6 && $2<5)) \
		$target|ftp|a|bo|ANY@$target|ANY@$target|FTP vulnerabilities|OpenBSD ftpd pre 6.5
/220/ && /Version ([0-6])\.([\d\.]+)\/OpenBSD/ && $1 == 6 && $2 == 5 \
		$target|ftp|a|zcio|ANY@$target|ANY@$target|FTP vulnerabilities|OpenBSD ftpd 6.5
# NetBSD ftpd, identified either by its date stamp (up to 20000723) or by a
# "Version: N.M" banner below 7.1.0, or 7.1.0 with no letter suffix.
/220/ && /\(NetBSD-ftpd (\d+)\)/ && $1 <= 20000723 \
		$target|ftp|a|zcio|ANY@$target|ANY@$target|FTP vulnerabilities|Possible buffer overflow in NetBSD ftpd
/220/ && /FTP server \(Version: (\d+)\.([\d\.]+)([a-z]?)\)/ && ($1 < 7 || ($1==7 && $2<1.0) || ($1==7 && $2==1.0 && !$3)) \
		$target|ftp|a|zcio|ANY@$target|ANY@$target|FTP vulnerabilities|Possible buffer overflow in NetBSD ftpd
# AIX: any banner starting "FTP server (Version 4.3".
/FTP server \(Version 4\.3/ \
		$target|ftp|a|bo|ANY@$target|ANY@$target|FTP vulnerabilities|AIX ftpd buffer overflow
# HP-UX 10.x: 1.7.212.N with N below 3.
/FTP server \(Version 1\.7\.212\.([0-9]+)/i && $1 < 3 \
		$target|ftp|a|bo|ANY@$target|ANY@$target|FTP vulnerabilities|HP-UX 10.x ftpd buffer overflow
# HP-UX 11.00: decided by the build date in the banner, either a year before
# 2000 or January through June 2000.
/FTP server \(Version 1\.1\.214\.[0-9]+.*GMT (\d+)/i && $1 < 2000 \
		$target|ftp|a|bo|ANY@$target|ANY@$target|FTP vulnerabilities|HP-UX 11.00 ftpd buffer overflow
/FTP server \(Version 1\.1\.214\.[0-9]+.*(Jan|Feb|Mar|Apr|May|Jun).*GMT 2000/i \
		$target|ftp|a|bo|ANY@$target|ANY@$target|FTP vulnerabilities|HP-UX 11.00 ftpd buffer overflow
# Serv-U: below 2.5, or 2.5 whose letter suffix ($2) is not in the range i-z.
/Serv-U FTP-Server v([\d\.]+)([a-z]?)/i && ($1 < 2.5 || ($1 == 2.5 && $2 !~ /[i-z]/)) \
		$target|ftp|a|uw|ANY@$target|ANY@$target|Serv U vulnerabilities|Serv-U FTP $1$2
# WFTPD 3.0: literal banner match.
/WFTPD 3\.0 service/		$target|ftp|a|zcio|ANY@$target|ANY@$target|WFTPD vulnerabilities|WFTPD Pro 3.0
# WS_FTP Server 2.x where the remainder ($2) is below 0.4, i.e. before 2.0.4.
/WS_FTP Server (\d+)\.([\d\.]+)/ && $1==2 && $2 < 0.4 \
		$target|ftp|a|bo|ANY@$target|ANY@$target|WS FTP vulnerabilities|buffer overflow in WS FTP $1.$2
# bftpd 1.0.x: patch level up to 11 is reported as "bo", above 11 as "zcio".
/bftpd (\d+\.\d+)(\.?)(\d*)/ && $1 == 1.0 && $3 <= 11 \
		$target|ftp|a|bo|ANY@$target|ANY@$target|bftpd vulnerabilities|Buffer overflow in bftpd $1$2$3
/bftpd (\d+\.\d+)(\.?)(\d*)/ && $1 == 1.0 && $3 > 11 \
		$target|ftp|a|zcio|ANY@$target|ANY@$target|bftpd vulnerabilities|Possible buffer overflow in bftpd $1$2$3
# SpoonFTP 1.0.0.N with N below 13.
/220 SpoonFTP V1\.0\.0\.(\d+)/ && $1 < 13 \
		$target|ftp|a|bo|ANY@$target|ANY@$target|SpoonFTP vulnerabilities|Buffer overflow in SpoonFTP 1.0.0.$1
# EFTP up to and including 2.0.7.337 ($1 = "major.minor", $2 and $3 follow).
/220 EFTP Version (\d+\.\d+)\.(\d+)\.(\d+)/ && ($1<2.0 || ($1==2.0 && $2<7) || ($1==2.0 && $2==7 && $3<=337)) \
		$target|ftp|a|bo|ANY@$target|ANY@$target|EFTP vulnerabilities|Buffer overflow in EFTP $1.$2.$3
#
# FTP globbing problems
#
# All facts in this section use the "zcio" code and "Possible ..." wording:
# they are raised from the banner or host type alone, without exercising the
# server.
#
# SunOS ftpd up to and including 5.8.
/FTP server \(SunOS (\d+)\.([\d\.]+)\)/i && ($1 < 5 || ($1==5 && $2<=8)) \
		$target|ftp|a|zcio|ANY@$target|ANY@$target|FTP filename globbing|Possible globbing vulnerability in SunOS ftpd
# Irix: the banner carries no version, so the rule relies on HOSTTYPE
# (not defined in this file; presumably the detected OS type - confirm in the
# rule loader). When HOSTTYPE holds no version number the optional group is
# unset, $1 compares as 0 and the rule still fires.
/FTP server ready/i && HOSTTYPE =~ /Irix\s*(\d+\.?\d*)?/i && $1<=6.5 \
		$target|ftp|a|zcio|ANY@$target|ANY@$target|FTP filename globbing|Possible globbing vulnerability in Irix ftpd
# HP-UX: 1.7.112.N below 6 and 1.7.212.N below 5.
/FTP server \(Version 1\.7\.112\.(\d+)/i && $1 < 6 \
		$target|ftp|a|zcio|ANY@$target|ANY@$target|FTP filename globbing|Possible globbing vulnerability in HP-UX ftpd
/FTP server \(Version 1\.7\.212\.(\d+)/i && $1 < 5 \
		$target|ftp|a|zcio|ANY@$target|ANY@$target|FTP filename globbing|Possible globbing vulnerability in HP-UX ftpd
# Must look at date for HP-UX 11 because version numbers are re-used
# Flags a build year before 2001, or January through March 2001.
/FTP server \(Version 1\.1\.214\.\d+.*GMT (\d+)/i && $1 < 2001 \
		$target|ftp|a|zcio|ANY@$target|ANY@$target|FTP filename globbing|Possible globbing vulnerability in HP-UX ftpd
/FTP server \(Version 1\.1\.214\.\d+.*(Jan|Feb|Mar).*GMT 2001/i \
		$target|ftp|a|zcio|ANY@$target|ANY@$target|FTP filename globbing|Possible globbing vulnerability in HP-UX ftpd
# OpenBSD ftpd up to and including 6.5.
/220/ && /Version ([0-6])\.([\d\.]+)\/OpenBSD/ && ($1 < 6 || ($1==6 && $2<=5)) \
		$target|ftp|a|zcio|ANY@$target|ANY@$target|FTP filename globbing|Possible globbing vulnerability in OpenBSD ftpd
# Banners of the form "Version N/OpenBSD/Linux": any version.
/FTP server \(Version [\d\.]+\/OpenBSD\/Linux/i \
		$target|ftp|a|zcio|ANY@$target|ANY@$target|FTP filename globbing|Possible glibc glob vulnerability
# NetBSD ftpd: date stamp before 20010329, or a "Version: N.M" banner whose
# major number is 0 through 7.
/220/ && /\(NetBSD-ftpd (\d+)\)/ && $1 < 20010329 \
		$target|ftp|a|zcio|ANY@$target|ANY@$target|FTP filename globbing|Possible globbing vulnerability in NetBSD ftpd
/220/ && /FTP server \(Version: [0-7]\.\d+/ \
		$target|ftp|a|zcio|ANY@$target|ANY@$target|FTP filename globbing|Possible globbing vulnerability in NetBSD ftpd
# FreeBSD ftpd banners "Version N.00LS" with N from 0 to 6.
/FTP server \(Version [0-6]\.00LS\) ready/ \
		$target|ftp|a|zcio|ANY@$target|ANY@$target|FTP filename globbing|Possible globbing vulnerability in FreeBSD ftpd
# WFTPD up to and including 3.0.
/WFTPD ([\d\.]+) service/ && $1 <= 3.0 \
		$target|ftp|a|zcio|ANY@$target|ANY@$target|FTP filename globbing|Possible globbing vulnerability in WFTPD
# glftpd 1.N with N below 24.
/\(glftpd 1\.(\d+)/i && $1 < 24 \
		$target|ftp|a|zcio|ANY@$target|ANY@$target|FTP filename globbing|Possible globbing vulnerability in glftpd
# SCO: any FTP greeting that mentions "SCO"; no version is compared.
/220/ && /FTP server/ && /SCO/ \
		$target|ftp|a|zcio|ANY@$target|ANY@$target|FTP filename globbing|Possible globbing vulnerability in SCO ftpd
# wu-ftpd up to 2.6.1, except 2.6.1(N) builds with N of 2 or more. The second
# match reuses $1, which is safe because "$1 <= 6.1" has already been
# evaluated by the time the bracketed build number is captured.
/ftp.*\(version wu-2\.([\d\.]+)/i && $1 <= 6.1 && !(/wu-2\.6\.1\((\d+)\)/i && $1 >= 2) \
		$target|ftp|a|zcio|ANY@$target|ANY@$target|FTP filename globbing|Possible globbing vulnerability in wu-ftpd
#
# OTHER PROBLEMS
#

# Hacker program bnc (irc proxy)
# Fires when the record text contains both "NOTICE" and "quote PASS".
/NOTICE/ && /quote PASS/	$target|hacker|a|ht|ANY@$target|ANY@$target|hacker program found|System may be compromised.

# a modem on a port?  Surely you jest...
# The pattern looks for "AT" and "OK", each followed by a literal backslash
# and the letter n or r, i.e. line endings in escaped form rather than real
# newline characters.
/AT\\[nr].*OK\\[nr]/	$target|assert|a|rs|ANY@$target|ANY@$target|unrestricted modem|Unrestricted modem on the Internet

# Look for chargen (udp) as possible fraggle host (Denial of Service)
/chargen:UDP/		$target|DOS|a|zcio|ANY@$target|ANY@$target|packet flooding problems|chargen could be used in UDP bomb

# Linux mountd and nfsd vulnerabilities
# Both rules need HOSTTYPE to contain "Linux" (HOSTTYPE is not defined in this
# file; presumably the detected OS type). The nfsd fact is filed under the
# same "mountd vulnerabilities" heading as the mountd fact.
/runs mountd/ && HOSTTYPE =~ /Linux/i \
			$target|mountd|a|zcio|ANY@$target|ANY@$target|mountd vulnerabilities|mountd may be vulnerable
/runs nfsd/ && HOSTTYPE =~ /Linux/i \
			$target|nfsd|a|zcio|ANY@$target|ANY@$target|mountd vulnerabilities|nfsd may be vulnerable

# Look for efingerd
# Identified by its exact error message, including the "existant" spelling.
/You tried to finger non existant user!!!/ \
			$target|fingerd|a|zcio|ANY@$target|ANY@$target|finger vulnerabilities|efingerd may be vulnerable

# Look for amd vulnerability
# This rule and the SGI and SNMP rules below fire on the presence of the
# service alone; no version is checked.
/runs amd/		$target|amd|a|zcio|ANY@$target|ANY@$target|amd buffer overflow|amd may be vulnerable to buffer overflow

# Look for SGI vulnerabilities
/runs sgifam/		$target|sgifam|a|yi|ANY@$target|ANY@$target|SGI fam vulnerability|SGI fam may be vulnerable
/runs espd/		$target|espd|a|zcio|ANY@$target|ANY@$target|espd vulnerability|espd may be vulnerable

# Issue SNMP warning
/offers snmp/		$target|snmp|a|zcio|ANY@$target|ANY@$target|SNMP vulnerabilities|SNMP is enabled and may be vulnerable

# Issue RADIUS warning (but not the RADIUS service which
# runs with Windows 2000 Authentication service)
# The Windows exclusion is a substring test on HOSTTYPE, so any host type
# containing "Windows" is skipped.
/offers radius/ && HOSTTYPE !~ /Windows/	$target|radius|a|zcio|ANY@$target|ANY@$target|RADIUS vulnerabilities|RADIUS is enabled and may be vulnerable

# Look for SGI objectserver
# Port 5135/UDP counts only when HOSTTYPE contains "IRIX".
/offers 5135:UDP/ && HOSTTYPE =~ /IRIX/i \
	$target|objectserver|a|zcio|ANY@$target|ANY@$target|objectserver vulnerability|objectserver daemon may be vulnerable

# Look for SGI Performance Copilot (but not rwhois,
# which runs on the same port number)
/offers 4321:TCP/ && !/rwhois/	$target|pmcd|a|zcio|ANY@$target|ANY@$target|Performance Copilot|SGI Performance Copilot may be vulnerable

# Look for SCO UnixWare i2odialogd
# Port-only rule: neither the host type nor the service is verified.
/offers 360:TCP/	$target|i2odialogd|a|zcio|ANY@$target|ANY@$target|UnixWare i2odialogd|Possible buffer overflow in UnixWare i2odialogd

# SCO calserver
# Reported for port 6373/TCP unless HOSTTYPE names an OpenServer release above
# 5.04.
# NOTE(review): ".*" in front of the capture is greedy, so $1 ends up holding
# only the last digit or dot of the HOSTTYPE string rather than the whole
# version number; confirm that the exclusion behaves as intended.
/offers 6373:TCP/ && !(HOSTTYPE =~ /OpenServer.*([\d\.]+)/i && $1>5.04) \
	$target|calserver|a|zcio|ANY@$target|ANY@$target|OpenServer calserver|Possible buffer overflow in OpenServer calserver

# CUPS print server
# $1 is the dotted version from the "Server:" header compared as a decimal
# number, so every 1.1.x release compares as 1.1 and is reported.
/Server:\s*CUPS\/([\d\.]+)/ && $1 <= 1.1 \
	$target|cups|a|zcio|ANY@$target|ANY@$target|CUPS vulnerabilities|Possible buffer overflow in CUPS

# LDAP vulnerabilities
# The first rule is limited to host types "Windows", "Windows 2000" and
# "Windows NT 5"; the second fires for every host that offers ldap or
# ssl-ldap and is a prompt to review the configuration.
/offers ssl-ldap/ && (HOSTTYPE eq "Windows" || HOSTTYPE=~ /Windows\s*2000/ || HOSTTYPE =~ /Windows\s*NT\s*5/) \
	$target|ssl-ldap|a|zcio|ANY@$target|ANY@$target|LDAP over SSL|Possible vulnerability in LDAP over SSL
/offers ssl-ldap/ || /offers ldap/ \
	$target|ldap|a|zcio|ANY@$target|ANY@$target|LDAP vulnerabilities|Is your LDAP secure?

# Look for rpc.nisd vulnerability
# Presence-only rule; no version is checked.
/runs nisd/		$target|nisd|a|zcio|ANY@$target|ANY@$target|nisd vulnerability|nisd may be vulnerable to buffer overflow

# Look for rsync vulnerability
# $1 is the number following "@RSYNCD:" in the greeting: below 21 is reported
# as "rs", 21 through 25 as "zcio".
/@RSYNCD: (\d+)/ && $1<21	$target|rsyncd|a|rs|ANY@$target|ANY@$target|rsyncd vulnerabilities|rsyncd allows remote root access
/@RSYNCD: (\d+)/ && $1>=21 && $1<26	$target|rsyncd|a|zcio|ANY@$target|ANY@$target|rsyncd vulnerabilities|rsyncd may allow remote root access

# Look for Gauntlet/WebShield cyberdaemon vulnerability
# The port-only rules from here to the Big Brother rule infer the product
# from the port number alone; another service listening on the same port
# produces the same fact.
/offers 8999:TCP/	$target|cyberdaemon|a|zcio|ANY@$target|ANY@$target|Gauntlet WebShield cyberdaemon|Gauntlet or WebShield cyberdaemon may be vulnerable
/offers 8999:UDP/	$target|cyberdaemon|a|zcio|ANY@$target|ANY@$target|Gauntlet WebShield cyberdaemon|Gauntlet or WebShield cyberdaemon may be vulnerable

# Look for HP Openview vulnerabilities
/offers 2345:TCP/	$target|openview|a|zcio|ANY@$target|ANY@$target|HP Openview vulnerabilities|Possible vulnerability in Openview Node Manager
/offers 5555:TCP/	$target|openview|a|zcio|ANY@$target|ANY@$target|HP Openview vulnerabilities|Possible vulnerability in HP Omniback

# Big Brother web server
/offers 1984:TCP/	$target|bbd|a|zcio|ANY@$target|ANY@$target|http potential problems|Possible vulnerability in Big Brother (bbd)

# Sun Cluster mond server
# Needs both the "Monitor server" text and port 12000/TCP in the same record.
/Monitor server/ && /offers 12000:TCP/	$target|mond|a|yi|ANY@$target|ANY@$target|Sun Cluster vulnerabilities|Sun Cluster monitor reveals system info

# MDaemon (SMTP, IMAP, POP, etc.)
# Below 3.5.6: $1 = "major.minor", $3 = the remainder compared as a number.
/\bMDaemon (\d+\.\d+)(\.?)([\d\.]*)/ && ($1 < 3.5 || ($1==3.5 && $3<6)) \
			$target|mdaemon|a|dos|ANY@$target|ANY@$target|MDaemon vulnerabilities|Denial of Service in MDaemon $1$2$3

# XMail
# XMail 0.N with N below 68, and only when the text also names the CTRL Server.
/XMail 0\.(\d+)/i && $1<68 && /CTRL Server/i	$target|xmail|a|bo|ANY@$target|ANY@$target|XMail vulnerabilities|Buffer overflow in XMail 0.$1

# Interbase
# Port-only rule; the account mentioned in the fact text is not tested here.
/offers 3050:TCP/	$target|interbase|a|zcio|ANY@$target|ANY@$target|Interbase detected|Possible backdoor account in Interbase

# IRIX telnetd
# Either the telnet service or a "telnet on port N" record, on a host whose
# HOSTTYPE contains "IRIX"; no IRIX release is compared.
/offers telnet/ && HOSTTYPE =~ /IRIX/i	$target|telnet|a|zcio|ANY@$target|ANY@$target|IRIX telnetd|Possible vulnerability in IRIX telnetd
/telnet on port (\d+)/ && HOSTTYPE =~ /IRIX/i	$target|telnet|a|zcio|ANY@$target|ANY@$target|IRIX telnetd|Possible vulnerability in IRIX telnetd port $1

# Avirt telnet server
# Versions up to and including 4.2.
/Avirt.*Telnet Server v(\d+)\.([\d\.]+)/ && ($1<4 || ($1==4 && $2<=2)) \
			$target|telnet|a|rs|ANY@$target|ANY@$target|Avirt Gateway vulnerabilities|buffer overflow in Avirt telnet server

# ntp buffer overflow
# Presence-only, skipped when HOSTTYPE contains "Windows".
/offers ntp/ && HOSTTYPE !~ /Windows/	$target|ntp|a|zcio|ANY@$target|ANY@$target|NTP vulnerabilities|Possible vulnerability in ntpd

# rwhoisd format string
# Release 1.5 whose remainder ($2) compares as 7.2 or lower; $1 and $3 are
# only echoed in the fact text.
/%rwhois/ && /V-1\.5(\.?)(\d[\d\.]*)?([a-z]?)\)/ && $2<=7.2 \
			$target|rwhoisd|a|us|ANY@$target|ANY@$target|RWhois vulnerability|Format string problem in rwhoisd 1.5$1$2$3

# Look for NetBus
# (this and other backdoors are also in backdoors.saint, repeated
# here so it will be found on other ports)
/NetBus/		$target|backdoor|a|ht|ANY@$target|ANY@$target|backdoor found|Possible NetBus backdoor found

# The rules from here to the libgtop rule fire on an open port alone. The
# service behind the port is not identified, so each fact is a prompt to
# check what is listening there.

# Look for NAI Net Tools PKI server
/offers 444:TCP/	$target|nettools|a|zcio|ANY@$target|ANY@$target|Net Tools PKI Server|Possible vulnerability in Net Tools PKI Server

# Look for Cisco developers shell
/offers 8023:TCP/	$target|cisco|a|ns|ANY@$target|ANY@$target|Cisco developers shell|developers shell in Cisco router

# Look for GNU cfengine daemon
/offers 5308:TCP/	$target|cfd|a|zcio|ANY@$target|ANY@$target|CFEngine detected|Possible vulnerability in CFEngine

# Look for CDE Subprocess Control Service (dtspcd)
/offers 6112:TCP/	$target|dtspcd|a|bo|ANY@$target|ANY@$target|CDE Subprocess Control daemon|possible buffer overflow in dtspcd

# Look for Microsoft Terminal Server
/offers 3389:TCP/	$target|term|a|zcio|ANY@$target|ANY@$target|Microsoft Terminal Server|Possible vulnerability in Microsoft Terminal Server

# Look for Microsoft UPnP
/offers 1900:UDP/	$target|UPnP|a|zcio|ANY@$target|ANY@$target|MS Universal Plug and Play|Possible vulnerability in Microsoft UPnP

# Look for Microsoft SQL Server
/offers 1433:TCP/	$target|sql|a|zcio|ANY@$target|ANY@$target|Microsoft SQL Server|Possible vulnerability in Microsoft SQL Server

# Look for AOL ICQ clients
/offers 5190:TCP/	$target|icq|a|zcio|ANY@$target|ANY@$target|AOL ICQ vulnerability|possible vulnerability in AOL ICQ
/offers 4000:UDP/	$target|icq|a|zcio|ANY@$target|ANY@$target|AOL ICQ vulnerability|possible vulnerability in AOL ICQ

# Look for GNOME libgtop_daemon
/offers 42800:TCP/	$target|libgtop|a|zcio|ANY@$target|ANY@$target|libgtop daemon vulnerability|Possible vulnerability in libgtop daemon

# Look for ISC dhcpd
# Presence of bootps on a host whose HOSTTYPE does not contain "Windows".
/offers bootps/ && HOSTTYPE !~ /Windows/	$target|bootps|a|zcio|ANY@$target|ANY@$target|dhcpd vulnerabilities|possible vulnerability in dhcpd

# Look for talk
# Presence-only. These facts, and the NetWare fact below, put ANY@ANY in both
# trust fields, where most rules in this file use ANY@$target.
/offers talk/		$target|talk|a|zwoi|ANY@ANY|ANY@ANY|talk vulnerabilities|talkd is enabled and may be vulnerable
/offers ntalk/		$target|talk|a|zwoi|ANY@ANY|ANY@ANY|talk vulnerabilities|talkd is enabled and may be vulnerable

# Netware Remote Manager
# (also checked in http.saint, in case ostype doesn't work)
# Port 8009/TCP counts only when HOSTTYPE names NetWare 5.1 or 6.0.
/offers 8009:TCP/ && (HOSTTYPE =~ /NetWare 5\.1/i || HOSTTYPE =~ /NetWare 6\.0/i) \
	$target|8009:TCP|a|zcio|ANY@ANY|ANY@ANY|NetWare Remote Manager|possible vulnerability in NetWare Remote Manager

# Look for Microsoft Telnet server
# The first rule recognises the server by its "NTLM authentication only"
# message on the telnet service; the second compares the build number that
# follows "5.00." ($1, below 99204).
$service eq "telnet" && /NTLM authentication only/ \
	$target|telnet|a|zcio|ANY@$target|ANY@$target|Microsoft Telnet Server|possible vulnerabilities in Microsoft Telnet Server
/Microsoft Telnet Service/ && /Telnet Server Build 5\.00\.([\d\.]+)/ && $1<99204 \
	$target|telnet|a|dos|ANY@$target|ANY@$target|Microsoft Telnet Server|multiple vulnerabilities in Microsoft Telnet Server

# Look for Kerberos
# Presence-only rules; the facts ask for a configuration review and do not
# assert a specific flaw.
/offers klogin/		$target|kerberos|a|zcio|ANY@$target|ANY@$target|Kerberos detected|Is your Kerberos secure?
/offers kshell/		$target|kerberos|a|zcio|ANY@$target|ANY@$target|Kerberos detected|Is your Kerberos secure?
/offers kpopd/		$target|kerberos|a|zcio|ANY@$target|ANY@$target|Kerberos detected|Is your Kerberos secure?

# Look for vulnerability exploits
# Port-only indicators reported as "Possible backdoor"; an open port on its
# own does not show what is listening, so the host needs a follow-up check.
/offers ingreslock/	$target|backdoor|a|zcio|ANY@$target|ANY@$target|Vulnerability Exploits|Possible backdoor: ingreslock
/offers 9704:TCP/	$target|backdoor|a|zcio|ANY@$target|ANY@$target|Vulnerability Exploits|Possible backdoor: 9704/TCP

# Look for worms
# (27374 on Windows is SubSeven, not Ramen; see backdoors.saint)
# The port rules below match on the port number alone, and the three Nimda
# rules match on findings about guest accounts and C$ shares taken from the
# record text. All of them are indicators that call for inspection of the
# host; none proves an infection.
/offers 27374:TCP/ && HOSTTYPE !~ /Windows/	$target|backdoor|a|ht|ANY@$target|ANY@$target|Worm detected|Possible worm detected (Ramen)
/offers 3356[78]:TCP/ || /offers [16]0008:TCP/	$target|backdoor|a|ht|ANY@$target|ANY@$target|Worm detected|Possible worm detected (Lion)
/offers 666:TCP/				$target|backdoor|a|ht|ANY@$target|ANY@$target|Worm detected|Possible worm detected (lprw0rm)
/offers 600:TCP/ || /offers pcserver/		$target|backdoor|a|ht|ANY@$target|ANY@$target|Worm detected|Possible worm detected (sadmind/IIS)
/Windows account guest has no password/i	$target|backdoor|a|ht|ANY@$target|ANY@$target|Worm detected|Guest account is possible sign of worm (Nimda)
/Guessed password to windows account \(guest:/i	$target|backdoor|a|ht|ANY@$target|ANY@$target|Worm detected|Guest account is possible sign of worm (Nimda)
# The dollar sign in the fact text is escaped ("C\$"), presumably so that it
# is kept as a literal character when the fact is expanded.
/readable\/writable share at .*\/C\$/i		$target|backdoor|a|ht|ANY@$target|ANY@$target|Worm detected|C\$ share is possible sign of worm (Nimda)

# Look for distributed denial-of-service tools
# Port-only indicators; three different ports map to the same mstream fact.
/offers 27665:TCP/	$target|backdoor|a|ht|ANY@$target|ANY@$target|distributed denial of service|Possible trinoo master detected
/offers 16660:TCP/	$target|backdoor|a|ht|ANY@$target|ANY@$target|distributed denial of service|Possible stacheldraht handler detected
/offers 20432:TCP/	$target|backdoor|a|ht|ANY@$target|ANY@$target|distributed denial of service|Possible shaft handler detected
/offers 6723:TCP/	$target|backdoor|a|ht|ANY@$target|ANY@$target|distributed denial of service|Possible mstream handler detected
/offers 15104:TCP/	$target|backdoor|a|ht|ANY@$target|ANY@$target|distributed denial of service|Possible mstream handler detected
/offers 12754:TCP/	$target|backdoor|a|ht|ANY@$target|ANY@$target|distributed denial of service|Possible mstream handler detected
/offers 33270:TCP/	$target|backdoor|a|ht|ANY@$target|ANY@$target|distributed denial of service|Possible Trinity portshell detected

