#
# Rules that recognize host types from telnet/ftp/smtp banners. These are
# applied to every telnet/ftp/sendmail record. Format of this file is:
#
#	CLASS class_name
#	condition TABs hosttype
#
# Empty lines and text after a "#" character are ignored. Long lines may
# be broken with backslash-newline.
#
# The class_name is used for the first rough breakdown by host type in,
# for example, reports. It should be a major software category.
# 
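# The condition is a PERL expression, with full access to the global
# $target..$text variables; HOSTTYPE stands for the current hostname
# info for the target host. UNKNOWN is true when the host type is unknown.
# Because conditions and hosttype fields are evaluated as PERL, this file
# is code: keep it writable only by whoever maintains the tool. The banner
# text being matched is supplied by the remote host, so a resulting host
# type is a claim made by that host, not a verified fact.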
#
# The hosttype field is an expression that evaluates to a host type;
# when it is absent, the value $1 is taken.
#
#
# version 1, Sun Mar 26 18:39:56 1995, last mod by zen
#

#
# Beware: AIX 3.x telnetd claims to be version 3.
#
CLASS AIX
# Banner-derived AIX host types. A rule with no hosttype field yields $1.
# "AIX" directly followed by digits; applied only while the current
# HOSTTYPE is at most 3 characters long (e.g. empty, or a bare "AIX").
/AIX([0-9]+)/ && length(HOSTTYPE) <= 3				"AIX $1"
# "AIX " plus a run of digits, dots, dashes and spaces; $1 is used as is,
# so any trailing spaces in the run are part of the result.
/(AIX [.0-9\-\ ]+)/
# "AIX Version <dotted number>".
/AIX Version ([.0-9]+)/						"AIX $1"
# Single-digit "AIX Version n " with the same length guard as the first rule.
# NOTE(review): any text this matches is also matched by the unguarded rule
# just above, which yields the same value -- confirm this rule is still needed.
/AIX Version ([0-9]) / && length(HOSTTYPE) <= 3			"AIX $1"
# Fallback: only while the host type is unknown, record plain "AIX".
UNKNOWN && /(AIX)/

#
# Beware: Ultrix 4.x ftpd claims to be version 4.1.
#
CLASS ULTRIX
# Every pattern in this class is case-insensitive (/i).
# "ultrix " plus digits, dots, spaces and dashes; $1 keeps the banner's own
# spelling and any trailing spaces.
/(ultrix [.0-9\ \-]+)/i
# "ultrix", then any mix of "/", "v" and space, then a version with an
# optional letter suffix; under /i the [A-Z]* suffix also accepts lowercase.
/ultrix[\/v ]+([.0-9]+[A-Z]*)/i					"Ultrix $1"
# Bare "ultrix version 4", applied only while HOSTTYPE is at most 6
# characters long (the length of "Ultrix").
/ultrix version 4/i && length(HOSTTYPE) <= 6			"Ultrix 4"
# Fallback while the host type is unknown.
UNKNOWN && /ultrix/i						"Ultrix"

CLASS VMS
# Literal "VAX/VMS"; $1 is the result.
/(VAX\/VMS)/
# "OpenVMS ", zero or more lowercase "v", then a dotted number.
/(OpenVMS v*[.0-9]+)/
# The remaining rules apply only while the host type is unknown.
UNKNOWN && /(OpenVMS)/
# "VAX" as a whole word.
UNKNOWN && /\b(VAX)\b/
# A banner containing "MultiNet" is recorded as "VAX/VMS".
UNKNOWN && /MultiNet/						"VAX/VMS"

#
# The first pattern is good for HP-UX 8.x and 9.x telnetd.
#
CLASS HP
# "HP-UX " plus optional A/B letters and a run of digits, dots, spaces and
# dashes; $1 is the result.
/(HP-UX [AB]*[0-9.\ \-]+)/
# "HP-UX", arbitrary text, then a release token followed by a space. The
# token is one or more of A, B, 1-7, a dot, then letters, digits and dots
# (constructed sample: "A.09.05"). Reported as "HP-UX <token>".
/(HP-UX) .+ ([AB1-7]+\.[A-Za-z0-9.]+) /				"$1 $2"
# Fallbacks while the host type is unknown.
UNKNOWN && /(HP-UX)/
UNKNOWN && /HP Sendmail/					"HP-UX"

#
# What about earlier IRIX versions?
#
CLASS SGI
# "IRIX " plus a run of digits, dots, spaces and dashes; $1 is the result.
/(IRIX [.0-9\ \-]+)/
# Map the "System V.n" release named in the banner to an IRIX major version
# (V.3 -> 4, V.4 -> 5, V.5 -> 6), only while HOSTTYPE is at most 4 characters
# long (the length of "IRIX"). The "." after "V" is unescaped, so it matches
# any single character, not just a dot.
/IRIX System V.3/ && length(HOSTTYPE) <= 4			"IRIX 4"
/IRIX System V.4/ && length(HOSTTYPE) <= 4			"IRIX 5"
/IRIX System V.5/ && length(HOSTTYPE) <= 4			"IRIX 6"
# Fallback while the host type is unknown: whole word "IRIX" or "SGI".
UNKNOWN && /\b(IRIX|SGI)\b/					"IRIX"

#
# SunOS 4.x ftpd and sendmail claim to be version 4.1
# SunOS 5.x ftpd and telnetd claim to be generic SYSV40
# SunOS 5.x will end up as "other" when they replaced sendmail
#
CLASS SUN
# "SunOS " or "Solaris " plus a run of digits, dots, spaces and dashes;
# $1 is the result, so the banner's own product name is kept.
/(SunOS [.0-9\ \-]+)/
/(Solaris [.0-9\ \-]+)/
# Fallbacks while the host type is unknown: a bare "SunOS" and a bare
# "Solaris" are both recorded as "SunOS".
UNKNOWN && /SunOS/						"SunOS"
UNKNOWN && /Solaris/						"SunOS"
# Version markers, applied only while HOSTTYPE is at most 5 characters long
# (the length of "SunOS"). The dots in "4.1" are unescaped and match any
# single character.
/4.1\/SMI-4.1/ && length(HOSTTYPE) <= 5				"SunOS 4"
/SMI-SVR4/ && length(HOSTTYPE) <= 5				"SunOS 5"
# NOTE(review): "FTP server (Version 5" names no vendor, so any banner with
# that text is recorded as "SunOS 5" while the host type is unknown -- treat
# this result as low confidence.
UNKNOWN && /FTP server \(Version 5/				"SunOS 5"

#
# Domain/OS ftpd gives more specific version information than telnetd.
#
CLASS APOLLO
# "Domain/OS sr<version>" (case-insensitive); $1 replaces the current value
# only when the captured text is longer than the current HOSTTYPE.
/(Domain\/OS sr[.0-9]+)/i && length($1) > length(HOSTTYPE)
# Fallbacks while the host type is unknown.
UNKNOWN && /(Domain\/OS)/
UNKNOWN && /Apollo/						"Domain/OS"

#
# Beware: NeXTStep 3.x ftp announces itself as NeXT 1.0.
# Beware: NeXTStep 3.x sendmail announces itself as NX5.xx/NX3.0.
#
CLASS NEXT
# "NX.../NX<digits>": the digits after "/NX" become the NeXTStep version.
/NX.*\/NX([0-9]+)/						"NeXTStep $1"
# "NeXTStep <dotted number>"; $1 is the result.
/(NeXTStep [.0-9]+)/
# Fallback while the host type is unknown; the capture is not used because
# an explicit hosttype field is given.
UNKNOWN && /(NeXT)/						"NeXTStep"

#
# Data General
#
CLASS DG/UX
# Whole word "DG/UX" while the host type is unknown; the hosttype field names
# $1 explicitly.
UNKNOWN && /\b(DG\/UX)\b/					$1
# "DG/UX ... Release <token>", where the token is built from uppercase
# letters, digits, dots, dashes and slashes. Not guarded by UNKNOWN.
/DG\/UX .* Release ([-\/A-Z0-9.]+)/				"DG/UX $1"

#
# Linux
#
CLASS LINUX
# "Linux " plus a run of digits, dots, spaces and dashes (case-sensitive);
# $1 is the result.
/(Linux [0-9.\ \-]+)/
# "Linux Release <dotted number>", case-insensitive.
/Linux Release ([0-9.]+)/i					"Linux $1"
# "Red Hat Linux Release n.n" while the host type is unknown.
# NOTE(review): the same text also matches the unguarded "Linux Release" rule
# above, so whether this rule can fire depends on whether UNKNOWN is still
# true at this point -- confirm against the rule compiler.
UNKNOWN && /Red Hat Linux Release ([0-9]\.[0-9]+)/i		"Red Hat $1"
# Fallbacks while the host type is unknown; $1 is the result.
UNKNOWN && /(Red Hat)/
UNKNOWN && /(Linux)/

# Windows
CLASS WINDOWS
# "Windows", optional "for workgroups ", then a dotted number
# (case-insensitive). Only the number ($2) is kept.
/Windows\s*(for workgroups )?([\d\.]+)/i				"Windows $2"
# "Windows NT" followed by a single digit (case-sensitive).
/Windows NT\s*(\d)/						"Windows NT $1"
# Fallbacks while the host type is unknown. Any banner containing "Microsoft"
# is recorded as "Windows"; "OS/2" is also filed under this class.
UNKNOWN && /Microsoft/						"Windows"
UNKNOWN && /(Windows|OS\/2)/
# Bare "Windows NT", applied only while HOSTTYPE is at most 7 characters long
# (the length of "Windows").
/(Windows NT)/ && length(HOSTTYPE)<=7
# Matches the literal text \131\000\000\001\143 (backslashes included).
# NOTE(review): presumably the scanner's textual rendering of non-printable
# reply bytes -- confirm against the code that records the banner text.
UNKNOWN && /\\131\\000\\000\\001\\143/				"Windows"

#
# 4.4 BSD, BSDI, etc.
#
CLASS 4.4 BSD
# Product name followed by a run of digits, uppercase letters, dots, spaces
# and dashes; reported as "<product> <run>". None of these rules is guarded
# by UNKNOWN.
/(FreeBSD|NetBSD|OpenBSD|BSDI|HP-BSD) ([.0-9A-Z\ \-]+)/		"$1 $2"
# "OpenBSD Post <version>": the word "Post" is dropped from the result.
/(OpenBSD) Post ([.0-9A-Z\ \-]+)/				"$1 $2"
# e.g. BSDI BSD/386 1.1
# Only the digits before the first dot are captured, so the example above
# is reported as "BSDI 1".
/(BSDI) BSD\/[0-9]+\s([0-9]+)/					"$1 $2"
# e.g. BSDI BSD/OS 2.0
/(BSDI) BSD\/OS\s([0-9.\ \-]+)/					"$1 $2"
# "<n.n> BSD" is reordered to "BSD <n.n>".
/([0-9]+\.[0-9]) (BSD)/						"$2 $1"


#
# Santa Cruz Operation
#
CLASS SCO
# Two banner spellings of an OpenServer release, both reported as
# "OpenServer <version>".
/SCO OpenServer Release ([.0-9]+)/				"OpenServer $1"
/OpenServer\(TM\) Release ([.0-9]+)/				"OpenServer $1"
# "OpenServer <version>" or "UnixWare <version>" taken as is ($1).
/(OpenServer [.0-9]+)/
/(UnixWare [.0-9]+)/
# Fallback while the host type is unknown: whole word "SCO".
UNKNOWN && /\b(SCO)\b/

#
# Apple A/UX
#
CLASS A/UX
# "A/UX", one separator character, then a dotted number. The "." after "UX"
# is unescaped, so any single character is accepted as the separator.
/A\/UX.([.0-9]+)/						"A/UX $1"
# "A/UX <dotted number>" taken as is ($1).
/(A\/UX [.0-9]+)/
# Fallback while the host type is unknown.
UNKNOWN && /(A\/UX)/

#
# Sequent slipped by us!
CLASS Sequent
# Literal "DYNIX/ptx"; $1 is the result. Not guarded by UNKNOWN.
/(DYNIX\/ptx)/
# "DYNIX(R) V<dotted number>"; the leading "V" is part of the capture.
/DYNIX\(R\) (V[.0-9]+)/						"DYNIX $1"
# Fallback while the host type is unknown.
UNKNOWN && /DYNIX/						"DYNIX"

#
# Sony NEWS-OS
CLASS SONY
# "NEWS-OS Release <dotted number>" is reported as "NEWS-OS <number>".
/NEWS-OS Release ([.0-9]+)/					"NEWS-OS $1"
# Fallback while the host type is unknown; $1 is the result.
UNKNOWN && /(NEWS-OS)/

#
# Missed'em five
#
CLASS SYSTEM V
# Every rule in this class applies only while the host type is unknown.
# "System V Release <dotted number>" is reported as "System V.<number>".
UNKNOWN && /(System V) Release ([.0-9]+)/			"$1.$2"
# "System V" with an optional attached dotted number, taken as is ($1).
UNKNOWN && /(System V[.0-9]*)/
# Same shape as the first rule, restricted to "<digits>.<digit>".
# NOTE(review): every banner this matches is already matched by the first
# rule; whether this rule can still fire depends on whether UNKNOWN is
# re-evaluated after an earlier rule sets the host type -- confirm against
# the rule compiler.
UNKNOWN && /(System V) Release ([0-9]+\.[0-9])/			"$1.$2"

#
# Not really mainstream, but...
#
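CLASS OSF
# "OSF/<dotted number>" is reported as "OSF <number>".
/OSF\/([.0-9]+)/						"OSF $1"
# "OSF" with optional digits, " V ", then a run of digits, dots, spaces and
# dashes; reported as "<product> <run>".
/(OSF[0-9]*) V ([.0-9\ \-]+)/					"$1 $2"
# "Digital UNIX Version <dotted number>".
/(Digital UNIX) Version ([.0-9]+)/				"$1 $2"
# "Tru64" followed later by a version token (a digit, then word characters
# or dots). The gap is matched non-greedily so that $2 is the first such
# token after "Tru64"; a greedy ".*" backtracks from the end of the banner
# and keeps only the tail of the last token (constructed sample: "1A" out
# of "V5.1A").
/(Tru64).*?(\d[\w\.]+)/						"$1 $2"
# Fallback while the host type is unknown.
UNKNOWN && /(Tru64)/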

#
# Some of these still need some refinement.
#
CLASS other
# Catch-all class. Most rules below carry no UNKNOWN guard; a rule with no
# hosttype field yields $1.
# Text containing "broadcast address is" is recorded as "Broadcast Address".
/broadcast address is/						"Broadcast Address"
# Vendor strings, used only while the host type is unknown. The AXIS pattern
# requires a trailing space.
UNKNOWN && /Cisco Systems/					"Cisco"
UNKNOWN && /AXIS /						"Axis"
# Any one of three HP printer strings.
/HP JetDirect/ || /HP printer/ || /HP LaserJet/			"HP printer"
# "MacOS " plus a run of digits, dots, spaces and dashes.
/(MacOS [.0-9\ \-]+)/
/(Macintosh|ConvexOS)/
# A "VersaTerm" banner is recorded as "Macintosh".
/VersaTerm/							"Macintosh"
/(Codonics|APS-TI|Cray UNICOS)/
# An "InfiniteStorage" banner is recorded as "Epoch".
/InfiniteStorage/						"Epoch"
/(PC\/TCP)/
# "NetWare" or "NEWT", optional "V"/"v", optional dotted number. $2 may be
# empty, in which case the result ends with a space.
/(NetWare|NEWT)\s*[Vv]*([.0-9]*)/				"$1 $2"
# "CMC" as a whole word.
/\b(CMC)\b/
# "Epoch" or "RTU" followed by a space; the space is not part of $1.
/(Epoch|RTU) /
/(IBM VM|IBM MVS)/
# While the host type is unknown: the text after "NMAP ", limited to letters,
# digits, spaces and the characters . - ( ) , ; is taken as the host type.
# NOTE(review): presumably fed by records holding an nmap OS guess -- confirm
# which record type supplies this text.
UNKNOWN && /NMAP ([A-Za-z0-9.\-\ \(\)\,\;]+)/

