#
# This module contains SAINT-US code from WWDSI which is regulated in
# accordance with the distribution file LICENSE.WWDSI. 
#
# Rules that deduce new facts from existing data. Each rule is executed once
# for each 'a' SAINT record. The rule format is:
#
#	condition TABs fact
#
# The condition is a PERL expression that has full access to the global
# $target..$text variables, to functions, and to everything that has been
# found so far. The fact is a SAINT record.
#
# Empty lines and text after a "#" character are ignored. Long lines may
# be broken with backslash-newline.
#
#
# version 1, Sun Mar 19 10:32:57 1995, last mod by zen
#

# The green guys
#
# Service-identification rules.  Each one records, with status 'a' and a
# 'g' in the fourth field, that $target offers the named service on
# $service.  The first rule turns raw HTTP output (an HTML title/head or an
# "HTTP" banner) into an "offers http" record with an empty fourth field;
# the two rules after it then re-classify that record depending on whether
# $service is the standard http port.
# NOTE(review): the "offer http (port ...)" wording (no trailing 's') differs
# from every other rule; presumably deliberate so that the derived record
# does not match /offers http/ a second time -- confirm before changing it.
/<TITLE>/ || /<HEAD>/ || /HTTP/	$target|$service|a|||||offers http
/offers http/i && $service ne "http" && $service ne "https" && $service ne "wn-http" \
	$target|$service|a|g||||offer http (port $service)
/offers http/i && $service eq "http"	$target|$service|a|g||||offers http

# NOTE(review): /(?!TITLE)/ is a negative lookahead with nothing after it,
# so it matches every string; the condition below is effectively just
# /offers https/.  If "and the text does not contain TITLE" was meant, that
# is written !/TITLE/ -- confirm the intent before changing it.
/offers https/ && /(?!TITLE)/	$target|$service|a|g||||offers secure http
/offers gopher/			$target|$service|a|g||||offers gopher
# Rules whose fact is $text pass the probe's own record text through
# unchanged instead of a fixed label.
/offers telnet/ && /assword/	$target|$service|a|g||||$text
/offers ftp/ && /FTP/		$target|$service|a|g||||offers ftp
/runs NFS/			$target|$service|a|g||||runs NFS
/offers pop/			$target|$service|a|g||||offers pop
/offers imap/			$target|$service|a|g||||offers imap
/offers finger/			$target|$service|a|g||||offers finger
/offers smtp/			$target|$service|a|g||||offers smtp
# Services found on a port other than their usual one: the telnet rule keeps
# the captured port number in the fact text, the ftp rule fires on an FTP
# banner seen on a $service that is not "ftp".
/telnet on port (\d+)/		$target|$service|a|g||||Telnet on port $1
/220.*ftp server/i && $service ne "ftp"	$target|$service|a|g||||FTP (non-standard port)
/offers snmp/			$target|$service|a|g||||offers snmp
/offers nntp/			$target|$service|a|g||||offers nntp
/offers ssh/			$target|$service|a|g||||offers ssh
/offers X/			$target|$service|a|g||||$text
/offers xdmcp/			$target|$service|a|g||||offers xdmcp
/NIS server/			$target|$service|a|g||||NIS server
#
# Assume rexd is insecure without even trying
#
# NOTE(review): /(?!world)/ is a negative lookahead with nothing following
# it and therefore always matches, so this fires on every "runs rexd"
# record -- which agrees with the comment above.  If records mentioning
# "world" were meant to be excluded, the test would be !/world/.
/runs rexd/ && /(?!world)/	$target|assert|a|us|ANY@$target|ANY@ANY|REXD access|rexd is vulnerable

# SENDMAIL SECTION ;-)
#
# assume berkeley versions of sendmail < 8.8.5 are hosed:
# handled in sendmail.saint
 
# other sendmail versions
#
# These rules key on the version string in the banner.  The fact names the
# service "assert", carries a two-letter code ('bo' or 'rs') in the fourth
# field, repeats ANY@$target in the next two fields, and ends with the
# service-output label and the human-readable finding.

# HP
/HP Sendmail \(1\.37\.109\.11/ \
		$target|assert|a|bo|ANY@$target|ANY@$target|Sendmail vulnerabilities|Sendmail version buffer overflow

#
# Generic (or derived from) BSD; should have something >= 5.60
# NOTE(review): the capture group can only ever match the literal "5.60",
# so "$1 <= 5.60" is always true and the rule fires for exactly that
# version; a range check would need a wider capture such as (5\.\d+) --
# confirm which was intended.  The DYNIX rule below has the same shape.
/[Ss]endmail (5\.60)/ && $1 <= 5.60 \
		$target|assert|a|rs|ANY@$target|ANY@$target|Sendmail vulnerabilities|Sendmail pre 5.61

#
# Sequent/DYNIX; if <= 5.65, broken...
/[Ss]endmail (5\.65)/ && $1 <= 5.65 && /DYNIX/ \
		$target|assert|a|rs|ANY@$target|ANY@$target|Sendmail vulnerabilities|DYNIX Sendmail, pre 5.65

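# POP2 servers
#
# Any banner containing both "OK" and "POP" is flagged as possibly
# overflow-prone.  The fifth and sixth fields spell the host as ANY@$target,
# as every other rule in this file does; the earlier "ANY@target" had no
# sigil, so the target name could not be interpolated into the fact.
/OK/ && /POP/		$target|pop|a|zwoi|ANY@$target|ANY@$target|pop version|pop version may be vulnerable to buffer overflow
# POP server without MD5 authentication: the password crosses the network
# in the clear.  !/MD5/ is the negated match; the earlier /(?!MD5)/ form was
# an empty lookahead that matched every banner, MD5 or not.
/POP/ && !/MD5/	$target|pop|a|zwoi|ANY@$target|ANY@$target|POP server|pop receives password in clear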
#
# OTHER PROBLEMS
#
# 220 wuarchive.wustl.edu FTP server (Version wu-2.4(1) Mon 
# wu-ftpd 2.x with a minor version below 4.  Only the 2.x series is
# examined (the "2" is fixed in the pattern, the capture is the minor
# number); note the '.' after the 2 is unescaped and matches any character.
/ftp.*\(version wu-2.([0-9]+)/i && $1 < 4 \
		$target|ftp|a|rs|ANY@$target|ANY@$target|FTP vulnerabilities|WUFtp pre 2.4
#
# Hacker program bnc (irc proxy)
#
# A "NOTICE" line asking the client to "quote PASS" is taken as the bnc
# proxy's greeting; the fact is filed under the "hacker" service.
/NOTICE/ && /quote PASS/	$target|hacker|a|ht|ANY@$target|ANY@$target|hacker program found|System may be compromised.

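# Disabled rule.  The condition line is commented out, so its backslash
# continuation line must be commented out too; left bare, the fact line
# could be read by the rule loader as a malformed rule of its own.
# /offers printer/ \
#		$target|printer|a|zwoi|ANY@$target|ANY@$target|lpd over the internet|Is your lpd secure ?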


# a modem on a port?  Surely you jest...
# The doubled backslashes match a literal backslash in the record text, so
# this looks for the escaped sequences "AT\n" / "AT\r" ... "OK\n" / "OK\r"
# rather than real line breaks -- presumably the probe stores newlines in
# escaped form; confirm against the probe output.
/AT\\[nr].*OK\\[nr]/	$target|assert|a|rs|ANY@$target|ANY@$target|unrestricted modem|Unrestricted modem on the Internet

# Looking for unique Windows signature in netbios-ssn
# As with the modem rule, each "\\" matches a literal backslash, so the
# pattern is the escaped octal text "\131\000\000\001\143" as it appears in
# the record, not the raw bytes themselves.
/\\131\\000\\000\\001\\143/	$target|DOS|a|zcio|ANY@$target|ANY@$target|Windows detected|Is your Windows patched for DoS?

# Look for chargen (udp) as possible fraggle host (Denial of Service)
# Fires on a "chargen:UDP" service record; filed under the "DOS" service.
/chargen:UDP/		$target|DOS|a|zcio|ANY@$target|ANY@$target|Possible DoS (fraggle) problem|Is your host a DoS threat?

# Look for new tooltalk vulnerability
# Any "runs tooltalk" record is flagged; no version is checked here.
/runs tooltalk/		$target|ttdbserverd|a|bo|ANY@$target|ANY@$target|tooltalk version|tooltalk version may be vulnerable to buffer overflow

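# Look for Back Orifice and NetBus
#
# Both facts are filed under the "backdoor" service.  The fifth field is
# spelled ANY@$target in upper case, as in every other rule in this file;
# the earlier "Any@$target" on the Back Orifice line differed only in case
# from the rest of the file.
/NetBus/		$target|backdoor|a|ht|ANY@$target|ANY@$target|backdoor found|Possible Windows NetBus detected
/offers 31337:UDP/	$target|backdoor|a|ht|ANY@$target|ANY@$target|backdoor found|Possible Windows Back Orifice detected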
