# Wait for at least 5 seconds for data. Otherwise an Nmap default is used.
totalwaitms 5000
match acap m|^\* ACAP \(IMPLEMENTATION \"CommuniGate Pro ACAP (\d[-.\w]+)\"\) | v/CommuniGate Pro ACAP server//for mail client preference sharing/
match aim m|^\*\x01..\0\x04\0\0\0\x01$|s v/Pyboticide AIM chat filter///
# AMANDA index server 2.4.2p2 on Linux 2.4
match amanda m|^220 [-.\w]+ AMANDA index server \((\d[-.\w ]+)\) ready\.\r\n| v/Amanda backup system index server/$1//
# arkstats (part of arkeia-light 5.1.12 Backup server) on Linux 2.4.20
match arkstats m|^\0`\0\x03\0\0\0\x1810\x000\x000\x00852224\0\0\0\0\0\0\0\0\0\0\0| v/Arkeia arkstats///
match backdoorjeam m|^220 jeem\.mail\.pv ESMTP\r\n| v/Jeem backdoor//**BACKDOOR**/
# Bittorrent Client 3.2.1b on Linux 2.4.X
match bittorent m|^\x13BitTorrent protocol\0\0\0\0\0\0\0\0| v/Bittorrent P2P client///
# BMC Software Patrol Agent 3.45
match bmc-softwarepatrol m|^\0\0\0\x17i\x02\x03..\0\x05\x02\0\x04\x02\x04\x03..\0\x03\x04\0\0\0\0\x01\x01\0| v/BMC Software Patrol Agent///
match chargen m|^!"#\$%\&'\(\)\*\+,-\./0123456789:;<=>\?\@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\\\]\^_`abcdefgh\r\n"#\$%\&'\(\)\*\+,-\./0123456789:;<=>\?\@ABCDEF| v/Linux chargen///
# Redhat 7.2, xinetd 2.3.7 chargen
match chargen m|^\*\+,-\./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\\\]\^_`abcdefghijklmnopq\r\n\+,-\./| v/xinetd chargen///
# Sun Solaris 9; Windows
match chargen m|^\ !"#\$%&'\(\)\*\+,-\./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\\\]\^_|
# Mandrake Linux 9.2, xinetd 2.3.11 chargen
match chargen m|NOPQRSTUVWXYZ\[\\\]\^_`abcdefghijklm|
# Citrix, Metaframe XP on Windows
match citrix-ica m|^\x7f\x7fICA\0\x7f\x7fICA\0| v/Citrix Metaframe XP ICA///
match concertosendlog m|^Concerto Software\r\n\r\nEnsemblePro SendLog Server - Version (\d[-.\w]+)\r\n\r\nEnter Telnet Password\r\n#> | v/Concerto Software EnsemblePro CRM software SendLog Server/$1//
match concertotimesync m|^Concerto Software\r\n\r\nContactPro TimeSync Server - Version (\d[-.\w]+)\r\n\r\nEnter Telnet Password\r\n#> | v/Concerto Software EnsemblePro CRM software TimeSync Server/$1//
match cvspserver m|^no repository configured in /| v/CVS pserver//broken/
match cvspserver m|^/usr/sbin/cvs-pserver: line \d+: .*cvs: No such file or directory\n| v/CVS pserver//broken/
match cvsup m|^OK \d+ \d+ ([-.\w]+) CVSup server ready\n| v/CVSup/$1//
match damewaremr m|^0\x11\0\0\0..\0......\r@\0\0\0\0\0\0\0\0\x01\0\0\0\x01\0\0\0\0\0\0\0.\0\0\0$|s v/DameWare Mini Remote Control//Windows/
# Linux
match daytime m|^[0-3]\d [A-Z][A-Z][A-Z] 20\d\d \d\d:\d\d:\d\d \S+\r\n|
# OpenBSD 3.2
match daytime m|^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} +\d\d:\d\d:\d\d 20\d\d\r\n|
# Solaris 8,9
match daytime m|^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} +\d\d:\d\d:\d\d 20\d\d\n\r| v/Sun Solaris daytime///
# Windows daytime
match daytime m|^\d+:\d\d:\d\d [AP]M \d+/\d+/200\d\n$| v/Microsoft Windows USA daytime///
# Windows daytime - UK english I think (no AM/PM)
match daytime m|^\d{1,2}:\d{1,2}:\d{1,2} \d{1,2}/\d{1,2}/200\d\n$| v/Microsoft Windows daytime///
# Windows International daytime
match daytime m|^\d\d:\d\d:\d\d \d\d.\d\d.200\d\n$| v/Microsoft Windows International daytime///
# New Zealand format daytime - Windows 2000
match daytime m|^[01]\d:\d\d:\d\d [AP]M [0-3]\d/[01]\d/0\d\n$| v/Microsoft Windows daytime//New Zealand style/
# HP-UX B.11.00 A inetd daytime
match daytime m|^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d [A-Z]+ 200\d\r\n$| v/HP-UX daytime///
match finger m|\r\n {4}Line {5,8}User {6,8}Host\(s\) {13,18}Idle +Location\r\n| v/Cisco fingerd///
match ftp m|^220 [-/.+\w]+ FTP server \(SecureTransport (\d[-.\w]+)\) ready\.\r\n| v/Tumbleweed SecureTransport ftpd/$1//
match ftp m|^220 3Com 3CDaemon FTP Server Version (\d[-.\w]+)\r\n| v/3Com 3CDaemon ftpd/$1//
# GuildFTP 0.999.9 on Windows
match ftp m|^220-GuildFTPd FTP Server \(c\) 1997-2002\r\n220-Version (\d[-.\w]+)\r\n220 Please enter your name:\r\n| v/Guild ftpd/$1/Windows/
# Medusa Async V1.21 [experimental] on Linux 2.4
match ftp m|^220 [-/.+\w]+ FTP server \(Medusa Async V(\d[^\)]+)\) ready\.\r\n| v/Medusa Async ftpd/$1//
match ftp m|^220 [-/.+\w]+\((\d[-.\w]+)\) FTP server \(EPSON ([^\)]+)\) ready\.\r\n| v/Epson printer ftpd/$1/Epson $2/
match ftp m|^220 [-/.+\w]+ IBM TCP/IP for OS/2 - FTP Server ver \d+:\d+:\d+ on [A-Z]| v|IBM OS/2 ftpd|||
match ftp m|^220 [-/.+\w]+ Lexmark ([-/.+\w]+) FTP Server (\d[-.\w]+) ready\.\r\n| v/Lexmark printerftpd/$2/Lexmark $1/
match ftp m|^220 Internet Rex (\d[-.\w ]+) \(([-/.+\w]+)\) FTP server awaiting your command\.\r\n| v/Internet Rex ftpd/$1/$2/
match ftp m|^220 [-.+\w]+ FTP server \(Version (\d[-.\w]+)\(([^\)]+)\) [A-Z][a-z][a-z] [A-Z].*200\d\) ready\.\r\n| v/HP-UX ftpd/$1/$2/
match ftp m|^530 Connection refused, unknown IP address\.\r\n$| v/Microsoft IIS ftpd//IP address rejected/
match ftp m|^220 PizzaSwitch FTP server ready\r\n| v/Xylan PizzaSwitch ftpd///
match ftp m|^220 [-.+\w]+ IronPort FTP server \(V(\d[-.\w]+)\) ready\.\r\n| v/IronPort mail appliance ftpd///
match ftp m|^220 WFTPD (\d[-.\w]+) service \(by Texas Imperial Software\) ready for new user\r\n| v/Texas Imperial Software WFTPD/$1//
match ftp m|^220 [-.+\w]+ FTP server \(Version (MICRO-[-.\w:#+ ]+)\) ready\.\r\n| v/Bay Networks MicroAnnex terminal server ftpd/$1//
match ftp m|^220 [-.+\w]+ FTP server \(Digital UNIX Version (\d[-.\w]+)\) ready\.\r\n| v/Digital UNIX ftpd/$1//
match ftp m|^220 [-.+\w]+ FTP server \(Version [\d.]+\+Heimdal (\d[-+.\w ]+)\) ready\.\r\n| v/Heimdal Kerberized ftpd/$1//
match ftp m|^500 OOPS: (could not bind listening IPv4 socket)\r\n$| v/vsftpd//broken: $1/
match ftp m|^500 00PS: vsftpd: (.*)\r\n| v/vsftpd//broken: $1/
match ftp m|^220-QTCP at [-.\w]+\r\n220| v|IBM OS/400 FTPd|||
match ftp m|^220-FileZilla Server version (\d[-.\w ]+)\r\n| v/FileZilla ftpd/$1//
# Netgear RP114 switch with integrated ftp server
# Netgear RP114
match ftp m|^220 ([-\w]+)? FTP version 1\.0 ready at | v/Netgear broadband router ftpd/1.0//
match ftp m|^220 [-.\w]+ FTP server \(GNU inetutils (\d[-.\w ]+)\) ready\.\r\n| v/GNU Inetutils FTPd/$1//
match ftp m|^220 .* \(glftpd (\d[-.0-9a-zA-Z]+)_(\w+)(\+TLS)?\) ready\.\r\n| v/glFtpD/$1/platform: $2/
match ftp m|^220 [-.\w]+ FTP server \(FirstClass v(\d[-.\w]+)\) ready\.\r\n| v/FirstClass FTP server/$1//
match ftp m|^220 [-.\w]+ FTP server \(Compaq Tru64 UNIX Version (\d[-.\w]+)\) ready\.\r\n| v/Compaq Tru64 ftp server/$1//
match ftp m|^220 AXIS ([-.\w]+) FTP Network Print Server V(\d[-.\w]+) [A-Z][a-z]| v/Axis network print server ftpd/$2/Model $1/
match ftp m|^220-Cerberus FTP Server Personal Edition\r\n220-UNREGISTERED\r\n| v/Cerberus FTP Server//Personal Edition; Unregistered/
match ftp m|^220-GuildFTPd FTP Server \(c\) 2001\r\n220-Version (\d[-.\w]+)\r\n220 Please enter your name:\r\n| v/GuildFTPd/$1//
match ftp m|^220 FTP print service:V-(\d[-.\w]+)/Use the network password for the ID if updating\.\r\n| v/Brother printer ftpd/$1//
match ftp m|^220- APC FTP server ready\.\r\n220 \r\n$| v|APC ftp server||UPS/Power device|
match ftp m|^220 [-\w]+ FTP server \(Version (\d.[.\d]+) ([A-Z][a-z]{2} [A-Z][a-z]{2} [0-9]+ [0-9:]+ .* [21][0-9]+)\) ready\.\r\n| v/HP-UX 10.x ftpd/$1//
match ftp m|^220 [-\w]+ FTP server \(Version (\d[-.\w]+) [A-Z][a-z]{2} [A-Z][a-z]{2} .*\) ready\.\r\n| v/AIX ftpd/$1//
match ftp m|^220[- ]Roxen FTP server running on Roxen (\d[-.\w]+)/Pike (\d[-.\w]+)\r\n| v/Roxen ftp server/$1/Pike $2/
# Debian packaged oftpd 0.3.6-51 on Linux 2.6.0-test4 Debian
match ftp m|^220 Service ready for new user\.\r\n| v/oftpd///
# ProFTPd 1.2.5
match ftp m|^220 Server \(ProFTPD\) \[[-.\w]+\]\r\n| v/ProFTPd///
# Mac OS X Client 10.2.6 built-in ftpd
match ftp m|^220[ -].*FTP server \(lukemftpd (\d[-. \w]+)\) ready\.\r\n|s v/LukemFTPD/$1/Mac OS X uses lukemftpd derivative/
match ftp m/^220.*Microsoft FTP Service \(Version (\d[^)]+)/ v/Microsoft ftpd/$1//
# This lame version doesn't give a version number
# Windows 2003
match ftp m/^220[ -]Microsoft FTP Service\r\n/ v/Microsoft ftpd///
match ftp m/^220 Serv-U FTP Server v(\d\S+) for WinSock ready/ v/Serv-U ftpd/$1//
match ftp m/^220 Serv-U FTP-Server v(\d\S+) for WinSock ready/ v/Serv-U ftpd/$1//
match ftp m/^220-Sambar FTP Server Version (\d\S+)\x0d\x0a/ v/Sambar ftpd/$1//
# Sambar server V5.3 on Windows NT
match ftp m|^220-FTP Server ready\r\n220-Use USER user@host for native FTP proxy\r\n220 Your FTP Session will expire after 300 seconds of inactivity\.\r\n| v/Sambar ftpd///
match ftp m/^220 JD FTP Server Ready/ v/HP JetDirect ftpd///
match ftp m/^220.*Check Point FireWall-1 Secure FTP server running on/s v/Check Point Firewall-1 ftpd///
match ftp m/^220[- ].*FTP server \(Version (wu-[-.\w]+)/s v/WU-FTPD/$1//
match ftp m|^220-\r\n220 [-.\w]+ FTP server \(Version ([-.+\w()]+)\) ready\.\r\n$| v/WU-FTPD/$1//
match ftp m|^220 [-.\w]+ FTP server \(Version ([-.+\w()]+)\) ready\.\r\n$| v/WU-FTPD/$1//
match ftp m/^220 ProFTPD (\d\S+) Server/ v/ProFTPD/$1//
match ftp m/^220.*ProFTP[dD].*Server ready/ v/ProFTPD///
match ftp m/^220.*NcFTPd Server / v/NcFTPd///
match ftp m/^220.*FTP server \(SunOS 5\.([789])\) ready/ v/Sun Solaris $1 ftpd///
match ftp m/^220.*FTP server \(SunOS (\S+)\) ready/ v/Sun SunOS ftpd/$1//
match ftp m/^220-[-.\w]+ IBM FTP.*(V\d+R\d+)/ v|IBM OS/390 ftpd|$1||
match ftp m/^220 VxWorks \((\d[^)]+)\) FTP server ready/ v/VxWorks ftpd/$1//
match ftp m/^220 VxWorks \(VxWorks(\d[^)]+)\) FTP server ready/ v/VxWorks ftpd/$1//
match ftp m/^220.*Welcome to .*Pure-?FTPd (\d\S+\s*)/ v/PureFTPd/$1//
match ftp m/^220.*Welcome to .*Pure-?FTPd[^(]+\r\n/ v/PureFTPd///
match ftp m/^220.*Bienvenue sur .*Pure-?FTPd (\d[-.\w]+)/ v/PureFTPd/$1//
match ftp m/^220 \(vsFTPd ([-.\w]+)\)\r\n$/ v/vsFTPd/$1//
match ftp m/^220 TYPSoft FTP Server (\d\S+) ready\.\.\.\r\n/ v/TYPSoft ftpd/$1//
match ftp m/^220-MegaBit Gear (\S+).*FTP server ready/ v/MegaBit Gear ftpd/$1//
match ftp m/^220.*WS_FTP Server (\d\S+)/ v/WS FTPd/$1//
match ftp m/^220 Features: a p \.\r\n$/ v/Publicfile ftpd///
match ftp m/^220 [-.\w]+ FTP server \(Version (\S+) VFTPD, based on Version (\S+)\) ready\.\r\n$/ v/Virtual FTPD/$1/based on $2/
match ftp m|220 [-.\w]+ FTP server \(Version (\S+)/OpenBSD, linux port (\S+)\) ready\.\r\n| v/OpenBSD ftpd/$1/Linux port $2/
match ftp m|^220 [-.\w]+ FTP server \(Version (\S+)/OpenBSD/Linux-ftpd-([-.\w]+)\) ready.\r\n$| v/OpenBSD ftpd/$1/Linux port $2/
match ftp m/^220 Interscan Version ([-\w.]+)/i v/Interscan Viruswall ftpd/$1//
match ftp m|^220 InterScan FTP VirusWall NT (\d[-.\w]+) \(([-.\w]+) Mode\), Virus scan (\w+)\r\n$| v/Interscan VirusWall NT/$1/Virus scan $3; $2 mode/
match ftp m|^220 [-.\w]+ FTP server \(Version ([-.\w]+)/OpenBSD\) ready\.\r\n$| v/OpenBSD ftpd/$1//
match ftp m|^220-Welcome to [A-Z]+ FTP Service\.\r\n220 All unauthorized access is logged\.\r\n$| v/FileZilla ftpd///
match ftp m|^220 [-.\w]+ FTP server \(Version (6.0\w+)\) ready.\r\n| v/FreeBSD ftpd/$1//
# OpenBSD 3.4 beta running Pure-FTPd 1.0.16 with SSL/TLS
match ftp m|^220---------- Welcome to Pure-FTPd \[privsep\] \[TLS\] ----------\r\n220-You are user number| v|Pure-FTPd||with SSL/TLS|
match ftp m|^220---------- .* Pure-FTPd ----------\r\n220-| v/Pure-FTPd///
# Trolltech Troll-FTPD 1.28 (Only runs on Linux)
match ftp m|^220-Setting memory limit to 1024\+1024kbytes\r\n220-Local time is now \d+:\d+ and the load is [.\d]+\.\r\n220 You will be disconnected after \d+ seconds of inactivity.\r\n$| v/Trolltech Troll-FTPd//on Linux/
match ftp m|^220 FTP server \(Hummingbird Ltd\. \(HCLFTPD\) Version (7.1.0.0)\) ready\.\r\n$| v/Hummingbird FTP server/$1//
# Netware 6 - NWFTPD.NLM FTP Server Version 5.01w
match ftp m|^220 Service Ready for new User\r\n$| v/Netware NWFTPD///
match ftp m|^220 ([-\w]+) FTP server \(NetWare (v[\d.]+)\) ready\.\r\n$| v/Novell Netware ftpd/$2//
match ftp m|220 FTP Server for NW 3.1x, 4.xx \((v1.10)\), \(c\) 199[0-9] HellSoft\.\r\n$| v/HellSoft FTP server for Netware 3.1x, 4.x/$1//
match ftp m|^220 [-.\w]+ MultiNet FTP Server Process V(\S+) at .+\r\n$| v/DEC OpenVMS MultiNet FTPd/$1//
match ftp m|^220-\r\n220 [-.\w]+ FTP server \(NetBSD-ftpd ([-.\w]+)\) ready.\r\n$| v/NetBSD ftpd/$1//
match ftp m|^220 ([-.\w]+) Network Management Card AOS v([-.\w]+) FTP server ready.\r\n$| v/APC AOS ftpd/$2/on APC $1 network management card/
# G-Net BB0060 ADSL Modem - the ftpd might be by "GlobespanVirata" as that
# is what the telnetd on this device said.
match ftp m|^220 FTP Server \(Version 1.0\) ready.\r\n$| v/G-Net DSL Modem ftpd/1.0//
# HP-UX B.11.00
match ftp m|^220 [-.\w ]+ FTP server \(Version (1.1.2[.\d]+) [A-Z][a-z]{2} [A-Z][a-z]{2} .*\) ready.\r\n| v/HP-UX ftpd/$1//
# 220 mirrors.midco.net FTP server ready.
match ftp m|^220-.*\r\n WarFTPd (\d[-.\w]+) \([\w ]+\) Ready\r\n|s v/WarFTPd/$1//
match ftp m|^220 Welcome to Windows FTP Server| v|Windows Ftp Server||Not from Microsoft - http://srv.nease.net/|
match ftp-proxy m|^220 Ftp service of Jana-Server ready\r\n| v/JanaServer ftp proxy///
match ftp-proxy m|^220 Secure Gateway FTP server ready\.\r\n| v/Symantec Enterprise Firewall FTP proxy///
match ftp-proxy m/^220-Sidewinder ftp proxy\. You must login to the proxy first/ v/Sidewinder FTP proxy///
match ftp-proxy m/^220-\r\x0a220-Sidewinder ftp proxy/s v/Sidewinder FTP proxy///
# TODO kerio?
#match ftp m|^421 Service not available \(The FTP server is not responding\.\)\n$| v/unknown FTP server//service not responding/
softmatch ftp m/^220 [-.\w ]+ftp.*\r\n$/i
softmatch ftp m/^220-[-.\w ]+ftp.*\r\n220/i
softmatch ftp m/^220[- ].*ftp server.*\r\n/i
match fw1-rlogin m|^\0Check Point FireWall-1 authenticated RLogin server running on [-.\w]+\r\n\r| v/Check Point FireWall-1 authenticated RLogin server///
match gnats m|^200 [-.\w]+ GNATS server (\d[-.\w]+) ready\.\r\n| v/GNATS bugtracking system/$1//
match http m|^HTTP/1.0 500\r\nContent-type: text/plain\r\n\r\nNo Scan Capable Devices Found\r\n| v/HP Embedded Web Server remote scan service//no scanner found/
# SMC Barricade 7004ABR
match http m|^HTTP/1\.0 301 Moved\r\nLocation: http://\d+\.\d+\.\d+\.\d+:88\r\n| v/SMB Barricade broadband router//simply redirects to real web admin port 88/
match hp-gsg m|^220 JetDirect GGW server \(version (\d[.\d]+)\) ready\r\n| v/HP JetDirect Generic Scan Gateway/$1//
match hylafax m|^220 [-.\w]+ server \(HylaFAX \(tm\) Version (\d[-.\w]+)\) ready\.\r\n$| v/HylaFAX/$1//
# Hylafax 4.1.6 on Linux 2.4
match hylafax m|^130 Warning, client address \"[\d.]+\" is not listed for host name \"[-.\w]+\"\.\r\n| v/HylaFAX//IP unauthorized/
match ichat m|^\r\n Welcome To\r\n ichat ROOMS (\d[-.\w]+)\r\n==| v|^iChat Rooms|$1||
match ident m|^flock\(\) on closed filehandle .*midentd| v/midentd//broken/
match ident m|^nullidentd -- version (\d[-.\w]+)\nCopyright | v/Nullidentd/$1/broken/
match imap m|^\* OK [-/.+\w]+ Solstice \(tm\) Internet Mail Server \(tm\) (\d[-.\w]+) IMAP4 service - at | v/Sun Solstice Internet Mail Server imapd/$1//
match imap m|^\* OK GroupWise IMAP4rev1 Server Ready\r\n| v/Novell GroupWise imapd///
match imap m|^\* OK dbmail imap \(protocol version 4r1\) server (\d[-.\w]+) ready to run\r\n| v/DBMail imapd/$1/imapd version may differ from overal dbmail version number/
match imap m|^\* OK [-.+\w]+ NetMail IMAP4 Agent server ready | v/Novell NetMail imapd///
match imap m|^\* OK IMAP4 Server \(IMail (\d[-.\w]+)\)\r\n| v/IMail imapd/$1//
match imap m|^\* OK Merak (\d[-.\w]+) IMAP4rev1 | v/Merak Mail Server imapd/$1/Windows/
match imap m|^\* OK [-.+\w]+ IMAP4rev1 Mercury/32 v(\d[-.\w]+) server ready\.\r\n| v|Mercury/32 imapd|$1|Win32|
match imap m|^\* OK [-.\w]+ IMAP4 service \(Netscape Messaging Server (\d[-.\w ]+) \(built ([\w ]+)\)\)\r\n| v/Netscape Messaging Server Imapd/$1/built $2/
match imap m|^\* OK \[CAPABILITY .*\] [-.\w]+ IMAP4rev1 (20[\w.]+) at | v/UW imapd/$1//
match imap m|^\* OK eXtremail V(\d[-.\w]+) release (\d+) IMAP4 server started\r\n| v/eXtremail IMAP server/$1.$2//
match imap m|^\* OK [-.\w]+ NetMail IMAP4 Agent server ready <.*>\r\n| v/Novell Netmail imapd///
# Alt-N MDaemon 6.5.1 imap server on Windows XP
match imap m|^\* OK [-.\w]+ IMAP4rev1 MDaemon (\d[-.\w]+) ready\r\n| v/Alt-N MDaemon imapd/$1//
# Dovecot IMAP Server - http://dovecot.procontrol.fi/
match imap m|^\* OK dovecot ready\.\r\n| v/Dovecot imapd///
# courier-0.36.1
match imap m|^\* OK Courier-IMAP ready\. Copyright 1998-2001 Double Precision, Inc\. See COPYING for distribution information\.\r\n| v/Courier Imap/0.36 - 1.4//
# Courier-Imap 1.4.3-2.3
match imap m|^\* OK Courier-IMAP ready\. Copyright 1998-2002 Double Precision, Inc\. See COPYING for distribution information\.\r\n| v/Courier Imap/1.4 - 2.3//
# Courier Imap 1.7.0 on Linux
# Courier IMAP server 1.6.2 on Linux
match imap m|\* OK Courier-IMAP ready\. Copyright 1998-2003 Double Precision, Inc\. See COPYING for distribution information\.\r\n| v/Courier Imap/1.6.X - 1.7.X//
# Courier IMAP courier-imapd-0.42.0-1.7.3
# Courier IMAP 1.7.2
match imap m|^\* OK \[CAPABILITY IMAP4rev1 .*Courier-IMAP ready\. Copyright 1998-2003 Double Precision, Inc\. See COPYING for distribution information\.\r\n| v/Courier IMAP4rev1/1.7.X//
# courier-imap 2.0.0.20030809
match imap m|^\* OK \[CAPABILITY IMAP4rev1\].*Courier-IMAP ready\. Copyright 1998-2003 Double Precision, Inc\. See COPYING for distribution information\.\r\n| v/Courier IMAP4rev1/2.0.X//
# Courier IMAP 1.7.2
match imap m|\* OK \[CAPABILITY IMAP4rev1 CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA\] Courier-IMAP ready. Copyright 1998-2003 Double Precision, Inc. See COPYING for distribution information.\r\n$| v/Courier IMAP4rev1/1.7.2//
match imap m|^\* OK CommuniGate Pro IMAP Server ([-.\w]+) at [-.\w]+ ready\r\n$| v/CommuniGate Pro imapd/$1//
# W-Imapd-SSL v2001adebian-6
match imap m|^\* OK \[CAPABILITY IMAP4REV1 X-NETSCAPE LOGIN-REFERRALS STARTTLS AUTH=LOGIN\] \S+ IMAP4rev1 ([-.\w]+) at| v/UW-Imapd-SSL/$1//
match imap m|^\* OK Domino IMAP4 Server Release (\d[-.\w]+) +ready| v/Lotus Domino imapd/$1//
match imap m|^\* OK Microsoft Exchange IMAP4rev1 server version ([-.\w]+) | v/Microsoft Exchange IMAP4rev1 server/$1//
match imap m|^\* OK Microsoft Exchange 2000 IMAP4rev1 server version (\d[-.\w]+) \([-.\w]+\) ready\.\r\n| v/Microsoft Exchange 2000 IMAP4rev1 server/$1//
match imap m|^\* OK \[CAPABILITY IMAP4REV1 .*IMAP4rev1 (200\d\.[-.\w]+) at| v/UW Imapd/$1//
match imap m|^\* OK [-.\w]+ Cyrus IMAP4 v([-.\w]+) server ready\r\n| v/Cyrus IMAP4 server/$1//
match imap m|^\* OK Welcome to Binc IMAP v(\d[-.\w]+)| v/Binc IMAPd/$1//
match imap m|^\* OK [-.\w]+ IMAP4rev1 AppleMailServer (\d[-.\w]+) ready\r\n| v/AppleMailServer imapd/$1//
match imap m|^\* BYE Connection refused\r\n| v/Microsoft Exchange IMAP server//refused/
softmatch imap m/^\* OK [-.\w,:+ ]+imap[-.\w,:+ ]+\r\n$/i
# Cyrus IMSPD
match imsp m|^\* OK Cyrus IMSP version (\d[-.\w]+) ready\r\n$| v/Cyrus IMSPd/$1//
# ircd-hybrid 7 on Linux
match irc m|^NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\nNOTICE AUTH :\*\*\* Checking Ident\r\nNOTICE AUTH :\*\*\* Got Ident response\r\nNOTICE AUTH :\*\*\* Couldn't look up your hostname\r\n$| v/Hybrid ircd///
# Hybrid6/PTlink6.15.0 ircd on Linux
match irc m|^NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\nNOTICE AUTH :\*\*\* Found your hostname\r\n$| v/Hybrid ircd///
# ircd 2.8/hybrid-6.3.1 on Linux
match irc m|^NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\nNOTICE AUTH :\*\*\* Checking Ident\r\nNOTICE AUTH :\*\*\* No Ident response\r\nNOTICE AUTH :\*\*\* Found your hostname\r\n$| v/Hybrid ircd///
# ircd-hybrid-7.0 - apparently upset because Nmap reconnected too fast
match irc m|^ERROR :Trying to reconnect too fast\.\r\n| v/Hybrid ircd///
# Hybrid-IRCD 7.0 on Linux 2.4
match irc m|^NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\nNOTICE AUTH :\*\*\* Checking Ident\r\nNOTICE AUTH :\*\*\* Found your hostname\r\nNOTICE AUTH :\*\*\* Got Ident response\r\n| v/Hybrid ircd///
# dircproxy 1.0.3 on Linux 2.4.x
match irc-proxy m|^:dircproxy NOTICE AUTH :Looking up your hostname\.\.\.\r\n:dircproxy NOTICE AUTH :Got your hostname\.\r\n| v/dircproxy///
# Unreal IRCD Server version 3.2 beta 17
match irc m|^:[-.\w]+ NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\n| v/Unreal ircd///
# dancer-ircd 1.0.31+maint8-1
match irc m|^NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\nNOTICE AUTH :\*\*\* Checking ident\r\nNOTICE AUTH :\*\*\* No identd \(auth\) response\r\nNOTICE AUTH :\*\*\* Found your hostname\r\n$| v/Dancer ircd///
match irc m|^NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\nNOTICE AUTH :\*\*\* Found your hostname, welcome back\r\nNOTICE AUTH :\*\*\* Checking ident\r\nNOTICE AUTH :\*\*\* No identd \(auth\) response\r\n| v/Dancer ircd///
match irc m|^:[-.\w]+ NOTICE AUTH :BitlBee-IRCd initialized, please go on\r\n| v/BitlBee IRCd///
# PTlink6.15.2 on Linux 2.4
match irc m|^NOTICE AUTH :\*\*\* Hostname lookup disabled, using your numeric IP\r\nNOTICE AUTH :\*\*\* Checking Ident\r\n| v/PTlink ircd///
match irc m|^:[-.+\w]+ NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\n:[-.+\w]+ NOTICE AUTH :\*\*\* Checking Ident\n:[-.+\w]+ NOTICE AUTH :\*\*\* Found your hostname\n| v/Bahamut Dalnet ircd//derived from DreamForge and Hybrid/
match irc-proxy m|^:Welcome!psyBNC@lam3rz\.de NOTICE \* :psyBNC([-.\w]+)\r\n| v/psyBNC/$1//
match issrealsecure m|^\0\0\0.\x08\x01\x03\x01\0.\x02\0\0..\0\0.\0\0\0..\0\0\x80\x04..\0.\0\xa0|s v/ISS RealSecure IDS//for Windows/
# ISS RealSecure Server Sensor for Windows 6.5 on Windows NT 4.0 Server SP6a
# ISS RealSecure ServerSensor 7.0 on Windows 2000 Server
# ISS RealSecure Server Sensor 6.0 on Windows NT 4.0 Server SP6a
# ISS RealSecure Server Sensor 7.0 issdaemon on Microsoft Windows NT Workstation with SP6a
match issrealsecure m|^\0\0\0.\x08\x01\x04\x01\0..\0\0..\0\0.\0\0\0f.\0\0\x80\x04..\0.\0\xa0\0\0\0\0\0.\0\0\xa4\0\0|s v/ISS RealSecure IDS ServerSensor/6.0 - 7.0/for Windows/
match klogin m|^\x01klogind: (All authentication systems disabled; connection refused)\.\.\r\n| v/MIT Kerberos klogin//broken - $1/
match lmtp m|^220 [-.\w]+ LMTP Cyrus v(\d[-.\w]+) ready\r\n| v/Cyrus Imap Daemon LMTP/$1//
# LSMS VPN Firewall GUI admin port
# LSMS Redundancy port
match lucent-fwadm m|^0001;2$| v/Lucent Secure Management Server///
match meetingmaker m/^\xc1,$/ v/Meeting Maker calendaring///
match melange m|^\+\+\+Online\r\n>> Melange Chat Server \(Version (\d[-.\w]+)\), Apr-25-1999\r\n\nWelcome | v/Melange Chat Server/$1//
# lopster 1.2.0.1 on Linux 1.1
match mserv m|^200 Mserv (\d[-.\w]+) \(c\) James Ponder 2000 - Type: USER <username>\r\n\.\r\n| v/Mserv music server/$1//
softmatch napster m|^1$|
match netrek m|^<>=======================================================================<>\n Pl: Rank Name Login Host name Type\n| v/Netrek game server player information interface///
match mldonkey m|^\x06\0\0\0\0\0\x10\0\0\0-\0\0\0\x14\0\x02\0\0\0\x06\0Donkey\x01\x0c\0\./donkey\.ini\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x11\x02\0\0\x13\0\r\x02\n\n\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\n\n Welcome to MLdonkey \n| v/MLdonkey multi-network P2P GUI port///
match mldonkey m|^\xff\xfd\x1f\r\r\r\r\r\r\r\r\r\r\r\r\r\n\r\r\r\r\r\r\r\r\r\r\r\r\r\n\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\r\r\r\r\r\r\r\r\r\r\r\r\r\n\r\r\r\r\r\r\r\r\r\r\r\r\r\n Welcome to MLdonkey \r\r\r\r\r\r\r\r\r\r\r\r\r\n| v/MLdonkey multi-network P2P GUI port///
match mldonkey m|^\xff\xfd\x1fWelcome to MLdonkey\n\x1b\[34mWelcome on mldonkey command-line\x1b\[2;37;0m\n\nUse \x1b\[31m\?\x1b\[2;37;0m for help\n\n\x1b\[7mMLdonkey command-line:\x1b\[2;37;0m\n> | v/MLdonkey multi-network P2P server control port///
# Microsoft ActiveSync Version 3.7 Build 3083 (It's used for syncing
# my ipaq it disapears when you remove the ipaq.)
match msactivesync m|^\x16\0\x01\0\$\0U\0P\0T\0O\0D\0A\0T\0E\0\$\0\0\0$| v/Microsoft ActiveSync///
match mud m|^\n\r\xff\xfbUDo you want ANSI color\? \(Y/n\) $| v|ROM-based MUD||http://rrp.rom.org/|
match mysql m/^.\0\0\0\xffj\x04Host .* is not allowed to connect to this MySQL server$/ v/MySQL//unauthorized/
match mysql m|^.\0\0\0\xffi\x04Host .* is blocked because of many connection errors\.| v/MySQL//blocked - too many connection errors/
# MySQL 4.0.13
match mysql m/^.\0\0\0...Al sistema '[-.\w]+' non e` consentita la connessione a questo server MySQL$/ v/MySQL///
match mysql m/^.\0\0\0.(3\.[-.\w]+)\0.*\x08\x02\0\0\0\0\0\0\0\0\0\0\0\0\0\0$/s v/MySQL/$1//
match mysql m/^.\0\0\0\n(3\.[-.\w]+)\0...\0/s v/MySQL/$1//
match ncd-diag m|^WinCE/WBT Diagnostic port\n\rSerial Number: (\w+) MAC Address: 0000(\w+)\s+.*CPU info: ([ -.+\w/ ]+)\r\n.*(Windows CE Kernel[-.+:\w ]+)\r|s v|NCD Thinster Terminal Diagnostic port||Serial# $1; MAC: $2; CPU: $3; $4|
match netdevil m|^pass_pleaz$| v/Net-Devil backdoor//Windows **TROJAN**/
match netsaint m|^Sorry, you \(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\) are not among the allowed hosts\.\.\.\n$| v/Netsaint status daemon///
# I love this service:
match netstat m|^Active Internet connections \(servers and established\)\nProto Recv-Q Send-Q Local Address Foreign Address State \n| v/Linux Netstat///
match nntp m|^nnrpd: invalid option -- S\nUsage error\.\n| v/INN NNTPd//broken/
match nntp m|^200 [-.\w]+ NNTP Service Ready - ([-.\w]+@[-.\w]+) \(DIABLO (\d[-.\w ]+)\)\r\n| v/Diablo NNTP service/$2/Admin: $1/
match nntp m|^200 NNTP Service (\d[-.\w ]+) Version: (\d[-.\w ]+) Posting Allowed \r\n| v/Microsoft NNTP Service/$2/posting ok/
match nntp m|^200 [-.\w]+ DNEWS Version (\d[-.\w]+).*posting OK \r\n| v/Netwinsite DNEWS/$1/posting OK/
match nntp m|^200 Leafnode NNTP Daemon, version (\d[-.\w]+) running at| v/Leafnode NNTPd/$1//
match nntp m|^200 Lotus Domino NNTP Server for ([-./\w]+) \(Release (\d[-.\w]+), .*\) - Not OK to post\r\n$| v/Lotus Domino nntpd/$2/on $1; posting denied/
match nntp m|^200 Lotus Domino NNTP Server for ([-./\w]+) \(Release (\d[-.\w]+), .*\) - OK to post\r\n$| v/Lotus Domino nntpd/$2/on $1; posting ok/
match nntp m|^200 NNTP Service 5\.00\.0984 Version: (5\.0\.2159.1) Posting Allowed \r\n| v/Microsoft NNTP Service/$1/posting OK/
match nntp m|^200 NNTP Service Microsoft\xae Internet Services \d[-.\w]+ Version: (\d[-.\w]+) Posting Allowed \r\n| v/Microsoft NNTP Service/$1/posting OK/
match nntp m|^502 Connection refused\r\n| v/Microsoft NNTP Service//refused/
# Windows NT 4.0 SP5-SP6
match nntp m|^200 Microsoft Exchange Internet News Service Version (5\.5\.[.\d]+) \(posting allowed\)\r\n| v/Microsoft Exchange Internet News Service/$1/posting allowed/
#match nntp m|^200 [-.\w]+ InterNetNews NNRP server INN (\d[-.\w]+) ready \(posting ok\)\.\r\n| v/InterNetNews (INN)/$1/posting ok/
match nntp m|^200 [-.\w]+ InterNetNews NNRP server INN (\d[-.\w ]+) ready \(posting ok\)\.\r\n| v/InterNetNews (INN)/$1/posting ok/
# Windows 2000 Server Windows Media Unicast Service (NsUnicast) - Nsum.exe
match nsunicast m|^4\0\0\0V4\x12\0\0\0\0\0\0\0\0\x004\0\0\0\x04\0\xf0\0\xd3\x07\t\0.\0.\0.\0.\0.\0..\0\0\0\0.\0\0\0.\0\0\0\x02\0|s v/Microsoft Windows Media Unicast Service//nsum.exe/
match nsunicast m|^[4f]\0\0\0V4\x12\0\0\0\0\0\0\0\0\x00[4f]\0\0\0.\0\xf0\0\xd3\x07\t\0.\0.\0.\0.\0.\0..\0\0\0\0.\0\0\0..\0\0.\0|s v/Microsoft Windows Media Unicast Service//nsum.exe/
match pcanywheredata m/^\0X\x08\0\}\x08\r\n\0\.\x08.*\.\.\.\r\n/s v/PCAnywhere///
match pbmasterd m|^pbmasterd(\d[-.\w]+)@[-.+\w]+: | v/Symark Power Broker pbmasterd/$1/privilege separation software/
match pblocald m|^pblocald(\d[-.\w]+)@[-.+\w]+: | v/Symark Power Broker pblocald/$1/privilege separation software/
match pksd m|^usage: [/\w]*/etc/pksd\.conf conf_file\n$| v/PGP Public Key Server//broken/
# UW POP2 server on Linux 2.4.18
match pop2 m|^\+ POP2 [-\[\].\w]+ v(20[-.\w]+) server ready\r\n$| v/UW POP2 server/$1//
match pop3 m|^\+OK [-.+\w]+ Merak (\d[-.\w]+) POP3 | v/Merak mail server pop3d/$1//
# Mercury/32 3.32 pop3 Server module on Windows XP
match pop3 m|^\+OK <\d{6,10}\.\d{4,6}@[-.+\w]+>, POP3 server ready\.\r\n| v|Mercury/32 pop3d||Win32|
# gnu/mailutils pop3d 0.3.2 on Linux
match pop3 m|^\+OK POP3 Ready <\d{3,6}\.1[012]\d{8}@[-.\w]+>\r\n| v|GNU mailutils pop3d|||
# Solid POP3 Server 0.15 on Linux 2.4
match pop3 m|^\+OK Solid POP3 server ready <\d{3,6}\.1[012]\d{8}@[-.\w]+>\r\n| v/Solid pop3d///
# Cyrus POP3 v2.0.16
match pop3 m|^\+OK [-.\w]+ Cyrus POP3 v(\d[-.\w]+) server ready\r\n| v/Cyrus pop3d/$1//
# pop3d (GNU Mailutils 0.3) on Linux 2.4
match pop3 m|^\+OK POP3 Ready <\d{3,6}\.1[012]\d{8}@\w+>\r\n| v/GNU Mailutils pop3d///
# dovecot 0.99.10 on Linux 2.4
match pop3 m|^\+OK dovecot ready\.\r\n| v/Dovecot pop3d///
# teapop 0.3.5 on Linux 2.4
match pop3 m|^\+OK Teapop \[v(\d[-.\w ]+)\] - Teaspoon stirs around again .*\r\n| v/Teapop pop3d/$1//
# Qpopper v4.0.5 on Linux 2.4.19
match pop3 m|^\+OK ready \r\n$| v/Qpopper pop3d///
# Jana Server 1.45 on WIn98
match pop3 m|^\+OK POP3 server ready <Jana-Server>\r\n| v/Jana POP3 server//Windows/
match pop3 m|^\+OK AppleMailServer (\d[-.\w]+) POP3 server at [-.\w]+ ready <\d| v/AppleMailServer pop3d/$1//
match pop3 m|\+OK <10\d+\.\d+@[-.\w]+> \[XMail (\d[-.\w]+) \(([-./\w]+)\) POP3 Server\] service ready; | v/XMail pop3 server/$1/on $2/
# Mail-Enable pop3 server 1.704
match pop3 m|^\+OK Welcome to MailEnable POP3 Server\r\n| v/MailEnable POP3 Server///
match pop3 m|^\+OK [-.\w]+ running Eudora Internet Mail Server (\d[-.\w]+) <.*>\r\n| v/Eudora Internet Mail Server pop3d/$1//
# Qpopper 4.0.3 on Linux
# QPopper 4.0.4 FreeBSD
match pop3 m|^\+OK ready <\d{1,5}\.10\d{8}@[-.\w]+>\r\n| v/Qualcomm Qpopper pop3d///
match pop3 m|^\+OK POP3 Welcome to GNU POP3 Server Version (\d[-.\w]+) <.*>\r\n| v/GNU POP3 Server/$1//
match pop3 m|^\+OK eXtremail V(\d[-.\w]+) release (\d+) POP3 server ready <.*>\r\n| v/eXtremail pop3d/$1.$2//
match pop3 m|^\+OK POP3 Welcome to vm-pop3d (\d[-.\w]+) <.*>\r\n| v/vm-pop3d/$1/derived from gnu-pop3d/
# tpop3d v1.4.2 on Linux - http://www.ex-parrot.com/~chris/tpop3d/
match pop3 m|^\+OK <[\da-f]{32}@[-.\w]+>\r\n| v/tpop3d///
match pop3 m|^\+OK UCB based pop server \(version (\d[-.\w]+) at sionisten\) starting\.\r\n| v/Heimdal kerberized pop3/$1/UCB-pop3 derived/
# VPOP3 (Virtual POP3 server) 2.0.0d on Windows 2000
match pop3 m|^\+OK VPOP3 Server Ready <.*>\r\n| v/PSCS VPop3///
match pop3 m|^\+OK Lotus Notes POP3 server version ([-.\w]+) ready .* on ([^/]+)/([^\.]+)\.\r\n| v/Lotus Domino POP3 server/$1/CN=$2;Org=$3/
match pop3 m|^\+OK Lotus Notes POP3 server version ([-.\w]+) ready on | v/Lotus Domino POP3 server/$1//
match pop3 m|^\+OK POP3 hotwayd v(\d[-.\w]+) -> The POP3-HTTPMail Gateway\.| v/hotwayd pop3d/$1//
match pop3 m|^\+OK [-.\w]+ POP3 service \(Netscape Messaging Server (\d[^(]+) \(built ([\w ]+)\)\)\r\n| v/Netscape Messenging Server pop3/$1/built on $2/
match pop3 m/^\+OK [-.\w]+ Cyrus POP3 v(\d[-.\w]+) server ready </ v/Cyrus pop3d/$1//
match pop3 m/^\+OK X1 NT-POP3 Server [-\w.]+ \(IMail ([^)]+)\)\r\n/ v/IMail pop3d/$1//
match pop3 m/^\+OK POP3 \[cppop (\d[^]]+)\] at \[/ v/cppop pop3d/$1//
match pop3 m/^\+OK Microsoft Exchange 2000 POP3 server version (\S+).* ready\.\r\n/ v/MS Exchange 2000 pop3d/$1//
match pop3 m/^\+OK Microsoft Exchange POP3 server version (\S+) ready\r\n/ v/MS Exchange pop3d/$1//
match pop3 m/^\+OK QPOP \(version ([^)]+)\) at .*starting\./ v/Qpop pop3d/$1//
match pop3 m/^\+OK QPOP Modified by Compaq \(version ([^)]+)\) at .*starting\./ v/QPop pop3d/$1//
match pop3 m/^\+OK Qpopper .*\(version ([^)]+)\) at .*starting\./ v/Qpopper pop3d/$1//
match pop3 m/^\+OK [-.\w]+ POP3 server \(Netscape Mail Server v(\d[-.\w])\) ready/ v/Netscape Mail Server pop3d/$1//
match pop3 m/^\+OK Cubic Circle's v(\d[-.\w]+) .* POP3 ready/ v/Cubic Circle Cucipop pop3d/$1//
match pop3 m/^\+OK CCProxy (\S+) POP3 Service Ready\r\n/ v/CCProxy pop3d/$1//
match pop3 m/^\+OK ArGoSoft Mail Server Freeware, Version \S+ \(([^)]+)\)\r\n/ v/ArGoSoft freeware pop3d/$1//
match pop3 m/^\+OK [-.\w]+ Execmail POP3 \((\d[^)]+)\)/ v/Execmail pop3d/$1//
match pop3 m/^\+OK MailSite POP3 Server (\S+) Ready </ v/MailSite pop3d/$1//
# you give it username, present password and new password, and
# it changes the password of the user.
# poppassd 1.8.1
match pop3pw m|^200 ([-.\w]+ )?poppassd v(\d[-.\w]+) hello, who are you\?\r\n| v|Poppassd|$2|http://echelon.pl/pubs/poppassd.html|
match pop3pw m|^200 courierpassd v(\d[-.\w]+) hello, who are you\?\r\n| v/Courierpassd pop3 password change daemon///
match pop3pw m|^200 [-.+\w]+ MercuryW PopPass server ready\.\r\n| v|Mercury/32 poppass service||Win32|
match pop3pw m|^200 X1 NT-PWD Server [-.+\w]+ \(IMail (\d[-.\w]+)\)\r\n| v/IPSwitch Imail pop3 password change daemon/$1/Windows/
match pop3pw m|^200 CommuniGate Pro PWD Server (\d[-.\w]+) ready <| v/CommuniGate Pro pop3 password change daemon/$1//
match pop3pw m|^\+OK ApplePasswordServer (\d[-.\w]+) password server at | v/ApplePasswordServer pop3 password change daemon/$1//
match pmud m|^pmud (\d[-.\w]+) \d+\n| v|pmud||http://sf.net/projects/apmud|
match printer m|^lpd \[@[-.\w]+\]: Print-services are not available to your host \([-.\w]+\)\.\n| v/BSD lpd//Unauthorized host/
# BSD lpr/lpd line printer spooling system (lpr v1:2000.05.07) on Linux 2.6.0-test5
match printer m|[-.\w]+: lpd: Your host does not have line printer access\n| v|BSD/Linux lpd||access denied|
# Linux 2.4.18 lpr 2000.05.07-4.2
match printer m|^lpd: Host name for your address \(\d+\.\d+\.\d+\.\d+\) unknown\n$| v/Linux lpd//client IP must resolve/
match printer m|^([/\w]+/)?lpd: (.*)\n| v/lpd//error: $2/
# Windows QOTD service only has 12 services. Found on Windows XP in
# %systemroot%\system32\drivers\etc\quotes
match qotd m/^"(My spelling is Wobbly\.|Man can climb to the highest summits,|In Heaven an angel is nobody in particular\.|Assassination is the extreme form of censorship\.|When a stupid man is doing|We have no more right to consume happiness without|We want a few mad people now.|The secret of being miserable is to have leisure to|Here's the rule for bargains:|Oh the nerves, the nerves; the mysteries of this machine called man|A wonderful fact to reflect upon,|It was as true as taxes is\.)/ v/Windows qotd///
match quagga m|^\r\nHello, this is quagga \(version (\d[-.\w]+)\)\.\r\nCopyright 1996-200| v/Quagga routing software/$1/Derivative of GNU Zebra/
match razor2 m|^sn=\w&srl=\d+&ep4=[-\w]+&a=\w&a=\w+\r\n$| v/Vipul's Razor2 anti-spam service///
# Remote Console via RCONJ - RCONJ is a java utility that allows one
# to remote console into a Novell server. It uses 2034 (unsecure) or
# 2036 (secure) by default but can be changed.
match rconj m|\0\x04\0\x01\0\0\0\0'_i\?\0\x08\0\x0b\0\0\0\0WABO\x00437| v/Novell rconj///
match resvc m|^\{0000004c\} NODEINFO \(5\) \{38\}Version: (\d[-.\w ]+) Microsoft Routing Server ready\r\n | v/Microsoft Exchange routing server/$1//
# RedHat 7.3 - rsync server version 2.5.4 protocol version 26
# Redhat Linux 7.1
# rsync 2.5.5-0.1 with custom banner on Debian Woody
match rsync m|^@RSYNCD: (\d+)| v///protocol version $1/
match sdmsvc m|^[\xaa\xff]$| v/LANDesk Software Distribution//sdmsvc.exe/
# Tumbleweed SecureTransport 4.1.1 Transaction Manager Secure Port on Solaris
match securetransport m|^\x15\x03\x01\0\x02\x01\0$| v/Tumbleweed SecureTransport Transaction Manager Secure Port///
match smtp m|^220 [-.+\w]+ ESMTP MailEnable Service, Version: (\d[.\w]+)-- ready at | v/MailEnable smptd/$1//
match smtp m/^220 [-.+\w]+ ESMTP Mail Enable SMTP Service, Version: (\d[\w.]+)-- ready at/ v/MailEnable smptd/$1//
match smtp m/^220 [-.+\w]+ ESMTP CPMTA-([-.+\w]+) - NO UCE\r\n/ v/CPMTA/$1/qmail-derived/
match smtp m|^220 [-.+\w]+ SMTP/smap Ready\.\r\n| v/Smap//from firewall toolkit/
match smtp m|^220 [-.+\w]+ ESMTP service \(Netscape Messaging Server ([-.+ \w]+) \(built| v/Netscape Messaging Server/$1//
match smtp m|^220-InterScan Version (\S+) .*Ready\r\n220 [-.+\w]+ NTMail \(v([-.+\w]+)/.* ready| v/Trend Micro InterScan/$1/on NTMail $2/
match smtp m|^220 [-.\w]+ InterScan VirusWall NT ESMTP (\d[-.\w]+) \(build (\d+)\) ready at | v/Trend Micro InterScan VirusWall SMTP/$1 build $2//
match smtp m|^220 [-.+\w]+ GroupWise Internet Agent (\S+) .*Novell, Inc\..*Ready\r\n| v/Novell GroupWise/$1//
match smtp m|^220 Matrix SMTP Mail Server v([\w.]+) on <MATRIX_([\w]+)> Simple Mail Transfer Service Ready\r\n| v/Matrix SMTP Mail Server/$1/on Matrix $2/
match smtp m|^220 [-.\w]+ ESMTP Postfix| v/Postfix smtpd///
match smtp m|^220 \*{10,40}\r\n| v|Cisco PIX sanatized smtpd|||
match smtp m|^220 ArGoSoft Mail Server Pro for WinNT/2000/XP, Version [-.\w]+ \(([-.\w]+)\)\r\n| v/ArGoSoft Mail Server Pro/$1//
match smtp m|^220 [-.\w]+ ESMTP server \(Post.Office v([-.\w]+) release ([-.\w]+) ID# | v/Post.Office/$1 release $2//
match smtp m|^220 [-.\w]+ ESMTP VisNetic.MailServer.v([-.\w]+); | v/VisNetic MailServer/$1//
# CommuniGate Pro 4.0.5
match smtp m|^220 [-.\w]+ ESMTP Service. Welcome.\r\n$| v/CommuniGate Pro smtpd///
match smtp m|^220 [-.\w]+ Process Software ESMTP service V([-.\w]+) ready| v/Process Software smtpd/$1/on OpenVMS/
match smtp m|^220 [-.\w]+ Mercury (\d[-.\w]+) ESMTP server ready\.\r\n$| v/Mercury Mail smtpd/$1//
match smtp m|^220 [-.\w]+ ESMTP Service \(Lotus Domino Release (\d[-.\w]+)\) ready at | v/Lotus Domino smtpd/$1//
match smtp m|^relaylock: Error: PRODUCT_ROOT_D not defined\nrelaylock: Error: PRODUCT_ROOT_D not defined\n1\n$| v/Plesk relaylock smtp wrapper//broken/
match smtp m|^220 [-.\w]+ WebSTAR Mail Simple Mail Transfer Service Ready\r\n| v/WebSTAR SMTP server///
match smtp m|^220 [-.\w]+ Lotus SMTP MTA Service Ready\r\n$| v/Lotus Notes SMTP///
match snpp m|^220 [-.\w]+ SNPP server \(HylaFAX \(tm\) Version ([-.\w]+)\) ready.\r\n| v/HylaFAX SNPP/$1//
match snpp m|^220 QuickPage v(\d[-.\w]+) SNPP server ready at | v/QuickPage SNPP/$1//
match sourceoffice m|^200\r\nProtocol-Version:(\d[.\d]+)\r\nMessage-ID:\d+\r\nDatabase .*\r\nContent-Length:\d+\r\n\r\n(\w:\\.*ini)\r\n\r\n| v/Sourcegear SourceOffSite//Protocol $1; INI file: $2/
match ssh m|^\0\0\0\$\0\0\0\0\x01\0\0\0\x1bNo host key is configured!\n\r!\"v| v/Foundry Networks switch sshd//broken: No host key configured/
match ssh m|^SSH-(\d[\d.]+)-SSF-(\d[-.\w]+)\n| v/SSF French SSH/$2/protocol $1/
match ssh m|^SSH-(\d[\d.]+)-lshd_(\d[-.\w]+) lsh - a free ssh\r\n\0\0| v/lshd secure shell/$2/protocol $1/
match ssh m/^SSH-([.\d]+)-OpenSSH[_-]([\S ]+)/ v/OpenSSH/$2/protocol $1/
match ssh m/^SSH-([.\d]+)-Sun_SSH_(\S+)/ v/SunSSH/$2/protocol $1/
match ssh m/^SSH-([.\d]+)-meow roototkt by rebel/ v/meow SSH ROOTKIT//protocol $1/
match ssh m/^SSH-([.\d]+)-(\d+\.\d+\.[-.\w]+)/ v/SSH/$2/protocol $1/
# Akamai hosted systems tend to run this - found on www.microsoft.com
match ssh m|^SSH-(\d[.\d]*)-AKAMAI-I\n$| v/Akamai-I SSH//protocol $1/
match ssh m|^SSH-(\d[.\d]*)-Server-V\n$| v/Akamai-I SSH//protocol $1/
match ssh m|^SSH-(\d[.\d]*)-Server-VI\n$| v/Akamai-I SSH//protocol $1/
match ssh m|^SSH-(\d[.\d]+)-Cisco-(\d[.\d]+)\n$| v/Cisco SSH/$2/protocol $1/
match ssh m|^SSH-(\d[.\d]+)-SSH Protocol Compatible Server SCS (\d[-.\w]+)\n| v/NetScreen SCS sshd/$2/protocol $1/
match ssh m|^SSH-(\d[.\d]+)-VShell_(\d[._\d]+) VShell\r\n$| v/VanDyke VShell/$SUBST(2,"_",".")/protocol $1/
match ssh m/^SSH-([.\d]+)-(\d[-.\w]+) sshlib: WinSSHD (\d[-.\w]+)\r\n/ v/Bitvise WinSSHD/$3/protocol $1/
# Cisco VPN 3000 Concentrator
# Cisco VPN Concentrator 3005 - Cisco Systems, Inc./VPN 3000 Concentrator Version 4.0.1.B Jun 20 2003
match ssh m/^SSH-([.\d]+)-OpenSSH\n$/ v/OpenSSH//protocol $1/
match ssh m/^SSH-([.\d]+)-([.\d]+) Radware\n$/ v/Radware Linkproof SSH/$2/protocol $1/
match ssh m|^SSH-1\.5-X\n| v/Cisco VPN Concentrator SSHd//protocol 1.5/
softmatch ssh m/^SSH-([.\d]+)-/
# Redhat Linux 7.1 - HAHAHAHAHAHA!!!! I love this service :)
match systat m|^USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\n| v/Linux systat///
# Draytek Vigor 2600 aDSL router
match telnet m|^\xff\xfd\x18\xff\xfb\x01\n\r\n\rPassword: | v/Draytek Vigor aDSL router telnetd///
# IBM Infoprint 12 printer with JetDirect
match telnet m|^\xff\xfc\x01\r\nPlease type \[Return\] two times, to initialize telnet configuration\r\nFor HELP type \"\?\"\r\n> | v/HP JetDirect printer telnetd///
# IBM High Performace Switch - Model 8275-416, Software version 1.1, Manufacturer IBM068
match telnet m|^\x1b\[1;1H\x1b\[2J\x1b\[8;38H\x1b\[1;1H\x1b\[2;1H\(C\) Copyright IBM Corp\. 1999\x1b\[3;1HAll Rights Reserved\.| v/IBM switch telnetd///
match telnet m|^\x1b\[H\x1b\[2JYou have connected to a FirstClass System\. Please login\.\.\.\r\nUserID: | v/FirstClass messaging system telnetd///
# Cisco Catalyst management console
# 3Com 3Com SuperStack II Switch 3300
match telnet m|^\xff\xfd\x03\xff\xfb\x03\xff\xfb\x01| v|||Usually a Cisco/3com switch|
match telnet m|^\xff\xfb\x03\xff\xfb\x01\r\nSun\(tm\) Advanced Lights Out Manager (\d[-.\w]+) \(v(\d+)\)\r\n\r\nPlease login: | v/Sun Advanced Lights Out Manager/$1/on Sun v$2; for remote system control/
# Epson Stylus Color 900N telnet
match telnet m|^\xff\xfb\x01\xff\xfb\x01Connected to [-/.+\w]+!\r\n\r\nPassword: | v/Epson printer telnetd///
# This one may not technically be considered telnet protocol, but you seem to use it via telnet
match telnet m|^220 SL4NT viewer service ready\r\n250 Currently connected channels: | v/Netal SLANT viewer///
match telnet m|^\xff\xfb\x03\xff\xfb\0\xff\xfb\0\xff\xfd\0\xff.*\r\rFrontDoor (\d[-.\w]+)/|s v/FrontDoor FIDONet Mailer telnetd/$1//
match telnet m|^\xff\xfb\x01\xff\xfb\x03\r\nOK\r\n$| v/Motorola Vanguard router telnetd///
match telnet m|^Check Point FireWall-1 Client Authentication Server running on [-.\w]+\r\n\r\xff\xfb\x01\xff\xfe\x01\xff\xfb\x03User: | v/Check Point FireWall-1 Client Authenticaton Server///
# Enterasys XP-8600 running E9.0.5.0
match telnet m|^\xff\xfb\x03\xff\xfd\x01\xff\xfd\x1f\xff\xfb\x05\xff\xfd!| v/Enterasys XSR Security Router telnetd///
# Windows 2000 telnetd
match telnet m|^\xff\xfd%\xff\xfb\x01\xff\xfd\x03\xff\xfd\x1f\xff\xfd\0\xff\xfb\0$| v/Microsoft Windows 2000 telnetd///
match telnet m|^\xff\xfb\x01\xff\xfd\x03\xff\xfd\x1f\xff\xfd\0\xff\xfb\0Microsoft \(R\) Windows \(TM\) Version (\d[-.\w]+) \(Build (\d+)\)\r\nWelcome to Microsoft Telnet Service \r\nTelnet Server Build (\d[-.\w]+)\n\rlogin: | v/Microsoft Windows telnetd/$3/OS version $1 build $2/
# Windows XP telnetd
match telnet m|^\xff\xfd%\xff\xfb\x01\xff\xfb\x03\xff\xfd'\xff\xfd\x1f\xff\xfd\0\xff\xfb\0| v/Microsoft Windows XP telnetd///
# IRIX 6.5.18f telnetd
match telnet m|^\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd\$| v/IRIX telnetd/6.X//
# OS 400 V4R4M0
# OS/400 V5R1M0
match telnet m|^\xff\xfd'\xff\xfd\x18$| v/IBM OS 400 telnetd///
# JetDirect Model: J4169A Firmware: L.21.11
match telnet m|^\xff\xfb\x03\xff\xfb\x01\x07HP JetDirect\r\nPassword is not set\r\n| v/HP JetDirect printer telnetd//No password/
# HP Jetdirect telnet with password protection
match telnet m|^\xff\xfb\x03\xff\xfb\x01\x07HP JetDirect\r\n\r\nEnter username: | v/HP JetDirect printer telnetd///
# HP MPE/iX 5.5 on HP 3000 telnet service
match telnet m|^\xff\xfd\x03\xff\xfb\x01\xff\xfd!| v|HP MPE/iX telnetd|||
# Brother 1870N Printer
match telnet m|^\x1b\[2J\x1b\[1;1f\xff\xfb\x01\xff\xfb\x03\xff\xfd\x03| v/Brother printer telnetd///
# AIX 4.3.3.0
match telnet m|^\xff\xfe%\xff\xfd\x18$| v/AIX telnetd///
match telnet m/^\xff\xfd\x03\xff\xfb\x03\xff\xfb\x01\x1b\[0m\x1b\[1;1H\x1b\[2J\rD\r \n\r (DES-.*) Command Line Interface\n\r\n/ v/D-Link $1 telnetd///
match telnet m/^\xff\xfb\x01\xff\xfb\x03\xff\xfc\x1f\n\r\n\rUser Access Verification\n\r\n\r\n\r\n\r\n\rShell version (\d\S+).*Maipu Communication Technology Co\./ v/Maipu Router//shell v$1/
match telnet m/^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x03\x1b.*Intel Corporation, ([-+. \w()]+)/s v/Intel telnetd//on $1/
match telnet m|^\r\nFlowPoint/(.*) Ready\r\n.*\xff\xfb\x01\xff\xfb| v/Flowpoint telnet//on $1/
match telnet m/Welcome to Tenor Multipath Switch Telnet Server.*Type: (\S+)/s v/Tenor telnetd/$1/on Multipath Switch/
match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01\x0d\x0a\x0d\x0aCisco\x20Systems.*Console/Telnet Access of the ([-. \w]+) for Configuration Purposes|s v/Cisco $1 telnetd///
# Cisco 350 Series Wireless AP 11.05
match telnet m|^\xff\xfb\x01\n\r\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08 \x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08| v/Cisco WAP telnetd///
# Cisco 678 DSL router
match telnet m|^\r\n\r\nUser Access Verification\r\nPassword:\xff\xfb\x01$| v/Cisco DSL router telnetd///
# Cisco 2900 Catalyst switch, IOS 12.0(5)XU
# Cisco 3600 router running IOS 12.X
# Cisco 2600 IOS 12.0
match telnet m/^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f.*User Access Verification\r\n\r\n(Username|Password): $/s v/Cisco telnetd//IOS 12.X/
# Cisco Pix 501 PIX IOS 6.3(1) telnet
match telnet m/^\xff\xfb\x03\xff\xfb\x01\xff\xfb\x03\xff\xfb\x01.*\r\nUser Access Verification\r\n\r\nPassword: /s v/Cisco telnetd//IOS 6.X/
# Cisco Catalyst 6509 - WS-C6509 Software, Version NmpSW: 5.5(1)
match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01\r\n\r\nCisco Systems Console\r\n\r\n\r\n\r\n\r\nEnter password: | v/Cisco Catalyst switch telnetd///
match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f\r\n\r\nPassword required, but none set\r\n| v/Cisco router telnetd//password required but not set/
match telnet m|^Access not permitted\. Closing connection\.\.\.\n$|s v/Cisco catalyst switch telnetd//access denied/
match telnet m|^\xff\xfd\x18$| v/Cisco microswitch telnetd///
# OpenBSD 2.3
# FreeBSD 5.1
match telnet m|^\xff\xfd%$| v/BSD-derived telnetd///
# Solaris 9
match telnet m|^\xff\xfd\x18\xff\xfd\x1f\xff\xfd#\xff\xfd'\xff\xfd\$$| v/Sun Solaris telnetd///
# Redhat Linux 7.3 telnet
match telnet m|\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'$| v/Linux telnetd///
match telnet m|^\xff\xfb\x01\n\rUser Name : $| v/APC network management card telnetd///
match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x03\n\rUser Name : | v|APC telnetd||Power/UPS device|
# Cayman-DSL Model 3220-H, DMT-ADSL (Alcatel) OS version 6.3.0
match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfe\x01\n\rlogin: $| v/Cayman-DSL router telnetd///
# Blue Coat Port 80 Security Appliance Model: Blue Coat SG400 Software Version: SGOS 2.1.6044 Software Release id: 19480 Service Pack 4
# Maybe I should call this SGOS telnetd instead
match telnet m|^\xff\xfb\x03\xff\xfb\x01\xff\xfd\x1f\r\n\r\nUsername: $| v/Blue Coat telnetd///
match telnet m|^\xff\xfb\x01@ Userid: | v/Shiva LanRover telnetd///
# Netscreen ScreenOS 4.0.1r1.0 telnetd on a netscreen 5XT running firmware 4.0.1r1.0
match telnet m|^\xff\xfd\x18\xff\xfb\x01\xff\xfe\x01Remote Management Console\r\n\r\nlogin: $| v/Netscreen ScreenOS telnetd///
# Note that openwall telnetd is derived from OpenBSD telnetd
match telnet m|^\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'\xff\xfd\$$| v|Openwall GNU/*/Linux telnetd|||
match telnet m|^\xff\xfc\x01\r\nHP JetDirect\r\n\r\nPlease type \"\?\" for HELP, or \"/\" for current settings\r\n> $| v/HP Jet Direct printer telnetd///
# tinc 1.0.2-2 on Linux
match tinc m|^0 \w+ 17\n| v/tinc vpn daemon///
match time m|^[\xc0-\xc5]...$|
# Tiny Personal Firewall 2.0
match tinyfw m|^\x0f\0\n\0\x01\0\0\0\0\x02\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xc0\x0ef7\xbb\x9bS\xfc\x86\xe4\x7f\x18\xb8\x97\x06 | v/Tiny Personal Firewall/2.0//
# Kerio Personal Firewall 4.02 on Windows 2000, 4.0.11 on W2K SP4+ too (port 44xxx)
match keriopfservice m|^\x12\0\x03\0\x04\0\0\0\0\x02\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0| v/Kerio PF 4 Service//maybe 4.0.2-11/
# Kerio PF 4.0.11 unregistered - GUI process (Port 1027-1200,44xxx? RPC?) on MS W2K SP4+
match keriopfgui m|^\x12\0\r\0\x03\0\0\0\0\x02\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x9a\x20\xd0Z\x1e\x1b\xa3\*\xf2\xdd\xe2\(\xc3sp&\xda\xe4Yp\xdbET\xf9\x8cc\xc24\*Y\xbe\xb3\xba\xd6%\xf5\xb668\xad\xab>@D<\x01<i\x80O>\xdd>\)\xdb\x18\xf55\xd1\xba\x96\x1c\x17\x17\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x01\0\x01| v/Kerio PF 4 GUI//maybe 4.0.11/
# Kerio Personal Firewall 2.1.4 on Windows
# Tiny Personal Firewall 2.0
# Kerio Personal Firewall, Firewall engine version 2.1.5 Driver version 3.0.0 on WinXP
match tinyfw m|^\x0f\0\n\0\x01\0\0\0\0\x02\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0| v/Kerio Personal Firewall/2.1.X/or Tiny Personal Firewall/
match ssl/vmware-auth m|^220 VMware Authentication Daemon Version (\d[-.\w]+): SSL Required\r\n| v/VMware Authentication Daemon/$1//
match vnc m|^RFB 003.00(\d)\n$| v/VNC//protocol 3.$1/
match vtun m|^VTUN server ver (\d[-.\w /]+)\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0| v/Vtun Virtual Tunnel/$1//
match vtun m|^VTUN server ver \. (\d[-.\w /]+)\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0| v/Vtun Virtual Tunnel/$1//
match winshell m/^Microsoft Windows ((2000)|(XP)|(NT 4\.0)) \[Version ([\d.]+)\]\r\n\(C\) Copyright 1985-20\d\d Microsoft Corp\.\r\n\r\n/ v/Microsoft Windows $1 $5 cmd.exe///
# CcXstream Media Server 1.0.15 on Linux - Uses XBMSP (X-Box Media Streaming Protocol)
match xbmsp m|^XBMSP-1\.0 1\.0 CcXstream Media Server (\d[-.\w]+)\n| v/CcXstream Media Server/$1//
# XFCE Desktop Version 3.99.4 From Gentoo 1.4 Ebuild on Linux 2.4.6
match xfce m|^\0\x01\0@\0\0\0\0| v/XFCE Desktop///
match zebra m|^\r\nHello, this is zebra \(version (\d[-.\w]+)\)\.\r\nCopyright 1996-20| v/GNU Zebra routing software/$1//
match zebra m|^\r\nHello, this is zebra \(version (\d[-.\w]+)\)\.\r\nCopyright 200\d| v/GNU Zebra routing software/$1//
match pcp m|^\0\0\0\x14\0\0p\0\0\0..\0\0\0\0\x02\x01\0\0| v/SGI Performance Co-Pilot///
match smtp m|^220 SPAM, we hates it.\r\n| v/Barracuda Spam firewall///
# 13720/tcp
match bprd m|^\0\0\0\x0eEXIT STATUS 23$| v/Veritas Netbackup///
# 13782/tcp
match bpcd m|^gethostbyaddr: [\w ]+\n$| v/Veritas Netbackup//refused/
# PostCast SMTP server 2.6.0 ( http://www.postcastserver.com/ )
match smtp m|^220 PostCast SMTP server.*\r\n$| v/PostCast SMTP server///
# bnetd (PvPGN BnetD Mod version 1.5.0) on Debian GNU/Linux (sid)
match bnetd m|^BOT or Telnet Connection from \[127\.0\.0\.1\]\r\n\r\nEnter your account name and password\.\r\nSorry, there is no guest account\.\r\n\r\nUsername: | v/PvPGN BnetD Mod/1.5.0//
match bnetd m|^Username: $| v/bnetd open source Blizzard Battlenet server///
# bnetd server 0.4.25 on Linux
# Cisco PIX 501 running PIX IOS 6.3(1)
match ciscopsdm m|^\xc0\0\x01\0....\0\0\0\x03| v/Cisco PIX Secure Database Manager///
match crossmatchverifier m|^Idle\r\n$| v/Cross Match Technologies Verifier fingerprint capture control port///
# I think this type of eggdrop banner is only used when customized or such.
match eggdrop m|^\r\nNickname\.\r\nSorry, that nickname format is invalid\.\r\n$| v/Eggdrop irc bot console///
# Alcatel Speedtouch ADSL Router
match ftp m|^220 Inactivity timer = \d+ seconds\. Use 'site idle <secs>' to change\.\r\n221 Goodbye \(badly formated command seen\)\. You uploaded 0 and downloaded 0 kbytes\.\r\n221 Goodbye \(badly formated command seen\)\. You uploaded 0 and downloaded 0 kbytes\.\r\n$| v/Alcatel Speedtouch aDSL router ftpd///
match ftp m|^220 Service ready\r\n500 Unsupported command\r\n$| v/Multitech MultiVoip 410 VoIP gateway ftpd///
# NetportExpress PRO/100 3 port print server
match ftp m|^220 FTP server ready\.\r\n530 access denied\.\r\n| v/Intel NetportExpress print server ftpd///
# D-Link Print Server internal FTP daemon (Firmware version 1.38) - D-Link Print Server DP-101
match ftp m|^220 FTP server ready\.\r\n501 Command not supported\.\r\n$| v/D-Link Printer Server ftpd///
match ftp m|^220 [-.\w]+ FTP server ready\.\r\n530 Please login with USER and PASS\.\r\n530 Please login with USER and PASS\.\r\n$| v/Solaris ftpd///
# vsftpd (Very Secure FTP Daemon) 1.0.0 on linux with custom ftpd_banner
# We'll have to see if this match is unique enough
match ftp m|^220 .*\r\n530 Please login with USER and PASS\.\r\n530 Please login with USER and PASS\.\r\n|s v/vsFTPd///
match ftp m|^220 [-.\w]+ FTP Server ready \.\.\.\r\n530 \r : User not logged in\. Please login with USER and PASS first\.\r\n530 \r : User not logged in\. Please login with USER and PASS first\.\r\n$| v/Bulletproof ftp server//Windows/
# BulletProof FTP 2.21 on Windows 2000 Server
match ftp m|^220 ftp\r\n$| v/Bulletproof ftp server//Windows/
# WarFTP Daemon 1.70 on Win2K
match ftp m|^220 [-.+\w]+ FTP SERVICE ready\r\n500 Please enter a command\. Dunno how to interperet empty lines\.\.\.\r\n500 Please enter a command\. Dunno how to interperet empty lines\.\.\.\r\n$| v/WarFTPd//Windows/
# GKrellM System Monitor 2.1.15 on Linux
match gkrellm m|^<error>\nBad connect string!| v/GKrellM System Monitor///
# Some web servers don't gie a 'Server: ' line for the Get request, but do for this probe.
match http m|^HTTP/1\.1 400 .*\r\nServer: Microsoft-IIS/(\d[-.\w]+)\r\n| v/Microsoft IIS webserver/$1//
# Icecast version: 1.9+2.0alphasn
match http m|^HTTP/1\.0 401 Authentication Required\r\nWWW-Authenticate: Basic realm=\"Icecast2 Server\"\r\n\r\nYou need to authenticate\r\n| v/Icecast streaming media server///
# Network Flight Recorder v3.2 on Solaris 8 (sparc)
match http m|^HTTP/1\.0 400 Bad request\r\n\r\n$| v/Network Flight Recorder IDS///
# Cisco 350 Series 802.11 AP
match http m|^HTTP/1\.0 400 Bad Request\r\nServer: thttpd/(\d[-.\w ]+)\r\n| v/thttpd/$1//
match icecast m|^HTTP/1\.0 200 OK\r\nServer: icecast/(\d[-.\w]+)\r\n| v|Shoutcast/Icecast streaming audio|$1||
# slident 0.0.19
match ident m|^0, 0: ERROR: UNKNOWN-ERROR\n$| v/slident///
# mlidentd 1.1 on Linux
match ident m|^0,0:ERROR:UNKNOWN-ERROR\r\n$| v/mlidentd///
# OpenBSD 3.2 identd
# May apply to Linux too -- need to investigate further.
# Kerio PF 4.0.11 unregistered - Service process (Port 44xxx?) on MS W2K SP4+
match keriopfservice m|^(HTTP/1\.0) 200 OK\r\nServer: Kerio Personal Firewall\r\n| v/Kerio PF 4 Service//$1/
match backupexecra m|^\xf6\xff\xff\xff\x10\0\0\0\0\0\0\0\0\0\0\0$| v/Veritas BackupExec Remote Agent///
match dantzretrospect m|^\0\xca\0\0\0\0\0\x04\0\0\0\0$| v/Dantz Retrospect/6.0//
match dnet-keyproxy m|^HTTP/1\.0 302 Found\r\nLocation: http://www\.distributed\.net/\r\n\r\n$| v/Distributed.Net HTTP Keyproxy///
# Digital UNIX 5.6
match finger m|^Login name: / \t\t\tIn real life: \?\?\?\r\n\r\nLogin name: GET \t\t\tIn real life: \?\?\?\r\n\r\nLogin name: HTTP/1\.0 \t\t\tIn real life: \?\?\?\r\n$| v/Digital UNIX fingerd///
# Internet Rex v2.67 Beta 1a
match finger m|^No such user No such user N\n$| v/Internet Rex finger server///
# FreeBSD 4.9-STABLE /usr/libexec/fingerd/
match finger m|^finger: /: no such user\nfinger: GET: no such user\nfinger: HTTP/1\.0: no such user\n$| v/FreeBSD fingerd///
# Bay Networks Micro Annex Comm. Server R10.0
match finger m|^No such activity\.\r\n$| v/Bay Networks Micro Annex terminal server fingerd///
# Mercury/32 3.32 Finger Server module on Windows XP
match finger m|^GET / HTTP/1\.0 is not known at this site\.\r\n$| v|Mercury/32 fingerd||Win32|
# ffingerd 1.28
match finger m|^That user does not want to be fingered\.\n$| v/ffingerd///
# Finger 0.17 from debian linux (which is from Linux netkit I believe)
# OpenBSD 2.3
match finger m|^finger: GET: no such user\.\nfinger: /: no such user\.\nfinger: HTTP/1\.0: no such user\.\n$| v|BSD/Linux fingerd|||
# Linux port of in.fingerd from OpenBSD network tools - started with -w to show welcome banner
match finger m|^\r\nWelcome to Linux version (\d[-.\w]+) at [-.\w]+ !\r\n\n.*(\d+) user.*\n\r\nfinger: GET: no such user\.\nfinger: /: no such user\.\nfinger: HTTP/1\.0: no such user\.\n| v/OpenBSD fingerd//ported to Linux; Linux version $1; $2 users logged in/
# Redhat Linux from finger-server-0.17-9 RPM
match finger m|^finger: GET: no such user.\r\nfinger: /: no such user.\r\nfinger: HTTP/1.0: no such user.\r\n$| v/Linux fingerd///
# NetBSD 1.6ZA (berkeley fingerd 8.1 sibling)
match finger m|^finger: GET: no such user\nfinger: /: no such user\nfinger: HTTP/1\.0: no such user\n$| v/NetBSD fingerd///
# Solaris 9
match finger m|^Login Name TTY Idle When Where\r\nGET \?\?\?\r\n/ \?\?\?\r\nHTTP/1\.0 \?\?\?\r\n$| v/Sun Solaris fingerd///
# mlfingerd 1.1
match finger m|^Information for user 'GET\+20\+2F\+20HTTP\+2F1\.0':\r\nUnknown user\.\r\n$| v/mlfingerd///
# SGI IRIX 6.5.18f finger
match finger m|^Login name: GET \t\t\tIn real life: \?\?\?\r\n$| v/SGI IRIX fingerd///
match gnutella m|^HTTP/1\.[01] 404 Not Found\r\nServer: gtk-gnutella/(\d[-.\w]+) \(([^\)\r\n]+)\)\r\n| v/gtk-gnutella P2P client/$1/$2/
# LimeWire 3.5.8 on Suse Linux 8.1
match gnutella m|^HTTP/1\.1 406 Not Acceptable\r\n$| v/LimeWire Gnutella P2P client///
match gnutella m|^HTTP/1\.0 200\r\nServer: Mutella\r\n| v/Mutella Gnutella P2P client///
match gnutella m|^HTTP/1\.1 404 Not Found\r\nServer: giFT-Gnutella/(\d[-.\w]+)\r\n| v/GiFT P2P client gnutella module/$1//
match http m/^GIF89a\xa8\0-\0\xf7\0\0\x03\x03\x03\x83\x83\x83\xc4\xc4\xc4\xfe\x02\x02\xc9\x85c\x85|\xb5\xe2\xe2\xe2\xca\xa2\x8e\xd4RRCCC\xdeb\"\xa5\xa5\xa5\xe7\xc5/ v/Tweak XP web advertisement blocker///
# Management interface for Xerox Phaser 5400, a laser printer.
match http m|^HTTP/1\.0 200 OK\r\nPragma: no-cache\r\nContent-Type: text/html\r\n\r\n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4\.0 Transitional//EN\">\n.*<META NAME=Copyright CONTENT=\"Copyright \(c\) 2003 3Com Corporation\. All Rights Reserved\.\">\n.*<META http-equiv=\"3Cnumber\" content=\"([-.\w]+)\">\n|s v/3Com OfficeConnect router webadmin//3Com` $1/
match http m|^HTTP/1\.0 401 Unauthorized\r\nServer: httpd\r\nDate: Fri, 09 Jan 1970 11:48:03 GMT\r\nWWW-Authenticate: Basic realm=\"Sitecom WL-([-.\w]+)\"\r\n| v/Sitecom webadmin//Sitecom WL-$1 WAP/
match http m|^HTTP/1\.0 200 OK\r\nDate: .*\r\n\r\n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4\.0 Transitional//EN\"><html><body bgcolor=\"#C0C0C0\" text=\"#000000\" vlink=\"#800080\" link=\"#0000FF\"><P><h1>TempTrax Digital Thermometer</h1>| v/SensaTronics TempTrax Digital Thermometer///
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: DHost/(\d[-.\w]+) HttpStk/(\d[-.\w]+)\r\n| v/Novell eDirectory DHOST httpd/$1/HttpStk: $2; used by iMonitor/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: 3ware/(\d[-.\w]+)\r\n| v/3Ware web interface/$1/RAID storage/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: Cherokee/(\d[-.\w]+)\r\n| v/Cherokee httpd/$1//
match http m|^HTTP/1\.0 200 OK\r\nServer: HomeSeer\r\n| v/HomeSeer Home Control Web Interface///
# Multitech MultiVoip 410 VoIP gateway
match http m|^HTTP/1\.1 200 OK\r\nServer: RTXCweb Software (\d[-.\w]+)\r\nDate: .*\r\nContent-type: text/html\r\n\r\n<html>\r\n<head>\r\n<META HTTP-EQUIV=\"PRAGMA\" CONTENT=\"NO-CACHE\">\r\n<META HTTP-EQUIV=\"EXPIRES\" CONTENT=\"-1\">\r\n<script language = \"Javascript\">\r\nvar title_string = \" v \[Firmware - [\w ]+\]| v/Multitech MultiVoip VoIP gateway web interface//Embedded webserver: RTXCweb $1/
# NetComm NB1300 ADSL Modem/Router
match http m|^HTTP/1\.1 401 Unauthorized\r\nServer: WindWeb/(\d[-.\w]+)\r\nConnection: close\r\nWWW-Authenticate: Basic realm=\"([-./\w ]+)\"\r\nContent-Type: text/html\r\n\r\nHasbani Web Server| v/WindWeb embedded webserver/$1/As on NetComm DSL modems; Realm: $2; Calls itself Hasbani Web Server/
match http m|^HTTP/1\.0 200 OK\r\nServer: SimpleServer:WWW/(\d[-.\w]+)\r\n| v/AnalogX SimpleServer httpd/$1/Windows/
match http m|^HTTP/1\.1 200 OK\r\nDate: .*\r\nServer: CANON HTTP Server Ver(\d[-.\w ]+)\r\n| v/Canon printer web interface/$1//
match http m|^HTTP/1\.1 500 Server Error\r\nConnection: close\r\nContent-Length: \d+\r\nDate: .*\r\nServer: Radio UserLand/(\d[.\w ]+)-([-.\w ]+)\r\n\r\n| v/Radio Userland blog server/$1/platform: $2/
match http m|^HTTP/1\.1 302 Moved Temporarily\r\nPragma: no-cache\r\nLocation: /servlet/nodeinfo/\r\nExpires: .*\r\nCache-Control: post-check=0, pre-check=0\r\nConnection: close\r\nContent-type: \r\nServer: Fred (\d[-.\w]+) \(build (\d+)\) HTTP Servlets\r\n\r\n| v/Freenet Fred anonymous P2P/$1 build $2//
match http m|^HTTP/1\.0 200 OK\r\nServer: MLdonkey\r\n.*\r\n\r\n<html>\n<head>\n\n<title>MLdonkey: Web Interface</title>\n|s v/MLdonkey multi-network P2P web interface///
# Docupoint Discovery 3.0(Apache) on Windows 2000 Professional
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: kpf\r\n| v/KDE Public Fileserver///
match http m|^HTTP/1\.1 200 OK\r\nServer: Netscape-FastTrack/(\d[-.\w]+)\r\n| v/Sun Iplanet webserver/$1//
match http m|^HTTP/1\.0 200 OK\r\nDate: .*\r\nServer: dwhttpd/(\d[-.\w]+) \(([^\r\n\)]+)\)\r\nContent-type: text/html\r\n\r\n \n \t<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3\.2//EN\">\n <HTML>\n <HEAD>\n \n <TITLE>AnswerBook2: Personal Library</TITLE>\n| v/Sun AnswerBook2 webserver/$1/$2/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: enCoreXpress/(\d[-.\w]+)\r\n|s v|enCoreXpress MOO||http://lingua.utdallas.edu/encore|
# World Client for MDaemon (www.altn.com) on Windows 2000
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: WDaemon/(\d[-.\w]+)\r\n| v/Alt-N MDaemon World Client webmail/$1//
# pop3proxy web interface from spambayes 1.0a5 on Linux
match http m|^HTTP/1\.1 \d\d\d .*\r\nConnection: close\r\nContent-Type: text/html\r\nDate: .*\r\n\r\n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4\.01 Transitional//EN\">\r\n<html>\r\n<head>\r\n<title id=\"title\">Home</title>\r\n<meta content=\"no-cache\" http-equiv=\"Pragma\"/>\r\n<meta content=\"no-cache\" http-equiv=\"Cache\"/>\r\n| v/Spambayes pop3proxy web interface///
match http m|^HTTP/1\.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"Prestige ([-.\w ]+)\"\r\nContent-Type: text/html\r\nServer: ZyXEL-RomPager/(\d[-.\w ]+)\r\n\r\n| v|ZyXEL Prestige webadmin|$2|Prestige model $1|
match http m|^HTTP/1\.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"Prestige ([-.\w ]+)\"\r\nContent-Type: text/html\r\nServer: RomPager/(\d[-.\w ]+) ([-./\w]+)\r\n\r\n| v|ZyXEL Prestige webadmin|$2|Prestige model $1; $3|
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: Roxen/(\d[-.\w]+)\r\n|s v/Roxen webserver/$1//
# A-link (Avaks) Hasbani Web Server on RoadRunner 44b ADSL Router
match http m|^HTTP/1\.1 403 Forbidden\r\nServer: WindWeb/(\d[-.\w]+)\r\nConnection: close\r\nWWW-Authenticate: Basic realm=\"Home Gateway\"\r\nContent-Type: text/html\r\n\r\nHasbani Web Server| v/A-link Hasbani webadmin//Runs WindWeb $1 embedded httpd; Often a DSL router/
# Sambar Server V5.3 on Windows NT
match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: SAMBAR\r\n| v/Sambar webserver///
match http m|^HTTP/1\.1 .*\r\nDate: .*\r\nServer: aEGiS_nanoweb/(\d[-.\w]+) \(([^\)]+)\)\r\n| v/AEGiS Nanoweb httpd/$1/$2/
match http m|^HTTP/1\.1 404 Not Found\r\nDate: .*\r\nServer: Unknown/0\.0 UPnP/1\.0 Virata-EmWeb/([-.\w]+)\r\n| v/ReplayTV web interface//runs Virata-EmWeb $1/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: WebLogic WebLogic Server (\d[-.\w]+( SP\d+)?) +\w\w\w|s v/WebLogic applications server/$1//
match http m|^HTTP/1\.0 200 OK\r\nConnection: close\r\nDate: .*\r\nExpires: .*\r\nContent-type: text/html\r\n\r\n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3\.2//EN\">\n<HTML>\n<HEAD>\n<TITLE>Samba Web Administration Tool</TITLE>| v/Samba SWAT administration server///
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: icecast/(\d[-.\w]+)\r\n| v/Icecast streaming media server/$1//
match http m|^HTTP/1\.0 200 OK\r\nServer: HP-Web-Server-(\d[-.\w]+)\r\n.*<!-- framework\.ini ([A-Z]:\\[-.\w \\]+)-->|s v/HP Web Jetwebadmin/$1/framework.ini: $2/
match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: HP Web Jetadmin/(\d[-.\w]+) (.*)\r\n| v/HP Web Jetadmin print server/$1/$2/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: HP-Web-JetAdmin-(\d[-.\w]+)\r\n| v/HP Web Jetadmin print server/$1//
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: Tomcat Web Server/(\d[-.\w ]+) \( ([^)]+) \)\r\n|s v/Apache Tomcat webserver/$1/$2/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: Tomcat Web Server/(\d[-.\w ]+)\r\n\r\n|s v/Apache Tomcat webserver/$1//
match http m|^HTTP/1\.0 \d\d\d .*\r\nServlet-Engine: Tomcat Web Server/(\d[-.\w]+) \(([^\)]+)\)\r\n|s v/Apache Tomcat webserver/$1/$2/
match 3dm-http m|^HTTP/1\.0 200 OK\r\nServer: 3ware/(\d[-.\w]+)\r\n.*<title>3ware 3DM - No remote access</title>|s v/3Ware 3DM Raid Daemon/$1/Access denied/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: publicfile| v/publicfile httpd///
match http m|^HTTP/1\.[01].*Server: Apache/(\d+\.\d+\.[-.\w]+) ([^\r\n]+)|s v/Apache httpd/$1/$2/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Apache/(\d[-.\w]+)\r\n.*X-Powered-By: ([^\r\n]+)\r\n|s v/Apache httpd/$1/$2/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Apache/(\d[-.\w]+)\r\n|s v/Apache httpd/$1//
# apache 1.3.26-0woody3 or Apache 2.0.45
match http m|^HTTP/1\.[01] \d\d\d.*\r\nDate: .*\r\nServer: Apache\r\n| v/Apache httpd///
match http m|^HTTP/1\.[01] \d\d\d.*\r\nDate: .*\r\nServer: Apache +\(([^\r\n\)]+)\)\r\n| v/Apache httpd//$1/
match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: IBM_HTTP_Server/(\d[-.\w]+) (Apache/.*)\r\n| v/IBM HTTP Server/$1/Based on $2/
match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: Apache-AdvancedExtranetServer/(\d[-.\w]+) \(Mandrake Linux/[-.\w]+\) (.*)\r\n| v/Apache Advanced Extranet Server httpd/$1/Mandrake Linux; $2/
match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: Apache-AdvancedExtranetServer/(\d[-.\w]+) \(Mandrake Linux/[-.\w]+\)\r\n| v/Apache Advanced Extranet Server httpd/$1/Mandrake Linux/
match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: Apache-AdvancedExtranetServer/(\d[-.\w]+) \(Linux-Mandrake/[-.\w]+\)\r\n| v/Apache Advanced Extranet Server httpd/$1/Mandrake Linux/
match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: Apache-AdvancedExtranetServer/(\d[-.\w]+)\r\n| v/Apache Advanced Extranet Server httpd/$1/Mandrake Linux/
match http m|^HTTP/1.[10] \d\d\d.*\r\nDate:.*\r\nServer: Stronghold/([-.\w]+) Apache/([-.\w]+)| v/Apache Stronghold httpd/$1/based on Apache $2/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Apache Tomcat/(\d[-.\w]+)|s v/Apache Tomcat/$1//
match http m|^HTTP/1\.1 \d\d\d.*\r\nServer: Apache[- ]Coyote/(\d[-\d.]+)\r\n|s v|Apache Tomcat/Coyote JSP engine|$1||
match http m|^HTTP/1\.1.*\r\nServer: Netscape-Enterprise/([-.\w]+)\r\n| v/Netscape Enterprise httpd/$1//
match http m|^HTTP/1\.0 200 OK\r\nServer: fnord/(\d[-.\w]+)\r\n| v/Fnord httpd/$1//
match http m|^HTTP/1\.0 404 Not Found\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n<title>Not Found</title>This host is not served here\.$| v/Fnord httpd///
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: MiniServ/0.01\r\n|s v/Webmin httpd///
match http m|^HTTP/1.1 200 OK\r\nServer: NetWare-Enterprise-Web-Server/([-.\w]+)\r\n| v/Novell Netware enterprise web server/$1//
match http m|^HTTP/1.1 302 Object Moved Temporarily\r\nServer: NetWare HTTP Stack\r\n| v/Novell Netware HTTP Stack//HTTPSTK.NLM/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: HTTPd-WASD/([-.\w]+) OpenVMS/VAX\r\n| v|HTTPd-WASD|$1|on OpenVMS/VAX)|
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Lotus-Domino/Release-(\d[-.\w]+)\r\n| v/Lotus Domino httpd/$1//
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Lotus-Domino/(\d[-.\w]+)\r\n| v/Lotus Domino httpd/$1//
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Lotus-Domino(/0)?\r\n| v/Lotus Domino httpd///
# G-Net BB0060 ADSL Modem (I'm not sure this is GlobespanVirata, but that is
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Virata-EmWeb/([-.\w]+)\r\n.*\r\n\r\n\n<!--\nFile name: index\.html\n\nThis is the 'parent' file that calls the individual child frames\. \nThis is the file that is first accessed when the user types http://<ipaddress> \nin the browser toolbar\. \n\nThe UI Architecture consists of a total of 4 frames\. This file calls 3 high-level |s v/HP LaserJet printer webadmin//Virata-EmWeb embedded server $1/
match http m|^HTTP/1\.0 \d{3}.*\r\nServer: CompaqHTTPServer/([\.\w]+)\r\n|s v/Compaq Insight Manager/$1//
match http m|^HTTP/1\.1 401 Authorization Required\r\nWWW-Authenticate: Basic realm="Linksys ([-.A-Z\d/ ]+)"\r\n| v/Linksys router web admin server//device model $1/
match http m|^HTTP/1\.1 200 OK\r\nContent-Length: \d+\r\nContent-Type: text/html\r\nDate: .*\r\nAllow: GET, HEAD\r\nServer: Xerox_MicroServer/([-.\w]+)\r\n| v|Xerox MicroServer httpd|$1|usually a printer/copier|
match http m|^HTTP/1\.1 200 OK\r\nContent-Type: text/html\r\nDate: .*\r\nAllow: GET, HEAD\r\nServer: Spyglass_MicroServer/(\d[-.\w]+)\r\nLast-Modified: .*\r\nExpires: .*\r\nPragma: no-cache\r\n\r\n\n<html> \n<head>\n <meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\">\n <meta name=\"keywords\" content=\"printer; embedded web server; int| v/Spyglass MicroServer/$1/embedded in printer/
match http m|^HTTP/1\.0 500 Internal Server Error\r\nServer: Cougar (\d[-.\w]+)\r\n\r\n$| v/Microsoft Windows Media Server/$1//
match http m|^HTTP/1\.0 200 OK\r\nContent-Type: video/x-ms-asf\r\nCache-Control: max-age=0, no-cache\r\nServer: Cougar/(\d[-.\w]+)\r\n| v/Microsoft Windows Media Server/$1//
match http m|^HTTP/1\.[01] \d\d\d .*Server: NetApp/(\d[-.\w]+)\r\n|s v/NetApp filer httpd/$1//
match http m|^HTTP/1\.0 200 OK\r\nServer: RapidLogic/(\d[.\d]+)\r\nMIME-version: 1\.0\r\nContent-type: text/html\r\n\r\n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4\.0 Frameset//EN\"\r\n\t\t\t\"http://www\.w3\.org/TR/REC-html40/frameset\.dtd\">\r\n<HTML>\r\n<HEAD>\r\n\t<TITLE>Netopia Router Web </TITLE>| v/Netopia RapidLogic admin server/$1//
match http m|^HTTP/1\.1 200 OK\r\nServer: WebSTAR/(\d[-.()\w]+) ID/| v/WebSTAR httpd/$1//
match http-proxy m|^HTTP/1\.1 404 Not Found\r\nContent-Type: text/html\r\nContent-Length: 463\r\nConnection: close\r\nProxy-Connection: close\r\n\r\n<html><head><title>File not found</title></head><!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4\.01 Transitional//EN\">\n<body text=\"#000000\" bgcolor=\"#99AABB\"| v/Middleman filtering web proxy///
match http-proxy m|^HTTP/1\.0 \d\d\d .*\r\nServer: WWWOFFLE/(\d[-.\w]+)\r\n| v/WWWOFFLE caching webproxy/$1//
match http-proxy m|^HTTP/1\.1 400 Host Not Found\r\nContent-type: text/html\r\nConnection: close\r\n\r\n<html><head><title>The Proxomitron Reveals\.\.\.</title>| v/Proxomitron universal web filter///
match http-proxy m|^HTTP/1\.0 400 Bad Request\r\nDate: .*\r\n\r\n<html><body>.*<font color=\"#FF0000\">Proxy</font><font color=\"#0000FF\">\+</font> (\d[-.\w]+) \(Build #(\d+)\), Date: |s v/Fortech Proxy+/$1 Build $2//
match http-proxy m|^HTTP/1\.0 \d\d\d .*\r\nServer: Jana-Server/(\d[-.\w]+)\r\n| v/JanaServer webproxy/$1//
match http-proxy m|^HTTP/1\.0 400 Bad Request\nContent-Type: text/html\n\n<HTML><HEAD><TITLE>DansGuardian - | v/DansGuardian HTTP proxy///
match http-proxy m|^HTTP/1\.0 400 Bad Request\r\nServer: FreeProxy/(\d[-.\w]+)\r\n| v/FreeProxy/$1//
# EZproxy for Linux 2.2d GA (2003-09-01) - http://www.usefulutilities.com
match http-proxy m|HTTP/1\.0 \d\d\d .*\r\nServer: EZproxy\r\n|s v/EZproxy web proxy///
# http://bfilter.sourceforge.net/
match http-proxy m|^HTTP/1\.0 400 Bad Request\r\n.*\r\n\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4\.01 Transitional//EN\">\r\n<html>\r\n<head>\r\n <title>BFilter Error</title>|s v/Bfilter webproxy///
match http-proxy m|^HTTP/1\.0 \d\d\d .*\r\nServer: tinyproxy/(\d[-.\w]+)\r\n| v/Tinyproxy/$1//
# MS ISA Server 2000 enterprise edition on windows 2000 advanced server
match http-proxy m|^HTTP/1\.1 502 Proxy Error \( The Uniform Resource Locator \(URL\) does not use a recognized protocol\. Either the protocol is not supported or the request was not typed correctly\. Confirm that a valid protocol is in use \(for example, HTTP for a Web request\)\. \)\r\nVia:1\.1| v/Microsoft ISA Server http proxy///
# Privoxy 3.0.0 Filtering Web Proxy - http://www.privoxy.org
match http-proxy m|^HTTP/1\.0 400 Invalid header received from browser\r\n\r\n$| v|Junkbuster/Privoxy webproxy|||
match http-proxy m|^HTTP/1\.0 400 Invalid header received from browser\n\n| v/Junkbuster webproxy///
match http-proxy m|^HTTP/1\.0 \d\d\d .*Server: NetCache \(NetApp/(\d[-.\w]+)\)\r\n|s v/NetApp NetCache proxy/$1//
# Squid 2.5.STABLE3 on NetBSD 1.6ZA
match http-proxy m|^HTTP/1\.0 \d\d\d .*\r\nServer: [sS]quid/([-.\w]+)\r\n| v/Squid webproxy/$1//
# Blue Coat Port 80 Security Appliance Model: Blue Coat SG400 Software Version: SGOS 2.1.6044 Software Release id: 19480 Service Pack 4
match imap m|^\* OK \[CAPABILITY IMAP4REV1 X-NETSCAPE LOGIN-REFERRALS STARTTLS LOGINDISABLED\] \[[-.\w]+\] IMAP4rev1 (200[-.\w]+) at .*\r\nGET BAD Command unrecognized/login please: /\r\n\* BAD Null command\r\n| v/UW-Imap///
match imap m|^\* OK \[[-.+\w]+\] IMAP4rev1 v1(\d[-.\w]+) server ready\r\n| v/UW-Imap/1$1//
match imap m|^\* OK [-.+\w]+ IMAP4rev1 v1(\d[-.\w]+) server ready\r\n| v/UW-Imap/1$1//
# gnu/mailutils imap4d 0.3.2 on Linux
match imap m|^\* OK IMAP4rev1\r\nGET BAD Invalid command\r\n\* BAD Null command\r\n$| v/GNU Mailutils imapd///
# Cyrus IMAP 2.1.14
match imaps m|^\* BYE Fatal error: tls_start_servertls\(\) failed\r\n$| v/Cyrus imapd///
# Server: CUPS/1.1
match ipp m|^HTTP/1\.0.*Server: CUPS/(\S+)|s v/CUPS $1///
match ipp m|^lpd \[@[-.\w]+\]: Host name for your address \([:.\d]+\) is not known\n$| v/CUPS///
match irc m|^:Default-Chat-Community 421 \* GET :Unknown command\r\n| v/Microsoft Exchange 2000 Server Chat Service///
# Jabber 1.4.2
match jabber m|^<stream:error>Invalid XML</stream:error>$| v/Jabber instant messaging server///
match kazaa-http m|^HTTP/1\.0 404 Not Found\r?\nX-Kazaa-Username: ([-.+\w]+)\r\nX-Kazaa-Network: ([-.\w]+)\r\n| v/KaZaA P2P client//username: $1; network: $2/
match kazaa-peerpoint m|^HTTP/1\.0 404 Not Found\n\r\n$| v/KaZaA P2P client Peer Point Manager///
match msdtc m|^...\0..$|s v/Microsoft Distributed Transaction Coordinator///
match msdtc m|^ERROR\n$|s v/Microsoft Distributed Transaction Coordinator//error/
# MLDonkey 2.5
match napster m|^1INVALID REQUEST$| v/MLdonkey multi-network P2P client///
match napster m|^1$| v/Lopster Napster P2P client///
match netbios-ssn m/^\x83\0\0\x01\x82|\x8f$/
match netwareip m|^\xfb\xff\xfe\xff\xfb\xff\xfe\xff\xfb\xff\xfe\xff$| v|Novell Netware/IP|||
match ntop-http m|^HTTP/1\.0 401 Unauthorized to access the document\nWWW-Authenticate: Basic realm=\"ntop HTTP server\"\n| v/Ntop web interface///
match omninames m|^GIOP\x01\0\x01\x06\0\0\0\0$| v/omniORB omniNames//Corba naming service/
# Oracle MTS Recovery Service 9.2.0.1 on Windows 2000 Professional
match oracle-mts m|^HTTP/1\.0 200 OK\r\nContent-length: 7\r\n\r\nunknown$| v/Oracle MTS Recovery Service///
match ssl/pop3 m|^-ERR \[SYS/PERM\] Fatal error: tls_start_servertls\(\) failed\r\n$| v/Cyrus pop3sd///
# Postgresql-server-7.3.2-3
match postgresql m|^EFATAL: invalid length of startup packet\n\0$| v/PostgreSQL///
# Netware 6 NetWare/IP
match rendezvous m|^HTTP/1\.1 400 Bad Request\r\nDate: .*\r\nDAAP-Server: iTunes/(\d[-.\w]+) \((.*)\)\r\n| v/Apple iTunes/$1/on $2/
match rtsp m|^RTSP/1.0 400 Bad Request\r\nServer: DSS/([-.\w]+) \[(v\d+)]-(\w+)\r\n| v/DarwinStreamingServer/$1/$2 on $3/
match rtsp m|^RTSP/1\.0 400 Bad Request\r\nServer: QTSS/(\d[\d.]+ \[v\d+\]-Win32)\r\nCseq: \r\n| v/Apple QuickTime Streaming Server/$1//
match rtsp m|^RTSP/1\.0 400 Bad Request\r\nServer: QTSS/(\d[-.\w]+) \(Build/([\d.]+); Platform/([-.\w]+)\)\r\nCseq: \r\nConnection: Close\r\n\r\n$| v/Apple QuickTime Streaming Server/$1 build $2/Platform: $3/
match rtsp m|^RTSP/1\.0 505 Protocol Version Not Supported\r\nDate: .*\r\nServer: WMServer/(\d[-.\w]+)\r\n\r\n$| v/Microsoft Windows Media Server/$1//
match slimp3 m|^GET %2f HTTP%2f1\.0\n$| v|SliMP3 MP3 player||http://www.slimdevices.com|
# spamd 2.20-1woody
match spamd m|^SPAMD/1\.0 76 Bad header line: GET / HTTP/1\.0\r\r\n| v/SpamAssassin spamd///
# Windows XP 8/2003
match upnp m|^HTTP/1.1 400 Bad Request\r\n\r\n$| v/Microsoft Windows UPnP///
match vnc-http m|^HTTP/1\.0 200 OK\n\n<HTML>\n <HEAD><TITLE>TightVNC desktop \[[-.\w]+\]| v/TightVNC///
# TightVNC 1.2.8
match vnc-http m|^HTTP/1\.0 200 OK\r\n\r\n<!-- \n index\.vnc - default HTML page for TightVNC Java viewer applet, to be\n used with Xvnc\. On any file ending in \.vnc, the HTTP server embedded in\n Xvnc will substitute the following variables when preceded by a dollar:\n USER, DESKTOP, DISPLAY, APPLETWIDTH, APPLETHEIGHT, WIDTH, HEIGHT, PORT,\n.*<TITLE>\n(\w+)'s X desktop.*<APPLET CODE=VncViewer\.class ARCHIVE=VncViewer\.jar\n WIDTH=(\d+) HEIGHT=(\d+)>\n<param name=PORT value=(\d+)>\n\n</APPLET>|s v/TightVNC/1.2.8/User: $1; Resolution $2x$3; VNC TCP port: $4/
match xml-rpc m|^HTTP/1\.0 400 Bad Request\r\nServer: Apache XML-RPC (\d[-.\w ]+)\r\n\r\nMethod GET not implemented \(try POST\)$| v/Apache XML-RPC/$1//
match wsmserver m|^Language received from client: GET\nSetlocale: C\n$| v/AIX Web-based System Manager///
match http m|^HTTP/1\.0\x20250\x20Ok\r\n.*\r\n\r\n.*<title>PowerMTA monitoring</title>|s v/Port25 PowerMTA web monitor///
match http m|^HTTP/1\.0\x20250\x20Ok\r\n.*\r\n\r\n.*<title>PowerMTA monitoring</title>|s v/Port25 PowerMTA web monitor///
# Dell OpenManage Version 3.5.0 on MS Windows 2000 server / PowerEdge 6400/700
match http m|^HTTP/1\.1 200 OK\r\nConnection: Close\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n<html>\r\n <head>\r\n <script language=\"javascript\">\r\n\t\t\t\t\tif| v/Dell Openmanage Server Administrator//PowerEdge/
# ASPI server (www.aspi.cz) on Solaris 6666/tcp
match aspi m|^HTTP/1\.0 404 Not Found\r\nDate: .*\r\nServer: ByllSoftware Gurda/([\d.]+)\r\n| v/ASPI server/$1//
match sunscreen-adm m|^\x01\0\0\0\0\0\0\0T\x03\0\0\0\0\0\x01\x1e\0\0\0\0\0\0;\0\0\0\0\0\0\0\0Error: incompatible with administration server \(version (\d[-.\w ]*)\)\nc\0\0\0\0\0\0\0\0\0\0\x01\0\0\0\0$| v/SunScreen Remote Administration server/$1//
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Oracle HTTP Server Powered by Apache\r\n|s v/Oracle HTTP Server Powered by Apache///
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: webfs/(\d[-.\w]+)\r\n| v/WebFS httpd/$1//
# HP OpenView ITO agent (probably version 7.25) on Windows, port 381
match http m|^HTTP/1\.1 \d\d\d .*\r\nserver: BBC \d[-.\w]+; com\.hp\.openview\.Coda \d[-.\w]+\r\n\r\n| v/HP OpenView ITO agent - Coda///
# Zero One Technology ( http://www.01tech.com/ ) print servers embedded HTTP service
match http m|^HTTP/1\.\d\x20200\x20OK\r\nDate:\x20.*\r\nMIME-version:\x201\.\d\r\nServer:\x20ZOT-PS-(\d+)/(\d[-.\w]+)\r\n| v/Zero One Technology print server model $1 HTTP server/$2//
match domain m|\x07version\x04bind.*[\x03-\x14]([-\w._ ]{3,20})$|s v/ISC Bind/$1//
match domain m|\x07version\x04bind.*[\x03-\x14]BIND ([-\w._]{3,20})$|s v/ISC Bind/$1//
# ISC Bind 9.1.3
match domain m|\x07version\x04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\x01\0| v/ISC Bind///
# pdnsd 1.1.7a, 1.1.8b1
# http://www.phys.uu.nl/~rombouts/pdnsd.html
match domain m|^\0\x1e\0\x06\x81\x84\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03$| v/pdnsd///
# Windows 2000 SP4
match domain m|^\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03$| v/Microsoft DNS///
# Novell 5.1 DNS Server
# Bind 4.9.7-REL on OpenBSD
match domain m|^\0\x1e\0\x06\x81\x82\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03$| v/ISC Bind/4.X//
# PowerDNS 2.9.6 on FreeBSD
# PowerDNS 2.9.8 Linux
match domain m|^\0.\0\x06\x85\0\0\x01\0\x01\0\0\0\0\x07version\x04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x01\0\0\0\x05\0..Served by POWERDNS (\d[-.\w]+) |s v/PowerDNS/$1//
# Symantec Enterprise Firewall 6.5.2 DNS proxy on Win2K
match domain m|^\0\x1e\0\x06\x81\x85\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03$| v/Symantec Enterprise Firewall DNS proxy///
match exec m|^\x01Login incorrect\.\n$|
# HP-UX B.11.00 A
match exec m|^\x01rexecd: Login incorrect.\n$| v/HP-UX rexecd///
match exec m|^\x01rexecd: [-\d]+ The login is not correct\.\n| v/AIX rexecd///
# Digital UNIX V4.0F login
match login m|^\x01Permission denied: Error 0$| v/Digital UNIX login///
# RedHat 7.3 - Oracle TNS Listener Oracle 8.1.7
# Oracle 8.1.6.1.0 on Linux 2.2.X
match oracle-tns m|^\0\x1c\0\0\x04\x01\0\0\0X\0\0| v/Oracle Listener///
# OpenBSD 2.3
# Solaris 9
match rlogin m|^\x01rlogind: Permission denied\.\r\n$|
# HP-UX 11 Kerberized rlogin
match klogin m|^\x01rlogind: Login Incorrect\.\r\n$| v/HP-UX kerberized rlogin///
# Solaris Kerberos authenticated login
match klogin m|^\x01rlogind: Kerberos authentication failed\.\r\n| v/Solaris kerberized rlogin///
# Solaris Kerberos authenticated remote shell
match kshell m|^\x01rshd: Authentication failed: Bad sendauth version was sent\n| v/Solaris kerberised rsh///
match ssc-agent m|^\0\x1e\0\x06\0\t\0\0$| v/Novell Netware ssc-agent///
# http://www.apcupsd.com/ - apcupsd 3.8.5-1.3 on Linux 2.4.X
match apcnisd m|^\0\x11Invalid command\n\0\0\0$| v/apcupsd///
match klogin m|^\x01krlogind: Kerberos Authentication Failed\.\r\n\0| v/AIX kerberized rlogin///
match kshell m|^\x01rshd: [-\d]+ The host name for your address is not known\.\n| v/AIX (kerberized?) rshd///
# 13724/tcp
match vnetd m|^1\0$| v/Veritas Netbackup Network Utility///
# DNS Server status request: http://www.crynwr.com/crynwr/rfc1035/rfc1035.html
# The remaining fields are all 16-bits: iframe transmit errors; number of receive buffers; tl_timeouts; tl_timeouts; free ncbs; ncbs;
# max_ncbs; number of transmit buffers; max datagram; pending sessions; max sessions; packet_sessions
# I'm not convinced that these next 4 work on a very wide variety of
# machines. I think most of the real matching comes in the next block.
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0...(\w{1,15}) *\0\x04\0(\w{1,15}) *\0\x84\0\w{1,15} *\x03\x04\0\w{1,15} *\x04\0\w{1,15} *\x1e\x84\0\w{1,15} *\x1d\x04\0\x01\x02__MSBROWSE__\x02\x01\x84\0(\w{1,15}) *\x03|s v/Microsoft Windows XP netbios-ssn//host: $1 workgroup: $2 user: $3/
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0...(\w{1,15}) *\0\x04\0(\w{1,15}) *\0\x84\0\w{1,15} *\x03\x04\0\w{1,15} *\x04\0\w{1,15} *\x1e\x84\0\w{1,15} *\x1d\x04\0\x01\x02__MSBROWSE__\x02\x01\x84\0\0|s v/Microsoft Windows XP netbios-ssn//host: $1 workgroup: $2/
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0...(\w{1,15}) *\0\x04\0(\w{1,15}) *\0\x84\0\w{1,15} *\x03\x04\0\w{1,15} *\x04\0(\w{1,15}) *\x03\x04\0\w{1,15} *\x1e\x84\0|s v/Microsoft Windows XP netbios-ssn//host: $1 workgroup: $2 user: $3/
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0...(\w{1,15}) *\0\x04\0(\w{1,15}) *\0\x84\0\w{1,15} *\x03\x04\0\w{1,15} *\x04\0\w{1,15} *\x1e\x84\0|s v/Microsoft Windows XP netbios-ssn//host: $1 workgroup: $2/
# It would be really nice if we could get username and/or OS
# information from this. But it is quite hard to parse out the proper
# information unambiguously, especially with just regular expressions.
# But it certainly would be nice to get more info:
#
# nbtstat
#
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0\0..([\w\-]{1,15}) *\0D\0.*\0([\w\-]{1,15}) *\0\xc4\0|s v/Microsoft Windows netbios-ssn//host: $1 workgroup: $2/
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0\0..([\w\-]{1,15}) *\0D\0([\w\-]{1,15}) *\0\xc4\0|s v/Microsoft Windows netbios-ssn//host: $1 workgroup: $2/
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0\0...*\0([\w\-]{1,15}) *\0D\0.*\0([\w\-]{1,15}) *\0\xc4\0|s v/Microsoft Windows netbios-ssn//host: $1 workgroup: $2/
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0\0...*\0([\w\-]{1,15}) *\0D\0([\w\-]{1,15}) *\0\xc4\0|s v/Microsoft Windows netbios-ssn//host: $1 workgroup: $2/
# Windows NT 4.0 SP6a
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0...([\w\-]{1,15}).*\04\0([\w\-]{1,15}) *\0\x84\0|s v/Microsoft Windows NT netbios-ssn//host: $1 workgroup: $2/
#
# Samba has a version too
# nmbd version 2.2.7 on Linux 2.4.20
match netbios-ns m|^\x80\xf0\x84\0\0\0\0\x01\0\0\0\0 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01\0\0\0\0...([\w\-]{1,15}).*\x04\0([\w\-]{1,15}) *\x1e\x84\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0|s v/Samba nmbd//host: $1 workgroup: $2/
match ftp m|220 localhost FTP server ready\r\n214-The following commands are recognized \(\* =>'s unimplemented\)\.\r\n214-USER PASS ACCT\* CWD XCWD CDUP XCUP SMNT\* \r\n214-QUIT REIN\* PORT PASV TYPE STRU MODE RETR \r\n214-STOR STOU APPE ALLO\* REST RNFR RNTO ABOR \r\n214-DELE| v/ProFTPD/1.2.9rc1//
# Solaris 8 ftpd
match ftp m|^220 [-.+\w]+ FTP server \(.*\) ready\.\r\n214-The following commands are recognized:\r\n USER EPRT STRU MAIL\* ALLO CWD STAT\* XRMD \r\n PASS LPRT MODE MSND\* REST\* XCWD HELP PWD \r\n ACCT\* EPSV RETR MSOM\* RNFR LIST NOOP XPWD \r\n REIN\* LPSV STOR MSAM\* RNTO NLST MKD CDUP \r\n| v/Sun Solaris ftpd///
# Phaser860 printer
match ftp m|^220 FTP server ready\.\r\n214- The following commands are recognized \(\* =>'s unimplemented\)\.\r\n USER PORT STOR MSAM\* RNTO\* NLST\* MKD\* CDUP\* EPLF\*\r\n PASS PASV\* APPE\* MRSQ\* ABOR SITE\* XMKD\* XCUP\*\r\n ACCT\* TYPE MLFL\* MRCP\* DELE SYST RMD\* STOU \r\n SMNT\* STRU MAIL\* ALLO\* CWD\* STAT XRMD\* SIZE\*\r\n REIN\* MODE MSND\* REST\* XC| v/Phaser printer ftpd///
# bsd-ftpd 0.3.3 (port of OpenBSD ftp server) on Linux 2.4.20
match ftp m|^220 [-.\w]+ FTP server ready\.\r\n214- The following commands are recognized \(\* =>'s unimplemented\)\.\r\n USER PORT TYPE MLFL\* MRCP\* DELE SYST RMD STOU \r\n PASS LPRT STRU MAIL\* ALLO CWD STAT XRMD SIZE \r\n ACCT\* EPRT MODE MSND\* REST XCWD HELP PWD MDTM \r\n SMNT\* PASV RETR MSOM\* RNFR LIST NOOP XPWD \r| v/bsd-ftpd//available on Linux/
# Rhinosoft Serv-U FTP v.4.1 build 4.1.0.0 on Windows XP
match ftp m|^220 .*\r\n214- The following commands are recognized \(\* => unimplemented\)\.\r\n USER PORT RETR ALLO DELE SITE XMKD CDUP FEAT\r\n PASS PASV STOR REST CWD STAT RMD XCUP OPTS\r\n ACCT TYPE APPE RNFR XCWD HELP XRMD STOU AUTH\r\n REIN STRU SMNT RNTO LIST NOOP PWD SIZE PBSZ\r\n| v/Rhinosoft Serv-U FTP///
# pure-ftpd 1.0.12 on Linux 2.4
match ftp m|^220[- ]FTP server ready\.\r\n.*214 Pure-FTPd - http://pureftpd\.org/?\r\n|s v/Pure-FTPd///
# BulletProof FTP server 2.15 on Windows XP
match ftp m|^220 .*\r\n530 Please login with USER and PASS first\.\r\n$| v/BulletProof FTPd//Windows/
# SGI IRIX 6.5.18f ftpd
match ftp m|^220 [-.\w]+ FTP server ready\.\r\n214- The following commands are recognized \(\* =>'s unimplemented\)\.\r\n USER PORT STOR MSAM\* RNTO NLST MKD CDUP \r\n PASS PASV APPE MRSQ\* ABOR SITE XMKD XCUP \r\n ACCT\* TYPE MLFL\* MRCP\* DELE SYST RMD STOU \r\n SMNT\* STRU MAIL\* ALLO CWD STAT XRMD SIZE \r\n REIN\* MODE MSND\* REST XCWD HELP PWD MDTM \r\n QUIT RETR MSOM\* RNFR LIST NOOP XPWD \r\n214 Direct comments to | v/SGI IRIX ftpd///
match finger m|^iFinger v(\d[-.\w]+)\n\n| v/IcculusFinger/$1//
match ident m|^\d+, \d+ : USERID : UNIX : [-.@\w]+\r\n| v/Internet Rex identd///
# Symantec Enterprise Firewall 6.5.2 SMTP proxy on Windows 2000
match smtp m|^220 [-.+\w]+ Generic SMTP handler\r\n214 Help not supported by this implementation\r\n$| v/Symantec Enterprise Firewall smtp proxy///
# Lotus Notes Domino 6.1 smtp server on Win2K
match smtp m|^220 Welcome to [-.+\w]+ ESMTP Server at .*\r\n214-Enter one of the following commands:\r\n214-HELO EHLO MAIL RCPT DATA RSET NOOP QUIT\r\n214 HELP VRFY EXPN STARTTLS \r\n$| v/Lotus Notes Domino smtpd///
# Exim 3.33 on FreeBSD
match smtp m|^220 ESMTP\r\n214-Commands supported:\r\n214- HELO EHLO MAIL RCPT DATA ETRN\r\n214 NOOP QUIT RSET HELP \r\n$| v/Exim smtpd/3.33//
# Exim 4.22 with SSL compiled in (STARTTLS) custom banner (runtime configuration option) and VRFY and
# EXPN also disabled in config file
match stmp m|^220 [-/.+\w]+ ESMTP\r\n214-Commands supported:\r\n214 AUTH STARTTLS HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP\r\n| v/Exim smtpd///
# Exim 4.20 on Astaro Security Linux gateway/proxy/firewall/router.
match smtp m|^220 [-.\w]+ ESMTP ready\.\r\n214-Commands supported:\r\n214 AUTH STARTTLS HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP\r\n$| v/Exim smtpd/4.20//
# Exim 4.0 with exiscan patch and banner removed - Linux 2.1.19 - 2.2.25
match smtp m|^220 .*SMTP Ready\. Expected Helo with a valid domain\.\r\n214-Commands supported:\r\n214 AUTH HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP\r\n| v/Exim smtpd/4.0//
match smtp m|^220 .* ESMTP ?\r\n214[- ]qmail home page: http://pobox.com/~djb/qmail.html| v/qmail smtpd///
match smtp m|^220 .* ESMTP ?\r\n214[- ]qmail home page: http://pobox\.com/~djb/qmail\.html\r\n214[- ]qmail-ldap patch home page: http://www\.nrg4u\.com\r\n| v/qmail-ldap smtpd///
match smtp m|^220 [-.\w]+ ESMTP\r\n214 netqmail home page: http://qmail\.org/netqmail\r\n| v/netqmail smtpd/1.04//
# VirusBuster MailShield for SMTP. Version 1.15.030 on Linux 2.4
match smtp m|^220 [-.\w]+ SMTP version 1\.00;\r\n214 We strongly advise you to study of the RFC821\.\.\.\r\n$| v/VirusBuster MailShield for SMTP///
# Postfix 1.1.11.0-woody3
# Postfix 1.1.7-2
match smtp m|^220 [-.\w]+ ESMTP Postfix\r\n$| v/Postfix smtpd/1.X//
# Postfix 1.1.12, 1.1.13, 2.0.9, 2.0.16
match smtp m|^220 .*\r\n502 Error: command not implemented\r\n$| v/Postfix smtpd///
# Courier ESMTP courier-0.42.0-1.7.3
match smtp m|^220 [-.\w]+ ESMTP\r\n502 ESMTP command error\r\n$| v/Courier smtpd///
match smtp m|^220 [-.\w]+ ESMTP Sendmail ([^;]{3,50})| v/Sendmail smtpd/$1//
match smtp m|220.*214-2\.0\.0 This is sendmail version ([-+.\w]+)\r\n214-2\.0\.0 Topics:\r\n214-2\.0\.0|s v/Sendmail smtpd/$1//
match smtp m|^220.* Sendmail (\d[-.\w]+) -- HELP not implemented\r\n|s v/Sendmail/$1//
match tcpmux m|^(sgi_[-.\w]+\r\n([-.\w]+\r\n)*)$| v/SGI IRIX tcpmux//Available services: $SUBST(1, "\r\n", ",")/
# Apple Filing Protocol (AFP) over TCP on Mac OS X 10.1.5
match afp m|^\x01\x03\0\0\xff\xff\xecQ\0\0\x01.\0\0\0\0\0.\0.\0.\0.\x80\xfb.([-.\w]+)[^-.\w].*\tMacintosh\x05\x06AFPX03\x06AFP2\.2\x0eAFPVersion 2\.1\x0eAFPVersion 2\.0\x0eAFPVersion 1\.1.\tDHCAST128|s v/Apple AFP//name: $1; protocol 2.2; Mac OS X 10.1.*/
match afp m|^\x01\x03\0\0\xff\xff\xecQ\0\0\x01.\0\0\0\0\0.\0.\0.\0.\x83\xfb.([-.\w]+)[^-.\w].*\tMacintosh\x06\x06AFP3\.1\x06AFPX03\x06AFP2\.2\x0eAFPVersion 2\.1\x0eAFPVersion 2\.0\x0eAFPVersion 1\.1\x04\tDHCAST128| v/Apple AFP//name: $1; protocol 3.1; Mac OS X 10.2.*;/
# OpenSSL/0.9.7aa
match ssl m|^\x16\x03\0\0J\x02\0\0F\x03\0| v/OpenSSL///
# Microsoft-IIS/5.0 - note that OpenSSL must go above this one because this is more general
match ssl m|^\x16\x03\0..\x02\0\0F\x03\0|s v/Microsoft IIS SSL///
# Novell Netware 6 Enterprise Web server 5.1 https
# Novell Netware Ldap over SSL or enterprise web server 5.1 over SSL
match ssl m|^\x16\x03\0\0:\x02\0\x006\x03\0| v/Novell Netware SSL///
# Cisco IDS 4.1 Appliance
match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03\0\xd10:\xbd\\\x8e\xe3\x15\x1c\x0fZ\xe4\x04\x87\x07\xc0\x82\xa9\xd4\x0e\x9c1LXk\xd1\xd2\x0b\x1a\xc6/p\0\0\n\0\x16\x03\0\x026\x0b\0\x022\0| v/Cisco IDS SSL///
# Nessus server sometimes gives this answer
match ssl m|^\x15\x03\0\0\x02\x02\($| v/Nessus security scanner///
# Other Nessus instances look like this:
match ssl m|^\x16\x03\x01\0J\x02\0\0F\x03\x01\?| v/Nessus security scanner///
match flexlm m|^W.-60\0\0\0......\0\0.\0\0\0\0\0\0\0.\0\0\0.\0\0\0...\0...........\0\0\0\0\0\0|s v/FlexLM license manager///
# Windows 2000 Server Kerberos
# Windows Server 2003 kerberos
match kerberos-sec m/^\0\0\0\0$/ v/Microsoft Windows kerberos-sec///
# Windows XP SP1
match microsoft-ds m|^\0\0\0.\xffSMBr\0\0\0\0\x88\x01@\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\x06\0\0\x01\0\x11\x07\0.\n\0\x01\0\x04\x11\0\0\0\0\x01\0\0\0\0\0\xfd\xe3\0\0| v/Microsoft Windows XP microsoft-ds///
match microsoft-ds m|^\0\0\0.\xffSMBr\0\0\0\0\x88\x01@\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\x06\0\0\x01\0\x11\x07\0.2\0\x01\0\x04A\0\0\0\0\x01\0\0\0\0\0\xfd\xf3\0\0| v/Microsoft Windows 2000 microsoft-ds///
# Microsoft Windows 2003
match microsoft-ds m|^\0\0\0.\xffSMBr\0\0\0\0\x88\x01@\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\x06\0\0\x01\0\x11\x07\0.2\0\x01\0\x04.\0\0\0\0\x01\0\0\0\0\0\xfd\xf3\x01\0|s v/Microsoft Windows 2003 microsoft-ds///
# Microsoft Windows 2000 Server
# Microsoft Windows 2000 Server SP4
match microsoft-ds m|^\0\0\0.\xffSMBr\0\0\0\0\x88\x01@\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\x06\0\0\x01\0\x11\x07\0.[}2]\0\x01\0\x04A\0\0\0\0\x01\0\0\0\0\0\xfd[\xe3\xf3]\0\0|s v/Microsoft Windows 2000 microsoft-ds///
# Microsoft Windows XP SP1
# Windows 2000
match msrpc m|^\x05\0\r\x03\x10\0\0\0\x18\0\0\0\0\x08\x01@\x04\0\x01\x05\0\0\0\0$| v/Microsoft Windows msrpc///
# Windows 2000 Advanced Server c:\winnt\system32\Mstask.exe
match mstask m|^\x05\0\r\x03\x10\0\0\0\x18\0\0\0\0\x08\x01@\x04\0\x01\x05\0...|s v/Microsoft mstask//task server - c:\winnt\system32\Mstask.exe/
# Microsoft Windows 2000
# samba-2.2.7-5.8.0 on RedHat 8
# samba-2.2.7a-8.9.0 on Red Hat Linux 7.x
match netbios-ssn m|^\0\0\0.\xffSMBr\0\0\0\0\x88\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\x06\0\0\x01\0\x11\x06\0.*\W([-.\w]+)\0$|s v/Samba smbd//workgroup: $1/
# Samba 2.999+3.0.alpha21-5 on Linux
# Samba 3.0.0rc4-Debian
match netbios-ssn m+^\0\0\0.\xffSMBr\0\0\0\0\x88\x01.\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\x06\0\0\x01\0\x11\x06\0.*([^\0]|([^-A-Z0-9]\0))(([-\w]\0){2,50})+s v/Samba smbd/3.X/workgroup: $P(3)/
# Samba 2.2.8a on Linux 2.4.20
match netbios-ssn m|^\x83\0\0\x01\x81$| v/Samba smbd///
# DAVE 4.1 enhanced windows networks services for Mac on Mac OS X
match netbios-ssn m|^\0\0\0.\xffSMBr\x02\0Y\0\x98\x01.\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\x06\0\0\x01\0\0\x07\0|s v/Thursby DAVE Windows filesharing//Runs on Macintosh systems/
# Windows 98
match netbios-ssn m|^\x83\0\0\x01\x8f$| v/Microsoft Windows 98 netbios-ssn///
# Netware might just be using Samba?
match netbios-ssn m|^\0\0\0M\xffSMBr\0\0\0\0\x80\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\x06\0\0\x01\0\x11\x07\0\x032\0\x01\0\xff\xff\0\0\0\0\x01\0\x84\xdeu\x07\x01\x02\0\0\x80\xaa\xa0\x83{k\xc3\x01\xa4\x01\x08\x08\0\x8a\xffp\xd3\x1d\?\xdbl$| v/Netware 6 SMB Services///
# Network Appliance ONTAP 6.3.3 netbios-ssn
match netbios-ssn m/^\0\0\0.\xffSMBr\0\0\0\0\x98\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\x06\0\0\x01\0\x11\x07\0.*([^\0]|([^-A-Z0-9]\0))(([-\w]\0){2,50})/s v/Network Appliance Ontap smbd//workgroup: $P(3)/
# HP OpenView Storage Data Protector A.05.10 on Windows 2000
# Hewlett Packard Omniback 4.1 on Windows NT
match omniback m|^\0\0\0.\xff\xfe1\x005\0\0\0 \0\x07\0\x01\0\[\x001\x002\0:\x001\0\]\0\0\0 \0\x07\0\x02\0\[\x002\x000\x000\x003\0\]\0\0\0 |s v/HP OpenView Omniback//Windows version/
# HP OpenView Storage Data Protector A.05.10 on Linux
match serversettingsd m|^\0\0\x004main\0\0\x01\0\0\0\0\x0c\0\0\0\0\0\0\0\x0c\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0quit\xff\xff\xff\xffcrpt$| v/Apple serversettingsd administration daemon//Mac OS X/
match symantec-esm m|^\0\x01#$| v/Symantec Enterprise Security Manager///
# Windows 2000 Server Wins name resolution service
# Windows NT 4.0 Wins
match wins m|^\0\0\0\x1e\xffS\xad\x80\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\x07\xe9\0\0\0\x01\0\0\x81\0\x02| v/Microsoft Windows Wins///
match sap-its m|^\0\0\0\x0c\x01\x03\0\0\0\0\x071\0\0\0\0\0\0\x071Content-Type:\x20\x20text/html;\x20charset=Windows-1250\r\n\r\n<!--\r\n\x20This\x20page\x20was\x20created\x20by\x20the\x20\r\n\x20SAP\x20Internet\x20Transaction\x20Server\x20\(ITS,\x20Version\x20,\x20Build\x20,\x20Virtual\x20Server\x20\)\r\n| v/SAP Internet Transaction Server///
match dantzretrospect m|^\0\xca\0\0\0\0\0\x04\0\0\0\0\0\0\x02\($| v/Dantz Retrospect backup client///
match font-service m|^\0\0\x02\0\0\0\0\0\0\0\0\0\x06\0\0\0\0@\x0c\0p\x17\0\0X Consortium\x01\n\x01\0\x05\0\0\0....\0\0..\0\0\0\0$|s v/Sun Solaris fs.auto///
match font-service m|^\0\0\x02\0\0\0\0\0\0\0\0\0\x0e\0\0\0\0 \*\0.\x19\0\0The XFree86 Project[-.\w() ]+..\x01\n\x01\0\x05\0\0\0....\0\0..\0\0\0|s v/XFree86 X Font Server///
match networkaudio m|^\0\x19\x02\0\x02\0\x07\0Protocol version mismatch\0\0\0\0\0\0\0$| v|Network Audio System|||
match networkaudio m|^\0\x19\x02\0\x02\0\x07\0Protocol version mismatch\0/\0\0\0\0\0$| v|Network Audio System|||
match X11 m|^\x01\0\x0b\0\0\0H\0\n\x19\0\0\0\0..\xff\xff\?\0\0\x01\0\0\x16\0\xff\xff\x01\x04\x01\x01 \x08.\0...Sun Microsystems, Inc\.\0\0\x01\x01|s v/XSun Solaris X11 server///
match X11 m|^\0\x2D\x0B\0\0\0\x0C\0| v///access denied/
# I think the below means access denied (no authentication protocol
# specified?) or is it a problem w/my probe that I should fix?
match X11 m|^\0\x16\x0b\0\0\0\x06\0No protocol specified\x0a..$|s v///access denied/
match X11 m|^\x01\0\x0b\0\0\0.\0...\x02\0\0.*The XFree86 Project, Inc|s v/XFree86//open/
match X11 m|^\x01\0\x0b\0\0\0.....\x02\0\0..\xff\xff\x1f\0\0\x01\0\0.\0\xff\xff\x01\x07\0\0 \x08\xff....Gentoo Linux \(XFree86 (\d[^)]+)\)\0\0|s v/XFree86/$1/Gentoo Linux/
match X11 m|^\x01\0\x0b\0\0\0.....\x02\0\0..\xff\xff\x1f\0\0\x01\0\0\.\0\xff\xff\x01.*Mandrake Linux \(XFree86 (\d[^\)]+)\)\0\0|s v/XFree86/$1/Mandrake Linux/
match X11 m|^\x01\0\x0b\0\0\0.....\x02\0\0..\xff\xff\x1f\0\0\x01\0\0.\0\xff\xff\x01.*Mandrake Linux \(XFree86 (\d[^\)]+)\)\0?\x01\x01|s v/XFree86/$1/Mandrake Linux/
match X11 m|^\x01\0\x0b\0\0\0\x4C\0\xA0\xE0\x63\x02\0\0| v///open/
# StarNet X-Win32 v5.4 on Windows XP
match X11 m|^\x01\0\x0b\0\0\x009\0..\0\0\0\0.\0\xff\xff\?\0\0\x01\0\0\x1c\0\xff\xff\x01\x07\x01\x01\x08\x10\x08....\0StarNet Communications Corp\.\x01\x01|s v/StarNet X-Win32///
match X11 m|^\x01\0\x0b\0\0\0=\0\x01\0\0\0\0\0\xc0\x06\xff\xff\?.*\0DECWINDOWS Digital Equipment Corporation Digital UNIX V(\d[-.\w]+)\0\0\x01\x01|s v/Digital UNIX X-Window/$1/Version is X Server and not of Digital UNIX/
# tightvnc 1.2.3 Xvnc
# Tightvnc 3.3.3 Xvnc
match X11 m|^\x01\0\x0b\0\0\0%\0\x04\r\0\0\0\0\x80.\xff\xff\?\0\0\x01\0\0\x1b\0\xff\xff\x01\x02\0\0 \x08\xff...\x08AT&T Laboratories Cambridge\0| v/Xvnc///
# Exceed X server for Win32 8.0.0.0
match X11 m|^\x01\0\x0b\0\0\x00.\0..\0\0\0\0@.\xff\xff\?\0\x01\0\0\0.\0\xff\xff\x01\x04\x01\x01\x08 \x08\xfe..A\0Hummingbird Ltd\.\x01\x01 \0.\x07\0\0\x08\x08 \0.\x07\0\0\x0c\x0c \0.\x07\0\0\x18 \0.\x07\0\0.\0\0\0 \0\0\0\xff\xff\xff\0\0\0\0| v/Hummingbird Exceed X server/8.X//
match X11 m|^\x01\0\x0b\0\0\0.\0..\0\0\0\0..\xff\xff\?\0\x01\0\0\0.\0\xff\xff\x01\x04\x01\x01\x08 \x08\xfe..A\0Hummingbird Communications Ltd\.\0\x01\x01 ...\0\0\x08\x08 ...\0\0\x0c\x0c ...\0\0\x18 ...\0\0.\0\0\0 \0\0\0\xff\xff\xff\0\0\0\0\0|s v/Hummingbird Exceed X server/7.X//
# HP MC/ServiceGuard for Linux A.11.14.02
match X11 m|^\0\0\0\x01\0\0\0\x0c\0\0\0\0$| v|HP MC/ServiceGuard|||
match X11 m|^\x01\0\x0b\0\0\0%\0\0\x19\0\0\0\0\0\x01\xff\xff\?\0\0\x01\0\0\x12\0\xff\xff\x01\x02\0\0 \x08\xfe\xba\x1dF\0Labtam Europe Ltd\.\0\0\x01\x01| v/Labtam X-WinPro///
match omninames m|^GIOP\x01\0\x01\x06\0\0\0\0$| v/omniORB omniNames//Corba naming service/
match shivahose m|^\x02\x06$| v///Shiva network modem access/
#WMS 4.1.0.3927
match wms m|^\x01\0\0.\xce\xfa\x0b\xb0.\0\0\0MMS .\0{7}.{9}\0\0\0\x01\0\x04\0\0\0\0\0\xf0\xf0\xf0\xf0\x0b\0\x04\0\x1c\0\x03\0\0\0\0\0\0\0\xf0\?\x01\0\0\0\x01\0\0\0\0\x80\0\0...\0.\0\0\0\0\0\0\0\0\0\0\0.\0\0\x00(\d)\0\.\x00(\d)\0\.\x00(\d)\0\.\x00(\d)\x00(\d)\x00(\d)\x00(\d)\0\0\0|s v/Microsoft Windows Media Service/$1.$2.$3.$4$5$6$7//
match wms m|^\x01\0\0.\xce\xfa\x0b\xb0.\0\0\0MMS .\0{7}.{9}\0\0\0\x01\0\x04\0\0\0\0\0\xf0\xf0\xf0\xf0\x0b\0\x04\0\x1c\0\x03\0\0\0\0\0\0\0\xf0\?\x01\0\0\0\x01\0\0\0\0\x80\0\0...\0.\0\0\0\0\0\0\0\0\0\0\0.\0\0\x00(\d)\0\.\x00(\d)\x00(\d)\0\.\x00(\d)\x00(\d)\0\.\x00(\d)\x00(\d)\x00(\d)\x00(\d)\0\0\0|s v/Microsoft Windows Media Service/$1.$2$3.$4$5.$6$7$8$9//
