Nmap Development mailing list archives

service-probe question: FTP services


From: Tom Sellers <nmap () fadedcode net>
Date: Tue, 03 Feb 2009 18:01:45 -0600

Both of the following lines in nmap-service-probes:

match ftp m|^220 ([-\w]+) FTP server \(Version (\d.[.\d]+) ([A-Z][a-z]{2} [A-Z][a-z]{2} [0-9]+ [0-9:]+ .* [21][0-9]+)\) ready\.\r\n| p/HP-UX 10.x ftpd/ h/$1/ v/$2/ o/HP-UX/ i/$3/
match ftp m|^220 ([-\w]+) FTP server \(Version (\d[-.\w]+) [A-Z][a-z]{2} [A-Z][a-z]{2} .*\) ready\.\r\n| p/AIX ftpd/ h/$1/ v/$2/ o/AIX/

will match the following FTP banner:

220 mytesthost FTP server (Version 6.1 Mon Oct 18 04:11:03 CDT 2011) ready.

One line indicates HP-UX and the other AIX.  The host I tested against was AIX but
the service fingerprint indicated that it was an HP-UX 10.x machine.  Removing the HP-UX
matchline allowed the fp to match the AIX line.  Should these be changed to indicate
both OSs or just edited to reference a generic ftp server?

Also, the following match line:
match smtp m|^220 $| p/OpenBSD spamd/

will trigger incorrectly on

match ftp m|^220 IB-21E Ver ([\d.]+) FTP server\.\r\n| p/Kyocera IB-21E ftpd/ v/$1/ d/print server/

I have not quite figured out why.  When I remove the OpenBSD spamd entry it fingerprints correctly.

Any thoughts?

Tom Sellers

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
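
The overlap described in the message above, as an added example that is not part of the original post or of Nmap's own code: a small Python checker that parses the two quoted match lines, runs them against the quoted banner, and reports which line wins in file order and which lines it shadows. It uses Python's `re` in place of Nmap's PCRE, assumes the banner ends in CRLF, and all function names are hypothetical.

```python
import re

# The two match lines quoted in the post, each rejoined onto a single line.
PROBE_LINES = [
    r"match ftp m|^220 ([-\w]+) FTP server \(Version (\d.[.\d]+) ([A-Z][a-z]{2} [A-Z][a-z]{2} [0-9]+ [0-9:]+ .* [21][0-9]+)\) ready\.\r\n| p/HP-UX 10.x ftpd/ h/$1/ v/$2/ o/HP-UX/ i/$3/",
    r"match ftp m|^220 ([-\w]+) FTP server \(Version (\d[-.\w]+) [A-Z][a-z]{2} [A-Z][a-z]{2} .*\) ready\.\r\n| p/AIX ftpd/ h/$1/ v/$2/ o/AIX/",
]
# Banner from the post; the trailing CRLF is an assumption taken from the \r\n in the patterns.
BANNER = "220 mytesthost FTP server (Version 6.1 Mon Oct 18 04:11:03 CDT 2011) ready.\r\n"

def parse_match(line):
    """Split a match line into (service, compiled regex, {field: template})."""
    _, service, rest = line.split(" ", 2)
    delim = rest[1]                                  # character after the leading 'm'
    pattern, _, tail = rest[2:].partition(delim)     # regex runs to the next delimiter
    flags_txt, _, fields_txt = tail.partition(" ")   # optional i/s flags, then fields
    flags = (re.I if "i" in flags_txt else 0) | (re.S if "s" in flags_txt else 0)
    fields = dict(re.findall(r"(?:^| )([pvihod])/([^/]*)/", fields_txt))
    return service, re.compile(pattern, flags), fields

def fill(template, m):
    """Substitute $1..$9 in a field template with the regex capture groups."""
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", template)

def matching_lines(lines, banner):
    """Return (index, service, filled fields) for every line matching the banner."""
    hits = []
    for idx, line in enumerate(lines):
        service, rx, fields = parse_match(line)
        m = rx.search(banner)
        if m:
            hits.append((idx, service, {k: fill(v, m) for k, v in fields.items()}))
    return hits

def report(lines, banner):
    """First hit in file order is what gets reported; later hits are shadowed."""
    hits = matching_lines(lines, banner)
    return (hits[0] if hits else None), hits[1:]

if __name__ == "__main__":
    winner, shadowed = report(PROBE_LINES, BANNER)
    print("reported:", winner)
    for hit in shadowed:
        print("shadowed:", hit)
```

Running the same check over a full nmap-service-probes file with a set of known banners flags every pair of lines that cannot both be right for the same banner.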

