runZeroInc / recog-go

Recog-Go: Pattern Recognition using Rapid7 Recog

recog_match not reporting a match #21

Closed orsaada closed 1 year ago

orsaada commented 1 year ago

I tried to execute recog_match, but I don't receive a match, while the fingerprint seems to contain a valid matching regex.

$ go run ./cmd/recog_match /recog/xml "Xerox VersaLink B7030; System 58.21.41, Controller 1.30.2, IOT 54.21.0, ADF 31.16.0, Panel 154.116.11, Boot 11.1.197, RSEP 1.8.15"

hdm commented 1 year ago

Can you share the XML fingerprint for comparison?

orworkc commented 1 year ago

After execution of

  1. RECOG_XML=/xml go generate
  2. go run ./cmd/recog_match "/xml" "description"

I left only the specific file I want to execute in the xml directory, https://github.com/rapid7/recog/blob/main/xml/snmp_sysdescr.xml

I don't receive a match result, while the Ruby code works as expected (https://github.com/rapid7/recog), e.g.

$ echo -n 'Apache/2.4.38 (Debian)' | bin/recog_match xml/http_servers.xml -

$ go run ./cmd/recog_match "D:/recog/xml" "Xerox VersaLink B7030; System 58.21.41, Controller 1.30.2, IOT 54.21.0, ADF 31.16.0, Panel 154.116.11, Boot 11.1.197, RSEP 1.8.15"
{"fp.certainty":"0.85","matched":"Oracle MySQL (common)","service.cpe23":"cpe:/a:oracle:mysql:1.8.15","service.family":"MySQL","service.product":"MySQL","service.vendor":"Oracle","service.version":"1.8.15"}

pbarry25 commented 1 year ago

Just a couple of datapoints using a clone of the most recent recog-go code and go version 1.20.6 under macOS 12.6.8...

The above example using http_servers.xml seems to be working as-expected for me:

$ cd recog-go/cmd/recog_match
$ go run main.go /Users/userx/code/recog/xml/http_servers.xml "Apache/2.4.38 \(Debian\)"
{"apache.info":"","fp.certainty":"0.85","matched":"Apache","service.cpe23":"cpe:/a:apache:http_server:2.4.38","service.family":"Apache","service.product":"HTTPD","service.vendor":"Apache","service.version":"2.4.38"}
$ go run main.go /Users/userx/code/recog/xml "Apache/2.4.38 \(Debian\)"
{"apache.info":"","fp.certainty":"0.85","matched":"Apache","service.cpe23":"cpe:/a:apache:http_server:2.4.38","service.family":"Apache","service.product":"HTTPD","service.vendor":"Apache","service.version":"2.4.38"}
{"fp.certainty":"0.85","matched":"Debian Linux","os.cpe23":"cpe:/o:debian:debian_linux:-","os.family":"Linux","os.product":"Linux","os.vendor":"Debian"}

But trying examples which use simple, known-to-match patterns in html_title.xml and snmp_sysdescr.xml do not match for me:

$ ./recog_match /Users/userx/code/recog/xml/html_title.xml "Eltex - NTP-2"
$
$ ./recog_match /Users/userx/code/recog/xml "Eltex - NTP-2"
$
$ go run main.go /Users/userx/code/recog/xml/snmp_sysdescr.xml "Prestige 650R-T3"
$
$ go run main.go /Users/userx/code/recog/xml "Prestige 650R-T3"
$

Will add a bit of debug here...

EDIT: looks like the fingerprint() function may be splitting on spaces in an unexpected way (one which leads the above http_server.xml example to still match on just Apache/2.4.38)...

EDIT 2: Fix looks straightforward, PR'ing here...
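The failure mode pbarry25 hypothesises above (the input being split on spaces before the patterns are applied) explains all three observations in this thread: a single-token banner such as "Apache/2.4.38" still matches, a multi-word string such as "Eltex - NTP-2" never does, and a long sysDescr can produce a spurious hit when one of its tokens happens to look like a bare version number. The following Go program is an added illustration of that behaviour, not recog-go's own parser or matcher. It uses a small constructed fingerprint database in the recog XML style (the three patterns are assumptions modelled on the thread's examples, not copied from the rapid7/recog XML files) and runs each input both against the complete string and token by token.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"regexp"
	"strings"
)

// fingerprintDB mirrors only the subset of the Recog XML layout needed here
// (fingerprints -> fingerprint -> param). Added illustration, not recog-go's code.
type fingerprintDB struct {
	XMLName      xml.Name      `xml:"fingerprints"`
	Fingerprints []fingerprint `xml:"fingerprint"`
}

type fingerprint struct {
	Pattern string  `xml:"pattern,attr"`
	Params  []param `xml:"param"`
	re      *regexp.Regexp // compiled from Pattern by loadDB
}

type param struct {
	Pos   int    `xml:"pos,attr"`
	Name  string `xml:"name,attr"`
	Value string `xml:"value,attr"` // used only when Pos == 0
}

// sampleXML is a constructed database. The first two patterns are simplified
// versions of the thread's examples; the third is a deliberately loose
// version-only pattern standing in for whatever banner fingerprint produced
// the spurious "1.8.15" match. None of these is a real recog fingerprint.
const sampleXML = `<fingerprints matches="example" protocol="http" database_type="service">
  <fingerprint pattern="^Apache/(\d+\.\d+\.\d+)(?: \(Debian\))?$">
    <param pos="0" name="service.vendor" value="Apache"/>
    <param pos="0" name="service.product" value="HTTPD"/>
    <param pos="1" name="service.version"/>
  </fingerprint>
  <fingerprint pattern="^Eltex - NTP-2$">
    <param pos="0" name="hw.vendor" value="Eltex"/>
    <param pos="0" name="hw.product" value="NTP-2"/>
  </fingerprint>
  <fingerprint pattern="^(\d+\.\d+\.\d+)$">
    <param pos="0" name="service.product" value="VersionOnly (constructed)"/>
    <param pos="1" name="service.version"/>
  </fingerprint>
</fingerprints>`

// loadDB parses the XML and compiles every pattern with Go's RE2 engine.
func loadDB(data string) (*fingerprintDB, error) {
	var db fingerprintDB
	if err := xml.Unmarshal([]byte(data), &db); err != nil {
		return nil, err
	}
	for i := range db.Fingerprints {
		re, err := regexp.Compile(db.Fingerprints[i].Pattern)
		if err != nil {
			return nil, fmt.Errorf("fingerprint %d: %w", i, err)
		}
		db.Fingerprints[i].re = re
	}
	return &db, nil
}

// matchOne applies a single fingerprint and builds the attribute map the way
// recog does: pos 0 params carry fixed values, pos n params take capture group n.
func (fp *fingerprint) matchOne(text string) map[string]string {
	m := fp.re.FindStringSubmatch(text)
	if m == nil {
		return nil
	}
	out := map[string]string{}
	for _, p := range fp.Params {
		if p.Pos == 0 {
			out[p.Name] = p.Value
		} else if p.Pos < len(m) {
			out[p.Name] = m[p.Pos]
		}
	}
	return out
}

// match is the intended behaviour: each anchored pattern sees the full input.
func (db *fingerprintDB) match(text string) map[string]string {
	for i := range db.Fingerprints {
		if out := db.Fingerprints[i].matchOne(text); out != nil {
			return out
		}
	}
	return nil
}

// matchTokens reproduces the suspected bug: the input is split on whitespace
// and every token is matched on its own, so multi-word patterns can never
// match and a lone version-like token can trigger an unrelated fingerprint.
func (db *fingerprintDB) matchTokens(text string) map[string]string {
	for _, tok := range strings.Fields(text) {
		if out := db.match(tok); out != nil {
			return out
		}
	}
	return nil
}

func main() {
	db, err := loadDB(sampleXML)
	if err != nil {
		panic(err)
	}
	for _, in := range []string{
		"Apache/2.4.38 (Debian)",
		"Eltex - NTP-2",
		"Xerox VersaLink B7030; System 58.21.41, Controller 1.30.2, IOT 54.21.0, ADF 31.16.0, Panel 154.116.11, Boot 11.1.197, RSEP 1.8.15",
	} {
		fmt.Printf("%q\n  whole:  %v\n  tokens: %v\n", in, db.match(in), db.matchTokens(in))
	}
}
```

Running it shows the Apache banner matching under both strategies, the Eltex title matching only when the whole string is used, and the Xerox sysDescr matching nothing as a whole but yielding a version-only hit on its last token under the split strategy, which is exactly the shape of the "1.8.15" result reported at the top of the thread.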