runZeroInc / recog-go

Recog-Go: Pattern Recognition using Rapid7 Recog

XML invalid matching response for specific XMLs and missing feature for specific XML file search #23

Open orsaada opened 1 year ago

orsaada commented 1 year ago

Seems like there is a bug in finding the matching XML for the following strings, while the Ruby project (recog-ruby) returns a valid finding.

1. http_servers.xml

input: Apache/2.4.6 (Red Hat Enterprise Linux)

ruby output: "matched"=>"Apache", "service.vendor"=>"Apache", "service.product"=>"HTTPD", "service.family"=>"Apache", "service.version"=>"2.4.6", "service.cpe23"=>"cpe:/a:apache:http_server:2.4.6", "apache.info"=>"(Red Hat Enterprise Linux)", "service.protocol"=>"http", "fingerprint_db"=>"http_header.server", "data"=>"Apache/2.4.6 (Red Hat Enterprise Linux)"

go output: "fp.certainty": "0.85", "os.cpe23": "cpe:/o:redhat:enterprise_linux:-", "os.family": "Linux", "os.product": "Enterprise Linux", "os.vendor": "Red Hat"

2. dns_versionbind.xml

input: PowerDNS Authoritative Server 4.7.3

ruby output: "matched"=>"PowerDNS Authoritative Server: format 2", "service.vendor"=>"PowerDNS", "service.family"=>"PowerDNS", "service.product"=>"Authoritative Server", "service.version"=>"4.7.3", "service.cpe23"=>"cpe:/a:powerdns:authoritative_server:4.7.3", "service.protocol"=>"dns", "fingerprint_db"=>"dns.versionbind", "data"=>"PowerDNS Authoritative Server 4.7.3 (built Apr 25 2023 12:34:07 by root@bh-centos-7.dev.cpanel.net)"

go output: "fp.certainty": "0.85", "os.arch": "PowerPC"

In addition, the feature for searching only in specific XMLs, which is implemented in the Ruby project, is missing. The feature should allow searching for a string in a specific XML instead of the whole XML folder location.

pbarry25 commented 1 year ago

Heyya @orsaada. :wave:

The recog_match utility created when you build this repo does support specifying specific recog XML files (as do the other built recog_XYZ utils in this repo), which does get expected results that match the ruby recog_match utility (in the recog repo) results:

$ echo "Apache/2.4.6 (Red Hat Enterprise Linux)" | ~/go/bin/recog_match /vagrant/recog/xml/http_servers.xml
{"apache.info":"(Red Hat Enterprise Linux)","fp.certainty":"0.85","matched":"Apache","service.cpe23":"cpe:/a:apache:http_server:2.4.6","service.family":"Apache","service.product":"HTTPD","service.vendor":"Apache","service.version":"2.4.6"}

$ echo "PowerDNS Authoritative Server 4.7.3" | ~/go/bin/recog_match /vagrant/recog/xml/dns_versionbind.xml
{"fp.certainty":"0.85","matched":"PowerDNS Authoritative Server: version only","service.cpe23":"cpe:/a:powerdns:authoritative_server:4.7.3","service.family":"PowerDNS","service.product":"Authoritative Server","service.vendor":"PowerDNS","service.version":"4.7.3"}

Does this satisfy your use case? If so, maybe just a bit of improved documentation/usage might be an adequate PR to address this...?
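To make the difference between a folder-wide search and a single-file search concrete, here is an added Go example; it is not code from recog-go or from the Rapid7 Recog project. It implements a minimal matcher over three constructed, deliberately tiny fingerprint files in the Recog XML shape (a fingerprints root, fingerprint elements with a pattern attribute, description and param children). Running the Apache banner through every database in load order lets an unanchored OS pattern claim it first, which is the kind of result the issue shows; selecting one database, as passing a single XML path to recog_match does, returns the expected service fields. The file contents, the patterns, the os.banner database name and the load order are assumptions made for the example; only the attribute names already on this page (matched, fingerprint_db, service.*, apache.info, os.*) are taken from it.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"regexp"
)

// Subset of the Recog fingerprint XML schema: a <fingerprints> root whose
// <fingerprint pattern="..."> children carry a <description> and <param> list.
type fingerprintDB struct {
	Matches  string        `xml:"matches,attr"`  // e.g. http_header.server
	Protocol string        `xml:"protocol,attr"` // empty for OS/util databases
	Entries  []fingerprint `xml:"fingerprint"`
}

type fingerprint struct {
	Pattern     string  `xml:"pattern,attr"`
	Description string  `xml:"description"`
	Params      []param `xml:"param"`
	re          *regexp.Regexp // compiled once by mustLoad
}

// pos="0" params carry a fixed value; pos="N" params take capture group N.
type param struct {
	Pos   int    `xml:"pos,attr"`
	Name  string `xml:"name,attr"`
	Value string `xml:"value,attr"`
}

// mustLoad parses one fingerprint file and compiles every pattern up front,
// so a bad pattern fails at load time rather than in the middle of a scan.
func mustLoad(xmlText string) *fingerprintDB {
	var db fingerprintDB
	if err := xml.Unmarshal([]byte(xmlText), &db); err != nil {
		panic(err)
	}
	for i := range db.Entries {
		db.Entries[i].re = regexp.MustCompile(db.Entries[i].Pattern)
	}
	return &db
}

// match returns the attributes of the first fingerprint that matches the banner, or nil.
func (db *fingerprintDB) match(banner string) map[string]string {
	for _, fp := range db.Entries {
		groups := fp.re.FindStringSubmatch(banner)
		if groups == nil {
			continue
		}
		out := map[string]string{"matched": fp.Description, "fingerprint_db": db.Matches}
		if db.Protocol != "" {
			out["service.protocol"] = db.Protocol
		}
		for _, p := range fp.Params {
			if p.Pos == 0 {
				out[p.Name] = p.Value
			} else if p.Pos < len(groups) && groups[p.Pos] != "" {
				out[p.Name] = groups[p.Pos] // optional groups that did not match are skipped
			}
		}
		return out
	}
	return nil
}

// matchAny is the "every XML in the folder" search: databases are tried in the
// order given, so a loose pattern in an unrelated file can claim the banner first.
func matchAny(dbs []*fingerprintDB, banner string) map[string]string {
	for _, db := range dbs {
		if m := db.match(banner); m != nil {
			return m
		}
	}
	return nil
}

// Constructed, deliberately tiny fingerprint files; not the real Recog XML.
const osXML = `<fingerprints matches="os.banner">
  <fingerprint pattern="Red Hat Enterprise Linux"><description>RHEL (unanchored)</description>
    <param pos="0" name="os.vendor" value="Red Hat"/><param pos="0" name="os.family" value="Linux"/>
  </fingerprint></fingerprints>`

const httpServersXML = `<fingerprints matches="http_header.server" protocol="http">
  <fingerprint pattern="^Apache/(\d+(?:\.\d+)*)(?:\s+(\(.*\)))?$"><description>Apache</description>
    <param pos="0" name="service.vendor" value="Apache"/><param pos="0" name="service.product" value="HTTPD"/>
    <param pos="1" name="service.version"/><param pos="2" name="apache.info"/>
  </fingerprint></fingerprints>`

const dnsVersionBindXML = `<fingerprints matches="dns.versionbind" protocol="dns">
  <fingerprint pattern="^PowerDNS Authoritative Server (\d+(?:\.\d+)*)"><description>PowerDNS Authoritative Server: version only</description>
    <param pos="0" name="service.vendor" value="PowerDNS"/><param pos="1" name="service.version"/>
  </fingerprint></fingerprints>`

func main() {
	// OS file first on purpose: load order decides which database wins in matchAny.
	dbs := []*fingerprintDB{mustLoad(osXML), mustLoad(httpServersXML), mustLoad(dnsVersionBindXML)}
	fmt.Println("all databases:", matchAny(dbs, "Apache/2.4.6 (Red Hat Enterprise Linux)"))
	fmt.Println("http only:    ", dbs[1].match("Apache/2.4.6 (Red Hat Enterprise Linux)"))
}
```

The point to take from the two printed lines is that the same banner yields an os.* result from the folder-wide search and a service.* result from the single-database search; whichever tool you use, pin the fingerprint database to the protocol the banner came from (the http_header.server file for a Server header, dns.versionbind for a version.bind reply) rather than relying on the order files happen to be loaded in.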