diff --git a/ike-vendor-ids b/ike-vendor-ids
index 216eec9..644c98a 100644
--- a/ike-vendor-ids
+++ b/ike-vendor-ids
@@ -290,11 +290,15 @@ Nortel Contivity ^424e4553000000..
 # Observed to be sent from SonicWall Firewalls
 SonicWall-1 ^5b362bc820f60001
+SonicWall-2 ^5b362bc820f60002
 SonicWall-3 ^5b362bc820f60003
+SonicWall-5 ^5b362bc820f60005
 SonicWall-6 ^5b362bc820f60006
 SonicWall-7 ^5b362bc820f60007
+SonicWall-8 ^5b362bc820f60008
 SonicWall-a ^404bf439522ca3f6
 SonicWall-b ^da8e937880010000
+SonicWall-c ^5b362bc820f70001
 # SSH QuickSec
 # The VIDs are the MD5 hashes of "SSH Communications Security QuickSec x.y.z"
@@ -306,6 +310,10 @@ SSH QuickSec 1.1.2 ^2cdf08e712ede8a5978761267cd19b91
 SSH QuickSec 1.1.3 ^59e454a8c2cf02a34959121f1890bc87
 SSH QuickSec 2.1.0 ^8f9cc94e01248ecdf147594c284b213b
+# Netgear
+# The VID is the MD5 hash of "NETGEAR"
+Netgear ^dbfb81eb5760b0788562067da102d755
+
 # VIDs are MD5 hash of:
 # "IKE Challenge/Response for Authenticated Cryptographic Keys"
 # "IKE Challenge/Response for Authenticated Cryptographic Keys (Revised)"
@@ -409,6 +417,8 @@ strongSwan 4.0.3 ^b181b18e114fc209b3c6e26c3a80718e
 strongSwan 4.0.2 ^77e8eea6f556a499de3ffe7f7f95661c
 strongSwan 4.0.1 ^9dbbafcf1db0dd595ae065294003ad3e
 strongSwan 4.0.0 ^2ce9c946a4c879bf11b50b76cc5692cb
+strongSwan 2.8.9 ^0e9e820524932da199a498953afa8a7e
+strongSwan 2.8.8 ^8c4a3bcb729b11f703d22a5b39640ca8
 strongSwan 2.8.7 ^3a0d4e7ca4e492ed4dfe476d1ac6018b
 strongSwan 2.8.6 ^fe3f49706e26a9fb36a87bfce9ea36ce
 strongSwan 2.8.5 ^4c7efa31b39e510432a317570d97bbb9
@@ -450,7 +460,8 @@ strongSwan 2.2.0 ^85b6cbec480d5c8cd9882c825ac2c244
 # Observed on several devices. HTTP interface shows that they are XyWALL
 # I suspect that this VID is an SHA-1 hash of something because of the length
 ZyXEL ZyWALL Router ^b858d1addd08c1e8adafea150608aa4497aa6cc8
-ZyXEL ZyWall USG 100 ^f758f22668750f03b08df6ebe1d0
+ZyXEL ZyWALL USG 100 ^f758f22668750f03b08df6ebe1d0
+ZyXEL ZyWALL ^625027749d5ab97f5616c1602765cf480a3b7d0b
 # Microsoft Initial Contact
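Review bot: The added `ZyXEL ZyWALL` entry in the @@ -450 hunk carries no provenance: the comment above it still speaks of "this VID" in the singular and describes only the devices behind the first entry. Its label is also broader than `ZyXEL ZyWALL Router` and `ZyXEL ZyWALL USG 100`, so a match gives a reader less to go on when attributing a gateway in an inventory. I would add a line above it such as `# Observed on <model/firmware>; 20 bytes, same length as the ZyWALL Router VID`, with the placeholder filled in by whoever captured the value.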
@@ -573,22 +584,47 @@ Openswan 2.1.2 ^4f4555656771407e63636578
 Openswan 2.2.0 ^4f4548724b6e5e68557c604f
 Openswan 2.3.0 ^4f4572696f5c77557f746249
 Openswan 2.3.1 ^4f45454355706e735d625c71
+Openswan 2.3.1 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR ^4f45436f586c544d46766f54
+Openswan 2.3.1 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR ^4f454578616c467b5f6f606d
 Openswan 2.4.0 ^4f45785c567c6f61507e7864
+Openswan 2.4.0 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR ^4f457240604e7f585d6d5869
 Openswan 2.4.1 ^4f456e5e4c737d7d62796c51
 Openswan 2.4.10 ^4f456971726d54726e464a71
+Openswan 2.4.10 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR ^4f4574715e655577567a5f41
 Openswan 2.4.11 ^4f4550484948576e64636f6b
+Openswan 2.4.11 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR ^4f457b64445e664a6355766b
 Openswan 2.4.12 ^4f456c7c5b79725e4a6a5658
+Openswan 2.4.12 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR ^4f45606c50487c5662707575
+Openswan 2.4.12 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR ^4f454b427a64597b774d5d40
 Openswan 2.4.13 ^4f45445e597f60634770436c
+Openswan 2.4.13 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR ^4f456b5a5d52605d7a7a6f4e
+Openswan 2.4.13 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR ^4f456066696a417566514d44
 Openswan 2.4.14 ^4f454c4e767d475b775e6f56
+Openswan 2.4.14 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR ^4f455a526b5f4c686e534e63
 Openswan 2.4.15 ^4f45675d5e5d7f664c604651
+Openswan 2.4.15 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR ^4f4540784e47627163627858
+Openswan 2.4.15 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR ^4f457d78546050757b707245
 Openswan 2.4.2 ^4f45666a6343554b5f7a4062
 Openswan 2.4.3 ^4f4547407c7673775449546e
+Openswan 2.4.3 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR ^4f455b7075417d5959587e46
 Openswan 2.4.4 ^4f45565e6441545f4a664642
+Openswan 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR ^4f457a7d4646466667725f65
 Openswan 2.4.5 ^4f45587d5d4b4b7c61487b7c
+Openswan 2.4.5 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR ^4f454766754a5b59657b4168
+Openswan 2.4.5 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR ^4f456e4d43757f784f704063
+Openswan 2.4.5dr3 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR ^4f45725c5b754061666c425f
 Openswan 2.4.6 ^4f45636e6542785f6f6b7257
+Openswan 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR ^4f456c4c4f5d5264574e5244
+Openswan 2.4.6 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR ^4f454e7c454d716b5f4d6c67
+Openswan 2.4.6rc3 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR ^4f457a7d6d6c5e5441727070
 Openswan 2.4.7 ^4f4552756a414d79434d4951
+Openswan 2.4.7 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR ^4f455a7e4261425d725c705f
 Openswan 2.4.8 ^4f457a6d734b6f476273616c
+Openswan 2.4.8 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR ^4f455d62575860514272754c
+Openswan 2.4.8 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR ^4f4574514070784e717f5760
 Openswan 2.4.9 ^4f45414c5d6a75516450457a
+Openswan 2.4.9 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR ^4f45534a496f60726b636462
+Openswan 2.4.9 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR ^4f455f5d7b764b67436f4f49
 Openswan 2.5.0 ^4f4546477e5e4b5440606859
 Openswan 2.5.00 ^4f45495c767449495c5a7350
 Openswan 2.5.01 ^4f457260466858434c7e6a45
@@ -629,10 +665,14 @@ Openswan 2.6.17 ^4f4554704245584355764571
 Openswan 2.6.18 ^4f457d5a765a404d5b4f5744
 Openswan 2.6.19 ^4f456b71484c42504f664d44
 Openswan 2.6.20 ^4f4543714271574c644b7a41
+Openswan 2.6.20dr2 ^4f454970424c6d5f4e5b6f59
+Openswan 2.6.20rc1 ^4f4550544259485a67464e66
 Openswan 2.6.21 ^4f457e717f6b5a4e727d576b
 Openswan 2.6.22 ^4f456c6a405d72544d42754d
 Openswan 2.6.23 ^4f456d406b6753464548407f
 Openswan 2.6.24 ^4f45557d6068416e77737478
+Openswan 2.6.24rc3 ^4f45694b5146645d6863434c
+Openswan 2.6.24rc5 ^4f45445743787f6f78467b4d
 Openswan 2.6.25 ^4f4543606e547b776f5e5848
 Openswan 2.6.26 ^4f45504b7e7a764d4e645f57
 Openswan 2.6.27 ^4f456e544e77494c76567e5c
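Review bot: The new Openswan entries in the @@ -573 hunk give several VIDs for one release, told apart only by label suffixes (`X.509-1.5.4`, `LDAP_V3`, `PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR`), and nothing in the hunk says what the suffixes mean or how the values were obtained. A short comment above the block would help, for example `# Suffixed entries are the same release with the listed build options; the option string appears to be part of the hashed input`, kept hedged until it is checked against the Openswan source. One of them, `^4f454e7c454d716b5f4d6c67` (Openswan 2.4.6 X.509-1.5.4), begins with the same `4f454e` bytes as the Libreswan entries in the @@ -647 hunk, so if matching is first-match, as the "must come after" comment there implies, this entry depends on staying above the general patterns. The Openswan block starts before this hunk.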
@@ -647,17 +687,44 @@ Openswan 2.6.35 ^4f457e487a746b6f69705842
 Openswan 2.6.36 ^4f45716c74725d4b5a6c5d5f
 Openswan 2.6.37 ^4f45755c645c6a795c5c6170
 Openswan 2.6.38 ^4f4576795c6b677a57715c73
+Openswan 2.6.38dr2 ^4f454b705270417f765b6b59
+Openswan 2.6.38rc2 ^4f45414f75405b4e6b554a50
 Openswan 2.6.39 ^4f456d6470475f6c477d767d
+Openswan 2.6.39dr3 ^4f456c4e75416271485b7970
+
+# Openswan 2.6.40+ uses "OSW" instead of "OE" as prefix, and the same
+# truncated, "ASCIIfied" MD5 hash (only 9 bytes, to keep the same
+# total length)
+Openswan 2.6.40 ^4f53577666617a6f6355505a
+Openswan 2.6.41 ^4f535773786c6a4640545359
+Openswan 2.6.42 ^4f535751624a50497c705f61
+Openswan 2.6.43 ^4f53577b5547416f4c674b64
+
+# Openswan 2.6.44+, keeps the prefix "OSW", but the hashed name
+# changes from "Openswan" to "Linux Openswan"
+Linux Openswan 2.6.44 ^4f53574745627352675b5a51
+Linux Openswan 2.6.45 ^4f53577e7b6566787577466d
+Linux Openswan 2.6.46 ^4f535771775064405e494145
+Linux Openswan 2.6.47 ^4f5357584f7a6d66706e7052
+Linux Openswan 2.6.47.1 ^4f53575353637b5979536b4c
+Linux Openswan 2.6.48 ^4f53576d77657d7c497e6c7c
+Linux Openswan 2.6.49 ^4f5357795f4472657a654753
+Linux Openswan 2.6.50dev1 ^4f53575e5f45464d62615370
+
+Openswan Unknown Vsn ^4f5357[[:xdigit:]]{18}$
+
+# Libreswan was forked from Openswan 2.6.38, which was forked from
+# FreeS/WAN 1.99. This signature was taken from Libreswan 3.3 running
+# on Fedora Core 19 x86_64. It appears like the same scheme as
+# openswan, using OEN as the prefix.
+Libreswan 3.3 LDAP_V3 ^4f454e574547444b6865684a
+Libreswan 3.5 ^4f454e5f52685050487b645e
+Libreswan 3.5 LDAP_V3 ^4f454e756f6b706a71757d5c
 # General pattern, must come after specific FreeS/WAN and OpenSwan patterns.
+FreeS/WAN or OpenSWAN or Libreswan ^4f454e[[:xdigit:]]{18}$
 FreeS/WAN or OpenSWAN ^4f45[[:xdigit:]]{20}$
-#Libreswan was forked from Openswan 2.6.38, which was forked from
-#FreeS/WAN 1.99. This signature was taken from Libreswan 3.3 running
-#on Fedora Core 19 x86_64. It appears like the same scheme as openswan,
-#but I can't seem to tease out the source string syntax just yet.
-Libreswan 3.3 ^4f454e574547444b6865684a
-
 # OpenPGP
 # VID starts with ASCII "OpenPGP". This is generally followed by some extra
 # data, e.g. "OpenPGP10171", but we don't match that.
@@ -744,6 +811,9 @@ StoneGate-02 ^baeb239037e17787d730eed9d95d48aa
 Symantec-Raptor-v8.1 ^526170746f7220506f77657256706e20536572766572205b56382e315d
 Symantec-Raptor ^526170746f7220506f77657256706e20536572766572
+# First 9 bytes seem to be random, last six bytes are the string "Teldat"
+Teldat ^..................54656c646174
+
 # Other things I've seen but not fully classified yet.
 # If anyone can confirm any of these, please let me know.
 Maybe Cisco IOS ^bdb41038a7ec5e5534dd004d0f91f927
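Review bot: The ordering comment `# General pattern, must come after specific FreeS/WAN and OpenSwan patterns.` is left unchanged in the @@ -647 hunk, although two general patterns now sit under it and a third catch-all, `Openswan Unknown Vsn`, is placed separately with no comment at all. The order between `^4f454e[[:xdigit:]]{18}$` and `^4f45[[:xdigit:]]{20}$` matters as well, since the second matches everything the first does. I would reword the comment to `# General patterns, must come after all specific FreeS/WAN, Openswan and Libreswan patterns; keep the narrower 4f454e pattern first.` and put `# Catch-all for the OSW prefix, must come after the specific 2.6.40+ entries` above `Openswan Unknown Vsn`. The combined label on the `4f454e` pattern looks right, because an Openswan value can start with those bytes too, as one entry in the @@ -573 hunk shows.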
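Review bot: The `Teldat` pattern in the @@ -744 hunk has no end anchor, while its comment says the string "Teldat" is the last six bytes; as written it also matches any longer VID that happens to carry those bytes at offset 9. A pattern that matches the comment would be `Teldat ^[[:xdigit:]]{18}54656c646174$`, using the same `[[:xdigit:]]{n}` and `$` form as the catch-alls added earlier in this commit. The comment could also say how many devices the "seem to be random" observation rests on, since a fixed nine-byte prefix seen on a single unit would look the same.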