TemplateMan Update [Wed Sep 27 13:29:58 UTC 2023] 🤖

2023-09-27 13:29:58 +00:00 · 2023-09-27 13:29:58 +00:00 · 627e654d30
parent 9cbcb77b26
commit 627e654d30
91 changed files with 234 additions and 254 deletions
--- a/network/backdoor/backdoored-zte.yaml
+++ b/network/backdoor/backdoored-zte.yaml
@ -10,12 +10,12 @@ info:
    - https://www.exploit-db.com/ghdb/7179
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
-    cvss-score: 10.0
+    cvss-score: 10
    cwe-id: CWE-912
  metadata:
-    max-request: 2
+    max-request: 1
    verified: true
    shodan-query: http.html:"ZTE Corporation"
    verified: true
  tags: edb,network,zte,telnet,backdoor,router
 tcp:
--- a/network/backdoor/vsftpd-backdoor.yaml
+++ b/network/backdoor/vsftpd-backdoor.yaml
@ -7,14 +7,14 @@ info:
  description: VSFTPD 2.3.4 contains a backdoor command execution vulnerability.
  reference:
    - https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor/
  remediation: This backdoor was removed on July 3rd, 2011.
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
-    cvss-score: 10.0
+    cvss-score: 10
    cwe-id: CWE-78
  remediation: This backdoor was removed on July 3rd, 2011.
  tags: network,vsftpd,ftp,backdoor
  metadata:
-    max-request: 2
+    max-request: 1
  tags: network,vsftpd,ftp,backdoor
 tcp:
  - inputs:
--- a/network/cves/2001/CVE-2001-1473.yaml
+++ b/network/cves/2001/CVE-2001-1473.yaml
@ -5,23 +5,23 @@ info:
  author: iamthefrogy
  severity: high
  description: SSHv1 is deprecated and has known cryptographic issues.
  remediation: Upgrade to SSH 2.4 or later.
  reference:
    - https://www.kb.cert.org/vuls/id/684820
    - https://nvd.nist.gov/vuln/detail/CVE-2001-1473
    - http://www.kb.cert.org/vuls/id/684820
    - https://exchange.xforce.ibmcloud.com/vulnerabilities/6603
  remediation: Upgrade to SSH 2.4 or later.
  classification:
    cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
    cvss-score: 7.5
    cve-id: CVE-2001-1473
    cwe-id: CWE-310
    epss-score: 0.00258
    cpe: cpe:2.3:a:ssh:ssh:1.2.24:*:*:*:*:*:*:*
    epss-score: 0.00258
  metadata:
-    max-request: 2
+    max-request: 1
    vendor: ssh
    product: ssh
    vendor: ssh
  tags: cve,cve2001,network,ssh,openssh
 tcp:
  - host:
--- a/network/cves/2015/CVE-2015-3306.yaml
+++ b/network/cves/2015/CVE-2015-3306.yaml
@ -5,24 +5,24 @@ info:
  author: pdteam
  severity: critical
  description: ProFTPD 1.3.5 contains a remote code execution vulnerability via the mod_copy module which allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.
  remediation: Upgrade to ProFTPD 1.3.5a / 1.3.6rc1 or later.
  reference:
    - https://github.com/t0kx/exploit-CVE-2015-3306
    - https://www.exploit-db.com/exploits/36803/
    - http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157053.html
    - http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157054.html
    - https://nvd.nist.gov/vuln/detail/CVE-2015-3306
  remediation: Upgrade to ProFTPD 1.3.5a / 1.3.6rc1 or later.
  classification:
    cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
    cvss-score: 10
    cve-id: CVE-2015-3306
    cwe-id: CWE-284
    epss-score: 0.97267
    cpe: cpe:2.3:a:proftpd:proftpd:1.3.5:*:*:*:*:*:*:*
    epss-score: 0.97267
  metadata:
-    max-request: 2
+    max-request: 1
    vendor: proftpd
    product: proftpd
    vendor: proftpd
  tags: cve,cve2015,ftp,rce,network,proftpd,edb
 tcp:
  - host:
--- a/network/cves/2016/CVE-2016-2004.yaml
+++ b/network/cves/2016/CVE-2016-2004.yaml
@ -5,25 +5,25 @@ info:
  author: pussycat0x
  severity: critical
  description: HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. This vulnerability exists because of an incomplete fix for CVE-2014-2623.
  remediation: |
    Upgrade to the most recent version of HP Data Protector.
  reference:
    - https://www.exploit-db.com/exploits/39858
    - https://nvd.nist.gov/vuln/detail/CVE-2016-2004
    - http://www.kb.cert.org/vuls/id/267328
    - https://www.exploit-db.com/exploits/39858/
    - http://packetstormsecurity.com/files/137199/HP-Data-Protector-A.09.00-Command-Execution.html
  remediation: |
    Upgrade to the most recent version of HP Data Protector.
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2016-2004
    cwe-id: CWE-306
    epss-score: 0.06793
    cpe: cpe:2.3:a:hp:data_protector:*:*:*:*:*:*:*:*
    epss-score: 0.06793
  metadata:
-    max-request: 2
+    max-request: 1
    vendor: hp
    product: data_protector
    vendor: hp
  tags: cve,cve2016,network,iot,hp,rce,edb
 tcp:
  - host:
--- a/network/cves/2016/CVE-2016-3510.yaml
+++ b/network/cves/2016/CVE-2016-3510.yaml
@ -15,9 +15,9 @@ info:
    cvss-score: 9.8
    cve-id: CVE-2016-3510
    cwe-id: CWE-119
-    epss-score: 0.0162000000
+    epss-score: 0.0162
  metadata:
-    max-request: 2
+    max-request: 1
    verified: true
  tags: cve,cve2016,weblogic,t3,rce,oast,deserialization,network
--- a/network/cves/2017/CVE-2017-3881.yaml
+++ b/network/cves/2017/CVE-2017-3881.yaml
@ -6,24 +6,24 @@ info:
  severity: critical
  description: |
    A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges. The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors: (1) the failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device; and (2) the incorrect processing of malformed CMP-specific Telnet options. An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device. This affects Catalyst switches, Embedded Service 2020 switches, Enhanced Layer 2 EtherSwitch Service Module, Enhanced Layer 2/3 EtherSwitch Service Module, Gigabit Ethernet Switch Module (CGESM) for HP, IE Industrial Ethernet switches, ME 4924-10GE switch, RF Gateway 10, and SM-X Layer 2/3 EtherSwitch Service Module. Cisco Bug IDs: CSCvd48893.
  remediation: Deactivate a telnet connection or employ Access Control Lists (ACLs) to limit access.
  reference:
    - https://github.com/artkond/cisco-rce
    - https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/
    - https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/dos/cisco/ios_telnet_rocem.md
    - https://nvd.nist.gov/vuln/detail/CVE-2017-3881
    - http://www.securitytracker.com/id/1038059
  remediation: Deactivate a telnet connection or employ Access Control Lists (ACLs) to limit access.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2017-3881
    cwe-id: CWE-20
    epss-score: 0.97332
    cpe: cpe:2.3:o:cisco:ios:*:*:*:*:*:*:*:*
    epss-score: 0.97332
  metadata:
-    max-request: 2
+    max-request: 1
    vendor: cisco
    product: ios
    vendor: cisco
  tags: cve,cve2017,cisco,rce,network,kev,msf
 tcp:
  - host:
--- a/network/cves/2017/CVE-2017-5645.yaml
+++ b/network/cves/2017/CVE-2017-5645.yaml
@ -6,25 +6,25 @@ info:
  severity: critical
  description: |
    In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
  remediation: |
    Consider updating to Log4j 2.15.0 or a newer version, deactivating JNDI lookups, or implementing a Java Agent to safeguard against potentially harmful JNDI lookups.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/log4j/CVE-2017-5645
    - https://nvd.nist.gov/vuln/detail/CVE-2017-5645
    - http://www.openwall.com/lists/oss-security/2019/12/19/2
    - http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
    - http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
  remediation: |
    Consider updating to Log4j 2.15.0 or a newer version, deactivating JNDI lookups, or implementing a Java Agent to safeguard against potentially harmful JNDI lookups.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2017-5645
    cwe-id: CWE-502
    epss-score: 0.74805
    cpe: cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
    epss-score: 0.74805
  metadata:
-    max-request: 2
+    max-request: 1
    vendor: apache
    product: log4j
    vendor: apache
  tags: cve,cve2017,vulhub,network,apache,log4j,rce,deserialization,oast,
 variables:
  end: "\r\n"
--- a/network/cves/2018/CVE-2018-2893.yaml
+++ b/network/cves/2018/CVE-2018-2893.yaml
@ -16,9 +16,9 @@ info:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-2893
-    epss-score: 0.973460000
+    epss-score: 0.97346
  metadata:
-    max-request: 2
+    max-request: 1
  tags: cve,cve2018,weblogic,network,deserialization,rce,oracle
 tcp:
--- a/network/cves/2020/CVE-2020-11981.yaml
+++ b/network/cves/2020/CVE-2020-11981.yaml
@ -15,9 +15,9 @@ info:
    cvss-score: 9.8
    cve-id: CVE-2020-11981
    cwe-id: CWE-78
-    epss-score: 0.936930000
+    epss-score: 0.93693
  metadata:
-    max-request: 2
+    max-request: 1
    shodan-query: product:"redis"
    verified: true
  tags: cve,cve2020,network,redis,unauth,apache,airflow,vulhub,intrusive
--- a/network/cves/2020/CVE-2020-1938.yaml
+++ b/network/cves/2020/CVE-2020-1938.yaml
@ -5,25 +5,25 @@ info:
  author: milo2012
  severity: critical
  description: When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
  remediation: https://access.redhat.com/solutions/4851251
  reference:
    - https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487
    - https://nvd.nist.gov/vuln/detail/CVE-2020-1938
    - https://lists.apache.org/thread.html/r7c6f492fbd39af34a68681dbbba0468490ff1a97a1bd79c6a53610ef%40%3Cannounce.tomcat.apache.org%3E
    - https://lists.apache.org/thread.html/r75113652e46c4dee687236510649acfb70d2c63e074152049c3f399d@%3Cnotifications.ofbiz.apache.org%3E
    - http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html
  remediation: https://access.redhat.com/solutions/4851251
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-1938
    cwe-id: CWE-269
    epss-score: 0.97486
    cpe: cpe:2.3:a:apache:geode:1.12.0:*:*:*:*:*:*:*
    epss-score: 0.97486
  metadata:
-    max-request: 4
+    max-request: 1
    vendor: apache
    product: geode
    shodan-query: title:"Apache Tomcat"
    vendor: apache
  tags: cve,cve2020,kev,tenable,apache,lfi,network,tomcat
 tcp:
  - host:
--- a/network/cves/2020/CVE-2020-7247.yaml
+++ b/network/cves/2020/CVE-2020-7247.yaml
@ -6,24 +6,24 @@ info:
  severity: critical
  description: |
    OpenSMTPD versions 6.4.0 - 6.6.1 are susceptible to remote code execution. smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.
  remediation: OpenBSD users are recommended to install patches for OpenBSD 6.6
  reference:
    - https://www.openwall.com/lists/oss-security/2020/01/28/3
    - https://nvd.nist.gov/vuln/detail/CVE-2020-7247
    - https://github.com/openbsd/src/commit/9dcfda045474d8903224d175907bfc29761dcb45
    - http://www.openwall.com/lists/oss-security/2020/01/28/3
    - http://packetstormsecurity.com/files/156145/OpenSMTPD-6.6.2-Remote-Code-Execution.html
  remediation: OpenBSD users are recommended to install patches for OpenBSD 6.6
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-7247
    cwe-id: CWE-755
    epss-score: 0.9749
    cpe: cpe:2.3:a:openbsd:opensmtpd:6.6:*:*:*:*:*:*:*
    epss-score: 0.9749
  metadata:
-    max-request: 2
+    max-request: 1
    vendor: openbsd
    product: opensmtpd
    vendor: openbsd
  tags: cve,cve2020,smtp,opensmtpd,network,rce,oast,kev
 tcp:
  - host:
--- a/network/cves/2021/CVE-2021-44521.yaml
+++ b/network/cves/2021/CVE-2021-44521.yaml
@ -5,7 +5,6 @@ info:
  author: Y4er
  severity: critical
  description: 'When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.'
  remediation: 3.0.x users should upgrade to 3.0.26, 3.11.x users should upgrade to 3.11.12, 4.0.x users should upgrade to 4.0.2
  reference:
    - https://y4er.com/post/cve-2021-44521-apache-cassandra-udf-rce/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44521
@ -13,17 +12,18 @@ info:
    - https://lists.apache.org/thread/y4nb9s4co34j8hdfmrshyl09lokm7356
    - http://www.openwall.com/lists/oss-security/2022/02/11/4
    - https://thesecmaster.com/how-to-fix-apache-cassandra-rce-vulnerability-cve-2021-44521/
  remediation: 3.0.x users should upgrade to 3.0.26, 3.11.x users should upgrade to 3.11.12, 4.0.x users should upgrade to 4.0.2
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.1
    cve-id: CVE-2021-44521
    cwe-id: CWE-732,CWE-94
    epss-score: 0.01212
    cpe: cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*
    epss-score: 0.01212
  metadata:
-    max-request: 2
+    max-request: 1
    vendor: apache
    product: cassandra
    vendor: apache
  tags: cve,cve2021,network,rce,apache,cassandra
 tcp:
  - host:
--- a/network/cves/2022/CVE-2022-0543.yaml
+++ b/network/cves/2022/CVE-2022-0543.yaml
@ -9,24 +9,24 @@ info:
    vulnerability was introduced by Debian and Ubuntu Redis packages that
    insufficiently sanitized the Lua environment. The maintainers failed to
    disable the package interface, allowing attackers to load arbitrary libraries.
  remediation: Update to the most recent versions currently available.
  reference:
    - https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce
    - https://attackerkb.com/topics/wyA1c1HIC8/cve-2022-0543/rapid7-analysis#rapid7-analysis
    - https://bugs.debian.org/1005787
    - https://www.debian.org/security/2022/dsa-5081
    - https://lists.debian.org/debian-security-announce/2022/msg00048.html
  remediation: Update to the most recent versions currently available.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2022-0543
    epss-score: 0.97184
    cpe: cpe:2.3:a:redis:redis:-:*:*:*:*:*:*:*
    epss-score: 0.97184
  metadata:
-    max-request: 4
+    max-request: 1
    vendor: redis
    product: redis
    shodan-query: redis_version
    vendor: redis
  tags: cve,cve2022,network,redis,unauth,rce,kev
 tcp:
  - host:
--- a/network/cves/2022/CVE-2022-24706.yaml
+++ b/network/cves/2022/CVE-2022-24706.yaml
@ -6,27 +6,27 @@ info:
  severity: critical
  description: |
    In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges.
  remediation: |
    Upgrade to versions 3.2.2 or newer. Starting from CouchDB 3.2.2, the previous default Erlang cookie value "monster" will be rejected upon startup. Upgraded installations will be required to select an alternative value.
  reference:
    - https://www.exploit-db.com/exploits/50914
    - https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit/blob/main/CVE-2022-24706-Exploit.py
    - https://nvd.nist.gov/vuln/detail/CVE-2022-24706
    - http://www.openwall.com/lists/oss-security/2022/04/26/1
    - http://www.openwall.com/lists/oss-security/2022/05/09/1
  remediation: |
    Upgrade to versions 3.2.2 or newer. Starting from CouchDB 3.2.2, the previous default Erlang cookie value "monster" will be rejected upon startup. Upgraded installations will be required to select an alternative value.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-24706
    cwe-id: CWE-1188
    epss-score: 0.97407
    cpe: cpe:2.3:a:apache:couchdb:*:*:*:*:*:*:*:*
    epss-score: 0.97407
  metadata:
-    verified: "true"
+    max-request: 1
    max-request: 2
    vendor: apache
    product: couchdb
    shodan-query: product:"CouchDB"
    vendor: apache
    verified: "true"
  tags: cve,cve2022,network,couch,rce,kev
 variables:
  name_msg: "00156e00050007499c4141414141414041414141414141"
--- a/network/cves/2023/CVE-2023-33246.yaml
+++ b/network/cves/2023/CVE-2023-33246.yaml
@ -6,27 +6,27 @@ info:
  severity: critical
  description: |
    For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content. To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above for using RocketMQ 5.x or 4.9.6 or above for using RocketMQ 4.x .
  remediation: Update the RocketMQ application to version 5.1.1
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-33246
    - https://github.com/I5N0rth/CVE-2023-33246
    - http://packetstormsecurity.com/files/173339/Apache-RocketMQ-5.1.0-Arbitrary-Code-Injection.html
    - http://www.openwall.com/lists/oss-security/2023/07/12/1
    - https://lists.apache.org/thread/1s8j2c8kogthtpv3060yddk03zq0pxyp
  remediation: Update the RocketMQ application to version 5.1.1
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-33246
    cwe-id: CWE-94
    epss-score: 0.95581
    cpe: cpe:2.3:a:apache:rocketmq:*:*:*:*:*:*:*:*
    epss-score: 0.95581
  metadata:
-    verified: true
+    fofa-query: protocol="rocketmq"
-    max-request: 2
+    max-request: 1
    vendor: apache
    product: rocketmq
    shodan-query: title:"RocketMQ"
-    fofa-query: protocol="rocketmq"
+    vendor: apache
    verified: true
  tags: cve,cve2023,rocketmq,rce,oast,intrusive,network
 variables:
  part_a: '{{ hex_decode ("000000d2000000607b22636f6465223a32352c22666c6167223a302c226c616e6775616765223a224a415641222c226f7061717565223a302c2273657269616c697a655479706543757272656e74525043223a224a534f4e222c2276657273696f6e223a3339357d66696c7465725365727665724e756d733d310a726f636b65746d71486f6d653d2d632024407c7368202e206563686f206375726c20") }}'
--- a/network/default-login/ftp-anonymous-login.yaml
+++ b/network/default-login/ftp-anonymous-login.yaml
@ -4,13 +4,13 @@ info:
  name: FTP Anonymous Login
  author: C3l3si4n,pussycat0x
  severity: medium
  reference:
    - https://tools.ietf.org/html/rfc2577
  description: |
    Anonymous FTP access allows anyone to access your public_ftp folder, allowing unidentified visitors to download (and possibly upload) files on your website. Anonymous FTP creates the potential for a security hole for hackers and is not recommended.
-  tags: network,ftp,default-login
+  reference:
    - https://tools.ietf.org/html/rfc2577
  metadata:
-    max-request: 2
+    max-request: 1
  tags: network,ftp,default-login
 tcp:
  - inputs:
--- a/network/default-login/ftp-weak-credentials.yaml
+++ b/network/default-login/ftp-weak-credentials.yaml
@ -8,11 +8,11 @@ info:
  reference:
    - https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/ftpserver/security/authentication/
  classification:
    cvss-score: 8.5
    cvss-metrics: 3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
-  tags: network,ftp,default-login,service
+    cvss-score: 8.5
  metadata:
-    max-request: 2
+    max-request: 1
  tags: network,ftp,default-login,service
 tcp:
--- a/network/default-login/ldap-anonymous-login.yaml
+++ b/network/default-login/ldap-anonymous-login.yaml
@ -13,9 +13,9 @@ info:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cwe-id: CWE-284
  tags: network,ldap,default-login,tenable
  metadata:
-    max-request: 2
+    max-request: 1
  tags: network,ldap,default-login,tenable
 tcp:
  - inputs:
--- a/network/detection/activemq-openwire-transport-detect.yaml
+++ b/network/detection/activemq-openwire-transport-detect.yaml
@ -7,9 +7,9 @@ info:
  description: |
    OpenWire is the native protocol that Apache ActiveMQ uses. It is designed for performance and size on the wire - sacrificing some ease of implementation with higher performance and reduced network bandwidth as a priority.
  metadata:
-    max-request: 2
+    max-request: 1
    shodan-query: product:"ActiveMQ OpenWire transport"
    verified: true
    shodan-query: 'product:"ActiveMQ OpenWire transport"'
  tags: network,activemq,detect
 tcp:
--- a/network/detection/apache-activemq-detect.yaml
+++ b/network/detection/apache-activemq-detect.yaml
@ -7,9 +7,9 @@ info:
  description: |
    Apache ActiveMQ is an open source message broker written in Java together with a full Java Message Service client. It provides "Enterprise Features" which in this case means fostering the communication from more than one client or server.
  metadata:
-    max-request: 2
+    max-request: 1
    shodan-query: product:"Apache ActiveMQ"
    verified: true
    shodan-query: 'product:"Apache ActiveMQ"'
  tags: network,activemq,oss,detect
 tcp:
--- a/network/detection/axigen-mail-server-detect.yaml
+++ b/network/detection/axigen-mail-server-detect.yaml
@ -7,10 +7,10 @@ info:
  description: |
    Axigen Mail Server was detected.
  metadata:
    max-request: 2
    verified: true
    fofa-query: app="axigen-Mail-Server"
    max-request: 1
    shodan-query: product:"Axigen"
    verified: true
  tags: network,axigen,detect
 tcp:
--- a/network/detection/cisco-finger-detect.yaml
+++ b/network/detection/cisco-finger-detect.yaml
@ -7,9 +7,9 @@ info:
  description: |
    The finger daemon runs on TCP port 79. The client will (in the case of remote hosts) open a connection to port 79.
  metadata:
-    max-request: 2
+    max-request: 1
    verified: true
    shodan-query: product:"Cisco fingerd"
    verified: true
  tags: network,finger,detect
 tcp:
--- a/network/detection/clamav-detect.yaml
+++ b/network/detection/clamav-detect.yaml
@ -7,9 +7,9 @@ info:
  description: |
    Clam AntiVirus is a free software, cross-platform antimalware toolkit able to detect many types of malware, including viruses.
  metadata:
-    max-request: 2
+    max-request: 1
    shodan-query: port:3310 product:"ClamAV"
    verified: true
    shodan-query: 'port:3310 product:"ClamAV"'
  tags: network,clamav,detect
 tcp:
--- a/network/detection/cql-native-transport.yaml
+++ b/network/detection/cql-native-transport.yaml
@ -7,9 +7,9 @@ info:
  description: |
    Native transport requests (NTR) are any requests made via the CQL Native Protocol. CQL Native Protocol is the way the Cassandra driver communicates with the server.
  metadata:
-    max-request: 2
+    max-request: 1
    shodan-query: cassandra
    verified: true
    shodan-query: "cassandra"
  tags: network,cassandra,cql,detect
 tcp:
--- a/network/detection/detect-addpac-voip-gateway.yaml
+++ b/network/detection/detect-addpac-voip-gateway.yaml
@ -10,11 +10,10 @@ info:
    - http://www.addpac.com/addpac_eng2/down.php?file=505_f16.pdf
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
  tags: network,addpac,apos,voip,detect
  metadata:
-    max-request: 2
+    max-request: 1
  tags: network,addpac,apos,voip,detect
 tcp:
  - inputs:
--- a/network/detection/detect-jabber-xmpp.yaml
+++ b/network/detection/detect-jabber-xmpp.yaml
@ -9,11 +9,10 @@ info:
    - https://datatracker.ietf.org/doc/html/rfc6120
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
  tags: network,jabber,xmpp,messaging,detect
  metadata:
-    max-request: 2
+    max-request: 1
  tags: network,jabber,xmpp,messaging,detect
 tcp:
  - inputs:
--- a/network/detection/dotnet-remoting-service-detect.yaml
+++ b/network/detection/dotnet-remoting-service-detect.yaml
@ -8,12 +8,11 @@ info:
    Microsoft .NET Remoting httpd was detected.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
  metadata:
-    max-request: 2
+    max-request: 1
    verified: true
    shodan-query: product:"MS .NET Remoting httpd"
    verified: true
  tags: network,detect,microsoft
 tcp:
--- a/network/detection/dropbear-cbc-ciphers.yaml
+++ b/network/detection/dropbear-cbc-ciphers.yaml
@ -6,14 +6,14 @@ info:
  severity: low
  description: |
    The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.
  remediation: |
    Disable CBC Ciphers.
  reference: |
    https://www.tenable.com/plugins/nessus/70658
  remediation: |
    Disable CBC Ciphers.
  metadata:
-    max-request: 2
+    max-request: 1
    shodan-query: product:"Dropbear sshd"
    verified: true
    shodan-query: 'product:"Dropbear sshd"'
  tags: network,ssh,dropbear,detect
 tcp:
--- a/network/detection/esmtp-detect.yaml
+++ b/network/detection/esmtp-detect.yaml
@ -10,12 +10,11 @@ info:
    - https://nmap.org/nsedoc/scripts/smtp-open-relay.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
  metadata:
-    max-request: 2
+    max-request: 1
    shodan-query: ESMTP
    verified: true
    shodan-query: 'ESMTP'
  tags: network,detect,smtp,mail
 tcp:
--- a/network/detection/expn-mail-detect.yaml
+++ b/network/detection/expn-mail-detect.yaml
@ -6,9 +6,9 @@ info:
  severity: info
  description: |
    The "EXPN" can be used by attackers to learn about valid usernames on the target system. On some SMTP servers, EXPN can be used to show the subscribers of a mailing list subscription lists are generally considered to be sensitive information.
  tags: mail,expn,network,detect
  metadata:
-    max-request: 2
+    max-request: 1
  tags: mail,expn,network,detect
 tcp:
  - inputs:
--- a/network/detection/finger-detect.yaml
+++ b/network/detection/finger-detect.yaml
@ -7,9 +7,9 @@ info:
  description: |
    The finger daemon runs on TCP port 79. The client will (in the case of remote hosts) open a connection to port 79.
  metadata:
-    max-request: 2
+    max-request: 1
    verified: true
    shodan-query: port:"79" action
    verified: true
  tags: network,finger,detect
 tcp:
--- a/network/detection/gnu-inetutils-ftpd-detect.yaml
+++ b/network/detection/gnu-inetutils-ftpd-detect.yaml
@ -7,9 +7,9 @@ info:
  description: |
    The File Transfer Protocol (FTP) is a standard network protocol used to transfer computer files between a client and server on a computer network.
  metadata:
-    max-request: 2
+    max-request: 1
    shodan-query: product:"GNU Inetutils FTPd"
    verified: true
    shodan-query: 'product:"GNU Inetutils FTPd"'
  tags: network,ftp,smartgateway,gnu,inetutils,detect
 tcp:
--- a/network/detection/gopher-detect.yaml
+++ b/network/detection/gopher-detect.yaml
@ -8,11 +8,10 @@ info:
    Gopher service was detected.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
  tags: network,gopher,detect
  metadata:
-    max-request: 2
+    max-request: 1
  tags: network,gopher,detect
 tcp:
  - inputs:
--- a/network/detection/ibm-d2b-database-server.yaml
+++ b/network/detection/ibm-d2b-database-server.yaml
@ -10,12 +10,11 @@ info:
    - https://nmap.org/nsedoc/scripts/db2-das-info.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
  metadata:
-    max-request: 2
+    max-request: 1
    verified: true
    shodan-query: product:"IBM DB2 Database Server"
    verified: true
  tags: network,ibm,database,db,db2,detect
 tcp:
--- a/network/detection/imap-detect.yaml
+++ b/network/detection/imap-detect.yaml
@ -8,12 +8,11 @@ info:
    IMAP was detected.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
  metadata:
-    max-request: 2
+    max-request: 1
    shodan-query: imap
    verified: true
    shodan-query: 'imap'
  tags: network,detect,imap,mail
 tcp:
--- a/network/detection/iplanet-imap-detect.yaml
+++ b/network/detection/iplanet-imap-detect.yaml
@ -8,11 +8,10 @@ info:
    iPlanet Messaging Server IMAP protocol was detected.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
  metadata:
    max-request: 2
    fofa-query: app="iPlanet-Messaging-Server-5.2" && protocol="imap"
    max-request: 1
  tags: network,imap,detect
 tcp:
--- a/network/detection/microsoft-ftp-service.yaml
+++ b/network/detection/microsoft-ftp-service.yaml
@ -7,9 +7,9 @@ info:
  description: |
    The File Transfer Protocol (FTP) is a standard network protocol used to transfer computer files between a client and server on a computer network.
  metadata:
-    max-request: 2
+    max-request: 1
    shodan-query: Microsoft FTP Service
    verified: true
    shodan-query: "Microsoft FTP Service"
  tags: network,ftp,microsoft,detect
 tcp:
--- a/network/detection/mikrotik-ftp-server-detect.yaml
+++ b/network/detection/mikrotik-ftp-server-detect.yaml
@ -7,9 +7,9 @@ info:
  description: |
    The File Transfer Protocol (FTP) is a standard network protocol used to transfer computer files between a client and server on a computer network.
  metadata:
-    max-request: 2
+    max-request: 1
    shodan-query: product:"MikroTik router ftpd"
    verified: true
    shodan-query: 'product:"MikroTik router ftpd"'
  tags: network,ftp,mikrotik,router,detect
 tcp:
--- a/network/detection/mikrotik-routeros-api.yaml
+++ b/network/detection/mikrotik-routeros-api.yaml
@ -8,12 +8,11 @@ info:
    MikroTik RouterOS API was detected.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
  metadata:
-    max-request: 2
+    max-request: 1
    verified: true
    shodan-query: product:"MikroTik RouterOS API Service"
    verified: true
  tags: network,mikrotik,detect
 tcp:
--- a/network/detection/mongodb-detect.yaml
+++ b/network/detection/mongodb-detect.yaml
@ -6,15 +6,14 @@ info:
  severity: info
  description: |
    MongoDB service was detected.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
  reference:
    - https://github.com/orleven/Tentacle
-  tags: network,mongodb,detect
+  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cwe-id: CWE-200
  metadata:
-    max-request: 2
+    max-request: 1
  tags: network,mongodb,detect
 tcp:
  - inputs:
--- a/network/detection/msmq-detect.yaml
+++ b/network/detection/msmq-detect.yaml
@ -11,10 +11,10 @@ info:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqqb/50da7ea1-eed7-41f9-ba6a-2aa37f5f1e92
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21554
  metadata:
    max-request: 2
    verified: true
    shodan-query: MSMQ
    censys-query: services.service_name:MSMQ
    max-request: 1
    shodan-query: MSMQ
    verified: true
  tags: network,msmq,detect
 tcp:
--- a/network/detection/mysql-detect.yaml
+++ b/network/detection/mysql-detect.yaml
@ -8,12 +8,11 @@ info:
    MySQL instance was detected.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
  metadata:
-    max-request: 2
+    max-request: 1
    verified: true
    shodan-query: product:"MySQL"
    verified: true
  tags: network,mysql,db,detect
 tcp:
--- a/network/detection/openssh-detect.yaml
+++ b/network/detection/openssh-detect.yaml
@ -6,19 +6,18 @@ info:
  severity: info
  description: |
    OpenSSH service was detected.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
  reference:
    - http://www.openwall.com/lists/oss-security/2016/08/01/2
    - http://www.openwall.com/lists/oss-security/2018/08/15/5
    - http://seclists.org/fulldisclosure/2016/Jul/51
    - https://nvd.nist.gov/vuln/detail/CVE-2016-6210
    - https://nvd.nist.gov/vuln/detail/CVE-2018-15473
-  tags: seclists,network,ssh,openssh,detect
+  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cwe-id: CWE-200
  metadata:
-    max-request: 2
+    max-request: 1
  tags: seclists,network,ssh,openssh,detect
 tcp:
  - host:
--- a/network/detection/pgsql-detect.yaml
+++ b/network/detection/pgsql-detect.yaml
@ -11,12 +11,11 @@ info:
    - https://www.postgresql.org/docs/current/client-authentication-problems.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
  metadata:
-    max-request: 2
+    max-request: 1
    verified: true
    shodan-query: port:5432 product:"PostgreSQL"
    verified: true
  tags: network,postgresql,db,detect
 tcp:
--- a/network/detection/pop3-detect.yaml
+++ b/network/detection/pop3-detect.yaml
@ -10,12 +10,11 @@ info:
    - https://nmap.org/nsedoc/scripts/pop3-ntlm-info.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
  metadata:
-    max-request: 2
+    max-request: 1
    shodan-query: pop3 port:110
    verified: true
    shodan-query: 'pop3 port:110'
  tags: network,detect,pop3,mail
 tcp:
--- a/network/detection/proftpd-server-detect.yaml
+++ b/network/detection/proftpd-server-detect.yaml
@ -7,9 +7,9 @@ info:
  description: |
    The File Transfer Protocol (FTP) is a standard network protocol used to transfer computer files between a client and server on a computer network.
  metadata:
-    max-request: 2
+    max-request: 1
    shodan-query: product:"ProFTPD"
    verified: true
    shodan-query: 'product:"ProFTPD"'
  tags: network,ftp,proftpd,detect
 tcp:
--- a/network/detection/rabbitmq-detect.yaml
+++ b/network/detection/rabbitmq-detect.yaml
@ -9,9 +9,9 @@ info:
  reference:
    - https://nmap.org/nsedoc/scripts/amqp-info.html
  metadata:
-    max-request: 2
+    max-request: 1
    verified: true
    shodan-query: product:"RabbitMQ"
    verified: true
  tags: network,rabbitmq,oss,detect
 tcp:
--- a/network/detection/rdp-detect.yaml
+++ b/network/detection/rdp-detect.yaml
@ -8,10 +8,9 @@ info:
    Windows Remote Desktop Protocol was detected.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
  metadata:
-    max-request: 2
+    max-request: 1
    verified: true
  tags: network,windows,rdp,detect
--- a/network/detection/redis-detect.yaml
+++ b/network/detection/redis-detect.yaml
@ -9,7 +9,7 @@ info:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cwe-id: CWE-200
  metadata:
-    max-request: 4
+    max-request: 1
    shodan-query: product:"redis"
    verified: true
  tags: network,redis,detect
--- a/network/detection/riak-detect.yaml
+++ b/network/detection/riak-detect.yaml
@ -6,9 +6,9 @@ info:
  severity: info
  description: Riak is a distributed NoSQL key-value data store that offers high availability, fault tolerance, operational simplicity, and scalability.
  metadata:
-    max-request: 2
+    max-request: 1
    verified: true
    shodan-query: product:"Riak"
    verified: true
  tags: network,oss,detect
 tcp:
--- a/network/detection/rpcbind-portmapper-detect.yaml
+++ b/network/detection/rpcbind-portmapper-detect.yaml
@ -8,12 +8,11 @@ info:
  reference: https://book.hacktricks.xyz/pentesting/pentesting-rpcbind
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
  metadata:
-    max-request: 2
+    max-request: 1
    verified: true
    shodan-query: port:"111"
    verified: true
  tags: network,rpcbind,portmap,detect
 tcp:
--- a/network/detection/rsyncd-service-detect.yaml
+++ b/network/detection/rsyncd-service-detect.yaml
@ -10,11 +10,10 @@ info:
    - https://linux.die.net/man/1/rsync
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
  tags: network,rsyncd,detect
  metadata:
-    max-request: 2
+    max-request: 1
  tags: network,rsyncd,detect
 tcp:
  - inputs:
--- a/network/detection/rtsp-detect.yaml
+++ b/network/detection/rtsp-detect.yaml
@ -10,12 +10,11 @@ info:
    https://nmap.org/nsedoc/scripts/rtsp-methods.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
  metadata:
-    max-request: 2
+    max-request: 1
    verified: true
    shodan-query: RTSP/1.0
    verified: true
  tags: network,rtsp,detect
 tcp:
--- a/network/detection/samba-detect.yaml
+++ b/network/detection/samba-detect.yaml
@ -8,12 +8,12 @@ info:
  reference:
    - https://www.samba.org/samba/what_is_samba.html
    - https://www.samba.org/samba/history/security.html
  remediation: Always apply the latest security patch.
  classification:
    cwe-id: CWE-200
  remediation: Always apply the latest security patch.
  tags: network,smb,samba,detect
  metadata:
-    max-request: 2
+    max-request: 1
  tags: network,smb,samba,detect
 tcp:
  - inputs:
--- a/network/detection/sap-router.yaml
+++ b/network/detection/sap-router.yaml
@ -4,11 +4,11 @@ info:
  name: SAPRouter Detection
  author: randomstr1ng
  severity: info
  tags: network,sap,detect
  description: |
    SAProuter is a software application that provides a remote connection between our customer's network and SAP.
  metadata:
-    max-request: 2
+    max-request: 1
  tags: network,sap,detect
 tcp:
  - inputs:
--- a/network/detection/smb-detect.yaml
+++ b/network/detection/smb-detect.yaml
@ -4,11 +4,11 @@ info:
  name: SMB Detection
  author: pussycat0x
  severity: low
  tags: network,windows,smb,service,detect
  description: |
    SMB (Server Message Block) is a network-layered protocol mainly used on Windows for sharing files, printers, and communication between network-attached computers. SMB related vulnerabilities can be levaraged to compromise large-scale systems.
  metadata:
-    max-request: 2
+    max-request: 1
  tags: network,windows,smb,service,detect
 tcp:
  - inputs:
--- a/network/detection/smtp-detect.yaml
+++ b/network/detection/smtp-detect.yaml
@ -4,11 +4,11 @@ info:
  name: SMTP Service Detection
  author: pussycat0x
  severity: info
  tags: network,service,smtp,detect
  description: |
    SMTP is part of the application layer of the TCP/IP protocol. Using a process called “store and forward,” SMTP moves your email on and across networks.
  metadata:
-    max-request: 2
+    max-request: 1
  tags: network,service,smtp,detect
 tcp:
  - inputs:
--- a/network/detection/sshd-dropbear-detect.yaml
+++ b/network/detection/sshd-dropbear-detect.yaml
@ -7,9 +7,9 @@ info:
  description: |
    Dropbear is a software package written by Matt Johnston that provides a Secure Shell-compatible server and client. It is designed as a replacement for standard OpenSSH for environments with low memory and processor resources, such as embedded systems
  metadata:
-    max-request: 2
+    max-request: 1
    shodan-query: product:"Dropbear sshd"
    verified: true
    shodan-query: 'product:"Dropbear sshd"'
  tags: network,ssh,dropbear,detect
 tcp:
--- a/network/detection/starttls-mail-detect.yaml
+++ b/network/detection/starttls-mail-detect.yaml
@ -4,11 +4,11 @@ info:
  name: STARTTLS Mail Server Detection
  author: r3dg33k
  severity: info
  tags: mail,starttls,network,detect
  description: |
    STARTTLS is an email protocol command that tells an email server that an email client, including an email client running in a web browser, wants to turn an existing insecure connection into a secure one.
  metadata:
-    max-request: 2
+    max-request: 1
  tags: mail,starttls,network,detect
 tcp:
  - inputs:
--- a/network/detection/teamspeak3-detect.yaml
+++ b/network/detection/teamspeak3-detect.yaml
@ -7,7 +7,7 @@ info:
  description: |
    ServerQuery is a commandline based administration tool/feature of TeamSpeak 3 server.
  metadata:
-    max-request: 2
+    max-request: 1
    shodan-query: product:"TeamSpeak 3 ServerQuery"
    verified: true
  tags: network,service,teamspeak3,detect
--- a/network/detection/telnet-detect.yaml
+++ b/network/detection/telnet-detect.yaml
@ -7,9 +7,9 @@ info:
  description: |
    Telnet is a network protocol used to virtually access a computer and to provide a two-way, collaborative and text-based communication channel between two machines.
  metadata:
-    max-request: 2
+    max-request: 1
    verified: true
    shodan-query: port:23 telnet
    verified: true
  tags: network,telnet,detect
 tcp:
--- a/network/detection/totemomail-smtp-detect.yaml
+++ b/network/detection/totemomail-smtp-detect.yaml
@ -4,11 +4,11 @@ info:
  name: Totemomail SMTP Server Detection
  author: princechaddha
  severity: info
  tags: mail,smtp,network,totemomail,detect
  description: |
    Totemomail is a comprehensive email solution designed to address all aspects of digital communication security.
  metadata:
-    max-request: 2
+    max-request: 1
  tags: mail,smtp,network,totemomail,detect
 tcp:
  - inputs:
--- a/network/detection/vmware-authentication-daemon-detect.yaml
+++ b/network/detection/vmware-authentication-daemon-detect.yaml
@ -7,9 +7,9 @@ info:
  description: |
    vmauthd is the VMWare authentication daemon that is included with many VMWare products, including ESX(i), and Workstation.
  metadata:
-    max-request: 2
+    max-request: 1
    shodan-query: product:"VMware Authentication Daemon"
    verified: true
    shodan-query: 'product:"VMware Authentication Daemon"'
  tags: network,vmware,authenticated,detect
 tcp:
--- a/network/detection/vnc-service-detect.yaml
+++ b/network/detection/vnc-service-detect.yaml
@ -7,9 +7,9 @@ info:
  description: A Virtual Network Computing (VNC) service was detected.
  classification:
    cwe-id: CWE-200
  tags: network,vnc,service,detect
  metadata:
-    max-request: 2
+    max-request: 1
  tags: network,vnc,service,detect
 tcp:
  - inputs:
--- a/network/detection/xlight-ftp-service-detect.yaml
+++ b/network/detection/xlight-ftp-service-detect.yaml
@ -7,9 +7,9 @@ info:
  description: |
    The File Transfer Protocol (FTP) is a standard network protocol used to transfer computer files between a client and server on a computer network.
  metadata:
-    max-request: 2
+    max-request: 1
    shodan-query: product:"Xlight ftpd"
    verified: true
    shodan-query: 'product:"Xlight ftpd"'
  tags: network,ftp,xlight,detect
 tcp:
--- a/network/enumeration/mongodb-info-enum.yaml
+++ b/network/enumeration/mongodb-info-enum.yaml
@ -10,12 +10,11 @@ info:
    - https://nmap.org/nsedoc/scripts/mongodb-info.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
  metadata:
-    max-request: 2
+    max-request: 1
    verified: true
    shodan-query: mongodb server information
    verified: true
  tags: network,mongodb,enum
 tcp:
--- a/network/enumeration/niagara-fox-info-enum.yaml
+++ b/network/enumeration/niagara-fox-info-enum.yaml
@ -6,12 +6,12 @@ info:
  severity: info
  description: |
    Niagara Fox Protocol is a building automation protocol used between the Niagara software systems by Tridium.
  metadata:
    max-request: 2
    verified: true
    shodan-query: 'product:"Niagara Fox"'
  reference:
    - https://nmap.org/nsedoc/scripts/fox-info.html
  metadata:
    max-request: 1
    shodan-query: product:"Niagara Fox"
    verified: true
  tags: network,fox,niagara,enum
 tcp:
--- a/network/enumeration/psql-user-enum.yaml
+++ b/network/enumeration/psql-user-enum.yaml
@ -9,7 +9,7 @@ info:
  reference:
    - https://medium.com/@netscylla/pentesters-guide-to-postgresql-hacking-59895f4f007
  metadata:
-    max-request: 2
+    max-request: 1
    shodan-query: port:5432 product:"PostgreSQL"
    verified: "true"
  tags: network,postgresql,db,unauth,enum,psql
--- a/network/enumeration/smtp-commands-enum.yaml
+++ b/network/enumeration/smtp-commands-enum.yaml
@ -9,9 +9,9 @@ info:
  reference:
    - https://nmap.org/nsedoc/scripts/smtp-commands.html
  metadata:
-    max-request: 2
+    max-request: 1
    shodan-query: smtp
    verified: true
    shodan-query: 'smtp'
  tags: network,enum,smtp,mail
 tcp:
--- a/network/enumeration/smtp/smtp-user-enum.yaml
+++ b/network/enumeration/smtp/smtp-user-enum.yaml
@ -9,7 +9,7 @@ info:
  reference:
    - https://nmap.org/nsedoc/scripts/smtp-enum-users.html
  metadata:
-    max-request: 2
+    max-request: 1
    shodan-query: smtp
    verified: true
  tags: network,enum,smtp,mail
--- a/network/exposures/cisco-smi-exposure.yaml
+++ b/network/exposures/cisco-smi-exposure.yaml
@ -15,9 +15,9 @@ info:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cwe-id: CWE-200
  tags: network,cisco,smi,exposure
  metadata:
-    max-request: 2
+    max-request: 1
  tags: network,cisco,smi,exposure
 tcp:
  - inputs:
--- a/network/exposures/exposed-adb.yaml
+++ b/network/exposures/exposed-adb.yaml
@ -9,9 +9,9 @@ info:
    - https://doublepulsar.com/root-bridge-how-thousands-of-internet-connected-android-devices-now-have-no-security-and-are-b46a68cb0f20
    - https://www.hackeracademy.org/how-to-hack-android-device-with-adb-android-debugging-bridge
    - https://www.securezoo.com/2018/06/thousands-of-android-devices-leave-debug-port-5555-exposed/
  tags: network,adb,rce,android,exposure
  metadata:
-    max-request: 2
+    max-request: 1
  tags: network,adb,rce,android,exposure
 tcp:
  - inputs:
--- a/network/exposures/exposed-dockerd.yaml
+++ b/network/exposures/exposed-dockerd.yaml
@ -7,9 +7,9 @@ info:
  description: |
    Docker Daemon exposed on the network map can help remote attacker to gain access to the Docker containers and potentially the host system.
  metadata:
-    max-request: 2
+    max-request: 1
    verified: true
    shodan-query: port:2375 product:"docker"
    verified: true
  tags: network,docker,exposure
 tcp:
--- a/network/exposures/exposed-redis.yaml
+++ b/network/exposures/exposed-redis.yaml
@ -12,7 +12,7 @@ info:
    cvss-score: 7.2
    cwe-id: CWE-306
  metadata:
-    max-request: 4
+    max-request: 1
  tags: network,redis,unauth,exposure
 tcp:
--- a/network/exposures/exposed-zookeeper.yaml
+++ b/network/exposures/exposed-zookeeper.yaml
@ -7,9 +7,9 @@ info:
  description: Apache ZooKeeper was able to be accessed without any required authentication.
  reference:
    - https://zookeeper.apache.org/security.html
  tags: network,zookeeper,unauth,exposure
  metadata:
-    max-request: 2
+    max-request: 1
  tags: network,zookeeper,unauth,exposure
 tcp:
  - inputs:
--- a/network/misconfig/apache-dubbo-unauth.yaml
+++ b/network/misconfig/apache-dubbo-unauth.yaml
@ -10,7 +10,7 @@ info:
    - https://dubbo.apache.org/en/docs3-v2/java-sdk/advanced-features-and-usage/security/auth/
  metadata:
    fofa-query: apache dubbo
-    max-request: 2
+    max-request: 1
    verified: true
  tags: network,dubbo,apache,unauth,misconfig
--- a/network/misconfig/apache-rocketmq-broker-unauth.yaml
+++ b/network/misconfig/apache-rocketmq-broker-unauth.yaml
@ -10,7 +10,7 @@ info:
    - https://rocketmq.apache.org/docs/bestPractice/03access
  metadata:
    fofa-query: protocol="rocketmq"
-    max-request: 2
+    max-request: 1
    shodan-query: title:"RocketMQ"
    verified: true
  tags: network,rocketmq,broker,apache,unauth,misconfig
--- a/network/misconfig/clamav-unauth.yaml
+++ b/network/misconfig/clamav-unauth.yaml
@ -8,13 +8,13 @@ info:
    ClamAV server 0.99.2, and possibly other previous versions, allow the execution
    of dangerous service commands without authentication. Specifically, the command 'SCAN'
    may be used to list system files and the command 'SHUTDOWN' shut downs the service.
  metadata:
    max-request: 2
    verified: true
    shodan-query: 'port:3310 product:"ClamAV" version:"0.99.2"'
  reference:
    - https://seclists.org/nmap-dev/2016/q2/201
    - https://bugzilla.clamav.net/show_bug.cgi?id=11585
  metadata:
    max-request: 1
    shodan-query: port:3310 product:"ClamAV" version:"0.99.2"
    verified: true
  tags: network,clamav,unauth,seclists,misconfig
 tcp:
--- a/network/misconfig/clickhouse-unauth.yaml
+++ b/network/misconfig/clickhouse-unauth.yaml
@ -5,9 +5,9 @@ info:
  author: lu4nx
  severity: high
  description: ClickHouse was able to be accessed with no required authentication in place.
  tags: network,clickhouse,unauth,misconfig
  metadata:
-    max-request: 2
+    max-request: 1
  tags: network,clickhouse,unauth,misconfig
 tcp:
  - inputs:
--- a/network/misconfig/dropbear-weakalgo.yaml
+++ b/network/misconfig/dropbear-weakalgo.yaml
@ -6,14 +6,14 @@ info:
  severity: low
  description: |
    The SSH key exchange algorithm is fundamental to keep the protocol secure. It is what allows two previously unknown parties to generate a shared key in plain sight, and have that secret remain private to the client and server. Over time, some implementations of this algorithm have been identified as weak or vulnerable.
  remediation: |
    Disable the weak algorithms.
  reference: |
    https://www.virtuesecurity.com/kb/ssh-weak-key-exchange-algorithms-enabled
  remediation: |
    Disable the weak algorithms.
  metadata:
-    max-request: 2
+    max-request: 1
    shodan-query: product:"Dropbear sshd"
    verified: true
    shodan-query: 'product:"Dropbear sshd"'
  tags: network,ssh,dropbear,misconfig
 tcp:
--- a/network/misconfig/dropbear-weakmac.yaml
+++ b/network/misconfig/dropbear-weakmac.yaml
@ -6,14 +6,14 @@ info:
  severity: low
  description: |
    The mac-alg command specifies which MAC algorithms in the SSH client profile for SSH encryption negotiation with an SFTP server when the DataPower Gateway acts as an SFTP client.
  remediation: |
    Disable MD5 and 96-bit MAC algorithms.
  reference: |
    https://www.virtuesecurity.com/kb/ssh-weak-mac-algorithms-enabled
  remediation: |
    Disable MD5 and 96-bit MAC algorithms.
  metadata:
-    max-request: 2
+    max-request: 1
    shodan-query: product:"Dropbear sshd"
    verified: true
    shodan-query: 'product:"Dropbear sshd"'
  tags: network,ssh,dropbear,misconfig
 tcp:
--- a/network/misconfig/ganglia-xml-grid-monitor.yaml
+++ b/network/misconfig/ganglia-xml-grid-monitor.yaml
@ -7,9 +7,9 @@ info:
  description: Ganglia is a scalable distributed monitoring system for high-performance computing systems such as clusters and Grids.
  reference:
    - http://ganglia.info/
  tags: ganglia,network,misconfig
  metadata:
-    max-request: 2
+    max-request: 1
  tags: ganglia,network,misconfig
 tcp:
  - inputs:
--- a/network/misconfig/memcached-stats.yaml
+++ b/network/misconfig/memcached-stats.yaml
@ -4,11 +4,11 @@ info:
  name: Memcached stats disclosure
  author: pdteam
  severity: low
  tags: network,memcached,misconfig
  description: |
    Memcached stats is used to return server statistics such as PID, version, connections, etc.
  metadata:
-    max-request: 2
+    max-request: 1
  tags: network,memcached,misconfig
 tcp:
  - inputs:
--- a/network/misconfig/mongodb-unauth.yaml
+++ b/network/misconfig/mongodb-unauth.yaml
@ -10,9 +10,9 @@ info:
    - https://book.hacktricks.xyz/pentesting/27017-27018-mongodb
    - https://www.mongodb.com/features/mongodb-authentication
  remediation: Enable Authentication in MongoDB
  tags: network,mongodb,unauth,misconfig
  metadata:
-    max-request: 2
+    max-request: 1
  tags: network,mongodb,unauth,misconfig
 tcp:
  - inputs:
--- a/network/misconfig/mysql-native-password.yaml
+++ b/network/misconfig/mysql-native-password.yaml
@ -9,11 +9,10 @@ info:
    - https://github.com/Tinram/MySQL-Brute
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
  tags: network,mysql,bruteforce,db,misconfig
  metadata:
-    max-request: 2
+    max-request: 1
  tags: network,mysql,bruteforce,db,misconfig
 tcp:
  - host:
--- a/network/misconfig/sap-router-info-leak.yaml
+++ b/network/misconfig/sap-router-info-leak.yaml
@ -8,9 +8,9 @@ info:
  reference:
    - https://securityforeveryone.com/tools/saprouter-routing-information-leakage-vulnerability-scanner
    - https://support.sap.com/en/tools/connectivity-tools/saprouter.html
  tags: network,sap,misconfig
  metadata:
-    max-request: 2
+    max-request: 1
  tags: network,sap,misconfig
 tcp:
  - inputs:
--- a/network/misconfig/tidb-native-password.yaml
+++ b/network/misconfig/tidb-native-password.yaml
@ -9,9 +9,9 @@ info:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cwe-id: CWE-200
  tags: network,tidb,bruteforce,db,misconfig
  metadata:
-    max-request: 2
+    max-request: 1
  tags: network,tidb,bruteforce,db,misconfig
 tcp:
  - host:
--- a/network/misconfig/tidb-unauth.yaml
+++ b/network/misconfig/tidb-unauth.yaml
@ -6,7 +6,7 @@ info:
  severity: high
  description: TiDB server was able to be accessed because no authentication was required.
  metadata:
-    max-request: 2
+    max-request: 1
    zoomeye-query: tidb +port:"4000"
  tags: network,tidb,unauth,misconfig
--- a/network/misconfig/unauth-psql.yaml
+++ b/network/misconfig/unauth-psql.yaml
@ -9,7 +9,7 @@ info:
  reference:
    - https://www.postgresql.org/docs/9.6/auth-methods.html
  metadata:
-    max-request: 2
+    max-request: 1
    shodan-query: port:5432 product:"PostgreSQL"
    verified: "true"
  tags: network,postgresql,db,unauth,misconfig
--- a/network/vulnerabilities/clockwatch-enterprise-rce.yaml
+++ b/network/vulnerabilities/clockwatch-enterprise-rce.yaml
@ -10,11 +10,11 @@ info:
    - https://blog.grimm-co.com/2021/07/old-dog-same-tricks.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
-    cvss-score: 10.0
+    cvss-score: 10
    cwe-id: CWE-77
  tags: clockwatch,rce,network
  metadata:
-    max-request: 2
+    max-request: 1
  tags: clockwatch,rce,network
 tcp:
  - inputs: