From 4ca4d599997e450822a03c976b8cbf28ffd9ddcd Mon Sep 17 00:00:00 2001 From: Jarcis-cy Date: Fri, 5 Jul 2024 15:07:44 +0800 Subject: [PATCH] =?UTF-8?q?[update]=20=E6=95=B4=E7=90=86=E9=83=A8=E5=88=86?= =?UTF-8?q?=E6=8C=87=E7=BA=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- finger/ehole/DzzOffice.yml | 23 ------------ finger/manual/web/DzzOffice.yml | 37 +++++++++++++++++++ .../web}/Leadsec-Firewall.yml | 3 +- finger/{ehole => manual/web}/Mattermost.yml | 11 +++++- 4 files changed, 48 insertions(+), 26 deletions(-) delete mode 100644 finger/ehole/DzzOffice.yml create mode 100644 finger/manual/web/DzzOffice.yml rename finger/{ehole => manual/web}/Leadsec-Firewall.yml (89%) rename finger/{ehole => manual/web}/Mattermost.yml (58%)
diff --git a/finger/ehole/DzzOffice.yml b/finger/ehole/DzzOffice.yml
deleted file mode 100644
index 02bc205..0000000
--- a/finger/ehole/DzzOffice.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-name: fingerprint-yaml-DzzOffice
-manual: false
-detail:
- fingerprint:
- name: DzzOffice
- fofa: header="DzzOffice" || title="DzzOffice"
-transport: http
-rules:
- r0:
- request:
- cache: true
- method: GET
- path: /
- follow_redirects: true
- expression: response.raw_header.bcontains(bytes("DzzOffice"))
- r1:
- request:
- cache: true
- method: GET
- path: /
- follow_redirects: true
- expression: response.title_string.contains("DzzOffice")
-expression: r0() || r1()
diff --git a/finger/manual/web/DzzOffice.yml b/finger/manual/web/DzzOffice.yml
new file mode 100644
index 0000000..30470f7
--- /dev/null
+++ b/finger/manual/web/DzzOffice.yml
@@ -0,0 +1,37 @@
+name: fingerprint-yaml-DzzOffice
+manual: false
+detail:
+ fingerprint:
+ name: DzzOffice
+ fofa: product="DzzOffice-产品"
+ cpe: dzzoffice:dzzoffice
+transport: http
+rules:
+ r0:
+ request:
+ cache: true
+ method: GET
+ path: /
+ follow_redirects: true
+ expression: response.raw_header.bcontains(bytes("DzzOffice"))
+ r1:
+ request:
+ cache: true
+ method: GET
+ path: /
+ follow_redirects: true
+ expression: response.title_string.contains("DzzOffice")
+ r2:
+ request:
+ cache: true
+ method: GET
+ path: /
+ follow_redirects: true
+ expression: response.body_string.contains("/static/dzzicon/icon.css")
+ favicon_hash:
+ request:
+ method: GET
+ path: /
+ follow_redirects: false
+ expression: faviconHash(response.getIconContent()) == -1961736892
+expression: r0() || r1() || r2() || favicon_hash()
\ No newline at end of file
diff --git a/finger/ehole/Leadsec-Firewall.yml b/finger/manual/web/Leadsec-Firewall.yml
similarity index 89%
rename from finger/ehole/Leadsec-Firewall.yml
rename to finger/manual/web/Leadsec-Firewall.yml
index c25413c..e12d1c1 100644
--- a/finger/ehole/Leadsec-Firewall.yml
+++ b/finger/manual/web/Leadsec-Firewall.yml
@@ -4,6 +4,7 @@ detail:
 fingerprint:
 name: Leadsec-Firewall
 fofa: title="网御 防火墙"
+ cpe: leadsec:firewall
 transport: http
 rules:
 r0:
@@ -13,4 +14,4 @@ rules:
 path: /
 follow_redirects: true
 expression: response.title_string.contains("网御 防火墙")
-expression: r0()
+expression: r0()
\ No newline at end of file
diff --git a/finger/ehole/Mattermost.yml b/finger/manual/web/Mattermost.yml
similarity index 58%
rename from finger/ehole/Mattermost.yml
rename to finger/manual/web/Mattermost.yml
index f04b777..2c653e9 100644
--- a/finger/ehole/Mattermost.yml
+++ b/finger/manual/web/Mattermost.yml
@@ -3,7 +3,8 @@ manual: false
 detail:
 fingerprint:
 name: Mattermost
- fofa: header="Mattermost" || title="Mattermost"
+ fofa: product="Mattermost"
+ cpe: mattermost:mattermost
 transport: http
 rules:
 r0:
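Review bot: The `favicon_hash` rule in the new finger/manual/web/DzzOffice.yml requests `/` with `follow_redirects: false` and no `cache: true`, while r0–r2 in the same file use `cache: true` and `follow_redirects: true`; the `favicon_hash` rule added in the second Mattermost.yml hunk has the same shape. If a deployment answers `/` with a redirect, the icon lookup presumably runs against the redirect response rather than the page r0–r2 matched, so the hash check may never fire there, and the uncached request likely costs an extra GET per target. Unless the difference is deliberate, align the request with the other rules (`cache: true`, `follow_redirects: true`), or add a comment such as `# favicon is resolved from the un-redirected root on purpose` so a later editor does not change it by mistake. How `getIconContent()` resolves the icon is not visible in this patch, so this should be confirmed against the engine.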
@@ -20,4 +21,10 @@ rules:
 path: /
 follow_redirects: true
 expression: response.title_string.contains("Mattermost")
-expression: r0() || r1()
+ favicon_hash:
+ request:
+ method: GET
+ path: /
+ follow_redirects: false
+ expression: faviconHash(response.getIconContent()) in [2091779061,-77128220,-940958811,1875634354,1158942057,180508508,-405956582]
+expression: r0() || r1() || favicon_hash()
\ No newline at end of file
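Review bot: The seven integers in the `favicon_hash` expression at the end of Mattermost.yml carry no provenance, and the same goes for the single hash -1961736892 in the new DzzOffice.yml. Because the top-level expression ORs this rule with the others, any one matching hash is enough to label a host as Mattermost and attach `cpe: mattermost:mattermost`, so a stale entry, or an icon that another product happens to reuse, would turn into a wrong inventory record without any other signal agreeing. A short comment above the rule, e.g. `# favicon hashes: <release or edition each value was taken from>`, would let a maintainer re-verify or prune entries later. The file also now ends without a trailing newline (`\ No newline at end of file`), as do the other two files in this patch.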