├── CHANGELOG ├── HOWTO ├── LICENSE ├── Makefile ├── README ├── WANTED ├── example_traffic └── msn_chat_and_file_transfer.txt ├── extra ├── README ├── audiogalaxy.pat ├── gtalk.pat ├── http-dap.pat ├── http-freshdownload.pat ├── http-itunes.pat ├── httpaudio.pat ├── httpcachehit.pat ├── httpcachemiss.pat ├── httpvideo.pat ├── pressplay.pat ├── quicktime.pat ├── snmp-mon.pat └── snmp-trap.pat ├── file_types ├── README ├── exe.pat ├── flash.pat ├── gif.pat ├── html.pat ├── jpeg.pat ├── mp3.pat ├── ogg.pat ├── pdf.pat ├── perl.pat ├── png.pat ├── postscript.pat ├── rar.pat ├── rpm.pat ├── rtf.pat ├── tar.pat └── zip.pat ├── groups.sh ├── l7-protocols.spec ├── malware ├── README ├── code_red.pat └── nimda.pat ├── protocols ├── 100bao.pat ├── aim.pat ├── aimwebcontent.pat ├── applejuice.pat ├── ares.pat ├── armagetron.pat ├── battlefield1942.pat ├── battlefield2.pat ├── battlefield2142.pat ├── bgp.pat ├── biff.pat ├── bittorrent.pat ├── chikka.pat ├── cimd.pat ├── ciscovpn.pat ├── citrix.pat ├── counterstrike-source.pat ├── cvs.pat ├── dayofdefeat-source.pat ├── dazhihui.pat ├── dhcp.pat ├── directconnect.pat ├── dns.pat ├── doom3.pat ├── edonkey.pat ├── fasttrack.pat ├── finger.pat ├── freenet.pat ├── ftp.pat ├── gkrellm.pat ├── gnucleuslan.pat ├── gnutella.pat ├── goboogy.pat ├── gopher.pat ├── guildwars.pat ├── h323.pat ├── halflife2-deathmatch.pat ├── hddtemp.pat ├── hotline.pat ├── http-rtsp.pat ├── http.pat ├── ident.pat ├── imap.pat ├── imesh.pat ├── ipp.pat ├── irc.pat ├── jabber.pat ├── kugoo.pat ├── live365.pat ├── liveforspeed.pat ├── lpd.pat ├── mohaa.pat ├── msn-filetransfer.pat ├── msnmessenger.pat ├── mute.pat ├── napster.pat ├── nbns.pat ├── ncp.pat ├── netbios.pat ├── nntp.pat ├── ntp.pat ├── openft.pat ├── pcanywhere.pat ├── poco.pat ├── pop3.pat ├── pplive.pat ├── qq.pat ├── quake-halflife.pat ├── quake1.pat ├── radmin.pat ├── rdp.pat ├── replaytv-ivs.pat ├── rlogin.pat ├── rtmp.pat ├── rtp.pat ├── rtsp.pat ├── runesofmagic.pat ├── shoutcast.pat ├── 
sip.pat ├── skypeout.pat ├── skypetoskype.pat ├── smb.pat ├── smtp.pat ├── snmp.pat ├── socks.pat ├── soribada.pat ├── soulseek.pat ├── ssdp.pat ├── ssh.pat ├── ssl.pat ├── stun.pat ├── subspace.pat ├── subversion.pat ├── teamfortress2.pat ├── teamspeak.pat ├── telnet.pat ├── tesla.pat ├── tftp.pat ├── thecircle.pat ├── tonghuashun.pat ├── tor.pat ├── tsp.pat ├── unknown.pat ├── unset.pat ├── uucp.pat ├── validcertssl.pat ├── ventrilo.pat ├── vnc.pat ├── whois.pat ├── worldofwarcraft.pat ├── x11.pat ├── xboxlive.pat ├── xunlei.pat ├── yahoo.pat └── zmaap.pat └── testing ├── Makefile ├── README ├── data ├── aim-1 ├── aim-2 ├── aim-3 ├── aim-4 ├── aim-5 ├── aim-6 ├── aresdownload-a ├── aresdownload-b ├── aresdownload-c ├── bittorrent-a-1 ├── bittorrent-a-2 ├── bittorrent-a-3 ├── bittorrent-a-4 ├── bittorrent-b-1 ├── bittorrent-b-2 ├── bittorrent-b-3 ├── bittorrent-b-4 ├── chikka-a-1 ├── chikka-a-2 ├── chikka-a-3 ├── chikka-b-1 ├── chikka-b-2 ├── chikka-b-3 ├── chikka-b-4 ├── chikka-b-5 ├── chikka-b-6 ├── chikka-b-7 ├── dce-rpc-spam-a-1 ├── dce-rpc-spam-b-1 ├── dns-1 ├── dns-2 ├── edonkey-tcp-a-1 ├── edonkey-tcp-a-2 ├── edonkey-tcp-b-1 ├── edonkey-tcp-b-2 ├── edonkey-tcp-b-3 ├── edonkey-tcp-b-4 ├── edonkey-tcp-b-5 ├── edonkey-tcp-b-6 ├── edonkey-udp-a-1 ├── edonkey-udp-b-1 ├── ftp-1 ├── ftp-2 ├── ftp-3 ├── ftp-4 ├── ftp-5 ├── gnutella-1 ├── gnutella-2 ├── gnutella-3 ├── gnutella-connect-1 ├── gnutella-connect-2 ├── gnutella-udp-a-1 ├── gnutella-udp-b-1 ├── gnutella-udp-c-1 ├── http-digg-304-1 ├── http-digg-304-2 ├── http-wunderground-1 ├── http-wunderground-2 ├── imap-1 ├── imap-2 ├── imap-3 ├── imap-4 ├── imap-5 ├── imap-6 ├── ipp-1 ├── jabber-1 ├── jabber-2 ├── jabber-3 ├── jabber-4 ├── jabber-5 ├── jabber-6 ├── skypeout-a-1 ├── skypeout-a-2 ├── skypeout-a-3 ├── skypeout-a-4 ├── skypeout-a-5 ├── skypeout-a-6 ├── skypeout-b-1 ├── skypeout-b-2 ├── skypeout-b-3 ├── skypeout-b-4 ├── skypeout-b-5 ├── skypeout-b-6 ├── skypeout-b-7 ├── skypeout-b-8 ├── skypeout-b-9 ├── 
skypeout-c-1 ├── skypeout-c-2 ├── skypeout-c-3 ├── skypeout-c-4 ├── skypeout-c-5 ├── skypeout-c-6 ├── skypeout-c-7 ├── skypeout-c-8 ├── skypeout-c-9 ├── ssdp-1 ├── ssh-1 ├── ssh-2 ├── ssh-3 ├── ssh-4 ├── ssh-5 ├── ssh-6 ├── stun-1 ├── stun-2 ├── validcertssl-1 ├── validcertssl-2 ├── validcertssl-3 ├── validcertssl-4 ├── validcertssl-5 ├── validcertssl-6 ├── winmx-1 ├── winmx-2 ├── winmx-3 ├── x11-1 ├── x11-2 ├── x11-3 ├── x11-4 ├── x11-5 ├── yahoo-1 ├── yahoo-2 ├── yahoo-3 └── yahoo-4 ├── doallspeeds.sh ├── l7-parse-patterns.cpp ├── l7-parse-patterns.h ├── match-kernel.c ├── randchars.c ├── randprintable.c ├── regexp ├── regerror.c ├── regexp.c ├── regexp.h ├── regmagic.h └── regsub.c ├── test_match.sh ├── test_speed-kernel.c ├── test_speed-userspace.cpp └── timeit.sh /HOWTO: -------------------------------------------------------------------------------- 1 | For general l7-filter HOWTO: http://l7-filter.sf.net/HOWTO 2 | For pattern writing HOWTO: http://l7-filter.sf.net/Pattern-HOWTO 3 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo Nothing to compile, just run \'make install\' 3 | @echo \(This simply copies this directory into $(PREFIX)/etc/l7-protocols \) 4 | install: 5 | mkdir -p $(PREFIX)/etc/l7-protocols 6 | cp -R * $(PREFIX)/etc/l7-protocols 7 | -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | *** WHAT'S GOING ON? *** 2 | 3 | These are patterns (protocol definitions) for the Linux layer 7 packet 4 | classifier (l7-filter). To use them, you need the kernel and iptables 5 | patches (or l7-filter userspace version) available at 6 | http://sf.net/projects/l7-filter/ . See the HOWTOs. 7 | 8 | To install these patterns into their default location, say "make install". 
9 | 10 | For a nice way to view these patterns: http://l7-filter.sf.net/protocols 11 | 12 | More information on the patterns can be found at http://protocolinfo.org 13 | This wiki is intended to make it easy for the community to pool its 14 | knowledge of how to identify network protocols. 15 | 16 | 17 | *** WHAT'S IN HERE? *** 18 | 19 | The patterns in the "protocols" directory are the mainstream ones. They 20 | match protocols like HTTP, FTP, eDonkey2000, Kazaa, and so on. 21 | 22 | "extra" is for patterns of less general interest. 23 | 24 | "malware" contains patterns for viruses and worms. 25 | 26 | "file_types" contains patterns for file types. 27 | 28 | "testing" contains programs for testing the speed & accuracy of the patterns. 29 | 30 | 31 | *** CAN I HELP? *** 32 | 33 | Please report your experience with these patterns at http://protocolinfo.org 34 | Or you can write to: l7-filter-developers@lists.sf.net . (You must subscribe at 35 | http://lists.sourceforge.net/lists/listinfo/l7-filter-developers to post.) 36 | 37 | You can also e-mail Matthew Strait directly at quadong AT users.sf.net 38 | 39 | Please note that many of these patterns were NOT written by experts. So 40 | if you think a pattern is broken and you know better, you may be right! 41 | -------------------------------------------------------------------------------- /WANTED: -------------------------------------------------------------------------------- 1 | Below is a list of protocols that we might want to have. The existence 2 | of a protocol on this list does not mean that we have researched it 3 | extensively (or at all), so some (probably many) may be obsolete, 4 | unpopular, misnamed, redundant, etc. 5 | 6 | Please read HOWTO for information on writing patterns. 
7 | 8 | P2P: 9 | MANOLITO (Blubster, Piolet, RockItNet) 10 | PeerCast 11 | IceShare 12 | Freecast 13 | CoolStreaming 14 | Cybersky-TV 15 | ANts P2P 16 | AsagumoWeb 17 | Avalanche (known to be vaporware as of June 2005) 18 | CAKE 19 | Chord 20 | Coral 21 | EarthStation 5 22 | FileTopia 23 | FotoSwap 24 | GNUnet 25 | Groove 26 | iFolder 27 | konspire2b 28 | Madster/Aimster 29 | OpenExt 30 | P-Grid 31 | JXTA 32 | Peersites 33 | MojoNation 34 | Mnet 35 | Octoshape 36 | Solipsis 37 | SPIN 38 | Swarmcast 39 | WASTE 40 | WinNY 41 | Legion 42 | 43 | Chat: 44 | Gadu-gadu - a popular Polish instant messenger protocol 45 | Zephyr 46 | SMS/SMPP 47 | 48 | VoIP: 49 | GameComm - http://www.gamecomm.com/ 50 | Roger Wilco - http://rogerwilco.gamespy.com/ 51 | IPCC? - http://en.wikipedia.org/wiki/FrontRange_Solutions 52 | IAX - http://en.wikipedia.org/wiki/IAX 53 | PeerMe - http://www.peerme.com/ 54 | Megaco (a.k.a. H.248) 55 | MGCP 56 | Skinny Client Control Protocol 57 | MiNET 58 | CorNet-IP 59 | Jajah - http://en.wikipedia.org/wiki/Jajah 60 | 61 | Misc: 62 | LDAP - Lightweight Directory Access Protocol 63 | MS-SQL - Microsoft SQL Mon and Server traffic 64 | NFS - Network File System 65 | RTCP - Real-time control protocol 66 | SunRPC - Sun's Remote Procedure Calls 67 | XDMCP - X-Windows Display Manager Control Protocol 68 | -------------------------------------------------------------------------------- /extra/README: -------------------------------------------------------------------------------- 1 | This directory contains patterns that may not be of general interest, 2 | such as patterns for "protocols" that are really subsets of other 3 | protocols (example: Quicktime HTTP). For HTTP subsets, you should 4 | consider using a transparent proxy rather than l7-filter. 
5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | -------------------------------------------------------------------------------- /extra/audiogalaxy.pat: -------------------------------------------------------------------------------- 1 | # Audiogalaxy - (defunct) Peer to Peer filesharing 2 | # Pattern attributes: ok fast fast 3 | # Protocol groups: p2p obsolete 4 | # Wiki: http://protocolinfo.org/wiki/Audiogalaxy 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # http://www.movspclr.co.uk/info/agprotocol.html 8 | # 9 | # This pattern is untested. 10 | # 11 | # To get or provide more information about this protocol and/or pattern: 12 | # http://www.protocolinfo.org/wiki/Audiogalaxy 13 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 14 | 15 | audiogalaxy 16 | # (magic cookie that starts conversations)|(magic cookie that starts 17 | # 0.606W/0.608W client/server conversations and a string that should always 18 | # appear in login messages) 19 | ^(\x45\x5f\xd0\xd5|\x45\x5f.*0.60(6|8)W) 20 | -------------------------------------------------------------------------------- /extra/gtalk.pat: -------------------------------------------------------------------------------- 1 | # GTalk, a Jabber (XMPP) client 2 | # Pattern attributes: good veryfast fast subset 3 | # Protocol groups: chat ietf_proposed_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/Jabber 5 | # Copyright (C) 2009 Matthew Strait; See ../LICENSE 6 | 7 | # See ../protocols/jabber.pat for more details 8 | 9 | gtalk 10 | ^ 11 | 12 | http-itunes 13 | http/(0\.9|1\.0|1\.1).*(user-agent: itunes) 14 | 15 | -------------------------------------------------------------------------------- /extra/httpaudio.pat: -------------------------------------------------------------------------------- 1 | # HTTP - Audio over HyperText Transfer Protocol (RFC 2616) 2 | # Pattern attributes: good notsofast notsofast subset 3 | # Protocol groups: 
streaming_audio document_retrieval ietf_draft_standard 4 | # Wiki: http://protocolinfo.org/wiki/HTTP 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Usually runs on port 80 8 | # 9 | # Contributed by Deepak Seshadri 10 | # 11 | # This pattern has been tested and is believed to work well. 12 | # 13 | # To get or provide more information about this protocol and/or pattern: 14 | # http://www.protocolinfo.org/wiki/HTTP 15 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 16 | # 17 | # If you use this, you should be aware that: 18 | # 19 | # - they match both simple downloads of audio/video and streaming content. 20 | # 21 | # - blocking based on content-type encourages server 22 | # writers/administrators to misreport content-type (which will just make 23 | # headaches for everyone, including us), so I would strongly recommend 24 | # shaping audio/video down to a speed that discourages use of streaming 25 | # players without actually blocking it. 26 | # 27 | # - obviously, since this is a subset of HTTP, you need to match it 28 | # earlier in your iptables rules than HTTP. 29 | 30 | httpaudio 31 | http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(content-type: audio) 32 | 33 | -------------------------------------------------------------------------------- /extra/httpcachehit.pat: -------------------------------------------------------------------------------- 1 | # HTTP - Proxy Cache hit for HyperText Transfer Protocol (RFC 2616) 2 | # Pattern attributes: good notsofast notsofast subset 3 | # Protocol groups: document_retrieval ietf_draft_standard 4 | # Wiki: http://protocolinfo.org/wiki/HTTP 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Usually runs on port 80 8 | # 9 | # Contributed by Francesco Del Degan 10 | # 11 | # This pattern has been tested and is believed to work well. 
12 | # 13 | # To get or provide more information about this protocol and/or pattern: 14 | # http://www.protocolinfo.org/wiki/HTTP 15 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 16 | 17 | httpcachehit 18 | http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(x-cache: hit) 19 | 20 | -------------------------------------------------------------------------------- /extra/httpcachemiss.pat: -------------------------------------------------------------------------------- 1 | # HTTP - Proxy Cache miss for HyperText Transfer Protocol (RFC 2616) 2 | # Pattern attributes: good notsofast notsofast subset 3 | # Protocol groups: document_retrieval ietf_draft_standard 4 | # Wiki: http://protocolinfo.org/wiki/HTTP 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Usually runs on port 80 8 | # 9 | # This pattern has been tested and is believed to work well. 10 | # 11 | # To get or provide more information about this protocol and/or pattern: 12 | # http://www.protocolinfo.org/wiki/HTTP 13 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 14 | 15 | httpcachemiss 16 | http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(x-cache: miss) 17 | 18 | -------------------------------------------------------------------------------- /extra/httpvideo.pat: -------------------------------------------------------------------------------- 1 | # HTTP - Video over HyperText Transfer Protocol (RFC 2616) 2 | # Pattern attributes: good notsofast notsofast subset 3 | # Protocol groups: streaming_video document_retrieval ietf_draft_standard 4 | # Wiki: http://protocolinfo.org/wiki/HTTP 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Usually runs on port 80 8 | # 9 | # Contributed by Deepak Seshadri 10 | # 11 | # This pattern has been tested and is believed to work well. 
12 | # 13 | # To get or provide more information about this protocol and/or pattern: 14 | # http://www.protocolinfo.org/wiki/HTTP 15 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 16 | # 17 | # If you use this, you should be aware that: 18 | # 19 | # - they match both simple downloads of audio/video and streaming content. 20 | # 21 | # - blocking based on content-type encourages server 22 | # writers/administrators to misreport content-type (which will just make 23 | # headaches for everyone, including us), so I would strongly recommend 24 | # shaping audio/video down to a speed that discourages use of streaming 25 | # players without actually blocking it. 26 | # 27 | # - obviously, since this is a subset of HTTP, you need to match it 28 | # earlier in your iptables rules than HTTP. 29 | 30 | httpvideo 31 | http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(content-type: video) 32 | 33 | -------------------------------------------------------------------------------- /extra/pressplay.pat: -------------------------------------------------------------------------------- 1 | # pressplay - A legal music distribution site - http://pressplay.com 2 | # Pattern attributes: ok notsofast notsofast 3 | # Protocol groups: document_retrieval obsolete proprietary 4 | # Wiki: http://www.protocolinfo.org/wiki/Pressplay 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This pattern was "contributed" (taken with permission) by the bandwidth 8 | # arbitrator project (www.bandwidtharbitrator.com). 9 | # 10 | # This pattern is unconfirmed. 11 | 12 | pressplay 13 | # can we do better than this? 
14 | user-agent: nsplayer 15 | 16 | -------------------------------------------------------------------------------- /extra/quicktime.pat: -------------------------------------------------------------------------------- 1 | # Quicktime HTTP 2 | # Pattern attributes: good notsofast notsofast subset 3 | # Protocol groups: streaming_video streaming_audio ietf_draft_standard 4 | # Wiki: http://protocolinfo.org/wiki/HTTP 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This pattern has been tested and is believed to work well. 8 | # (Quick Time v6.5.1 downloading from www.apple.com/trailers) 9 | # 10 | # To get or provide more information about this protocol and/or pattern: 11 | # http://www.protocolinfo.org/wiki/HTTP 12 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 13 | # 14 | # Since this is a subset of HTTP, it should be put earlier in the packet 15 | # filtering chain than HTTP. Also, please don't use this to block Quicktime. 16 | # If you must do that, you should use a filtering HTTP proxy, which is probably 17 | # more accurate. 18 | 19 | quicktime 20 | user-agent: quicktime \(qtver=[0-9].[0-9].[0-9];os=[\x09-\x0d -~]+\)\x0d\x0a 21 | 22 | -------------------------------------------------------------------------------- /extra/snmp-mon.pat: -------------------------------------------------------------------------------- 1 | # SNMP Monitoring - Simple Network Management Protocol (RFC1157) 2 | # Pattern attributes: good veryfast fast subset 3 | # Protocol groups: networking ietf_internet_standard 4 | # Wiki: http://en.wikipedia.org/wiki/SNMP 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Usually runs on UDP ports 161 8 | # 9 | # These filters match SNMPv1 packets without fail, and are made 10 | # as specific as possible not to match any ASN.1 encoded protocols. 
11 | # However these could still be matched by other protocols that 12 | # use ASN.1 encoding 13 | 14 | # Contributed by Goli SriSairam 15 | 16 | # This pattern has been tested and is believed to work well. 17 | # 18 | # To get or provide more information about this protocol and/or pattern: 19 | # http://www.protocolinfo.org/wiki/SNMP 20 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 21 | 22 | # SNMPv1 GET/GETNEXT/SET request and response 23 | # matches SNMP header 24 | # version \x02\x01 25 | # community \x04.+ 26 | # PDU type [\xa0-\xa3] (GET/GETNEXT/SET/GETRESPONSE) 27 | # RequestId \x02[\x01-\x04].?.?.?.? 28 | # errorStatus \x02\x01.? 29 | # errorIndex \x02\x01.? 30 | # varbinds start \x30 31 | snmp-mon 32 | ^\x02\x01\x04.+[\xa0-\xa3]\x02[\x01-\x04].?.?.?.?\x02\x01.?\x02\x01.?\x30 33 | -------------------------------------------------------------------------------- /extra/snmp-trap.pat: -------------------------------------------------------------------------------- 1 | # SNMP Traps - Simple Network Management Protocol (RFC1157) 2 | # Pattern attributes: good veryfast fast subset 3 | # Protocol groups: networking ietf_internet_standard 4 | # Wiki: http://en.wikipedia.org/wiki/SNMP 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Usually runs on UDP port 162 8 | # 9 | # These filters match SNMPv1 packets without fail, and are made 10 | # as specific as possible not to match any ASN.1 encoded protocols. 11 | # However these could still be matched by other protocols that 12 | # use ASN.1 encoding 13 | 14 | # Contributed by Goli SriSairam 15 | 16 | # This pattern has been tested and is believed to work well. 
17 | # 18 | # To get or provide more information about this protocol and/or pattern: 19 | # http://www.protocolinfo.org/wiki/SNMP 20 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 21 | 22 | # SNMPv1 Trap 23 | # matches SNMP trap header 24 | # version \x02\x01 25 | # community string \x04.+ 26 | # PDU type \xa4 (TRAP) 27 | # enterprise \x06.+ 28 | # agent address \x40\x04.?.?.?.? 29 | # trap type \x02\x01.? 30 | # specific trap type \x02\x01.? 31 | # timestamp \x43 32 | snmp-trap 33 | ^\x02\x01\x04.+\xa4\x06.+\x40\x04.?.?.?.?\x02\x01.?\x02\x01.?\x43 34 | -------------------------------------------------------------------------------- /file_types/README: -------------------------------------------------------------------------------- 1 | Patterns in this directory are not for network protocols, but rather for 2 | file types. They are for cases in which you would like to 3 | promote/restrict transfer of one file type regardless of what protocol 4 | it is being transferred over. 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | 7 | Writing patterns for this directory is pretty easy. Often 8 | /usr/share/magic has everything you need to know. If you'd like 9 | something that isn't here, please ask for it. 10 | 11 | Notes: 12 | 13 | 0) Support for doing this is pretty sketchy. Proceed at your own risk. 14 | 15 | 1) These patterns cannot use the ^ and $ anchors, because although you 16 | may be matching the beginning of a file, it's not the beginning of a 17 | connection. 18 | 19 | 2) A connection may very well contain more than one file transfer and/or 20 | things other than file transfers. These will match the first file sent 21 | (or nothing if the first stuff isn't a file) and continue to apply that 22 | classification to all subsequent files of that connection, regardless of 23 | their content. For instance: 24 | 25 | - HTTP can send several files over the same connection. 
l7-filter can 26 | match the first one, but subsequent ones just get the original match 27 | applied to them. 28 | 29 | - SMB sends all sorts of chatter over the same TCP connection as files 30 | are sent over, so we can't match its file transfers at all. 31 | 32 | 3) Since the file starts later than the application layer protocol 33 | information, you may need to increase the number of packets and bytes 34 | examined. Use /proc/net/layer7_numpackets to increase the number of 35 | packets examined, e.g. "echo 12 > /proc/net/layer7_numpackets". 36 | To increase the number of bytes examined, you'll need to recompile 37 | your kernel. See the documentation at http://l7-filter.sf.net 38 | 39 | 4) If you want a filter for both a file type and the application layer 40 | protocol that this file type is transported over (e.g. HTML and HTTP), 41 | you've got a difficult situation. Each connection can only be 42 | classified as one thing at a time. The obvious thing is to set up 43 | a tree like this: 44 | 45 | (root) 46 | \_ HTTP 47 | | \_ HTML 48 | | \_ PDF 49 | \_ FTP 50 | \_ TAR 51 | \_ PS 52 | \_ PDF 53 | 54 | But if you do this, you'll find that the file types never match, because 55 | the connections have already been classified by their protocol. 56 | 57 | So what's the solution? Well, you can do this instead: 58 | 59 | (root) 60 | \_ port 80 61 | | \_ HTML 62 | | \_ PDF 63 | \_ port 21 64 | \_ TAR 65 | \_ PS 66 | \_ PDF 67 | 68 | (Except, of course, that FTP data doesn't actually go over port 21, so 69 | some extra magic is needed there.) 70 | 71 | Or perhaps you could use IMQ to create several unrelated regions of 72 | classification, e.g. on ingress, classify and shape on protocol 73 | and on egress, classify and shape on file type. I haven't tried this. 
74 | -------------------------------------------------------------------------------- /file_types/exe.pat: -------------------------------------------------------------------------------- 1 | # Executable - Microsoft PE file format. 2 | # Pattern attributes: good notsofast notsofast subset 3 | # Protocol groups: file 4 | 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # Thanks to Brandon Enright [bmenrighATucsd.edu] 7 | 8 | # This pattern doesn't technically match the PE file format but rather the 9 | # MZ stub program Microsoft uses for backwards compatibility with DOS. 10 | # That means this will correctly match DOS executables too. 11 | 12 | exe 13 | # There are two different stubs used depending on the compiler/packer. 14 | # Numerous NULL bytes have been stripped from this pattern. 15 | 16 | # This pattern may be more efficient: 17 | # \x4d\x5a\x90\x03\x04|\x4d\x5a\x50\x02\x04 18 | 19 | # This is easier to understand: 20 | \x4d\x5a(\x90\x03|\x50\x02)\x04 21 | -------------------------------------------------------------------------------- /file_types/flash.pat: -------------------------------------------------------------------------------- 1 | # Flash - Macromedia Flash. 
2 | # Pattern attributes: good slow notsofast subset 3 | # Protocol groups: file 4 | 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # Thanks to Brandon Enright {bmenrigh AT ucsd.edu} and chinalantian at 7 | # 126 dot com 8 | 9 | # Macromedia spec: 10 | # http://download.macromedia.com/pub/flash/flash_file_format_specification.pdf 11 | # See also: 12 | # http://www.digitalpreservation.gov/formats/fdd/fdd000130.shtml 13 | # http://osflash.org/flv 14 | 15 | flash 16 | # FWS = uncompressed, CWS = compressed, next byte is version number 17 | # FLV = video 18 | [FC]WS[\x01-\x09]|FLV\x01\x05\x09 19 | -------------------------------------------------------------------------------- /file_types/gif.pat: -------------------------------------------------------------------------------- 1 | # GIF - Popular Image format. 2 | # Pattern attributes: good notsofast notsofast subset 3 | # Protocol groups: file 4 | 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | gif 7 | # drawn from /usr/share/magic 8 | GIF8(7|9)a 9 | -------------------------------------------------------------------------------- /file_types/html.pat: -------------------------------------------------------------------------------- 1 | # (X)HTML - (Extensible) Hypertext Markup Language - http://w3.org 2 | # Pattern attributes: good fast notsofast subset 3 | # Protocol groups: file 4 | # 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # This pattern has been tested and is believed to work well. 7 | 8 | # this should match any (X)HTML document from any version that conforms 9 | # even vaguely to the standards. 10 | html 11 | 12 | -------------------------------------------------------------------------------- /file_types/jpeg.pat: -------------------------------------------------------------------------------- 1 | # JPEG - Joint Picture Expert Group image format. 
2 | # Pattern attributes: ok fast notsofast subset 3 | # Protocol groups: file 4 | 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | jpeg 7 | # drawn from /usr/share/magic 8 | \xff\xd8 9 | -------------------------------------------------------------------------------- /file_types/mp3.pat: -------------------------------------------------------------------------------- 1 | # MP3 - Moving Picture Experts Group Audio Layer III 2 | # Pattern attributes: good notsofast notsofast subset 3 | # Protocol groups: file 4 | 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # By LanTian (chinalantian at 126 d.t com) 7 | 8 | # Only matches the standard MP3 form; non-standard files might not be matched. 9 | 10 | mp3 11 | \x49\x44\x33\x03 12 | -------------------------------------------------------------------------------- /file_types/ogg.pat: -------------------------------------------------------------------------------- 1 | # Ogg - Ogg Vorbis music format (not any ogg file, just vorbis) 2 | # Pattern attributes: ok notsofast notsofast subset 3 | # Protocol groups: file 4 | 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | ogg 7 | oggs.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?\x01vorbis 8 | -------------------------------------------------------------------------------- /file_types/pdf.pat: -------------------------------------------------------------------------------- 1 | # PDF - Portable Document Format - Postscript-like format by Adobe 2 | # Pattern attributes: good fast notsofast subset 3 | # Protocol groups: file 4 | # 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # This pattern has been tested and is believed to work well. 7 | 8 | # Matches PDF versions 1.0 - 1.6 (not sure if 1.6 exists yet, but it probably 9 | # will. 
10 | pdf 11 | %PDF-1\.[0123456] 12 | -------------------------------------------------------------------------------- /file_types/perl.pat: -------------------------------------------------------------------------------- 1 | # Perl - A scripting language by Larry Wall. 2 | # Pattern attributes: good fast notsofast subset 3 | # Protocol groups: file 4 | 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | perl 7 | \#! ?/(usr/(local/)?)?bin/perl 8 | -------------------------------------------------------------------------------- /file_types/png.pat: -------------------------------------------------------------------------------- 1 | # PNG - Portable Network Graphics, a popular image format 2 | # Pattern attributes: good fast notsofast subset 3 | # Protocol groups: file 4 | 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # Contributed by Radovan Josth. Tested at least a bit. 7 | 8 | png 9 | # drawn from /usr/share/magic 10 | \x89PNG\x0d\x0a\x1a\x0a 11 | 12 | # this is probably sufficient, but by default let's use the longer version 13 | # \x89PNG 14 | -------------------------------------------------------------------------------- /file_types/postscript.pat: -------------------------------------------------------------------------------- 1 | # Postscript - Printing Language 2 | # Pattern attributes: good fast notsofast subset 3 | # Protocol groups: file 4 | 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | postscript 7 | %!ps 8 | -------------------------------------------------------------------------------- /file_types/rar.pat: -------------------------------------------------------------------------------- 1 | # RAR - The WinRAR archive format 2 | # Pattern attributes: good notsofast notsofast subset 3 | # Protocol groups: file 4 | 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | rar 7 | rar\x21\x1a\x07 8 | 
-------------------------------------------------------------------------------- /file_types/rpm.pat: -------------------------------------------------------------------------------- 1 | # RPM - Redhat Package Management packages 2 | # Pattern attributes: good fast notsofast subset 3 | # Protocol groups: file 4 | 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | rpm 7 | \xed\xab\xee\xdb.?.?.?.?[1-7] 8 | -------------------------------------------------------------------------------- /file_types/rtf.pat: -------------------------------------------------------------------------------- 1 | # RTF - Rich Text Format - an open document format 2 | # Pattern attributes: good fast notsofast subset 3 | # Protocol groups: file 4 | 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | rtf 7 | \{\\rtf[12] 8 | 9 | -------------------------------------------------------------------------------- /file_types/tar.pat: -------------------------------------------------------------------------------- 1 | # Tar - tape archive. Standard UNIX file archiver, not just for tapes. 2 | # Pattern attributes: good notsofast notsofast subset 3 | # Protocol groups: file 4 | 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | tar 7 | # /usr/share/magic 8 | ## POSIX tar archives 9 | #257 string ustar\0 POSIX tar archive 10 | #257 string ustar\040\040\0 GNU tar archive 11 | # this is pretty general. It's not a dictionary word, but still... 
12 | ustar 13 | -------------------------------------------------------------------------------- /file_types/zip.pat: -------------------------------------------------------------------------------- 1 | # ZIP - (PK|Win)Zip archive format 2 | # Pattern attributes: good notsofast notsofast subset 3 | # Protocol groups: file 4 | 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | zip 7 | pk\x03\x04\x14 8 | -------------------------------------------------------------------------------- /groups.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cat */*.pat | grep -i "Protocol Groups" | cut -d\ -f 4- | tr ' ' '\n' | sort | uniq -c | sort -n 3 | -------------------------------------------------------------------------------- /l7-protocols.spec: -------------------------------------------------------------------------------- 1 | Name: l7-protocols 2 | Summary: Protocol definitions files for l7-filter 3 | Version: FILL_THIS_IN_WITH_THE_VERSION_NUMBER 4 | Release: 1 5 | License: GPL 6 | Group: Applications/Internet 7 | URL: http://l7-filter.sourceforge.net/ 8 | Source0: http://prdownloads.sf.net/l7-filter/%name-%version.tar.gz 9 | BuildRoot: %{_tmppath}/%{name}-buildroot 10 | 11 | %description 12 | Protocol definitions files for use with the Linux Layer 7 Packet Classifier. 13 | These files are regular expressions that define Internet protocols such as 14 | HTTP, MSN Messenger, FTP, Cisco VPN, Fasttrack, DNS, Gnutella, Quake, etc. 
15 | 16 | %prep 17 | %setup -q 18 | 19 | %build 20 | 21 | %install 22 | rm -rf $RPM_BUILD_ROOT 23 | make PREFIX=$RPM_BUILD_ROOT install 24 | 25 | %clean 26 | 27 | %files 28 | %defattr(-, root, root) 29 | /etc/l7-protocols/ 30 | 31 | %changelog 32 | * Thu Dec 08 2004 FIRSTNAME LASTNAME VERSION-1 33 | - Upgrade to VERSION 34 | * Wed Jul 07 2004 Matthew Strait 2004_07_07-1 35 | - Initial RPM 36 | 37 | -------------------------------------------------------------------------------- /malware/README: -------------------------------------------------------------------------------- 1 | This directory holds patterns for viruses, worms and the like. 2 | 3 | Please see also ../file_types/README 4 | 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | The patterns here now (Code Red, Nimda) are only for proof-of-concept. 7 | To usefully control the spread of a new worm through bandwidth 8 | arbitration, it will be necessary for new patterns to be written quickly 9 | in response to the new worm. Also the patterns must be more flexible 10 | than the ones presented here, as these only use simple string matching, 11 | which would be easily defeated by any reasonably clever worm. 
12 | -------------------------------------------------------------------------------- /malware/code_red.pat: -------------------------------------------------------------------------------- 1 | # Code Red - a worm that attacks Microsoft IIS web servers 2 | # Pattern attributes: ok fast notsofast subset 3 | # Protocol groups: worm 4 | # Wiki: http://www.protocolinfo.org/wiki/CodeRed 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | 7 | code_red 8 | /default\.ida\?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 9 | -------------------------------------------------------------------------------- /malware/nimda.pat: -------------------------------------------------------------------------------- 1 | # Nimda - a worm that attacks Microsoft IIS web servers, and MORE! 
2 | # Pattern attributes: ok notsofast notsofast subset 3 | # Protocol groups: worm 4 | # Wiki: http://www.protocolinfo.org/wiki/Nimda 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | 7 | nimda 8 | GET (/scripts/root\.exe\?/c\+dir|/MSADC/root\.exe\?/c\+dir|/c/winnt/system32/cmd\.exe\?/c\+dir|/d/winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/_vti_bin/\.\.%5c\.\./\.\.%5c\.\./\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/_mem_bin/\.\.%5c\.\./\.\.%5c\.\./\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/msadc/\.\.%5c\.\./\.\.%5c\.\./\.\.%5c/\.\.\xc1\x1c\.\./\.\.\xc1\x1c\.\./\.\.\xc1\x1c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc1\x1c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc0/\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc0\xaf\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc1\x9c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%35c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%35c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%2f\.\./winnt/system32/cmd\.exe\?/c\+dir) 9 | -------------------------------------------------------------------------------- /protocols/100bao.pat: -------------------------------------------------------------------------------- 1 | # 100bao - a Chinese P2P protocol/program - http://www.100bao.com 2 | # Pattern attributes: ok veryfast fast 3 | # Protocol groups: p2p 4 | # Wiki: http://www.protocolinfo.org/wiki/100Bao 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Pattern written by www.routerclub.com's wsgtrsys. 8 | # The author of this pattern says it works, but this is unconfirmed. 
9 | 10 | 100bao 11 | ^\x01\x01\x05\x0a 12 | 13 | -------------------------------------------------------------------------------- /protocols/aim.pat: -------------------------------------------------------------------------------- 1 | # AIM - AOL instant messenger (OSCAR and TOC) 2 | # Pattern attributes: good slow notsofast 3 | # Protocol groups: chat proprietary 4 | # Wiki: http://www.protocolinfo.org/wiki/AIM 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Usually runs on port 5190 8 | # 9 | # This may also match ICQ traffic. 10 | # 11 | # This pattern has been tested and is believed to work well. 12 | 13 | aim 14 | # See http://gridley.res.carleton.edu/~straitm/final (and various other places) 15 | # The first bit matches OSCAR signon and data commands; it is not clear what 16 | # \x03\x0b matches, but it apparently works. 17 | # The next three bits match various parts of the TOC signon process. 18 | # The third one is the magic number "*", then 0x01 for "signon", then up to four 19 | # bytes ("up to" because l7-filter strips out nulls) which contain a sequence 20 | # number (2 bytes) the data length (2 more) and 3 nulls (which don't count), 21 | # then 0x01 for the version number (not sure if there ever has been another 22 | # version) 23 | # The fourth one is a command string, followed by some stuff, then the 24 | # beginning of the "roasted" password 25 | 26 | # This pattern is too slow! 
27 | 28 | ^(\*[\x01\x02].*\x03\x0b|\*\x01.?.?.?.?\x01)|flapon|toc_signon.*0x 29 | -------------------------------------------------------------------------------- /protocols/aimwebcontent.pat: -------------------------------------------------------------------------------- 1 | # AIM web content - ads/news content downloaded by AOL Instant Messenger 2 | # Pattern attributes: good notsofast notsofast 3 | # Protocol groups: chat document_retrieval proprietary 4 | # Wiki: http://www.protocolinfo.org/wiki/AIM 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This pattern has been tested and is believed to work well. 8 | 9 | aimwebcontent 10 | user-agent:aim/ 11 | -------------------------------------------------------------------------------- /protocols/applejuice.pat: -------------------------------------------------------------------------------- 1 | # Apple Juice - P2P filesharing - http://www.applejuicenet.de 2 | # Pattern attributes: great veryfast fast 3 | # Protocol groups: p2p 4 | # Wiki: http://www.protocolinfo.org/wiki/AppleJuice 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This pattern has been tested with the Linux version (version 8 | # 0,29,142,229). It matches search requests and file transfers. 9 | 10 | applejuice 11 | # this pattern extracted from ipp2p, by Eicke Friedrich. 12 | ^ajprot\x0d\x0a 13 | -------------------------------------------------------------------------------- /protocols/ares.pat: -------------------------------------------------------------------------------- 1 | # Ares - P2P filesharing - http://aresgalaxy.sf.net 2 | # Pattern attributes: good veryfast fast undermatch 3 | # Protocol groups: p2p open_source 4 | # Wiki: http://www.protocolinfo.org/wiki/Ares 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | 7 | # This pattern catches only client-server connect messages. 
This is 8 | # sufficient for blocking, but not for shaping, since it doesn't catch 9 | # the actual file transfers (see below). 10 | 11 | # Original pattern by Brandon Enright 12 | 13 | # This pattern has been tested with Ares 1.8.8.2998. 14 | 15 | ares 16 | # regular expression madness: "[]Z]" means ']' or 'Z'. 17 | ^\x03[]Z].?.?\x05$ 18 | 19 | # It appears that the general packet format is: 20 | # - Two byte little endian integer giving the data length 21 | # - One byte packet type 22 | # - data 23 | # 24 | # Login packets (TCP) have the following format: 25 | # - \x03\x00 (the length appears to always be 3) 26 | # - \x5a - The login packet type. 27 | # The source code suggests that for supernodes \x5d is used instead. 28 | # - Three more bytes. I don't know the meaning of these, but for me they 29 | # are always \x06\x06\x05 (in Ares 1.8.8.2998). From the comments in IPP2P, 30 | # it seems that they are not always exactly that, but seem to always end in 31 | # \x05. 32 | # 33 | # Search packets have the following format: 34 | # - Two byte little endian integer giving the data length 35 | # A single two letter word makes this \x0a 36 | # The biggest I could get it was \x4f 37 | # - Packet type = \x09 38 | # - One byte document type: 39 | # - "all" = 00 40 | # - "audio" = 01 41 | # - "software" = 03 42 | # - "video" = 05 43 | # - "document" = 06 44 | # - "image" = 07 45 | # - "other" = 08 46 | # - \x0f - I don't know what this means, but it is always this for me 47 | # - Two bytes of unknown meaning that change 48 | # - Some number of search words: 49 | # - \x14 - I don't know what this means, but it is always this for me 50 | # - One byte length of the first search word 51 | # Between 2 and \x14 in my tests with Ares 1.8.8.2998 52 | # It ignores single letter words and truncates ones longer than \x14 53 | # - Two bytes of unknown meaning that change 54 | # - The search word (not null terminated) 55 | # This was all investigated by searching for strings in "all". 
Searches 56 | # can also be performed in "title" and "author". I'm not going to 57 | # bother to research these because I now realize that searches are done 58 | # on the same TCP connection as the login packets, so there is no need 59 | # to match them separately. 60 | # 61 | # File transfers appear to be encrypted or at least obfuscated. (The 62 | # files themselves, at least, are not transmitted in the clear.) I 63 | # haven't found any patterns. 64 | -------------------------------------------------------------------------------- /protocols/armagetron.pat: -------------------------------------------------------------------------------- 1 | # Armagetron Advanced - open source Tron/snake based multiplayer game 2 | # Pattern attributes: good slow notsofast 3 | # Protocol groups: open_source game 4 | # Wiki: http://protocolinfo.org/wiki/Armagetron 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | 7 | # Contributed to protocolinfo.org, possibly by joda.bot, who says "The 8 | # filter matches the initial transfer of configuration data. Very early 9 | # versions might not transfer the CYCLE_ Settings (before 0.2.5.x)." 10 | 11 | armagetron 12 | YCLC_E|CYEL 13 | -------------------------------------------------------------------------------- /protocols/battlefield1942.pat: -------------------------------------------------------------------------------- 1 | # Battlefield 1942 - An EA game 2 | # Pattern attributes: ok veryfast fast 3 | # Protocol groups: game proprietary 4 | # Wiki: http://www.protocolinfo.org/wiki/Battlefield_1942 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Contributed by Myles Uyema 8 | # 9 | # This pattern has only been tested by one person. 
10 | 11 | # tested on two original EA battlefield 1942 servers 12 | # matches the first two packets of joining a server 13 | battlefield1942 14 | ^\x01\x11\x10\|\xf8\x02\x10\x40\x06 15 | -------------------------------------------------------------------------------- /protocols/battlefield2.pat: -------------------------------------------------------------------------------- 1 | # Battlefield 2 - An EA game. 2 | # Pattern attributes: ok slow notsofast 3 | # Protocol groups: game proprietary 4 | # Wiki: http://www.protocolinfo.org/wiki/Battlefield_2 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This pattern is unconfirmed except implicitly by a comment on protocolinfo. 8 | 9 | battlefield2 10 | # gameplay|account-login|server browsing/information 11 | # See http://protocolinfo.org/wiki/Battlefield_2 12 | # Can we put a ^ on the last branch? If so, notsofast --> veryfast 13 | 14 | # 193.85.217.35 on protocolinfo says: 15 | # The first part of the pattern, \x11\x20\x01\xa0\x98\x11, has to be 16 | # modified for different versions of Battlefield 2. The gameplay part of 17 | # pattern for BF2 v1.4 is \x11\x20\x01\x30\xb9\x10\x11, and for BF2 18 | # v1.41 is \x11\x20\x01\x50\xb9\x10\x11 19 | # 20 | # Rather than put all of those in, I've just gone with "...?" in the 21 | # middle. 22 | 23 | ^(\x11\x20\x01...?\x11|\xfe\xfd.?.?.?.?.?.?(\x14\x01\x06|\xff\xff\xff))|[]\x01].?battlefield2 24 | 25 | # Pattern prior to 193.85.217.35's comment on protocolinfo: 26 | #^(\x11\x20\x01\xa0\x98\x11|\xfe\xfd.?.?.?.?.?.?(\x14\x01\x06|\xff\xff\xff))|[]\x01].?battlefield2 27 | -------------------------------------------------------------------------------- /protocols/battlefield2142.pat: -------------------------------------------------------------------------------- 1 | # Battlefield 2142 - An EA game. 
2 | # Pattern attributes: ok fast fast 3 | # Protocol groups: proprietary game 4 | # Wiki: http://protocolinfo.org/wiki/Battlefield_2142 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | 7 | # Submitted by Telsin. Not confirmed. 8 | 9 | battlefield2142 10 | # gameplay|account-login|server browsing/information 11 | # Can't put a ^ on the last branch: it fails to match if you do. 12 | # This branch seems to matter very rarely, though 13 | ^(\x11\x20\x01\x90\x50\x64\x10|\xfe\xfd.?.?.?\x18|[\x01\\].?battlefield2) 14 | 15 | -------------------------------------------------------------------------------- /protocols/bgp.pat: -------------------------------------------------------------------------------- 1 | # BGP - Border Gateway Protocol - RFC 1771 2 | # Pattern attributes: ok veryfast fast 3 | # Protocol groups: networking ietf_draft_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/BGP 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This pattern is UNTESTED. 8 | 9 | bgp 10 | # "After a transport protocol connection is established, the first 11 | # message sent by each side is an OPEN message." 12 | # "If the Type of the message is OPEN, or if the Authentication Code used 13 | # in the OPEN message of the connection is zero, then the Marker must be 14 | # all ones." 15 | # Then the 2 byte length field, then the 1 byte type field (1 = OPEN). 16 | # Then the BGP version: 3 was RFC'd in 1991, 4 was RFC'd in 1995. 17 | # Could keep going, but that should be sufficient. 
18 | ^\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff..?\x01[\x03\x04] 19 | 20 | -------------------------------------------------------------------------------- /protocols/biff.pat: -------------------------------------------------------------------------------- 1 | # Biff - new mail notification 2 | # Pattern attributes: good fast fast undermatch overmatch 3 | # Protocol groups: mail 4 | # Wiki: http://www.protocolinfo.org/wiki/Biff 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Usually runs on port 512 8 | # 9 | # This pattern is completely untested. 10 | 11 | biff 12 | # This is a rare case where we will specify a $ (end of line), since 13 | # this is the entirety of the communication. 14 | # something that looks like a username, an @, a number. 15 | # won't catch usernames that have strange characters in them. 16 | ^[a-z][a-z0-9]+@[1-9][0-9]+$ 17 | -------------------------------------------------------------------------------- /protocols/bittorrent.pat: -------------------------------------------------------------------------------- 1 | # Bittorrent - P2P filesharing / publishing tool - http://www.bittorrent.com 2 | # Pattern attributes: good slow notsofast undermatch 3 | # Protocol groups: p2p open_source 4 | # Wiki: http://www.protocolinfo.org/wiki/Bittorrent 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This pattern has been tested and is believed to work well. 8 | # It will, however, not work on bittorrent streams that are encrypted, since 9 | # it's impossible to match (well) encrypted data. 10 | 11 | bittorrent 12 | 13 | # Does not attempt to match the HTTP download of the tracker 14 | # 0x13 is the length of "bittorrent protocol" 15 | # Second two bits match UDP weirdness 16 | # Next bit matches something Azureus does 17 | # Ditto on the next bit. 
Could also match on "user-agent: azureus", but that's in the next 18 | # packet and perhaps this will match multiple clients. 19 | # bitcomet-specific strings contributed by liangjun. 20 | 21 | # This is not a valid GNU basic regular expression (but that's ok). 22 | ^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=|get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP] 23 | 24 | # This pattern is "fast", but won't catch as much 25 | #^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=) 26 | -------------------------------------------------------------------------------- /protocols/chikka.pat: -------------------------------------------------------------------------------- 1 | # Chikka - SMS service which can be used without phones - http://chikka.com 2 | # Pattern attributes: good fast fast superset 3 | # Protocol groups: proprietary chat 4 | # Wiki: http://www.protocolinfo.org/wiki/Chikka 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | 7 | # Tested with Chikka Javalite on 14 Jan 2007. 8 | # The login and chat use the same TCP connection. 9 | 10 | # "Kamusta" means "Hello" in Tagalog, apparently, so that will probably 11 | # stay the same. I've only seen v1.2, but I've given it some leeway for 12 | # past and future versions. 
13 | 14 | # Chikka uses CIMD as part of the login process, see cimd.pat 15 | 16 | chikka 17 | ^CTPv1\.[123] Kamusta.*\x0d\x0a$ 18 | -------------------------------------------------------------------------------- /protocols/cimd.pat: -------------------------------------------------------------------------------- 1 | # Computer Interface to Message Distribution, an SMSC protocol by Nokia 2 | # Pattern attributes: good notsofast notsofast subset 3 | # Protocol groups: proprietary chat 4 | # Wiki: http://www.protocolinfo.org/wiki/CIMD 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | 7 | # I don't know whether CIMD is ever found by itself in a TCP connection. 8 | # I have only seen it myself as part of the Chikka login process, in 9 | # which the second and third packets (at least) are CIMD. So I am not 10 | # using a '^' at the beginning. 11 | # 12 | # This pretty well explains the pattern: 13 | # http://en.wikipedia.org/w/index.php?title=CIMD&oldid=42707583 14 | # However, Chikka does NOT terminate the last field with a tab. 15 | # 16 | # Tested with Chikka Javalite on 14 Jan 2007. 
17 | 18 | cimd 19 | \x02[0-4][0-9]:[0-9]+.*\x03$ 20 | -------------------------------------------------------------------------------- /protocols/ciscovpn.pat: -------------------------------------------------------------------------------- 1 | # Cisco VPN - VPN client software to a Cisco VPN server 2 | # Pattern attributes: ok veryfast fast 3 | # Protocol groups: remote_access proprietary 4 | # Wiki: http://www.protocolinfo.org/wiki/Cisco_VPN 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This pattern contributed by Myles Uyema 8 | 9 | ciscovpn 10 | ^\x01\xf4\x01\xf4 11 | 12 | -------------------------------------------------------------------------------- /protocols/citrix.pat: -------------------------------------------------------------------------------- 1 | # Citrix ICA - proprietary remote desktop application - http://citrix.com 2 | # Pattern attributes: marginal notsofast notsofast 3 | # Protocol groups: remote_access proprietary 4 | # Wiki: http://www.protocolinfo.org/wiki/Citrix 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This pattern is UNTESTED. 8 | 9 | # This is based on decode_citrix in dsniff 2.4. 10 | 11 | citrix 12 | \x32\x26\x85\x92\x58 13 | -------------------------------------------------------------------------------- /protocols/counterstrike-source.pat: -------------------------------------------------------------------------------- 1 | # Counterstrike (using the new "Source" engine) - network game 2 | # Pattern attributes: good veryfast fast 3 | # Protocol groups: game proprietary 4 | # Wiki: http://www.protocolinfo.org/wiki/Counter-Strike 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # By adam.randazzoATgmail.com 8 | 9 | counterstrike-source 10 | ^\xff\xff\xff\xff.*cstrikeCounter-Strike 11 | 12 | # These games use Steam, which is developed by Valve Software. 
13 | # 14 | # This was based off of the following captured data from ethereal: 15 | # --Source-- 16 | # 0000 00 11 09 2a a8 79 00 13 10 2c 3f d7 08 00 45 20 ...*.y...,?...E 17 | # 0010 00 72 b9 f6 00 00 6b 11 b6 78 18 0e 04 cc c0 a8 .r....k..x...... 18 | # 0020 01 6a 69 87 04 65 00 5e 01 ac ff ff ff ff 49 07 .ji..e.^......I. 19 | # 0030 54 4a 27 73 20 50 6c 61 63 65 20 6f 66 20 50 61 TJ's Place of Pa 20 | # 0040 69 6e 00 64 65 5f 70 69 72 61 6e 65 73 69 00 63 in.de_piranesi.c 21 | # 0050 73 74 72 69 6b 65 00 43 6f 75 6e 74 65 72 2d 53 strike.Counter-S 22 | # 0060 74 72 69 6b 65 3a 20 53 6f 75 72 63 65 00 dc 00 trike: Source... 23 | # 0070 08 10 06 64 77 00 00 31 2e 30 2e 30 2e 31 38 00 ...dw..1.0.0.18. 24 | # 0080 25 | # 26 | # --1.6-- 27 | # 0000 00 11 09 2a a8 79 00 13 10 2c 3f d7 08 00 45 00 ...*.y...,?...E. 28 | # 0010 00 8e c4 1a 00 00 76 11 b3 85 08 09 02 fa c0 a8 ......v......... 29 | # 0020 01 14 69 91 04 37 00 7a c9 90 ff ff ff ff 6d 38 ..i..7.z......m8 30 | # 0030 2e 39 2e 32 2e 32 35 30 3a 32 37 30 32 35 00 49 .9.2.250:27025.I 31 | # 0040 50 20 2d 20 43 6c 61 6e 20 73 65 72 76 65 72 00 P - Clan server. 32 | # 0050 64 65 5f 64 75 73 74 32 00 63 73 74 72 69 6b 65 de_dust2.cstrike 33 | # 0060 00 43 6f 75 6e 74 65 72 2d 53 74 72 69 6b 65 00 .Counter-Strike. 34 | # 0070 0a 0c 2f 64 77 00 01 77 77 77 2e 63 6f 75 6e 74 ../dw..www.count 35 | # 0080 65 72 2d 73 74 72 69 6b 65 2e 6e 65 74 00 00 00 er-strike.net... 36 | # 0090 01 00 00 00 00 9e f7 0a 00 01 00 00 ............ 37 | 38 | 39 | # Old pattern. 
(Adam Randazzo says "CS 1.6 and CS: Source are the 40 | # only two versions that are playable on the Internet since Valve 41 | # disabled the WON system in favor of steam.") 42 | # cs .*dl.www.counter-strike.net 43 | -------------------------------------------------------------------------------- /protocols/cvs.pat: -------------------------------------------------------------------------------- 1 | # CVS - Concurrent Versions System 2 | # Pattern attributes: good veryfast fast 3 | # Protocol groups: version_control open_source 4 | # Wiki: http://www.protocolinfo.org/wiki/CVS 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | 7 | cvs 8 | 9 | # Matches pserver login. AUTH is for actually starting the protocol 10 | # VERIFICATION is for authenticating without starting the protocols 11 | # and GSSAPI is for using security services such as kerberos. 12 | # http://www.loria.fr/~molli/cvs/doc/cvsclient_3.html 13 | 14 | ^BEGIN (AUTH|VERIFICATION|GSSAPI) REQUEST\x0a 15 | -------------------------------------------------------------------------------- /protocols/dayofdefeat-source.pat: -------------------------------------------------------------------------------- 1 | # Day of Defeat: Source - game (Half-Life 2 mod) - http://www.valvesoftware.com 2 | # Pattern attributes: good veryfast fast 3 | # Protocol groups: game proprietary 4 | # Wiki: http://www.protocolinfo.org/wiki/Day_of_Defeat:Source 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # By Clayton Macleod 8 | 9 | dayofdefeat-source 10 | ^\xff\xff\xff\xff.*dodDay of Defeat 11 | 12 | -------------------------------------------------------------------------------- /protocols/dazhihui.pat: -------------------------------------------------------------------------------- 1 | # Dazhihui - stock analysis and trading; Chinese - http://www.gw.com.cn 2 | # Pattern attributes: fast fast ok 3 | # Protocol groups: 4 | # Wiki: http://www.protocolinfo.org/wiki/Dazhihui 5 | # 
Copyright (C) 2009 Matthew Strait; See ../LICENSE 6 | 7 | # Pattern contributed by liangjun without comment. 8 | 9 | dazhihui 10 | ^(longaccoun|qsver2auth|\x35[57]\x30|\+\x10\*) 11 | 12 | -------------------------------------------------------------------------------- /protocols/dhcp.pat: -------------------------------------------------------------------------------- 1 | # DHCP - Dynamic Host Configuration Protocol - RFC 1541 2 | # Pattern attributes: good veryfast fast 3 | # Protocol groups: networking ietf_draft_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/DHCP 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Usually runs on ports 67 (server) and 68 (client) 8 | # 9 | # Also matches BOOTP (Bootstrap Protocol (RFC 951)) in the case that 10 | # the "vendor specific options" are used (these options were made standard 11 | # for DHCP). 12 | # 13 | # This pattern is lightly tested. 14 | 15 | dhcp 16 | ^[\x01\x02][\x01- ]\x06.*c\x82sc 17 | 18 | # Let's break that down: 19 | # 20 | # (\x01|\x02) is for BOOTREQUEST or BOOTREPLY 21 | # Is there a demand for doing these separately? The Packeteer does. 22 | # 23 | # [\x01-\x20] is for any of the hardware address types listed at 24 | # (http://www.iana.org/assignments/arp-parameters) and hopefully faster 25 | # ethernets too (100, 1000 and 10000mb) as well (do they share the 10mb 26 | # number?). 27 | # 28 | # \x06 for "hardware address length = 6 bytes". Does anyone use other lengths 29 | # these days? If so, this pattern won't match it as it stands. 30 | # 31 | # .* covers the hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, 32 | # chaddr, sname and file fields. While this can't really be "any number 33 | # of characters" long, it doesn't seem worth it to count. 34 | # Can we make this more specific by restricting the number of hops or seconds? 35 | # 36 | # 0x63825363 is the "magic cookie" which begins the DHCP options field. 
37 | -------------------------------------------------------------------------------- /protocols/directconnect.pat: -------------------------------------------------------------------------------- 1 | # Direct Connect - P2P filesharing - http://www.neo-modus.com 2 | # Pattern attributes: good fast fast 3 | # Protocol groups: p2p 4 | # Wiki: http://www.protocolinfo.org/wiki/Direct_Connect 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Direct Connect "hubs" listen on port 411 8 | # http://www.dcpp.net/wiki/ 9 | # I've verified that this pattern can be used to limit direct connect 10 | # bandwidth using DC:PRO 0.2.3.149R11. 11 | 12 | directconnect 13 | # client-to-client handshake|client-to-hub login, hub speaking|client-to-hub login, client speaking 14 | ^(\$mynick |\$lock |\$key ) 15 | -------------------------------------------------------------------------------- /protocols/dns.pat: -------------------------------------------------------------------------------- 1 | # DNS - Domain Name System - RFC 1035 2 | # Pattern attributes: great slow fast 3 | # Protocol groups: networking ietf_internet_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/DNS 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | 7 | # Thanks to Sebastien Bechet for TLD detection 8 | # improvements 9 | 10 | # While RFC 2181 says "Occasionally it is assumed that the Domain Name 11 | # System serves only the purpose of mapping Internet host names to data, 12 | # and mapping Internet addresses to host names. This is not correct, the 13 | # DNS is a general (if somewhat limited) hierarchical database, and can 14 | # store almost any kind of data, for almost any purpose.", we will assume 15 | # just that, because that represents the vast majority of DNS traffic. 16 | 17 | # The packet starts with a 2 byte random ID number and 2 bytes of flags that 18 | # aren't easy to match on. 
19 | 20 | # The first thing that is matchable is QDCOUNT, the number of queries. 21 | # Despite the fact that you can apparently ask for up to 65535 22 | # things at a time, usually you only ask for one and I doubt you ever ask for 23 | # zero. Let's allow up to two, just in case (even though I can't find any 24 | # situation that generates more than one). 25 | 26 | # Next comes the ANCOUNT, NSCOUNT, and ARCOUNT fields, which could be null 27 | # or some smallish number, not matchable except by length (up to 6) 28 | 29 | # The next matchable thing is the query address. The first byte indicates the 30 | # length of the first part of the address, which is limited to 63 (0x3F == '?'). 31 | # The next byte has to be a letter (for domain names) or number (for reverse lookups). 32 | # Then there can be any combination of 33 | # letters, digits, hyphens, and 0x01-0x3F length markers. 34 | # Then we check for the presence of a top-level-domain at some later point. 35 | # This is indicated by a 0x02-0x06 and at least two letters, followed by no 36 | # more than four more letters. 37 | # Note that this will miss a very few queries that are for a TLD alone. 38 | # e.g. "host museum" (195.7.77.17) 39 | # 40 | # http://www.icann.org/tlds http://www.iana.org/cctld/cctld-whois.htm 41 | 42 | # next is the QTYPE field, which has valid values 1-16 (although this 43 | # could probably be restricted further since many are rare) and \x1c for 44 | # IPv6 (and maybe more?). It should follow immediately after the TLD 45 | # (and some stripped-out nulls) 46 | 47 | # next is QCLASS, which has valid values 1-4 and 255, except 2 is never used. 48 | # I'm not sure if 3 and 4 are used, so I'll include them. 1=Internet 255=any 49 | 50 | # If we wanted to match queries and responses separately, there could be 51 | # more specifics after this for the responses. 
52 | 53 | dns 54 | # here's a sane way of doing it 55 | ^.?.?.?.?[\x01\x02].?.?.?.?.?.?[\x01-?][a-z0-9][\x01-?a-z]*[\x02-\x06][a-z][a-z][fglmoprstuvz]?[aeop]?(um)?[\x01-\x10\x1c][\x01\x03\x04\xFF] 56 | 57 | # This way assumes that TLDs are any alpha string 2-6 characters long. 58 | # If TLDs are added, this is a good fallback. 59 | #^.?.?.?.?[\x01\x02].?.?.?.?.?.?[\x01-?][a-z0-9][\x01-?a-z]*[\x02-\x06][a-z][a-z][a-z]?[a-z]?[a-z]?[a-z]?[\x01-\x10][\x01\x03\x04\xFF] 60 | 61 | # If you have more processing power than me, you can substitute this for 62 | # the [a-z][a-z][a-z]?[a-z]?[a-z]?[a-z]? 63 | #(aero|arpa|biz|com|coop|edu|gov|info|int|mil|museum|name|net|org|pro|arpa|ac|ad|ae|af|ag|ai|al|am|an|ao|aq|ar|as|at|au|aw|az|ba|bb|bd|be|bf|bg|bh|bi|bj|bm|bn|bo|br|bs|bt|bv|bw|by|bz|ca|cc|cd|cf|cg|ch|ci|ck|cl|cm|cn|co|cr|cu|cv|cx|cy|cz|de|dj|dk|dm|do|dz|ec|ee|eg|eh|er|es|et|fi|fj|fk|fm|fo|fr|ga|gd|ge|gf|gg|gh|gi|gl|gm|gn|gp|gq|gr|gs|gt|gu|gw|gy|hk|hm|hn|hr|ht|hu|id|ie|il|im|in|io|iq|ir|is|it|je|jm|jo|jp|ke|kg|kh|ki|km|kn|kp|kr|kw|ky|kz|la|lb|lc|li|lk|lr|ls|lt|lu|lv|ly|ma|mc|md|mg|mh|mk|ml|mm|mn|mo|mp|mq|mr|ms|mt|mu|mv|mw|mx|my|mz|na|nc|ne|nf|ng|ni|nl|no|np|nr|nu|nz|om|pa|pe|pf|pg|ph|pk|pl|pm|pn|pr|ps|pt|pw|py|qa|re|ro|ru|rw|sa|sb|sc|sd|se|sg|sh|si|sj|sk|sl|sm|sn|so|sr|st|sv|sy|sz|tc|td|tf|tg|th|tj|tk|tm|tn|to|tp|tr|tt|tv|tw|tz|ua|ug|uk|um|us|uy|uz|va|vc|ve|vg|vi|vn|vu|wf|ws|ye|yt|yu|za|zm|zw) 64 | -------------------------------------------------------------------------------- /protocols/doom3.pat: -------------------------------------------------------------------------------- 1 | # Doom 3 - computer game 2 | # Pattern attributes: good veryfast fast 3 | # Protocol groups: game proprietary 4 | # Wiki: http://www.protocolinfo.org/wiki/Doom 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Thanks to Clayton Macleod (cherrytwist at gmail.com). 
8 | 9 | doom3 10 | ^\xff\xffchallenge 11 | -------------------------------------------------------------------------------- /protocols/edonkey.pat: -------------------------------------------------------------------------------- 1 | # eDonkey2000 - P2P filesharing - http://edonkey2000.com and others 2 | # Pattern attributes: good fast fast overmatch 3 | # Protocol groups: p2p 4 | # Wiki: http://www.protocolinfo.org/wiki/EDonkey 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Tested recently (April/May 2006) with eMule 0.47a and eDonkey2000 1.4 8 | # and a long time ago with something else. 9 | # 10 | # In addition to matching what you might expect, this matches much of 11 | # what eMule does when you tell it to only connect to the KAD network. 12 | # I don't quite know what to make of this. 13 | 14 | # Thanks to Matt Skidmore 15 | 16 | edonkey 17 | 18 | # http://gd.tuwien.ac.at/opsys/linux/sf/p/pdonkey/eDonkey-protocol-0.6 19 | # 20 | # In addition to \xe3, \xc5 and \xd4, I see a lot of \xe5. 21 | # As of April 2006, I also see some \xe4. 22 | # 23 | # God this is a mess. What an irritating protocol. 24 | # This will match about 2% of streams with random data in them! 25 | # (But fortunately much fewer than 2% of streams that are other protocols. 26 | # You can test this with the data in ../testing/) 27 | 28 | ^[\xc5\xd4\xe3-\xe5].?.?.?.?([\x01\x02\x05\x14\x15\x16\x18\x19\x1a\x1b\x1c\x20\x21\x32\x33\x34\x35\x36\x38\x40\x41\x42\x43\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58[\x60\x81\x82\x90\x91\x93\x96\x97\x98\x99\x9a\x9b\x9c\x9e\xa0\xa1\xa2\xa3\xa4]|\x59................?[ -~]|\x96....$) 29 | 30 | # matches everything and too much 31 | # ^(\xe3|\xc5|\xd4) 32 | 33 | # ipp2p essentially uses "\xe3....\x47", which doesn't seem at all right to me. 
34 | 35 | # bandwidtharbitrator uses 36 | # e0.*@.*6[a-z].*p$|e0.*@.*[a-z]6[a-z].*p0$|e.*@.*[0-9]6.*p$|emule|edonkey 37 | # no comments to explain what all the mush is, of course... 38 | -------------------------------------------------------------------------------- /protocols/fasttrack.pat: -------------------------------------------------------------------------------- 1 | # FastTrack - P2P filesharing (Kazaa, Morpheus, iMesh, Grokster, etc) 2 | # Pattern attributes: good slow notsofast 3 | # Protocol groups: p2p 4 | # Wiki: http://www.protocolinfo.org/wiki/Fasttrack 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Tested with Kazaa Lite Resurrection 0.0.7.6F 8 | # 9 | # This appears to match the download connections well, but not the search 10 | # connections (I think they are encrypted :-( ). 11 | 12 | fasttrack 13 | # while this is a valid http request, this will be caught because 14 | # the http pattern matches the response (and therefore the next packet) 15 | # Even so, it's best to put this match earlier in the chain. 16 | # http://cvs.berlios.de/cgi-bin/viewcvs.cgi/gift-fasttrack/giFT-FastTrack/PROTOCOL?rev=HEAD&content-type=text/vnd.viewcvs-markup 17 | 18 | # This pattern is kinda slow, but not too bad. 19 | ^get (/.download/[ -~]*|/.supernode[ -~]|/.status[ -~]|/.network[ -~]*|/.files|/.hash=[0-9a-f]*/[ -~]*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]? 20 | 21 | # This isn't much faster: 22 | #^get (/.download/.*|/.supernode.|/.status.|/.network.*|/.files|/.hash=[0-9a-f]*/.*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]? 
23 | 24 | -------------------------------------------------------------------------------- /protocols/finger.pat: -------------------------------------------------------------------------------- 1 | # Finger - User information server - RFC 1288 2 | # Pattern attributes: good slow slow undermatch overmatch 3 | # Protocol groups: ietf_draft_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/Finger 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Usually runs on port 79 8 | # 9 | # This pattern is lightly tested. 10 | 11 | finger 12 | # The first matches the client request, which should look like a username. 13 | # The second matches the usual UNIX reply (but remember that they are 14 | # allowed to say whatever they want) 15 | ^[a-z][a-z0-9\-_]+\x0d\x0a|login: [\x09-\x0d -~]* name: [\x09-\x0d -~]* Directory: 16 | -------------------------------------------------------------------------------- /protocols/freenet.pat: -------------------------------------------------------------------------------- 1 | # Freenet - Anonymous information retrieval - http://freenetproject.org 2 | # Pattern attributes: poor veryfast fast 3 | # Protocol groups: p2p document_retrieval open_source 4 | # Wiki: http://www.protocolinfo.org/wiki/Freenet 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | 7 | freenet 8 | # Freenet is intentionally hard to identify... 9 | # This is empirical, only tested on one computer, and unlikely to work anymore. 
10 | ^\x01[\x08\x09][\x03\x04] 11 | -------------------------------------------------------------------------------- /protocols/ftp.pat: -------------------------------------------------------------------------------- 1 | # FTP - File Transfer Protocol - RFC 959 2 | # Pattern attributes: great notsofast fast 3 | # Protocol groups: document_retrieval ietf_internet_standard 4 | # Wiki: http://protocolinfo.org/wiki/FTP 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Usually runs on port 21. Note that the data stream is on a dynamically 8 | # assigned port, which means that you will need the FTP connection 9 | # tracking module in your kernel to usefully match FTP data transfers. 10 | # 11 | # This pattern is well tested. 12 | # 13 | # Handles the first two things a server should say: 14 | # 15 | # First, the server says it's ready by sending "220". Most servers say 16 | # something after 220, even though they don't have to, and it usually 17 | # includes the string "ftp" (l7-filter is case insensitive). This 18 | # includes proftpd, vsftpd, wuftpd, warftpd, pureftpd, Bulletproof FTP 19 | # Server, and whatever ftp.microsoft.com uses. Almost all servers use only 20 | # ASCII printable characters between the "220" and the "FTP", but non-English 21 | # ones might use others. 22 | # 23 | # The next thing the server sends is a 331. All the above servers also 24 | # send something including "password" after this code. By default, we 25 | # do not match on this because it takes another packet and is more work 26 | # for regexec. 
27 | 28 | ftp 29 | # by default, we allow only ASCII 30 | ^220[\x09-\x0d -~]*ftp 31 | 32 | # This covers UTF-8 as well 33 | #^220[\x09-\x0d -~\x80-\xfd]*ftp 34 | 35 | # This allows any characters and is about 4x faster than either of the above 36 | # (which are about the same as each other) 37 | #^220.*ftp 38 | 39 | # This is much slower 40 | #^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*password 41 | 42 | # This pattern is more precise, but takes longer to match. (3 packets vs. 1) 43 | #^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a331 44 | 45 | # same as above, but slightly less precise and only takes 2 packets. 46 | #^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a 47 | -------------------------------------------------------------------------------- /protocols/gkrellm.pat: -------------------------------------------------------------------------------- 1 | # Gkrellm - a system monitor - http://gkrellm.net 2 | # Pattern attributes: great veryfast fast 3 | # Protocol groups: monitoring open_source 4 | # Wiki: http://www.protocolinfo.org/wiki/Gkrellm 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This pattern has been tested and is believed to work well. 8 | # Since this is not anything resembling a published protocol, it may change without 9 | # warning in new versions of gkrellm. 10 | 11 | gkrellm 12 | # tested with gkrellm 2.2.7 13 | ^gkrellm [23].[0-9].[0-9]\x0a$ 14 | -------------------------------------------------------------------------------- /protocols/gnucleuslan.pat: -------------------------------------------------------------------------------- 1 | # GnucleusLAN - LAN-only P2P filesharing 2 | # Pattern attributes: good notsofast notsofast 3 | # Protocol groups: p2p open_source 4 | # Wiki: http://www.protocolinfo.org/wiki/GnucleusLAN 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This pattern has been tested and is believed to work well. 
8 | 9 | gnucleuslan 10 | gnuclear connect/[\x09-\x0d -~]*user-agent: gnucleus [\x09-\x0d -~]*lan: 11 | -------------------------------------------------------------------------------- /protocols/gnutella.pat: -------------------------------------------------------------------------------- 1 | # Gnutella - P2P filesharing 2 | # Pattern attributes: good notsofast notsofast 3 | # Protocol groups: p2p open_source 4 | # Wiki: http://www.protocolinfo.org/wiki/Gnutella 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This should match both Gnutella and "Gnutella2" ("Mike's protocol") 8 | # 9 | # Various clients use this protocol including Mactella, Shareaza, 10 | # GTK-gnutella, Gnucleus, Gnotella, LimeWire, iMesh and BearShare. 11 | # 12 | # This is tested with gtk-gnutella and Shareaza. 13 | 14 | # http://www.gnutella2.com/tiki-index.php?page=UDP%20Transceiver 15 | # http://rfc-gnutella.sf.net/ 16 | # http://www.gnutella2.com/tiki-index.php?page=Gnutella2%20Specification 17 | # http://en.wikipedia.org/wiki/Shareaza 18 | 19 | gnutella 20 | 21 | # The first part matches UDP messages - All start with "GND", then have 22 | # a flag byte which is either \x00, \x01 or \x02, then two sequence bytes 23 | # that can be anything, then a fragment number, which must start at 1. 24 | # The rest matches TCP first client message or first server message (in case 25 | # we can't see client messages). Some parts of this are empirical rather than 26 | # document based. Assumes version is between 0.0 and 2.9. (usually is 27 | # 0.4 or 0.6). I'm guessing at many of the user-agents. 28 | # The last bit is empirical and probably only matches Limewire. 
29 | ^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|...................?lime) 30 | 31 | # Needlessly precise, at the expense of time 32 | #^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /[\x09-\x0d -~]*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /[\x09-\x0d -~]*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella[\x09-\x0d -~]*content-type: application/x-gnutella|..................lime) 33 | 34 | 35 | -------------------------------------------------------------------------------- /protocols/goboogy.pat: -------------------------------------------------------------------------------- 1 | # GoBoogy - a Korean P2P protocol 2 | # Pattern attributes: marginal slow notsofast 3 | # Protocol groups: p2p 4 | # Wiki: http://www.protocolinfo.org/wiki/GoBoogy 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This pattern is untested and likely does not work in all cases! 8 | # 9 | # By Adam Przybyla, modified by Matthew Strait. Possibly lifted from 10 | # Josh Ballard (oofle.com). 11 | 12 | goboogy 13 | |^get /getfilebyhash\.cgi\?|^get /queue_register\.cgi\?|^get /getupdowninfo\.cgi\? 
14 | -------------------------------------------------------------------------------- /protocols/gopher.pat: -------------------------------------------------------------------------------- 1 | # Gopher - A precursor to HTTP - RFC 1436 2 | # Pattern attributes: good slow notsofast undermatch 3 | # Protocol groups: document_retrieval obsolete ietf_rfc_documented 4 | # Wiki: http://www.protocolinfo.org/wiki/Gopher 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Gopher servers usually run on TCP port 70. 8 | # 9 | # This pattern is lightly tested using gopher.dna.affrc.go.jp . 10 | 11 | gopher 12 | # This matches the server's response, but naturally only if it is a 13 | # directory listing, not if it is sending a file, because then the data 14 | # is totally arbitrary. 15 | 16 | # Matches the client saying "list what you have", then the server 17 | # response: one of the file type characters, any printable characters, a 18 | # tab, any printable characters, a tab, something that looks like a 19 | # domain name, a tab, and then a number which could be the start of a 20 | # port number. 
21 | 22 | # "0About internet Gopher\tStuff:About us\trawBits.micro.umn.edu\t70" 23 | # "\r7search by keywords on protein data using wais\twaissrc:/protein_all/protein\tgopher.dna.affrc.go.jp\t70" 24 | 25 | ^[\x09-\x0d]*[1-9,+tgi][\x09-\x0d -~]*\x09[\x09-\x0d -~]*\x09[a-z0-9.]*\.[a-z][a-z].?.?\x09[1-9] 26 | -------------------------------------------------------------------------------- /protocols/guildwars.pat: -------------------------------------------------------------------------------- 1 | # Guild Wars - online game - http://guildwars.com 2 | # Pattern attributes: marginal veryfast fast 3 | # Protocol groups: game proprietary 4 | # Wiki: http://www.protocolinfo.org/wiki/Guild_Wars 5 | # Copyright (C) 2008 Matthew Strait; See ../LICENSE 6 | 7 | # Contributed on protocolinfo by Greatwolf with the comment, "Guild Wars 8 | # uses encrypted data on tcp/6112 and may be impossible to match by 9 | # content. An experimental filter has been written to match Guild Wars 10 | # packets. More testing is still required to determine the effectiveness 11 | # of this pattern." 12 | 13 | guildwars 14 | ^[\x04\x05]\x0c.i\x01 15 | -------------------------------------------------------------------------------- /protocols/h323.pat: -------------------------------------------------------------------------------- 1 | # H.323 - Voice over IP. 2 | # Pattern attributes: ok veryfast fast 3 | # Protocol groups: voip itu-t_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/H.323 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This pattern is written without knowledge of the principles of H.323. 8 | # It has only been tested with gnomemeeting and may not work for other 9 | # clients. 10 | # 11 | # Also, it has been reported that: 12 | # "the pattern ... match[es] only first H.323 stream (conntrack for H.323 was 13 | # enabled). Also the major chunk of traffic was of RTP which went untracked." 
14 | # 15 | # Also, it may very well match other things that use TPKT and 16 | # Q.931. 17 | 18 | # Note that to take full advantage of this pattern, you will need to 19 | # have H.323 connection tracking support in your kernel. This 20 | # support is not in the stock kernel. A patch can be found at 21 | # http://netfilter.org 22 | 23 | h323 24 | # TPKT format: http://www.ietf.org/rfc/rfc1006.txt 25 | # \x03 = TPKT version. It was 3 in May 1987 and gnomemeeting still uses 3. 26 | # ..? = null reserved byte and packet length field. 27 | # Q.931 format: http://www.freesoft.org/CIE/Topics/126.htm 28 | # \x08 = Q.931 29 | # . = length of call reference 30 | # The next byte was: \x18 = message sent from originating side. 31 | # But based on experimentation, it seems that just . is better. 32 | # .?.?.?.?.?.?.?.?.?.?.?.?.?.?.? = call reference (0-15 bytes (0 for nulls)) 33 | # \x05 = setup message 34 | # 35 | # Yup, it doesn't actually include any H.323 protocol information. 36 | ^\x03..?\x08...?.?.?.?.?.?.?.?.?.?.?.?.?.?.?\x05 37 | -------------------------------------------------------------------------------- /protocols/halflife2-deathmatch.pat: -------------------------------------------------------------------------------- 1 | # Half-Life 2 Deathmatch - popular computer game 2 | # Pattern attributes: good veryfast fast 3 | # Protocol groups: game proprietary 4 | # Wiki: http://www.protocolinfo.org/wiki/Half-Life 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # By Clayton Macleod 8 | 9 | halflife2-deathmatch 10 | ^\xff\xff\xff\xff.*hl2mpDeathmatch 11 | -------------------------------------------------------------------------------- /protocols/hddtemp.pat: -------------------------------------------------------------------------------- 1 | # hddtemp - Hard drive temperature reporting 2 | # Pattern attributes: great veryfast fast 3 | # Protocol groups: monitoring open_source 4 | # Wiki: http://www.protocolinfo.org/wiki/HDDtemp 5 | # 
Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Usually runs on port 7634 8 | # 9 | # You're a silly person if you use this pattern. 10 | # 11 | # This pattern has been tested and is believed to work well. 12 | 13 | hddtemp 14 | ^\|/dev/[a-z][a-z][a-z]\|[0-9a-z]*\|[0-9][0-9]\|[cfk]\| 15 | -------------------------------------------------------------------------------- /protocols/hotline.pat: -------------------------------------------------------------------------------- 1 | # Hotline - An old P2P filesharing protocol 2 | # Pattern attributes: marginal fast fast 3 | # Protocol groups: p2p 4 | # Wiki: http://www.protocolinfo.org/wiki/Hotline 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This pattern is untested! 8 | # 9 | # This is lifted from http://oofle.com/filesharing.php?app=hotline 10 | 11 | hotline 12 | ^....................TRTPHOTL\x01\x02 13 | -------------------------------------------------------------------------------- /protocols/http-rtsp.pat: -------------------------------------------------------------------------------- 1 | # RTSP tunneled within HTTP 2 | # Pattern attributes: ok notsofast fast subset 3 | # Protocol groups: streaming_audio streaming_video ietf_draft_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/RTSP 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Apple's documentation on what Quicktime does: 8 | # http://developer.apple.com/quicktime/icefloe/dispatch028.html 9 | # This is what the first part of the pattern is about 10 | # 11 | # The second part is based on the example in RFC 2326. For this part to 12 | # work, this pattern MUST be earlier in the iptables rules chain than 13 | # HTTP. Otherwise, the stream will be identified as HTTP. 
14 | 15 | http-rtsp 16 | ^(get[\x09-\x0d -~]* Accept: application/x-rtsp-tunnelled|http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*a=control:rtsp://) 17 | -------------------------------------------------------------------------------- /protocols/http.pat: -------------------------------------------------------------------------------- 1 | # HTTP - HyperText Transfer Protocol - RFC 2616 2 | # Pattern attributes: great slow notsofast superset 3 | # Protocol groups: document_retrieval ietf_draft_standard 4 | # Wiki: http://protocolinfo.org/wiki/HTTP 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Usually runs on port 80 8 | # 9 | # This pattern has been tested and is believed to work well. 10 | # 11 | # this intentionally catches the response from the server rather than 12 | # the request so that other protocols which use http (like kazaa) can be 13 | # caught based on specific http requests regardless of the ordering of 14 | # filters... also matches posts 15 | 16 | # Sites that serve really long cookies may break this by pushing the 17 | # server response too far away from the beginning of the connection. To 18 | # fix this, increase the kernel's data buffer length. 19 | 20 | http 21 | # Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF (rfc 2616) 22 | # As specified in rfc 2616 a status code is preceded and followed by a 23 | # space. 
24 | http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019] 25 | # A slightly faster version that might be good enough: 26 | #http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]|post [\x09-\x0d -~]* http/[01]\.[019] 27 | # old pattern(s): 28 | #(http[\x09-\x0d -~]*(200 ok|302 |304 )[\x09-\x0d -~]*(connection:|content-type:|content-length:))|^(post [\x09-\x0d -~]* http/) 29 | -------------------------------------------------------------------------------- /protocols/ident.pat: -------------------------------------------------------------------------------- 1 | # Ident - Identification Protocol - RFC 1413 2 | # Pattern attributes: good fast fast 3 | # Protocol groups: networking ietf_proposed_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/Ident 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Usually runs on port 113 8 | # 9 | # This pattern is believed to work. 10 | 11 | ident 12 | # "number , numberCRLF" possibly without the CR and/or LF. 13 | # ^$ is appropriate because the first packet should never have anything 14 | # else in it. 15 | ^[1-9][0-9]?[0-9]?[0-9]?[0-9]?[\x09-\x0d]*,[\x09-\x0d]*[1-9][0-9]?[0-9]?[0-9]?[0-9]?(\x0d\x0a|[\x0d\x0a])?$ 16 | -------------------------------------------------------------------------------- /protocols/imap.pat: -------------------------------------------------------------------------------- 1 | # IMAP - Internet Message Access Protocol (A common e-mail protocol) 2 | # Pattern attributes: great fast fast 3 | # Protocol groups: mail ietf_proposed_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/IMAP 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This matches IMAP4 (RFC 3501) and probably IMAP2 (RFC 1176) 8 | # 9 | # This pattern has been tested and is believed to work well. 
10 | # 11 | # This matches the IMAP welcome message or a noop command (which for 12 | # some unknown reason can happen at the start of a connection?) 13 | imap 14 | ^(\* ok|a[0-9]+ noop) 15 | -------------------------------------------------------------------------------- /protocols/imesh.pat: -------------------------------------------------------------------------------- 1 | # iMesh - the native protocol of iMesh, a P2P application - http://imesh.com 2 | # Pattern attributes: ok fast notsofast 3 | # Protocol groups: p2p 4 | # Wiki: http://protocolinfo.org/wiki/iMesh 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # depending on the version of iMesh (the program), it can also use fasttrack, 8 | # gnutella and edonkey in addition to iMesh (the protocol). 9 | 10 | imesh 11 | # The first branch matches the login 12 | # The second branch matches the main non-download connection (searches, etc) 13 | # The third branch matches downloads of "premium" content 14 | # The fourth branch matches peer downloads. 15 | ^(post[\x09-\x0d -~]*................................|\x34\x80?\x0d?\xfc\xff\x04|get[\x09-\x0d -~]*Host: imsh\.download-prod\.musicnet\.com|\x02[\x01\x02]\x83.*\x02[\x01\x02]\x83) 16 | -------------------------------------------------------------------------------- /protocols/ipp.pat: -------------------------------------------------------------------------------- 1 | # IP printing - a new standard for UNIX printing - RFC 2911 2 | # Pattern attributes: good notsofast notsofast 3 | # Protocol groups: printer ietf_proposed_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/IPP 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This pattern has been tested and is believed to work well. 8 | 9 | ipp 10 | # It's unlikely that anything else has this string, but I think we could 11 | # do a bit better... 
12 | ipp:// 13 | -------------------------------------------------------------------------------- /protocols/irc.pat: -------------------------------------------------------------------------------- 1 | # IRC - Internet Relay Chat - RFC 1459 2 | # Pattern attributes: great fast fast 3 | # Protocol groups: chat ietf_proposed_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/IRC 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Usually runs on port 6666 or 6667 8 | # Note that chat traffic runs on these ports, but IRC-DCC traffic (which 9 | # can use much more bandwidth) uses a dynamically assigned port, so you 10 | # must have the IRC connection tracking module in your kernel to classify 11 | # this. 12 | # 13 | # This pattern has been tested and is believed to work well. 14 | 15 | irc 16 | # First thing that happens is that the client sends NICK and USER, in 17 | # either order. This allows MIRC color codes (\x02-\x0d instead of 18 | # \x09-\x0d). 19 | ^(nick[\x09-\x0d -~]*user[\x09-\x0d -~]*:|user[\x09-\x0d -~]*:[\x02-\x0d -~]*nick[\x09-\x0d -~]*\x0d\x0a) 20 | 21 | -------------------------------------------------------------------------------- /protocols/jabber.pat: -------------------------------------------------------------------------------- 1 | # Jabber (XMPP) - open instant messenger protocol - RFC 3920 - http://jabber.org 2 | # Pattern attributes: good notsofast notsofast 3 | # Protocol groups: chat ietf_proposed_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/Jabber 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This pattern has been tested with Gaim and Gabber. It is only tested 8 | # with non-SSL mode Jabber with no proxies. 9 | 10 | # Thanks to Jan Hudec for some improvements. 11 | 12 | # Jabber seems to take a long time to set up a connection. 
I'm 13 | # connecting with Gabber 0.8.8 to 12jabber.org and the first 8 packets 14 | # is this: 15 | # 20 | # 21 | # No mention of my username or password yet, you'll note. 22 | 23 | jabber 24 | says: 8 | # "This pattern identifies openFT P2P transfers fine. openFT is part of giFT 9 | # and is a pretty large p2p network. I would describe this pattern as pretty 10 | # weak, but it works for the giFT-based clients I've used." 11 | 12 | openft 13 | x-openftalias: [-)(0-9a-z ~.] 14 | -------------------------------------------------------------------------------- /protocols/pcanywhere.pat: -------------------------------------------------------------------------------- 1 | # pcAnywhere - Symantec remote access program 2 | # Pattern attributes: marginal veryfast fast 3 | # Protocol groups: remote_access proprietary 4 | # Wiki: http://www.protocolinfo.org/wiki/PcAnywhere 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | 7 | # This is completely untested! 8 | # See http://www.unixwiz.net/tools/pcascan.txt 9 | 10 | pcanywhere 11 | # I think this only matches queries and not the bulk of the traffic! 12 | ^(nq|st)$ 13 | -------------------------------------------------------------------------------- /protocols/poco.pat: -------------------------------------------------------------------------------- 1 | # POCO and PP365 - Chinese P2P filesharing - http://pp365.com http://poco.cn 2 | # Pattern attributes: ok veryfast fast 3 | # Protocol groups: p2p 4 | # Wiki: http://www.protocolinfo.org/wiki/Poco 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # The author of this pattern says it works, but this is unconfirmed. 8 | # Written by www.routerclub.com wsgtrsys. 
9 | 10 | poco 11 | ^\x80\x94\x0a\x01....\x1f\x9e 12 | 13 | -------------------------------------------------------------------------------- /protocols/pop3.pat: -------------------------------------------------------------------------------- 1 | # POP3 - Post Office Protocol version 3 (popular e-mail protocol) - RFC 1939 2 | # Pattern attributes: great fast fast 3 | # Protocol groups: mail ietf_internet_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/POP 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This pattern has been tested somewhat. 8 | 9 | # this is a difficult protocol to match because of the relative lack of 10 | # distinguishing information. Read on. 11 | pop3 12 | 13 | # this is the most conservative pattern. It should definitely work. 14 | #^(\+ok|-err) 15 | 16 | # this pattern assumes that the server says _something_ after +ok or -err 17 | # I think this is probably the way to go. 18 | ^(\+ok |-err ) 19 | 20 | # more than 90% of servers seem to say "pop" after "+ok", but not all. 21 | #^(\+ok .*pop) 22 | 23 | # Here's another tack. I think this is my second favorite. 24 | #^(\+ok [\x09-\x0d -~]*(ready|hello|pop|starting)|-err [\x09-\x0d -~]*(invalid|unknown|unimplemented|unrecognized|command)) 25 | 26 | # this matches the server saying "you have N messages that are M bytes", 27 | # which the client probably asks for early in the session (not tested) 28 | #\+ok [0-9]+ [0-9]+ 29 | 30 | # some sample servers: 31 | # RFC example: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us> 32 | # mail.dreamhost.com: +OK Hello there. 
33 | # pop.carleton.edu: +OK POP3D(*) Server PMDFV6.2.2 at Fri, 12 Sep 2003 19:28:10 -0500 (CDT) (APOP disabled) 34 | # mail.earthlink.net: +OK NGPopper vEL_4_38 at earthlink.net ready <25509.1063412951@falcon> 35 | # *.email.umn.edu: +OK Cubic Circle's v1.22 1998/04/11 POP3 ready <7d1e0000da67623f@aquamarine.tc.umn.edu> 36 | # mail.yale.edu: +OK POP3 pantheon-po01 v2002.81 server ready 37 | # mail.gustavus.edu: +OK POP3 solen v2001.78 server ready 38 | # mail.reed.edu: +OK POP3 letra.reed.edu v2002.81 server ready 39 | # mail.bowdoin.edu: +OK mail.bowdoin.edu POP3 service (iPlanet Messaging Server 5.2 HotFix 1.15 (built Apr 28 2003)) 40 | # pop.colby.edu: +OK Qpopper (version 4.0.5) at basalt starting. 41 | # mail.mac.com: +OK Netscape Messaging Multiplexor ready 42 | 43 | # various error strings: 44 | #-ERR Invalid command. 45 | #-ERR invalid command 46 | #-ERR unimplemented 47 | #-ERR Invalid command, try one of: USER name, PASS string, QUIT 48 | #-ERR Unknown AUTHORIZATION state command 49 | #-ERR Unrecognized command 50 | #-ERR Unknown command: "sadf'". 51 | -------------------------------------------------------------------------------- /protocols/pplive.pat: -------------------------------------------------------------------------------- 1 | # PPLive - Chinese P2P streaming video - http://pplive.com 2 | # Pattern attributes: ok notsofast notsofast 3 | # Protocol groups: p2p streaming_video proprietary 4 | # Wiki: http://www.protocolinfo.org/wiki/PPLive 5 | # Copyright (C) 2008 Matthew Strait; See ../LICENSE 6 | 7 | # By liangjun, who says that it works. It may be easily improvable with 8 | # a bit more testing. 
9 | 10 | pplive 11 | \x01...\xd3.+\x0c.$ 12 | -------------------------------------------------------------------------------- /protocols/qq.pat: -------------------------------------------------------------------------------- 1 | # Tencent QQ Protocol - Chinese instant messenger protocol - http://www.qq.com 2 | # Pattern attributes: good notsofast fast 3 | # Protocol groups: chat 4 | # Wiki: http://www.protocolinfo.org/wiki/QQ 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Over six million people use QQ in China, according to wsgtrsys. 8 | # 9 | # This pattern has been tested and is believed to work well. 10 | # 11 | # QQ uses three (two?) methods to connect to server(s?). 12 | # one is udp, and another is tcp 13 | # udp protocol: the first byte is 02 and last byte is 03 14 | # tcp protocol: the second byte is 02 and last byte is 03 15 | # tony on protocolinfo.org says that now the *third* byte is 02: 16 | # "but when I tested on my PC, I found that when qq2007/qq2008 17 | # use tcp protocol, the third byte instead of the second is always 02. 18 | # 19 | # So the QQ protocol changed again, or I have made a mistake, I wonder 20 | # that." 21 | # So now the pattern allows any of the first three bytes to be 02. Delete 22 | # one of the ".?" to restore to the old behaviour. 23 | # pattern written by www.routerclub.com wsgtrsys 24 | 25 | qq 26 | ^.?.?\x02.+\x03$ 27 | -------------------------------------------------------------------------------- /protocols/quake-halflife.pat: -------------------------------------------------------------------------------- 1 | # Half Life 1 engine games (HL 1, Quake 2/3/World, Counterstrike 1.6, etc.) 
2 | # Pattern attributes: good veryfast fast 3 | # Protocol groups: game proprietary 4 | # Wiki: http://www.protocolinfo.org/wiki/Half-Life http://www.protocolinfo.org/wiki/Counter-Strike http://www.protocolinfo.org/wiki/Day_of_Defeat 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Contributed by Laurens Blankers , who says: 8 | # 9 | # This pattern has been tested with QuakeWorld (2.30), Quake 2 (3.20), 10 | # Quake 3 (1.32), and Half-life (1.1.1.0). But may also work on other 11 | # games based on the Quake engine. 12 | # 13 | # Clayton Macleod says: 14 | # [This should match] Counter-Strike v1.6, [...] the slightly updated 15 | # Counter-Strike: Condition Zero, and the game Day Of Defeat, Team 16 | # Fortress Classic, Deathmatch Classic, Ricochet, Half-Life [1] Deathmatch, 17 | # and I imagine all the other 3rd party mods that also use this engine 18 | # will match that pattern. 19 | # 20 | # Gavin Pryke says: 21 | # Added "getstatus". Quake3 games were not being matched here until it was 22 | # added. 23 | 24 | quake-halflife 25 | # All quake (like) protocols start with 4x 0xFF. Then the client either 26 | # issues getinfo, getchallenge or getstatus. 27 | ^\xff\xff\xff\xffget(info|challenge|status) 28 | 29 | # A previous quake pattern allowed the connection to start with only 2 bytes 30 | # of 0xFF. This doesn't seem to ever happen, but we should keep an eye out 31 | # for it. 32 | 33 | -------------------------------------------------------------------------------- /protocols/quake1.pat: -------------------------------------------------------------------------------- 1 | # Quake 1 - A popular computer game. 2 | # Pattern attributes: marginal veryfast fast 3 | # Protocol groups: game proprietary 4 | # Wiki: http://www.protocolinfo.org/wiki/Quake 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This pattern is untested and unconfirmed. 
8 | 9 | # Info taken from http://www.gamers.org/dEngine/quake/QDP/qnp.html, 10 | # which says that it "is incomplete, inaccurate and only applies to 11 | # versions 0.91, 0.92, 1.00 and 1.01 of QUAKE" 12 | 13 | quake1 14 | # Connection request: 80 00 00 0c 01 51 55 41 4b 45 00 03 15 | # \x80 = control packet. 16 | # \x0c = packet length 17 | # \x01 = CCREQ_CONNECT 18 | # \x03 = protocol version (3 == 0.91, 0.92, 1.00, 1.01) 19 | ^\x80\x0c\x01quake\x03 20 | -------------------------------------------------------------------------------- /protocols/radmin.pat: -------------------------------------------------------------------------------- 1 | # Famatech Remote Administrator - remote desktop for MS Windows 2 | # Pattern attributes: ok veryfast fast 3 | # Protocol groups: remote_access proprietary 4 | # Wiki: http://www.protocolinfo.org/wiki/Radmin 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This pattern has been verified with Radmin v1.1 and v3.0beta on Win2000/XP 8 | # It has only been tested between a single pair of computers. 9 | 10 | # The first packet of every TCP stream appears to be either one of: 11 | # 12 | # 01 00 00 00 01 00 00 00 08 08 13 | # 01 00 00 00 01 00 00 00 1b 1b 14 | 15 | radmin 16 | ^\x01\x01(\x08\x08|\x1b\x1b)$ 17 | 18 | -------------------------------------------------------------------------------- /protocols/rdp.pat: -------------------------------------------------------------------------------- 1 | # RDP - Remote Desktop Protocol (used in Windows Terminal Services) 2 | # Pattern attributes: ok notsofast notsofast 3 | # Protocol groups: remote_access proprietary 4 | # Wiki: http://www.protocolinfo.org/wiki/RDP 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This pattern was submitted by Michael Leong. 
It has been tested under the 8 | # following conditions: "WinXP Pro with all the patches, rdesktop server 9 | # running on port 7000 instead of 3389 --> WinXP Pro Remote Desktop Client." 10 | # Also tested is WinXP to Win 2000 Server. 11 | 12 | # At least one other person has reported it to work as well. 13 | 14 | rdp 15 | rdpdr.*cliprdr.*rdpsnd 16 | 17 | # Old pattern, submitted by Daniel Weatherford. 18 | # rdpdr.*cliprdp.*rdpsnd 19 | 20 | 21 | -------------------------------------------------------------------------------- /protocols/replaytv-ivs.pat: -------------------------------------------------------------------------------- 1 | # ReplayTV Internet Video Sharing - Digital Video Recorder - http://replaytv.com 2 | # Pattern attributes: good fast fast 3 | # Protocol groups: 4 | # Wiki: http://www.protocolinfo.org/wiki/ReplayTV 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Pattern by jm 409 at hot mail dot com, who says that this one "worked best". 8 | 9 | replaytv-ivs 10 | ^(get /ivs-IVSGetFileChunk|http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*\x23\x23\x23\x23\x23REPLAY_CHUNK_START\x23\x23\x23\x23\x23) 11 | 12 | -------------------------------------------------------------------------------- /protocols/rlogin.pat: -------------------------------------------------------------------------------- 1 | # rlogin - remote login - RFC 1282 2 | # Pattern attributes: ok fast fast 3 | # Protocol groups: remote_access ietf_rfc_documented 4 | # Wiki: http://www.protocolinfo.org/wiki/Rlogin 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # usually runs on port 443 8 | # 9 | # This pattern is untested. 10 | 11 | rlogin 12 | # At least three characters (user name, user name, terminal type), 13 | # the first of which could be the first character of a user name, a 14 | # slash, then a terminal speed. (Assumes that usernames and terminal 15 | # types are alphanumeric only. 
I'm sure there are usernames like 16 | # "straitm-47" out there, but it's not common.) All terminal speeds 17 | # I know of end in two zeros and are between 3 and 6 digits long. 18 | # This pattern is uncomfortably general. 19 | ^[a-z][a-z0-9][a-z0-9]+/[1-9][0-9]?[0-9]?[0-9]?00 20 | -------------------------------------------------------------------------------- /protocols/rtmp.pat: -------------------------------------------------------------------------------- 1 | # Adobe Real Time Messaging Protocol (RTMP). By Jonathan A.P. Marpaung 2 | # Pattern attributes: works very fast 3 | # Protocol Groups: streaming_video streaming_audio 4 | # The RTMP Specification is available at 5 | # http://www.adobe.com/devnet/rtmp/pdf/rtmp_specification_1.0.pdf [^] 6 | # 7 | # First 12 bytes, starting at \x03 are the RTMP header. Next 25 bytes, 8 | # starting at \x02, are part of the RTMP body which is an AMF Object. 9 | # The first string "connect" is a command of the NetConnection class object. 10 | # The next string "app" is a Command Object which is followed by values 11 | # such as "video", . 12 | rtmp 13 | ^\x03.+\x14.+\x02.+\x07.(connect)?.+(app)? 14 | -------------------------------------------------------------------------------- /protocols/rtp.pat: -------------------------------------------------------------------------------- 1 | # RTP - Real-time Transport Protocol - RFC 3550 2 | # Pattern attributes: ok overmatch undermatch fast fast 3 | # Protocol groups: streaming_video ietf_internet_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/RTP 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # RTP headers are *very* short and compact. They have almost nothing in 8 | # them that can be matched by l7-filter. As RTP connections take place 9 | # between even numbered ports, you should probably check for that before 10 | # applying this pattern. 
If you want to match them along with their 11 | # associated SIP packets, you might try setting up some iptables rules 12 | # that watch for SIP packets and then also match any other UDP packets 13 | # that are going between the same two IP addresses. 14 | # 15 | # I think we can count on the first bit being 1 and the second bit being 16 | # 0 (meaning protocol version 2). The next two bits could go either way, 17 | # but in the example I've seen, they are zero, so I'll assume they are 18 | # usually zero. The next four bits are a count of "contributing source 19 | # identifiers". I'm not sure how big that could be, but in the example 20 | # I've seen, they're zero, so I'll assume they're usually zero. So that 21 | # gives us ^\x80. The next bit is a tossup. Next is the payload type, 7 22 | # bits. I've taken likely values from the WireShark code: 0-34, 96-127 23 | # (decimal). The rest of the header is random numbers (sequence number, 24 | # timestamp, synchronization source identifier), so that's no help at 25 | # all. 26 | 27 | rtp 28 | ^\x80[\x01-"`-\x7f\x80-\xa2\xe0-\xff]?..........*\x80 29 | 30 | # Might also try this. 
It's a bit slower (one packet and not too much extra 31 | # regexec load) and a bit more accurate: 32 | #^\x80[\x01-"`-\x7f\x80-\xa2\xe0-\xff]?..........*\x80.*\x80 33 | 34 | -------------------------------------------------------------------------------- /protocols/rtsp.pat: -------------------------------------------------------------------------------- 1 | # RTSP - Real Time Streaming Protocol - http://www.rtsp.org - RFC 2326 2 | # Pattern attributes: good notsofast notsofast 3 | # Protocol groups: streaming_video ietf_proposed_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/RTSP 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # usually runs on port 554 8 | # 9 | # To take full advantage of this pattern, please see the RTSP connection 10 | # tracking patch to the Linux kernel referenced at the above site. 11 | # 12 | # This pattern has been tested and is believed to work well. 13 | 14 | rtsp 15 | rtsp/1.0 200 ok 16 | -------------------------------------------------------------------------------- /protocols/runesofmagic.pat: -------------------------------------------------------------------------------- 1 | # Runes of Magic - game - http://www.runesofmagic.com 2 | # Pattern attributes: ok veryfast fast 3 | # Protocol groups: game proprietary 4 | # Wiki: http://www.protocolinfo.org/wiki/Runes_of_Magic 5 | # Copyright (C) 2008 Matthew Strait; See ../LICENSE 6 | 7 | runesofmagic 8 | ^\x10\x03...........\x0a\x02.....\x0e 9 | # See below (this is also veryfast fast) 10 | #^\x10\x03...........?\x0a\x02.....?$ 11 | 12 | # Greatwolf captured the following: 13 | # 14 | # Server: 15 | # 16 | # 10 00 00 00 03 78 76 7a 1e 8a dd b5 95 a3 3a de .....xvz ......:. 17 | # 0a 00 00 00 02 df 85 cc cc cc ........ .. 18 | # 19 | # Client reply: 20 | # 21 | # 0e 00 00 00 02 28 82 cc cc cc 8b c9 cc cc .....(.. ...... 22 | # 23 | # Server: 24 | # 25 | # 2e 00 00 00 02 1e 7f f4 f4 f4 ef f4 f4 f4 b3 8c ........ ........ 26 | # [...] 
27 | # 28 | # And says: "Bytes 10 00 00 00 03, 0a 00 00 00 02 and 0e (client reply) 29 | # were consistently present. 30 | # 31 | # ^\x10\x03...........\x0a\x02.....\x0e 32 | # 33 | # Pattern was able to match during the closed beta period. It is still 34 | # matching okay after RoM started open beta but could definitely use 35 | # more testing from others to verify effectiveness." 36 | # 37 | # Matthew Strait says: 38 | # 39 | # * If the server consistently sends those four bytes in the first packet, 40 | # it is probably wasteful to wait for the next (client) packet before 41 | # matching. 42 | # 43 | # * If we switch the match strategy to just looking at the first packet, and 44 | # the first packet is always the same (or nearly the same) length, we can 45 | # anchor (i.e. use a '$') at the end of the packet. 46 | # 47 | # * When there's a string of bytes that I don't understand and that take 48 | # different values from connection to connection, I think it's good to allow 49 | # for the possibility that at least one might be \x00, and so I'd make one 50 | # of the "." into ".?", unless you *know* that \x00 is impossible somehow. 51 | # 52 | # * All of those \xcc bytes don't look random to me. Your comments suggest 53 | # that it isn't always exactly like that, but is there always pattern of 54 | # repeated bytes or something else that might be useful? It probably isn't 55 | # necessary to exploit this, since it looks like there's already enough to 56 | # go with, but it would be nice to understand. 57 | # 58 | # So perhaps it would be an improvement to use: 59 | # 60 | # ^\x10\x03...........?\x0a\x02.....?$ 61 | # 62 | # but this depends on the assumptions I made above. 
63 | 64 | -------------------------------------------------------------------------------- /protocols/shoutcast.pat: -------------------------------------------------------------------------------- 1 | # Shoutcast and Icecast - streaming audio 2 | # Pattern attributes: good slow notsofast 3 | # Protocol groups: streaming_audio 4 | # Wiki: http://www.protocolinfo.org/wiki/Icecast 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # usually runs on port 80 8 | # 9 | # Original pattern contributed by Deepak Seshadri who says "The difference between [Shoutcast and 11 | # Icecast] is not clearly mentioned anywhere. According to this 12 | # document, my pattern would filter JUST shoutcast packets." 13 | # 14 | # Should now match both Shoutcast and Icecast. Tested with Winamp (in 15 | # 2005) and Totem using streams at dir.xiph.org (in Nov 2007). 16 | # 17 | # http://sander.vanzoest.com/talks/2002/audio_and_apache/ 18 | # http://forums.radiotoolbox.com/viewtopic.php?t=74 19 | # http://www.icecast.org 20 | 21 | shoutcast 22 | # The first branch looks for an HTTP request that looks like it is asking for 23 | # a SHOUTcast stream. The second branch looks for the server's reply. However, 24 | # some (newer?) servers answer with "http/1.0 200 OK", not "ICY 200 OK", so 25 | # this will not work. 26 | # This pattern was discovered using Ethereal. 27 | ^get /.*icy-metadata:1|icy [1-5][0-9][0-9] [\x09-\x0d -~]*(content-type:audio|icy-) 28 | -------------------------------------------------------------------------------- /protocols/sip.pat: -------------------------------------------------------------------------------- 1 | # SIP - Session Initiation Protocol - Internet telephony - RFC 3261, 3265, etc. 
2 | # Pattern attributes: good fast fast 3 | # Protocol groups: voip ietf_proposed_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/SIP 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This pattern has been tested with the Ubiquity SIP user agent and has been 8 | # confirmed by at least one other user. 9 | # 10 | # Thanks to Ankit Desai for this pattern. Updated by tehseen sagar. 11 | # 12 | # SIP typically uses port 5060. 13 | # 14 | # This pattern is based on SIP request format as per RFC 3261. I'm not 15 | # sure about the version part. The RFC doesn't say anything about it, so 16 | # I have allowed version ranging from 0.x to 2.x. 17 | 18 | #Request-Line = Method SP Request-URI SP SIP-Version CRLF 19 | sip 20 | ^(invite|register|cancel|message|subscribe|notify) sip[\x09-\x0d -~]*sip/[0-2]\.[0-9] 21 | -------------------------------------------------------------------------------- /protocols/skypetoskype.pat: -------------------------------------------------------------------------------- 1 | # Skype to Skype - UDP voice call (program to program) - http://skype.com 2 | # Pattern attributes: ok veryfast fast overmatch 3 | # Protocol groups: voip p2p proprietary 4 | # Wiki: http://www.protocolinfo.org/wiki/Skype 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | 7 | # This matches at least some of the general chatter that occurs when the 8 | # user isn't doing anything as well as actual calls. 9 | # Thanks to Myles Uyema, mylesuyema AT gmail.com 10 | 11 | skypetoskype 12 | # require at least 16 bytes (my limited tests always get at least 18) 13 | ^..\x02............. 
14 | 15 | -------------------------------------------------------------------------------- /protocols/smb.pat: -------------------------------------------------------------------------------- 1 | # Samba/SMB - Server Message Block - Microsoft Windows filesharing 2 | # Pattern attributes: good fast notsofast 3 | # Protocol groups: document_retrieval networking proprietary 4 | # Wiki: http://www.protocolinfo.org/wiki/SMB 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # "This protocol is sometimes also referred to as the Common Internet File 8 | # System (CIFS), LanManager or NetBIOS protocol." -- "man samba" 9 | # 10 | # Actually, SMB is a higher level protocol than NetBIOS. However, the 11 | # NetBIOS header is only 4 bytes: not much to match on. 12 | # 13 | # http://www.ubiqx.org/cifs/SMB.html 14 | # 15 | # This pattern is lightly tested. 16 | 17 | smb 18 | # matches a NEGOTIATE PROTOCOL or TRANSACTION REQUEST command 19 | \xffsmb[\x72\x25] 20 | -------------------------------------------------------------------------------- /protocols/smtp.pat: -------------------------------------------------------------------------------- 1 | # SMTP - Simple Mail Transfer Protocol - RFC 2821 (See also RFC 1869) 2 | # Pattern attributes: great notsofast fast 3 | # Protocol groups: mail ietf_internet_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/SMTP 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # usually runs on port 25 8 | # 9 | # This pattern has been tested and is believed to work well. 10 | 11 | # As usual, no text is required after "220", but all known servers have some 12 | # there. It (almost?) always has string "smtp" in it. The RFC examples 13 | # does not, so we match those too, just in case anyone has copied them 14 | # literally. 
15 | # 16 | # Some examples: 17 | # 220 mail.stalker.com ESMTP CommuniGate Pro 4.1.3 18 | # 220 mail.vieodata.com ESMTP Merak 6.1.0; Mon, 15 Sep 2003 13:48:11 -0400 19 | # 220 mail.ut.caldera.com ESMTP 20 | # 220 persephone.pmail.gen.nz ESMTP server ready. 21 | # 220 smtp1.superb.net ESMTP 22 | # 220 mail.kerio.com Kerio MailServer 5.6.7 ESMTP ready 23 | # 220-mail.deerfield.com ESMTP VisNetic.MailServer.v6.0.9.0; Mon, 15 Sep 2003 13:4 24 | # 220 altn.com ESMTP MDaemon 6.8.5; Mon, 15 Sep 2003 12:46:42 -0500 25 | # 220 X1 NT-ESMTP Server ipsmin0165atl2.interland.net (IMail 6.06 73062-3) 26 | # 220 mail.icewarp.com ESMTP Merak 6.1.1; Mon, 15 Sep 2003 19:43:23 +0200 27 | # 220-mail.email-scan.com ESMTP 28 | # 220 smaug.dreamhost.com ESMTP 29 | # 220 kona.carleton.edu -- Server ESMTP (PMDF V6.2#30648) 30 | # 220 letra.reed.edu ESMTP Sendmail 8.12.9/8.12.9; Mon, 15 Sep 2003 10:35:57 -0700 (PDT) 31 | # 220-swan.mail.pas.earthlink.net ESMTP Exim 3.33 #1 Mon, 15 Sep 2003 10:32:15 -0700 32 | # 33 | # RFC examples: 34 | # 220 xyz.com Simple Mail Transfer Service Ready (RFC example) 35 | # 220 dbc.mtview.ca.us SMTP service ready 36 | 37 | smtp 38 | ^220[\x09-\x0d -~]* (e?smtp|simple mail) 39 | userspace pattern=^220[\x09-\x0d -~]* (E?SMTP|[Ss]imple [Mm]ail) 40 | userspace flags=REG_NOSUB REG_EXTENDED 41 | -------------------------------------------------------------------------------- /protocols/snmp.pat: -------------------------------------------------------------------------------- 1 | # SNMP - Simple Network Management Protocol - RFC 1157 2 | # Pattern attributes: good veryfast fast superset 3 | # Protocol groups: networking ietf_internet_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/SNMP 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Usually runs on UDP ports 161 (monitoring) and 162 (traps). 
8 | # 9 | # These filters match SNMPv1 packets without fail, and are made as 10 | # specific as possible not to match any ASN.1 encoded protocols. However, 11 | # these could still be matched by other protocols that use ASN.1 encoding. 12 | 13 | # Contributed by Goli SriSairam 14 | 15 | # This pattern has been tested and is believed to work well. 16 | 17 | # All SNMPv1 traffic. See snmp-mon.pat and snmp-trap.pat for details. 18 | snmp 19 | ^\x02\x01\x04.+([\xa0-\xa3]\x02[\x01-\x04].?.?.?.?\x02\x01.?\x02\x01.?\x30|\xa4\x06.+\x40\x04.?.?.?.?\x02\x01.?\x02\x01.?\x43) 20 | -------------------------------------------------------------------------------- /protocols/socks.pat: -------------------------------------------------------------------------------- 1 | # SOCKS Version 5 - Firewall traversal protocol - RFC 1928 2 | # Pattern attributes: good notsofast notsofast 3 | # Protocol groups: networking ietf_proposed_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/SOCKS 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Usually runs on port 1080 8 | # Also useful: http://www.iana.org/assignments/socks-methods 9 | # 10 | # We have had two reports that this pattern works. 11 | 12 | # method request, no private methods \x05[\x01-\x08]* 13 | # method reply, assumes success \x05[\x01-\x08]? 
14 | # method dependent sub-negotiation .* 15 | # request, ipv4 only \x05[\x01-\x03][\x01\x03].* 16 | # reply \x05[\x01-\x08]?[\x01\x03].* 17 | 18 | # username/password method 19 | # u/p request, assuming reasonable usernames and passwords 20 | # \x05[\x02-\x10][a-z][a-z0-9\-]*[\x05-\x20][!-~]* 21 | # server reply 22 | # \x05 23 | 24 | # GSSAPI method 25 | # client initial token \x01\x01\x02.* 26 | # server reply \x01\x01\x02.* 27 | 28 | # any other method .* (all methods boil down to this until we have information 29 | # about all the commonly used ones) 30 | 31 | socks 32 | \x05[\x01-\x08]*\x05[\x01-\x08]?.*\x05[\x01-\x03][\x01\x03].*\x05[\x01-\x08]?[\x01\x03] 33 | -------------------------------------------------------------------------------- /protocols/soribada.pat: -------------------------------------------------------------------------------- 1 | # Soribada - A Korean P2P filesharing program/protocol - http://www.soribada.com 2 | # Pattern attributes: good slow notsofast 3 | # Protocol groups: p2p 4 | # Wiki: http://www.protocolinfo.org/wiki/Soribada 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | 7 | # I am told that there are three versions of this protocol, the first no 8 | # longer being used. That would probably explain why incoming searches 9 | # have two different formats... 10 | 11 | # There are three parts to the Soribada protocol: 12 | # 1: Ping/Pong to establish a relationship on the net (UDP with 2 useful bytes) 13 | # 2: Searching (in two formats) (UDP with two short easy to match starts) 14 | # 3: Download requests/transfers (TCP with an obvious first packet) 15 | 16 | # 1 -- Pings/Pongs: 17 | # The requester sends 2 bytes and a 6 byte response is sent back. 18 | # \x10 for the first byte and \x14-\x16 for the second. 19 | # The response is the first byte (\x10) and the second byte incremented 20 | # by 1 (\x15-\x17). 21 | # No further communication happens between the hosts except for searches. 
22 | # A regex match: ^\x10[\x14-\x16]\x10[\x15-\x17].?.?.?.?$ 23 | # First Packet ---^^^^^^^^^^^^^^^ 24 | # Second Packet -----------------^^^^^^^^^^^^^^^^^^^^^^^ 25 | 26 | # 2 -- Search requests: 27 | # All searches are totally stateless and are only responded to if the user 28 | # actually has the file. 29 | # Both formats start with a \x01 byte, have 3 "random bytes" and then 3 bytes 30 | # corresponding to one of two formats. 31 | # Format 1 is \x51\x3a\+ and format 2 is \x51\x32\x3a 32 | # A regex match: ^\x01.?.?.?(\x51\x3a\+|\x51\x32\x3a) 33 | 34 | # 3 -- Download requests: 35 | # All downloads start with "GETMP3\x0d\x0aFilename" 36 | # A regex match: ^GETMP3\x0d\x0aFilename 37 | 38 | soribada 39 | 40 | # This will match the second packet of two. 41 | # ^\x10[\x14-\x16]\x10[\x15-\x17].?.?.?.?$ 42 | 43 | # Again, matching this is the end of the communication. 44 | # ^\x01.?.?.?(\x51\x3a\+|\x51\x32\x3a) 45 | 46 | # This is the start of the transfer and an easy match 47 | #^GETMP3\x0d\x0aFilename 48 | 49 | # This will match everything including the udp packet portions 50 | ^GETMP3\x0d\x0aFilename|^\x01.?.?.?(\x51\x3a\+|\x51\x32\x3a)|^\x10[\x14-\x16]\x10[\x15-\x17].?.?.?.?$ 51 | 52 | -------------------------------------------------------------------------------- /protocols/soulseek.pat: -------------------------------------------------------------------------------- 1 | # Soulseek - P2P filesharing - http://slsknet.org 2 | # Pattern attributes: good fast fast 3 | # Protocol groups: p2p 4 | # Wiki: http://www.protocolinfo.org/wiki/Soulseek 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # All my tests show that this pattern is fast, but one user has reported that 8 | # it is slow. Your mileage may vary. 9 | 10 | # This has been tested and works for "pierce firewall" commands and file 11 | # transfers. It does *not* match all the various sorts of chatter that go on, 12 | # such as searches, pings and whatnot. 
13 | 14 | soulseek 15 | # (Pierce firewall: in theory the token could be 4 bytes, but the last two 16 | # seem to always be zero.|download: Peer Init) 17 | ^(\x05..?|.\x01.[ -~]+\x01F..?.?.?.?.?.?.?)$ 18 | -------------------------------------------------------------------------------- /protocols/ssdp.pat: -------------------------------------------------------------------------------- 1 | # SSDP - Simple Service Discovery Protocol - easy discovery of network devices 2 | # Pattern attributes: good slow notsofast 3 | # Protocol groups: networking ietf_draft_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/SSDP 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | 7 | # This pattern was tested only by listening to a Linksys WRT54G. However, 8 | # I expect it works in general given the simplicity of the protocol. 9 | 10 | # SSDP packets should _always_ be sent to the multicast address 11 | # 239.255.255.250, making this pattern irrelevant. (Moreover, SSDP 12 | # packets should be restricted to local networks that have plenty of 13 | # bandwidth.) However, Microsoft, as usual, has other ideas, so maybe 14 | # it could be useful. Can't hurt, anyway. 
:-) 15 | # 16 | # http://www.upnp.org/download/draft_cai_ssdp_v1_03.txt 17 | # http://msdn.microsoft.com/library/default.asp?url=/library/en-us/randz/protocol/ssdp.asp 18 | 19 | ssdp 20 | ^notify[\x09-\x0d ]\*[\x09-\x0d ]http/1\.1[\x09-\x0d -~]*ssdp:(alive|byebye)|^m-search[\x09-\x0d ]\*[\x09-\x0d ]http/1\.1[\x09-\x0d -~]*ssdp:discover 21 | 22 | -------------------------------------------------------------------------------- /protocols/ssh.pat: -------------------------------------------------------------------------------- 1 | # SSH - Secure SHell 2 | # Pattern attributes: great veryfast fast 3 | # Protocol groups: remote_access secure ietf_draft_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/SSH 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # usually runs on port 22 8 | # 9 | # http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-22.txt 10 | # 11 | # This pattern has been tested and is believed to work well. 12 | 13 | ssh 14 | ^ssh-[12]\.[0-9] 15 | 16 | # old pattern: 17 | # (diffie-hellman-group-exchange-sha1|diffie-hellman-group1-sha1.ssh-rsa|ssh-dssfaes128-cbc|3des-cbc|blowfish-cbc|cast128-cbc|arcfour|aes192-cbc|aes256-cbc|rijndael-cbc@lysator.liu.sefaes128-cbc|3des-cbc|blowfish-cbc|cast128-cbc|arcfour|aes192-cbc|aes256-cbc|rijndael-cbc@lysator.liu.seuhmac-md5|hmac-sha1|hmac-ripemd160)+ 18 | -------------------------------------------------------------------------------- /protocols/ssl.pat: -------------------------------------------------------------------------------- 1 | # SSL and TLS - Secure Socket Layer / Transport Layer Security - RFC 2246 2 | # Pattern attributes: good notsofast fast superset 3 | # Protocol groups: secure ietf_proposed_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/SSL 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Usually runs on port 443 8 | # 9 | # This is a superset of validcertssl. For it to match, it must be first. 
10 | # 11 | # This pattern has been tested and is believed to work well. 12 | 13 | ssl 14 | # Server Hello with certificate | Client Hello 15 | # This allows SSL 3.X, which includes TLS 1.0, known internally as SSL 3.1 16 | ^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b) 17 | -------------------------------------------------------------------------------- /protocols/stun.pat: -------------------------------------------------------------------------------- 1 | # STUN - Simple Traversal of UDP Through NAT - RFC 3489 2 | # Pattern attributes: ok veryfast fast 3 | # Protocol groups: networking ietf_proposed_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/STUN 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This pattern is untested as far as I know. 8 | 9 | # Wikipedia says: "The STUN server is contacted on UDP port 3478, 10 | # however the server will hint clients to perform tests on alternate IP 11 | # and port number too (STUN servers have two IP addresses). The RFC 12 | # states that this port and IP are arbitrary." 13 | 14 | stun 15 | # \x01 is a Binding Request. \x02 is a Shared Secret Request. Binding 16 | # Requests are, experimentally, exactly 20 Bytes with three NULL Bytes. 17 | # The first NULL is part of the two byte message type field. The other 18 | # two give the message length, zero. I'm guessing that Shared Secret 19 | # Requests are similar, but I have not checked. Please read the RFC and 20 | # do experiments to find out. All other message types are responses, 21 | # and so don't matter. 22 | # 23 | # The .? allows one of the Message Transaction ID Bytes to be \x00. If 24 | # two are \x00, it will fail. This will happen 0.37% of the time, since 25 | # the Message Transaction ID is supposed to be random. If this is 26 | # unacceptable to you, add another ? to reduce this to 0.020%, but be 27 | # aware of the increased possibility of false positives. 
28 | ^[\x01\x02]................?$ 29 | 30 | # From my post to the mailing list: 31 | # http://sourceforge.net/mailarchive/message.php?msg_id=36787107 32 | # 33 | # This is a rather permissive pattern, but you can make it a little better 34 | # by combining it with another iptables rule that checks that the packet 35 | # data is exactly 20 Bytes. Of course, the second packet is longer, so 36 | # maybe that introduces more complications than benefits. 37 | # 38 | # If you're willing to wait until the second packet to make the 39 | # identification, you could use this: 40 | # 41 | # ^\x01................?\x01\x01 42 | # 43 | # or if the Message Length is always \x24 (I'm not sure it is from your 44 | # single example): 45 | # 46 | # ^\x01................?\x01\x01\x24 47 | -------------------------------------------------------------------------------- /protocols/subspace.pat: -------------------------------------------------------------------------------- 1 | # Subspace - 2D asteroids-style space game - http://sscentral.com 2 | # Pattern attributes: marginal veryfast fast 3 | # Protocol groups: game 4 | # Wiki: http://www.protocolinfo.org/wiki/Subspace 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # By Myles Uyema 8 | # 9 | # This pattern matches the initial 2 packets of the client-server 10 | # 'handshake' when joining a Zone. 11 | # 12 | # The first packet is an 8 byte UDP payload sent from client 13 | # 0x00 0x01 0x?? 0x?? 0x?? 0x?? 0x11 14 | # The next packet is a 12 byte UDP response from server 15 | # 0x00 0x10 0x?? 0x?? 0x?? 0x?? 0x?? 0x?? 0x?? 0x?? 
0x01 0x00 16 | # 17 | # l7-filter strips out the null bytes, leaving me with this pattern 18 | 19 | subspace 20 | ^\x01....\x11\x10........\x01$ 21 | 22 | -------------------------------------------------------------------------------- /protocols/subversion.pat: -------------------------------------------------------------------------------- 1 | # Subversion - a version control system 2 | # Pattern attributes: ok veryfast fast 3 | # Protocol groups: version_control open_source 4 | # Wiki: http://www.protocolinfo.org/wiki/Subversion 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This pattern is UNTESTED. (But it seems straightforward enough...) 8 | # 9 | # Subversion uses TCP port 3690 by default. 10 | 11 | subversion 12 | # This is not a valid basic GNU regular expression. 13 | ^\( success \( 1 2 \( 14 | -------------------------------------------------------------------------------- /protocols/teamfortress2.pat: -------------------------------------------------------------------------------- 1 | # Team Fortress 2 - network game - http://www.valvesoftware.com 2 | # Pattern attributes: good veryfast fast 3 | # Protocol groups: game proprietary 4 | # Wiki: http://www.protocolinfo.org/wiki/Team_Fortress 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Credits: Clayton Macleod 8 | # Jan Engelhardt 9 | 10 | teamfortress2 11 | ^\xff\xff\xff\xff.....*tfTeam Fortress 12 | -------------------------------------------------------------------------------- /protocols/teamspeak.pat: -------------------------------------------------------------------------------- 1 | # TeamSpeak - VoIP application - http://goteamspeak.com 2 | # Pattern attributes: good veryfast fast 3 | # Protocol groups: voip proprietary 4 | # Wiki: http://www.protocolinfo.org/wiki/TeamSpeak 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This pattern has been tested by Matthew Strait and verified by packet 8 | 
# traces by at least two other people. The meaning of f4b303 is not 9 | # known, but it seems to appear in all first packets. This pattern only 10 | # matches the actual UDP voice traffic, not the TeamSpeak web interface 11 | # or "TCP query". 12 | 13 | teamspeak 14 | ^\xf4\xbe\x03.*teamspeak 15 | 16 | -------------------------------------------------------------------------------- /protocols/telnet.pat: -------------------------------------------------------------------------------- 1 | # Telnet - Insecure remote login - RFC 854 2 | # Pattern attributes: good veryfast fast 3 | # Protocol groups: remote_access obsolete ietf_internet_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/Telnet 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Usually runs on port 23 8 | # 9 | # This pattern is lightly tested. 10 | 11 | telnet 12 | # Matches at least three IAC (Do|Will|Don't|Won't) commands in a row. 13 | # My telnet client sends 9 when I connect, so this should be fine. 14 | # This pattern could fail on a unchatty connection or it could be 15 | # matched by something non-telnet spewing a lot of stuff in the fb-ff range. 16 | ^\xff[\xfb-\xfe].\xff[\xfb-\xfe].\xff[\xfb-\xfe] 17 | -------------------------------------------------------------------------------- /protocols/tesla.pat: -------------------------------------------------------------------------------- 1 | # Tesla Advanced Communication - P2P filesharing (?) 2 | # Pattern attributes: marginal slow notsofast 3 | # Protocol groups: p2p 4 | # Wiki: http://www.protocolinfo.org/wiki/Tesla 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This pattern is untested! 8 | 9 | # This is lifted from http://oofle.com/filesharing.php?app=tesla 10 | # There is no explaination of what these numbers mean. 11 | # The above page says that the first string is found only in TCP packets 12 | # and the second only in UDP. 
13 | 14 | tesla 15 | \x03\x9a\x89\x22\x31\x31\x31\.\x30\x30\x20\x42\x65\x74\x61\x20|\xe2\x3c\x69\x1e\x1c\xe9 16 | -------------------------------------------------------------------------------- /protocols/tftp.pat: -------------------------------------------------------------------------------- 1 | # TFTP - Trivial File Transfer Protocol - used for bootstrapping - RFC 1350 2 | # Pattern attributes: marginal fast fast 3 | # Protocol groups: document_retrieval ietf_internet_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/TFTP 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # usually runs on port 69 8 | # 9 | # This pattern is unconfirmed. 10 | 11 | tftp 12 | # The first packet from the initiating host should either be a Read Request 13 | # or a Write Request. In the other direction, it should be data packet with 14 | # block number one or an ACK with block number zero. We only attempt to match 15 | # the initiating host's packets, because the only identifying features of 16 | # the responses to them are two byte sequences (which isn't specific enough). 17 | # (\x01|\x02) = Read Request or Write Request 18 | # [ -~]* = the file name 19 | # the rest = netascii|octet|mail (case insensitivity done by the kernel) 20 | 21 | ^(\x01|\x02)[ -~]*(netascii|octet|mail) 22 | -------------------------------------------------------------------------------- /protocols/thecircle.pat: -------------------------------------------------------------------------------- 1 | # The Circle - P2P application - http://thecircle.org.au 2 | # Pattern attributes: ok veryfast fast 3 | # Protocol groups: p2p open_source 4 | # Wiki: http://www.protocolinfo.org/wiki/The_Circle 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | 7 | # This is tested with The Circle 0.41c on Linux. 8 | # It likely misses some stuff. Notably, I wasn't able to test it on any 9 | # large downloads, because no one is sharing anything! 
10 | 11 | thecircle 12 | ^t\x03ni.?[\x01-\x06]?t[\x01-\x05]s[\x0a\x0b](glob|who are you$|query data) 13 | -------------------------------------------------------------------------------- /protocols/tonghuashun.pat: -------------------------------------------------------------------------------- 1 | # Tonghuashun - stock analysis and trading; Chinese - http://www.10jqka.com.cn 2 | # Pattern attributes: ok fast fast 3 | # Protocol groups: 4 | # Wiki: http://www.protocolinfo.org/wiki/Tonghuashun 5 | # Copyright (C) 2009 Matthew Strait; See ../LICENSE 6 | 7 | # Pattern contributed by liangjun without comment. 8 | 9 | tonghuashun 10 | ^(GET /docookie\.php\?uname=|\xfd\xfd\xfd\xfd\x30\x30\x30\x30\x30) 11 | 12 | -------------------------------------------------------------------------------- /protocols/tor.pat: -------------------------------------------------------------------------------- 1 | # Tor - The Onion Router - used for anonymization - http://tor.eff.org 2 | # Pattern attributes: good notsofast notsofast 3 | # Protocol groups: networking 4 | # Wiki: http://protocolinfo.org/wiki/Tor 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This pattern has been tested and is believed to work well. 8 | # 9 | # It matches on the second packet. I have no idea how the protocol 10 | # works, but this matches every stream I have made using Tor 0.1.0.16 as 11 | # a client on Linux. 12 | # 13 | # It does NOT attempt to match the HTTP request that fetches the list of 14 | # Tor servers. 
15 | 16 | tor 17 | TOR1.* 18 | -------------------------------------------------------------------------------- /protocols/tsp.pat: -------------------------------------------------------------------------------- 1 | # TSP - Berkely UNIX Time Synchronization Protocol 2 | # Pattern attributes: good veryfast fast overmatch 3 | # Protocol groups: time_synchronization open_source 4 | # Wiki: http://www.protocolinfo.org/wiki/TSP 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # http://ftp.svbug.com/ftp/pub/manuals/pdf/smm.22.timed.pdf 8 | # http://docs.freebsd.org/44doc/smm/12.timed/paper.pdf 9 | # 10 | # This pattern is barely tested. 11 | 12 | tsp 13 | # type, version (1), sequence number, 8 type specific bytes, machine name 14 | ^[\x01-\x13\x16-$]\x01.?.?.?.?.?.?.?.?.?.?[ -~]+ 15 | -------------------------------------------------------------------------------- /protocols/unknown.pat: -------------------------------------------------------------------------------- 1 | # Unknown - Dummy pattern for old unmatched connections. 2 | 3 | unknown 4 | # This pattern is ignored by the kernel. It sees that the "protocol" is 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # "unknown" and always returns unmatched for connections that are still 7 | # being tested. 8 | . 9 | -------------------------------------------------------------------------------- /protocols/unset.pat: -------------------------------------------------------------------------------- 1 | # Unset - Dummy pattern for unmatched connections that are still being tested 2 | 3 | unset 4 | # This pattern is ignored by the kernel. It sees that the "protocol" is 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # "testing" and always returns matched for connections that are still 7 | # being tested. 8 | . 
9 | -------------------------------------------------------------------------------- /protocols/uucp.pat: -------------------------------------------------------------------------------- 1 | # UUCP - Unix to Unix Copy 2 | # Pattern attributes: ok veryfast fast 3 | # Protocol groups: document_retrieval obsolete 4 | # Wiki: http://www.protocolinfo.org/wiki/UUCP 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | 7 | # This is completely untested! (I don't know how to use UUCP...) 8 | 9 | # See http://docs.freebsd.org/info/uucp/uucp.info.The_Initial_Handshake.html 10 | 11 | uucp 12 | ^\x10here= 13 | -------------------------------------------------------------------------------- /protocols/validcertssl.pat: -------------------------------------------------------------------------------- 1 | # Valid certificate SSL 2 | # Pattern attributes: good slow notsofast subset 3 | # Protocol groups: secure ietf_proposed_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/SSL 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | 7 | # This matches anything claiming to use a valid certificate from a well 8 | # known certificate authority. 9 | # 10 | # This is a subset of ssl, so it needs to come first to match. 11 | # 12 | # Note that opening a website that has a valid certificate will 13 | # open one connection that matches this and many ssl connections that 14 | # only match the ssl pattern. Thus, this pattern may not be very useful. 15 | # 16 | # This pattern is believed match only the above, but may not match all 17 | # of it. 18 | # 19 | # the certificate authority info is sent in quasi plain text, if it matches 20 | # a well known certificate authority then we will assume it is a 21 | # web/imaps/etc server. 
Other ssl may be good too, but it should fall under 22 | # a different rule 23 | 24 | validcertssl 25 | ^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b).*(thawte|equifax secure|rsa data security, inc|verisign, inc|gte cybertrust root|entrust\.net limited) 26 | -------------------------------------------------------------------------------- /protocols/ventrilo.pat: -------------------------------------------------------------------------------- 1 | # Ventrilo - VoIP - http://ventrilo.com 2 | # Pattern attributes: good fast fast 3 | # Protocol groups: voip proprietary 4 | # Wiki: http://www.protocolinfo.org/wiki/Ventrilo 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # I have tested this with Ventrilo client 2.3.0 on Windows talking to 8 | # Ventrilo server 2.3.1 (the public version) on Linux. I've done this 9 | # both within a LAN and over the Internet. In one test, I tried 10 | # monkeying around with the server settings to see if I could break the 11 | # pattern, and I couldn't. However, you can't change the port number in 12 | # the public server. 13 | # 14 | # It has also been tested by one other person in an unknown configuration. 15 | 16 | ventrilo 17 | ^..?v\$\xcf 18 | 19 | -------------------------------------------------------------------------------- /protocols/vnc.pat: -------------------------------------------------------------------------------- 1 | # VNC - Virtual Network Computing. Also known as RFB - Remote Frame Buffer 2 | # Pattern attributes: great veryfast fast 3 | # Protocol groups: remote_access 4 | # Wiki: http://www.protocolinfo.org/wiki/VNC 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # http://www.realvnc.com/documentation.html 8 | # 9 | # This pattern has been verified with vnc v3.3.7 on WinXP and Linux 10 | # 11 | # Thanks to Trevor Paskett for this pattern. 
12 | 13 | vnc 14 | # Assumes single digit major and minor version numbers 15 | # This message should be all alone in the first packet, so ^$ is appropriate 16 | ^rfb 00[1-9]\.00[0-9]\x0a$ 17 | 18 | # This is a more restrictive version which assumes the version numbers 19 | # are ones actually in existance at the time of this writing, i.e. 3.3, 20 | # 3.7 and 3.8 (with some clients wrongly reporting 3.5). It should be 21 | # slightly faster, but probably not worth the extra maintenance. 22 | # ^rfb 003\.00[3578]\x0a$ 23 | 24 | -------------------------------------------------------------------------------- /protocols/whois.pat: -------------------------------------------------------------------------------- 1 | # Whois - query/response system, usually used for domain name info - RFC 3912 2 | # Pattern attributes: good notsofast notsofast overmatch 3 | # Protocol groups: networking ietf_draft_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/Whois 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Usually runs on TCP port 43 8 | # 9 | # This pattern has been tested and is believed to work well. 10 | 11 | whois 12 | # Matches the query. Assumes only that it is printable ASCII without wierd 13 | # whitespace. 14 | ^[ !-~]+\x0d\x0a$ 15 | -------------------------------------------------------------------------------- /protocols/worldofwarcraft.pat: -------------------------------------------------------------------------------- 1 | # World of Warcraft - popular network game - http://blizzard.com/ 2 | # Pattern attributes: ok veryfast fast 3 | # Protocol groups: game proprietary 4 | # Wiki: http://www.protocolinfo.org/wiki/World_of_Warcraft 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | 7 | worldofwarcraft 8 | ^\x06\xec\x01 9 | 10 | # Quoth the author of this pattern, Weisskopf Beat : 11 | 12 | # I have written a pattern for wow (tested with versions 1.8.3 and 13 | # 1.8.4, german edition). 
It does not match the login as i think this is 14 | # uncritical, but i have added the necessary info later on. So only the 15 | # actual in-game traffic is matched. 16 | # 17 | # I hope the pattern is specific enough, otherwise one may add some 18 | # bytes from the response. 19 | # 20 | # some captured info: 21 | # 22 | # login: 23 | # 24 | # 0000: 00 02 28 00 57 6F 57 00 01 08 03 C7 12 36 38 78 ..(.WoW......68x 25 | # 0010: 00 6E 69 57 00 45 44 65 64 3C 00 00 00 C0 A8 01 .niW.EDed<...... 26 | # 0020: 22 0A 42 57 45 49 53 53 4B 4F 50 46 ".BWEISSKOPF 27 | # 28 | # 0000: 00 02 28 00 57 6F 57 00 01 08 03 C7 12 36 38 78 ..(.WoW......68x 29 | # 0010: 00 6E 69 57 00 45 44 65 64 3C 00 00 00 C0 A8 01 .niW.EDed<...... 30 | # 0020: 22 0A 42 57 45 49 53 53 4B 4F 50 46 ".BWEISSKOPF 31 | # 32 | # server asking: 33 | # 34 | # #1 35 | # 0000: 00 06 EC 01 04 49 C5 33 .....I.3 36 | # 37 | # #2 38 | # 0000: 00 06 EC 01 C3 A8 6E 63 ......nc 39 | # 40 | # client response 41 | # #1 42 | # 0000: 00 A4 ED 01 00 00 C7 12 00 00 00 00 00 00 42 57 ..............BW 43 | # 0010: 45 49 53 53 4B 4F 50 46 00 EB 35 DC 89 5A CA 6D EISSKOPF..5..Z.m 44 | # 0020: 17 95 DE 5B 74 6E 1E 5D 23 73 C6 8F 27 9F 11 12 ...[tn.]#s..'... 45 | # 0030: BB 21 01 00 00 78 9C 75 CC 41 0A 83 50 0C 84 E1 .!...x.u.A..P... 46 | # 0040: E7 3D 7A 19 75 25 D4 4D AB EB 12 5E A2 0C 8D 51 .=z.u%.M...^...Q 47 | # 0050: D2 57 04 4F DF 2E 2D A4 B3 FD 86 3F A5 EF 1A C5 .W.O..-....?.... 48 | # 0060: 71 90 F3 A3 7E E7 82 D5 C6 2E 55 CB 7E B9 FE 58 q...~.....U.~..X 49 | # 0070: 43 A5 A8 4C 10 E5 1E 86 85 B6 E8 04 63 D8 1C 06 C..L........c... 50 | # 0080: 5A A7 A9 84 D2 D9 6B 93 1C 5B 4F D9 D7 50 6E 04 Z.....k..[O..Pn. 51 | # 0090: 0E 61 20 15 8B 6B 83 13 CB FD 09 D5 7F 0C 13 3F .a ..k.........? 52 | # 00A0: DB 07 B4 EA 54 F8 ....T. 
53 | # 54 | # #2 55 | # 0000: 00 A4 ED 01 00 00 C7 12 00 00 00 00 00 00 42 57 ..............BW 56 | # 0010: 45 49 53 53 4B 4F 50 46 00 38 4C B5 95 C3 AD 25 EISSKOPF.8L....% 57 | # 0020: CB 73 48 BD 82 FC 99 63 59 AC BF F3 D0 C6 8D AB .sH....cY....... 58 | # 0030: 3D 21 01 00 00 78 9C 75 CC 41 0A 83 50 0C 84 E1 =!...x.u.A..P... 59 | # 0040: E7 3D 7A 19 75 25 D4 4D AB EB 12 5E A2 0C 8D 51 .=z.u%.M...^...Q 60 | # 0050: D2 57 04 4F DF 2E 2D A4 B3 FD 86 3F A5 EF 1A C5 .W.O..-....?.... 61 | # 0060: 71 90 F3 A3 7E E7 82 D5 C6 2E 55 CB 7E B9 FE 58 q...~.....U.~..X 62 | # 0070: 43 A5 A8 4C 10 E5 1E 86 85 B6 E8 04 63 D8 1C 06 C..L........c... 63 | # 0080: 5A A7 A9 84 D2 D9 6B 93 1C 5B 4F D9 D7 50 6E 04 Z.....k..[O..Pn. 64 | # 0090: 0E 61 20 15 8B 6B 83 13 CB FD 09 D5 7F 0C 13 3F .a ..k.........? 65 | # 00A0: DB 07 B4 EA 54 F8 ....T. 66 | 67 | -------------------------------------------------------------------------------- /protocols/x11.pat: -------------------------------------------------------------------------------- 1 | # X Windows Version 11 - Networked GUI system used in most Unices 2 | # Pattern attributes: good notsofast veryfast 3 | # Protocol groups: remote_access x_consortium_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/X11 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # It is common for X to be tunneled through SSH. Then obviously this pattern 8 | # will not catch it. 9 | # 10 | # Specification: http://www.msu.edu/~huntharo/xwin/docs/xwindows/PROTO.pdf 11 | # Usually runs on port 6000 (6001 for the second server on a host, etc) 12 | # 13 | # This pattern has been tested. 14 | 15 | x11 16 | # 'l' = little-endian. 'B' = big endian 17 | # ".?" is for the unused byte that comes next. If it's a null, it won't appear. 18 | # \x0b = protocol-major-version 11. 19 | # For some reason, protocol-minor-version is 0, not 6, so can't match it. 20 | # This pattern is too general. 
21 | ^[lb].?\x0b 22 | userspace pattern=^[lB].?\x0b 23 | userspace flags=REG_NOSUB 24 | -------------------------------------------------------------------------------- /protocols/xboxlive.pat: -------------------------------------------------------------------------------- 1 | # XBox Live - Console gaming 2 | # Pattern attributes: marginal slow notsofast 3 | # Protocol groups: game proprietary 4 | # Wiki: http://www.protocolinfo.org/wiki/XBox_Live 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This may match all XBox traffic, or may only match Halo 2 traffic. 8 | # We don't know yet. 9 | # 10 | # Thanks to Myles Uyema , who says: 11 | # 12 | # Analyzing packet traces using Ethereal, the Xbox typically connects 13 | # to remote users using UDP port 3074. The first frame is typically 14 | # a 156 byte UDP payload. I've only scrutinized the first 20 or so bytes. 15 | # 16 | # Each line below represents the first frame between my Xbox and a remote 17 | # player's IP address playing Halo2 on Xbox Live. 
18 | # 19 | # 00 00 00 00 00 58 80 00 00 00 00 00 82 31 9e a8 05 0f c5 62 00 f3 96 08 20 | # 00 00 00 00 00 58 80 00 00 00 00 00 82 31 9e a8 0f 0f c5 62 00 f3 97 09 21 | # 00 00 00 00 00 58 80 00 00 00 00 00 82 31 9e a8 05 0f c5 62 00 f3 95 07 22 | # 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 bc 07 23 | # 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 be 09 24 | # 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 bf 0a 25 | # 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 bd 08 26 | # 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 ba 05 27 | # 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 bb 06 28 | # 00 00 00 00 00 58 80 00 00 00 00 00 81 7f dd 14 f2 8e a3 a1 00 f3 ca 06 29 | # 00 00 00 00 00 58 80 00 00 00 00 00 81 7f dd 14 f2 8e a3 a1 00 f3 cc 08 30 | # 00 00 00 00 00 58 80 00 00 00 00 00 81 7f dd 14 f2 8e a3 a1 00 f3 c9 05 31 | # 00 00 00 00 00 58 80 00 00 00 00 00 8b ca 5b c0 d8 9c f8 c3 00 f3 d4 0a 32 | # 00 00 00 00 00 58 80 00 00 00 00 00 8b ca 5b c0 d8 9c f3 c3 00 f3 d1 07 33 | # 00 00 00 00 00 58 80 00 00 00 00 00 8b ca 5b c0 d8 9c f8 c3 00 f3 d2 08 34 | # 00 00 00 00 00 58 80 00 00 00 00 00 8b ca 5b c0 d8 9c f8 c3 00 f3 cf 05 35 | # 00 00 00 00 06 58 4e 00 00 00 e6 d9 6e ab 65 0d 63 9f 02 00 00 02 80 dd 36 | # 00 00 00 00 06 58 4e 00 00 00 46 e2 95 74 cd f9 bc 3d 00 00 00 00 8b ca 37 | # 00 00 00 00 06 58 4e 00 00 00 cf ce 3b 5c f5 f2 49 9a 00 00 00 00 8b ca 38 | # 00 00 00 00 06 58 4e 00 00 00 a9 c0 ac c5 16 e5 c9 92 00 00 00 00 8b ca 39 | 40 | xboxlive 41 | ^\x58\x80........\xf3|^\x06\x58\x4e 42 | -------------------------------------------------------------------------------- /protocols/xunlei.pat: -------------------------------------------------------------------------------- 1 | # Xunlei - Chinese P2P filesharing - http://xunlei.com 2 | # Pattern attributes: good slow notsofast 3 | # Protocol groups: p2p 4 | # Wiki: 
http://www.protocolinfo.org/wiki/Xunlei 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # This has been tested by a number of people. 8 | # 9 | # Written by wsgtrsys of www.routerclub.com. Improved by VeNoMouS. 10 | # Improved more by wsgtrsys and platinum of bbs.chinaunix.net. 11 | # 12 | # Further additions of HTTP-like content by liangjunATdcuxD.Tcom, who 13 | # says: "i find old pattern is not working . so i write a new pattern of 14 | # xunlei,it's working with all of xunlei 5 version!" Matthew Strait notes 15 | # in response: 16 | # 17 | # I've looked around and I'm fairly sure that Internet Explorer 5.0 18 | # never identifies itself as "Mozilla/4.0 (compatible; MSIE 5.00; 19 | # Windows 98)" and that Internet Explorer 6.0 never identifies itself as 20 | # either "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; )" or 21 | # "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)". 22 | 23 | # The keep-alive part needs some examination too. These might validly 24 | # occur in an HTTP/1.0 connection, although I think in practical cases 25 | # they don't since there's general only one \x0d\x0a after it and/or the 26 | # next line starts with a letter (especially because it's the client 27 | # sending it). It wouldn't be crazy, though, if another protocol 28 | # (besides Xunlei) used keep-alive in a way that did match this. But 29 | # since I can't think of any examples, I'll assume it's ok for now. 30 | 31 | xunlei 32 | ^([()]|get)(...?.?.?(reg|get|query)|.+User-Agent: (Mozilla/4\.0 \(compatible; (MSIE 6\.0; Windows NT 5\.1;? ?\)|MSIE 5\.00; Windows 98\))))|Keep-Alive\x0d\x0a\x0d\x0a[26] 33 | 34 | 35 | # This was the pattern until 2008 11 08. 
It is safer than the above against 36 | # overmatching ordinary HTTP connections 37 | #^[()]...?.?.?(reg|get|query) 38 | 39 | # More detail: 40 | # From http://sourceforge.net/tracker/index.php?func=detail&aid=1885209&group_id=80085&atid=558668 41 | # 42 | ############################################################################## 43 | # Date: 2008-02-03 44 | # Sender: hydr0g3n 45 | # 46 | # Xunlei (Chinese P2P) traffic is not matched anymore by layer7 xunlei 47 | # pattern. It used to work in the past but not anymore. Maybe Xunlei was 48 | # updated and pattern should be adapted? 49 | # 50 | # Apparently ipp2p was edited by Chinese people to detect pplive and xunlei. 51 | # It is interesting and very recent: 52 | # http://www.chinaunix.net/jh/4/914377.html 53 | ############################################################################## 54 | # Date: 2008-02-03 55 | # Sender: quadong 56 | # 57 | # Ok. Only some of the ipp2p function can be translated into an l7-filter 58 | # regular expression. The first part of search_xunlei can't be, since it 59 | # works by checking whether the length of the packet matches a byte in the 60 | # packet. The second part of search_xunlei becomes: 61 | # 62 | # \x20.?\x01?.?[\x01\x77]............?.?.?.?\x38 63 | # 64 | # Or possibly: 65 | # 66 | # ^\x20.?\x01?.?[\x01\x77]............?.?.?.?\x38 67 | # 68 | # I'm not sure whether IPP2P looks at every packet or only the first of each 69 | # connection. 70 | # 71 | # udp_search_xunlei says: 72 | # \x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff 73 | # 74 | # Again, putting a ^ at the beginning might work: 75 | # 76 | # ^(\x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff) 77 | # 78 | # So this *might* work: 79 | # 80 | # ^(\x20.?\x01?.?[\x01\x77]............?.?.?.?\x38|\x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff) 81 | # 82 | # but the ^ might be wrong and it will not match the HTTP part of Xunlei. 
83 | ############################################################################## 84 | -------------------------------------------------------------------------------- /protocols/yahoo.pat: -------------------------------------------------------------------------------- 1 | # Yahoo messenger - an instant messenger protocol - http://yahoo.com 2 | # Pattern attributes: good fast fast 3 | # Protocol groups: chat proprietary 4 | # Wiki: http://www.protocolinfo.org/wiki/Yahoo_Messenger 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # Usually runs on port 5050 8 | # 9 | # This pattern has been tested and is believed to work well. 10 | 11 | yahoo 12 | # http://www.venkydude.com/articles/yahoo.htm says: 13 | # All Yahoo commands start with YMSG. 14 | # (Well... http://ethereal.com/faq.html#q5.32 suggests that YPNS and YHOO 15 | # are also possible, so let's allow those) 16 | # The next 7 bytes contain command (packet?) length and version information 17 | # which we won't currently try to match. 18 | # L means "YAHOO_SERVICE_VERIFY" according to Ethereal 19 | # W means "encryption challenge command" (YAHOO_SERVICE_AUTH) 20 | # T means "login command" (YAHOO_SERVICE_AUTHRESP) 21 | # (there are others, i.e. 0x01 "coming online", 0x02 "going offline", 22 | # 0x04 "changing status to available", 0x06 "user message", but W and T 23 | # should appear in the first few packets.) 24 | # 0xC080 is the standard argument separator, it should appear not long 25 | # after the "type of command" byte. 
26 | 27 | ^(ymsg|ypns|yhoo).?.?.?.?.?.?.?[lwt].*\xc0\x80 28 | -------------------------------------------------------------------------------- /protocols/zmaap.pat: -------------------------------------------------------------------------------- 1 | # ZMAAP - Zeroconf Multicast Address Allocation Protocol 2 | # Pattern attributes: ok veryfast fast 3 | # Protocol groups: networking ietf_draft_standard 4 | # Wiki: http://www.protocolinfo.org/wiki/ZMAAP 5 | # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE 6 | # 7 | # http://files.zeroconf.org/draft-ietf-zeroconf-zmaap-02.txt 8 | # (Note that this reference is an Internet-Draft, and therefore must 9 | # be considered a work in progress.) 10 | # 11 | # This pattern is untested! 12 | 13 | zmaap 14 | # - 4 byte magic number. 15 | # - 1 byte version. Allow 1 & 2, even though only version 1 currently exists. 16 | # - 1 byte message type,which is either 0 or 1 17 | # - 1 byte address family. L7-filter only works in IPv4, so this is 1. 
18 | ^\x1b\xd7\x3b\x48[\x01\x02]\x01?\x01 19 | -------------------------------------------------------------------------------- /testing/Makefile: -------------------------------------------------------------------------------- 1 | all: randchars randprintable test_speed-kernel test_speed-userspace match_kernel 2 | 3 | randchars: randchars.c 4 | gcc -O2 -o randchars randchars.c 5 | 6 | randprintable: randprintable.c 7 | gcc -O2 -o randprintable randprintable.c 8 | 9 | test_speed-kernel: test_speed-kernel.c 10 | gcc -o test_speed-kernel test_speed-kernel.c 11 | 12 | test_speed-userspace: test_speed-userspace.cpp l7-parse-patterns.cpp l7-parse-patterns.h 13 | g++ -Wall -o test_speed-userspace test_speed-userspace.cpp l7-parse-patterns.cpp 14 | 15 | match_kernel: match-kernel.c 16 | gcc -O2 -o match_kernel match-kernel.c 17 | 18 | clean: 19 | rm -f randprintable randchars test_speed-kernel test_speed-userspace match_kernel 20 | -------------------------------------------------------------------------------- /testing/README: -------------------------------------------------------------------------------- 1 | Using these programs, you can: 2 | 3 | - test the speed of patterns. 4 | - test whether your pattern matches random data (which is bad!). 5 | 6 | Each test can be done with either the regular expression library that 7 | the kernel version of l7-filter uses (written by Henry Spencer) or the 8 | one that the userspace version of l7-filter uses (GNU). Note that these 9 | are fairly crude tests. They are not certain to reflect actual network 10 | performance. 11 | 12 | Start by saying "make". 13 | 14 | ************************************************************************ 15 | 16 | To test the speed of your pattern, use timeit.sh 17 | 18 | Run timeit.sh with no arguments for instructions. 19 | 20 | You'll find that the Henry Spencer (kernel) library has some performance 21 | quirks. Things we've noticed: 22 | 23 | - Branches are very expensive. 
Testing for "foo|bar" takes much 24 | longer than twice as long as testing for "foo". 25 | 26 | - Parentheses aren't optimized out. "(foo)" takes much longer than "foo". 27 | 28 | - "^(foo|bar)" is much faster than "^foo|^bar". 29 | 30 | *********************************************************************** 31 | 32 | To test whether your pattern matches random data, run test_match.sh 33 | 34 | Run test_match.sh with no arguments for instructions. 35 | 36 | *********************************************************************** 37 | 38 | ___DEVELOPER INFORMATION___ 39 | 40 | 1) 41 | 42 | The data directory holds packet captures to test against. The file name 43 | format is: [protocol]-[optional letter]-[number]. The protocol is the 44 | protocol and possibly some information about the situation. The letter 45 | denotes which session the capture is from if there are several. The 46 | number denotes how many packets the file contains. (To simulate what 47 | l7-filter sees, the first file has only the first packet, the second has 48 | the first two packets, and so on.) 49 | 50 | (The ares data is a bit of a cheat. I let these files sit around for a 51 | long time before putting them here, so I'm not sure what they are 52 | exactly, except that they are Ares data and they clearly aren't in the 53 | 1, 1-2, 1-2-3 form described above.) 54 | 55 | 2) 56 | 57 | Everything here is a kludge held together by chewing gum and masking 58 | tape. Note that test_speed-userspace is the backend for both timeit.sh 59 | and test_match.sh for their userspace modes, but for their kernel 60 | modes, they use the separate backends test_speed-kernel and 61 | match_kernel. Yuck. 
62 | -------------------------------------------------------------------------------- /testing/data/aim-1: -------------------------------------------------------------------------------- 1 | * 2 | -------------------------------------------------------------------------------- /testing/data/aim-2: -------------------------------------------------------------------------------- 1 | ** / 2 | -------------------------------------------------------------------------------- /testing/data/aim-3: -------------------------------------------------------------------------------- 1 | ** /*  2 | qintoauraaKZ 3 | -------------------------------------------------------------------------------- /testing/data/aim-4: -------------------------------------------------------------------------------- 1 | ** /*  2 | qintoauraaKZ* 0 961849602 3 | -------------------------------------------------------------------------------- /testing/data/aim-5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/aim-5 -------------------------------------------------------------------------------- /testing/data/aim-6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/aim-6 -------------------------------------------------------------------------------- /testing/data/aresdownload-a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/aresdownload-a -------------------------------------------------------------------------------- /testing/data/aresdownload-b: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/aresdownload-b -------------------------------------------------------------------------------- /testing/data/aresdownload-c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/aresdownload-c -------------------------------------------------------------------------------- /testing/data/bittorrent-a-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/bittorrent-a-1 -------------------------------------------------------------------------------- /testing/data/bittorrent-a-2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/bittorrent-a-2 -------------------------------------------------------------------------------- /testing/data/bittorrent-a-3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/bittorrent-a-3 -------------------------------------------------------------------------------- /testing/data/bittorrent-a-4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/bittorrent-a-4 -------------------------------------------------------------------------------- /testing/data/bittorrent-b-1: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/bittorrent-b-1 -------------------------------------------------------------------------------- /testing/data/bittorrent-b-2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/bittorrent-b-2 -------------------------------------------------------------------------------- /testing/data/bittorrent-b-3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/bittorrent-b-3 -------------------------------------------------------------------------------- /testing/data/bittorrent-b-4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/bittorrent-b-4 -------------------------------------------------------------------------------- /testing/data/chikka-a-1: -------------------------------------------------------------------------------- 1 | CTPv1.2 Kamusta 66.93.17.216:39527 1168835268. Manila, Philippines! 2 | -------------------------------------------------------------------------------- /testing/data/chikka-a-2: -------------------------------------------------------------------------------- 1 | CTPv1.2 Kamusta 66.93.17.216:39527 1168835268. Manila, Philippines! 2 | 01:001 001:002141592650 002:ormskull 003:5 004:-6 01 -------------------------------------------------------------------------------- /testing/data/chikka-a-3: -------------------------------------------------------------------------------- 1 | CTPv1.2 Kamusta 66.93.17.216:39527 1168835268. Manila, Philippines! 
2 | 01:001 001:002141592650 002:ormskull 003:5 004:-6 0101:000 032:Our system detects that you are not a registered Chikka user. To register, click on the REGISTER button in the toolbar. It's FREE! 3F -------------------------------------------------------------------------------- /testing/data/chikka-b-1: -------------------------------------------------------------------------------- 1 | CTPv1.2 Kamusta 66.93.17.216:42533 1168838269. Manila, Philippines! 2 | -------------------------------------------------------------------------------- /testing/data/chikka-b-2: -------------------------------------------------------------------------------- 1 | CTPv1.2 Kamusta 66.93.17.216:42533 1168838269. Manila, Philippines! 2 | 01:001 001:003141592650 002:ormskull 003:5 004:-6 02 -------------------------------------------------------------------------------- /testing/data/chikka-b-3: -------------------------------------------------------------------------------- 1 | CTPv1.2 Kamusta 66.93.17.216:42533 1168838269. Manila, Philippines! 2 | 01:001 001:003141592650 002:ormskull 003:5 004:-6 0251:001 004:1 44 -------------------------------------------------------------------------------- /testing/data/chikka-b-4: -------------------------------------------------------------------------------- 1 | CTPv1.2 Kamusta 66.93.17.216:42533 1168838269. Manila, Philippines! 2 | 01:001 001:003141592650 002:ormskull 003:5 004:-6 0251:001 004:1 4441:000 016:Bob 017:Smithy 018:quadong@gmail.com 019:0 020:2 031: 022: 005: 024: 025: 026: 027:0 028:0 001:003141592650 030:0 007:Chikka 021:0 023:0 006: 051: 032: 3E -------------------------------------------------------------------------------- /testing/data/chikka-b-5: -------------------------------------------------------------------------------- 1 | CTPv1.2 Kamusta 66.93.17.216:42533 1168838269. Manila, Philippines! 
2 | 01:001 001:003141592650 002:ormskull 003:5 004:-6 0251:001 004:1 4441:000 016:Bob 017:Smithy 018:quadong@gmail.com 019:0 020:2 031: 022: 005: 024: 025: 026: 027:0 028:0 001:003141592650 030:0 007:Chikka 021:0 023:0 006: 051: 032: 3E91:000 3F -------------------------------------------------------------------------------- /testing/data/chikka-b-6: -------------------------------------------------------------------------------- 1 | CTPv1.2 Kamusta 66.93.17.216:42533 1168838269. Manila, Philippines! 2 | 01:001 001:003141592650 002:ormskull 003:5 004:-6 0251:001 004:1 4441:000 016:Bob 017:Smithy 018:quadong@gmail.com 019:0 020:2 031: 022: 005: 024: 025: 026: 027:0 028:0 001:003141592650 030:0 007:Chikka 021:0 023:0 006: 051: 032: 3E91:000 3F30:002 001:0 002:1 44 -------------------------------------------------------------------------------- /testing/data/chikka-b-7: -------------------------------------------------------------------------------- 1 | CTPv1.2 Kamusta 66.93.17.216:42533 1168838269. Manila, Philippines! 2 | 01:001 001:003141592650 002:ormskull 003:5 004:-6 0251:001 004:1 4441:000 016:Bob 017:Smithy 018:quadong@gmail.com 019:0 020:2 031: 022: 005: 024: 025: 026: 027:0 028:0 001:003141592650 030:0 007:Chikka 021:0 023:0 006: 051: 032: 3E91:000 3F30:002 001:0 002:1 4431:002 010:000141592653 015:0 012:Jack Jonesy 008:0 016: 017: 018: 019:0 020:2 031: 022: 005: 024: 025: 026: 027:0 014:0 013:0 029:1 030:0 007:Chikka 023:0 021:0 050:0 032: 6A39:002 43 -------------------------------------------------------------------------------- /testing/data/dce-rpc-spam-a-1: -------------------------------------------------------------------------------- 1 | Microsoft RegistryMicrosoft User{{WARNING! YOUR REGISTRY IS CORRUPTED 2 | 3 | Corrupted registry can result in unauthorized access to your computer by internet 4 | hackers and in extreme cases, complete operating system failure. 5 | 6 | To fix this problem: 7 | 8 | 1. Open Internet Explorer 9 | 2. 
In the URL Field type - www.RegistryCleanerGold.com 10 | 3. Note that all versions of windows are supported. 11 | 4. Once you load the program, close this window. 12 | 13 | Please note that once you visit www.RegistryCleanerGold.com and install the 14 | cleaner program you will not receive any more reminders or pop-ups like this one. 15 | 16 | www.RegistryCleanerGold.com -------------------------------------------------------------------------------- /testing/data/dce-rpc-spam-b-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/dce-rpc-spam-b-1 -------------------------------------------------------------------------------- /testing/data/dns-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/dns-1 -------------------------------------------------------------------------------- /testing/data/dns-2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/dns-2 -------------------------------------------------------------------------------- /testing/data/edonkey-tcp-a-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/edonkey-tcp-a-1 -------------------------------------------------------------------------------- /testing/data/edonkey-tcp-a-2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/edonkey-tcp-a-2 
-------------------------------------------------------------------------------- /testing/data/edonkey-tcp-b-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/edonkey-tcp-b-1 -------------------------------------------------------------------------------- /testing/data/edonkey-tcp-b-2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/edonkey-tcp-b-2 -------------------------------------------------------------------------------- /testing/data/edonkey-tcp-b-3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/edonkey-tcp-b-3 -------------------------------------------------------------------------------- /testing/data/edonkey-tcp-b-4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/edonkey-tcp-b-4 -------------------------------------------------------------------------------- /testing/data/edonkey-tcp-b-5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/edonkey-tcp-b-5 -------------------------------------------------------------------------------- /testing/data/edonkey-tcp-b-6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/edonkey-tcp-b-6 
-------------------------------------------------------------------------------- /testing/data/edonkey-udp-a-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/edonkey-udp-a-1 -------------------------------------------------------------------------------- /testing/data/edonkey-udp-b-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/edonkey-udp-b-1 -------------------------------------------------------------------------------- /testing/data/ftp-1: -------------------------------------------------------------------------------- 1 | 220 Welcome to ftp.kernel.org. 2 | -------------------------------------------------------------------------------- /testing/data/ftp-2: -------------------------------------------------------------------------------- 1 | 220 Welcome to ftp.kernel.org. 2 | USER anonymous 3 | -------------------------------------------------------------------------------- /testing/data/ftp-3: -------------------------------------------------------------------------------- 1 | 220 Welcome to ftp.kernel.org. 2 | USER anonymous 3 | 331 Please specify the password. 4 | -------------------------------------------------------------------------------- /testing/data/ftp-4: -------------------------------------------------------------------------------- 1 | 220 Welcome to ftp.kernel.org. 2 | USER anonymous 3 | 331 Please specify the password. 4 | PASS -wget@ 5 | -------------------------------------------------------------------------------- /testing/data/ftp-5: -------------------------------------------------------------------------------- 1 | 220 Welcome to ftp.kernel.org. 2 | USER anonymous 3 | 331 Please specify the password. 
4 | PASS -wget@ 5 | 230- Welcome to the 6 | 230- 7 | 230- LINUX KERNEL ARCHIVES 8 | 230- ftp.kernel.org 9 | 230- 10 | 230- "Much more than just kernels" 11 | 230- 12 | 230- IF YOU'RE ACCESSING THIS SITE VIA A WEB BROWSER 13 | 230- PLEASE USE THE HTTP URL BELOW INSTEAD! 14 | 230- 15 | 230-----> If you are looking for mirror sites, please go <---- 16 | 230-----> to mirrors.kernel.org instead <---- 17 | 230- 18 | 230-This site is provided as a public service by the Kernel Dot Org 19 | 230-Organization, Inc. Bandwidth is provided by The Internet Software 20 | 230-Consortium, Inc. This server is located in San Francisco, California, 21 | 230-USA; use in violation of any applicable laws strictly prohibited. 22 | 230- 23 | 230-Due to U.S. Exports Regulations, all cryptographic software on this 24 | 230-site is subject to the following legal notice: 25 | 230- 26 | 230- This site includes publicly available encryption source code 27 | 230- which, together with object code resulting from the compiling of 28 | 230- publicly available source code, may be exported from the United 29 | 230- States under License Exception "TSU" pursuant to 15 C.F.R. Section 30 | 230- 740.13(e). 31 | 230- 32 | 230-This legal notice applies to cryptographic software only. Please see 33 | 230-the Bureau of Industry and Security (http://www.bis.doc.gov/) for more 34 | 230-information about current U.S. regulations. 35 | 230- 36 | 230-Neither the Kernel Dot Org Organization, Inc. nor its sponsors make 37 | 230-any guarantees, explicit or implicit, about the contents of this site. 38 | 230-Use at your own risk. 39 | 230- 40 | 230-This site is accessible via the following mechanisms: 41 | 230- 42 | 230- FTP ftp://ftp.kernel.org/pub/ 43 | 230- HTTP http://www.kernel.org/pub/ 44 | 230- RSYNC rsync://rsync.kernel.org/pub/ 45 | 230- 46 | 230-NFS and SMB/CIFS are no longer available. 47 | 230- 48 | 230-For comments on this site, please contact . 
49 | 230-Please do not use this address for questions that are not related to 50 | 230-the operation of this site. -------------------------------------------------------------------------------- /testing/data/gnutella-1: -------------------------------------------------------------------------------- 1 | GNUTELLA CONNECT/0.6 2 | User-Agent: Shareaza 2.1.0.0 3 | Remote-IP: 24.255.13.79 4 | Accept: application/x-gnutella2,application/x-gnutella-packets 5 | Accept-Encoding: deflate 6 | X-Ultrapeer: False 7 | 8 | -------------------------------------------------------------------------------- /testing/data/gnutella-2: -------------------------------------------------------------------------------- 1 | GNUTELLA CONNECT/0.6 2 | User-Agent: Shareaza 2.1.0.0 3 | Remote-IP: 24.255.13.79 4 | Accept: application/x-gnutella2,application/x-gnutella-packets 5 | Accept-Encoding: deflate 6 | X-Ultrapeer: False 7 | 8 | GNUTELLA/0.6 200 OK 9 | User-Agent: Shareaza 2.1.0.0 10 | Listen-IP: 24.255.13.79:35229 11 | Remote-IP: 66.93.17.216 12 | Accept: application/x-gnutella2 13 | Content-Type: application/x-gnutella2 14 | Accept-Encoding: deflate 15 | Content-Encoding: deflate 16 | X-Ultrapeer: True 17 | X-Try-Ultrapeers: 24.78.174.19:35636 2005-08-31T02:32Z,67.160.30.114:6346 2005-08-31T02:32Z,84.119.62.85:6346 2005-08-31T02:32Z,155.207.25.147:6346 2005-08-31T02:32Z,69.157.122.198:15948 2005-08-31T02:32Z,68.12.90.229:6346 2005-08-31T02:32Z,196.206.193.128:28526 2005-08-31T02:32Z,84.222.62.111:6346 2005-08-31T02:32Z,86.128.128.208:16511 2005-08-31T02:32Z,82.234.123.135:6346 2005-08-31T02:32Z 18 | X-Ultrapeer-Needed: False 19 | 20 | -------------------------------------------------------------------------------- /testing/data/gnutella-3: -------------------------------------------------------------------------------- 1 | GNUTELLA CONNECT/0.6 2 | User-Agent: Shareaza 2.1.0.0 3 | Remote-IP: 24.255.13.79 4 | Accept: application/x-gnutella2,application/x-gnutella-packets 5 | 
Accept-Encoding: deflate 6 | X-Ultrapeer: False 7 | 8 | GNUTELLA/0.6 200 OK 9 | User-Agent: Shareaza 2.1.0.0 10 | Listen-IP: 24.255.13.79:35229 11 | Remote-IP: 66.93.17.216 12 | Accept: application/x-gnutella2 13 | Content-Type: application/x-gnutella2 14 | Accept-Encoding: deflate 15 | Content-Encoding: deflate 16 | X-Ultrapeer: True 17 | X-Try-Ultrapeers: 24.78.174.19:35636 2005-08-31T02:32Z,67.160.30.114:6346 2005-08-31T02:32Z,84.119.62.85:6346 2005-08-31T02:32Z,155.207.25.147:6346 2005-08-31T02:32Z,69.157.122.198:15948 2005-08-31T02:32Z,68.12.90.229:6346 2005-08-31T02:32Z,196.206.193.128:28526 2005-08-31T02:32Z,84.222.62.111:6346 2005-08-31T02:32Z,86.128.128.208:16511 2005-08-31T02:32Z,82.234.123.135:6346 2005-08-31T02:32Z 18 | X-Ultrapeer-Needed: False 19 | 20 | GNUTELLA/0.6 200 OK 21 | Listen-IP: 66.93.17.216:6346 22 | Accept: application/x-gnutella2 23 | Content-Type: application/x-gnutella2 24 | Accept-Encoding: deflate 25 | Content-Encoding: deflate 26 | 27 | -------------------------------------------------------------------------------- /testing/data/gnutella-connect-1: -------------------------------------------------------------------------------- 1 | GNUTELLA CONNECT/0.6 2 | X-Max-TTL: 3 3 | X-Dynamic-Querying: 0.1 4 | X-Version: 4.8 5 | X-Query-Routing: 0.1 6 | User-Agent: LimeWire/4.4.5 7 | Vendor-Message: 0.1 8 | X-Ultrapeer-Query-Routing: 0.1 9 | GGEP: 0.5 10 | Listen-IP: 66.93.17.216:6349 11 | Accept-Encoding: deflate 12 | Pong-Caching: 0.1 13 | X-Guess: 0.1 14 | X-Ultrapeer: False 15 | X-Degree: 32 16 | X-Locale-Pref: en 17 | Remote-IP: 24.49.218.201 18 | -------------------------------------------------------------------------------- /testing/data/gnutella-connect-2: -------------------------------------------------------------------------------- 1 | GNUTELLA CONNECT/0.6 2 | X-Max-TTL: 3 3 | X-Dynamic-Querying: 0.1 4 | X-Version: 4.8 5 | X-Query-Routing: 0.1 6 | User-Agent: LimeWire/4.4.5 7 | Vendor-Message: 0.1 8 | X-Ultrapeer-Query-Routing: 
0.1 9 | GGEP: 0.5 10 | Listen-IP: 66.93.17.216:6349 11 | Accept-Encoding: deflate 12 | Pong-Caching: 0.1 13 | X-Guess: 0.1 14 | X-Ultrapeer: False 15 | X-Degree: 32 16 | X-Locale-Pref: en 17 | Remote-IP: 24.49.218.201 18 | 19 | GNUTELLA/0.6 503 I am a shielded leaf node 20 | 21 | -------------------------------------------------------------------------------- /testing/data/gnutella-udp-a-1: -------------------------------------------------------------------------------- 1 | GNDHPI -------------------------------------------------------------------------------- /testing/data/gnutella-udp-b-1: -------------------------------------------------------------------------------- 1 | GND LPO`RELAY -------------------------------------------------------------------------------- /testing/data/gnutella-udp-c-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/gnutella-udp-c-1 -------------------------------------------------------------------------------- /testing/data/http-digg-304-1: -------------------------------------------------------------------------------- 1 | GET /css/digg2.css HTTP/1.1 2 | Host: digg.com 3 | User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6 4 | Accept: text/css,*/*;q=0.1 5 | Accept-Language: en-us,en;q=0.5 6 | Accept-Encoding: gzip,deflate 7 | Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 8 | Keep-Alive: 300 9 | Connection: keep-alive 10 | Referer: http://digg.com/ 11 | Cookie: PHPSESSID=da7a8c093a0018337e27137925c855c9; style=null 12 | If-Modified-Since: Mon, 29 Aug 2005 14:03:43 GMT 13 | If-None-Match: "4dc09d-5d0a-3ff79f691adc0" 14 | 15 | -------------------------------------------------------------------------------- /testing/data/http-digg-304-2: -------------------------------------------------------------------------------- 1 | GET /css/digg2.css HTTP/1.1 2 | 
Host: digg.com 3 | User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6 4 | Accept: text/css,*/*;q=0.1 5 | Accept-Language: en-us,en;q=0.5 6 | Accept-Encoding: gzip,deflate 7 | Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 8 | Keep-Alive: 300 9 | Connection: keep-alive 10 | Referer: http://digg.com/ 11 | Cookie: PHPSESSID=da7a8c093a0018337e27137925c855c9; style=null 12 | If-Modified-Since: Mon, 29 Aug 2005 14:03:43 GMT 13 | If-None-Match: "4dc09d-5d0a-3ff79f691adc0" 14 | 15 | HTTP/1.1 304 Not Modified 16 | Date: Wed, 31 Aug 2005 04:32:13 GMT 17 | Server: Apache/2.0.54 (Debian GNU/Linux) PHP/4.3.10-15 18 | Connection: close 19 | ETag: "4dc09d-5d0a-3ff79f691adc0" 20 | 21 | -------------------------------------------------------------------------------- /testing/data/http-wunderground-1: -------------------------------------------------------------------------------- 1 | GET /cgi-bin/findweather/getForecast?query=55418 HTTP/1.1 2 | Host: www.wunderground.com 3 | User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6 4 | Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 5 | Accept-Language: en-us,en;q=0.5 6 | Accept-Encoding: gzip,deflate 7 | Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 8 | Keep-Alive: 300 9 | Connection: keep-alive 10 | Cookie: Dwunderground.comFRQSTR=18607055x51783:1:1440,18607055x8404:1:204,18607055,18607055,18607055; Units=metric; DT=1114369348:1321:l8; JS=ON; TID=3c12na2116nrae; TData=; AS5000=2005-08-31:TRMP-00014=1:TACO-00011=1:ADVR-00022=1:; L1756983431=0.1125460969390; ANXD=x 11 | 12 | -------------------------------------------------------------------------------- /testing/data/http-wunderground-2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/http-wunderground-2 
-------------------------------------------------------------------------------- /testing/data/imap-1: -------------------------------------------------------------------------------- 1 | * OK florence.spa.umn.edu Cyrus IMAP4 v2.2.12 -------------------------------------------------------------------------------- /testing/data/imap-2: -------------------------------------------------------------------------------- 1 | * OK florence.spa.umn.edu Cyrus IMAP4 v2.2.12 server ready 2 | -------------------------------------------------------------------------------- /testing/data/imap-3: -------------------------------------------------------------------------------- 1 | * OK florence.spa.umn.edu Cyrus IMAP4 v2.2.12 server ready 2 | 00000000 CAPABILITY 3 | -------------------------------------------------------------------------------- /testing/data/imap-4: -------------------------------------------------------------------------------- 1 | * OK florence.spa.umn.edu Cyrus IMAP4 v2.2.12 server ready 2 | 00000000 CAPABILITY 3 | * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS LOGINDISABLED 4 | 00000000 OK Completed 5 | -------------------------------------------------------------------------------- /testing/data/imap-5: -------------------------------------------------------------------------------- 1 | * OK florence.spa.umn.edu Cyrus IMAP4 v2.2.12 server ready 2 | 00000000 CAPABILITY 3 | * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS LOGINDISABLED 4 | 00000000 OK Completed 5 | 00000001 STARTTLS 6 | -------------------------------------------------------------------------------- /testing/data/imap-6: 
-------------------------------------------------------------------------------- 1 | * OK florence.spa.umn.edu Cyrus IMAP4 v2.2.12 server ready 2 | 00000000 CAPABILITY 3 | * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE STARTTLS LOGINDISABLED 4 | 00000000 OK Completed 5 | 00000001 STARTTLS 6 | 00000001 OK Begin TLS negotiation now 7 | -------------------------------------------------------------------------------- /testing/data/ipp-1: -------------------------------------------------------------------------------- 1 | 901e 3 ipp://localhost.localdomain:631/printers/home_study "this is our printer in the study" "Created by redhat-config-printer 0.6.x" "HP DeskJet 3820 Foomatic/hpijs (recommended)" 2 | -------------------------------------------------------------------------------- /testing/data/jabber-1: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /testing/data/jabber-2: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /testing/data/jabber-3: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /testing/data/jabber-4: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /testing/data/jabber-5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/jabber-5 
-------------------------------------------------------------------------------- /testing/data/jabber-6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/jabber-6 -------------------------------------------------------------------------------- /testing/data/skypeout-a-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/skypeout-a-1 -------------------------------------------------------------------------------- /testing/data/skypeout-a-2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/skypeout-a-2 -------------------------------------------------------------------------------- /testing/data/skypeout-a-3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/skypeout-a-3 -------------------------------------------------------------------------------- /testing/data/skypeout-a-4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/skypeout-a-4 -------------------------------------------------------------------------------- /testing/data/skypeout-a-5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/skypeout-a-5 -------------------------------------------------------------------------------- /testing/data/skypeout-a-6: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/skypeout-a-6 -------------------------------------------------------------------------------- /testing/data/skypeout-b-1: -------------------------------------------------------------------------------- 1 | x -------------------------------------------------------------------------------- /testing/data/skypeout-b-2: -------------------------------------------------------------------------------- 1 | xx -------------------------------------------------------------------------------- /testing/data/skypeout-b-3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/skypeout-b-3 -------------------------------------------------------------------------------- /testing/data/skypeout-b-4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/skypeout-b-4 -------------------------------------------------------------------------------- /testing/data/skypeout-b-5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/skypeout-b-5 -------------------------------------------------------------------------------- /testing/data/skypeout-b-6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/skypeout-b-6 -------------------------------------------------------------------------------- /testing/data/skypeout-b-7: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/skypeout-b-7 -------------------------------------------------------------------------------- /testing/data/skypeout-b-8: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/skypeout-b-8 -------------------------------------------------------------------------------- /testing/data/skypeout-b-9: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/skypeout-b-9 -------------------------------------------------------------------------------- /testing/data/skypeout-c-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/skypeout-c-1 -------------------------------------------------------------------------------- /testing/data/skypeout-c-2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/skypeout-c-2 -------------------------------------------------------------------------------- /testing/data/skypeout-c-3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/skypeout-c-3 -------------------------------------------------------------------------------- /testing/data/skypeout-c-4: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/skypeout-c-4 -------------------------------------------------------------------------------- /testing/data/skypeout-c-5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/skypeout-c-5 -------------------------------------------------------------------------------- /testing/data/skypeout-c-6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/skypeout-c-6 -------------------------------------------------------------------------------- /testing/data/skypeout-c-7: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/skypeout-c-7 -------------------------------------------------------------------------------- /testing/data/skypeout-c-8: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/skypeout-c-8 -------------------------------------------------------------------------------- /testing/data/skypeout-c-9: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/skypeout-c-9 -------------------------------------------------------------------------------- /testing/data/ssdp-1: -------------------------------------------------------------------------------- 1 | NOTIFY * HTTP/1.1 2 | HOST: 239.255.255.250:1900 3 | CACHE-CONTROL: max-age=1800 4 | Location: 
http://10.1.1.1:5431/dyndev/uuid:000f6639-dbac-000f-6639-dbac0032011c 5 | NT: upnp:rootdevice 6 | NTS: ssdp:alive 7 | SERVER:LINUX/2.4 UPnP/1.0 BRCM400/1.0 8 | USN: uuid:000f6639-dbac-000f-6639-dbac0032011c::upnp:rootdevice 9 | 10 | -------------------------------------------------------------------------------- /testing/data/ssh-1: -------------------------------------------------------------------------------- 1 | SSH-1.99-OpenSSH_3.6.1p2 2 | -------------------------------------------------------------------------------- /testing/data/ssh-2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/ssh-2 -------------------------------------------------------------------------------- /testing/data/ssh-3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/ssh-3 -------------------------------------------------------------------------------- /testing/data/ssh-4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/ssh-4 -------------------------------------------------------------------------------- /testing/data/ssh-5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/ssh-5 -------------------------------------------------------------------------------- /testing/data/ssh-6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/ssh-6 
-------------------------------------------------------------------------------- /testing/data/stun-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/stun-1 -------------------------------------------------------------------------------- /testing/data/stun-2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/stun-2 -------------------------------------------------------------------------------- /testing/data/validcertssl-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/validcertssl-1 -------------------------------------------------------------------------------- /testing/data/validcertssl-2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/validcertssl-2 -------------------------------------------------------------------------------- /testing/data/validcertssl-3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/validcertssl-3 -------------------------------------------------------------------------------- /testing/data/validcertssl-4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/validcertssl-4 -------------------------------------------------------------------------------- /testing/data/validcertssl-5: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/validcertssl-5 -------------------------------------------------------------------------------- /testing/data/validcertssl-6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/validcertssl-6 -------------------------------------------------------------------------------- /testing/data/winmx-1: -------------------------------------------------------------------------------- 1 | 1 -------------------------------------------------------------------------------- /testing/data/winmx-2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/winmx-2 -------------------------------------------------------------------------------- /testing/data/winmx-3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/winmx-3 -------------------------------------------------------------------------------- /testing/data/x11-1: -------------------------------------------------------------------------------- 1 | l -------------------------------------------------------------------------------- /testing/data/x11-2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/x11-2 -------------------------------------------------------------------------------- /testing/data/x11-3: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/x11-3 -------------------------------------------------------------------------------- /testing/data/x11-4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/x11-4 -------------------------------------------------------------------------------- /testing/data/x11-5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/x11-5 -------------------------------------------------------------------------------- /testing/data/yahoo-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/yahoo-1 -------------------------------------------------------------------------------- /testing/data/yahoo-2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/yahoo-2 -------------------------------------------------------------------------------- /testing/data/yahoo-3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/yahoo-3 -------------------------------------------------------------------------------- /testing/data/yahoo-4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/l7-filter/l7-protocols/c159c8538e8be8a7374a7f6923d05f045a0be519/testing/data/yahoo-4 
-------------------------------------------------------------------------------- /testing/doallspeeds.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Print a complete report of speeds. 4 | 5 | # Relies on output format of ./timeit.sh 6 | 7 | if [ ! $1 ]; then 8 | userspace=1 9 | kernel=1 10 | elif [ $1 == "userspace" ]; then 11 | userspace=1 12 | elif [ $1 == "kernel" ]; then 13 | kernel=1 14 | else 15 | echo huh? Say \"userspace\", \"kernel\" or nothing \(which does both\). 16 | exit 1 17 | fi 18 | 19 | printf proto 20 | if [ $userspace ]; then printf \\tuserspace; fi 21 | if [ $kernel ]; then printf \\tkernel; fi 22 | printf \\n 23 | 24 | for f in ../*/*.pat; do 25 | printf `basename $f .pat` 26 | 27 | if [ $userspace ]; then 28 | gtime=`./timeit.sh $f userspace real | grep Total | cut -d\ -f 2` 29 | printf \\t$gtime 30 | fi 31 | if [ $kernel ]; then 32 | htime=`./timeit.sh $f kernel real | grep Total | cut -d\ -f 2` 33 | printf \\t$htime 34 | fi 35 | printf \\n 36 | done 37 | -------------------------------------------------------------------------------- /testing/l7-parse-patterns.h: -------------------------------------------------------------------------------- 1 | /* 2 | By Ethan Sommer and Matthew Strait 3 | , (C) Nov 2006-2007 4 | http://l7-filter.sf.net 5 | 6 | This program is free software; you can redistribute it and/or 7 | modify it under the terms of the GNU General Public License 8 | as published by the Free Software Foundation; either version 9 | 2 of the License, or (at your option) any later version. 10 | http://www.gnu.org/licenses/gpl.txt 11 | 12 | This file is synced between the userspace source code and the test suite 13 | source code. I don't think it's worth the effort to make it a proper library. 
14 | */ 15 | 16 | 17 | #ifndef L7_PARSE_PATTERNS_H 18 | #define L7_PARSE_PATTERNS_H 19 | 20 | using namespace std; 21 | #include 22 | 23 | int parse_pattern_file(int & cflags, int & eflags, string & pattern, 24 | string filename); 25 | string basename(string filename); 26 | 27 | #endif 28 | -------------------------------------------------------------------------------- /testing/match-kernel.c: -------------------------------------------------------------------------------- 1 | /* Reads in a stream of bytes and tests the first MAX of them to see if 2 | they match the regular expression passed in on the command line. 3 | 4 | Uses the Henry Spencer V8 regular expressions which the kernel version of 5 | l7-filter uses. 6 | 7 | See ../LICENCE for copyright. 8 | */ 9 | 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include "regexp/regexp.c" 15 | 16 | #define MAX 512 17 | #define MAX_PATTERN_LEN 8196 18 | 19 | static int hex2dec(char c) 20 | { 21 | switch (c) 22 | { 23 | case '0' ... '9': 24 | return c - '0'; 25 | case 'a' ... 'f': 26 | return c - 'a' + 10; 27 | case 'A' ... 'F': 28 | return c - 'A' + 10; 29 | default: 30 | fprintf(stderr, "hex2dec: bad value!\n"); 31 | exit(1); 32 | } 33 | } 34 | 35 | /* takes a string with \xHH escapes and returns one with the characters 36 | they stand for */ 37 | static char * pre_process(char * s) 38 | { 39 | char * result = malloc(strlen(s) + 1); 40 | int sindex = 0, rindex = 0; 41 | while( sindex < strlen(s) ) 42 | { 43 | if( sindex + 3 < strlen(s) && 44 | s[sindex] == '\\' && s[sindex+1] == 'x' && 45 | isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) ) 46 | { 47 | /* carefully remember to call tolower here... 
*/ 48 | result[rindex] = tolower( hex2dec(s[sindex + 2])*16 + 49 | hex2dec(s[sindex + 3] ) ); 50 | sindex += 3; /* 4 total */ 51 | } 52 | else 53 | result[rindex] = tolower(s[sindex]); 54 | 55 | sindex++; 56 | rindex++; 57 | } 58 | result[rindex] = '\0'; 59 | 60 | return result; 61 | } 62 | 63 | int main(int argc, char ** argv) 64 | { 65 | regexp * pattern = (regexp *)malloc(sizeof(struct regexp)); 66 | char * s = argv[1]; 67 | char input[MAX]; 68 | int patternlen, inputlen = 0, c = 0; 69 | 70 | if(argc != 2 || !argv[1]){ 71 | fprintf(stderr, "need exactly one arg (the pattern)\n"); 72 | return 1; 73 | } 74 | patternlen = strlen(s); 75 | if(patternlen > MAX_PATTERN_LEN){ 76 | fprintf(stderr, "Pattern is too long! Max is %d.\n", MAX_PATTERN_LEN); 77 | return 1; 78 | } 79 | 80 | // fprintf(stderr, "\"%s\"", s); 81 | 82 | s = pre_process(s); /* do \xHH escapes */ 83 | 84 | pattern = regcomp(s, &patternlen); 85 | 86 | if(!pattern){ 87 | fprintf(stderr, "Error compiling regular expression!\n"); 88 | exit(1); 89 | } 90 | 91 | /* 92 | for(c = 0; c < MAX; c++){ 93 | // assumes there's plenty to eat 94 | input[inputlen] = getchar(); 95 | inputlen++; 96 | } 97 | input[inputlen] = '\0'; 98 | */ 99 | for(c = 0; c < MAX; c++){ 100 | char temp = 0; 101 | while(temp == 0){ 102 | if(EOF == scanf("%c", &temp)) 103 | goto out; 104 | input[c] = temp; 105 | } 106 | } 107 | out: 108 | 109 | input[c-1] = '\0'; 110 | 111 | inputlen = c; 112 | 113 | for(c = 0; c < inputlen; c++) input[c] = tolower(input[c]); 114 | 115 | if(regexec(pattern, input)) puts("Match"); 116 | else puts("No match"); 117 | 118 | return 0; 119 | } 120 | -------------------------------------------------------------------------------- /testing/randchars.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | int main() 8 | { 9 | char c; 10 | srand(time(NULL) * getpid()); 11 | 12 | while(1) 13 | printf("%c", 
(char)rand()%256); 14 | 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /testing/randprintable.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | int main() 8 | { 9 | char c; 10 | srand(time(NULL) * getpid()); 11 | 12 | while(1) 13 | { 14 | c = (char)rand()%256; 15 | if(isprint(c) || isspace(c)) 16 | { 17 | printf("%c", c); 18 | } 19 | } 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /testing/regexp/regerror.c: -------------------------------------------------------------------------------- 1 | #if 0 2 | void regerror(char * s) 3 | { 4 | printk("regexp(3): %s", s); 5 | /* NOTREACHED */ 6 | } 7 | #endif 8 | -------------------------------------------------------------------------------- /testing/regexp/regexp.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Definitions etc. for regexp(3) routines. 3 | * 4 | * Caveat: this is V8 regexp(3) [actually, a reimplementation thereof], 5 | * not the System V one. 6 | */ 7 | 8 | #ifndef REGEXP_H 9 | #define REGEXP_H 10 | 11 | #define NSUBEXP 10 12 | typedef struct regexp { 13 | char *startp[NSUBEXP]; 14 | char *endp[NSUBEXP]; 15 | char regstart; /* Internal use only. */ 16 | char reganch; /* Internal use only. */ 17 | char *regmust; /* Internal use only. */ 18 | int regmlen; /* Internal use only. */ 19 | char program[1]; /* Unwarranted chumminess with compiler. 
*/ 20 | } regexp; 21 | 22 | regexp * regcomp(char *exp, int *patternsize); 23 | int regexec(regexp *prog, char *string); 24 | void regsub(regexp *prog, char *source, char *dest); 25 | void regerror(char *s); 26 | 27 | #endif 28 | -------------------------------------------------------------------------------- /testing/regexp/regmagic.h: -------------------------------------------------------------------------------- 1 | /* 2 | * The first byte of the regexp internal "program" is actually this magic 3 | * number; the start node begins in the second byte. 4 | */ 5 | #define MAGIC 0234 6 | -------------------------------------------------------------------------------- /testing/regexp/regsub.c: -------------------------------------------------------------------------------- 1 | /* 2 | * regsub 3 | * @(#)regsub.c 1.3 of 2 April 86 4 | * 5 | * Copyright (c) 1986 by University of Toronto. 6 | * Written by Henry Spencer. Not derived from licensed software. 7 | * 8 | * Permission is granted to anyone to use this software for any 9 | * purpose on any computer system, and to redistribute it freely, 10 | * subject to the following restrictions: 11 | * 12 | * 1. The author is not responsible for the consequences of use of 13 | * this software, no matter how awful, even if they arise 14 | * from defects in it. 15 | * 16 | * 2. The origin of this software must not be misrepresented, either 17 | * by explicit claim or by omission. 18 | * 19 | * 3. Altered versions must be plainly marked as such, and must not 20 | * be misrepresented as being the original software. 21 | * 22 | * 23 | * This code was modified by Ethan Sommer to work within the kernel 24 | * (it now uses kmalloc etc..) 
25 | * 26 | */ 27 | #include "regexp.h" 28 | #include "regmagic.h" 29 | #include 30 | 31 | 32 | #ifndef CHARBITS 33 | #define UCHARAT(p) ((int)*(unsigned char *)(p)) 34 | #else 35 | #define UCHARAT(p) ((int)*(p)&CHARBITS) 36 | #endif 37 | 38 | #if 0 39 | //void regerror(char * s) 40 | //{ 41 | // printk("regexp(3): %s", s); 42 | // /* NOTREACHED */ 43 | //} 44 | #endif 45 | 46 | /* 47 | - regsub - perform substitutions after a regexp match 48 | */ 49 | void 50 | regsub(regexp * prog, char * source, char * dest) 51 | { 52 | register char *src; 53 | register char *dst; 54 | register char c; 55 | register int no; 56 | register int len; 57 | 58 | /* Not necessary and gcc doesn't like it -MLS */ 59 | /*extern char *strncpy();*/ 60 | 61 | if (prog == NULL || source == NULL || dest == NULL) { 62 | regerror("NULL parm to regsub"); 63 | return; 64 | } 65 | if (UCHARAT(prog->program) != MAGIC) { 66 | regerror("damaged regexp fed to regsub"); 67 | return; 68 | } 69 | 70 | src = source; 71 | dst = dest; 72 | while ((c = *src++) != '\0') { 73 | if (c == '&') 74 | no = 0; 75 | else if (c == '\\' && '0' <= *src && *src <= '9') 76 | no = *src++ - '0'; 77 | else 78 | no = -1; 79 | 80 | if (no < 0) { /* Ordinary character. */ 81 | if (c == '\\' && (*src == '\\' || *src == '&')) 82 | c = *src++; 83 | *dst++ = c; 84 | } else if (prog->startp[no] != NULL && prog->endp[no] != NULL) { 85 | len = prog->endp[no] - prog->startp[no]; 86 | (void) strncpy(dst, prog->startp[no], len); 87 | dst += len; 88 | if (len != 0 && *(dst-1) == '\0') { /* strncpy hit NUL. 
*/ 89 | regerror("damaged match string"); 90 | return; 91 | } 92 | } 93 | } 94 | *dst++ = '\0'; 95 | } 96 | -------------------------------------------------------------------------------- /testing/test_match.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | extract() 4 | { 5 | if [ -r $1 ]; then 6 | # this can miss pseudo-valid files that have crap after the pattern 7 | cat $1 | grep -v ^$ | grep -v ^# | tail -1 8 | else 9 | echo Argument is not a readable file > /dev/stderr 10 | exit 1 11 | fi 12 | } 13 | 14 | if [ ! $1 ]; then 15 | echo Please specify a pattern or pattern file. 16 | exit 1 17 | fi 18 | 19 | if [ ! $2 ]; then 20 | echo 21 | echo Using the userspace pattern and library. 22 | echo You can change this by saying \"kernel\" as the second argument. 23 | echo 24 | matchprog=./test_speed-userspace # no, really 25 | elif [ $2 == "kernel" ]; then 26 | echo Using the kernel pattern and library. 27 | matchprog=./match_kernel 28 | elif [ $2 == "userspace" ]; then 29 | echo Using the userspace pattern and library. 30 | matchprog=./test_speed-userspace 31 | else 32 | echo Didn\'t understand what you wanted. Using the userspace library. 33 | matchprog=./test_speed-userspace 34 | fi 35 | 36 | if [ $3 ]; then 37 | times=$3 38 | else 39 | times=500 40 | echo 41 | echo Doing 500 repetitions of each test. 42 | echo You can change this by giving a number as the third argument. 43 | echo 44 | fi 45 | 46 | if [ -x ./randchars ] && [ -x $matchprog ] && [ -x ./randprintable ]; then 47 | true 48 | else 49 | echo Can\'t find randchars, $matchprog or randprintable. 50 | echo They should be in this directory. Did you say \"make\"? 51 | exit 1 52 | fi 53 | 54 | printf "Out of $times completely random streams, this many match: " 55 | 56 | pattern="`extract $1`" 57 | 58 | for f in `seq $times`; do 59 | if [ $3 ]; then printf . > /dev/stderr; fi 60 | if [ $2 ] && [ $2 == "kernel" ]; then 61 | if ! 
./randchars | $matchprog "$pattern"; then exit 1; fi 62 | else 63 | if ! ./randchars | $matchprog -f $1 -n 1 -v; then exit 1; fi 64 | fi 65 | done | grep -iE '^match' -c 66 | 67 | printf "Out of $times printable random streams, this many match: " 68 | 69 | for f in `seq $times`; do 70 | if [ $3 ]; then printf . > /dev/stderr; fi 71 | if [ $2 ] && [ $2 == "kernel" ]; then 72 | if ! ./randprintable | $matchprog "$pattern"; then 73 | exit 1 74 | fi 75 | else 76 | if ! ./randprintable | $matchprog -v -n 1 -f $1; then 77 | exit 1 78 | fi 79 | fi 80 | done | grep -iE '^match' -c 81 | -------------------------------------------------------------------------------- /testing/test_speed-kernel.c: -------------------------------------------------------------------------------- 1 | /* Reads in up to MAX bytes and runs regcomp against them TIMES times, using 2 | the regular expression given on the command line. 3 | 4 | Uses the Henry Spencer V8 regular expressions which the kernel version of 5 | l7-filter uses. 6 | 7 | See ../LICENCE for copyright 8 | */ 9 | 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include "regexp/regexp.c" 16 | 17 | #define MAX 1500 18 | #define TIMES 100000 19 | #define MAX_PATTERN_LEN 8192 20 | 21 | static int hex2dec(char c) 22 | { 23 | switch (c) 24 | { 25 | case '0' ... '9': 26 | return c - '0'; 27 | case 'a' ... 'f': 28 | return c - 'a' + 10; 29 | case 'A' ... 
'F': 30 | return c - 'A' + 10; 31 | default: 32 | fprintf(stderr, "hex2dec: bad value!\n"); 33 | exit(1); 34 | } 35 | } 36 | 37 | /* takes a string with \xHH escapes and returns one with the characters 38 | they stand for */ 39 | static char * pre_process(char * s) 40 | { 41 | char * result = malloc(strlen(s) + 1); 42 | int sindex = 0, rindex = 0; 43 | while( sindex < strlen(s) ) 44 | { 45 | if( sindex + 3 < strlen(s) && 46 | s[sindex] == '\\' && s[sindex+1] == 'x' && 47 | isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) ) 48 | { 49 | /* carefully remember to call tolower here... */ 50 | result[rindex] = tolower( hex2dec(s[sindex + 2])*16 + 51 | hex2dec(s[sindex + 3] ) ); 52 | sindex += 3; /* 4 total */ 53 | } 54 | else 55 | result[rindex] = tolower(s[sindex]); 56 | 57 | sindex++; 58 | rindex++; 59 | } 60 | result[rindex] = '\0'; 61 | 62 | return result; 63 | } 64 | 65 | 66 | void doit(regexp * pattern, char ** argv, int verbose) 67 | { 68 | char input[MAX]; 69 | int c; 70 | 71 | for(c = 0; c < MAX; c++){ 72 | char temp = 0; 73 | while(temp == 0){ 74 | if(EOF == scanf("%c", &temp)) 75 | goto out; 76 | input[c] = temp; 77 | } 78 | } 79 | out: 80 | 81 | input[c-1] = '\0'; 82 | 83 | for(c = 0; c < MAX; c++) input[c] = tolower(input[c]); 84 | 85 | for(c = 1; c < TIMES; c++){ 86 | int result = regexec(pattern, input); 87 | if(c == 1) 88 | if(result) 89 | printf("match\t"); 90 | else 91 | printf("no_match\t"); 92 | 93 | if(TIMES/20 > 0 && c%(TIMES/20) == 0){ fprintf(stderr, "."); } 94 | } 95 | if(verbose) 96 | puts(""); 97 | else 98 | printf(" "); 99 | } 100 | 101 | // Syntax: test_speed regex [verbose] 102 | int main(int argc, char ** argv) 103 | { 104 | regexp * pattern = (regexp *)malloc(sizeof(struct regexp)); 105 | char * s = argv[1]; 106 | int patternlen, i, verbose = 0; 107 | 108 | if(argc < 2){ 109 | fprintf(stderr, "need an arg\n"); 110 | return 1; 111 | } 112 | if(argc > 2) 113 | verbose = 1; 114 | 115 | patternlen = strlen(s); 116 | if(patternlen > 
MAX_PATTERN_LEN){ 117 | fprintf(stderr, "Pattern too long! Max is %d\n", MAX_PATTERN_LEN); 118 | return 1; 119 | } 120 | 121 | s = pre_process(s); /* do \xHH escapes */ 122 | 123 | pattern = regcomp(s, &patternlen); 124 | 125 | if(!pattern){ 126 | fprintf(stderr, "error compiling regexp\n"); 127 | exit(1); 128 | } 129 | 130 | if(verbose) 131 | printf("running regexec \"%.16s...\" %d times\n", argv[1], TIMES); 132 | 133 | doit(pattern, argv, verbose); 134 | 135 | return 0; 136 | } 137 | --------------------------------------------------------------------------------