├── bitcoin.pat ├── file_types ├── ps.pat ├── rtf.pat ├── rpm.pat ├── perl.pat ├── ogg.pat ├── pdf.pat ├── html.pat ├── tar.pat └── README ├── gkrellm.pat ├── aimwebcontent.pat ├── rdp.pat ├── applejuice.pat ├── gnucleuslan.pat ├── ipp.pat ├── bittorrent.pat ├── malware ├── README ├── code_red.pat └── nimda.pat ├── msnmessenger.pat ├── rstp.pat ├── nbns.pat ├── biff.pat ├── live365.pat ├── quakeworld.pat ├── imap.pat ├── pressplay.pat ├── ident.pat ├── ncp.pat ├── ssh.pat ├── bearshare.pat ├── weakpatterns ├── mysql.pat ├── winmx.pat ├── README ├── finger.pat ├── gopher.pat └── netbios.pat ├── telnet.pat ├── irc.pat ├── counterstrike.pat ├── smb.pat ├── gnutella.pat ├── directconnect.pat ├── x11.pat ├── quake1.pat ├── kazaa.pat ├── rlogin.pat ├── nntp.pat ├── snmp.pat ├── validcertssl.pat ├── tftp.pat ├── jabber.pat ├── snmp-trap.pat ├── socks.pat ├── snmp-mon.pat ├── yahoo.pat ├── aim.pat ├── http.pat ├── edonkey.pat ├── ftp.pat ├── README ├── dhcp.pat ├── smtp.pat ├── pop3.pat ├── CHANGELOG ├── dns.pat ├── HOWTO ├── WANTED └── LICENSE /bitcoin.pat: -------------------------------------------------------------------------------- 1 | # Bitcoin protocol 2 | # Pattern attributes: fast good 3 | # Protocol groups: p2p open_source 4 | # Author: David Ehrmann 5 | # Wiki: https://en.bitcoin.it/wiki/Protocol_specification#Common_structures 6 | 7 | bitcoin 8 | ^\xF9\xBE\xB4\xD9|\xFA\xBF\xB5\xDA|\x0B\x11\x09\x07|\xF9\xBE\xB4\xFE 9 | -------------------------------------------------------------------------------- /file_types/ps.pat: -------------------------------------------------------------------------------- 1 | # Postscript - Printing Language 2 | # 3 | # If this pattern does not 4 | # work for you, or you believe it could be improved, please post to 5 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 6 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 7 | 8 | postscript 9 | %!ps 10 | -------------------------------------------------------------------------------- /file_types/rtf.pat: -------------------------------------------------------------------------------- 1 | # RTF - Rich Text Format - an open document format 2 | # 3 | # If this pattern does not 4 | # work for you, or you believe it could be improved, please post to 5 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 6 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 7 | 8 | rtf 9 | {\\rtf[12] 10 | -------------------------------------------------------------------------------- /file_types/rpm.pat: -------------------------------------------------------------------------------- 1 | # RPM - Redhat Package Managment packages 2 | # 3 | # If this pattern does not 4 | # work for you, or you believe it could be improved, please post to 5 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 6 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 7 | 8 | rpm 9 | \xed\xab\xee\xdb.?.?.?.?[1-7] 10 | -------------------------------------------------------------------------------- /file_types/perl.pat: -------------------------------------------------------------------------------- 1 | # Perl - A scripting language by Larry Wall. 2 | # 3 | # If this pattern does not work for you, or you believe it could be 4 | # improved, please post to l7-filter-developers@lists.sf.net . 5 | # This list may be subscribed to at 6 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 7 | 8 | perl 9 | \#! ?/(usr/(local/)?)?bin/perl 10 | -------------------------------------------------------------------------------- /file_types/ogg.pat: -------------------------------------------------------------------------------- 1 | # Ogg - Ogg Vorbis music format (not any ogg file, just vorbis) 2 | # 3 | # If this pattern does not work for you, 4 | # or you believe it could be improved, please post to 5 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 6 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 7 | 8 | ogg 9 | oggs.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?\x01vorbis 10 | -------------------------------------------------------------------------------- /gkrellm.pat: -------------------------------------------------------------------------------- 1 | # Gkrellm - a system monitor (http://gkrellm.net) 2 | # 3 | # This pattern has been tested and is believed to work well. 4 | # If you have trouble with this pattern, or you 5 | # believe it could be improved please post to l7-filter-developers@lists.sf.net 6 | # You may subscribe to this list at 7 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 8 | 9 | gkrellm 10 | ^ 11 | -------------------------------------------------------------------------------- /aimwebcontent.pat: -------------------------------------------------------------------------------- 1 | # AIM web content - ads/news content downloaded by AOL Instant Messenger 2 | # 3 | # This pattern has been tested and is believed to work well. If it does not 4 | # work for you, or you believe it could be improved, please post to 5 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 6 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 7 | aimwebcontent 8 | user-agent:aim/ 9 | -------------------------------------------------------------------------------- /rdp.pat: -------------------------------------------------------------------------------- 1 | # RDP - Remote Desktop Protocol (used in Windows Terminal Services) 2 | # 3 | # This pattern was submitted by Daniel Weatherford. It is untested. Please 4 | # report how this pattern works for you to l7-filter-developers@lists.sf.net 5 | # This list may be subscribed to at 6 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 7 | rdp 8 | # can we get rid of some of the .*s? 9 | rdpdr.*cliprdp.*rdpsnd 10 | -------------------------------------------------------------------------------- /applejuice.pat: -------------------------------------------------------------------------------- 1 | # Apple Juice - P2P filesharing - http://www.applejuicenet.de/ 2 | # 3 | # This pattern is untested. If it works for you, does not 4 | # work for you, or you believe it could be improved, please post to 5 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 6 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 7 | 8 | applejuice 9 | # this pattern extracted from ipp2p, by Eicke Friedrich. 10 | ajprot\x0d\x0a 11 | -------------------------------------------------------------------------------- /gnucleuslan.pat: -------------------------------------------------------------------------------- 1 | # GnucleusLAN (the LAN-only version) - Peer-to-peer file sharing 2 | # 3 | # This pattern has been tested and is believed to work well. If it does not 4 | # work for you, or you believe it could be improved, please post to 5 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 6 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 7 | gnucleuslan 8 | gnuclear connect/[\x09-\x0d -~]*user-agent: gnucleus [\x09-\x0d -~]*lan: 9 | -------------------------------------------------------------------------------- /ipp.pat: -------------------------------------------------------------------------------- 1 | # IP printing - a new standard for UNIX printing - RFC 2910 2 | # 3 | # This pattern has been tested and is believed to work well. If it does not 4 | # work for you, or you believe it could be improved, please post to 5 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 6 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 7 | 8 | ipp 9 | # It's unlikely that anything else has this string, but I think we could 10 | # do a bit better... 11 | ipp:// 12 | -------------------------------------------------------------------------------- /file_types/pdf.pat: -------------------------------------------------------------------------------- 1 | # PDF - Portable Document Format - Postscript-like format by Adobe 2 | # 3 | # This pattern has been tested and is believe to work well. If it does not 4 | # work for you, or you believe it could be improved, please post to 5 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 6 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 7 | 8 | # Matches PDF versions 1.0 - 1.6 (not sure if 1.6 exists yet, but it probably 9 | # will. 10 | pdf 11 | %PDF-1\.[0123456] 12 | -------------------------------------------------------------------------------- /bittorrent.pat: -------------------------------------------------------------------------------- 1 | # Bittorrent - http://sourceforge.net/projects/bittorrent/ 2 | # 3 | # This pattern has been tested and is believed to work well. If it does not 4 | # work for you, or you believe it could be improved, please post to 5 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 6 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 7 | bittorrent 8 | 9 | # 0x13 is the length of "bittorrent protocol" 10 | \x13bittorrent protocol 11 | 12 | # pattern was this: 13 | # bittorrent protocols 14 | -------------------------------------------------------------------------------- /file_types/html.pat: -------------------------------------------------------------------------------- 1 | # (X)HTML - (Extensible) Hypertext Markup Language typedef - http://w3.org 2 | # 3 | # This pattern has been tested and is believe to work well. If it does not 4 | # work for you, or you believe it could be improved, please post to 5 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 6 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 7 | 8 | # this should match any (X)HTML document from any version that is conforms 9 | # even vaugly to the standards. 10 | html 11 | 12 | -------------------------------------------------------------------------------- /malware/README: -------------------------------------------------------------------------------- 1 | This directory hold patterns for viruses, worms and the like. 2 | 3 | Please see ../file_types/README 4 | 5 | The patterns here now (Code Red, Nimda) are only for proof-of-concept. 6 | To usefully control the spread of a new worm through bandwidth 7 | arbitration, it will be necessary for new patterns to be written quickly 8 | in response to the new worm. Also the patterns must be more flexible 9 | than the ones presented here, as these only use simple string matching, 10 | which would be easily defeated by any reasonably clever worm. 11 | -------------------------------------------------------------------------------- /msnmessenger.pat: -------------------------------------------------------------------------------- 1 | # MSN Messenger - Microsoft Network chat client 2 | # Usually uses port 1863 3 | # http://www.hypothetic.org/docs/msn/index.php 4 | # 5 | # This pattern has been tested and is believed to work well. If it does not 6 | # work for you, or you believe it could be improved, please post to 7 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 8 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 9 | msnmessenger 10 | # ver: allow versions up to 99. 11 | # usr (in case ver didn't work): 12 | ver [0-9]+ msnp[1-9][0-9]? cvr|usr md5 i [ -~]* 13 | -------------------------------------------------------------------------------- /rstp.pat: -------------------------------------------------------------------------------- 1 | # RTSP - Real Time Streaming Protocol - http://www.rtsp.org/ 2 | # usually runs on port 554 3 | # 4 | # To take full advantage of this pattern, please see the RTSP connection 5 | # tracking patch to the Linux kernel referenced at the above site. 6 | # 7 | # This pattern has been tested and is believed to work well. If it does not 8 | # work for you, or you believe it could be improved, please post to 9 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 10 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 11 | rstp 12 | rtsp/1.0 200 ok 13 | -------------------------------------------------------------------------------- /file_types/tar.pat: -------------------------------------------------------------------------------- 1 | # Tar - tape archive. Standard UNIX file archiver, not just for tapes. 2 | # 3 | # If this pattern does not 4 | # work for you, or you believe it could be improved, please post to 5 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 6 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 7 | 8 | tar 9 | # /usr/share/magic 10 | ## POSIX tar archives 11 | #257 string ustar\0 POSIX tar archive 12 | #257 string ustar\040\040\0 GNU tar archive 13 | # this is pretty general. It's not a dictionary word, but still... 14 | ustar 15 | -------------------------------------------------------------------------------- /nbns.pat: -------------------------------------------------------------------------------- 1 | # Netbios name service 2 | # 3 | # This pattern has been tested and is believed to work well. If it does not 4 | # work for you, or you believe it could be improved, please post to 5 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 6 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 7 | # 8 | # name query 9 | # \x01\x10 means name query 10 | # 11 | # registration NB 12 | # (\x10 or )\x10 means registration 13 | # 14 | # release NB (merged with registration) 15 | # 0\x10 means release 16 | 17 | nbns 18 | \x01\x10\x01|\)\x10\x01\x01|0\x10\x01 19 | 20 | 21 | 22 | -------------------------------------------------------------------------------- /biff.pat: -------------------------------------------------------------------------------- 1 | # Biff - new mail notification 2 | # Usually runs on port 512 3 | # 4 | # This pattern is untested. If it does not 5 | # work for you, or you believe it could be improved, please post to 6 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 7 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 8 | biff 9 | # This is a rare case where we will specify a $ (end of line), since 10 | # this is the entirety of the communication. 11 | # something that looks like a username, an @, a number. 12 | # won't catch usernames that have strange characters in them. 13 | ^[a-z][a-z0-9]+@[1-9][0-9]+$ 14 | -------------------------------------------------------------------------------- /live365.pat: -------------------------------------------------------------------------------- 1 | # live365 - An Internet radio site (http://live365.com) 2 | # 3 | # This pattern was "contributed" (taken with permission) by the bandwidth 4 | # arbitrator project (www.bandwidtharbitrator.com). 5 | # 6 | # This pattern is unconfirmed. 7 | # Please post to l7-filter-developers@lists.sf.net as to whether it works 8 | # for you or not. If you believe it could be improved please post your 9 | # suggestions to that list as well. You may subscribe to this list at 10 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 11 | 12 | live365 13 | # FIXME: what's going on here? 14 | membername.*session.*player 15 | 16 | -------------------------------------------------------------------------------- /quakeworld.pat: -------------------------------------------------------------------------------- 1 | # Quake World - A popular computer game. 2 | # 3 | # This pattern is untested and unconfirmed. 4 | # Please post to l7-filter-developers@lists.sf.net as to whether it works 5 | # for you or not. If you believe it could be improved please post your 6 | # suggestions to that list as well. You may subscribe to this list at 7 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 8 | 9 | quakeworld 10 | # http://www.alumni.caltech.edu/~chamness/qwPackets.html 11 | # First half matches client, second matches server. 12 | # This is quite likely to be incomplete. 13 | \xff\xffconnect "|fullserverinfo "\teamplay 14 | -------------------------------------------------------------------------------- /imap.pat: -------------------------------------------------------------------------------- 1 | # IMAP - Internet Message Access Protocol (A common e-mail protocol) 2 | # This matches IMAP4 (RFC 3501) and probably IMAP2 (RFC 1176) 3 | # 4 | # This pattern has been tested and is believed to work well. If it does not 5 | # work for you, or you believe it could be improved, please post to 6 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 7 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 8 | # 9 | # This matches the IMAP welcome message or a noop command (which for 10 | # some unknown reason can happen at the start of a connection?) 11 | imap 12 | (\* ok)|(a[0-9]+ noop) 13 | 14 | -------------------------------------------------------------------------------- /pressplay.pat: -------------------------------------------------------------------------------- 1 | # pressplay - A legal music distribution site (http://pressplay.com) 2 | # 3 | # This pattern was "contributed" (taken with permission) by the bandwidth 4 | # arbitrator project (www.bandwidtharbitrator.com). 5 | # 6 | # This pattern is unconfirmed. 7 | # Please post to l7-filter-developers@lists.sf.net as to whether it works 8 | # for you or not. If you believe it could be improved please post your 9 | # suggestions to that list as well. You may subscribe to this list at 10 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 11 | 12 | pressplay 13 | # can we do better than this? 14 | user-agent: nsplayer 15 | 16 | -------------------------------------------------------------------------------- /ident.pat: -------------------------------------------------------------------------------- 1 | # Ident - Identification Protocol - RFC 1413 2 | # Usually runs on port 113 3 | # 4 | # This pattern is believed to work. If it does not 5 | # work for you, or you believe it could be improved, please post to 6 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 7 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 8 | 9 | ident 10 | # This is rather broad and could easily match things which aren't ident. 11 | ^[1-9][0-9]?[0-9]?[0-9]?[0-9]?[\x09-\x0d]*,[\x09-\x0d*[1-9][0-9]?[0-9]?[0-9]?[0-9] 12 | # or we could just match the server response (2nd packet of 2, usually) 13 | # ^[0-9]+ *, *[0-9]+ *: *USERID *:.*: 14 | -------------------------------------------------------------------------------- /ncp.pat: -------------------------------------------------------------------------------- 1 | # NCP - Novell Core Protocol 2 | # 3 | # This pattern has been tested and is believed to work well. If it does not 4 | # work for you, or you believe it could be improved, please post to 5 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 6 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 7 | # 8 | # dmdt means Request 9 | # *any length 10 | # 11 | # *any reply buffer size 12 | # "" means service request 13 | # | \x17\x17 means create a service connection 14 | # | uu means destroy service connection 15 | # ncp reply 16 | # tncp means reply 17 | # 33 means service reply 18 | 19 | ncp 20 | dmdt.*\x01.*(""|\x11\x11|uu)|tncp.*33 21 | -------------------------------------------------------------------------------- /ssh.pat: -------------------------------------------------------------------------------- 1 | # SSH - Secure SHell 2 | # usually runs on port 22 3 | # 4 | # This pattern has been tested and is believed to work well. If it does not 5 | # work for you, or you believe it could be improved, please post to 6 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 7 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 8 | 9 | ssh 10 | (diffie-hellman-group-exchange-sha1|diffie-hellman-group1-sha1.ssh-rsa|ssh-dssfaes128-cbc|3des-cbc|blowfish-cbc|cast128-cbc|arcfour|aes192-cbc|aes256-cbc|rijndael-cbc@lysator.liu.sefaes128-cbc|3des-cbc|blowfish-cbc|cast128-cbc|arcfour|aes192-cbc|aes256-cbc|rijndael-cbc@lysator.liu.seuhmac-md5|hmac-sha1|hmac-ripemd160)+ 11 | -------------------------------------------------------------------------------- /bearshare.pat: -------------------------------------------------------------------------------- 1 | # Bearshare - a Gnutella client. 2 | # 3 | # Please post to l7-filter-developers@lists.sf.net if you can help 4 | # improve this pattern. You may subscribe at 5 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 6 | 7 | bearshare 8 | # This is the pattern used by www.bandwidtharbitrator.com 9 | # It has NOT been verified and is furthermore far too permissive, as it 10 | # matches _any_ stream with the word "bear" in it (or the string "nldu"). 11 | # However, the "z9.*u>p" branch has potential, so I'm including it alone. 12 | # Can anyone explain what it is and say whether it alone is sufficient to 13 | # match Bearshare? 14 | 15 | # bear|nldu|z9.*u>p 16 | 17 | z9.*u>p 18 | -------------------------------------------------------------------------------- /weakpatterns/mysql.pat: -------------------------------------------------------------------------------- 1 | # mySQL - Database 2 | # http://216.239.39.104/search?q=cache:Phier6mmAlAJ:public.logicacmg.com/~redferni/mysql/MySQL-Protocol.html+&hl=en&start=1&ie=UTF-8 3 | # (sorry) 4 | # 5 | # This pattern is untested. If it does not 6 | # work for you, or you believe it could be improved, please post to 7 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 8 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 9 | 10 | mysql 11 | # matches versions 9 and 10 of the protocol (what other versions should be 12 | # matched? 13 | # Assumes that the server version string is alphanumeric plus dashes and 14 | # underscores. 15 | [\x09\x0a][0-9a-z\.\-_]+|\x01..?[a-z][a-z0-9]+ 16 | -------------------------------------------------------------------------------- /malware/code_red.pat: -------------------------------------------------------------------------------- 1 | # Code Red - a worm that attacks Microsoft IIS web servers 2 | 3 | # If this pattern does not 4 | # work for you, or you believe it could be improved, please post to 5 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 6 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 7 | 8 | codered 9 | /default\.ida\?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 10 | -------------------------------------------------------------------------------- /telnet.pat: -------------------------------------------------------------------------------- 1 | # Telnet - Insecure remote login (RFC 854) 2 | # Usually runs on port 23 3 | # 4 | # This pattern is lightly tested. If it does not 5 | # work for you, or you believe it could be improved, please post to 6 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 7 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 8 | 9 | telnet 10 | # Matches at least three IAC (Do|Will|Don't|Won't) commands in a row. 11 | # My telnet client sends 9 when I connect, so this should be fine. 12 | # This pattern could fail on a unchatty connection or it could be 13 | # matched by something non-telnet spewing a lot of stuff in the fb-ff range. 14 | ^\xff[\xfb-\xfe].\xff[\xfb-\xfe].\xff[\xfb-\xfe] 15 | -------------------------------------------------------------------------------- /weakpatterns/winmx.pat: -------------------------------------------------------------------------------- 1 | # winmx - A peer to peer file sharing program (http://www.winmx.com/) 2 | # 3 | # This pattern was "contributed" (taken with permission) by the bandwidth 4 | # arbitrator project (www.bandwidtharbitrator.com). 5 | # 6 | # This pattern is unconfirmed. 7 | # Please post to l7-filter-developers@lists.sf.net as to whether it works 8 | # for you or not. If you believe it could be improved please post your 9 | # suggestions to that list as well. You may subscribe to this list at 10 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 11 | # 12 | winmx 13 | # this needs to be more specific if possible, it matches when I connect to 14 | # irc.flamed.net and also some http connections. 15 | \+.*p.*get 16 | -------------------------------------------------------------------------------- /irc.pat: -------------------------------------------------------------------------------- 1 | # IRC - Internet Relay Chat - RFC 1459 2 | # Usually runs on port 6666 or 6667 3 | # Note that chat traffic runs on these ports, but IRC-DCC traffic (which 4 | # can use much more bandwidth) uses a dynamically assigned port, so you 5 | # must have the IRC connection tracking module in your kernel to classify 6 | # this. 7 | # 8 | # This pattern has been tested and is believe to work well. If it does not 9 | # work for you, or you believe it could be improved, please post to 10 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 11 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 12 | 13 | irc 14 | # I'd rather this were less inclusive... 15 | ^nick[\x09-\x0d -~]*user[\x09-\x0d -~]*: 16 | -------------------------------------------------------------------------------- /counterstrike.pat: -------------------------------------------------------------------------------- 1 | # Counter Strike - A popular computer game. 2 | # 3 | # This pattern was "contributed" (taken with permission) by the bandwidth 4 | # arbitrator project (www.bandwidtharbitrator.com). 5 | # 6 | # It should match at least the connection to the global internet gaming 7 | # server, but may not match actual game connections. 8 | # 9 | # This pattern is unconfirmed. 10 | # Please post to l7-filter-developers@lists.sf.net as to whether it works 11 | # for you or not. If you believe it could be improved please post your 12 | # suggestions to that list as well. You may subscribe to this list at 13 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 14 | # 15 | counterstrike 16 | cs .*dl.www.counter-strike.net 17 | 18 | -------------------------------------------------------------------------------- /smb.pat: -------------------------------------------------------------------------------- 1 | # Samba/SMB - Server Message Block - Microsoft File Sharing 2 | # 3 | # "This protocol is sometimes also referred to as the Common Internet File 4 | # System (CIFS), LanManager or NetBIOS protocol." -- "man samba" 5 | # 6 | # Actually, SMB is a higher level protocol than NetBIOS. However, the 7 | # NetBIOS header is only 4 bytes: not much to match on. 8 | # 9 | # http://www.ubiqx.org/cifs/SMB.html 10 | # 11 | # This pattern is barely tested. If it does not 12 | # work for you, or you believe it could be improved, please post to 13 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 14 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 15 | 16 | smb 17 | # matches a NEGOTIATE PROTOCOL command 18 | \xffsmb\x72 19 | -------------------------------------------------------------------------------- /gnutella.pat: -------------------------------------------------------------------------------- 1 | # Gnutella - Peer-to-peer file sharing - various clients use this protocol 2 | # including Mactella, Gnucleus, Gnotella, LimeWire, BearShare, iMesh, 3 | # and WinMX. Note that we have seperate patterns for some of these 4 | # programs, should you have a reason to filter them individually. 5 | # 6 | # This pattern has been verified with bearshare. It may not work as well 7 | # with other clients. Please report on how this pattern works for you at 8 | # l7-filter-developers@lists.sf.net . If you can improve on this pattern, 9 | # please also post to that list. You may subscribe at 10 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 11 | 12 | gnutella 13 | gnutella connect/[\x09-\x0d -~]*x-ultrapeer|user-agent: bearshare|x-gnutella-content-urn 14 | -------------------------------------------------------------------------------- /directconnect.pat: -------------------------------------------------------------------------------- 1 | # Direct Connect - Peer to Peer filesharing http://www.neo-modus.com/ 2 | # Direct Connect "hubs" listen on port 411 3 | # Protocol info: http://wza.digitalbrains.com/DC/doc/Introduction.html 4 | # 5 | # This pattern is lightly tested. If this pattern does not 6 | # work for you, or you believe it could be improved, please post to 7 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 8 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 9 | 10 | directconnect 11 | # (client-to-client handshake)|(client-to-hub login, hub speaking)| 12 | # (client-to-hub login, client speaking) 13 | \$mynick[\x09-\x0d -~]*\|\$lock[\x09-\x0d -~]*\||\$lock[\x09-\x0d -~]*pk=[\x09-\x0d -~]*\|\$hubname[\x09-\x0d -~]*\||\$key[\x09-\x0d -~]*\|\$validatenick[\x09-\x0d -~]*\| 14 | -------------------------------------------------------------------------------- /weakpatterns/README: -------------------------------------------------------------------------------- 1 | Patterns in this directory are weak in the sense that: 2 | 3 | (1) they will very likely match things they are not intended to. 4 | (2) they are likely to miss a large fraction of things they should match 5 | or 6 | (3) they are too slow 7 | 8 | Some protocols just don't have much to latch on to. It is recommended 9 | that you match on port number for these protocols. You could use the 10 | patterns to verify that traffic on port X really is what is expected 11 | there. That is, you should do: 12 | 13 | If ( on port 79 && looks like finger ) 14 | treat as finger; 15 | 16 | But NOT simply: 17 | 18 | If ( looks like finger ) 19 | treat as finger; 20 | 21 | Actually, this is fairly good advice for most Internet standard protocols, 22 | but more so for things in this directory. 23 | -------------------------------------------------------------------------------- /weakpatterns/finger.pat: -------------------------------------------------------------------------------- 1 | # Finger - User information server 2 | # Usually runs on port 79 3 | # 4 | # This pattern is lightly tested. If it does not 5 | # work for you, or you believe it could be improved, please post to 6 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 7 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 8 | 9 | # If you really want to use this pattern, I would set it up so that 10 | # it only gets consulted to confirm that traffic on port 79 is actually 11 | # finger. 12 | 13 | finger 14 | # The first matches the client request, which should look like a username. 15 | # The second matches the usual UNIX reply (but remember that they are 16 | # allowed to say whatever they want) 17 | $[a-z][a-z0-9\-_]+|login: [\x09-\x0d -~]* name: [\x09-\x0d -~]* Directory: 18 | -------------------------------------------------------------------------------- /x11.pat: -------------------------------------------------------------------------------- 1 | # X Windows Version 11 - Networked GUI system used in most Unices 2 | # specification: http://www.msu.edu/~huntharo/xwin/docs/xwindows/PROTO.pdf 3 | # Usually runs on port 6000 (6001 for the second server on a host, etc) 4 | # 5 | # This pattern has been tested. If this pattern does not 6 | # work for you, or you believe it could be improved, please post to 7 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 8 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 9 | 10 | x11 11 | # 'l' = little-endian. 'B' = big endian 12 | # ".?" is for the unused byte that comes next. If it's a null, it won't appear. 13 | # \x0b = protocol-major-version 11. 14 | # For some reason, protocol-minor-version is 0, not 6, so can't match it. 15 | # This pattern is too general. 16 | ^(l|B).?\x0b 17 | -------------------------------------------------------------------------------- /quake1.pat: -------------------------------------------------------------------------------- 1 | # Quake 1 - A popular computer game. 2 | # 3 | # This pattern is untested and unconfirmed. 4 | # Please post to l7-filter-developers@lists.sf.net as to whether it works 5 | # for you or not. If you believe it could be improved please post your 6 | # suggestions to that list as well. You may subscribe to this list at 7 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 8 | 9 | # Info taken from http://www.gamers.org/dEngine/quake/QDP/qnp.html, 10 | # which says that it "is incomplete, inaccurate and only applies to 11 | # versions 0.91, 0.92, 1.00 and 1.01 of QUAKE" 12 | 13 | quake1 14 | # Connection request: 80 00 00 0c 01 51 55 41 4b 45 00 03 15 | # \x80 = control packet. 16 | # \x0c = packet length 17 | # \x01 = CCREQ_CONNECT 18 | # \x03 = protocol version (3 == 0.91, 0.92, 1.00, 1.01) 19 | \x80\x0c\x01quake\x03| 20 | -------------------------------------------------------------------------------- /kazaa.pat: -------------------------------------------------------------------------------- 1 | # Kazaa - Peer to Peer filesharing 2 | # 3 | # This pattern has worked for some people and not for others. 4 | # Please post to l7-filter-developers@lists.sf.net as to whether it works 5 | # for you or not. If you believe it could be improved please post your 6 | # suggestions to that list as well. You may subscribe to this list at 7 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 8 | 9 | kazaa 10 | # while this is a valid http request, this will be caught because 11 | # the http pattern matches the response (and therefore the next packet) 12 | get /.hash=[\x09-\x0d -~]* http/1.1|user-agent: kazaa 13 | 14 | # the source of ipp2p suggests that "x-kazza-" may also help 15 | 16 | # This is the pattern used by www.bandwidtharbitrator.com 17 | # It is unverified. Does it work for you? Post to the l7-filter-developers 18 | # kazaa|icw.*]p 19 | -------------------------------------------------------------------------------- /rlogin.pat: -------------------------------------------------------------------------------- 1 | # rlogin - remote login (RFC 1282) 2 | # usually runs on port 443 3 | # 4 | # This pattern is untested. If it does does not 5 | # work for you, or you believe it could be improved, please post to 6 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 7 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 8 | 9 | rlogin 10 | # At least three characters (user name, user name, terminal type), 11 | # the first of which could be the first character of a user name, a 12 | # slash, then a terminal speed. (Assumes that usernames and terminal 13 | # types are alphanumeric only. I'm sure there are usernames like 14 | # "straitm-47" out there, but it's not common.) All terminal speeds 15 | # I know of end in two zeros and are between 3 and 6 digits long. 16 | # This pattern is uncomfortably general. 17 | ^[a-z][a-z0-9][a-z0-9]+/[1-9][0-9]?[0-9]?[0-9]?00 18 | -------------------------------------------------------------------------------- /nntp.pat: -------------------------------------------------------------------------------- 1 | # NNTP - Network News Transfer Protocol (RFC 977, 2980) 2 | # usually runs on port 119 3 | 4 | # This pattern is tested and is believed to work well (but could use more 5 | # testing). If it does not work for you, or you 6 | # believe it could be improved, please post to 7 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 8 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 9 | nntp 10 | # matches authorized login 11 | # OR 12 | # matches unauthorized login if the server says "news" after 20(0|1) 13 | # (Half of the 2 servers I tested did :-), but they both required authorization 14 | # so it's quite possible that this pattern will miss some nntp traffic.) 15 | 20(0|1)[\x09-\x0d -~]*AUTHINFO USER|20(0|1)[\x09-\x0d -~]*news 16 | 17 | # same thing, slightly more accurate, but about 8 times slower 18 | #20(0|1)[\x09-\x0d -~]*\x0d\x0a[\x09-\x0d -~]*AUTHINFO USER|20(0|1)[\x09-\x0d -~]*news 19 | -------------------------------------------------------------------------------- /snmp.pat: -------------------------------------------------------------------------------- 1 | # SNMP - Simple Network Management Protocol (RFC1157) 2 | # Usually runs on UDP ports 161 (monitoring) and 162 (traps) 3 | # 4 | # These filters match SNMPv1 packets without fail, and are made 5 | # as specific as possible not to match any ASN.1 encoded protocols. 6 | # However these could still be matched by other protocols that 7 | # use ASN.1 encoding 8 | 9 | # Contributed by Goli SriSairam 10 | 11 | # This pattern has been tested and is believe to work well. If it does not 12 | # work for you, or you believe it could be improved, please post to 13 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 14 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 15 | 16 | # All SNMPv1 traffic. See snmp-mon.pat and snmp-trap.pat for details. 17 | snmp 18 | ^\x02\x01\x04.+([\xa0-\xa3]\x02[\x01-\x04].?.?.?.?\x02\x01.?\x02\x01.?\x30)|(\xa4\x06.+\x40\x04.?.?.?.?\x02\x01.?\x02\x01.?\x43) 19 | -------------------------------------------------------------------------------- /validcertssl.pat: -------------------------------------------------------------------------------- 1 | # Valid certificate SSL - Anything tunneled through SSL (i.e. HTTPS, IMAPS) 2 | # claiming to use a valid certificate from a well known certificate authority. 3 | # 4 | # This pattern is believed match only the above, but may not match all 5 | # of it. 6 | # Please post to l7-filter-developers@lists.sf.net as to whether it works 7 | # for you or not. If you believe it could be improved please post your 8 | # suggestions to that list as well. You may subscribe to this list at 9 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 10 | # 11 | # the certificate authority info is sent in quasi plain text, if it matches 12 | # a well known certificate authority then we will assume it is a 13 | # web/imaps/etc server other ssl may be good too, but it should fall under 14 | # a different rule 15 | 16 | validcertssl 17 | server-certs@thawte.com|equifax secure certificate authority|rsa data security, inc|verisign, inc|gte cybertrust root 18 | -------------------------------------------------------------------------------- /tftp.pat: -------------------------------------------------------------------------------- 1 | # TFTP - Trivial File Transfer Protocol - used for bootstrapping (RFC 1350) 2 | # usually runs on port 69 3 | # 4 | # This pattern is unconfirmed. 5 | # Please post to l7-filter-developers@lists.sf.net as to whether it works 6 | # for you or not. If you believe it could be improved please post your 7 | # suggestions to that list as well. You may subscribe to this list at 8 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 9 | 10 | tftp 11 | # The first packet from the initiating host should either be a Read Request 12 | # or a Write Request. In the other direction, it should be data packet with 13 | # block number one or an ACK with block number zero. We only attempt to match 14 | # the initiating host's packets, because the only identifying features of 15 | # the responses to them are two byte sequences (which isn't specific enough). 16 | # (\x01|\x02) = Read Request or Write Request 17 | # [ -~]* = the file name 18 | # the rest = netascii|octet|mail (case insensitivity done by the kernel) 19 | 20 | ^(\x01|\x02)[ -~]*(netascii|octet|mail) 21 | -------------------------------------------------------------------------------- /jabber.pat: -------------------------------------------------------------------------------- 1 | # Jabber - an open instant messanger protocol - http://jabber.org 2 | # 3 | # This pattern has been lightly tested. It is only tested with 4 | # non-SSL mode Jabber with no proxies. If it does not 5 | # work for you, or you believe it could be improved, please post to 6 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 7 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 8 | 9 | # This pattern is based totally on looking at packet dumps. It may not 10 | # always work! 11 | 12 | # Jabber seems to take a long time to set up a connection. I'm 13 | # connecting with Gabber 0.8.8 to 12jabber.org and the first 8 packets 14 | # is this: 15 | # 20 | # 21 | # No mention of my username or password yet, you'll note. 22 | 23 | jabber 24 | <\?xml 25 | -------------------------------------------------------------------------------- /snmp-trap.pat: -------------------------------------------------------------------------------- 1 | # SNMP Traps - Simple Network Management Protocol (RFC1157) 2 | # Usually runs on UDP ports 162 3 | # 4 | # These filters match SNMPv1 packets without fail, and are made 5 | # as specific as possible not to match any ASN.1 encoded protocols. 6 | # However these could still be matched by other protocols that 7 | # use ASN.1 encoding 8 | 9 | # Contributed by Goli SriSairam 10 | 11 | # This pattern has been tested and is believe to work well. If it does not 12 | # work for you, or you believe it could be improved, please post to 13 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 14 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 15 | 16 | # SNMPv1 Trap 17 | # matches SNMP trap header 18 | # version \x02\x01 19 | # community string \x04.+ 20 | # PDU type \xa4 (TRAP) 21 | # enterprise \x06.+ 22 | # agent address \x40\x04\.?.?.?.? 23 | # trap type \x02\x01.? 24 | # specific trap type \x02\x01.? 25 | # timestamp \x43 26 | snmp-trap ^\x02\x01\x04.+\xa4\x06.+\x40\x04.?.?.?.?\x02\x01.?\x02\x01.?\x43 27 | 28 | 29 | -------------------------------------------------------------------------------- /socks.pat: -------------------------------------------------------------------------------- 1 | # SOCKS Version 5 - Firewall traversal protocol (RFC 1928) 2 | # Usually runs on port 1080 3 | # Also useful: http://www.iana.org/assignments/socks-methods 4 | # 5 | # This pattern is untested. If it does not 6 | # work for you, or you believe it could be improved, please post to 7 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 8 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 9 | 10 | # method request, no private methods \x05[\x01-\x08]* 11 | # method reply, assumes sucess \x05[\x01-\x08]? 12 | # method dependent sub-negotiation .* 13 | # request, ipv4 only \x05[\x01-\x03][\x01\x03].* 14 | # reply \x05[\x01-\x08]?[\x01\x03].* 15 | 16 | # username/password method 17 | # u/p request, assuming reasonable usernames and passwords 18 | # \x05[\x02-\x10][a-z][a-z0-9\-]*[\x05-\x20][!-~]* 19 | # server reply 20 | # \x05 21 | 22 | # GSSAPI method 23 | # client initial token \x01\x01\x02.* 24 | # server reply \x01\x01\x02.* 25 | 26 | # any other method .* (all methods boil down to this until we have information 27 | # about all the commonly used ones) 28 | 29 | socks 30 | \x05[\x01-\x08]*\x05[\x01-\x08]?.*\x05[\x01-\x03][\x01\x03].*\x05[\x01-\x08]?[\x01\x03] 31 | -------------------------------------------------------------------------------- /snmp-mon.pat: -------------------------------------------------------------------------------- 1 | # SNMP Monitoring - Simple Network Management Protocol (RFC1157) 2 | # Usually runs on UDP ports 161 3 | # 4 | # These filters match SNMPv1 packets without fail, and are made 5 | # as specific as possible not to match any ASN.1 encoded protocols. 6 | # However these could still be matched by other protocols that 7 | # use ASN.1 encoding 8 | 9 | # Contributed by Goli SriSairam 10 | 11 | # This pattern has been tested and is believe to work well. If it does not 12 | # work for you, or you believe it could be improved, please post to 13 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 14 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 15 | 16 | # SNMPv1 GET/GETNEXT/SET request and response 17 | # matches SNMP header 18 | # version \x02\x01 19 | # community \x04.+ 20 | # PDU type [\xa0-\xa3] (GET/GETNEXT/SET/GETRESPONSE) 21 | # RequestId \x02[\x01-\x04].?.?.?.? 22 | # errorStatus \x02\x01.? 23 | # errorIndex \x02\x01.? 24 | # varbinds start \x30 25 | snmp-mon 26 | ^\x02\x01\x04.+[\xa0-\xa3]\x02[\x01-\x04].?.?.?.?\x02\x01.?\x02\x01.?\x30 27 | -------------------------------------------------------------------------------- /malware/nimda.pat: -------------------------------------------------------------------------------- 1 | # Nimda - a worm that attacks Microsoft IIS web servers, and MORE! 2 | 3 | # If this pattern does not 4 | # work for you, or you believe it could be improved, please post to 5 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 6 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 7 | 8 | nimda 9 | GET (/scripts/root\.exe\?/c\+dir|/MSADC/root\.exe\?/c\+dir|/c/winnt/system32/cmd\.exe\?/c\+dir|/d/winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/_vti_bin/\.\.%5c\.\./\.\.%5c\.\./\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/_mem_bin/\.\.%5c\.\./\.\.%5c\.\./\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/msadc/\.\.%5c\.\./\.\.%5c\.\./\.\.%5c/\.\.\xc1\x1c\.\./\.\.\xc1\x1c\.\./\.\.\xc1\x1c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc1\x1c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc0/\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc0\xaf\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc1\x9c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%35c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%35c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%2f\.\./winnt/system32/cmd\.exe\?/c\+dir) 10 | -------------------------------------------------------------------------------- /yahoo.pat: -------------------------------------------------------------------------------- 1 | # Yahoo messenger - an instant messenger protocol (http://yahoo.com) 2 | # Usually runs on port 5050 3 | # 4 | # This pattern is untested. 5 | # Please post to l7-filter-developers@lists.sf.net as to whether it works 6 | # for you or not. If you believe it could be improved please post your 7 | # suggestions to that list as well. You may subscribe to this list at 8 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 9 | 10 | yahoo 11 | # http://www.venkydude.com/articles/yahoo.htm says: 12 | # All Yahoo commands start with YMSG. 13 | # (Well... http://ethereal.com/faq.html#q5.27 suggests that YPNS and YHOO 14 | # are also possible, so let's allow those) 15 | # The next 7 bytes contain command (packet?) length and version information 16 | # which we won't currently try to match. 17 | # W means "encryption challenge command" 18 | # T means "login command" 19 | # (there are others, i.e. 0x01 "coming online", 0x02 "going offline", 20 | # 0x04 "changing status to available", 0x06 "user message", but W and T 21 | # should appear in the first few packets.) 22 | # 0xC080 is the standard argument separator, it should appear not long 23 | # after the "type of command" byte. 24 | 25 | ^(ymsg|ypns|yhoo).?.?.?.?.?.?.?(w|t).*\xc0\x80 26 | -------------------------------------------------------------------------------- /aim.pat: -------------------------------------------------------------------------------- 1 | # AIM - AOL instant messenger (OSCAR and TOC) 2 | # Usually runs on port 5190 3 | # 4 | # This may also match ICQ traffic. 5 | # 6 | # This pattern has been tested and is believe to work well. If it does not 7 | # work for you, or you believe it could be improved, please post to 8 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 9 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 10 | 11 | aim 12 | # See http://gridley.acns.carleton.edu/~straitm/final (and various other places) 13 | # The first bit matches OSCAR signon and data commands, but not sure what 14 | # \x03\x0b matches, but it works apparently. 15 | # The next three bits match various parts of the TOC signon process. 16 | # The third one is the magic number "*", then 0x01 for "signon", then up to four 17 | # bytes ("up to" because l7-filter strips out nulls) which contain a sequence 18 | # number (2 bytes) the data length (2 more) and 3 nulls (which don't count), 19 | # then 0x01 for the version number (not sure if there ever has been another 20 | # version) 21 | # The fourth one is a command string, followed by some stuff, then the 22 | # beginning of the "roasted" password 23 | (^\*(\x01|\x02).*\x03\x0b)|(flapon)|(^\*\x01.?.?.?.?\x01)|(toc_signon.*0x) 24 | -------------------------------------------------------------------------------- /weakpatterns/gopher.pat: -------------------------------------------------------------------------------- 1 | # Gopher - A precurser to HTTP (RFC 1436) 2 | # Usually runs on port 70 3 | # 4 | # This pattern is untested. If it does not 5 | # work for you, or you believe it could be improved, please post to 6 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 7 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 8 | 9 | gopher 10 | # This matches the server's response, but naturally only if it is a 11 | # directory listing, not if it is sending a file, because then the data 12 | # is totally arbitrary. 13 | 14 | # Matches one of the file type characters, any characters, a tab, any 15 | # characters, a tab something that has at least one letter (maybe something 16 | # else), then a dot and at least two letters for a TLD (see dns.pat), a tab 17 | # and then a number which could be the start of a port number. 18 | # i.e. "0About internet Gopher\tStuff:About us\trawBits.micro.umn.edu\t70" 19 | # [1-9,\+TgI].*\x09.*\x09.*[a-z].*\..*[a-z][a-z]\x09[1-9] 20 | 21 | # the above is very very VERY slow with our current regexp implmentation 22 | # this one won't bring your machine down, but is still at least an order 23 | # of magnitude slower than any other pattern: 24 | [1-9,\+TgI][\x09-\0d -~]*\x09[\x09-\0d -~]*\x09[a-z0-9\.]*\.[a-z][a-z].?.?\x09[1-9] 25 | -------------------------------------------------------------------------------- /http.pat: -------------------------------------------------------------------------------- 1 | # HTTP - HyperText Transfer Protocol (RFC 2616) 2 | # Usually runs on port 80 3 | # 4 | # This pattern has been tested and is believed to work well. If it does not 5 | # work for you, or you believe it could be improved, please post to 6 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 7 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 8 | # 9 | # this intentionally catches the response from the server 10 | # rather than the request so that other protocols which use 11 | # http (like kazaa) can be caught based on specific http requests 12 | # regardless of the ordering of filters... 13 | # also matches posts 14 | 15 | http 16 | # Added response status code 304 to the current pattern. 17 | # Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF (rfc 2616) 18 | # As specified in rfc 2616 a status code is preceeded and followed by a 19 | # space. 20 | (http[\x09-\x0d -~]*(200 ok|302 |304 )[\x09-\x0d -~]*(connection:|content-type:|content-length:))|^(post [\x09-\x0d -~]* http/) 21 | 22 | # I think this should work, but I'm going to consult others and read more 23 | # before making it official: 24 | #(http/[01]\.[019] [\x09-\x0d -~]* [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:))|(post [\x09-\x0d -~]* http/[01]\.[019]) 25 | -------------------------------------------------------------------------------- /edonkey.pat: -------------------------------------------------------------------------------- 1 | # eDonkey2000 - P2P filesharing (http://edonkey2000.com) 2 | # 3 | # Please post to l7-filter-developers@lists.sf.net as to whether this pattern 4 | # works for you or not. If you believe it could be improved please post your 5 | # suggestions to that list as well. You may subscribe to this list at 6 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 7 | 8 | # This pattern was contributed by Matt Skidmore 9 | # It is currently unclear whether this pattern matches the actual 10 | # (up|down)loads, or just the control streams. It may also not match the 11 | # official eDonkey2000 client, as \xc5 means "eMule extentions", according 12 | # to Ethereal. It definitely matches aMule control streams. 13 | 14 | # client hello 15 | # e3 <4 byte message length> 01 16 | # server hello 17 | # c5 <4 byte message length> 01 18 | # client answer 19 | # c5 <4 byte message length> 02 20 | # server answer 21 | # e3 <4 byte message length> 4c 22 | # 23 | # The first byte of the length feild will probably never be null but the 24 | # remaining bytes often are. 25 | 26 | edonkey 27 | \xe3[\x01-\xff].?.?.?\x01.*\xc5[\x01-\xff].?.?.?\x01.*\xc5[\x01-\xff].?.?.?\x02.*\xe3[\x01-\xff].?.?.?\x4c 28 | 29 | # ipp2p essentially uses "\xe3....\x47", which seems to contradict the above. 30 | # More testing is clearly needed. 31 | -------------------------------------------------------------------------------- /ftp.pat: -------------------------------------------------------------------------------- 1 | # FTP - File Transfer Protocol (RFC 959) 2 | # Usually runs on port 21. Note that the data stream is on a dynamically 3 | # assigned port, which means that you will need the FTP connection 4 | # tracking module in your kernel to usefully match FTP data transfers. 5 | # 6 | # 7 | # This is somewhat tested. If it does not 8 | # work for you, or you believe it could be improved, please post to 9 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 10 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 11 | 12 | # Matches the first two things a server should say. Most servers say 13 | # something after 220, even though they don't have to, and it usually 14 | # includes the string "ftp" (l7-filter is case insensitive at the moment). 15 | # This includes proftpd, vsftpd, wuftpd, warftpd, pureftpd, Bulletproof 16 | # FTP Server, and whatever ftp.microsoft.com uses. Just in case, the next 17 | # thing the server sends is a 331. All the above servers also send 18 | # something including "password" after this code. 19 | ftp 20 | ^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*password 21 | 22 | # This pattern is more precise, but takes longer to match. (3 packets vs. 1) 23 | #^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a331 24 | 25 | # same as above, but slightly less precise and only takes 2 packets. 26 | #^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a 27 | -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | These are patterns for use with the Linux layer 7 packet classifier. 2 | In order to use them, you will need to use the kernel patch and the 3 | modified version of tc available at http://sf.net/projects/l7-filter/ 4 | 5 | The HOWTO at http://l7-filter.sf.net explains how to use these. 6 | The HOWTO in this directory is a guide to writing patterns. 7 | 8 | These patterns should be used only with version >= 0.3.0 of the kernel patch. 9 | 10 | The "weakpatterns" directory contains patterns that are too general for them 11 | to be really useful. They are included because (1) they may be good enough 12 | for some purposes and (2) it will make it easier for people to improve them 13 | if there's something to start with. 14 | 15 | The "malware" directory contains patterns for viruses and worms. The 16 | "file_types" directory contains patterns for file types. Please read 17 | file_types/README if you plan to use any patterns in these directories. 18 | 19 | Please report your experience with these patterns to 20 | l7-filter-developers@lists.sf.net . You may subscribe to this list at 21 | http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 22 | 23 | Please note that many of these patterns were written by someone (me, 24 | Matthew Strait) who didn't know anything about the protocol in question 25 | until he started doing google searches for it. So if you think a 26 | pattern is broken and you know better, you probably do! Let us know. 27 | -------------------------------------------------------------------------------- /weakpatterns/netbios.pat: -------------------------------------------------------------------------------- 1 | # NetBIOS - Network Basic Input Output System 2 | # 3 | # As mentioned in smb.pat: 4 | # 5 | # "This protocol is sometimes also referred to as the Common Internet File 6 | # System (CIFS), LanManager or NetBIOS protocol." -- "man samba" 7 | # 8 | # Actually, SMB is a higher level protocol than NetBIOS. However, the 9 | # NetBIOS header is only 4 bytes: not much to match on. 10 | # 11 | # http://www.ubiqx.org/cifs/SMB.html 12 | # 13 | # This pattern attempts to match the (Session layer) NetBIOS Session request. 14 | # If sucessful, you may be able to match NetBIOS several packets earlier 15 | # than if you just waited for the easier-to-match SMB header. 16 | # 17 | # This pattern is untested. If it does not 18 | # work for you, or you believe it could be improved, please post to 19 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 20 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 21 | 22 | netbios 23 | # session request byte, three bytes of flags and length. Then 24 | # there should be a big mess of letters between A and P which represent 25 | # the NetBIOS names of the involved computers (with a null between them). 26 | # (40ish here, damn this regexp implementation and its lack of {40,}) 27 | \x81.?.?.[A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P] 28 | -------------------------------------------------------------------------------- /dhcp.pat: -------------------------------------------------------------------------------- 1 | # DHCP - Dynamic Host Configuration Protocol (RFC 1541) 2 | # Usually runs on ports 67 (server) and 68 (client) 3 | # 4 | # Also matches BOOTP (Bootstrap Protocol (RFC 951)) in the case that 5 | # the "vendor specific options" are used (these options were made standard 6 | # for DHCP). 7 | # 8 | # This pattern is unconfirmed. 9 | # Please post to l7-filter-developers@lists.sf.net as to whether it works 10 | # for you or not. If you believe it could be improved please post your 11 | # suggestions to that list as well. You may subscribe to this list at 12 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 13 | 14 | dhcp 15 | ^(\x01|\x02)[\x01- ]\x06.*c\x82sc 16 | 17 | # Let's break that down: 18 | # 19 | # (\x01|\x02) is for BOOTREQUEST or BOOTREPLY 20 | # Is there a demand for doing these seperately? The Packeteer does. 21 | # 22 | # [\x01-\x20] is for any of the hardware address types listed at 23 | # (http://www.iana.org/assignments/arp-parameters) and hopefully faster 24 | # ethernets too (100, 1000 and 10000mb) as well (do they share the 10mb 25 | # number?). 26 | # 27 | # \x06 for "hardware address length = 6 bytes". Does anyone use other lengths 28 | # these days? If so, this pattern won't match it as it stands. 29 | # 30 | # .* covers the hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, 31 | # chaddr, sname and file fields. While this can't really be "any number 32 | # of characters" long, it doesn't seem worth it to count. 33 | # Can we make this more specific by restricting the number of hops or seconds? 34 | # 35 | # 0x63825363 is the "magic cookie" which begins the DHCP options field. 36 | -------------------------------------------------------------------------------- /file_types/README: -------------------------------------------------------------------------------- 1 | Patterns in this directory are not for network protocols, but rather for 2 | file types. They are for cases in which you would like to 3 | promote/restrict transfer of one file type regardless of what protocol 4 | it is being transfered over. (So these could be considered "layer 8" 5 | protocols, if you like.) 6 | 7 | Writing patterns for this directory is pretty easy. Often 8 | /usr/share/magic has everything you need to know. If you'd like 9 | something that isn't here, please ask for it. 10 | 11 | Notes: 12 | 13 | 1) If you want a filter for both a file type and the application layer 14 | protocol that this file type is transported over (i.e. HTML and HTTP), 15 | you should set up your filters so that the file type is tested for in a 16 | child node of the node that tests for the protocol. In other words, you 17 | should construct trees like this: 18 | 19 | (root) 20 | \_ HTTP 21 | | \_ HTML 22 | | \_ PDF 23 | \_ FTP 24 | \_ TAR 25 | \_ PS 26 | 27 | If you test for file types and protocols at the same level, l7-filter 28 | will usually classify as the protocol because it sees that data first. 29 | We hope to make this process less clumsy in later releases. 30 | 31 | 2) A connection may very well contain more than one file transfer. These 32 | will match the first file sent and continue to apply that classification 33 | to all subsequent files of that connection, regardless of their content. 34 | 35 | 3) Since the file starts later than the application layer protocol 36 | information, you may need to use /proc/net/layer7_numpackets to increase 37 | the number of packets examined. i.e. "echo 12 > 38 | /proc/net/layer7_numpackets" (QoS version only.) 39 | -------------------------------------------------------------------------------- /smtp.pat: -------------------------------------------------------------------------------- 1 | # SMTP - Simple Mail Transfer Protocol (RFC 2821) (See also RFC 1869) 2 | # usually runs on port 25 3 | # 4 | # This pattern has been tested and is believed to work well. If it does not 5 | # work for you, or you believe it could be improved, please post to 6 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 7 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 8 | smtp 9 | # As usual, no text is required after "220", but all known servers have some 10 | # there. It (almost?) always has string "smtp" in it. The RFC examples 11 | # does not, so we match those too, just in case anyone has copied them 12 | # literally. 13 | ^220[\x09-\x0d -~]* (e?smtp|simple mail) 14 | 15 | # Some examples: 16 | # 220 mail.stalker.com ESMTP CommuniGate Pro 4.1.3 17 | # 220 mail.vieodata.com ESMTP Merak 6.1.0; Mon, 15 Sep 2003 13:48:11 -0400 18 | # 220 mail.ut.caldera.com ESMTP 19 | # 220 persephone.pmail.gen.nz ESMTP server ready. 20 | # 220 smtp1.superb.net ESMTP 21 | # 220 mail.kerio.com Kerio MailServer 5.6.7 ESMTP ready 22 | # 220-mail.deerfield.com ESMTP VisNetic.MailServer.v6.0.9.0; Mon, 15 Sep 2003 13:4 23 | # 220 altn.com ESMTP MDaemon 6.8.5; Mon, 15 Sep 2003 12:46:42 -0500 24 | # 220 X1 NT-ESMTP Server ipsmin0165atl2.interland.net (IMail 6.06 73062-3) 25 | # 220 mail.icewarp.com ESMTP Merak 6.1.1; Mon, 15 Sep 2003 19:43:23 +0200 26 | # 220-mail.email-scan.com ESMTP 27 | # 220 smaug.dreamhost.com ESMTP 28 | # 220 kona.carleton.edu -- Server ESMTP (PMDF V6.2#30648) 29 | # 220 letra.reed.edu ESMTP Sendmail 8.12.9/8.12.9; Mon, 15 Sep 2003 10:35:57 -0700 (PDT) 30 | # 220-swan.mail.pas.earthlink.net ESMTP Exim 3.33 #1 Mon, 15 Sep 2003 10:32:15 -0700 31 | # 32 | # RFC examples: 33 | # 220 xyz.com Simple Mail Transfer Service Ready (RFC example) 34 | # 220 dbc.mtview.ca.us SMTP service ready 35 | -------------------------------------------------------------------------------- /pop3.pat: -------------------------------------------------------------------------------- 1 | # POP3 - Post Office Protocol version 3 (popular e-mail protocol) - RFC 1939 2 | # 3 | # This pattern has been tested somewhat. If it does not 4 | # work for you, or you believe it could be improved, please post to 5 | # l7-filter-developers@lists.sf.net . This list may be subscribed to at 6 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 7 | 8 | # this is a difficult protocol to match because of the relative lack of 9 | # distinguishing information. Read on. 10 | pop3 11 | 12 | # this the most conservative pattern. It should definitely work. 13 | #^(\+ok|-err) 14 | 15 | # this pattern assumes that the server says _something_ after +ok or -err 16 | # I think this is probably the way to go. 17 | ^(\+ok |-err ) 18 | 19 | # more that 90% of servers seem to say "pop" after "+ok", but not all. 20 | #^(\+ok .*pop) 21 | 22 | # Here's another tack. I think this is my second favorite. 23 | #^(\+ok [\x09-\x0d -~]*(ready|hello|pop|starting)|-err [\x09-\x0d -~]*(invalid|unknown|unimplemented|unrecognized|command)) 24 | 25 | # this matches the server saying "you have N messages that are M bytes", 26 | # which the client probably asks for early in the session (not tested) 27 | #\+ok [0-9]+ [0-9]+ 28 | 29 | # some sample servers: 30 | # RFC example: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us> 31 | # mail.dreamhost.com: +OK Hello there. 32 | # pop.carleton.edu: +OK POP3D(*) Server PMDFV6.2.2 at Fri, 12 Sep 2003 19:28:10 -0500 (CDT) (APOP disabled) 33 | # mail.earthlink.net: +OK NGPopper vEL_4_38 at earthlink.net ready <25509.1063412951@falcon> 34 | # *.email.umn.edu: +OK Cubic Circle's v1.22 1998/04/11 POP3 ready <7d1e0000da67623f@aquamarine.tc.umn.edu> 35 | # mail.yale.edu: +OK POP3 pantheon-po01 v2002.81 server ready 36 | # mail.gustavus.edu: +OK POP3 solen v2001.78 server ready 37 | # mail.reed.edu: +OK POP3 letra.reed.edu v2002.81 server ready 38 | # mail.bowdoin.edu: +OK mail.bowdoin.edu POP3 service (iPlanet Messaging Server 5.2 HotFix 1.15 (built Apr 28 2003)) 39 | # pop.colby.edu: +OK Qpopper (version 4.0.5) at basalt starting. 40 | # mail.mac.com: +OK Netscape Messaging Multiplexor ready 41 | 42 | # various error strings: 43 | #-ERR Invalid command. 44 | #-ERR invalid command 45 | #-ERR unimplemented 46 | #-ERR Invalid command, try one of: USER name, PASS string, QUIT 47 | #-ERR Unknown AUTHORIZATION state command 48 | #-ERR Unrecognized command 49 | #-ERR Unknown command: "sadf'". 50 | -------------------------------------------------------------------------------- /CHANGELOG: -------------------------------------------------------------------------------- 1 | 2014 06 18 2 | Added bitcoin block pattern (thanks to David Ehrmann) 3 | 4 | 2003 11 12 5 | Updated HOWTO to include Netfilter version, etc. 6 | Added comments regarding what I've learned from ipp2p (thanks to Eicke 7 | Friedrich) 8 | Added applejuice, quake1, quakeworld. 9 | Improved (fixed?) bittorent. 10 | 11 | 2003 10 24 12 | Reverted to single packet ftp pattern. Minor revisions to malware/* 13 | 14 | 2003 10 08 15 | Added eDonkey2000 pattern. Added file_type directory (with html, ogg, 16 | pdf, perl, ps, rpm, tar and rtf). Added malware directory (with Code Red 17 | and Nimda). 18 | 19 | 2003 09 26 20 | I need to remember to include http in all the releases! Sorry about that. 21 | Added jabber. 22 | 23 | 2003 09 24 24 | Added socks, nntp. 25 | 26 | 2003 09 22 27 | Releases from here on should only be used with >=0.3.0 of the kernel patch 28 | Some significant speed improvements (gopher is no longer slow enough to bring 29 | down the machine when searching large strings) and some small accuracy 30 | improvements. 31 | Moved winmx and gopher to weakpatterns. 32 | Added snmp, snmp-mon and snmp-trap 33 | 34 | 2003 09 19 35 | Added Samba, telnet. 36 | Added weakpatterns directory, which now contains mysql, finger, netbios. 37 | 38 | 2003 09 18 39 | Added directconnect. 40 | 41 | 2003 09 15 42 | Added biff. Fixed pop3 again. Improved SMTP. 43 | 44 | 2003 09 14 45 | Added rlogin. 46 | 47 | 2003 09 12 48 | Fixed pop3. Improved HTTP. 49 | 50 | 2003 09 10 51 | Added dns, gopher. 52 | 53 | 2003 09 05 54 | Improved x11, yahoo. Added bearshare. Changed all patterns to use \xHH 55 | notation instead of non-printable characters. This release, therefore, 56 | MUST be used only with version >= 0.2.0 of the kernel patch. 57 | 58 | 2003 08 28 59 | Added irc, ident, x11. Made a number of patterns more specific by adding 60 | a '^' at the beginning of the line. Could have also added some $s at the end 61 | of lines, but in anticipation of matching across packets, didn't. 62 | Improved HOWTO. 63 | 64 | 2003 08 21 65 | Added counterstrike, live365, pressplay, winmx. Fixed gkrellm. 66 | Fixed several patterns that used uppercase letters, which can't ever 67 | match. Will fix the kernel patch soon so that this doesn't matter. 68 | Got rid of the #s in files like this one. They were annoying. 69 | Just use "*.pat" in your scripts instead of "*". 70 | Added pattern writing HOWTO. 71 | 72 | 2003 08 19 73 | Fixed ftp. Added gkrellm. Simplified tftp. 74 | 75 | 2003 08 09 76 | Fixed dhcp. Added tftp. Improved aim. 77 | -------------------------------------------------------------------------------- /dns.pat: -------------------------------------------------------------------------------- 1 | # DNS - Domain Name System (RFC 1035) 2 | # 3 | # Please post to l7-filter-developers@lists.sf.net as to whether this pattern 4 | # works for you or not. If you believe it could be improved please post your 5 | # suggestions to that list as well. You may subscribe to this list at 6 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 7 | 8 | # While RFC 2181 says "Occasionally it is assumed that the Domain Name 9 | # System serves only the purpose of mapping Internet host names to data, 10 | # and mapping Internet addresses to host names. This is not correct, the 11 | # DNS is a general (if somewhat limited) hierarchical database, and can 12 | # store almost any kind of data, for almost any purpose.", we will assume 13 | # just that, because that represents the vast majority of DNS traffic. 14 | 15 | # The first thing that is matchable is QDCOUNT, the number of queries. 16 | # Despite the fact that you can apparently ask for up to 65535 17 | # things at a time, usually you only ask for one and I doubt you ever ask for 18 | # zero. Let's allow up to two, just in case (even though I can't find any 19 | # situation that generates more than one). 20 | 21 | # Next comes the ANCOUNT, NSCOUNT, and ARCOUNT fields, which could be null 22 | # or some smallish number, not matchable except by length (up to 6) 23 | 24 | # The next matchable thing is the query address. The first byte indicates 25 | # the length of the first part of the address, which is limited to 63 (0x3F). 26 | # The next byte has to be a letter. Then there can be an combination of 27 | # letters, digits, hyphens, and 0x01-0x3F. 28 | # Then we check for the presence of a top-level-domain at some later point. 29 | # This is indicated by a 0x02-0x06 and at least two letters, followed by no 30 | # more than four more letters. 31 | # Note that this will miss a very few queries that are for a TLD alone. 32 | # i.e. "host museum" (195.7.77.17) 33 | # 34 | # http://www.icann.org/tlds http://www.iana.org/cctld/cctld-whois.htm 35 | 36 | # next is the QTYPE field, which has valid values 1-16 (although this could 37 | # probably be restricted further since many are rare). It should follow 38 | # immediately after the TLD (and some stripped-out nulls) 39 | 40 | # next is QCLASS, which has valid values 1-4 and 255, except 2 is never used. 41 | # I'm not sure if 3 and 4 are used, so I'll include them. 1=Internet 255=any 42 | 43 | # If we wanted to match queries and responses separately, there could be 44 | # more specifics after this for the responses. 45 | 46 | dns 47 | # here's a sane way of doing it 48 | [\x01\x02].?.?.?.?.?.?[\x01-\x3F][a-z][\x01-\x3Fa-z]*[\x02-\x06][a-z][a-z][a-z]?[a-z]?[a-z]?[a-z]?[\x01-\x10][\x01\x03\x04\xFF] 49 | 50 | # If you have more processing power than me, you can substitute this for 51 | # the [a-z][a-z][a-z]?[a-z]?[a-z]?[a-z]? 52 | #(aero|biz|com|coop|edu|gov|info|int|mil|museum|name|net|org|pro|arpa|ac|ad|ae|af|ag|ai|al|am|an|ao|aq|ar|as|at|au|aw|az|ba|bb|bd|be|bf|bg|bh|bi|bj|bm|bn|bo|br|bs|bt|bv|bw|by|bz|ca|cc|cd|cf|cg|ch|ci|ck|cl|cm|cn|co|cr|cu|cv|cx|cy|cz|de|dj|dk|dm|do|dz|ec|ee|eg|eh|er|es|et|fi|fj|fk|fm|fo|fr|ga|gd|ge|gf|gg|gh|gi|gl|gm|gn|gp|gq|gr|gs|gt|gu|gw|gy|hk|hm|hn|hr|ht|hu|id|ie|il|im|in|io|iq|ir|is|it|je|jm|jo|jp|ke|kg|kh|ki|km|kn|kp|kr|kw|ky|kz|la|lb|lc|li|lk|lr|ls|lt|lu|lv|ly|ma|mc|md|mg|mh|mk|ml|mm|mn|mo|mp|mq|mr|ms|mt|mu|mv|mw|mx|my|mz|na|nc|ne|nf|ng|ni|nl|no|np|nr|nu|nz|om|pa|pe|pf|pg|ph|pk|pl|pm|pn|pr|ps|pt|pw|py|qa|re|ro|ru|rw|sa|sb|sc|sd|se|sg|sh|si|sj|sk|sl|sm|sn|so|sr|st|sv|sy|sz|tc|td|tf|tg|th|tj|tk|tm|tn|to|tp|tr|tt|tv|tw|tz|ua|ug|uk|um|us|uy|uz|va|vc|ve|vg|vi|vn|vu|wf|ws|ye|yt|yu|za|zm|zw) 53 | -------------------------------------------------------------------------------- /HOWTO: -------------------------------------------------------------------------------- 1 | Hello. This is a guide for writing patterns for l7-filter. 2 | 3 | *** File Format *** 4 | 5 | A pattern file consists of the name of the protocol on one line followed 6 | by a regular expression defining that protocol on one line. Lines 7 | starting with # and blank lines are ignored. At the moment, the name of the 8 | file must match the protocol defined in it. i.e. if the protocol is "ftp", 9 | the file must be called "ftp.pat". 10 | 11 | *** Regular Expressions *** 12 | 13 | At the moment, l7-filter uses V8 regular expresions (see 14 | http://www.hmug.org/man/3/regsub.html). In addition, we have added the 15 | capability to do perl-style hex matches using the \xHH notation (i.e. to 16 | match a tab, use \x09). Note that our regexps are more limited than the 17 | ones you may be used to (for instance, grep's). Notably, you CANNOT use 18 | bounds ("foo{3}" to match foofoofoo), character classes ("[[:punct:]]" 19 | to match any punctuation) or backreferences. 20 | 21 | If you want to check for printable characters, including whitespace, 22 | [\x09-\0d -~] is a reasonable way of doing it. 23 | 24 | l7-filter is case insensitive. Using upper case in your patterns is 25 | identical to using lower case. This is largly because our regexp 26 | implementation doesn't have a case-insensitivity flag. 27 | 28 | l7-filter strips out nulls (0x00 bytes) in the packets it reads so that 29 | it can treat them as normal C strings. Therefore, you can't match on 30 | nulls. Also, fields may appear shorter than expected. For example, if 31 | a protocol has a 4 byte field and any of those bytes can be null, the 32 | field can appear to be any length from 0 to 4. 33 | 34 | *** What The Classifier Sees *** 35 | 36 | If you have setup your computer as recommended, the data to be matched 37 | is that of both the client and the server, in the order that it passes 38 | through the computer. For instance, in FTP, the first thing the filter 39 | sees is "221 server ready", then "USER bob", then "331 send password", 40 | then "PASS frogbeard", and so on. 41 | 42 | At the moment, only the QoS version of l7-filter can match across 43 | packets. Therefore, if you are using the QoS version, both 44 | "220.*ftp|331.*password" and "220.*USER.*331" will match. If you are 45 | using the Netfilter version, only the first will match. Hopefully, 46 | cross-packet matching will be added to the Netfilter version soon. 47 | 48 | *** What Makes A Good Pattern *** 49 | 50 | There are two general guidelines: 51 | 52 | 1) A pattern must be neither too specific nor not specific enough. 53 | 54 | Example 1: The pattern "bear" for Bearshare is not specific enough. 55 | This pattern could match a wide variety of non-Bearshare connections. 56 | For instance a HTTP request for http://bear.com would be matched. 57 | 58 | Example 2: "220 .*ftp.*(\[.*\]|\(.*\))" for FTP is too specific. 59 | Not all servers send ()s or []s after their 220. In fact, servers 60 | are not even required to send the string "ftp" at any time, but the 61 | vast majority do. Good judgement and testing are necessary for 62 | instances such as this. 63 | 64 | 2) It should use a minimum of processing power. Thus, if it is possible 65 | to reduce the number of *'s, +'s and |'s in your pattern, you should do 66 | so. In particular, ".*" really slows things down. For instance, this 67 | pattern for gopher is bad. Its use causes very noticable slowdowns on 68 | my machine (i.e. everything locks up for 1 second or more). 69 | 70 | [1-9,\+TgI].*\x09.*\x09.*[a-z].*\..*[a-z][a-z]\x09[1-9] 71 | 72 | In fact, with versions 0.3.0 and forward of the kernel patch (which look 73 | at multiple packets at once), all those .*'s can be so slow as to make 74 | you have to reboot your machine. So be careful! This pattern is better, 75 | it makes some reasonable assumptions about what's likely to be in those 76 | freeform fields rather than being totally permissive: 77 | 78 | [1-9,\+TgI][\x09-\0d -~]*\x09[\x09-\0d -~]*\x09[a-z0-9\.]*\.[a-z][a-z].?.?\x09[1-9] 79 | 80 | Remember, if you're only expecting printable characters, don't use ".*", 81 | use "[\x09-\x0d -~]*"! 82 | 83 | The recommended procedure for writing packets is this: 84 | 85 | 1) Find and read the spec for the protocol you wish to match. If it's 86 | an Internet standard, http://rfc-editor.org is a good place to start, 87 | although not all standards are RFCs. If it is a proprietary protocol, 88 | it is likely that someone has written a reverse-engineered spec for it 89 | anyway. Do a general web search to find it. Skipping this step is a 90 | good way to write patterns that are overly specific! 91 | 92 | 2) Use Ethereal (http://www.ethereal.com/) to watch packets of this 93 | protocol go by in a typical session of its use. (If you failed to find 94 | a spec for your protocol, but Ethereal can parse it, reading the 95 | Ethereal source code may also be worth your time.) 96 | 97 | 3) Write a pattern that will reliably match one of the first few packets 98 | that are sent in your protocol. Test it. 99 | 100 | 4) Send your pattern to l7-filter-developers@lists.sf.net for it to be 101 | incorporated into the official pattern definitions. 102 | 103 | -------------------------------------------------------------------------------- /WANTED: -------------------------------------------------------------------------------- 1 | Please read HOWTO for information on writing patterns. 2 | 3 | Below is the list of protocols supported by the Packeteer, a commercial 4 | packet shaper. This list is taken from page 197 of 5 | http://www.packeteer.com/support/home/DSP/docs/archive/41manuals/refGuide/41.refguide.pdf 6 | 7 | If you can contribute knowledge to this list, please post to 8 | l7-filter-developers@lists.sf.net Subscribe at 9 | http://lists.sourceforge.net/lists/listinfo/l7-filter-developers 10 | 11 | done = Have a pattern for this 12 | want = Don't have a pattern for this (and want one) 13 | don't = Not a layer 7 protocol, or shouldn't be matched at layer 7 for some reason 14 | ? = We don't know well enough how this works to know what we should do 15 | 16 | ? ActiveX Microsoft's object-oriented program technologies and tools 17 | want AFP AppleTalk Filing Protocol (AppleShare IP) 18 | dont AppleTalk Apple's network protocol 19 | ? AURP AppleTalk Update-based Routing Protocol 20 | want Baan Baan enterprise management system 21 | want BackWeb(Polite) Push technology Polite BackWeb has an agent on the client to prevent BackWeb background traffic from interfering with other IP network applications 22 | ? BGP Border Gateway Protocol 23 | done Biff UNIX new mail notification 24 | ? CBT Core-based Trees (Multicast Routing Protocol) 25 | want ccMail cc:Mail email application 26 | ? CiscoDiscovery Cisco Router Discovery Protocol 27 | want Citrix Connectivity application that enables any type of client to access applications across any type of network connection. 28 | want Citrix-ICA Citrix ICA 29 | want Citrix-SB Citrix server browsing (UDP) 30 | ? Clarent-CC Clarent Voice over IP Command Center 31 | ? Clarent-Complex Clarent complex traffic 32 | ? Clarent-Mgmt Clarent management traffic 33 | ? Clarent-Voice-S Clarent voice traffic (simple) 34 | don't Client The client end of any connection (not auto-discovered) 35 | want CORBA CORBA Internet Inter-ORB Protocol (IIOP) 36 | ? CRS Microsoft Content Replication Service and Distributed Password Authentication (Membership Broker) 37 | ? CU-Dev Fujitsu Device Control (CU-DEV on TCP/IP) 38 | want CUSeeMe Internet telephone application service group 39 | want CUSeeMe-av Internet telephone audio/video 40 | want CUSeeMe-ce Internet telephone connection establishment 41 | want CUSeeMe-cl Internet telephone connection listener 42 | want DCOM Microsoft Distributed Component Object Model 43 | ? DECnet Digital Equipment Corporation's network protocol 44 | done DHCP Dynamic Host Configuration Protocol 45 | don't DHCP-C DHCP or BootP Client 46 | don't DHCP-S DHCP or BootP Server 47 | want DLS SNA and FNA over TCP transport--Service group classification of Data Link Switch traffic, both read and write port numbers 48 | ? DLS-RPN Data Link Switch Read Port Number 49 | ? DLS-WPN Data Link Switch Write Port Number 50 | done DNS Domain Name Service 51 | want Doom Doom, the game 52 | want DPA Microsoft's Distributed Password Authentication 53 | ? DRP DECnet Routing Protocol 54 | ? EGP Network Routing Information (Exterior Gateway Protocol) 55 | ? EIGRP Enhanced Interior Gateway Routing Protocol 56 | want FileMaker Pro Database Application 57 | done Finger Finger User Information Protocol 58 | want FIX Financial Information eXchange 59 | ? FNA Fujitsu Network Architecture (a variant of SNA) 60 | ? FNAonTCP-1 Transport Independent Convergence - FNA on TCP port 492 61 | ? FNAonTCP-2 Transport Independent Convergence - FNA on TCP port 493 62 | done FTP File Transfer Protocol service group classification--both FTP commands and data 63 | want FTP-Cmd File Transfer Protocol command channel 64 | want FTP-Data File Transfer Protocol data transfer channel 65 | done Gopher Search application 66 | don't GRE General Routing Encapsulation 67 | want Groupwise Novell Groupwise messaging system 68 | want Groupwise-MTA Novell Groupwise Message Transfer Agent 69 | want Groupwise-POA Novell Groupwise Post Office Agent 70 | want H.323 Internet telephony standard service group 71 | want H.323-GKD H.323 Gatekeeper Discovery 72 | want H.323-H.245 H.323 call control 73 | want H.323-Q.931 H.323 call setup 74 | want H.323-RAS H.323 Gatekeeper Control (Registration, Admission, and Status) 75 | done HTTP (Web) Web traffic--Hypertext Transport Protocol 76 | want I-Phone Phone service via the Internet 77 | don't ICMP Internet Control Message Protocol 78 | done Ident Identification Protocol 79 | don't IGMP Internet Group Management Protocol 80 | done IMAP Interactive Mail Access Protocol 81 | don't IP Internet Protocol (not auto-discovered) 82 | want? IPSec IP Security Encapsulation 83 | want? IPSec-AH IPSec Authentication Header 84 | want? IPSec-ESP IPSec Encapsulating Security Payload 85 | don't IPv6 Internet Protocol version 6 86 | don't IPX Novell's networking protocol 87 | done IRC Internet Relay Chat 88 | don't IRC-194 IRC on port 194 89 | don't IRC-6665 IRC on port 6665 (server to server) 90 | don't IRC-6667 IRC on port 6667 (client to server) 91 | ? ISAKMP ISAKMP/IKE key exchange 92 | want Kali Gaming Protocol 93 | want Kerberos Network Authentication Service (ticket granting and checking) 94 | want L2TP Level 2 Tunneling Protocol for VPN connections (UDP encapsulation) 95 | don't? LAT DEC Printer Support (Local Area Transport) 96 | want LDAP Lightweight Directory Access Protocol 97 | ? Lockd Lock Daemon 98 | want LotusNotes Groupware for collaborative communication 99 | want Marimba Marimba's Castanet push technology 100 | want Micom-VIP Micom Voice over IP (V/IP) 101 | want? MPEG-Audio Moving Picture Experts Group - Audio Streams 102 | want? MPEG-Video Moving Picture Experts Group - Video Streams 103 | ? MSSQ Microsoft Message Queue Traffic 104 | ? MSSQ-CQ MSSQ Client Queue 105 | ? MSSQ-IS MSSQ Information Store 106 | ? MSSQ-Ping MSSQ Ping Mechanism 107 | ? MSSQ-QMT MSSQ Queue Manager Traffic 108 | ? MSSQ-SQ MSSQ Server Queue 109 | want MS-SQL Service group for both Microsoft SQL Mon and Server traffic 110 | want MS-SQL-Mon Microsoft SQL Monitor 111 | want MS-SQL-Server Microsoft Structured Query Language (SQL) Server 112 | ? NetBEUI Service group for NetBEUI--Network protocol for PCs 113 | done? NetBIOS-IP NetBIOS over IP 114 | done? NetBIOS-IP-DGM NetBIOS Datagram Service 115 | done NetBIOS-IP-NS NetBIOS Name Service 116 | done NetBIOS-IP-SSN NetBIOS Session Service 117 | want NFS Network File System (both TCP and UDP) 118 | want NNTP (News) Network News Transfer Protocol 119 | want NTP Network Time Protocol 120 | want NW5-CMD Netware 5 - Compatibility Mode Drivers service group 121 | want? NW5-CMD-TCP Netware 5 - Compatibility Mode Drivers over TCP 122 | want? NW5-CMD-UDP Netware 5 - Compatibility Mode Drivers over UDP 123 | want NW5-NCP Netware 5 Core Protocol 124 | ? OpenConnect-JCP Browser-based access to host applications 125 | want Oracle Database application 126 | want OracleClient Oracle Java client (Webforms) 127 | want Oracle-netv1 Oracle SQL*Net v1 128 | want Oracle-netv2 Oracle SQL*Net v2 129 | want Oracle 8i Oracle 8i by database name 130 | want OSI OSI over TCP (RFC2126), e.g., Microsoft Exchange X.400 131 | ? OSPF Network Routing Information (Open Shortest-Path First) 132 | want pcAnywhere Remote management collaboration tool 133 | want pcAnywhere-D pcAnywhere data 134 | want pcAnywhere-OD pcAnywhere data (old port) 135 | want pcAnywhere-OS pcAnywhere status (old port) 136 | want pcAnywhere-S pcAnywhere status 137 | ? PIM Protocol-Independent Multicast Routing Protocol 138 | want PointCast Push technology application 139 | done POP3 (Mail) Post office protocol for email 140 | want PPTP Point-to-Point Tunneling Protocol 141 | want Printer UNIX line printer spooler (LPR) 142 | want Quake Quake, the game 143 | want Quake-A Quake 1 144 | want Quake-B Quake 2 145 | want Quake-II-TCP Quake over TCP 146 | want Quake-II-UDP Quake over UDP 147 | want RADIUS Service group for Remote Authentication Dial-in Service 148 | want RADIUS-Acct RADIUS accounting service 149 | want RADIUS-Auth RADIUS authentication service 150 | ? RARP Reverse Address Resolution Protocol 151 | ? RC5DES DES (data encryption standard) encryption-cracking application 152 | want RDP Remote Desktop Protocol--Microsoft's Windows Terminal Server 153 | want RealAudio Service group for RealAudio streaming audio/video application--both TCP and UDP 154 | want RealAudio-TCP Streaming audio/video application TCP channel 155 | want RealAudio-UDP Streaming audio/video application UDP channel 156 | want REXEC UNIX remote execution protocol 157 | want RIP Routing Information Protocol (UDP) 158 | want rlogin Remote login 159 | ? RTCP-B Real-time control protocol (broadcast) 160 | ? RTCP-I Real-time control protocol (interactive) 161 | ? RTP-B Real-time protocol (broadcast) 162 | ? RTP-I Real-time protocol (interactive) 163 | done RTSP Real-time Streaming Protocol 164 | want? rwho Reports current users for all hosts on the local network 165 | want SHOUTcast Streaming audio 166 | want SLP Service Location Protocol 167 | want SMS Microsoft SMS (Systems Management Server) Help Desk 168 | want SMS-Auth Microsoft SMS authentication 169 | want SMS-Chat Microsoft SMS remote chat 170 | want SMS-File Microsoft SMS file transfer 171 | want SMS-RC Microsoft SMS remote control 172 | done SMTP (Mail) Simple Mail Transfer Protocol 173 | want SNA IBM's Systems Network Architecture protocol 174 | done SNMP Service group for both Simple Network Management Protocol monitor and traps 175 | done SNMP Mon Simple Network Management Protocol monitor 176 | done SNMP Trap Simple Network Management Protocol traps 177 | done SOCKS SOCKS Proxy Protocol 178 | ? Spanning Tree IEEE802.1 Bridge Spanning Tree 179 | done SSH Secure shell remote login protocol 180 | done SSL Secure Sockets Layer protocol 181 | ? ST2 Internet Stream Protocol, version 2 182 | ? StreamWorks StreamWorks Audio and Video 183 | want SunRPC Sun's Remote Procedure Calls (UDP) 184 | want Syslog UNIX System Logging 185 | ? T.120 Collaboration application 186 | ? TACACS Login host protocol 187 | don't TCP Transmission Control Protocol--all Internet TCP traffic (not auto-discovered) 188 | done Telnet Network terminal protocol 189 | done TFTP Trivial File Transfer Protocol 190 | want Timbuktu Timbuktu Pro service group; networked remote control application 191 | want Timbuktu-ctl Timbuktu Control Channel 192 | want Timbuktu-hs Timbuktu Handshaking 193 | want Timbuktu-obs Timbuktu Observe Channel 194 | want Timbuktu-snd Timbuktu Send Channel 195 | want Timbuktu-xch Timbuktu Exchange Channel 196 | ? TN3270 Telnet for IBM 3270 terminals and 3270 emulation 197 | ? TN3287 IBM 3270 print traffic (TN3287 extensions) 198 | ? TN5250 IBM 5250 terminal traffic over Telnet 199 | ? TN5250p IBM 5250 print traffic over Telnet 200 | don't UDP User Datagram Protocol--all Internet UDP traffic (not auto-discovered) 201 | want UUCP Unix-to-Unix Copy Protocol 202 | want VDOPhone Service group for Internet telephone application (not auto-discovered) 203 | want VDOPhone-a Internet telephone application--TCP port 1 (not auto-discovered) 204 | want VDOPhone-b Internet telephone application--TCP port 2 (not auto-discovered) 205 | want VDOPhone-UDP VDOPhone real-time media (not auto-discovered) 206 | want Whois Application that identifies the owner of a domain name 207 | want WindowsMedia Microsoft Windows Media Player 208 | want WindowsMedia-T Windows Media Streaming over TCP 209 | want WindowsMedia-U Windows Media Streaming over UDP 210 | want WINS Windows Internet Name Service 211 | want XWindows X11 Windowing agent (UDP) 212 | want XWindows-DM XWindows Display Manager (XDMCP) 213 | want XWindows-S XWindows Server 214 | done YahooMsg Yahoo! Messenger 215 | 216 | 217 | Here are some additional patterns that we'd like to have: 218 | 219 | Gadu-gadu - a popular Polish instant messenger protocol (so I'm told) 220 | Zephyr - an instant messanger 221 | 222 | 223 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc. 5 | 675 Mass Ave, Cambridge, MA 02139, USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Library General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. (This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | Appendix: How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 292 | 293 | 294 | Copyright (C) 19yy 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 305 | 306 | You should have received a copy of the GNU General Public License 307 | along with this program; if not, write to the Free Software 308 | Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 309 | 310 | Also add information on how to contact you by electronic and paper mail. 311 | 312 | If the program is interactive, make it output a short notice like this 313 | when it starts in an interactive mode: 314 | 315 | Gnomovision version 69, Copyright (C) 19yy name of author 316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 317 | This is free software, and you are welcome to redistribute it 318 | under certain conditions; type `show c' for details. 319 | 320 | The hypothetical commands `show w' and `show c' should show the appropriate 321 | parts of the General Public License. Of course, the commands you use may 322 | be called something other than `show w' and `show c'; they could even be 323 | mouse-clicks or menu items--whatever suits your program. 324 | 325 | You should also get your employer (if you work as a programmer) or your 326 | school, if any, to sign a "copyright disclaimer" for the program, if 327 | necessary. Here is a sample; alter the names: 328 | 329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 331 | 332 | , 1 April 1989 333 | Ty Coon, President of Vice 334 | 335 | This General Public License does not permit incorporating your program into 336 | proprietary programs. If your program is a subroutine library, you may 337 | consider it more useful to permit linking proprietary applications with the 338 | library. If this is what you want to do, use the GNU Library General 339 | Public License instead of this License. 340 | --------------------------------------------------------------------------------