update stripped subset of l7 patterns to 11-03-2007 patterns
SVN-Revision: 9582
v19.07.3_mercusys_ac12_duma
parent c439768c9a
commit 85b17a4e9e
@ -1,14 +1,27 @@
|
||||
# Bittorrent - P2P filesharing / publishing tool - http://www.bittorrent.com
|
||||
# Pattern quality: great veryfast
|
||||
# Pattern attributes: good slow notsofast undermatch
|
||||
# Protocol groups: p2p open_source
|
||||
# Wiki: http://www.protocolinfo.org/wiki/Bittorrent
|
||||
#
|
||||
# This pattern has been tested and is believed to work well. If it does not
|
||||
# work for you, or you believe it could be improved, please post to
|
||||
# l7-filter-developers@lists.sf.net . This list may be subscribed to at
|
||||
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
|
||||
# This pattern has been tested and is believed to work well.
|
||||
# It will, however, not work on bittorrent streams that are encrypted, since
|
||||
# it's impossible to match encrypted data (unless the encryption is extremely
|
||||
# weak, like rot13 or something...).
|
||||
|
||||
bittorrent
|
||||
|
||||
# Does not attempt to match the HTTP download of the tracker
|
||||
# 0x13 is the length of "bittorrent protocol"
|
||||
# Second two bits match UDP wierdness, commented out until it's tested
|
||||
#^(\x13bittorrent protocol|d1:ad2:id20:|\x08'7P\)[RP])
|
||||
^\x13bittorrent protocol
|
||||
# Second two bits match UDP wierdness
|
||||
# Next bit matches something Azureus does
|
||||
# Ditto on the next bit. Could also match on "user-agent: azureus", but that's in the next
|
||||
# packet and perhaps this will match multiple clients.
|
||||
|
||||
# Recently the ^ was removed from before \x13. I think this was an accident,
|
||||
# so I have restored it.
|
||||
|
||||
# This is not a valid GNU basic regular expression (but that's ok).
|
||||
^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=)|d1:ad2:id20:|\x08'7P\)[RP]
|
||||
|
||||
# This pattern is "fast", but won't catch as much
|
||||
#^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=)
|
||||
|
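Review bot: In the long active pattern, `d1:ad2:id20:` and `\x08'7P\)[RP]` sit outside the `^( ... )` group, so they are unanchored and are tried at every offset, while the note about restoring `^` only covers the first three alternatives. If that is deliberate (the header does mark the pattern "slow" and a "fast" variant is offered), say so next to the pattern; otherwise move them inside the group. The earlier comment described these two UDP alternatives as "commented out until it's tested", and the comment that replaces it drops the caveat without saying they were tested. The per-alternative comments ("Second two bits", "Next bit", "Ditto on the next bit") also no longer follow the order of the alternatives in the regex, and the "undermatch" attribute is worth rechecking, since short unanchored literals tend towards overmatching.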
@ -1,8 +0,0 @@
|
||||
# eDonkey2000 - P2P filesharing (download part) - http://edonkey2000.com
|
||||
# Pattern quality: good veryfast overmatch usepacket
|
||||
|
||||
edonkey-dl
|
||||
|
||||
^[\xe3\xe4\xc5\xe5\xd4](....)?[\x01\x0a\x0e\x0f\x10\x18\x19\x1b\x1c\x47\x4a\x4f\x51\x53\x54\x58\x60\x81\x90\x96\x9a\x9c\xa2]
|
||||
|
||||
|
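Review bot: The `-1,8 +0,0` header means the file defining `edonkey-dl` is deleted outright, but the commit message only says the pattern subset is updated. Name the removal in the commit message and state what, if anything, replaces it, because any existing rule that refers to `edonkey-dl` by name would be left without a pattern. The deleted header marks the pattern "overmatch"; if that is the reason for dropping it, record it.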
@ -1,15 +1,27 @@
|
||||
# MSN Messenger - Microsoft Network chat client
|
||||
# Pattern quality: good veryfast
|
||||
# Pattern attributes: good slow notsofast
|
||||
# Protocol groups: chat proprietary
|
||||
# Wiki: http://www.protocolinfo.org/wiki/MSN_Messenger
|
||||
#
|
||||
# Usually uses port 1863
|
||||
# Usually uses TCP port 1863
|
||||
# http://www.hypothetic.org/docs/msn/index.php
|
||||
# http://msnpiki.msnfanatic.com/
|
||||
#
|
||||
# This pattern has been tested and is believed to work well. If it does not
|
||||
# work for you, or you believe it could be improved, please post to
|
||||
# l7-filter-developers@lists.sf.net . This list may be subscribed to at
|
||||
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
|
||||
# This pattern has been tested and is believed to work well.
|
||||
|
||||
msnmessenger
|
||||
# ver: allow versions up to 99.
|
||||
# usr (in case ver didn't work):
|
||||
^(ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]* cvr|usr md5 i [ -~]*)
|
||||
|
||||
# First branch: login
|
||||
# ver: allow versions up to 99.
|
||||
# I've never seen a cvr other than cvr0. Maybe this will be trouble later?
|
||||
# Can't anchor at the beginning because sometimes this is encapsulated in
|
||||
# HTTP. But either way, the first packet ends like this.
|
||||
# Second/Third branches: accepting/sending a message
|
||||
# I will assume that these can also be encapsulated in HTTP, although I have
|
||||
# not checked. Example of each direction:
|
||||
# ANS 1 quadong@hotmail.com 1139803431.29427 17522047
|
||||
# USR 1 quadong@hotmail.com 530423708.968145.366138
|
||||
|
||||
# Branches are written entirely separately for better performance.
|
||||
ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]*cvr0\x0d\x0a$|usr 1 [!-~]+ [0-9. ]+\x0d\x0a$|ans 1 [!-~]+ [0-9. ]+\x0d\x0a$
|
||||
|
||||
|
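Review bot: The new pattern drops the leading `^` from all three branches, but the comments only justify that for the login branch; for the `usr 1` and `ans 1` branches the HTTP encapsulation is an assumption ("although I have not checked"). Either verify that case or keep those two branches anchored until it is, since an unanchored `usr 1 [!-~]+ [0-9. ]+\x0d\x0a$` relies only on the trailing `$` to limit matches, and the attributes line does not mention overmatch. The login branch now requires the literal `cvr0`, which the comment itself flags as a possible problem; matching `cvr[0-9]+` would remove that doubt. Both branches also hard-code the `1` shown in the two examples, so the comment should say the match is only expected on the first message. Consider replacing the real-looking address in the example lines with a placeholder such as `user@example.com`.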
@ -1,15 +1,15 @@
|
||||
# SSL and TLS - Secure Socket Layer / Transport Layer Security - RFC 2246
|
||||
# Pattern quality: good fast
|
||||
# Pattern attributes: good notsofast fast superset
|
||||
# Protocol groups: secure ietf_proposed_standard
|
||||
# Wiki: http://www.protocolinfo.org/wiki/SSL
|
||||
#
|
||||
# Usually runs on port 443
|
||||
#
|
||||
# This is a superset validcertssl. For it to match, it must be first.
|
||||
# This is a superset of validcertssl. For it to match, it must be first.
|
||||
#
|
||||
# This pattern has been tested and is believed to work well. If it does not
|
||||
# work for you, or you believe it could be improved, please post to
|
||||
# l7-filter-developers@lists.sf.net . This list may be subscribed to at
|
||||
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
|
||||
# This pattern has been tested and is believed to work well.
|
||||
|
||||
ssl
|
||||
# Client Hello | Server Hello with certificate
|
||||
# Server Hello with certificate | Client Hello
|
||||
# This allows SSL 3.X, which includes TLS 1.0, known internally as SSL 3.1
|
||||
^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b)
|
||||
|
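Review bot: Only comments differ in this hunk, and the regex is left without any explanation of its second branch: in `.?.?\x01\x03\x01?.*\x0b` the trailing `\x0b` follows `.*`, so any later 0x0b byte in the buffer satisfies it. Add a comment saying what that byte is meant to be. Since `\x01?` is optional, the remark "This allows SSL 3.X" should also say which branch it describes. Of the two branch-order comments, "Server Hello with certificate | Client Hello" is the one that matches the order of the alternatives, so make sure that is the version kept. For consistency with the msnmessenger file, "Usually runs on port 443" could read "TCP port 443".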