update stripped subset of l7 patterns to 11-03-2007 patterns

SVN-Revision: 9582

package/iptables/files/l7/aim.pat

@@ -1,16 +1,16 @@
 # AIM - AOL instant messenger (OSCAR and TOC)
-# Pattern quality: good notsofast
+# Pattern attributes: good slow notsofast
+# Protocol groups: chat proprietary
+# Wiki: http://www.protocolinfo.org/wiki/AIM
+#
 # Usually runs on port 5190
 #
 # This may also match ICQ traffic.
 # 
-# This pattern has been tested and is believed to work well.  If it does not
-# work for you, or you believe it could be improved, please post to 
-# l7-filter-developers@lists.sf.net .  This list may be subscribed to at
-# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+# This pattern has been tested and is believed to work well.
 
 aim
-# See http://gridley.acns.carleton.edu/~straitm/final (and various other places)
+# See http://gridley.res.carleton.edu/~straitm/final (and various other places)
 # The first bit matches OSCAR signon and data commands, but not sure what
 # \x03\x0b matches, but it works apparently.
 # The next three bits match various parts of the TOC signon process.

package/iptables/files/l7/bittorrent.pat

@@ -1,14 +1,27 @@
 # Bittorrent - P2P filesharing / publishing tool - http://www.bittorrent.com
-# Pattern quality: great veryfast
+# Pattern attributes: good slow notsofast undermatch
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/Bittorrent
 #
-# This pattern has been tested and is believed to work well.  If it does not
-# work for you, or you believe it could be improved, please post to 
-# l7-filter-developers@lists.sf.net .  This list may be subscribed to at
-# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+# This pattern has been tested and is believed to work well.
+# It will, however, not work on bittorrent streams that are encrypted, since
+# it's impossible to match encrypted data (unless the encryption is extremely 
+# weak, like rot13 or something...).
+
 bittorrent
 
 # Does not attempt to match the HTTP download of the tracker
 # 0x13 is the length of "bittorrent protocol"
-# Second two bits match UDP wierdness, commented out until it's tested
-#^(\x13bittorrent protocol|d1:ad2:id20:|\x08'7P\)[RP])
-^\x13bittorrent protocol
+# Second two bits match UDP wierdness
+# Next bit matches something Azureus does
+# Ditto on the next bit.  Could also match on "user-agent: azureus", but that's in the next
+# packet and perhaps this will match multiple clients.
+
+# Recently the ^ was removed from before \x13.  I think this was an accident,
+# so I have restored it.
+
+# This is not a valid GNU basic regular expression (but that's ok).
+^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=)|d1:ad2:id20:|\x08'7P\)[RP]
+
+# This pattern is "fast", but won't catch as much
+#^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=)

package/iptables/files/l7/edonkey-dl.pat

@@ -1,8 +0,0 @@
-# eDonkey2000 - P2P filesharing (download part) - http://edonkey2000.com
-# Pattern quality: good veryfast overmatch usepacket
-
-edonkey-dl
-
-^[\xe3\xe4\xc5\xe5\xd4](....)?[\x01\x0a\x0e\x0f\x10\x18\x19\x1b\x1c\x47\x4a\x4f\x51\x53\x54\x58\x60\x81\x90\x96\x9a\x9c\xa2]
-
-

package/iptables/files/l7/edonkey.pat

@@ -1,10 +1,14 @@
-# eDonkey2000 - P2P filesharing - http://edonkey2000.com
-# Pattern quality: good veryfast overmatch
+# eDonkey2000 - P2P filesharing - http://edonkey2000.com and others
+# Pattern attributes: good veryfast fast overmatch
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/EDonkey
 #
-# Please post to l7-filter-developers@lists.sf.net as to whether this pattern 
-# works for you or not.  If you believe it could be improved please post your 
-# suggestions to that list as well. You may subscribe to this list at 
-# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+# Tested recently (April/May 2006) with eMule 0.47a and eDonkey2000 1.4
+# and a long time ago with something else. 
+# 
+# In addition to matching what you might expect, this matches much of
+# what eMule does when you tell it to only connect to the KAD network. 
+# I don't quite know what to make of this.
 
 # Thanks to Matt Skidmore <fox AT woozle.org>
 
@@ -12,12 +16,15 @@ edonkey
 
 # http://gd.tuwien.ac.at/opsys/linux/sf/p/pdonkey/eDonkey-protocol-0.6
 #
-# In addition to \xe3, \xc5 and \xd4, I see a lot of \xe5
+# In addition to \xe3, \xc5 and \xd4, I see a lot of \xe5.
+# As of April 2006, I also see some \xe4.
 #
 # God this is a mess.  What an irritating protocol.  
-# This will match about 1% of streams with random data in them!
+# This will match about 2% of streams with random data in them!
+# (But fortunately much fewer than 2% of streams that are other protocols.
+# You can test this with the data in ../testing/)
 
-^[\xe3\xc5\xe5\xd4](....)?([\x01\x02\x05\x14\x15\x16\x18\x19\x1a\x1b\x1c\x20\x21\x32\x33\x34\x35\x36\x38\x40\x41\x42\x43\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x5b\x5c\x60\x81\x82\x90\x91\x93\x96\x97\x98\x99\x9a\x9b\x9c\x9e\xa0\xa1\xa2\xa3\xa4]|\x59................?[ -~]|\x96....$)
+^[\xc5\xd4\xe3-\xe5].?.?.?.?([\x01\x02\x05\x14\x15\x16\x18\x19\x1a\x1b\x1c\x20\x21\x32\x33\x34\x35\x36\x38\x40\x41\x42\x43\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58[\x60\x81\x82\x90\x91\x93\x96\x97\x98\x99\x9a\x9b\x9c\x9e\xa0\xa1\xa2\xa3\xa4]|\x59................?[ -~]|\x96....$)
 
 # matches everything and too much 
 # ^(\xe3|\xc5|\xd4)

package/iptables/files/l7/fasttrack.pat

@@ -1,15 +1,12 @@
 # FastTrack - P2P filesharing (Kazaa, Morpheus, iMesh, Grokster, etc)
-# Pattern quality: good notsofast
+# Pattern attributes: good slow notsofast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Fasttrack
 #
 # Tested with Kazaa Lite Resurrection 0.0.7.6F
 #
 # This appears to match the download connections well, but not the search
 # connections (I think they are encrypted :-( ).
-#
-# Please post to l7-filter-developers@lists.sf.net as to whether it works 
-# for you or not.  If you believe it could be improved please post your 
-# suggestions to that list as well. You may subscribe to this list at 
-# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
 
 fasttrack
 # while this is a valid http request, this will be caught because

package/iptables/files/l7/ftp.pat

@@ -1,30 +1,41 @@
 # FTP - File Transfer Protocol - RFC 959
-# Pattern quality: great fast
+# Pattern attributes: great notsofast fast
+# Protocol groups: document_retrieval ietf_internet_standard
+# Wiki: http://protocolinfo.org/wiki/FTP
 #
 # Usually runs on port 21.  Note that the data stream is on a dynamically
 # assigned port, which means that you will need the FTP connection 
 # tracking module in your kernel to usefully match FTP data transfers.
 # 
-# This pattern is well tested.  If it does not
-# work for you, or you believe it could be improved, please post to 
-# l7-filter-developers@lists.sf.net .  This list may be subscribed to at
-# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+# This pattern is well tested.
 #
-# Matches the first two things a server should say.  Most servers say 
-# something after 220, even though they don't have to, and it usually
-# includes the string "ftp" (l7-filter is case insensitive).
-# This includes proftpd, vsftpd, wuftpd, warftpd, pureftpd, Bulletproof 
-# FTP Server, and whatever ftp.microsoft.com uses.  Just in case, the next 
-# thing the server sends is a 331.  All the above servers also send 
-# something including "password" after this code.
+# Handles the first two things a server should say:
+#
+# First, the server says it's ready by sending "220".  Most servers say 
+# something after 220, even though they don't have to, and it usually 
+# includes the string "ftp" (l7-filter is case insensitive). This 
+# includes proftpd, vsftpd, wuftpd, warftpd, pureftpd, Bulletproof FTP 
+# Server, and whatever ftp.microsoft.com uses.  Almost all servers use only 
+# ASCII printable characters between the "220" and the "FTP", but non-English
+# ones might use others.
+# 
+# The next thing the server sends is a 331.  All the above servers also 
+# send something including "password" after this code.  By default, we 
+# do not match on this because it takes another packet and is more work 
+# for regexec.
+
 ftp
-# actually, let's just do the first for now, it's faster
+# by default, we allow only ASCII
 ^220[\x09-\x0d -~]*ftp
 
-# This is ~10x faster if the stream starts with "220"
+# This covers UTF-8 as well 
+#^220[\x09-\x0d -~\x80-\xfd]*ftp
+
+# This allows any characters and is about 4x faster than either of the above 
+# (which are about the same as each other)
 #^220.*ftp
 
-# This will match more, but much slower
+# This is much slower
 #^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*password
 
 # This pattern is more precise, but takes longer to match. (3 packets vs. 1)

package/iptables/files/l7/gnutella.pat

@@ -1,17 +1,14 @@
 # Gnutella - P2P filesharing
-# Pattern quality: good fast
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/Gnutella
 #
 # This should match both Gnutella and "Gnutella2" ("Mike's protocol")
 # 
 # Various clients use this protocol including Mactella, Shareaza,
-# GTK-gnutella, Gnucleus, Gnotella, LimeWire, BearShare, and iMesh.
+# GTK-gnutella, Gnucleus, Gnotella, LimeWire, iMesh and BearShare.
 # 
 # This is tested with gtk-gnutella and Shareaza.
-#
-# Please report on how this pattern works for you at
-# l7-filter-developers@lists.sf.net .  If you can improve on this
-# pattern, please also post to that list. You may subscribe at
-# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
 
 # http://www.gnutella2.com/tiki-index.php?page=UDP%20Transceiver
 # http://rfc-gnutella.sf.net/
@@ -28,7 +25,7 @@ gnutella
 # document based.  Assumes version is between 0.0 and 2.9. (usually is
 # 0.4 or 0.6).  I'm guessing at many of the user-agents.
 # The last bit is emprical and probably only matches Limewire.
-^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|..................lime)
+^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|...................?lime)
 
 # Needlessly precise, at the expense of time
 #^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /[\x09-\x0d -~]*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /[\x09-\x0d -~]*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella[\x09-\x0d -~]*content-type: application/x-gnutella|..................lime)

package/iptables/files/l7/http.pat

@@ -1,17 +1,16 @@
 # HTTP - HyperText Transfer Protocol - RFC 2616
-# Pattern quality: great notsofast
+# Pattern attributes: great slow notsofast superset
+# Protocol groups: document_retrieval ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+#
 # Usually runs on port 80
 #
-# This pattern has been tested and is believed to work well.  If it does not
-# work for you, or you believe it could be improved, please post to 
-# l7-filter-developers@lists.sf.net .  This list may be subscribed to at
-# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+# This pattern has been tested and is believed to work well.
 #
-# this intentionally catches the response from the server
-# rather than the request so that other protocols which use
-# http (like kazaa) can be caught based on specific http requests
-# regardless of the ordering of filters...
-# also matches posts
+# this intentionally catches the response from the server rather than
+# the request so that other protocols which use http (like kazaa) can be
+# caught based on specific http requests regardless of the ordering of
+# filters... also matches posts
 
 # Sites that serve really long cookies may break this by pushing the
 # server response too far away from the beginning of the connection. To

package/iptables/files/l7/ident.pat

@@ -1,11 +1,11 @@
 # Ident - Identification Protocol - RFC 1413
-# Pattern quality: good veryfast
+# Pattern attributes: good fast fast
+# Protocol groups: networking ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/Ident
+#
 # Usually runs on port 113
 #
-# This pattern is believed to work.  If it does not
-# work for you, or you believe it could be improved, please post to 
-# l7-filter-developers@lists.sf.net .  This list may be subscribed to at
-# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+# This pattern is believed to work.
 
 ident
 # "number , numberCRLF" possibly without the CR and/or LF.

package/iptables/files/l7/irc.pat

@@ -1,5 +1,7 @@
 # IRC - Internet Relay Chat - RFC 1459
-# Pattern quality: good veryfast
+# Pattern attributes: great veryfast fast
+# Protocol groups: chat ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/IRC
 #
 # Usually runs on port 6666 or 6667
 # Note that chat traffic runs on these ports, but IRC-DCC traffic (which
@@ -7,10 +9,7 @@
 # must have the IRC connection tracking module in your kernel to classify
 # this.
 #
-# This pattern has been tested and is believed to work well.  If it does not
-# work for you, or you believe it could be improved, please post to 
-# l7-filter-developers@lists.sf.net .  This list may be subscribed to at
-# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+# This pattern has been tested and is believed to work well.
 
 irc
 # First thing that happens is that the client sends NICK and USER, in 

package/iptables/files/l7/jabber.pat

@@ -1,11 +1,10 @@
-# Jabber (XMPP) - an open instant messenger protocol - http://jabber.org
-# Pattern quality: good fast
+# Jabber (XMPP) - open instant messenger protocol - RFC 3920 - http://jabber.org
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: chat ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/Jabber
 #
 # This pattern has been tested with Gaim and Gabber.  It is only tested 
-# with non-SSL mode Jabber with no proxies.  If it does not
-# work for you, or you believe it could be improved, please post to 
-# l7-filter-developers@lists.sf.net .  This list may be subscribed to at
-# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+# with non-SSL mode Jabber with no proxies.
 
 # Thanks to Jan Hudec for some improvements.
 

package/iptables/files/l7/msnmessenger.pat

@@ -1,15 +1,27 @@
 # MSN Messenger - Microsoft Network chat client
-# Pattern quality: good veryfast
+# Pattern attributes: good slow notsofast
+# Protocol groups: chat proprietary
+# Wiki: http://www.protocolinfo.org/wiki/MSN_Messenger
 #
-# Usually uses port 1863
+# Usually uses TCP port 1863
 # http://www.hypothetic.org/docs/msn/index.php
+# http://msnpiki.msnfanatic.com/
 #
-# This pattern has been tested and is believed to work well.  If it does not
-# work for you, or you believe it could be improved, please post to 
-# l7-filter-developers@lists.sf.net .  This list may be subscribed to at
-# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+# This pattern has been tested and is believed to work well.
 
 msnmessenger
-# ver: allow versions up to 99.
-# usr (in case ver didn't work):  
-^(ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]* cvr|usr md5 i [ -~]*)
+
+# First branch: login
+#   ver: allow versions up to 99.
+#   I've never seen a cvr other than cvr0.  Maybe this will be trouble later?
+#   Can't anchor at the beginning because sometimes this is encapsulated in
+#   HTTP.  But either way, the first packet ends like this.
+# Second/Third branches: accepting/sending a message
+#   I will assume that these can also be encapsulated in HTTP, although I have
+#   not checked.  Example of each direction:
+#   ANS 1 quadong@hotmail.com 1139803431.29427 17522047
+#   USR 1 quadong@hotmail.com 530423708.968145.366138
+
+# Branches are written entirely separately for better performance.
+ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]*cvr0\x0d\x0a$|usr 1 [!-~]+ [0-9. ]+\x0d\x0a$|ans 1 [!-~]+ [0-9. ]+\x0d\x0a$
+

package/iptables/files/l7/ntp.pat

@@ -1,10 +1,9 @@
 # (S)NTP - (Simple) Network Time Protocol - RFCs 1305 and 2030
-# Pattern quality: good veryfast overmatch 
+# Pattern attributes: good fast fast overmatch 
+# Protocol groups: time_synchronization ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/NTP
 #
-# This pattern is tested and is believed to work. If this does not work
-# for you, or you believe it could be improved, please post to
-# l7-filter-developers@lists.sf.net .  Subscribe at
-# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+# This pattern is tested and is believed to work.
 
 # client|server
 # Requires the server's timestamp to be in the present or future (of 2005).

package/iptables/files/l7/pop3.pat

@@ -1,10 +1,9 @@
 # POP3 - Post Office Protocol version 3 (popular e-mail protocol) - RFC 1939
-# Pattern quality: good veryfast
+# Pattern attributes: great veryfast fast
+# Protocol groups: mail ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/POP
 #
-# This pattern has been tested somewhat.  If it does not
-# work for you, or you believe it could be improved, please post to 
-# l7-filter-developers@lists.sf.net .  This list may be subscribed to at
-# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+# This pattern has been tested somewhat.
 
 # this is a difficult protocol to match because of the relative lack of 
 # distinguishing information.  Read on.

package/iptables/files/l7/smtp.pat

@@ -1,22 +1,17 @@
 # SMTP - Simple Mail Transfer Protocol - RFC 2821 (See also RFC 1869)
-# Pattern quality: great fast
+# Pattern attributes: great notsofast fast
+# Protocol groups: mail ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/SMTP
+#
 # usually runs on port 25
 # 
-# This pattern has been tested and is believed to work well.  If it does not
-# work for you, or you believe it could be improved, please post to 
-# l7-filter-developers@lists.sf.net .  This list may be subscribed to at
-# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+# This pattern has been tested and is believed to work well.
 
-smtp
 # As usual, no text is required after "220", but all known servers have some
 # there.  It (almost?) always has string "smtp" in it.  The RFC examples
 # does not, so we match those too, just in case anyone has copied them 
 # literally.
-^220[\x09-\x0d -~]* (e?smtp|simple mail)
-
-# This is ~3x faster if the stream starts with "220" 
-#^220.* (e?smtp|simple mail)
-
+#
 # Some examples:
 # 220 mail.stalker.com ESMTP CommuniGate Pro 4.1.3
 # 220 mail.vieodata.com ESMTP Merak 6.1.0; Mon, 15 Sep 2003 13:48:11 -0400
@@ -37,3 +32,8 @@ smtp
 # RFC examples:
 # 220 xyz.com Simple Mail Transfer Service Ready (RFC example)
 # 220 dbc.mtview.ca.us SMTP service ready
+
+smtp
+^220[\x09-\x0d -~]* (e?smtp|simple mail)
+userspace pattern=^220[\x09-\x0d -~]* (E?SMTP|[Ss]imple [Mm]ail)
+userspace flags=REG_NOSUB REG_EXTENDED

package/iptables/files/l7/ssl.pat

@@ -1,15 +1,15 @@
 # SSL and TLS - Secure Socket Layer / Transport Layer Security - RFC 2246
-# Pattern quality: good fast
+# Pattern attributes: good notsofast fast superset
+# Protocol groups: secure ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/SSL
+#
 # Usually runs on port 443
 #
-# This is a superset validcertssl.  For it to match, it must be first.
+# This is a superset of validcertssl.  For it to match, it must be first.
 # 
-# This pattern has been tested and is believed to work well.  If it does not
-# work for you, or you believe it could be improved, please post to
-# l7-filter-developers@lists.sf.net .  This list may be subscribed to at
-# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+# This pattern has been tested and is believed to work well.
 
 ssl
-# Client Hello | Server Hello with certificate
+# Server Hello with certificate | Client Hello
 # This allows SSL 3.X, which includes TLS 1.0, known internally as SSL 3.1
 ^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b)

package/iptables/files/l7/vnc.pat

@@ -1,12 +1,11 @@
 # VNC - Virtual Network Computing.  Also known as RFB - Remote Frame Buffer
-# Pattern quality: good fast
+# Pattern attributes: great veryfast fast
+# Protocol groups: remote_access
+# Wiki: http://www.protocolinfo.org/wiki/VNC
+#
 # http://www.realvnc.com/documentation.html
 # 
 # This pattern has been verified with vnc v3.3.7 on WinXP and Linux
-# Please report on how this pattern works for you at
-# l7-filter-developers@lists.sf.net .  If you can improve on this pattern,
-# please also post to that list. You may subscribe at
-# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
 #
 # Thanks to Trevor Paskett <tpaskett AT cymphonix.com> for this pattern.