From 85b17a4e9e515a74095ecc691e60fd62e4819a9d Mon Sep 17 00:00:00 2001 From: Tim Yardley Date: Mon, 19 Nov 2007 23:07:00 +0000 Subject: [PATCH] update stripped subset of l7 patterns to 11-03-2007 patterns SVN-Revision: 9582 --- package/iptables/files/l7/aim.pat | 12 +++---- package/iptables/files/l7/bittorrent.pat | 29 ++++++++++----- package/iptables/files/l7/edonkey-dl.pat | 8 ----- package/iptables/files/l7/edonkey.pat | 25 ++++++++----- package/iptables/files/l7/fasttrack.pat | 9 ++--- package/iptables/files/l7/ftp.pat | 41 ++++++++++++++-------- package/iptables/files/l7/gnutella.pat | 13 +++---- package/iptables/files/l7/http.pat | 19 +++++----- package/iptables/files/l7/ident.pat | 10 +++--- package/iptables/files/l7/irc.pat | 9 +++-- package/iptables/files/l7/jabber.pat | 11 +++--- package/iptables/files/l7/msnmessenger.pat | 30 +++++++++++----- package/iptables/files/l7/ntp.pat | 9 +++-- package/iptables/files/l7/pop3.pat | 9 +++-- package/iptables/files/l7/smtp.pat | 22 ++++++------ package/iptables/files/l7/ssl.pat | 14 ++++---- package/iptables/files/l7/vnc.pat | 9 +++-- 17 files changed, 151 insertions(+), 128 deletions(-) delete mode 100644 package/iptables/files/l7/edonkey-dl.pat diff --git a/package/iptables/files/l7/aim.pat b/package/iptables/files/l7/aim.pat index 9768dbbdc8..e26a3c4d0b 100644 --- a/package/iptables/files/l7/aim.pat +++ b/package/iptables/files/l7/aim.pat @@ -1,16 +1,16 @@ # AIM - AOL instant messenger (OSCAR and TOC) -# Pattern quality: good notsofast +# Pattern attributes: good slow notsofast +# Protocol groups: chat proprietary +# Wiki: http://www.protocolinfo.org/wiki/AIM +# # Usually runs on port 5190 # # This may also match ICQ traffic. # -# This pattern has been tested and is believed to work well. If it does not -# work for you, or you believe it could be improved, please post to -# l7-filter-developers@lists.sf.net . This list may be subscribed to at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers +# This pattern has been tested and is believed to work well. aim -# See http://gridley.acns.carleton.edu/~straitm/final (and various other places) +# See http://gridley.res.carleton.edu/~straitm/final (and various other places) # The first bit matches OSCAR signon and data commands, but not sure what # \x03\x0b matches, but it works apparently. # The next three bits match various parts of the TOC signon process. diff --git a/package/iptables/files/l7/bittorrent.pat b/package/iptables/files/l7/bittorrent.pat index c1804ee4ba..e5aa5bc13d 100644 --- a/package/iptables/files/l7/bittorrent.pat +++ b/package/iptables/files/l7/bittorrent.pat @@ -1,14 +1,27 @@ # Bittorrent - P2P filesharing / publishing tool - http://www.bittorrent.com -# Pattern quality: great veryfast +# Pattern attributes: good slow notsofast undermatch +# Protocol groups: p2p open_source +# Wiki: http://www.protocolinfo.org/wiki/Bittorrent # -# This pattern has been tested and is believed to work well. If it does not -# work for you, or you believe it could be improved, please post to -# l7-filter-developers@lists.sf.net . This list may be subscribed to at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers +# This pattern has been tested and is believed to work well. +# It will, however, not work on bittorrent streams that are encrypted, since +# it's impossible to match encrypted data (unless the encryption is extremely +# weak, like rot13 or something...). + bittorrent # Does not attempt to match the HTTP download of the tracker # 0x13 is the length of "bittorrent protocol" -# Second two bits match UDP wierdness, commented out until it's tested -#^(\x13bittorrent protocol|d1:ad2:id20:|\x08'7P\)[RP]) -^\x13bittorrent protocol +# Second two bits match UDP wierdness +# Next bit matches something Azureus does +# Ditto on the next bit. Could also match on "user-agent: azureus", but that's in the next +# packet and perhaps this will match multiple clients. + +# Recently the ^ was removed from before \x13. I think this was an accident, +# so I have restored it. + +# This is not a valid GNU basic regular expression (but that's ok). +^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=)|d1:ad2:id20:|\x08'7P\)[RP] + +# This pattern is "fast", but won't catch as much +#^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=) diff --git a/package/iptables/files/l7/edonkey-dl.pat b/package/iptables/files/l7/edonkey-dl.pat deleted file mode 100644 index d344d169d0..0000000000 --- a/package/iptables/files/l7/edonkey-dl.pat +++ /dev/null @@ -1,8 +0,0 @@ -# eDonkey2000 - P2P filesharing (download part) - http://edonkey2000.com -# Pattern quality: good veryfast overmatch usepacket - -edonkey-dl - -^[\xe3\xe4\xc5\xe5\xd4](....)?[\x01\x0a\x0e\x0f\x10\x18\x19\x1b\x1c\x47\x4a\x4f\x51\x53\x54\x58\x60\x81\x90\x96\x9a\x9c\xa2] - - diff --git a/package/iptables/files/l7/edonkey.pat b/package/iptables/files/l7/edonkey.pat index efbc3f361e..50a072cb28 100644 --- a/package/iptables/files/l7/edonkey.pat +++ b/package/iptables/files/l7/edonkey.pat @@ -1,10 +1,14 @@ -# eDonkey2000 - P2P filesharing - http://edonkey2000.com -# Pattern quality: good veryfast overmatch +# eDonkey2000 - P2P filesharing - http://edonkey2000.com and others +# Pattern attributes: good veryfast fast overmatch +# Protocol groups: p2p +# Wiki: http://www.protocolinfo.org/wiki/EDonkey # -# Please post to l7-filter-developers@lists.sf.net as to whether this pattern -# works for you or not. If you believe it could be improved please post your -# suggestions to that list as well. You may subscribe to this list at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers +# Tested recently (April/May 2006) with eMule 0.47a and eDonkey2000 1.4 +# and a long time ago with something else. +# +# In addition to matching what you might expect, this matches much of +# what eMule does when you tell it to only connect to the KAD network. +# I don't quite know what to make of this. # Thanks to Matt Skidmore @@ -12,12 +16,15 @@ edonkey # http://gd.tuwien.ac.at/opsys/linux/sf/p/pdonkey/eDonkey-protocol-0.6 # -# In addition to \xe3, \xc5 and \xd4, I see a lot of \xe5 +# In addition to \xe3, \xc5 and \xd4, I see a lot of \xe5. +# As of April 2006, I also see some \xe4. # # God this is a mess. What an irritating protocol. -# This will match about 1% of streams with random data in them! +# This will match about 2% of streams with random data in them! +# (But fortunately much fewer than 2% of streams that are other protocols. +# You can test this with the data in ../testing/) -^[\xe3\xc5\xe5\xd4](....)?([\x01\x02\x05\x14\x15\x16\x18\x19\x1a\x1b\x1c\x20\x21\x32\x33\x34\x35\x36\x38\x40\x41\x42\x43\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x5b\x5c\x60\x81\x82\x90\x91\x93\x96\x97\x98\x99\x9a\x9b\x9c\x9e\xa0\xa1\xa2\xa3\xa4]|\x59................?[ -~]|\x96....$) +^[\xc5\xd4\xe3-\xe5].?.?.?.?([\x01\x02\x05\x14\x15\x16\x18\x19\x1a\x1b\x1c\x20\x21\x32\x33\x34\x35\x36\x38\x40\x41\x42\x43\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58[\x60\x81\x82\x90\x91\x93\x96\x97\x98\x99\x9a\x9b\x9c\x9e\xa0\xa1\xa2\xa3\xa4]|\x59................?[ -~]|\x96....$) # matches everything and too much # ^(\xe3|\xc5|\xd4) diff --git a/package/iptables/files/l7/fasttrack.pat b/package/iptables/files/l7/fasttrack.pat index 46295c6bbe..c821ae4d47 100644 --- a/package/iptables/files/l7/fasttrack.pat +++ b/package/iptables/files/l7/fasttrack.pat @@ -1,15 +1,12 @@ # FastTrack - P2P filesharing (Kazaa, Morpheus, iMesh, Grokster, etc) -# Pattern quality: good notsofast +# Pattern attributes: good slow notsofast +# Protocol groups: p2p +# Wiki: http://www.protocolinfo.org/wiki/Fasttrack # # Tested with Kazaa Lite Resurrection 0.0.7.6F # # This appears to match the download connections well, but not the search # connections (I think they are encrypted :-( ). -# -# Please post to l7-filter-developers@lists.sf.net as to whether it works -# for you or not. If you believe it could be improved please post your -# suggestions to that list as well. You may subscribe to this list at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers fasttrack # while this is a valid http request, this will be caught because diff --git a/package/iptables/files/l7/ftp.pat b/package/iptables/files/l7/ftp.pat index 9593ffd1bd..a7f9e0eeaa 100644 --- a/package/iptables/files/l7/ftp.pat +++ b/package/iptables/files/l7/ftp.pat @@ -1,30 +1,41 @@ # FTP - File Transfer Protocol - RFC 959 -# Pattern quality: great fast +# Pattern attributes: great notsofast fast +# Protocol groups: document_retrieval ietf_internet_standard +# Wiki: http://protocolinfo.org/wiki/FTP # # Usually runs on port 21. Note that the data stream is on a dynamically # assigned port, which means that you will need the FTP connection # tracking module in your kernel to usefully match FTP data transfers. # -# This pattern is well tested. If it does not -# work for you, or you believe it could be improved, please post to -# l7-filter-developers@lists.sf.net . This list may be subscribed to at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers +# This pattern is well tested. # -# Matches the first two things a server should say. Most servers say -# something after 220, even though they don't have to, and it usually -# includes the string "ftp" (l7-filter is case insensitive). -# This includes proftpd, vsftpd, wuftpd, warftpd, pureftpd, Bulletproof -# FTP Server, and whatever ftp.microsoft.com uses. Just in case, the next -# thing the server sends is a 331. All the above servers also send -# something including "password" after this code. +# Handles the first two things a server should say: +# +# First, the server says it's ready by sending "220". Most servers say +# something after 220, even though they don't have to, and it usually +# includes the string "ftp" (l7-filter is case insensitive). This +# includes proftpd, vsftpd, wuftpd, warftpd, pureftpd, Bulletproof FTP +# Server, and whatever ftp.microsoft.com uses. Almost all servers use only +# ASCII printable characters between the "220" and the "FTP", but non-English +# ones might use others. +# +# The next thing the server sends is a 331. All the above servers also +# send something including "password" after this code. By default, we +# do not match on this because it takes another packet and is more work +# for regexec. + ftp -# actually, let's just do the first for now, it's faster +# by default, we allow only ASCII ^220[\x09-\x0d -~]*ftp -# This is ~10x faster if the stream starts with "220" +# This covers UTF-8 as well +#^220[\x09-\x0d -~\x80-\xfd]*ftp + +# This allows any characters and is about 4x faster than either of the above +# (which are about the same as each other) #^220.*ftp -# This will match more, but much slower +# This is much slower #^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*password # This pattern is more precise, but takes longer to match. (3 packets vs. 1) diff --git a/package/iptables/files/l7/gnutella.pat b/package/iptables/files/l7/gnutella.pat index ebbd5c621d..57a76de02f 100644 --- a/package/iptables/files/l7/gnutella.pat +++ b/package/iptables/files/l7/gnutella.pat @@ -1,17 +1,14 @@ # Gnutella - P2P filesharing -# Pattern quality: good fast +# Pattern attributes: good notsofast notsofast +# Protocol groups: p2p open_source +# Wiki: http://www.protocolinfo.org/wiki/Gnutella # # This should match both Gnutella and "Gnutella2" ("Mike's protocol") # # Various clients use this protocol including Mactella, Shareaza, -# GTK-gnutella, Gnucleus, Gnotella, LimeWire, BearShare, and iMesh. +# GTK-gnutella, Gnucleus, Gnotella, LimeWire, iMesh and BearShare. # # This is tested with gtk-gnutella and Shareaza. -# -# Please report on how this pattern works for you at -# l7-filter-developers@lists.sf.net . If you can improve on this -# pattern, please also post to that list. You may subscribe at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers # http://www.gnutella2.com/tiki-index.php?page=UDP%20Transceiver # http://rfc-gnutella.sf.net/ @@ -28,7 +25,7 @@ gnutella # document based. Assumes version is between 0.0 and 2.9. (usually is # 0.4 or 0.6). I'm guessing at many of the user-agents. # The last bit is emprical and probably only matches Limewire. -^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|..................lime) +^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|...................?lime) # Needlessly precise, at the expense of time #^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /[\x09-\x0d -~]*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /[\x09-\x0d -~]*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella[\x09-\x0d -~]*content-type: application/x-gnutella|..................lime) diff --git a/package/iptables/files/l7/http.pat b/package/iptables/files/l7/http.pat index 520e7fe212..550aa0b71b 100644 --- a/package/iptables/files/l7/http.pat +++ b/package/iptables/files/l7/http.pat @@ -1,17 +1,16 @@ # HTTP - HyperText Transfer Protocol - RFC 2616 -# Pattern quality: great notsofast +# Pattern attributes: great slow notsofast superset +# Protocol groups: document_retrieval ietf_draft_standard +# Wiki: http://protocolinfo.org/wiki/HTTP +# # Usually runs on port 80 # -# This pattern has been tested and is believed to work well. If it does not -# work for you, or you believe it could be improved, please post to -# l7-filter-developers@lists.sf.net . This list may be subscribed to at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers +# This pattern has been tested and is believed to work well. # -# this intentionally catches the response from the server -# rather than the request so that other protocols which use -# http (like kazaa) can be caught based on specific http requests -# regardless of the ordering of filters... -# also matches posts +# this intentionally catches the response from the server rather than +# the request so that other protocols which use http (like kazaa) can be +# caught based on specific http requests regardless of the ordering of +# filters... also matches posts # Sites that serve really long cookies may break this by pushing the # server response too far away from the beginning of the connection. To diff --git a/package/iptables/files/l7/ident.pat b/package/iptables/files/l7/ident.pat index 672b0753ce..d6d89c333f 100644 --- a/package/iptables/files/l7/ident.pat +++ b/package/iptables/files/l7/ident.pat @@ -1,11 +1,11 @@ # Ident - Identification Protocol - RFC 1413 -# Pattern quality: good veryfast +# Pattern attributes: good fast fast +# Protocol groups: networking ietf_proposed_standard +# Wiki: http://www.protocolinfo.org/wiki/Ident +# # Usually runs on port 113 # -# This pattern is believed to work. If it does not -# work for you, or you believe it could be improved, please post to -# l7-filter-developers@lists.sf.net . This list may be subscribed to at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers +# This pattern is believed to work. ident # "number , numberCRLF" possibly without the CR and/or LF. diff --git a/package/iptables/files/l7/irc.pat b/package/iptables/files/l7/irc.pat index 6643f6c2f7..2767336e8e 100644 --- a/package/iptables/files/l7/irc.pat +++ b/package/iptables/files/l7/irc.pat @@ -1,5 +1,7 @@ # IRC - Internet Relay Chat - RFC 1459 -# Pattern quality: good veryfast +# Pattern attributes: great veryfast fast +# Protocol groups: chat ietf_proposed_standard +# Wiki: http://www.protocolinfo.org/wiki/IRC # # Usually runs on port 6666 or 6667 # Note that chat traffic runs on these ports, but IRC-DCC traffic (which @@ -7,10 +9,7 @@ # must have the IRC connection tracking module in your kernel to classify # this. # -# This pattern has been tested and is believed to work well. If it does not -# work for you, or you believe it could be improved, please post to -# l7-filter-developers@lists.sf.net . This list may be subscribed to at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers +# This pattern has been tested and is believed to work well. irc # First thing that happens is that the client sends NICK and USER, in diff --git a/package/iptables/files/l7/jabber.pat b/package/iptables/files/l7/jabber.pat index 7a0c6840e1..aa51c76605 100644 --- a/package/iptables/files/l7/jabber.pat +++ b/package/iptables/files/l7/jabber.pat @@ -1,11 +1,10 @@ -# Jabber (XMPP) - an open instant messenger protocol - http://jabber.org -# Pattern quality: good fast +# Jabber (XMPP) - open instant messenger protocol - RFC 3920 - http://jabber.org +# Pattern attributes: good notsofast notsofast +# Protocol groups: chat ietf_proposed_standard +# Wiki: http://www.protocolinfo.org/wiki/Jabber # # This pattern has been tested with Gaim and Gabber. It is only tested -# with non-SSL mode Jabber with no proxies. If it does not -# work for you, or you believe it could be improved, please post to -# l7-filter-developers@lists.sf.net . This list may be subscribed to at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers +# with non-SSL mode Jabber with no proxies. # Thanks to Jan Hudec for some improvements. diff --git a/package/iptables/files/l7/msnmessenger.pat b/package/iptables/files/l7/msnmessenger.pat index e07f71f311..41f107555a 100644 --- a/package/iptables/files/l7/msnmessenger.pat +++ b/package/iptables/files/l7/msnmessenger.pat @@ -1,15 +1,27 @@ # MSN Messenger - Microsoft Network chat client -# Pattern quality: good veryfast +# Pattern attributes: good slow notsofast +# Protocol groups: chat proprietary +# Wiki: http://www.protocolinfo.org/wiki/MSN_Messenger # -# Usually uses port 1863 +# Usually uses TCP port 1863 # http://www.hypothetic.org/docs/msn/index.php +# http://msnpiki.msnfanatic.com/ # -# This pattern has been tested and is believed to work well. If it does not -# work for you, or you believe it could be improved, please post to -# l7-filter-developers@lists.sf.net . This list may be subscribed to at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers +# This pattern has been tested and is believed to work well. msnmessenger -# ver: allow versions up to 99. -# usr (in case ver didn't work): -^(ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]* cvr|usr md5 i [ -~]*) + +# First branch: login +# ver: allow versions up to 99. +# I've never seen a cvr other than cvr0. Maybe this will be trouble later? +# Can't anchor at the beginning because sometimes this is encapsulated in +# HTTP. But either way, the first packet ends like this. +# Second/Third branches: accepting/sending a message +# I will assume that these can also be encapsulated in HTTP, although I have +# not checked. Example of each direction: +# ANS 1 quadong@hotmail.com 1139803431.29427 17522047 +# USR 1 quadong@hotmail.com 530423708.968145.366138 + +# Branches are written entirely separately for better performance. +ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]*cvr0\x0d\x0a$|usr 1 [!-~]+ [0-9. ]+\x0d\x0a$|ans 1 [!-~]+ [0-9. ]+\x0d\x0a$ + diff --git a/package/iptables/files/l7/ntp.pat b/package/iptables/files/l7/ntp.pat index b7e443e21f..a24fb0560e 100644 --- a/package/iptables/files/l7/ntp.pat +++ b/package/iptables/files/l7/ntp.pat @@ -1,10 +1,9 @@ # (S)NTP - (Simple) Network Time Protocol - RFCs 1305 and 2030 -# Pattern quality: good veryfast overmatch +# Pattern attributes: good fast fast overmatch +# Protocol groups: time_synchronization ietf_draft_standard +# Wiki: http://www.protocolinfo.org/wiki/NTP # -# This pattern is tested and is believed to work. If this does not work -# for you, or you believe it could be improved, please post to -# l7-filter-developers@lists.sf.net . Subscribe at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers +# This pattern is tested and is believed to work. # client|server # Requires the server's timestamp to be in the present or future (of 2005). diff --git a/package/iptables/files/l7/pop3.pat b/package/iptables/files/l7/pop3.pat index f6bb630614..b3d76e20d8 100644 --- a/package/iptables/files/l7/pop3.pat +++ b/package/iptables/files/l7/pop3.pat @@ -1,10 +1,9 @@ # POP3 - Post Office Protocol version 3 (popular e-mail protocol) - RFC 1939 -# Pattern quality: good veryfast +# Pattern attributes: great veryfast fast +# Protocol groups: mail ietf_internet_standard +# Wiki: http://www.protocolinfo.org/wiki/POP # -# This pattern has been tested somewhat. If it does not -# work for you, or you believe it could be improved, please post to -# l7-filter-developers@lists.sf.net . This list may be subscribed to at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers +# This pattern has been tested somewhat. # this is a difficult protocol to match because of the relative lack of # distinguishing information. Read on. diff --git a/package/iptables/files/l7/smtp.pat b/package/iptables/files/l7/smtp.pat index 1bab7a1df4..eb98ae72f8 100644 --- a/package/iptables/files/l7/smtp.pat +++ b/package/iptables/files/l7/smtp.pat @@ -1,22 +1,17 @@ # SMTP - Simple Mail Transfer Protocol - RFC 2821 (See also RFC 1869) -# Pattern quality: great fast +# Pattern attributes: great notsofast fast +# Protocol groups: mail ietf_internet_standard +# Wiki: http://www.protocolinfo.org/wiki/SMTP +# # usually runs on port 25 # -# This pattern has been tested and is believed to work well. If it does not -# work for you, or you believe it could be improved, please post to -# l7-filter-developers@lists.sf.net . This list may be subscribed to at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers +# This pattern has been tested and is believed to work well. -smtp # As usual, no text is required after "220", but all known servers have some # there. It (almost?) always has string "smtp" in it. The RFC examples # does not, so we match those too, just in case anyone has copied them # literally. -^220[\x09-\x0d -~]* (e?smtp|simple mail) - -# This is ~3x faster if the stream starts with "220" -#^220.* (e?smtp|simple mail) - +# # Some examples: # 220 mail.stalker.com ESMTP CommuniGate Pro 4.1.3 # 220 mail.vieodata.com ESMTP Merak 6.1.0; Mon, 15 Sep 2003 13:48:11 -0400 @@ -37,3 +32,8 @@ smtp # RFC examples: # 220 xyz.com Simple Mail Transfer Service Ready (RFC example) # 220 dbc.mtview.ca.us SMTP service ready + +smtp +^220[\x09-\x0d -~]* (e?smtp|simple mail) +userspace pattern=^220[\x09-\x0d -~]* (E?SMTP|[Ss]imple [Mm]ail) +userspace flags=REG_NOSUB REG_EXTENDED diff --git a/package/iptables/files/l7/ssl.pat b/package/iptables/files/l7/ssl.pat index ab5f62caa7..a10589a103 100644 --- a/package/iptables/files/l7/ssl.pat +++ b/package/iptables/files/l7/ssl.pat @@ -1,15 +1,15 @@ # SSL and TLS - Secure Socket Layer / Transport Layer Security - RFC 2246 -# Pattern quality: good fast +# Pattern attributes: good notsofast fast superset +# Protocol groups: secure ietf_proposed_standard +# Wiki: http://www.protocolinfo.org/wiki/SSL +# # Usually runs on port 443 # -# This is a superset validcertssl. For it to match, it must be first. +# This is a superset of validcertssl. For it to match, it must be first. # -# This pattern has been tested and is believed to work well. If it does not -# work for you, or you believe it could be improved, please post to -# l7-filter-developers@lists.sf.net . This list may be subscribed to at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers +# This pattern has been tested and is believed to work well. ssl -# Client Hello | Server Hello with certificate +# Server Hello with certificate | Client Hello # This allows SSL 3.X, which includes TLS 1.0, known internally as SSL 3.1 ^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b) diff --git a/package/iptables/files/l7/vnc.pat b/package/iptables/files/l7/vnc.pat index 35bfbd4bad..9f77fdf55e 100644 --- a/package/iptables/files/l7/vnc.pat +++ b/package/iptables/files/l7/vnc.pat @@ -1,12 +1,11 @@ # VNC - Virtual Network Computing. Also known as RFB - Remote Frame Buffer -# Pattern quality: good fast +# Pattern attributes: great veryfast fast +# Protocol groups: remote_access +# Wiki: http://www.protocolinfo.org/wiki/VNC +# # http://www.realvnc.com/documentation.html # # This pattern has been verified with vnc v3.3.7 on WinXP and Linux -# Please report on how this pattern works for you at -# l7-filter-developers@lists.sf.net . If you can improve on this pattern, -# please also post to that list. You may subscribe at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers # # Thanks to Trevor Paskett for this pattern.