summaryrefslogtreecommitdiffstats
path: root/src/usr/local/share/protocols/rtp.pat
diff options
context:
space:
mode:
authorRenato Botelho <renato@netgate.com>2015-08-25 08:08:24 -0300
committerRenato Botelho <renato@netgate.com>2015-08-25 14:49:54 -0300
commit46bc6e545a17e77202aaf01ec0cd8d5a46567525 (patch)
tree32d18dda436ec739c67c489ceb771e8629cd926f /src/usr/local/share/protocols/rtp.pat
parent4d9801c2dbd2b3e54a39578ee62b93af66607227 (diff)
downloadpfsense-46bc6e545a17e77202aaf01ec0cd8d5a46567525.zip
pfsense-46bc6e545a17e77202aaf01ec0cd8d5a46567525.tar.gz
Move main pfSense content to src/
Diffstat (limited to 'src/usr/local/share/protocols/rtp.pat')
-rw-r--r--src/usr/local/share/protocols/rtp.pat33
1 files changed, 33 insertions, 0 deletions
diff --git a/src/usr/local/share/protocols/rtp.pat b/src/usr/local/share/protocols/rtp.pat
new file mode 100644
index 0000000..61fcd8e
--- /dev/null
+++ b/src/usr/local/share/protocols/rtp.pat
@@ -0,0 +1,33 @@
+# RTP - Real-time Transport Protocol - RFC 3550
+# Pattern attributes: ok overmatch undermatch fast fast
+# Protocol groups: streaming_video ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/RTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# RTP headers are *very* short and compact. They have almost nothing in
+# them that can be matched by l7-filter. As RTP connections take place
+# between even numbered ports, you should probably check for that before
+# applying this pattern. If you want to match them along with their
+# associated SIP packets, you might try setting up some iptables rules
+# that watch for SIP packets and then also match any other UDP packets
+# that are going between the same two IP addresses.
+#
+# I think we can count on the first bit being 1 and the second bit being
+# 0 (meaning protocol version 2). The next two bits could go either way,
+# but in the example I've seen, they are zero, so I'll assume they are
+# usually zero. The next four bits are a count of "contributing source
+# identifiers". I'm not sure how big that could be, but in the example
+# I've seen, they're zero, so I'll assume they're usually zero. So that
+# gives us ^\x80. The next bit is a tossup. Next is the payload type, 7
+# bits. I've taken likely values from the WireShark code: 0-34, 96-127
+# (decimal). The rest of the header is random numbers (sequence number,
+# timestamp, synchronization source identifier), so that's no help at
+# all.
+
+rtp
+^\x80[\x01-"`-\x7f\x80-\xa2\xe0-\xff]?..........*\x80
+
+# Might also try this. It's a bit slower (one packet and not too much extra
+# regexec load) and a bit more accurate:
+#^\x80[\x01-"`-\x7f\x80-\xa2\xe0-\xff]?..........*\x80.*\x80
+
OpenPOWER on IntegriCloud