diff options
author | Renato Botelho <renato@netgate.com> | 2015-08-25 08:08:24 -0300 |
---|---|---|
committer | Renato Botelho <renato@netgate.com> | 2015-08-25 14:49:54 -0300 |
commit | 46bc6e545a17e77202aaf01ec0cd8d5a46567525 (patch) | |
tree | 32d18dda436ec739c67c489ceb771e8629cd926f /src/usr/local/share/protocols/rtp.pat | |
parent | 4d9801c2dbd2b3e54a39578ee62b93af66607227 (diff) | |
download | pfsense-46bc6e545a17e77202aaf01ec0cd8d5a46567525.zip pfsense-46bc6e545a17e77202aaf01ec0cd8d5a46567525.tar.gz |
Move main pfSense content to src/
Diffstat (limited to 'src/usr/local/share/protocols/rtp.pat')
-rw-r--r-- | src/usr/local/share/protocols/rtp.pat | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/src/usr/local/share/protocols/rtp.pat b/src/usr/local/share/protocols/rtp.pat new file mode 100644 index 0000000..61fcd8e --- /dev/null +++ b/src/usr/local/share/protocols/rtp.pat @@ -0,0 +1,33 @@ +# RTP - Real-time Transport Protocol - RFC 3550 +# Pattern attributes: ok overmatch undermatch fast fast +# Protocol groups: streaming_video ietf_internet_standard +# Wiki: http://www.protocolinfo.org/wiki/RTP +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# RTP headers are *very* short and compact. They have almost nothing in +# them that can be matched by l7-filter. As RTP connections take place +# between even numbered ports, you should probably check for that before +# applying this pattern. If you want to match them along with their +# associated SIP packets, you might try setting up some iptables rules +# that watch for SIP packets and then also match any other UDP packets +# that are going between the same two IP addresses. +# +# I think we can count on the first bit being 1 and the second bit being +# 0 (meaning protocol version 2). The next two bits could go either way, +# but in the example I've seen, they are zero, so I'll assume they are +# usually zero. The next four bits are a count of "contributing source +# identifiers". I'm not sure how big that could be, but in the example +# I've seen, they're zero, so I'll assume they're usually zero. So that +# gives us ^\x80. The next bit is a tossup. Next is the payload type, 7 +# bits. I've taken likely values from the WireShark code: 0-34, 96-127 +# (decimal). The rest of the header is random numbers (sequence number, +# timestamp, synchronization source identifier), so that's no help at +# all. + +rtp +^\x80[\x01-"`-\x7f\x80-\xa2\xe0-\xff]?..........*\x80 + +# Might also try this. It's a bit slower (one packet and not too much extra +# regexec load) and a bit more accurate: +#^\x80[\x01-"`-\x7f\x80-\xa2\xe0-\xff]?..........*\x80.*\x80 + |