authorRenato Botelho <renato@netgate.com>2015-08-25 08:08:24 -0300
committerRenato Botelho <renato@netgate.com>2015-08-25 14:49:54 -0300
commit46bc6e545a17e77202aaf01ec0cd8d5a46567525 (patch)
tree32d18dda436ec739c67c489ceb771e8629cd926f /src/usr/local/share/protocols
parent4d9801c2dbd2b3e54a39578ee62b93af66607227 (diff)
Move main pfSense content to src/
Diffstat (limited to 'src/usr/local/share/protocols')
-rw-r--r--src/usr/local/share/protocols/100bao.pat12
-rw-r--r--src/usr/local/share/protocols/EAOrigin.pat7
-rw-r--r--src/usr/local/share/protocols/LICENSE605
-rw-r--r--src/usr/local/share/protocols/aim.pat28
-rw-r--r--src/usr/local/share/protocols/aimwebcontent.pat10
-rw-r--r--src/usr/local/share/protocols/any.pat8
-rw-r--r--src/usr/local/share/protocols/applejuice.pat12
-rw-r--r--src/usr/local/share/protocols/ares.pat63
-rw-r--r--src/usr/local/share/protocols/armagetron.pat12
-rw-r--r--src/usr/local/share/protocols/audiogalaxy.pat19
-rw-r--r--src/usr/local/share/protocols/battlefield1942.pat14
-rw-r--r--src/usr/local/share/protocols/battlefield2.pat26
-rw-r--r--src/usr/local/share/protocols/battlefield2142.pat14
-rw-r--r--src/usr/local/share/protocols/bgp.pat19
-rw-r--r--src/usr/local/share/protocols/biff.pat16
-rw-r--r--src/usr/local/share/protocols/bittorrent.pat25
-rw-r--r--src/usr/local/share/protocols/chikka.pat17
-rw-r--r--src/usr/local/share/protocols/cimd.pat19
-rw-r--r--src/usr/local/share/protocols/ciscovpn.pat11
-rw-r--r--src/usr/local/share/protocols/citrix.pat12
-rw-r--r--src/usr/local/share/protocols/code_red.pat8
-rw-r--r--src/usr/local/share/protocols/counterstrike-source.pat42
-rw-r--r--src/usr/local/share/protocols/cvs.pat14
-rw-r--r--src/usr/local/share/protocols/dayofdefeat-source.pat11
-rw-r--r--src/usr/local/share/protocols/dazhihui.pat11
-rw-r--r--src/usr/local/share/protocols/dhcp.pat36
-rw-r--r--src/usr/local/share/protocols/directconnect.pat14
-rw-r--r--src/usr/local/share/protocols/dns.pat63
-rw-r--r--src/usr/local/share/protocols/doom3.pat10
-rw-r--r--src/usr/local/share/protocols/edonkey.pat37
-rw-r--r--src/usr/local/share/protocols/exe.pat20
-rw-r--r--src/usr/local/share/protocols/fasttrack.pat23
-rw-r--r--src/usr/local/share/protocols/finger.pat15
-rw-r--r--src/usr/local/share/protocols/flash.pat18
-rw-r--r--src/usr/local/share/protocols/freenet.pat10
-rw-r--r--src/usr/local/share/protocols/ftp.pat46
-rw-r--r--src/usr/local/share/protocols/gif.pat8
-rw-r--r--src/usr/local/share/protocols/gkrellm.pat13
-rw-r--r--src/usr/local/share/protocols/gnucleuslan.pat10
-rw-r--r--src/usr/local/share/protocols/gnutella.pat34
-rw-r--r--src/usr/local/share/protocols/goboogy.pat13
-rw-r--r--src/usr/local/share/protocols/gopher.pat25
-rw-r--r--src/usr/local/share/protocols/gtalk.pat11
-rw-r--r--src/usr/local/share/protocols/guildwars.pat14
-rw-r--r--src/usr/local/share/protocols/h323.pat36
-rw-r--r--src/usr/local/share/protocols/halflife2-deathmatch.pat10
-rw-r--r--src/usr/local/share/protocols/hddtemp.pat14
-rw-r--r--src/usr/local/share/protocols/hotline.pat12
-rw-r--r--src/usr/local/share/protocols/html.pat11
-rw-r--r--src/usr/local/share/protocols/http-dap.pat19
-rw-r--r--src/usr/local/share/protocols/http-freshdownload.pat17
-rw-r--r--src/usr/local/share/protocols/http-itunes.pat14
-rw-r--r--src/usr/local/share/protocols/http-rtsp.pat16
-rw-r--r--src/usr/local/share/protocols/http.pat28
-rw-r--r--src/usr/local/share/protocols/httpaudio.pat32
-rw-r--r--src/usr/local/share/protocols/httpcachehit.pat19
-rw-r--r--src/usr/local/share/protocols/httpcachemiss.pat17
-rw-r--r--src/usr/local/share/protocols/httpvideo.pat32
-rw-r--r--src/usr/local/share/protocols/ident.pat15
-rw-r--r--src/usr/local/share/protocols/imap.pat14
-rw-r--r--src/usr/local/share/protocols/imesh.pat15
-rw-r--r--src/usr/local/share/protocols/ipp.pat12
-rw-r--r--src/usr/local/share/protocols/irc.pat20
-rw-r--r--src/usr/local/share/protocols/jabber.pat24
-rw-r--r--src/usr/local/share/protocols/jpeg.pat8
-rw-r--r--src/usr/local/share/protocols/kugoo.pat21
-rw-r--r--src/usr/local/share/protocols/live365.pat15
-rw-r--r--src/usr/local/share/protocols/liveforspeed.pat13
-rw-r--r--src/usr/local/share/protocols/lpd.pat18
-rw-r--r--src/usr/local/share/protocols/mohaa.pat11
-rw-r--r--src/usr/local/share/protocols/mp3.pat11
-rw-r--r--src/usr/local/share/protocols/msn-filetransfer.pat30
-rw-r--r--src/usr/local/share/protocols/msnmessenger.pat28
-rw-r--r--src/usr/local/share/protocols/mute.pat11
-rw-r--r--src/usr/local/share/protocols/napster.pat24
-rw-r--r--src/usr/local/share/protocols/nbns.pat20
-rw-r--r--src/usr/local/share/protocols/ncp.pat23
-rw-r--r--src/usr/local/share/protocols/netbios.pat29
-rw-r--r--src/usr/local/share/protocols/nimda.pat8
-rw-r--r--src/usr/local/share/protocols/nntp.pat21
-rw-r--r--src/usr/local/share/protocols/ntp.pat17
-rw-r--r--src/usr/local/share/protocols/ogg.pat7
-rw-r--r--src/usr/local/share/protocols/openft.pat13
-rw-r--r--src/usr/local/share/protocols/pcanywhere.pat12
-rw-r--r--src/usr/local/share/protocols/pdf.pat11
-rw-r--r--src/usr/local/share/protocols/perl.pat7
-rw-r--r--src/usr/local/share/protocols/png.pat13
-rw-r--r--src/usr/local/share/protocols/poco.pat12
-rw-r--r--src/usr/local/share/protocols/pop3.pat50
-rw-r--r--src/usr/local/share/protocols/postscript.pat7
-rw-r--r--src/usr/local/share/protocols/pplive.pat11
-rw-r--r--src/usr/local/share/protocols/pressplay.pat15
-rw-r--r--src/usr/local/share/protocols/qq.pat26
-rw-r--r--src/usr/local/share/protocols/quake-halflife.pat32
-rw-r--r--src/usr/local/share/protocols/quake1.pat19
-rw-r--r--src/usr/local/share/protocols/quicktime.pat21
-rw-r--r--src/usr/local/share/protocols/radmin.pat17
-rw-r--r--src/usr/local/share/protocols/rar.pat7
-rw-r--r--src/usr/local/share/protocols/rdp.pat20
-rw-r--r--src/usr/local/share/protocols/replaytv-ivs.pat11
-rw-r--r--src/usr/local/share/protocols/rlogin.pat19
-rw-r--r--src/usr/local/share/protocols/rpm.pat7
-rw-r--r--src/usr/local/share/protocols/rtf.pat8
-rw-r--r--src/usr/local/share/protocols/rtmp.pat13
-rw-r--r--src/usr/local/share/protocols/rtp.pat33
-rw-r--r--src/usr/local/share/protocols/rtsp.pat15
-rw-r--r--src/usr/local/share/protocols/runesofmagic.pat63
-rw-r--r--src/usr/local/share/protocols/shoutcast.pat27
-rw-r--r--src/usr/local/share/protocols/sip.pat20
-rw-r--r--src/usr/local/share/protocols/skypeout.pat50
-rw-r--r--src/usr/local/share/protocols/skypetoskype.pat14
-rw-r--r--src/usr/local/share/protocols/smb.pat19
-rw-r--r--src/usr/local/share/protocols/smtp.pat40
-rw-r--r--src/usr/local/share/protocols/snmp-mon.pat32
-rw-r--r--src/usr/local/share/protocols/snmp-trap.pat33
-rw-r--r--src/usr/local/share/protocols/snmp.pat19
-rw-r--r--src/usr/local/share/protocols/socks.pat32
-rw-r--r--src/usr/local/share/protocols/soribada.pat51
-rw-r--r--src/usr/local/share/protocols/soulseek.pat17
-rw-r--r--src/usr/local/share/protocols/ssdp.pat21
-rw-r--r--src/usr/local/share/protocols/ssh.pat17
-rw-r--r--src/usr/local/share/protocols/ssl.pat16
-rw-r--r--src/usr/local/share/protocols/stun.pat46
-rw-r--r--src/usr/local/share/protocols/subspace.pat21
-rw-r--r--src/usr/local/share/protocols/subversion.pat13
-rw-r--r--src/usr/local/share/protocols/swf.pat2
-rw-r--r--src/usr/local/share/protocols/tar.pat12
-rw-r--r--src/usr/local/share/protocols/teamfortress2.pat11
-rw-r--r--src/usr/local/share/protocols/teamspeak.pat15
-rw-r--r--src/usr/local/share/protocols/telnet.pat16
-rw-r--r--src/usr/local/share/protocols/tesla.pat15
-rw-r--r--src/usr/local/share/protocols/tftp.pat21
-rw-r--r--src/usr/local/share/protocols/thecircle.pat12
-rw-r--r--src/usr/local/share/protocols/tonghuashun.pat11
-rw-r--r--src/usr/local/share/protocols/tor.pat17
-rw-r--r--src/usr/local/share/protocols/tsp.pat14
-rw-r--r--src/usr/local/share/protocols/unset.pat8
-rw-r--r--src/usr/local/share/protocols/uucp.pat12
-rw-r--r--src/usr/local/share/protocols/validcertssl.pat25
-rw-r--r--src/usr/local/share/protocols/ventrilo.pat18
-rw-r--r--src/usr/local/share/protocols/vnc.pat23
-rw-r--r--src/usr/local/share/protocols/whois.pat14
-rw-r--r--src/usr/local/share/protocols/worldofwarcraft.pat66
-rw-r--r--src/usr/local/share/protocols/x11.pat23
-rw-r--r--src/usr/local/share/protocols/xboxlive.pat41
-rw-r--r--src/usr/local/share/protocols/xunlei.pat83
-rw-r--r--src/usr/local/share/protocols/yahoo.pat27
-rw-r--r--src/usr/local/share/protocols/zip.pat7
-rw-r--r--src/usr/local/share/protocols/zmaap.pat18
149 files changed, 3608 insertions, 0 deletions
diff --git a/src/usr/local/share/protocols/100bao.pat b/src/usr/local/share/protocols/100bao.pat
new file mode 100644
index 0000000..a03a891
--- /dev/null
+++ b/src/usr/local/share/protocols/100bao.pat
@@ -0,0 +1,12 @@
+# 100bao - a Chinese P2P protocol/program - http://www.100bao.com
+# Pattern attributes: ok veryfast fast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/100Bao
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Pattern written by www.routerclub.com's wsgtrsys.
+# The author of this pattern says it works, but this is unconfirmed.
+
+100bao
+^\x01\x01\x05\x0a
+
diff --git a/src/usr/local/share/protocols/EAOrigin.pat b/src/usr/local/share/protocols/EAOrigin.pat
new file mode 100644
index 0000000..391be72
--- /dev/null
+++ b/src/usr/local/share/protocols/EAOrigin.pat
@@ -0,0 +1,7 @@
+# Origin powered by EA
+# zip? - Main Downloads for Games/Patches/Updates
+# User-Agents - Browsing the EA store.
+
+User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/534.34 (KHTML, like Gecko) Origin/9.2.1.4399 Safari/534.34 EA Download Manager
+User-Agent: Mozilla/5.0 EA Download Manager Origin
+zip?
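Review bot: EAOrigin.pat does not follow the layout that 100bao.pat uses in this same commit (comment header, then the protocol name on its own line, then a single regex line): it has three non-comment lines and none of them is a protocol name. If the loader reads the first non-comment line as the name and the next as the pattern, the long User-Agent string becomes the name, the second User-Agent line is used as a regex, and `zip?` is never read. Taken as a regex, `zip?` would also match any payload containing `zi`, so unrelated traffic would be classified as Origin. I would give the file a name line and one escaped pattern, something like `eaorigin` followed by `user-agent: mozilla/5\.0 .*ea download manager`. The header should also say that a User-Agent match is client-controlled, so this pattern suits shaping or reporting rather than enforcement.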
diff --git a/src/usr/local/share/protocols/LICENSE b/src/usr/local/share/protocols/LICENSE
new file mode 100644
index 0000000..49395f6
--- /dev/null
+++ b/src/usr/local/share/protocols/LICENSE
@@ -0,0 +1,605 @@
+You may distribute this software under either the GPLv2 or Creative
+Commons Attribution-ShareAlike 2.5. The text of each follows:
+
+***************************************************************************
+
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+ 675 Mass Ave, Cambridge, MA 02139, USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ Appendix: How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) 19yy <name of author>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) 19yy name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Library General
+Public License instead of this License.
+
+***************************************************************************
+
+ Creative Commons Legal Code
+ Attribution-ShareAlike 2.5
+
+ CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
+ LEGAL SERVICES. DISTRIBUTION OF THIS LICENSE DOES NOT CREATE AN
+ ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
+ INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
+ REGARDING THE INFORMATION PROVIDED, AND DISCLAIMS LIABILITY FOR
+ DAMAGES RESULTING FROM ITS USE.
+
+ License
+
+ THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS
+ CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS
+ PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE
+ WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS
+ PROHIBITED.
+
+ BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND
+ AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. THE LICENSOR GRANTS
+ YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF
+ SUCH TERMS AND CONDITIONS.
+
+ 1. Definitions
+ a. "Collective Work" means a work, such as a periodical issue,
+ anthology or encyclopedia, in which the Work in its entirety in
+ unmodified form, along with a number of other contributions,
+ constituting separate and independent works in themselves, are
+ assembled into a collective whole. A work that constitutes a
+ Collective Work will not be considered a Derivative Work (as
+ defined below) for the purposes of this License.
+ b. "Derivative Work" means a work based upon the Work or upon the
+ Work and other pre-existing works, such as a translation, musical
+ arrangement, dramatization, fictionalization, motion picture
+ version, sound recording, art reproduction, abridgment,
+ condensation, or any other form in which the Work may be recast,
+ transformed, or adapted, except that a work that constitutes a
+ Collective Work will not be considered a Derivative Work for the
+ purpose of this License. For the avoidance of doubt, where the
+ Work is a musical composition or sound recording, the
+ synchronization of the Work in timed-relation with a moving image
+ ("synching") will be considered a Derivative Work for the purpose
+ of this License.
+ c. "Licensor" means the individual or entity that offers the Work
+ under the terms of this License.
+ d. "Original Author" means the individual or entity who created the
+ Work.
+ e. "Work" means the copyrightable work of authorship offered under
+ the terms of this License.
+ f. "You" means an individual or entity exercising rights under this
+ License who has not previously violated the terms of this License
+ with respect to the Work, or who has received express permission
+ from the Licensor to exercise rights under this License despite a
+ previous violation.
+ g. "License Elements" means the following high-level license
+ attributes as selected by Licensor and indicated in the title of
+ this License: Attribution, ShareAlike.
+
+ 2. Fair Use Rights. Nothing in this license is intended to reduce,
+ limit, or restrict any rights arising from fair use, first sale or
+ other limitations on the exclusive rights of the copyright owner under
+ copyright law or other applicable laws.
+
+ 3. License Grant. Subject to the terms and conditions of this License,
+ Licensor hereby grants You a worldwide, royalty-free, non-exclusive,
+ perpetual (for the duration of the applicable copyright) license to
+ exercise the rights in the Work as stated below:
+ a. to reproduce the Work, to incorporate the Work into one or more
+ Collective Works, and to reproduce the Work as incorporated in the
+ Collective Works;
+ b. to create and reproduce Derivative Works;
+ c. to distribute copies or phonorecords of, display publicly, perform
+ publicly, and perform publicly by means of a digital audio
+ transmission the Work including as incorporated in Collective
+ Works;
+ d. to distribute copies or phonorecords of, display publicly, perform
+ publicly, and perform publicly by means of a digital audio
+ transmission Derivative Works.
+ e. For the avoidance of doubt, where the work is a musical
+ composition:
+ i. Performance Royalties Under Blanket Licenses. Licensor waives
+ the exclusive right to collect, whether individually or via a
+ performance rights society (e.g. ASCAP, BMI, SESAC),
+ royalties for the public performance or public digital
+ performance (e.g. webcast) of the Work.
+ ii. Mechanical Rights and Statutory Royalties. Licensor waives
+ the exclusive right to collect, whether individually or via a
+ music rights society or designated agent (e.g. Harry Fox
+ Agency), royalties for any phonorecord You create from the
+ Work ("cover version") and distribute, subject to the
+ compulsory license created by 17 USC Section 115 of the US
+ Copyright Act (or the equivalent in other jurisdictions).
+ f. Webcasting Rights and Statutory Royalties. For the avoidance of
+ doubt, where the Work is a sound recording, Licensor waives the
+ exclusive right to collect, whether individually or via a
+ performance-rights society (e.g. SoundExchange), royalties for the
+ public digital performance (e.g. webcast) of the Work, subject to
+ the compulsory license created by 17 USC Section 114 of the US
+ Copyright Act (or the equivalent in other jurisdictions).
+
+ The above rights may be exercised in all media and formats whether now
+ known or hereafter devised. The above rights include the right to make
+ such modifications as are technically necessary to exercise the rights
+ in other media and formats. All rights not expressly granted by
+ Licensor are hereby reserved.
+
+ 4. Restrictions.The license granted in Section 3 above is expressly
+ made subject to and limited by the following restrictions:
+ a. You may distribute, publicly display, publicly perform, or
+ publicly digitally perform the Work only under the terms of this
+ License, and You must include a copy of, or the Uniform Resource
+ Identifier for, this License with every copy or phonorecord of the
+ Work You distribute, publicly display, publicly perform, or
+ publicly digitally perform. You may not offer or impose any terms
+ on the Work that alter or restrict the terms of this License or
+ the recipients' exercise of the rights granted hereunder. You may
+ not sublicense the Work. You must keep intact all notices that
+ refer to this License and to the disclaimer of warranties. You may
+ not distribute, publicly display, publicly perform, or publicly
+ digitally perform the Work with any technological measures that
+ control access or use of the Work in a manner inconsistent with
+ the terms of this License Agreement. The above applies to the Work
+ as incorporated in a Collective Work, but this does not require
+ the Collective Work apart from the Work itself to be made subject
+ to the terms of this License. If You create a Collective Work,
+ upon notice from any Licensor You must, to the extent practicable,
+ remove from the Collective Work any credit as required by clause
+ 4(c), as requested. If You create a Derivative Work, upon notice
+ from any Licensor You must, to the extent practicable, remove from
+ the Derivative Work any credit as required by clause 4(c), as
+ requested.
+ b. You may distribute, publicly display, publicly perform, or
+ publicly digitally perform a Derivative Work only under the terms
+ of this License, a later version of this License with the same
+ License Elements as this License, or a Creative Commons iCommons
+ license that contains the same License Elements as this License
+ (e.g. Attribution-ShareAlike 2.5 Japan). You must include a copy
+ of, or the Uniform Resource Identifier for, this License or other
+ license specified in the previous sentence with every copy or
+ phonorecord of each Derivative Work You distribute, publicly
+ display, publicly perform, or publicly digitally perform. You may
+ not offer or impose any terms on the Derivative Works that alter
+ or restrict the terms of this License or the recipients' exercise
+ of the rights granted hereunder, and You must keep intact all
+ notices that refer to this License and to the disclaimer of
+ warranties. You may not distribute, publicly display, publicly
+ perform, or publicly digitally perform the Derivative Work with
+ any technological measures that control access or use of the Work
+ in a manner inconsistent with the terms of this License Agreement.
+ The above applies to the Derivative Work as incorporated in a
+ Collective Work, but this does not require the Collective Work
+ apart from the Derivative Work itself to be made subject to the
+ terms of this License.
+ c. If you distribute, publicly display, publicly perform, or publicly
+ digitally perform the Work or any Derivative Works or Collective
+ Works, You must keep intact all copyright notices for the Work and
+ provide, reasonable to the medium or means You are utilizing: (i)
+ the name of the Original Author (or pseudonym, if applicable) if
+ supplied, and/or (ii) if the Original Author and/or Licensor
+ designate another party or parties (e.g. a sponsor institute,
+ publishing entity, journal) for attribution in Licensor's
+ copyright notice, terms of service or by other reasonable means,
+ the name of such party or parties; the title of the Work if
+ supplied; to the extent reasonably practicable, the Uniform
+ Resource Identifier, if any, that Licensor specifies to be
+ associated with the Work, unless such URI does not refer to the
+ copyright notice or licensing information for the Work; and in the
+ case of a Derivative Work, a credit identifying the use of the
+ Work in the Derivative Work (e.g., "French translation of the Work
+ by Original Author," or "Screenplay based on original Work by
+ Original Author"). Such credit may be implemented in any
+ reasonable manner; provided, however, that in the case of a
+ Derivative Work or Collective Work, at a minimum such credit will
+ appear where any other comparable authorship credit appears and in
+ a manner at least as prominent as such other comparable authorship
+ credit.
+
+ 5. Representations, Warranties and Disclaimer
+
+ UNLESS OTHERWISE AGREED TO BY THE PARTIES IN WRITING, LICENSOR OFFERS
+ THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND
+ CONCERNING THE MATERIALS, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE,
+ INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY,
+ FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF
+ LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF
+ ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW
+ THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY
+ TO YOU.
+
+ 6. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY
+ APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY
+ LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR
+ EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK,
+ EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+ 7. Termination
+ a. This License and the rights granted hereunder will terminate
+ automatically upon any breach by You of the terms of this License.
+ Individuals or entities who have received Derivative Works or
+ Collective Works from You under this License, however, will not
+ have their licenses terminated provided such individuals or
+ entities remain in full compliance with those licenses. Sections
+ 1, 2, 5, 6, 7, and 8 will survive any termination of this License.
+ b. Subject to the above terms and conditions, the license granted
+ here is perpetual (for the duration of the applicable copyright in
+ the Work). Notwithstanding the above, Licensor reserves the right
+ to release the Work under different license terms or to stop
+ distributing the Work at any time; provided, however that any such
+ election will not serve to withdraw this License (or any other
+ license that has been, or is required to be, granted under the
+ terms of this License), and this License will continue in full
+ force and effect unless terminated as stated above.
+
+ 8. Miscellaneous
+ a. Each time You distribute or publicly digitally perform the Work or
+ a Collective Work, the Licensor offers to the recipient a license
+ to the Work on the same terms and conditions as the license
+ granted to You under this License.
+ b. Each time You distribute or publicly digitally perform a
+ Derivative Work, Licensor offers to the recipient a license to the
+ original Work on the same terms and conditions as the license
+ granted to You under this License.
+ c. If any provision of this License is invalid or unenforceable under
+ applicable law, it shall not affect the validity or enforceability
+ of the remainder of the terms of this License, and without further
+ action by the parties to this agreement, such provision shall be
+ reformed to the minimum extent necessary to make such provision
+ valid and enforceable.
+ d. No term or provision of this License shall be deemed waived and no
+ breach consented to unless such waiver or consent shall be in
+ writing and signed by the party to be charged with such waiver or
+ consent.
+ e. This License constitutes the entire agreement between the parties
+ with respect to the Work licensed here. There are no
+ understandings, agreements or representations with respect to the
+ Work not specified here. Licensor shall not be bound by any
+ additional provisions that may appear in any communication from
+ You. This License may not be modified without the mutual written
+ agreement of the Licensor and You.
+
+ Creative Commons is not a party to this License, and makes no warranty
+ whatsoever in connection with the Work. Creative Commons will not be
+ liable to You or any party on any legal theory for any damages
+ whatsoever, including without limitation any general, special,
+ incidental or consequential damages arising in connection to this
+ license. Notwithstanding the foregoing two (2) sentences, if Creative
+ Commons has expressly identified itself as the Licensor hereunder, it
+ shall have all rights and obligations of Licensor.
+
+ Except for the limited purpose of indicating to the public that the
+ Work is licensed under the CCPL, neither party will use the trademark
+ "Creative Commons" or any related trademark or logo of Creative
+ Commons without the prior written consent of Creative Commons. Any
+ permitted use will be in compliance with Creative Commons'
+ then-current trademark usage guidelines, as may be published on its
+ website or otherwise made available upon request from time to time.
+
+ Creative Commons may be contacted at http://creativecommons.org/.
diff --git a/src/usr/local/share/protocols/aim.pat b/src/usr/local/share/protocols/aim.pat
new file mode 100644
index 0000000..5c43930
--- /dev/null
+++ b/src/usr/local/share/protocols/aim.pat
@@ -0,0 +1,28 @@
+# AIM - AOL instant messenger (OSCAR and TOC)
+# Pattern attributes: good slow notsofast
+# Protocol groups: chat proprietary
+# Wiki: http://www.protocolinfo.org/wiki/AIM
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 5190
+#
+# This may also match ICQ traffic.
+#
+# This pattern has been tested and is believed to work well.
+
+aim
+# See http://gridley.res.carleton.edu/~straitm/final (and various other places)
+# The first bit matches OSCAR signon and data commands, but not sure what
+# \x03\x0b matches, but it works apparently.
+# The next three bits match various parts of the TOC signon process.
+# The third one is the magic number "*", then 0x01 for "signon", then up to four
+# bytes ("up to" because l7-filter strips out nulls) which contain a sequence
+# number (2 bytes) the data length (2 more) and 3 nulls (which don't count),
+# then 0x01 for the version number (not sure if there ever has been another
+# version)
+# The fourth one is a command string, followed by some stuff, then the
+# beginning of the "roasted" password
+
+# This pattern is too slow!
+
+^(\*[\x01\x02].*\x03\x0b|\*\x01.?.?.?.?\x01)|flapon|toc_signon.*0x
diff --git a/src/usr/local/share/protocols/aimwebcontent.pat b/src/usr/local/share/protocols/aimwebcontent.pat
new file mode 100644
index 0000000..bc9a22d
--- /dev/null
+++ b/src/usr/local/share/protocols/aimwebcontent.pat
@@ -0,0 +1,10 @@
+# AIM web content - ads/news content downloaded by AOL Instant Messenger
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: chat document_retrieval proprietary
+# Wiki: http://www.protocolinfo.org/wiki/AIM
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested and is believed to work well.
+
+aimwebcontent
+user-agent:aim/
diff --git a/src/usr/local/share/protocols/any.pat b/src/usr/local/share/protocols/any.pat
new file mode 100644
index 0000000..56d8134
--- /dev/null
+++ b/src/usr/local/share/protocols/any.pat
@@ -0,0 +1,8 @@
+# Unknown - Dummy pattern for old unmatched connections.
+
+unknown
+# This pattern is ignored by the kernel. It sees that the "protocol" is
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+# "unknown" and always returns unmatched for connections that are still
+# being tested.
+.
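Review bot: The copyright line sits in the middle of the sentence that explains why this pattern is ignored, so the explanation reads as broken ("the "protocol" is / Copyright … / "unknown" and always returns unmatched"). Move `# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE` up to directly under the title comment, where the other pattern files in this commit keep it. The file is named any.pat while the protocol name inside is `unknown`, whereas the other files here use their basename as the protocol name. If the mismatch is intentional, a one-line comment saying so would save the next reader from treating it as a mistake.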
diff --git a/src/usr/local/share/protocols/applejuice.pat b/src/usr/local/share/protocols/applejuice.pat
new file mode 100644
index 0000000..eb552dc
--- /dev/null
+++ b/src/usr/local/share/protocols/applejuice.pat
@@ -0,0 +1,12 @@
+# Apple Juice - P2P filesharing - http://www.applejuicenet.de
+# Pattern attributes: great veryfast fast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/AppleJuice
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested with the Linux version (version
+# 0,29,142,229). It matches search reqests and file transfers.
+
+applejuice
+# this pattern extracted from ipp2p, by Eicke Friedrich.
+^ajprot\x0d\x0a
diff --git a/src/usr/local/share/protocols/ares.pat b/src/usr/local/share/protocols/ares.pat
new file mode 100644
index 0000000..32dc70d
--- /dev/null
+++ b/src/usr/local/share/protocols/ares.pat
@@ -0,0 +1,63 @@
+# Ares - P2P filesharing - http://aresgalaxy.sf.net
+# Pattern attributes: good veryfast fast undermatch
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/Ares
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# This pattern catches only client-server connect messages. This is
+# sufficient for blocking, but not for shaping, since it doesn't catch
+# the actual file transfers (see below).
+
+# Original pattern by Brandon Enright <bmenrigh at the server known as ucsd.edu>
+
+# This pattern has been tested with Ares 1.8.8.2998.
+
+ares
+# regular expression madness: "[]Z]" means ']' or 'Z'.
+^\x03[]Z].?.?\x05$
+
+# It appears that the general packet format is:
+# - Two byte little endian integer giving the data length
+# - One byte packet type
+# - data
+#
+# Login packets (TCP) have the following format:
+# - \x03\x00 (the length appears to always be 3)
+# - \x5a - The login packet type.
+# The source code suggests that for supernodes \x5d is used instead.
+# - Three more bytes. I don't know the meaning of these, but for me they
+# are always \x06\x06\x05 (in Ares 1.8.8.2998). From the comments in IPP2P,
+# it seems that they are not always exactly that, but seem to always end in
+# \x05.
+#
+# Search packets have the following format:
+# - Two byte little endian integer giving the data length
+# A single two letter word make this \x0a
+# The biggest I could get it was \x4f
+# - Packet type = \x09
+# - One byte document type:
+# - "all" = 00
+# - "audio" = 01
+# - "software" = 03
+# - "video" = 05
+# - "document" = 06
+# - "image" = 07
+# - "other" = 08
+# - \x0f - I don't know what this means, but it is always this for me
+# - Two bytes of unknown meaning that change
+# - Some number search words:
+# - \x14 - I don't know what this means, but it is always this for me
+# - One byte length of the first search word
+# Between 2 and \x14 in my tests with Ares 1.8.8.2998
+# It ignores single letter words and truncates ones longer than \x14
+# - Two bytes of unknown meaning that change
+# - The search word (not null terminated)
+# This was all investigated by searching for strings in "all". Searches
+# can also be performed in "title" and "author". I'm not going to
+# bother to research these because I new realize that searches are done
+# on the same TCP connection as the login packets, so there is no need
+# to match them separately.
+#
+# File transfers appear to be encrypted or at least obfuscated. (The
+# files themselves, at least, are not transmitted in the clear.) I
+# haven't found any patterns.
diff --git a/src/usr/local/share/protocols/armagetron.pat b/src/usr/local/share/protocols/armagetron.pat
new file mode 100644
index 0000000..a032410
--- /dev/null
+++ b/src/usr/local/share/protocols/armagetron.pat
@@ -0,0 +1,12 @@
+# Armagetron Advanced - open source Tron/snake based multiplayer game
+# Pattern attributes: good slow notsofast
+# Protocol groups: open_source game
+# Wiki: http://protocolinfo.org/wiki/Armagetron
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# Contributed to protocolinfo.org, possibly by joda.bot, who says "The
+# filter matches the initial transfer of configuration data. Very early
+# versions might not transfer the CYCLE_ Settings (before 0.2.5.x)."
+
+armagetron
+YCLC_E|CYEL
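Review bot: Nothing in the file explains why the literals `YCLC_E` and `CYEL` stand in for the `CYCLE_` settings the header comment mentions. They look like `CYCLE_` with adjacent bytes swapped at the two possible alignments, but that is an inference from the strings. A comment such as `# "CYCLE_" as seen on the wire with each byte pair swapped, at even and odd alignment (confirm against a capture)` would make the pattern reviewable. Both branches are unanchored and `CYEL` is only four bytes, so unrelated streams containing those bytes would also be classified as armagetron. The attributes line does not carry `overmatch`, which other files in this commit use to flag that.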
diff --git a/src/usr/local/share/protocols/audiogalaxy.pat b/src/usr/local/share/protocols/audiogalaxy.pat
new file mode 100644
index 0000000..db1999a
--- /dev/null
+++ b/src/usr/local/share/protocols/audiogalaxy.pat
@@ -0,0 +1,19 @@
+# Audiogalaxy - (defunct) Peer to Peer filesharing
+# Pattern attributes: ok fast fast
+# Protocol groups: p2p obsolete
+# Wiki: http://protocolinfo.org/wiki/Audiogalaxy
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# http://www.movspclr.co.uk/info/agprotocol.html
+#
+# This pattern is untested.
+#
+# To get or provide more information about this protocol and/or pattern:
+# http://www.protocolinfo.org/wiki/Audiogalaxy
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+audiogalaxy
+# (magic cookie that starts conversations)|(magic cookie that starts
+# 0.606W/0.608W client/server conversations and a string that should always
+# appear in login messages)
+^(\x45\x5f\xd0\xd5|\x45\x5f.*0.60(6|8)W)
diff --git a/src/usr/local/share/protocols/battlefield1942.pat b/src/usr/local/share/protocols/battlefield1942.pat
new file mode 100644
index 0000000..ed7a7bf
--- /dev/null
+++ b/src/usr/local/share/protocols/battlefield1942.pat
@@ -0,0 +1,14 @@
+# Battlefield 1942 - An EA game
+# Pattern attributes: ok veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Battlefield_1942
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Contributed by Myles Uyema <mylesuyema AT gmail.com>
+#
+# This pattern has only been tested by one person.
+
+# tested on two original EA battlefield 1942 servers
+# matches the first two packets of joining a server
+battlefield1942
+^\x01\x11\x10\|\xf8\x02\x10\x40\x06
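Review bot: The `\|` in the middle of the pattern is ambiguous to a reader, and the comment "matches the first two packets" does not settle it. By analogy with `\?` and `\)` in other patterns in this commit, it reads as an escaped literal `|` byte (0x7c), which makes the whole line one nine-byte sequence rather than two alternatives. If that is the intent, say so with `# \| is a literal 0x7c byte, not alternation; the pattern is one contiguous sequence`. If two alternatives were meant, the second one is currently not anchored the way the comment implies and the pattern needs `^(…|…)`.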
diff --git a/src/usr/local/share/protocols/battlefield2.pat b/src/usr/local/share/protocols/battlefield2.pat
new file mode 100644
index 0000000..e2d8791
--- /dev/null
+++ b/src/usr/local/share/protocols/battlefield2.pat
@@ -0,0 +1,26 @@
+# Battlefield 2 - An EA game.
+# Pattern attributes: ok slow notsofast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Battlefield_2
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern is unconfirmed except implicitly by a comment on protocolinfo.
+
+battlefield2
+# gameplay|account-login|server browsing/information
+# See http://protocolinfo.org/wiki/Battlefield_2
+# Can we put a ^ on the last branch? If so, nosofast --> veryfast
+
+# 193.85.217.35 on protocolinfo says:
+# The first part of the pattern, \x11\x20\x01\xa0\x98\x11, has to be
+# modified for different version of Battlefield 2. The gameplay part of
+# pattern for BF2 v1.4 is \x11\x20\x01\x30\xb9\x10\x11, and for BF2
+# v1.41 is \x11\x20\x01\x50\xb9\x10\x11
+#
+# Rather than put all of those in, I've just gone with "...?" in the
+# middle.
+
+^(\x11\x20\x01...?\x11|\xfe\xfd.?.?.?.?.?.?(\x14\x01\x06|\xff\xff\xff))|[]\x01].?battlefield2
+
+# Pattern prior to 193.85.217.35's comment on protocolinfo:
+#^(\x11\x20\x01\xa0\x98\x11|\xfe\xfd.?.?.?.?.?.?(\x14\x01\x06|\xff\xff\xff))|[]\x01].?battlefield2
diff --git a/src/usr/local/share/protocols/battlefield2142.pat b/src/usr/local/share/protocols/battlefield2142.pat
new file mode 100644
index 0000000..4c0e42b
--- /dev/null
+++ b/src/usr/local/share/protocols/battlefield2142.pat
@@ -0,0 +1,14 @@
+# Battlefield 2142 - An EA game.
+# Pattern attributes: ok fast fast
+# Protocol groups: proprietary game
+# Wiki: http://protocolinfo.org/wiki/Battlefield_2142
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# Submitted by Telsin. Not confirmed.
+
+battlefield2142
+# gameplay|account-login|server browsing/information
+# Can't put a ^ on the last branch: it fails to match if you do.
+# This branch seems to matter very rarely, though
+^(\x11\x20\x01\x90\x50\x64\x10|\xfe\xfd.?.?.?\x18|[\x01\\].?battlefield2)
+
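Review bot: The comment "Can't put a ^ on the last branch: it fails to match if you do" contradicts the pattern, because `[\x01\\].?battlefield2` sits inside the parentheses that follow `^` and is therefore anchored. battlefield2.pat in this commit keeps the equivalent branch outside the group. If the comment is right, the pattern should be `^(\x11\x20\x01\x90\x50\x64\x10|\xfe\xfd.?.?.?\x18)|[\x01\\].?battlefield2`, and `fast fast` in the attributes line needs revisiting. If the pattern is right, the comment is stale and should go. The bracket set also differs from battlefield2.pat (`[\x01\\]` here, `[]\x01]` there) for what looks like the same server-browsing branch, so one of the two probably wants a comment or a fix.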
diff --git a/src/usr/local/share/protocols/bgp.pat b/src/usr/local/share/protocols/bgp.pat
new file mode 100644
index 0000000..61e417f
--- /dev/null
+++ b/src/usr/local/share/protocols/bgp.pat
@@ -0,0 +1,19 @@
+# BGP - Border Gateway Protocol - RFC 1771
+# Pattern attributes: ok veryfast fast
+# Protocol groups: networking ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/BGP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern is UNTESTED.
+
+bgp
+# "After a transport protocol connection is established, the first
+# message sent by each side is an OPEN message."
+# "If the Type of the message is OPEN, or if the Authentication Code used
+# in the OPEN message of the connection is zero, then the Marker must be
+# all ones."
+# Then the 2 byte length field, then the 1 byte type field (1 = OPEN).
+# Then the BGP version: 3 was RFC'd in 1991, 4 was RFC'd in 1995.
+# Could keep going, but that should be sufficient.
+^\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff..?\x01[\x03\x04]
+
diff --git a/src/usr/local/share/protocols/biff.pat b/src/usr/local/share/protocols/biff.pat
new file mode 100644
index 0000000..91e8bbf
--- /dev/null
+++ b/src/usr/local/share/protocols/biff.pat
@@ -0,0 +1,16 @@
+# Biff - new mail notification
+# Pattern attributes: good fast fast undermatch overmatch
+# Protocol groups: mail
+# Wiki: http://www.protocolinfo.org/wiki/Biff
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 512
+#
+# This pattern is completely untested.
+
+biff
+# This is a rare case where we will specify a $ (end of line), since
+# this is the entirety of the communication.
+# something that looks like a username, an @, a number.
+# won't catch usernames that have strange characters in them.
+^[a-z][a-z0-9]+@[1-9][0-9]+$
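Review bot: Both `+` quantifiers demand at least two characters, so a one-letter user name or a single-digit number after the `@` never matches. The comment describes only "something that looks like a username, an @, a number". If short values are valid on the wire, `^[a-z][a-z0-9]*@[1-9][0-9]*$` covers them while still rejecting a leading zero. If the two-character minimum is deliberate to limit the `overmatch` already listed in the attributes, add a comment saying so. A rule of this shape also matches any other stream whose entire content looks like `name@digits`.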
diff --git a/src/usr/local/share/protocols/bittorrent.pat b/src/usr/local/share/protocols/bittorrent.pat
new file mode 100644
index 0000000..c66f867
--- /dev/null
+++ b/src/usr/local/share/protocols/bittorrent.pat
@@ -0,0 +1,25 @@
+# Bittorrent - P2P filesharing / publishing tool - http://www.bittorrent.com
+# Pattern attributes: good slow notsofast undermatch
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/Bittorrent
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested and is believed to work well.
+# It will, however, not work on bittorrent streams that are encrypted, since
+# it's impossible to match (well) encrypted data.
+
+bittorrent
+
+# Does not attempt to match the HTTP download of the tracker
+# 0x13 is the length of "bittorrent protocol"
+# Second two bits match UDP wierdness
+# Next bit matches something Azureus does
+# Ditto on the next bit. Could also match on "user-agent: azureus", but that's in the next
+# packet and perhaps this will match multiple clients.
+# bitcomet-specific strings contributed by liangjun.
+
+# This is not a valid GNU basic regular expression (but that's ok).
+^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=|get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]
+
+# This pattern is "fast", but won't catch as much
+#^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=)
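Review bot: The HTTP branches mix case: `get /scrape\?info_hash=`, `get /announce\?info_hash=` and `get /client/bitcomet/` are lowercase while `GET /data\?fid=` is uppercase. Unless the matcher is case-insensitive, one of the two groups cannot match a real request line; if it is case-insensitive, the mix only misleads readers. Pick one case and state the matcher's behaviour in a comment, e.g. `# matching is case-insensitive; literals are written in lowercase` (confirm against the engine first). The explanatory comments ("Second two bits…", "Next bit…") no longer line up with the eight branches of the active pattern, so a per-branch comment would make the unanchored tail `d1:ad2:id20:|\x08'7P\)[RP]` easier to audit.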
diff --git a/src/usr/local/share/protocols/chikka.pat b/src/usr/local/share/protocols/chikka.pat
new file mode 100644
index 0000000..a97ef28
--- /dev/null
+++ b/src/usr/local/share/protocols/chikka.pat
@@ -0,0 +1,17 @@
+# Chikka - SMS service which can be used without phones - http://chikka.com
+# Pattern attributes: good fast fast superset
+# Protocol groups: proprietary chat
+# Wiki: http://www.protocolinfo.org/wiki/Chikka
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# Tested with Chikka Javalite on 14 Jan 2007.
+# The login and chat use the same TCP connection.
+
+# "Kamusta" means "Hello" in Tagalog, apparently, so that will probably
+# stay the same. I've only seen v1.2, but I've given it some leeway for
+# past and future versions.
+
+# Chikka uses CIMD as part of the login process, see cimd.pat
+
+chikka
+^CTPv1\.[123] Kamusta.*\x0d\x0a$
diff --git a/src/usr/local/share/protocols/cimd.pat b/src/usr/local/share/protocols/cimd.pat
new file mode 100644
index 0000000..f508350
--- /dev/null
+++ b/src/usr/local/share/protocols/cimd.pat
@@ -0,0 +1,19 @@
+# Computer Interface to Message Distribution, an SMSC protocol by Nokia
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: proprietary chat
+# Wiki: http://www.protocolinfo.org/wiki/CIMD
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# I don't know whether CIMD is ever found by itself in a TCP connection.
+# I have only seen it myself as part of the Chikka login process, in
+# which the second and third packets (at least) are CIMD. So I am not
+# using a '^' at the beginning.
+#
+# This pretty well explains the pattern:
+# http://en.wikipedia.org/w/index.php?title=CIMD&oldid=42707583
+# However, Chikka does NOT terminate the last field with a tab.
+#
+# Tested with Chikka Javalite on 14 Jan 2007.
+
+cimd
+\x02[0-4][0-9]:[0-9]+.*\x03$
diff --git a/src/usr/local/share/protocols/ciscovpn.pat b/src/usr/local/share/protocols/ciscovpn.pat
new file mode 100644
index 0000000..d3dd7a6
--- /dev/null
+++ b/src/usr/local/share/protocols/ciscovpn.pat
@@ -0,0 +1,11 @@
+# Cisco VPN - VPN client software to a Cisco VPN server
+# Pattern attributes: ok veryfast fast
+# Protocol groups: remote_access proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Cisco_VPN
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern contributed by Myles Uyema <myles AT uyema.net>
+
+ciscovpn
+^\x01\xf4\x01\xf4
+
diff --git a/src/usr/local/share/protocols/citrix.pat b/src/usr/local/share/protocols/citrix.pat
new file mode 100644
index 0000000..fa73ce1
--- /dev/null
+++ b/src/usr/local/share/protocols/citrix.pat
@@ -0,0 +1,12 @@
+# Citrix ICA - proprietary remote desktop application - http://citrix.com
+# Pattern attributes: marginal notsofast notsofast
+# Protocol groups: remote_access proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Citrix
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern is UNTESTED.
+
+# This is based on decode_citrix in dsniff 2.4.
+
+citrix
+\x32\x26\x85\x92\x58
diff --git a/src/usr/local/share/protocols/code_red.pat b/src/usr/local/share/protocols/code_red.pat
new file mode 100644
index 0000000..df0beee
--- /dev/null
+++ b/src/usr/local/share/protocols/code_red.pat
@@ -0,0 +1,8 @@
+# Code Red - a worm that attacks Microsoft IIS web servers
+# Pattern attributes: ok fast notsofast subset
+# Protocol groups: worm
+# Wiki: http://www.protocolinfo.org/wiki/CodeRed
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+code_red
+/default\.ida\?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
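Review bot: This file has no comment saying what the signature covers or whether it was tested, unlike most other pattern files in this commit. The pattern is a single literal: `/default.ida?`, a fixed run of `N`, then one fixed `%u…` sequence. Any request that differs in padding character, padding length or encoding is not classified, which is presumably what `subset` in the attributes line means. Suggest adding `# Matches only this exact N-padded default.ida request; requests with different padding are not matched.` plus a tested/untested line. Anyone using the match for blocking or alerting then knows it is a narrow signature and not coverage for the underlying IIS flaw.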
diff --git a/src/usr/local/share/protocols/counterstrike-source.pat b/src/usr/local/share/protocols/counterstrike-source.pat
new file mode 100644
index 0000000..8ebd627
--- /dev/null
+++ b/src/usr/local/share/protocols/counterstrike-source.pat
@@ -0,0 +1,42 @@
+# Counterstrike (using the new "Source" engine) - network game
+# Pattern attributes: good veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Counter-Strike
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# By adam.randazzoATgmail.com
+
+counterstrike-source
+^\xff\xff\xff\xff.*cstrikeCounter-Strike
+
+# These games use Steam, which is developed by Valve Software.
+#
+# This was based off of the following captured data from ethereal:
+# --Source--
+# 0000 00 11 09 2a a8 79 00 13 10 2c 3f d7 08 00 45 20 ...*.y...,?...E
+# 0010 00 72 b9 f6 00 00 6b 11 b6 78 18 0e 04 cc c0 a8 .r....k..x......
+# 0020 01 6a 69 87 04 65 00 5e 01 ac ff ff ff ff 49 07 .ji..e.^......I.
+# 0030 54 4a 27 73 20 50 6c 61 63 65 20 6f 66 20 50 61 TJ's Place of Pa
+# 0040 69 6e 00 64 65 5f 70 69 72 61 6e 65 73 69 00 63 in.de_piranesi.c
+# 0050 73 74 72 69 6b 65 00 43 6f 75 6e 74 65 72 2d 53 strike.Counter-S
+# 0060 74 72 69 6b 65 3a 20 53 6f 75 72 63 65 00 dc 00 trike: Source...
+# 0070 08 10 06 64 77 00 00 31 2e 30 2e 30 2e 31 38 00 ...dw..1.0.0.18.
+# 0080
+#
+# --1.6--
+# 0000 00 11 09 2a a8 79 00 13 10 2c 3f d7 08 00 45 00 ...*.y...,?...E.
+# 0010 00 8e c4 1a 00 00 76 11 b3 85 08 09 02 fa c0 a8 ......v.........
+# 0020 01 14 69 91 04 37 00 7a c9 90 ff ff ff ff 6d 38 ..i..7.z......m8
+# 0030 2e 39 2e 32 2e 32 35 30 3a 32 37 30 32 35 00 49 .9.2.250:27025.I
+# 0040 50 20 2d 20 43 6c 61 6e 20 73 65 72 76 65 72 00 P - Clan server.
+# 0050 64 65 5f 64 75 73 74 32 00 63 73 74 72 69 6b 65 de_dust2.cstrike
+# 0060 00 43 6f 75 6e 74 65 72 2d 53 74 72 69 6b 65 00 .Counter-Strike.
+# 0070 0a 0c 2f 64 77 00 01 77 77 77 2e 63 6f 75 6e 74 ../dw..www.count
+# 0080 65 72 2d 73 74 72 69 6b 65 2e 6e 65 74 00 00 00 er-strike.net...
+# 0090 01 00 00 00 00 9e f7 0a 00 01 00 00 ............
+
+
+# Old pattern. (Adam Randazzo says "CS 1.6 and CS: Source are the
+# only two versions that are playable on the Internet since Valve
+# disabled the WON system in favor of steam.")
+# cs .*dl.www.counter-strike.net
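Review bot: The pattern `cstrikeCounter-Strike` has no byte between the two strings, while both captures below it show a `00` separator (`63 73 74 72 69 6b 65 00 43 6f …`). It therefore only matches if NUL bytes are removed before matching. aim.pat in this commit mentions that l7-filter strips nulls, but this file does not. Add a comment next to the pattern such as `# the 0x00 between "cstrike" and "Counter-Strike" in the capture is stripped before matching`. dayofdefeat-source.pat (`dodDay of Defeat`) appears to rely on the same assumption and would benefit from the same comment. If these files are ever used with a matcher that keeps NULs, both patterns silently stop matching.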
diff --git a/src/usr/local/share/protocols/cvs.pat b/src/usr/local/share/protocols/cvs.pat
new file mode 100644
index 0000000..fc084d3
--- /dev/null
+++ b/src/usr/local/share/protocols/cvs.pat
@@ -0,0 +1,14 @@
+# CVS - Concurrent Versions System
+# Pattern attributes: good veryfast fast
+# Protocol groups: version_control open_source
+# Wiki: http://www.protocolinfo.org/wiki/CVS
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+cvs
+
+# Matches pserver login. AUTH is for actually starting the protocol
+# VERIFICATION is for authenticating without starting the protocols
+# and GSSAPI is for using security services such as kerberos.
+# http://www.loria.fr/~molli/cvs/doc/cvsclient_3.html
+
+^BEGIN (AUTH|VERIFICATION|GSSAPI) REQUEST\x0a
diff --git a/src/usr/local/share/protocols/dayofdefeat-source.pat b/src/usr/local/share/protocols/dayofdefeat-source.pat
new file mode 100644
index 0000000..42b24bb
--- /dev/null
+++ b/src/usr/local/share/protocols/dayofdefeat-source.pat
@@ -0,0 +1,11 @@
+# Day of Defeat: Source - game (Half-Life 2 mod) - http://www.valvesoftware.com
+# Pattern attributes: good veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Day_of_Defeat:Source
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# By Clayton Macleod <cherry twist at gmail dot com>
+
+dayofdefeat-source
+^\xff\xff\xff\xff.*dodDay of Defeat
+
diff --git a/src/usr/local/share/protocols/dazhihui.pat b/src/usr/local/share/protocols/dazhihui.pat
new file mode 100644
index 0000000..032440c
--- /dev/null
+++ b/src/usr/local/share/protocols/dazhihui.pat
@@ -0,0 +1,11 @@
+# Dazhihui - stock analysis and trading; Chinese - http://www.gw.com.cn
+# Pattern attributes: fast fast ok
+# Protocol groups:
+# Wiki: http://www.protocolinfo.org/wiki/Dazhihui
+# Copyright (C) 2009 Matthew Strait; See ../LICENSE
+
+# Pattern contributed by liangjun without comment.
+
+dazhihui
+^(longaccoun|qsver2auth|\x35[57]\x30|\+\x10\*)
+
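Review bot: The third alternative in the pattern, `\x35[57]\x30`, is just the ASCII text `550` or `570` anchored at the start of the connection, so it is far less specific than `longaccoun` or `qsver2auth`. A text protocol whose first bytes happen to be those digits would presumably be classified as dazhihui too, and the file gives no capture or explanation to judge that against (the header also leaves `Protocol groups:` empty). I would add a comment above the pattern such as `# \x35[57]\x30 == "550"/"570"; may also match other text protocols that open with these digits, so pair with an address or port match`.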
diff --git a/src/usr/local/share/protocols/dhcp.pat b/src/usr/local/share/protocols/dhcp.pat
new file mode 100644
index 0000000..426480d
--- /dev/null
+++ b/src/usr/local/share/protocols/dhcp.pat
@@ -0,0 +1,36 @@
+# DHCP - Dynamic Host Configuration Protocol - RFC 1541
+# Pattern attributes: good veryfast fast
+# Protocol groups: networking ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/DHCP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on ports 67 (server) and 68 (client)
+#
+# Also matches BOOTP (Bootstrap Protocol (RFC 951)) in the case that
+# the "vendor specific options" are used (these options were made standard
+# for DHCP).
+#
+# This pattern is lightly tested.
+
+dhcp
+^[\x01\x02][\x01- ]\x06.*c\x82sc
+
+# Let's break that down:
+#
+# (\x01|\x02) is for BOOTREQUEST or BOOTREPLY
+# Is there a demand for doing these separately? The Packeteer does.
+#
+# [\x01-\x20] is for any of the hardware address types listed at
+# (http://www.iana.org/assignments/arp-parameters) and hopefully faster
+# ethernets too (100, 1000 and 10000mb) as well (do they share the 10mb
+# number?).
+#
+# \x06 for "hardware address length = 6 bytes". Does anyone use other lengths
+# these days? If so, this pattern won't match it as it stands.
+#
+# .* covers the hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
+# chaddr, sname and file fields. While this can't really be "any number
+# of characters" long, it doesn't seem worth it to count.
+# Can we make this more specific by restricting the number of hops or seconds?
+#
+# 0x63825363 is the "magic cookie" which begins the DHCP options field.
diff --git a/src/usr/local/share/protocols/directconnect.pat b/src/usr/local/share/protocols/directconnect.pat
new file mode 100644
index 0000000..13be4a1
--- /dev/null
+++ b/src/usr/local/share/protocols/directconnect.pat
@@ -0,0 +1,14 @@
+# Direct Connect - P2P filesharing - http://www.neo-modus.com
+# Pattern attributes: good fast fast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Direct_Connect
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Direct Connect "hubs" listen on port 411
+# http://www.dcpp.net/wiki/
+# I've verified that this pattern can be used to limit direct connect
+# bandwidth using DC:PRO 0.2.3.149R11.
+
+directconnect
+# client-to-client handshake|client-to-hub login, hub speaking|client-to-hub login, client speaking
+^(\$mynick |\$lock |\$key )
diff --git a/src/usr/local/share/protocols/dns.pat b/src/usr/local/share/protocols/dns.pat
new file mode 100644
index 0000000..c351831
--- /dev/null
+++ b/src/usr/local/share/protocols/dns.pat
@@ -0,0 +1,63 @@
+# DNS - Domain Name System - RFC 1035
+# Pattern attributes: great slow fast
+# Protocol groups: networking ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/DNS
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# Thanks to Sebastien Bechet <s.bechet AT av7.net> for TLD detection
+# improvements
+
+# While RFC 2181 says "Occasionally it is assumed that the Domain Name
+# System serves only the purpose of mapping Internet host names to data,
+# and mapping Internet addresses to host names. This is not correct, the
+# DNS is a general (if somewhat limited) hierarchical database, and can
+# store almost any kind of data, for almost any purpose.", we will assume
+# just that, because that represents the vast majority of DNS traffic.
+
+# The packet starts with a 2 byte random ID number and 2 bytes of flags that
+# aren't easy to match on.
+
+# The first thing that is matchable is QDCOUNT, the number of queries.
+# Despite the fact that you can apparently ask for up to 65535
+# things at a time, usually you only ask for one and I doubt you ever ask for
+# zero. Let's allow up to two, just in case (even though I can't find any
+# situation that generates more than one).
+
+# Next comes the ANCOUNT, NSCOUNT, and ARCOUNT fields, which could be null
+# or some smallish number, not matchable except by length (up to 6)
+
+# The next matchable thing is the query address. The first byte indicates the
+# length of the first part of the address, which is limited to 63 (0x3F == '?').
+# The next byte has to be a letter (for domain names) or number (for reverse lookups).
+# Then there can be an combination of
+# letters, digits, hyphens, and 0x01-0x3F length markers.
+# Then we check for the presence of a top-level-domain at some later point.
+# This is indicated by a 0x02-0x06 and at least two letters, followed by no
+# more than four more letters.
+# Note that this will miss a very few queries that are for a TLD alone.
+# i.e. "host museum" (195.7.77.17)
+#
+# http://www.icann.org/tlds http://www.iana.org/cctld/cctld-whois.htm
+
+# next is the QTYPE field, which has valid values 1-16 (although this
+# could probably be restricted further since many are rare) and \x1c for
+# IPv6 (and maybe more?). It should follow immediately after the TLD
+# (and some stripped-out nulls)
+
+# next is QCLASS, which has valid values 1-4 and 255, except 2 is never used.
+# I'm not sure if 3 and 4 are used, so I'll include them. 1=Internet 255=any
+
+# If we wanted to match queries and responses separately, there could be
+# more specifics after this for the responses.
+
+dns
+# here's a sane way of doing it
+^.?.?.?.?[\x01\x02].?.?.?.?.?.?[\x01-?][a-z0-9][\x01-?a-z]*[\x02-\x06][a-z][a-z][fglmoprstuvz]?[aeop]?(um)?[\x01-\x10\x1c][\x01\x03\x04\xFF]
+
+# This way assumes that TLDs are any alpha string 2-6 characters long.
+# If TLDs are added, this is a good fallback.
+#^.?.?.?.?[\x01\x02].?.?.?.?.?.?[\x01-?][a-z0-9][\x01-?a-z]*[\x02-\x06][a-z][a-z][a-z]?[a-z]?[a-z]?[a-z]?[\x01-\x10][\x01\x03\x04\xFF]
+
+# If you have more processing power than me, you can substitute this for
+# the [a-z][a-z][a-z]?[a-z]?[a-z]?[a-z]?
+#(aero|arpa|biz|com|coop|edu|gov|info|int|mil|museum|name|net|org|pro|arpa|ac|ad|ae|af|ag|ai|al|am|an|ao|aq|ar|as|at|au|aw|az|ba|bb|bd|be|bf|bg|bh|bi|bj|bm|bn|bo|br|bs|bt|bv|bw|by|bz|ca|cc|cd|cf|cg|ch|ci|ck|cl|cm|cn|co|cr|cu|cv|cx|cy|cz|de|dj|dk|dm|do|dz|ec|ee|eg|eh|er|es|et|fi|fj|fk|fm|fo|fr|ga|gd|ge|gf|gg|gh|gi|gl|gm|gn|gp|gq|gr|gs|gt|gu|gw|gy|hk|hm|hn|hr|ht|hu|id|ie|il|im|in|io|iq|ir|is|it|je|jm|jo|jp|ke|kg|kh|ki|km|kn|kp|kr|kw|ky|kz|la|lb|lc|li|lk|lr|ls|lt|lu|lv|ly|ma|mc|md|mg|mh|mk|ml|mm|mn|mo|mp|mq|mr|ms|mt|mu|mv|mw|mx|my|mz|na|nc|ne|nf|ng|ni|nl|no|np|nr|nu|nz|om|pa|pe|pf|pg|ph|pk|pl|pm|pn|pr|ps|pt|pw|py|qa|re|ro|ru|rw|sa|sb|sc|sd|se|sg|sh|si|sj|sk|sl|sm|sn|so|sr|st|sv|sy|sz|tc|td|tf|tg|th|tj|tk|tm|tn|to|tp|tr|tt|tv|tw|tz|ua|ug|uk|um|us|uy|uz|va|vc|ve|vg|vi|vn|vu|wf|ws|ye|yt|yu|za|zm|zw)
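Review bot: The active pattern only accepts a TLD whose length byte is `[\x02-\x06]` and whose third and fourth letters come from `[fglmoprstuvz]` and `[aeop]`, so a query under a TLD outside that shape is not classified as dns; the same goes for any QTYPE other than 1-16 and `\x1c`. A rule set that shapes or permits traffic by this match will treat such lookups as unclassified, which deserves a line in the header next to the "TLD alone" caveat. The commented-out fallback also ends in `[\x01-\x10]` without `\x1c`, so enabling it as the comment suggests would stop matching the IPv6 query type that the active pattern accepts; its tail should read `[\x01-\x10\x1c][\x01\x03\x04\xFF]`.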
diff --git a/src/usr/local/share/protocols/doom3.pat b/src/usr/local/share/protocols/doom3.pat
new file mode 100644
index 0000000..7d32d6f
--- /dev/null
+++ b/src/usr/local/share/protocols/doom3.pat
@@ -0,0 +1,10 @@
+# Doom 3 - computer game
+# Pattern attributes: good veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Doom
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Thanks to Clayton Macleod (cherrytwist at gmail.com).
+
+doom3
+^\xff\xffchallenge
diff --git a/src/usr/local/share/protocols/edonkey.pat b/src/usr/local/share/protocols/edonkey.pat
new file mode 100644
index 0000000..bc2522e
--- /dev/null
+++ b/src/usr/local/share/protocols/edonkey.pat
@@ -0,0 +1,37 @@
+# eDonkey2000 - P2P filesharing - http://edonkey2000.com and others
+# Pattern attributes: good fast fast overmatch
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/EDonkey
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Tested recently (April/May 2006) with eMule 0.47a and eDonkey2000 1.4
+# and a long time ago with something else.
+#
+# In addition to matching what you might expect, this matches much of
+# what eMule does when you tell it to only connect to the KAD network.
+# I don't quite know what to make of this.
+
+# Thanks to Matt Skidmore <fox AT woozle.org>
+
+edonkey
+
+# http://gd.tuwien.ac.at/opsys/linux/sf/p/pdonkey/eDonkey-protocol-0.6
+#
+# In addition to \xe3, \xc5 and \xd4, I see a lot of \xe5.
+# As of April 2006, I also see some \xe4.
+#
+# God this is a mess. What an irritating protocol.
+# This will match about 2% of streams with random data in them!
+# (But fortunately much fewer than 2% of streams that are other protocols.
+# You can test this with the data in ../testing/)
+
+^[\xc5\xd4\xe3-\xe5].?.?.?.?([\x01\x02\x05\x14\x15\x16\x18\x19\x1a\x1b\x1c\x20\x21\x32\x33\x34\x35\x36\x38\x40\x41\x42\x43\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58[\x60\x81\x82\x90\x91\x93\x96\x97\x98\x99\x9a\x9b\x9c\x9e\xa0\xa1\xa2\xa3\xa4]|\x59................?[ -~]|\x96....$)
+
+# matches everything and too much
+# ^(\xe3|\xc5|\xd4)
+
+# ipp2p essentially uses "\xe3....\x47", which doesn't seem at all right to me.
+
+# bandwidtharbitrator uses
+# e0.*@.*6[a-z].*p$|e0.*@.*[a-z]6[a-z].*p0$|e.*@.*[0-9]6.*p$|emule|edonkey
+# no comments to explain what all the mush is, of course...
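Review bot: The opcode class in the first alternative contains an unescaped `[` between `\x58` and `\x60`, which looks like a typo. Most regex engines read a `[` inside a bracket expression as a literal 0x5b, so it would silently add one more accepted byte to a pattern the comments already say matches about 2% of random streams. If 0x5b is not an intended opcode the class should run `...\x57\x58\x60\x81...`; if it is, writing it as `\x5b` would make that explicit. Given the `overmatch` attribute, the header could also state that a match on its own is weak evidence of eDonkey traffic.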
diff --git a/src/usr/local/share/protocols/exe.pat b/src/usr/local/share/protocols/exe.pat
new file mode 100644
index 0000000..0a16e2a
--- /dev/null
+++ b/src/usr/local/share/protocols/exe.pat
@@ -0,0 +1,20 @@
+# Executable - Microsoft PE file format.
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+# Thanks to Brandon Enright [bmenrighATucsd.edu]
+
+# This pattern doesn't techincally match the PE file format but rather the
+# MZ stub program Microsoft uses for backwards compatibility with DOS.
+# That means this will correctly match DOS executables too.
+
+exe
+# There are two different stubs used depending on the compiler/packer.
+# Numerous NULL bytes have been stripped from this pattern.
+
+# This pattern may be more efficient:
+# \x4d\x5a\x90\x03\x04|\x4d\x5a\x50\x02\x04
+
+# This is easier to understand:
+\x4d\x5a(\x90\x03|\x50\x02)\x04
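Review bot: The header should say that this is a classification aid and not a control for stopping executables, because the pattern recognises only two MZ stub headers, is not anchored with `^`, and can only see what the engine inspects in cleartext. Anything that is not one of those two byte sequences in the inspected data is simply not matched, and the `subset` attribute does not convey that to someone writing a block rule. I would add `# Classification aid only: matches two known MZ stubs in cleartext; do not rely on it as the sole control for blocking executables.` above the `exe` line.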
diff --git a/src/usr/local/share/protocols/fasttrack.pat b/src/usr/local/share/protocols/fasttrack.pat
new file mode 100644
index 0000000..6ed8ff1
--- /dev/null
+++ b/src/usr/local/share/protocols/fasttrack.pat
@@ -0,0 +1,23 @@
+# FastTrack - P2P filesharing (Kazaa, Morpheus, iMesh, Grokster, etc)
+# Pattern attributes: good slow notsofast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Fasttrack
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Tested with Kazaa Lite Resurrection 0.0.7.6F
+#
+# This appears to match the download connections well, but not the search
+# connections (I think they are encrypted :-( ).
+
+fasttrack
+# while this is a valid http request, this will be caught because
+# the http pattern matches the response (and therefore the next packet)
+# Even so, it's best to put this match earlier in the chain.
+# http://cvs.berlios.de/cgi-bin/viewcvs.cgi/gift-fasttrack/giFT-FastTrack/PROTOCOL?rev=HEAD&content-type=text/vnd.viewcvs-markup
+
+# This pattern is kinda slow, but not too bad.
+^get (/.download/[ -~]*|/.supernode[ -~]|/.status[ -~]|/.network[ -~]*|/.files|/.hash=[0-9a-f]*/[ -~]*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?
+
+# This isn't much faster:
+#^get (/.download/.*|/.supernode.|/.status.|/.network.*|/.files|/.hash=[0-9a-f]*/.*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?
+
diff --git a/src/usr/local/share/protocols/finger.pat b/src/usr/local/share/protocols/finger.pat
new file mode 100644
index 0000000..f567f8c
--- /dev/null
+++ b/src/usr/local/share/protocols/finger.pat
@@ -0,0 +1,15 @@
+# Finger - User information server - RFC 1288
+# Pattern attributes: good slow slow undermatch overmatch
+# Protocol groups: ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/Finger
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 79
+#
+# This pattern is lightly tested.
+
+finger
+# The first matches the client request, which should look like a username.
+# The second matches the usual UNIX reply (but remember that they are
+# allowed to say whatever they want)
+^[a-z][a-z0-9\-_]+\x0d\x0a|login: [\x09-\x0d -~]* name: [\x09-\x0d -~]* Directory:
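Review bot: The first alternative, `^[a-z][a-z0-9\-_]+\x0d\x0a`, accepts any connection that opens with a single word followed by CRLF, so it is the likely source of the `overmatch` attribute and should only be used together with a port 79 match. Whether `\-` inside the bracket expression means a literal hyphen depends on the regex engine; in POSIX syntax the backslash is literal and `\-_` reads as a range. Writing the class as `[a-z0-9_-]` avoids the ambiguity.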
diff --git a/src/usr/local/share/protocols/flash.pat b/src/usr/local/share/protocols/flash.pat
new file mode 100644
index 0000000..23e5d74
--- /dev/null
+++ b/src/usr/local/share/protocols/flash.pat
@@ -0,0 +1,18 @@
+# Flash - Macromedia Flash.
+# Pattern attributes: good slow notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+# Thanks to Brandon Enright {bmenrigh AT ucsd.edu} and chinalantian at
+# 126 dot com
+
+# Macromedia spec:
+# http://download.macromedia.com/pub/flash/flash_file_format_specification.pdf
+# See also:
+# http://www.digitalpreservation.gov/formats/fdd/fdd000130.shtml
+# http://osflash.org/flv
+
+flash
+# FWS = uncompressed, CWS = compressed, next byte is version number
+# FLV = video
+[FC]WS[\x01-\x09]|FLV\x01\x05\x09
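Review bot: The version class `[\x01-\x09]` after `[FC]WS` stops at 9, and the FLV alternative requires the exact byte `\x05` after the version (the flags byte, if I read the FLV header layout correctly), so SWF files declaring a later version and FLV files with another flags value are not matched. Neither limit is mentioned in the comments. I would extend the comment to `# FWS = uncompressed, CWS = compressed, next byte is version number (1-9 only)` and note on the FLV line that only the `\x05` value is covered.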
diff --git a/src/usr/local/share/protocols/freenet.pat b/src/usr/local/share/protocols/freenet.pat
new file mode 100644
index 0000000..c62ad57
--- /dev/null
+++ b/src/usr/local/share/protocols/freenet.pat
@@ -0,0 +1,10 @@
+# Freenet - Anonymous information retrieval - http://freenetproject.org
+# Pattern attributes: poor veryfast fast
+# Protocol groups: p2p document_retrieval open_source
+# Wiki: http://www.protocolinfo.org/wiki/Freenet
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+freenet
+# Freenet is intentionally hard to identify...
+# This is empirical, only tested on one computer, and unlikely to work anymore.
+^\x01[\x08\x09][\x03\x04]
diff --git a/src/usr/local/share/protocols/ftp.pat b/src/usr/local/share/protocols/ftp.pat
new file mode 100644
index 0000000..44d97c4
--- /dev/null
+++ b/src/usr/local/share/protocols/ftp.pat
@@ -0,0 +1,46 @@
+# FTP - File Transfer Protocol - RFC 959
+# Pattern attributes: great notsofast fast
+# Protocol groups: document_retrieval ietf_internet_standard
+# Wiki: http://protocolinfo.org/wiki/FTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 21. Note that the data stream is on a dynamically
+# assigned port, which means that you will need the FTP connection
+# tracking module in your kernel to usefully match FTP data transfers.
+#
+# This pattern is well tested.
+#
+# Handles the first two things a server should say:
+#
+# First, the server says it's ready by sending "220". Most servers say
+# something after 220, even though they don't have to, and it usually
+# includes the string "ftp" (l7-filter is case insensitive). This
+# includes proftpd, vsftpd, wuftpd, warftpd, pureftpd, Bulletproof FTP
+# Server, and whatever ftp.microsoft.com uses. Almost all servers use only
+# ASCII printable characters between the "220" and the "FTP", but non-English
+# ones might use others.
+#
+# The next thing the server sends is a 331. All the above servers also
+# send something including "password" after this code. By default, we
+# do not match on this because it takes another packet and is more work
+# for regexec.
+
+ftp
+# by default, we allow only ASCII
+^220[\x09-\x0d -~]*ftp
+
+# This covers UTF-8 as well
+#^220[\x09-\x0d -~\x80-\xfd]*ftp
+
+# This allows any characters and is about 4x faster than either of the above
+# (which are about the same as each other)
+#^220.*ftp
+
+# This is much slower
+#^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*password
+
+# This pattern is more precise, but takes longer to match. (3 packets vs. 1)
+#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a331
+
+# same as above, but slightly less precise and only takes 2 packets.
+#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a
diff --git a/src/usr/local/share/protocols/gif.pat b/src/usr/local/share/protocols/gif.pat
new file mode 100644
index 0000000..d54ed91
--- /dev/null
+++ b/src/usr/local/share/protocols/gif.pat
@@ -0,0 +1,8 @@
+# GIF - Popular Image format.
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+gif
+# drawn from /usr/share/magic
+GIF8(7|9)a
diff --git a/src/usr/local/share/protocols/gkrellm.pat b/src/usr/local/share/protocols/gkrellm.pat
new file mode 100644
index 0000000..73eb537
--- /dev/null
+++ b/src/usr/local/share/protocols/gkrellm.pat
@@ -0,0 +1,13 @@
+# Gkrellm - a system monitor - http://gkrellm.net
+# Pattern attributes: great veryfast fast
+# Protocol groups: monitoring open_source
+# Wiki: http://www.protocolinfo.org/wiki/Gkrellm
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested and is believed to work well.
+# Since this is not anything resembling a published protocol, it may change without
+# warning in new versions of gkrellm.
+
+gkrellm
+# tested with gkrellm 2.2.7
+^gkrellm [23].[0-9].[0-9]\x0a$
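Review bot: The version part `[23].[0-9].[0-9]` uses unescaped dots and single-digit components, so it accepts any byte where a `.` is expected and rejects a version string with a two-digit component. The header already warns that the protocol may change without notice, but this miss needs no protocol change at all. Other files in this commit escape the dot (`http-dap.pat`) and use `+` (`finger.pat`), so `^gkrellm [23]\.[0-9]+\.[0-9]+\x0a$` would be consistent with both.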
diff --git a/src/usr/local/share/protocols/gnucleuslan.pat b/src/usr/local/share/protocols/gnucleuslan.pat
new file mode 100644
index 0000000..ae5895b
--- /dev/null
+++ b/src/usr/local/share/protocols/gnucleuslan.pat
@@ -0,0 +1,10 @@
+# GnucleusLAN - LAN-only P2P filesharing
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/GnucleusLAN
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested and is believed to work well.
+
+gnucleuslan
+gnuclear connect/[\x09-\x0d -~]*user-agent: gnucleus [\x09-\x0d -~]*lan:
diff --git a/src/usr/local/share/protocols/gnutella.pat b/src/usr/local/share/protocols/gnutella.pat
new file mode 100644
index 0000000..770ed43
--- /dev/null
+++ b/src/usr/local/share/protocols/gnutella.pat
@@ -0,0 +1,34 @@
+# Gnutella - P2P filesharing
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/Gnutella
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This should match both Gnutella and "Gnutella2" ("Mike's protocol")
+#
+# Various clients use this protocol including Mactella, Shareaza,
+# GTK-gnutella, Gnucleus, Gnotella, LimeWire, iMesh and BearShare.
+#
+# This is tested with gtk-gnutella and Shareaza.
+
+# http://www.gnutella2.com/tiki-index.php?page=UDP%20Transceiver
+# http://rfc-gnutella.sf.net/
+# http://www.gnutella2.com/tiki-index.php?page=Gnutella2%20Specification
+# http://en.wikipedia.org/wiki/Shareaza
+
+gnutella
+
+# The first part matches UDP messages - All start with "GND", then have
+# a flag byte which is either \x00, \x01 or \x02, then two sequence bytes
+# that can be anything, then a fragment number, which must start at 1.
+# The rest matches TCP first client message or first server message (in case
+# we can't see client messages). Some parts of this are empirical rather than
+# document based. Assumes version is between 0.0 and 2.9. (usually is
+# 0.4 or 0.6). I'm guessing at many of the user-agents.
+# The last bit is emprical and probably only matches Limewire.
+^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|...................?lime)
+
+# Needlessly precise, at the expense of time
+#^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /[\x09-\x0d -~]*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /[\x09-\x0d -~]*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella[\x09-\x0d -~]*content-type: application/x-gnutella|..................lime)
+
+
diff --git a/src/usr/local/share/protocols/goboogy.pat b/src/usr/local/share/protocols/goboogy.pat
new file mode 100644
index 0000000..d88d00b
--- /dev/null
+++ b/src/usr/local/share/protocols/goboogy.pat
@@ -0,0 +1,13 @@
+# GoBoogy - a Korean P2P protocol
+# Pattern attributes: marginal slow notsofast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/GoBoogy
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern is untested and likely does not work in all cases!
+#
+# By Adam Przybyla, modified by Matthew Strait. Possibly lifted from
+# Josh Ballard (oofle.com).
+
+goboogy
+<peerplat>|^get /getfilebyhash\.cgi\?|^get /queue_register\.cgi\?|^get /getupdowninfo\.cgi\?
diff --git a/src/usr/local/share/protocols/gopher.pat b/src/usr/local/share/protocols/gopher.pat
new file mode 100644
index 0000000..773016f
--- /dev/null
+++ b/src/usr/local/share/protocols/gopher.pat
@@ -0,0 +1,25 @@
+# Gopher - A precursor to HTTP - RFC 1436
+# Pattern attributes: good slow notsofast undermatch
+# Protocol groups: document_retrieval obsolete ietf_rfc_documented
+# Wiki: http://www.protocolinfo.org/wiki/Gopher
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Gopher servers usually run on TCP port 70.
+#
+# This pattern is lightly tested using gopher.dna.affrc.go.jp .
+
+gopher
+# This matches the server's response, but naturally only if it is a
+# directory listing, not if it is sending a file, because then the data
+# is totally arbitrary.
+
+# Matches the client saying "list what you have", then the server
+# response: one of the file type characters, any printable characters, a
+# tab, any printable characters, a tab, something that looks like a
+# domain name, a tab, and then a number which could be the start of a
+# port number.
+
+# "0About internet Gopher\tStuff:About us\trawBits.micro.umn.edu\t70"
+# "\r7search by keywords on protein data using wais\twaissrc:/protein_all/protein\tgopher.dna.affrc.go.jp\t70"
+
+^[\x09-\x0d]*[1-9,+tgi][\x09-\x0d -~]*\x09[\x09-\x0d -~]*\x09[a-z0-9.]*\.[a-z][a-z].?.?\x09[1-9]
diff --git a/src/usr/local/share/protocols/gtalk.pat b/src/usr/local/share/protocols/gtalk.pat
new file mode 100644
index 0000000..aa538ca
--- /dev/null
+++ b/src/usr/local/share/protocols/gtalk.pat
@@ -0,0 +1,11 @@
+# GTalk, a Jabber (XMPP) client
+# Pattern attributes: good veryfast fast subset
+# Protocol groups: chat ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/Jabber
+# Copyright (C) 2009 Matthew Strait; See ../LICENSE
+
+# See ../protocols/jabber.pat for more details
+
+gtalk
+^<stream:stream to="gmail\.com"
+
diff --git a/src/usr/local/share/protocols/guildwars.pat b/src/usr/local/share/protocols/guildwars.pat
new file mode 100644
index 0000000..65d2b92
--- /dev/null
+++ b/src/usr/local/share/protocols/guildwars.pat
@@ -0,0 +1,14 @@
+# Guild Wars - online game - http://guildwars.com
+# Pattern attributes: marginal veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Guild_Wars
+# Copyright (C) 2008 Matthew Strait; See ../LICENSE
+
+# Contributed on protocolinfo by Greatwolf with the comment, "Guild Wars
+# uses encrypted data on tcp/6112 and may be impossible to match by
+# content. An experimental filter has been written to match Guild Wars
+# packets. More testing is still required to determine the effectiveness
+# of this pattern."
+
+guildwars
+^[\x04\x05]\x0c.i\x01
diff --git a/src/usr/local/share/protocols/h323.pat b/src/usr/local/share/protocols/h323.pat
new file mode 100644
index 0000000..75b1a39
--- /dev/null
+++ b/src/usr/local/share/protocols/h323.pat
@@ -0,0 +1,36 @@
+# H.323 - Voice over IP.
+# Pattern attributes: ok veryfast fast
+# Protocol groups: voip itu-t_standard
+# Wiki: http://www.protocolinfo.org/wiki/H.323
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern is written without knowledge of the principles of H.323.
+# It has only been tested with gnomemeeting and may not work for other
+# clients.
+#
+# Also, it has been reported that:
+# "the pattern ... match[es] only first H.323 stream (conntrack for H.323 was
+# enabled). Also the major chunk of traffic was of RTP which went untracked."
+#
+# Also, it may very well match other things that use TPKT and
+# Q.931.
+
+# Note that to take full advantage of this pattern, you will need to
+# have connection tracking of H.323 support in your kernel. This
+# support is not in the stock kernel. A patch can be found at
+# http://netfilter.org
+
+h323
+# TPKT format: http://www.ietf.org/rfc/rfc1006.txt
+# \x03 = TPKT version. It was 3 in May 1987 and gnomemeeting still uses 3.
+# ..? = null reserved byte and packet length field.
+# Q.931 format: http://www.freesoft.org/CIE/Topics/126.htm
+# \x08 = Q.931
+# . = length of call reference
+# The next byte was: \x18 = message sent from originating side.
+# But based on experimentation, it seems that just . is better.
+# .?.?.?.?.?.?.?.?.?.?.?.?.?.?.? = call reference (0-15 bytes (0 for nulls))
+# \x05 = setup message
+#
+# Yup, it doesn't actually include any H.323 protocol information.
+^\x03..?\x08...?.?.?.?.?.?.?.?.?.?.?.?.?.?.?\x05
diff --git a/src/usr/local/share/protocols/halflife2-deathmatch.pat b/src/usr/local/share/protocols/halflife2-deathmatch.pat
new file mode 100644
index 0000000..45d0bb0
--- /dev/null
+++ b/src/usr/local/share/protocols/halflife2-deathmatch.pat
@@ -0,0 +1,10 @@
+# Half-Life 2 Deathmatch - popular computer game
+# Pattern attributes: good veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Half-Life
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# By Clayton Macleod <cherrytwist TA gmail.com>
+
+halflife2-deathmatch
+^\xff\xff\xff\xff.*hl2mpDeathmatch
diff --git a/src/usr/local/share/protocols/hddtemp.pat b/src/usr/local/share/protocols/hddtemp.pat
new file mode 100644
index 0000000..cdd908c
--- /dev/null
+++ b/src/usr/local/share/protocols/hddtemp.pat
@@ -0,0 +1,14 @@
+# hddtemp - Hard drive temperature reporting
+# Pattern attributes: great veryfast fast
+# Protocol groups: monitoring open_source
+# Wiki: http://www.protocolinfo.org/wiki/HDDtemp
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 7634
+#
+# You're a silly person if you use this pattern.
+#
+# This pattern has been tested and is believed to work well.
+
+hddtemp
+^\|/dev/[a-z][a-z][a-z]\|[0-9a-z]*\|[0-9][0-9]\|[cfk]\|
diff --git a/src/usr/local/share/protocols/hotline.pat b/src/usr/local/share/protocols/hotline.pat
new file mode 100644
index 0000000..20ec6de
--- /dev/null
+++ b/src/usr/local/share/protocols/hotline.pat
@@ -0,0 +1,12 @@
+# Hotline - An old P2P filesharing protocol
+# Pattern attributes: marginal fast fast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Hotline
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern is untested!
+#
+# This is lifted from http://oofle.com/filesharing.php?app=hotline
+
+hotline
+^....................TRTPHOTL\x01\x02
diff --git a/src/usr/local/share/protocols/html.pat b/src/usr/local/share/protocols/html.pat
new file mode 100644
index 0000000..d834a96
--- /dev/null
+++ b/src/usr/local/share/protocols/html.pat
@@ -0,0 +1,11 @@
+# (X)HTML - (Extensible) Hypertext Markup Language - http://w3.org
+# Pattern attributes: good fast notsofast subset
+# Protocol groups: file
+#
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+# This pattern has been tested and is believe to work well.
+
+# this should match any (X)HTML document from any version that conforms
+# even vaugly to the standards.
+html
+<html.*><head>
diff --git a/src/usr/local/share/protocols/http-dap.pat b/src/usr/local/share/protocols/http-dap.pat
new file mode 100644
index 0000000..216d8d6
--- /dev/null
+++ b/src/usr/local/share/protocols/http-dap.pat
@@ -0,0 +1,19 @@
+# HTTP by Download Accelerator Plus - http://www.speedbit.com
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: document_retrieval ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Uses HTTP to download.
+
+http-dap
+
+# DAP identifies itself in the User-Agent field of every HTTP request it
+# makes. This is pretty trivial to get around if speedbit.com ever
+# wanted to.
+
+# The latest version uses "User-Agent: DA 7.0". The additional version
+# allowance is an attempt at "future proofing".
+
+User-Agent: DA [678]\.[0-9]
+
diff --git a/src/usr/local/share/protocols/http-freshdownload.pat b/src/usr/local/share/protocols/http-freshdownload.pat
new file mode 100644
index 0000000..a342e86
--- /dev/null
+++ b/src/usr/local/share/protocols/http-freshdownload.pat
@@ -0,0 +1,17 @@
+# HTTP by Fresh Download - http://www.freshdevices.com
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: document_retrieval ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+# Uses HTTP to download.
+
+http-freshdownload
+
+# Fresh Download identifies itself in the User-Agent field of every HTTP
+# request it makes.
+
+# The latest version uses "User-Agent: FreshDownload/4.40". The
+# additional version allowance is an attempt at "future proofing".
+
+User-Agent: FreshDownload/[456](\.[0-9][0-9]?)?
+
diff --git a/src/usr/local/share/protocols/http-itunes.pat b/src/usr/local/share/protocols/http-itunes.pat
new file mode 100644
index 0000000..fd44ee4
--- /dev/null
+++ b/src/usr/local/share/protocols/http-itunes.pat
@@ -0,0 +1,14 @@
+# HTTP - iTunes (Apple's music program)
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: streaming_audio ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Port 80
+# iTunes program basically uses the HTTP protocol for its initial
+# communication.
+# Pattern contributed by Deepak Seshadri <dseshadri AT broadbandmaritime.com>
+
+http-itunes
+http/(0\.9|1\.0|1\.1).*(user-agent: itunes)
+
diff --git a/src/usr/local/share/protocols/http-rtsp.pat b/src/usr/local/share/protocols/http-rtsp.pat
new file mode 100644
index 0000000..73ef926
--- /dev/null
+++ b/src/usr/local/share/protocols/http-rtsp.pat
@@ -0,0 +1,16 @@
+# RTSP tunneled within HTTP
+# Pattern attributes: ok notsofast fast subset
+# Protocol groups: streaming_audio streaming_video ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/RTSP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Apple's documentation on what Quicktime does:
+# http://developer.apple.com/quicktime/icefloe/dispatch028.html
+# This is what the first part of the pattern is about
+#
+# The second part is based on the example in RFC 2326. For this part to
+# work, this pattern MUST be earlier in the iptables rules chain than
+# HTTP. Otherwise, the stream will be identified as HTTP.
+
+http-rtsp
+^(get[\x09-\x0d -~]* Accept: application/x-rtsp-tunnelled|http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*a=control:rtsp://)
diff --git a/src/usr/local/share/protocols/http.pat b/src/usr/local/share/protocols/http.pat
new file mode 100644
index 0000000..5122310
--- /dev/null
+++ b/src/usr/local/share/protocols/http.pat
@@ -0,0 +1,28 @@
+# HTTP - HyperText Transfer Protocol - RFC 2616
+# Pattern attributes: great slow notsofast superset
+# Protocol groups: document_retrieval ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 80
+#
+# This pattern has been tested and is believed to work well.
+#
+# this intentionally catches the response from the server rather than
+# the request so that other protocols which use http (like kazaa) can be
+# caught based on specific http requests regardless of the ordering of
+# filters... also matches posts
+
+# Sites that serve really long cookies may break this by pushing the
+# server response too far away from the beginning of the connection. To
+# fix this, increase the kernel's data buffer length.
+
+http
+# Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF (rfc 2616)
+# As specified in rfc 2616 a status code is preceeded and followed by a
+# space.
+http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019]
+# A slightly faster version that might be good enough:
+#http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]|post [\x09-\x0d -~]* http/[01]\.[019]
+# old pattern(s):
+#(http[\x09-\x0d -~]*(200 ok|302 |304 )[\x09-\x0d -~]*(connection:|content-type:|content-length:))|^(post [\x09-\x0d -~]* http/)
diff --git a/src/usr/local/share/protocols/httpaudio.pat b/src/usr/local/share/protocols/httpaudio.pat
new file mode 100644
index 0000000..c6cdd9a
--- /dev/null
+++ b/src/usr/local/share/protocols/httpaudio.pat
@@ -0,0 +1,32 @@
+# HTTP - Audio over HyperText Transfer Protocol (RFC 2616)
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: streaming_audio document_retrieval ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 80
+#
+# Contributed by Deepak Seshadri <dseshadri AT broadbandmaritime.com>
+#
+# This pattern has been tested and is believed to work well.
+#
+# To get or provide more information about this protocol and/or pattern:
+# http://www.protocolinfo.org/wiki/HTTP
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+#
+# If you use this, you should be aware that:
+#
+# - they match both simple downloads of audio/video and streaming content.
+#
+# - blocking based on content-type encourages server
+# writers/administrators to misreport content-type (which will just make
+# headaches for everyone, including us), so I would strongly recommend
+# shaping audio/video down to a speed that discourages use of streaming
+# players without actually blocking it.
+#
+# - obviously, since this is a subset of HTTP, you need to match it
+# earlier in your iptables rules than HTTP.
+
+httpaudio
+http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(content-type: audio)
+
diff --git a/src/usr/local/share/protocols/httpcachehit.pat b/src/usr/local/share/protocols/httpcachehit.pat
new file mode 100644
index 0000000..41cb099
--- /dev/null
+++ b/src/usr/local/share/protocols/httpcachehit.pat
@@ -0,0 +1,19 @@
+# HTTP - Proxy Cache hit for HyperText Transfer Protocol (RFC 2616)
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: document_retrieval ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 80
+#
+# Contributed by Francesco Del Degan <fdeldegan AT libero.it>
+#
+# This pattern has been tested and is believed to work well.
+#
+# To get or provide more information about this protocol and/or pattern:
+# http://www.protocolinfo.org/wiki/HTTP
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+httpcachehit
+http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(x-cache: hit)
+
diff --git a/src/usr/local/share/protocols/httpcachemiss.pat b/src/usr/local/share/protocols/httpcachemiss.pat
new file mode 100644
index 0000000..09ac6cd
--- /dev/null
+++ b/src/usr/local/share/protocols/httpcachemiss.pat
@@ -0,0 +1,17 @@
+# HTTP - Proxy Cache miss for HyperText Transfer Protocol (RFC 2616)
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: document_retrieval ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 80
+#
+# This pattern has been tested and is believed to work well.
+#
+# To get or provide more information about this protocol and/or pattern:
+# http://www.protocolinfo.org/wiki/HTTP
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+httpcachemiss
+http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(x-cache: miss)
+
diff --git a/src/usr/local/share/protocols/httpvideo.pat b/src/usr/local/share/protocols/httpvideo.pat
new file mode 100644
index 0000000..4a75ce0
--- /dev/null
+++ b/src/usr/local/share/protocols/httpvideo.pat
@@ -0,0 +1,32 @@
+# HTTP - Video over HyperText Transfer Protocol (RFC 2616)
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: streaming_video document_retrieval ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 80
+#
+# Contributed by Deepak Seshadri <dseshadri AT broadbandmaritime.com>
+#
+# This pattern has been tested and is believed to work well.
+#
+# To get or provide more information about this protocol and/or pattern:
+# http://www.protocolinfo.org/wiki/HTTP
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+#
+# If you use this, you should be aware that:
+#
+# - they match both simple downloads of audio/video and streaming content.
+#
+# - blocking based on content-type encourages server
+# writers/administrators to misreport content-type (which will just make
+# headaches for everyone, including us), so I would strongly recommend
+# shaping audio/video down to a speed that discourages use of streaming
+# players without actually blocking it.
+#
+# - obviously, since this is a subset of HTTP, you need to match it
+# earlier in your iptables rules than HTTP.
+
+httpvideo
+http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(content-type: video)
+
diff --git a/src/usr/local/share/protocols/ident.pat b/src/usr/local/share/protocols/ident.pat
new file mode 100644
index 0000000..3205e5e
--- /dev/null
+++ b/src/usr/local/share/protocols/ident.pat
@@ -0,0 +1,15 @@
+# Ident - Identification Protocol - RFC 1413
+# Pattern attributes: good fast fast
+# Protocol groups: networking ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/Ident
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 113
+#
+# This pattern is believed to work.
+
+ident
+# "number , numberCRLF" possibly without the CR and/or LF.
+# ^$ is appropriate because the first packet should never have anything
+# else in it.
+^[1-9][0-9]?[0-9]?[0-9]?[0-9]?[\x09-\x0d]*,[\x09-\x0d]*[1-9][0-9]?[0-9]?[0-9]?[0-9]?(\x0d\x0a|[\x0d\x0a])?$
diff --git a/src/usr/local/share/protocols/imap.pat b/src/usr/local/share/protocols/imap.pat
new file mode 100644
index 0000000..3f989c0
--- /dev/null
+++ b/src/usr/local/share/protocols/imap.pat
@@ -0,0 +1,14 @@
+# IMAP - Internet Message Access Protocol (A common e-mail protocol)
+# Pattern attributes: great fast fast
+# Protocol groups: mail ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/IMAP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This matches IMAP4 (RFC 3501) and probably IMAP2 (RFC 1176)
+#
+# This pattern has been tested and is believed to work well.
+#
+# This matches the IMAP welcome message or a noop command (which for
+# some unknown reason can happen at the start of a connection?)
+imap
+^(\* ok|a[0-9]+ noop)
diff --git a/src/usr/local/share/protocols/imesh.pat b/src/usr/local/share/protocols/imesh.pat
new file mode 100644
index 0000000..4cb7ac7
--- /dev/null
+++ b/src/usr/local/share/protocols/imesh.pat
@@ -0,0 +1,15 @@
+# iMesh - the native protocol of iMesh, a P2P application - http://imesh.com
+# Pattern attributes: ok fast notsofast
+# Protocol groups: p2p
+# Wiki: http://protocolinfo.org/wiki/iMesh
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# depending on the version of iMesh (the program), it can also use fasttrack,
+# gnutella and edonkey in addition to iMesh (the protocol).
+
+imesh
+# The first branch matches the login
+# The second branch matches the main non-download connection (searches, etc)
+# The third branch matches downloads of "premium" content
+# The fourth branch matches peer downloads.
+^(post[\x09-\x0d -~]*<PasswordHash>................................</PasswordHash><ClientVer>|\x34\x80?\x0d?\xfc\xff\x04|get[\x09-\x0d -~]*Host: imsh\.download-prod\.musicnet\.com|\x02[\x01\x02]\x83.*\x02[\x01\x02]\x83)
diff --git a/src/usr/local/share/protocols/ipp.pat b/src/usr/local/share/protocols/ipp.pat
new file mode 100644
index 0000000..15540d0
--- /dev/null
+++ b/src/usr/local/share/protocols/ipp.pat
@@ -0,0 +1,12 @@
+# IP printing - a new standard for UNIX printing - RFC 2911
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: printer ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/IPP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested and is believed to work well.
+
+ipp
+# It's unlikely that anything else has this string, but I think we could
+# do a bit better...
+ipp://
diff --git a/src/usr/local/share/protocols/irc.pat b/src/usr/local/share/protocols/irc.pat
new file mode 100644
index 0000000..b922b3e
--- /dev/null
+++ b/src/usr/local/share/protocols/irc.pat
@@ -0,0 +1,20 @@
+# IRC - Internet Relay Chat - RFC 1459
+# Pattern attributes: great fast fast
+# Protocol groups: chat ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/IRC
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 6666 or 6667
+# Note that chat traffic runs on these ports, but IRC-DCC traffic (which
+# can use much more bandwidth) uses a dynamically assigned port, so you
+# must have the IRC connection tracking module in your kernel to classify
+# this.
+#
+# This pattern has been tested and is believed to work well.
+
+irc
+# First thing that happens is that the client sends NICK and USER, in
+# either order. This allows MIRC color codes (\x02-\x0d instead of
+# \x09-\x0d).
+^(nick[\x09-\x0d -~]*user[\x09-\x0d -~]*:|user[\x09-\x0d -~]*:[\x02-\x0d -~]*nick[\x09-\x0d -~]*\x0d\x0a)
+
diff --git a/src/usr/local/share/protocols/jabber.pat b/src/usr/local/share/protocols/jabber.pat
new file mode 100644
index 0000000..7c32890
--- /dev/null
+++ b/src/usr/local/share/protocols/jabber.pat
@@ -0,0 +1,24 @@
+# Jabber (XMPP) - open instant messenger protocol - RFC 3920 - http://jabber.org
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: chat ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/Jabber
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested with Gaim and Gabber. It is only tested
+# with non-SSL mode Jabber with no proxies.
+
+# Thanks to Jan Hudec for some improvements.
+
+# Jabber seems to take a long time to set up a connection. I'm
+# connecting with Gabber 0.8.8 to 12jabber.org and the first 8 packets
+# is this:
+# <stream:stream to='12jabber.com' xmlns='jabber:client'
+# xmlns:stream='http://etherx.jabber.org/streams'><?xml
+# version='1.0'?><stream:stream
+# xmlns:stream='http://etherx.jabber.org/streams' id='3f73e951'
+# xmlns='jabber:client' from='12jabber.com'>
+#
+# No mention of my username or password yet, you'll note.
+
+jabber
+<stream:stream[\x09-\x0d ][ -~]*[\x09-\x0d ]xmlns=['"]jabber
diff --git a/src/usr/local/share/protocols/jpeg.pat b/src/usr/local/share/protocols/jpeg.pat
new file mode 100644
index 0000000..fd1a249
--- /dev/null
+++ b/src/usr/local/share/protocols/jpeg.pat
@@ -0,0 +1,8 @@
+# JPEG - Joint Picture Expert Group image format.
+# Pattern attributes: ok fast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+jpeg
+# drawn from /usr/share/magic
+\xff\xd8
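Review bot: The `jpeg` pattern is two unanchored bytes, so any stream that happens to contain 0xff 0xd8 within the inspected data is classified as JPEG, yet the attribute line does not carry the `overmatch` tag that ntp.pat uses for the same situation. A JPEG start-of-image marker is, as far as I know, always followed by another marker that begins with 0xff, so `\xff\xd8\xff` would cut false positives without losing real files. If the short form is kept, add `overmatch` to the `# Pattern attributes:` line so that anyone building block or shaping rules on it knows what to expect.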
diff --git a/src/usr/local/share/protocols/kugoo.pat b/src/usr/local/share/protocols/kugoo.pat
new file mode 100644
index 0000000..c478317
--- /dev/null
+++ b/src/usr/local/share/protocols/kugoo.pat
@@ -0,0 +1,21 @@
+# KuGoo - a Chinese P2P program - http://www.kugoo.com
+# Pattern attributes: ok fast fast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/KuGoo
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+kugoo
+# liangjun says: "i find old pattern is not working for kugoo 2008. so i
+# write a new pattern of kugoo 2008 ,it's working with all of kugoo 2008
+# version!"
+^(\x64.....\x70....\x50\x37|\x65.+)
+
+# Pattern before 2008 11 08
+#
+# The author of this pattern says it works, but this is unconfirmed.
+# Written by www.routerclub.com wsgtrsys.
+#
+# LanTian submitted \x64.+\x74\x47\x50\x37 for "KuGoo2", but adding as
+# another branch makes the pattern REALLY slow. If it could have a ^, that'd
+# be ok (still veryfast/fast). Waiting to hear.
+#^(\x31..\x8e|\x64.+\x74\x47\x50\x37)
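Review bot: The second branch of the active kugoo pattern, `\x65.+`, accepts any connection whose first byte is 0x65 (ASCII `e`) followed by at least one more byte, which is far broader than the fixed-offset first branch. The attribute line says `ok fast fast` with no `overmatch` tag, and the only evidence for the pattern is the quoted submitter comment. I would add `overmatch` to the attributes and a comment such as `# NOTE: the \x65.+ branch matches any stream starting with byte 0x65; expect false positives`. Better still, ask for the bytes that follow 0x65 in real KuGoo traffic so the branch can be tightened.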
diff --git a/src/usr/local/share/protocols/live365.pat b/src/usr/local/share/protocols/live365.pat
new file mode 100644
index 0000000..144ac50
--- /dev/null
+++ b/src/usr/local/share/protocols/live365.pat
@@ -0,0 +1,15 @@
+# live365 - An Internet radio site - http://live365.com
+# Pattern attributes: marginal notsofast notsofast
+# Protocol groups: streaming_audio
+# Wiki: http://www.protocolinfo.org/wiki/Live365
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern was "contributed" (taken with permission) by the bandwidth
+# arbitrator project (www.bandwidtharbitrator.com).
+#
+# This pattern is unconfirmed.
+
+live365
+# FIXME: what's going on here?
+membername.*session.*player
+
diff --git a/src/usr/local/share/protocols/liveforspeed.pat b/src/usr/local/share/protocols/liveforspeed.pat
new file mode 100644
index 0000000..ad32e9a
--- /dev/null
+++ b/src/usr/local/share/protocols/liveforspeed.pat
@@ -0,0 +1,13 @@
+# Live For Speed - A racing game.
+# Pattern attributes: poor fast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Live_For_Speed
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern was submitted to protocolinfo.org by 80.55.238.74 with no
+# explanation. It is unconfirmed.
+
+# Live For Speed S2 Alpha 0.5 X10
+liveforspeed
+^..\x05\x58\x0a\x1d\x03
+# The same guy came by the next day and deleted the \x03 without comment...
diff --git a/src/usr/local/share/protocols/lpd.pat b/src/usr/local/share/protocols/lpd.pat
new file mode 100644
index 0000000..4b78dfe
--- /dev/null
+++ b/src/usr/local/share/protocols/lpd.pat
@@ -0,0 +1,18 @@
+# LPD - Line Printer Daemon Protocol (old-style UNIX printing) - RFC 1179
+# Pattern attributes: ok fast fast
+# Protocol groups: printer ietf_rfc_documented
+# Wiki: http://www.protocolinfo.org/wiki/LPD
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern is untested.
+
+lpd
+# print waiting jobs: ^\x01[!-~]+\x0a$
+# receive a print job: ^\x02[!-~]+\x0a.[\x01\x02\x03][\x01-\x0a -~]*\x0a$
+# Send queue state: ^[\x03\x04][!-~]+[\x09-\x0d]+[a-z][\x09-\x0d -~]*\x0a$
+# Remove jobs: ^\x05[!-~]+[\x09-\x0d]+([a-z][!-~]*[\x09-\x0d]+[1-9][0-9]?[0-9]?|root[\x09-\x0d]+[!-~]+).*\x0a$
+
+# This pattern looks like it might match random data once in a while, but
+# testing shows that this is not the case.
+
+^(\x01[!-~]+|\x02[!-~]+\x0a.[\x01\x02\x03][\x01-\x0a -~]*|[\x03\x04][!-~]+[\x09-\x0d]+[a-z][\x09-\x0d -~]*|\x05[!-~]+[\x09-\x0d]+([a-z][!-~]*[\x09-\x0d]+[1-9][0-9]?[0-9]?|root[\x09-\x0d]+[!-~]+).*)\x0a$
diff --git a/src/usr/local/share/protocols/mohaa.pat b/src/usr/local/share/protocols/mohaa.pat
new file mode 100644
index 0000000..00b6c07
--- /dev/null
+++ b/src/usr/local/share/protocols/mohaa.pat
@@ -0,0 +1,11 @@
+# Medal of Honor Allied Assault - an Electronic Arts game
+# Pattern attributes: good veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Medal_of_Honor_Allied_Assault
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern is written and tested by Krzysztof Maciejewski.
+
+mohaa
+^\xff\xff\xff\xffgetstatus\x0a
+
diff --git a/src/usr/local/share/protocols/mp3.pat b/src/usr/local/share/protocols/mp3.pat
new file mode 100644
index 0000000..1b60a4c
--- /dev/null
+++ b/src/usr/local/share/protocols/mp3.pat
@@ -0,0 +1,11 @@
+# MP3 - Moving Picture Experts Group Audio Layer III
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+# By LanTian (chinalantian at 126 d.t com)
+
+# Only matches the standard MP3 form, non-standard files might not be matched.
+
+mp3
+\x49\x44\x33\x03
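Review bot: The comment "Only matches the standard MP3 form" does not say what the pattern actually tests: `\x49\x44\x33\x03` is the ASCII string `ID3` followed by a major-version byte of 3. That means it matches an ID3v2.3 tag header and not MP3 audio frames. Files tagged with another ID3v2 revision, or carrying no tag, go unclassified, which matters if this rule is relied on for policy. I would reword the comment to `# Matches the ID3v2.3 tag header only; untagged files and other ID3 versions are not matched` and consider `\x49\x44\x33[\x02-\x04]` to cover the neighbouring revisions.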
diff --git a/src/usr/local/share/protocols/msn-filetransfer.pat b/src/usr/local/share/protocols/msn-filetransfer.pat
new file mode 100644
index 0000000..797edb4
--- /dev/null
+++ b/src/usr/local/share/protocols/msn-filetransfer.pat
@@ -0,0 +1,30 @@
+# MSN (Micosoft Network) Messenger file transfers (MSNFTP and MSNSLP)
+# Pattern attributes: good fast fast
+# Protocol groups: chat document_retrieval proprietary
+# Wiki: http://www.protocolinfo.org/wiki/MSN_Messenger
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# http://www.hypothetic.org/docs/msn/client/file_transfer.php
+
+# NOTE! This pattern does not catch the modern type of MSN filetransfers
+# because they use the same TCP connection as the chat itself. See
+# ../example_traffic/msn_chat_and_file_transfer.txt for a demonstration.
+
+# This pattern has been tested and seems to work well. It, does,
+# however, require more testing with various versions of the official
+# MSN client as well as with clones such as Trillian, Miranda, Gaim,
+# etc. If you are using a MSN clone and this pattern DOES work for you,
+# please, also let us know.
+
+# First part matches the older MSNFTP: A MSN filetransfer is a normal
+# MSN connection except that the protocol is MSNFTP. Some clients
+# (especially Trillian) send other protocol versions besides MSNFTP
+# which should be matched by the [ -~]*.
+
+# Second part matches newer MSNSLP:
+# http://msnpiki.msnfanatic.com/index.php/MSNC:MSNSLP
+# This part is untested.
+
+msn-filetransfer
+^(ver [ -~]*msnftp\x0d\x0aver msnftp\x0d\x0ausr|method msnmsgr:)
+
diff --git a/src/usr/local/share/protocols/msnmessenger.pat b/src/usr/local/share/protocols/msnmessenger.pat
new file mode 100644
index 0000000..11dfc10
--- /dev/null
+++ b/src/usr/local/share/protocols/msnmessenger.pat
@@ -0,0 +1,28 @@
+# MSN Messenger - Microsoft Network chat client
+# Pattern attributes: good slow notsofast
+# Protocol groups: chat proprietary
+# Wiki: http://www.protocolinfo.org/wiki/MSN_Messenger
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually uses TCP port 1863
+# http://www.hypothetic.org/docs/msn/index.php
+# http://msnpiki.msnfanatic.com/
+#
+# This pattern has been tested and is believed to work well.
+
+msnmessenger
+
+# First branch: login
+# ver: allow versions up to 99.
+# I've never seen a cvr other than cvr0. Maybe this will be trouble later?
+# Can't anchor at the beginning because sometimes this is encapsulated in
+# HTTP. But either way, the first packet ends like this.
+# Second/Third branches: accepting/sending a message
+# I will assume that these can also be encapsulated in HTTP, although I have
+# not checked. Example of each direction:
+# ANS 1 quadong@hotmail.com 1139803431.29427 17522047
+# USR 1 quadong@hotmail.com 530423708.968145.366138
+
+# Branches are written entirely separately for better performance.
+ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]*cvr0\x0d\x0a$|usr 1 [!-~]+ [0-9. ]+\x0d\x0a$|ans 1 [!-~]+ [0-9. ]+\x0d\x0a$
+
diff --git a/src/usr/local/share/protocols/mute.pat b/src/usr/local/share/protocols/mute.pat
new file mode 100644
index 0000000..53f2e23
--- /dev/null
+++ b/src/usr/local/share/protocols/mute.pat
@@ -0,0 +1,11 @@
+# MUTE - P2P filesharing - http://mute-net.sourceforge.net
+# Pattern attributes: marginal fast fast
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/MUTE
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern is lightly tested. I don't know for sure that it will
+# match the actual file transfers.
+
+mute
+^(Public|AES)Key: [0-9a-f]*\x0aEnd(Public|AES)Key\x0a$
diff --git a/src/usr/local/share/protocols/napster.pat b/src/usr/local/share/protocols/napster.pat
new file mode 100644
index 0000000..d7ef032
--- /dev/null
+++ b/src/usr/local/share/protocols/napster.pat
@@ -0,0 +1,24 @@
+# Napster - P2P filesharing
+# Pattern attributes: good fast fast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Napster
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# All my tests show that this pattern is fast, but one user has reported that
+# it is slow. Your milage may vary.
+#
+# Should work for any Napster offspring, like OpenNAP.
+# (Yes, people still use this!)
+# Matches both searches and downloads.
+#
+# http://opennap.sourceforge.net/napster.txt
+#
+# This pattern has been tested and is believed to work well.
+
+napster
+# (client-server: length, assumed to be less than 256, login or new user login,
+# username, password, port, client ID, link-type |
+# client-client: 1, firewalled or not, username, filename)
+# Assumes that filenames are well-behaved ASCII strings. I have found
+# one case where this assumptions fails (filename had \x99 in it).
+^(.[\x02\x06][!-~]+ [!-~]+ [0-9][0-9]?[0-9]?[0-9]?[0-9]? "[\x09-\x0d -~]+" ([0-9]|10)|1(send|get)[!-~]+ "[\x09-\x0d -~]+")
diff --git a/src/usr/local/share/protocols/nbns.pat b/src/usr/local/share/protocols/nbns.pat
new file mode 100644
index 0000000..ca114de
--- /dev/null
+++ b/src/usr/local/share/protocols/nbns.pat
@@ -0,0 +1,20 @@
+# NBNS - NetBIOS name service
+# Pattern attributes: good slow notsofast
+# Protocol groups: networking proprietary
+# Wiki: http://www.protocolinfo.org/wiki/NBNS
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested and is believed to work well.
+#
+# name query
+# \x01\x10 means name query
+#
+# registration NB
+# (\x10 or )\x10 means registration
+#
+# release NB (merged with registration)
+# 0\x10 means release
+
+nbns
+# This is not a valid basic GNU regular expression.
+\x01\x10\x01|\)\x10\x01\x01|0\x10\x01
diff --git a/src/usr/local/share/protocols/ncp.pat b/src/usr/local/share/protocols/ncp.pat
new file mode 100644
index 0000000..55792b2
--- /dev/null
+++ b/src/usr/local/share/protocols/ncp.pat
@@ -0,0 +1,23 @@
+# NCP - Novell Core Protocol
+# Pattern attributes: good fast fast
+# Protocol groups: networking proprietary
+# Wiki: http://www.protocolinfo.org/wiki/NCP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested and is believed to work well.
+
+# ncp request
+# dmdt means Request
+# *any length
+#
+# *any reply buffer size
+# "" means service request
+# | \x17\x17 means create a service connection
+# | uu means destroy service connection
+
+# ncp reply
+# tncp means reply
+# 33 means service reply
+
+ncp
+^(dmdt.*\x01.*(""|\x11\x11|uu)|tncp.*33)
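Review bot: The comment block documents `\x17\x17` as "create a service connection", but the request branch of the regex matches `\x11\x11`, so the comment and the pattern disagree. The other documented values (`""`, `uu`, `33`) line up with the pattern, and as far as I know the NCP create-connection request type is 0x1111, so the regex looks right and the comment wrong. It should read `# | \x11\x11 means create a service connection`. Left as is, someone maintaining the file may "correct" the pattern toward the comment and silently stop classifying connection setup.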
diff --git a/src/usr/local/share/protocols/netbios.pat b/src/usr/local/share/protocols/netbios.pat
new file mode 100644
index 0000000..a0314b1
--- /dev/null
+++ b/src/usr/local/share/protocols/netbios.pat
@@ -0,0 +1,29 @@
+# NetBIOS - Network Basic Input Output System
+# Pattern attributes: marginal notsofast notsofast
+# Protocol groups: networking ietf_internet_standard proprietary
+# Wiki: http://www.protocolinfo.org/wiki/NetBIOS
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# As mentioned in smb.pat:
+#
+# "This protocol is sometimes also referred to as the Common Internet File
+# System (CIFS), LanManager or NetBIOS protocol." -- "man samba"
+#
+# Actually, SMB is a higher level protocol than NetBIOS. However, the
+# NetBIOS header is only 4 bytes: not much to match on.
+#
+# http://www.ubiqx.org/cifs/SMB.html
+# See also RFCs 1001 and 1002.
+#
+# This pattern attempts to match the (Session layer) NetBIOS Session request.
+# If sucessful, you may be able to match NetBIOS several packets earlier
+# than if you just waited for the easier-to-match SMB header.
+#
+# This pattern is untested.
+
+netbios
+# session request byte, three bytes of flags and length. Then
+# there should be a big mess of letters between A and P which represent
+# the NetBIOS names of the involved computers (with a null between them).
+# (40ish here, damn this regexp implementation and its lack of {40,})
+\x81.?.?.[A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P]
diff --git a/src/usr/local/share/protocols/nimda.pat b/src/usr/local/share/protocols/nimda.pat
new file mode 100644
index 0000000..86c7ce1
--- /dev/null
+++ b/src/usr/local/share/protocols/nimda.pat
@@ -0,0 +1,8 @@
+# Nimda - a worm that attacks Microsoft IIS web servers, and MORE!
+# Pattern attributes: ok notsofast notsofast subset
+# Protocol groups: worm
+# Wiki: http://www.protocolinfo.org/wiki/Nimda
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+nimda
+GET (/scripts/root\.exe\?/c\+dir|/MSADC/root\.exe\?/c\+dir|/c/winnt/system32/cmd\.exe\?/c\+dir|/d/winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/_vti_bin/\.\.%5c\.\./\.\.%5c\.\./\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/_mem_bin/\.\.%5c\.\./\.\.%5c\.\./\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/msadc/\.\.%5c\.\./\.\.%5c\.\./\.\.%5c/\.\.\xc1\x1c\.\./\.\.\xc1\x1c\.\./\.\.\xc1\x1c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc1\x1c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc0/\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc0\xaf\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc1\x9c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%35c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%35c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%2f\.\./winnt/system32/cmd\.exe\?/c\+dir)
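Review bot: The nimda alternation contains repeated branches: `/scripts/\.\.%35c\.\./winnt/system32/cmd\.exe\?/c\+dir` appears twice in a row, and `/scripts/\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir` appears both as the fifth branch and again near the end. The duplicates add nothing to what is detected and lengthen a pattern already rated `notsofast`. They may be what is left of variants that originally differed only in their percent-encoding, so compare the line against the upstream l7-filter file before deleting them. The header also has no "tested" statement, unlike most files in this directory, so a one-line comment on how the signature list was derived would help whoever maintains this detection.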
diff --git a/src/usr/local/share/protocols/nntp.pat b/src/usr/local/share/protocols/nntp.pat
new file mode 100644
index 0000000..7a30578
--- /dev/null
+++ b/src/usr/local/share/protocols/nntp.pat
@@ -0,0 +1,21 @@
+# NNTP - Network News Transfer Protocol - RFCs 977 and 2980
+# Pattern attributes: good fast fast
+# Protocol groups: ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/NNTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# usually runs on port 119
+
+# This pattern is tested and is believed to work well (but could use
+# more testing).
+
+nntp
+# matches authorized login
+# OR
+# matches unauthorized login if the server says "news" after 200/201
+# (Half of the 2 servers I tested did :-), but they both required authorization
+# so it's quite possible that this pattern will miss some nntp traffic.)
+^(20[01][\x09-\x0d -~]*AUTHINFO USER|20[01][\x09-\x0d -~]*news)
+
+# same thing, slightly more accurate, but 100+ times slower
+#^20[01][\x09-\x0d -~]*\x0d\x0a[\x09-\x0d -~]*AUTHINFO USER|20[01][\x09-\x0d -~]*news
diff --git a/src/usr/local/share/protocols/ntp.pat b/src/usr/local/share/protocols/ntp.pat
new file mode 100644
index 0000000..760cfdb
--- /dev/null
+++ b/src/usr/local/share/protocols/ntp.pat
@@ -0,0 +1,17 @@
+# (S)NTP - (Simple) Network Time Protocol - RFCs 1305 and 2030
+# Pattern attributes: good fast fast overmatch
+# Protocol groups: time_synchronization ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/NTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern is tested and is believed to work.
+
+# client|server
+# Requires the server's timestamp to be in the present or future (of 2005).
+# Tested with ntpdate on Linux.
+# Assumes version 2, 3 or 4.
+
+# Note that ntp packets are always 48 bytes, so you should match on that too.
+
+ntp
+^([\x13\x1b\x23\xd3\xdb\xe3]|[\x14\x1c$].......?.?.?.?.?.?.?.?.?[\xc6-\xff])
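Review bot: The server branch of the ntp pattern ends in `[\xc6-\xff]`, which the comment explains as requiring a timestamp "in the present or future (of 2005)", so it encodes an assumption about the high byte of an NTP timestamp. NTP's 32-bit seconds field wraps in 2036, after which that byte restarts near 0x00 and this branch would stop matching server replies. Only the single-byte client branch would remain, which is the part the `overmatch` attribute already warns about. I would record this next to the pattern, e.g. `# NOTE: the [\xc6-\xff] check fails for server timestamps after the 2036 NTP era rollover`. The file's own advice to also match on the 48-byte packet length is the more durable discriminator.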
diff --git a/src/usr/local/share/protocols/ogg.pat b/src/usr/local/share/protocols/ogg.pat
new file mode 100644
index 0000000..d9ba377
--- /dev/null
+++ b/src/usr/local/share/protocols/ogg.pat
@@ -0,0 +1,7 @@
+# Ogg - Ogg Vorbis music format (not any ogg file, just vorbis)
+# Pattern attributes: ok notsofast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+ogg
+oggs.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?\x01vorbis
diff --git a/src/usr/local/share/protocols/openft.pat b/src/usr/local/share/protocols/openft.pat
new file mode 100644
index 0000000..09fa852
--- /dev/null
+++ b/src/usr/local/share/protocols/openft.pat
@@ -0,0 +1,13 @@
+# OpenFT - P2P filesharing (implemented in giFT library)
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/OpenFT
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# Ben Efros <ben AT xgendev.com> says:
+# "This pattern identifies openFT P2P transfers fine. openFT is part of giFT
+# and is a pretty large p2p network. I would describe this pattern as pretty
+# weak, but it works for the giFT-based clients I've used."
+
+openft
+x-openftalias: [-)(0-9a-z ~.]
diff --git a/src/usr/local/share/protocols/pcanywhere.pat b/src/usr/local/share/protocols/pcanywhere.pat
new file mode 100644
index 0000000..60b50a7
--- /dev/null
+++ b/src/usr/local/share/protocols/pcanywhere.pat
@@ -0,0 +1,12 @@
+# pcAnywhere - Symantec remote access program
+# Pattern attributes: marginal veryfast fast
+# Protocol groups: remote_access proprietary
+# Wiki: http://www.protocolinfo.org/wiki/PcAnywhere
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# This is completely untested!
+# See http://www.unixwiz.net/tools/pcascan.txt
+
+pcanywhere
+# I think this only matches queries and not the bulk of the traffic!
+^(nq|st)$
diff --git a/src/usr/local/share/protocols/pdf.pat b/src/usr/local/share/protocols/pdf.pat
new file mode 100644
index 0000000..0c0e5f9
--- /dev/null
+++ b/src/usr/local/share/protocols/pdf.pat
@@ -0,0 +1,11 @@
+# PDF - Portable Document Format - Postscript-like format by Adobe
+# Pattern attributes: good fast notsofast subset
+# Protocol groups: file
+#
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+# This pattern has been tested and is believe to work well.
+
+# Matches PDF versions 1.0 - 1.6 (not sure if 1.6 exists yet, but it probably
+# will.
+pdf
+%PDF-1\.[0123456]
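Review bot: The character class in the last line, `%PDF-1\.[0123456]`, stops at version 1.6, so a file whose header is `%PDF-1.7` or `%PDF-2.0` is not classified as PDF. The comment above it ("not sure if 1.6 exists yet") suggests the range was never revisited. If the pattern is meant to cover current documents, widen it to `%PDF-(1\.[0-7]|2\.0)` and make the comment state which versions are covered. Any policy built on this match should treat a miss as "unclassified" rather than "not a PDF".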
diff --git a/src/usr/local/share/protocols/perl.pat b/src/usr/local/share/protocols/perl.pat
new file mode 100644
index 0000000..822986b
--- /dev/null
+++ b/src/usr/local/share/protocols/perl.pat
@@ -0,0 +1,7 @@
+# Perl - A scripting language by Larry Wall.
+# Pattern attributes: good fast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+perl
+\#! ?/(usr/(local/)?)?bin/perl
diff --git a/src/usr/local/share/protocols/png.pat b/src/usr/local/share/protocols/png.pat
new file mode 100644
index 0000000..33aafda
--- /dev/null
+++ b/src/usr/local/share/protocols/png.pat
@@ -0,0 +1,13 @@
+# PNG - Portable Network Graphics, a popular image format
+# Pattern attributes: good fast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+# Contributed by Radovan Josth. Tested at least a bit.
+
+png
+# drawn from /usr/share/magic
+\x89PNG\x0d\x0a\x1a\x0a
+
+# this is probably sufficient, but by default let's use the longer version
+# \x89PNG
diff --git a/src/usr/local/share/protocols/poco.pat b/src/usr/local/share/protocols/poco.pat
new file mode 100644
index 0000000..c7ce686
--- /dev/null
+++ b/src/usr/local/share/protocols/poco.pat
@@ -0,0 +1,12 @@
+# POCO and PP365 - Chinese P2P filesharing - http://pp365.com http://poco.cn
+# Pattern attributes: ok veryfast fast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Poco
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# The author of this pattern says it works, but this is unconfirmed.
+# Written by www.routerclub.com wsgtrsys.
+
+poco
+^\x80\x94\x0a\x01....\x1f\x9e
+
diff --git a/src/usr/local/share/protocols/pop3.pat b/src/usr/local/share/protocols/pop3.pat
new file mode 100644
index 0000000..47a8252
--- /dev/null
+++ b/src/usr/local/share/protocols/pop3.pat
@@ -0,0 +1,50 @@
+# POP3 - Post Office Protocol version 3 (popular e-mail protocol) - RFC 1939
+# Pattern attributes: great fast fast
+# Protocol groups: mail ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/POP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested somewhat.
+
+# this is a difficult protocol to match because of the relative lack of
+# distinguishing information. Read on.
+pop3
+
+# this the most conservative pattern. It should definitely work.
+#^(\+ok|-err)
+
+# this pattern assumes that the server says _something_ after +ok or -err
+# I think this is probably the way to go.
+^(\+ok |-err )
+
+# more that 90% of servers seem to say "pop" after "+ok", but not all.
+#^(\+ok .*pop)
+
+# Here's another tack. I think this is my second favorite.
+#^(\+ok [\x09-\x0d -~]*(ready|hello|pop|starting)|-err [\x09-\x0d -~]*(invalid|unknown|unimplemented|unrecognized|command))
+
+# this matches the server saying "you have N messages that are M bytes",
+# which the client probably asks for early in the session (not tested)
+#\+ok [0-9]+ [0-9]+
+
+# some sample servers:
+# RFC example: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>
+# mail.dreamhost.com: +OK Hello there.
+# pop.carleton.edu: +OK POP3D(*) Server PMDFV6.2.2 at Fri, 12 Sep 2003 19:28:10 -0500 (CDT) (APOP disabled)
+# mail.earthlink.net: +OK NGPopper vEL_4_38 at earthlink.net ready <25509.1063412951@falcon>
+# *.email.umn.edu: +OK Cubic Circle's v1.22 1998/04/11 POP3 ready <7d1e0000da67623f@aquamarine.tc.umn.edu>
+# mail.yale.edu: +OK POP3 pantheon-po01 v2002.81 server ready
+# mail.gustavus.edu: +OK POP3 solen v2001.78 server ready
+# mail.reed.edu: +OK POP3 letra.reed.edu v2002.81 server ready
+# mail.bowdoin.edu: +OK mail.bowdoin.edu POP3 service (iPlanet Messaging Server 5.2 HotFix 1.15 (built Apr 28 2003))
+# pop.colby.edu: +OK Qpopper (version 4.0.5) at basalt starting.
+# mail.mac.com: +OK Netscape Messaging Multiplexor ready
+
+# various error strings:
+#-ERR Invalid command.
+#-ERR invalid command
+#-ERR unimplemented
+#-ERR Invalid command, try one of: USER name, PASS string, QUIT
+#-ERR Unknown AUTHORIZATION state command
+#-ERR Unrecognized command
+#-ERR Unknown command: "sadf'".
diff --git a/src/usr/local/share/protocols/postscript.pat b/src/usr/local/share/protocols/postscript.pat
new file mode 100644
index 0000000..456ac21
--- /dev/null
+++ b/src/usr/local/share/protocols/postscript.pat
@@ -0,0 +1,7 @@
+# Postscript - Printing Language
+# Pattern attributes: good fast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+postscript
+%!ps
diff --git a/src/usr/local/share/protocols/pplive.pat b/src/usr/local/share/protocols/pplive.pat
new file mode 100644
index 0000000..42fef72
--- /dev/null
+++ b/src/usr/local/share/protocols/pplive.pat
@@ -0,0 +1,11 @@
+# PPLive - Chinese P2P streaming video - http://pplive.com
+# Pattern attributes: ok notsofast notsofast
+# Protocol groups: p2p streaming_video proprietary
+# Wiki: http://www.protocolinfo.org/wiki/PPLive
+# Copyright (C) 2008 Matthew Strait; See ../LICENSE
+
+# By liangjun, who says that it works. It may be easily improvable with
+# a bit more testing.
+
+pplive
+\x01...\xd3.+\x0c.$
diff --git a/src/usr/local/share/protocols/pressplay.pat b/src/usr/local/share/protocols/pressplay.pat
new file mode 100644
index 0000000..cd814cc
--- /dev/null
+++ b/src/usr/local/share/protocols/pressplay.pat
@@ -0,0 +1,15 @@
+# pressplay - A legal music distribution site - http://pressplay.com
+# Pattern attributes: ok notsofast notsofast
+# Protocol groups: document_retrieval obsolete proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Pressplay
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern was "contributed" (taken with permission) by the bandwidth
+# arbitrator project (www.bandwidtharbitrator.com).
+#
+# This pattern is unconfirmed.
+
+pressplay
+# can we do better than this?
+user-agent: nsplayer
+
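Review bot: The pattern line `user-agent: nsplayer` will match far more than pressplay, because, as far as I know, NSPlayer is the user-agent of Windows Media Player streaming clients in general. The attribute line reads `ok notsofast notsofast` without the `overmatch` flag that skypeout.pat and rtp.pat carry. I would change it to `# Pattern attributes: ok notsofast notsofast overmatch` and replace "can we do better than this?" with a comment saying the match is on the generic player user-agent. That way nobody builds a block rule on it expecting only pressplay traffic to be hit.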
diff --git a/src/usr/local/share/protocols/qq.pat b/src/usr/local/share/protocols/qq.pat
new file mode 100644
index 0000000..08db802
--- /dev/null
+++ b/src/usr/local/share/protocols/qq.pat
@@ -0,0 +1,26 @@
+# Tencent QQ Protocol - Chinese instant messenger protocol - http://www.qq.com
+# Pattern attributes: good notsofast fast
+# Protocol groups: chat
+# Wiki: http://www.protocolinfo.org/wiki/QQ
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Over six million people use QQ in China, according to wsgtrsys.
+#
+# This pattern has been tested and is believed to work well.
+#
+# QQ uses three (two?) methods to connect to server(s?).
+# one is udp, and another is tcp
+# udp protocol: the first byte is 02 and last byte is 03
+# tcp protocol: the second byte is 02 and last byte is 03
+# tony on protocolinfo.org says that now the *third* byte is 02:
+# "but when I tested on my PC, I found that when qq2007/qq2008
+# use tcp protocol, the third byte instead of the second is always 02.
+#
+# So the QQ protocol changed again, or I have made a mistake, I wonder
+# that."
+# So now the pattern allows any of the first three bytes to be 02. Delete
+# one of the ".?" to restore to the old behaviour.
+# pattern written by www.routerclub.com wsgtrsys
+
+qq
+^.?.?\x02.+\x03$
diff --git a/src/usr/local/share/protocols/quake-halflife.pat b/src/usr/local/share/protocols/quake-halflife.pat
new file mode 100644
index 0000000..bc05b8f
--- /dev/null
+++ b/src/usr/local/share/protocols/quake-halflife.pat
@@ -0,0 +1,32 @@
+# Half Life 1 engine games (HL 1, Quake 2/3/World, Counterstrike 1.6, etc.)
+# Pattern attributes: good veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Half-Life http://www.protocolinfo.org/wiki/Counter-Strike http://www.protocolinfo.org/wiki/Day_of_Defeat
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Contributed by Laurens Blankers <laurens AT blankersfamily.com>, who says:
+#
+# This pattern has been tested with QuakeWorld (2.30), Quake 2 (3.20),
+# Quake 3 (1.32), and Half-life (1.1.1.0). But may also work on other
+# games based on the Quake engine.
+#
+# Clayton Macleod <cherrytwist A gmail.com> says:
+# [This should match] Counter-Strike v1.6, [...] the slightly updated
+# Counter-Strike: Condition Zero, and the game Day Of Defeat, Team
+# Fortress Classic, Deathmatch Classic, Ricochet, Half-Life [1] Deathmatch,
+# and I imagine all the other 3rd party mods that also use this engine
+# will match that pattern.
+#
+# Gavin Pryke <gavinlee303 at googlemail.com> says:
+# Added "getstatus". Quake3 games were not being matched here until it was
+# added.
+
+quake-halflife
+# All quake (like) protocols start with 4x 0xFF. Then the client either
+# issues getinfo, getchallenge or getstatus.
+^\xff\xff\xff\xffget(info|challenge|status)
+
+# A previous quake pattern allowed the connection to start with only 2 bytes
+# of 0xFF. This doesn't seem to ever happen, but we should keep an eye out
+# for it.
+
diff --git a/src/usr/local/share/protocols/quake1.pat b/src/usr/local/share/protocols/quake1.pat
new file mode 100644
index 0000000..46bdebd
--- /dev/null
+++ b/src/usr/local/share/protocols/quake1.pat
@@ -0,0 +1,19 @@
+# Quake 1 - A popular computer game.
+# Pattern attributes: marginal veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Quake
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern is untested and unconfirmed.
+
+# Info taken from http://www.gamers.org/dEngine/quake/QDP/qnp.html,
+# which says that it "is incomplete, inaccurate and only applies to
+# versions 0.91, 0.92, 1.00 and 1.01 of QUAKE"
+
+quake1
+# Connection request: 80 00 00 0c 01 51 55 41 4b 45 00 03
+# \x80 = control packet.
+# \x0c = packet length
+# \x01 = CCREQ_CONNECT
+# \x03 = protocol version (3 == 0.91, 0.92, 1.00, 1.01)
+^\x80\x0c\x01quake\x03
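Review bot: The documented connection request is `80 00 00 0c 01 51 55 41 4b 45 00 03`, but the pattern `^\x80\x0c\x01quake\x03` leaves out every 00 byte and the file does not say why. This presumably relies on the matcher removing NUL bytes from the payload before the regex runs, which l7-filter does so that it can treat data as C strings. A one-line comment such as `# 00 bytes are stripped before matching, so they are omitted from the pattern` would stop a later editor from "correcting" it against a packet capture. The same applies to radmin.pat (`^\x01\x01(\x08\x08|\x1b\x1b)$`) and runesofmagic.pat (`^\x10\x03...`), whose sample bytes also contain 00 that the patterns skip.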
diff --git a/src/usr/local/share/protocols/quicktime.pat b/src/usr/local/share/protocols/quicktime.pat
new file mode 100644
index 0000000..5a6273d
--- /dev/null
+++ b/src/usr/local/share/protocols/quicktime.pat
@@ -0,0 +1,21 @@
+# Quicktime HTTP
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: streaming_video streaming_audio ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested and is believed to work well.
+# (Quick Time v6.5.1 downloading from www.apple.com/trailers)
+#
+# To get or provide more information about this protocol and/or pattern:
+# http://www.protocolinfo.org/wiki/HTTP
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+#
+# Since this is a subset of HTTP, it should be put earlier in the packet
+# filtering chain than HTTP. Also, please don't use this to block Quicktime.
+# If you must do that, you should use a filtering HTTP proxy, which is probably
+# more accurate.
+
+quicktime
+user-agent: quicktime \(qtver=[0-9].[0-9].[0-9];os=[\x09-\x0d -~]+\)\x0d\x0a
+
diff --git a/src/usr/local/share/protocols/radmin.pat b/src/usr/local/share/protocols/radmin.pat
new file mode 100644
index 0000000..d13aa65
--- /dev/null
+++ b/src/usr/local/share/protocols/radmin.pat
@@ -0,0 +1,17 @@
+# Famatech Remote Administrator - remote desktop for MS Windows
+# Pattern attributes: ok veryfast fast
+# Protocol groups: remote_access proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Radmin
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been verified with Radmin v1.1 and v3.0beta on Win2000/XP
+# It has only been tested between a single pair of computers.
+
+# The first packet of every TCP stream appears to be either one of:
+#
+# 01 00 00 00 01 00 00 00 08 08
+# 01 00 00 00 01 00 00 00 1b 1b
+
+radmin
+^\x01\x01(\x08\x08|\x1b\x1b)$
+
diff --git a/src/usr/local/share/protocols/rar.pat b/src/usr/local/share/protocols/rar.pat
new file mode 100644
index 0000000..1332af1
--- /dev/null
+++ b/src/usr/local/share/protocols/rar.pat
@@ -0,0 +1,7 @@
+# RAR - The WinRAR archive format
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+rar
+rar\x21\x1a\x07
diff --git a/src/usr/local/share/protocols/rdp.pat b/src/usr/local/share/protocols/rdp.pat
new file mode 100644
index 0000000..44b853f
--- /dev/null
+++ b/src/usr/local/share/protocols/rdp.pat
@@ -0,0 +1,20 @@
+# RDP - Remote Desktop Protocol (used in Windows Terminal Services)
+# Pattern attributes: ok notsofast notsofast
+# Protocol groups: remote_access proprietary
+# Wiki: http://www.protocolinfo.org/wiki/RDP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern was submitted by Michael Leong. It has been tested under the
+# following conditions: "WinXP Pro with all the patches, rdesktop server
+# running on port 7000 instead of 3389 --> WinXP Pro Remote Desktop Client."
+# Also tested is WinXP to Win 2000 Server.
+
+# At least one other person has reported it to work as well.
+
+rdp
+rdpdr.*cliprdr.*rdpsnd
+
+# Old pattern, submitted by Daniel Weatherford.
+# rdpdr.*cliprdp.*rdpsnd
+
+
diff --git a/src/usr/local/share/protocols/replaytv-ivs.pat b/src/usr/local/share/protocols/replaytv-ivs.pat
new file mode 100644
index 0000000..aaf9255
--- /dev/null
+++ b/src/usr/local/share/protocols/replaytv-ivs.pat
@@ -0,0 +1,11 @@
+# ReplayTV Internet Video Sharing - Digital Video Recorder - http://replaytv.com
+# Pattern attributes: good fast fast
+# Protocol groups:
+# Wiki: http://www.protocolinfo.org/wiki/ReplayTV
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Pattern by jm 409 at hot mail dot com, who says that this one "worked best".
+
+replaytv-ivs
+^(get /ivs-IVSGetFileChunk|http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*\x23\x23\x23\x23\x23REPLAY_CHUNK_START\x23\x23\x23\x23\x23)
+
diff --git a/src/usr/local/share/protocols/rlogin.pat b/src/usr/local/share/protocols/rlogin.pat
new file mode 100644
index 0000000..42c4f7e
--- /dev/null
+++ b/src/usr/local/share/protocols/rlogin.pat
@@ -0,0 +1,19 @@
+# rlogin - remote login - RFC 1282
+# Pattern attributes: ok fast fast
+# Protocol groups: remote_access ietf_rfc_documented
+# Wiki: http://www.protocolinfo.org/wiki/Rlogin
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# usually runs on port 443
+#
+# This pattern is untested.
+
+rlogin
+# At least three characters (user name, user name, terminal type),
+# the first of which could be the first character of a user name, a
+# slash, then a terminal speed. (Assumes that usernames and terminal
+# types are alphanumeric only. I'm sure there are usernames like
+# "straitm-47" out there, but it's not common.) All terminal speeds
+# I know of end in two zeros and are between 3 and 6 digits long.
+# This pattern is uncomfortably general.
+^[a-z][a-z0-9][a-z0-9]+/[1-9][0-9]?[0-9]?[0-9]?00
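Review bot: The header comment `# usually runs on port 443` is wrong for rlogin, which listens on TCP 513; 443 is HTTPS. The file itself calls the pattern "uncomfortably general" and untested, so an operator is likely to pair it with a port match, and the stated port would point that rule at HTTPS traffic instead. The line should read `# usually runs on port 513`.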
diff --git a/src/usr/local/share/protocols/rpm.pat b/src/usr/local/share/protocols/rpm.pat
new file mode 100644
index 0000000..0302839
--- /dev/null
+++ b/src/usr/local/share/protocols/rpm.pat
@@ -0,0 +1,7 @@
+# RPM - Redhat Package Management packages
+# Pattern attributes: good fast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+rpm
+\xed\xab\xee\xdb.?.?.?.?[1-7]
diff --git a/src/usr/local/share/protocols/rtf.pat b/src/usr/local/share/protocols/rtf.pat
new file mode 100644
index 0000000..676cb1a
--- /dev/null
+++ b/src/usr/local/share/protocols/rtf.pat
@@ -0,0 +1,8 @@
+# RTF - Rich Text Format - an open document format
+# Pattern attributes: good fast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+rtf
+\{\\rtf[12]
+
diff --git a/src/usr/local/share/protocols/rtmp.pat b/src/usr/local/share/protocols/rtmp.pat
new file mode 100644
index 0000000..2c7adad
--- /dev/null
+++ b/src/usr/local/share/protocols/rtmp.pat
@@ -0,0 +1,13 @@
+# Adobe Real Time Messaging Protocol(RTMP). By Jonathan A.P. Marpaung
+# Pattern attributes: works very fast
+# Protocol Groups: streaming_video streaming_audio
+# The RTMP Specification is availabe at
+# http://www.adobe.com/devnet/rtmp/pdf/rtmp_specification_1.0.pdf [^]
+#
+# First 12 bytes, starting at \x03 are the RTMP header. Next 25 bytes,
+# starting at \x02, are part of the RTMP body which is an AMF Object.
+# The first string "connect" is a command of the NetConnection class object.
+# The next string "app" is a Command Object which is followed by values
+# such as "video", .
+rtmp
+^\x03.+\x14.+\x02.+\x07.(connect)?.+(app)?
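Review bot: Both literal groups in the pattern are optional, `(connect)?` and `(app)?`, so neither string has to be present and the expression reduces to `^\x03.+\x14.+\x02.+\x07..+`, which is much looser than the comment block describes. If "connect" is always the first command, as the comment says, require it: `^\x03.+\x14.+\x02.+\x07.connect`. The header also departs from the other files: `# Pattern attributes: works very fast` does not use the quality/speed vocabulary (for example `good veryfast fast`), and `# Protocol Groups:` differs in case from `# Protocol groups:`. Both could matter to any tool that parses these headers.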
diff --git a/src/usr/local/share/protocols/rtp.pat b/src/usr/local/share/protocols/rtp.pat
new file mode 100644
index 0000000..61fcd8e
--- /dev/null
+++ b/src/usr/local/share/protocols/rtp.pat
@@ -0,0 +1,33 @@
+# RTP - Real-time Transport Protocol - RFC 3550
+# Pattern attributes: ok overmatch undermatch fast fast
+# Protocol groups: streaming_video ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/RTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# RTP headers are *very* short and compact. They have almost nothing in
+# them that can be matched by l7-filter. As RTP connections take place
+# between even numbered ports, you should probably check for that before
+# applying this pattern. If you want to match them along with their
+# associated SIP packets, you might try setting up some iptables rules
+# that watch for SIP packets and then also match any other UDP packets
+# that are going between the same two IP addresses.
+#
+# I think we can count on the first bit being 1 and the second bit being
+# 0 (meaning protocol version 2). The next two bits could go either way,
+# but in the example I've seen, they are zero, so I'll assume they are
+# usually zero. The next four bits are a count of "contributing source
+# identifiers". I'm not sure how big that could be, but in the example
+# I've seen, they're zero, so I'll assume they're usually zero. So that
+# gives us ^\x80. The next bit is a tossup. Next is the payload type, 7
+# bits. I've taken likely values from the WireShark code: 0-34, 96-127
+# (decimal). The rest of the header is random numbers (sequence number,
+# timestamp, synchronization source identifier), so that's no help at
+# all.
+
+rtp
+^\x80[\x01-"`-\x7f\x80-\xa2\xe0-\xff]?..........*\x80
+
+# Might also try this. It's a bit slower (one packet and not too much extra
+# regexec load) and a bit more accurate:
+#^\x80[\x01-"`-\x7f\x80-\xa2\xe0-\xff]?..........*\x80.*\x80
+
diff --git a/src/usr/local/share/protocols/rtsp.pat b/src/usr/local/share/protocols/rtsp.pat
new file mode 100644
index 0000000..1013ae3
--- /dev/null
+++ b/src/usr/local/share/protocols/rtsp.pat
@@ -0,0 +1,15 @@
+# RTSP - Real Time Streaming Protocol - http://www.rtsp.org - RFC 2326
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: streaming_video ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/RTSP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# usually runs on port 554
+#
+# To take full advantage of this pattern, please see the RTSP connection
+# tracking patch to the Linux kernel referenced at the above site.
+#
+# This pattern has been tested and is believed to work well.
+
+rtsp
+rtsp/1.0 200 ok
diff --git a/src/usr/local/share/protocols/runesofmagic.pat b/src/usr/local/share/protocols/runesofmagic.pat
new file mode 100644
index 0000000..6fbfea4
--- /dev/null
+++ b/src/usr/local/share/protocols/runesofmagic.pat
@@ -0,0 +1,63 @@
+# Runes of Magic - game - http://www.runesofmagic.com
+# Pattern attributes: ok veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Runes_of_Magic
+# Copyright (C) 2008 Matthew Strait; See ../LICENSE
+
+runesofmagic
+^\x10\x03...........\x0a\x02.....\x0e
+# See below (this is also veryfast fast)
+#^\x10\x03...........?\x0a\x02.....?$
+
+# Greatwolf captured the following:
+#
+# Server:
+#
+# 10 00 00 00 03 78 76 7a 1e 8a dd b5 95 a3 3a de .....xvz ......:.
+# 0a 00 00 00 02 df 85 cc cc cc ........ ..
+#
+# Client reply:
+#
+# 0e 00 00 00 02 28 82 cc cc cc 8b c9 cc cc .....(.. ......
+#
+# Server:
+#
+# 2e 00 00 00 02 1e 7f f4 f4 f4 ef f4 f4 f4 b3 8c ........ ........
+# [...]
+#
+# And says: "Bytes 10 00 00 00 03, 0a 00 00 00 02 and 0e (client reply)
+# were consistently present.
+#
+# ^\x10\x03...........\x0a\x02.....\x0e
+#
+# Pattern was able to match during the closed beta period. It is still
+# matching okay after RoM started open beta but could definitely use
+# more testing from others to verify effectiveness."
+#
+# Matthew Strait says:
+#
+# * If the server consistently sends those four bytes in the first packet,
+# it is probably wasteful to wait for the next (client) packet before
+# matching.
+#
+# * If we switch the match strategy to just looking at the first packet, and
+# the first packet is always the same (or nearly the same) length, we can
+# anchor (i.e. use a '$') at the end of the packet.
+#
+# * When there's a string of bytes that I don't understand and that take
+# different values from connection to connection, I think it's good to allow
+# for the possibility that at least one might be \x00, and so I'd make one
+# of the "." into ".?", unless you *know* that \x00 is impossible somehow.
+#
+# * All of those \xcc bytes don't look random to me. Your comments suggest
+# that it isn't always exactly like that, but is there always pattern of
+# repeated bytes or something else that might be useful? It probably isn't
+# necessary to exploit this, since it looks like there's already enough to
+# go with, but it would be nice to understand.
+#
+# So perhaps it would be an improvement to use:
+#
+# ^\x10\x03...........?\x0a\x02.....?$
+#
+# but this depends on the assumptions I made above.
+
diff --git a/src/usr/local/share/protocols/shoutcast.pat b/src/usr/local/share/protocols/shoutcast.pat
new file mode 100644
index 0000000..e78883c
--- /dev/null
+++ b/src/usr/local/share/protocols/shoutcast.pat
@@ -0,0 +1,27 @@
+# Shoutcast and Icecast - streaming audio
+# Pattern attributes: good slow notsofast
+# Protocol groups: streaming_audio
+# Wiki: http://www.protocolinfo.org/wiki/Icecast
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# usually runs on port 80
+#
+# Original pattern contributed by Deepak Seshadri <dseshadri AT
+# broadbandmaritime.com> who says "The difference between [Shoutcast and
+# Icecast] is not clearly mentioned anywhere. According to this
+# document, my pattern would filter JUST shoutcast packets."
+#
+# Should now match both Shoutcast and Icecast. Tested with Winamp (in
+# 2005) and Totem using streams at dir.xiph.org (in Nov 2007).
+#
+# http://sander.vanzoest.com/talks/2002/audio_and_apache/
+# http://forums.radiotoolbox.com/viewtopic.php?t=74
+# http://www.icecast.org
+
+shoutcast
+# The first branch looks for an HTTP request that looks like it is asking for
+# a SHOUTcast stream. The second branch looks for the server's reply. However,
+# some (newer?) servers answer with "http/1.0 200 OK", not "ICY 200 OK", so
+# this will not work.
+# This pattern was discovered using Ethereal.
+^get /.*icy-metadata:1|icy [1-5][0-9][0-9] [\x09-\x0d -~]*(content-type:audio|icy-)
diff --git a/src/usr/local/share/protocols/sip.pat b/src/usr/local/share/protocols/sip.pat
new file mode 100644
index 0000000..2728009
--- /dev/null
+++ b/src/usr/local/share/protocols/sip.pat
@@ -0,0 +1,20 @@
+# SIP - Session Initiation Protocol - Internet telephony - RFC 3261, 3265, etc.
+# Pattern attributes: good fast fast
+# Protocol groups: voip ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/SIP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested with the Ubiquity SIP user agent and has been
+# confirmed by at least one other user.
+#
+# Thanks to Ankit Desai for this pattern. Updated by tehseen sagar.
+#
+# SIP typically uses port 5060.
+#
+# This pattern is based on SIP request format as per RFC 3261. I'm not
+# sure about the version part. The RFC doesn't say anything about it, so
+# I have allowed version ranging from 0.x to 2.x.
+
+#Request-Line = Method SP Request-URI SP SIP-Version CRLF
+sip
+^(invite|register|cancel|message|subscribe|notify) sip[\x09-\x0d -~]*sip/[0-2]\.[0-9]
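Review bot: The method alternation on the last line covers only `invite|register|cancel|message|subscribe|notify`, so a flow whose first request is OPTIONS (widely used for keep-alives and capability probes), ACK or BYE is never classified as SIP. The comment "The RFC doesn't say anything about it" is also inaccurate: RFC 3261 fixes the Request-Line version as `SIP/2.0`, so `sip/[0-2]\.[0-9]` is wider than needed. I would use `^(invite|register|cancel|message|subscribe|notify|options|ack|bye) sip[\x09-\x0d -~]*sip/2\.0` and correct the comment. Note that the `sip` after the method also accepts `sips:` URIs but not `tel:` ones.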
diff --git a/src/usr/local/share/protocols/skypeout.pat b/src/usr/local/share/protocols/skypeout.pat
new file mode 100644
index 0000000..55e4e10
--- /dev/null
+++ b/src/usr/local/share/protocols/skypeout.pat
@@ -0,0 +1,50 @@
+# Skype to phone - UDP voice call (program to POTS phone) - http://skype.com
+# Pattern attributes: ok slow notsofast overmatch
+# Protocol groups: voip p2p proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Skype
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# Thanks to Myles Uyema, mylesuyema AT gmail.com
+
+# Taken using Ethereal traces of Windows Skype v1.2.037, same in v1.2.0.18_API
+#
+# Skype will attempt to use the same UDP port for all its connections as
+# configured in its options. However, this is a random port by default.
+# Skype has some preference for ports 80 and 443.
+#
+# Example sessions:
+#
+#SkypeOut <USA phone number>
+#c6 5c bf 41 8e 8d d6 d2 08 <-- this is sometimes as short as 1 byte and
+#c6 5c bf 41 8e 8d d6 d2 08 <-- sometimes as long as 9 (or more?)
+#00 6b 2c f5 87 f1 06
+#00 6b 2c f5 87 f1 06
+#00 6b 2c f5 36 ea 85
+#00 6b 2c f5 36 ea 85
+#00 6b 2c f5 57 27 d4
+#00 6b 2c f5 57 27 d4
+#00 6b 2c f5 43 5b 00
+#00 6b 2c f5 43 5b 00
+#
+#SkypeOut <USA phone number>
+#7e 4f e5 b8
+#7e 4f e5 b8
+#00 6b 88 61 80 52 93
+#00 6b 88 61 80 52 93
+#00 6b 88 61 1a 09 e9
+#00 6b 88 61 1a 09 e9
+#00 6b 88 61 47 43 c4
+#00 6b 88 61 47 43 c4
+
+skypeout
+
+# Scary. Our regular expressions suck. This is a prime candidate for
+# some sort of a scheme to support two different regular expressions
+# when there's a major difference between what the two libraries allow.
+# For the Henry Spencer library, there's not much that can be done
+# except requiring that we see the same byte twice.
+
+# This matches about %4 of random streams and 13% of printable random streams
+
+# This is slow, but not as bad as you might think.
+^(\x01.?.?.?.?.?.?.?.?\x01|\x02.?.?.?.?.?.?.?.?\x02|\x03.?.?.?.?.?.?.?.?\x03|\x04.?.?.?.?.?.?.?.?\x04|\x05.?.?.?.?.?.?.?.?\x05|\x06.?.?.?.?.?.?.?.?\x06|\x07.?.?.?.?.?.?.?.?\x07|\x08.?.?.?.?.?.?.?.?\x08|\x09.?.?.?.?.?.?.?.?\x09|\x0a.?.?.?.?.?.?.?.?\x0a|\x0b.?.?.?.?.?.?.?.?\x0b|\x0c.?.?.?.?.?.?.?.?\x0c|\x0d.?.?.?.?.?.?.?.?\x0d|\x0e.?.?.?.?.?.?.?.?\x0e|\x0f.?.?.?.?.?.?.?.?\x0f|\x10.?.?.?.?.?.?.?.?\x10|\x11.?.?.?.?.?.?.?.?\x11|\x12.?.?.?.?.?.?.?.?\x12|\x13.?.?.?.?.?.?.?.?\x13|\x14.?.?.?.?.?.?.?.?\x14|\x15.?.?.?.?.?.?.?.?\x15|\x16.?.?.?.?.?.?.?.?\x16|\x17.?.?.?.?.?.?.?.?\x17|\x18.?.?.?.?.?.?.?.?\x18|\x19.?.?.?.?.?.?.?.?\x19|\x1a.?.?.?.?.?.?.?.?\x1a|\x1b.?.?.?.?.?.?.?.?\x1b|\x1c.?.?.?.?.?.?.?.?\x1c|\x1d.?.?.?.?.?.?.?.?\x1d|\x1e.?.?.?.?.?.?.?.?\x1e|\x1f.?.?.?.?.?.?.?.?\x1f|\x20.?.?.?.?.?.?.?.?\x20|\x21.?.?.?.?.?.?.?.?\x21|\x22.?.?.?.?.?.?.?.?\x22|\x23.?.?.?.?.?.?.?.?\x23|\$.?.?.?.?.?.?.?.?\$|\x25.?.?.?.?.?.?.?.?\x25|\x26.?.?.?.?.?.?.?.?\x26|\x27.?.?.?.?.?.?.?.?\x27|\(.?.?.?.?.?.?.?.?\(|\).?.?.?.?.?.?.?.?\)|\*.?.?.?.?.?.?.?.?\*|\+.?.?.?.?.?.?.?.?\+|\x2c.?.?.?.?.?.?.?.?\x2c|\x2d.?.?.?.?.?.?.?.?\x2d|\..?.?.?.?.?.?.?.?\.|\x2f.?.?.?.?.?.?.?.?\x2f|\x30.?.?.?.?.?.?.?.?\x30|\x31.?.?.?.?.?.?.?.?\x31|\x32.?.?.?.?.?.?.?.?\x32|\x33.?.?.?.?.?.?.?.?\x33|\x34.?.?.?.?.?.?.?.?\x34|\x35.?.?.?.?.?.?.?.?\x35|\x36.?.?.?.?.?.?.?.?\x36|\x37.?.?.?.?.?.?.?.?\x37|\x38.?.?.?.?.?.?.?.?\x38|\x39.?.?.?.?.?.?.?.?\x39|\x3a.?.?.?.?.?.?.?.?\x3a|\x3b.?.?.?.?.?.?.?.?\x3b|\x3c.?.?.?.?.?.?.?.?\x3c|\x3d.?.?.?.?.?.?.?.?\x3d|\x3e.?.?.?.?.?.?.?.?\x3e|\?.?.?.?.?.?.?.?.?\?|\x40.?.?.?.?.?.?.?.?\x40|\x41.?.?.?.?.?.?.?.?\x41|\x42.?.?.?.?.?.?.?.?\x42|\x43.?.?.?.?.?.?.?.?\x43|\x44.?.?.?.?.?.?.?.?\x44|\x45.?.?.?.?.?.?.?.?\x45|\x46.?.?.?.?.?.?.?.?\x46|\x47.?.?.?.?.?.?.?.?\x47|\x48.?.?.?.?.?.?.?.?\x48|\x49.?.?.?.?.?.?.?.?\x49|\x4a.?.?.?.?.?.?.?.?\x4a|\x4b.?.?.?.?.?.?.?.?\x4b|\x4c.?.?.?.?.?.?.?.?\x4c|\x4d.?.?.?.?.?.?.?.?\x4d|\x4e.?.?.?.?.?.?.?.?\x4e|\x4f.?.?.?.?.?.?.?.?\x4f|\x50.?.?.?.?.?.?.?.?\x50|\x51.?.?.?.?.?.?.?.?\x51|
\x52.?.?.?.?.?.?.?.?\x52|\x53.?.?.?.?.?.?.?.?\x53|\x54.?.?.?.?.?.?.?.?\x54|\x55.?.?.?.?.?.?.?.?\x55|\x56.?.?.?.?.?.?.?.?\x56|\x57.?.?.?.?.?.?.?.?\x57|\x58.?.?.?.?.?.?.?.?\x58|\x59.?.?.?.?.?.?.?.?\x59|\x5a.?.?.?.?.?.?.?.?\x5a|\[.?.?.?.?.?.?.?.?\[|\\.?.?.?.?.?.?.?.?\\|\].?.?.?.?.?.?.?.?\]|\^.?.?.?.?.?.?.?.?\^|\x5f.?.?.?.?.?.?.?.?\x5f|\x60.?.?.?.?.?.?.?.?\x60|\x61.?.?.?.?.?.?.?.?\x61|\x62.?.?.?.?.?.?.?.?\x62|\x63.?.?.?.?.?.?.?.?\x63|\x64.?.?.?.?.?.?.?.?\x64|\x65.?.?.?.?.?.?.?.?\x65|\x66.?.?.?.?.?.?.?.?\x66|\x67.?.?.?.?.?.?.?.?\x67|\x68.?.?.?.?.?.?.?.?\x68|\x69.?.?.?.?.?.?.?.?\x69|\x6a.?.?.?.?.?.?.?.?\x6a|\x6b.?.?.?.?.?.?.?.?\x6b|\x6c.?.?.?.?.?.?.?.?\x6c|\x6d.?.?.?.?.?.?.?.?\x6d|\x6e.?.?.?.?.?.?.?.?\x6e|\x6f.?.?.?.?.?.?.?.?\x6f|\x70.?.?.?.?.?.?.?.?\x70|\x71.?.?.?.?.?.?.?.?\x71|\x72.?.?.?.?.?.?.?.?\x72|\x73.?.?.?.?.?.?.?.?\x73|\x74.?.?.?.?.?.?.?.?\x74|\x75.?.?.?.?.?.?.?.?\x75|\x76.?.?.?.?.?.?.?.?\x76|\x77.?.?.?.?.?.?.?.?\x77|\x78.?.?.?.?.?.?.?.?\x78|\x79.?.?.?.?.?.?.?.?\x79|\x7a.?.?.?.?.?.?.?.?\x7a|\{.?.?.?.?.?.?.?.?\{|\|.?.?.?.?.?.?.?.?\||\}.?.?.?.?.?.?.?.?\}|\x7e.?.?.?.?.?.?.?.?\x7e|\x7f.?.?.?.?.?.?.?.?\x7f|\x80.?.?.?.?.?.?.?.?\x80|\x81.?.?.?.?.?.?.?.?\x81|\x82.?.?.?.?.?.?.?.?\x82|\x83.?.?.?.?.?.?.?.?\x83|\x84.?.?.?.?.?.?.?.?\x84|\x85.?.?.?.?.?.?.?.?\x85|\x86.?.?.?.?.?.?.?.?\x86|\x87.?.?.?.?.?.?.?.?\x87|\x88.?.?.?.?.?.?.?.?\x88|\x89.?.?.?.?.?.?.?.?\x89|\x8a.?.?.?.?.?.?.?.?\x8a|\x8b.?.?.?.?.?.?.?.?\x8b|\x8c.?.?.?.?.?.?.?.?\x8c|\x8d.?.?.?.?.?.?.?.?\x8d|\x8e.?.?.?.?.?.?.?.?\x8e|\x8f.?.?.?.?.?.?.?.?\x8f|\x90.?.?.?.?.?.?.?.?\x90|\x91.?.?.?.?.?.?.?.?\x91|\x92.?.?.?.?.?.?.?.?\x92|\x93.?.?.?.?.?.?.?.?\x93|\x94.?.?.?.?.?.?.?.?\x94|\x95.?.?.?.?.?.?.?.?\x95|\x96.?.?.?.?.?.?.?.?\x96|\x97.?.?.?.?.?.?.?.?\x97|\x98.?.?.?.?.?.?.?.?\x98|\x99.?.?.?.?.?.?.?.?\x99|\x9a.?.?.?.?.?.?.?.?\x9a|\x9b.?.?.?.?.?.?.?.?\x9b|\x9c.?.?.?.?.?.?.?.?\x9c|\x9d.?.?.?.?.?.?.?.?\x9d|\x9e.?.?.?.?.?.?.?.?\x9e|\x9f.?.?.?.?.?.?.?.?\x9f|\xa0.?.?.?.?.?.?.?.?\xa0|\xa1.?.?.?.?.?.?.?.?\xa1|\xa2.?.?.?.?.?.?.?.?\xa2|\xa
3.?.?.?.?.?.?.?.?\xa3|\xa4.?.?.?.?.?.?.?.?\xa4|\xa5.?.?.?.?.?.?.?.?\xa5|\xa6.?.?.?.?.?.?.?.?\xa6|\xa7.?.?.?.?.?.?.?.?\xa7|\xa8.?.?.?.?.?.?.?.?\xa8|\xa9.?.?.?.?.?.?.?.?\xa9|\xaa.?.?.?.?.?.?.?.?\xaa|\xab.?.?.?.?.?.?.?.?\xab|\xac.?.?.?.?.?.?.?.?\xac|\xad.?.?.?.?.?.?.?.?\xad|\xae.?.?.?.?.?.?.?.?\xae|\xaf.?.?.?.?.?.?.?.?\xaf|\xb0.?.?.?.?.?.?.?.?\xb0|\xb1.?.?.?.?.?.?.?.?\xb1|\xb2.?.?.?.?.?.?.?.?\xb2|\xb3.?.?.?.?.?.?.?.?\xb3|\xb4.?.?.?.?.?.?.?.?\xb4|\xb5.?.?.?.?.?.?.?.?\xb5|\xb6.?.?.?.?.?.?.?.?\xb6|\xb7.?.?.?.?.?.?.?.?\xb7|\xb8.?.?.?.?.?.?.?.?\xb8|\xb9.?.?.?.?.?.?.?.?\xb9|\xba.?.?.?.?.?.?.?.?\xba|\xbb.?.?.?.?.?.?.?.?\xbb|\xbc.?.?.?.?.?.?.?.?\xbc|\xbd.?.?.?.?.?.?.?.?\xbd|\xbe.?.?.?.?.?.?.?.?\xbe|\xbf.?.?.?.?.?.?.?.?\xbf|\xc0.?.?.?.?.?.?.?.?\xc0|\xc1.?.?.?.?.?.?.?.?\xc1|\xc2.?.?.?.?.?.?.?.?\xc2|\xc3.?.?.?.?.?.?.?.?\xc3|\xc4.?.?.?.?.?.?.?.?\xc4|\xc5.?.?.?.?.?.?.?.?\xc5|\xc6.?.?.?.?.?.?.?.?\xc6|\xc7.?.?.?.?.?.?.?.?\xc7|\xc8.?.?.?.?.?.?.?.?\xc8|\xc9.?.?.?.?.?.?.?.?\xc9|\xca.?.?.?.?.?.?.?.?\xca|\xcb.?.?.?.?.?.?.?.?\xcb|\xcc.?.?.?.?.?.?.?.?\xcc|\xcd.?.?.?.?.?.?.?.?\xcd|\xce.?.?.?.?.?.?.?.?\xce|\xcf.?.?.?.?.?.?.?.?\xcf|\xd0.?.?.?.?.?.?.?.?\xd0|\xd1.?.?.?.?.?.?.?.?\xd1|\xd2.?.?.?.?.?.?.?.?\xd2|\xd3.?.?.?.?.?.?.?.?\xd3|\xd4.?.?.?.?.?.?.?.?\xd4|\xd5.?.?.?.?.?.?.?.?\xd5|\xd6.?.?.?.?.?.?.?.?\xd6|\xd7.?.?.?.?.?.?.?.?\xd7|\xd8.?.?.?.?.?.?.?.?\xd8|\xd9.?.?.?.?.?.?.?.?\xd9|\xda.?.?.?.?.?.?.?.?\xda|\xdb.?.?.?.?.?.?.?.?\xdb|\xdc.?.?.?.?.?.?.?.?\xdc|\xdd.?.?.?.?.?.?.?.?\xdd|\xde.?.?.?.?.?.?.?.?\xde|\xdf.?.?.?.?.?.?.?.?\xdf|\xe0.?.?.?.?.?.?.?.?\xe0|\xe1.?.?.?.?.?.?.?.?\xe1|\xe2.?.?.?.?.?.?.?.?\xe2|\xe3.?.?.?.?.?.?.?.?\xe3|\xe4.?.?.?.?.?.?.?.?\xe4|\xe5.?.?.?.?.?.?.?.?\xe5|\xe6.?.?.?.?.?.?.?.?\xe6|\xe7.?.?.?.?.?.?.?.?\xe7|\xe8.?.?.?.?.?.?.?.?\xe8|\xe9.?.?.?.?.?.?.?.?\xe9|\xea.?.?.?.?.?.?.?.?\xea|\xeb.?.?.?.?.?.?.?.?\xeb|\xec.?.?.?.?.?.?.?.?\xec|\xed.?.?.?.?.?.?.?.?\xed|\xee.?.?.?.?.?.?.?.?\xee|\xef.?.?.?.?.?.?.?.?\xef|\xf0.?.?.?.?.?.?.?.?\xf0|\xf1.?.?.?.?.?.?.?.?\xf1|\xf2.?.?.?.?.?.?.?.?\xf2|\xf
3.?.?.?.?.?.?.?.?\xf3|\xf4.?.?.?.?.?.?.?.?\xf4|\xf5.?.?.?.?.?.?.?.?\xf5|\xf6.?.?.?.?.?.?.?.?\xf6|\xf7.?.?.?.?.?.?.?.?\xf7|\xf8.?.?.?.?.?.?.?.?\xf8|\xf9.?.?.?.?.?.?.?.?\xf9|\xfa.?.?.?.?.?.?.?.?\xfa|\xfb.?.?.?.?.?.?.?.?\xfb|\xfc.?.?.?.?.?.?.?.?\xfc|\xfd.?.?.?.?.?.?.?.?\xfd|\xfe.?.?.?.?.?.?.?.?\xfe|\xff.?.?.?.?.?.?.?.?\xff)
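Review bot: The file documents that this expression matches about 4% of random streams and 13% of printable random streams, but nothing tells the operator what that means for a rule built on it. With that false-positive rate a block or shaping rule keyed on `skypeout` alone will hit unrelated UDP flows. I would add a comment next to the pattern such as `# overmatches heavily: combine with address/port or other criteria, do not use alone for blocking`, in the spirit of the advice rtp.pat gives. skypetoskype.pat (`^..\x02.............`, any flow of 16 or more bytes with 02 as the third byte) has the same problem and deserves the same comment.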
diff --git a/src/usr/local/share/protocols/skypetoskype.pat b/src/usr/local/share/protocols/skypetoskype.pat
new file mode 100644
index 0000000..ed1103a
--- /dev/null
+++ b/src/usr/local/share/protocols/skypetoskype.pat
@@ -0,0 +1,14 @@
+# Skype to Skype - UDP voice call (program to program) - http://skype.com
+# Pattern attributes: ok veryfast fast overmatch
+# Protocol groups: voip p2p proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Skype
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# This matches at least some of the general chatter that occurs when the
+# user isn't doing anything as well as actual calls.
+# Thanks to Myles Uyema, mylesuyema AT gmail.com
+
+skypetoskype
+# require at least 16 bytes (my limited tests always get at least 18)
+^..\x02.............
+
diff --git a/src/usr/local/share/protocols/smb.pat b/src/usr/local/share/protocols/smb.pat
new file mode 100644
index 0000000..c1f8b0a
--- /dev/null
+++ b/src/usr/local/share/protocols/smb.pat
@@ -0,0 +1,19 @@
+# Samba/SMB - Server Message Block - Microsoft Windows filesharing
+# Pattern attributes: good fast notsofast
+# Protocol groups: document_retrieval networking proprietary
+# Wiki: http://www.protocolinfo.org/wiki/SMB
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# "This protocol is sometimes also referred to as the Common Internet File
+# System (CIFS), LanManager or NetBIOS protocol." -- "man samba"
+#
+# Actually, SMB is a higher level protocol than NetBIOS. However, the
+# NetBIOS header is only 4 bytes: not much to match on.
+#
+# http://www.ubiqx.org/cifs/SMB.html
+#
+# This pattern is lightly tested.
+
+smb
+# matches a NEGOTIATE PROTOCOL or TRANSACTION REQUEST command
+\xffsmb[\x72\x25]
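Review bot: The signature `\xffsmb[\x72\x25]` recognises only the SMB1 header, and nothing in the file header says so. SMB2 and SMB3 frames begin with `\xfe` followed by `SMB`, so a rule that relies on this pattern to classify or restrict file-sharing traffic will not see sessions that use the newer dialects from the start. I would add a comment above the pattern such as `# SMB1 only: SMB2/SMB3 headers start with \xfeSMB and are not matched by this pattern`.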
diff --git a/src/usr/local/share/protocols/smtp.pat b/src/usr/local/share/protocols/smtp.pat
new file mode 100644
index 0000000..2f5d195
--- /dev/null
+++ b/src/usr/local/share/protocols/smtp.pat
@@ -0,0 +1,40 @@
+# SMTP - Simple Mail Transfer Protocol - RFC 2821 (See also RFC 1869)
+# Pattern attributes: great notsofast fast
+# Protocol groups: mail ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/SMTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# usually runs on port 25
+#
+# This pattern has been tested and is believed to work well.
+
+# As usual, no text is required after "220", but all known servers have some
+# there. It (almost?) always has string "smtp" in it. The RFC examples
+# does not, so we match those too, just in case anyone has copied them
+# literally.
+#
+# Some examples:
+# 220 mail.stalker.com ESMTP CommuniGate Pro 4.1.3
+# 220 mail.vieodata.com ESMTP Merak 6.1.0; Mon, 15 Sep 2003 13:48:11 -0400
+# 220 mail.ut.caldera.com ESMTP
+# 220 persephone.pmail.gen.nz ESMTP server ready.
+# 220 smtp1.superb.net ESMTP
+# 220 mail.kerio.com Kerio MailServer 5.6.7 ESMTP ready
+# 220-mail.deerfield.com ESMTP VisNetic.MailServer.v6.0.9.0; Mon, 15 Sep 2003 13:4
+# 220 altn.com ESMTP MDaemon 6.8.5; Mon, 15 Sep 2003 12:46:42 -0500
+# 220 X1 NT-ESMTP Server ipsmin0165atl2.interland.net (IMail 6.06 73062-3)
+# 220 mail.icewarp.com ESMTP Merak 6.1.1; Mon, 15 Sep 2003 19:43:23 +0200
+# 220-mail.email-scan.com ESMTP
+# 220 smaug.dreamhost.com ESMTP
+# 220 kona.carleton.edu -- Server ESMTP (PMDF V6.2#30648)
+# 220 letra.reed.edu ESMTP Sendmail 8.12.9/8.12.9; Mon, 15 Sep 2003 10:35:57 -0700 (PDT)
+# 220-swan.mail.pas.earthlink.net ESMTP Exim 3.33 #1 Mon, 15 Sep 2003 10:32:15 -0700
+#
+# RFC examples:
+# 220 xyz.com Simple Mail Transfer Service Ready (RFC example)
+# 220 dbc.mtview.ca.us SMTP service ready
+
+smtp
+^220[\x09-\x0d -~]* (e?smtp|simple mail)
+userspace pattern=^220[\x09-\x0d -~]* (E?SMTP|[Ss]imple [Mm]ail)
+userspace flags=REG_NOSUB REG_EXTENDED
diff --git a/src/usr/local/share/protocols/snmp-mon.pat b/src/usr/local/share/protocols/snmp-mon.pat
new file mode 100644
index 0000000..fe22662
--- /dev/null
+++ b/src/usr/local/share/protocols/snmp-mon.pat
@@ -0,0 +1,32 @@
+# SNMP Monitoring - Simple Network Management Protocol (RFC1157)
+# Pattern attributes: good veryfast fast subset
+# Protocol groups: networking ietf_internet_standard
+# Wiki: http://en.wikipedia.org/wiki/SNMP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on UDP ports 161
+#
+# These filters match SNMPv1 packets without fail, and are made
+# as specific as possible not to match any ASN.1 encoded protocols.
+# However these could still be matched by other protocols that
+# use ASN.1 encoding
+
+# Contributed by Goli SriSairam <goli_sai AT yahoo.com>
+
+# This pattern has been tested and is believe to work well.
+#
+# To get or provide more information about this protocol and/or pattern:
+# http://www.protocolinfo.org/wiki/SNMP
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+# SNMPv1 GET/GETNEXT/SET request and response
+# matches SNMP header
+# version \x02\x01
+# community \x04.+
+# PDU type [\xa0-\xa3] (GET/GETNEXT/SET/GETRESPONSE)
+# RequestId \x02[\x01-\x04].?.?.?.?
+# errorStatus \x02\x01.?
+# errorIndex \x02\x01.?
+# varbinds start \x30
+snmp-mon
+^\x02\x01\x04.+[\xa0-\xa3]\x02[\x01-\x04].?.?.?.?\x02\x01.?\x02\x01.?\x30
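Review bot: The annotated field list gives the version as `\x02\x01` and then goes straight to the community tag `\x04`, without saying that the version value itself is absent from the regex. For SNMPv1 that value is `\x00`, and the pattern appears to rely on l7-filter dropping null bytes (subspace.pat in this same commit says it strips them), so SNMPv2c, whose version value is `\x01`, cannot match `^\x02\x01\x04`. A classification policy built on this pattern will therefore not cover v2c or v3 agents. A comment such as `# version \x02\x01 (the v1 value \x00 is stripped as a null, so \x04 follows; v2c/v3 are not matched)` would make that limit visible. The same applies to the patterns in snmp-trap.pat and snmp.pat.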
diff --git a/src/usr/local/share/protocols/snmp-trap.pat b/src/usr/local/share/protocols/snmp-trap.pat
new file mode 100644
index 0000000..e8ba19a
--- /dev/null
+++ b/src/usr/local/share/protocols/snmp-trap.pat
@@ -0,0 +1,33 @@
+# SNMP Traps - Simple Network Management Protocol (RFC1157)
+# Pattern attributes: good veryfast fast subset
+# Protocol groups: networking ietf_internet_standard
+# Wiki: http://en.wikipedia.org/wiki/SNMP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on UDP ports 162
+#
+# These filters match SNMPv1 packets without fail, and are made
+# as specific as possible not to match any ASN.1 encoded protocols.
+# However these could still be matched by other protocols that
+# use ASN.1 encoding
+
+# Contributed by Goli SriSairam <goli_sai AT yahoo.com>
+
+# This pattern has been tested and is believe to work well.
+#
+# To get or provide more information about this protocol and/or pattern:
+# http://www.protocolinfo.org/wiki/SNMP
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+# SNMPv1 Trap
+# matches SNMP trap header
+# version \x02\x01
+# community string \x04.+
+# PDU type \xa4 (TRAP)
+# enterprise \x06.+
+# agent address \x40\x04\.?.?.?.?
+# trap type \x02\x01.?
+# specific trap type \x02\x01.?
+# timestamp \x43
+snmp-trap
+^\x02\x01\x04.+\xa4\x06.+\x40\x04.?.?.?.?\x02\x01.?\x02\x01.?\x43
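Review bot: The comment for the agent address field, `\x40\x04\.?.?.?.?`, does not agree with the pattern on the last line, which uses `\x40\x04.?.?.?.?`. The escaped `\.?` in the comment describes an optional literal dot as the first address octet, which is not what the regex does. The comment should read `# agent address \x40\x04.?.?.?.?`.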
diff --git a/src/usr/local/share/protocols/snmp.pat b/src/usr/local/share/protocols/snmp.pat
new file mode 100644
index 0000000..a7186b2
--- /dev/null
+++ b/src/usr/local/share/protocols/snmp.pat
@@ -0,0 +1,19 @@
+# SNMP - Simple Network Management Protocol - RFC 1157
+# Pattern attributes: good veryfast fast superset
+# Protocol groups: networking ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/SNMP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on UDP ports 161 (monitoring) and 162 (traps).
+#
+# These filters match SNMPv1 packets without fail, and are made as
+# specific as possible not to match any ASN.1 encoded protocols. However
+# these could still be matched by other protocols that use ASN.1 encoding
+
+# Contributed by Goli SriSairam <goli_sai AT yahoo.com>
+
+# This pattern has been tested and is believed to work well.
+
+# All SNMPv1 traffic. See snmp-mon.pat and snmp-trap.pat for details.
+snmp
+^\x02\x01\x04.+([\xa0-\xa3]\x02[\x01-\x04].?.?.?.?\x02\x01.?\x02\x01.?\x30|\xa4\x06.+\x40\x04.?.?.?.?\x02\x01.?\x02\x01.?\x43)
diff --git a/src/usr/local/share/protocols/socks.pat b/src/usr/local/share/protocols/socks.pat
new file mode 100644
index 0000000..54189fd
--- /dev/null
+++ b/src/usr/local/share/protocols/socks.pat
@@ -0,0 +1,32 @@
+# SOCKS Version 5 - Firewall traversal protocol - RFC 1928
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: networking ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/SOCKS
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 1080
+# Also useful: http://www.iana.org/assignments/socks-methods
+#
+# We have had two reports that this pattern works.
+
+# method request, no private methods \x05[\x01-\x08]*
+# method reply, assumes sucess \x05[\x01-\x08]?
+# method dependent sub-negotiation .*
+# request, ipv4 only \x05[\x01-\x03][\x01\x03].*
+# reply \x05[\x01-\x08]?[\x01\x03].*
+
+# username/password method
+# u/p request, assuming reasonable usernames and passwords
+# \x05[\x02-\x10][a-z][a-z0-9\-]*[\x05-\x20][!-~]*
+# server reply
+# \x05
+
+# GSSAPI method
+# client initial token \x01\x01\x02.*
+# server reply \x01\x01\x02.*
+
+# any other method .* (all methods boil down to this until we have information
+# about all the commonly used ones)
+
+socks
+\x05[\x01-\x08]*\x05[\x01-\x08]?.*\x05[\x01-\x03][\x01\x03].*\x05[\x01-\x08]?[\x01\x03]
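Review bot: The request and reply sub-patterns accept only the address types `[\x01\x03]`, and the comment labels that "ipv4 only", which is inaccurate. In RFC 1928 `\x03` is a domain name and `\x04` is IPv6, so a SOCKS5 session that targets an IPv6 address is not classified. The pattern also has no `^` anchor and, as written, needs both directions of the negotiation to match, which is worth stating for anyone using it to restrict proxy traffic. Suggested comment: `# request, IPv4 or domain name (IPv6 \x04 not matched)  \x05[\x01-\x03][\x01\x03].*`.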
diff --git a/src/usr/local/share/protocols/soribada.pat b/src/usr/local/share/protocols/soribada.pat
new file mode 100644
index 0000000..e1c0c56
--- /dev/null
+++ b/src/usr/local/share/protocols/soribada.pat
@@ -0,0 +1,51 @@
+# Soribada - A Korean P2P filesharing program/protocol - http://www.soribada.com
+# Pattern attributes: good slow notsofast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Soribada
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# I am told that there are three versions of this protocol, the first no
+# longer being used. That would probably explain why incoming searches
+# have two different formats...
+
+# There are three parts to Soribada protocal:
+# 1: Ping/Pong to establish a relationship on the net (UDP with 2 useful bytes)
+# 2: Searching (in two formats) (UDP with two short easy to match starts)
+# 3: Download requests/transfers (TCP with an obvious first packet)
+
+# 1 -- Pings/Pongs:
+# Requester send 2 bytes and a 6 byte response is sent back.
+# \x10 for the first byte and \x14-\x16 for the second.
+# The response is the first byte (\x10) and the second byte incremented
+# by 1 (\x15-\x17).
+# No further communication happens between the hosts except for searches.
+# A regex match: ^\x10[\x14-\x16]\x10[\x15-\x17].?.?.?.?$
+# First Packet ---^^^^^^^^^^^^^^^
+# Second Packet -----------------^^^^^^^^^^^^^^^^^^^^^^^
+
+# 2 -- Search requests:
+# All searches are totally stateless and are only responded to if the user
+# actually has the file.
+# Both format start with a \x01 byte, have 3 "random bytes" and then 3 bytes
+# corasponding to one of two formats.
+# Format 1 is \x51\x3a\+ and format 2 is \x51\x32\x3a
+# A regex match: ^\x01.?.?.?(\x51\x3a\+|\x51\x32\x3a)
+
+# 3 -- Download requests:
+# All downloads start with "GETMP3\x0d\x0aFilename"
+# A regex match: ^GETMP3\x0d\x0aFilename
+
+soribada
+
+# This will match the second packet of two.
+# ^\x10[\x14-\x16]\x10[\x15-\x17].?.?.?.?$
+
+# Again, matching this is the end of the comunication.
+# ^\x01.?.?.?(\x51\x3a\+|\x51\x32\x3a)
+
+# This is the start of the transfer and an easy match
+#^GETMP3\x0d\x0aFilename
+
+# This will match everything including the udp packet portions
+^GETMP3\x0d\x0aFilename|^\x01.?.?.?(\x51\x3a\+|\x51\x32\x3a)|^\x10[\x14-\x16]\x10[\x15-\x17].?.?.?.?$
+
diff --git a/src/usr/local/share/protocols/soulseek.pat b/src/usr/local/share/protocols/soulseek.pat
new file mode 100644
index 0000000..ebc06ab
--- /dev/null
+++ b/src/usr/local/share/protocols/soulseek.pat
@@ -0,0 +1,17 @@
+# Soulseek - P2P filesharing - http://slsknet.org
+# Pattern attributes: good fast fast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Soulseek
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# All my tests show that this pattern is fast, but one user has reported that
+# it is slow. Your milage may vary.
+
+# This has been tested and works for "pierce firewall" commands and file
+# transfers. It does *not* match all the various sorts of chatter that go on,
+# such as searches, pings and whatnot.
+
+soulseek
+# (Pierce firewall: in theory the token could be 4 bytes, but the last two
+# seem to always be zero.|download: Peer Init)
+^(\x05..?|.\x01.[ -~]+\x01F..?.?.?.?.?.?.?)$
diff --git a/src/usr/local/share/protocols/ssdp.pat b/src/usr/local/share/protocols/ssdp.pat
new file mode 100644
index 0000000..d2de92d
--- /dev/null
+++ b/src/usr/local/share/protocols/ssdp.pat
@@ -0,0 +1,21 @@
+# SSDP - Simple Service Discovery Protocol - easy discovery of network devices
+# Pattern attributes: good slow notsofast
+# Protocol groups: networking ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/SSDP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# This pattern was tested only by listening to a Linksys WRT54G. However,
+# I expect it works in general given the simplicity of the protocol.
+
+# SSDP packets should _always_ be sent to the multicast address
+# 239.255.255.250, making this pattern irrelevant. (Moreover, SSDP
+# packets should be resitricted to local networks that have plenty of
+# bandwidth.) However, Microsoft, as usual, has other ideas, so maybe
+# it could be useful. Can't hurt, anyway. :-)
+#
+# http://www.upnp.org/download/draft_cai_ssdp_v1_03.txt
+# http://msdn.microsoft.com/library/default.asp?url=/library/en-us/randz/protocol/ssdp.asp
+
+ssdp
+^notify[\x09-\x0d ]\*[\x09-\x0d ]http/1\.1[\x09-\x0d -~]*ssdp:(alive|byebye)|^m-search[\x09-\x0d ]\*[\x09-\x0d ]http/1\.1[\x09-\x0d -~]*ssdp:discover
+
diff --git a/src/usr/local/share/protocols/ssh.pat b/src/usr/local/share/protocols/ssh.pat
new file mode 100644
index 0000000..5e32f5c
--- /dev/null
+++ b/src/usr/local/share/protocols/ssh.pat
@@ -0,0 +1,17 @@
+# SSH - Secure SHell
+# Pattern attributes: great veryfast fast
+# Protocol groups: remote_access secure ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/SSH
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# usually runs on port 22
+#
+# http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-22.txt
+#
+# This pattern has been tested and is believed to work well.
+
+ssh
+^ssh-[12]\.[0-9]
+
+# old pattern:
+# (diffie-hellman-group-exchange-sha1|diffie-hellman-group1-sha1.ssh-rsa|ssh-dssfaes128-cbc|3des-cbc|blowfish-cbc|cast128-cbc|arcfour|aes192-cbc|aes256-cbc|rijndael-cbc@lysator.liu.sefaes128-cbc|3des-cbc|blowfish-cbc|cast128-cbc|arcfour|aes192-cbc|aes256-cbc|rijndael-cbc@lysator.liu.seuhmac-md5|hmac-sha1|hmac-ripemd160)+
diff --git a/src/usr/local/share/protocols/ssl.pat b/src/usr/local/share/protocols/ssl.pat
new file mode 100644
index 0000000..ae30ee4
--- /dev/null
+++ b/src/usr/local/share/protocols/ssl.pat
@@ -0,0 +1,16 @@
+# SSL and TLS - Secure Socket Layer / Transport Layer Security - RFC 2246
+# Pattern attributes: good notsofast fast superset
+# Protocol groups: secure ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/SSL
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 443
+#
+# This is a superset of validcertssl. For it to match, it must be first.
+#
+# This pattern has been tested and is believed to work well.
+
+ssl
+# Server Hello with certificate | Client Hello
+# This allows SSL 3.X, which includes TLS 1.0, known internally as SSL 3.1
+^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b)
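Review bot: The sentence "This is a superset of validcertssl. For it to match, it must be first." reads as if the ssl rule has to be listed first, while validcertssl.pat says the subset "needs to come first to match". Both comments imply that the first matching rule wins, in which case listing ssl first means validcertssl never matches. I would reword this to `# This is a superset of validcertssl; list validcertssl before this pattern if both are used.`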
diff --git a/src/usr/local/share/protocols/stun.pat b/src/usr/local/share/protocols/stun.pat
new file mode 100644
index 0000000..3bfc3ab
--- /dev/null
+++ b/src/usr/local/share/protocols/stun.pat
@@ -0,0 +1,46 @@
+# STUN - Simple Traversal of UDP Through NAT - RFC 3489
+# Pattern attributes: ok veryfast fast
+# Protocol groups: networking ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/STUN
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern is untested as far as I know.
+
+# Wikipedia says: "The STUN server is contacted on UDP port 3478,
+# however the server will hint clients to perform tests on alternate IP
+# and port number too (STUN servers have two IP addresses). The RFC
+# states that this port and IP are arbitrary."
+
+stun
+# \x01 is a Binding Request. \x02 is a Shared Secret Request. Binding
+# Requests are, experimentally, exactly 20 Bytes with three NULL Bytes.
+# The first NULL is part of the two byte message type field. The other
+# two give the message length, zero. I'm guessing that Shared Secret
+# Requests are similar, but I have not checked. Please read the RFC and
+# do experiments to find out. All other message types are responses,
+# and so don't matter.
+#
+# The .? allows one of the Message Transaction ID Bytes to be \x00. If
+# two are \x00, it will fail. This will happen 0.37% of the time, since
+# the Message Transaction ID is supposed to be random. If this is
+# unacceptable to you, add another ? to reduce this to 0.020%, but be
+# aware of the increased possibility of false positives.
+^[\x01\x02]................?$
+
+# From my post to the mailing list:
+# http://sourceforge.net/mailarchive/message.php?msg_id=36787107
+#
+# This is a rather permissive pattern, but you can make it a little better
+# by combining it with another iptables rule that checks that the packet
+# data is exactly 20 Bytes. Of course, the second packet is longer, so
+# maybe that introduces more complications than benefits.
+#
+# If you're willing to wait until the second packet to make the
+# identification, you could use this:
+#
+# ^\x01................?\x01\x01
+#
+# or if the Message Length is always \x24 (I'm not sure it is from your
+# single example):
+#
+# ^\x01................?\x01\x01\x24
diff --git a/src/usr/local/share/protocols/subspace.pat b/src/usr/local/share/protocols/subspace.pat
new file mode 100644
index 0000000..0a1b174
--- /dev/null
+++ b/src/usr/local/share/protocols/subspace.pat
@@ -0,0 +1,21 @@
+# Subspace - 2D asteroids-style space game - http://sscentral.com
+# Pattern attributes: marginal veryfast fast
+# Protocol groups: game
+# Wiki: http://www.protocolinfo.org/wiki/Subspace
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# By Myles Uyema <mylesuyema AT gmail.com>
+#
+# This pattern matches the initial 2 packets of the client-server
+# 'handshake' when joining a Zone.
+#
+# The first packet is an 8 byte UDP payload sent from client
+# 0x00 0x01 0x?? 0x?? 0x?? 0x?? 0x11
+# The next packet is a 12 byte UDP response from server
+# 0x00 0x10 0x?? 0x?? 0x?? 0x?? 0x?? 0x?? 0x?? 0x?? 0x01 0x00
+#
+# l7-filter strips out the null bytes, leaving me with this pattern
+
+subspace
+^\x01....\x11\x10........\x01$
+
diff --git a/src/usr/local/share/protocols/subversion.pat b/src/usr/local/share/protocols/subversion.pat
new file mode 100644
index 0000000..8769a19
--- /dev/null
+++ b/src/usr/local/share/protocols/subversion.pat
@@ -0,0 +1,13 @@
+# Subversion - a version control system
+# Pattern attributes: ok veryfast fast
+# Protocol groups: version_control open_source
+# Wiki: http://www.protocolinfo.org/wiki/Subversion
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern is UNTESTED. (But it seems straightforward enough...)
+#
+# Subversion uses TCP port 3690 by default.
+
+subversion
+# This is not a valid basic GNU regular expression.
+^\( success \( 1 2 \(
diff --git a/src/usr/local/share/protocols/swf.pat b/src/usr/local/share/protocols/swf.pat
new file mode 100644
index 0000000..af03086
--- /dev/null
+++ b/src/usr/local/share/protocols/swf.pat
@@ -0,0 +1,2 @@
+swf
+swf\x21\x1a\x07
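Review bot: The signature `swf\x21\x1a\x07` does not look like a Flash file header: SWF files start with `FWS` or `CWS`, whereas `\x21\x1a\x07` is the `!\x1a\x07` tail of the RAR archive magic (`Rar!\x1a\x07`). It looks as though this file was derived from a RAR pattern by changing only the name, so it is unlikely to match any Flash content, and a filter rule built on it would silently do nothing. The file also lacks the description, attribute and copyright header that the other .pat files carry. At minimum I would add `# NOTE(review): bytes \x21\x1a\x07 come from the RAR magic, not SWF (FWS/CWS); verify before relying on this pattern`.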
diff --git a/src/usr/local/share/protocols/tar.pat b/src/usr/local/share/protocols/tar.pat
new file mode 100644
index 0000000..d3ea987
--- /dev/null
+++ b/src/usr/local/share/protocols/tar.pat
@@ -0,0 +1,12 @@
+# Tar - tape archive. Standard UNIX file archiver, not just for tapes.
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+tar
+# /usr/share/magic
+## POSIX tar archives
+#257 string ustar\0 POSIX tar archive
+#257 string ustar\040\040\0 GNU tar archive
+# this is pretty general. It's not a dictionary word, but still...
+ustar
diff --git a/src/usr/local/share/protocols/teamfortress2.pat b/src/usr/local/share/protocols/teamfortress2.pat
new file mode 100644
index 0000000..337af39
--- /dev/null
+++ b/src/usr/local/share/protocols/teamfortress2.pat
@@ -0,0 +1,11 @@
+# Team Fortress 2 - network game - http://www.valvesoftware.com
+# Pattern attributes: good veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Team_Fortress
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Credits: Clayton Macleod <cherry twist at gmail dot com>
+# Jan Engelhardt <jengelh at computergmbh dot de>
+
+teamfortress2
+^\xff\xff\xff\xff.....*tfTeam Fortress
diff --git a/src/usr/local/share/protocols/teamspeak.pat b/src/usr/local/share/protocols/teamspeak.pat
new file mode 100644
index 0000000..8b2155e
--- /dev/null
+++ b/src/usr/local/share/protocols/teamspeak.pat
@@ -0,0 +1,15 @@
+# TeamSpeak - VoIP application - http://goteamspeak.com
+# Pattern attributes: good veryfast fast
+# Protocol groups: voip proprietary
+# Wiki: http://www.protocolinfo.org/wiki/TeamSpeak
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested by Matthew Strait and verified by packet
+# traces by at least two other people. The meaning of f4b303 is not
+# known, but it seems to appear in all first packets. This pattern only
+# matches the actual UDP voice traffic, not the TeamSpeak web interface
+# or "TCP query".
+
+teamspeak
+^\xf4\xbe\x03.*teamspeak
+
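Review bot: The comment refers to the leading bytes as f4b303, but the pattern is `^\xf4\xbe\x03.*teamspeak`, i.e. f4be03. One of the two is a typo and the hunk gives no way to tell which; if the pattern is the wrong one, it never matches and TeamSpeak voice traffic goes unclassified. The value should be checked against a capture, and then either the comment changed to `The meaning of f4be03 is not known` or the pattern changed to `^\xf4\xb3\x03.*teamspeak`, whichever the trace confirms.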
diff --git a/src/usr/local/share/protocols/telnet.pat b/src/usr/local/share/protocols/telnet.pat
new file mode 100644
index 0000000..cf10d0e
--- /dev/null
+++ b/src/usr/local/share/protocols/telnet.pat
@@ -0,0 +1,16 @@
+# Telnet - Insecure remote login - RFC 854
+# Pattern attributes: good veryfast fast
+# Protocol groups: remote_access obsolete ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/Telnet
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 23
+#
+# This pattern is lightly tested.
+
+telnet
+# Matches at least three IAC (Do|Will|Don't|Won't) commands in a row.
+# My telnet client sends 9 when I connect, so this should be fine.
+# This pattern could fail on a unchatty connection or it could be
+# matched by something non-telnet spewing a lot of stuff in the fb-ff range.
+^\xff[\xfb-\xfe].\xff[\xfb-\xfe].\xff[\xfb-\xfe]
diff --git a/src/usr/local/share/protocols/tesla.pat b/src/usr/local/share/protocols/tesla.pat
new file mode 100644
index 0000000..1f4ee86
--- /dev/null
+++ b/src/usr/local/share/protocols/tesla.pat
@@ -0,0 +1,15 @@
+# Tesla Advanced Communication - P2P filesharing (?)
+# Pattern attributes: marginal slow notsofast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Tesla
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern is untested!
+
+# This is lifted from http://oofle.com/filesharing.php?app=tesla
+# There is no explaination of what these numbers mean.
+# The above page says that the first string is found only in TCP packets
+# and the second only in UDP.
+
+tesla
+\x03\x9a\x89\x22\x31\x31\x31\.\x30\x30\x20\x42\x65\x74\x61\x20|\xe2\x3c\x69\x1e\x1c\xe9
diff --git a/src/usr/local/share/protocols/tftp.pat b/src/usr/local/share/protocols/tftp.pat
new file mode 100644
index 0000000..1782ff5
--- /dev/null
+++ b/src/usr/local/share/protocols/tftp.pat
@@ -0,0 +1,21 @@
+# TFTP - Trivial File Transfer Protocol - used for bootstrapping - RFC 1350
+# Pattern attributes: marginal fast fast
+# Protocol groups: document_retrieval ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/TFTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# usually runs on port 69
+#
+# This pattern is unconfirmed.
+
+tftp
+# The first packet from the initiating host should either be a Read Request
+# or a Write Request. In the other direction, it should be data packet with
+# block number one or an ACK with block number zero. We only attempt to match
+# the initiating host's packets, because the only identifying features of
+# the responses to them are two byte sequences (which isn't specific enough).
+# (\x01|\x02) = Read Request or Write Request
+# [ -~]* = the file name
+# the rest = netascii|octet|mail (case insensitivity done by the kernel)
+
+^(\x01|\x02)[ -~]*(netascii|octet|mail)
diff --git a/src/usr/local/share/protocols/thecircle.pat b/src/usr/local/share/protocols/thecircle.pat
new file mode 100644
index 0000000..d5e2b80
--- /dev/null
+++ b/src/usr/local/share/protocols/thecircle.pat
@@ -0,0 +1,12 @@
+# The Circle - P2P application - http://thecircle.org.au
+# Pattern attributes: ok veryfast fast
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/The_Circle
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# This is tested with The Circle 0.41c on Linux.
+# It likely misses some stuff. Notably, I wasn't able to test it on any
+# large downloads, because no one is sharing anything!
+
+thecircle
+^t\x03ni.?[\x01-\x06]?t[\x01-\x05]s[\x0a\x0b](glob|who are you$|query data)
diff --git a/src/usr/local/share/protocols/tonghuashun.pat b/src/usr/local/share/protocols/tonghuashun.pat
new file mode 100644
index 0000000..45f838b
--- /dev/null
+++ b/src/usr/local/share/protocols/tonghuashun.pat
@@ -0,0 +1,11 @@
+# Tonghuashun - stock analysis and trading; Chinese - http://www.10jqka.com.cn
+# Pattern attributes: ok fast fast
+# Protocol groups:
+# Wiki: http://www.protocolinfo.org/wiki/Tonghuashun
+# Copyright (C) 2009 Matthew Strait; See ../LICENSE
+
+# Pattern contributed by liangjun without comment.
+
+tonghuashun
+^(GET /docookie\.php\?uname=|\xfd\xfd\xfd\xfd\x30\x30\x30\x30\x30)
+
diff --git a/src/usr/local/share/protocols/tor.pat b/src/usr/local/share/protocols/tor.pat
new file mode 100644
index 0000000..7e4f707
--- /dev/null
+++ b/src/usr/local/share/protocols/tor.pat
@@ -0,0 +1,17 @@
+# Tor - The Onion Router - used for anonymization - http://tor.eff.org
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: networking
+# Wiki: http://protocolinfo.org/wiki/Tor
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested and is believed to work well.
+#
+# It matches on the second packet. I have no idea how the protocol
+# works, but this matches every stream I have made using Tor 0.1.0.16 as
+# a client on Linux.
+#
+# It does NOT attempt to match the HTTP request that fetches the list of
+# Tor servers.
+
+tor
+TOR1.*<identity>
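Review bot: The header rates this pattern "good" and says it is believed to work well, but the only evidence given is streams made with Tor 0.1.0.16 as a client. `TOR1.*<identity>` depends on literal strings seen in that release's handshake, and as far as I know later Tor versions do not expose them. A policy that uses this pattern to detect or restrict Tor is therefore likely to miss current clients. I would add `# Only verified against Tor 0.1.0.16; do not treat a non-match as absence of Tor traffic`.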
diff --git a/src/usr/local/share/protocols/tsp.pat b/src/usr/local/share/protocols/tsp.pat
new file mode 100644
index 0000000..7751df9
--- /dev/null
+++ b/src/usr/local/share/protocols/tsp.pat
@@ -0,0 +1,14 @@
+# TSP - Berkely UNIX Time Synchronization Protocol
+# Pattern attributes: good veryfast fast overmatch
+# Protocol groups: time_synchronization open_source
+# Wiki: http://www.protocolinfo.org/wiki/TSP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# http://ftp.svbug.com/ftp/pub/manuals/pdf/smm.22.timed.pdf
+# http://docs.freebsd.org/44doc/smm/12.timed/paper.pdf
+#
+# This pattern is barely tested.
+
+tsp
+# type, version (1), sequence number, 8 type specific bytes, machine name
+^[\x01-\x13\x16-$]\x01.?.?.?.?.?.?.?.?.?.?[ -~]+
diff --git a/src/usr/local/share/protocols/unset.pat b/src/usr/local/share/protocols/unset.pat
new file mode 100644
index 0000000..b9c1244
--- /dev/null
+++ b/src/usr/local/share/protocols/unset.pat
@@ -0,0 +1,8 @@
+# Unset - Dummy pattern for unmatched connections that are still being tested
+
+unset
+# This pattern is ignored by the kernel. It sees that the "protocol" is
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+# "testing" and always returns matched for connections that are still
+# being tested.
+.
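Review bot: The copyright line has been inserted in the middle of a sentence: "It sees that the "protocol" is" is followed by the Copyright line and only then by ""testing" and always returns matched". That makes the explanation of why this dummy pattern is ignored hard to read. Moving `# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE` up to directly under the title line, where the other .pat files have it, restores the sentence.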
diff --git a/src/usr/local/share/protocols/uucp.pat b/src/usr/local/share/protocols/uucp.pat
new file mode 100644
index 0000000..f7ef22c
--- /dev/null
+++ b/src/usr/local/share/protocols/uucp.pat
@@ -0,0 +1,12 @@
+# UUCP - Unix to Unix Copy
+# Pattern attributes: ok veryfast fast
+# Protocol groups: document_retrieval obsolete
+# Wiki: http://www.protocolinfo.org/wiki/UUCP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# This is completely untested! (I don't know how to use UUCP...)
+
+# See http://docs.freebsd.org/info/uucp/uucp.info.The_Initial_Handshake.html
+
+uucp
+^\x10here=
diff --git a/src/usr/local/share/protocols/validcertssl.pat b/src/usr/local/share/protocols/validcertssl.pat
new file mode 100644
index 0000000..7aa1812
--- /dev/null
+++ b/src/usr/local/share/protocols/validcertssl.pat
@@ -0,0 +1,25 @@
+# Valid certificate SSL
+# Pattern attributes: good slow notsofast subset
+# Protocol groups: secure ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/SSL
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# This matches anything claiming to use a valid certificate from a well
+# known certificate authority.
+#
+# This is a subset of ssl, so it needs to come first to match.
+#
+# Note that opening a website that has a valid certificate will
+# open one connection that matches this and many ssl connections that
+# only match the ssl pattern. Thus, this pattern may not be very useful.
+#
+# This pattern is believed match only the above, but may not match all
+# of it.
+#
+# the certificate authority info is sent in quasi plain text, if it matches
+# a well known certificate authority then we will assume it is a
+# web/imaps/etc server. Other ssl may be good too, but it should fall under
+# a different rule
+
+validcertssl
+^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b).*(thawte|equifax secure|rsa data security, inc|verisign, inc|gte cybertrust root|entrust\.net limited)
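Review bot: The name and header suggest certificate validation, but the pattern only looks for a CA name such as `verisign, inc` anywhere after the hello bytes. Those strings come from certificate fields the server supplies, so a self-signed certificate can carry them, and no chain or signature is checked; a match must not be used as a trust decision or to exempt traffic from inspection. The pattern also depends on the certificate being sent in clear, which is not the case for TLS 1.3. I would add `# This is a string match on CA names in the handshake, not certificate validation; the peer controls these bytes`.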
diff --git a/src/usr/local/share/protocols/ventrilo.pat b/src/usr/local/share/protocols/ventrilo.pat
new file mode 100644
index 0000000..74e588c
--- /dev/null
+++ b/src/usr/local/share/protocols/ventrilo.pat
@@ -0,0 +1,18 @@
+# Ventrilo - VoIP - http://ventrilo.com
+# Pattern attributes: good fast fast
+# Protocol groups: voip proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Ventrilo
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# I have tested this with Ventrilo client 2.3.0 on Windows talking to
+# Ventrilo server 2.3.1 (the public version) on Linux. I've done this
+# both within a LAN and over the Internet. In one test, I tried
+# monkeying around with the server settings to see if I could break the
+# pattern, and I couldn't. However, you can't change the port number in
+# the public server.
+#
+# It has also been tested by one other person in an unknown configuration.
+
+ventrilo
+^..?v\$\xcf
+
diff --git a/src/usr/local/share/protocols/vnc.pat b/src/usr/local/share/protocols/vnc.pat
new file mode 100644
index 0000000..79d0ae8
--- /dev/null
+++ b/src/usr/local/share/protocols/vnc.pat
@@ -0,0 +1,23 @@
+# VNC - Virtual Network Computing. Also known as RFB - Remote Frame Buffer
+# Pattern attributes: great veryfast fast
+# Protocol groups: remote_access
+# Wiki: http://www.protocolinfo.org/wiki/VNC
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# http://www.realvnc.com/documentation.html
+#
+# This pattern has been verified with vnc v3.3.7 on WinXP and Linux
+#
+# Thanks to Trevor Paskett <tpaskett AT cymphonix.com> for this pattern.
+
+vnc
+# Assumes single digit major and minor version numbers
+# This message should be all alone in the first packet, so ^$ is appropriate
+^rfb 00[1-9]\.00[0-9]\x0a$
+
+# This is a more restrictive version which assumes the version numbers
+# are ones actually in existance at the time of this writing, i.e. 3.3,
+# 3.7 and 3.8 (with some clients wrongly reporting 3.5). It should be
+# slightly faster, but probably not worth the extra maintenance.
+# ^rfb 003\.00[3578]\x0a$
+
diff --git a/src/usr/local/share/protocols/whois.pat b/src/usr/local/share/protocols/whois.pat
new file mode 100644
index 0000000..6abf0e8
--- /dev/null
+++ b/src/usr/local/share/protocols/whois.pat
@@ -0,0 +1,14 @@
+# Whois - query/response system, usually used for domain name info - RFC 3912
+# Pattern attributes: good notsofast notsofast overmatch
+# Protocol groups: networking ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/Whois
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on TCP port 43
+#
+# This pattern has been tested and is believed to work well.
+
+whois
+# Matches the query. Assumes only that it is printable ASCII without wierd
+# whitespace.
+^[ !-~]+\x0d\x0a$
diff --git a/src/usr/local/share/protocols/worldofwarcraft.pat b/src/usr/local/share/protocols/worldofwarcraft.pat
new file mode 100644
index 0000000..4136d79
--- /dev/null
+++ b/src/usr/local/share/protocols/worldofwarcraft.pat
@@ -0,0 +1,66 @@
+# World of Warcraft - popular network game - http://blizzard.com/
+# Pattern attributes: ok veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/World_of_Warcraft
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+worldofwarcraft
+^\x06\xec\x01
+
+# Quoth the author of this pattern, Weisskopf Beat <weisb AT bfh.ch>:
+
+# I have written a pattern for wow (tested with versions 1.8.3 and
+# 1.8.4, german edition). It does not match the login as i think this is
+# uncritical, but i have added the necessary info later on. So only the
+# actual in-game traffic is matched.
+#
+# I hope the pattern is specific enough, otherwise one may add some
+# bytes from the response.
+#
+# some captured info:
+#
+# login:
+#
+# 0000: 00 02 28 00 57 6F 57 00 01 08 03 C7 12 36 38 78 ..(.WoW......68x
+# 0010: 00 6E 69 57 00 45 44 65 64 3C 00 00 00 C0 A8 01 .niW.EDed<......
+# 0020: 22 0A 42 57 45 49 53 53 4B 4F 50 46 ".BWEISSKOPF
+#
+# 0000: 00 02 28 00 57 6F 57 00 01 08 03 C7 12 36 38 78 ..(.WoW......68x
+# 0010: 00 6E 69 57 00 45 44 65 64 3C 00 00 00 C0 A8 01 .niW.EDed<......
+# 0020: 22 0A 42 57 45 49 53 53 4B 4F 50 46 ".BWEISSKOPF
+#
+# server asking:
+#
+# #1
+# 0000: 00 06 EC 01 04 49 C5 33 .....I.3
+#
+# #2
+# 0000: 00 06 EC 01 C3 A8 6E 63 ......nc
+#
+# client response
+# #1
+# 0000: 00 A4 ED 01 00 00 C7 12 00 00 00 00 00 00 42 57 ..............BW
+# 0010: 45 49 53 53 4B 4F 50 46 00 EB 35 DC 89 5A CA 6D EISSKOPF..5..Z.m
+# 0020: 17 95 DE 5B 74 6E 1E 5D 23 73 C6 8F 27 9F 11 12 ...[tn.]#s..'...
+# 0030: BB 21 01 00 00 78 9C 75 CC 41 0A 83 50 0C 84 E1 .!...x.u.A..P...
+# 0040: E7 3D 7A 19 75 25 D4 4D AB EB 12 5E A2 0C 8D 51 .=z.u%.M...^...Q
+# 0050: D2 57 04 4F DF 2E 2D A4 B3 FD 86 3F A5 EF 1A C5 .W.O..-....?....
+# 0060: 71 90 F3 A3 7E E7 82 D5 C6 2E 55 CB 7E B9 FE 58 q...~.....U.~..X
+# 0070: 43 A5 A8 4C 10 E5 1E 86 85 B6 E8 04 63 D8 1C 06 C..L........c...
+# 0080: 5A A7 A9 84 D2 D9 6B 93 1C 5B 4F D9 D7 50 6E 04 Z.....k..[O..Pn.
+# 0090: 0E 61 20 15 8B 6B 83 13 CB FD 09 D5 7F 0C 13 3F .a ..k.........?
+# 00A0: DB 07 B4 EA 54 F8 ....T.
+#
+# #2
+# 0000: 00 A4 ED 01 00 00 C7 12 00 00 00 00 00 00 42 57 ..............BW
+# 0010: 45 49 53 53 4B 4F 50 46 00 38 4C B5 95 C3 AD 25 EISSKOPF.8L....%
+# 0020: CB 73 48 BD 82 FC 99 63 59 AC BF F3 D0 C6 8D AB .sH....cY.......
+# 0030: 3D 21 01 00 00 78 9C 75 CC 41 0A 83 50 0C 84 E1 =!...x.u.A..P...
+# 0040: E7 3D 7A 19 75 25 D4 4D AB EB 12 5E A2 0C 8D 51 .=z.u%.M...^...Q
+# 0050: D2 57 04 4F DF 2E 2D A4 B3 FD 86 3F A5 EF 1A C5 .W.O..-....?....
+# 0060: 71 90 F3 A3 7E E7 82 D5 C6 2E 55 CB 7E B9 FE 58 q...~.....U.~..X
+# 0070: 43 A5 A8 4C 10 E5 1E 86 85 B6 E8 04 63 D8 1C 06 C..L........c...
+# 0080: 5A A7 A9 84 D2 D9 6B 93 1C 5B 4F D9 D7 50 6E 04 Z.....k..[O..Pn.
+# 0090: 0E 61 20 15 8B 6B 83 13 CB FD 09 D5 7F 0C 13 3F .a ..k.........?
+# 00A0: DB 07 B4 EA 54 F8 ....T.
+
diff --git a/src/usr/local/share/protocols/x11.pat b/src/usr/local/share/protocols/x11.pat
new file mode 100644
index 0000000..2028ee7
--- /dev/null
+++ b/src/usr/local/share/protocols/x11.pat
@@ -0,0 +1,23 @@
+# X Windows Version 11 - Networked GUI system used in most Unices
+# Pattern attributes: good notsofast veryfast
+# Protocol groups: remote_access x_consortium_standard
+# Wiki: http://www.protocolinfo.org/wiki/X11
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# It is common for X to be tunneled through SSH. Then obviously this pattern
+# will not catch it.
+#
+# Specification: http://www.msu.edu/~huntharo/xwin/docs/xwindows/PROTO.pdf
+# Usually runs on port 6000 (6001 for the second server on a host, etc)
+#
+# This pattern has been tested.
+
+x11
+# 'l' = little-endian. 'B' = big endian
+# ".?" is for the unused byte that comes next. If it's a null, it won't appear.
+# \x0b = protocol-major-version 11.
+# For some reason, protocol-minor-version is 0, not 6, so can't match it.
+# This pattern is too general.
+^[lb].?\x0b
+userspace pattern=^[lB].?\x0b
+userspace flags=REG_NOSUB
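Review bot: The header line reads `Pattern attributes: good notsofast veryfast`, but the comment directly above the expression says "This pattern is too general". I would add `overmatch` to the attribute line, as whois.pat does, so that anyone building a rule from the metadata sees the false-positive risk. `^[lb].?\x0b` constrains only two or three bytes at the start of a flow. A short comment explaining why the kernel form uses `[lb]` while the userspace form uses `[lB]` would also help, for example `# kernel matching is case-insensitive, userspace is case-sensitive, hence 'B'`. That explanation is my reading of the two lines and should be confirmed against the matcher in use.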
diff --git a/src/usr/local/share/protocols/xboxlive.pat b/src/usr/local/share/protocols/xboxlive.pat
new file mode 100644
index 0000000..d04d9a7
--- /dev/null
+++ b/src/usr/local/share/protocols/xboxlive.pat
@@ -0,0 +1,41 @@
+# XBox Live - Console gaming
+# Pattern attributes: marginal slow notsofast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/XBox_Live
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This may match all XBox traffic, or may only match Halo 2 traffic.
+# We don't know yet.
+#
+# Thanks to Myles Uyema <mylesuyema AT gmail DOT com>, who says:
+#
+# Analyzing packet traces using Ethereal, the Xbox typically connects
+# to remote users using UDP port 3074. The first frame is typically
+# a 156 byte UDP payload. I've only scrutinized the first 20 or so bytes.
+#
+# Each line below represents the first frame between my Xbox and a remote
+# player's IP address playing Halo2 on Xbox Live.
+#
+# 00 00 00 00 00 58 80 00 00 00 00 00 82 31 9e a8 05 0f c5 62 00 f3 96 08
+# 00 00 00 00 00 58 80 00 00 00 00 00 82 31 9e a8 0f 0f c5 62 00 f3 97 09
+# 00 00 00 00 00 58 80 00 00 00 00 00 82 31 9e a8 05 0f c5 62 00 f3 95 07
+# 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 bc 07
+# 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 be 09
+# 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 bf 0a
+# 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 bd 08
+# 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 ba 05
+# 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 bb 06
+# 00 00 00 00 00 58 80 00 00 00 00 00 81 7f dd 14 f2 8e a3 a1 00 f3 ca 06
+# 00 00 00 00 00 58 80 00 00 00 00 00 81 7f dd 14 f2 8e a3 a1 00 f3 cc 08
+# 00 00 00 00 00 58 80 00 00 00 00 00 81 7f dd 14 f2 8e a3 a1 00 f3 c9 05
+# 00 00 00 00 00 58 80 00 00 00 00 00 8b ca 5b c0 d8 9c f8 c3 00 f3 d4 0a
+# 00 00 00 00 00 58 80 00 00 00 00 00 8b ca 5b c0 d8 9c f3 c3 00 f3 d1 07
+# 00 00 00 00 00 58 80 00 00 00 00 00 8b ca 5b c0 d8 9c f8 c3 00 f3 d2 08
+# 00 00 00 00 00 58 80 00 00 00 00 00 8b ca 5b c0 d8 9c f8 c3 00 f3 cf 05
+# 00 00 00 00 06 58 4e 00 00 00 e6 d9 6e ab 65 0d 63 9f 02 00 00 02 80 dd
+# 00 00 00 00 06 58 4e 00 00 00 46 e2 95 74 cd f9 bc 3d 00 00 00 00 8b ca
+# 00 00 00 00 06 58 4e 00 00 00 cf ce 3b 5c f5 f2 49 9a 00 00 00 00 8b ca
+# 00 00 00 00 06 58 4e 00 00 00 a9 c0 ac c5 16 e5 c9 92 00 00 00 00 8b ca
+
+xboxlive
+^\x58\x80........\xf3|^\x06\x58\x4e
diff --git a/src/usr/local/share/protocols/xunlei.pat b/src/usr/local/share/protocols/xunlei.pat
new file mode 100644
index 0000000..f7814c7
--- /dev/null
+++ b/src/usr/local/share/protocols/xunlei.pat
@@ -0,0 +1,83 @@
+# Xunlei - Chinese P2P filesharing - http://xunlei.com
+# Pattern attributes: good slow notsofast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Xunlei
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This has been tested by a number of people.
+#
+# Written by wsgtrsys of www.routerclub.com. Improved by VeNoMouS.
+# Improved more by wsgtrsys and platinum of bbs.chinaunix.net.
+#
+# Further additions of HTTP-like content by liangjunATdcuxD.Tcom, who
+# says: "i find old pattern is not working . so i write a new pattern of
+# xunlei,it's working with all of xunlei 5 version!" Matthew Strait notes
+# in response:
+#
+# I've looked around and I'm fairly sure that Internet Explorer 5.0
+# never identifies itself as "Mozilla/4.0 (compatible; MSIE 5.00;
+# Windows 98)" and that Internet Explorer 6.0 never identifies itself as
+# either "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; )" or
+# "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)".
+
+# The keep-alive part needs some examination too. These might validly
+# occur in an HTTP/1.0 connection, although I think in practical cases
+# they don't since there's general only one \x0d\x0a after it and/or the
+# next line starts with a letter (especially because it's the client
+# sending it). It wouldn't be crazy, though, if another protocol
+# (besides Xunlei) used keep-alive in a way that did match this. But
+# since I can't think of any examples, I'll assume it's ok for now.
+
+xunlei
+^([()]|get)(...?.?.?(reg|get|query)|.+User-Agent: (Mozilla/4\.0 \(compatible; (MSIE 6\.0; Windows NT 5\.1;? ?\)|MSIE 5\.00; Windows 98\))))|Keep-Alive\x0d\x0a\x0d\x0a[26]
+
+
+# This was the pattern until 2008 11 08. It is safer than the above against
+# overmatching ordinary HTTP connections
+#^[()]...?.?.?(reg|get|query)
+
+# More detail:
+# From http://sourceforge.net/tracker/index.php?func=detail&aid=1885209&group_id=80085&atid=558668
+#
+##############################################################################
+# Date: 2008-02-03
+# Sender: hydr0g3n
+#
+# Xunlei (Chinese P2P) traffic is not matched anymore by layer7 xunlei
+# pattern. It used to work in the past but not anymore. Maybe Xunlei was
+# updated and pattern should be adapted?
+#
+# Apparently ipp2p was edited by Chinese people to detect pplive and xunlei.
+# It is interesting and very recent:
+# http://www.chinaunix.net/jh/4/914377.html
+##############################################################################
+# Date: 2008-02-03
+# Sender: quadong
+#
+# Ok. Only some of the ipp2p function can be translated into an l7-filter
+# regular expression. The first part of search_xunlei can't be, since it
+# works by checking whether the length of the packet matches a byte in the
+# packet. The second part of search_xunlei becomes:
+#
+# \x20.?\x01?.?[\x01\x77]............?.?.?.?\x38
+#
+# Or possibly:
+#
+# ^\x20.?\x01?.?[\x01\x77]............?.?.?.?\x38
+#
+# I'm not sure whether IPP2P looks at every packet or only the first of each
+# connection.
+#
+# udp_search_xunlei says:
+# \x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff
+#
+# Again, putting a ^ at the beginning might work:
+#
+# ^(\x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff)
+#
+# So this *might* work:
+#
+# ^(\x20.?\x01?.?[\x01\x77]............?.?.?.?\x38|\x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff)
+#
+# but the ^ might be wrong and it will not match the HTTP part of Xunlei.
+##############################################################################
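Review bot: In the active expression the leading `^` binds only to the first alternative, so the branch `Keep-Alive\x0d\x0a\x0d\x0a[26]` is unanchored and can match anywhere in the inspected data. The file itself says the pre-2008 expression "is safer than the above against overmatching ordinary HTTP connections", yet the header still reads `good slow notsofast` with no `overmatch` marker. I would add `overmatch` to the attribute line and put a comment above the expression such as `# NOTE: only the first branch is anchored; the Keep-Alive branch can match ordinary HTTP keep-alive traffic`. A rule that blocks or shapes on this pattern should be expected to catch some plain web traffic too, including any client that sends exactly the listed User-Agent strings.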
diff --git a/src/usr/local/share/protocols/yahoo.pat b/src/usr/local/share/protocols/yahoo.pat
new file mode 100644
index 0000000..17595b8
--- /dev/null
+++ b/src/usr/local/share/protocols/yahoo.pat
@@ -0,0 +1,27 @@
+# Yahoo messenger - an instant messenger protocol - http://yahoo.com
+# Pattern attributes: good fast fast
+# Protocol groups: chat proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Yahoo_Messenger
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 5050
+#
+# This pattern has been tested and is believed to work well.
+
+yahoo
+# http://www.venkydude.com/articles/yahoo.htm says:
+# All Yahoo commands start with YMSG.
+# (Well... http://ethereal.com/faq.html#q5.32 suggests that YPNS and YHOO
+# are also possible, so let's allow those)
+# The next 7 bytes contain command (packet?) length and version information
+# which we won't currently try to match.
+# L means "YAHOO_SERVICE_VERIFY" according to Ethereal
+# W means "encryption challenge command" (YAHOO_SERVICE_AUTH)
+# T means "login command" (YAHOO_SERVICE_AUTHRESP)
+# (there are others, i.e. 0x01 "coming online", 0x02 "going offline",
+# 0x04 "changing status to available", 0x06 "user message", but W and T
+# should appear in the first few packets.)
+# 0xC080 is the standard argument separator, it should appear not long
+# after the "type of command" byte.
+
+^(ymsg|ypns|yhoo).?.?.?.?.?.?.?[lwt].*\xc0\x80
diff --git a/src/usr/local/share/protocols/zip.pat b/src/usr/local/share/protocols/zip.pat
new file mode 100644
index 0000000..e001354
--- /dev/null
+++ b/src/usr/local/share/protocols/zip.pat
@@ -0,0 +1,7 @@
+# ZIP - (PK|Win)Zip archive format
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+zip
+pk\x03\x04\x14
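Review bot: Nothing in the file explains the trailing `\x14`, and it makes the match narrower than the header comment suggests. `pk\x03\x04` is the local-file-header signature, and the next byte is the low byte of the version-needed-to-extract field, so only archives whose matched entry declares version 2.0 are classified. The `subset` attribute hints at this, but I would spell it out with a comment such as `# \x14 = version needed 2.0; other versions are not matched, so do not rely on this as a content block`. The expression is also unanchored, so it fires wherever those five bytes occur in the inspected data, which deserves a one-line comment as well.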
diff --git a/src/usr/local/share/protocols/zmaap.pat b/src/usr/local/share/protocols/zmaap.pat
new file mode 100644
index 0000000..e741eca
--- /dev/null
+++ b/src/usr/local/share/protocols/zmaap.pat
@@ -0,0 +1,18 @@
+# ZMAAP - Zeroconf Multicast Address Allocation Protocol
+# Pattern attributes: ok veryfast fast
+# Protocol groups: networking ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/ZMAAP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# http://files.zeroconf.org/draft-ietf-zeroconf-zmaap-02.txt
+# (Note that this reference is an Internet-Draft, and therefore must
+# be considered a work in progress.)
+#
+# This pattern is untested!
+
+zmaap
+# - 4 byte magic number.
+# - 1 byte version. Allow 1 & 2, even though only version 1 currently exists.
+# - 1 byte message type,which is either 0 or 1
+# - 1 byte address family. L7-filter only works in IPv4, so this is 1.
+^\x1b\xd7\x3b\x48[\x01\x02]\x01?\x01