Add protocol definitions needed by ipfw-classifyd. Basically they are copied from the ipfw-classifyd pfPort which inherits them from l7-filter project on sf.net.

109 files changed, 2235 insertions, 0 deletions

diff --git a/usr/local/share/protocols/100bao.pat b/usr/local/share/protocols/100bao.pat
new file mode 100644
index 0000000..66bb5c9
--- /dev/null
+++ b/usr/local/share/protocols/100bao.pat
@@ -0,0 +1,11 @@
+# 100bao - a Chinese P2P protocol/program - http://www.100bao.com
+# Pattern attributes: ok veryfast fast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/100Bao
+#
+# Pattern written by www.routerclub.com's wsgtrsys.
+# The author of this pattern says it works, but this is unconfirmed. 
+
+100bao
+^\x01\x01\x05\x0a
+
diff --git a/usr/local/share/protocols/aim.pat b/usr/local/share/protocols/aim.pat
new file mode 100644
index 0000000..e26a3c4
--- /dev/null
+++ b/usr/local/share/protocols/aim.pat
@@ -0,0 +1,27 @@
+# AIM - AOL instant messenger (OSCAR and TOC)
+# Pattern attributes: good slow notsofast
+# Protocol groups: chat proprietary
+# Wiki: http://www.protocolinfo.org/wiki/AIM
+#
+# Usually runs on port 5190
+#
+# This may also match ICQ traffic.
+# 
+# This pattern has been tested and is believed to work well.
+
+aim
+# See http://gridley.res.carleton.edu/~straitm/final (and various other places)
+# The first bit matches OSCAR signon and data commands, but not sure what
+# \x03\x0b matches, but it works apparently.
+# The next three bits match various parts of the TOC signon process.
+# The third one is the magic number "*", then 0x01 for "signon", then up to four
+# bytes ("up to" because l7-filter strips out nulls) which contain a sequence
+# number (2 bytes) the data length (2 more) and 3 nulls (which don't count), 
+# then 0x01 for the version number (not sure if there ever has been another 
+# version)
+# The fourth one is a command string, followed by some stuff, then the
+# beginning of the "roasted" password
+
+# This pattern is too slow!
+
+^(\*[\x01\x02].*\x03\x0b|\*\x01.?.?.?.?\x01)|flapon|toc_signon.*0x
diff --git a/usr/local/share/protocols/aimwebcontent.pat b/usr/local/share/protocols/aimwebcontent.pat
new file mode 100644
index 0000000..af34d5b
--- /dev/null
+++ b/usr/local/share/protocols/aimwebcontent.pat
@@ -0,0 +1,9 @@
+# AIM web content - ads/news content downloaded by AOL Instant Messenger
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: chat document_retrieval proprietary
+# Wiki: http://www.protocolinfo.org/wiki/AIM
+#
+# This pattern has been tested and is believed to work well.
+
+aimwebcontent
+user-agent:aim/
diff --git a/usr/local/share/protocols/applejuice.pat b/usr/local/share/protocols/applejuice.pat
new file mode 100644
index 0000000..8158bc6
--- /dev/null
+++ b/usr/local/share/protocols/applejuice.pat
@@ -0,0 +1,11 @@
+# Apple Juice - P2P filesharing - http://www.applejuicenet.de
+# Pattern attributes: great veryfast fast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/AppleJuice
+#
+# This pattern has been tested with the Linux version (version
+# 0,29,142,229).  It matches search reqests and file transfers.
+
+applejuice
+# this pattern extracted from ipp2p, by Eicke Friedrich.
+^ajprot\x0d\x0a
diff --git a/usr/local/share/protocols/ares.pat b/usr/local/share/protocols/ares.pat
new file mode 100644
index 0000000..2e89a90
--- /dev/null
+++ b/usr/local/share/protocols/ares.pat
@@ -0,0 +1,62 @@
+# Ares - P2P filesharing - http://aresgalaxy.sf.net
+# Pattern attributes: good veryfast fast undermatch
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/Ares
+
+# This pattern catches only client-server connect messages.  This is
+# sufficient for blocking, but not for shaping, since it doesn't catch
+# the actual file transfers (see below).
+
+# Original pattern by Brandon Enright <bmenrigh at the server known as ucsd.edu>
+
+# This pattern has been tested with Ares 1.8.8.2998.
+
+ares
+# regular expression madness: "[]Z]" means ']' or 'Z'.
+^\x03[]Z].?.?\x05$
+
+# It appears that the general packet format is:
+# - Two byte little endian integer giving the data length
+# - One byte packet type
+# - data
+#
+# Login packets (TCP) have the following format:
+# - \x03\x00 (the length appears to always be 3)
+# - \x5a - The login packet type.
+#   The source code suggests that for supernodes \x5d is used instead.
+# - Three more bytes.  I don't know the meaning of these, but for me they 
+#   are always \x06\x06\x05 (in Ares 1.8.8.2998).  From the comments in IPP2P, 
+#   it seems that they are not always exactly that, but seem to always end in 
+#   \x05.
+#
+# Search packets have the following format:
+# - Two byte little endian integer giving the data length
+#   A single two letter word make this \x0a
+#   The biggest I could get it was \x4f
+# - Packet type = \x09
+# - One byte document type:
+#   - "all"      = 00
+#   - "audio"    = 01
+#   - "software" = 03
+#   - "video"    = 05
+#   - "document" = 06
+#   - "image"    = 07
+#   - "other"    = 08
+# - \x0f - I don't know what this means, but it is always this for me
+# - Two bytes of unknown meaning that change
+# - Some number search words: 
+#   - \x14 - I don't know what this means, but it is always this for me
+#   - One byte length of the first search word 
+#     Between 2 and \x14 in my tests with Ares 1.8.8.2998
+#     It ignores single letter words and truncates ones longer than \x14
+#   - Two bytes of unknown meaning that change
+#   - The search word (not null terminated)
+# This was all investigated by searching for strings in "all".  Searches
+# can also be performed in "title" and "author".  I'm not going to
+# bother to research these because I new realize that searches are done
+# on the same TCP connection as the login packets, so there is no need
+# to match them separately.
+#
+# File transfers appear to be encrypted or at least obfuscated.  (The
+# files themselves, at least, are not transmitted in the clear.) I
+# haven't found any patterns.
diff --git a/usr/local/share/protocols/armagetron.pat b/usr/local/share/protocols/armagetron.pat
new file mode 100644
index 0000000..fb4cc1e
--- /dev/null
+++ b/usr/local/share/protocols/armagetron.pat
@@ -0,0 +1,11 @@
+# Armagetron Advanced - open source Tron/snake based multiplayer game
+# Pattern attributes: good slow notsofast
+# Protocol groups: open_source game
+# Wiki: http://protocolinfo.org/wiki/Armagetron
+
+# Contributed to protocolinfo.org, possibly by joda.bot, who says "The 
+# filter matches the initial transfer of configuration data. Very early 
+# versions might not transfer the CYCLE_ Settings (before 0.2.5.x)."
+
+armagetron
+YCLC_E|CYEL
diff --git a/usr/local/share/protocols/battlefield1942.pat b/usr/local/share/protocols/battlefield1942.pat
new file mode 100644
index 0000000..1a4d9c0
--- /dev/null
+++ b/usr/local/share/protocols/battlefield1942.pat
@@ -0,0 +1,13 @@
+# Battlefield 1942 - An EA game
+# Pattern attributes: ok veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Battlefield_1942
+#
+# Contributed by Myles Uyema <mylesuyema AT gmail.com>
+#
+# This pattern has only been tested by one person.
+
+# tested on two original EA battlefield 1942 servers
+# matches the first two packets of joining a server
+battlefield1942
+^\x01\x11\x10\|\xf8\x02\x10\x40\x06
diff --git a/usr/local/share/protocols/battlefield2.pat b/usr/local/share/protocols/battlefield2.pat
new file mode 100644
index 0000000..088714c
--- /dev/null
+++ b/usr/local/share/protocols/battlefield2.pat
@@ -0,0 +1,25 @@
+# Battlefield 2 - An EA game.
+# Pattern attributes: ok slow notsofast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Battlefield_2
+#
+# This pattern is unconfirmed except implicitly by a comment on protocolinfo.
+
+battlefield2
+# gameplay|account-login|server browsing/information
+# See http://protocolinfo.org/wiki/Battlefield_2
+# Can we put a ^ on the last branch?  If so, nosofast --> veryfast
+
+# 193.85.217.35 on protocolinfo says:
+# The first part of the pattern, \x11\x20\x01\xa0\x98\x11, has to be 
+# modified for different version of Battlefield 2. The gameplay part of 
+# pattern for BF2 v1.4 is \x11\x20\x01\x30\xb9\x10\x11, and for BF2 
+# v1.41 is \x11\x20\x01\x50\xb9\x10\x11
+#
+# Rather than put all of those in, I've just gone with "...?" in the 
+# middle.
+
+^(\x11\x20\x01...?\x11|\xfe\xfd.?.?.?.?.?.?(\x14\x01\x06|\xff\xff\xff))|[]\x01].?battlefield2
+
+# Pattern prior to 193.85.217.35's comment on protocolinfo:
+#^(\x11\x20\x01\xa0\x98\x11|\xfe\xfd.?.?.?.?.?.?(\x14\x01\x06|\xff\xff\xff))|[]\x01].?battlefield2
diff --git a/usr/local/share/protocols/battlefield2142.pat b/usr/local/share/protocols/battlefield2142.pat
new file mode 100644
index 0000000..6794cff
--- /dev/null
+++ b/usr/local/share/protocols/battlefield2142.pat
@@ -0,0 +1,13 @@
+# Battlefield 2142 - An EA game.
+# Pattern attributes: ok fast fast
+# Protocol groups: proprietary game 
+# Wiki: http://protocolinfo.org/wiki/Battlefield_2142
+
+# Submitted by Telsin.  Not confirmed.
+
+battlefield2142
+# gameplay|account-login|server browsing/information
+# Can't put a ^ on the last branch: it fails to match if you do.
+# This branch seems to matter very rarely, though
+^(\x11\x20\x01\x90\x50\x64\x10|\xfe\xfd.?.?.?\x18|[\x01\\].?battlefield2)
+
diff --git a/usr/local/share/protocols/bgp.pat b/usr/local/share/protocols/bgp.pat
new file mode 100644
index 0000000..d7985c0
--- /dev/null
+++ b/usr/local/share/protocols/bgp.pat
@@ -0,0 +1,18 @@
+# BGP - Border Gateway Protocol - RFC 1771
+# Pattern attributes: ok veryfast fast
+# Protocol groups: networking ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/BGP
+#
+# This pattern is UNTESTED.
+
+bgp
+# "After a transport protocol connection is established, the first
+# message sent by each side is an OPEN message."
+# "If the Type of the message is OPEN, or if the Authentication Code used
+# in the OPEN message of the connection is zero, then the Marker must be
+# all ones."
+# Then the 2 byte length field, then the 1 byte type field (1 = OPEN).
+# Then the BGP version: 3 was RFC'd in 1991, 4 was RFC'd in 1995.
+# Could keep going, but that should be sufficient.
+^\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff..?\x01[\x03\x04]
+
diff --git a/usr/local/share/protocols/biff.pat b/usr/local/share/protocols/biff.pat
new file mode 100644
index 0000000..7df399a
--- /dev/null
+++ b/usr/local/share/protocols/biff.pat
@@ -0,0 +1,15 @@
+# Biff - new mail notification 
+# Pattern attributes: good veryfast fast undermatch overmatch
+# Protocol groups: mail
+# Wiki: http://www.protocolinfo.org/wiki/Biff
+#
+# Usually runs on port 512
+#
+# This pattern is completely untested.
+
+biff
+# This is a rare case where we will specify a $ (end of line), since
+# this is the entirety of the communication.
+# something that looks like a username, an @, a number.
+# won't catch usernames that have strange characters in them.
+^[a-z][a-z0-9]+@[1-9][0-9]+$
diff --git a/usr/local/share/protocols/bittorrent.pat b/usr/local/share/protocols/bittorrent.pat
new file mode 100644
index 0000000..e5aa5bc
--- /dev/null
+++ b/usr/local/share/protocols/bittorrent.pat
@@ -0,0 +1,27 @@
+# Bittorrent - P2P filesharing / publishing tool - http://www.bittorrent.com
+# Pattern attributes: good slow notsofast undermatch
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/Bittorrent
+#
+# This pattern has been tested and is believed to work well.
+# It will, however, not work on bittorrent streams that are encrypted, since
+# it's impossible to match encrypted data (unless the encryption is extremely 
+# weak, like rot13 or something...).
+
+bittorrent
+
+# Does not attempt to match the HTTP download of the tracker
+# 0x13 is the length of "bittorrent protocol"
+# Second two bits match UDP wierdness
+# Next bit matches something Azureus does
+# Ditto on the next bit.  Could also match on "user-agent: azureus", but that's in the next
+# packet and perhaps this will match multiple clients.
+
+# Recently the ^ was removed from before \x13.  I think this was an accident,
+# so I have restored it.
+
+# This is not a valid GNU basic regular expression (but that's ok).
+^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=)|d1:ad2:id20:|\x08'7P\)[RP]
+
+# This pattern is "fast", but won't catch as much
+#^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=)
diff --git a/usr/local/share/protocols/chikka.pat b/usr/local/share/protocols/chikka.pat
new file mode 100644
index 0000000..c7259a7
--- /dev/null
+++ b/usr/local/share/protocols/chikka.pat
@@ -0,0 +1,16 @@
+# Chikka - SMS service which can be used without phones - http://chikka.com
+# Pattern attributes: good veryfast fast superset
+# Protocol groups: proprietary chat
+# Wiki: http://www.protocolinfo.org/wiki/Chikka
+
+# Tested with Chikka Javalite on 14 Jan 2007.
+# The login and chat use the same TCP connection.
+
+# "Kamusta" means "Hello" in Tagalog, apparently, so that will probably 
+# stay the same.  I've only seen v1.2, but I've given it some leeway for 
+# past and future versions.
+
+# Chikka uses CIMD as part of the login process, see cimd.pat
+
+chikka
+^CTPv1.[123] Kamusta.*\x0d\x0a$
diff --git a/usr/local/share/protocols/cimd.pat b/usr/local/share/protocols/cimd.pat
new file mode 100644
index 0000000..6df274f
--- /dev/null
+++ b/usr/local/share/protocols/cimd.pat
@@ -0,0 +1,18 @@
+# Computer Interface to Message Distribution, an SMSC protocol by Nokia
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: proprietary chat
+# Wiki: http://www.protocolinfo.org/wiki/CIMD
+
+# I don't know whether CIMD is ever found by itself in a TCP connection. 
+# I have only seen it myself as part of the Chikka login process, in 
+# which the second and third packets (at least) are CIMD.  So I am not 
+# using a '^' at the beginning.
+#
+# This pretty well explains the pattern:
+# http://en.wikipedia.org/w/index.php?title=CIMD&oldid=42707583
+# However, Chikka does NOT terminate the last field with a tab.
+#
+# Tested with Chikka Javalite on 14 Jan 2007.
+
+cimd
+\x02[0-4][0-9]:[0-9]+.*\x03$
diff --git a/usr/local/share/protocols/ciscovpn.pat b/usr/local/share/protocols/ciscovpn.pat
new file mode 100644
index 0000000..c15725e
--- /dev/null
+++ b/usr/local/share/protocols/ciscovpn.pat
@@ -0,0 +1,10 @@
+# Cisco VPN - VPN client software to a Cisco VPN server
+# Pattern attributes: ok veryfast fast
+# Protocol groups: remote_access proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Cisco_VPN
+# 
+# This pattern contributed by Myles Uyema <myles AT uyema.net>
+
+ciscovpn
+^\x01\xf4\x01\xf4
+
diff --git a/usr/local/share/protocols/citrix.pat b/usr/local/share/protocols/citrix.pat
new file mode 100644
index 0000000..1215c22
--- /dev/null
+++ b/usr/local/share/protocols/citrix.pat
@@ -0,0 +1,11 @@
+# Citrix ICA - proprietary remote desktop application - http://citrix.com
+# Pattern attributes: marginal notsofast notsofast
+# Protocol groups: remote_access proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Citrix
+# 
+# This pattern is UNTESTED.
+
+# This is based on decode_citrix in dsniff 2.4.
+
+citrix
+\x32\x26\x85\x92\x58
diff --git a/usr/local/share/protocols/counterstrike-source.pat b/usr/local/share/protocols/counterstrike-source.pat
new file mode 100644
index 0000000..94aa07a
--- /dev/null
+++ b/usr/local/share/protocols/counterstrike-source.pat
@@ -0,0 +1,41 @@
+# Counterstrike (using the new "Source" engine) - network game 
+# Pattern attributes: good veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Counter-Strike
+#
+# By adam.randazzoATgmail.com
+
+counterstrike-source
+^\xff\xff\xff\xff.*cstrikeCounter-Strike
+
+# These games use Steam, which is developed by Valve Software.
+#
+# This was based off of the following captured data from ethereal:
+# --Source--
+# 0000   00 11 09 2a a8 79 00 13 10 2c 3f d7 08 00 45 20  ...*.y...,?...E 
+# 0010   00 72 b9 f6 00 00 6b 11 b6 78 18 0e 04 cc c0 a8  .r....k..x......
+# 0020   01 6a 69 87 04 65 00 5e 01 ac ff ff ff ff 49 07  .ji..e.^......I.
+# 0030   54 4a 27 73 20 50 6c 61 63 65 20 6f 66 20 50 61  TJ's Place of Pa
+# 0040   69 6e 00 64 65 5f 70 69 72 61 6e 65 73 69 00 63  in.de_piranesi.c
+# 0050   73 74 72 69 6b 65 00 43 6f 75 6e 74 65 72 2d 53  strike.Counter-S
+# 0060   74 72 69 6b 65 3a 20 53 6f 75 72 63 65 00 dc 00  trike: Source...
+# 0070   08 10 06 64 77 00 00 31 2e 30 2e 30 2e 31 38 00  ...dw..1.0.0.18.
+# 0080  
+# 
+# --1.6--
+# 0000   00 11 09 2a a8 79 00 13 10 2c 3f d7 08 00 45 00  ...*.y...,?...E.
+# 0010   00 8e c4 1a 00 00 76 11 b3 85 08 09 02 fa c0 a8  ......v.........
+# 0020   01 14 69 91 04 37 00 7a c9 90 ff ff ff ff 6d 38  ..i..7.z......m8
+# 0030   2e 39 2e 32 2e 32 35 30 3a 32 37 30 32 35 00 49  .9.2.250:27025.I
+# 0040   50 20 2d 20 43 6c 61 6e 20 73 65 72 76 65 72 00  P - Clan server.
+# 0050   64 65 5f 64 75 73 74 32 00 63 73 74 72 69 6b 65  de_dust2.cstrike
+# 0060   00 43 6f 75 6e 74 65 72 2d 53 74 72 69 6b 65 00  .Counter-Strike.
+# 0070   0a 0c 2f 64 77 00 01 77 77 77 2e 63 6f 75 6e 74  ../dw..www.count
+# 0080   65 72 2d 73 74 72 69 6b 65 2e 6e 65 74 00 00 00  er-strike.net...
+# 0090   01 00 00 00 00 9e f7 0a 00 01 00 00              ............
+
+
+# Old pattern.  (Adam Randazzo says "CS 1.6 and CS: Source are the
+# only two versions that are playable on the Internet since Valve
+# disabled the WON system in favor of steam.")
+# cs .*dl.www.counter-strike.net
diff --git a/usr/local/share/protocols/cvs.pat b/usr/local/share/protocols/cvs.pat
new file mode 100644
index 0000000..d6cf503
--- /dev/null
+++ b/usr/local/share/protocols/cvs.pat
@@ -0,0 +1,13 @@
+# CVS - Concurrent Versions System
+# Pattern attributes: good veryfast fast
+# Protocol groups: version_control open_source
+# Wiki: http://www.protocolinfo.org/wiki/CVS
+
+cvs
+
+# Matches pserver login.  AUTH is for actually starting the protocol
+# VERIFICATION is for authenticating without starting the protocols
+# and GSSAPI is for using security services such as kerberos.
+# http://www.loria.fr/~molli/cvs/doc/cvsclient_3.html
+
+^BEGIN (AUTH|VERIFICATION|GSSAPI) REQUEST\x0a
diff --git a/usr/local/share/protocols/dayofdefeat-source.pat b/usr/local/share/protocols/dayofdefeat-source.pat
new file mode 100644
index 0000000..1a90b4d
--- /dev/null
+++ b/usr/local/share/protocols/dayofdefeat-source.pat
@@ -0,0 +1,10 @@
+# Day of Defeat: Source - game (Half-Life 2 mod) - http://www.valvesoftware.com
+# Pattern attributes: good veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Day_of_Defeat:Source
+#
+# By Clayton Macleod <cherry twist at gmail dot com>
+
+dayofdefeat-source
+^\xff\xff\xff\xff.*dodDay of Defeat
+
diff --git a/usr/local/share/protocols/dhcp.pat b/usr/local/share/protocols/dhcp.pat
new file mode 100644
index 0000000..9594ea4
--- /dev/null
+++ b/usr/local/share/protocols/dhcp.pat
@@ -0,0 +1,35 @@
+# DHCP - Dynamic Host Configuration Protocol - RFC 1541
+# Pattern attributes: good veryfast fast
+# Protocol groups: networking ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/DHCP
+#
+# Usually runs on ports 67 (server) and 68 (client)
+#
+# Also matches BOOTP (Bootstrap Protocol (RFC 951)) in the case that 
+# the "vendor specific options" are used (these options were made standard
+# for DHCP).
+#
+# This pattern is lightly tested.
+
+dhcp
+^[\x01\x02][\x01- ]\x06.*c\x82sc
+
+# Let's break that down:
+#
+# (\x01|\x02) is for BOOTREQUEST or BOOTREPLY
+# Is there a demand for doing these seperately?  The Packeteer does.
+#
+# [\x01-\x20] is for any of the hardware address types listed at
+# (http://www.iana.org/assignments/arp-parameters) and hopefully faster 
+# ethernets too (100, 1000 and 10000mb) as well (do they share the 10mb 
+# number?).
+#
+# \x06 for "hardware address length = 6 bytes".  Does anyone use other lengths
+# these days?  If so, this pattern won't match it as it stands.
+#
+# .* covers the hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, 
+# chaddr, sname and file fields.  While this can't really be "any number
+# of characters" long, it doesn't seem worth it to count.
+# Can we make this more specific by restricting the number of hops or seconds?
+#
+# 0x63825363 is the "magic cookie" which begins the DHCP options field.
diff --git a/usr/local/share/protocols/directconnect.pat b/usr/local/share/protocols/directconnect.pat
new file mode 100644
index 0000000..41631f7
--- /dev/null
+++ b/usr/local/share/protocols/directconnect.pat
@@ -0,0 +1,13 @@
+# Direct Connect - P2P filesharing - http://www.neo-modus.com
+# Pattern attributes: good fast fast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Direct_Connect
+#
+# Direct Connect "hubs" listen on port 411
+# http://www.dcpp.net/wiki/
+# I've verified that this pattern can be used to limit direct connect
+# bandwidth using DC:PRO 0.2.3.149R11.
+
+directconnect
+# client-to-client handshake|client-to-hub login, hub speaking|client-to-hub login, client speaking
+^(\$mynick |\$lock |\$key )
diff --git a/usr/local/share/protocols/dns.pat b/usr/local/share/protocols/dns.pat
new file mode 100644
index 0000000..5bc0ac0
--- /dev/null
+++ b/usr/local/share/protocols/dns.pat
@@ -0,0 +1,62 @@
+# DNS - Domain Name System - RFC 1035
+# Pattern attributes: great slow fast
+# Protocol groups: networking ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/DNS
+
+# Thanks to Sebastien Bechet <s.bechet AT av7.net> for TLD detection
+# improvements
+
+# While RFC 2181 says "Occasionally it is assumed that the Domain Name
+# System serves only the purpose of mapping Internet host names to data,
+# and mapping Internet addresses to host names.  This is not correct, the
+# DNS is a general (if somewhat limited) hierarchical database, and can
+# store almost any kind of data, for almost any purpose.", we will assume 
+# just that, because that represents the vast majority of DNS traffic.
+
+# The packet starts with a 2 byte random ID number and 2 bytes of flags that
+# aren't easy to match on.
+
+# The first thing that is matchable is QDCOUNT, the number of queries.
+# Despite the fact that you can apparently ask for up to 65535
+# things at a time, usually you only ask for one and I doubt you ever ask for
+# zero.  Let's allow up to two, just in case (even though I can't find any 
+# situation that generates more than one).
+
+# Next comes the ANCOUNT, NSCOUNT, and ARCOUNT fields, which could be null
+# or some smallish number, not matchable except by length (up to 6)
+
+# The next matchable thing is the query address. The first byte indicates the
+# length of the first part of the address, which is limited to 63 (0x3F == '?').
+# The next byte has to be a letter (for domain names) or number (for reverse lookups).
+# Then there can be an combination of 
+# letters, digits, hyphens, and 0x01-0x3F length markers.
+# Then we check for the presence of a top-level-domain at some later point.
+# This is indicated by a 0x02-0x06 and at least two letters, followed by no
+# more than four more letters.
+# Note that this will miss a very few queries that are for a TLD alone.
+# i.e. "host museum" (195.7.77.17)
+#
+# http://www.icann.org/tlds   http://www.iana.org/cctld/cctld-whois.htm
+
+# next is the QTYPE field, which has valid values 1-16 (although this
+# could probably be restricted further since many are rare) and \x1c for
+# IPv6 (and maybe more?).  It should follow immediately after the TLD
+# (and some stripped-out nulls)
+
+# next is QCLASS, which has valid values 1-4 and 255, except 2 is never used.
+# I'm not sure if 3 and 4 are used, so I'll include them. 1=Internet 255=any
+
+# If we wanted to match queries and responses separately, there could be
+# more specifics after this for the responses.
+
+dns
+# here's a sane way of doing it
+^.?.?.?.?[\x01\x02].?.?.?.?.?.?[\x01-?][a-z0-9][\x01-?a-z]*[\x02-\x06][a-z][a-z][fglmoprstuvz]?[aeop]?(um)?[\x01-\x10\x1c][\x01\x03\x04\xFF]
+
+# This way assumes that TLDs are any alpha string 2-6 characters long.
+# If TLDs are added, this is a good fallback.
+#^.?.?.?.?[\x01\x02].?.?.?.?.?.?[\x01-?][a-z0-9][\x01-?a-z]*[\x02-\x06][a-z][a-z][a-z]?[a-z]?[a-z]?[a-z]?[\x01-\x10][\x01\x03\x04\xFF]
+
+# If you have more processing power than me, you can substitute this for
+# the [a-z][a-z][a-z]?[a-z]?[a-z]?[a-z]?
+#(aero|arpa|biz|com|coop|edu|gov|info|int|mil|museum|name|net|org|pro|arpa|ac|ad|ae|af|ag|ai|al|am|an|ao|aq|ar|as|at|au|aw|az|ba|bb|bd|be|bf|bg|bh|bi|bj|bm|bn|bo|br|bs|bt|bv|bw|by|bz|ca|cc|cd|cf|cg|ch|ci|ck|cl|cm|cn|co|cr|cu|cv|cx|cy|cz|de|dj|dk|dm|do|dz|ec|ee|eg|eh|er|es|et|fi|fj|fk|fm|fo|fr|ga|gd|ge|gf|gg|gh|gi|gl|gm|gn|gp|gq|gr|gs|gt|gu|gw|gy|hk|hm|hn|hr|ht|hu|id|ie|il|im|in|io|iq|ir|is|it|je|jm|jo|jp|ke|kg|kh|ki|km|kn|kp|kr|kw|ky|kz|la|lb|lc|li|lk|lr|ls|lt|lu|lv|ly|ma|mc|md|mg|mh|mk|ml|mm|mn|mo|mp|mq|mr|ms|mt|mu|mv|mw|mx|my|mz|na|nc|ne|nf|ng|ni|nl|no|np|nr|nu|nz|om|pa|pe|pf|pg|ph|pk|pl|pm|pn|pr|ps|pt|pw|py|qa|re|ro|ru|rw|sa|sb|sc|sd|se|sg|sh|si|sj|sk|sl|sm|sn|so|sr|st|sv|sy|sz|tc|td|tf|tg|th|tj|tk|tm|tn|to|tp|tr|tt|tv|tw|tz|ua|ug|uk|um|us|uy|uz|va|vc|ve|vg|vi|vn|vu|wf|ws|ye|yt|yu|za|zm|zw)
diff --git a/usr/local/share/protocols/doom3.pat b/usr/local/share/protocols/doom3.pat
new file mode 100644
index 0000000..ef59ee7
--- /dev/null
+++ b/usr/local/share/protocols/doom3.pat
@@ -0,0 +1,9 @@
+# Doom 3 - computer game
+# Pattern attributes: good veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Doom
+#
+# Thanks to Clayton Macleod (cherrytwist at gmail.com).
+
+doom3
+^\xff\xffchallenge
diff --git a/usr/local/share/protocols/edonkey.pat b/usr/local/share/protocols/edonkey.pat
new file mode 100644
index 0000000..50a072c
--- /dev/null
+++ b/usr/local/share/protocols/edonkey.pat
@@ -0,0 +1,36 @@
+# eDonkey2000 - P2P filesharing - http://edonkey2000.com and others
+# Pattern attributes: good veryfast fast overmatch
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/EDonkey
+#
+# Tested recently (April/May 2006) with eMule 0.47a and eDonkey2000 1.4
+# and a long time ago with something else. 
+# 
+# In addition to matching what you might expect, this matches much of
+# what eMule does when you tell it to only connect to the KAD network. 
+# I don't quite know what to make of this.
+
+# Thanks to Matt Skidmore <fox AT woozle.org>
+
+edonkey
+
+# http://gd.tuwien.ac.at/opsys/linux/sf/p/pdonkey/eDonkey-protocol-0.6
+#
+# In addition to \xe3, \xc5 and \xd4, I see a lot of \xe5.
+# As of April 2006, I also see some \xe4.
+#
+# God this is a mess.  What an irritating protocol.  
+# This will match about 2% of streams with random data in them!
+# (But fortunately much fewer than 2% of streams that are other protocols.
+# You can test this with the data in ../testing/)
+
+^[\xc5\xd4\xe3-\xe5].?.?.?.?([\x01\x02\x05\x14\x15\x16\x18\x19\x1a\x1b\x1c\x20\x21\x32\x33\x34\x35\x36\x38\x40\x41\x42\x43\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58[\x60\x81\x82\x90\x91\x93\x96\x97\x98\x99\x9a\x9b\x9c\x9e\xa0\xa1\xa2\xa3\xa4]|\x59................?[ -~]|\x96....$)
+
+# matches everything and too much 
+# ^(\xe3|\xc5|\xd4)
+
+# ipp2p essentially uses "\xe3....\x47", which doesn't seem at all right to me.
+
+# bandwidtharbitrator uses 
+# e0.*@.*6[a-z].*p$|e0.*@.*[a-z]6[a-z].*p0$|e.*@.*[0-9]6.*p$|emule|edonkey
+# no comments to explain what all the mush is, of course...
diff --git a/usr/local/share/protocols/fasttrack.pat b/usr/local/share/protocols/fasttrack.pat
new file mode 100644
index 0000000..c821ae4
--- /dev/null
+++ b/usr/local/share/protocols/fasttrack.pat
@@ -0,0 +1,22 @@
+# FastTrack - P2P filesharing (Kazaa, Morpheus, iMesh, Grokster, etc)
+# Pattern attributes: good slow notsofast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Fasttrack
+#
+# Tested with Kazaa Lite Resurrection 0.0.7.6F
+#
+# This appears to match the download connections well, but not the search
+# connections (I think they are encrypted :-( ).
+
+fasttrack
+# while this is a valid http request, this will be caught because
+# the http pattern matches the response (and therefore the next packet)
+# Even so, it's best to put this match earlier in the chain.
+# http://cvs.berlios.de/cgi-bin/viewcvs.cgi/gift-fasttrack/giFT-FastTrack/PROTOCOL?rev=HEAD&content-type=text/vnd.viewcvs-markup
+
+# This pattern is kinda slow, but not too bad.
+^get (/.download/[ -~]*|/.supernode[ -~]|/.status[ -~]|/.network[ -~]*|/.files|/.hash=[0-9a-f]*/[ -~]*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?
+
+# This isn't much faster:
+#^get (/.download/.*|/.supernode.|/.status.|/.network.*|/.files|/.hash=[0-9a-f]*/.*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?
+
diff --git a/usr/local/share/protocols/finger.pat b/usr/local/share/protocols/finger.pat
new file mode 100644
index 0000000..b2b59d8
--- /dev/null
+++ b/usr/local/share/protocols/finger.pat
@@ -0,0 +1,14 @@
+# Finger - User information server - RFC 1288
+# Pattern attributes: good slow slow undermatch overmatch
+# Protocol groups: ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/Finger
+#
+# Usually runs on port 79
+#
+# This pattern is lightly tested.
+
+finger
+# The first matches the client request, which should look like a username.
+# The second matches the usual UNIX reply (but remember that they are
+# allowed to say whatever they want)
+^[a-z][a-z0-9\-_]+|login: [\x09-\x0d -~]* name: [\x09-\x0d -~]* Directory: 
diff --git a/usr/local/share/protocols/freenet.pat b/usr/local/share/protocols/freenet.pat
new file mode 100644
index 0000000..626acb9
--- /dev/null
+++ b/usr/local/share/protocols/freenet.pat
@@ -0,0 +1,9 @@
+# Freenet - Anonymous information retrieval - http://freenetproject.org
+# Pattern attributes: poor veryfast fast
+# Protocol groups: p2p document_retrieval open_source
+# Wiki: http://www.protocolinfo.org/wiki/Freenet
+
+freenet
+# Freenet is intentionally hard to identify...
+# This is empirical, only tested on one computer, and unlikely to work anymore.
+^\x01[\x08\x09][\x03\x04]
diff --git a/usr/local/share/protocols/ftp.pat b/usr/local/share/protocols/ftp.pat
new file mode 100644
index 0000000..a7f9e0e
--- /dev/null
+++ b/usr/local/share/protocols/ftp.pat
@@ -0,0 +1,45 @@
+# FTP - File Transfer Protocol - RFC 959
+# Pattern attributes: great notsofast fast
+# Protocol groups: document_retrieval ietf_internet_standard
+# Wiki: http://protocolinfo.org/wiki/FTP
+#
+# Usually runs on port 21.  Note that the data stream is on a dynamically
+# assigned port, which means that you will need the FTP connection 
+# tracking module in your kernel to usefully match FTP data transfers.
+# 
+# This pattern is well tested.
+#
+# Handles the first two things a server should say:
+#
+# First, the server says it's ready by sending "220".  Most servers say 
+# something after 220, even though they don't have to, and it usually 
+# includes the string "ftp" (l7-filter is case insensitive). This 
+# includes proftpd, vsftpd, wuftpd, warftpd, pureftpd, Bulletproof FTP 
+# Server, and whatever ftp.microsoft.com uses.  Almost all servers use only 
+# ASCII printable characters between the "220" and the "FTP", but non-English
+# ones might use others.
+# 
+# The next thing the server sends is a 331.  All the above servers also 
+# send something including "password" after this code.  By default, we 
+# do not match on this because it takes another packet and is more work 
+# for regexec.
+
+ftp
+# by default, we allow only ASCII
+^220[\x09-\x0d -~]*ftp
+
+# This covers UTF-8 as well 
+#^220[\x09-\x0d -~\x80-\xfd]*ftp
+
+# This allows any characters and is about 4x faster than either of the above 
+# (which are about the same as each other)
+#^220.*ftp
+
+# This is much slower
+#^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*password
+
+# This pattern is more precise, but takes longer to match. (3 packets vs. 1)
+#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a331
+
+# same as above, but slightly less precise and only takes 2 packets.
+#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a
diff --git a/usr/local/share/protocols/gkrellm.pat b/usr/local/share/protocols/gkrellm.pat
new file mode 100644
index 0000000..2acf73b
--- /dev/null
+++ b/usr/local/share/protocols/gkrellm.pat
@@ -0,0 +1,12 @@
+# Gkrellm - a system monitor - http://gkrellm.net
+# Pattern attributes: great veryfast fast
+# Protocol groups: monitoring open_source
+# Wiki: http://www.protocolinfo.org/wiki/Gkrellm
+# 
+# This pattern has been tested and is believed to work well.
+# Since this is not anything resembling a published protocol, it may change without
+# warning in new versions of gkrellm.
+
+gkrellm
+# tested with gkrellm 2.2.7
+^gkrellm [23].[0-9].[0-9]\x0a$
diff --git a/usr/local/share/protocols/gnucleuslan.pat b/usr/local/share/protocols/gnucleuslan.pat
new file mode 100644
index 0000000..2a106f4
--- /dev/null
+++ b/usr/local/share/protocols/gnucleuslan.pat
@@ -0,0 +1,9 @@
+# GnucleusLAN - LAN-only P2P filesharing
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/GnucleusLAN
+#
+# This pattern has been tested and is believed to work well.
+
+gnucleuslan
+gnuclear connect/[\x09-\x0d -~]*user-agent: gnucleus [\x09-\x0d -~]*lan:
diff --git a/usr/local/share/protocols/gnutella.pat b/usr/local/share/protocols/gnutella.pat
new file mode 100644
index 0000000..57a76de
--- /dev/null
+++ b/usr/local/share/protocols/gnutella.pat
@@ -0,0 +1,33 @@
+# Gnutella - P2P filesharing
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/Gnutella
+#
+# This should match both Gnutella and "Gnutella2" ("Mike's protocol")
+# 
+# Various clients use this protocol including Mactella, Shareaza,
+# GTK-gnutella, Gnucleus, Gnotella, LimeWire, iMesh and BearShare.
+# 
+# This is tested with gtk-gnutella and Shareaza.
+
+# http://www.gnutella2.com/tiki-index.php?page=UDP%20Transceiver
+# http://rfc-gnutella.sf.net/
+# http://www.gnutella2.com/tiki-index.php?page=Gnutella2%20Specification
+# http://en.wikipedia.org/wiki/Shareaza
+
+gnutella
+
+# The first part matches UDP messages - All start with "GND", then have
+# a flag byte which is either \x00, \x01 or \x02, then two sequence bytes
+# that can be anything, then a fragment number, which must start at 1.
+# The rest matches TCP first client message or first server message (in case 
+# we can't see client messages).  Some parts of this are empirical rather than 
+# document based.  Assumes version is between 0.0 and 2.9. (usually is
+# 0.4 or 0.6).  I'm guessing at many of the user-agents.
+# The last bit is emprical and probably only matches Limewire.
+^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|...................?lime)
+
+# Needlessly precise, at the expense of time
+#^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /[\x09-\x0d -~]*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /[\x09-\x0d -~]*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella[\x09-\x0d -~]*content-type: application/x-gnutella|..................lime)
+
+
diff --git a/usr/local/share/protocols/goboogy.pat b/usr/local/share/protocols/goboogy.pat
new file mode 100644
index 0000000..2cc93da
--- /dev/null
+++ b/usr/local/share/protocols/goboogy.pat
@@ -0,0 +1,12 @@
+# GoBoogy - a Korean P2P protocol
+# Pattern attributes: marginal slow notsofast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/GoBoogy
+# 
+# This pattern is untested and likely does not work in all cases!
+#
+# By Adam Przybyla, modified by Matthew Strait.  Possibly lifted from 
+# Josh Ballard (oofle.com).
+
+goboogy
+<peerplat>|^get /getfilebyhash\.cgi\?|^get /queue_register\.cgi\?|^get /getupdowninfo\.cgi\?
diff --git a/usr/local/share/protocols/gopher.pat b/usr/local/share/protocols/gopher.pat
new file mode 100644
index 0000000..3f49757
--- /dev/null
+++ b/usr/local/share/protocols/gopher.pat
@@ -0,0 +1,24 @@
+# Gopher - A precursor to HTTP - RFC 1436
+# Pattern attributes: good slow notsofast undermatch
+# Protocol groups: document_retrieval obsolete ietf_rfc_documented
+# Wiki: http://www.protocolinfo.org/wiki/Gopher
+#
+# Gopher servers usually run on TCP port 70.
+#
+# This pattern is lightly tested using gopher.dna.affrc.go.jp .
+
+gopher
+# This matches the server's response, but naturally only if it is a
+# directory listing, not if it is sending a file, because then the data 
+# is totally arbitrary.
+
+# Matches the client saying "list what you have", then the server
+# response: one of the file type characters, any printable characters, a
+# tab, any printable characters, a tab, something that looks like a
+# domain name, a tab, and then a number which could be the start of a
+# port number.
+
+# "0About internet Gopher\tStuff:About us\trawBits.micro.umn.edu\t70"
+# "\r7search by keywords on protein data using wais\twaissrc:/protein_all/protein\tgopher.dna.affrc.go.jp\t70"
+
+^[\x09-\x0d]*[1-9,+tgi][\x09-\x0d -~]*\x09[\x09-\x0d -~]*\x09[a-z0-9.]*\.[a-z][a-z].?.?\x09[1-9]
diff --git a/usr/local/share/protocols/h323.pat b/usr/local/share/protocols/h323.pat
new file mode 100644
index 0000000..d3f59c5
--- /dev/null
+++ b/usr/local/share/protocols/h323.pat
@@ -0,0 +1,35 @@
+# H.323 - Voice over IP.
+# Pattern attributes: ok veryfast fast
+# Protocol groups: voip itu-t_standard
+# Wiki: http://www.protocolinfo.org/wiki/H.323
+#
+# This pattern is written without knowledge of the principles of H.323.
+# It has only been tested with gnomemeeting and may not work for other
+# clients. 
+#
+# Also, it has been reported that:
+# "the pattern ... match[es] only first H.323 stream (conntrack for H.323 was 
+# enabled).  Also the major chunk of traffic was of RTP which went untracked."
+#
+# Also, it may very well match other things that use TPKT and
+# Q.931. 
+
+# Note that to take full advantage of this pattern, you will need to
+# have connection tracking of H.323 support in your kernel.  This
+# support is not in the stock kernel.  A patch can be found at
+# http://netfilter.org
+
+h323
+# TPKT format: http://www.ietf.org/rfc/rfc1006.txt
+# \x03 = TPKT version.  It was 3 in May 1987 and gnomemeeting still uses 3.
+# ..? = null reserved byte and packet length field.
+# Q.931 format: http://www.freesoft.org/CIE/Topics/126.htm
+# \x08  = Q.931
+# . = length of call reference
+# The next byte was: \x18 = message sent from originating side.
+# But based on experimentation, it seems that just . is better. 
+# .?.?.?.?.?.?.?.?.?.?.?.?.?.?.? = call reference (0-15 bytes (0 for nulls))
+# \x05 = setup message
+#
+# Yup, it doesn't actually include any H.323 protocol information.
+^\x03..?\x08...?.?.?.?.?.?.?.?.?.?.?.?.?.?.?\x05
diff --git a/usr/local/share/protocols/halflife2-deathmatch.pat b/usr/local/share/protocols/halflife2-deathmatch.pat
new file mode 100644
index 0000000..6efe59e
--- /dev/null
+++ b/usr/local/share/protocols/halflife2-deathmatch.pat
@@ -0,0 +1,9 @@
+# Half-Life 2 Deathmatch - popular computer game
+# Pattern attributes: good veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Half-Life
+# 
+# By Clayton Macleod <cherrytwist TA gmail.com>
+
+halflife2-deathmatch
+^\xff\xff\xff\xff.*hl2mpDeathmatch
diff --git a/usr/local/share/protocols/hddtemp.pat b/usr/local/share/protocols/hddtemp.pat
new file mode 100644
index 0000000..31a640f
--- /dev/null
+++ b/usr/local/share/protocols/hddtemp.pat
@@ -0,0 +1,13 @@
+# hddtemp - Hard drive temperature reporting
+# Pattern attributes: great veryfast fast
+# Protocol groups: monitoring open_source
+# Wiki: http://www.protocolinfo.org/wiki/HDDtemp
+# 
+# Usually runs on port 7634
+#
+# You're a silly person if you use this pattern.
+#
+# This pattern has been tested and is believed to work well.
+
+hddtemp
+^\|/dev/[a-z][a-z][a-z]\|[0-9a-z]*\|[0-9][0-9]\|[cfk]\|
diff --git a/usr/local/share/protocols/hotline.pat b/usr/local/share/protocols/hotline.pat
new file mode 100644
index 0000000..1c11c62
--- /dev/null
+++ b/usr/local/share/protocols/hotline.pat
@@ -0,0 +1,11 @@
+# Hotline - An old P2P filesharing protocol
+# Pattern attributes: marginal fast fast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Hotline
+# 
+# This pattern is untested!
+#
+# This is lifted from http://oofle.com/filesharing.php?app=hotline
+
+hotline
+^....................TRTPHOTL\x01\x02
diff --git a/usr/local/share/protocols/http-rtsp.pat b/usr/local/share/protocols/http-rtsp.pat
new file mode 100644
index 0000000..3cb65fb
--- /dev/null
+++ b/usr/local/share/protocols/http-rtsp.pat
@@ -0,0 +1,15 @@
+# RTSP tunneled within HTTP
+# Pattern attributes: ok notsofast notsofast subset
+# Protocol groups: streaming_audio streaming_video ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/RTSP
+#
+# Apple's documentation on what Quicktime does:
+# http://developer.apple.com/quicktime/icefloe/dispatch028.html
+# This is what the first part of the pattern is about
+#
+# The second part is based on the example in RFC 2326.  For this part to
+# work, this pattern MUST be earlier in the iptables rules chain than
+# HTTP.  Otherwise, the stream will be identified as HTTP.
+
+http-rtsp
+^(get[\x09-\x0d -~]* Accept: application/x-rtsp-tunnelled|http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*a=control:rtsp://)
diff --git a/usr/local/share/protocols/http.pat b/usr/local/share/protocols/http.pat
new file mode 100644
index 0000000..550aa0b
--- /dev/null
+++ b/usr/local/share/protocols/http.pat
@@ -0,0 +1,27 @@
+# HTTP - HyperText Transfer Protocol - RFC 2616
+# Pattern attributes: great slow notsofast superset
+# Protocol groups: document_retrieval ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+#
+# Usually runs on port 80
+#
+# This pattern has been tested and is believed to work well.
+#
+# this intentionally catches the response from the server rather than
+# the request so that other protocols which use http (like kazaa) can be
+# caught based on specific http requests regardless of the ordering of
+# filters... also matches posts
+
+# Sites that serve really long cookies may break this by pushing the
+# server response too far away from the beginning of the connection. To
+# fix this, increase the kernel's data buffer length.
+
+http
+# Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF (rfc 2616)
+# As specified in rfc 2616 a status code is preceeded and followed by a
+# space. 
+http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019]
+# A slightly faster version that might be good enough:
+#http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]|post [\x09-\x0d -~]* http/[01]\.[019]
+# old pattern(s):
+#(http[\x09-\x0d -~]*(200 ok|302 |304 )[\x09-\x0d -~]*(connection:|content-type:|content-length:))|^(post [\x09-\x0d -~]* http/)
diff --git a/usr/local/share/protocols/ident.pat b/usr/local/share/protocols/ident.pat
new file mode 100644
index 0000000..d6d89c3
--- /dev/null
+++ b/usr/local/share/protocols/ident.pat
@@ -0,0 +1,14 @@
+# Ident - Identification Protocol - RFC 1413
+# Pattern attributes: good fast fast
+# Protocol groups: networking ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/Ident
+#
+# Usually runs on port 113
+#
+# This pattern is believed to work.
+
+ident
+# "number , numberCRLF" possibly without the CR and/or LF.
+# ^$ is appropriate because the first packet should never have anything
+# else in it.
+^[1-9][0-9]?[0-9]?[0-9]?[0-9]?[\x09-\x0d]*,[\x09-\x0d]*[1-9][0-9]?[0-9]?[0-9]?[0-9]?(\x0d\x0a|[\x0d\x0a])?$
diff --git a/usr/local/share/protocols/imap.pat b/usr/local/share/protocols/imap.pat
new file mode 100644
index 0000000..eac620d
--- /dev/null
+++ b/usr/local/share/protocols/imap.pat
@@ -0,0 +1,13 @@
+# IMAP - Internet Message Access Protocol (A common e-mail protocol)
+# Pattern attributes: great veryfast fast
+# Protocol groups: mail ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/IMAP
+#
+# This matches IMAP4 (RFC 3501) and probably IMAP2 (RFC 1176)
+#
+# This pattern has been tested and is believed to work well.
+# 
+# This matches the IMAP welcome message or a noop command (which for 
+# some unknown reason can happen at the start of a connection?)  
+imap
+^(\* ok|a[0-9]+ noop)
diff --git a/usr/local/share/protocols/imesh.pat b/usr/local/share/protocols/imesh.pat
new file mode 100644
index 0000000..782047f
--- /dev/null
+++ b/usr/local/share/protocols/imesh.pat
@@ -0,0 +1,14 @@
+# iMesh - the native protocol of iMesh, a P2P application - http://imesh.com
+# Pattern attributes: ok notsofast notsofast
+# Protocol groups: p2p
+# Wiki:   http://protocolinfo.org/wiki/iMesh
+#
+# depending on the version of iMesh (the program), it can also use fasttrack,
+# gnutella and edonkey in addition to iMesh (the protocol).
+
+imesh
+# The first branch matches the login
+# The second branch matches the main non-download connection (searches, etc)
+# The third branch matches downloads of "premium" content
+# The fourth branch matches peer downloads.
+^(post[\x09-\x0d -~]*<PasswordHash>................................</PasswordHash><ClientVer>|\x34\x80?\x0d?\xfc\xff\x04|get[\x09-\x0d -~]*Host: imsh\.download-prod\.musicnet\.com|\x02[\x01\x02]\x83.*\x02[\x01\x02]\x83)
diff --git a/usr/local/share/protocols/ipp.pat b/usr/local/share/protocols/ipp.pat
new file mode 100644
index 0000000..a4a4d14
--- /dev/null
+++ b/usr/local/share/protocols/ipp.pat
@@ -0,0 +1,11 @@
+# IP printing - a new standard for UNIX printing - RFC 2911
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: printer ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/IPP
+#
+# This pattern has been tested and is believed to work well.
+
+ipp
+# It's unlikely that anything else has this string, but I think we could
+# do a bit better...
+ipp://
diff --git a/usr/local/share/protocols/irc.pat b/usr/local/share/protocols/irc.pat
new file mode 100644
index 0000000..2767336
--- /dev/null
+++ b/usr/local/share/protocols/irc.pat
@@ -0,0 +1,19 @@
+# IRC - Internet Relay Chat - RFC 1459
+# Pattern attributes: great veryfast fast
+# Protocol groups: chat ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/IRC
+#
+# Usually runs on port 6666 or 6667
+# Note that chat traffic runs on these ports, but IRC-DCC traffic (which
+# can use much more bandwidth) uses a dynamically assigned port, so you 
+# must have the IRC connection tracking module in your kernel to classify
+# this.
+#
+# This pattern has been tested and is believed to work well.
+
+irc
+# First thing that happens is that the client sends NICK and USER, in 
+# either order.  This allows MIRC color codes (\x02-\x0d instead of
+# \x09-\x0d).
+^(nick[\x09-\x0d -~]*user[\x09-\x0d -~]*:|user[\x09-\x0d -~]*:[\x02-\x0d -~]*nick[\x09-\x0d -~]*\x0d\x0a)
+
diff --git a/usr/local/share/protocols/jabber.pat b/usr/local/share/protocols/jabber.pat
new file mode 100644
index 0000000..aa51c76
--- /dev/null
+++ b/usr/local/share/protocols/jabber.pat
@@ -0,0 +1,23 @@
+# Jabber (XMPP) - open instant messenger protocol - RFC 3920 - http://jabber.org
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: chat ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/Jabber
+#
+# This pattern has been tested with Gaim and Gabber.  It is only tested 
+# with non-SSL mode Jabber with no proxies.
+
+# Thanks to Jan Hudec for some improvements.
+
+# Jabber seems to take a long time to set up a connection.  I'm
+# connecting with Gabber 0.8.8 to 12jabber.org and the first 8 packets
+# is this:
+# <stream:stream to='12jabber.com' xmlns='jabber:client'
+# xmlns:stream='http://etherx.jabber.org/streams'><?xml
+# version='1.0'?><stream:stream
+# xmlns:stream='http://etherx.jabber.org/streams' id='3f73e951'
+# xmlns='jabber:client' from='12jabber.com'>
+#
+# No mention of my username or password yet, you'll note.
+
+jabber
+<stream:stream[\x09-\x0d ][ -~]*[\x09-\x0d ]xmlns=['"]jabber
diff --git a/usr/local/share/protocols/kugoo.pat b/usr/local/share/protocols/kugoo.pat
new file mode 100644
index 0000000..be15ad5
--- /dev/null
+++ b/usr/local/share/protocols/kugoo.pat
@@ -0,0 +1,14 @@
+# KuGoo - a Chinese P2P program - http://www.kugoo.com
+# Pattern attributes: ok veryfast fast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/KuGoo
+#
+# The author of this pattern says it works, but this is unconfirmed.
+# Written by www.routerclub.com wsgtrsys.
+#
+# LanTian submitted \x64.+\x74\x47\x50\x37 for "KuGoo2", but adding as 
+# another branch makes the pattern REALLY slow.  If it could have a ^, that'd
+# be ok (still veryfast/fast).  Waiting to hear.
+
+kugoo
+^(\x31..\x8e|\x64.+\x74\x47\x50\x37)
diff --git a/usr/local/share/protocols/live365.pat b/usr/local/share/protocols/live365.pat
new file mode 100644
index 0000000..9360892
--- /dev/null
+++ b/usr/local/share/protocols/live365.pat
@@ -0,0 +1,14 @@
+# live365 - An Internet radio site - http://live365.com
+# Pattern attributes: marginal notsofast notsofast
+# Protocol groups: streaming_audio
+# Wiki: http://www.protocolinfo.org/wiki/Live365
+#
+# This pattern was "contributed" (taken with permission) by the bandwidth 
+# arbitrator project (www.bandwidtharbitrator.com).
+#
+# This pattern is unconfirmed.
+
+live365
+# FIXME: what's going on here?
+membername.*session.*player
+
diff --git a/usr/local/share/protocols/liveforspeed.pat b/usr/local/share/protocols/liveforspeed.pat
new file mode 100644
index 0000000..17b755d
--- /dev/null
+++ b/usr/local/share/protocols/liveforspeed.pat
@@ -0,0 +1,12 @@
+# Live For Speed - A racing game.
+# Pattern attributes: poor veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Live_For_Speed
+#
+# This pattern was submitted to protocolinfo.org by 80.55.238.74 with no
+# explanation.  It is unconfirmed.
+
+# Live For Speed S2 Alpha 0.5 X10
+liveforspeed
+^..\x05\x58\x0a\x1d\x03
+# The same guy came by the next day and deleted the \x03 without comment...
diff --git a/usr/local/share/protocols/lpd.pat b/usr/local/share/protocols/lpd.pat
new file mode 100644
index 0000000..d1b8ae7
--- /dev/null
+++ b/usr/local/share/protocols/lpd.pat
@@ -0,0 +1,17 @@
+# LPD - Line Printer Daemon Protocol (old-style UNIX printing) - RFC 1179
+# Pattern attributes: ok fast fast
+# Protocol groups: printer ietf_rfc_documented
+# Wiki: http://www.protocolinfo.org/wiki/LPD
+#
+# This pattern is untested.
+
+lpd
+# print waiting jobs:  ^\x01[!-~]+\x0a$
+# receive a print job: ^\x02[!-~]+\x0a.[\x01\x02\x03][\x01-\x0a -~]*\x0a$
+# Send queue state:    ^[\x03\x04][!-~]+[\x09-\x0d]+[a-z][\x09-\x0d -~]*\x0a$
+# Remove jobs:         ^\x05[!-~]+[\x09-\x0d]+([a-z][!-~]*[\x09-\x0d]+[1-9][0-9]?[0-9]?|root[\x09-\x0d]+[!-~]+).*\x0a$
+
+# This pattern looks like it might match random data once in a while, but 
+# testing shows that this is not the case.
+
+^(\x01[!-~]+|\x02[!-~]+\x0a.[\x01\x02\x03][\x01-\x0a -~]*|[\x03\x04][!-~]+[\x09-\x0d]+[a-z][\x09-\x0d -~]*|\x05[!-~]+[\x09-\x0d]+([a-z][!-~]*[\x09-\x0d]+[1-9][0-9]?[0-9]?|root[\x09-\x0d]+[!-~]+).*)\x0a$
diff --git a/usr/local/share/protocols/mohaa.pat b/usr/local/share/protocols/mohaa.pat
new file mode 100644
index 0000000..aebe47a
--- /dev/null
+++ b/usr/local/share/protocols/mohaa.pat
@@ -0,0 +1,10 @@
+# Medal of Honor Allied Assault - an Electronic Arts game
+# Pattern attributes: good veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Medal_of_Honor_Allied_Assault
+#
+# This pattern is written and tested by Krzysztof Maciejewski.
+
+mohaa
+^\xff\xff\xff\xffgetstatus\x0a
+
diff --git a/usr/local/share/protocols/msn-filetransfer.pat b/usr/local/share/protocols/msn-filetransfer.pat
new file mode 100644
index 0000000..5ffddfc
--- /dev/null
+++ b/usr/local/share/protocols/msn-filetransfer.pat
@@ -0,0 +1,29 @@
+# MSN (Micosoft Network) Messenger file transfers (MSNFTP and MSNSLP)
+# Pattern attributes: good veryfast fast
+# Protocol groups: chat document_retrieval proprietary
+# Wiki: http://www.protocolinfo.org/wiki/MSN_Messenger
+#
+# http://www.hypothetic.org/docs/msn/client/file_transfer.php
+
+# NOTE!  This pattern does not catch the modern type of MSN filetransfers
+# because they use the same TCP connection as the chat itself.  See 
+# ../example_traffic/msn_chat_and_file_transfer.txt for a demonstration.
+
+# This pattern has been tested and seems to work well.  It, does,
+# however, require more testing with various versions of the official
+# MSN client as well as with clones such as Trillian, Miranda, Gaim,
+# etc.  If you are using a MSN clone and this pattern DOES work for you,
+# please, also let us know.
+
+# First part matches the older MSNFTP: A MSN filetransfer is a normal
+# MSN connection except that the protocol is MSNFTP. Some clients
+# (especially Trillian) send other protocol versions besides MSNFTP
+# which should be matched by the [ -~]*.
+
+# Second part matches newer MSNSLP: 
+# http://msnpiki.msnfanatic.com/index.php/MSNC:MSNSLP
+# This part is untested.
+
+msn-filetransfer
+^(ver [ -~]*msnftp\x0d\x0aver msnftp\x0d\x0ausr|method msnmsgr:)
+
diff --git a/usr/local/share/protocols/msnmessenger.pat b/usr/local/share/protocols/msnmessenger.pat
new file mode 100644
index 0000000..41f1075
--- /dev/null
+++ b/usr/local/share/protocols/msnmessenger.pat
@@ -0,0 +1,27 @@
+# MSN Messenger - Microsoft Network chat client
+# Pattern attributes: good slow notsofast
+# Protocol groups: chat proprietary
+# Wiki: http://www.protocolinfo.org/wiki/MSN_Messenger
+#
+# Usually uses TCP port 1863
+# http://www.hypothetic.org/docs/msn/index.php
+# http://msnpiki.msnfanatic.com/
+#
+# This pattern has been tested and is believed to work well.
+
+msnmessenger
+
+# First branch: login
+#   ver: allow versions up to 99.
+#   I've never seen a cvr other than cvr0.  Maybe this will be trouble later?
+#   Can't anchor at the beginning because sometimes this is encapsulated in
+#   HTTP.  But either way, the first packet ends like this.
+# Second/Third branches: accepting/sending a message
+#   I will assume that these can also be encapsulated in HTTP, although I have
+#   not checked.  Example of each direction:
+#   ANS 1 quadong@hotmail.com 1139803431.29427 17522047
+#   USR 1 quadong@hotmail.com 530423708.968145.366138
+
+# Branches are written entirely separately for better performance.
+ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]*cvr0\x0d\x0a$|usr 1 [!-~]+ [0-9. ]+\x0d\x0a$|ans 1 [!-~]+ [0-9. ]+\x0d\x0a$
+
diff --git a/usr/local/share/protocols/mute.pat b/usr/local/share/protocols/mute.pat
new file mode 100644
index 0000000..c803090
--- /dev/null
+++ b/usr/local/share/protocols/mute.pat
@@ -0,0 +1,10 @@
+# MUTE - P2P filesharing - http://mute-net.sourceforge.net
+# Pattern attributes: marginal veryfast fast
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/MUTE
+#
+# This pattern is lightly tested.  I don't know for sure that it will 
+# match the actual file transfers.
+
+mute
+^(Public|AES)Key: [0-9a-f]*\x0aEnd(Public|AES)Key\x0a$
diff --git a/usr/local/share/protocols/napster.pat b/usr/local/share/protocols/napster.pat
new file mode 100644
index 0000000..83005b8
--- /dev/null
+++ b/usr/local/share/protocols/napster.pat
@@ -0,0 +1,23 @@
+# Napster - P2P filesharing
+# Pattern attributes: good fast fast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Napster
+#
+# All my tests show that this pattern is fast, but one user has reported that
+# it is slow.  Your milage may vary.
+# 
+# Should work for any Napster offspring, like OpenNAP.
+# (Yes, people still use this!)
+# Matches both searches and downloads.
+#
+# http://opennap.sourceforge.net/napster.txt
+#
+# This pattern has been tested and is believed to work well.
+
+napster
+# (client-server: length, assumed to be less than 256, login or new user login, 
+# username, password, port, client ID, link-type |
+# client-client: 1, firewalled or not, username, filename) 
+# Assumes that filenames are well-behaved ASCII strings.  I have found
+# one case where this assumptions fails (filename had \x99 in it).
+^(.[\x02\x06][!-~]+ [!-~]+ [0-9][0-9]?[0-9]?[0-9]?[0-9]? "[\x09-\x0d -~]+" ([0-9]|10)|1(send|get)[!-~]+ "[\x09-\x0d -~]+")
diff --git a/usr/local/share/protocols/nbns.pat b/usr/local/share/protocols/nbns.pat
new file mode 100644
index 0000000..d4fff4f
--- /dev/null
+++ b/usr/local/share/protocols/nbns.pat
@@ -0,0 +1,19 @@
+# NBNS - NetBIOS name service
+# Pattern attributes: good slow notsofast
+# Protocol groups: networking proprietary
+# Wiki: http://www.protocolinfo.org/wiki/NBNS
+#
+# This pattern has been tested and is believed to work well.
+#
+# name query
+# \x01\x10 means name query
+#
+# registration NB
+# (\x10 or )\x10 means registration
+#
+# release NB (merged with registration)
+# 0\x10 means release
+
+nbns
+# This is not a valid basic GNU regular expression.
+\x01\x10\x01|\)\x10\x01\x01|0\x10\x01
diff --git a/usr/local/share/protocols/ncp.pat b/usr/local/share/protocols/ncp.pat
new file mode 100644
index 0000000..b4788a1
--- /dev/null
+++ b/usr/local/share/protocols/ncp.pat
@@ -0,0 +1,22 @@
+# NCP - Novell Core Protocol
+# Pattern attributes: good veryfast fast
+# Protocol groups: networking proprietary
+# Wiki: http://www.protocolinfo.org/wiki/NCP
+#
+# This pattern has been tested and is believed to work well.
+
+# ncp request
+# dmdt means Request
+#  *any length
+#
+#  *any reply buffer size
+# "" means service request
+#  | \x17\x17 means create a service connection
+#  | uu means destroy service connection
+
+# ncp reply
+# tncp means reply
+# 33 means service reply
+
+ncp
+^(dmdt.*\x01.*(""|\x11\x11|uu)|tncp.*33)
diff --git a/usr/local/share/protocols/netbios.pat b/usr/local/share/protocols/netbios.pat
new file mode 100644
index 0000000..8e90074
--- /dev/null
+++ b/usr/local/share/protocols/netbios.pat
@@ -0,0 +1,28 @@
+# NetBIOS - Network Basic Input Output System
+# Pattern attributes: marginal notsofast notsofast
+# Protocol groups: networking ietf_internet_standard proprietary
+# Wiki: http://www.protocolinfo.org/wiki/NetBIOS
+#
+# As mentioned in smb.pat:
+#
+# "This protocol is sometimes also referred to as the Common Internet File 
+# System (CIFS), LanManager or NetBIOS protocol." -- "man samba"
+#
+# Actually, SMB is a higher level protocol than NetBIOS.  However, the 
+# NetBIOS header is only 4 bytes: not much to match on.
+#
+# http://www.ubiqx.org/cifs/SMB.html
+# See also RFCs 1001 and 1002.
+#
+# This pattern attempts to match the (Session layer) NetBIOS Session request. 
+# If sucessful, you may be able to match NetBIOS several packets earlier 
+# than if you just waited for the easier-to-match SMB header.
+#
+# This pattern is untested.
+
+netbios
+# session request byte, three bytes of flags and length.  Then 
+# there should be a big mess of letters between A and P which represent
+# the NetBIOS names of the involved computers (with a null between them).  
+# (40ish here, damn this regexp implementation and its lack of {40,})
+\x81.?.?.[A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P]
diff --git a/usr/local/share/protocols/nntp.pat b/usr/local/share/protocols/nntp.pat
new file mode 100644
index 0000000..769c8a5
--- /dev/null
+++ b/usr/local/share/protocols/nntp.pat
@@ -0,0 +1,20 @@
+# NNTP - Network News Transfer Protocol - RFCs 977 and 2980
+# Pattern attributes: good veryfast fast
+# Protocol groups: ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/NNTP
+#
+# usually runs on port 119
+
+# This pattern is tested and is believed to work well (but could use
+# more testing).
+
+nntp
+# matches authorized login
+# OR 
+# matches unauthorized login if the server says "news" after 200/201
+# (Half of the 2 servers I tested did :-), but they both required authorization
+# so it's quite possible that this pattern will miss some nntp traffic.)
+^(20[01][\x09-\x0d -~]*AUTHINFO USER|20[01][\x09-\x0d -~]*news)
+
+# same thing, slightly more accurate, but 100+ times slower
+#^20[01][\x09-\x0d -~]*\x0d\x0a[\x09-\x0d -~]*AUTHINFO USER|20[01][\x09-\x0d -~]*news
diff --git a/usr/local/share/protocols/ntp.pat b/usr/local/share/protocols/ntp.pat
new file mode 100644
index 0000000..a24fb05
--- /dev/null
+++ b/usr/local/share/protocols/ntp.pat
@@ -0,0 +1,16 @@
+# (S)NTP - (Simple) Network Time Protocol - RFCs 1305 and 2030
+# Pattern attributes: good fast fast overmatch 
+# Protocol groups: time_synchronization ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/NTP
+#
+# This pattern is tested and is believed to work.
+
+# client|server
+# Requires the server's timestamp to be in the present or future (of 2005).
+# Tested with ntpdate on Linux.
+# Assumes version 2, 3 or 4.
+
+# Note that ntp packets are always 48 bytes, so you should match on that too.
+
+ntp
+^([\x13\x1b\x23\xd3\xdb\xe3]|[\x14\x1c$].......?.?.?.?.?.?.?.?.?[\xc6-\xff])
diff --git a/usr/local/share/protocols/openft.pat b/usr/local/share/protocols/openft.pat
new file mode 100644
index 0000000..f81499a
--- /dev/null
+++ b/usr/local/share/protocols/openft.pat
@@ -0,0 +1,12 @@
+# OpenFT - P2P filesharing (implemented in giFT library)
+# Pattern attributes: good fast notsofast
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/OpenFT
+
+# Ben Efros <ben AT xgendev.com> says:
+# "This pattern identifies openFT P2P transfers fine.  openFT is part of giFT
+# and is a pretty large p2p network. I would describe this pattern as pretty 
+# weak, but it works for the giFT-based clients I've used."
+
+openft
+x-openftalias: [-)(0-9a-z ~.]
diff --git a/usr/local/share/protocols/pcanywhere.pat b/usr/local/share/protocols/pcanywhere.pat
new file mode 100644
index 0000000..86dae6b
--- /dev/null
+++ b/usr/local/share/protocols/pcanywhere.pat
@@ -0,0 +1,11 @@
+# pcAnywhere - Symantec remote access program
+# Pattern attributes: marginal veryfast fast
+# Protocol groups: remote_access proprietary
+# Wiki: http://www.protocolinfo.org/wiki/PcAnywhere
+
+# This is completely untested!
+# See http://www.unixwiz.net/tools/pcascan.txt
+
+pcanywhere
+# I think this only matches queries and not the bulk of the traffic!
+^(nq|st)$
diff --git a/usr/local/share/protocols/poco.pat b/usr/local/share/protocols/poco.pat
new file mode 100644
index 0000000..2bcf66d
--- /dev/null
+++ b/usr/local/share/protocols/poco.pat
@@ -0,0 +1,11 @@
+# POCO and PP365 - Chinese P2P filesharing - http://pp365.com http://poco.cn
+# Pattern attributes: ok veryfast fast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Poco
+#
+# The author of this pattern says it works, but this is unconfirmed.
+# Written by www.routerclub.com wsgtrsys.
+
+poco
+^\x80\x94\x0a\x01....\x1f\x9e
+
diff --git a/usr/local/share/protocols/pop3.pat b/usr/local/share/protocols/pop3.pat
new file mode 100644
index 0000000..b3d76e2
--- /dev/null
+++ b/usr/local/share/protocols/pop3.pat
@@ -0,0 +1,49 @@
+# POP3 - Post Office Protocol version 3 (popular e-mail protocol) - RFC 1939
+# Pattern attributes: great veryfast fast
+# Protocol groups: mail ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/POP
+#
+# This pattern has been tested somewhat.
+
+# this is a difficult protocol to match because of the relative lack of 
+# distinguishing information.  Read on.
+pop3
+
+# this the most conservative pattern.  It should definitely work.
+#^(\+ok|-err)
+
+# this pattern assumes that the server says _something_ after +ok or -err
+# I think this is probably the way to go.
+^(\+ok |-err )
+
+# more that 90% of servers seem to say "pop" after "+ok", but not all.
+#^(\+ok .*pop)
+
+# Here's another tack. I think this is my second favorite.
+#^(\+ok [\x09-\x0d -~]*(ready|hello|pop|starting)|-err [\x09-\x0d -~]*(invalid|unknown|unimplemented|unrecognized|command))
+
+# this matches the server saying "you have N messages that are M bytes",
+# which the client probably asks for early in the session (not tested)
+#\+ok [0-9]+ [0-9]+
+
+# some sample servers:
+# RFC example:        +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>
+# mail.dreamhost.com: +OK Hello there.
+# pop.carleton.edu:   +OK POP3D(*) Server PMDFV6.2.2 at Fri, 12 Sep 2003 19:28:10 -0500 (CDT) (APOP disabled)
+# mail.earthlink.net: +OK NGPopper vEL_4_38 at earthlink.net ready <25509.1063412951@falcon>
+# *.email.umn.edu:    +OK Cubic Circle's v1.22 1998/04/11 POP3 ready <7d1e0000da67623f@aquamarine.tc.umn.edu>
+# mail.yale.edu:      +OK POP3 pantheon-po01 v2002.81 server ready
+# mail.gustavus.edu:  +OK POP3 solen v2001.78 server ready
+# mail.reed.edu:      +OK POP3 letra.reed.edu v2002.81 server ready
+# mail.bowdoin.edu:   +OK mail.bowdoin.edu POP3 service (iPlanet Messaging Server 5.2 HotFix 1.15 (built Apr 28 2003))
+# pop.colby.edu:      +OK Qpopper (version 4.0.5) at basalt starting.
+# mail.mac.com:       +OK Netscape Messaging Multiplexor ready
+
+# various error strings:
+#-ERR Invalid command.
+#-ERR invalid command
+#-ERR unimplemented
+#-ERR Invalid command, try one of: USER name, PASS string, QUIT
+#-ERR Unknown AUTHORIZATION state command
+#-ERR Unrecognized command
+#-ERR Unknown command: "sadf'".
diff --git a/usr/local/share/protocols/qq.pat b/usr/local/share/protocols/qq.pat
new file mode 100644
index 0000000..7689439
--- /dev/null
+++ b/usr/local/share/protocols/qq.pat
@@ -0,0 +1,25 @@
+# Tencent QQ Protocol - Chinese instant messenger protocol - http://www.qq.com
+# Pattern attributes: good fast fast
+# Protocol groups: chat
+# Wiki: http://www.protocolinfo.org/wiki/QQ
+#
+# Over six million people use QQ in China, according to wsgtrsys.
+# 
+# This pattern has been tested and is believed to work well.
+#
+# QQ uses three (two?) methods to connect to server(s?).
+# one is udp, and another is tcp
+# udp protocol: the first byte is 02 and last byte is 03
+# tcp protocol: the second byte is 02 and last byte is 03
+#   tony on protocolinfo.org says that now the *third* byte is 02:
+#     "but when I tested on my PC, I found that when qq2007/qq2008 
+#     use tcp protocol, the third byte instead of the second is always 02.
+#
+#     So the QQ protocol changed again, or I have made a mistake, I wonder 
+#     that."
+#   So now the pattern allows any of the first three bytes to be 02.  Delete
+#   one of the ".?" to restore to the old behaviour.
+# pattern written by www.routerclub.com wsgtrsys
+
+qq
+^.?.?\x02.+\x03$
diff --git a/usr/local/share/protocols/quake-halflife.pat b/usr/local/share/protocols/quake-halflife.pat
new file mode 100644
index 0000000..7e2b537
--- /dev/null
+++ b/usr/local/share/protocols/quake-halflife.pat
@@ -0,0 +1,26 @@
+# Half Life 1 engine games (HL 1, Quake 2/3/World, Counterstrike 1.6, etc.)
+# Pattern attributes: good veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Half-Life http://www.protocolinfo.org/wiki/Counter-Strike http://www.protocolinfo.org/wiki/Day_of_Defeat
+#
+# Contributed by Laurens Blankers <laurens AT blankersfamily.com>, who says:
+#
+# This pattern has been tested with QuakeWorld (2.30), Quake 2 (3.20), 
+# Quake 3 (1.32), and Half-life (1.1.1.0). But may also work on other
+# games based on the Quake engine.
+#
+# Clayton Macleod <cherrytwist A gmail.com> says:
+# [This should match] Counter-Strike v1.6, [...] the slightly updated
+# Counter-Strike: Condition Zero, and the game Day Of Defeat, Team
+# Fortress Classic, Deathmatch Classic, Ricochet, Half-Life [1] Deathmatch,
+# and I imagine all the other 3rd party mods that also use this engine
+# will match that pattern.
+
+quake-halflife
+# All quake (like) protocols start with 4x 0xFF.  Then the client either
+# issues getinfo or getchallenge.
+^\xff\xff\xff\xffget(info|challenge)
+
+# A previous quake pattern allowed the connection to start with only 2 bytes
+# of 0xFF.  This doesn't seem to ever happen, but we should keep an eye out
+# for it.
diff --git a/usr/local/share/protocols/quake1.pat b/usr/local/share/protocols/quake1.pat
new file mode 100644
index 0000000..18e0ca0
--- /dev/null
+++ b/usr/local/share/protocols/quake1.pat
@@ -0,0 +1,18 @@
+# Quake 1 - A popular computer game.
+# Pattern attributes: marginal veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Quake
+#
+# This pattern is untested and unconfirmed.
+
+# Info taken from http://www.gamers.org/dEngine/quake/QDP/qnp.html,
+# which says that it "is incomplete, inaccurate and only applies to
+# versions 0.91, 0.92, 1.00 and 1.01 of QUAKE"
+
+quake1
+# Connection request: 80 00 00 0c 01 51 55 41 4b 45 00 03
+# \x80 = control packet.
+# \x0c = packet length
+# \x01 = CCREQ_CONNECT
+# \x03 = protocol version (3 == 0.91, 0.92, 1.00, 1.01)
+^\x80\x0c\x01quake\x03
diff --git a/usr/local/share/protocols/radmin.pat b/usr/local/share/protocols/radmin.pat
new file mode 100644
index 0000000..52ff6e0
--- /dev/null
+++ b/usr/local/share/protocols/radmin.pat
@@ -0,0 +1,16 @@
+# Famatech Remote Administrator - remote desktop for MS Windows
+# Pattern attributes: ok veryfast fast
+# Protocol groups: remote_access proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Radmin
+#
+# This pattern has been verified with Radmin v1.1 and v3.0beta on Win2000/XP
+# It has only been tested between a single pair of computers.
+
+# The first packet of every TCP stream appears to be either one of:
+#
+# 01 00 00 00  01 00 00 00  08 08
+# 01 00 00 00  01 00 00 00  1b 1b
+
+radmin
+^\x01\x01(\x08\x08|\x1b\x1b)$
+
diff --git a/usr/local/share/protocols/rdp.pat b/usr/local/share/protocols/rdp.pat
new file mode 100644
index 0000000..e10a81d
--- /dev/null
+++ b/usr/local/share/protocols/rdp.pat
@@ -0,0 +1,19 @@
+# RDP - Remote Desktop Protocol (used in Windows Terminal Services)
+# Pattern attributes: ok notsofast notsofast
+# Protocol groups: remote_access proprietary
+# Wiki: http://www.protocolinfo.org/wiki/RDP
+#
+# This pattern was submitted by Michael Leong.  It has been tested under the 
+# following conditions: "WinXP Pro with all the patches, rdesktop server 
+# running on port 7000 instead of 3389 --> WinXP Pro Remote Desktop Client."
+# Also tested is WinXP to Win 2000 Server.
+
+# At least one other person has reported it to work as well.
+
+rdp
+rdpdr.*cliprdr.*rdpsnd
+
+# Old pattern, submitted by Daniel Weatherford.
+# rdpdr.*cliprdp.*rdpsnd 
+
+
diff --git a/usr/local/share/protocols/replaytv-ivs.pat b/usr/local/share/protocols/replaytv-ivs.pat
new file mode 100644
index 0000000..4d44b0f
--- /dev/null
+++ b/usr/local/share/protocols/replaytv-ivs.pat
@@ -0,0 +1,10 @@
+# ReplayTV Internet Video Sharing - Digital Video Recorder - http://replaytv.com
+# Pattern attributes: good veryfast fast
+# Protocol groups: 
+# Wiki: http://www.protocolinfo.org/wiki/ReplayTV
+#
+# Pattern by jm 409 at hot mail dot com, who says that this one "worked best".
+
+replaytv-ivs
+^(get /ivs-IVSGetFileChunk|http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*\x23\x23\x23\x23\x23REPLAY_CHUNK_START\x23\x23\x23\x23\x23)
+
diff --git a/usr/local/share/protocols/rlogin.pat b/usr/local/share/protocols/rlogin.pat
new file mode 100644
index 0000000..92f3735
--- /dev/null
+++ b/usr/local/share/protocols/rlogin.pat
@@ -0,0 +1,18 @@
+# rlogin - remote login - RFC 1282
+# Pattern attributes: ok veryfast fast
+# Protocol groups: remote_access ietf_rfc_documented
+# Wiki: http://www.protocolinfo.org/wiki/Rlogin
+#
+# usually runs on port 443
+#
+# This pattern is untested.
+
+rlogin
+# At least three characters (user name, user name, terminal type), 
+# the first of which could be the first character of a user name, a
+# slash, then a terminal speed.  (Assumes that usernames and terminal
+# types are alphanumeric only.  I'm sure there are usernames like
+# "straitm-47" out there, but it's not common.) All terminal speeds 
+# I know of end in two zeros and are between 3 and 6 digits long.
+# This pattern is uncomfortably general.
+^[a-z][a-z0-9][a-z0-9]+/[1-9][0-9]?[0-9]?[0-9]?00
diff --git a/usr/local/share/protocols/rtp.pat b/usr/local/share/protocols/rtp.pat
new file mode 100644
index 0000000..d808e1e
--- /dev/null
+++ b/usr/local/share/protocols/rtp.pat
@@ -0,0 +1,40 @@
+# RTP - Real-time Transport Protocol - RFC 3550
+# Pattern attributes: marginal overmatch undermatch veryfast fast
+# Protocol groups: streaming_video ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/RTP
+#
+# RTP headers are *very* short and compact.  They have almost nothing in 
+# them that can be matched by l7-filter.  If you want to match them 
+# along with their associated SIP packets, I think the best way might be 
+# to set up some iptables rules that watch for SIP packets and then also 
+# match any other UDP packets that are going between the same two IP 
+# addresses.
+#
+# However, I will attempt a pattern anyway.  This is UNTESTED!
+# 
+# I think we can count on the first bit being 1 and the second bit being 
+# 0 (meaning protocol version 2). The next two bits could go either way, 
+# but in the example I've seen, they are zero, so I'll assume they are 
+# usually zero.  The next four bits are a count of "contributing source 
+# identifiers".  I'm not sure how big that could be, but in the example 
+# I've seen, they're zero, so I'll assume they're usually zero. So that 
+# gives us ^\x80.  The marker bit that comes next is probably zero for 
+# the first packet, although that's not a sure thing.  Next is the 
+# payload type, 7 bits that might usually only take a few values, but 
+# maybe not. In the example I've seen, it's zero, which (with a zero 
+# marker bit) means it looks to l7-filter like it's not there at all.  
+# The rest of the header is random numbers (sequence number, timestamp, 
+# synchronization source identifier), so that's no help at all.
+#
+# I think the best we could do is to watch to see if several \x80 bytes 
+# come in with a small number of bytes between them.  This makes all the 
+# above assumptions and also assumes that the first packet has no 
+# payload and not too much trailing gargage.  So this will definitely not
+# work all the time.  It clearly also might match other stuff.
+
+rtp
+^\x80......?.?.?.?.?.?.?.?.?.?.?.?.?\x80
+
+# Might also try this.  It's a bit slower (one packet and not too much extra
+# regexec load) and a bit more accurate:
+#^\x80......?.?.?.?.?.?.?.?.?.?.?.?.?\x80.*\x80
diff --git a/usr/local/share/protocols/rtsp.pat b/usr/local/share/protocols/rtsp.pat
new file mode 100644
index 0000000..a5f309c
--- /dev/null
+++ b/usr/local/share/protocols/rtsp.pat
@@ -0,0 +1,14 @@
+# RTSP - Real Time Streaming Protocol - http://www.rtsp.org - RFC 2326
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: streaming_video ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/RTSP
+#
+# usually runs on port 554
+#
+# To take full advantage of this pattern, please see the RTSP connection 
+# tracking patch to the Linux kernel referenced at the above site.
+#
+# This pattern has been tested and is believed to work well.
+
+rtsp
+rtsp/1.0 200 ok
diff --git a/usr/local/share/protocols/shoutcast.pat b/usr/local/share/protocols/shoutcast.pat
new file mode 100644
index 0000000..6ae0824
--- /dev/null
+++ b/usr/local/share/protocols/shoutcast.pat
@@ -0,0 +1,26 @@
+# Shoutcast and Icecast - streaming audio
+# Pattern attributes: good slow notsofast
+# Protocol groups: streaming_audio
+# Wiki: http://www.protocolinfo.org/wiki/Icecast
+#
+# usually runs on port 80
+#
+# Original pattern contributed by Deepak Seshadri <dseshadri AT 
+# broadbandmaritime.com> who says "The difference between [Shoutcast and 
+# Icecast] is not clearly mentioned anywhere. According to this 
+# document, my pattern would filter JUST shoutcast packets."
+#
+# Should now match both Shoutcast and Icecast.  Tested with Winamp (in 
+# 2005) and Totem using streams at dir.xiph.org (in Nov 2007).
+#
+# http://sander.vanzoest.com/talks/2002/audio_and_apache/
+# http://forums.radiotoolbox.com/viewtopic.php?t=74
+# http://www.icecast.org
+
+shoutcast
+# The first branch looks for an HTTP request that looks like it is asking for
+# a SHOUTcast stream.  The second branch looks for the server's reply.  However,
+# some (newer?) servers answer with "http/1.0 200 OK", not "ICY 200 OK", so
+# this will not work.
+# This pattern was discovered using Ethereal.
+^get /.*icy-metadata:1|icy [1-5][0-9][0-9] [\x09-\x0d -~]*(content-type:audio|icy-)
diff --git a/usr/local/share/protocols/sip.pat b/usr/local/share/protocols/sip.pat
new file mode 100644
index 0000000..3782e33
--- /dev/null
+++ b/usr/local/share/protocols/sip.pat
@@ -0,0 +1,18 @@
+# SIP - Session Initiation Protocol - Internet telephony - RFC 3261
+# Pattern attributes: ok fast fast
+# Protocol groups: voip ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/SIP
+#
+# This pattern has been tested with the Ubiquity SIP user agent.
+#
+# Thanks to Ankit Desai for this pattern.
+#
+# SIP typically uses port 5060.
+#
+# This pattern is based on SIP request format as per RFC 3261. I'm not
+# sure about the version part. The RFC doesn't say anything about it, so
+# I have allowed version ranging from 0.x to 2.x.
+
+#Request-Line  =  Method SP Request-URI SP SIP-Version CRLF
+sip
+^(invite|register|cancel) sip[\x09-\x0d -~]*sip/[0-2]\.[0-9]
diff --git a/usr/local/share/protocols/skypeout.pat b/usr/local/share/protocols/skypeout.pat
new file mode 100644
index 0000000..a6b6ba7
--- /dev/null
+++ b/usr/local/share/protocols/skypeout.pat
@@ -0,0 +1,49 @@
+# Skype to phone - UDP voice call (program to POTS phone) - http://skype.com
+# Pattern attributes: ok slow notsofast overmatch
+# Protocol groups: voip p2p proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Skype
+
+# Thanks to Myles Uyema, mylesuyema AT gmail.com
+
+# Taken using Ethereal traces of Windows Skype v1.2.037, same in v1.2.0.18_API
+#
+# Skype will attempt to use the same UDP port for all its connections as
+# configured in its options.  However, this is a random port by default.
+# Skype has some preference for ports 80 and 443.
+#
+# Example sessions:
+#
+#SkypeOut <USA phone number>
+#c6 5c bf 41 8e 8d d6 d2 08 <-- this is sometimes as short as 1 byte and 
+#c6 5c bf 41 8e 8d d6 d2 08 <-- sometimes as long as 9 (or more?)
+#00 6b 2c f5 87 f1 06
+#00 6b 2c f5 87 f1 06
+#00 6b 2c f5 36 ea 85
+#00 6b 2c f5 36 ea 85
+#00 6b 2c f5 57 27 d4
+#00 6b 2c f5 57 27 d4
+#00 6b 2c f5 43 5b 00
+#00 6b 2c f5 43 5b 00
+#
+#SkypeOut <USA phone number>
+#7e 4f e5 b8
+#7e 4f e5 b8
+#00 6b 88 61 80 52 93
+#00 6b 88 61 80 52 93
+#00 6b 88 61 1a 09 e9
+#00 6b 88 61 1a 09 e9
+#00 6b 88 61 47 43 c4
+#00 6b 88 61 47 43 c4
+
+skypeout
+
+# Scary.  Our regular expressions suck.  This is a prime candidate for 
+# some sort of a scheme to support two different regular expressions 
+# when there's a major difference between what the two libraries allow.  
+# For the Henry Spencer library, there's not much that can be done 
+# except requiring that we see the same byte twice.
+
+# This matches about %4 of random streams and 13% of printable random streams
+
+# This is slow, but not as bad as you might think.
+^(\x01.?.?.?.?.?.?.?.?\x01|\x02.?.?.?.?.?.?.?.?\x02|\x03.?.?.?.?.?.?.?.?\x03|\x04.?.?.?.?.?.?.?.?\x04|\x05.?.?.?.?.?.?.?.?\x05|\x06.?.?.?.?.?.?.?.?\x06|\x07.?.?.?.?.?.?.?.?\x07|\x08.?.?.?.?.?.?.?.?\x08|\x09.?.?.?.?.?.?.?.?\x09|\x0a.?.?.?.?.?.?.?.?\x0a|\x0b.?.?.?.?.?.?.?.?\x0b|\x0c.?.?.?.?.?.?.?.?\x0c|\x0d.?.?.?.?.?.?.?.?\x0d|\x0e.?.?.?.?.?.?.?.?\x0e|\x0f.?.?.?.?.?.?.?.?\x0f|\x10.?.?.?.?.?.?.?.?\x10|\x11.?.?.?.?.?.?.?.?\x11|\x12.?.?.?.?.?.?.?.?\x12|\x13.?.?.?.?.?.?.?.?\x13|\x14.?.?.?.?.?.?.?.?\x14|\x15.?.?.?.?.?.?.?.?\x15|\x16.?.?.?.?.?.?.?.?\x16|\x17.?.?.?.?.?.?.?.?\x17|\x18.?.?.?.?.?.?.?.?\x18|\x19.?.?.?.?.?.?.?.?\x19|\x1a.?.?.?.?.?.?.?.?\x1a|\x1b.?.?.?.?.?.?.?.?\x1b|\x1c.?.?.?.?.?.?.?.?\x1c|\x1d.?.?.?.?.?.?.?.?\x1d|\x1e.?.?.?.?.?.?.?.?\x1e|\x1f.?.?.?.?.?.?.?.?\x1f|\x20.?.?.?.?.?.?.?.?\x20|\x21.?.?.?.?.?.?.?.?\x21|\x22.?.?.?.?.?.?.?.?\x22|\x23.?.?.?.?.?.?.?.?\x23|\$.?.?.?.?.?.?.?.?\$|\x25.?.?.?.?.?.?.?.?\x25|\x26.?.?.?.?.?.?.?.?\x26|\x27.?.?.?.?.?.?.?.?\x27|\(.?.?.?.?.?.?.?.?\(|\).?.?.?.?.?.?.?.?\)|\*.?.?.?.?.?.?.?.?\*|\+.?.?.?.?.?.?.?.?\+|\x2c.?.?.?.?.?.?.?.?\x2c|\x2d.?.?.?.?.?.?.?.?\x2d|\..?.?.?.?.?.?.?.?\.|\x2f.?.?.?.?.?.?.?.?\x2f|\x30.?.?.?.?.?.?.?.?\x30|\x31.?.?.?.?.?.?.?.?\x31|\x32.?.?.?.?.?.?.?.?\x32|\x33.?.?.?.?.?.?.?.?\x33|\x34.?.?.?.?.?.?.?.?\x34|\x35.?.?.?.?.?.?.?.?\x35|\x36.?.?.?.?.?.?.?.?\x36|\x37.?.?.?.?.?.?.?.?\x37|\x38.?.?.?.?.?.?.?.?\x38|\x39.?.?.?.?.?.?.?.?\x39|\x3a.?.?.?.?.?.?.?.?\x3a|\x3b.?.?.?.?.?.?.?.?\x3b|\x3c.?.?.?.?.?.?.?.?\x3c|\x3d.?.?.?.?.?.?.?.?\x3d|\x3e.?.?.?.?.?.?.?.?\x3e|\?.?.?.?.?.?.?.?.?\?|\x40.?.?.?.?.?.?.?.?\x40|\x41.?.?.?.?.?.?.?.?\x41|\x42.?.?.?.?.?.?.?.?\x42|\x43.?.?.?.?.?.?.?.?\x43|\x44.?.?.?.?.?.?.?.?\x44|\x45.?.?.?.?.?.?.?.?\x45|\x46.?.?.?.?.?.?.?.?\x46|\x47.?.?.?.?.?.?.?.?\x47|\x48.?.?.?.?.?.?.?.?\x48|\x49.?.?.?.?.?.?.?.?\x49|\x4a.?.?.?.?.?.?.?.?\x4a|\x4b.?.?.?.?.?.?.?.?\x4b|\x4c.?.?.?.?.?.?.?.?\x4c|\x4d.?.?.?.?.?.?.?.?\x4d|\x4e.?.?.?.?.?.?.?.?\x4e|\x4f.?.?.?.?.?.?.?.?\x4f|\x50.?.?.?.?.?.?.?.?\x50|\x51.?.?.?.?.?.?.?.?\x51|\x52.?.?.?.?.?.?.?.?\x52|\x53.?.?.?.?.?.?.?.?\x53|\x54.?.?.?.?.?.?.?.?\x54|\x55.?.?.?.?.?.?.?.?\x55|\x56.?.?.?.?.?.?.?.?\x56|\x57.?.?.?.?.?.?.?.?\x57|\x58.?.?.?.?.?.?.?.?\x58|\x59.?.?.?.?.?.?.?.?\x59|\x5a.?.?.?.?.?.?.?.?\x5a|\[.?.?.?.?.?.?.?.?\[|\\.?.?.?.?.?.?.?.?\\|\].?.?.?.?.?.?.?.?\]|\^.?.?.?.?.?.?.?.?\^|\x5f.?.?.?.?.?.?.?.?\x5f|\x60.?.?.?.?.?.?.?.?\x60|\x61.?.?.?.?.?.?.?.?\x61|\x62.?.?.?.?.?.?.?.?\x62|\x63.?.?.?.?.?.?.?.?\x63|\x64.?.?.?.?.?.?.?.?\x64|\x65.?.?.?.?.?.?.?.?\x65|\x66.?.?.?.?.?.?.?.?\x66|\x67.?.?.?.?.?.?.?.?\x67|\x68.?.?.?.?.?.?.?.?\x68|\x69.?.?.?.?.?.?.?.?\x69|\x6a.?.?.?.?.?.?.?.?\x6a|\x6b.?.?.?.?.?.?.?.?\x6b|\x6c.?.?.?.?.?.?.?.?\x6c|\x6d.?.?.?.?.?.?.?.?\x6d|\x6e.?.?.?.?.?.?.?.?\x6e|\x6f.?.?.?.?.?.?.?.?\x6f|\x70.?.?.?.?.?.?.?.?\x70|\x71.?.?.?.?.?.?.?.?\x71|\x72.?.?.?.?.?.?.?.?\x72|\x73.?.?.?.?.?.?.?.?\x73|\x74.?.?.?.?.?.?.?.?\x74|\x75.?.?.?.?.?.?.?.?\x75|\x76.?.?.?.?.?.?.?.?\x76|\x77.?.?.?.?.?.?.?.?\x77|\x78.?.?.?.?.?.?.?.?\x78|\x79.?.?.?.?.?.?.?.?\x79|\x7a.?.?.?.?.?.?.?.?\x7a|\{.?.?.?.?.?.?.?.?\{|\|.?.?.?.?.?.?.?.?\||\}.?.?.?.?.?.?.?.?\}|\x7e.?.?.?.?.?.?.?.?\x7e|\x7f.?.?.?.?.?.?.?.?\x7f|\x80.?.?.?.?.?.?.?.?\x80|\x81.?.?.?.?.?.?.?.?\x81|\x82.?.?.?.?.?.?.?.?\x82|\x83.?.?.?.?.?.?.?.?\x83|\x84.?.?.?.?.?.?.?.?\x84|\x85.?.?.?.?.?.?.?.?\x85|\x86.?.?.?.?.?.?.?.?\x86|\x87.?.?.?.?.?.?.?.?\x87|\x88.?.?.?.?.?.?.?.?\x88|\x89.?.?.?.?.?.?.?.?\x89|\x8a.?.?.?.?.?.?.?.?\x8a|\x8b.?.?.?.?.?.?.?.?\x8b|\x8c.?.?.?.?.?.?.?.?\x8c|\x8d.?.?.?.?.?.?.?.?\x8d|\x8e.?.?.?.?.?.?.?.?\x8e|\x8f.?.?.?.?.?.?.?.?\x8f|\x90.?.?.?.?.?.?.?.?\x90|\x91.?.?.?.?.?.?.?.?\x91|\x92.?.?.?.?.?.?.?.?\x92|\x93.?.?.?.?.?.?.?.?\x93|\x94.?.?.?.?.?.?.?.?\x94|\x95.?.?.?.?.?.?.?.?\x95|\x96.?.?.?.?.?.?.?.?\x96|\x97.?.?.?.?.?.?.?.?\x97|\x98.?.?.?.?.?.?.?.?\x98|\x99.?.?.?.?.?.?.?.?\x99|\x9a.?.?.?.?.?.?.?.?\x9a|\x9b.?.?.?.?.?.?.?.?\x9b|\x9c.?.?.?.?.?.?.?.?\x9c|\x9d.?.?.?.?.?.?.?.?\x9d|\x9e.?.?.?.?.?.?.?.?\x9e|\x9f.?.?.?.?.?.?.?.?\x9f|\xa0.?.?.?.?.?.?.?.?\xa0|\xa1.?.?.?.?.?.?.?.?\xa1|\xa2.?.?.?.?.?.?.?.?\xa2|\xa3.?.?.?.?.?.?.?.?\xa3|\xa4.?.?.?.?.?.?.?.?\xa4|\xa5.?.?.?.?.?.?.?.?\xa5|\xa6.?.?.?.?.?.?.?.?\xa6|\xa7.?.?.?.?.?.?.?.?\xa7|\xa8.?.?.?.?.?.?.?.?\xa8|\xa9.?.?.?.?.?.?.?.?\xa9|\xaa.?.?.?.?.?.?.?.?\xaa|\xab.?.?.?.?.?.?.?.?\xab|\xac.?.?.?.?.?.?.?.?\xac|\xad.?.?.?.?.?.?.?.?\xad|\xae.?.?.?.?.?.?.?.?\xae|\xaf.?.?.?.?.?.?.?.?\xaf|\xb0.?.?.?.?.?.?.?.?\xb0|\xb1.?.?.?.?.?.?.?.?\xb1|\xb2.?.?.?.?.?.?.?.?\xb2|\xb3.?.?.?.?.?.?.?.?\xb3|\xb4.?.?.?.?.?.?.?.?\xb4|\xb5.?.?.?.?.?.?.?.?\xb5|\xb6.?.?.?.?.?.?.?.?\xb6|\xb7.?.?.?.?.?.?.?.?\xb7|\xb8.?.?.?.?.?.?.?.?\xb8|\xb9.?.?.?.?.?.?.?.?\xb9|\xba.?.?.?.?.?.?.?.?\xba|\xbb.?.?.?.?.?.?.?.?\xbb|\xbc.?.?.?.?.?.?.?.?\xbc|\xbd.?.?.?.?.?.?.?.?\xbd|\xbe.?.?.?.?.?.?.?.?\xbe|\xbf.?.?.?.?.?.?.?.?\xbf|\xc0.?.?.?.?.?.?.?.?\xc0|\xc1.?.?.?.?.?.?.?.?\xc1|\xc2.?.?.?.?.?.?.?.?\xc2|\xc3.?.?.?.?.?.?.?.?\xc3|\xc4.?.?.?.?.?.?.?.?\xc4|\xc5.?.?.?.?.?.?.?.?\xc5|\xc6.?.?.?.?.?.?.?.?\xc6|\xc7.?.?.?.?.?.?.?.?\xc7|\xc8.?.?.?.?.?.?.?.?\xc8|\xc9.?.?.?.?.?.?.?.?\xc9|\xca.?.?.?.?.?.?.?.?\xca|\xcb.?.?.?.?.?.?.?.?\xcb|\xcc.?.?.?.?.?.?.?.?\xcc|\xcd.?.?.?.?.?.?.?.?\xcd|\xce.?.?.?.?.?.?.?.?\xce|\xcf.?.?.?.?.?.?.?.?\xcf|\xd0.?.?.?.?.?.?.?.?\xd0|\xd1.?.?.?.?.?.?.?.?\xd1|\xd2.?.?.?.?.?.?.?.?\xd2|\xd3.?.?.?.?.?.?.?.?\xd3|\xd4.?.?.?.?.?.?.?.?\xd4|\xd5.?.?.?.?.?.?.?.?\xd5|\xd6.?.?.?.?.?.?.?.?\xd6|\xd7.?.?.?.?.?.?.?.?\xd7|\xd8.?.?.?.?.?.?.?.?\xd8|\xd9.?.?.?.?.?.?.?.?\xd9|\xda.?.?.?.?.?.?.?.?\xda|\xdb.?.?.?.?.?.?.?.?\xdb|\xdc.?.?.?.?.?.?.?.?\xdc|\xdd.?.?.?.?.?.?.?.?\xdd|\xde.?.?.?.?.?.?.?.?\xde|\xdf.?.?.?.?.?.?.?.?\xdf|\xe0.?.?.?.?.?.?.?.?\xe0|\xe1.?.?.?.?.?.?.?.?\xe1|\xe2.?.?.?.?.?.?.?.?\xe2|\xe3.?.?.?.?.?.?.?.?\xe3|\xe4.?.?.?.?.?.?.?.?\xe4|\xe5.?.?.?.?.?.?.?.?\xe5|\xe6.?.?.?.?.?.?.?.?\xe6|\xe7.?.?.?.?.?.?.?.?\xe7|\xe8.?.?.?.?.?.?.?.?\xe8|\xe9.?.?.?.?.?.?.?.?\xe9|\xea.?.?.?.?.?.?.?.?\xea|\xeb.?.?.?.?.?.?.?.?\xeb|\xec.?.?.?.?.?.?.?.?\xec|\xed.?.?.?.?.?.?.?.?\xed|\xee.?.?.?.?.?.?.?.?\xee|\xef.?.?.?.?.?.?.?.?\xef|\xf0.?.?.?.?.?.?.?.?\xf0|\xf1.?.?.?.?.?.?.?.?\xf1|\xf2.?.?.?.?.?.?.?.?\xf2|\xf3.?.?.?.?.?.?.?.?\xf3|\xf4.?.?.?.?.?.?.?.?\xf4|\xf5.?.?.?.?.?.?.?.?\xf5|\xf6.?.?.?.?.?.?.?.?\xf6|\xf7.?.?.?.?.?.?.?.?\xf7|\xf8.?.?.?.?.?.?.?.?\xf8|\xf9.?.?.?.?.?.?.?.?\xf9|\xfa.?.?.?.?.?.?.?.?\xfa|\xfb.?.?.?.?.?.?.?.?\xfb|\xfc.?.?.?.?.?.?.?.?\xfc|\xfd.?.?.?.?.?.?.?.?\xfd|\xfe.?.?.?.?.?.?.?.?\xfe|\xff.?.?.?.?.?.?.?.?\xff)
diff --git a/usr/local/share/protocols/skypetoskype.pat b/usr/local/share/protocols/skypetoskype.pat
new file mode 100644
index 0000000..3649492
--- /dev/null
+++ b/usr/local/share/protocols/skypetoskype.pat
@@ -0,0 +1,13 @@
+# Skype to Skype - UDP voice call (program to program) - http://skype.com
+# Pattern attributes: ok veryfast fast overmatch
+# Protocol groups: voip p2p proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Skype
+
+# This matches at least some of the general chatter that occurs when the
+# user isn't doing anything as well as actual calls.
+# Thanks to Myles Uyema, mylesuyema AT gmail.com
+
+skypetoskype
+# require at least 16 bytes (my limited tests always get at least 18)
+^..\x02.............
+
diff --git a/usr/local/share/protocols/smb.pat b/usr/local/share/protocols/smb.pat
new file mode 100644
index 0000000..cdf0fe1
--- /dev/null
+++ b/usr/local/share/protocols/smb.pat
@@ -0,0 +1,18 @@
+# Samba/SMB - Server Message Block - Microsoft Windows filesharing
+# Pattern attributes: good fast notsofast
+# Protocol groups: document_retrieval networking proprietary
+# Wiki: http://www.protocolinfo.org/wiki/SMB
+#
+# "This protocol is sometimes also referred to as the Common Internet File 
+# System (CIFS), LanManager or NetBIOS protocol." -- "man samba"
+#
+# Actually, SMB is a higher level protocol than NetBIOS.  However, the 
+# NetBIOS header is only 4 bytes: not much to match on.
+#
+# http://www.ubiqx.org/cifs/SMB.html
+#
+# This pattern is lightly tested.
+
+smb
+# matches a NEGOTIATE PROTOCOL or TRANSACTION REQUEST command
+\xffsmb[\x72\x25]
diff --git a/usr/local/share/protocols/smtp.pat b/usr/local/share/protocols/smtp.pat
new file mode 100644
index 0000000..eb98ae7
--- /dev/null
+++ b/usr/local/share/protocols/smtp.pat
@@ -0,0 +1,39 @@
+# SMTP - Simple Mail Transfer Protocol - RFC 2821 (See also RFC 1869)
+# Pattern attributes: great notsofast fast
+# Protocol groups: mail ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/SMTP
+#
+# usually runs on port 25
+# 
+# This pattern has been tested and is believed to work well.
+
+# As usual, no text is required after "220", but all known servers have some
+# there.  It (almost?) always has string "smtp" in it.  The RFC examples
+# does not, so we match those too, just in case anyone has copied them 
+# literally.
+#
+# Some examples:
+# 220 mail.stalker.com ESMTP CommuniGate Pro 4.1.3
+# 220 mail.vieodata.com ESMTP Merak 6.1.0; Mon, 15 Sep 2003 13:48:11 -0400
+# 220 mail.ut.caldera.com ESMTP
+# 220 persephone.pmail.gen.nz ESMTP server ready.
+# 220 smtp1.superb.net ESMTP
+# 220 mail.kerio.com Kerio MailServer 5.6.7 ESMTP ready
+# 220-mail.deerfield.com ESMTP VisNetic.MailServer.v6.0.9.0; Mon, 15 Sep 2003 13:4
+# 220 altn.com ESMTP MDaemon 6.8.5; Mon, 15 Sep 2003 12:46:42 -0500
+# 220 X1 NT-ESMTP Server ipsmin0165atl2.interland.net (IMail 6.06 73062-3)
+# 220 mail.icewarp.com ESMTP Merak 6.1.1; Mon, 15 Sep 2003 19:43:23 +0200
+# 220-mail.email-scan.com ESMTP
+# 220 smaug.dreamhost.com ESMTP
+# 220 kona.carleton.edu -- Server ESMTP (PMDF V6.2#30648)
+# 220 letra.reed.edu ESMTP Sendmail 8.12.9/8.12.9; Mon, 15 Sep 2003 10:35:57 -0700 (PDT)
+# 220-swan.mail.pas.earthlink.net ESMTP Exim 3.33 #1 Mon, 15 Sep 2003 10:32:15 -0700
+# 
+# RFC examples:
+# 220 xyz.com Simple Mail Transfer Service Ready (RFC example)
+# 220 dbc.mtview.ca.us SMTP service ready
+
+smtp
+^220[\x09-\x0d -~]* (e?smtp|simple mail)
+userspace pattern=^220[\x09-\x0d -~]* (E?SMTP|[Ss]imple [Mm]ail)
+userspace flags=REG_NOSUB REG_EXTENDED
diff --git a/usr/local/share/protocols/snmp.pat b/usr/local/share/protocols/snmp.pat
new file mode 100644
index 0000000..5b88f03
--- /dev/null
+++ b/usr/local/share/protocols/snmp.pat
@@ -0,0 +1,18 @@
+# SNMP - Simple Network Management Protocol - RFC 1157
+# Pattern attributes: good veryfast fast superset
+# Protocol groups: networking ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/SNMP
+#
+# Usually runs on UDP ports 161 (monitoring) and 162 (traps).
+#
+# These filters match SNMPv1 packets without fail, and are made as
+# specific as possible not to match any ASN.1 encoded protocols. However
+# these could still be matched by other protocols that use ASN.1 encoding
+
+# Contributed by Goli SriSairam <goli_sai AT yahoo.com>
+
+# This pattern has been tested and is believed to work well.
+
+# All SNMPv1 traffic.  See snmp-mon.pat and snmp-trap.pat for details.
+snmp
+^\x02\x01\x04.+([\xa0-\xa3]\x02[\x01-\x04].?.?.?.?\x02\x01.?\x02\x01.?\x30|\xa4\x06.+\x40\x04.?.?.?.?\x02\x01.?\x02\x01.?\x43)
diff --git a/usr/local/share/protocols/socks.pat b/usr/local/share/protocols/socks.pat
new file mode 100644
index 0000000..a7501a8
--- /dev/null
+++ b/usr/local/share/protocols/socks.pat
@@ -0,0 +1,31 @@
+# SOCKS Version 5 - Firewall traversal protocol - RFC 1928
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: networking ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/SOCKS
+#
+# Usually runs on port 1080
+# Also useful: http://www.iana.org/assignments/socks-methods
+#
+# We have had two reports that this pattern works.
+
+# method request, no private methods	\x05[\x01-\x08]*
+# method reply, assumes sucess		\x05[\x01-\x08]?
+# method dependent sub-negotiation	.*
+# request, ipv4 only			\x05[\x01-\x03][\x01\x03].*
+# reply					\x05[\x01-\x08]?[\x01\x03].*
+
+# username/password method
+# u/p request, assuming reasonable usernames and passwords
+# \x05[\x02-\x10][a-z][a-z0-9\-]*[\x05-\x20][!-~]*
+# server reply
+# \x05
+
+# GSSAPI method
+# client initial token 		\x01\x01\x02.*
+# server reply			\x01\x01\x02.*
+
+# any other method  .* (all methods boil down to this until we have information
+# about all the commonly used ones)
+
+socks
+\x05[\x01-\x08]*\x05[\x01-\x08]?.*\x05[\x01-\x03][\x01\x03].*\x05[\x01-\x08]?[\x01\x03]
diff --git a/usr/local/share/protocols/soribada.pat b/usr/local/share/protocols/soribada.pat
new file mode 100644
index 0000000..a5da9fd
--- /dev/null
+++ b/usr/local/share/protocols/soribada.pat
@@ -0,0 +1,50 @@
+# Soribada - A Korean P2P filesharing program/protocol - http://www.soribada.com
+# Pattern attributes: good slow notsofast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Soribada
+
+# I am told that there are three versions of this protocol, the first no
+# longer being used.  That would probably explain why incoming searches
+# have two different formats...
+
+# There are three parts to Soribada protocal:
+# 1: Ping/Pong to establish a relationship on the net (UDP with 2 useful bytes)
+# 2: Searching (in two formats) (UDP with two short easy to match starts)
+# 3: Download requests/transfers (TCP with an obvious first packet)
+
+# 1 -- Pings/Pongs:
+# Requester send 2 bytes and a 6 byte response is sent back.
+# \x10 for the first byte and \x14-\x16 for the second.
+# The response is the first byte (\x10) and the second byte incremented
+# by 1 (\x15-\x17).
+# No further communication happens between the hosts except for searches.
+# A regex match: ^\x10[\x14-\x16]\x10[\x15-\x17].?.?.?.?$
+# First Packet ---^^^^^^^^^^^^^^^
+# Second Packet -----------------^^^^^^^^^^^^^^^^^^^^^^^
+
+# 2 -- Search requests:
+# All searches are totally stateless and are only responded to if the user
+# actually has the file.
+# Both format start with a \x01 byte, have 3 "random bytes" and then 3 bytes
+# corasponding to one of two formats.
+# Format 1 is \x51\x3a\+ and format 2 is \x51\x32\x3a
+# A regex match: ^\x01.?.?.?(\x51\x3a\+|\x51\x32\x3a)
+
+# 3 -- Download requests:
+# All downloads start with "GETMP3\x0d\x0aFilename"
+# A regex match: ^GETMP3\x0d\x0aFilename
+
+soribada
+
+# This will match the second packet of two.
+# ^\x10[\x14-\x16]\x10[\x15-\x17].?.?.?.?$
+
+# Again, matching this is the end of the comunication.
+# ^\x01.?.?.?(\x51\x3a\+|\x51\x32\x3a)
+
+# This is the start of the transfer and an easy match
+#^GETMP3\x0d\x0aFilename
+
+# This will match everything including the udp packet portions
+^GETMP3\x0d\x0aFilename|^\x01.?.?.?(\x51\x3a\+|\x51\x32\x3a)|^\x10[\x14-\x16]\x10[\x15-\x17].?.?.?.?$
+
diff --git a/usr/local/share/protocols/soulseek.pat b/usr/local/share/protocols/soulseek.pat
new file mode 100644
index 0000000..4385141
--- /dev/null
+++ b/usr/local/share/protocols/soulseek.pat
@@ -0,0 +1,16 @@
+# Soulseek - P2P filesharing - http://slsknet.org
+# Pattern attributes: good fast fast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Soulseek
+#
+# All my tests show that this pattern is fast, but one user has reported that
+# it is slow.  Your milage may vary.
+
+# This has been tested and works for "pierce firewall" commands and file
+# transfers.  It does *not* match all the various sorts of chatter that go on, 
+# such as searches, pings and whatnot.
+
+soulseek
+# (Pierce firewall: in theory the token could be 4 bytes, but the last two 
+# seem to always be zero.|download: Peer Init)
+^(\x05..?|.\x01.[ -~]+\x01F..?.?.?.?.?.?.?)$
diff --git a/usr/local/share/protocols/ssdp.pat b/usr/local/share/protocols/ssdp.pat
new file mode 100644
index 0000000..db50362
--- /dev/null
+++ b/usr/local/share/protocols/ssdp.pat
@@ -0,0 +1,20 @@
+# SSDP - Simple Service Discovery Protocol - easy discovery of network devices
+# Pattern attributes: good slow notsofast
+# Protocol groups: networking ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/SSDP
+
+# This pattern was tested only by listening to a Linksys WRT54G. However,
+# I expect it works in general given the simplicity of the protocol.
+
+# SSDP packets should _always_ be sent to the multicast address
+# 239.255.255.250, making this pattern irrelevant.  (Moreover, SSDP
+# packets should be resitricted to local networks that have plenty of
+# bandwidth.)  However, Microsoft, as usual, has other ideas, so maybe
+# it could be useful.  Can't hurt, anyway. :-)
+#
+# http://www.upnp.org/download/draft_cai_ssdp_v1_03.txt
+# http://msdn.microsoft.com/library/default.asp?url=/library/en-us/randz/protocol/ssdp.asp
+
+ssdp
+^notify[\x09-\x0d ]\*[\x09-\x0d ]http/1\.1[\x09-\x0d -~]*ssdp:(alive|byebye)|^m-search[\x09-\x0d ]\*[\x09-\x0d ]http/1\.1[\x09-\x0d -~]*ssdp:discover
+
diff --git a/usr/local/share/protocols/ssh.pat b/usr/local/share/protocols/ssh.pat
new file mode 100644
index 0000000..adffe9e
--- /dev/null
+++ b/usr/local/share/protocols/ssh.pat
@@ -0,0 +1,16 @@
+# SSH - Secure SHell
+# Pattern attributes: great veryfast fast
+# Protocol groups: remote_access secure ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/SSH
+#
+# usually runs on port 22
+#
+# http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-22.txt
+#
+# This pattern has been tested and is believed to work well.
+
+ssh
+^ssh-[12]\.[0-9]
+
+# old pattern:
+# (diffie-hellman-group-exchange-sha1|diffie-hellman-group1-sha1.ssh-rsa|ssh-dssfaes128-cbc|3des-cbc|blowfish-cbc|cast128-cbc|arcfour|aes192-cbc|aes256-cbc|rijndael-cbc@lysator.liu.sefaes128-cbc|3des-cbc|blowfish-cbc|cast128-cbc|arcfour|aes192-cbc|aes256-cbc|rijndael-cbc@lysator.liu.seuhmac-md5|hmac-sha1|hmac-ripemd160)+
diff --git a/usr/local/share/protocols/ssl.pat b/usr/local/share/protocols/ssl.pat
new file mode 100644
index 0000000..a10589a1
--- /dev/null
+++ b/usr/local/share/protocols/ssl.pat
@@ -0,0 +1,15 @@
+# SSL and TLS - Secure Socket Layer / Transport Layer Security - RFC 2246
+# Pattern attributes: good notsofast fast superset
+# Protocol groups: secure ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/SSL
+#
+# Usually runs on port 443
+#
+# This is a superset of validcertssl.  For it to match, it must be first.
+# 
+# This pattern has been tested and is believed to work well.
+
+ssl
+# Server Hello with certificate | Client Hello
+# This allows SSL 3.X, which includes TLS 1.0, known internally as SSL 3.1
+^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b)
diff --git a/usr/local/share/protocols/stun.pat b/usr/local/share/protocols/stun.pat
new file mode 100644
index 0000000..5f0f58a
--- /dev/null
+++ b/usr/local/share/protocols/stun.pat
@@ -0,0 +1,45 @@
+# STUN - Simple Traversal of UDP Through NAT - RFC 3489
+# Pattern attributes: ok veryfast fast
+# Protocol groups: networking ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/STUN
+#
+# This pattern is untested as far as I know.
+
+# Wikipedia says: "The STUN server is contacted on UDP port 3478,
+# however the server will hint clients to perform tests on alternate IP
+# and port number too (STUN servers have two IP addresses). The RFC
+# states that this port and IP are arbitrary."
+
+stun
+# \x01 is a Binding Request.  \x02 is a Shared Secret Request. Binding
+# Requests are, experimentally, exactly 20 Bytes with three NULL Bytes. 
+# The first NULL is part of the two byte message type field.  The other
+# two give the message length, zero.  I'm guessing that Shared Secret
+# Requests are similar, but I have not checked.  Please read the RFC and
+# do experiments to find out.  All other message types are responses,
+# and so don't matter.
+#
+# The .? allows one of the Message Transaction ID Bytes to be \x00.  If
+# two are \x00, it will fail.  This will happen 0.37% of the time, since
+# the Message Transaction ID is supposed to be random.  If this is
+# unacceptable to you, add another ? to reduce this to 0.020%, but be
+# aware of the increased possibility of false positives.
+^[\x01\x02]................?$
+
+# From my post to the mailing list:
+# http://sourceforge.net/mailarchive/message.php?msg_id=36787107
+# 
+# This is a rather permissive pattern, but you can make it a little better 
+# by combining it with another iptables rule that checks that the packet 
+# data is exactly 20 Bytes.  Of course, the second packet is longer, so 
+# maybe that introduces more complications than benefits.
+# 
+# If you're willing to wait until the second packet to make the 
+# identification, you could use this:
+# 
+# ^\x01................?\x01\x01
+# 
+# or if the Message Length is always \x24 (I'm not sure it is from your 
+# single example):
+# 
+# ^\x01................?\x01\x01\x24
diff --git a/usr/local/share/protocols/subspace.pat b/usr/local/share/protocols/subspace.pat
new file mode 100644
index 0000000..57dabf1
--- /dev/null
+++ b/usr/local/share/protocols/subspace.pat
@@ -0,0 +1,20 @@
+# Subspace - 2D asteroids-style space game - http://sscentral.com
+# Pattern attributes: marginal veryfast fast
+# Protocol groups: game
+# Wiki: http://www.protocolinfo.org/wiki/Subspace
+#
+# By Myles Uyema <mylesuyema AT gmail.com>
+#
+# This pattern matches the initial 2 packets of the client-server
+# 'handshake' when joining a Zone.
+#
+# The first packet is an 8 byte UDP payload sent from client
+# 0x00 0x01 0x?? 0x?? 0x?? 0x?? 0x11
+# The next packet is a 12 byte UDP response from server
+# 0x00 0x10 0x?? 0x?? 0x?? 0x?? 0x?? 0x?? 0x?? 0x?? 0x01 0x00
+#
+# l7-filter strips out the null bytes, leaving me with this pattern
+
+subspace
+^\x01....\x11\x10........\x01$
+
diff --git a/usr/local/share/protocols/subversion.pat b/usr/local/share/protocols/subversion.pat
new file mode 100644
index 0000000..cc5ec3b
--- /dev/null
+++ b/usr/local/share/protocols/subversion.pat
@@ -0,0 +1,12 @@
+# Subversion - a version control system
+# Pattern attributes: ok veryfast fast
+# Protocol groups: version_control open_source
+# Wiki: http://www.protocolinfo.org/wiki/Subversion
+#
+# This pattern is UNTESTED.  (But it seems straightforward enough...)
+#
+# Subversion uses TCP port 3690 by default.
+
+subversion
+# This is not a valid basic GNU regular expression.
+^\( success \( 1 2 \(
diff --git a/usr/local/share/protocols/teamfortress2.pat b/usr/local/share/protocols/teamfortress2.pat
new file mode 100644
index 0000000..83fb960
--- /dev/null
+++ b/usr/local/share/protocols/teamfortress2.pat
@@ -0,0 +1,10 @@
+# Team Fortress 2 - network game - http://www.valvesoftware.com
+# Pattern attributes: good veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Team_Fortress
+#
+# Credits: Clayton Macleod <cherry twist at gmail dot com>
+#          Jan Engelhardt <jengelh at computergmbh dot de>
+
+teamfortress2
+^\xff\xff\xff\xff.....*tfTeam Fortress
diff --git a/usr/local/share/protocols/teamspeak.pat b/usr/local/share/protocols/teamspeak.pat
new file mode 100644
index 0000000..e83569f
--- /dev/null
+++ b/usr/local/share/protocols/teamspeak.pat
@@ -0,0 +1,14 @@
+# TeamSpeak - VoIP application - http://goteamspeak.com
+# Pattern attributes: good veryfast fast
+# Protocol groups: voip proprietary
+# Wiki: http://www.protocolinfo.org/wiki/TeamSpeak
+#
+# This pattern has been tested by Matthew Strait and verified by packet
+# traces by at least two other people.  The meaning of f4b303 is not
+# known, but it seems to appear in all first packets.  This pattern only
+# matches the actual UDP voice traffic, not the TeamSpeak web interface
+# or "TCP query".
+
+teamspeak
+^\xf4\xbe\x03.*teamspeak
+
diff --git a/usr/local/share/protocols/telnet.pat b/usr/local/share/protocols/telnet.pat
new file mode 100644
index 0000000..a93d17d
--- /dev/null
+++ b/usr/local/share/protocols/telnet.pat
@@ -0,0 +1,15 @@
+# Telnet - Insecure remote login - RFC 854
+# Pattern attributes: good veryfast fast
+# Protocol groups: remote_access obsolete ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/Telnet
+#
+# Usually runs on port 23
+#
+# This pattern is lightly tested.
+
+telnet
+# Matches at least three IAC (Do|Will|Don't|Won't) commands in a row.  
+# My telnet client sends 9 when I connect, so this should be fine.
+# This pattern could fail on a unchatty connection or it could be 
+# matched by something non-telnet spewing a lot of stuff in the fb-ff range.
+^\xff[\xfb-\xfe].\xff[\xfb-\xfe].\xff[\xfb-\xfe]
diff --git a/usr/local/share/protocols/tesla.pat b/usr/local/share/protocols/tesla.pat
new file mode 100644
index 0000000..f9fdece
--- /dev/null
+++ b/usr/local/share/protocols/tesla.pat
@@ -0,0 +1,14 @@
+# Tesla Advanced Communication - P2P filesharing (?)
+# Pattern attributes: marginal slow notsofast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Tesla
+#
+# This pattern is untested!
+
+# This is lifted from http://oofle.com/filesharing.php?app=tesla
+# There is no explaination of what these numbers mean.
+# The above page says that the first string is found only in TCP packets
+# and the second only in UDP.
+
+tesla
+\x03\x9a\x89\x22\x31\x31\x31\.\x30\x30\x20\x42\x65\x74\x61\x20|\xe2\x3c\x69\x1e\x1c\xe9
diff --git a/usr/local/share/protocols/tftp.pat b/usr/local/share/protocols/tftp.pat
new file mode 100644
index 0000000..e9f16f7
--- /dev/null
+++ b/usr/local/share/protocols/tftp.pat
@@ -0,0 +1,20 @@
+# TFTP - Trivial File Transfer Protocol - used for bootstrapping - RFC 1350
+# Pattern attributes: marginal veryfast fast
+# Protocol groups: document_retrieval ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/TFTP
+#
+# usually runs on port 69
+# 
+# This pattern is unconfirmed. 
+
+tftp
+# The first packet from the initiating host should either be a Read Request 
+# or a Write Request.  In the other direction, it should be data packet with 
+# block number one or an ACK with block number zero.  We only attempt to match
+# the initiating host's packets, because the only identifying features of 
+# the responses to them are two byte sequences (which isn't specific enough).
+# (\x01|\x02) = Read Request or Write Request
+# [ -~]* = the file name
+# the rest = netascii|octet|mail (case insensitivity done by the kernel)
+
+^(\x01|\x02)[ -~]*(netascii|octet|mail)
diff --git a/usr/local/share/protocols/thecircle.pat b/usr/local/share/protocols/thecircle.pat
new file mode 100644
index 0000000..a161531
--- /dev/null
+++ b/usr/local/share/protocols/thecircle.pat
@@ -0,0 +1,11 @@
+# The Circle - P2P application - http://thecircle.org.au
+# Pattern attributes: ok veryfast fast
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/The_Circle
+
+# This is tested with The Circle 0.41c on Linux.
+# It likely misses some stuff.  Notably, I wasn't able to test it on any 
+# large downloads, because no one is sharing anything!
+
+thecircle
+^t\x03ni.?[\x01-\x06]?t[\x01-\x05]s[\x0a\x0b](glob|who are you$|query data)
diff --git a/usr/local/share/protocols/tor.pat b/usr/local/share/protocols/tor.pat
new file mode 100644
index 0000000..16f8884
--- /dev/null
+++ b/usr/local/share/protocols/tor.pat
@@ -0,0 +1,16 @@
+# Tor - The Onion Router - used for anonymization - http://tor.eff.org
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: networking
+# Wiki: http://protocolinfo.org/wiki/Tor
+#
+# This pattern has been tested and is believed to work well.
+#
+# It matches on the second packet.  I have no idea how the protocol
+# works, but this matches every stream I have made using Tor 0.1.0.16 as
+# a client on Linux.
+#
+# It does NOT attempt to match the HTTP request that fetches the list of
+# Tor servers.
+
+tor
+TOR1.*<identity>
diff --git a/usr/local/share/protocols/tsp.pat b/usr/local/share/protocols/tsp.pat
new file mode 100644
index 0000000..e704ce0
--- /dev/null
+++ b/usr/local/share/protocols/tsp.pat
@@ -0,0 +1,13 @@
+# TSP - Berkely UNIX Time Synchronization Protocol
+# Pattern attributes: good veryfast fast overmatch
+# Protocol groups: time_synchronization open_source
+# Wiki: http://www.protocolinfo.org/wiki/TSP
+#
+# http://ftp.svbug.com/ftp/pub/manuals/pdf/smm.22.timed.pdf
+# http://docs.freebsd.org/44doc/smm/12.timed/paper.pdf
+# 
+# This pattern is barely tested.
+
+tsp
+# type, version (1), sequence number, 8 type specific bytes, machine name
+^[\x01-\x13\x16-$]\x01.?.?.?.?.?.?.?.?.?.?[ -~]+
diff --git a/usr/local/share/protocols/unknown.pat b/usr/local/share/protocols/unknown.pat
new file mode 100644
index 0000000..1c1c166
--- /dev/null
+++ b/usr/local/share/protocols/unknown.pat
@@ -0,0 +1,7 @@
+# Unknown - Dummy pattern for old unmatched connections.
+
+unknown
+# This pattern is ignored by the kernel.  It sees that the "protocol" is
+# "unknown" and always returns unmatched for connections that are still
+# being tested.
+.
diff --git a/usr/local/share/protocols/unset.pat b/usr/local/share/protocols/unset.pat
new file mode 100644
index 0000000..80950c9
--- /dev/null
+++ b/usr/local/share/protocols/unset.pat
@@ -0,0 +1,8 @@
+# Unset - Dummy pattern for unmatched connections that are still being tested
+
+unset
+# This pattern is ignored by the kernel.  It sees that the "protocol" is
+# "testing" and always returns matched for connections that are still
+# being tested.
+# NOT YET IMPLEMENTED.
+.
diff --git a/usr/local/share/protocols/uucp.pat b/usr/local/share/protocols/uucp.pat
new file mode 100644
index 0000000..c7685cd
--- /dev/null
+++ b/usr/local/share/protocols/uucp.pat
@@ -0,0 +1,11 @@
+# UUCP - Unix to Unix Copy
+# Pattern attributes: ok veryfast fast
+# Protocol groups: document_retrieval obsolete
+# Wiki: http://www.protocolinfo.org/wiki/UUCP
+
+# This is completely untested!  (I don't know how to use UUCP...)
+
+# See http://docs.freebsd.org/info/uucp/uucp.info.The_Initial_Handshake.html
+
+uucp
+^\x10here=
diff --git a/usr/local/share/protocols/validcertssl.pat b/usr/local/share/protocols/validcertssl.pat
new file mode 100644
index 0000000..c004517
--- /dev/null
+++ b/usr/local/share/protocols/validcertssl.pat
@@ -0,0 +1,24 @@
+# Valid certificate SSL 
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: secure ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/SSL
+
+# This matches anything claiming to use a valid certificate from a well 
+# known certificate authority.
+#
+# This is a subset of ssl, so it needs to come first to match.
+#
+# Note that opening a website that has a valid certificate will 
+# open one connection that matches this and many ssl connections that
+# only match the ssl pattern.  Thus, this pattern may not be very useful.
+#
+# This pattern is believed match only the above, but may not match all
+# of it.
+#
+# the certificate authority info is sent in quasi plain text, if it matches 
+# a well known certificate authority then we will assume it is a 
+# web/imaps/etc server. Other ssl may be good too, but it should fall under 
+# a different rule
+
+validcertssl
+^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b).*(thawte|equifax secure|rsa data security, inc|verisign, inc|gte cybertrust root|entrust\.net limited)
diff --git a/usr/local/share/protocols/ventrilo.pat b/usr/local/share/protocols/ventrilo.pat
new file mode 100644
index 0000000..7ee9c13
--- /dev/null
+++ b/usr/local/share/protocols/ventrilo.pat
@@ -0,0 +1,17 @@
+# Ventrilo - VoIP - http://ventrilo.com
+# Pattern attributes: good fast fast
+# Protocol groups: voip proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Ventrilo
+#
+# I have tested this with Ventrilo client 2.3.0 on Windows talking to
+# Ventrilo server 2.3.1 (the public version) on Linux.  I've done this
+# both within a LAN and over the Internet.  In one test, I tried
+# monkeying around with the server settings to see if I could break the
+# pattern, and I couldn't.  However, you can't change the port number in
+# the public server. 
+#
+# It has also been tested by one other person in an unknown configuration.
+
+ventrilo
+^..?v\$\xcf
+
diff --git a/usr/local/share/protocols/vnc.pat b/usr/local/share/protocols/vnc.pat
new file mode 100644
index 0000000..9f77fdf
--- /dev/null
+++ b/usr/local/share/protocols/vnc.pat
@@ -0,0 +1,22 @@
+# VNC - Virtual Network Computing.  Also known as RFB - Remote Frame Buffer
+# Pattern attributes: great veryfast fast
+# Protocol groups: remote_access
+# Wiki: http://www.protocolinfo.org/wiki/VNC
+#
+# http://www.realvnc.com/documentation.html
+# 
+# This pattern has been verified with vnc v3.3.7 on WinXP and Linux
+#
+# Thanks to Trevor Paskett <tpaskett AT cymphonix.com> for this pattern.
+
+vnc
+# Assumes single digit major and minor version numbers 
+# This message should be all alone in the first packet, so ^$ is appropriate
+^rfb 00[1-9]\.00[0-9]\x0a$
+
+# This is a more restrictive version which assumes the version numbers
+# are ones actually in existance at the time of this writing, i.e. 3.3,
+# 3.7 and 3.8 (with some clients wrongly reporting 3.5).  It should be
+# slightly faster, but probably not worth the extra maintenance. 
+# ^rfb 003\.00[3578]\x0a$
+
diff --git a/usr/local/share/protocols/whois.pat b/usr/local/share/protocols/whois.pat
new file mode 100644
index 0000000..0c8d0d0
--- /dev/null
+++ b/usr/local/share/protocols/whois.pat
@@ -0,0 +1,13 @@
+# Whois - query/response system, usually used for domain name info - RFC 3912
+# Pattern attributes: good notsofast notsofast overmatch
+# Protocol groups: networking ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/Whois
+#
+# Usually runs on TCP port 43
+# 
+# This pattern has been tested and is believed to work well.
+
+whois
+# Matches the query.  Assumes only that it is printable ASCII without wierd
+# whitespace.
+^[ !-~]+\x0d\x0a$
diff --git a/usr/local/share/protocols/worldofwarcraft.pat b/usr/local/share/protocols/worldofwarcraft.pat
new file mode 100644
index 0000000..dae2643
--- /dev/null
+++ b/usr/local/share/protocols/worldofwarcraft.pat
@@ -0,0 +1,65 @@
+# World of Warcraft - popular network game - http://blizzard.com/
+# Pattern attributes: ok veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/World_of_Warcraft
+
+worldofwarcraft
+^\x06\xec\x01
+
+# Quoth the author of this pattern, Weisskopf Beat <weisb AT bfh.ch>:
+
+# I have written a pattern for wow (tested with versions 1.8.3 and
+# 1.8.4, german edition). It does not match the login as i think this is
+# uncritical, but i have added the necessary info later on. So only the
+# actual in-game traffic is matched.
+#
+# I hope the pattern is specific enough, otherwise one may add some
+# bytes from the response.
+#
+# some captured info:
+#
+# login:
+#
+# 0000:  00 02 28 00 57 6F 57 00 01 08 03 C7 12 36 38 78  ..(.WoW......68x
+# 0010:  00 6E 69 57 00 45 44 65 64 3C 00 00 00 C0 A8 01  .niW.EDed<......
+# 0020:  22 0A 42 57 45 49 53 53 4B 4F 50 46              ".BWEISSKOPF
+#
+# 0000:  00 02 28 00 57 6F 57 00 01 08 03 C7 12 36 38 78  ..(.WoW......68x
+# 0010:  00 6E 69 57 00 45 44 65 64 3C 00 00 00 C0 A8 01  .niW.EDed<......
+# 0020:  22 0A 42 57 45 49 53 53 4B 4F 50 46              ".BWEISSKOPF
+#
+# server asking:
+#
+# #1
+# 0000:  00 06 EC 01 04 49 C5 33                          .....I.3
+#
+# #2
+# 0000:  00 06 EC 01 C3 A8 6E 63                          ......nc
+#
+# client response
+# #1
+# 0000:  00 A4 ED 01 00 00 C7 12 00 00 00 00 00 00 42 57  ..............BW
+# 0010:  45 49 53 53 4B 4F 50 46 00 EB 35 DC 89 5A CA 6D  EISSKOPF..5..Z.m
+# 0020:  17 95 DE 5B 74 6E 1E 5D 23 73 C6 8F 27 9F 11 12  ...[tn.]#s..'...
+# 0030:  BB 21 01 00 00 78 9C 75 CC 41 0A 83 50 0C 84 E1  .!...x.u.A..P...
+# 0040:  E7 3D 7A 19 75 25 D4 4D AB EB 12 5E A2 0C 8D 51  .=z.u%.M...^...Q
+# 0050:  D2 57 04 4F DF 2E 2D A4 B3 FD 86 3F A5 EF 1A C5  .W.O..-....?....
+# 0060:  71 90 F3 A3 7E E7 82 D5 C6 2E 55 CB 7E B9 FE 58  q...~.....U.~..X
+# 0070:  43 A5 A8 4C 10 E5 1E 86 85 B6 E8 04 63 D8 1C 06  C..L........c...
+# 0080:  5A A7 A9 84 D2 D9 6B 93 1C 5B 4F D9 D7 50 6E 04  Z.....k..[O..Pn.
+# 0090:  0E 61 20 15 8B 6B 83 13 CB FD 09 D5 7F 0C 13 3F  .a ..k.........?
+# 00A0:  DB 07 B4 EA 54 F8                                ....T.
+#
+# #2
+# 0000:  00 A4 ED 01 00 00 C7 12 00 00 00 00 00 00 42 57  ..............BW
+# 0010:  45 49 53 53 4B 4F 50 46 00 38 4C B5 95 C3 AD 25  EISSKOPF.8L....%
+# 0020:  CB 73 48 BD 82 FC 99 63 59 AC BF F3 D0 C6 8D AB  .sH....cY.......
+# 0030:  3D 21 01 00 00 78 9C 75 CC 41 0A 83 50 0C 84 E1  =!...x.u.A..P...
+# 0040:  E7 3D 7A 19 75 25 D4 4D AB EB 12 5E A2 0C 8D 51  .=z.u%.M...^...Q
+# 0050:  D2 57 04 4F DF 2E 2D A4 B3 FD 86 3F A5 EF 1A C5  .W.O..-....?....
+# 0060:  71 90 F3 A3 7E E7 82 D5 C6 2E 55 CB 7E B9 FE 58  q...~.....U.~..X
+# 0070:  43 A5 A8 4C 10 E5 1E 86 85 B6 E8 04 63 D8 1C 06  C..L........c...
+# 0080:  5A A7 A9 84 D2 D9 6B 93 1C 5B 4F D9 D7 50 6E 04  Z.....k..[O..Pn.
+# 0090:  0E 61 20 15 8B 6B 83 13 CB FD 09 D5 7F 0C 13 3F  .a ..k.........?
+# 00A0:  DB 07 B4 EA 54 F8                                ....T.
+
diff --git a/usr/local/share/protocols/x11.pat b/usr/local/share/protocols/x11.pat
new file mode 100644
index 0000000..f42b98f
--- /dev/null
+++ b/usr/local/share/protocols/x11.pat
@@ -0,0 +1,22 @@
+# X Windows Version 11 - Networked GUI system used in most Unices
+# Pattern attributes: good notsofast fast
+# Protocol groups: remote_access x_consortium_standard
+# Wiki: http://www.protocolinfo.org/wiki/X11
+#
+# It is common for X to be tunneled through SSH.  Then obviously this pattern
+# will not catch it.
+#
+# Specification: http://www.msu.edu/~huntharo/xwin/docs/xwindows/PROTO.pdf
+# Usually runs on port 6000 (6001 for the second server on a host, etc)
+#
+# This pattern has been tested.
+
+x11
+# 'l' = little-endian.  'B' = big endian
+# ".?" is for the unused byte that comes next.  If it's a null, it won't appear.
+# \x0b = protocol-major-version 11.
+# For some reason, protocol-minor-version is 0, not 6, so can't match it.
+# This pattern is too general. 
+^[lb].?\x0b
+userspace pattern=^[lB].?\x0b
+userspace flags=REG_NOSUB
diff --git a/usr/local/share/protocols/xboxlive.pat b/usr/local/share/protocols/xboxlive.pat
new file mode 100644
index 0000000..8d402cf
--- /dev/null
+++ b/usr/local/share/protocols/xboxlive.pat
@@ -0,0 +1,40 @@
+# XBox Live - Console gaming
+# pattern attributes: marginal slow notsofast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/XBox_Live
+#
+# This may match all XBox traffic, or may only match Halo 2 traffic.  
+# We don't know yet.
+#
+# Thanks to Myles Uyema <mylesuyema AT gmail DOT com>, who says:
+#
+# Analyzing packet traces using Ethereal, the Xbox typically connects
+# to remote users using UDP port 3074.  The first frame is typically
+# a 156 byte UDP payload.  I've only scrutinized the first 20 or so bytes.
+#
+# Each line below represents the first frame between my Xbox and a remote
+# player's IP address playing Halo2 on Xbox Live.
+#
+# 00 00 00 00 00 58 80 00 00 00 00 00 82 31 9e a8 05 0f c5 62 00 f3 96 08
+# 00 00 00 00 00 58 80 00 00 00 00 00 82 31 9e a8 0f 0f c5 62 00 f3 97 09
+# 00 00 00 00 00 58 80 00 00 00 00 00 82 31 9e a8 05 0f c5 62 00 f3 95 07
+# 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 bc 07
+# 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 be 09
+# 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 bf 0a
+# 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 bd 08
+# 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 ba 05
+# 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 bb 06
+# 00 00 00 00 00 58 80 00 00 00 00 00 81 7f dd 14 f2 8e a3 a1 00 f3 ca 06
+# 00 00 00 00 00 58 80 00 00 00 00 00 81 7f dd 14 f2 8e a3 a1 00 f3 cc 08
+# 00 00 00 00 00 58 80 00 00 00 00 00 81 7f dd 14 f2 8e a3 a1 00 f3 c9 05
+# 00 00 00 00 00 58 80 00 00 00 00 00 8b ca 5b c0 d8 9c f8 c3 00 f3 d4 0a
+# 00 00 00 00 00 58 80 00 00 00 00 00 8b ca 5b c0 d8 9c f3 c3 00 f3 d1 07
+# 00 00 00 00 00 58 80 00 00 00 00 00 8b ca 5b c0 d8 9c f8 c3 00 f3 d2 08
+# 00 00 00 00 00 58 80 00 00 00 00 00 8b ca 5b c0 d8 9c f8 c3 00 f3 cf 05
+# 00 00 00 00 06 58 4e 00 00 00 e6 d9 6e ab 65 0d 63 9f 02 00 00 02 80 dd
+# 00 00 00 00 06 58 4e 00 00 00 46 e2 95 74 cd f9 bc 3d 00 00 00 00 8b ca
+# 00 00 00 00 06 58 4e 00 00 00 cf ce 3b 5c f5 f2 49 9a 00 00 00 00 8b ca
+# 00 00 00 00 06 58 4e 00 00 00 a9 c0 ac c5 16 e5 c9 92 00 00 00 00 8b ca
+
+xboxlive
+^\x58\x80........\xf3|^\x06\x58\x4e
diff --git a/usr/local/share/protocols/xunlei.pat b/usr/local/share/protocols/xunlei.pat
new file mode 100644
index 0000000..c362e37
--- /dev/null
+++ b/usr/local/share/protocols/xunlei.pat
@@ -0,0 +1,14 @@
+# Xunlei - Chinese P2P filesharing - http://xunlei.com
+# Pattern attributes: good veryfast fast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Xunlei
+#
+# This has been tested by three people.  It definitely catches some
+# streams. 
+#
+# Written by wsgtrsys of www.routerclub.com.  Improved by VeNoMouS.
+# Improved more by wsgtrsys and platinum of bbs.chinaunix.net.
+
+xunlei
+^[()]...?.?.?(reg|get|query)
+
diff --git a/usr/local/share/protocols/yahoo.pat b/usr/local/share/protocols/yahoo.pat
new file mode 100644
index 0000000..537349a
--- /dev/null
+++ b/usr/local/share/protocols/yahoo.pat
@@ -0,0 +1,26 @@
+# Yahoo messenger - an instant messenger protocol - http://yahoo.com
+# Pattern attributes: good fast fast
+# Protocol groups: chat proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Yahoo_Messenger
+#
+# Usually runs on port 5050 
+#
+# This pattern has been tested and is believed to work well. 
+
+yahoo
+# http://www.venkydude.com/articles/yahoo.htm says: 
+# All Yahoo commands start with YMSG.  
+# (Well... http://ethereal.com/faq.html#q5.32 suggests that YPNS and YHOO
+# are also possible, so let's allow those)
+# The next 7 bytes contain command (packet?) length and version information
+# which we won't currently try to match.
+# L means "YAHOO_SERVICE_VERIFY" according to Ethereal
+# W means "encryption challenge command" (YAHOO_SERVICE_AUTH)
+# T means "login command" (YAHOO_SERVICE_AUTHRESP)
+# (there are others, i.e. 0x01 "coming online", 0x02 "going offline",
+# 0x04 "changing status to available", 0x06 "user message", but W and T
+# should appear in the first few packets.)
+# 0xC080 is the standard argument separator, it should appear not long
+# after the "type of command" byte.
+
+^(ymsg|ypns|yhoo).?.?.?.?.?.?.?[lwt].*\xc0\x80
diff --git a/usr/local/share/protocols/zmaap.pat b/usr/local/share/protocols/zmaap.pat
new file mode 100644
index 0000000..d21ad80
--- /dev/null
+++ b/usr/local/share/protocols/zmaap.pat
@@ -0,0 +1,17 @@
+# ZMAAP - Zeroconf Multicast Address Allocation Protocol
+# Pattern attributes: ok veryfast fast
+# Protocol groups: networking ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/ZMAAP
+#
+# http://files.zeroconf.org/draft-ietf-zeroconf-zmaap-02.txt
+# (Note that this reference is an Internet-Draft, and therefore must
+# be considered a work in progress.)
+#
+# This pattern is untested!
+
+zmaap
+# - 4 byte magic number.
+# - 1 byte version. Allow 1 & 2, even though only version 1 currently exists.
+# - 1 byte message type,which is either 0 or 1
+# - 1 byte address family.  L7-filter only works in IPv4, so this is 1.
+^\x1b\xd7\x3b\x48[\x01\x02]\x01?\x01