authorErmal Luçi <eri@pfsense.org>2009-11-10 14:20:14 +0000
committerErmal Luçi <eri@pfsense.org>2009-11-10 14:20:14 +0000
commit66f2dd0e4cf28af5b4511a1bc06a93feaf712d9a (patch)
tree5fec310a541002c1d17552441c9840e9bc12d49d /usr/local/share
parentc97ab82a7e6e2dc7f73cc594fbd50957c8bc1232 (diff)
Second pass at updateing protocol definitions.
Diffstat (limited to 'usr/local/share')
-rw-r--r--usr/local/share/protocols/100bao.pat1
-rw-r--r--usr/local/share/protocols/aim.pat1
-rw-r--r--usr/local/share/protocols/aimwebcontent.pat1
-rw-r--r--usr/local/share/protocols/applejuice.pat1
-rw-r--r--usr/local/share/protocols/ares.pat1
-rw-r--r--usr/local/share/protocols/armagetron.pat1
-rw-r--r--usr/local/share/protocols/battlefield1942.pat1
-rw-r--r--usr/local/share/protocols/battlefield2.pat1
-rw-r--r--usr/local/share/protocols/battlefield2142.pat3
-rw-r--r--usr/local/share/protocols/bgp.pat1
-rw-r--r--usr/local/share/protocols/biff.pat3
-rw-r--r--usr/local/share/protocols/bittorrent.pat10
-rw-r--r--usr/local/share/protocols/chikka.pat5
-rw-r--r--usr/local/share/protocols/cimd.pat1
-rw-r--r--usr/local/share/protocols/ciscovpn.pat1
-rw-r--r--usr/local/share/protocols/citrix.pat1
-rw-r--r--usr/local/share/protocols/counterstrike-source.pat1
-rw-r--r--usr/local/share/protocols/cvs.pat1
-rw-r--r--usr/local/share/protocols/dayofdefeat-source.pat1
-rw-r--r--usr/local/share/protocols/dhcp.pat1
-rw-r--r--usr/local/share/protocols/directconnect.pat1
-rw-r--r--usr/local/share/protocols/dns.pat1
-rw-r--r--usr/local/share/protocols/doom3.pat1
-rw-r--r--usr/local/share/protocols/edonkey.pat3
-rw-r--r--usr/local/share/protocols/fasttrack.pat1
-rw-r--r--usr/local/share/protocols/finger.pat1
-rw-r--r--usr/local/share/protocols/freenet.pat1
-rw-r--r--usr/local/share/protocols/ftp.pat1
-rw-r--r--usr/local/share/protocols/gkrellm.pat1
-rw-r--r--usr/local/share/protocols/gnucleuslan.pat1
-rw-r--r--usr/local/share/protocols/gnutella.pat1
-rw-r--r--usr/local/share/protocols/goboogy.pat1
-rw-r--r--usr/local/share/protocols/gopher.pat1
-rw-r--r--usr/local/share/protocols/h323.pat1
-rw-r--r--usr/local/share/protocols/halflife2-deathmatch.pat1
-rw-r--r--usr/local/share/protocols/hddtemp.pat1
-rw-r--r--usr/local/share/protocols/hotline.pat1
-rw-r--r--usr/local/share/protocols/http-rtsp.pat3
-rw-r--r--usr/local/share/protocols/http.pat1
-rw-r--r--usr/local/share/protocols/ident.pat1
-rw-r--r--usr/local/share/protocols/imap.pat3
-rw-r--r--usr/local/share/protocols/imesh.pat3
-rw-r--r--usr/local/share/protocols/ipp.pat1
-rw-r--r--usr/local/share/protocols/irc.pat3
-rw-r--r--usr/local/share/protocols/jabber.pat1
-rw-r--r--usr/local/share/protocols/kugoo.pat15
-rw-r--r--usr/local/share/protocols/live365.pat1
-rw-r--r--usr/local/share/protocols/liveforspeed.pat3
-rw-r--r--usr/local/share/protocols/lpd.pat1
-rw-r--r--usr/local/share/protocols/mohaa.pat1
-rw-r--r--usr/local/share/protocols/msn-filetransfer.pat3
-rw-r--r--usr/local/share/protocols/msnmessenger.pat1
-rw-r--r--usr/local/share/protocols/mute.pat3
-rw-r--r--usr/local/share/protocols/napster.pat1
-rw-r--r--usr/local/share/protocols/nbns.pat1
-rw-r--r--usr/local/share/protocols/ncp.pat3
-rw-r--r--usr/local/share/protocols/netbios.pat1
-rw-r--r--usr/local/share/protocols/nntp.pat3
-rw-r--r--usr/local/share/protocols/ntp.pat1
-rw-r--r--usr/local/share/protocols/openft.pat3
-rw-r--r--usr/local/share/protocols/pcanywhere.pat1
-rw-r--r--usr/local/share/protocols/poco.pat1
-rw-r--r--usr/local/share/protocols/pop3.pat3
-rw-r--r--usr/local/share/protocols/qq.pat3
-rw-r--r--usr/local/share/protocols/quake-halflife.pat1
-rw-r--r--usr/local/share/protocols/quake1.pat1
-rw-r--r--usr/local/share/protocols/radmin.pat1
-rw-r--r--usr/local/share/protocols/rdp.pat1
-rw-r--r--usr/local/share/protocols/replaytv-ivs.pat5
-rw-r--r--usr/local/share/protocols/rlogin.pat3
-rw-r--r--usr/local/share/protocols/rtp.pat39
-rw-r--r--usr/local/share/protocols/rtsp.pat1
-rw-r--r--usr/local/share/protocols/shoutcast.pat1
-rw-r--r--usr/local/share/protocols/sip.pat14
-rw-r--r--usr/local/share/protocols/skypeout.pat1
-rw-r--r--usr/local/share/protocols/skypetoskype.pat1
-rw-r--r--usr/local/share/protocols/smb.pat1
-rw-r--r--usr/local/share/protocols/smtp.pat1
-rw-r--r--usr/local/share/protocols/snmp.pat1
-rw-r--r--usr/local/share/protocols/socks.pat1
-rw-r--r--usr/local/share/protocols/soribada.pat1
-rw-r--r--usr/local/share/protocols/soulseek.pat1
-rw-r--r--usr/local/share/protocols/ssdp.pat1
-rw-r--r--usr/local/share/protocols/ssh.pat1
-rw-r--r--usr/local/share/protocols/ssl.pat1
-rw-r--r--usr/local/share/protocols/stun.pat1
-rw-r--r--usr/local/share/protocols/subspace.pat1
-rw-r--r--usr/local/share/protocols/subversion.pat1
-rw-r--r--usr/local/share/protocols/teamfortress2.pat1
-rw-r--r--usr/local/share/protocols/teamspeak.pat1
-rw-r--r--usr/local/share/protocols/telnet.pat1
-rw-r--r--usr/local/share/protocols/tesla.pat1
-rw-r--r--usr/local/share/protocols/tftp.pat3
-rw-r--r--usr/local/share/protocols/thecircle.pat1
-rw-r--r--usr/local/share/protocols/tor.pat1
-rw-r--r--usr/local/share/protocols/tsp.pat1
-rw-r--r--usr/local/share/protocols/unknown.pat1
-rw-r--r--usr/local/share/protocols/unset.pat2
-rw-r--r--usr/local/share/protocols/uucp.pat1
-rw-r--r--usr/local/share/protocols/validcertssl.pat3
-rw-r--r--usr/local/share/protocols/ventrilo.pat1
-rw-r--r--usr/local/share/protocols/vnc.pat1
-rw-r--r--usr/local/share/protocols/whois.pat1
-rw-r--r--usr/local/share/protocols/worldofwarcraft.pat1
-rw-r--r--usr/local/share/protocols/x11.pat3
-rw-r--r--usr/local/share/protocols/xboxlive.pat3
-rw-r--r--usr/local/share/protocols/xunlei.pat77
-rw-r--r--usr/local/share/protocols/yahoo.pat1
-rw-r--r--usr/local/share/protocols/zmaap.pat1
109 files changed, 240 insertions, 68 deletions
diff --git a/usr/local/share/protocols/100bao.pat b/usr/local/share/protocols/100bao.pat
index 66bb5c9..a03a891 100644
--- a/usr/local/share/protocols/100bao.pat
+++ b/usr/local/share/protocols/100bao.pat
@@ -2,6 +2,7 @@
# Pattern attributes: ok veryfast fast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/100Bao
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Pattern written by www.routerclub.com's wsgtrsys.
# The author of this pattern says it works, but this is unconfirmed.
diff --git a/usr/local/share/protocols/aim.pat b/usr/local/share/protocols/aim.pat
index e26a3c4..5c43930 100644
--- a/usr/local/share/protocols/aim.pat
+++ b/usr/local/share/protocols/aim.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good slow notsofast
# Protocol groups: chat proprietary
# Wiki: http://www.protocolinfo.org/wiki/AIM
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 5190
#
diff --git a/usr/local/share/protocols/aimwebcontent.pat b/usr/local/share/protocols/aimwebcontent.pat
index af34d5b..bc9a22d 100644
--- a/usr/local/share/protocols/aimwebcontent.pat
+++ b/usr/local/share/protocols/aimwebcontent.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good notsofast notsofast
# Protocol groups: chat document_retrieval proprietary
# Wiki: http://www.protocolinfo.org/wiki/AIM
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested and is believed to work well.
diff --git a/usr/local/share/protocols/applejuice.pat b/usr/local/share/protocols/applejuice.pat
index 8158bc6..eb552dc 100644
--- a/usr/local/share/protocols/applejuice.pat
+++ b/usr/local/share/protocols/applejuice.pat
@@ -2,6 +2,7 @@
# Pattern attributes: great veryfast fast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/AppleJuice
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested with the Linux version (version
# 0,29,142,229). It matches search reqests and file transfers.
diff --git a/usr/local/share/protocols/ares.pat b/usr/local/share/protocols/ares.pat
index 2e89a90..32dc70d 100644
--- a/usr/local/share/protocols/ares.pat
+++ b/usr/local/share/protocols/ares.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good veryfast fast undermatch
# Protocol groups: p2p open_source
# Wiki: http://www.protocolinfo.org/wiki/Ares
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# This pattern catches only client-server connect messages. This is
# sufficient for blocking, but not for shaping, since it doesn't catch
diff --git a/usr/local/share/protocols/armagetron.pat b/usr/local/share/protocols/armagetron.pat
index fb4cc1e..a032410 100644
--- a/usr/local/share/protocols/armagetron.pat
+++ b/usr/local/share/protocols/armagetron.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good slow notsofast
# Protocol groups: open_source game
# Wiki: http://protocolinfo.org/wiki/Armagetron
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# Contributed to protocolinfo.org, possibly by joda.bot, who says "The
# filter matches the initial transfer of configuration data. Very early
diff --git a/usr/local/share/protocols/battlefield1942.pat b/usr/local/share/protocols/battlefield1942.pat
index 1a4d9c0..ed7a7bf 100644
--- a/usr/local/share/protocols/battlefield1942.pat
+++ b/usr/local/share/protocols/battlefield1942.pat
@@ -2,6 +2,7 @@
# Pattern attributes: ok veryfast fast
# Protocol groups: game proprietary
# Wiki: http://www.protocolinfo.org/wiki/Battlefield_1942
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Contributed by Myles Uyema <mylesuyema AT gmail.com>
#
diff --git a/usr/local/share/protocols/battlefield2.pat b/usr/local/share/protocols/battlefield2.pat
index 088714c..e2d8791 100644
--- a/usr/local/share/protocols/battlefield2.pat
+++ b/usr/local/share/protocols/battlefield2.pat
@@ -2,6 +2,7 @@
# Pattern attributes: ok slow notsofast
# Protocol groups: game proprietary
# Wiki: http://www.protocolinfo.org/wiki/Battlefield_2
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is unconfirmed except implicitly by a comment on protocolinfo.
diff --git a/usr/local/share/protocols/battlefield2142.pat b/usr/local/share/protocols/battlefield2142.pat
index 6794cff..4c0e42b 100644
--- a/usr/local/share/protocols/battlefield2142.pat
+++ b/usr/local/share/protocols/battlefield2142.pat
@@ -1,7 +1,8 @@
# Battlefield 2142 - An EA game.
# Pattern attributes: ok fast fast
-# Protocol groups: proprietary game
+# Protocol groups: proprietary game
# Wiki: http://protocolinfo.org/wiki/Battlefield_2142
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# Submitted by Telsin. Not confirmed.
diff --git a/usr/local/share/protocols/bgp.pat b/usr/local/share/protocols/bgp.pat
index d7985c0..61e417f 100644
--- a/usr/local/share/protocols/bgp.pat
+++ b/usr/local/share/protocols/bgp.pat
@@ -2,6 +2,7 @@
# Pattern attributes: ok veryfast fast
# Protocol groups: networking ietf_draft_standard
# Wiki: http://www.protocolinfo.org/wiki/BGP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is UNTESTED.
diff --git a/usr/local/share/protocols/biff.pat b/usr/local/share/protocols/biff.pat
index 7df399a..91e8bbf 100644
--- a/usr/local/share/protocols/biff.pat
+++ b/usr/local/share/protocols/biff.pat
@@ -1,7 +1,8 @@
# Biff - new mail notification
-# Pattern attributes: good veryfast fast undermatch overmatch
+# Pattern attributes: good fast fast undermatch overmatch
# Protocol groups: mail
# Wiki: http://www.protocolinfo.org/wiki/Biff
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 512
#
diff --git a/usr/local/share/protocols/bittorrent.pat b/usr/local/share/protocols/bittorrent.pat
index e5aa5bc..54063ce 100644
--- a/usr/local/share/protocols/bittorrent.pat
+++ b/usr/local/share/protocols/bittorrent.pat
@@ -2,11 +2,11 @@
# Pattern attributes: good slow notsofast undermatch
# Protocol groups: p2p open_source
# Wiki: http://www.protocolinfo.org/wiki/Bittorrent
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested and is believed to work well.
# It will, however, not work on bittorrent streams that are encrypted, since
-# it's impossible to match encrypted data (unless the encryption is extremely
-# weak, like rot13 or something...).
+# it's impossible to match (well) encrypted data.
bittorrent
@@ -16,12 +16,10 @@ bittorrent
# Next bit matches something Azureus does
# Ditto on the next bit. Could also match on "user-agent: azureus", but that's in the next
# packet and perhaps this will match multiple clients.
-
-# Recently the ^ was removed from before \x13. I think this was an accident,
-# so I have restored it.
+# bitcomet-specific strings contributed by liangjun.
# This is not a valid GNU basic regular expression (but that's ok).
-^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=)|d1:ad2:id20:|\x08'7P\)[RP]
+^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]
# This pattern is "fast", but won't catch as much
#^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=)
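Review bot: The new pattern line is missing a `|` between `get /scrape\?info_hash=` and `get /announce\?info_hash=`, so that alternative only matches the two strings run together. Neither a scrape nor an announce request is classified on its own, although the previous pattern did match scrape requests. For a rule used to block or shape BitTorrent this is a silent undermatch on tracker traffic; the alternation should read `get /scrape\?info_hash=|get /announce\?info_hash=|get /client/bitcomet/`. Separately, `GET /data\?fid=` is the only upper-case literal: if the matcher lowercases payload before matching, as the other lower-case `get` alternatives suggest, it can never match and should be written `get /data\?fid=`.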
diff --git a/usr/local/share/protocols/chikka.pat b/usr/local/share/protocols/chikka.pat
index c7259a7..a97ef28 100644
--- a/usr/local/share/protocols/chikka.pat
+++ b/usr/local/share/protocols/chikka.pat
@@ -1,7 +1,8 @@
# Chikka - SMS service which can be used without phones - http://chikka.com
-# Pattern attributes: good veryfast fast superset
+# Pattern attributes: good fast fast superset
# Protocol groups: proprietary chat
# Wiki: http://www.protocolinfo.org/wiki/Chikka
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# Tested with Chikka Javalite on 14 Jan 2007.
# The login and chat use the same TCP connection.
@@ -13,4 +14,4 @@
# Chikka uses CIMD as part of the login process, see cimd.pat
chikka
-^CTPv1.[123] Kamusta.*\x0d\x0a$
+^CTPv1\.[123] Kamusta.*\x0d\x0a$
diff --git a/usr/local/share/protocols/cimd.pat b/usr/local/share/protocols/cimd.pat
index 6df274f..f508350 100644
--- a/usr/local/share/protocols/cimd.pat
+++ b/usr/local/share/protocols/cimd.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good notsofast notsofast subset
# Protocol groups: proprietary chat
# Wiki: http://www.protocolinfo.org/wiki/CIMD
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# I don't know whether CIMD is ever found by itself in a TCP connection.
# I have only seen it myself as part of the Chikka login process, in
diff --git a/usr/local/share/protocols/ciscovpn.pat b/usr/local/share/protocols/ciscovpn.pat
index c15725e..d3dd7a6 100644
--- a/usr/local/share/protocols/ciscovpn.pat
+++ b/usr/local/share/protocols/ciscovpn.pat
@@ -2,6 +2,7 @@
# Pattern attributes: ok veryfast fast
# Protocol groups: remote_access proprietary
# Wiki: http://www.protocolinfo.org/wiki/Cisco_VPN
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern contributed by Myles Uyema <myles AT uyema.net>
diff --git a/usr/local/share/protocols/citrix.pat b/usr/local/share/protocols/citrix.pat
index 1215c22..fa73ce1 100644
--- a/usr/local/share/protocols/citrix.pat
+++ b/usr/local/share/protocols/citrix.pat
@@ -2,6 +2,7 @@
# Pattern attributes: marginal notsofast notsofast
# Protocol groups: remote_access proprietary
# Wiki: http://www.protocolinfo.org/wiki/Citrix
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is UNTESTED.
diff --git a/usr/local/share/protocols/counterstrike-source.pat b/usr/local/share/protocols/counterstrike-source.pat
index 94aa07a..8ebd627 100644
--- a/usr/local/share/protocols/counterstrike-source.pat
+++ b/usr/local/share/protocols/counterstrike-source.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good veryfast fast
# Protocol groups: game proprietary
# Wiki: http://www.protocolinfo.org/wiki/Counter-Strike
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# By adam.randazzoATgmail.com
diff --git a/usr/local/share/protocols/cvs.pat b/usr/local/share/protocols/cvs.pat
index d6cf503..fc084d3 100644
--- a/usr/local/share/protocols/cvs.pat
+++ b/usr/local/share/protocols/cvs.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good veryfast fast
# Protocol groups: version_control open_source
# Wiki: http://www.protocolinfo.org/wiki/CVS
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
cvs
diff --git a/usr/local/share/protocols/dayofdefeat-source.pat b/usr/local/share/protocols/dayofdefeat-source.pat
index 1a90b4d..42b24bb 100644
--- a/usr/local/share/protocols/dayofdefeat-source.pat
+++ b/usr/local/share/protocols/dayofdefeat-source.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good veryfast fast
# Protocol groups: game proprietary
# Wiki: http://www.protocolinfo.org/wiki/Day_of_Defeat:Source
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# By Clayton Macleod <cherry twist at gmail dot com>
diff --git a/usr/local/share/protocols/dhcp.pat b/usr/local/share/protocols/dhcp.pat
index 9594ea4..fbda7de 100644
--- a/usr/local/share/protocols/dhcp.pat
+++ b/usr/local/share/protocols/dhcp.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good veryfast fast
# Protocol groups: networking ietf_draft_standard
# Wiki: http://www.protocolinfo.org/wiki/DHCP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on ports 67 (server) and 68 (client)
#
diff --git a/usr/local/share/protocols/directconnect.pat b/usr/local/share/protocols/directconnect.pat
index 41631f7..13be4a1 100644
--- a/usr/local/share/protocols/directconnect.pat
+++ b/usr/local/share/protocols/directconnect.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good fast fast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/Direct_Connect
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Direct Connect "hubs" listen on port 411
# http://www.dcpp.net/wiki/
diff --git a/usr/local/share/protocols/dns.pat b/usr/local/share/protocols/dns.pat
index 5bc0ac0..c351831 100644
--- a/usr/local/share/protocols/dns.pat
+++ b/usr/local/share/protocols/dns.pat
@@ -2,6 +2,7 @@
# Pattern attributes: great slow fast
# Protocol groups: networking ietf_internet_standard
# Wiki: http://www.protocolinfo.org/wiki/DNS
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# Thanks to Sebastien Bechet <s.bechet AT av7.net> for TLD detection
# improvements
diff --git a/usr/local/share/protocols/doom3.pat b/usr/local/share/protocols/doom3.pat
index ef59ee7..7d32d6f 100644
--- a/usr/local/share/protocols/doom3.pat
+++ b/usr/local/share/protocols/doom3.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good veryfast fast
# Protocol groups: game proprietary
# Wiki: http://www.protocolinfo.org/wiki/Doom
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Thanks to Clayton Macleod (cherrytwist at gmail.com).
diff --git a/usr/local/share/protocols/edonkey.pat b/usr/local/share/protocols/edonkey.pat
index 50a072c..bc2522e 100644
--- a/usr/local/share/protocols/edonkey.pat
+++ b/usr/local/share/protocols/edonkey.pat
@@ -1,7 +1,8 @@
# eDonkey2000 - P2P filesharing - http://edonkey2000.com and others
-# Pattern attributes: good veryfast fast overmatch
+# Pattern attributes: good fast fast overmatch
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/EDonkey
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Tested recently (April/May 2006) with eMule 0.47a and eDonkey2000 1.4
# and a long time ago with something else.
diff --git a/usr/local/share/protocols/fasttrack.pat b/usr/local/share/protocols/fasttrack.pat
index c821ae4..6ed8ff1 100644
--- a/usr/local/share/protocols/fasttrack.pat
+++ b/usr/local/share/protocols/fasttrack.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good slow notsofast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/Fasttrack
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Tested with Kazaa Lite Resurrection 0.0.7.6F
#
diff --git a/usr/local/share/protocols/finger.pat b/usr/local/share/protocols/finger.pat
index b2b59d8..7f81d48 100644
--- a/usr/local/share/protocols/finger.pat
+++ b/usr/local/share/protocols/finger.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good slow slow undermatch overmatch
# Protocol groups: ietf_draft_standard
# Wiki: http://www.protocolinfo.org/wiki/Finger
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 79
#
diff --git a/usr/local/share/protocols/freenet.pat b/usr/local/share/protocols/freenet.pat
index 626acb9..c62ad57 100644
--- a/usr/local/share/protocols/freenet.pat
+++ b/usr/local/share/protocols/freenet.pat
@@ -2,6 +2,7 @@
# Pattern attributes: poor veryfast fast
# Protocol groups: p2p document_retrieval open_source
# Wiki: http://www.protocolinfo.org/wiki/Freenet
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
freenet
# Freenet is intentionally hard to identify...
diff --git a/usr/local/share/protocols/ftp.pat b/usr/local/share/protocols/ftp.pat
index a7f9e0e..44d97c4 100644
--- a/usr/local/share/protocols/ftp.pat
+++ b/usr/local/share/protocols/ftp.pat
@@ -2,6 +2,7 @@
# Pattern attributes: great notsofast fast
# Protocol groups: document_retrieval ietf_internet_standard
# Wiki: http://protocolinfo.org/wiki/FTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 21. Note that the data stream is on a dynamically
# assigned port, which means that you will need the FTP connection
diff --git a/usr/local/share/protocols/gkrellm.pat b/usr/local/share/protocols/gkrellm.pat
index 2acf73b..73eb537 100644
--- a/usr/local/share/protocols/gkrellm.pat
+++ b/usr/local/share/protocols/gkrellm.pat
@@ -2,6 +2,7 @@
# Pattern attributes: great veryfast fast
# Protocol groups: monitoring open_source
# Wiki: http://www.protocolinfo.org/wiki/Gkrellm
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested and is believed to work well.
# Since this is not anything resembling a published protocol, it may change without
diff --git a/usr/local/share/protocols/gnucleuslan.pat b/usr/local/share/protocols/gnucleuslan.pat
index 2a106f4..ae5895b 100644
--- a/usr/local/share/protocols/gnucleuslan.pat
+++ b/usr/local/share/protocols/gnucleuslan.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good notsofast notsofast
# Protocol groups: p2p open_source
# Wiki: http://www.protocolinfo.org/wiki/GnucleusLAN
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested and is believed to work well.
diff --git a/usr/local/share/protocols/gnutella.pat b/usr/local/share/protocols/gnutella.pat
index 57a76de..770ed43 100644
--- a/usr/local/share/protocols/gnutella.pat
+++ b/usr/local/share/protocols/gnutella.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good notsofast notsofast
# Protocol groups: p2p open_source
# Wiki: http://www.protocolinfo.org/wiki/Gnutella
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This should match both Gnutella and "Gnutella2" ("Mike's protocol")
#
diff --git a/usr/local/share/protocols/goboogy.pat b/usr/local/share/protocols/goboogy.pat
index 2cc93da..d88d00b 100644
--- a/usr/local/share/protocols/goboogy.pat
+++ b/usr/local/share/protocols/goboogy.pat
@@ -2,6 +2,7 @@
# Pattern attributes: marginal slow notsofast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/GoBoogy
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is untested and likely does not work in all cases!
#
diff --git a/usr/local/share/protocols/gopher.pat b/usr/local/share/protocols/gopher.pat
index 3f49757..773016f 100644
--- a/usr/local/share/protocols/gopher.pat
+++ b/usr/local/share/protocols/gopher.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good slow notsofast undermatch
# Protocol groups: document_retrieval obsolete ietf_rfc_documented
# Wiki: http://www.protocolinfo.org/wiki/Gopher
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Gopher servers usually run on TCP port 70.
#
diff --git a/usr/local/share/protocols/h323.pat b/usr/local/share/protocols/h323.pat
index d3f59c5..75b1a39 100644
--- a/usr/local/share/protocols/h323.pat
+++ b/usr/local/share/protocols/h323.pat
@@ -2,6 +2,7 @@
# Pattern attributes: ok veryfast fast
# Protocol groups: voip itu-t_standard
# Wiki: http://www.protocolinfo.org/wiki/H.323
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is written without knowledge of the principles of H.323.
# It has only been tested with gnomemeeting and may not work for other
diff --git a/usr/local/share/protocols/halflife2-deathmatch.pat b/usr/local/share/protocols/halflife2-deathmatch.pat
index 6efe59e..45d0bb0 100644
--- a/usr/local/share/protocols/halflife2-deathmatch.pat
+++ b/usr/local/share/protocols/halflife2-deathmatch.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good veryfast fast
# Protocol groups: game proprietary
# Wiki: http://www.protocolinfo.org/wiki/Half-Life
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# By Clayton Macleod <cherrytwist TA gmail.com>
diff --git a/usr/local/share/protocols/hddtemp.pat b/usr/local/share/protocols/hddtemp.pat
index 31a640f..cdd908c 100644
--- a/usr/local/share/protocols/hddtemp.pat
+++ b/usr/local/share/protocols/hddtemp.pat
@@ -2,6 +2,7 @@
# Pattern attributes: great veryfast fast
# Protocol groups: monitoring open_source
# Wiki: http://www.protocolinfo.org/wiki/HDDtemp
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 7634
#
diff --git a/usr/local/share/protocols/hotline.pat b/usr/local/share/protocols/hotline.pat
index 1c11c62..20ec6de 100644
--- a/usr/local/share/protocols/hotline.pat
+++ b/usr/local/share/protocols/hotline.pat
@@ -2,6 +2,7 @@
# Pattern attributes: marginal fast fast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/Hotline
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is untested!
#
diff --git a/usr/local/share/protocols/http-rtsp.pat b/usr/local/share/protocols/http-rtsp.pat
index 3cb65fb..73ef926 100644
--- a/usr/local/share/protocols/http-rtsp.pat
+++ b/usr/local/share/protocols/http-rtsp.pat
@@ -1,7 +1,8 @@
# RTSP tunneled within HTTP
-# Pattern attributes: ok notsofast notsofast subset
+# Pattern attributes: ok notsofast fast subset
# Protocol groups: streaming_audio streaming_video ietf_draft_standard
# Wiki: http://www.protocolinfo.org/wiki/RTSP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Apple's documentation on what Quicktime does:
# http://developer.apple.com/quicktime/icefloe/dispatch028.html
diff --git a/usr/local/share/protocols/http.pat b/usr/local/share/protocols/http.pat
index 550aa0b..5122310 100644
--- a/usr/local/share/protocols/http.pat
+++ b/usr/local/share/protocols/http.pat
@@ -2,6 +2,7 @@
# Pattern attributes: great slow notsofast superset
# Protocol groups: document_retrieval ietf_draft_standard
# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 80
#
diff --git a/usr/local/share/protocols/ident.pat b/usr/local/share/protocols/ident.pat
index d6d89c3..3205e5e 100644
--- a/usr/local/share/protocols/ident.pat
+++ b/usr/local/share/protocols/ident.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good fast fast
# Protocol groups: networking ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/Ident
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 113
#
diff --git a/usr/local/share/protocols/imap.pat b/usr/local/share/protocols/imap.pat
index eac620d..3f989c0 100644
--- a/usr/local/share/protocols/imap.pat
+++ b/usr/local/share/protocols/imap.pat
@@ -1,7 +1,8 @@
# IMAP - Internet Message Access Protocol (A common e-mail protocol)
-# Pattern attributes: great veryfast fast
+# Pattern attributes: great fast fast
# Protocol groups: mail ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/IMAP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This matches IMAP4 (RFC 3501) and probably IMAP2 (RFC 1176)
#
diff --git a/usr/local/share/protocols/imesh.pat b/usr/local/share/protocols/imesh.pat
index 782047f..4cb7ac7 100644
--- a/usr/local/share/protocols/imesh.pat
+++ b/usr/local/share/protocols/imesh.pat
@@ -1,7 +1,8 @@
# iMesh - the native protocol of iMesh, a P2P application - http://imesh.com
-# Pattern attributes: ok notsofast notsofast
+# Pattern attributes: ok fast notsofast
# Protocol groups: p2p
# Wiki: http://protocolinfo.org/wiki/iMesh
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# depending on the version of iMesh (the program), it can also use fasttrack,
# gnutella and edonkey in addition to iMesh (the protocol).
diff --git a/usr/local/share/protocols/ipp.pat b/usr/local/share/protocols/ipp.pat
index a4a4d14..15540d0 100644
--- a/usr/local/share/protocols/ipp.pat
+++ b/usr/local/share/protocols/ipp.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good notsofast notsofast
# Protocol groups: printer ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/IPP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested and is believed to work well.
diff --git a/usr/local/share/protocols/irc.pat b/usr/local/share/protocols/irc.pat
index 2767336..b922b3e 100644
--- a/usr/local/share/protocols/irc.pat
+++ b/usr/local/share/protocols/irc.pat
@@ -1,7 +1,8 @@
# IRC - Internet Relay Chat - RFC 1459
-# Pattern attributes: great veryfast fast
+# Pattern attributes: great fast fast
# Protocol groups: chat ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/IRC
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 6666 or 6667
# Note that chat traffic runs on these ports, but IRC-DCC traffic (which
diff --git a/usr/local/share/protocols/jabber.pat b/usr/local/share/protocols/jabber.pat
index aa51c76..7c32890 100644
--- a/usr/local/share/protocols/jabber.pat
+++ b/usr/local/share/protocols/jabber.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good notsofast notsofast
# Protocol groups: chat ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/Jabber
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested with Gaim and Gabber. It is only tested
# with non-SSL mode Jabber with no proxies.
diff --git a/usr/local/share/protocols/kugoo.pat b/usr/local/share/protocols/kugoo.pat
index be15ad5..c478317 100644
--- a/usr/local/share/protocols/kugoo.pat
+++ b/usr/local/share/protocols/kugoo.pat
@@ -1,7 +1,16 @@
# KuGoo - a Chinese P2P program - http://www.kugoo.com
-# Pattern attributes: ok veryfast fast
+# Pattern attributes: ok fast fast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/KuGoo
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+kugoo
+# liangjun says: "i find old pattern is not working for kugoo 2008. so i
+# write a new pattern of kugoo 2008 ,it's working with all of kugoo 2008
+# version!"
+^(\x64.....\x70....\x50\x37|\x65.+)
+
+# Pattern before 2008 11 08
#
# The author of this pattern says it works, but this is unconfirmed.
# Written by www.routerclub.com wsgtrsys.
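Review bot: The `\x65.+` branch of the new pattern `^(\x64.....\x70....\x50\x37|\x65.+)` matches any connection whose first byte is 0x65 (ASCII `e`) followed by at least one more byte, which is far wider than KuGoo traffic. In a block or shaping rule it would also catch unrelated flows, yet the header still reads `ok fast fast` with no overmatch marker. Either anchor that branch on further fixed bytes taken from a KuGoo 2008 capture, or at minimum record the risk in the header as `# Pattern attributes: ok fast fast overmatch`. The only evidence shown that the pattern works is the contributor's own quote, so a line such as `# Unconfirmed; submitted by liangjun.` would match how other files in this set state their test status.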
@@ -9,6 +18,4 @@
# LanTian submitted \x64.+\x74\x47\x50\x37 for "KuGoo2", but adding as
# another branch makes the pattern REALLY slow. If it could have a ^, that'd
# be ok (still veryfast/fast). Waiting to hear.
-
-kugoo
-^(\x31..\x8e|\x64.+\x74\x47\x50\x37)
+#^(\x31..\x8e|\x64.+\x74\x47\x50\x37)
diff --git a/usr/local/share/protocols/live365.pat b/usr/local/share/protocols/live365.pat
index 9360892..144ac50 100644
--- a/usr/local/share/protocols/live365.pat
+++ b/usr/local/share/protocols/live365.pat
@@ -2,6 +2,7 @@
# Pattern attributes: marginal notsofast notsofast
# Protocol groups: streaming_audio
# Wiki: http://www.protocolinfo.org/wiki/Live365
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern was "contributed" (taken with permission) by the bandwidth
# arbitrator project (www.bandwidtharbitrator.com).
diff --git a/usr/local/share/protocols/liveforspeed.pat b/usr/local/share/protocols/liveforspeed.pat
index 17b755d..ad32e9a 100644
--- a/usr/local/share/protocols/liveforspeed.pat
+++ b/usr/local/share/protocols/liveforspeed.pat
@@ -1,7 +1,8 @@
# Live For Speed - A racing game.
-# Pattern attributes: poor veryfast fast
+# Pattern attributes: poor fast fast
# Protocol groups: game proprietary
# Wiki: http://www.protocolinfo.org/wiki/Live_For_Speed
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern was submitted to protocolinfo.org by 80.55.238.74 with no
# explanation. It is unconfirmed.
diff --git a/usr/local/share/protocols/lpd.pat b/usr/local/share/protocols/lpd.pat
index d1b8ae7..4b78dfe 100644
--- a/usr/local/share/protocols/lpd.pat
+++ b/usr/local/share/protocols/lpd.pat
@@ -2,6 +2,7 @@
# Pattern attributes: ok fast fast
# Protocol groups: printer ietf_rfc_documented
# Wiki: http://www.protocolinfo.org/wiki/LPD
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is untested.
diff --git a/usr/local/share/protocols/mohaa.pat b/usr/local/share/protocols/mohaa.pat
index aebe47a..00b6c07 100644
--- a/usr/local/share/protocols/mohaa.pat
+++ b/usr/local/share/protocols/mohaa.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good veryfast fast
# Protocol groups: game proprietary
# Wiki: http://www.protocolinfo.org/wiki/Medal_of_Honor_Allied_Assault
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is written and tested by Krzysztof Maciejewski.
diff --git a/usr/local/share/protocols/msn-filetransfer.pat b/usr/local/share/protocols/msn-filetransfer.pat
index 5ffddfc..797edb4 100644
--- a/usr/local/share/protocols/msn-filetransfer.pat
+++ b/usr/local/share/protocols/msn-filetransfer.pat
@@ -1,7 +1,8 @@
# MSN (Micosoft Network) Messenger file transfers (MSNFTP and MSNSLP)
-# Pattern attributes: good veryfast fast
+# Pattern attributes: good fast fast
# Protocol groups: chat document_retrieval proprietary
# Wiki: http://www.protocolinfo.org/wiki/MSN_Messenger
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# http://www.hypothetic.org/docs/msn/client/file_transfer.php
diff --git a/usr/local/share/protocols/msnmessenger.pat b/usr/local/share/protocols/msnmessenger.pat
index 41f1075..11dfc10 100644
--- a/usr/local/share/protocols/msnmessenger.pat
+++ b/usr/local/share/protocols/msnmessenger.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good slow notsofast
# Protocol groups: chat proprietary
# Wiki: http://www.protocolinfo.org/wiki/MSN_Messenger
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually uses TCP port 1863
# http://www.hypothetic.org/docs/msn/index.php
diff --git a/usr/local/share/protocols/mute.pat b/usr/local/share/protocols/mute.pat
index c803090..53f2e23 100644
--- a/usr/local/share/protocols/mute.pat
+++ b/usr/local/share/protocols/mute.pat
@@ -1,7 +1,8 @@
# MUTE - P2P filesharing - http://mute-net.sourceforge.net
-# Pattern attributes: marginal veryfast fast
+# Pattern attributes: marginal fast fast
# Protocol groups: p2p open_source
# Wiki: http://www.protocolinfo.org/wiki/MUTE
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is lightly tested. I don't know for sure that it will
# match the actual file transfers.
diff --git a/usr/local/share/protocols/napster.pat b/usr/local/share/protocols/napster.pat
index 83005b8..d7ef032 100644
--- a/usr/local/share/protocols/napster.pat
+++ b/usr/local/share/protocols/napster.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good fast fast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/Napster
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# All my tests show that this pattern is fast, but one user has reported that
# it is slow. Your milage may vary.
diff --git a/usr/local/share/protocols/nbns.pat b/usr/local/share/protocols/nbns.pat
index d4fff4f..ca114de 100644
--- a/usr/local/share/protocols/nbns.pat
+++ b/usr/local/share/protocols/nbns.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good slow notsofast
# Protocol groups: networking proprietary
# Wiki: http://www.protocolinfo.org/wiki/NBNS
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested and is believed to work well.
#
diff --git a/usr/local/share/protocols/ncp.pat b/usr/local/share/protocols/ncp.pat
index b4788a1..55792b2 100644
--- a/usr/local/share/protocols/ncp.pat
+++ b/usr/local/share/protocols/ncp.pat
@@ -1,7 +1,8 @@
# NCP - Novell Core Protocol
-# Pattern attributes: good veryfast fast
+# Pattern attributes: good fast fast
# Protocol groups: networking proprietary
# Wiki: http://www.protocolinfo.org/wiki/NCP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested and is believed to work well.
diff --git a/usr/local/share/protocols/netbios.pat b/usr/local/share/protocols/netbios.pat
index 8e90074..a0314b1 100644
--- a/usr/local/share/protocols/netbios.pat
+++ b/usr/local/share/protocols/netbios.pat
@@ -2,6 +2,7 @@
# Pattern attributes: marginal notsofast notsofast
# Protocol groups: networking ietf_internet_standard proprietary
# Wiki: http://www.protocolinfo.org/wiki/NetBIOS
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# As mentioned in smb.pat:
#
diff --git a/usr/local/share/protocols/nntp.pat b/usr/local/share/protocols/nntp.pat
index 769c8a5..7a30578 100644
--- a/usr/local/share/protocols/nntp.pat
+++ b/usr/local/share/protocols/nntp.pat
@@ -1,7 +1,8 @@
# NNTP - Network News Transfer Protocol - RFCs 977 and 2980
-# Pattern attributes: good veryfast fast
+# Pattern attributes: good fast fast
# Protocol groups: ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/NNTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# usually runs on port 119
diff --git a/usr/local/share/protocols/ntp.pat b/usr/local/share/protocols/ntp.pat
index a24fb05..760cfdb 100644
--- a/usr/local/share/protocols/ntp.pat
+++ b/usr/local/share/protocols/ntp.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good fast fast overmatch
# Protocol groups: time_synchronization ietf_draft_standard
# Wiki: http://www.protocolinfo.org/wiki/NTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is tested and is believed to work.
diff --git a/usr/local/share/protocols/openft.pat b/usr/local/share/protocols/openft.pat
index f81499a..09fa852 100644
--- a/usr/local/share/protocols/openft.pat
+++ b/usr/local/share/protocols/openft.pat
@@ -1,7 +1,8 @@
# OpenFT - P2P filesharing (implemented in giFT library)
-# Pattern attributes: good fast notsofast
+# Pattern attributes: good notsofast notsofast
# Protocol groups: p2p open_source
# Wiki: http://www.protocolinfo.org/wiki/OpenFT
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# Ben Efros <ben AT xgendev.com> says:
# "This pattern identifies openFT P2P transfers fine. openFT is part of giFT
diff --git a/usr/local/share/protocols/pcanywhere.pat b/usr/local/share/protocols/pcanywhere.pat
index 86dae6b..60b50a7 100644
--- a/usr/local/share/protocols/pcanywhere.pat
+++ b/usr/local/share/protocols/pcanywhere.pat
@@ -2,6 +2,7 @@
# Pattern attributes: marginal veryfast fast
# Protocol groups: remote_access proprietary
# Wiki: http://www.protocolinfo.org/wiki/PcAnywhere
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# This is completely untested!
# See http://www.unixwiz.net/tools/pcascan.txt
diff --git a/usr/local/share/protocols/poco.pat b/usr/local/share/protocols/poco.pat
index 2bcf66d..c7ce686 100644
--- a/usr/local/share/protocols/poco.pat
+++ b/usr/local/share/protocols/poco.pat
@@ -2,6 +2,7 @@
# Pattern attributes: ok veryfast fast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/Poco
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# The author of this pattern says it works, but this is unconfirmed.
# Written by www.routerclub.com wsgtrsys.
diff --git a/usr/local/share/protocols/pop3.pat b/usr/local/share/protocols/pop3.pat
index b3d76e2..47a8252 100644
--- a/usr/local/share/protocols/pop3.pat
+++ b/usr/local/share/protocols/pop3.pat
@@ -1,7 +1,8 @@
# POP3 - Post Office Protocol version 3 (popular e-mail protocol) - RFC 1939
-# Pattern attributes: great veryfast fast
+# Pattern attributes: great fast fast
# Protocol groups: mail ietf_internet_standard
# Wiki: http://www.protocolinfo.org/wiki/POP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested somewhat.
diff --git a/usr/local/share/protocols/qq.pat b/usr/local/share/protocols/qq.pat
index 7689439..08db802 100644
--- a/usr/local/share/protocols/qq.pat
+++ b/usr/local/share/protocols/qq.pat
@@ -1,7 +1,8 @@
# Tencent QQ Protocol - Chinese instant messenger protocol - http://www.qq.com
-# Pattern attributes: good fast fast
+# Pattern attributes: good notsofast fast
# Protocol groups: chat
# Wiki: http://www.protocolinfo.org/wiki/QQ
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Over six million people use QQ in China, according to wsgtrsys.
#
diff --git a/usr/local/share/protocols/quake-halflife.pat b/usr/local/share/protocols/quake-halflife.pat
index 7e2b537..97e7d84 100644
--- a/usr/local/share/protocols/quake-halflife.pat
+++ b/usr/local/share/protocols/quake-halflife.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good veryfast fast
# Protocol groups: game proprietary
# Wiki: http://www.protocolinfo.org/wiki/Half-Life http://www.protocolinfo.org/wiki/Counter-Strike http://www.protocolinfo.org/wiki/Day_of_Defeat
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Contributed by Laurens Blankers <laurens AT blankersfamily.com>, who says:
#
diff --git a/usr/local/share/protocols/quake1.pat b/usr/local/share/protocols/quake1.pat
index 18e0ca0..46bdebd 100644
--- a/usr/local/share/protocols/quake1.pat
+++ b/usr/local/share/protocols/quake1.pat
@@ -2,6 +2,7 @@
# Pattern attributes: marginal veryfast fast
# Protocol groups: game proprietary
# Wiki: http://www.protocolinfo.org/wiki/Quake
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is untested and unconfirmed.
diff --git a/usr/local/share/protocols/radmin.pat b/usr/local/share/protocols/radmin.pat
index 52ff6e0..d13aa65 100644
--- a/usr/local/share/protocols/radmin.pat
+++ b/usr/local/share/protocols/radmin.pat
@@ -2,6 +2,7 @@
# Pattern attributes: ok veryfast fast
# Protocol groups: remote_access proprietary
# Wiki: http://www.protocolinfo.org/wiki/Radmin
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been verified with Radmin v1.1 and v3.0beta on Win2000/XP
# It has only been tested between a single pair of computers.
diff --git a/usr/local/share/protocols/rdp.pat b/usr/local/share/protocols/rdp.pat
index e10a81d..44b853f 100644
--- a/usr/local/share/protocols/rdp.pat
+++ b/usr/local/share/protocols/rdp.pat
@@ -2,6 +2,7 @@
# Pattern attributes: ok notsofast notsofast
# Protocol groups: remote_access proprietary
# Wiki: http://www.protocolinfo.org/wiki/RDP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern was submitted by Michael Leong. It has been tested under the
# following conditions: "WinXP Pro with all the patches, rdesktop server
diff --git a/usr/local/share/protocols/replaytv-ivs.pat b/usr/local/share/protocols/replaytv-ivs.pat
index 4d44b0f..aaf9255 100644
--- a/usr/local/share/protocols/replaytv-ivs.pat
+++ b/usr/local/share/protocols/replaytv-ivs.pat
@@ -1,7 +1,8 @@
# ReplayTV Internet Video Sharing - Digital Video Recorder - http://replaytv.com
-# Pattern attributes: good veryfast fast
-# Protocol groups:
+# Pattern attributes: good fast fast
+# Protocol groups:
# Wiki: http://www.protocolinfo.org/wiki/ReplayTV
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Pattern by jm 409 at hot mail dot com, who says that this one "worked best".
diff --git a/usr/local/share/protocols/rlogin.pat b/usr/local/share/protocols/rlogin.pat
index 92f3735..42c4f7e 100644
--- a/usr/local/share/protocols/rlogin.pat
+++ b/usr/local/share/protocols/rlogin.pat
@@ -1,7 +1,8 @@
# rlogin - remote login - RFC 1282
-# Pattern attributes: ok veryfast fast
+# Pattern attributes: ok fast fast
# Protocol groups: remote_access ietf_rfc_documented
# Wiki: http://www.protocolinfo.org/wiki/Rlogin
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# usually runs on port 443
#
diff --git a/usr/local/share/protocols/rtp.pat b/usr/local/share/protocols/rtp.pat
index d808e1e..61fcd8e 100644
--- a/usr/local/share/protocols/rtp.pat
+++ b/usr/local/share/protocols/rtp.pat
@@ -1,40 +1,33 @@
# RTP - Real-time Transport Protocol - RFC 3550
-# Pattern attributes: marginal overmatch undermatch veryfast fast
+# Pattern attributes: ok overmatch undermatch fast fast
# Protocol groups: streaming_video ietf_internet_standard
# Wiki: http://www.protocolinfo.org/wiki/RTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# RTP headers are *very* short and compact. They have almost nothing in
-# them that can be matched by l7-filter. If you want to match them
-# along with their associated SIP packets, I think the best way might be
-# to set up some iptables rules that watch for SIP packets and then also
-# match any other UDP packets that are going between the same two IP
-# addresses.
+# them that can be matched by l7-filter. As RTP connections take place
+# between even numbered ports, you should probably check for that before
+# applying this pattern. If you want to match them along with their
+# associated SIP packets, you might try setting up some iptables rules
+# that watch for SIP packets and then also match any other UDP packets
+# that are going between the same two IP addresses.
#
-# However, I will attempt a pattern anyway. This is UNTESTED!
-#
# I think we can count on the first bit being 1 and the second bit being
# 0 (meaning protocol version 2). The next two bits could go either way,
# but in the example I've seen, they are zero, so I'll assume they are
# usually zero. The next four bits are a count of "contributing source
# identifiers". I'm not sure how big that could be, but in the example
# I've seen, they're zero, so I'll assume they're usually zero. So that
-# gives us ^\x80. The marker bit that comes next is probably zero for
-# the first packet, although that's not a sure thing. Next is the
-# payload type, 7 bits that might usually only take a few values, but
-# maybe not. In the example I've seen, it's zero, which (with a zero
-# marker bit) means it looks to l7-filter like it's not there at all.
-# The rest of the header is random numbers (sequence number, timestamp,
-# synchronization source identifier), so that's no help at all.
-#
-# I think the best we could do is to watch to see if several \x80 bytes
-# come in with a small number of bytes between them. This makes all the
-# above assumptions and also assumes that the first packet has no
-# payload and not too much trailing gargage. So this will definitely not
-# work all the time. It clearly also might match other stuff.
+# gives us ^\x80. The next bit is a tossup. Next is the payload type, 7
+# bits. I've taken likely values from the WireShark code: 0-34, 96-127
+# (decimal). The rest of the header is random numbers (sequence number,
+# timestamp, synchronization source identifier), so that's no help at
+# all.
rtp
-^\x80......?.?.?.?.?.?.?.?.?.?.?.?.?\x80
+^\x80[\x01-"`-\x7f\x80-\xa2\xe0-\xff]?..........*\x80
# Might also try this. It's a bit slower (one packet and not too much extra
# regexec load) and a bit more accurate:
-#^\x80......?.?.?.?.?.?.?.?.?.?.?.?.?\x80.*\x80
+#^\x80[\x01-"`-\x7f\x80-\xa2\xe0-\xff]?..........*\x80.*\x80
+
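Review bot: In the new `rtp` pattern the payload-type bracket expression is followed by `?` and then by a run of dots that accept any byte, so a second byte outside the listed ranges is simply consumed by the dots and the class does not narrow the match. With the trailing `.*` replacing the old bounded run of optional dots, the pattern now matches any flow that starts with `\x80` and has another `\x80` anywhere after a short minimum gap. That looks broader than the pattern it replaces, even though the attribute line moves from `marginal` to `ok`. The `?` is presumably there because a zero payload-type byte is not visible to the matcher, so rather than drop it I would say so in the header, e.g. `# The payload-type class is optional, so it does not restrict the match; expect overmatch.` The commented-out alternative below the pattern has the same property.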
diff --git a/usr/local/share/protocols/rtsp.pat b/usr/local/share/protocols/rtsp.pat
index a5f309c..1013ae3 100644
--- a/usr/local/share/protocols/rtsp.pat
+++ b/usr/local/share/protocols/rtsp.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good notsofast notsofast
# Protocol groups: streaming_video ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/RTSP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# usually runs on port 554
#
diff --git a/usr/local/share/protocols/shoutcast.pat b/usr/local/share/protocols/shoutcast.pat
index 6ae0824..e78883c 100644
--- a/usr/local/share/protocols/shoutcast.pat
+++ b/usr/local/share/protocols/shoutcast.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good slow notsofast
# Protocol groups: streaming_audio
# Wiki: http://www.protocolinfo.org/wiki/Icecast
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# usually runs on port 80
#
diff --git a/usr/local/share/protocols/sip.pat b/usr/local/share/protocols/sip.pat
index 3782e33..2728009 100644
--- a/usr/local/share/protocols/sip.pat
+++ b/usr/local/share/protocols/sip.pat
@@ -1,11 +1,13 @@
-# SIP - Session Initiation Protocol - Internet telephony - RFC 3261
-# Pattern attributes: ok fast fast
+# SIP - Session Initiation Protocol - Internet telephony - RFC 3261, 3265, etc.
+# Pattern attributes: good fast fast
# Protocol groups: voip ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/SIP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
-# This pattern has been tested with the Ubiquity SIP user agent.
-#
-# Thanks to Ankit Desai for this pattern.
+# This pattern has been tested with the Ubiquity SIP user agent and has been
+# confirmed by at least one other user.
+#
+# Thanks to Ankit Desai for this pattern. Updated by tehseen sagar.
#
# SIP typically uses port 5060.
#
@@ -15,4 +17,4 @@
#Request-Line = Method SP Request-URI SP SIP-Version CRLF
sip
-^(invite|register|cancel) sip[\x09-\x0d -~]*sip/[0-2]\.[0-9]
+^(invite|register|cancel|message|subscribe|notify) sip[\x09-\x0d -~]*sip/[0-2]\.[0-9]
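Review bot: The extended method list on the pattern line still leaves out `options`, which RFC 3261 defines alongside `invite`, `register` and `cancel` and which can be the first request on a flow, so such flows would not be classified as sip. If this label feeds a shaping or filtering rule, that is a gap in coverage rather than a cosmetic one. I would add it to the alternation: `^(invite|register|cancel|message|subscribe|notify|options) sip[\x09-\x0d -~]*sip/[0-2]\.[0-9]`.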
diff --git a/usr/local/share/protocols/skypeout.pat b/usr/local/share/protocols/skypeout.pat
index a6b6ba7..55e4e10 100644
--- a/usr/local/share/protocols/skypeout.pat
+++ b/usr/local/share/protocols/skypeout.pat
@@ -2,6 +2,7 @@
# Pattern attributes: ok slow notsofast overmatch
# Protocol groups: voip p2p proprietary
# Wiki: http://www.protocolinfo.org/wiki/Skype
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# Thanks to Myles Uyema, mylesuyema AT gmail.com
diff --git a/usr/local/share/protocols/skypetoskype.pat b/usr/local/share/protocols/skypetoskype.pat
index 3649492..ed1103a 100644
--- a/usr/local/share/protocols/skypetoskype.pat
+++ b/usr/local/share/protocols/skypetoskype.pat
@@ -2,6 +2,7 @@
# Pattern attributes: ok veryfast fast overmatch
# Protocol groups: voip p2p proprietary
# Wiki: http://www.protocolinfo.org/wiki/Skype
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# This matches at least some of the general chatter that occurs when the
# user isn't doing anything as well as actual calls.
diff --git a/usr/local/share/protocols/smb.pat b/usr/local/share/protocols/smb.pat
index cdf0fe1..c1f8b0a 100644
--- a/usr/local/share/protocols/smb.pat
+++ b/usr/local/share/protocols/smb.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good fast notsofast
# Protocol groups: document_retrieval networking proprietary
# Wiki: http://www.protocolinfo.org/wiki/SMB
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# "This protocol is sometimes also referred to as the Common Internet File
# System (CIFS), LanManager or NetBIOS protocol." -- "man samba"
diff --git a/usr/local/share/protocols/smtp.pat b/usr/local/share/protocols/smtp.pat
index eb98ae7..2f5d195 100644
--- a/usr/local/share/protocols/smtp.pat
+++ b/usr/local/share/protocols/smtp.pat
@@ -2,6 +2,7 @@
# Pattern attributes: great notsofast fast
# Protocol groups: mail ietf_internet_standard
# Wiki: http://www.protocolinfo.org/wiki/SMTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# usually runs on port 25
#
diff --git a/usr/local/share/protocols/snmp.pat b/usr/local/share/protocols/snmp.pat
index 5b88f03..a7186b2 100644
--- a/usr/local/share/protocols/snmp.pat
+++ b/usr/local/share/protocols/snmp.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good veryfast fast superset
# Protocol groups: networking ietf_internet_standard
# Wiki: http://www.protocolinfo.org/wiki/SNMP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on UDP ports 161 (monitoring) and 162 (traps).
#
diff --git a/usr/local/share/protocols/socks.pat b/usr/local/share/protocols/socks.pat
index a7501a8..54189fd 100644
--- a/usr/local/share/protocols/socks.pat
+++ b/usr/local/share/protocols/socks.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good notsofast notsofast
# Protocol groups: networking ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/SOCKS
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 1080
# Also useful: http://www.iana.org/assignments/socks-methods
diff --git a/usr/local/share/protocols/soribada.pat b/usr/local/share/protocols/soribada.pat
index a5da9fd..e1c0c56 100644
--- a/usr/local/share/protocols/soribada.pat
+++ b/usr/local/share/protocols/soribada.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good slow notsofast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/Soribada
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# I am told that there are three versions of this protocol, the first no
# longer being used. That would probably explain why incoming searches
diff --git a/usr/local/share/protocols/soulseek.pat b/usr/local/share/protocols/soulseek.pat
index 4385141..ebc06ab 100644
--- a/usr/local/share/protocols/soulseek.pat
+++ b/usr/local/share/protocols/soulseek.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good fast fast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/Soulseek
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# All my tests show that this pattern is fast, but one user has reported that
# it is slow. Your milage may vary.
diff --git a/usr/local/share/protocols/ssdp.pat b/usr/local/share/protocols/ssdp.pat
index db50362..d2de92d 100644
--- a/usr/local/share/protocols/ssdp.pat
+++ b/usr/local/share/protocols/ssdp.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good slow notsofast
# Protocol groups: networking ietf_draft_standard
# Wiki: http://www.protocolinfo.org/wiki/SSDP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# This pattern was tested only by listening to a Linksys WRT54G. However,
# I expect it works in general given the simplicity of the protocol.
diff --git a/usr/local/share/protocols/ssh.pat b/usr/local/share/protocols/ssh.pat
index adffe9e..5e32f5c 100644
--- a/usr/local/share/protocols/ssh.pat
+++ b/usr/local/share/protocols/ssh.pat
@@ -2,6 +2,7 @@
# Pattern attributes: great veryfast fast
# Protocol groups: remote_access secure ietf_draft_standard
# Wiki: http://www.protocolinfo.org/wiki/SSH
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# usually runs on port 22
#
diff --git a/usr/local/share/protocols/ssl.pat b/usr/local/share/protocols/ssl.pat
index a10589a1..ae30ee4 100644
--- a/usr/local/share/protocols/ssl.pat
+++ b/usr/local/share/protocols/ssl.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good notsofast fast superset
# Protocol groups: secure ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/SSL
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 443
#
diff --git a/usr/local/share/protocols/stun.pat b/usr/local/share/protocols/stun.pat
index 5f0f58a..3bfc3ab 100644
--- a/usr/local/share/protocols/stun.pat
+++ b/usr/local/share/protocols/stun.pat
@@ -2,6 +2,7 @@
# Pattern attributes: ok veryfast fast
# Protocol groups: networking ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/STUN
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is untested as far as I know.
diff --git a/usr/local/share/protocols/subspace.pat b/usr/local/share/protocols/subspace.pat
index 57dabf1..0a1b174 100644
--- a/usr/local/share/protocols/subspace.pat
+++ b/usr/local/share/protocols/subspace.pat
@@ -2,6 +2,7 @@
# Pattern attributes: marginal veryfast fast
# Protocol groups: game
# Wiki: http://www.protocolinfo.org/wiki/Subspace
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# By Myles Uyema <mylesuyema AT gmail.com>
#
diff --git a/usr/local/share/protocols/subversion.pat b/usr/local/share/protocols/subversion.pat
index cc5ec3b..8769a19 100644
--- a/usr/local/share/protocols/subversion.pat
+++ b/usr/local/share/protocols/subversion.pat
@@ -2,6 +2,7 @@
# Pattern attributes: ok veryfast fast
# Protocol groups: version_control open_source
# Wiki: http://www.protocolinfo.org/wiki/Subversion
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is UNTESTED. (But it seems straightforward enough...)
#
diff --git a/usr/local/share/protocols/teamfortress2.pat b/usr/local/share/protocols/teamfortress2.pat
index 83fb960..337af39 100644
--- a/usr/local/share/protocols/teamfortress2.pat
+++ b/usr/local/share/protocols/teamfortress2.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good veryfast fast
# Protocol groups: game proprietary
# Wiki: http://www.protocolinfo.org/wiki/Team_Fortress
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Credits: Clayton Macleod <cherry twist at gmail dot com>
# Jan Engelhardt <jengelh at computergmbh dot de>
diff --git a/usr/local/share/protocols/teamspeak.pat b/usr/local/share/protocols/teamspeak.pat
index e83569f..8b2155e 100644
--- a/usr/local/share/protocols/teamspeak.pat
+++ b/usr/local/share/protocols/teamspeak.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good veryfast fast
# Protocol groups: voip proprietary
# Wiki: http://www.protocolinfo.org/wiki/TeamSpeak
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested by Matthew Strait and verified by packet
# traces by at least two other people. The meaning of f4b303 is not
diff --git a/usr/local/share/protocols/telnet.pat b/usr/local/share/protocols/telnet.pat
index a93d17d..cf10d0e 100644
--- a/usr/local/share/protocols/telnet.pat
+++ b/usr/local/share/protocols/telnet.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good veryfast fast
# Protocol groups: remote_access obsolete ietf_internet_standard
# Wiki: http://www.protocolinfo.org/wiki/Telnet
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 23
#
diff --git a/usr/local/share/protocols/tesla.pat b/usr/local/share/protocols/tesla.pat
index f9fdece..1f4ee86 100644
--- a/usr/local/share/protocols/tesla.pat
+++ b/usr/local/share/protocols/tesla.pat
@@ -2,6 +2,7 @@
# Pattern attributes: marginal slow notsofast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/Tesla
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is untested!
diff --git a/usr/local/share/protocols/tftp.pat b/usr/local/share/protocols/tftp.pat
index e9f16f7..1782ff5 100644
--- a/usr/local/share/protocols/tftp.pat
+++ b/usr/local/share/protocols/tftp.pat
@@ -1,7 +1,8 @@
# TFTP - Trivial File Transfer Protocol - used for bootstrapping - RFC 1350
-# Pattern attributes: marginal veryfast fast
+# Pattern attributes: marginal fast fast
# Protocol groups: document_retrieval ietf_internet_standard
# Wiki: http://www.protocolinfo.org/wiki/TFTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# usually runs on port 69
#
diff --git a/usr/local/share/protocols/thecircle.pat b/usr/local/share/protocols/thecircle.pat
index a161531..d5e2b80 100644
--- a/usr/local/share/protocols/thecircle.pat
+++ b/usr/local/share/protocols/thecircle.pat
@@ -2,6 +2,7 @@
# Pattern attributes: ok veryfast fast
# Protocol groups: p2p open_source
# Wiki: http://www.protocolinfo.org/wiki/The_Circle
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# This is tested with The Circle 0.41c on Linux.
# It likely misses some stuff. Notably, I wasn't able to test it on any
diff --git a/usr/local/share/protocols/tor.pat b/usr/local/share/protocols/tor.pat
index 16f8884..7e4f707 100644
--- a/usr/local/share/protocols/tor.pat
+++ b/usr/local/share/protocols/tor.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good notsofast notsofast
# Protocol groups: networking
# Wiki: http://protocolinfo.org/wiki/Tor
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested and is believed to work well.
#
diff --git a/usr/local/share/protocols/tsp.pat b/usr/local/share/protocols/tsp.pat
index e704ce0..7751df9 100644
--- a/usr/local/share/protocols/tsp.pat
+++ b/usr/local/share/protocols/tsp.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good veryfast fast overmatch
# Protocol groups: time_synchronization open_source
# Wiki: http://www.protocolinfo.org/wiki/TSP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# http://ftp.svbug.com/ftp/pub/manuals/pdf/smm.22.timed.pdf
# http://docs.freebsd.org/44doc/smm/12.timed/paper.pdf
diff --git a/usr/local/share/protocols/unknown.pat b/usr/local/share/protocols/unknown.pat
index 1c1c166..56d8134 100644
--- a/usr/local/share/protocols/unknown.pat
+++ b/usr/local/share/protocols/unknown.pat
@@ -2,6 +2,7 @@
unknown
# This pattern is ignored by the kernel. It sees that the "protocol" is
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# "unknown" and always returns unmatched for connections that are still
# being tested.
.
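Review bot: The added Copyright line lands in the middle of a sentence, between `It sees that the "protocol" is` and `"unknown" and always returns unmatched`, which makes the explanation of this special pattern hard to follow. Move `# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE` above `# This pattern is ignored by the kernel.` so the sentence stays whole. The unset.pat hunk that follows has the same split and should get the same move.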
diff --git a/usr/local/share/protocols/unset.pat b/usr/local/share/protocols/unset.pat
index 80950c9..b9c1244 100644
--- a/usr/local/share/protocols/unset.pat
+++ b/usr/local/share/protocols/unset.pat
@@ -2,7 +2,7 @@
unset
# This pattern is ignored by the kernel. It sees that the "protocol" is
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# "testing" and always returns matched for connections that are still
# being tested.
-# NOT YET IMPLEMENTED.
.
diff --git a/usr/local/share/protocols/uucp.pat b/usr/local/share/protocols/uucp.pat
index c7685cd..f7ef22c 100644
--- a/usr/local/share/protocols/uucp.pat
+++ b/usr/local/share/protocols/uucp.pat
@@ -2,6 +2,7 @@
# Pattern attributes: ok veryfast fast
# Protocol groups: document_retrieval obsolete
# Wiki: http://www.protocolinfo.org/wiki/UUCP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# This is completely untested! (I don't know how to use UUCP...)
diff --git a/usr/local/share/protocols/validcertssl.pat b/usr/local/share/protocols/validcertssl.pat
index c004517..7aa1812 100644
--- a/usr/local/share/protocols/validcertssl.pat
+++ b/usr/local/share/protocols/validcertssl.pat
@@ -1,7 +1,8 @@
# Valid certificate SSL
-# Pattern attributes: good notsofast notsofast subset
+# Pattern attributes: good slow notsofast subset
# Protocol groups: secure ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/SSL
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# This matches anything claiming to use a valid certificate from a well
# known certificate authority.
diff --git a/usr/local/share/protocols/ventrilo.pat b/usr/local/share/protocols/ventrilo.pat
index 7ee9c13..74e588c 100644
--- a/usr/local/share/protocols/ventrilo.pat
+++ b/usr/local/share/protocols/ventrilo.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good fast fast
# Protocol groups: voip proprietary
# Wiki: http://www.protocolinfo.org/wiki/Ventrilo
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# I have tested this with Ventrilo client 2.3.0 on Windows talking to
# Ventrilo server 2.3.1 (the public version) on Linux. I've done this
diff --git a/usr/local/share/protocols/vnc.pat b/usr/local/share/protocols/vnc.pat
index 9f77fdf..79d0ae8 100644
--- a/usr/local/share/protocols/vnc.pat
+++ b/usr/local/share/protocols/vnc.pat
@@ -2,6 +2,7 @@
# Pattern attributes: great veryfast fast
# Protocol groups: remote_access
# Wiki: http://www.protocolinfo.org/wiki/VNC
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# http://www.realvnc.com/documentation.html
#
diff --git a/usr/local/share/protocols/whois.pat b/usr/local/share/protocols/whois.pat
index 0c8d0d0..6abf0e8 100644
--- a/usr/local/share/protocols/whois.pat
+++ b/usr/local/share/protocols/whois.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good notsofast notsofast overmatch
# Protocol groups: networking ietf_draft_standard
# Wiki: http://www.protocolinfo.org/wiki/Whois
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on TCP port 43
#
diff --git a/usr/local/share/protocols/worldofwarcraft.pat b/usr/local/share/protocols/worldofwarcraft.pat
index dae2643..4136d79 100644
--- a/usr/local/share/protocols/worldofwarcraft.pat
+++ b/usr/local/share/protocols/worldofwarcraft.pat
@@ -2,6 +2,7 @@
# Pattern attributes: ok veryfast fast
# Protocol groups: game proprietary
# Wiki: http://www.protocolinfo.org/wiki/World_of_Warcraft
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
worldofwarcraft
^\x06\xec\x01
diff --git a/usr/local/share/protocols/x11.pat b/usr/local/share/protocols/x11.pat
index f42b98f..2028ee7 100644
--- a/usr/local/share/protocols/x11.pat
+++ b/usr/local/share/protocols/x11.pat
@@ -1,7 +1,8 @@
# X Windows Version 11 - Networked GUI system used in most Unices
-# Pattern attributes: good notsofast fast
+# Pattern attributes: good notsofast veryfast
# Protocol groups: remote_access x_consortium_standard
# Wiki: http://www.protocolinfo.org/wiki/X11
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# It is common for X to be tunneled through SSH. Then obviously this pattern
# will not catch it.
diff --git a/usr/local/share/protocols/xboxlive.pat b/usr/local/share/protocols/xboxlive.pat
index 8d402cf..d04d9a7 100644
--- a/usr/local/share/protocols/xboxlive.pat
+++ b/usr/local/share/protocols/xboxlive.pat
@@ -1,7 +1,8 @@
# XBox Live - Console gaming
-# pattern attributes: marginal slow notsofast
+# Pattern attributes: marginal slow notsofast
# Protocol groups: game proprietary
# Wiki: http://www.protocolinfo.org/wiki/XBox_Live
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This may match all XBox traffic, or may only match Halo 2 traffic.
# We don't know yet.
diff --git a/usr/local/share/protocols/xunlei.pat b/usr/local/share/protocols/xunlei.pat
index c362e37..f7814c7 100644
--- a/usr/local/share/protocols/xunlei.pat
+++ b/usr/local/share/protocols/xunlei.pat
@@ -1,14 +1,83 @@
# Xunlei - Chinese P2P filesharing - http://xunlei.com
-# Pattern attributes: good veryfast fast
+# Pattern attributes: good slow notsofast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/Xunlei
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
-# This has been tested by three people. It definitely catches some
-# streams.
+# This has been tested by a number of people.
#
# Written by wsgtrsys of www.routerclub.com. Improved by VeNoMouS.
# Improved more by wsgtrsys and platinum of bbs.chinaunix.net.
+#
+# Further additions of HTTP-like content by liangjunATdcuxD.Tcom, who
+# says: "i find old pattern is not working . so i write a new pattern of
+# xunlei,it's working with all of xunlei 5 version!" Matthew Strait notes
+# in response:
+#
+# I've looked around and I'm fairly sure that Internet Explorer 5.0
+# never identifies itself as "Mozilla/4.0 (compatible; MSIE 5.00;
+# Windows 98)" and that Internet Explorer 6.0 never identifies itself as
+# either "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; )" or
+# "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)".
+
+# The keep-alive part needs some examination too. These might validly
+# occur in an HTTP/1.0 connection, although I think in practical cases
+# they don't since there's general only one \x0d\x0a after it and/or the
+# next line starts with a letter (especially because it's the client
+# sending it). It wouldn't be crazy, though, if another protocol
+# (besides Xunlei) used keep-alive in a way that did match this. But
+# since I can't think of any examples, I'll assume it's ok for now.
xunlei
-^[()]...?.?.?(reg|get|query)
+^([()]|get)(...?.?.?(reg|get|query)|.+User-Agent: (Mozilla/4\.0 \(compatible; (MSIE 6\.0; Windows NT 5\.1;? ?\)|MSIE 5\.00; Windows 98\))))|Keep-Alive\x0d\x0a\x0d\x0a[26]
+
+# This was the pattern until 2008 11 08. It is safer than the above against
+# overmatching ordinary HTTP connections
+#^[()]...?.?.?(reg|get|query)
+
+# More detail:
+# From http://sourceforge.net/tracker/index.php?func=detail&aid=1885209&group_id=80085&atid=558668
+#
+##############################################################################
+# Date: 2008-02-03
+# Sender: hydr0g3n
+#
+# Xunlei (Chinese P2P) traffic is not matched anymore by layer7 xunlei
+# pattern. It used to work in the past but not anymore. Maybe Xunlei was
+# updated and pattern should be adapted?
+#
+# Apparently ipp2p was edited by Chinese people to detect pplive and xunlei.
+# It is interesting and very recent:
+# http://www.chinaunix.net/jh/4/914377.html
+##############################################################################
+# Date: 2008-02-03
+# Sender: quadong
+#
+# Ok. Only some of the ipp2p function can be translated into an l7-filter
+# regular expression. The first part of search_xunlei can't be, since it
+# works by checking whether the length of the packet matches a byte in the
+# packet. The second part of search_xunlei becomes:
+#
+# \x20.?\x01?.?[\x01\x77]............?.?.?.?\x38
+#
+# Or possibly:
+#
+# ^\x20.?\x01?.?[\x01\x77]............?.?.?.?\x38
+#
+# I'm not sure whether IPP2P looks at every packet or only the first of each
+# connection.
+#
+# udp_search_xunlei says:
+# \x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff
+#
+# Again, putting a ^ at the beginning might work:
+#
+# ^(\x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff)
+#
+# So this *might* work:
+#
+# ^(\x20.?\x01?.?[\x01\x77]............?.?.?.?\x38|\x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff)
+#
+# but the ^ might be wrong and it will not match the HTTP part of Xunlei.
+##############################################################################
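Review bot: The new xunlei expression is tagged `good slow notsofast`, yet the comment added just below it says the previous pattern "is safer than the above against overmatching ordinary HTTP connections"; the attributes line should carry that warning, `# Pattern attributes: good slow notsofast overmatch`, as whois.pat does. Two things make the overmatch plausible: the leading `^` binds only to the first top-level alternative, so `Keep-Alive\x0d\x0a\x0d\x0a[26]` can match anywhere in the inspected data, and the `get ... User-Agent:` branch keys on a header the client chooses, so the quoted claim that Internet Explorer never sends these strings is worth re-checking against captures. Where this classification feeds a block or shaping rule, ordinary web requests may be caught while a client with a different User-Agent is missed, so a comment next to the pattern should say it is a best-effort classifier rather than an enforcement control.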
diff --git a/usr/local/share/protocols/yahoo.pat b/usr/local/share/protocols/yahoo.pat
index 537349a..17595b8 100644
--- a/usr/local/share/protocols/yahoo.pat
+++ b/usr/local/share/protocols/yahoo.pat
@@ -2,6 +2,7 @@
# Pattern attributes: good fast fast
# Protocol groups: chat proprietary
# Wiki: http://www.protocolinfo.org/wiki/Yahoo_Messenger
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 5050
#
diff --git a/usr/local/share/protocols/zmaap.pat b/usr/local/share/protocols/zmaap.pat
index d21ad80..e741eca 100644
--- a/usr/local/share/protocols/zmaap.pat
+++ b/usr/local/share/protocols/zmaap.pat
@@ -2,6 +2,7 @@
# Pattern attributes: ok veryfast fast
# Protocol groups: networking ietf_draft_standard
# Wiki: http://www.protocolinfo.org/wiki/ZMAAP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# http://files.zeroconf.org/draft-ietf-zeroconf-zmaap-02.txt
# (Note that this reference is an Internet-Draft, and therefore must