author Ermal Luçi <eri@pfsense.org> 2009-11-10 14:18:56 +0000
committer Ermal Luçi <eri@pfsense.org> 2009-11-10 14:18:56 +0000
commit c97ab82a7e6e2dc7f73cc594fbd50957c8bc1232 (patch)
tree d9ba396d0e512ce7120b2a9bd548bf33b0591dbe /usr/local/share
parent 61c3a5afa21dc44143ec111c78ca82b6c15d802c (diff)
Update layer 7 protocol definitions and add new regex definitions.
Diffstat (limited to 'usr/local/share')
-rw-r--r-- usr/local/share/protocols/LICENSE 605
-rw-r--r-- usr/local/share/protocols/audiogalaxy.pat 19
-rw-r--r-- usr/local/share/protocols/code_red.pat 8
-rw-r--r-- usr/local/share/protocols/dazhihui.pat 11
-rw-r--r-- usr/local/share/protocols/exe.pat 20
-rw-r--r-- usr/local/share/protocols/flash.pat 18
-rw-r--r-- usr/local/share/protocols/gif.pat 8
-rw-r--r-- usr/local/share/protocols/gtalk.pat 11
-rw-r--r-- usr/local/share/protocols/guildwars.pat 14
-rw-r--r-- usr/local/share/protocols/html.pat 11
-rw-r--r-- usr/local/share/protocols/http-dap.pat 19
-rw-r--r-- usr/local/share/protocols/http-freshdownload.pat 17
-rw-r--r-- usr/local/share/protocols/http-itunes.pat 14
-rw-r--r-- usr/local/share/protocols/httpaudio.pat 32
-rw-r--r-- usr/local/share/protocols/httpcachehit.pat 19
-rw-r--r-- usr/local/share/protocols/httpcachemiss.pat 17
-rw-r--r-- usr/local/share/protocols/httpvideo.pat 32
-rw-r--r-- usr/local/share/protocols/jpeg.pat 8
-rw-r--r-- usr/local/share/protocols/mp3.pat 11
-rw-r--r-- usr/local/share/protocols/nimda.pat 8
-rw-r--r-- usr/local/share/protocols/ogg.pat 7
-rw-r--r-- usr/local/share/protocols/pdf.pat 11
-rw-r--r-- usr/local/share/protocols/perl.pat 7
-rw-r--r-- usr/local/share/protocols/png.pat 13
-rw-r--r-- usr/local/share/protocols/postscript.pat 7
-rw-r--r-- usr/local/share/protocols/pplive.pat 11
-rw-r--r-- usr/local/share/protocols/pressplay.pat 15
-rw-r--r-- usr/local/share/protocols/quicktime.pat 21
-rw-r--r-- usr/local/share/protocols/rar.pat 7
-rw-r--r-- usr/local/share/protocols/rpm.pat 7
-rw-r--r-- usr/local/share/protocols/rtf.pat 8
-rw-r--r-- usr/local/share/protocols/runesofmagic.pat 63
-rw-r--r-- usr/local/share/protocols/snmp-mon.pat 32
-rw-r--r-- usr/local/share/protocols/snmp-trap.pat 33
-rw-r--r-- usr/local/share/protocols/tar.pat 12
-rw-r--r-- usr/local/share/protocols/tonghuashun.pat 11
-rw-r--r-- usr/local/share/protocols/zip.pat 7
37 files changed, 1174 insertions, 0 deletions
diff --git a/usr/local/share/protocols/LICENSE b/usr/local/share/protocols/LICENSE
new file mode 100644
index 0000000..49395f6
--- /dev/null
+++ b/usr/local/share/protocols/LICENSE
@@ -0,0 +1,605 @@
+You may distribute this software under either the GPLv2 or Creative
+Commons Attribution-ShareAlike 2.5. The text of each follows:
+
+***************************************************************************
+
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+ 675 Mass Ave, Cambridge, MA 02139, USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ Appendix: How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) 19yy <name of author>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) 19yy name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Library General
+Public License instead of this License.
+
+***************************************************************************
+
+ Creative Commons Legal Code
+ Attribution-ShareAlike 2.5
+
+ CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
+ LEGAL SERVICES. DISTRIBUTION OF THIS LICENSE DOES NOT CREATE AN
+ ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
+ INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
+ REGARDING THE INFORMATION PROVIDED, AND DISCLAIMS LIABILITY FOR
+ DAMAGES RESULTING FROM ITS USE.
+
+ License
+
+ THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS
+ CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS
+ PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE
+ WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS
+ PROHIBITED.
+
+ BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND
+ AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. THE LICENSOR GRANTS
+ YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF
+ SUCH TERMS AND CONDITIONS.
+
+ 1. Definitions
+ a. "Collective Work" means a work, such as a periodical issue,
+ anthology or encyclopedia, in which the Work in its entirety in
+ unmodified form, along with a number of other contributions,
+ constituting separate and independent works in themselves, are
+ assembled into a collective whole. A work that constitutes a
+ Collective Work will not be considered a Derivative Work (as
+ defined below) for the purposes of this License.
+ b. "Derivative Work" means a work based upon the Work or upon the
+ Work and other pre-existing works, such as a translation, musical
+ arrangement, dramatization, fictionalization, motion picture
+ version, sound recording, art reproduction, abridgment,
+ condensation, or any other form in which the Work may be recast,
+ transformed, or adapted, except that a work that constitutes a
+ Collective Work will not be considered a Derivative Work for the
+ purpose of this License. For the avoidance of doubt, where the
+ Work is a musical composition or sound recording, the
+ synchronization of the Work in timed-relation with a moving image
+ ("synching") will be considered a Derivative Work for the purpose
+ of this License.
+ c. "Licensor" means the individual or entity that offers the Work
+ under the terms of this License.
+ d. "Original Author" means the individual or entity who created the
+ Work.
+ e. "Work" means the copyrightable work of authorship offered under
+ the terms of this License.
+ f. "You" means an individual or entity exercising rights under this
+ License who has not previously violated the terms of this License
+ with respect to the Work, or who has received express permission
+ from the Licensor to exercise rights under this License despite a
+ previous violation.
+ g. "License Elements" means the following high-level license
+ attributes as selected by Licensor and indicated in the title of
+ this License: Attribution, ShareAlike.
+
+ 2. Fair Use Rights. Nothing in this license is intended to reduce,
+ limit, or restrict any rights arising from fair use, first sale or
+ other limitations on the exclusive rights of the copyright owner under
+ copyright law or other applicable laws.
+
+ 3. License Grant. Subject to the terms and conditions of this License,
+ Licensor hereby grants You a worldwide, royalty-free, non-exclusive,
+ perpetual (for the duration of the applicable copyright) license to
+ exercise the rights in the Work as stated below:
+ a. to reproduce the Work, to incorporate the Work into one or more
+ Collective Works, and to reproduce the Work as incorporated in the
+ Collective Works;
+ b. to create and reproduce Derivative Works;
+ c. to distribute copies or phonorecords of, display publicly, perform
+ publicly, and perform publicly by means of a digital audio
+ transmission the Work including as incorporated in Collective
+ Works;
+ d. to distribute copies or phonorecords of, display publicly, perform
+ publicly, and perform publicly by means of a digital audio
+ transmission Derivative Works.
+ e. For the avoidance of doubt, where the work is a musical
+ composition:
+ i. Performance Royalties Under Blanket Licenses. Licensor waives
+ the exclusive right to collect, whether individually or via a
+ performance rights society (e.g. ASCAP, BMI, SESAC),
+ royalties for the public performance or public digital
+ performance (e.g. webcast) of the Work.
+ ii. Mechanical Rights and Statutory Royalties. Licensor waives
+ the exclusive right to collect, whether individually or via a
+ music rights society or designated agent (e.g. Harry Fox
+ Agency), royalties for any phonorecord You create from the
+ Work ("cover version") and distribute, subject to the
+ compulsory license created by 17 USC Section 115 of the US
+ Copyright Act (or the equivalent in other jurisdictions).
+ f. Webcasting Rights and Statutory Royalties. For the avoidance of
+ doubt, where the Work is a sound recording, Licensor waives the
+ exclusive right to collect, whether individually or via a
+ performance-rights society (e.g. SoundExchange), royalties for the
+ public digital performance (e.g. webcast) of the Work, subject to
+ the compulsory license created by 17 USC Section 114 of the US
+ Copyright Act (or the equivalent in other jurisdictions).
+
+ The above rights may be exercised in all media and formats whether now
+ known or hereafter devised. The above rights include the right to make
+ such modifications as are technically necessary to exercise the rights
+ in other media and formats. All rights not expressly granted by
+ Licensor are hereby reserved.
+
+ 4. Restrictions.The license granted in Section 3 above is expressly
+ made subject to and limited by the following restrictions:
+ a. You may distribute, publicly display, publicly perform, or
+ publicly digitally perform the Work only under the terms of this
+ License, and You must include a copy of, or the Uniform Resource
+ Identifier for, this License with every copy or phonorecord of the
+ Work You distribute, publicly display, publicly perform, or
+ publicly digitally perform. You may not offer or impose any terms
+ on the Work that alter or restrict the terms of this License or
+ the recipients' exercise of the rights granted hereunder. You may
+ not sublicense the Work. You must keep intact all notices that
+ refer to this License and to the disclaimer of warranties. You may
+ not distribute, publicly display, publicly perform, or publicly
+ digitally perform the Work with any technological measures that
+ control access or use of the Work in a manner inconsistent with
+ the terms of this License Agreement. The above applies to the Work
+ as incorporated in a Collective Work, but this does not require
+ the Collective Work apart from the Work itself to be made subject
+ to the terms of this License. If You create a Collective Work,
+ upon notice from any Licensor You must, to the extent practicable,
+ remove from the Collective Work any credit as required by clause
+ 4(c), as requested. If You create a Derivative Work, upon notice
+ from any Licensor You must, to the extent practicable, remove from
+ the Derivative Work any credit as required by clause 4(c), as
+ requested.
+ b. You may distribute, publicly display, publicly perform, or
+ publicly digitally perform a Derivative Work only under the terms
+ of this License, a later version of this License with the same
+ License Elements as this License, or a Creative Commons iCommons
+ license that contains the same License Elements as this License
+ (e.g. Attribution-ShareAlike 2.5 Japan). You must include a copy
+ of, or the Uniform Resource Identifier for, this License or other
+ license specified in the previous sentence with every copy or
+ phonorecord of each Derivative Work You distribute, publicly
+ display, publicly perform, or publicly digitally perform. You may
+ not offer or impose any terms on the Derivative Works that alter
+ or restrict the terms of this License or the recipients' exercise
+ of the rights granted hereunder, and You must keep intact all
+ notices that refer to this License and to the disclaimer of
+ warranties. You may not distribute, publicly display, publicly
+ perform, or publicly digitally perform the Derivative Work with
+ any technological measures that control access or use of the Work
+ in a manner inconsistent with the terms of this License Agreement.
+ The above applies to the Derivative Work as incorporated in a
+ Collective Work, but this does not require the Collective Work
+ apart from the Derivative Work itself to be made subject to the
+ terms of this License.
+ c. If you distribute, publicly display, publicly perform, or publicly
+ digitally perform the Work or any Derivative Works or Collective
+ Works, You must keep intact all copyright notices for the Work and
+ provide, reasonable to the medium or means You are utilizing: (i)
+ the name of the Original Author (or pseudonym, if applicable) if
+ supplied, and/or (ii) if the Original Author and/or Licensor
+ designate another party or parties (e.g. a sponsor institute,
+ publishing entity, journal) for attribution in Licensor's
+ copyright notice, terms of service or by other reasonable means,
+ the name of such party or parties; the title of the Work if
+ supplied; to the extent reasonably practicable, the Uniform
+ Resource Identifier, if any, that Licensor specifies to be
+ associated with the Work, unless such URI does not refer to the
+ copyright notice or licensing information for the Work; and in the
+ case of a Derivative Work, a credit identifying the use of the
+ Work in the Derivative Work (e.g., "French translation of the Work
+ by Original Author," or "Screenplay based on original Work by
+ Original Author"). Such credit may be implemented in any
+ reasonable manner; provided, however, that in the case of a
+ Derivative Work or Collective Work, at a minimum such credit will
+ appear where any other comparable authorship credit appears and in
+ a manner at least as prominent as such other comparable authorship
+ credit.
+
+ 5. Representations, Warranties and Disclaimer
+
+ UNLESS OTHERWISE AGREED TO BY THE PARTIES IN WRITING, LICENSOR OFFERS
+ THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND
+ CONCERNING THE MATERIALS, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE,
+ INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY,
+ FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF
+ LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF
+ ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW
+ THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY
+ TO YOU.
+
+ 6. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY
+ APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY
+ LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR
+ EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK,
+ EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+ 7. Termination
+ a. This License and the rights granted hereunder will terminate
+ automatically upon any breach by You of the terms of this License.
+ Individuals or entities who have received Derivative Works or
+ Collective Works from You under this License, however, will not
+ have their licenses terminated provided such individuals or
+ entities remain in full compliance with those licenses. Sections
+ 1, 2, 5, 6, 7, and 8 will survive any termination of this License.
+ b. Subject to the above terms and conditions, the license granted
+ here is perpetual (for the duration of the applicable copyright in
+ the Work). Notwithstanding the above, Licensor reserves the right
+ to release the Work under different license terms or to stop
+ distributing the Work at any time; provided, however that any such
+ election will not serve to withdraw this License (or any other
+ license that has been, or is required to be, granted under the
+ terms of this License), and this License will continue in full
+ force and effect unless terminated as stated above.
+
+ 8. Miscellaneous
+ a. Each time You distribute or publicly digitally perform the Work or
+ a Collective Work, the Licensor offers to the recipient a license
+ to the Work on the same terms and conditions as the license
+ granted to You under this License.
+ b. Each time You distribute or publicly digitally perform a
+ Derivative Work, Licensor offers to the recipient a license to the
+ original Work on the same terms and conditions as the license
+ granted to You under this License.
+ c. If any provision of this License is invalid or unenforceable under
+ applicable law, it shall not affect the validity or enforceability
+ of the remainder of the terms of this License, and without further
+ action by the parties to this agreement, such provision shall be
+ reformed to the minimum extent necessary to make such provision
+ valid and enforceable.
+ d. No term or provision of this License shall be deemed waived and no
+ breach consented to unless such waiver or consent shall be in
+ writing and signed by the party to be charged with such waiver or
+ consent.
+ e. This License constitutes the entire agreement between the parties
+ with respect to the Work licensed here. There are no
+ understandings, agreements or representations with respect to the
+ Work not specified here. Licensor shall not be bound by any
+ additional provisions that may appear in any communication from
+ You. This License may not be modified without the mutual written
+ agreement of the Licensor and You.
+
+ Creative Commons is not a party to this License, and makes no warranty
+ whatsoever in connection with the Work. Creative Commons will not be
+ liable to You or any party on any legal theory for any damages
+ whatsoever, including without limitation any general, special,
+ incidental or consequential damages arising in connection to this
+ license. Notwithstanding the foregoing two (2) sentences, if Creative
+ Commons has expressly identified itself as the Licensor hereunder, it
+ shall have all rights and obligations of Licensor.
+
+ Except for the limited purpose of indicating to the public that the
+ Work is licensed under the CCPL, neither party will use the trademark
+ "Creative Commons" or any related trademark or logo of Creative
+ Commons without the prior written consent of Creative Commons. Any
+ permitted use will be in compliance with Creative Commons'
+ then-current trademark usage guidelines, as may be published on its
+ website or otherwise made available upon request from time to time.
+
+ Creative Commons may be contacted at http://creativecommons.org/.
diff --git a/usr/local/share/protocols/audiogalaxy.pat b/usr/local/share/protocols/audiogalaxy.pat
new file mode 100644
index 0000000..db1999a
--- /dev/null
+++ b/usr/local/share/protocols/audiogalaxy.pat
@@ -0,0 +1,19 @@
+# Audiogalaxy - (defunct) Peer to Peer filesharing
+# Pattern attributes: ok fast fast
+# Protocol groups: p2p obsolete
+# Wiki: http://protocolinfo.org/wiki/Audiogalaxy
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# http://www.movspclr.co.uk/info/agprotocol.html
+#
+# This pattern is untested.
+#
+# To get or provide more information about this protocol and/or pattern:
+# http://www.protocolinfo.org/wiki/Audiogalaxy
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+audiogalaxy
+# (magic cookie that starts conversations)|(magic cookie that starts
+# 0.606W/0.608W client/server conversations and a string that should always
+# appear in login messages)
+^(\x45\x5f\xd0\xd5|\x45\x5f.*0.60(6|8)W)
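Review bot: The second alternative leaves the dot in `0.60(6|8)W` unescaped, so it matches any byte between `0` and `60` and not only the literal 0.606W/0.608W strings the comment describes. Suggest `0\.60(6|8)W`. Since the header says the pattern is untested, also note in the comments that `\x45\x5f.*` allows the version string to appear arbitrarily far into the stream.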
diff --git a/usr/local/share/protocols/code_red.pat b/usr/local/share/protocols/code_red.pat
new file mode 100644
index 0000000..df0beee
--- /dev/null
+++ b/usr/local/share/protocols/code_red.pat
@@ -0,0 +1,8 @@
+# Code Red - a worm that attacks Microsoft IIS web servers
+# Pattern attributes: ok fast notsofast subset
+# Protocol groups: worm
+# Wiki: http://www.protocolinfo.org/wiki/CodeRed
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+code_red
+/default\.ida\?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
diff --git a/usr/local/share/protocols/dazhihui.pat b/usr/local/share/protocols/dazhihui.pat
new file mode 100644
index 0000000..032440c
--- /dev/null
+++ b/usr/local/share/protocols/dazhihui.pat
@@ -0,0 +1,11 @@
+# Dazhihui - stock analysis and trading; Chinese - http://www.gw.com.cn
+# Pattern attributes: fast fast ok
+# Protocol groups:
+# Wiki: http://www.protocolinfo.org/wiki/Dazhihui
+# Copyright (C) 2009 Matthew Strait; See ../LICENSE
+
+# Pattern contributed by liangjun without comment.
+
+dazhihui
+^(longaccoun|qsver2auth|\x35[57]\x30|\+\x10\*)
+
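Review bot: Two of the four alternatives, `\x35[57]\x30` and `\+\x10\*`, are only three bytes long, and the first is simply the ASCII digits 550 or 570 at the start of a connection. The file says the pattern was contributed without comment and leaves "Protocol groups:" empty, so nothing on record explains what each alternative corresponds to; please add that. The "Pattern attributes: fast fast ok" line also lists its values in a different order from the other files in this commit, where the quality word comes first.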
diff --git a/usr/local/share/protocols/exe.pat b/usr/local/share/protocols/exe.pat
new file mode 100644
index 0000000..0a16e2a
--- /dev/null
+++ b/usr/local/share/protocols/exe.pat
@@ -0,0 +1,20 @@
+# Executable - Microsoft PE file format.
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+# Thanks to Brandon Enright [bmenrighATucsd.edu]
+
+# This pattern doesn't techincally match the PE file format but rather the
+# MZ stub program Microsoft uses for backwards compatibility with DOS.
+# That means this will correctly match DOS executables too.
+
+exe
+# There are two different stubs used depending on the compiler/packer.
+# Numerous NULL bytes have been stripped from this pattern.
+
+# This pattern may be more efficient:
+# \x4d\x5a\x90\x03\x04|\x4d\x5a\x50\x02\x04
+
+# This is easier to understand:
+\x4d\x5a(\x90\x03|\x50\x02)\x04
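Review bot: The active pattern `\x4d\x5a(\x90\x03|\x50\x02)\x04` has no `^` anchor and accepts only the two stub variants named in the comment, so an executable whose bytes after MZ differ is not classified and the five-byte sequence can match in the middle of unrelated data. Please state both limits in the header so nobody treats this as a complete executable filter. "techincally" should be "technically", and this file has no "Wiki:" line where most of the others do.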
diff --git a/usr/local/share/protocols/flash.pat b/usr/local/share/protocols/flash.pat
new file mode 100644
index 0000000..23e5d74
--- /dev/null
+++ b/usr/local/share/protocols/flash.pat
@@ -0,0 +1,18 @@
+# Flash - Macromedia Flash.
+# Pattern attributes: good slow notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+# Thanks to Brandon Enright {bmenrigh AT ucsd.edu} and chinalantian at
+# 126 dot com
+
+# Macromedia spec:
+# http://download.macromedia.com/pub/flash/flash_file_format_specification.pdf
+# See also:
+# http://www.digitalpreservation.gov/formats/fdd/fdd000130.shtml
+# http://osflash.org/flv
+
+flash
+# FWS = uncompressed, CWS = compressed, next byte is version number
+# FLV = video
+[FC]WS[\x01-\x09]|FLV\x01\x05\x09
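Review bot: The class `[\x01-\x09]` in the SWF alternative hard-codes versions 1 through 9, so a file whose version byte is higher is not matched, while the comment only says the next byte is the version number. The FLV alternative `FLV\x01\x05\x09` also pins three bytes after the signature without saying what they represent. Please document both, and widen the version class if later versions are meant to match.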
diff --git a/usr/local/share/protocols/gif.pat b/usr/local/share/protocols/gif.pat
new file mode 100644
index 0000000..d54ed91
--- /dev/null
+++ b/usr/local/share/protocols/gif.pat
@@ -0,0 +1,8 @@
+# GIF - Popular Image format.
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+gif
+# drawn from /usr/share/magic
+GIF8(7|9)a
diff --git a/usr/local/share/protocols/gtalk.pat b/usr/local/share/protocols/gtalk.pat
new file mode 100644
index 0000000..aa538ca
--- /dev/null
+++ b/usr/local/share/protocols/gtalk.pat
@@ -0,0 +1,11 @@
+# GTalk, a Jabber (XMPP) client
+# Pattern attributes: good veryfast fast subset
+# Protocol groups: chat ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/Jabber
+# Copyright (C) 2009 Matthew Strait; See ../LICENSE
+
+# See ../protocols/jabber.pat for more details
+
+gtalk
+^<stream:stream to="gmail\.com"
+
diff --git a/usr/local/share/protocols/guildwars.pat b/usr/local/share/protocols/guildwars.pat
new file mode 100644
index 0000000..65d2b92
--- /dev/null
+++ b/usr/local/share/protocols/guildwars.pat
@@ -0,0 +1,14 @@
+# Guild Wars - online game - http://guildwars.com
+# Pattern attributes: marginal veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Guild_Wars
+# Copyright (C) 2008 Matthew Strait; See ../LICENSE
+
+# Contributed on protocolinfo by Greatwolf with the comment, "Guild Wars
+# uses encrypted data on tcp/6112 and may be impossible to match by
+# content. An experimental filter has been written to match Guild Wars
+# packets. More testing is still required to determine the effectiveness
+# of this pattern."
+
+guildwars
+^[\x04\x05]\x0c.i\x01
diff --git a/usr/local/share/protocols/html.pat b/usr/local/share/protocols/html.pat
new file mode 100644
index 0000000..d834a96
--- /dev/null
+++ b/usr/local/share/protocols/html.pat
@@ -0,0 +1,11 @@
+# (X)HTML - (Extensible) Hypertext Markup Language - http://w3.org
+# Pattern attributes: good fast notsofast subset
+# Protocol groups: file
+#
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+# This pattern has been tested and is believe to work well.
+
+# this should match any (X)HTML document from any version that conforms
+# even vaugly to the standards.
+html
+<html.*><head>
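Review bot: The pattern `<html.*><head>` requires `<head>` to follow the closing `>` of the html tag with nothing in between, so a document with a newline or space between the two tags does not match. That contradicts the comment that it should match any document conforming even vaguely to the standards. Consider allowing whitespace there, for example `<html.*>[\x09-\x0d ]*<head`, using the same whitespace class as the HTTP patterns in this commit. In the comments, "believe" should be "believed" and "vaugly" should be "vaguely".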
diff --git a/usr/local/share/protocols/http-dap.pat b/usr/local/share/protocols/http-dap.pat
new file mode 100644
index 0000000..216d8d6
--- /dev/null
+++ b/usr/local/share/protocols/http-dap.pat
@@ -0,0 +1,19 @@
+# HTTP by Download Accelerator Plus - http://www.speedbit.com
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: document_retrieval ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Uses HTTP to download.
+
+http-dap
+
+# DAP identifies itself in the User-Agent field of every HTTP request it
+# makes. This is pretty trivial to get around if speedbit.com ever
+# wanted to.
+
+# The latest version uses "User-Agent: DA 7.0". The additional version
+# allowance is an attempt at "future proofing".
+
+User-Agent: DA [678]\.[0-9]
+
diff --git a/usr/local/share/protocols/http-freshdownload.pat b/usr/local/share/protocols/http-freshdownload.pat
new file mode 100644
index 0000000..a342e86
--- /dev/null
+++ b/usr/local/share/protocols/http-freshdownload.pat
@@ -0,0 +1,17 @@
+# HTTP by Fresh Download - http://www.freshdevices.com
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: document_retrieval ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+# Uses HTTP to download.
+
+http-freshdownload
+
+# Fresh Download identifies itself in the User-Agent field of every HTTP
+# request it makes.
+
+# The latest version uses "User-Agent: FreshDownload/4.40". The
+# additional version allowance is an attempt at "future proofing".
+
+User-Agent: FreshDownload/[456](\.[0-9][0-9]?)?
+
diff --git a/usr/local/share/protocols/http-itunes.pat b/usr/local/share/protocols/http-itunes.pat
new file mode 100644
index 0000000..fd44ee4
--- /dev/null
+++ b/usr/local/share/protocols/http-itunes.pat
@@ -0,0 +1,14 @@
+# HTTP - iTunes (Apple's music program)
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: streaming_audio ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Port 80
+# iTunes program basically uses the HTTP protocol for its initial
+# communication.
+# Pattern contributed by Deepak Seshadri <dseshadri AT broadbandmaritime.com>
+
+http-itunes
+http/(0\.9|1\.0|1\.1).*(user-agent: itunes)
+
diff --git a/usr/local/share/protocols/httpaudio.pat b/usr/local/share/protocols/httpaudio.pat
new file mode 100644
index 0000000..c6cdd9a
--- /dev/null
+++ b/usr/local/share/protocols/httpaudio.pat
@@ -0,0 +1,32 @@
+# HTTP - Audio over HyperText Transfer Protocol (RFC 2616)
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: streaming_audio document_retrieval ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 80
+#
+# Contributed by Deepak Seshadri <dseshadri AT broadbandmaritime.com>
+#
+# This pattern has been tested and is believed to work well.
+#
+# To get or provide more information about this protocol and/or pattern:
+# http://www.protocolinfo.org/wiki/HTTP
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+#
+# If you use this, you should be aware that:
+#
+# - they match both simple downloads of audio/video and streaming content.
+#
+# - blocking based on content-type encourages server
+# writers/administrators to misreport content-type (which will just make
+# headaches for everyone, including us), so I would strongly recommend
+# shaping audio/video down to a speed that discourages use of streaming
+# players without actually blocking it.
+#
+# - obviously, since this is a subset of HTTP, you need to match it
+# earlier in your iptables rules than HTTP.
+
+httpaudio
+http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(content-type: audio)
+
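Review bot: The usage notes in the header do not fit this file as imported: the last bullet tells the reader to match it "earlier in your iptables rules than HTTP", and the first bullet says "they match" although the file holds a single pattern. Please reword the ordering advice in terms of rule order in general and change "they" to "this pattern". The same text is repeated in httpvideo.pat and needs the same change.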
diff --git a/usr/local/share/protocols/httpcachehit.pat b/usr/local/share/protocols/httpcachehit.pat
new file mode 100644
index 0000000..41cb099
--- /dev/null
+++ b/usr/local/share/protocols/httpcachehit.pat
@@ -0,0 +1,19 @@
+# HTTP - Proxy Cache hit for HyperText Transfer Protocol (RFC 2616)
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: document_retrieval ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 80
+#
+# Contributed by Francesco Del Degan <fdeldegan AT libero.it>
+#
+# This pattern has been tested and is believed to work well.
+#
+# To get or provide more information about this protocol and/or pattern:
+# http://www.protocolinfo.org/wiki/HTTP
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+httpcachehit
+http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(x-cache: hit)
+
diff --git a/usr/local/share/protocols/httpcachemiss.pat b/usr/local/share/protocols/httpcachemiss.pat
new file mode 100644
index 0000000..09ac6cd
--- /dev/null
+++ b/usr/local/share/protocols/httpcachemiss.pat
@@ -0,0 +1,17 @@
+# HTTP - Proxy Cache miss for HyperText Transfer Protocol (RFC 2616)
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: document_retrieval ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 80
+#
+# This pattern has been tested and is believed to work well.
+#
+# To get or provide more information about this protocol and/or pattern:
+# http://www.protocolinfo.org/wiki/HTTP
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+httpcachemiss
+http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(x-cache: miss)
+
diff --git a/usr/local/share/protocols/httpvideo.pat b/usr/local/share/protocols/httpvideo.pat
new file mode 100644
index 0000000..4a75ce0
--- /dev/null
+++ b/usr/local/share/protocols/httpvideo.pat
@@ -0,0 +1,32 @@
+# HTTP - Video over HyperText Transfer Protocol (RFC 2616)
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: streaming_video document_retrieval ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 80
+#
+# Contributed by Deepak Seshadri <dseshadri AT broadbandmaritime.com>
+#
+# This pattern has been tested and is believed to work well.
+#
+# To get or provide more information about this protocol and/or pattern:
+# http://www.protocolinfo.org/wiki/HTTP
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+#
+# If you use this, you should be aware that:
+#
+# - they match both simple downloads of audio/video and streaming content.
+#
+# - blocking based on content-type encourages server
+# writers/administrators to misreport content-type (which will just make
+# headaches for everyone, including us), so I would strongly recommend
+# shaping audio/video down to a speed that discourages use of streaming
+# players without actually blocking it.
+#
+# - obviously, since this is a subset of HTTP, you need to match it
+# earlier in your iptables rules than HTTP.
+
+httpvideo
+http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(content-type: video)
+
diff --git a/usr/local/share/protocols/jpeg.pat b/usr/local/share/protocols/jpeg.pat
new file mode 100644
index 0000000..fd1a249
--- /dev/null
+++ b/usr/local/share/protocols/jpeg.pat
@@ -0,0 +1,8 @@
+# JPEG - Joint Picture Expert Group image format.
+# Pattern attributes: ok fast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+jpeg
+# drawn from /usr/share/magic
+\xff\xd8
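Review bot: The pattern `\xff\xd8` is two bytes with no `^` anchor, so it matches wherever that byte pair occurs in a stream, including compressed or encrypted payloads that are not JPEG. Extend it with more of the signature (png.pat in this commit deliberately defaults to the longer form) or say in the header that false positives are expected, since "ok" in the attributes line does not convey that.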
diff --git a/usr/local/share/protocols/mp3.pat b/usr/local/share/protocols/mp3.pat
new file mode 100644
index 0000000..1b60a4c
--- /dev/null
+++ b/usr/local/share/protocols/mp3.pat
@@ -0,0 +1,11 @@
+# MP3 - Moving Picture Experts Group Audio Layer III
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+# By LanTian (chinalantian at 126 d.t com)
+
+# Only matches the standard MP3 form, non-standard files might not be matched.
+
+mp3
+\x49\x44\x33\x03
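Review bot: The bytes `\x49\x44\x33\x03` are the ASCII text ID3 followed by `\x03`, so the pattern keys on a tag header with one specific version byte and not on the audio data itself. The comment "Only matches the standard MP3 form" does not say this. Please state that files without that tag, or with a different version byte, are not matched, and that the pattern is unanchored.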
diff --git a/usr/local/share/protocols/nimda.pat b/usr/local/share/protocols/nimda.pat
new file mode 100644
index 0000000..86c7ce1
--- /dev/null
+++ b/usr/local/share/protocols/nimda.pat
@@ -0,0 +1,8 @@
+# Nimda - a worm that attacks Microsoft IIS web servers, and MORE!
+# Pattern attributes: ok notsofast notsofast subset
+# Protocol groups: worm
+# Wiki: http://www.protocolinfo.org/wiki/Nimda
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+nimda
+GET (/scripts/root\.exe\?/c\+dir|/MSADC/root\.exe\?/c\+dir|/c/winnt/system32/cmd\.exe\?/c\+dir|/d/winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/_vti_bin/\.\.%5c\.\./\.\.%5c\.\./\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/_mem_bin/\.\.%5c\.\./\.\.%5c\.\./\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/msadc/\.\.%5c\.\./\.\.%5c\.\./\.\.%5c/\.\.\xc1\x1c\.\./\.\.\xc1\x1c\.\./\.\.\xc1\x1c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc1\x1c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc0/\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc0\xaf\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc1\x9c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%35c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%35c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%2f\.\./winnt/system32/cmd\.exe\?/c\+dir)
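Review bot: The alternation contains duplicates: `/scripts/\.\.%35c\.\./winnt/system32/cmd\.exe\?/c\+dir` appears twice in a row, and `/scripts/\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir` appears as the fifth alternative and again second from the end. Duplicates add nothing to the match and may mean that differently encoded variants were collapsed when the list was transcribed; either drop them or restore the intended variants. Every alternative ends in `root\.exe\?/c\+dir` or `/winnt/system32/cmd\.exe\?/c\+dir`, so factoring those suffixes out would make the line reviewable.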
diff --git a/usr/local/share/protocols/ogg.pat b/usr/local/share/protocols/ogg.pat
new file mode 100644
index 0000000..d9ba377
--- /dev/null
+++ b/usr/local/share/protocols/ogg.pat
@@ -0,0 +1,7 @@
+# Ogg - Ogg Vorbis music format (not any ogg file, just vorbis)
+# Pattern attributes: ok notsofast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+ogg
+oggs.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?\x01vorbis
diff --git a/usr/local/share/protocols/pdf.pat b/usr/local/share/protocols/pdf.pat
new file mode 100644
index 0000000..0c0e5f9
--- /dev/null
+++ b/usr/local/share/protocols/pdf.pat
@@ -0,0 +1,11 @@
+# PDF - Portable Document Format - Postscript-like format by Adobe
+# Pattern attributes: good fast notsofast subset
+# Protocol groups: file
+#
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+# This pattern has been tested and is believe to work well.
+
+# Matches PDF versions 1.0 - 1.6 (not sure if 1.6 exists yet, but it probably
+# will.
+pdf
+%PDF-1\.[0123456]
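Review bot: The class `[0123456]` stops at version 1.6, and the comment above it is both unsure whether 1.6 exists and missing its closing parenthesis. A header with a later minor version is not matched; `%PDF-1\.[0-9]` would cover it, in the same spirit as the "future proofing" allowance in http-dap.pat. "believe" should read "believed".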
diff --git a/usr/local/share/protocols/perl.pat b/usr/local/share/protocols/perl.pat
new file mode 100644
index 0000000..822986b
--- /dev/null
+++ b/usr/local/share/protocols/perl.pat
@@ -0,0 +1,7 @@
+# Perl - A scripting language by Larry Wall.
+# Pattern attributes: good fast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+perl
+\#! ?/(usr/(local/)?)?bin/perl
diff --git a/usr/local/share/protocols/png.pat b/usr/local/share/protocols/png.pat
new file mode 100644
index 0000000..33aafda
--- /dev/null
+++ b/usr/local/share/protocols/png.pat
@@ -0,0 +1,13 @@
+# PNG - Portable Network Graphics, a popular image format
+# Pattern attributes: good fast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+# Contributed by Radovan Josth. Tested at least a bit.
+
+png
+# drawn from /usr/share/magic
+\x89PNG\x0d\x0a\x1a\x0a
+
+# this is probably sufficient, but by default let's use the longer version
+# \x89PNG
diff --git a/usr/local/share/protocols/postscript.pat b/usr/local/share/protocols/postscript.pat
new file mode 100644
index 0000000..456ac21
--- /dev/null
+++ b/usr/local/share/protocols/postscript.pat
@@ -0,0 +1,7 @@
+# Postscript - Printing Language
+# Pattern attributes: good fast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+postscript
+%!ps
diff --git a/usr/local/share/protocols/pplive.pat b/usr/local/share/protocols/pplive.pat
new file mode 100644
index 0000000..42fef72
--- /dev/null
+++ b/usr/local/share/protocols/pplive.pat
@@ -0,0 +1,11 @@
+# PPLive - Chinese P2P streaming video - http://pplive.com
+# Pattern attributes: ok notsofast notsofast
+# Protocol groups: p2p streaming_video proprietary
+# Wiki: http://www.protocolinfo.org/wiki/PPLive
+# Copyright (C) 2008 Matthew Strait; See ../LICENSE
+
+# By liangjun, who says that it works. It may be easily improvable with
+# a bit more testing.
+
+pplive
+\x01...\xd3.+\x0c.$
diff --git a/usr/local/share/protocols/pressplay.pat b/usr/local/share/protocols/pressplay.pat
new file mode 100644
index 0000000..cd814cc
--- /dev/null
+++ b/usr/local/share/protocols/pressplay.pat
@@ -0,0 +1,15 @@
+# pressplay - A legal music distribution site - http://pressplay.com
+# Pattern attributes: ok notsofast notsofast
+# Protocol groups: document_retrieval obsolete proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Pressplay
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern was "contributed" (taken with permission) by the bandwidth
+# arbitrator project (www.bandwidtharbitrator.com).
+#
+# This pattern is unconfirmed.
+
+pressplay
+# can we do better than this?
+user-agent: nsplayer
+
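Review bot: The match string `user-agent: nsplayer` contains nothing specific to pressplay, so every HTTP client that sends that User-Agent value is classified as pressplay. The file flags this itself ("can we do better than this?", "This pattern is unconfirmed") and lists the protocol as obsolete. Consider leaving this file out of the import, or document in the header that a rule built on it acts on all such clients.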
diff --git a/usr/local/share/protocols/quicktime.pat b/usr/local/share/protocols/quicktime.pat
new file mode 100644
index 0000000..5a6273d
--- /dev/null
+++ b/usr/local/share/protocols/quicktime.pat
@@ -0,0 +1,21 @@
+# Quicktime HTTP
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: streaming_video streaming_audio ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested and is believed to work well.
+# (Quick Time v6.5.1 downloading from www.apple.com/trailers)
+#
+# To get or provide more information about this protocol and/or pattern:
+# http://www.protocolinfo.org/wiki/HTTP
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+#
+# Since this is a subset of HTTP, it should be put earlier in the packet
+# filtering chain than HTTP. Also, please don't use this to block Quicktime.
+# If you must do that, you should use a filtering HTTP proxy, which is probably
+# more accurate.
+
+quicktime
+user-agent: quicktime \(qtver=[0-9].[0-9].[0-9];os=[\x09-\x0d -~]+\)\x0d\x0a
+
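Review bot: In `qtver=[0-9].[0-9].[0-9]` the dots are unescaped and match any byte; the header cites version 6.5.1, so literal dots are intended: `qtver=[0-9]\.[0-9]\.[0-9]`. Each component also accepts a single digit only, so a version with a two-digit component would not match.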
diff --git a/usr/local/share/protocols/rar.pat b/usr/local/share/protocols/rar.pat
new file mode 100644
index 0000000..1332af1
--- /dev/null
+++ b/usr/local/share/protocols/rar.pat
@@ -0,0 +1,7 @@
+# RAR - The WinRAR archive format
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+rar
+rar\x21\x1a\x07
diff --git a/usr/local/share/protocols/rpm.pat b/usr/local/share/protocols/rpm.pat
new file mode 100644
index 0000000..0302839
--- /dev/null
+++ b/usr/local/share/protocols/rpm.pat
@@ -0,0 +1,7 @@
+# RPM - Redhat Package Management packages
+# Pattern attributes: good fast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+rpm
+\xed\xab\xee\xdb.?.?.?.?[1-7]
diff --git a/usr/local/share/protocols/rtf.pat b/usr/local/share/protocols/rtf.pat
new file mode 100644
index 0000000..676cb1a
--- /dev/null
+++ b/usr/local/share/protocols/rtf.pat
@@ -0,0 +1,8 @@
+# RTF - Rich Text Format - an open document format
+# Pattern attributes: good fast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+rtf
+\{\\rtf[12]
+
diff --git a/usr/local/share/protocols/runesofmagic.pat b/usr/local/share/protocols/runesofmagic.pat
new file mode 100644
index 0000000..6fbfea4
--- /dev/null
+++ b/usr/local/share/protocols/runesofmagic.pat
@@ -0,0 +1,63 @@
+# Runes of Magic - game - http://www.runesofmagic.com
+# Pattern attributes: ok veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Runes_of_Magic
+# Copyright (C) 2008 Matthew Strait; See ../LICENSE
+
+runesofmagic
+^\x10\x03...........\x0a\x02.....\x0e
+# See below (this is also veryfast fast)
+#^\x10\x03...........?\x0a\x02.....?$
+
+# Greatwolf captured the following:
+#
+# Server:
+#
+# 10 00 00 00 03 78 76 7a 1e 8a dd b5 95 a3 3a de .....xvz ......:.
+# 0a 00 00 00 02 df 85 cc cc cc ........ ..
+#
+# Client reply:
+#
+# 0e 00 00 00 02 28 82 cc cc cc 8b c9 cc cc .....(.. ......
+#
+# Server:
+#
+# 2e 00 00 00 02 1e 7f f4 f4 f4 ef f4 f4 f4 b3 8c ........ ........
+# [...]
+#
+# And says: "Bytes 10 00 00 00 03, 0a 00 00 00 02 and 0e (client reply)
+# were consistently present.
+#
+# ^\x10\x03...........\x0a\x02.....\x0e
+#
+# Pattern was able to match during the closed beta period. It is still
+# matching okay after RoM started open beta but could definitely use
+# more testing from others to verify effectiveness."
+#
+# Matthew Strait says:
+#
+# * If the server consistently sends those four bytes in the first packet,
+# it is probably wasteful to wait for the next (client) packet before
+# matching.
+#
+# * If we switch the match strategy to just looking at the first packet, and
+# the first packet is always the same (or nearly the same) length, we can
+# anchor (i.e. use a '$') at the end of the packet.
+#
+# * When there's a string of bytes that I don't understand and that take
+# different values from connection to connection, I think it's good to allow
+# for the possibility that at least one might be \x00, and so I'd make one
+# of the "." into ".?", unless you *know* that \x00 is impossible somehow.
+#
+# * All of those \xcc bytes don't look random to me. Your comments suggest
+# that it isn't always exactly like that, but is there always pattern of
+# repeated bytes or something else that might be useful? It probably isn't
+# necessary to exploit this, since it looks like there's already enough to
+# go with, but it would be nice to understand.
+#
+# So perhaps it would be an improvement to use:
+#
+# ^\x10\x03...........?\x0a\x02.....?$
+#
+# but this depends on the assumptions I made above.
+
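Review bot: The active pattern ends in `\x0e`, which according to the capture in the comments is the first byte of the client reply, so classification waits for the second packet, and the commented-out alternative with the discussion below it is left unresolved. Please state in the header which of the two forms was actually tested and why the cross-packet form was kept. The capture shows `10 00 00 00 03` while the pattern has `\x10\x03`; a one-line note that NULL bytes are omitted, as exe.pat says of its own pattern, would save readers from recounting the dots.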
diff --git a/usr/local/share/protocols/snmp-mon.pat b/usr/local/share/protocols/snmp-mon.pat
new file mode 100644
index 0000000..fe22662
--- /dev/null
+++ b/usr/local/share/protocols/snmp-mon.pat
@@ -0,0 +1,32 @@
+# SNMP Monitoring - Simple Network Management Protocol (RFC1157)
+# Pattern attributes: good veryfast fast subset
+# Protocol groups: networking ietf_internet_standard
+# Wiki: http://en.wikipedia.org/wiki/SNMP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on UDP ports 161
+#
+# These filters match SNMPv1 packets without fail, and are made
+# as specific as possible not to match any ASN.1 encoded protocols.
+# However these could still be matched by other protocols that
+# use ASN.1 encoding
+
+# Contributed by Goli SriSairam <goli_sai AT yahoo.com>
+
+# This pattern has been tested and is believe to work well.
+#
+# To get or provide more information about this protocol and/or pattern:
+# http://www.protocolinfo.org/wiki/SNMP
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+# SNMPv1 GET/GETNEXT/SET request and response
+# matches SNMP header
+# version \x02\x01
+# community \x04.+
+# PDU type [\xa0-\xa3] (GET/GETNEXT/SET/GETRESPONSE)
+# RequestId \x02[\x01-\x04].?.?.?.?
+# errorStatus \x02\x01.?
+# errorIndex \x02\x01.?
+# varbinds start \x30
+snmp-mon
+^\x02\x01\x04.+[\xa0-\xa3]\x02[\x01-\x04].?.?.?.?\x02\x01.?\x02\x01.?\x30
diff --git a/usr/local/share/protocols/snmp-trap.pat b/usr/local/share/protocols/snmp-trap.pat
new file mode 100644
index 0000000..e8ba19a
--- /dev/null
+++ b/usr/local/share/protocols/snmp-trap.pat
@@ -0,0 +1,33 @@
+# SNMP Traps - Simple Network Management Protocol (RFC1157)
+# Pattern attributes: good veryfast fast subset
+# Protocol groups: networking ietf_internet_standard
+# Wiki: http://en.wikipedia.org/wiki/SNMP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on UDP ports 162
+#
+# These filters match SNMPv1 packets without fail, and are made
+# as specific as possible not to match any ASN.1 encoded protocols.
+# However these could still be matched by other protocols that
+# use ASN.1 encoding
+
+# Contributed by Goli SriSairam <goli_sai AT yahoo.com>
+
+# This pattern has been tested and is believe to work well.
+#
+# To get or provide more information about this protocol and/or pattern:
+# http://www.protocolinfo.org/wiki/SNMP
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+# SNMPv1 Trap
+# matches SNMP trap header
+# version \x02\x01
+# community string \x04.+
+# PDU type \xa4 (TRAP)
+# enterprise \x06.+
+# agent address \x40\x04\.?.?.?.?
+# trap type \x02\x01.?
+# specific trap type \x02\x01.?
+# timestamp \x43
+snmp-trap
+^\x02\x01\x04.+\xa4\x06.+\x40\x04.?.?.?.?\x02\x01.?\x02\x01.?\x43
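Review bot: The field table in the comments does not agree with the pattern: the "agent address" row shows `\x40\x04\.?.?.?.?` with an escaped first dot, while the pattern line uses `\x40\x04.?.?.?.?`. Fix the comment so it mirrors the pattern. The two unbounded `.+` runs (community string, enterprise) deserve a mention next to the warning that other ASN.1 encoded protocols can still match. "UDP ports 162" should be "UDP port 162" and "believe" should be "believed".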
diff --git a/usr/local/share/protocols/tar.pat b/usr/local/share/protocols/tar.pat
new file mode 100644
index 0000000..d3ea987
--- /dev/null
+++ b/usr/local/share/protocols/tar.pat
@@ -0,0 +1,12 @@
+# Tar - tape archive. Standard UNIX file archiver, not just for tapes.
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+tar
+# /usr/share/magic
+## POSIX tar archives
+#257 string ustar\0 POSIX tar archive
+#257 string ustar\040\040\0 GNU tar archive
+# this is pretty general. It's not a dictionary word, but still...
+ustar
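Review bot: The active pattern is the bare string `ustar` with no anchor, and the quoted magic entries place it at offset 257, which the pattern cannot express. Any stream that contains those five letters matches, as the comment itself admits ("this is pretty general"). Since anchoring is not an option for a signature at that offset, please change "good" in the Pattern attributes line or state the false-positive risk explicitly in the header.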
diff --git a/usr/local/share/protocols/tonghuashun.pat b/usr/local/share/protocols/tonghuashun.pat
new file mode 100644
index 0000000..45f838b
--- /dev/null
+++ b/usr/local/share/protocols/tonghuashun.pat
@@ -0,0 +1,11 @@
+# Tonghuashun - stock analysis and trading; Chinese - http://www.10jqka.com.cn
+# Pattern attributes: ok fast fast
+# Protocol groups:
+# Wiki: http://www.protocolinfo.org/wiki/Tonghuashun
+# Copyright (C) 2009 Matthew Strait; See ../LICENSE
+
+# Pattern contributed by liangjun without comment.
+
+tonghuashun
+^(GET /docookie\.php\?uname=|\xfd\xfd\xfd\xfd\x30\x30\x30\x30\x30)
+
diff --git a/usr/local/share/protocols/zip.pat b/usr/local/share/protocols/zip.pat
new file mode 100644
index 0000000..e001354
--- /dev/null
+++ b/usr/local/share/protocols/zip.pat
@@ -0,0 +1,7 @@
+# ZIP - (PK|Win)Zip archive format
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+zip
+pk\x03\x04\x14