authorRenato Botelho <garga@FreeBSD.org>2015-05-28 11:01:13 -0300
committerRenato Botelho <garga@FreeBSD.org>2015-05-28 11:01:13 -0300
commit193b6834dd35edf8cea3bdf91aea1d4df3065851 (patch)
tree78d3d69ebfd006eb5de21769f4fb624ea86ebcde /usr/local/share
parent001914d1a61e72bf32e730809edcd495abbf1357 (diff)
downloadpfsense-193b6834dd35edf8cea3bdf91aea1d4df3065851.zip
pfsense-193b6834dd35edf8cea3bdf91aea1d4df3065851.tar.gz
L7 protocols: add rtmp, sync bittorrent, finger and quake-halflife with l7-protocols
Diffstat (limited to 'usr/local/share')
-rw-r--r--usr/local/share/protocols/bittorrent.pat2
-rw-r--r--usr/local/share/protocols/finger.pat2
-rw-r--r--usr/local/share/protocols/quake-halflife.pat9
-rw-r--r--usr/local/share/protocols/rtmp.pat13
4 files changed, 22 insertions, 4 deletions
diff --git a/usr/local/share/protocols/bittorrent.pat b/usr/local/share/protocols/bittorrent.pat
index 54063ce..c66f867 100644
--- a/usr/local/share/protocols/bittorrent.pat
+++ b/usr/local/share/protocols/bittorrent.pat
@@ -19,7 +19,7 @@ bittorrent
# bitcomet-specific strings contributed by liangjun.
# This is not a valid GNU basic regular expression (but that's ok).
-^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]
+^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=|get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]
# This pattern is "fast", but won't catch as much
#^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=)
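Review bot: On the corrected bittorrent line only the first group is anchored with `^`; the trailing alternatives `d1:ad2:id20:` and `\x08'7P\)[RP]` sit outside it and so match anywhere in the inspected data. The last one is only six bytes, so unrelated binary traffic can be classified as bittorrent if this match feeds a block or shaping rule. The commit fixes the missing `|` but leaves this undocumented; I would add a line such as `# Only the first group is anchored; the last two alternatives match at any offset.` above the pattern.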
diff --git a/usr/local/share/protocols/finger.pat b/usr/local/share/protocols/finger.pat
index 7f81d48..f567f8c 100644
--- a/usr/local/share/protocols/finger.pat
+++ b/usr/local/share/protocols/finger.pat
@@ -12,4 +12,4 @@ finger
# The first matches the client request, which should look like a username.
# The second matches the usual UNIX reply (but remember that they are
# allowed to say whatever they want)
-^[a-z][a-z0-9\-_]+|login: [\x09-\x0d -~]* name: [\x09-\x0d -~]* Directory:
+^[a-z][a-z0-9\-_]+\x0d\x0a|login: [\x09-\x0d -~]* name: [\x09-\x0d -~]* Directory:
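Review bot: The first alternative of the new finger pattern still classifies any connection whose first line is a single lowercase token followed by CRLF as finger. It also misses the other request forms RFC 1288 allows as I read it: an empty line, a `/W` prefix and `user@host` forwarding. Where this match drives a block rule, those requests are caught only by the unanchored reply alternative, and only when the server answers in the usual UNIX layout. I would record that limit above the pattern, e.g. `# Matches only a bare username request; empty, /W and user@host queries rely on the reply match.`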
diff --git a/usr/local/share/protocols/quake-halflife.pat b/usr/local/share/protocols/quake-halflife.pat
index 97e7d84..bc05b8f 100644
--- a/usr/local/share/protocols/quake-halflife.pat
+++ b/usr/local/share/protocols/quake-halflife.pat
@@ -16,12 +16,17 @@
# Fortress Classic, Deathmatch Classic, Ricochet, Half-Life [1] Deathmatch,
# and I imagine all the other 3rd party mods that also use this engine
# will match that pattern.
+#
+# Gavin Pryke <gavinlee303 at googlemail.com> says:
+# Added "getstatus". Quake3 games were not being matched here until it was
+# added.
quake-halflife
# All quake (like) protocols start with 4x 0xFF. Then the client either
-# issues getinfo or getchallenge.
-^\xff\xff\xff\xffget(info|challenge)
+# issues getinfo, getchallenge or getstatus.
+^\xff\xff\xff\xffget(info|challenge|status)
# A previous quake pattern allowed the connection to start with only 2 bytes
# of 0xFF. This doesn't seem to ever happen, but we should keep an eye out
# for it.
+
diff --git a/usr/local/share/protocols/rtmp.pat b/usr/local/share/protocols/rtmp.pat
new file mode 100644
index 0000000..2c7adad
--- /dev/null
+++ b/usr/local/share/protocols/rtmp.pat
@@ -0,0 +1,13 @@
+# Adobe Real Time Messaging Protocol(RTMP). By Jonathan A.P. Marpaung
+# Pattern attributes: works very fast
+# Protocol Groups: streaming_video streaming_audio
+# The RTMP Specification is availabe at
+# http://www.adobe.com/devnet/rtmp/pdf/rtmp_specification_1.0.pdf [^]
+#
+# First 12 bytes, starting at \x03 are the RTMP header. Next 25 bytes,
+# starting at \x02, are part of the RTMP body which is an AMF Object.
+# The first string "connect" is a command of the NetConnection class object.
+# The next string "app" is a Command Object which is followed by values
+# such as "video", .
+rtmp
+^\x03.+\x14.+\x02.+\x07.(connect)?.+(app)?
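Review bot: In the new rtmp pattern the groups `(connect)?` and `(app)?` are optional and sit next to `.+`, so they never constrain a match. The expression reduces to a stream that starts with `\x03` and later contains `\x14`, `\x02` and `\x07` in that order, which is likely to match unrelated binary traffic. The chained `.+` runs may also not be as cheap as the "works very fast" header claims on a backtracking matcher. If the strings are meant to be required, drop the `?` quantifiers so the tail reads `connect.+app`, and check the single `.` before `connect` against a real capture. The header comment also has a typo (`availabe`), a stray `[^]` after the URL and an unfinished sentence ending in `"video", .`.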