summaryrefslogtreecommitdiffstats
path: root/usr/local/share/protocols/rtp.pat
diff options
context:
space:
mode:
Diffstat (limited to 'usr/local/share/protocols/rtp.pat')
-rw-r--r--usr/local/share/protocols/rtp.pat39
1 files changed, 16 insertions, 23 deletions
diff --git a/usr/local/share/protocols/rtp.pat b/usr/local/share/protocols/rtp.pat
index d808e1e..61fcd8e 100644
--- a/usr/local/share/protocols/rtp.pat
+++ b/usr/local/share/protocols/rtp.pat
@@ -1,40 +1,33 @@
# RTP - Real-time Transport Protocol - RFC 3550
-# Pattern attributes: marginal overmatch undermatch veryfast fast
+# Pattern attributes: ok overmatch undermatch fast fast
# Protocol groups: streaming_video ietf_internet_standard
# Wiki: http://www.protocolinfo.org/wiki/RTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# RTP headers are *very* short and compact. They have almost nothing in
-# them that can be matched by l7-filter. If you want to match them
-# along with their associated SIP packets, I think the best way might be
-# to set up some iptables rules that watch for SIP packets and then also
-# match any other UDP packets that are going between the same two IP
-# addresses.
+# them that can be matched by l7-filter. As RTP connections take place
+# between even numbered ports, you should probably check for that before
+# applying this pattern. If you want to match them along with their
+# associated SIP packets, you might try setting up some iptables rules
+# that watch for SIP packets and then also match any other UDP packets
+# that are going between the same two IP addresses.
#
-# However, I will attempt a pattern anyway. This is UNTESTED!
-#
# I think we can count on the first bit being 1 and the second bit being
# 0 (meaning protocol version 2). The next two bits could go either way,
# but in the example I've seen, they are zero, so I'll assume they are
# usually zero. The next four bits are a count of "contributing source
# identifiers". I'm not sure how big that could be, but in the example
# I've seen, they're zero, so I'll assume they're usually zero. So that
-# gives us ^\x80. The marker bit that comes next is probably zero for
-# the first packet, although that's not a sure thing. Next is the
-# payload type, 7 bits that might usually only take a few values, but
-# maybe not. In the example I've seen, it's zero, which (with a zero
-# marker bit) means it looks to l7-filter like it's not there at all.
-# The rest of the header is random numbers (sequence number, timestamp,
-# synchronization source identifier), so that's no help at all.
-#
-# I think the best we could do is to watch to see if several \x80 bytes
-# come in with a small number of bytes between them. This makes all the
-# above assumptions and also assumes that the first packet has no
-# payload and not too much trailing gargage. So this will definitely not
-# work all the time. It clearly also might match other stuff.
+# gives us ^\x80. The next bit is a tossup. Next is the payload type, 7
+# bits. I've taken likely values from the WireShark code: 0-34, 96-127
+# (decimal). The rest of the header is random numbers (sequence number,
+# timestamp, synchronization source identifier), so that's no help at
+# all.
rtp
-^\x80......?.?.?.?.?.?.?.?.?.?.?.?.?\x80
+^\x80[\x01-"`-\x7f\x80-\xa2\xe0-\xff]?..........*\x80
# Might also try this. It's a bit slower (one packet and not too much extra
# regexec load) and a bit more accurate:
-#^\x80......?.?.?.?.?.?.?.?.?.?.?.?.?\x80.*\x80
+#^\x80[\x01-"`-\x7f\x80-\xa2\xe0-\xff]?..........*\x80.*\x80
+
OpenPOWER on IntegriCloud