From 46bc6e545a17e77202aaf01ec0cd8d5a46567525 Mon Sep 17 00:00:00 2001 
From: Renato Botelho
Date: Tue, 25 Aug 2015 08:08:24 -0300
Subject: Move main pfSense content to src/
---
 src/usr/local/share/protocols/100bao.pat | 12 + src/usr/local/share/protocols/EAOrigin.pat | 7 + src/usr/local/share/protocols/LICENSE | 605 +++++++++++++++++++++ src/usr/local/share/protocols/aim.pat | 28 + src/usr/local/share/protocols/aimwebcontent.pat | 10 + src/usr/local/share/protocols/any.pat | 8 + src/usr/local/share/protocols/applejuice.pat | 12 + src/usr/local/share/protocols/ares.pat | 63 +++ src/usr/local/share/protocols/armagetron.pat | 12 + src/usr/local/share/protocols/audiogalaxy.pat | 19 + src/usr/local/share/protocols/battlefield1942.pat | 14 + src/usr/local/share/protocols/battlefield2.pat | 26 + src/usr/local/share/protocols/battlefield2142.pat | 14 + src/usr/local/share/protocols/bgp.pat | 19 + src/usr/local/share/protocols/biff.pat | 16 + src/usr/local/share/protocols/bittorrent.pat | 25 + src/usr/local/share/protocols/chikka.pat | 17 + src/usr/local/share/protocols/cimd.pat | 19 + src/usr/local/share/protocols/ciscovpn.pat | 11 + src/usr/local/share/protocols/citrix.pat | 12 + src/usr/local/share/protocols/code_red.pat | 8 + .../local/share/protocols/counterstrike-source.pat | 42 ++ src/usr/local/share/protocols/cvs.pat | 14 + .../local/share/protocols/dayofdefeat-source.pat | 11 + src/usr/local/share/protocols/dazhihui.pat | 11 + src/usr/local/share/protocols/dhcp.pat | 36 ++ src/usr/local/share/protocols/directconnect.pat | 14 + src/usr/local/share/protocols/dns.pat | 63 +++ src/usr/local/share/protocols/doom3.pat | 10 + src/usr/local/share/protocols/edonkey.pat | 37 ++ src/usr/local/share/protocols/exe.pat | 20 + src/usr/local/share/protocols/fasttrack.pat | 23 + src/usr/local/share/protocols/finger.pat | 15 + src/usr/local/share/protocols/flash.pat | 18 + src/usr/local/share/protocols/freenet.pat | 10 + src/usr/local/share/protocols/ftp.pat | 46 ++ src/usr/local/share/protocols/gif.pat | 8 + src/usr/local/share/protocols/gkrellm.pat | 
13 + src/usr/local/share/protocols/gnucleuslan.pat | 10 + src/usr/local/share/protocols/gnutella.pat | 34 ++ src/usr/local/share/protocols/goboogy.pat | 13 + src/usr/local/share/protocols/gopher.pat | 25 + src/usr/local/share/protocols/gtalk.pat | 11 + src/usr/local/share/protocols/guildwars.pat | 14 + src/usr/local/share/protocols/h323.pat | 36 ++ .../local/share/protocols/halflife2-deathmatch.pat | 10 + src/usr/local/share/protocols/hddtemp.pat | 14 + src/usr/local/share/protocols/hotline.pat | 12 + src/usr/local/share/protocols/html.pat | 11 + src/usr/local/share/protocols/http-dap.pat | 19 + .../local/share/protocols/http-freshdownload.pat | 17 + src/usr/local/share/protocols/http-itunes.pat | 14 + src/usr/local/share/protocols/http-rtsp.pat | 16 + src/usr/local/share/protocols/http.pat | 28 + src/usr/local/share/protocols/httpaudio.pat | 32 ++ src/usr/local/share/protocols/httpcachehit.pat | 19 + src/usr/local/share/protocols/httpcachemiss.pat | 17 + src/usr/local/share/protocols/httpvideo.pat | 32 ++ src/usr/local/share/protocols/ident.pat | 15 + src/usr/local/share/protocols/imap.pat | 14 + src/usr/local/share/protocols/imesh.pat | 15 + src/usr/local/share/protocols/ipp.pat | 12 + src/usr/local/share/protocols/irc.pat | 20 + src/usr/local/share/protocols/jabber.pat | 24 + src/usr/local/share/protocols/jpeg.pat | 8 + src/usr/local/share/protocols/kugoo.pat | 21 + src/usr/local/share/protocols/live365.pat | 15 + src/usr/local/share/protocols/liveforspeed.pat | 13 + src/usr/local/share/protocols/lpd.pat | 18 + src/usr/local/share/protocols/mohaa.pat | 11 + src/usr/local/share/protocols/mp3.pat | 11 + src/usr/local/share/protocols/msn-filetransfer.pat | 30 + src/usr/local/share/protocols/msnmessenger.pat | 28 + src/usr/local/share/protocols/mute.pat | 11 + src/usr/local/share/protocols/napster.pat | 24 + src/usr/local/share/protocols/nbns.pat | 20 + src/usr/local/share/protocols/ncp.pat | 23 + src/usr/local/share/protocols/netbios.pat | 29 + 
src/usr/local/share/protocols/nimda.pat | 8 + src/usr/local/share/protocols/nntp.pat | 21 + src/usr/local/share/protocols/ntp.pat | 17 + src/usr/local/share/protocols/ogg.pat | 7 + src/usr/local/share/protocols/openft.pat | 13 + src/usr/local/share/protocols/pcanywhere.pat | 12 + src/usr/local/share/protocols/pdf.pat | 11 + src/usr/local/share/protocols/perl.pat | 7 + src/usr/local/share/protocols/png.pat | 13 + src/usr/local/share/protocols/poco.pat | 12 + src/usr/local/share/protocols/pop3.pat | 50 ++ src/usr/local/share/protocols/postscript.pat | 7 + src/usr/local/share/protocols/pplive.pat | 11 + src/usr/local/share/protocols/pressplay.pat | 15 + src/usr/local/share/protocols/qq.pat | 26 + src/usr/local/share/protocols/quake-halflife.pat | 32 ++ src/usr/local/share/protocols/quake1.pat | 19 + src/usr/local/share/protocols/quicktime.pat | 21 + src/usr/local/share/protocols/radmin.pat | 17 + src/usr/local/share/protocols/rar.pat | 7 + src/usr/local/share/protocols/rdp.pat | 20 + src/usr/local/share/protocols/replaytv-ivs.pat | 11 + src/usr/local/share/protocols/rlogin.pat | 19 + src/usr/local/share/protocols/rpm.pat | 7 + src/usr/local/share/protocols/rtf.pat | 8 + src/usr/local/share/protocols/rtmp.pat | 13 + src/usr/local/share/protocols/rtp.pat | 33 ++ src/usr/local/share/protocols/rtsp.pat | 15 + src/usr/local/share/protocols/runesofmagic.pat | 63 +++ src/usr/local/share/protocols/shoutcast.pat | 27 + src/usr/local/share/protocols/sip.pat | 20 + src/usr/local/share/protocols/skypeout.pat | 50 ++ src/usr/local/share/protocols/skypetoskype.pat | 14 + src/usr/local/share/protocols/smb.pat | 19 + src/usr/local/share/protocols/smtp.pat | 40 ++ src/usr/local/share/protocols/snmp-mon.pat | 32 ++ src/usr/local/share/protocols/snmp-trap.pat | 33 ++ src/usr/local/share/protocols/snmp.pat | 19 + src/usr/local/share/protocols/socks.pat | 32 ++ src/usr/local/share/protocols/soribada.pat | 51 ++ src/usr/local/share/protocols/soulseek.pat | 17 + 
src/usr/local/share/protocols/ssdp.pat | 21 + src/usr/local/share/protocols/ssh.pat | 17 + src/usr/local/share/protocols/ssl.pat | 16 + src/usr/local/share/protocols/stun.pat | 46 ++ src/usr/local/share/protocols/subspace.pat | 21 + src/usr/local/share/protocols/subversion.pat | 13 + src/usr/local/share/protocols/swf.pat | 2 + src/usr/local/share/protocols/tar.pat | 12 + src/usr/local/share/protocols/teamfortress2.pat | 11 + src/usr/local/share/protocols/teamspeak.pat | 15 + src/usr/local/share/protocols/telnet.pat | 16 + src/usr/local/share/protocols/tesla.pat | 15 + src/usr/local/share/protocols/tftp.pat | 21 + src/usr/local/share/protocols/thecircle.pat | 12 + src/usr/local/share/protocols/tonghuashun.pat | 11 + src/usr/local/share/protocols/tor.pat | 17 + src/usr/local/share/protocols/tsp.pat | 14 + src/usr/local/share/protocols/unset.pat | 8 + src/usr/local/share/protocols/uucp.pat | 12 + src/usr/local/share/protocols/validcertssl.pat | 25 + src/usr/local/share/protocols/ventrilo.pat | 18 + src/usr/local/share/protocols/vnc.pat | 23 + src/usr/local/share/protocols/whois.pat | 14 + src/usr/local/share/protocols/worldofwarcraft.pat | 66 +++ src/usr/local/share/protocols/x11.pat | 23 + src/usr/local/share/protocols/xboxlive.pat | 41 ++ src/usr/local/share/protocols/xunlei.pat | 83 +++ src/usr/local/share/protocols/yahoo.pat | 27 + src/usr/local/share/protocols/zip.pat | 7 + src/usr/local/share/protocols/zmaap.pat | 18 + 149 files changed, 3608 insertions(+) create mode 100644 src/usr/local/share/protocols/100bao.pat create mode 100644 src/usr/local/share/protocols/EAOrigin.pat create mode 100644 src/usr/local/share/protocols/LICENSE create mode 100644 src/usr/local/share/protocols/aim.pat create mode 100644 src/usr/local/share/protocols/aimwebcontent.pat create mode 100644 src/usr/local/share/protocols/any.pat create mode 100644 src/usr/local/share/protocols/applejuice.pat create mode 100644 src/usr/local/share/protocols/ares.pat create mode 100644 
src/usr/local/share/protocols/armagetron.pat create mode 100644 src/usr/local/share/protocols/audiogalaxy.pat create mode 100644 src/usr/local/share/protocols/battlefield1942.pat create mode 100644 src/usr/local/share/protocols/battlefield2.pat create mode 100644 src/usr/local/share/protocols/battlefield2142.pat create mode 100644 src/usr/local/share/protocols/bgp.pat create mode 100644 src/usr/local/share/protocols/biff.pat create mode 100644 src/usr/local/share/protocols/bittorrent.pat create mode 100644 src/usr/local/share/protocols/chikka.pat create mode 100644 src/usr/local/share/protocols/cimd.pat create mode 100644 src/usr/local/share/protocols/ciscovpn.pat create mode 100644 src/usr/local/share/protocols/citrix.pat create mode 100644 src/usr/local/share/protocols/code_red.pat create mode 100644 src/usr/local/share/protocols/counterstrike-source.pat create mode 100644 src/usr/local/share/protocols/cvs.pat create mode 100644 src/usr/local/share/protocols/dayofdefeat-source.pat create mode 100644 src/usr/local/share/protocols/dazhihui.pat create mode 100644 src/usr/local/share/protocols/dhcp.pat create mode 100644 src/usr/local/share/protocols/directconnect.pat create mode 100644 src/usr/local/share/protocols/dns.pat create mode 100644 src/usr/local/share/protocols/doom3.pat create mode 100644 src/usr/local/share/protocols/edonkey.pat create mode 100644 src/usr/local/share/protocols/exe.pat create mode 100644 src/usr/local/share/protocols/fasttrack.pat create mode 100644 src/usr/local/share/protocols/finger.pat create mode 100644 src/usr/local/share/protocols/flash.pat create mode 100644 src/usr/local/share/protocols/freenet.pat create mode 100644 src/usr/local/share/protocols/ftp.pat create mode 100644 src/usr/local/share/protocols/gif.pat create mode 100644 src/usr/local/share/protocols/gkrellm.pat create mode 100644 src/usr/local/share/protocols/gnucleuslan.pat create mode 100644 src/usr/local/share/protocols/gnutella.pat create mode 100644 
src/usr/local/share/protocols/goboogy.pat create mode 100644 src/usr/local/share/protocols/gopher.pat create mode 100644 src/usr/local/share/protocols/gtalk.pat create mode 100644 src/usr/local/share/protocols/guildwars.pat create mode 100644 src/usr/local/share/protocols/h323.pat create mode 100644 src/usr/local/share/protocols/halflife2-deathmatch.pat create mode 100644 src/usr/local/share/protocols/hddtemp.pat create mode 100644 src/usr/local/share/protocols/hotline.pat create mode 100644 src/usr/local/share/protocols/html.pat create mode 100644 src/usr/local/share/protocols/http-dap.pat create mode 100644 src/usr/local/share/protocols/http-freshdownload.pat create mode 100644 src/usr/local/share/protocols/http-itunes.pat create mode 100644 src/usr/local/share/protocols/http-rtsp.pat create mode 100644 src/usr/local/share/protocols/http.pat create mode 100644 src/usr/local/share/protocols/httpaudio.pat create mode 100644 src/usr/local/share/protocols/httpcachehit.pat create mode 100644 src/usr/local/share/protocols/httpcachemiss.pat create mode 100644 src/usr/local/share/protocols/httpvideo.pat create mode 100644 src/usr/local/share/protocols/ident.pat create mode 100644 src/usr/local/share/protocols/imap.pat create mode 100644 src/usr/local/share/protocols/imesh.pat create mode 100644 src/usr/local/share/protocols/ipp.pat create mode 100644 src/usr/local/share/protocols/irc.pat create mode 100644 src/usr/local/share/protocols/jabber.pat create mode 100644 src/usr/local/share/protocols/jpeg.pat create mode 100644 src/usr/local/share/protocols/kugoo.pat create mode 100644 src/usr/local/share/protocols/live365.pat create mode 100644 src/usr/local/share/protocols/liveforspeed.pat create mode 100644 src/usr/local/share/protocols/lpd.pat create mode 100644 src/usr/local/share/protocols/mohaa.pat create mode 100644 src/usr/local/share/protocols/mp3.pat create mode 100644 src/usr/local/share/protocols/msn-filetransfer.pat create mode 100644 
src/usr/local/share/protocols/msnmessenger.pat create mode 100644 src/usr/local/share/protocols/mute.pat create mode 100644 src/usr/local/share/protocols/napster.pat create mode 100644 src/usr/local/share/protocols/nbns.pat create mode 100644 src/usr/local/share/protocols/ncp.pat create mode 100644 src/usr/local/share/protocols/netbios.pat create mode 100644 src/usr/local/share/protocols/nimda.pat create mode 100644 src/usr/local/share/protocols/nntp.pat create mode 100644 src/usr/local/share/protocols/ntp.pat create mode 100644 src/usr/local/share/protocols/ogg.pat create mode 100644 src/usr/local/share/protocols/openft.pat create mode 100644 src/usr/local/share/protocols/pcanywhere.pat create mode 100644 src/usr/local/share/protocols/pdf.pat create mode 100644 src/usr/local/share/protocols/perl.pat create mode 100644 src/usr/local/share/protocols/png.pat create mode 100644 src/usr/local/share/protocols/poco.pat create mode 100644 src/usr/local/share/protocols/pop3.pat create mode 100644 src/usr/local/share/protocols/postscript.pat create mode 100644 src/usr/local/share/protocols/pplive.pat create mode 100644 src/usr/local/share/protocols/pressplay.pat create mode 100644 src/usr/local/share/protocols/qq.pat create mode 100644 src/usr/local/share/protocols/quake-halflife.pat create mode 100644 src/usr/local/share/protocols/quake1.pat create mode 100644 src/usr/local/share/protocols/quicktime.pat create mode 100644 src/usr/local/share/protocols/radmin.pat create mode 100644 src/usr/local/share/protocols/rar.pat create mode 100644 src/usr/local/share/protocols/rdp.pat create mode 100644 src/usr/local/share/protocols/replaytv-ivs.pat create mode 100644 src/usr/local/share/protocols/rlogin.pat create mode 100644 src/usr/local/share/protocols/rpm.pat create mode 100644 src/usr/local/share/protocols/rtf.pat create mode 100644 src/usr/local/share/protocols/rtmp.pat create mode 100644 src/usr/local/share/protocols/rtp.pat create mode 100644 
src/usr/local/share/protocols/rtsp.pat create mode 100644 src/usr/local/share/protocols/runesofmagic.pat create mode 100644 src/usr/local/share/protocols/shoutcast.pat create mode 100644 src/usr/local/share/protocols/sip.pat create mode 100644 src/usr/local/share/protocols/skypeout.pat create mode 100644 src/usr/local/share/protocols/skypetoskype.pat create mode 100644 src/usr/local/share/protocols/smb.pat create mode 100644 src/usr/local/share/protocols/smtp.pat create mode 100644 src/usr/local/share/protocols/snmp-mon.pat create mode 100644 src/usr/local/share/protocols/snmp-trap.pat create mode 100644 src/usr/local/share/protocols/snmp.pat create mode 100644 src/usr/local/share/protocols/socks.pat create mode 100644 src/usr/local/share/protocols/soribada.pat create mode 100644 src/usr/local/share/protocols/soulseek.pat create mode 100644 src/usr/local/share/protocols/ssdp.pat create mode 100644 src/usr/local/share/protocols/ssh.pat create mode 100644 src/usr/local/share/protocols/ssl.pat create mode 100644 src/usr/local/share/protocols/stun.pat create mode 100644 src/usr/local/share/protocols/subspace.pat create mode 100644 src/usr/local/share/protocols/subversion.pat create mode 100644 src/usr/local/share/protocols/swf.pat create mode 100644 src/usr/local/share/protocols/tar.pat create mode 100644 src/usr/local/share/protocols/teamfortress2.pat create mode 100644 src/usr/local/share/protocols/teamspeak.pat create mode 100644 src/usr/local/share/protocols/telnet.pat create mode 100644 src/usr/local/share/protocols/tesla.pat create mode 100644 src/usr/local/share/protocols/tftp.pat create mode 100644 src/usr/local/share/protocols/thecircle.pat create mode 100644 src/usr/local/share/protocols/tonghuashun.pat create mode 100644 src/usr/local/share/protocols/tor.pat create mode 100644 src/usr/local/share/protocols/tsp.pat create mode 100644 src/usr/local/share/protocols/unset.pat create mode 100644 src/usr/local/share/protocols/uucp.pat create mode 100644 
src/usr/local/share/protocols/validcertssl.pat create mode 100644 src/usr/local/share/protocols/ventrilo.pat create mode 100644 src/usr/local/share/protocols/vnc.pat create mode 100644 src/usr/local/share/protocols/whois.pat create mode 100644 src/usr/local/share/protocols/worldofwarcraft.pat create mode 100644 src/usr/local/share/protocols/x11.pat create mode 100644 src/usr/local/share/protocols/xboxlive.pat create mode 100644 src/usr/local/share/protocols/xunlei.pat create mode 100644 src/usr/local/share/protocols/yahoo.pat create mode 100644 src/usr/local/share/protocols/zip.pat create mode 100644 src/usr/local/share/protocols/zmaap.pat (limited to 'src/usr/local/share/protocols')
diff --git a/src/usr/local/share/protocols/100bao.pat b/src/usr/local/share/protocols/100bao.pat
new file mode 100644
index 0000000..a03a891
--- /dev/null
+++ b/src/usr/local/share/protocols/100bao.pat
@@ -0,0 +1,12 @@
+# 100bao - a Chinese P2P protocol/program - http://www.100bao.com
+# Pattern attributes: ok veryfast fast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/100Bao
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Pattern written by www.routerclub.com's wsgtrsys.
+# The author of this pattern says it works, but this is unconfirmed.
+
+100bao
+^\x01\x01\x05\x0a
+
diff --git a/src/usr/local/share/protocols/EAOrigin.pat b/src/usr/local/share/protocols/EAOrigin.pat
new file mode 100644
index 0000000..391be72
--- /dev/null
+++ b/src/usr/local/share/protocols/EAOrigin.pat
@@ -0,0 +1,7 @@
+# Origin powered by EA
+# zip? - Main Downloads for Games/Patches/Updates
+# User-Agents - Browsing the EA store.
+
+User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/534.34 (KHTML, like Gecko) Origin/9.2.1.4399 Safari/534.34 EA Download Manager
+User-Agent: Mozilla/5.0 EA Download Manager Origin
+zip?
diff --git a/src/usr/local/share/protocols/LICENSE b/src/usr/local/share/protocols/LICENSE
new file mode 100644
index 0000000..49395f6
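Review bot: The copyright line `+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE` points one directory up, but this same commit places LICENSE in src/usr/local/share/protocols/, next to the .pat files, so the reference should read `# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See LICENSE`. The header itself says the pattern is unconfirmed, and the regex `^\x01\x01\x05\x0a` is an anchored four-byte prefix with no further context, so any flow whose first four payload bytes happen to match will be classified as 100bao. That caveat is worth stating where an operator will see it, e.g. `# NOTE: four-byte prefix only, expect false positives; combine with port or address constraints when used for shaping or blocking`.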
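Review bot: EAOrigin.pat does not follow the layout the sibling 100bao.pat in this commit uses (comment header, one protocol-name line, one regex line): its first non-comment line is the literal `User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) ...` string, which a loader reading name-then-pattern would take as the protocol name, leaving the second User-Agent line as the pattern and `zip?` as an unparsed extra line. The lines are also written as plain strings rather than regexes; if they are read as regexes, `(`, `)`, `.` and the trailing `?` are metacharacters, and `zip?` on its own matches any payload containing `zi`. If the loader does expect name-then-pattern, this should become a name line `EAOrigin` followed by a single anchored regex along the lines of `user-agent: .*ea download manager` (constructed sketch, to be confirmed against real Origin traffic before use). Unlike 100bao.pat, the file also carries no attribute, group or copyright header, so its quality and provenance cannot be judged from the file.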
--- /dev/null
+++ b/src/usr/local/share/protocols/LICENSE
@@ -0,0 +1,605 @@ +You may distribute this software under either the GPLv2 or Creative +Commons Attribution-ShareAlike 2.5. The text of each follows: + +*************************************************************************** + + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 675 Mass Ave, Cambridge, MA 02139, USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. 
You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ Appendix: How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+
+ Copyright (C) 19yy
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) 19yy name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ , 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Library General
+Public License instead of this License.
+
+***************************************************************************
+
+ Creative Commons Legal Code
+ Attribution-ShareAlike 2.5
+
+ CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
+ LEGAL SERVICES. DISTRIBUTION OF THIS LICENSE DOES NOT CREATE AN
+ ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
+ INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
+ REGARDING THE INFORMATION PROVIDED, AND DISCLAIMS LIABILITY FOR
+ DAMAGES RESULTING FROM ITS USE.
+
+ License
+
+ THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS
+ CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS
+ PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE
+ WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS
+ PROHIBITED.
+
+ BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND
+ AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. THE LICENSOR GRANTS
+ YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF
+ SUCH TERMS AND CONDITIONS.
+
+ 1. Definitions
+ a. "Collective Work" means a work, such as a periodical issue,
+ anthology or encyclopedia, in which the Work in its entirety in
+ unmodified form, along with a number of other contributions,
+ constituting separate and independent works in themselves, are
+ assembled into a collective whole. A work that constitutes a
+ Collective Work will not be considered a Derivative Work (as
+ defined below) for the purposes of this License.
+ b. "Derivative Work" means a work based upon the Work or upon the
+ Work and other pre-existing works, such as a translation, musical
+ arrangement, dramatization, fictionalization, motion picture
+ version, sound recording, art reproduction, abridgment,
+ condensation, or any other form in which the Work may be recast,
+ transformed, or adapted, except that a work that constitutes a
+ Collective Work will not be considered a Derivative Work for the
+ purpose of this License.
For the avoidance of doubt, where the
+ Work is a musical composition or sound recording, the
+ synchronization of the Work in timed-relation with a moving image
+ ("synching") will be considered a Derivative Work for the purpose
+ of this License.
+ c. "Licensor" means the individual or entity that offers the Work
+ under the terms of this License.
+ d. "Original Author" means the individual or entity who created the
+ Work.
+ e. "Work" means the copyrightable work of authorship offered under
+ the terms of this License.
+ f. "You" means an individual or entity exercising rights under this
+ License who has not previously violated the terms of this License
+ with respect to the Work, or who has received express permission
+ from the Licensor to exercise rights under this License despite a
+ previous violation.
+ g. "License Elements" means the following high-level license
+ attributes as selected by Licensor and indicated in the title of
+ this License: Attribution, ShareAlike.
+
+ 2. Fair Use Rights. Nothing in this license is intended to reduce,
+ limit, or restrict any rights arising from fair use, first sale or
+ other limitations on the exclusive rights of the copyright owner under
+ copyright law or other applicable laws.
+
+ 3. License Grant. Subject to the terms and conditions of this License,
+ Licensor hereby grants You a worldwide, royalty-free, non-exclusive,
+ perpetual (for the duration of the applicable copyright) license to
+ exercise the rights in the Work as stated below:
+ a. to reproduce the Work, to incorporate the Work into one or more
+ Collective Works, and to reproduce the Work as incorporated in the
+ Collective Works;
+ b. to create and reproduce Derivative Works;
+ c. to distribute copies or phonorecords of, display publicly, perform
+ publicly, and perform publicly by means of a digital audio
+ transmission the Work including as incorporated in Collective
+ Works;
+ d.
to distribute copies or phonorecords of, display publicly, perform
+ publicly, and perform publicly by means of a digital audio
+ transmission Derivative Works.
+ e. For the avoidance of doubt, where the work is a musical
+ composition:
+ i. Performance Royalties Under Blanket Licenses. Licensor waives
+ the exclusive right to collect, whether individually or via a
+ performance rights society (e.g. ASCAP, BMI, SESAC),
+ royalties for the public performance or public digital
+ performance (e.g. webcast) of the Work.
+ ii. Mechanical Rights and Statutory Royalties. Licensor waives
+ the exclusive right to collect, whether individually or via a
+ music rights society or designated agent (e.g. Harry Fox
+ Agency), royalties for any phonorecord You create from the
+ Work ("cover version") and distribute, subject to the
+ compulsory license created by 17 USC Section 115 of the US
+ Copyright Act (or the equivalent in other jurisdictions).
+ f. Webcasting Rights and Statutory Royalties. For the avoidance of
+ doubt, where the Work is a sound recording, Licensor waives the
+ exclusive right to collect, whether individually or via a
+ performance-rights society (e.g. SoundExchange), royalties for the
+ public digital performance (e.g. webcast) of the Work, subject to
+ the compulsory license created by 17 USC Section 114 of the US
+ Copyright Act (or the equivalent in other jurisdictions).
+
+ The above rights may be exercised in all media and formats whether now
+ known or hereafter devised. The above rights include the right to make
+ such modifications as are technically necessary to exercise the rights
+ in other media and formats. All rights not expressly granted by
+ Licensor are hereby reserved.
+
+ 4. Restrictions.The license granted in Section 3 above is expressly
+ made subject to and limited by the following restrictions:
+ a.
You may distribute, publicly display, publicly perform, or
+ publicly digitally perform the Work only under the terms of this
+ License, and You must include a copy of, or the Uniform Resource
+ Identifier for, this License with every copy or phonorecord of the
+ Work You distribute, publicly display, publicly perform, or
+ publicly digitally perform. You may not offer or impose any terms
+ on the Work that alter or restrict the terms of this License or
+ the recipients' exercise of the rights granted hereunder. You may
+ not sublicense the Work. You must keep intact all notices that
+ refer to this License and to the disclaimer of warranties. You may
+ not distribute, publicly display, publicly perform, or publicly
+ digitally perform the Work with any technological measures that
+ control access or use of the Work in a manner inconsistent with
+ the terms of this License Agreement. The above applies to the Work
+ as incorporated in a Collective Work, but this does not require
+ the Collective Work apart from the Work itself to be made subject
+ to the terms of this License. If You create a Collective Work,
+ upon notice from any Licensor You must, to the extent practicable,
+ remove from the Collective Work any credit as required by clause
+ 4(c), as requested. If You create a Derivative Work, upon notice
+ from any Licensor You must, to the extent practicable, remove from
+ the Derivative Work any credit as required by clause 4(c), as
+ requested.
+ b. You may distribute, publicly display, publicly perform, or
+ publicly digitally perform a Derivative Work only under the terms
+ of this License, a later version of this License with the same
+ License Elements as this License, or a Creative Commons iCommons
+ license that contains the same License Elements as this License
+ (e.g. Attribution-ShareAlike 2.5 Japan).
You must include a copy
+ of, or the Uniform Resource Identifier for, this License or other
+ license specified in the previous sentence with every copy or
+ phonorecord of each Derivative Work You distribute, publicly
+ display, publicly perform, or publicly digitally perform. You may
+ not offer or impose any terms on the Derivative Works that alter
+ or restrict the terms of this License or the recipients' exercise
+ of the rights granted hereunder, and You must keep intact all
+ notices that refer to this License and to the disclaimer of
+ warranties. You may not distribute, publicly display, publicly
+ perform, or publicly digitally perform the Derivative Work with
+ any technological measures that control access or use of the Work
+ in a manner inconsistent with the terms of this License Agreement.
+ The above applies to the Derivative Work as incorporated in a
+ Collective Work, but this does not require the Collective Work
+ apart from the Derivative Work itself to be made subject to the
+ terms of this License.
+ c. If you distribute, publicly display, publicly perform, or publicly
+ digitally perform the Work or any Derivative Works or Collective
+ Works, You must keep intact all copyright notices for the Work and
+ provide, reasonable to the medium or means You are utilizing: (i)
+ the name of the Original Author (or pseudonym, if applicable) if
+ supplied, and/or (ii) if the Original Author and/or Licensor
+ designate another party or parties (e.g.
a sponsor institute,
+ publishing entity, journal) for attribution in Licensor's
+ copyright notice, terms of service or by other reasonable means,
+ the name of such party or parties; the title of the Work if
+ supplied; to the extent reasonably practicable, the Uniform
+ Resource Identifier, if any, that Licensor specifies to be
+ associated with the Work, unless such URI does not refer to the
+ copyright notice or licensing information for the Work; and in the
+ case of a Derivative Work, a credit identifying the use of the
+ Work in the Derivative Work (e.g., "French translation of the Work
+ by Original Author," or "Screenplay based on original Work by
+ Original Author"). Such credit may be implemented in any
+ reasonable manner; provided, however, that in the case of a
+ Derivative Work or Collective Work, at a minimum such credit will
+ appear where any other comparable authorship credit appears and in
+ a manner at least as prominent as such other comparable authorship
+ credit.
+
+ 5. Representations, Warranties and Disclaimer
+
+ UNLESS OTHERWISE AGREED TO BY THE PARTIES IN WRITING, LICENSOR OFFERS
+ THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND
+ CONCERNING THE MATERIALS, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE,
+ INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY,
+ FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF
+ LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF
+ ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW
+ THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY
+ TO YOU.
+
+ 6. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY
+ APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY
+ LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR
+ EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK,
+ EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+ 7.
Termination
+ a. This License and the rights granted hereunder will terminate
+ automatically upon any breach by You of the terms of this License.
+ Individuals or entities who have received Derivative Works or
+ Collective Works from You under this License, however, will not
+ have their licenses terminated provided such individuals or
+ entities remain in full compliance with those licenses. Sections
+ 1, 2, 5, 6, 7, and 8 will survive any termination of this License.
+ b. Subject to the above terms and conditions, the license granted
+ here is perpetual (for the duration of the applicable copyright in
+ the Work). Notwithstanding the above, Licensor reserves the right
+ to release the Work under different license terms or to stop
+ distributing the Work at any time; provided, however that any such
+ election will not serve to withdraw this License (or any other
+ license that has been, or is required to be, granted under the
+ terms of this License), and this License will continue in full
+ force and effect unless terminated as stated above.
+
+ 8. Miscellaneous
+ a. Each time You distribute or publicly digitally perform the Work or
+ a Collective Work, the Licensor offers to the recipient a license
+ to the Work on the same terms and conditions as the license
+ granted to You under this License.
+ b. Each time You distribute or publicly digitally perform a
+ Derivative Work, Licensor offers to the recipient a license to the
+ original Work on the same terms and conditions as the license
+ granted to You under this License.
+ c. If any provision of this License is invalid or unenforceable under
+ applicable law, it shall not affect the validity or enforceability
+ of the remainder of the terms of this License, and without further
+ action by the parties to this agreement, such provision shall be
+ reformed to the minimum extent necessary to make such provision
+ valid and enforceable.
+ d.
No term or provision of this License shall be deemed waived and no
+ breach consented to unless such waiver or consent shall be in
+ writing and signed by the party to be charged with such waiver or
+ consent.
+ e. This License constitutes the entire agreement between the parties
+ with respect to the Work licensed here. There are no
+ understandings, agreements or representations with respect to the
+ Work not specified here. Licensor shall not be bound by any
+ additional provisions that may appear in any communication from
+ You. This License may not be modified without the mutual written
+ agreement of the Licensor and You.
+
+ Creative Commons is not a party to this License, and makes no warranty
+ whatsoever in connection with the Work. Creative Commons will not be
+ liable to You or any party on any legal theory for any damages
+ whatsoever, including without limitation any general, special,
+ incidental or consequential damages arising in connection to this
+ license. Notwithstanding the foregoing two (2) sentences, if Creative
+ Commons has expressly identified itself as the Licensor hereunder, it
+ shall have all rights and obligations of Licensor.
+
+ Except for the limited purpose of indicating to the public that the
+ Work is licensed under the CCPL, neither party will use the trademark
+ "Creative Commons" or any related trademark or logo of Creative
+ Commons without the prior written consent of Creative Commons. Any
+ permitted use will be in compliance with Creative Commons'
+ then-current trademark usage guidelines, as may be published on its
+ website or otherwise made available upon request from time to time.
+
+ Creative Commons may be contacted at http://creativecommons.org/.
diff --git a/src/usr/local/share/protocols/aim.pat b/src/usr/local/share/protocols/aim.pat
new file mode 100644
index 0000000..5c43930
--- /dev/null
+++ b/src/usr/local/share/protocols/aim.pat
@@ -0,0 +1,28 @@
+# AIM - AOL instant messenger (OSCAR and TOC)
+# Pattern attributes: good slow notsofast
+# Protocol groups: chat proprietary
+# Wiki: http://www.protocolinfo.org/wiki/AIM
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 5190
+#
+# This may also match ICQ traffic.
+#
+# This pattern has been tested and is believed to work well.
+
+aim
+# See http://gridley.res.carleton.edu/~straitm/final (and various other places)
+# The first bit matches OSCAR signon and data commands, but not sure what
+# \x03\x0b matches, but it works apparently.
+# The next three bits match various parts of the TOC signon process.
+# The third one is the magic number "*", then 0x01 for "signon", then up to four
+# bytes ("up to" because l7-filter strips out nulls) which contain a sequence
+# number (2 bytes) the data length (2 more) and 3 nulls (which don't count),
+# then 0x01 for the version number (not sure if there ever has been another
+# version)
+# The fourth one is a command string, followed by some stuff, then the
+# beginning of the "roasted" password
+
+# This pattern is too slow!
+
+^(\*[\x01\x02].*\x03\x0b|\*\x01.?.?.?.?\x01)|flapon|toc_signon.*0x
diff --git a/src/usr/local/share/protocols/aimwebcontent.pat b/src/usr/local/share/protocols/aimwebcontent.pat
new file mode 100644
index 0000000..bc9a22d
--- /dev/null
+++ b/src/usr/local/share/protocols/aimwebcontent.pat
@@ -0,0 +1,10 @@
+# AIM web content - ads/news content downloaded by AOL Instant Messenger
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: chat document_retrieval proprietary
+# Wiki: http://www.protocolinfo.org/wiki/AIM
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested and is believed to work well.
+
+aimwebcontent
+user-agent:aim/
diff --git a/src/usr/local/share/protocols/any.pat b/src/usr/local/share/protocols/any.pat
new file mode 100644
index 0000000..56d8134
--- /dev/null
+++ b/src/usr/local/share/protocols/any.pat
@@ -0,0 +1,8 @@
+# Unknown - Dummy pattern for old unmatched connections.
+
+unknown
+# This pattern is ignored by the kernel. It sees that the "protocol" is
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+# "unknown" and always returns unmatched for connections that are still
+# being tested.
+.
diff --git a/src/usr/local/share/protocols/applejuice.pat b/src/usr/local/share/protocols/applejuice.pat
new file mode 100644
index 0000000..eb552dc
--- /dev/null
+++ b/src/usr/local/share/protocols/applejuice.pat
@@ -0,0 +1,12 @@
+# Apple Juice - P2P filesharing - http://www.applejuicenet.de
+# Pattern attributes: great veryfast fast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/AppleJuice
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested with the Linux version (version
+# 0,29,142,229). It matches search reqests and file transfers.
+
+applejuice
+# this pattern extracted from ipp2p, by Eicke Friedrich.
+^ajprot\x0d\x0a
diff --git a/src/usr/local/share/protocols/ares.pat b/src/usr/local/share/protocols/ares.pat
new file mode 100644
index 0000000..32dc70d
--- /dev/null
+++ b/src/usr/local/share/protocols/ares.pat
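Review bot: In any.pat the copyright line is spliced into the middle of the explanatory comment, splitting one sentence across `# ... It sees that the "protocol" is` and `# "unknown" and always returns unmatched ...`. Moving `# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE` up to directly below the `# Unknown - Dummy pattern for old unmatched connections.` header keeps the header block uniform with every other .pat file in this commit and makes the comment readable again. Since the commit is a tree move, this is probably inherited from the original file rather than introduced here, but it is cheap to fix while the files are being relocated.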
@@ -0,0 +1,63 @@
+# Ares - P2P filesharing - http://aresgalaxy.sf.net
+# Pattern attributes: good veryfast fast undermatch
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/Ares
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# This pattern catches only client-server connect messages. This is
+# sufficient for blocking, but not for shaping, since it doesn't catch
+# the actual file transfers (see below).
+
+# Original pattern by Brandon Enright
+
+# This pattern has been tested with Ares 1.8.8.2998.
+
+ares
+# regular expression madness: "[]Z]" means ']' or 'Z'.
+^\x03[]Z].?.?\x05$
+
+# It appears that the general packet format is:
+# - Two byte little endian integer giving the data length
+# - One byte packet type
+# - data
+#
+# Login packets (TCP) have the following format:
+# - \x03\x00 (the length appears to always be 3)
+# - \x5a - The login packet type.
+# The source code suggests that for supernodes \x5d is used instead.
+# - Three more bytes. I don't know the meaning of these, but for me they
+# are always \x06\x06\x05 (in Ares 1.8.8.2998). From the comments in IPP2P,
+# it seems that they are not always exactly that, but seem to always end in
+# \x05.
+#
+# Search packets have the following format:
+# - Two byte little endian integer giving the data length
+# A single two letter word make this \x0a
+# The biggest I could get it was \x4f
+# - Packet type = \x09
+# - One byte document type:
+# - "all" = 00
+# - "audio" = 01
+# - "software" = 03
+# - "video" = 05
+# - "document" = 06
+# - "image" = 07
+# - "other" = 08
+# - \x0f - I don't know what this means, but it is always this for me
+# - Two bytes of unknown meaning that change
+# - Some number search words:
+# - \x14 - I don't know what this means, but it is always this for me
+# - One byte length of the first search word
+# Between 2 and \x14 in my tests with Ares 1.8.8.2998
+# It ignores single letter words and truncates ones longer than \x14
+# - Two bytes of unknown meaning that change
+# - The search word (not null terminated)
+# This was all investigated by searching for strings in "all". Searches
+# can also be performed in "title" and "author". I'm not going to
+# bother to research these because I new realize that searches are done
+# on the same TCP connection as the login packets, so there is no need
+# to match them separately.
+#
+# File transfers appear to be encrypted or at least obfuscated. (The
+# files themselves, at least, are not transmitted in the clear.) I
+# haven't found any patterns.
diff --git a/src/usr/local/share/protocols/armagetron.pat b/src/usr/local/share/protocols/armagetron.pat
new file mode 100644
index 0000000..a032410
--- /dev/null
+++ b/src/usr/local/share/protocols/armagetron.pat
@@ -0,0 +1,12 @@
+# Armagetron Advanced - open source Tron/snake based multiplayer game
+# Pattern attributes: good slow notsofast
+# Protocol groups: open_source game
+# Wiki: http://protocolinfo.org/wiki/Armagetron
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# Contributed to protocolinfo.org, possibly by joda.bot, who says "The
+# filter matches the initial transfer of configuration data. Very early
+# versions might not transfer the CYCLE_ Settings (before 0.2.5.x)."
+
+armagetron
+YCLC_E|CYEL
diff --git a/src/usr/local/share/protocols/audiogalaxy.pat b/src/usr/local/share/protocols/audiogalaxy.pat
new file mode 100644
index 0000000..db1999a
--- /dev/null
+++ b/src/usr/local/share/protocols/audiogalaxy.pat
@@ -0,0 +1,19 @@
+# Audiogalaxy - (defunct) Peer to Peer filesharing
+# Pattern attributes: ok fast fast
+# Protocol groups: p2p obsolete
+# Wiki: http://protocolinfo.org/wiki/Audiogalaxy
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# http://www.movspclr.co.uk/info/agprotocol.html
+#
+# This pattern is untested.
+#
+# To get or provide more information about this protocol and/or pattern:
+# http://www.protocolinfo.org/wiki/Audiogalaxy
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+audiogalaxy
+# (magic cookie that starts conversations)|(magic cookie that starts
+# 0.606W/0.608W client/server conversations and a string that should always
+# appear in login messages)
+^(\x45\x5f\xd0\xd5|\x45\x5f.*0.60(6|8)W)
diff --git a/src/usr/local/share/protocols/battlefield1942.pat b/src/usr/local/share/protocols/battlefield1942.pat
new file mode 100644
index 0000000..ed7a7bf
--- /dev/null
+++ b/src/usr/local/share/protocols/battlefield1942.pat
@@ -0,0 +1,14 @@
+# Battlefield 1942 - An EA game
+# Pattern attributes: ok veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Battlefield_1942
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Contributed by Myles Uyema
+#
+# This pattern has only been tested by one person.
+
+# tested on two original EA battlefield 1942 servers
+# matches the first two packets of joining a server
+battlefield1942
+^\x01\x11\x10\|\xf8\x02\x10\x40\x06
diff --git a/src/usr/local/share/protocols/battlefield2.pat b/src/usr/local/share/protocols/battlefield2.pat
new file mode 100644
index 0000000..e2d8791
--- /dev/null
+++ b/src/usr/local/share/protocols/battlefield2.pat
@@ -0,0 +1,26 @@
+# Battlefield 2 - An EA game.
+# Pattern attributes: ok slow notsofast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Battlefield_2
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern is unconfirmed except implicitly by a comment on protocolinfo.
+
+battlefield2
+# gameplay|account-login|server browsing/information
+# See http://protocolinfo.org/wiki/Battlefield_2
+# Can we put a ^ on the last branch? If so, nosofast --> veryfast
+
+# 193.85.217.35 on protocolinfo says:
+# The first part of the pattern, \x11\x20\x01\xa0\x98\x11, has to be
+# modified for different version of Battlefield 2. The gameplay part of
+# pattern for BF2 v1.4 is \x11\x20\x01\x30\xb9\x10\x11, and for BF2
+# v1.41 is \x11\x20\x01\x50\xb9\x10\x11
+#
+# Rather than put all of those in, I've just gone with "...?" in the
+# middle.
+
+^(\x11\x20\x01...?\x11|\xfe\xfd.?.?.?.?.?.?(\x14\x01\x06|\xff\xff\xff))|[]\x01].?battlefield2
+
+# Pattern prior to 193.85.217.35's comment on protocolinfo:
+#^(\x11\x20\x01\xa0\x98\x11|\xfe\xfd.?.?.?.?.?.?(\x14\x01\x06|\xff\xff\xff))|[]\x01].?battlefield2
diff --git a/src/usr/local/share/protocols/battlefield2142.pat b/src/usr/local/share/protocols/battlefield2142.pat
new file mode 100644
index 0000000..4c0e42b
--- /dev/null
+++ b/src/usr/local/share/protocols/battlefield2142.pat
@@ -0,0 +1,14 @@
+# Battlefield 2142 - An EA game.
+# Pattern attributes: ok fast fast
+# Protocol groups: proprietary game
+# Wiki: http://protocolinfo.org/wiki/Battlefield_2142
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# Submitted by Telsin. Not confirmed.
+
+battlefield2142
+# gameplay|account-login|server browsing/information
+# Can't put a ^ on the last branch: it fails to match if you do.
+# This branch seems to matter very rarely, though
+^(\x11\x20\x01\x90\x50\x64\x10|\xfe\xfd.?.?.?\x18|[\x01\\].?battlefield2)
+
diff --git a/src/usr/local/share/protocols/bgp.pat b/src/usr/local/share/protocols/bgp.pat
new file mode 100644
index 0000000..61e417f
--- /dev/null
+++ b/src/usr/local/share/protocols/bgp.pat
@@ -0,0 +1,19 @@
+# BGP - Border Gateway Protocol - RFC 1771
+# Pattern attributes: ok veryfast fast
+# Protocol groups: networking ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/BGP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern is UNTESTED.
+
+bgp
+# "After a transport protocol connection is established, the first
+# message sent by each side is an OPEN message."
+# "If the Type of the message is OPEN, or if the Authentication Code used
+# in the OPEN message of the connection is zero, then the Marker must be
+# all ones."
+# Then the 2 byte length field, then the 1 byte type field (1 = OPEN).
+# Then the BGP version: 3 was RFC'd in 1991, 4 was RFC'd in 1995.
+# Could keep going, but that should be sufficient.
+^\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff..?\x01[\x03\x04]
+
diff --git a/src/usr/local/share/protocols/biff.pat b/src/usr/local/share/protocols/biff.pat
new file mode 100644
index 0000000..91e8bbf
--- /dev/null
+++ b/src/usr/local/share/protocols/biff.pat
@@ -0,0 +1,16 @@
+# Biff - new mail notification
+# Pattern attributes: good fast fast undermatch overmatch
+# Protocol groups: mail
+# Wiki: http://www.protocolinfo.org/wiki/Biff
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 512
+#
+# This pattern is completely untested.
+
+biff
+# This is a rare case where we will specify a $ (end of line), since
+# this is the entirety of the communication.
+# something that looks like a username, an @, a number.
+# won't catch usernames that have strange characters in them.
+^[a-z][a-z0-9]+@[1-9][0-9]+$
diff --git a/src/usr/local/share/protocols/bittorrent.pat b/src/usr/local/share/protocols/bittorrent.pat
new file mode 100644
index 0000000..c66f867
--- /dev/null
+++ b/src/usr/local/share/protocols/bittorrent.pat
@@ -0,0 +1,25 @@
+# Bittorrent - P2P filesharing / publishing tool - http://www.bittorrent.com
+# Pattern attributes: good slow notsofast undermatch
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/Bittorrent
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested and is believed to work well.
+# It will, however, not work on bittorrent streams that are encrypted, since
+# it's impossible to match (well) encrypted data.
+
+bittorrent
+
+# Does not attempt to match the HTTP download of the tracker
+# 0x13 is the length of "bittorrent protocol"
+# Second two bits match UDP wierdness
+# Next bit matches something Azureus does
+# Ditto on the next bit. Could also match on "user-agent: azureus", but that's in the next
+# packet and perhaps this will match multiple clients.
+# bitcomet-specific strings contributed by liangjun.
+
+# This is not a valid GNU basic regular expression (but that's ok).
+^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=|get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]
+
+# This pattern is "fast", but won't catch as much
+#^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=)
diff --git a/src/usr/local/share/protocols/chikka.pat b/src/usr/local/share/protocols/chikka.pat
new file mode 100644
index 0000000..a97ef28
--- /dev/null
+++ b/src/usr/local/share/protocols/chikka.pat
@@ -0,0 +1,17 @@
+# Chikka - SMS service which can be used without phones - http://chikka.com
+# Pattern attributes: good fast fast superset
+# Protocol groups: proprietary chat
+# Wiki: http://www.protocolinfo.org/wiki/Chikka
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# Tested with Chikka Javalite on 14 Jan 2007.
+# The login and chat use the same TCP connection.
+
+# "Kamusta" means "Hello" in Tagalog, apparently, so that will probably
+# stay the same. I've only seen v1.2, but I've given it some leeway for
+# past and future versions.
+
+# Chikka uses CIMD as part of the login process, see cimd.pat
+
+chikka
+^CTPv1\.[123] Kamusta.*\x0d\x0a$
diff --git a/src/usr/local/share/protocols/cimd.pat b/src/usr/local/share/protocols/cimd.pat
new file mode 100644
index 0000000..f508350
--- /dev/null
+++ b/src/usr/local/share/protocols/cimd.pat
@@ -0,0 +1,19 @@
+# Computer Interface to Message Distribution, an SMSC protocol by Nokia
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: proprietary chat
+# Wiki: http://www.protocolinfo.org/wiki/CIMD
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# I don't know whether CIMD is ever found by itself in a TCP connection.
+# I have only seen it myself as part of the Chikka login process, in
+# which the second and third packets (at least) are CIMD. So I am not
+# using a '^' at the beginning.
+#
+# This pretty well explains the pattern:
+# http://en.wikipedia.org/w/index.php?title=CIMD&oldid=42707583
+# However, Chikka does NOT terminate the last field with a tab.
+#
+# Tested with Chikka Javalite on 14 Jan 2007.
+
+cimd
+\x02[0-4][0-9]:[0-9]+.*\x03$
diff --git a/src/usr/local/share/protocols/ciscovpn.pat b/src/usr/local/share/protocols/ciscovpn.pat
new file mode 100644
index 0000000..d3dd7a6
--- /dev/null
+++ b/src/usr/local/share/protocols/ciscovpn.pat
@@ -0,0 +1,11 @@ +# Cisco VPN - VPN client software to a Cisco VPN server +# Pattern attributes: ok veryfast fast +# Protocol groups: remote_access proprietary +# Wiki: http://www.protocolinfo.org/wiki/Cisco_VPN +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# This pattern contributed by Myles Uyema + +ciscovpn +^\x01\xf4\x01\xf4 + diff --git a/src/usr/local/share/protocols/citrix.pat b/src/usr/local/share/protocols/citrix.pat new file mode 100644 index 0000000..fa73ce1 --- /dev/null +++ b/src/usr/local/share/protocols/citrix.pat @@ -0,0 +1,12 @@ +# Citrix ICA - proprietary remote desktop application - http://citrix.com +# Pattern attributes: marginal notsofast notsofast +# Protocol groups: remote_access proprietary +# Wiki: http://www.protocolinfo.org/wiki/Citrix +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# This pattern is UNTESTED. + +# This is based on decode_citrix in dsniff 2.4. + +citrix +\x32\x26\x85\x92\x58 diff --git a/src/usr/local/share/protocols/code_red.pat b/src/usr/local/share/protocols/code_red.pat new file mode 100644 index 0000000..df0beee --- /dev/null +++ b/src/usr/local/share/protocols/code_red.pat @@ -0,0 +1,8 @@ +# Code Red - a worm that attacks Microsoft IIS web servers +# Pattern attributes: ok fast notsofast subset +# Protocol groups: worm +# Wiki: http://www.protocolinfo.org/wiki/CodeRed +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE + +code_red +/default\.ida\?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 
diff --git a/src/usr/local/share/protocols/counterstrike-source.pat b/src/usr/local/share/protocols/counterstrike-source.pat
new file mode 100644
index 0000000..8ebd627
--- /dev/null
+++ b/src/usr/local/share/protocols/counterstrike-source.pat
@@ -0,0 +1,42 @@
+# Counterstrike (using the new "Source" engine) - network game
+# Pattern attributes: good veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Counter-Strike
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# By adam.randazzoATgmail.com
+
+counterstrike-source
+^\xff\xff\xff\xff.*cstrikeCounter-Strike
+
+# These games use Steam, which is developed by Valve Software.
+#
+# This was based off of the following captured data from ethereal:
+# --Source--
+# 0000 00 11 09 2a a8 79 00 13 10 2c 3f d7 08 00 45 20 ...*.y...,?...E
+# 0010 00 72 b9 f6 00 00 6b 11 b6 78 18 0e 04 cc c0 a8 .r....k..x......
+# 0020 01 6a 69 87 04 65 00 5e 01 ac ff ff ff ff 49 07 .ji..e.^......I.
+# 0030 54 4a 27 73 20 50 6c 61 63 65 20 6f 66 20 50 61 TJ's Place of Pa
+# 0040 69 6e 00 64 65 5f 70 69 72 61 6e 65 73 69 00 63 in.de_piranesi.c
+# 0050 73 74 72 69 6b 65 00 43 6f 75 6e 74 65 72 2d 53 strike.Counter-S
+# 0060 74 72 69 6b 65 3a 20 53 6f 75 72 63 65 00 dc 00 trike: Source...
+# 0070 08 10 06 64 77 00 00 31 2e 30 2e 30 2e 31 38 00 ...dw..1.0.0.18.
+# 0080
+#
+# --1.6--
+# 0000 00 11 09 2a a8 79 00 13 10 2c 3f d7 08 00 45 00 ...*.y...,?...E.
+# 0010 00 8e c4 1a 00 00 76 11 b3 85 08 09 02 fa c0 a8 ......v.........
+# 0020 01 14 69 91 04 37 00 7a c9 90 ff ff ff ff 6d 38 ..i..7.z......m8
+# 0030 2e 39 2e 32 2e 32 35 30 3a 32 37 30 32 35 00 49 .9.2.250:27025.I
+# 0040 50 20 2d 20 43 6c 61 6e 20 73 65 72 76 65 72 00 P - Clan server.
+# 0050 64 65 5f 64 75 73 74 32 00 63 73 74 72 69 6b 65 de_dust2.cstrike
+# 0060 00 43 6f 75 6e 74 65 72 2d 53 74 72 69 6b 65 00 .Counter-Strike.
+# 0070 0a 0c 2f 64 77 00 01 77 77 77 2e 63 6f 75 6e 74 ../dw..www.count
+# 0080 65 72 2d 73 74 72 69 6b 65 2e 6e 65 74 00 00 00 er-strike.net...
+# 0090 01 00 00 00 00 9e f7 0a 00 01 00 00 ............
+
+
+# Old pattern. (Adam Randazzo says "CS 1.6 and CS: Source are the
+# only two versions that are playable on the Internet since Valve
+# disabled the WON system in favor of steam.")
+# cs .*dl.www.counter-strike.net
diff --git a/src/usr/local/share/protocols/cvs.pat b/src/usr/local/share/protocols/cvs.pat
new file mode 100644
index 0000000..fc084d3
--- /dev/null
+++ b/src/usr/local/share/protocols/cvs.pat
@@ -0,0 +1,14 @@
+# CVS - Concurrent Versions System
+# Pattern attributes: good veryfast fast
+# Protocol groups: version_control open_source
+# Wiki: http://www.protocolinfo.org/wiki/CVS
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+cvs
+
+# Matches pserver login. AUTH is for actually starting the protocol
+# VERIFICATION is for authenticating without starting the protocols
+# and GSSAPI is for using security services such as kerberos.
+# http://www.loria.fr/~molli/cvs/doc/cvsclient_3.html
+
+^BEGIN (AUTH|VERIFICATION|GSSAPI) REQUEST\x0a
diff --git a/src/usr/local/share/protocols/dayofdefeat-source.pat b/src/usr/local/share/protocols/dayofdefeat-source.pat
new file mode 100644
index 0000000..42b24bb
--- /dev/null
+++ b/src/usr/local/share/protocols/dayofdefeat-source.pat
@@ -0,0 +1,11 @@
+# Day of Defeat: Source - game (Half-Life 2 mod) - http://www.valvesoftware.com
+# Pattern attributes: good veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Day_of_Defeat:Source
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# By Clayton Macleod
+
+dayofdefeat-source
+^\xff\xff\xff\xff.*dodDay of Defeat
+
diff --git a/src/usr/local/share/protocols/dazhihui.pat b/src/usr/local/share/protocols/dazhihui.pat
new file mode 100644
index 0000000..032440c
--- /dev/null
+++ b/src/usr/local/share/protocols/dazhihui.pat
@@ -0,0 +1,11 @@
+# Dazhihui - stock analysis and trading; Chinese - http://www.gw.com.cn
+# Pattern attributes: fast fast ok
+# Protocol groups:
+# Wiki: http://www.protocolinfo.org/wiki/Dazhihui
+# Copyright (C) 2009 Matthew Strait; See ../LICENSE
+
+# Pattern contributed by liangjun without comment.
+
+dazhihui
+^(longaccoun|qsver2auth|\x35[57]\x30|\+\x10\*)
+
diff --git a/src/usr/local/share/protocols/dhcp.pat b/src/usr/local/share/protocols/dhcp.pat
new file mode 100644
index 0000000..426480d
--- /dev/null
+++ b/src/usr/local/share/protocols/dhcp.pat
@@ -0,0 +1,36 @@
+# DHCP - Dynamic Host Configuration Protocol - RFC 1541
+# Pattern attributes: good veryfast fast
+# Protocol groups: networking ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/DHCP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on ports 67 (server) and 68 (client)
+#
+# Also matches BOOTP (Bootstrap Protocol (RFC 951)) in the case that
+# the "vendor specific options" are used (these options were made standard
+# for DHCP).
+#
+# This pattern is lightly tested.
+
+dhcp
+^[\x01\x02][\x01- ]\x06.*c\x82sc
+
+# Let's break that down:
+#
+# (\x01|\x02) is for BOOTREQUEST or BOOTREPLY
+# Is there a demand for doing these separately? The Packeteer does.
+#
+# [\x01-\x20] is for any of the hardware address types listed at
+# (http://www.iana.org/assignments/arp-parameters) and hopefully faster
+# ethernets too (100, 1000 and 10000mb) as well (do they share the 10mb
+# number?).
+#
+# \x06 for "hardware address length = 6 bytes". Does anyone use other lengths
+# these days? If so, this pattern won't match it as it stands.
+#
+# .* covers the hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
+# chaddr, sname and file fields. While this can't really be "any number
+# of characters" long, it doesn't seem worth it to count.
+# Can we make this more specific by restricting the number of hops or seconds?
+#
+# 0x63825363 is the "magic cookie" which begins the DHCP options field.
diff --git a/src/usr/local/share/protocols/directconnect.pat b/src/usr/local/share/protocols/directconnect.pat
new file mode 100644
index 0000000..13be4a1
--- /dev/null
+++ b/src/usr/local/share/protocols/directconnect.pat
@@ -0,0 +1,14 @@
+# Direct Connect - P2P filesharing - http://www.neo-modus.com
+# Pattern attributes: good fast fast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Direct_Connect
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Direct Connect "hubs" listen on port 411
+# http://www.dcpp.net/wiki/
+# I've verified that this pattern can be used to limit direct connect
+# bandwidth using DC:PRO 0.2.3.149R11.
+
+directconnect
+# client-to-client handshake|client-to-hub login, hub speaking|client-to-hub login, client speaking
+^(\$mynick |\$lock |\$key )
diff --git a/src/usr/local/share/protocols/dns.pat b/src/usr/local/share/protocols/dns.pat
new file mode 100644
index 0000000..c351831
--- /dev/null
+++ b/src/usr/local/share/protocols/dns.pat
@@ -0,0 +1,63 @@
+# DNS - Domain Name System - RFC 1035
+# Pattern attributes: great slow fast
+# Protocol groups: networking ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/DNS
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# Thanks to Sebastien Bechet for TLD detection
+# improvements
+
+# While RFC 2181 says "Occasionally it is assumed that the Domain Name
+# System serves only the purpose of mapping Internet host names to data,
+# and mapping Internet addresses to host names. This is not correct, the
+# DNS is a general (if somewhat limited) hierarchical database, and can
+# store almost any kind of data, for almost any purpose.", we will assume
+# just that, because that represents the vast majority of DNS traffic.
+
+# The packet starts with a 2 byte random ID number and 2 bytes of flags that
+# aren't easy to match on.
+
+# The first thing that is matchable is QDCOUNT, the number of queries.
+# Despite the fact that you can apparently ask for up to 65535
+# things at a time, usually you only ask for one and I doubt you ever ask for
+# zero. Let's allow up to two, just in case (even though I can't find any
+# situation that generates more than one).
+
+# Next comes the ANCOUNT, NSCOUNT, and ARCOUNT fields, which could be null
+# or some smallish number, not matchable except by length (up to 6)
+
+# The next matchable thing is the query address. The first byte indicates the
+# length of the first part of the address, which is limited to 63 (0x3F == '?').
+# The next byte has to be a letter (for domain names) or number (for reverse lookups).
+# Then there can be an combination of
+# letters, digits, hyphens, and 0x01-0x3F length markers.
+# Then we check for the presence of a top-level-domain at some later point.
+# This is indicated by a 0x02-0x06 and at least two letters, followed by no
+# more than four more letters.
+# Note that this will miss a very few queries that are for a TLD alone.
+# i.e. "host museum" (195.7.77.17)
+#
+# http://www.icann.org/tlds http://www.iana.org/cctld/cctld-whois.htm
+
+# next is the QTYPE field, which has valid values 1-16 (although this
+# could probably be restricted further since many are rare) and \x1c for
+# IPv6 (and maybe more?). It should follow immediately after the TLD
+# (and some stripped-out nulls)
+
+# next is QCLASS, which has valid values 1-4 and 255, except 2 is never used.
+# I'm not sure if 3 and 4 are used, so I'll include them. 1=Internet 255=any
+
+# If we wanted to match queries and responses separately, there could be
+# more specifics after this for the responses.
+
+dns
+# here's a sane way of doing it
+^.?.?.?.?[\x01\x02].?.?.?.?.?.?[\x01-?][a-z0-9][\x01-?a-z]*[\x02-\x06][a-z][a-z][fglmoprstuvz]?[aeop]?(um)?[\x01-\x10\x1c][\x01\x03\x04\xFF]
+
+# This way assumes that TLDs are any alpha string 2-6 characters long.
+# If TLDs are added, this is a good fallback.
+#^.?.?.?.?[\x01\x02].?.?.?.?.?.?[\x01-?][a-z0-9][\x01-?a-z]*[\x02-\x06][a-z][a-z][a-z]?[a-z]?[a-z]?[a-z]?[\x01-\x10][\x01\x03\x04\xFF]
+
+# If you have more processing power than me, you can substitute this for
+# the [a-z][a-z][a-z]?[a-z]?[a-z]?[a-z]?
+#(aero|arpa|biz|com|coop|edu|gov|info|int|mil|museum|name|net|org|pro|arpa|ac|ad|ae|af|ag|ai|al|am|an|ao|aq|ar|as|at|au|aw|az|ba|bb|bd|be|bf|bg|bh|bi|bj|bm|bn|bo|br|bs|bt|bv|bw|by|bz|ca|cc|cd|cf|cg|ch|ci|ck|cl|cm|cn|co|cr|cu|cv|cx|cy|cz|de|dj|dk|dm|do|dz|ec|ee|eg|eh|er|es|et|fi|fj|fk|fm|fo|fr|ga|gd|ge|gf|gg|gh|gi|gl|gm|gn|gp|gq|gr|gs|gt|gu|gw|gy|hk|hm|hn|hr|ht|hu|id|ie|il|im|in|io|iq|ir|is|it|je|jm|jo|jp|ke|kg|kh|ki|km|kn|kp|kr|kw|ky|kz|la|lb|lc|li|lk|lr|ls|lt|lu|lv|ly|ma|mc|md|mg|mh|mk|ml|mm|mn|mo|mp|mq|mr|ms|mt|mu|mv|mw|mx|my|mz|na|nc|ne|nf|ng|ni|nl|no|np|nr|nu|nz|om|pa|pe|pf|pg|ph|pk|pl|pm|pn|pr|ps|pt|pw|py|qa|re|ro|ru|rw|sa|sb|sc|sd|se|sg|sh|si|sj|sk|sl|sm|sn|so|sr|st|sv|sy|sz|tc|td|tf|tg|th|tj|tk|tm|tn|to|tp|tr|tt|tv|tw|tz|ua|ug|uk|um|us|uy|uz|va|vc|ve|vg|vi|vn|vu|wf|ws|ye|yt|yu|za|zm|zw)
diff --git a/src/usr/local/share/protocols/doom3.pat b/src/usr/local/share/protocols/doom3.pat
new file mode 100644
index 0000000..7d32d6f
--- /dev/null
+++ b/src/usr/local/share/protocols/doom3.pat
@@ -0,0 +1,10 @@
+# Doom 3 - computer game
+# Pattern attributes: good veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Doom
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Thanks to Clayton Macleod (cherrytwist at gmail.com).
+
+doom3
+^\xff\xffchallenge
diff --git a/src/usr/local/share/protocols/edonkey.pat b/src/usr/local/share/protocols/edonkey.pat
new file mode 100644
index 0000000..bc2522e
--- /dev/null
+++ b/src/usr/local/share/protocols/edonkey.pat
@@ -0,0 +1,37 @@
+# eDonkey2000 - P2P filesharing - http://edonkey2000.com and others
+# Pattern attributes: good fast fast overmatch
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/EDonkey
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Tested recently (April/May 2006) with eMule 0.47a and eDonkey2000 1.4
+# and a long time ago with something else.
+#
+# In addition to matching what you might expect, this matches much of
+# what eMule does when you tell it to only connect to the KAD network.
+# I don't quite know what to make of this.
+
+# Thanks to Matt Skidmore
+
+edonkey
+
+# http://gd.tuwien.ac.at/opsys/linux/sf/p/pdonkey/eDonkey-protocol-0.6
+#
+# In addition to \xe3, \xc5 and \xd4, I see a lot of \xe5.
+# As of April 2006, I also see some \xe4.
+#
+# God this is a mess. What an irritating protocol.
+# This will match about 2% of streams with random data in them!
+# (But fortunately much fewer than 2% of streams that are other protocols.
+# You can test this with the data in ../testing/)
+
+^[\xc5\xd4\xe3-\xe5].?.?.?.?([\x01\x02\x05\x14\x15\x16\x18\x19\x1a\x1b\x1c\x20\x21\x32\x33\x34\x35\x36\x38\x40\x41\x42\x43\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58[\x60\x81\x82\x90\x91\x93\x96\x97\x98\x99\x9a\x9b\x9c\x9e\xa0\xa1\xa2\xa3\xa4]|\x59................?[ -~]|\x96....$)
+
+# matches everything and too much
+# ^(\xe3|\xc5|\xd4)
+
+# ipp2p essentially uses "\xe3....\x47", which doesn't seem at all right to me.
+
+# bandwidtharbitrator uses
+# e0.*@.*6[a-z].*p$|e0.*@.*[a-z]6[a-z].*p0$|e.*@.*[0-9]6.*p$|emule|edonkey
+# no comments to explain what all the mush is, of course...
diff --git a/src/usr/local/share/protocols/exe.pat b/src/usr/local/share/protocols/exe.pat
new file mode 100644
index 0000000..0a16e2a
--- /dev/null
+++ b/src/usr/local/share/protocols/exe.pat
@@ -0,0 +1,20 @@
+# Executable - Microsoft PE file format.
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+# Thanks to Brandon Enright [bmenrighATucsd.edu]
+
+# This pattern doesn't techincally match the PE file format but rather the
+# MZ stub program Microsoft uses for backwards compatibility with DOS.
+# That means this will correctly match DOS executables too.
+
+exe
+# There are two different stubs used depending on the compiler/packer.
+# Numerous NULL bytes have been stripped from this pattern.
+
+# This pattern may be more efficient:
+# \x4d\x5a\x90\x03\x04|\x4d\x5a\x50\x02\x04
+
+# This is easier to understand:
+\x4d\x5a(\x90\x03|\x50\x02)\x04
diff --git a/src/usr/local/share/protocols/fasttrack.pat b/src/usr/local/share/protocols/fasttrack.pat
new file mode 100644
index 0000000..6ed8ff1
--- /dev/null
+++ b/src/usr/local/share/protocols/fasttrack.pat
@@ -0,0 +1,23 @@
+# FastTrack - P2P filesharing (Kazaa, Morpheus, iMesh, Grokster, etc)
+# Pattern attributes: good slow notsofast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Fasttrack
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Tested with Kazaa Lite Resurrection 0.0.7.6F
+#
+# This appears to match the download connections well, but not the search
+# connections (I think they are encrypted :-( ).
+
+fasttrack
+# while this is a valid http request, this will be caught because
+# the http pattern matches the response (and therefore the next packet)
+# Even so, it's best to put this match earlier in the chain.
+# http://cvs.berlios.de/cgi-bin/viewcvs.cgi/gift-fasttrack/giFT-FastTrack/PROTOCOL?rev=HEAD&content-type=text/vnd.viewcvs-markup
+
+# This pattern is kinda slow, but not too bad.
+^get (/.download/[ -~]*|/.supernode[ -~]|/.status[ -~]|/.network[ -~]*|/.files|/.hash=[0-9a-f]*/[ -~]*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?
+
+# This isn't much faster:
+#^get (/.download/.*|/.supernode.|/.status.|/.network.*|/.files|/.hash=[0-9a-f]*/.*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?
+
diff --git a/src/usr/local/share/protocols/finger.pat b/src/usr/local/share/protocols/finger.pat
new file mode 100644
index 0000000..f567f8c
--- /dev/null
+++ b/src/usr/local/share/protocols/finger.pat
@@ -0,0 +1,15 @@
+# Finger - User information server - RFC 1288
+# Pattern attributes: good slow slow undermatch overmatch
+# Protocol groups: ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/Finger
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 79
+#
+# This pattern is lightly tested.
+
+finger
+# The first matches the client request, which should look like a username.
+# The second matches the usual UNIX reply (but remember that they are
+# allowed to say whatever they want)
+^[a-z][a-z0-9\-_]+\x0d\x0a|login: [\x09-\x0d -~]* name: [\x09-\x0d -~]* Directory:
diff --git a/src/usr/local/share/protocols/flash.pat b/src/usr/local/share/protocols/flash.pat
new file mode 100644
index 0000000..23e5d74
--- /dev/null
+++ b/src/usr/local/share/protocols/flash.pat
@@ -0,0 +1,18 @@
+# Flash - Macromedia Flash.
+# Pattern attributes: good slow notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+# Thanks to Brandon Enright {bmenrigh AT ucsd.edu} and chinalantian at
+# 126 dot com
+
+# Macromedia spec:
+# http://download.macromedia.com/pub/flash/flash_file_format_specification.pdf
+# See also:
+# http://www.digitalpreservation.gov/formats/fdd/fdd000130.shtml
+# http://osflash.org/flv
+
+flash
+# FWS = uncompressed, CWS = compressed, next byte is version number
+# FLV = video
+[FC]WS[\x01-\x09]|FLV\x01\x05\x09
diff --git a/src/usr/local/share/protocols/freenet.pat b/src/usr/local/share/protocols/freenet.pat
new file mode 100644
index 0000000..c62ad57
--- /dev/null
+++ b/src/usr/local/share/protocols/freenet.pat
@@ -0,0 +1,10 @@
+# Freenet - Anonymous information retrieval - http://freenetproject.org
+# Pattern attributes: poor veryfast fast
+# Protocol groups: p2p document_retrieval open_source
+# Wiki: http://www.protocolinfo.org/wiki/Freenet
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+freenet
+# Freenet is intentionally hard to identify...
+# This is empirical, only tested on one computer, and unlikely to work anymore.
+^\x01[\x08\x09][\x03\x04]
diff --git a/src/usr/local/share/protocols/ftp.pat b/src/usr/local/share/protocols/ftp.pat
new file mode 100644
index 0000000..44d97c4
--- /dev/null
+++ b/src/usr/local/share/protocols/ftp.pat
@@ -0,0 +1,46 @@
+# FTP - File Transfer Protocol - RFC 959
+# Pattern attributes: great notsofast fast
+# Protocol groups: document_retrieval ietf_internet_standard
+# Wiki: http://protocolinfo.org/wiki/FTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 21. Note that the data stream is on a dynamically
+# assigned port, which means that you will need the FTP connection
+# tracking module in your kernel to usefully match FTP data transfers.
+#
+# This pattern is well tested.
+#
+# Handles the first two things a server should say:
+#
+# First, the server says it's ready by sending "220". Most servers say
+# something after 220, even though they don't have to, and it usually
+# includes the string "ftp" (l7-filter is case insensitive). This
+# includes proftpd, vsftpd, wuftpd, warftpd, pureftpd, Bulletproof FTP
+# Server, and whatever ftp.microsoft.com uses. Almost all servers use only
+# ASCII printable characters between the "220" and the "FTP", but non-English
+# ones might use others.
+#
+# The next thing the server sends is a 331. All the above servers also
+# send something including "password" after this code. By default, we
+# do not match on this because it takes another packet and is more work
+# for regexec.
+
+ftp
+# by default, we allow only ASCII
+^220[\x09-\x0d -~]*ftp
+
+# This covers UTF-8 as well
+#^220[\x09-\x0d -~\x80-\xfd]*ftp
+
+# This allows any characters and is about 4x faster than either of the above
+# (which are about the same as each other)
+#^220.*ftp
+
+# This is much slower
+#^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*password
+
+# This pattern is more precise, but takes longer to match. (3 packets vs. 1)
+#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a331
+
+# same as above, but slightly less precise and only takes 2 packets.
+#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a
diff --git a/src/usr/local/share/protocols/gif.pat b/src/usr/local/share/protocols/gif.pat
new file mode 100644
index 0000000..d54ed91
--- /dev/null
+++ b/src/usr/local/share/protocols/gif.pat
@@ -0,0 +1,8 @@
+# GIF - Popular Image format.
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+gif
+# drawn from /usr/share/magic
+GIF8(7|9)a
diff --git a/src/usr/local/share/protocols/gkrellm.pat b/src/usr/local/share/protocols/gkrellm.pat
new file mode 100644
index 0000000..73eb537
--- /dev/null
+++ b/src/usr/local/share/protocols/gkrellm.pat
@@ -0,0 +1,13 @@
+# Gkrellm - a system monitor - http://gkrellm.net
+# Pattern attributes: great veryfast fast
+# Protocol groups: monitoring open_source
+# Wiki: http://www.protocolinfo.org/wiki/Gkrellm
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested and is believed to work well.
+# Since this is not anything resembling a published protocol, it may change without
+# warning in new versions of gkrellm.
+
+gkrellm
+# tested with gkrellm 2.2.7
+^gkrellm [23].[0-9].[0-9]\x0a$
diff --git a/src/usr/local/share/protocols/gnucleuslan.pat b/src/usr/local/share/protocols/gnucleuslan.pat
new file mode 100644
index 0000000..ae5895b
--- /dev/null
+++ b/src/usr/local/share/protocols/gnucleuslan.pat
@@ -0,0 +1,10 @@
+# GnucleusLAN - LAN-only P2P filesharing
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/GnucleusLAN
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested and is believed to work well.
+
+gnucleuslan
+gnuclear connect/[\x09-\x0d -~]*user-agent: gnucleus [\x09-\x0d -~]*lan:
diff --git a/src/usr/local/share/protocols/gnutella.pat b/src/usr/local/share/protocols/gnutella.pat
new file mode 100644
index 0000000..770ed43
--- /dev/null
+++ b/src/usr/local/share/protocols/gnutella.pat 
@@ -0,0 +1,34 @@
+# Gnutella - P2P filesharing
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/Gnutella
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This should match both Gnutella and "Gnutella2" ("Mike's protocol")
+#
+# Various clients use this protocol including Mactella, Shareaza,
+# GTK-gnutella, Gnucleus, Gnotella, LimeWire, iMesh and BearShare.
+#
+# This is tested with gtk-gnutella and Shareaza.
+
+# http://www.gnutella2.com/tiki-index.php?page=UDP%20Transceiver
+# http://rfc-gnutella.sf.net/
+# http://www.gnutella2.com/tiki-index.php?page=Gnutella2%20Specification
+# http://en.wikipedia.org/wiki/Shareaza
+
+gnutella
+
+# The first part matches UDP messages - All start with "GND", then have
+# a flag byte which is either \x00, \x01 or \x02, then two sequence bytes
+# that can be anything, then a fragment number, which must start at 1.
+# The rest matches TCP first client message or first server message (in case
+# we can't see client messages). Some parts of this are empirical rather than
+# document based. Assumes version is between 0.0 and 2.9. (usually is
+# 0.4 or 0.6). I'm guessing at many of the user-agents.
+# The last bit is emprical and probably only matches Limewire.
+^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|...................?lime)
+
+# Needlessly precise, at the expense of time
+#^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /[\x09-\x0d -~]*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /[\x09-\x0d -~]*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella[\x09-\x0d -~]*content-type: application/x-gnutella|..................lime)
+
+
diff --git a/src/usr/local/share/protocols/goboogy.pat b/src/usr/local/share/protocols/goboogy.pat
new file mode 100644
index 0000000..d88d00b
--- /dev/null
+++ b/src/usr/local/share/protocols/goboogy.pat
@@ -0,0 +1,13 @@
+# GoBoogy - a Korean P2P protocol
+# Pattern attributes: marginal slow notsofast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/GoBoogy
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern is untested and likely does not work in all cases!
+#
+# By Adam Przybyla, modified by Matthew Strait. Possibly lifted from
+# Josh Ballard (oofle.com).
+
+goboogy
+|^get /getfilebyhash\.cgi\?|^get /queue_register\.cgi\?|^get /getupdowninfo\.cgi\?
diff --git a/src/usr/local/share/protocols/gopher.pat b/src/usr/local/share/protocols/gopher.pat
new file mode 100644
index 0000000..773016f
--- /dev/null
+++ b/src/usr/local/share/protocols/gopher.pat
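Review bot: The pattern line of goboogy.pat begins with a bare `|`, which leaves the first alternative empty; if that is the real file content rather than an artifact of how this page was rendered, the regex matches the empty string and so every connection would be classified as goboogy, and any shaping or blocking rule keyed to this protocol would apply to all traffic. The header already marks the pattern as untested, so this is worth confirming against the source file before it ships. If the leading `|` is genuine, the line should read `^get /getfilebyhash\.cgi\?|^get /queue_register\.cgi\?|^get /getupdowninfo\.cgi\?`.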
@@ -0,0 +1,25 @@ +# Gopher - A precursor to HTTP - RFC 1436 +# Pattern attributes: good slow notsofast undermatch +# Protocol groups: document_retrieval obsolete ietf_rfc_documented +# Wiki: http://www.protocolinfo.org/wiki/Gopher +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# Gopher servers usually run on TCP port 70. +# +# This pattern is lightly tested using gopher.dna.affrc.go.jp . + +gopher +# This matches the server's response, but naturally only if it is a +# directory listing, not if it is sending a file, because then the data +# is totally arbitrary. + +# Matches the client saying "list what you have", then the server +# response: one of the file type characters, any printable characters, a +# tab, any printable characters, a tab, something that looks like a +# domain name, a tab, and then a number which could be the start of a +# port number. + +# "0About internet Gopher\tStuff:About us\trawBits.micro.umn.edu\t70" +# "\r7search by keywords on protein data using wais\twaissrc:/protein_all/protein\tgopher.dna.affrc.go.jp\t70" + +^[\x09-\x0d]*[1-9,+tgi][\x09-\x0d -~]*\x09[\x09-\x0d -~]*\x09[a-z0-9.]*\.[a-z][a-z].?.?\x09[1-9] diff --git a/src/usr/local/share/protocols/gtalk.pat b/src/usr/local/share/protocols/gtalk.pat new file mode 100644 index 0000000..aa538ca --- /dev/null +++ b/src/usr/local/share/protocols/gtalk.pat @@ -0,0 +1,11 @@ +# GTalk, a Jabber (XMPP) client +# Pattern attributes: good veryfast fast subset +# Protocol groups: chat ietf_proposed_standard +# Wiki: http://www.protocolinfo.org/wiki/Jabber +# Copyright (C) 2009 Matthew Strait; See ../LICENSE + +# See ../protocols/jabber.pat for more details + +gtalk +^ + +halflife2-deathmatch +^\xff\xff\xff\xff.*hl2mpDeathmatch diff --git a/src/usr/local/share/protocols/hddtemp.pat b/src/usr/local/share/protocols/hddtemp.pat new file mode 100644 index 0000000..cdd908c --- /dev/null +++ b/src/usr/local/share/protocols/hddtemp.pat 
@@ -0,0 +1,14 @@ +# hddtemp - Hard drive temperature reporting +# Pattern attributes: great veryfast fast +# Protocol groups: monitoring open_source +# Wiki: http://www.protocolinfo.org/wiki/HDDtemp +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# Usually runs on port 7634 +# +# You're a silly person if you use this pattern. +# +# This pattern has been tested and is believed to work well. + +hddtemp +^\|/dev/[a-z][a-z][a-z]\|[0-9a-z]*\|[0-9][0-9]\|[cfk]\| diff --git a/src/usr/local/share/protocols/hotline.pat b/src/usr/local/share/protocols/hotline.pat new file mode 100644 index 0000000..20ec6de --- /dev/null +++ b/src/usr/local/share/protocols/hotline.pat @@ -0,0 +1,12 @@ +# Hotline - An old P2P filesharing protocol +# Pattern attributes: marginal fast fast +# Protocol groups: p2p +# Wiki: http://www.protocolinfo.org/wiki/Hotline +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# This pattern is untested! +# +# This is lifted from http://oofle.com/filesharing.php?app=hotline + +hotline +^....................TRTPHOTL\x01\x02 diff --git a/src/usr/local/share/protocols/html.pat b/src/usr/local/share/protocols/html.pat new file mode 100644 index 0000000..d834a96 --- /dev/null +++ b/src/usr/local/share/protocols/html.pat @@ -0,0 +1,11 @@ +# (X)HTML - (Extensible) Hypertext Markup Language - http://w3.org +# Pattern attributes: good fast notsofast subset +# Protocol groups: file +# +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# This pattern has been tested and is believe to work well. + +# this should match any (X)HTML document from any version that conforms +# even vaugly to the standards. +html + diff --git a/src/usr/local/share/protocols/http-dap.pat b/src/usr/local/share/protocols/http-dap.pat new file mode 100644 index 0000000..216d8d6 --- /dev/null +++ b/src/usr/local/share/protocols/http-dap.pat 
@@ -0,0 +1,19 @@
+# HTTP by Download Accelerator Plus - http://www.speedbit.com
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: document_retrieval ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Uses HTTP to download.
+
+http-dap
+
+# DAP identifies itself in the User-Agent field of every HTTP request it
+# makes. This is pretty trivial to get around if speedbit.com ever
+# wanted to.
+
+# The latest version uses "User-Agent: DA 7.0". The additional version
+# allowance is an attempt at "future proofing".
+
+User-Agent: DA [678]\.[0-9]
+
diff --git a/src/usr/local/share/protocols/http-freshdownload.pat b/src/usr/local/share/protocols/http-freshdownload.pat
new file mode 100644
index 0000000..a342e86
--- /dev/null
+++ b/src/usr/local/share/protocols/http-freshdownload.pat
@@ -0,0 +1,17 @@
+# HTTP by Fresh Download - http://www.freshdevices.com
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: document_retrieval ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+# Uses HTTP to download.
+
+http-freshdownload
+
+# Fresh Download identifies itself in the User-Agent field of every HTTP
+# request it makes.
+
+# The latest version uses "User-Agent: FreshDownload/4.40". The
+# additional version allowance is an attempt at "future proofing".
+
+User-Agent: FreshDownload/[456](\.[0-9][0-9]?)?
+
diff --git a/src/usr/local/share/protocols/http-itunes.pat b/src/usr/local/share/protocols/http-itunes.pat
new file mode 100644
index 0000000..fd44ee4
--- /dev/null
+++ b/src/usr/local/share/protocols/http-itunes.pat
@@ -0,0 +1,14 @@
+# HTTP - iTunes (Apple's music program)
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: streaming_audio ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Port 80
+# iTunes program basically uses the HTTP protocol for its initial
+# communication.
+# Pattern contributed by Deepak Seshadri
+
+http-itunes
+http/(0\.9|1\.0|1\.1).*(user-agent: itunes)
+
diff --git a/src/usr/local/share/protocols/http-rtsp.pat b/src/usr/local/share/protocols/http-rtsp.pat
new file mode 100644
index 0000000..73ef926
--- /dev/null
+++ b/src/usr/local/share/protocols/http-rtsp.pat
@@ -0,0 +1,16 @@
+# RTSP tunneled within HTTP
+# Pattern attributes: ok notsofast fast subset
+# Protocol groups: streaming_audio streaming_video ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/RTSP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Apple's documentation on what Quicktime does:
+# http://developer.apple.com/quicktime/icefloe/dispatch028.html
+# This is what the first part of the pattern is about
+#
+# The second part is based on the example in RFC 2326. For this part to
+# work, this pattern MUST be earlier in the iptables rules chain than
+# HTTP. Otherwise, the stream will be identified as HTTP.
+
+http-rtsp
+^(get[\x09-\x0d -~]* Accept: application/x-rtsp-tunnelled|http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*a=control:rtsp://)
diff --git a/src/usr/local/share/protocols/http.pat b/src/usr/local/share/protocols/http.pat
new file mode 100644
index 0000000..5122310
--- /dev/null
+++ b/src/usr/local/share/protocols/http.pat
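Review bot: `http/(0\.9|1\.0|1\.1).*(user-agent: itunes)` uses an unbounded `.*` where every other HTTP-derived pattern in this series (httpaudio, httpcachehit, http-rtsp) limits the gap to printable header text with `[\x09-\x0d -~]*`; `.*` crosses arbitrary binary bytes and makes the engine scan the whole capture buffer on every HTTP connection that is not iTunes. For consistency and predictable matching cost the line should read `http/(0\.9|1\.0|1\.1)[\x09-\x0d -~]*(user-agent: itunes)`. The header comment could also say which direction is intended (the request carrying the User-Agent), since the pattern is not anchored.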
@@ -0,0 +1,28 @@
+# HTTP - HyperText Transfer Protocol - RFC 2616
+# Pattern attributes: great slow notsofast superset
+# Protocol groups: document_retrieval ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 80
+#
+# This pattern has been tested and is believed to work well.
+#
+# this intentionally catches the response from the server rather than
+# the request so that other protocols which use http (like kazaa) can be
+# caught based on specific http requests regardless of the ordering of
+# filters... also matches posts
+
+# Sites that serve really long cookies may break this by pushing the
+# server response too far away from the beginning of the connection. To
+# fix this, increase the kernel's data buffer length.
+
+http
+# Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF (rfc 2616)
+# As specified in rfc 2616 a status code is preceeded and followed by a
+# space.
+http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019]
+# A slightly faster version that might be good enough:
+#http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]|post [\x09-\x0d -~]* http/[01]\.[019]
+# old pattern(s):
+#(http[\x09-\x0d -~]*(200 ok|302 |304 )[\x09-\x0d -~]*(connection:|content-type:|content-length:))|^(post [\x09-\x0d -~]* http/)
diff --git a/src/usr/local/share/protocols/httpaudio.pat b/src/usr/local/share/protocols/httpaudio.pat
new file mode 100644
index 0000000..c6cdd9a
--- /dev/null
+++ b/src/usr/local/share/protocols/httpaudio.pat
@@ -0,0 +1,32 @@
+# HTTP - Audio over HyperText Transfer Protocol (RFC 2616)
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: streaming_audio document_retrieval ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 80
+#
+# Contributed by Deepak Seshadri
+#
+# This pattern has been tested and is believed to work well.
+#
+# To get or provide more information about this protocol and/or pattern:
+# http://www.protocolinfo.org/wiki/HTTP
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+#
+# If you use this, you should be aware that:
+#
+# - they match both simple downloads of audio/video and streaming content.
+#
+# - blocking based on content-type encourages server
+# writers/administrators to misreport content-type (which will just make
+# headaches for everyone, including us), so I would strongly recommend
+# shaping audio/video down to a speed that discourages use of streaming
+# players without actually blocking it.
+#
+# - obviously, since this is a subset of HTTP, you need to match it
+# earlier in your iptables rules than HTTP.
+
+httpaudio
+http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(content-type: audio)
+
diff --git a/src/usr/local/share/protocols/httpcachehit.pat b/src/usr/local/share/protocols/httpcachehit.pat
new file mode 100644
index 0000000..41cb099
--- /dev/null
+++ b/src/usr/local/share/protocols/httpcachehit.pat
@@ -0,0 +1,19 @@
+# HTTP - Proxy Cache hit for HyperText Transfer Protocol (RFC 2616)
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: document_retrieval ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 80
+#
+# Contributed by Francesco Del Degan
+#
+# This pattern has been tested and is believed to work well.
+#
+# To get or provide more information about this protocol and/or pattern:
+# http://www.protocolinfo.org/wiki/HTTP
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+httpcachehit
+http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(x-cache: hit)
+
diff --git a/src/usr/local/share/protocols/httpcachemiss.pat b/src/usr/local/share/protocols/httpcachemiss.pat
new file mode 100644
index 0000000..09ac6cd
--- /dev/null
+++ b/src/usr/local/share/protocols/httpcachemiss.pat
@@ -0,0 +1,17 @@
+# HTTP - Proxy Cache miss for HyperText Transfer Protocol (RFC 2616)
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: document_retrieval ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 80
+#
+# This pattern has been tested and is believed to work well.
+#
+# To get or provide more information about this protocol and/or pattern:
+# http://www.protocolinfo.org/wiki/HTTP
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+httpcachemiss
+http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(x-cache: miss)
+
diff --git a/src/usr/local/share/protocols/httpvideo.pat b/src/usr/local/share/protocols/httpvideo.pat
new file mode 100644
index 0000000..4a75ce0
--- /dev/null
+++ b/src/usr/local/share/protocols/httpvideo.pat
@@ -0,0 +1,32 @@
+# HTTP - Video over HyperText Transfer Protocol (RFC 2616)
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: streaming_video document_retrieval ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 80
+#
+# Contributed by Deepak Seshadri
+#
+# This pattern has been tested and is believed to work well.
+#
+# To get or provide more information about this protocol and/or pattern:
+# http://www.protocolinfo.org/wiki/HTTP
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+#
+# If you use this, you should be aware that:
+#
+# - they match both simple downloads of audio/video and streaming content.
+#
+# - blocking based on content-type encourages server
+# writers/administrators to misreport content-type (which will just make
+# headaches for everyone, including us), so I would strongly recommend
+# shaping audio/video down to a speed that discourages use of streaming
+# players without actually blocking it.
+#
+# - obviously, since this is a subset of HTTP, you need to match it
+# earlier in your iptables rules than HTTP.
+
+httpvideo
+http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(content-type: video)
+
diff --git a/src/usr/local/share/protocols/ident.pat b/src/usr/local/share/protocols/ident.pat
new file mode 100644
index 0000000..3205e5e
--- /dev/null
+++ b/src/usr/local/share/protocols/ident.pat
@@ -0,0 +1,15 @@
+# Ident - Identification Protocol - RFC 1413
+# Pattern attributes: good fast fast
+# Protocol groups: networking ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/Ident
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 113
+#
+# This pattern is believed to work.
+
+ident
+# "number , numberCRLF" possibly without the CR and/or LF.
+# ^$ is appropriate because the first packet should never have anything
+# else in it.
+^[1-9][0-9]?[0-9]?[0-9]?[0-9]?[\x09-\x0d]*,[\x09-\x0d]*[1-9][0-9]?[0-9]?[0-9]?[0-9]?(\x0d\x0a|[\x0d\x0a])?$
diff --git a/src/usr/local/share/protocols/imap.pat b/src/usr/local/share/protocols/imap.pat
new file mode 100644
index 0000000..3f989c0
--- /dev/null
+++ b/src/usr/local/share/protocols/imap.pat
@@ -0,0 +1,14 @@
+# IMAP - Internet Message Access Protocol (A common e-mail protocol)
+# Pattern attributes: great fast fast
+# Protocol groups: mail ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/IMAP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This matches IMAP4 (RFC 3501) and probably IMAP2 (RFC 1176)
+#
+# This pattern has been tested and is believed to work well.
+#
+# This matches the IMAP welcome message or a noop command (which for
+# some unknown reason can happen at the start of a connection?)
+imap
+^(\* ok|a[0-9]+ noop)
diff --git a/src/usr/local/share/protocols/imesh.pat b/src/usr/local/share/protocols/imesh.pat
new file mode 100644
index 0000000..4cb7ac7
--- /dev/null
+++ b/src/usr/local/share/protocols/imesh.pat
@@ -0,0 +1,15 @@
+# iMesh - the native protocol of iMesh, a P2P application - http://imesh.com
+# Pattern attributes: ok fast notsofast
+# Protocol groups: p2p
+# Wiki: http://protocolinfo.org/wiki/iMesh
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# depending on the version of iMesh (the program), it can also use fasttrack,
+# gnutella and edonkey in addition to iMesh (the protocol).
+
+imesh
+# The first branch matches the login
+# The second branch matches the main non-download connection (searches, etc)
+# The third branch matches downloads of "premium" content
+# The fourth branch matches peer downloads.
+^(post[\x09-\x0d -~]*................................|\x34\x80?\x0d?\xfc\xff\x04|get[\x09-\x0d -~]*Host: imsh\.download-prod\.musicnet\.com|\x02[\x01\x02]\x83.*\x02[\x01\x02]\x83)
diff --git a/src/usr/local/share/protocols/ipp.pat b/src/usr/local/share/protocols/ipp.pat
new file mode 100644
index 0000000..15540d0
--- /dev/null
+++ b/src/usr/local/share/protocols/ipp.pat
@@ -0,0 +1,12 @@
+# IP printing - a new standard for UNIX printing - RFC 2911
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: printer ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/IPP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested and is believed to work well.
+
+ipp
+# It's unlikely that anything else has this string, but I think we could
+# do a bit better...
+ipp://
diff --git a/src/usr/local/share/protocols/irc.pat b/src/usr/local/share/protocols/irc.pat
new file mode 100644
index 0000000..b922b3e
--- /dev/null
+++ b/src/usr/local/share/protocols/irc.pat
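Review bot: The first alternative of the imesh pattern, `post[\x09-\x0d -~]*................................`, accepts any HTTP POST whose request line is followed by 32 further bytes of anything, which is nearly every POST on the wire; nothing in the file says how it must be ordered relative to http.pat (whose own comment says it "also matches posts"), so a ruleset that evaluates imesh first will label ordinary form submissions as iMesh. A comment such as `# The login branch matches any sufficiently long HTTP POST; evaluate this pattern after http.pat or narrow it to iMesh-specific hosts/paths.` would make the caveat visible to whoever builds the rule order. The `Pattern attributes` line could also carry `overmatch`, as rtp.pat does for the same situation.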
@@ -0,0 +1,20 @@
+# IRC - Internet Relay Chat - RFC 1459
+# Pattern attributes: great fast fast
+# Protocol groups: chat ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/IRC
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 6666 or 6667
+# Note that chat traffic runs on these ports, but IRC-DCC traffic (which
+# can use much more bandwidth) uses a dynamically assigned port, so you
+# must have the IRC connection tracking module in your kernel to classify
+# this.
+#
+# This pattern has been tested and is believed to work well.
+
+irc
+# First thing that happens is that the client sends NICK and USER, in
+# either order. This allows MIRC color codes (\x02-\x0d instead of
+# \x09-\x0d).
+^(nick[\x09-\x0d -~]*user[\x09-\x0d -~]*:|user[\x09-\x0d -~]*:[\x02-\x0d -~]*nick[\x09-\x0d -~]*\x0d\x0a)
+
diff --git a/src/usr/local/share/protocols/jabber.pat b/src/usr/local/share/protocols/jabber.pat
new file mode 100644
index 0000000..7c32890
--- /dev/null
+++ b/src/usr/local/share/protocols/jabber.pat
@@ -0,0 +1,24 @@
+# Jabber (XMPP) - open instant messenger protocol - RFC 3920 - http://jabber.org
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: chat ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/Jabber
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested with Gaim and Gabber. It is only tested
+# with non-SSL mode Jabber with no proxies.
+
+# Thanks to Jan Hudec for some improvements.
+
+# Jabber seems to take a long time to set up a connection. I'm
+# connecting with Gabber 0.8.8 to 12jabber.org and the first 8 packets
+# is this:
+#
+#
+# No mention of my username or password yet, you'll note.
+
+jabber
+ says:
+# "This pattern identifies openFT P2P transfers fine. openFT is part of giFT
+# and is a pretty large p2p network. I would describe this pattern as pretty
+# weak, but it works for the giFT-based clients I've used."
+
+openft
+x-openftalias: [-)(0-9a-z ~.]
diff --git a/src/usr/local/share/protocols/pcanywhere.pat b/src/usr/local/share/protocols/pcanywhere.pat
new file mode 100644
index 0000000..60b50a7
--- /dev/null
+++ b/src/usr/local/share/protocols/pcanywhere.pat
@@ -0,0 +1,12 @@
+# pcAnywhere - Symantec remote access program
+# Pattern attributes: marginal veryfast fast
+# Protocol groups: remote_access proprietary
+# Wiki: http://www.protocolinfo.org/wiki/PcAnywhere
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# This is completely untested!
+# See http://www.unixwiz.net/tools/pcascan.txt
+
+pcanywhere
+# I think this only matches queries and not the bulk of the traffic!
+^(nq|st)$
diff --git a/src/usr/local/share/protocols/pdf.pat b/src/usr/local/share/protocols/pdf.pat
new file mode 100644
index 0000000..0c0e5f9
--- /dev/null
+++ b/src/usr/local/share/protocols/pdf.pat
@@ -0,0 +1,11 @@
+# PDF - Portable Document Format - Postscript-like format by Adobe
+# Pattern attributes: good fast notsofast subset
+# Protocol groups: file
+#
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+# This pattern has been tested and is believe to work well.
+
+# Matches PDF versions 1.0 - 1.6 (not sure if 1.6 exists yet, but it probably
+# will.
+pdf
+%PDF-1\.[0123456]
diff --git a/src/usr/local/share/protocols/perl.pat b/src/usr/local/share/protocols/perl.pat
new file mode 100644
index 0000000..822986b
--- /dev/null
+++ b/src/usr/local/share/protocols/perl.pat
@@ -0,0 +1,7 @@
+# Perl - A scripting language by Larry Wall.
+# Pattern attributes: good fast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+perl
+\#! ?/(usr/(local/)?)?bin/perl
diff --git a/src/usr/local/share/protocols/png.pat b/src/usr/local/share/protocols/png.pat
new file mode 100644
index 0000000..33aafda
--- /dev/null
+++ b/src/usr/local/share/protocols/png.pat
@@ -0,0 +1,13 @@
+# PNG - Portable Network Graphics, a popular image format
+# Pattern attributes: good fast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+# Contributed by Radovan Josth. Tested at least a bit.
+
+png
+# drawn from /usr/share/magic
+\x89PNG\x0d\x0a\x1a\x0a
+
+# this is probably sufficient, but by default let's use the longer version
+# \x89PNG
diff --git a/src/usr/local/share/protocols/poco.pat b/src/usr/local/share/protocols/poco.pat
new file mode 100644
index 0000000..c7ce686
--- /dev/null
+++ b/src/usr/local/share/protocols/poco.pat
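Review bot: `%PDF-1\.[0123456]` hard-codes PDF header versions up to 1.6, and the comment's doubt about whether 1.6 exists is long out of date: PDF 1.7 (ISO 32000-1) and PDF 2.0 (ISO 32000-2) are current and will not match this pattern, so newer documents silently fall through to whatever pattern follows. For a file-type match a wider version class is the safer choice, `%PDF-[12]\.[0-9]`, with the comment replaced by `# Matches the PDF header for versions 1.x and 2.x`. The same hard-coded-version habit appears in rpm.pat (`[1-7]`) but that one tracks a format field rather than a moving standard, so it can stay.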
@@ -0,0 +1,12 @@
+# POCO and PP365 - Chinese P2P filesharing - http://pp365.com http://poco.cn
+# Pattern attributes: ok veryfast fast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Poco
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# The author of this pattern says it works, but this is unconfirmed.
+# Written by www.routerclub.com wsgtrsys.
+
+poco
+^\x80\x94\x0a\x01....\x1f\x9e
+
diff --git a/src/usr/local/share/protocols/pop3.pat b/src/usr/local/share/protocols/pop3.pat
new file mode 100644
index 0000000..47a8252
--- /dev/null
+++ b/src/usr/local/share/protocols/pop3.pat
@@ -0,0 +1,50 @@
+# POP3 - Post Office Protocol version 3 (popular e-mail protocol) - RFC 1939
+# Pattern attributes: great fast fast
+# Protocol groups: mail ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/POP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested somewhat.
+
+# this is a difficult protocol to match because of the relative lack of
+# distinguishing information. Read on.
+pop3
+
+# this the most conservative pattern. It should definitely work.
+#^(\+ok|-err)
+
+# this pattern assumes that the server says _something_ after +ok or -err
+# I think this is probably the way to go.
+^(\+ok |-err )
+
+# more that 90% of servers seem to say "pop" after "+ok", but not all.
+#^(\+ok .*pop)
+
+# Here's another tack. I think this is my second favorite.
+#^(\+ok [\x09-\x0d -~]*(ready|hello|pop|starting)|-err [\x09-\x0d -~]*(invalid|unknown|unimplemented|unrecognized|command))
+
+# this matches the server saying "you have N messages that are M bytes",
+# which the client probably asks for early in the session (not tested)
+#\+ok [0-9]+ [0-9]+
+
+# some sample servers:
+# RFC example: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>
+# mail.dreamhost.com: +OK Hello there.
+# pop.carleton.edu: +OK POP3D(*) Server PMDFV6.2.2 at Fri, 12 Sep 2003 19:28:10 -0500 (CDT) (APOP disabled)
+# mail.earthlink.net: +OK NGPopper vEL_4_38 at earthlink.net ready <25509.1063412951@falcon>
+# *.email.umn.edu: +OK Cubic Circle's v1.22 1998/04/11 POP3 ready <7d1e0000da67623f@aquamarine.tc.umn.edu>
+# mail.yale.edu: +OK POP3 pantheon-po01 v2002.81 server ready
+# mail.gustavus.edu: +OK POP3 solen v2001.78 server ready
+# mail.reed.edu: +OK POP3 letra.reed.edu v2002.81 server ready
+# mail.bowdoin.edu: +OK mail.bowdoin.edu POP3 service (iPlanet Messaging Server 5.2 HotFix 1.15 (built Apr 28 2003))
+# pop.colby.edu: +OK Qpopper (version 4.0.5) at basalt starting.
+# mail.mac.com: +OK Netscape Messaging Multiplexor ready
+
+# various error strings:
+#-ERR Invalid command.
+#-ERR invalid command
+#-ERR unimplemented
+#-ERR Invalid command, try one of: USER name, PASS string, QUIT
+#-ERR Unknown AUTHORIZATION state command
+#-ERR Unrecognized command
+#-ERR Unknown command: "sadf'".
diff --git a/src/usr/local/share/protocols/postscript.pat b/src/usr/local/share/protocols/postscript.pat
new file mode 100644
index 0000000..456ac21
--- /dev/null
+++ b/src/usr/local/share/protocols/postscript.pat
@@ -0,0 +1,7 @@
+# Postscript - Printing Language
+# Pattern attributes: good fast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+postscript
+%!ps
diff --git a/src/usr/local/share/protocols/pplive.pat b/src/usr/local/share/protocols/pplive.pat
new file mode 100644
index 0000000..42fef72
--- /dev/null
+++ b/src/usr/local/share/protocols/pplive.pat
@@ -0,0 +1,11 @@
+# PPLive - Chinese P2P streaming video - http://pplive.com
+# Pattern attributes: ok notsofast notsofast
+# Protocol groups: p2p streaming_video proprietary
+# Wiki: http://www.protocolinfo.org/wiki/PPLive
+# Copyright (C) 2008 Matthew Strait; See ../LICENSE
+
+# By liangjun, who says that it works. It may be easily improvable with
+# a bit more testing.
+
+pplive
+\x01...\xd3.+\x0c.$
diff --git a/src/usr/local/share/protocols/pressplay.pat b/src/usr/local/share/protocols/pressplay.pat
new file mode 100644
index 0000000..cd814cc
--- /dev/null
+++ b/src/usr/local/share/protocols/pressplay.pat
@@ -0,0 +1,15 @@
+# pressplay - A legal music distribution site - http://pressplay.com
+# Pattern attributes: ok notsofast notsofast
+# Protocol groups: document_retrieval obsolete proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Pressplay
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern was "contributed" (taken with permission) by the bandwidth
+# arbitrator project (www.bandwidtharbitrator.com).
+#
+# This pattern is unconfirmed.
+
+pressplay
+# can we do better than this?
+user-agent: nsplayer
+
diff --git a/src/usr/local/share/protocols/qq.pat b/src/usr/local/share/protocols/qq.pat
new file mode 100644
index 0000000..08db802
--- /dev/null
+++ b/src/usr/local/share/protocols/qq.pat
@@ -0,0 +1,26 @@
+# Tencent QQ Protocol - Chinese instant messenger protocol - http://www.qq.com
+# Pattern attributes: good notsofast fast
+# Protocol groups: chat
+# Wiki: http://www.protocolinfo.org/wiki/QQ
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Over six million people use QQ in China, according to wsgtrsys.
+#
+# This pattern has been tested and is believed to work well.
+#
+# QQ uses three (two?) methods to connect to server(s?).
+# one is udp, and another is tcp
+# udp protocol: the first byte is 02 and last byte is 03
+# tcp protocol: the second byte is 02 and last byte is 03
+# tony on protocolinfo.org says that now the *third* byte is 02:
+# "but when I tested on my PC, I found that when qq2007/qq2008
+# use tcp protocol, the third byte instead of the second is always 02.
+#
+# So the QQ protocol changed again, or I have made a mistake, I wonder
+# that."
+# So now the pattern allows any of the first three bytes to be 02. Delete
+# one of the ".?" to restore to the old behaviour.
+# pattern written by www.routerclub.com wsgtrsys
+
+qq
+^.?.?\x02.+\x03$
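Review bot: `^.?.?\x02.+\x03$` is very permissive: it fires on any connection that has 0x02 in one of its first three bytes and 0x03 as the last byte of the captured data, which is plain STX/ETX framing shared by many unrelated protocols, and the unanchored `.+` means the whole buffer is scanned for every candidate. The `Pattern attributes` line still claims `good`, which sits oddly beside the comment's own account of the byte position moving between QQ versions and the widening with two `.?`. Suggest marking it `overmatch` in the attributes line, as rtp.pat does, and adding `# STX ... ETX framing is not unique to QQ; expect false positives if this is evaluated before more specific patterns.`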
diff --git a/src/usr/local/share/protocols/quake-halflife.pat b/src/usr/local/share/protocols/quake-halflife.pat
new file mode 100644
index 0000000..bc05b8f
--- /dev/null
+++ b/src/usr/local/share/protocols/quake-halflife.pat
@@ -0,0 +1,32 @@
+# Half Life 1 engine games (HL 1, Quake 2/3/World, Counterstrike 1.6, etc.)
+# Pattern attributes: good veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Half-Life http://www.protocolinfo.org/wiki/Counter-Strike http://www.protocolinfo.org/wiki/Day_of_Defeat
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Contributed by Laurens Blankers , who says:
+#
+# This pattern has been tested with QuakeWorld (2.30), Quake 2 (3.20),
+# Quake 3 (1.32), and Half-life (1.1.1.0). But may also work on other
+# games based on the Quake engine.
+#
+# Clayton Macleod says:
+# [This should match] Counter-Strike v1.6, [...] the slightly updated
+# Counter-Strike: Condition Zero, and the game Day Of Defeat, Team
+# Fortress Classic, Deathmatch Classic, Ricochet, Half-Life [1] Deathmatch,
+# and I imagine all the other 3rd party mods that also use this engine
+# will match that pattern.
+#
+# Gavin Pryke says:
+# Added "getstatus". Quake3 games were not being matched here until it was
+# added.
+
+quake-halflife
+# All quake (like) protocols start with 4x 0xFF. Then the client either
+# issues getinfo, getchallenge or getstatus.
+^\xff\xff\xff\xffget(info|challenge|status)
+
+# A previous quake pattern allowed the connection to start with only 2 bytes
+# of 0xFF. This doesn't seem to ever happen, but we should keep an eye out
+# for it.
+
diff --git a/src/usr/local/share/protocols/quake1.pat b/src/usr/local/share/protocols/quake1.pat
new file mode 100644
index 0000000..46bdebd
--- /dev/null
+++ b/src/usr/local/share/protocols/quake1.pat
@@ -0,0 +1,19 @@
+# Quake 1 - A popular computer game.
+# Pattern attributes: marginal veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Quake
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern is untested and unconfirmed.
+
+# Info taken from http://www.gamers.org/dEngine/quake/QDP/qnp.html,
+# which says that it "is incomplete, inaccurate and only applies to
+# versions 0.91, 0.92, 1.00 and 1.01 of QUAKE"
+
+quake1
+# Connection request: 80 00 00 0c 01 51 55 41 4b 45 00 03
+# \x80 = control packet.
+# \x0c = packet length
+# \x01 = CCREQ_CONNECT
+# \x03 = protocol version (3 == 0.91, 0.92, 1.00, 1.01)
+^\x80\x0c\x01quake\x03
diff --git a/src/usr/local/share/protocols/quicktime.pat b/src/usr/local/share/protocols/quicktime.pat
new file mode 100644
index 0000000..5a6273d
--- /dev/null
+++ b/src/usr/local/share/protocols/quicktime.pat
@@ -0,0 +1,21 @@
+# Quicktime HTTP
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: streaming_video streaming_audio ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested and is believed to work well.
+# (Quick Time v6.5.1 downloading from www.apple.com/trailers)
+#
+# To get or provide more information about this protocol and/or pattern:
+# http://www.protocolinfo.org/wiki/HTTP
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+#
+# Since this is a subset of HTTP, it should be put earlier in the packet
+# filtering chain than HTTP. Also, please don't use this to block Quicktime.
+# If you must do that, you should use a filtering HTTP proxy, which is probably
+# more accurate.
+
+quicktime
+user-agent: quicktime \(qtver=[0-9].[0-9].[0-9];os=[\x09-\x0d -~]+\)\x0d\x0a
+
diff --git a/src/usr/local/share/protocols/radmin.pat b/src/usr/local/share/protocols/radmin.pat
new file mode 100644
index 0000000..d13aa65
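Review bot: In the quicktime pattern the version separators in `qtver=[0-9].[0-9].[0-9]` are unescaped dots and so match any byte, unlike the `\.` used for the same purpose in http.pat, http-dap.pat and http-freshdownload.pat; the comment makes clear a literal version string is intended. The line should read `user-agent: quicktime \(qtver=[0-9]\.[0-9]\.[0-9];os=[\x09-\x0d -~]+\)\x0d\x0a`. Detection is barely affected either way, but the inconsistency is the kind a maintainer copies into the next pattern.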
--- /dev/null
+++ b/src/usr/local/share/protocols/radmin.pat
@@ -0,0 +1,17 @@
+# Famatech Remote Administrator - remote desktop for MS Windows
+# Pattern attributes: ok veryfast fast
+# Protocol groups: remote_access proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Radmin
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been verified with Radmin v1.1 and v3.0beta on Win2000/XP
+# It has only been tested between a single pair of computers.
+
+# The first packet of every TCP stream appears to be either one of:
+#
+# 01 00 00 00 01 00 00 00 08 08
+# 01 00 00 00 01 00 00 00 1b 1b
+
+radmin
+^\x01\x01(\x08\x08|\x1b\x1b)$
+
diff --git a/src/usr/local/share/protocols/rar.pat b/src/usr/local/share/protocols/rar.pat
new file mode 100644
index 0000000..1332af1
--- /dev/null
+++ b/src/usr/local/share/protocols/rar.pat
@@ -0,0 +1,7 @@
+# RAR - The WinRAR archive format
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+rar
+rar\x21\x1a\x07
diff --git a/src/usr/local/share/protocols/rdp.pat b/src/usr/local/share/protocols/rdp.pat
new file mode 100644
index 0000000..44b853f
--- /dev/null
+++ b/src/usr/local/share/protocols/rdp.pat
@@ -0,0 +1,20 @@
+# RDP - Remote Desktop Protocol (used in Windows Terminal Services)
+# Pattern attributes: ok notsofast notsofast
+# Protocol groups: remote_access proprietary
+# Wiki: http://www.protocolinfo.org/wiki/RDP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern was submitted by Michael Leong. It has been tested under the
+# following conditions: "WinXP Pro with all the patches, rdesktop server
+# running on port 7000 instead of 3389 --> WinXP Pro Remote Desktop Client."
+# Also tested is WinXP to Win 2000 Server.
+
+# At least one other person has reported it to work as well.
+
+rdp
+rdpdr.*cliprdr.*rdpsnd
+
+# Old pattern, submitted by Daniel Weatherford.
+# rdpdr.*cliprdp.*rdpsnd
+
+
diff --git a/src/usr/local/share/protocols/replaytv-ivs.pat b/src/usr/local/share/protocols/replaytv-ivs.pat
new file mode 100644
index 0000000..aaf9255
--- /dev/null
+++ b/src/usr/local/share/protocols/replaytv-ivs.pat
@@ -0,0 +1,11 @@
+# ReplayTV Internet Video Sharing - Digital Video Recorder - http://replaytv.com
+# Pattern attributes: good fast fast
+# Protocol groups:
+# Wiki: http://www.protocolinfo.org/wiki/ReplayTV
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Pattern by jm 409 at hot mail dot com, who says that this one "worked best".
+
+replaytv-ivs
+^(get /ivs-IVSGetFileChunk|http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*\x23\x23\x23\x23\x23REPLAY_CHUNK_START\x23\x23\x23\x23\x23)
+
diff --git a/src/usr/local/share/protocols/rlogin.pat b/src/usr/local/share/protocols/rlogin.pat
new file mode 100644
index 0000000..42c4f7e
--- /dev/null
+++ b/src/usr/local/share/protocols/rlogin.pat
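Review bot: `rdpdr.*cliprdr.*rdpsnd` relies on the virtual-channel names being readable in the cleartext MCS connect; that is only true for legacy "standard RDP security". When the client negotiates TLS or CredSSP/NLA, which modern Windows does by default, the channel list is sent inside the encrypted handshake and this pattern never fires, so an absence of `rdp` matches must not be read as an absence of RDP. That limitation belongs in the file, e.g. `# Only matches legacy RDP security; sessions negotiating TLS/NLA are encrypted before the channel names appear.` The two unbounded `.*` are the same as in the old pattern below and are pre-existing, so I would not block on them.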
@@ -0,0 +1,19 @@
+# rlogin - remote login - RFC 1282
+# Pattern attributes: ok fast fast
+# Protocol groups: remote_access ietf_rfc_documented
+# Wiki: http://www.protocolinfo.org/wiki/Rlogin
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# usually runs on port 443
+#
+# This pattern is untested.
+
+rlogin
+# At least three characters (user name, user name, terminal type),
+# the first of which could be the first character of a user name, a
+# slash, then a terminal speed. (Assumes that usernames and terminal
+# types are alphanumeric only. I'm sure there are usernames like
+# "straitm-47" out there, but it's not common.) All terminal speeds
+# I know of end in two zeros and are between 3 and 6 digits long.
+# This pattern is uncomfortably general.
+^[a-z][a-z0-9][a-z0-9]+/[1-9][0-9]?[0-9]?[0-9]?00
diff --git a/src/usr/local/share/protocols/rpm.pat b/src/usr/local/share/protocols/rpm.pat
new file mode 100644
index 0000000..0302839
--- /dev/null
+++ b/src/usr/local/share/protocols/rpm.pat
@@ -0,0 +1,7 @@
+# RPM - Redhat Package Management packages
+# Pattern attributes: good fast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+rpm
+\xed\xab\xee\xdb.?.?.?.?[1-7]
diff --git a/src/usr/local/share/protocols/rtf.pat b/src/usr/local/share/protocols/rtf.pat
new file mode 100644
index 0000000..676cb1a
--- /dev/null
+++ b/src/usr/local/share/protocols/rtf.pat
@@ -0,0 +1,8 @@
+# RTF - Rich Text Format - an open document format
+# Pattern attributes: good fast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+rtf
+\{\\rtf[12]
+
diff --git a/src/usr/local/share/protocols/rtmp.pat b/src/usr/local/share/protocols/rtmp.pat
new file mode 100644
index 0000000..2c7adad
--- /dev/null
+++ b/src/usr/local/share/protocols/rtmp.pat
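Review bot: The comment `# usually runs on port 443` in rlogin.pat is wrong: rlogin is assigned TCP port 513 (RFC 1282, IANA), and 443 is HTTPS. Anyone cross-checking this pattern against a port-based rule would pair a regex that only matches cleartext `user/speed` prefixes with TLS traffic it can never match, and the author already calls the pattern "uncomfortably general", so the port hint is the one piece of context operators will lean on. Change the line to `# usually runs on TCP port 513`.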
@@ -0,0 +1,13 @@
+# Adobe Real Time Messaging Protocol(RTMP). By Jonathan A.P. Marpaung
+# Pattern attributes: works very fast
+# Protocol Groups: streaming_video streaming_audio
+# The RTMP Specification is availabe at
+# http://www.adobe.com/devnet/rtmp/pdf/rtmp_specification_1.0.pdf [^]
+#
+# First 12 bytes, starting at \x03 are the RTMP header. Next 25 bytes,
+# starting at \x02, are part of the RTMP body which is an AMF Object.
+# The first string "connect" is a command of the NetConnection class object.
+# The next string "app" is a Command Object which is followed by values
+# such as "video", .
+rtmp
+^\x03.+\x14.+\x02.+\x07.(connect)?.+(app)?
diff --git a/src/usr/local/share/protocols/rtp.pat b/src/usr/local/share/protocols/rtp.pat
new file mode 100644
index 0000000..61fcd8e
--- /dev/null
+++ b/src/usr/local/share/protocols/rtp.pat
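Review bot: In `^\x03.+\x14.+\x02.+\x07.(connect)?.+(app)?` the two optional groups never constrain the match: a group that may match the empty string adds nothing, so the pattern is equivalent to `^\x03.+\x14.+\x02.+\x07..+` and fires on any stream starting with \x03 that later contains \x14, \x02 and \x07 in that order. The comment says "connect" and "app" are the AMF strings that identify the command, so they should be mandatory, something like `^\x03.+\x14.+\x02.+\x07.?connect.+app`, with the exact offsets confirmed against a capture. The attribute line `works very fast` also does not use the quality/speed vocabulary (ok/good/great, fast/notsofast/...) the other files follow, and `availabe` should be `available`.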
@@ -0,0 +1,33 @@
+# RTP - Real-time Transport Protocol - RFC 3550
+# Pattern attributes: ok overmatch undermatch fast fast
+# Protocol groups: streaming_video ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/RTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# RTP headers are *very* short and compact. They have almost nothing in
+# them that can be matched by l7-filter. As RTP connections take place
+# between even numbered ports, you should probably check for that before
+# applying this pattern. If you want to match them along with their
+# associated SIP packets, you might try setting up some iptables rules
+# that watch for SIP packets and then also match any other UDP packets
+# that are going between the same two IP addresses.
+#
+# I think we can count on the first bit being 1 and the second bit being
+# 0 (meaning protocol version 2). The next two bits could go either way,
+# but in the example I've seen, they are zero, so I'll assume they are
+# usually zero. The next four bits are a count of "contributing source
+# identifiers". I'm not sure how big that could be, but in the example
+# I've seen, they're zero, so I'll assume they're usually zero. So that
+# gives us ^\x80. The next bit is a tossup. Next is the payload type, 7
+# bits. I've taken likely values from the WireShark code: 0-34, 96-127
+# (decimal). The rest of the header is random numbers (sequence number,
+# timestamp, synchronization source identifier), so that's no help at
+# all.
+
+rtp
+^\x80[\x01-"`-\x7f\x80-\xa2\xe0-\xff]?..........*\x80
+
+# Might also try this. It's a bit slower (one packet and not too much extra
+# regexec load) and a bit more accurate:
+#^\x80[\x01-"`-\x7f\x80-\xa2\xe0-\xff]?..........*\x80.*\x80
+
diff --git a/src/usr/local/share/protocols/rtsp.pat b/src/usr/local/share/protocols/rtsp.pat
new file mode 100644
index 0000000..1013ae3
--- /dev/null
+++ b/src/usr/local/share/protocols/rtsp.pat
@@ -0,0 +1,15 @@
+# RTSP - Real Time Streaming Protocol - http://www.rtsp.org - RFC 2326
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: streaming_video ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/RTSP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# usually runs on port 554
+#
+# To take full advantage of this pattern, please see the RTSP connection
+# tracking patch to the Linux kernel referenced at the above site.
+#
+# This pattern has been tested and is believed to work well.
+
+rtsp
+rtsp/1.0 200 ok
diff --git a/src/usr/local/share/protocols/runesofmagic.pat b/src/usr/local/share/protocols/runesofmagic.pat
new file mode 100644
index 0000000..6fbfea4
--- /dev/null
+++ b/src/usr/local/share/protocols/runesofmagic.pat
@@ -0,0 +1,63 @@
+# Runes of Magic - game - http://www.runesofmagic.com
+# Pattern attributes: ok veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Runes_of_Magic
+# Copyright (C) 2008 Matthew Strait; See ../LICENSE
+
+runesofmagic
+^\x10\x03...........\x0a\x02.....\x0e
+# See below (this is also veryfast fast)
+#^\x10\x03...........?\x0a\x02.....?$
+
+# Greatwolf captured the following:
+#
+# Server:
+#
+# 10 00 00 00 03 78 76 7a 1e 8a dd b5 95 a3 3a de .....xvz ......:.
+# 0a 00 00 00 02 df 85 cc cc cc ........ ..
+#
+# Client reply:
+#
+# 0e 00 00 00 02 28 82 cc cc cc 8b c9 cc cc .....(.. ......
+#
+# Server:
+#
+# 2e 00 00 00 02 1e 7f f4 f4 f4 ef f4 f4 f4 b3 8c ........ ........
+# [...]
+#
+# And says: "Bytes 10 00 00 00 03, 0a 00 00 00 02 and 0e (client reply)
+# were consistently present.
+#
+# ^\x10\x03...........\x0a\x02.....\x0e
+#
+# Pattern was able to match during the closed beta period. It is still
+# matching okay after RoM started open beta but could definitely use
+# more testing from others to verify effectiveness."
+#
+# Matthew Strait says:
+#
+# * If the server consistently sends those four bytes in the first packet,
+# it is probably wasteful to wait for the next (client) packet before
+# matching.
+#
+# * If we switch the match strategy to just looking at the first packet, and
+# the first packet is always the same (or nearly the same) length, we can
+# anchor (i.e. use a '$') at the end of the packet.
+#
+# * When there's a string of bytes that I don't understand and that take
+# different values from connection to connection, I think it's good to allow
+# for the possibility that at least one might be \x00, and so I'd make one
+# of the "." into ".?", unless you *know* that \x00 is impossible somehow.
+#
+# * All of those \xcc bytes don't look random to me.
Your comments suggest
+# that it isn't always exactly like that, but is there always pattern of
+# repeated bytes or something else that might be useful? It probably isn't
+# necessary to exploit this, since it looks like there's already enough to
+# go with, but it would be nice to understand.
+#
+# So perhaps it would be an improvement to use:
+#
+# ^\x10\x03...........?\x0a\x02.....?$
+#
+# but this depends on the assumptions I made above.
+
diff --git a/src/usr/local/share/protocols/shoutcast.pat b/src/usr/local/share/protocols/shoutcast.pat
new file mode 100644
index 0000000..e78883c
--- /dev/null
+++ b/src/usr/local/share/protocols/shoutcast.pat
@@ -0,0 +1,27 @@
+# Shoutcast and Icecast - streaming audio
+# Pattern attributes: good slow notsofast
+# Protocol groups: streaming_audio
+# Wiki: http://www.protocolinfo.org/wiki/Icecast
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# usually runs on port 80
+#
+# Original pattern contributed by Deepak Seshadri who says "The difference between [Shoutcast and
+# Icecast] is not clearly mentioned anywhere. According to this
+# document, my pattern would filter JUST shoutcast packets."
+#
+# Should now match both Shoutcast and Icecast. Tested with Winamp (in
+# 2005) and Totem using streams at dir.xiph.org (in Nov 2007).
+#
+# http://sander.vanzoest.com/talks/2002/audio_and_apache/
+# http://forums.radiotoolbox.com/viewtopic.php?t=74
+# http://www.icecast.org
+
+shoutcast
+# The first branch looks for an HTTP request that looks like it is asking for
+# a SHOUTcast stream. The second branch looks for the server's reply. However,
+# some (newer?) servers answer with "http/1.0 200 OK", not "ICY 200 OK", so
+# this will not work.
+# This pattern was discovered using Ethereal.
+^get /.*icy-metadata:1|icy [1-5][0-9][0-9] [\x09-\x0d -~]*(content-type:audio|icy-)
diff --git a/src/usr/local/share/protocols/sip.pat b/src/usr/local/share/protocols/sip.pat
new file mode 100644
index 0000000..2728009
--- /dev/null
+++ b/src/usr/local/share/protocols/sip.pat
@@ -0,0 +1,20 @@
+# SIP - Session Initiation Protocol - Internet telephony - RFC 3261, 3265, etc.
+# Pattern attributes: good fast fast
+# Protocol groups: voip ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/SIP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested with the Ubiquity SIP user agent and has been
+# confirmed by at least one other user.
+#
+# Thanks to Ankit Desai for this pattern. Updated by tehseen sagar.
+#
+# SIP typically uses port 5060.
+#
+# This pattern is based on SIP request format as per RFC 3261. I'm not
+# sure about the version part. The RFC doesn't say anything about it, so
+# I have allowed version ranging from 0.x to 2.x.
+
+#Request-Line = Method SP Request-URI SP SIP-Version CRLF
+sip
+^(invite|register|cancel|message|subscribe|notify) sip[\x09-\x0d -~]*sip/[0-2]\.[0-9]
diff --git a/src/usr/local/share/protocols/skypeout.pat b/src/usr/local/share/protocols/skypeout.pat
new file mode 100644
index 0000000..55e4e10
--- /dev/null
+++ b/src/usr/local/share/protocols/skypeout.pat
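Review bot: The sip alternation lists six request methods but leaves out OPTIONS, ACK and BYE, which RFC 3261 (cited in the header) defines alongside INVITE, CANCEL and REGISTER, so a flow whose first message is an OPTIONS ping, a common keepalive and capability probe, or a BYE is never classified. Extending the group, `^(invite|register|cancel|message|subscribe|notify|options|ack|bye) sip[\x09-\x0d -~]*sip/[0-2]\.[0-9]`, stays within the stated "request format as per RFC 3261" design. It is also worth a comment that `sip` followed by `[\x09-\x0d -~]*` already admits `sips:` URIs, since a reader may otherwise assume only plain `sip:` is covered.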
@@ -0,0 +1,50 @@
+# Skype to phone - UDP voice call (program to POTS phone) - http://skype.com
+# Pattern attributes: ok slow notsofast overmatch
+# Protocol groups: voip p2p proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Skype
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# Thanks to Myles Uyema, mylesuyema AT gmail.com
+
+# Taken using Ethereal traces of Windows Skype v1.2.037, same in v1.2.0.18_API
+#
+# Skype will attempt to use the same UDP port for all its connections as
+# configured in its options. However, this is a random port by default.
+# Skype has some preference for ports 80 and 443.
+#
+# Example sessions:
+#
+#SkypeOut
+#c6 5c bf 41 8e 8d d6 d2 08 <-- this is sometimes as short as 1 byte and
+#c6 5c bf 41 8e 8d d6 d2 08 <-- sometimes as long as 9 (or more?)
+#00 6b 2c f5 87 f1 06
+#00 6b 2c f5 87 f1 06
+#00 6b 2c f5 36 ea 85
+#00 6b 2c f5 36 ea 85
+#00 6b 2c f5 57 27 d4
+#00 6b 2c f5 57 27 d4
+#00 6b 2c f5 43 5b 00
+#00 6b 2c f5 43 5b 00
+#
+#SkypeOut
+#7e 4f e5 b8
+#7e 4f e5 b8
+#00 6b 88 61 80 52 93
+#00 6b 88 61 80 52 93
+#00 6b 88 61 1a 09 e9
+#00 6b 88 61 1a 09 e9
+#00 6b 88 61 47 43 c4
+#00 6b 88 61 47 43 c4
+
+skypeout
+
+# Scary. Our regular expressions suck. This is a prime candidate for
+# some sort of a scheme to support two different regular expressions
+# when there's a major difference between what the two libraries allow.
+# For the Henry Spencer library, there's not much that can be done
+# except requiring that we see the same byte twice.
+
+# This matches about %4 of random streams and 13% of printable random streams
+
+# This is slow, but not as bad as you might think.
+^(\x01.?.?.?.?.?.?.?.?\x01|\x02.?.?.?.?.?.?.?.?\x02|\x03.?.?.?.?.?.?.?.?\x03|\x04.?.?.?.?.?.?.?.?\x04|\x05.?.?.?.?.?.?.?.?\x05|\x06.?.?.?.?.?.?.?.?\x06|\x07.?.?.?.?.?.?.?.?\x07|\x08.?.?.?.?.?.?.?.?\x08|\x09.?.?.?.?.?.?.?.?\x09|\x0a.?.?.?.?.?.?.?.?\x0a|\x0b.?.?.?.?.?.?.?.?\x0b|\x0c.?.?.?.?.?.?.?.?\x0c|\x0d.?.?.?.?.?.?.?.?\x0d|\x0e.?.?.?.?.?.?.?.?\x0e|\x0f.?.?.?.?.?.?.?.?\x0f|\x10.?.?.?.?.?.?.?.?\x10|\x11.?.?.?.?.?.?.?.?\x11|\x12.?.?.?.?.?.?.?.?\x12|\x13.?.?.?.?.?.?.?.?\x13|\x14.?.?.?.?.?.?.?.?\x14|\x15.?.?.?.?.?.?.?.?\x15|\x16.?.?.?.?.?.?.?.?\x16|\x17.?.?.?.?.?.?.?.?\x17|\x18.?.?.?.?.?.?.?.?\x18|\x19.?.?.?.?.?.?.?.?\x19|\x1a.?.?.?.?.?.?.?.?\x1a|\x1b.?.?.?.?.?.?.?.?\x1b|\x1c.?.?.?.?.?.?.?.?\x1c|\x1d.?.?.?.?.?.?.?.?\x1d|\x1e.?.?.?.?.?.?.?.?\x1e|\x1f.?.?.?.?.?.?.?.?\x1f|\x20.?.?.?.?.?.?.?.?\x20|\x21.?.?.?.?.?.?.?.?\x21|\x22.?.?.?.?.?.?.?.?\x22|\x23.?.?.?.?.?.?.?.?\x23|\$.?.?.?.?.?.?.?.?\$|\x25.?.?.?.?.?.?.?.?\x25|\x26.?.?.?.?.?.?.?.?\x26|\x27.?.?.?.?.?.?.?.?\x27|\(.?.?.?.?.?.?.?.?\(|\).?.?.?.?.?.?.?.?\)|\*.?.?.?.?.?.?.?.?\*|\+.?.?.?.?.?.?.?.?\+|\x2c.?.?.?.?.?.?.?.?\x2c|\x2d.?.?.?.?.?.?.?.?\x2d|\..?.?.?.?.?.?.?.?\.|\x2f.?.?.?.?.?.?.?.?\x2f|\x30.?.?.?.?.?.?.?.?\x30|\x31.?.?.?.?.?.?.?.?\x31|\x32.?.?.?.?.?.?.?.?\x32|\x33.?.?.?.?.?.?.?.?\x33|\x34.?.?.?.?.?.?.?.?\x34|\x35.?.?.?.?.?.?.?.?\x35|\x36.?.?.?.?.?.?.?.?\x36|\x37.?.?.?.?.?.?.?.?\x37|\x38.?.?.?.?.?.?.?.?\x38|\x39.?.?.?.?.?.?.?.?\x39|\x3a.?.?.?.?.?.?.?.?\x3a|\x3b.?.?.?.?.?.?.?.?\x3b|\x3c.?.?.?.?.?.?.?.?\x3c|\x3d.?.?.?.?.?.?.?.?\x3d|\x3e.?.?.?.?.?.?.?.?\x3e|\?.?.?.?.?.?.?.?.?\?|\x40.?.?.?.?.?.?.?.?\x40|\x41.?.?.?.?.?.?.?.?\x41|\x42.?.?.?.?.?.?.?.?\x42|\x43.?.?.?.?.?.?.?.?\x43|\x44.?.?.?.?.?.?.?.?\x44|\x45.?.?.?.?.?.?.?.?\x45|\x46.?.?.?.?.?.?.?.?\x46|\x47.?.?.?.?.?.?.?.?\x47|\x48.?.?.?.?.?.?.?.?\x48|\x49.?.?.?.?.?.?.?.?\x49|\x4a.?.?.?.?.?.?.?.?\x4a|\x4b.?.?.?.?.?.?.?.?\x4b|\x4c.?.?.?.?.?.?.?.?\x4c|\x4d.?.?.?.?.?.?.?.?\x4d|\x4e.?.?.?.?.?.?.?.?\x4e|\x4f.?.?.?.?.?.?.?.?\x4f|\x50.?.?.?.?.?.?.?.?\x50|\x51.?.?.?.?.?.?.?.?\x51|
\x52.?.?.?.?.?.?.?.?\x52|\x53.?.?.?.?.?.?.?.?\x53|\x54.?.?.?.?.?.?.?.?\x54|\x55.?.?.?.?.?.?.?.?\x55|\x56.?.?.?.?.?.?.?.?\x56|\x57.?.?.?.?.?.?.?.?\x57|\x58.?.?.?.?.?.?.?.?\x58|\x59.?.?.?.?.?.?.?.?\x59|\x5a.?.?.?.?.?.?.?.?\x5a|\[.?.?.?.?.?.?.?.?\[|\\.?.?.?.?.?.?.?.?\\|\].?.?.?.?.?.?.?.?\]|\^.?.?.?.?.?.?.?.?\^|\x5f.?.?.?.?.?.?.?.?\x5f|\x60.?.?.?.?.?.?.?.?\x60|\x61.?.?.?.?.?.?.?.?\x61|\x62.?.?.?.?.?.?.?.?\x62|\x63.?.?.?.?.?.?.?.?\x63|\x64.?.?.?.?.?.?.?.?\x64|\x65.?.?.?.?.?.?.?.?\x65|\x66.?.?.?.?.?.?.?.?\x66|\x67.?.?.?.?.?.?.?.?\x67|\x68.?.?.?.?.?.?.?.?\x68|\x69.?.?.?.?.?.?.?.?\x69|\x6a.?.?.?.?.?.?.?.?\x6a|\x6b.?.?.?.?.?.?.?.?\x6b|\x6c.?.?.?.?.?.?.?.?\x6c|\x6d.?.?.?.?.?.?.?.?\x6d|\x6e.?.?.?.?.?.?.?.?\x6e|\x6f.?.?.?.?.?.?.?.?\x6f|\x70.?.?.?.?.?.?.?.?\x70|\x71.?.?.?.?.?.?.?.?\x71|\x72.?.?.?.?.?.?.?.?\x72|\x73.?.?.?.?.?.?.?.?\x73|\x74.?.?.?.?.?.?.?.?\x74|\x75.?.?.?.?.?.?.?.?\x75|\x76.?.?.?.?.?.?.?.?\x76|\x77.?.?.?.?.?.?.?.?\x77|\x78.?.?.?.?.?.?.?.?\x78|\x79.?.?.?.?.?.?.?.?\x79|\x7a.?.?.?.?.?.?.?.?\x7a|\{.?.?.?.?.?.?.?.?\{|\|.?.?.?.?.?.?.?.?\||\}.?.?.?.?.?.?.?.?\}|\x7e.?.?.?.?.?.?.?.?\x7e|\x7f.?.?.?.?.?.?.?.?\x7f|\x80.?.?.?.?.?.?.?.?\x80|\x81.?.?.?.?.?.?.?.?\x81|\x82.?.?.?.?.?.?.?.?\x82|\x83.?.?.?.?.?.?.?.?\x83|\x84.?.?.?.?.?.?.?.?\x84|\x85.?.?.?.?.?.?.?.?\x85|\x86.?.?.?.?.?.?.?.?\x86|\x87.?.?.?.?.?.?.?.?\x87|\x88.?.?.?.?.?.?.?.?\x88|\x89.?.?.?.?.?.?.?.?\x89|\x8a.?.?.?.?.?.?.?.?\x8a|\x8b.?.?.?.?.?.?.?.?\x8b|\x8c.?.?.?.?.?.?.?.?\x8c|\x8d.?.?.?.?.?.?.?.?\x8d|\x8e.?.?.?.?.?.?.?.?\x8e|\x8f.?.?.?.?.?.?.?.?\x8f|\x90.?.?.?.?.?.?.?.?\x90|\x91.?.?.?.?.?.?.?.?\x91|\x92.?.?.?.?.?.?.?.?\x92|\x93.?.?.?.?.?.?.?.?\x93|\x94.?.?.?.?.?.?.?.?\x94|\x95.?.?.?.?.?.?.?.?\x95|\x96.?.?.?.?.?.?.?.?\x96|\x97.?.?.?.?.?.?.?.?\x97|\x98.?.?.?.?.?.?.?.?\x98|\x99.?.?.?.?.?.?.?.?\x99|\x9a.?.?.?.?.?.?.?.?\x9a|\x9b.?.?.?.?.?.?.?.?\x9b|\x9c.?.?.?.?.?.?.?.?\x9c|\x9d.?.?.?.?.?.?.?.?\x9d|\x9e.?.?.?.?.?.?.?.?\x9e|\x9f.?.?.?.?.?.?.?.?\x9f|\xa0.?.?.?.?.?.?.?.?\xa0|\xa1.?.?.?.?.?.?.?.?\xa1|\xa2.?.?.?.?.?.?.?.?\xa2|\xa
3.?.?.?.?.?.?.?.?\xa3|\xa4.?.?.?.?.?.?.?.?\xa4|\xa5.?.?.?.?.?.?.?.?\xa5|\xa6.?.?.?.?.?.?.?.?\xa6|\xa7.?.?.?.?.?.?.?.?\xa7|\xa8.?.?.?.?.?.?.?.?\xa8|\xa9.?.?.?.?.?.?.?.?\xa9|\xaa.?.?.?.?.?.?.?.?\xaa|\xab.?.?.?.?.?.?.?.?\xab|\xac.?.?.?.?.?.?.?.?\xac|\xad.?.?.?.?.?.?.?.?\xad|\xae.?.?.?.?.?.?.?.?\xae|\xaf.?.?.?.?.?.?.?.?\xaf|\xb0.?.?.?.?.?.?.?.?\xb0|\xb1.?.?.?.?.?.?.?.?\xb1|\xb2.?.?.?.?.?.?.?.?\xb2|\xb3.?.?.?.?.?.?.?.?\xb3|\xb4.?.?.?.?.?.?.?.?\xb4|\xb5.?.?.?.?.?.?.?.?\xb5|\xb6.?.?.?.?.?.?.?.?\xb6|\xb7.?.?.?.?.?.?.?.?\xb7|\xb8.?.?.?.?.?.?.?.?\xb8|\xb9.?.?.?.?.?.?.?.?\xb9|\xba.?.?.?.?.?.?.?.?\xba|\xbb.?.?.?.?.?.?.?.?\xbb|\xbc.?.?.?.?.?.?.?.?\xbc|\xbd.?.?.?.?.?.?.?.?\xbd|\xbe.?.?.?.?.?.?.?.?\xbe|\xbf.?.?.?.?.?.?.?.?\xbf|\xc0.?.?.?.?.?.?.?.?\xc0|\xc1.?.?.?.?.?.?.?.?\xc1|\xc2.?.?.?.?.?.?.?.?\xc2|\xc3.?.?.?.?.?.?.?.?\xc3|\xc4.?.?.?.?.?.?.?.?\xc4|\xc5.?.?.?.?.?.?.?.?\xc5|\xc6.?.?.?.?.?.?.?.?\xc6|\xc7.?.?.?.?.?.?.?.?\xc7|\xc8.?.?.?.?.?.?.?.?\xc8|\xc9.?.?.?.?.?.?.?.?\xc9|\xca.?.?.?.?.?.?.?.?\xca|\xcb.?.?.?.?.?.?.?.?\xcb|\xcc.?.?.?.?.?.?.?.?\xcc|\xcd.?.?.?.?.?.?.?.?\xcd|\xce.?.?.?.?.?.?.?.?\xce|\xcf.?.?.?.?.?.?.?.?\xcf|\xd0.?.?.?.?.?.?.?.?\xd0|\xd1.?.?.?.?.?.?.?.?\xd1|\xd2.?.?.?.?.?.?.?.?\xd2|\xd3.?.?.?.?.?.?.?.?\xd3|\xd4.?.?.?.?.?.?.?.?\xd4|\xd5.?.?.?.?.?.?.?.?\xd5|\xd6.?.?.?.?.?.?.?.?\xd6|\xd7.?.?.?.?.?.?.?.?\xd7|\xd8.?.?.?.?.?.?.?.?\xd8|\xd9.?.?.?.?.?.?.?.?\xd9|\xda.?.?.?.?.?.?.?.?\xda|\xdb.?.?.?.?.?.?.?.?\xdb|\xdc.?.?.?.?.?.?.?.?\xdc|\xdd.?.?.?.?.?.?.?.?\xdd|\xde.?.?.?.?.?.?.?.?\xde|\xdf.?.?.?.?.?.?.?.?\xdf|\xe0.?.?.?.?.?.?.?.?\xe0|\xe1.?.?.?.?.?.?.?.?\xe1|\xe2.?.?.?.?.?.?.?.?\xe2|\xe3.?.?.?.?.?.?.?.?\xe3|\xe4.?.?.?.?.?.?.?.?\xe4|\xe5.?.?.?.?.?.?.?.?\xe5|\xe6.?.?.?.?.?.?.?.?\xe6|\xe7.?.?.?.?.?.?.?.?\xe7|\xe8.?.?.?.?.?.?.?.?\xe8|\xe9.?.?.?.?.?.?.?.?\xe9|\xea.?.?.?.?.?.?.?.?\xea|\xeb.?.?.?.?.?.?.?.?\xeb|\xec.?.?.?.?.?.?.?.?\xec|\xed.?.?.?.?.?.?.?.?\xed|\xee.?.?.?.?.?.?.?.?\xee|\xef.?.?.?.?.?.?.?.?\xef|\xf0.?.?.?.?.?.?.?.?\xf0|\xf1.?.?.?.?.?.?.?.?\xf1|\xf2.?.?.?.?.?.?.?.?\xf2|\xf
3.?.?.?.?.?.?.?.?\xf3|\xf4.?.?.?.?.?.?.?.?\xf4|\xf5.?.?.?.?.?.?.?.?\xf5|\xf6.?.?.?.?.?.?.?.?\xf6|\xf7.?.?.?.?.?.?.?.?\xf7|\xf8.?.?.?.?.?.?.?.?\xf8|\xf9.?.?.?.?.?.?.?.?\xf9|\xfa.?.?.?.?.?.?.?.?\xfa|\xfb.?.?.?.?.?.?.?.?\xfb|\xfc.?.?.?.?.?.?.?.?\xfc|\xfd.?.?.?.?.?.?.?.?\xfd|\xfe.?.?.?.?.?.?.?.?\xfe|\xff.?.?.?.?.?.?.?.?\xff)
diff --git a/src/usr/local/share/protocols/skypetoskype.pat b/src/usr/local/share/protocols/skypetoskype.pat
new file mode 100644
index 0000000..ed1103a
--- /dev/null
+++ b/src/usr/local/share/protocols/skypetoskype.pat
@@ -0,0 +1,14 @@
+# Skype to Skype - UDP voice call (program to program) - http://skype.com
+# Pattern attributes: ok veryfast fast overmatch
+# Protocol groups: voip p2p proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Skype
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# This matches at least some of the general chatter that occurs when the
+# user isn't doing anything as well as actual calls.
+# Thanks to Myles Uyema, mylesuyema AT gmail.com
+
+skypetoskype
+# require at least 16 bytes (my limited tests always get at least 18)
+^..\x02.............
+
diff --git a/src/usr/local/share/protocols/smb.pat b/src/usr/local/share/protocols/smb.pat
new file mode 100644
index 0000000..c1f8b0a
--- /dev/null
+++ b/src/usr/local/share/protocols/smb.pat
@@ -0,0 +1,19 @@
+# Samba/SMB - Server Message Block - Microsoft Windows filesharing
+# Pattern attributes: good fast notsofast
+# Protocol groups: document_retrieval networking proprietary
+# Wiki: http://www.protocolinfo.org/wiki/SMB
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# "This protocol is sometimes also referred to as the Common Internet File
+# System (CIFS), LanManager or NetBIOS protocol." -- "man samba"
+#
+# Actually, SMB is a higher level protocol than NetBIOS. However, the
+# NetBIOS header is only 4 bytes: not much to match on.
+#
+# http://www.ubiqx.org/cifs/SMB.html
+#
+# This pattern is lightly tested.
+
+smb
+# matches a NEGOTIATE PROTOCOL or TRANSACTION REQUEST command
+\xffsmb[\x72\x25]
diff --git a/src/usr/local/share/protocols/smtp.pat b/src/usr/local/share/protocols/smtp.pat
new file mode 100644
index 0000000..2f5d195
--- /dev/null
+++ b/src/usr/local/share/protocols/smtp.pat
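Review bot: `\xffsmb[\x72\x25]` matches only the SMB1 header signature (0xFF 'S' 'M' 'B' followed by the NEGOTIATE or TRANSACTION command byte); SMB2 and SMB3 begin with 0xFE 'S' 'M' 'B' and use a different command encoding, so file sharing between hosts that negotiate SMB2+ is invisible to this pattern. The file says "lightly tested" and nothing about dialects, so at minimum add `# SMB1 only: SMB2/3 start with \xfeSMB and are not matched here`. If newer dialects are wanted, `(\xffsmb[\x72\x25]|\xfesmb)` would cover the SMB2 header but drops the command-byte check on that branch and should be validated against captures before the `good` attribute is kept.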
@@ -0,0 +1,40 @@
+# SMTP - Simple Mail Transfer Protocol - RFC 2821 (See also RFC 1869)
+# Pattern attributes: great notsofast fast
+# Protocol groups: mail ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/SMTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# usually runs on port 25
+#
+# This pattern has been tested and is believed to work well.
+
+# As usual, no text is required after "220", but all known servers have some
+# there. It (almost?) always has string "smtp" in it. The RFC examples
+# does not, so we match those too, just in case anyone has copied them
+# literally.
+#
+# Some examples:
+# 220 mail.stalker.com ESMTP CommuniGate Pro 4.1.3
+# 220 mail.vieodata.com ESMTP Merak 6.1.0; Mon, 15 Sep 2003 13:48:11 -0400
+# 220 mail.ut.caldera.com ESMTP
+# 220 persephone.pmail.gen.nz ESMTP server ready.
+# 220 smtp1.superb.net ESMTP
+# 220 mail.kerio.com Kerio MailServer 5.6.7 ESMTP ready
+# 220-mail.deerfield.com ESMTP VisNetic.MailServer.v6.0.9.0; Mon, 15 Sep 2003 13:4
+# 220 altn.com ESMTP MDaemon 6.8.5; Mon, 15 Sep 2003 12:46:42 -0500
+# 220 X1 NT-ESMTP Server ipsmin0165atl2.interland.net (IMail 6.06 73062-3)
+# 220 mail.icewarp.com ESMTP Merak 6.1.1; Mon, 15 Sep 2003 19:43:23 +0200
+# 220-mail.email-scan.com ESMTP
+# 220 smaug.dreamhost.com ESMTP
+# 220 kona.carleton.edu -- Server ESMTP (PMDF V6.2#30648)
+# 220 letra.reed.edu ESMTP Sendmail 8.12.9/8.12.9; Mon, 15 Sep 2003 10:35:57 -0700 (PDT)
+# 220-swan.mail.pas.earthlink.net ESMTP Exim 3.33 #1 Mon, 15 Sep 2003 10:32:15 -0700
+#
+# RFC examples:
+# 220 xyz.com Simple Mail Transfer Service Ready (RFC example)
+# 220 dbc.mtview.ca.us SMTP service ready
+
+smtp
+^220[\x09-\x0d -~]* (e?smtp|simple mail)
+userspace pattern=^220[\x09-\x0d -~]* (E?SMTP|[Ss]imple [Mm]ail)
+userspace flags=REG_NOSUB REG_EXTENDED
diff --git a/src/usr/local/share/protocols/snmp-mon.pat b/src/usr/local/share/protocols/snmp-mon.pat
new file mode 100644
index 0000000..fe22662
--- /dev/null
+++ b/src/usr/local/share/protocols/snmp-mon.pat
@@ -0,0 +1,32 @@
+# SNMP Monitoring - Simple Network Management Protocol (RFC1157)
+# Pattern attributes: good veryfast fast subset
+# Protocol groups: networking ietf_internet_standard
+# Wiki: http://en.wikipedia.org/wiki/SNMP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on UDP ports 161
+#
+# These filters match SNMPv1 packets without fail, and are made
+# as specific as possible not to match any ASN.1 encoded protocols.
+# However these could still be matched by other protocols that
+# use ASN.1 encoding
+
+# Contributed by Goli SriSairam
+
+# This pattern has been tested and is believe to work well.
+#
+# To get or provide more information about this protocol and/or pattern:
+# http://www.protocolinfo.org/wiki/SNMP
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+# SNMPv1 GET/GETNEXT/SET request and response
+# matches SNMP header
+# version \x02\x01
+# community \x04.+
+# PDU type [\xa0-\xa3] (GET/GETNEXT/SET/GETRESPONSE)
+# RequestId \x02[\x01-\x04].?.?.?.?
+# errorStatus \x02\x01.?
+# errorIndex \x02\x01.?
+# varbinds start \x30
+snmp-mon
+^\x02\x01\x04.+[\xa0-\xa3]\x02[\x01-\x04].?.?.?.?\x02\x01.?\x02\x01.?\x30
diff --git a/src/usr/local/share/protocols/snmp-trap.pat b/src/usr/local/share/protocols/snmp-trap.pat
new file mode 100644
index 0000000..e8ba19a
--- /dev/null
+++ b/src/usr/local/share/protocols/snmp-trap.pat
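Review bot: Two wording defects in snmp-mon.pat are repeated verbatim in snmp-trap.pat: `# This pattern has been tested and is believe to work well.` should read `believed`, and `# Usually runs on UDP ports 161` names a single port, so `port 161` (and `port 162` in the trap file). On substance, the byte-by-byte annotation starts at `version \x02\x01`, but an SNMPv1 message is wrapped in an outer ASN.1 SEQUENCE (a \x30 tag and a length octet) before the version INTEGER; if the matcher sees those leading octets the `^` anchor cannot line up with `\x02\x01`, which I cannot settle from the file alone. Since the header claims the pattern was tested, a one-line comment explaining why the anchor works, or a capture confirming it, would remove the doubt for the next maintainer.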
@@ -0,0 +1,33 @@
+# SNMP Traps - Simple Network Management Protocol (RFC1157)
+# Pattern attributes: good veryfast fast subset
+# Protocol groups: networking ietf_internet_standard
+# Wiki: http://en.wikipedia.org/wiki/SNMP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on UDP ports 162
+#
+# These filters match SNMPv1 packets without fail, and are made
+# as specific as possible not to match any ASN.1 encoded protocols.
+# However these could still be matched by other protocols that
+# use ASN.1 encoding
+
+# Contributed by Goli SriSairam
+
+# This pattern has been tested and is believe to work well.
+#
+# To get or provide more information about this protocol and/or pattern:
+# http://www.protocolinfo.org/wiki/SNMP
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+# SNMPv1 Trap
+# matches SNMP trap header
+# version \x02\x01
+# community string \x04.+
+# PDU type \xa4 (TRAP)
+# enterprise \x06.+
+# agent address \x40\x04\.?.?.?.?
+# trap type \x02\x01.?
+# specific trap type \x02\x01.?
+# timestamp \x43
+snmp-trap
+^\x02\x01\x04.+\xa4\x06.+\x40\x04.?.?.?.?\x02\x01.?\x02\x01.?\x43
diff --git a/src/usr/local/share/protocols/snmp.pat b/src/usr/local/share/protocols/snmp.pat
new file mode 100644
index 0000000..a7186b2
--- /dev/null
+++ b/src/usr/local/share/protocols/snmp.pat
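Review bot: The annotation `# agent address \x40\x04\.?.?.?.?` carries a stray backslash before the first `.?` that is not present in the pattern below (`\x40\x04.?.?.?.?`); as written the comment describes a literal dot, which would reject every real agent address. This per-field breakdown is the only documentation of the regex layout, so it should mirror the pattern exactly: `# agent address \x40\x04.?.?.?.?`.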
@@ -0,0 +1,19 @@
+# SNMP - Simple Network Management Protocol - RFC 1157
+# Pattern attributes: good veryfast fast superset
+# Protocol groups: networking ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/SNMP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on UDP ports 161 (monitoring) and 162 (traps).
+#
+# These filters match SNMPv1 packets without fail, and are made as
+# specific as possible not to match any ASN.1 encoded protocols. However
+# these could still be matched by other protocols that use ASN.1 encoding
+
+# Contributed by Goli SriSairam
+
+# This pattern has been tested and is believed to work well.
+
+# All SNMPv1 traffic. See snmp-mon.pat and snmp-trap.pat for details.
+snmp
+^\x02\x01\x04.+([\xa0-\xa3]\x02[\x01-\x04].?.?.?.?\x02\x01.?\x02\x01.?\x30|\xa4\x06.+\x40\x04.?.?.?.?\x02\x01.?\x02\x01.?\x43)
diff --git a/src/usr/local/share/protocols/socks.pat b/src/usr/local/share/protocols/socks.pat
new file mode 100644
index 0000000..54189fd
--- /dev/null
+++ b/src/usr/local/share/protocols/socks.pat
@@ -0,0 +1,32 @@
+# SOCKS Version 5 - Firewall traversal protocol - RFC 1928
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: networking ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/SOCKS
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 1080
+# Also useful: http://www.iana.org/assignments/socks-methods
+#
+# We have had two reports that this pattern works.
+
+# method request, no private methods \x05[\x01-\x08]*
+# method reply, assumes sucess \x05[\x01-\x08]?
+# method dependent sub-negotiation .*
+# request, ipv4 only \x05[\x01-\x03][\x01\x03].*
+# reply \x05[\x01-\x08]?[\x01\x03].*
+
+# username/password method
+# u/p request, assuming reasonable usernames and passwords
+# \x05[\x02-\x10][a-z][a-z0-9\-]*[\x05-\x20][!-~]*
+# server reply
+# \x05
+
+# GSSAPI method
+# client initial token \x01\x01\x02.*
+# server reply \x01\x01\x02.*
+
+# any other method .* (all methods boil down to this until we have information
+# about all the commonly used ones)
+
+socks
+\x05[\x01-\x08]*\x05[\x01-\x08]?.*\x05[\x01-\x03][\x01\x03].*\x05[\x01-\x08]?[\x01\x03]
diff --git a/src/usr/local/share/protocols/soribada.pat b/src/usr/local/share/protocols/soribada.pat
new file mode 100644
index 0000000..e1c0c56
--- /dev/null
+++ b/src/usr/local/share/protocols/soribada.pat
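Review bot: The request clause `\x05[\x01-\x03][\x01\x03]` (and the matching reply clause) accepts address types 0x01 (IPv4) and 0x03 (domain name) but not 0x04 (IPv6), which RFC 1928, cited in the header, defines alongside them, so SOCKS5 proxying to an IPv6 destination is never classified; the comment `# request, ipv4 only` is also inaccurate because domain-name requests are already accepted. Either widen both address-type classes to `[\x01\x03\x04]` and reword the comment to `# request, ipv4/domain/ipv6`, or at least correct the comment to say `ipv4 or domain name`. `sucess` in the method-reply comment should be `success`.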
@@ -0,0 +1,51 @@
+# Soribada - A Korean P2P filesharing program/protocol - http://www.soribada.com
+# Pattern attributes: good slow notsofast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Soribada
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# I am told that there are three versions of this protocol, the first no
+# longer being used. That would probably explain why incoming searches
+# have two different formats...
+
+# There are three parts to Soribada protocal:
+# 1: Ping/Pong to establish a relationship on the net (UDP with 2 useful bytes)
+# 2: Searching (in two formats) (UDP with two short easy to match starts)
+# 3: Download requests/transfers (TCP with an obvious first packet)
+
+# 1 -- Pings/Pongs:
+# Requester send 2 bytes and a 6 byte response is sent back.
+# \x10 for the first byte and \x14-\x16 for the second.
+# The response is the first byte (\x10) and the second byte incremented
+# by 1 (\x15-\x17).
+# No further communication happens between the hosts except for searches.
+# A regex match: ^\x10[\x14-\x16]\x10[\x15-\x17].?.?.?.?$
+# First Packet ---^^^^^^^^^^^^^^^
+# Second Packet -----------------^^^^^^^^^^^^^^^^^^^^^^^
+
+# 2 -- Search requests:
+# All searches are totally stateless and are only responded to if the user
+# actually has the file.
+# Both format start with a \x01 byte, have 3 "random bytes" and then 3 bytes
+# corasponding to one of two formats.
+# Format 1 is \x51\x3a\+ and format 2 is \x51\x32\x3a
+# A regex match: ^\x01.?.?.?(\x51\x3a\+|\x51\x32\x3a)
+
+# 3 -- Download requests:
+# All downloads start with "GETMP3\x0d\x0aFilename"
+# A regex match: ^GETMP3\x0d\x0aFilename
+
+soribada
+
+# This will match the second packet of two.
+# ^\x10[\x14-\x16]\x10[\x15-\x17].?.?.?.?$
+
+# Again, matching this is the end of the comunication.
+# ^\x01.?.?.?(\x51\x3a\+|\x51\x32\x3a)
+
+# This is the start of the transfer and an easy match
+#^GETMP3\x0d\x0aFilename
+
+# This will match everything including the udp packet portions
+^GETMP3\x0d\x0aFilename|^\x01.?.?.?(\x51\x3a\+|\x51\x32\x3a)|^\x10[\x14-\x16]\x10[\x15-\x17].?.?.?.?$
+
diff --git a/src/usr/local/share/protocols/soulseek.pat b/src/usr/local/share/protocols/soulseek.pat
new file mode 100644
index 0000000..ebc06ab
--- /dev/null
+++ b/src/usr/local/share/protocols/soulseek.pat
@@ -0,0 +1,17 @@
+# Soulseek - P2P filesharing - http://slsknet.org
+# Pattern attributes: good fast fast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Soulseek
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# All my tests show that this pattern is fast, but one user has reported that
+# it is slow. Your milage may vary.
+
+# This has been tested and works for "pierce firewall" commands and file
+# transfers. It does *not* match all the various sorts of chatter that go on,
+# such as searches, pings and whatnot.
+
+soulseek
+# (Pierce firewall: in theory the token could be 4 bytes, but the last two
+# seem to always be zero.|download: Peer Init)
+^(\x05..?|.\x01.[ -~]+\x01F..?.?.?.?.?.?.?)$
diff --git a/src/usr/local/share/protocols/ssdp.pat b/src/usr/local/share/protocols/ssdp.pat
new file mode 100644
index 0000000..d2de92d
--- /dev/null
+++ b/src/usr/local/share/protocols/ssdp.pat
@@ -0,0 +1,21 @@
+# SSDP - Simple Service Discovery Protocol - easy discovery of network devices
+# Pattern attributes: good slow notsofast
+# Protocol groups: networking ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/SSDP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# This pattern was tested only by listening to a Linksys WRT54G. However,
+# I expect it works in general given the simplicity of the protocol.
+
+# SSDP packets should _always_ be sent to the multicast address
+# 239.255.255.250, making this pattern irrelevant. (Moreover, SSDP
+# packets should be resitricted to local networks that have plenty of
+# bandwidth.) However, Microsoft, as usual, has other ideas, so maybe
+# it could be useful. Can't hurt, anyway. :-)
+#
+# http://www.upnp.org/download/draft_cai_ssdp_v1_03.txt
+# http://msdn.microsoft.com/library/default.asp?url=/library/en-us/randz/protocol/ssdp.asp
+
+ssdp
+^notify[\x09-\x0d ]\*[\x09-\x0d ]http/1\.1[\x09-\x0d -~]*ssdp:(alive|byebye)|^m-search[\x09-\x0d ]\*[\x09-\x0d ]http/1\.1[\x09-\x0d -~]*ssdp:discover
+
diff --git a/src/usr/local/share/protocols/ssh.pat b/src/usr/local/share/protocols/ssh.pat
new file mode 100644
index 0000000..5e32f5c
--- /dev/null
+++ b/src/usr/local/share/protocols/ssh.pat
@@ -0,0 +1,17 @@
+# SSH - Secure SHell
+# Pattern attributes: great veryfast fast
+# Protocol groups: remote_access secure ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/SSH
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# usually runs on port 22
+#
+# http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-22.txt
+#
+# This pattern has been tested and is believed to work well.
+
+ssh
+^ssh-[12]\.[0-9]
+
+# old pattern:
+# (diffie-hellman-group-exchange-sha1|diffie-hellman-group1-sha1.ssh-rsa|ssh-dssfaes128-cbc|3des-cbc|blowfish-cbc|cast128-cbc|arcfour|aes192-cbc|aes256-cbc|rijndael-cbc@lysator.liu.sefaes128-cbc|3des-cbc|blowfish-cbc|cast128-cbc|arcfour|aes192-cbc|aes256-cbc|rijndael-cbc@lysator.liu.seuhmac-md5|hmac-sha1|hmac-ripemd160)+
diff --git a/src/usr/local/share/protocols/ssl.pat b/src/usr/local/share/protocols/ssl.pat
new file mode 100644
index 0000000..ae30ee4
--- /dev/null
+++ b/src/usr/local/share/protocols/ssl.pat
@@ -0,0 +1,16 @@
+# SSL and TLS - Secure Socket Layer / Transport Layer Security - RFC 2246
+# Pattern attributes: good notsofast fast superset
+# Protocol groups: secure ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/SSL
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 443
+#
+# This is a superset of validcertssl. For it to match, it must be first.
+#
+# This pattern has been tested and is believed to work well.
+
+ssl
+# Server Hello with certificate | Client Hello
+# This allows SSL 3.X, which includes TLS 1.0, known internally as SSL 3.1
+^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b)
diff --git a/src/usr/local/share/protocols/stun.pat b/src/usr/local/share/protocols/stun.pat
new file mode 100644
index 0000000..3bfc3ab
--- /dev/null
+++ b/src/usr/local/share/protocols/stun.pat
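Review bot: In ssl.pat the comment `# This allows SSL 3.X, which includes TLS 1.0, known internally as SSL 3.1` understates what the first branch accepts: `\x16\x03.*\x16\x03` fixes only the major version byte, so TLS 1.1 (\x03\x02) and TLS 1.2 (\x03\x03) handshake records match just as well, and the second branch appears to be the SSLv2-compatible ClientHello form rather than a TLS-style one. Operators reading "SSL 3.X" may conclude newer TLS is not covered, so the comment should say `# Matches any record-layer major version 3 (SSL 3.0 through TLS 1.2); second branch is the SSLv2-style ClientHello`. The line `For it to match, it must be first.` is a load-order requirement relative to validcertssl and deserves to be phrased as such, since getting the order wrong silently changes which label a flow receives.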
@@ -0,0 +1,46 @@
+# STUN - Simple Traversal of UDP Through NAT - RFC 3489
+# Pattern attributes: ok veryfast fast
+# Protocol groups: networking ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/STUN
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern is untested as far as I know.
+
+# Wikipedia says: "The STUN server is contacted on UDP port 3478,
+# however the server will hint clients to perform tests on alternate IP
+# and port number too (STUN servers have two IP addresses). The RFC
+# states that this port and IP are arbitrary."
+
+stun
+# \x01 is a Binding Request. \x02 is a Shared Secret Request. Binding
+# Requests are, experimentally, exactly 20 Bytes with three NULL Bytes.
+# The first NULL is part of the two byte message type field. The other
+# two give the message length, zero. I'm guessing that Shared Secret
+# Requests are similar, but I have not checked. Please read the RFC and
+# do experiments to find out. All other message types are responses,
+# and so don't matter.
+#
+# The .? allows one of the Message Transaction ID Bytes to be \x00. If
+# two are \x00, it will fail. This will happen 0.37% of the time, since
+# the Message Transaction ID is supposed to be random. If this is
+# unacceptable to you, add another ? to reduce this to 0.020%, but be
+# aware of the increased possibility of false positives.
+^[\x01\x02]................?$
+
+# From my post to the mailing list:
+# http://sourceforge.net/mailarchive/message.php?msg_id=36787107
+#
+# This is a rather permissive pattern, but you can make it a little better
+# by combining it with another iptables rule that checks that the packet
+# data is exactly 20 Bytes. Of course, the second packet is longer, so
+# maybe that introduces more complications than benefits.
+#
+# If you're willing to wait until the second packet to make the
+# identification, you could use this:
+#
+# ^\x01................?\x01\x01
+#
+# or if the Message Length is always \x24 (I'm not sure it is from your
+# single example):
+#
+# ^\x01................?\x01\x01\x24
diff --git a/src/usr/local/share/protocols/subspace.pat b/src/usr/local/share/protocols/subspace.pat
new file mode 100644
index 0000000..0a1b174
--- /dev/null
+++ b/src/usr/local/share/protocols/subspace.pat
@@ -0,0 +1,21 @@
+# Subspace - 2D asteroids-style space game - http://sscentral.com
+# Pattern attributes: marginal veryfast fast
+# Protocol groups: game
+# Wiki: http://www.protocolinfo.org/wiki/Subspace
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# By Myles Uyema
+#
+# This pattern matches the initial 2 packets of the client-server
+# 'handshake' when joining a Zone.
+#
+# The first packet is an 8 byte UDP payload sent from client
+# 0x00 0x01 0x?? 0x?? 0x?? 0x?? 0x11
+# The next packet is a 12 byte UDP response from server
+# 0x00 0x10 0x?? 0x?? 0x?? 0x?? 0x?? 0x?? 0x?? 0x?? 0x01 0x00
+#
+# l7-filter strips out the null bytes, leaving me with this pattern
+
+subspace
+^\x01....\x11\x10........\x01$
+
diff --git a/src/usr/local/share/protocols/subversion.pat b/src/usr/local/share/protocols/subversion.pat
new file mode 100644
index 0000000..8769a19
--- /dev/null
+++ b/src/usr/local/share/protocols/subversion.pat
@@ -0,0 +1,13 @@
+# Subversion - a version control system
+# Pattern attributes: ok veryfast fast
+# Protocol groups: version_control open_source
+# Wiki: http://www.protocolinfo.org/wiki/Subversion
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern is UNTESTED. (But it seems straightforward enough...)
+#
+# Subversion uses TCP port 3690 by default.
+
+subversion
+# This is not a valid basic GNU regular expression.
+^\( success \( 1 2 \(
diff --git a/src/usr/local/share/protocols/swf.pat b/src/usr/local/share/protocols/swf.pat
new file mode 100644
index 0000000..af03086
--- /dev/null
+++ b/src/usr/local/share/protocols/swf.pat
@@ -0,0 +1,2 @@
+swf
+swf\x21\x1a\x07
diff --git a/src/usr/local/share/protocols/tar.pat b/src/usr/local/share/protocols/tar.pat
new file mode 100644
index 0000000..d3ea987
--- /dev/null
+++ b/src/usr/local/share/protocols/tar.pat
@@ -0,0 +1,12 @@
+# Tar - tape archive. Standard UNIX file archiver, not just for tapes.
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+tar
+# /usr/share/magic
+## POSIX tar archives
+#257 string ustar\0 POSIX tar archive
+#257 string ustar\040\040\0 GNU tar archive
+# this is pretty general. It's not a dictionary word, but still...
+ustar
diff --git a/src/usr/local/share/protocols/teamfortress2.pat b/src/usr/local/share/protocols/teamfortress2.pat
new file mode 100644
index 0000000..337af39
--- /dev/null
+++ b/src/usr/local/share/protocols/teamfortress2.pat
@@ -0,0 +1,11 @@
+# Team Fortress 2 - network game - http://www.valvesoftware.com
+# Pattern attributes: good veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Team_Fortress
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Credits: Clayton Macleod
+# Jan Engelhardt
+
+teamfortress2
+^\xff\xff\xff\xff.....*tfTeam Fortress
diff --git a/src/usr/local/share/protocols/teamspeak.pat b/src/usr/local/share/protocols/teamspeak.pat
new file mode 100644
index 0000000..8b2155e
--- /dev/null
+++ b/src/usr/local/share/protocols/teamspeak.pat
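Review bot: swf.pat is the only pattern in this set with no header block: it lacks the description line, `# Pattern attributes:`, `# Protocol groups:` and the `# Copyright (C) ... See ../LICENSE` line that every sibling (tar.pat in this same hunk, for instance) carries, so there is no record of what the bytes in `swf\x21\x1a\x07` are, how reliable the match is thought to be, or who contributed it. I would add a header of the same shape as tar.pat's and a one-line comment above the regex naming the part of an SWF stream those three bytes come from; if that is not known, say so the way tesla.pat does. The regex is also unanchored, which is worth stating next to the attributes so the choice is visibly deliberate.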
@@ -0,0 +1,15 @@
+# TeamSpeak - VoIP application - http://goteamspeak.com
+# Pattern attributes: good veryfast fast
+# Protocol groups: voip proprietary
+# Wiki: http://www.protocolinfo.org/wiki/TeamSpeak
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested by Matthew Strait and verified by packet
+# traces by at least two other people. The meaning of f4b303 is not
+# known, but it seems to appear in all first packets. This pattern only
+# matches the actual UDP voice traffic, not the TeamSpeak web interface
+# or "TCP query".
+
+teamspeak
+^\xf4\xbe\x03.*teamspeak
+
diff --git a/src/usr/local/share/protocols/telnet.pat b/src/usr/local/share/protocols/telnet.pat
new file mode 100644
index 0000000..cf10d0e
--- /dev/null
+++ b/src/usr/local/share/protocols/telnet.pat
@@ -0,0 +1,16 @@
+# Telnet - Insecure remote login - RFC 854
+# Pattern attributes: good veryfast fast
+# Protocol groups: remote_access obsolete ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/Telnet
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 23
+#
+# This pattern is lightly tested.
+
+telnet
+# Matches at least three IAC (Do|Will|Don't|Won't) commands in a row.
+# My telnet client sends 9 when I connect, so this should be fine.
+# This pattern could fail on a unchatty connection or it could be
+# matched by something non-telnet spewing a lot of stuff in the fb-ff range.
+^\xff[\xfb-\xfe].\xff[\xfb-\xfe].\xff[\xfb-\xfe]
diff --git a/src/usr/local/share/protocols/tesla.pat b/src/usr/local/share/protocols/tesla.pat
new file mode 100644
index 0000000..1f4ee86
--- /dev/null
+++ b/src/usr/local/share/protocols/tesla.pat
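Review bot: In teamspeak.pat the header says `The meaning of f4b303 is not known`, but the regex on the last line matches `\xf4\xbe\x03`, so the comment and the pattern disagree on the middle byte. Since the header describes the pattern as verified against several packet traces, the regex is the more likely of the two to be right, and the comment should read `The meaning of f4be03 is not known`; if the traces really show `f4 b3 03`, then it is the regex that needs correcting. Either way the two should agree, otherwise the next person to debug a missed match has no way to tell which one to trust.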
@@ -0,0 +1,15 @@
+# Tesla Advanced Communication - P2P filesharing (?)
+# Pattern attributes: marginal slow notsofast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Tesla
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern is untested!
+
+# This is lifted from http://oofle.com/filesharing.php?app=tesla
+# There is no explaination of what these numbers mean.
+# The above page says that the first string is found only in TCP packets
+# and the second only in UDP.
+
+tesla
+\x03\x9a\x89\x22\x31\x31\x31\.\x30\x30\x20\x42\x65\x74\x61\x20|\xe2\x3c\x69\x1e\x1c\xe9
diff --git a/src/usr/local/share/protocols/tftp.pat b/src/usr/local/share/protocols/tftp.pat
new file mode 100644
index 0000000..1782ff5
--- /dev/null
+++ b/src/usr/local/share/protocols/tftp.pat
@@ -0,0 +1,21 @@
+# TFTP - Trivial File Transfer Protocol - used for bootstrapping - RFC 1350
+# Pattern attributes: marginal fast fast
+# Protocol groups: document_retrieval ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/TFTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# usually runs on port 69
+#
+# This pattern is unconfirmed.
+
+tftp
+# The first packet from the initiating host should either be a Read Request
+# or a Write Request. In the other direction, it should be data packet with
+# block number one or an ACK with block number zero. We only attempt to match
+# the initiating host's packets, because the only identifying features of
+# the responses to them are two byte sequences (which isn't specific enough).
+# (\x01|\x02) = Read Request or Write Request
+# [ -~]* = the file name
+# the rest = netascii|octet|mail (case insensitivity done by the kernel)
+
+^(\x01|\x02)[ -~]*(netascii|octet|mail)
diff --git a/src/usr/local/share/protocols/thecircle.pat b/src/usr/local/share/protocols/thecircle.pat
new file mode 100644
index 0000000..d5e2b80
--- /dev/null
+++ b/src/usr/local/share/protocols/thecircle.pat
@@ -0,0 +1,12 @@
+# The Circle - P2P application - http://thecircle.org.au
+# Pattern attributes: ok veryfast fast
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/The_Circle
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# This is tested with The Circle 0.41c on Linux.
+# It likely misses some stuff. Notably, I wasn't able to test it on any
+# large downloads, because no one is sharing anything!
+
+thecircle
+^t\x03ni.?[\x01-\x06]?t[\x01-\x05]s[\x0a\x0b](glob|who are you$|query data)
diff --git a/src/usr/local/share/protocols/tonghuashun.pat b/src/usr/local/share/protocols/tonghuashun.pat
new file mode 100644
index 0000000..45f838b
--- /dev/null
+++ b/src/usr/local/share/protocols/tonghuashun.pat
@@ -0,0 +1,11 @@
+# Tonghuashun - stock analysis and trading; Chinese - http://www.10jqka.com.cn
+# Pattern attributes: ok fast fast
+# Protocol groups:
+# Wiki: http://www.protocolinfo.org/wiki/Tonghuashun
+# Copyright (C) 2009 Matthew Strait; See ../LICENSE
+
+# Pattern contributed by liangjun without comment.
+
+tonghuashun
+^(GET /docookie\.php\?uname=|\xfd\xfd\xfd\xfd\x30\x30\x30\x30\x30)
+
diff --git a/src/usr/local/share/protocols/tor.pat b/src/usr/local/share/protocols/tor.pat
new file mode 100644
index 0000000..7e4f707
--- /dev/null
+++ b/src/usr/local/share/protocols/tor.pat
@@ -0,0 +1,17 @@
+# Tor - The Onion Router - used for anonymization - http://tor.eff.org
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: networking
+# Wiki: http://protocolinfo.org/wiki/Tor
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested and is believed to work well.
+#
+# It matches on the second packet. I have no idea how the protocol
+# works, but this matches every stream I have made using Tor 0.1.0.16 as
+# a client on Linux.
+#
+# It does NOT attempt to match the HTTP request that fetches the list of
+# Tor servers.
+
+tor
+TOR1.*
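Review bot: The trailing `.*` in tor.pat's `TOR1.*` contributes nothing to the match/no-match decision — the regex already succeeds wherever `TOR1` occurs — while giving the matcher extra work on every stream, so the line should simply be `TOR1`. The pattern is also unanchored and, per tftp.pat's note that case folding is done by the kernel, case-insensitive, so any stream carrying the four characters `tor1` in any case is classified as Tor; the header's "believed to work well" describes recall, not that overmatch risk. A short comment recording that the position of `TOR1` in the second packet was not stable enough to anchor (if that is the reason) would make the unanchored form look intentional rather than accidental.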
diff --git a/src/usr/local/share/protocols/tsp.pat b/src/usr/local/share/protocols/tsp.pat
new file mode 100644
index 0000000..7751df9
--- /dev/null
+++ b/src/usr/local/share/protocols/tsp.pat
@@ -0,0 +1,14 @@
+# TSP - Berkely UNIX Time Synchronization Protocol
+# Pattern attributes: good veryfast fast overmatch
+# Protocol groups: time_synchronization open_source
+# Wiki: http://www.protocolinfo.org/wiki/TSP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# http://ftp.svbug.com/ftp/pub/manuals/pdf/smm.22.timed.pdf
+# http://docs.freebsd.org/44doc/smm/12.timed/paper.pdf
+#
+# This pattern is barely tested.
+
+tsp
+# type, version (1), sequence number, 8 type specific bytes, machine name
+^[\x01-\x13\x16-$]\x01.?.?.?.?.?.?.?.?.?.?[ -~]+
diff --git a/src/usr/local/share/protocols/unset.pat b/src/usr/local/share/protocols/unset.pat
new file mode 100644
index 0000000..b9c1244
--- /dev/null
+++ b/src/usr/local/share/protocols/unset.pat
@@ -0,0 +1,8 @@
+# Unset - Dummy pattern for unmatched connections that are still being tested
+
+unset
+# This pattern is ignored by the kernel. It sees that the "protocol" is
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+# "testing" and always returns matched for connections that are still
+# being tested.
+.
diff --git a/src/usr/local/share/protocols/uucp.pat b/src/usr/local/share/protocols/uucp.pat
new file mode 100644
index 0000000..f7ef22c
--- /dev/null
+++ b/src/usr/local/share/protocols/uucp.pat
@@ -0,0 +1,12 @@
+# UUCP - Unix to Unix Copy
+# Pattern attributes: ok veryfast fast
+# Protocol groups: document_retrieval obsolete
+# Wiki: http://www.protocolinfo.org/wiki/UUCP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

+# This is completely untested! (I don't know how to use UUCP...)
+
+# See http://docs.freebsd.org/info/uucp/uucp.info.The_Initial_Handshake.html
+
+uucp
+^\x10here=
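Review bot: In unset.pat the `# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE` line has landed in the middle of a sentence, separating `It sees that the "protocol" is` from `"testing" and always returns matched for connections that are still`, so the one explanation of how this dummy pattern behaves no longer reads as a sentence. Move the copyright line up under the description line, where every other file in this set keeps it, so the kernel-behaviour comment is continuous. The comment also says the kernel keys on a protocol called `testing` while this file defines `unset`; if that is intentional, one clause saying which name the kernel actually checks would remove the apparent mismatch.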
diff --git a/src/usr/local/share/protocols/validcertssl.pat b/src/usr/local/share/protocols/validcertssl.pat
new file mode 100644
index 0000000..7aa1812
--- /dev/null
+++ b/src/usr/local/share/protocols/validcertssl.pat
@@ -0,0 +1,25 @@
+# Valid certificate SSL
+# Pattern attributes: good slow notsofast subset
+# Protocol groups: secure ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/SSL
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+# This matches anything claiming to use a valid certificate from a well
+# known certificate authority.
+#
+# This is a subset of ssl, so it needs to come first to match.
+#
+# Note that opening a website that has a valid certificate will
+# open one connection that matches this and many ssl connections that
+# only match the ssl pattern. Thus, this pattern may not be very useful.
+#
+# This pattern is believed match only the above, but may not match all
+# of it.
+#
+# the certificate authority info is sent in quasi plain text, if it matches
+# a well known certificate authority then we will assume it is a
+# web/imaps/etc server. Other ssl may be good too, but it should fall under
+# a different rule
+
+validcertssl
+^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b).*(thawte|equifax secure|rsa data security, inc|verisign, inc|gte cybertrust root|entrust\.net limited)
diff --git a/src/usr/local/share/protocols/ventrilo.pat b/src/usr/local/share/protocols/ventrilo.pat
new file mode 100644
index 0000000..74e588c
--- /dev/null
+++ b/src/usr/local/share/protocols/ventrilo.pat
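Review bot: The file name and the title `# Valid certificate SSL` promise more than the regex establishes: after the same handshake prefix as ssl.pat it only requires one of six issuer names (`thawte`, `equifax secure`, `rsa data security, inc`, `verisign, inc`, `gte cybertrust root`, `entrust\.net limited`) to appear somewhere in the stream, so a match means "a well-known CA name was seen in the bytes", not that any certificate, chain or signature was checked. The header hints at this ("anything claiming"), but I would say it plainly above the regex: `# NOTE: this is a traffic-classification heuristic, not certificate validation; the issuer name is a plain substring match and nothing about the certificate is verified.` The issuer list is also a fixed 2008-era set, so traffic using any other CA simply falls through to plain ssl, which is worth a sentence next to the `subset` attribute so the gap is not mistaken for a bug.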
@@ -0,0 +1,18 @@
+# Ventrilo - VoIP - http://ventrilo.com
+# Pattern attributes: good fast fast
+# Protocol groups: voip proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Ventrilo
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# I have tested this with Ventrilo client 2.3.0 on Windows talking to
+# Ventrilo server 2.3.1 (the public version) on Linux. I've done this
+# both within a LAN and over the Internet. In one test, I tried
+# monkeying around with the server settings to see if I could break the
+# pattern, and I couldn't. However, you can't change the port number in
+# the public server.
+#
+# It has also been tested by one other person in an unknown configuration.
+
+ventrilo
+^..?v\$\xcf
+
diff --git a/src/usr/local/share/protocols/vnc.pat b/src/usr/local/share/protocols/vnc.pat
new file mode 100644
index 0000000..79d0ae8
--- /dev/null
+++ b/src/usr/local/share/protocols/vnc.pat
@@ -0,0 +1,23 @@
+# VNC - Virtual Network Computing. Also known as RFB - Remote Frame Buffer
+# Pattern attributes: great veryfast fast
+# Protocol groups: remote_access
+# Wiki: http://www.protocolinfo.org/wiki/VNC
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# http://www.realvnc.com/documentation.html
+#
+# This pattern has been verified with vnc v3.3.7 on WinXP and Linux
+#
+# Thanks to Trevor Paskett for this pattern.
+
+vnc
+# Assumes single digit major and minor version numbers
+# This message should be all alone in the first packet, so ^$ is appropriate
+^rfb 00[1-9]\.00[0-9]\x0a$
+
+# This is a more restrictive version which assumes the version numbers
+# are ones actually in existance at the time of this writing, i.e. 3.3,
+# 3.7 and 3.8 (with some clients wrongly reporting 3.5). It should be
+# slightly faster, but probably not worth the extra maintenance.
+# ^rfb 003\.00[3578]\x0a$
+
diff --git a/src/usr/local/share/protocols/whois.pat b/src/usr/local/share/protocols/whois.pat
new file mode 100644
index 0000000..6abf0e8
--- /dev/null
+++ b/src/usr/local/share/protocols/whois.pat
@@ -0,0 +1,14 @@
+# Whois - query/response system, usually used for domain name info - RFC 3912
+# Pattern attributes: good notsofast notsofast overmatch
+# Protocol groups: networking ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/Whois
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on TCP port 43
+#
+# This pattern has been tested and is believed to work well.
+
+whois
+# Matches the query. Assumes only that it is printable ASCII without wierd
+# whitespace.
+^[ !-~]+\x0d\x0a$
diff --git a/src/usr/local/share/protocols/worldofwarcraft.pat b/src/usr/local/share/protocols/worldofwarcraft.pat
new file mode 100644
index 0000000..4136d79
--- /dev/null
+++ b/src/usr/local/share/protocols/worldofwarcraft.pat
@@ -0,0 +1,66 @@
+# World of Warcraft - popular network game - http://blizzard.com/
+# Pattern attributes: ok veryfast fast
+# Protocol groups: game proprietary
+# Wiki: http://www.protocolinfo.org/wiki/World_of_Warcraft
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+
+worldofwarcraft
+^\x06\xec\x01
+
+# Quoth the author of this pattern, Weisskopf Beat :
+
+# I have written a pattern for wow (tested with versions 1.8.3 and
+# 1.8.4, german edition). It does not match the login as i think this is
+# uncritical, but i have added the necessary info later on. So only the
+# actual in-game traffic is matched.
+#
+# I hope the pattern is specific enough, otherwise one may add some
+# bytes from the response.
+#
+# some captured info:
+#
+# login:
+#
+# 0000: 00 02 28 00 57 6F 57 00 01 08 03 C7 12 36 38 78 ..(.WoW......68x
+# 0010: 00 6E 69 57 00 45 44 65 64 3C 00 00 00 C0 A8 01 .niW.EDed<......
+# 0020: 22 0A 42 57 45 49 53 53 4B 4F 50 46 ".BWEISSKOPF
+#
+# 0000: 00 02 28 00 57 6F 57 00 01 08 03 C7 12 36 38 78 ..(.WoW......68x
+# 0010: 00 6E 69 57 00 45 44 65 64 3C 00 00 00 C0 A8 01 .niW.EDed<......
+# 0020: 22 0A 42 57 45 49 53 53 4B 4F 50 46 ".BWEISSKOPF
+#
+# server asking:
+#
+# #1
+# 0000: 00 06 EC 01 04 49 C5 33 .....I.3
+#
+# #2
+# 0000: 00 06 EC 01 C3 A8 6E 63 ......nc
+#
+# client response
+# #1
+# 0000: 00 A4 ED 01 00 00 C7 12 00 00 00 00 00 00 42 57 ..............BW
+# 0010: 45 49 53 53 4B 4F 50 46 00 EB 35 DC 89 5A CA 6D EISSKOPF..5..Z.m
+# 0020: 17 95 DE 5B 74 6E 1E 5D 23 73 C6 8F 27 9F 11 12 ...[tn.]#s..'...
+# 0030: BB 21 01 00 00 78 9C 75 CC 41 0A 83 50 0C 84 E1 .!...x.u.A..P...
+# 0040: E7 3D 7A 19 75 25 D4 4D AB EB 12 5E A2 0C 8D 51 .=z.u%.M...^...Q
+# 0050: D2 57 04 4F DF 2E 2D A4 B3 FD 86 3F A5 EF 1A C5 .W.O..-....?....
+# 0060: 71 90 F3 A3 7E E7 82 D5 C6 2E 55 CB 7E B9 FE 58 q...~.....U.~..X
+# 0070: 43 A5 A8 4C 10 E5 1E 86 85 B6 E8 04 63 D8 1C 06 C..L........c...
+# 0080: 5A A7 A9 84 D2 D9 6B 93 1C 5B 4F D9 D7 50 6E 04 Z.....k..[O..Pn.
+# 0090: 0E 61 20 15 8B 6B 83 13 CB FD 09 D5 7F 0C 13 3F .a ..k.........?
+# 00A0: DB 07 B4 EA 54 F8 ....T.
+#
+# #2
+# 0000: 00 A4 ED 01 00 00 C7 12 00 00 00 00 00 00 42 57 ..............BW
+# 0010: 45 49 53 53 4B 4F 50 46 00 38 4C B5 95 C3 AD 25 EISSKOPF.8L....%
+# 0020: CB 73 48 BD 82 FC 99 63 59 AC BF F3 D0 C6 8D AB .sH....cY.......
+# 0030: 3D 21 01 00 00 78 9C 75 CC 41 0A 83 50 0C 84 E1 =!...x.u.A..P...
+# 0040: E7 3D 7A 19 75 25 D4 4D AB EB 12 5E A2 0C 8D 51 .=z.u%.M...^...Q
+# 0050: D2 57 04 4F DF 2E 2D A4 B3 FD 86 3F A5 EF 1A C5 .W.O..-....?....
+# 0060: 71 90 F3 A3 7E E7 82 D5 C6 2E 55 CB 7E B9 FE 58 q...~.....U.~..X
+# 0070: 43 A5 A8 4C 10 E5 1E 86 85 B6 E8 04 63 D8 1C 06 C..L........c...
+# 0080: 5A A7 A9 84 D2 D9 6B 93 1C 5B 4F D9 D7 50 6E 04 Z.....k..[O..Pn.
+# 0090: 0E 61 20 15 8B 6B 83 13 CB FD 09 D5 7F 0C 13 3F .a ..k.........?
+# 00A0: DB 07 B4 EA 54 F8 ....T.
+
diff --git a/src/usr/local/share/protocols/x11.pat b/src/usr/local/share/protocols/x11.pat
new file mode 100644
index 0000000..2028ee7
--- /dev/null
+++ b/src/usr/local/share/protocols/x11.pat
@@ -0,0 +1,23 @@
+# X Windows Version 11 - Networked GUI system used in most Unices
+# Pattern attributes: good notsofast veryfast
+# Protocol groups: remote_access x_consortium_standard
+# Wiki: http://www.protocolinfo.org/wiki/X11
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# It is common for X to be tunneled through SSH. Then obviously this pattern
+# will not catch it.
+#
+# Specification: http://www.msu.edu/~huntharo/xwin/docs/xwindows/PROTO.pdf
+# Usually runs on port 6000 (6001 for the second server on a host, etc)
+#
+# This pattern has been tested.
+
+x11
+# 'l' = little-endian. 'B' = big endian
+# ".?" is for the unused byte that comes next. If it's a null, it won't appear.
+# \x0b = protocol-major-version 11.
+# For some reason, protocol-minor-version is 0, not 6, so can't match it.
+# This pattern is too general.
+^[lb].?\x0b
+userspace pattern=^[lB].?\x0b
+userspace flags=REG_NOSUB
diff --git a/src/usr/local/share/protocols/xboxlive.pat b/src/usr/local/share/protocols/xboxlive.pat
new file mode 100644
index 0000000..d04d9a7
--- /dev/null
+++ b/src/usr/local/share/protocols/xboxlive.pat
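Review bot: In x11.pat the kernel pattern `^[lb].?\x0b` and the `userspace pattern=^[lB].?\x0b` line differ only in the case of the byte-order character, and nothing in the file says why, so someone tidying the file could easily "fix" one to match the other and silently break one matcher. tftp.pat records that case folding is done by the kernel, so presumably the userspace matcher is case-sensitive and needs the literal `B` the comment `'l' = little-endian. 'B' = big endian` describes, while the kernel side can get away with `[lb]`. A one-line comment above the two lines, e.g. `# kernel matching is case-insensitive, the userspace regex is not, hence [lb] vs [lB]`, would pin that down.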
@@ -0,0 +1,41 @@ +# XBox Live - Console gaming +# Pattern attributes: marginal slow notsofast +# Protocol groups: game proprietary +# Wiki: http://www.protocolinfo.org/wiki/XBox_Live +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# This may match all XBox traffic, or may only match Halo 2 traffic. +# We don't know yet. +# +# Thanks to Myles Uyema , who says: +# +# Analyzing packet traces using Ethereal, the Xbox typically connects +# to remote users using UDP port 3074. The first frame is typically +# a 156 byte UDP payload. I've only scrutinized the first 20 or so bytes. +# +# Each line below represents the first frame between my Xbox and a remote +# player's IP address playing Halo2 on Xbox Live. +# +# 00 00 00 00 00 58 80 00 00 00 00 00 82 31 9e a8 05 0f c5 62 00 f3 96 08 +# 00 00 00 00 00 58 80 00 00 00 00 00 82 31 9e a8 0f 0f c5 62 00 f3 97 09 +# 00 00 00 00 00 58 80 00 00 00 00 00 82 31 9e a8 05 0f c5 62 00 f3 95 07 +# 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 bc 07 +# 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 be 09 +# 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 bf 0a +# 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 bd 08 +# 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 ba 05 +# 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 bb 06 +# 00 00 00 00 00 58 80 00 00 00 00 00 81 7f dd 14 f2 8e a3 a1 00 f3 ca 06 +# 00 00 00 00 00 58 80 00 00 00 00 00 81 7f dd 14 f2 8e a3 a1 00 f3 cc 08 +# 00 00 00 00 00 58 80 00 00 00 00 00 81 7f dd 14 f2 8e a3 a1 00 f3 c9 05 +# 00 00 00 00 00 58 80 00 00 00 00 00 8b ca 5b c0 d8 9c f8 c3 00 f3 d4 0a +# 00 00 00 00 00 58 80 00 00 00 00 00 8b ca 5b c0 d8 9c f3 c3 00 f3 d1 07 +# 00 00 00 00 00 58 80 00 00 00 00 00 8b ca 5b c0 d8 9c f8 c3 00 f3 d2 08 +# 00 00 00 00 00 58 80 00 00 00 00 00 8b ca 5b c0 d8 9c f8 c3 00 f3 cf 05 +# 00 00 00 00 06 58 4e 00 00 00 e6 d9 6e ab 65 0d 63 9f 02 00 
00 02 80 dd +# 00 00 00 00 06 58 4e 00 00 00 46 e2 95 74 cd f9 bc 3d 00 00 00 00 8b ca +# 00 00 00 00 06 58 4e 00 00 00 cf ce 3b 5c f5 f2 49 9a 00 00 00 00 8b ca +# 00 00 00 00 06 58 4e 00 00 00 a9 c0 ac c5 16 e5 c9 92 00 00 00 00 8b ca + +xboxlive +^\x58\x80........\xf3|^\x06\x58\x4e diff --git a/src/usr/local/share/protocols/xunlei.pat b/src/usr/local/share/protocols/xunlei.pat new file mode 100644 index 0000000..f7814c7 --- /dev/null +++ b/src/usr/local/share/protocols/xunlei.pat 
@@ -0,0 +1,83 @@ +# Xunlei - Chinese P2P filesharing - http://xunlei.com +# Pattern attributes: good slow notsofast +# Protocol groups: p2p +# Wiki: http://www.protocolinfo.org/wiki/Xunlei +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# This has been tested by a number of people. +# +# Written by wsgtrsys of www.routerclub.com. Improved by VeNoMouS. +# Improved more by wsgtrsys and platinum of bbs.chinaunix.net. +# +# Further additions of HTTP-like content by liangjunATdcuxD.Tcom, who +# says: "i find old pattern is not working . so i write a new pattern of +# xunlei,it's working with all of xunlei 5 version!" Matthew Strait notes +# in response: +# +# I've looked around and I'm fairly sure that Internet Explorer 5.0 +# never identifies itself as "Mozilla/4.0 (compatible; MSIE 5.00; +# Windows 98)" and that Internet Explorer 6.0 never identifies itself as +# either "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; )" or +# "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)". + +# The keep-alive part needs some examination too. These might validly +# occur in an HTTP/1.0 connection, although I think in practical cases +# they don't since there's general only one \x0d\x0a after it and/or the +# next line starts with a letter (especially because it's the client +# sending it). It wouldn't be crazy, though, if another protocol +# (besides Xunlei) used keep-alive in a way that did match this. But +# since I can't think of any examples, I'll assume it's ok for now. + +xunlei +^([()]|get)(...?.?.?(reg|get|query)|.+User-Agent: (Mozilla/4\.0 \(compatible; (MSIE 6\.0; Windows NT 5\.1;? ?\)|MSIE 5\.00; Windows 98\))))|Keep-Alive\x0d\x0a\x0d\x0a[26] + + +# This was the pattern until 2008 11 08. 
It is safer than the above against +# overmatching ordinary HTTP connections +#^[()]...?.?.?(reg|get|query) + +# More detail: +# From http://sourceforge.net/tracker/index.php?func=detail&aid=1885209&group_id=80085&atid=558668 +# +############################################################################## +# Date: 2008-02-03 +# Sender: hydr0g3n +# +# Xunlei (Chinese P2P) traffic is not matched anymore by layer7 xunlei +# pattern. It used to work in the past but not anymore. Maybe Xunlei was +# updated and pattern should be adapted? +# +# Apparently ipp2p was edited by Chinese people to detect pplive and xunlei. +# It is interesting and very recent: +# http://www.chinaunix.net/jh/4/914377.html +############################################################################## +# Date: 2008-02-03 +# Sender: quadong +# +# Ok. Only some of the ipp2p function can be translated into an l7-filter +# regular expression. The first part of search_xunlei can't be, since it +# works by checking whether the length of the packet matches a byte in the +# packet. The second part of search_xunlei becomes: +# +# \x20.?\x01?.?[\x01\x77]............?.?.?.?\x38 +# +# Or possibly: +# +# ^\x20.?\x01?.?[\x01\x77]............?.?.?.?\x38 +# +# I'm not sure whether IPP2P looks at every packet or only the first of each +# connection. +# +# udp_search_xunlei says: +# \x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff +# +# Again, putting a ^ at the beginning might work: +# +# ^(\x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff) +# +# So this *might* work: +# +# ^(\x20.?\x01?.?[\x01\x77]............?.?.?.?\x38|\x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff) +# +# but the ^ might be wrong and it will not match the HTTP part of Xunlei. +############################################################################## diff --git a/src/usr/local/share/protocols/yahoo.pat b/src/usr/local/share/protocols/yahoo.pat new file mode 100644 index 0000000..17595b8 --- /dev/null 
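Review bot: The `Keep-Alive\x0d\x0a\x0d\x0a[26]` alternative in xunlei.pat's regex is unanchored and its trailing `[26]` is never explained: the long header comment discusses the keep-alive overmatch risk at length but does not say what the `2` or `6` character following the blank line is or where it was observed. Since this is the branch the author already flags as the one most likely to misfire on ordinary HTTP, a comment above the regex recording the origin of that byte — `# [26] = <what this byte is and where it was observed>` — would let a later maintainer judge whether the branch is still justified or should revert to the pre-2008-11-08 pattern kept below. The xunlei hunk begins on the previous line of this listing.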
+++ b/src/usr/local/share/protocols/yahoo.pat
@@ -0,0 +1,27 @@
+# Yahoo messenger - an instant messenger protocol - http://yahoo.com
+# Pattern attributes: good fast fast
+# Protocol groups: chat proprietary
+# Wiki: http://www.protocolinfo.org/wiki/Yahoo_Messenger
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 5050
+#
+# This pattern has been tested and is believed to work well.
+
+yahoo
+# http://www.venkydude.com/articles/yahoo.htm says:
+# All Yahoo commands start with YMSG.
+# (Well... http://ethereal.com/faq.html#q5.32 suggests that YPNS and YHOO
+# are also possible, so let's allow those)
+# The next 7 bytes contain command (packet?) length and version information
+# which we won't currently try to match.
+# L means "YAHOO_SERVICE_VERIFY" according to Ethereal
+# W means "encryption challenge command" (YAHOO_SERVICE_AUTH)
+# T means "login command" (YAHOO_SERVICE_AUTHRESP)
+# (there are others, i.e. 0x01 "coming online", 0x02 "going offline",
+# 0x04 "changing status to available", 0x06 "user message", but W and T
+# should appear in the first few packets.)
+# 0xC080 is the standard argument separator, it should appear not long
+# after the "type of command" byte.
+
+^(ymsg|ypns|yhoo).?.?.?.?.?.?.?[lwt].*\xc0\x80
diff --git a/src/usr/local/share/protocols/zip.pat b/src/usr/local/share/protocols/zip.pat
new file mode 100644
index 0000000..e001354
--- /dev/null
+++ b/src/usr/local/share/protocols/zip.pat
@@ -0,0 +1,7 @@
+# ZIP - (PK|Win)Zip archive format
+# Pattern attributes: good notsofast notsofast subset
+# Protocol groups: file
+
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+zip
+pk\x03\x04\x14
diff --git a/src/usr/local/share/protocols/zmaap.pat b/src/usr/local/share/protocols/zmaap.pat
new file mode 100644
index 0000000..e741eca
--- /dev/null
+++ b/src/usr/local/share/protocols/zmaap.pat
@@ -0,0 +1,18 @@
+# ZMAAP - Zeroconf Multicast Address Allocation Protocol
+# Pattern attributes: ok veryfast fast
+# Protocol groups: networking ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/ZMAAP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# http://files.zeroconf.org/draft-ietf-zeroconf-zmaap-02.txt
+# (Note that this reference is an Internet-Draft, and therefore must
+# be considered a work in progress.)
+#
+# This pattern is untested!
+
+zmaap
+# - 4 byte magic number.
+# - 1 byte version. Allow 1 & 2, even though only version 1 currently exists.
+# - 1 byte message type,which is either 0 or 1
+# - 1 byte address family. L7-filter only works in IPv4, so this is 1.
+^\x1b\xd7\x3b\x48[\x01\x02]\x01?\x01
-- 
cgit v1.1
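Review bot: The message-type byte in zmaap.pat's `^\x1b\xd7\x3b\x48[\x01\x02]\x01?\x01` is written as optional (`\x01?`) while the comment above it says the type `is either 0 or 1`; the two only agree because l7-filter drops NUL bytes before matching (subspace.pat states this), and that dependency is not mentioned here. I would make the comment carry it: `# - 1 byte message type, 0 or 1; written as \x01? because l7-filter strips NULs, so a type-0 byte simply disappears.` Without that note the optional byte reads like a mistake, and it is also worth knowing that a type-0 message is then matched on magic, version and family alone.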