From c97ab82a7e6e2dc7f73cc594fbd50957c8bc1232 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ermal=20Lu=E7i?= Date: Tue, 10 Nov 2009 14:18:56 +0000 Subject: Update layer 7 protocol definitions and adding new regex definitions. --- usr/local/share/protocols/LICENSE | 605 +++++++++++++++++++++++ usr/local/share/protocols/audiogalaxy.pat | 19 + usr/local/share/protocols/code_red.pat | 8 + usr/local/share/protocols/dazhihui.pat | 11 + usr/local/share/protocols/exe.pat | 20 + usr/local/share/protocols/flash.pat | 18 + usr/local/share/protocols/gif.pat | 8 + usr/local/share/protocols/gtalk.pat | 11 + usr/local/share/protocols/guildwars.pat | 14 + usr/local/share/protocols/html.pat | 11 + usr/local/share/protocols/http-dap.pat | 19 + usr/local/share/protocols/http-freshdownload.pat | 17 + usr/local/share/protocols/http-itunes.pat | 14 + usr/local/share/protocols/httpaudio.pat | 32 ++ usr/local/share/protocols/httpcachehit.pat | 19 + usr/local/share/protocols/httpcachemiss.pat | 17 + usr/local/share/protocols/httpvideo.pat | 32 ++ usr/local/share/protocols/jpeg.pat | 8 + usr/local/share/protocols/mp3.pat | 11 + usr/local/share/protocols/nimda.pat | 8 + usr/local/share/protocols/ogg.pat | 7 + usr/local/share/protocols/pdf.pat | 11 + usr/local/share/protocols/perl.pat | 7 + usr/local/share/protocols/png.pat | 13 + usr/local/share/protocols/postscript.pat | 7 + usr/local/share/protocols/pplive.pat | 11 + usr/local/share/protocols/pressplay.pat | 15 + usr/local/share/protocols/quicktime.pat | 21 + usr/local/share/protocols/rar.pat | 7 + usr/local/share/protocols/rpm.pat | 7 + usr/local/share/protocols/rtf.pat | 8 + usr/local/share/protocols/runesofmagic.pat | 63 +++ usr/local/share/protocols/snmp-mon.pat | 32 ++ usr/local/share/protocols/snmp-trap.pat | 33 ++ usr/local/share/protocols/tar.pat | 12 + usr/local/share/protocols/tonghuashun.pat | 11 + usr/local/share/protocols/zip.pat | 7 + 37 files changed, 1174 insertions(+) create mode 100644 usr/local/share/protocols/LICENSE create mode 100644 usr/local/share/protocols/audiogalaxy.pat create mode 100644 usr/local/share/protocols/code_red.pat create mode 100644 usr/local/share/protocols/dazhihui.pat create mode 100644 usr/local/share/protocols/exe.pat create mode 100644 usr/local/share/protocols/flash.pat create mode 100644 usr/local/share/protocols/gif.pat create mode 100644 usr/local/share/protocols/gtalk.pat create mode 100644 usr/local/share/protocols/guildwars.pat create mode 100644 usr/local/share/protocols/html.pat create mode 100644 usr/local/share/protocols/http-dap.pat create mode 100644 usr/local/share/protocols/http-freshdownload.pat create mode 100644 usr/local/share/protocols/http-itunes.pat create mode 100644 usr/local/share/protocols/httpaudio.pat create mode 100644 usr/local/share/protocols/httpcachehit.pat create mode 100644 usr/local/share/protocols/httpcachemiss.pat create mode 100644 usr/local/share/protocols/httpvideo.pat create mode 100644 usr/local/share/protocols/jpeg.pat create mode 100644 usr/local/share/protocols/mp3.pat create mode 100644 usr/local/share/protocols/nimda.pat create mode 100644 usr/local/share/protocols/ogg.pat create mode 100644 usr/local/share/protocols/pdf.pat create mode 100644 usr/local/share/protocols/perl.pat create mode 100644 usr/local/share/protocols/png.pat create mode 100644 usr/local/share/protocols/postscript.pat create mode 100644 usr/local/share/protocols/pplive.pat create mode 100644 usr/local/share/protocols/pressplay.pat create mode 100644 usr/local/share/protocols/quicktime.pat create mode 100644 usr/local/share/protocols/rar.pat create mode 100644 usr/local/share/protocols/rpm.pat create mode 100644 usr/local/share/protocols/rtf.pat create mode 100644 usr/local/share/protocols/runesofmagic.pat create mode 100644 usr/local/share/protocols/snmp-mon.pat create mode 100644 usr/local/share/protocols/snmp-trap.pat create mode 100644 usr/local/share/protocols/tar.pat create mode 100644 usr/local/share/protocols/tonghuashun.pat create mode 100644 usr/local/share/protocols/zip.pat (limited to 'usr/local/share') diff --git a/usr/local/share/protocols/LICENSE b/usr/local/share/protocols/LICENSE new file mode 100644 index 0000000..49395f6 --- /dev/null +++ b/usr/local/share/protocols/LICENSE @@ -0,0 +1,605 @@ +You may distribute this software under either the GPLv2 or Creative +Commons Attribution-ShareAlike 2.5. The text of each follows: + +*************************************************************************** + + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 675 Mass Ave, Cambridge, MA 02139, USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + Appendix: How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) 19yy + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) 19yy name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. + +*************************************************************************** + + Creative Commons Legal Code + Attribution-ShareAlike 2.5 + + CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE + LEGAL SERVICES. DISTRIBUTION OF THIS LICENSE DOES NOT CREATE AN + ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS + INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES + REGARDING THE INFORMATION PROVIDED, AND DISCLAIMS LIABILITY FOR + DAMAGES RESULTING FROM ITS USE. + + License + + THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS + CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS + PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE + WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS + PROHIBITED. + + BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND + AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. THE LICENSOR GRANTS + YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF + SUCH TERMS AND CONDITIONS. + + 1. Definitions + a. "Collective Work" means a work, such as a periodical issue, + anthology or encyclopedia, in which the Work in its entirety in + unmodified form, along with a number of other contributions, + constituting separate and independent works in themselves, are + assembled into a collective whole. A work that constitutes a + Collective Work will not be considered a Derivative Work (as + defined below) for the purposes of this License. + b. "Derivative Work" means a work based upon the Work or upon the + Work and other pre-existing works, such as a translation, musical + arrangement, dramatization, fictionalization, motion picture + version, sound recording, art reproduction, abridgment, + condensation, or any other form in which the Work may be recast, + transformed, or adapted, except that a work that constitutes a + Collective Work will not be considered a Derivative Work for the + purpose of this License. For the avoidance of doubt, where the + Work is a musical composition or sound recording, the + synchronization of the Work in timed-relation with a moving image + ("synching") will be considered a Derivative Work for the purpose + of this License. + c. "Licensor" means the individual or entity that offers the Work + under the terms of this License. + d. "Original Author" means the individual or entity who created the + Work. + e. "Work" means the copyrightable work of authorship offered under + the terms of this License. + f. "You" means an individual or entity exercising rights under this + License who has not previously violated the terms of this License + with respect to the Work, or who has received express permission + from the Licensor to exercise rights under this License despite a + previous violation. + g. "License Elements" means the following high-level license + attributes as selected by Licensor and indicated in the title of + this License: Attribution, ShareAlike. + + 2. Fair Use Rights. Nothing in this license is intended to reduce, + limit, or restrict any rights arising from fair use, first sale or + other limitations on the exclusive rights of the copyright owner under + copyright law or other applicable laws. + + 3. License Grant. Subject to the terms and conditions of this License, + Licensor hereby grants You a worldwide, royalty-free, non-exclusive, + perpetual (for the duration of the applicable copyright) license to + exercise the rights in the Work as stated below: + a. to reproduce the Work, to incorporate the Work into one or more + Collective Works, and to reproduce the Work as incorporated in the + Collective Works; + b. to create and reproduce Derivative Works; + c. to distribute copies or phonorecords of, display publicly, perform + publicly, and perform publicly by means of a digital audio + transmission the Work including as incorporated in Collective + Works; + d. to distribute copies or phonorecords of, display publicly, perform + publicly, and perform publicly by means of a digital audio + transmission Derivative Works. + e. For the avoidance of doubt, where the work is a musical + composition: + i. Performance Royalties Under Blanket Licenses. Licensor waives + the exclusive right to collect, whether individually or via a + performance rights society (e.g. ASCAP, BMI, SESAC), + royalties for the public performance or public digital + performance (e.g. webcast) of the Work. + ii. Mechanical Rights and Statutory Royalties. Licensor waives + the exclusive right to collect, whether individually or via a + music rights society or designated agent (e.g. Harry Fox + Agency), royalties for any phonorecord You create from the + Work ("cover version") and distribute, subject to the + compulsory license created by 17 USC Section 115 of the US + Copyright Act (or the equivalent in other jurisdictions). + f. Webcasting Rights and Statutory Royalties. For the avoidance of + doubt, where the Work is a sound recording, Licensor waives the + exclusive right to collect, whether individually or via a + performance-rights society (e.g. SoundExchange), royalties for the + public digital performance (e.g. webcast) of the Work, subject to + the compulsory license created by 17 USC Section 114 of the US + Copyright Act (or the equivalent in other jurisdictions). + + The above rights may be exercised in all media and formats whether now + known or hereafter devised. The above rights include the right to make + such modifications as are technically necessary to exercise the rights + in other media and formats. All rights not expressly granted by + Licensor are hereby reserved. + + 4. Restrictions.The license granted in Section 3 above is expressly + made subject to and limited by the following restrictions: + a. You may distribute, publicly display, publicly perform, or + publicly digitally perform the Work only under the terms of this + License, and You must include a copy of, or the Uniform Resource + Identifier for, this License with every copy or phonorecord of the + Work You distribute, publicly display, publicly perform, or + publicly digitally perform. You may not offer or impose any terms + on the Work that alter or restrict the terms of this License or + the recipients' exercise of the rights granted hereunder. You may + not sublicense the Work. You must keep intact all notices that + refer to this License and to the disclaimer of warranties. You may + not distribute, publicly display, publicly perform, or publicly + digitally perform the Work with any technological measures that + control access or use of the Work in a manner inconsistent with + the terms of this License Agreement. The above applies to the Work + as incorporated in a Collective Work, but this does not require + the Collective Work apart from the Work itself to be made subject + to the terms of this License. If You create a Collective Work, + upon notice from any Licensor You must, to the extent practicable, + remove from the Collective Work any credit as required by clause + 4(c), as requested. If You create a Derivative Work, upon notice + from any Licensor You must, to the extent practicable, remove from + the Derivative Work any credit as required by clause 4(c), as + requested. + b. You may distribute, publicly display, publicly perform, or + publicly digitally perform a Derivative Work only under the terms + of this License, a later version of this License with the same + License Elements as this License, or a Creative Commons iCommons + license that contains the same License Elements as this License + (e.g. Attribution-ShareAlike 2.5 Japan). You must include a copy + of, or the Uniform Resource Identifier for, this License or other + license specified in the previous sentence with every copy or + phonorecord of each Derivative Work You distribute, publicly + display, publicly perform, or publicly digitally perform. You may + not offer or impose any terms on the Derivative Works that alter + or restrict the terms of this License or the recipients' exercise + of the rights granted hereunder, and You must keep intact all + notices that refer to this License and to the disclaimer of + warranties. You may not distribute, publicly display, publicly + perform, or publicly digitally perform the Derivative Work with + any technological measures that control access or use of the Work + in a manner inconsistent with the terms of this License Agreement. + The above applies to the Derivative Work as incorporated in a + Collective Work, but this does not require the Collective Work + apart from the Derivative Work itself to be made subject to the + terms of this License. + c. If you distribute, publicly display, publicly perform, or publicly + digitally perform the Work or any Derivative Works or Collective + Works, You must keep intact all copyright notices for the Work and + provide, reasonable to the medium or means You are utilizing: (i) + the name of the Original Author (or pseudonym, if applicable) if + supplied, and/or (ii) if the Original Author and/or Licensor + designate another party or parties (e.g. a sponsor institute, + publishing entity, journal) for attribution in Licensor's + copyright notice, terms of service or by other reasonable means, + the name of such party or parties; the title of the Work if + supplied; to the extent reasonably practicable, the Uniform + Resource Identifier, if any, that Licensor specifies to be + associated with the Work, unless such URI does not refer to the + copyright notice or licensing information for the Work; and in the + case of a Derivative Work, a credit identifying the use of the + Work in the Derivative Work (e.g., "French translation of the Work + by Original Author," or "Screenplay based on original Work by + Original Author"). Such credit may be implemented in any + reasonable manner; provided, however, that in the case of a + Derivative Work or Collective Work, at a minimum such credit will + appear where any other comparable authorship credit appears and in + a manner at least as prominent as such other comparable authorship + credit. + + 5. Representations, Warranties and Disclaimer + + UNLESS OTHERWISE AGREED TO BY THE PARTIES IN WRITING, LICENSOR OFFERS + THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND + CONCERNING THE MATERIALS, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, + INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, + FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF + LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF + ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW + THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY + TO YOU. + + 6. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY + APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY + LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR + EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, + EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. + + 7. Termination + a. This License and the rights granted hereunder will terminate + automatically upon any breach by You of the terms of this License. + Individuals or entities who have received Derivative Works or + Collective Works from You under this License, however, will not + have their licenses terminated provided such individuals or + entities remain in full compliance with those licenses. Sections + 1, 2, 5, 6, 7, and 8 will survive any termination of this License. + b. Subject to the above terms and conditions, the license granted + here is perpetual (for the duration of the applicable copyright in + the Work). Notwithstanding the above, Licensor reserves the right + to release the Work under different license terms or to stop + distributing the Work at any time; provided, however that any such + election will not serve to withdraw this License (or any other + license that has been, or is required to be, granted under the + terms of this License), and this License will continue in full + force and effect unless terminated as stated above. + + 8. Miscellaneous + a. Each time You distribute or publicly digitally perform the Work or + a Collective Work, the Licensor offers to the recipient a license + to the Work on the same terms and conditions as the license + granted to You under this License. + b. Each time You distribute or publicly digitally perform a + Derivative Work, Licensor offers to the recipient a license to the + original Work on the same terms and conditions as the license + granted to You under this License. + c. If any provision of this License is invalid or unenforceable under + applicable law, it shall not affect the validity or enforceability + of the remainder of the terms of this License, and without further + action by the parties to this agreement, such provision shall be + reformed to the minimum extent necessary to make such provision + valid and enforceable. + d. No term or provision of this License shall be deemed waived and no + breach consented to unless such waiver or consent shall be in + writing and signed by the party to be charged with such waiver or + consent. + e. This License constitutes the entire agreement between the parties + with respect to the Work licensed here. There are no + understandings, agreements or representations with respect to the + Work not specified here. Licensor shall not be bound by any + additional provisions that may appear in any communication from + You. This License may not be modified without the mutual written + agreement of the Licensor and You. + + Creative Commons is not a party to this License, and makes no warranty + whatsoever in connection with the Work. Creative Commons will not be + liable to You or any party on any legal theory for any damages + whatsoever, including without limitation any general, special, + incidental or consequential damages arising in connection to this + license. Notwithstanding the foregoing two (2) sentences, if Creative + Commons has expressly identified itself as the Licensor hereunder, it + shall have all rights and obligations of Licensor. + + Except for the limited purpose of indicating to the public that the + Work is licensed under the CCPL, neither party will use the trademark + "Creative Commons" or any related trademark or logo of Creative + Commons without the prior written consent of Creative Commons. Any + permitted use will be in compliance with Creative Commons' + then-current trademark usage guidelines, as may be published on its + website or otherwise made available upon request from time to time. + + Creative Commons may be contacted at http://creativecommons.org/. diff --git a/usr/local/share/protocols/audiogalaxy.pat b/usr/local/share/protocols/audiogalaxy.pat new file mode 100644 index 0000000..db1999a --- /dev/null +++ b/usr/local/share/protocols/audiogalaxy.pat @@ -0,0 +1,19 @@ +# Audiogalaxy - (defunct) Peer to Peer filesharing +# Pattern attributes: ok fast fast +# Protocol groups: p2p obsolete +# Wiki: http://protocolinfo.org/wiki/Audiogalaxy +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# http://www.movspclr.co.uk/info/agprotocol.html +# +# This pattern is untested. +# +# To get or provide more information about this protocol and/or pattern: +# http://www.protocolinfo.org/wiki/Audiogalaxy +# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers + +audiogalaxy +# (magic cookie that starts conversations)|(magic cookie that starts +# 0.606W/0.608W client/server conversations and a string that should always +# appear in login messages) +^(\x45\x5f\xd0\xd5|\x45\x5f.*0.60(6|8)W) diff --git a/usr/local/share/protocols/code_red.pat b/usr/local/share/protocols/code_red.pat new file mode 100644 index 0000000..df0beee --- /dev/null +++ b/usr/local/share/protocols/code_red.pat @@ -0,0 +1,8 @@ +# Code Red - a worm that attacks Microsoft IIS web servers +# Pattern attributes: ok fast notsofast subset +# Protocol groups: worm +# Wiki: http://www.protocolinfo.org/wiki/CodeRed +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE + +code_red +/default\.ida\?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a diff --git a/usr/local/share/protocols/dazhihui.pat b/usr/local/share/protocols/dazhihui.pat new file mode 100644 index 0000000..032440c --- /dev/null +++ b/usr/local/share/protocols/dazhihui.pat @@ -0,0 +1,11 @@ +# Dazhihui - stock analysis and trading; Chinese - http://www.gw.com.cn +# Pattern attributes: fast fast ok +# Protocol groups: +# Wiki: http://www.protocolinfo.org/wiki/Dazhihui +# Copyright (C) 2009 Matthew Strait; See ../LICENSE + +# Pattern contributed by liangjun without comment. + +dazhihui +^(longaccoun|qsver2auth|\x35[57]\x30|\+\x10\*) + diff --git a/usr/local/share/protocols/exe.pat b/usr/local/share/protocols/exe.pat new file mode 100644 index 0000000..0a16e2a --- /dev/null +++ b/usr/local/share/protocols/exe.pat @@ -0,0 +1,20 @@ +# Executable - Microsoft PE file format. +# Pattern attributes: good notsofast notsofast subset +# Protocol groups: file + +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# Thanks to Brandon Enright [bmenrighATucsd.edu] + +# This pattern doesn't techincally match the PE file format but rather the +# MZ stub program Microsoft uses for backwards compatibility with DOS. +# That means this will correctly match DOS executables too. + +exe +# There are two different stubs used depending on the compiler/packer. +# Numerous NULL bytes have been stripped from this pattern. + +# This pattern may be more efficient: +# \x4d\x5a\x90\x03\x04|\x4d\x5a\x50\x02\x04 + +# This is easier to understand: +\x4d\x5a(\x90\x03|\x50\x02)\x04 diff --git a/usr/local/share/protocols/flash.pat b/usr/local/share/protocols/flash.pat new file mode 100644 index 0000000..23e5d74 --- /dev/null +++ b/usr/local/share/protocols/flash.pat @@ -0,0 +1,18 @@ +# Flash - Macromedia Flash. +# Pattern attributes: good slow notsofast subset +# Protocol groups: file + +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# Thanks to Brandon Enright {bmenrigh AT ucsd.edu} and chinalantian at +# 126 dot com + +# Macromedia spec: +# http://download.macromedia.com/pub/flash/flash_file_format_specification.pdf +# See also: +# http://www.digitalpreservation.gov/formats/fdd/fdd000130.shtml +# http://osflash.org/flv + +flash +# FWS = uncompressed, CWS = compressed, next byte is version number +# FLV = video +[FC]WS[\x01-\x09]|FLV\x01\x05\x09 diff --git a/usr/local/share/protocols/gif.pat b/usr/local/share/protocols/gif.pat new file mode 100644 index 0000000..d54ed91 --- /dev/null +++ b/usr/local/share/protocols/gif.pat @@ -0,0 +1,8 @@ +# GIF - Popular Image format. +# Pattern attributes: good notsofast notsofast subset +# Protocol groups: file + +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +gif +# drawn from /usr/share/magic +GIF8(7|9)a diff --git a/usr/local/share/protocols/gtalk.pat b/usr/local/share/protocols/gtalk.pat new file mode 100644 index 0000000..aa538ca --- /dev/null +++ b/usr/local/share/protocols/gtalk.pat @@ -0,0 +1,11 @@ +# GTalk, a Jabber (XMPP) client +# Pattern attributes: good veryfast fast subset +# Protocol groups: chat ietf_proposed_standard +# Wiki: http://www.protocolinfo.org/wiki/Jabber +# Copyright (C) 2009 Matthew Strait; See ../LICENSE + +# See ../protocols/jabber.pat for more details + +gtalk +^ diff --git a/usr/local/share/protocols/http-dap.pat b/usr/local/share/protocols/http-dap.pat new file mode 100644 index 0000000..216d8d6 --- /dev/null +++ b/usr/local/share/protocols/http-dap.pat @@ -0,0 +1,19 @@ +# HTTP by Download Accelerator Plus - http://www.speedbit.com +# Pattern attributes: good notsofast notsofast subset +# Protocol groups: document_retrieval ietf_draft_standard +# Wiki: http://protocolinfo.org/wiki/HTTP +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# Uses HTTP to download. + +http-dap + +# DAP identifies itself in the User-Agent field of every HTTP request it +# makes. This is pretty trivial to get around if speedbit.com ever +# wanted to. + +# The latest version uses "User-Agent: DA 7.0". The additional version +# allowance is an attempt at "future proofing". + +User-Agent: DA [678]\.[0-9] + diff --git a/usr/local/share/protocols/http-freshdownload.pat b/usr/local/share/protocols/http-freshdownload.pat new file mode 100644 index 0000000..a342e86 --- /dev/null +++ b/usr/local/share/protocols/http-freshdownload.pat @@ -0,0 +1,17 @@ +# HTTP by Fresh Download - http://www.freshdevices.com +# Pattern attributes: good notsofast notsofast subset +# Protocol groups: document_retrieval ietf_draft_standard +# Wiki: http://protocolinfo.org/wiki/HTTP +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# Uses HTTP to download. + +http-freshdownload + +# Fresh Download identifies itself in the User-Agent field of every HTTP +# request it makes. + +# The latest version uses "User-Agent: FreshDownload/4.40". The +# additional version allowance is an attempt at "future proofing". + +User-Agent: FreshDownload/[456](\.[0-9][0-9]?)? + diff --git a/usr/local/share/protocols/http-itunes.pat b/usr/local/share/protocols/http-itunes.pat new file mode 100644 index 0000000..fd44ee4 --- /dev/null +++ b/usr/local/share/protocols/http-itunes.pat @@ -0,0 +1,14 @@ +# HTTP - iTunes (Apple's music program) +# Pattern attributes: good notsofast notsofast subset +# Protocol groups: streaming_audio ietf_draft_standard +# Wiki: http://protocolinfo.org/wiki/HTTP +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# Port 80 +# iTunes program basically uses the HTTP protocol for its initial +# communication. +# Pattern contributed by Deepak Seshadri + +http-itunes +http/(0\.9|1\.0|1\.1).*(user-agent: itunes) + diff --git a/usr/local/share/protocols/httpaudio.pat b/usr/local/share/protocols/httpaudio.pat new file mode 100644 index 0000000..c6cdd9a --- /dev/null +++ b/usr/local/share/protocols/httpaudio.pat @@ -0,0 +1,32 @@ +# HTTP - Audio over HyperText Transfer Protocol (RFC 2616) +# Pattern attributes: good notsofast notsofast subset +# Protocol groups: streaming_audio document_retrieval ietf_draft_standard +# Wiki: http://protocolinfo.org/wiki/HTTP +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# Usually runs on port 80 +# +# Contributed by Deepak Seshadri +# +# This pattern has been tested and is believed to work well. +# +# To get or provide more information about this protocol and/or pattern: +# http://www.protocolinfo.org/wiki/HTTP +# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers +# +# If you use this, you should be aware that: +# +# - they match both simple downloads of audio/video and streaming content. +# +# - blocking based on content-type encourages server +# writers/administrators to misreport content-type (which will just make +# headaches for everyone, including us), so I would strongly recommend +# shaping audio/video down to a speed that discourages use of streaming +# players without actually blocking it. +# +# - obviously, since this is a subset of HTTP, you need to match it +# earlier in your iptables rules than HTTP. + +httpaudio +http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(content-type: audio) + diff --git a/usr/local/share/protocols/httpcachehit.pat b/usr/local/share/protocols/httpcachehit.pat new file mode 100644 index 0000000..41cb099 --- /dev/null +++ b/usr/local/share/protocols/httpcachehit.pat @@ -0,0 +1,19 @@ +# HTTP - Proxy Cache hit for HyperText Transfer Protocol (RFC 2616) +# Pattern attributes: good notsofast notsofast subset +# Protocol groups: document_retrieval ietf_draft_standard +# Wiki: http://protocolinfo.org/wiki/HTTP +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# Usually runs on port 80 +# +# Contributed by Francesco Del Degan +# +# This pattern has been tested and is believed to work well. +# +# To get or provide more information about this protocol and/or pattern: +# http://www.protocolinfo.org/wiki/HTTP +# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers + +httpcachehit +http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(x-cache: hit) + diff --git a/usr/local/share/protocols/httpcachemiss.pat b/usr/local/share/protocols/httpcachemiss.pat new file mode 100644 index 0000000..09ac6cd --- /dev/null +++ b/usr/local/share/protocols/httpcachemiss.pat @@ -0,0 +1,17 @@ +# HTTP - Proxy Cache miss for HyperText Transfer Protocol (RFC 2616) +# Pattern attributes: good notsofast notsofast subset +# Protocol groups: document_retrieval ietf_draft_standard +# Wiki: http://protocolinfo.org/wiki/HTTP +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# Usually runs on port 80 +# +# This pattern has been tested and is believed to work well. +# +# To get or provide more information about this protocol and/or pattern: +# http://www.protocolinfo.org/wiki/HTTP +# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers + +httpcachemiss +http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(x-cache: miss) + diff --git a/usr/local/share/protocols/httpvideo.pat b/usr/local/share/protocols/httpvideo.pat new file mode 100644 index 0000000..4a75ce0 --- /dev/null +++ b/usr/local/share/protocols/httpvideo.pat @@ -0,0 +1,32 @@ +# HTTP - Video over HyperText Transfer Protocol (RFC 2616) +# Pattern attributes: good notsofast notsofast subset +# Protocol groups: streaming_video document_retrieval ietf_draft_standard +# Wiki: http://protocolinfo.org/wiki/HTTP +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# Usually runs on port 80 +# +# Contributed by Deepak Seshadri +# +# This pattern has been tested and is believed to work well. +# +# To get or provide more information about this protocol and/or pattern: +# http://www.protocolinfo.org/wiki/HTTP +# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers +# +# If you use this, you should be aware that: +# +# - they match both simple downloads of audio/video and streaming content. +# +# - blocking based on content-type encourages server +# writers/administrators to misreport content-type (which will just make +# headaches for everyone, including us), so I would strongly recommend +# shaping audio/video down to a speed that discourages use of streaming +# players without actually blocking it. +# +# - obviously, since this is a subset of HTTP, you need to match it +# earlier in your iptables rules than HTTP. + +httpvideo +http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(content-type: video) + diff --git a/usr/local/share/protocols/jpeg.pat b/usr/local/share/protocols/jpeg.pat new file mode 100644 index 0000000..fd1a249 --- /dev/null +++ b/usr/local/share/protocols/jpeg.pat @@ -0,0 +1,8 @@ +# JPEG - Joint Picture Expert Group image format. +# Pattern attributes: ok fast notsofast subset +# Protocol groups: file + +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +jpeg +# drawn from /usr/share/magic +\xff\xd8 diff --git a/usr/local/share/protocols/mp3.pat b/usr/local/share/protocols/mp3.pat new file mode 100644 index 0000000..1b60a4c --- /dev/null +++ b/usr/local/share/protocols/mp3.pat @@ -0,0 +1,11 @@ +# MP3 - Moving Picture Experts Group Audio Layer III +# Pattern attributes: good notsofast notsofast subset +# Protocol groups: file + +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# By LanTian (chinalantian at 126 d.t com) + +# Only matches the standard MP3 form, non-standard files might not be matched. + +mp3 +\x49\x44\x33\x03 diff --git a/usr/local/share/protocols/nimda.pat b/usr/local/share/protocols/nimda.pat new file mode 100644 index 0000000..86c7ce1 --- /dev/null +++ b/usr/local/share/protocols/nimda.pat @@ -0,0 +1,8 @@ +# Nimda - a worm that attacks Microsoft IIS web servers, and MORE! +# Pattern attributes: ok notsofast notsofast subset +# Protocol groups: worm +# Wiki: http://www.protocolinfo.org/wiki/Nimda +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE + +nimda +GET (/scripts/root\.exe\?/c\+dir|/MSADC/root\.exe\?/c\+dir|/c/winnt/system32/cmd\.exe\?/c\+dir|/d/winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/_vti_bin/\.\.%5c\.\./\.\.%5c\.\./\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/_mem_bin/\.\.%5c\.\./\.\.%5c\.\./\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/msadc/\.\.%5c\.\./\.\.%5c\.\./\.\.%5c/\.\.\xc1\x1c\.\./\.\.\xc1\x1c\.\./\.\.\xc1\x1c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc1\x1c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc0/\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc0\xaf\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc1\x9c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%35c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%35c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%2f\.\./winnt/system32/cmd\.exe\?/c\+dir) diff --git a/usr/local/share/protocols/ogg.pat b/usr/local/share/protocols/ogg.pat new file mode 100644 index 0000000..d9ba377 --- /dev/null +++ b/usr/local/share/protocols/ogg.pat @@ -0,0 +1,7 @@ +# Ogg - Ogg Vorbis music format (not any ogg file, just vorbis) +# Pattern attributes: ok notsofast notsofast subset +# Protocol groups: file + +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +ogg +oggs.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?\x01vorbis diff --git a/usr/local/share/protocols/pdf.pat b/usr/local/share/protocols/pdf.pat new file mode 100644 index 0000000..0c0e5f9 --- /dev/null +++ b/usr/local/share/protocols/pdf.pat @@ -0,0 +1,11 @@ +# PDF - Portable Document Format - Postscript-like format by Adobe +# Pattern attributes: good fast notsofast subset +# Protocol groups: file +# +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# This pattern has been tested and is believe to work well. + +# Matches PDF versions 1.0 - 1.6 (not sure if 1.6 exists yet, but it probably +# will. +pdf +%PDF-1\.[0123456] diff --git a/usr/local/share/protocols/perl.pat b/usr/local/share/protocols/perl.pat new file mode 100644 index 0000000..822986b --- /dev/null +++ b/usr/local/share/protocols/perl.pat @@ -0,0 +1,7 @@ +# Perl - A scripting language by Larry Wall. +# Pattern attributes: good fast notsofast subset +# Protocol groups: file + +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +perl +\#! ?/(usr/(local/)?)?bin/perl diff --git a/usr/local/share/protocols/png.pat b/usr/local/share/protocols/png.pat new file mode 100644 index 0000000..33aafda --- /dev/null +++ b/usr/local/share/protocols/png.pat @@ -0,0 +1,13 @@ +# PNG - Portable Network Graphics, a popular image format +# Pattern attributes: good fast notsofast subset +# Protocol groups: file + +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# Contributed by Radovan Josth. Tested at least a bit. + +png +# drawn from /usr/share/magic +\x89PNG\x0d\x0a\x1a\x0a + +# this is probably sufficient, but by default let's use the longer version +# \x89PNG diff --git a/usr/local/share/protocols/postscript.pat b/usr/local/share/protocols/postscript.pat new file mode 100644 index 0000000..456ac21 --- /dev/null +++ b/usr/local/share/protocols/postscript.pat @@ -0,0 +1,7 @@ +# Postscript - Printing Language +# Pattern attributes: good fast notsofast subset +# Protocol groups: file + +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +postscript +%!ps diff --git a/usr/local/share/protocols/pplive.pat b/usr/local/share/protocols/pplive.pat new file mode 100644 index 0000000..42fef72 --- /dev/null +++ b/usr/local/share/protocols/pplive.pat @@ -0,0 +1,11 @@ +# PPLive - Chinese P2P streaming video - http://pplive.com +# Pattern attributes: ok notsofast notsofast +# Protocol groups: p2p streaming_video proprietary +# Wiki: http://www.protocolinfo.org/wiki/PPLive +# Copyright (C) 2008 Matthew Strait; See ../LICENSE + +# By liangjun, who says that it works. It may be easily improvable with +# a bit more testing. + +pplive +\x01...\xd3.+\x0c.$ diff --git a/usr/local/share/protocols/pressplay.pat b/usr/local/share/protocols/pressplay.pat new file mode 100644 index 0000000..cd814cc --- /dev/null +++ b/usr/local/share/protocols/pressplay.pat @@ -0,0 +1,15 @@ +# pressplay - A legal music distribution site - http://pressplay.com +# Pattern attributes: ok notsofast notsofast +# Protocol groups: document_retrieval obsolete proprietary +# Wiki: http://www.protocolinfo.org/wiki/Pressplay +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# This pattern was "contributed" (taken with permission) by the bandwidth +# arbitrator project (www.bandwidtharbitrator.com). +# +# This pattern is unconfirmed. + +pressplay +# can we do better than this? +user-agent: nsplayer + diff --git a/usr/local/share/protocols/quicktime.pat b/usr/local/share/protocols/quicktime.pat new file mode 100644 index 0000000..5a6273d --- /dev/null +++ b/usr/local/share/protocols/quicktime.pat @@ -0,0 +1,21 @@ +# Quicktime HTTP +# Pattern attributes: good notsofast notsofast subset +# Protocol groups: streaming_video streaming_audio ietf_draft_standard +# Wiki: http://protocolinfo.org/wiki/HTTP +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# This pattern has been tested and is believed to work well. +# (Quick Time v6.5.1 downloading from www.apple.com/trailers) +# +# To get or provide more information about this protocol and/or pattern: +# http://www.protocolinfo.org/wiki/HTTP +# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers +# +# Since this is a subset of HTTP, it should be put earlier in the packet +# filtering chain than HTTP. Also, please don't use this to block Quicktime. +# If you must do that, you should use a filtering HTTP proxy, which is probably +# more accurate. + +quicktime +user-agent: quicktime \(qtver=[0-9].[0-9].[0-9];os=[\x09-\x0d -~]+\)\x0d\x0a + diff --git a/usr/local/share/protocols/rar.pat b/usr/local/share/protocols/rar.pat new file mode 100644 index 0000000..1332af1 --- /dev/null +++ b/usr/local/share/protocols/rar.pat @@ -0,0 +1,7 @@ +# RAR - The WinRAR archive format +# Pattern attributes: good notsofast notsofast subset +# Protocol groups: file + +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +rar +rar\x21\x1a\x07 diff --git a/usr/local/share/protocols/rpm.pat b/usr/local/share/protocols/rpm.pat new file mode 100644 index 0000000..0302839 --- /dev/null +++ b/usr/local/share/protocols/rpm.pat @@ -0,0 +1,7 @@ +# RPM - Redhat Package Management packages +# Pattern attributes: good fast notsofast subset +# Protocol groups: file + +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +rpm +\xed\xab\xee\xdb.?.?.?.?[1-7] diff --git a/usr/local/share/protocols/rtf.pat b/usr/local/share/protocols/rtf.pat new file mode 100644 index 0000000..676cb1a --- /dev/null +++ b/usr/local/share/protocols/rtf.pat @@ -0,0 +1,8 @@ +# RTF - Rich Text Format - an open document format +# Pattern attributes: good fast notsofast subset +# Protocol groups: file + +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +rtf +\{\\rtf[12] + diff --git a/usr/local/share/protocols/runesofmagic.pat b/usr/local/share/protocols/runesofmagic.pat new file mode 100644 index 0000000..6fbfea4 --- /dev/null +++ b/usr/local/share/protocols/runesofmagic.pat @@ -0,0 +1,63 @@ +# Runes of Magic - game - http://www.runesofmagic.com +# Pattern attributes: ok veryfast fast +# Protocol groups: game proprietary +# Wiki: http://www.protocolinfo.org/wiki/Runes_of_Magic +# Copyright (C) 2008 Matthew Strait; See ../LICENSE + +runesofmagic +^\x10\x03...........\x0a\x02.....\x0e +# See below (this is also veryfast fast) +#^\x10\x03...........?\x0a\x02.....?$ + +# Greatwolf captured the following: +# +# Server: +# +# 10 00 00 00 03 78 76 7a 1e 8a dd b5 95 a3 3a de .....xvz ......:. +# 0a 00 00 00 02 df 85 cc cc cc ........ .. +# +# Client reply: +# +# 0e 00 00 00 02 28 82 cc cc cc 8b c9 cc cc .....(.. ...... +# +# Server: +# +# 2e 00 00 00 02 1e 7f f4 f4 f4 ef f4 f4 f4 b3 8c ........ ........ +# [...] +# +# And says: "Bytes 10 00 00 00 03, 0a 00 00 00 02 and 0e (client reply) +# were consistently present. +# +# ^\x10\x03...........\x0a\x02.....\x0e +# +# Pattern was able to match during the closed beta period. It is still +# matching okay after RoM started open beta but could definitely use +# more testing from others to verify effectiveness." +# +# Matthew Strait says: +# +# * If the server consistently sends those four bytes in the first packet, +# it is probably wasteful to wait for the next (client) packet before +# matching. +# +# * If we switch the match strategy to just looking at the first packet, and +# the first packet is always the same (or nearly the same) length, we can +# anchor (i.e. use a '$') at the end of the packet. +# +# * When there's a string of bytes that I don't understand and that take +# different values from connection to connection, I think it's good to allow +# for the possibility that at least one might be \x00, and so I'd make one +# of the "." into ".?", unless you *know* that \x00 is impossible somehow. +# +# * All of those \xcc bytes don't look random to me. Your comments suggest +# that it isn't always exactly like that, but is there always pattern of +# repeated bytes or something else that might be useful? It probably isn't +# necessary to exploit this, since it looks like there's already enough to +# go with, but it would be nice to understand. +# +# So perhaps it would be an improvement to use: +# +# ^\x10\x03...........?\x0a\x02.....?$ +# +# but this depends on the assumptions I made above. + diff --git a/usr/local/share/protocols/snmp-mon.pat b/usr/local/share/protocols/snmp-mon.pat new file mode 100644 index 0000000..fe22662 --- /dev/null +++ b/usr/local/share/protocols/snmp-mon.pat @@ -0,0 +1,32 @@ +# SNMP Monitoring - Simple Network Management Protocol (RFC1157) +# Pattern attributes: good veryfast fast subset +# Protocol groups: networking ietf_internet_standard +# Wiki: http://en.wikipedia.org/wiki/SNMP +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# Usually runs on UDP ports 161 +# +# These filters match SNMPv1 packets without fail, and are made +# as specific as possible not to match any ASN.1 encoded protocols. +# However these could still be matched by other protocols that +# use ASN.1 encoding + +# Contributed by Goli SriSairam + +# This pattern has been tested and is believe to work well. +# +# To get or provide more information about this protocol and/or pattern: +# http://www.protocolinfo.org/wiki/SNMP +# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers + +# SNMPv1 GET/GETNEXT/SET request and response +# matches SNMP header +# version \x02\x01 +# community \x04.+ +# PDU type [\xa0-\xa3] (GET/GETNEXT/SET/GETRESPONSE) +# RequestId \x02[\x01-\x04].?.?.?.? +# errorStatus \x02\x01.? +# errorIndex \x02\x01.? +# varbinds start \x30 +snmp-mon +^\x02\x01\x04.+[\xa0-\xa3]\x02[\x01-\x04].?.?.?.?\x02\x01.?\x02\x01.?\x30 diff --git a/usr/local/share/protocols/snmp-trap.pat b/usr/local/share/protocols/snmp-trap.pat new file mode 100644 index 0000000..e8ba19a --- /dev/null +++ b/usr/local/share/protocols/snmp-trap.pat @@ -0,0 +1,33 @@ +# SNMP Traps - Simple Network Management Protocol (RFC1157) +# Pattern attributes: good veryfast fast subset +# Protocol groups: networking ietf_internet_standard +# Wiki: http://en.wikipedia.org/wiki/SNMP +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +# +# Usually runs on UDP ports 162 +# +# These filters match SNMPv1 packets without fail, and are made +# as specific as possible not to match any ASN.1 encoded protocols. +# However these could still be matched by other protocols that +# use ASN.1 encoding + +# Contributed by Goli SriSairam + +# This pattern has been tested and is believe to work well. +# +# To get or provide more information about this protocol and/or pattern: +# http://www.protocolinfo.org/wiki/SNMP +# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers + +# SNMPv1 Trap +# matches SNMP trap header +# version \x02\x01 +# community string \x04.+ +# PDU type \xa4 (TRAP) +# enterprise \x06.+ +# agent address \x40\x04\.?.?.?.? +# trap type \x02\x01.? +# specific trap type \x02\x01.? +# timestamp \x43 +snmp-trap +^\x02\x01\x04.+\xa4\x06.+\x40\x04.?.?.?.?\x02\x01.?\x02\x01.?\x43 diff --git a/usr/local/share/protocols/tar.pat b/usr/local/share/protocols/tar.pat new file mode 100644 index 0000000..d3ea987 --- /dev/null +++ b/usr/local/share/protocols/tar.pat @@ -0,0 +1,12 @@ +# Tar - tape archive. Standard UNIX file archiver, not just for tapes. +# Pattern attributes: good notsofast notsofast subset +# Protocol groups: file + +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +tar +# /usr/share/magic +## POSIX tar archives +#257 string ustar\0 POSIX tar archive +#257 string ustar\040\040\0 GNU tar archive +# this is pretty general. It's not a dictionary word, but still... +ustar diff --git a/usr/local/share/protocols/tonghuashun.pat b/usr/local/share/protocols/tonghuashun.pat new file mode 100644 index 0000000..45f838b --- /dev/null +++ b/usr/local/share/protocols/tonghuashun.pat @@ -0,0 +1,11 @@ +# Tonghuashun - stock analysis and trading; Chinese - http://www.10jqka.com.cn +# Pattern attributes: ok fast fast +# Protocol groups: +# Wiki: http://www.protocolinfo.org/wiki/Tonghuashun +# Copyright (C) 2009 Matthew Strait; See ../LICENSE + +# Pattern contributed by liangjun without comment. + +tonghuashun +^(GET /docookie\.php\?uname=|\xfd\xfd\xfd\xfd\x30\x30\x30\x30\x30) + diff --git a/usr/local/share/protocols/zip.pat b/usr/local/share/protocols/zip.pat new file mode 100644 index 0000000..e001354 --- /dev/null +++ b/usr/local/share/protocols/zip.pat @@ -0,0 +1,7 @@ +# ZIP - (PK|Win)Zip archive format +# Pattern attributes: good notsofast notsofast subset +# Protocol groups: file + +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE +zip +pk\x03\x04\x14 -- cgit v1.1