From 66f2dd0e4cf28af5b4511a1bc06a93feaf712d9a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ermal=20Lu=E7i?= Date: Tue, 10 Nov 2009 14:20:14 +0000 Subject: Second pass at updateing protocol definitions. --- usr/local/share/protocols/100bao.pat | 1 + usr/local/share/protocols/aim.pat | 1 + usr/local/share/protocols/aimwebcontent.pat | 1 + usr/local/share/protocols/applejuice.pat | 1 + usr/local/share/protocols/ares.pat | 1 + usr/local/share/protocols/armagetron.pat | 1 + usr/local/share/protocols/battlefield1942.pat | 1 + usr/local/share/protocols/battlefield2.pat | 1 + usr/local/share/protocols/battlefield2142.pat | 3 +- usr/local/share/protocols/bgp.pat | 1 + usr/local/share/protocols/biff.pat | 3 +- usr/local/share/protocols/bittorrent.pat | 10 ++- usr/local/share/protocols/chikka.pat | 5 +- usr/local/share/protocols/cimd.pat | 1 + usr/local/share/protocols/ciscovpn.pat | 1 + usr/local/share/protocols/citrix.pat | 1 + usr/local/share/protocols/counterstrike-source.pat | 1 + usr/local/share/protocols/cvs.pat | 1 + usr/local/share/protocols/dayofdefeat-source.pat | 1 + usr/local/share/protocols/dhcp.pat | 1 + usr/local/share/protocols/directconnect.pat | 1 + usr/local/share/protocols/dns.pat | 1 + usr/local/share/protocols/doom3.pat | 1 + usr/local/share/protocols/edonkey.pat | 3 +- usr/local/share/protocols/fasttrack.pat | 1 + usr/local/share/protocols/finger.pat | 1 + usr/local/share/protocols/freenet.pat | 1 + usr/local/share/protocols/ftp.pat | 1 + usr/local/share/protocols/gkrellm.pat | 1 + usr/local/share/protocols/gnucleuslan.pat | 1 + usr/local/share/protocols/gnutella.pat | 1 + usr/local/share/protocols/goboogy.pat | 1 + usr/local/share/protocols/gopher.pat | 1 + usr/local/share/protocols/h323.pat | 1 + usr/local/share/protocols/halflife2-deathmatch.pat | 1 + usr/local/share/protocols/hddtemp.pat | 1 + usr/local/share/protocols/hotline.pat | 1 + usr/local/share/protocols/http-rtsp.pat | 3 +- usr/local/share/protocols/http.pat | 1 + usr/local/share/protocols/ident.pat | 1 + usr/local/share/protocols/imap.pat | 3 +- 
usr/local/share/protocols/imesh.pat | 3 +- usr/local/share/protocols/ipp.pat | 1 + usr/local/share/protocols/irc.pat | 3 +- usr/local/share/protocols/jabber.pat | 1 + usr/local/share/protocols/kugoo.pat | 15 +++-- usr/local/share/protocols/live365.pat | 1 + usr/local/share/protocols/liveforspeed.pat | 3 +- usr/local/share/protocols/lpd.pat | 1 + usr/local/share/protocols/mohaa.pat | 1 + usr/local/share/protocols/msn-filetransfer.pat | 3 +- usr/local/share/protocols/msnmessenger.pat | 1 + usr/local/share/protocols/mute.pat | 3 +- usr/local/share/protocols/napster.pat | 1 + usr/local/share/protocols/nbns.pat | 1 + usr/local/share/protocols/ncp.pat | 3 +- usr/local/share/protocols/netbios.pat | 1 + usr/local/share/protocols/nntp.pat | 3 +- usr/local/share/protocols/ntp.pat | 1 + usr/local/share/protocols/openft.pat | 3 +- usr/local/share/protocols/pcanywhere.pat | 1 + usr/local/share/protocols/poco.pat | 1 + usr/local/share/protocols/pop3.pat | 3 +- usr/local/share/protocols/qq.pat | 3 +- usr/local/share/protocols/quake-halflife.pat | 1 + usr/local/share/protocols/quake1.pat | 1 + usr/local/share/protocols/radmin.pat | 1 + usr/local/share/protocols/rdp.pat | 1 + usr/local/share/protocols/replaytv-ivs.pat | 5 +- usr/local/share/protocols/rlogin.pat | 3 +- usr/local/share/protocols/rtp.pat | 39 +++++------ usr/local/share/protocols/rtsp.pat | 1 + usr/local/share/protocols/shoutcast.pat | 1 + usr/local/share/protocols/sip.pat | 14 ++-- usr/local/share/protocols/skypeout.pat | 1 + usr/local/share/protocols/skypetoskype.pat | 1 + usr/local/share/protocols/smb.pat | 1 + usr/local/share/protocols/smtp.pat | 1 + usr/local/share/protocols/snmp.pat | 1 + usr/local/share/protocols/socks.pat | 1 + usr/local/share/protocols/soribada.pat | 1 + usr/local/share/protocols/soulseek.pat | 1 + usr/local/share/protocols/ssdp.pat | 1 + usr/local/share/protocols/ssh.pat | 1 + usr/local/share/protocols/ssl.pat | 1 + usr/local/share/protocols/stun.pat | 1 + 
usr/local/share/protocols/subspace.pat | 1 + usr/local/share/protocols/subversion.pat | 1 + usr/local/share/protocols/teamfortress2.pat | 1 + usr/local/share/protocols/teamspeak.pat | 1 + usr/local/share/protocols/telnet.pat | 1 + usr/local/share/protocols/tesla.pat | 1 + usr/local/share/protocols/tftp.pat | 3 +- usr/local/share/protocols/thecircle.pat | 1 + usr/local/share/protocols/tor.pat | 1 + usr/local/share/protocols/tsp.pat | 1 + usr/local/share/protocols/unknown.pat | 1 + usr/local/share/protocols/unset.pat | 2 +- usr/local/share/protocols/uucp.pat | 1 + usr/local/share/protocols/validcertssl.pat | 3 +- usr/local/share/protocols/ventrilo.pat | 1 + usr/local/share/protocols/vnc.pat | 1 + usr/local/share/protocols/whois.pat | 1 + usr/local/share/protocols/worldofwarcraft.pat | 1 + usr/local/share/protocols/x11.pat | 3 +- usr/local/share/protocols/xboxlive.pat | 3 +- usr/local/share/protocols/xunlei.pat | 77 ++++++++++++++++++++-- usr/local/share/protocols/yahoo.pat | 1 + usr/local/share/protocols/zmaap.pat | 1 + 109 files changed, 240 insertions(+), 68 deletions(-) (limited to 'usr') diff --git a/usr/local/share/protocols/100bao.pat b/usr/local/share/protocols/100bao.pat index 66bb5c9..a03a891 100644 --- a/usr/local/share/protocols/100bao.pat +++ b/usr/local/share/protocols/100bao.pat @@ -2,6 +2,7 @@ # Pattern attributes: ok veryfast fast # Protocol groups: p2p # Wiki: http://www.protocolinfo.org/wiki/100Bao +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # Pattern written by www.routerclub.com's wsgtrsys. # The author of this pattern says it works, but this is unconfirmed. diff --git a/usr/local/share/protocols/aim.pat b/usr/local/share/protocols/aim.pat index e26a3c4..5c43930 100644 --- a/usr/local/share/protocols/aim.pat +++ b/usr/local/share/protocols/aim.pat 
@@ -2,6 +2,7 @@ # Pattern attributes: good slow notsofast # Protocol groups: chat proprietary # Wiki: http://www.protocolinfo.org/wiki/AIM +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # Usually runs on port 5190 # diff --git a/usr/local/share/protocols/aimwebcontent.pat b/usr/local/share/protocols/aimwebcontent.pat index af34d5b..bc9a22d 100644 --- a/usr/local/share/protocols/aimwebcontent.pat +++ b/usr/local/share/protocols/aimwebcontent.pat @@ -2,6 +2,7 @@ # Pattern attributes: good notsofast notsofast # Protocol groups: chat document_retrieval proprietary # Wiki: http://www.protocolinfo.org/wiki/AIM +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # This pattern has been tested and is believed to work well. diff --git a/usr/local/share/protocols/applejuice.pat b/usr/local/share/protocols/applejuice.pat index 8158bc6..eb552dc 100644 --- a/usr/local/share/protocols/applejuice.pat +++ b/usr/local/share/protocols/applejuice.pat @@ -2,6 +2,7 @@ # Pattern attributes: great veryfast fast # Protocol groups: p2p # Wiki: http://www.protocolinfo.org/wiki/AppleJuice +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # This pattern has been tested with the Linux version (version # 0,29,142,229). It matches search reqests and file transfers. diff --git a/usr/local/share/protocols/ares.pat b/usr/local/share/protocols/ares.pat index 2e89a90..32dc70d 100644 --- a/usr/local/share/protocols/ares.pat +++ b/usr/local/share/protocols/ares.pat @@ -2,6 +2,7 @@ # Pattern attributes: good veryfast fast undermatch # Protocol groups: p2p open_source # Wiki: http://www.protocolinfo.org/wiki/Ares +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # This pattern catches only client-server connect messages. This is # sufficient for blocking, but not for shaping, since it doesn't catch diff --git a/usr/local/share/protocols/armagetron.pat b/usr/local/share/protocols/armagetron.pat index fb4cc1e..a032410 100644 
--- a/usr/local/share/protocols/armagetron.pat +++ b/usr/local/share/protocols/armagetron.pat @@ -2,6 +2,7 @@ # Pattern attributes: good slow notsofast # Protocol groups: open_source game # Wiki: http://protocolinfo.org/wiki/Armagetron +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # Contributed to protocolinfo.org, possibly by joda.bot, who says "The # filter matches the initial transfer of configuration data. Very early diff --git a/usr/local/share/protocols/battlefield1942.pat b/usr/local/share/protocols/battlefield1942.pat index 1a4d9c0..ed7a7bf 100644 --- a/usr/local/share/protocols/battlefield1942.pat +++ b/usr/local/share/protocols/battlefield1942.pat @@ -2,6 +2,7 @@ # Pattern attributes: ok veryfast fast # Protocol groups: game proprietary # Wiki: http://www.protocolinfo.org/wiki/Battlefield_1942 +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # Contributed by Myles Uyema # diff --git a/usr/local/share/protocols/battlefield2.pat b/usr/local/share/protocols/battlefield2.pat index 088714c..e2d8791 100644 --- a/usr/local/share/protocols/battlefield2.pat +++ b/usr/local/share/protocols/battlefield2.pat @@ -2,6 +2,7 @@ # Pattern attributes: ok slow notsofast # Protocol groups: game proprietary # Wiki: http://www.protocolinfo.org/wiki/Battlefield_2 +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # This pattern is unconfirmed except implicitly by a comment on protocolinfo. diff --git a/usr/local/share/protocols/battlefield2142.pat b/usr/local/share/protocols/battlefield2142.pat index 6794cff..4c0e42b 100644 --- a/usr/local/share/protocols/battlefield2142.pat +++ b/usr/local/share/protocols/battlefield2142.pat 
@@ -1,7 +1,8 @@ # Battlefield 2142 - An EA game. # Pattern attributes: ok fast fast -# Protocol groups: proprietary game +# Protocol groups: proprietary game # Wiki: http://protocolinfo.org/wiki/Battlefield_2142 +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # Submitted by Telsin. Not confirmed. diff --git a/usr/local/share/protocols/bgp.pat b/usr/local/share/protocols/bgp.pat index d7985c0..61e417f 100644 --- a/usr/local/share/protocols/bgp.pat +++ b/usr/local/share/protocols/bgp.pat @@ -2,6 +2,7 @@ # Pattern attributes: ok veryfast fast # Protocol groups: networking ietf_draft_standard # Wiki: http://www.protocolinfo.org/wiki/BGP +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # This pattern is UNTESTED. diff --git a/usr/local/share/protocols/biff.pat b/usr/local/share/protocols/biff.pat index 7df399a..91e8bbf 100644 --- a/usr/local/share/protocols/biff.pat +++ b/usr/local/share/protocols/biff.pat @@ -1,7 +1,8 @@ # Biff - new mail notification -# Pattern attributes: good veryfast fast undermatch overmatch +# Pattern attributes: good fast fast undermatch overmatch # Protocol groups: mail # Wiki: http://www.protocolinfo.org/wiki/Biff +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # Usually runs on port 512 # diff --git a/usr/local/share/protocols/bittorrent.pat b/usr/local/share/protocols/bittorrent.pat index e5aa5bc..54063ce 100644 --- a/usr/local/share/protocols/bittorrent.pat +++ b/usr/local/share/protocols/bittorrent.pat 
@@ -2,11 +2,11 @@ # Pattern attributes: good slow notsofast undermatch # Protocol groups: p2p open_source # Wiki: http://www.protocolinfo.org/wiki/Bittorrent +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # This pattern has been tested and is believed to work well. # It will, however, not work on bittorrent streams that are encrypted, since -# it's impossible to match encrypted data (unless the encryption is extremely -# weak, like rot13 or something...). +# it's impossible to match (well) encrypted data. bittorrent @@ -16,12 +16,10 @@ bittorrent # Next bit matches something Azureus does # Ditto on the next bit. Could also match on "user-agent: azureus", but that's in the next # packet and perhaps this will match multiple clients. - -# Recently the ^ was removed from before \x13. I think this was an accident, -# so I have restored it. +# bitcomet-specific strings contributed by liangjun. # This is not a valid GNU basic regular expression (but that's ok). -^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=)|d1:ad2:id20:|\x08'7P\)[RP] +^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP] # This pattern is "fast", but won't catch as much #^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=) diff --git a/usr/local/share/protocols/chikka.pat b/usr/local/share/protocols/chikka.pat index c7259a7..a97ef28 100644 --- a/usr/local/share/protocols/chikka.pat +++ b/usr/local/share/protocols/chikka.pat @@ -1,7 +1,8 @@ # Chikka - SMS service which can be used without phones - http://chikka.com -# Pattern attributes: good veryfast fast superset +# Pattern attributes: good fast fast superset # Protocol groups: proprietary chat # Wiki: http://www.protocolinfo.org/wiki/Chikka +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # Tested with Chikka Javalite on 14 Jan 2007. # The login and chat use the same TCP connection. 
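Review bot: In bittorrent.pat the new pattern line has no `|` between `get /scrape\?info_hash=` and `get /announce\?info_hash=`, so the two are read as one literal string that no tracker request contains. Through this branch neither scrape nor announce requests match, and the scrape matching that worked before the change is lost. The alternation should read `^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=|get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]`. The added `GET /data\?fid=` is the only upper-case literal in the pattern; if the classifier lower-cases payload before matching, which cannot be told from this hunk, that branch never fires and should be written `get /data\?fid=`. A block or shaping rule built on this pattern would pass the affected tracker traffic unclassified without reporting any error.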
@@ -13,4 +14,4 @@ # Chikka uses CIMD as part of the login process, see cimd.pat chikka -^CTPv1.[123] Kamusta.*\x0d\x0a$ +^CTPv1\.[123] Kamusta.*\x0d\x0a$ diff --git a/usr/local/share/protocols/cimd.pat b/usr/local/share/protocols/cimd.pat index 6df274f..f508350 100644 --- a/usr/local/share/protocols/cimd.pat +++ b/usr/local/share/protocols/cimd.pat @@ -2,6 +2,7 @@ # Pattern attributes: good notsofast notsofast subset # Protocol groups: proprietary chat # Wiki: http://www.protocolinfo.org/wiki/CIMD +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # I don't know whether CIMD is ever found by itself in a TCP connection. # I have only seen it myself as part of the Chikka login process, in diff --git a/usr/local/share/protocols/ciscovpn.pat b/usr/local/share/protocols/ciscovpn.pat index c15725e..d3dd7a6 100644 --- a/usr/local/share/protocols/ciscovpn.pat +++ b/usr/local/share/protocols/ciscovpn.pat @@ -2,6 +2,7 @@ # Pattern attributes: ok veryfast fast # Protocol groups: remote_access proprietary # Wiki: http://www.protocolinfo.org/wiki/Cisco_VPN +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # This pattern contributed by Myles Uyema diff --git a/usr/local/share/protocols/citrix.pat b/usr/local/share/protocols/citrix.pat index 1215c22..fa73ce1 100644 --- a/usr/local/share/protocols/citrix.pat +++ b/usr/local/share/protocols/citrix.pat @@ -2,6 +2,7 @@ # Pattern attributes: marginal notsofast notsofast # Protocol groups: remote_access proprietary # Wiki: http://www.protocolinfo.org/wiki/Citrix +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # This pattern is UNTESTED. diff --git a/usr/local/share/protocols/counterstrike-source.pat b/usr/local/share/protocols/counterstrike-source.pat index 94aa07a..8ebd627 100644 --- a/usr/local/share/protocols/counterstrike-source.pat +++ b/usr/local/share/protocols/counterstrike-source.pat 
@@ -2,6 +2,7 @@ # Pattern attributes: good veryfast fast # Protocol groups: game proprietary # Wiki: http://www.protocolinfo.org/wiki/Counter-Strike +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # By adam.randazzoATgmail.com diff --git a/usr/local/share/protocols/cvs.pat b/usr/local/share/protocols/cvs.pat index d6cf503..fc084d3 100644 --- a/usr/local/share/protocols/cvs.pat +++ b/usr/local/share/protocols/cvs.pat @@ -2,6 +2,7 @@ # Pattern attributes: good veryfast fast # Protocol groups: version_control open_source # Wiki: http://www.protocolinfo.org/wiki/CVS +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE cvs diff --git a/usr/local/share/protocols/dayofdefeat-source.pat b/usr/local/share/protocols/dayofdefeat-source.pat index 1a90b4d..42b24bb 100644 --- a/usr/local/share/protocols/dayofdefeat-source.pat +++ b/usr/local/share/protocols/dayofdefeat-source.pat @@ -2,6 +2,7 @@ # Pattern attributes: good veryfast fast # Protocol groups: game proprietary # Wiki: http://www.protocolinfo.org/wiki/Day_of_Defeat:Source +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # By Clayton Macleod diff --git a/usr/local/share/protocols/dhcp.pat b/usr/local/share/protocols/dhcp.pat index 9594ea4..fbda7de 100644 --- a/usr/local/share/protocols/dhcp.pat +++ b/usr/local/share/protocols/dhcp.pat @@ -2,6 +2,7 @@ # Pattern attributes: good veryfast fast # Protocol groups: networking ietf_draft_standard # Wiki: http://www.protocolinfo.org/wiki/DHCP +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # Usually runs on ports 67 (server) and 68 (client) # diff --git a/usr/local/share/protocols/directconnect.pat b/usr/local/share/protocols/directconnect.pat index 41631f7..13be4a1 100644 --- a/usr/local/share/protocols/directconnect.pat +++ b/usr/local/share/protocols/directconnect.pat 
@@ -2,6 +2,7 @@ # Pattern attributes: good fast fast # Protocol groups: p2p # Wiki: http://www.protocolinfo.org/wiki/Direct_Connect +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # Direct Connect "hubs" listen on port 411 # http://www.dcpp.net/wiki/ diff --git a/usr/local/share/protocols/dns.pat b/usr/local/share/protocols/dns.pat index 5bc0ac0..c351831 100644 --- a/usr/local/share/protocols/dns.pat +++ b/usr/local/share/protocols/dns.pat @@ -2,6 +2,7 @@ # Pattern attributes: great slow fast # Protocol groups: networking ietf_internet_standard # Wiki: http://www.protocolinfo.org/wiki/DNS +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # Thanks to Sebastien Bechet for TLD detection # improvements diff --git a/usr/local/share/protocols/doom3.pat b/usr/local/share/protocols/doom3.pat index ef59ee7..7d32d6f 100644 --- a/usr/local/share/protocols/doom3.pat +++ b/usr/local/share/protocols/doom3.pat @@ -2,6 +2,7 @@ # Pattern attributes: good veryfast fast # Protocol groups: game proprietary # Wiki: http://www.protocolinfo.org/wiki/Doom +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # Thanks to Clayton Macleod (cherrytwist at gmail.com). diff --git a/usr/local/share/protocols/edonkey.pat b/usr/local/share/protocols/edonkey.pat index 50a072c..bc2522e 100644 --- a/usr/local/share/protocols/edonkey.pat +++ b/usr/local/share/protocols/edonkey.pat @@ -1,7 +1,8 @@ # eDonkey2000 - P2P filesharing - http://edonkey2000.com and others -# Pattern attributes: good veryfast fast overmatch +# Pattern attributes: good fast fast overmatch # Protocol groups: p2p # Wiki: http://www.protocolinfo.org/wiki/EDonkey +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # Tested recently (April/May 2006) with eMule 0.47a and eDonkey2000 1.4 # and a long time ago with something else. diff --git a/usr/local/share/protocols/fasttrack.pat b/usr/local/share/protocols/fasttrack.pat index c821ae4..6ed8ff1 100644 
--- a/usr/local/share/protocols/fasttrack.pat +++ b/usr/local/share/protocols/fasttrack.pat @@ -2,6 +2,7 @@ # Pattern attributes: good slow notsofast # Protocol groups: p2p # Wiki: http://www.protocolinfo.org/wiki/Fasttrack +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # Tested with Kazaa Lite Resurrection 0.0.7.6F # diff --git a/usr/local/share/protocols/finger.pat b/usr/local/share/protocols/finger.pat index b2b59d8..7f81d48 100644 --- a/usr/local/share/protocols/finger.pat +++ b/usr/local/share/protocols/finger.pat @@ -2,6 +2,7 @@ # Pattern attributes: good slow slow undermatch overmatch # Protocol groups: ietf_draft_standard # Wiki: http://www.protocolinfo.org/wiki/Finger +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # Usually runs on port 79 # diff --git a/usr/local/share/protocols/freenet.pat b/usr/local/share/protocols/freenet.pat index 626acb9..c62ad57 100644 --- a/usr/local/share/protocols/freenet.pat +++ b/usr/local/share/protocols/freenet.pat @@ -2,6 +2,7 @@ # Pattern attributes: poor veryfast fast # Protocol groups: p2p document_retrieval open_source # Wiki: http://www.protocolinfo.org/wiki/Freenet +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE freenet # Freenet is intentionally hard to identify... diff --git a/usr/local/share/protocols/ftp.pat b/usr/local/share/protocols/ftp.pat index a7f9e0e..44d97c4 100644 --- a/usr/local/share/protocols/ftp.pat +++ b/usr/local/share/protocols/ftp.pat @@ -2,6 +2,7 @@ # Pattern attributes: great notsofast fast # Protocol groups: document_retrieval ietf_internet_standard # Wiki: http://protocolinfo.org/wiki/FTP +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # Usually runs on port 21. Note that the data stream is on a dynamically # assigned port, which means that you will need the FTP connection diff --git a/usr/local/share/protocols/gkrellm.pat b/usr/local/share/protocols/gkrellm.pat index 2acf73b..73eb537 100644 
--- a/usr/local/share/protocols/gkrellm.pat +++ b/usr/local/share/protocols/gkrellm.pat @@ -2,6 +2,7 @@ # Pattern attributes: great veryfast fast # Protocol groups: monitoring open_source # Wiki: http://www.protocolinfo.org/wiki/Gkrellm +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # This pattern has been tested and is believed to work well. # Since this is not anything resembling a published protocol, it may change without diff --git a/usr/local/share/protocols/gnucleuslan.pat b/usr/local/share/protocols/gnucleuslan.pat index 2a106f4..ae5895b 100644 --- a/usr/local/share/protocols/gnucleuslan.pat +++ b/usr/local/share/protocols/gnucleuslan.pat @@ -2,6 +2,7 @@ # Pattern attributes: good notsofast notsofast # Protocol groups: p2p open_source # Wiki: http://www.protocolinfo.org/wiki/GnucleusLAN +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # This pattern has been tested and is believed to work well. diff --git a/usr/local/share/protocols/gnutella.pat b/usr/local/share/protocols/gnutella.pat index 57a76de..770ed43 100644 --- a/usr/local/share/protocols/gnutella.pat +++ b/usr/local/share/protocols/gnutella.pat @@ -2,6 +2,7 @@ # Pattern attributes: good notsofast notsofast # Protocol groups: p2p open_source # Wiki: http://www.protocolinfo.org/wiki/Gnutella +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # This should match both Gnutella and "Gnutella2" ("Mike's protocol") # diff --git a/usr/local/share/protocols/goboogy.pat b/usr/local/share/protocols/goboogy.pat index 2cc93da..d88d00b 100644 --- a/usr/local/share/protocols/goboogy.pat +++ b/usr/local/share/protocols/goboogy.pat @@ -2,6 +2,7 @@ # Pattern attributes: marginal slow notsofast # Protocol groups: p2p # Wiki: http://www.protocolinfo.org/wiki/GoBoogy +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # This pattern is untested and likely does not work in all cases! # 
diff --git a/usr/local/share/protocols/gopher.pat b/usr/local/share/protocols/gopher.pat index 3f49757..773016f 100644 --- a/usr/local/share/protocols/gopher.pat +++ b/usr/local/share/protocols/gopher.pat @@ -2,6 +2,7 @@ # Pattern attributes: good slow notsofast undermatch # Protocol groups: document_retrieval obsolete ietf_rfc_documented # Wiki: http://www.protocolinfo.org/wiki/Gopher +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # Gopher servers usually run on TCP port 70. # diff --git a/usr/local/share/protocols/h323.pat b/usr/local/share/protocols/h323.pat index d3f59c5..75b1a39 100644 --- a/usr/local/share/protocols/h323.pat +++ b/usr/local/share/protocols/h323.pat @@ -2,6 +2,7 @@ # Pattern attributes: ok veryfast fast # Protocol groups: voip itu-t_standard # Wiki: http://www.protocolinfo.org/wiki/H.323 +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # This pattern is written without knowledge of the principles of H.323. # It has only been tested with gnomemeeting and may not work for other diff --git a/usr/local/share/protocols/halflife2-deathmatch.pat b/usr/local/share/protocols/halflife2-deathmatch.pat index 6efe59e..45d0bb0 100644 --- a/usr/local/share/protocols/halflife2-deathmatch.pat +++ b/usr/local/share/protocols/halflife2-deathmatch.pat @@ -2,6 +2,7 @@ # Pattern attributes: good veryfast fast # Protocol groups: game proprietary # Wiki: http://www.protocolinfo.org/wiki/Half-Life +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # By Clayton Macleod diff --git a/usr/local/share/protocols/hddtemp.pat b/usr/local/share/protocols/hddtemp.pat index 31a640f..cdd908c 100644 --- a/usr/local/share/protocols/hddtemp.pat +++ b/usr/local/share/protocols/hddtemp.pat 
@@ -2,6 +2,7 @@ # Pattern attributes: great veryfast fast # Protocol groups: monitoring open_source # Wiki: http://www.protocolinfo.org/wiki/HDDtemp +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # Usually runs on port 7634 # diff --git a/usr/local/share/protocols/hotline.pat b/usr/local/share/protocols/hotline.pat index 1c11c62..20ec6de 100644 --- a/usr/local/share/protocols/hotline.pat +++ b/usr/local/share/protocols/hotline.pat @@ -2,6 +2,7 @@ # Pattern attributes: marginal fast fast # Protocol groups: p2p # Wiki: http://www.protocolinfo.org/wiki/Hotline +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # This pattern is untested! # diff --git a/usr/local/share/protocols/http-rtsp.pat b/usr/local/share/protocols/http-rtsp.pat index 3cb65fb..73ef926 100644 --- a/usr/local/share/protocols/http-rtsp.pat +++ b/usr/local/share/protocols/http-rtsp.pat @@ -1,7 +1,8 @@ # RTSP tunneled within HTTP -# Pattern attributes: ok notsofast notsofast subset +# Pattern attributes: ok notsofast fast subset # Protocol groups: streaming_audio streaming_video ietf_draft_standard # Wiki: http://www.protocolinfo.org/wiki/RTSP +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # Apple's documentation on what Quicktime does: # http://developer.apple.com/quicktime/icefloe/dispatch028.html diff --git a/usr/local/share/protocols/http.pat b/usr/local/share/protocols/http.pat index 550aa0b..5122310 100644 --- a/usr/local/share/protocols/http.pat +++ b/usr/local/share/protocols/http.pat @@ -2,6 +2,7 @@ # Pattern attributes: great slow notsofast superset # Protocol groups: document_retrieval ietf_draft_standard # Wiki: http://protocolinfo.org/wiki/HTTP +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # Usually runs on port 80 # diff --git a/usr/local/share/protocols/ident.pat b/usr/local/share/protocols/ident.pat index d6d89c3..3205e5e 100644 --- a/usr/local/share/protocols/ident.pat 
+++ b/usr/local/share/protocols/ident.pat @@ -2,6 +2,7 @@ # Pattern attributes: good fast fast # Protocol groups: networking ietf_proposed_standard # Wiki: http://www.protocolinfo.org/wiki/Ident +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # Usually runs on port 113 # diff --git a/usr/local/share/protocols/imap.pat b/usr/local/share/protocols/imap.pat index eac620d..3f989c0 100644 --- a/usr/local/share/protocols/imap.pat +++ b/usr/local/share/protocols/imap.pat @@ -1,7 +1,8 @@ # IMAP - Internet Message Access Protocol (A common e-mail protocol) -# Pattern attributes: great veryfast fast +# Pattern attributes: great fast fast # Protocol groups: mail ietf_proposed_standard # Wiki: http://www.protocolinfo.org/wiki/IMAP +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # This matches IMAP4 (RFC 3501) and probably IMAP2 (RFC 1176) # diff --git a/usr/local/share/protocols/imesh.pat b/usr/local/share/protocols/imesh.pat index 782047f..4cb7ac7 100644 --- a/usr/local/share/protocols/imesh.pat +++ b/usr/local/share/protocols/imesh.pat @@ -1,7 +1,8 @@ # iMesh - the native protocol of iMesh, a P2P application - http://imesh.com -# Pattern attributes: ok notsofast notsofast +# Pattern attributes: ok fast notsofast # Protocol groups: p2p # Wiki: http://protocolinfo.org/wiki/iMesh +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # depending on the version of iMesh (the program), it can also use fasttrack, # gnutella and edonkey in addition to iMesh (the protocol). diff --git a/usr/local/share/protocols/ipp.pat b/usr/local/share/protocols/ipp.pat index a4a4d14..15540d0 100644 --- a/usr/local/share/protocols/ipp.pat +++ b/usr/local/share/protocols/ipp.pat 
@@ -2,6 +2,7 @@ # Pattern attributes: good notsofast notsofast # Protocol groups: printer ietf_proposed_standard # Wiki: http://www.protocolinfo.org/wiki/IPP +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # This pattern has been tested and is believed to work well. diff --git a/usr/local/share/protocols/irc.pat b/usr/local/share/protocols/irc.pat index 2767336..b922b3e 100644 --- a/usr/local/share/protocols/irc.pat +++ b/usr/local/share/protocols/irc.pat @@ -1,7 +1,8 @@ # IRC - Internet Relay Chat - RFC 1459 -# Pattern attributes: great veryfast fast +# Pattern attributes: great fast fast # Protocol groups: chat ietf_proposed_standard # Wiki: http://www.protocolinfo.org/wiki/IRC +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # Usually runs on port 6666 or 6667 # Note that chat traffic runs on these ports, but IRC-DCC traffic (which diff --git a/usr/local/share/protocols/jabber.pat b/usr/local/share/protocols/jabber.pat index aa51c76..7c32890 100644 --- a/usr/local/share/protocols/jabber.pat +++ b/usr/local/share/protocols/jabber.pat @@ -2,6 +2,7 @@ # Pattern attributes: good notsofast notsofast # Protocol groups: chat ietf_proposed_standard # Wiki: http://www.protocolinfo.org/wiki/Jabber +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # This pattern has been tested with Gaim and Gabber. It is only tested # with non-SSL mode Jabber with no proxies. diff --git a/usr/local/share/protocols/kugoo.pat b/usr/local/share/protocols/kugoo.pat index be15ad5..c478317 100644 --- a/usr/local/share/protocols/kugoo.pat +++ b/usr/local/share/protocols/kugoo.pat 
@@ -1,7 +1,16 @@ # KuGoo - a Chinese P2P program - http://www.kugoo.com -# Pattern attributes: ok veryfast fast +# Pattern attributes: ok fast fast # Protocol groups: p2p # Wiki: http://www.protocolinfo.org/wiki/KuGoo +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE + +kugoo +# liangjun says: "i find old pattern is not working for kugoo 2008. so i +# write a new pattern of kugoo 2008 ,it's working with all of kugoo 2008 +# version!" +^(\x64.....\x70....\x50\x37|\x65.+) + +# Pattern before 2008 11 08 # # The author of this pattern says it works, but this is unconfirmed. # Written by www.routerclub.com wsgtrsys. @@ -9,6 +18,4 @@ # LanTian submitted \x64.+\x74\x47\x50\x37 for "KuGoo2", but adding as # another branch makes the pattern REALLY slow. If it could have a ^, that'd # be ok (still veryfast/fast). Waiting to hear. - -kugoo -^(\x31..\x8e|\x64.+\x74\x47\x50\x37) +#^(\x31..\x8e|\x64.+\x74\x47\x50\x37) diff --git a/usr/local/share/protocols/live365.pat b/usr/local/share/protocols/live365.pat index 9360892..144ac50 100644 --- a/usr/local/share/protocols/live365.pat +++ b/usr/local/share/protocols/live365.pat @@ -2,6 +2,7 @@ # Pattern attributes: marginal notsofast notsofast # Protocol groups: streaming_audio # Wiki: http://www.protocolinfo.org/wiki/Live365 +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # This pattern was "contributed" (taken with permission) by the bandwidth # arbitrator project (www.bandwidtharbitrator.com). diff --git a/usr/local/share/protocols/liveforspeed.pat b/usr/local/share/protocols/liveforspeed.pat index 17b755d..ad32e9a 100644 --- a/usr/local/share/protocols/liveforspeed.pat +++ b/usr/local/share/protocols/liveforspeed.pat 
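Review bot: The `\x65.+` branch of the new kugoo pattern matches any connection whose first byte is 0x65 (ASCII `e`) followed by at least one more byte, which is far broader than the header attributes suggest. Any rule that blocks or shapes on `kugoo` will also catch unrelated flows that happen to start with that byte. If the branch cannot be tightened with further fixed bytes from the KuGoo 2008 handshake, the attributes line should at least record the risk: `# Pattern attributes: ok fast fast overmatch`. The previous pattern survives only as a comment in the second hunk, so clients it matched are no longer classified; a one-line comment stating that this is intended would help.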
@@ -1,7 +1,8 @@
 # Live For Speed - A racing game.
-# Pattern attributes: poor veryfast fast
+# Pattern attributes: poor fast fast
 # Protocol groups: game proprietary
 # Wiki: http://www.protocolinfo.org/wiki/Live_For_Speed
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # This pattern was submitted to protocolinfo.org by 80.55.238.74 with no
 # explanation. It is unconfirmed.
diff --git a/usr/local/share/protocols/lpd.pat b/usr/local/share/protocols/lpd.pat
index d1b8ae7..4b78dfe 100644
--- a/usr/local/share/protocols/lpd.pat
+++ b/usr/local/share/protocols/lpd.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: ok fast fast
 # Protocol groups: printer ietf_rfc_documented
 # Wiki: http://www.protocolinfo.org/wiki/LPD
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # This pattern is untested.
diff --git a/usr/local/share/protocols/mohaa.pat b/usr/local/share/protocols/mohaa.pat
index aebe47a..00b6c07 100644
--- a/usr/local/share/protocols/mohaa.pat
+++ b/usr/local/share/protocols/mohaa.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: good veryfast fast
 # Protocol groups: game proprietary
 # Wiki: http://www.protocolinfo.org/wiki/Medal_of_Honor_Allied_Assault
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # This pattern is written and tested by Krzysztof Maciejewski.
diff --git a/usr/local/share/protocols/msn-filetransfer.pat b/usr/local/share/protocols/msn-filetransfer.pat
index 5ffddfc..797edb4 100644
--- a/usr/local/share/protocols/msn-filetransfer.pat
+++ b/usr/local/share/protocols/msn-filetransfer.pat
@@ -1,7 +1,8 @@
 # MSN (Micosoft Network) Messenger file transfers (MSNFTP and MSNSLP)
-# Pattern attributes: good veryfast fast
+# Pattern attributes: good fast fast
 # Protocol groups: chat document_retrieval proprietary
 # Wiki: http://www.protocolinfo.org/wiki/MSN_Messenger
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # http://www.hypothetic.org/docs/msn/client/file_transfer.php
diff --git a/usr/local/share/protocols/msnmessenger.pat b/usr/local/share/protocols/msnmessenger.pat
index 41f1075..11dfc10 100644
--- a/usr/local/share/protocols/msnmessenger.pat
+++ b/usr/local/share/protocols/msnmessenger.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: good slow notsofast
 # Protocol groups: chat proprietary
 # Wiki: http://www.protocolinfo.org/wiki/MSN_Messenger
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # Usually uses TCP port 1863
 # http://www.hypothetic.org/docs/msn/index.php
diff --git a/usr/local/share/protocols/mute.pat b/usr/local/share/protocols/mute.pat
index c803090..53f2e23 100644
--- a/usr/local/share/protocols/mute.pat
+++ b/usr/local/share/protocols/mute.pat
@@ -1,7 +1,8 @@
 # MUTE - P2P filesharing - http://mute-net.sourceforge.net
-# Pattern attributes: marginal veryfast fast
+# Pattern attributes: marginal fast fast
 # Protocol groups: p2p open_source
 # Wiki: http://www.protocolinfo.org/wiki/MUTE
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # This pattern is lightly tested. I don't know for sure that it will
 # match the actual file transfers.
diff --git a/usr/local/share/protocols/napster.pat b/usr/local/share/protocols/napster.pat
index 83005b8..d7ef032 100644
--- a/usr/local/share/protocols/napster.pat
+++ b/usr/local/share/protocols/napster.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: good fast fast
 # Protocol groups: p2p
 # Wiki: http://www.protocolinfo.org/wiki/Napster
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # All my tests show that this pattern is fast, but one user has reported that
 # it is slow. Your milage may vary.
diff --git a/usr/local/share/protocols/nbns.pat b/usr/local/share/protocols/nbns.pat
index d4fff4f..ca114de 100644
--- a/usr/local/share/protocols/nbns.pat
+++ b/usr/local/share/protocols/nbns.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: good slow notsofast
 # Protocol groups: networking proprietary
 # Wiki: http://www.protocolinfo.org/wiki/NBNS
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # This pattern has been tested and is believed to work well.
 #
diff --git a/usr/local/share/protocols/ncp.pat b/usr/local/share/protocols/ncp.pat
index b4788a1..55792b2 100644
--- a/usr/local/share/protocols/ncp.pat
+++ b/usr/local/share/protocols/ncp.pat
@@ -1,7 +1,8 @@
 # NCP - Novell Core Protocol
-# Pattern attributes: good veryfast fast
+# Pattern attributes: good fast fast
 # Protocol groups: networking proprietary
 # Wiki: http://www.protocolinfo.org/wiki/NCP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # This pattern has been tested and is believed to work well.
diff --git a/usr/local/share/protocols/netbios.pat b/usr/local/share/protocols/netbios.pat
index 8e90074..a0314b1 100644
--- a/usr/local/share/protocols/netbios.pat
+++ b/usr/local/share/protocols/netbios.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: marginal notsofast notsofast
 # Protocol groups: networking ietf_internet_standard proprietary
 # Wiki: http://www.protocolinfo.org/wiki/NetBIOS
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # As mentioned in smb.pat:
 #
diff --git a/usr/local/share/protocols/nntp.pat b/usr/local/share/protocols/nntp.pat
index 769c8a5..7a30578 100644
--- a/usr/local/share/protocols/nntp.pat
+++ b/usr/local/share/protocols/nntp.pat
@@ -1,7 +1,8 @@
 # NNTP - Network News Transfer Protocol - RFCs 977 and 2980
-# Pattern attributes: good veryfast fast
+# Pattern attributes: good fast fast
 # Protocol groups: ietf_proposed_standard
 # Wiki: http://www.protocolinfo.org/wiki/NNTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # usually runs on port 119
diff --git a/usr/local/share/protocols/ntp.pat b/usr/local/share/protocols/ntp.pat
index a24fb05..760cfdb 100644
--- a/usr/local/share/protocols/ntp.pat
+++ b/usr/local/share/protocols/ntp.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: good fast fast overmatch
 # Protocol groups: time_synchronization ietf_draft_standard
 # Wiki: http://www.protocolinfo.org/wiki/NTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # This pattern is tested and is believed to work.
diff --git a/usr/local/share/protocols/openft.pat b/usr/local/share/protocols/openft.pat
index f81499a..09fa852 100644
--- a/usr/local/share/protocols/openft.pat
+++ b/usr/local/share/protocols/openft.pat
@@ -1,7 +1,8 @@
 # OpenFT - P2P filesharing (implemented in giFT library)
-# Pattern attributes: good fast notsofast
+# Pattern attributes: good notsofast notsofast
 # Protocol groups: p2p open_source
 # Wiki: http://www.protocolinfo.org/wiki/OpenFT
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 # Ben Efros says:
 # "This pattern identifies openFT P2P transfers fine. openFT is part of giFT
diff --git a/usr/local/share/protocols/pcanywhere.pat b/usr/local/share/protocols/pcanywhere.pat
index 86dae6b..60b50a7 100644
--- a/usr/local/share/protocols/pcanywhere.pat
+++ b/usr/local/share/protocols/pcanywhere.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: marginal veryfast fast
 # Protocol groups: remote_access proprietary
 # Wiki: http://www.protocolinfo.org/wiki/PcAnywhere
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 # This is completely untested!
 # See http://www.unixwiz.net/tools/pcascan.txt
diff --git a/usr/local/share/protocols/poco.pat b/usr/local/share/protocols/poco.pat
index 2bcf66d..c7ce686 100644
--- a/usr/local/share/protocols/poco.pat
+++ b/usr/local/share/protocols/poco.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: ok veryfast fast
 # Protocol groups: p2p
 # Wiki: http://www.protocolinfo.org/wiki/Poco
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # The author of this pattern says it works, but this is unconfirmed.
 # Written by www.routerclub.com wsgtrsys.
diff --git a/usr/local/share/protocols/pop3.pat b/usr/local/share/protocols/pop3.pat
index b3d76e2..47a8252 100644
--- a/usr/local/share/protocols/pop3.pat
+++ b/usr/local/share/protocols/pop3.pat
@@ -1,7 +1,8 @@
 # POP3 - Post Office Protocol version 3 (popular e-mail protocol) - RFC 1939
-# Pattern attributes: great veryfast fast
+# Pattern attributes: great fast fast
 # Protocol groups: mail ietf_internet_standard
 # Wiki: http://www.protocolinfo.org/wiki/POP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # This pattern has been tested somewhat.
diff --git a/usr/local/share/protocols/qq.pat b/usr/local/share/protocols/qq.pat
index 7689439..08db802 100644
--- a/usr/local/share/protocols/qq.pat
+++ b/usr/local/share/protocols/qq.pat
@@ -1,7 +1,8 @@
 # Tencent QQ Protocol - Chinese instant messenger protocol - http://www.qq.com
-# Pattern attributes: good fast fast
+# Pattern attributes: good notsofast fast
 # Protocol groups: chat
 # Wiki: http://www.protocolinfo.org/wiki/QQ
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # Over six million people use QQ in China, according to wsgtrsys.
 #
diff --git a/usr/local/share/protocols/quake-halflife.pat b/usr/local/share/protocols/quake-halflife.pat
index 7e2b537..97e7d84 100644
--- a/usr/local/share/protocols/quake-halflife.pat
+++ b/usr/local/share/protocols/quake-halflife.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: good veryfast fast
 # Protocol groups: game proprietary
 # Wiki: http://www.protocolinfo.org/wiki/Half-Life http://www.protocolinfo.org/wiki/Counter-Strike http://www.protocolinfo.org/wiki/Day_of_Defeat
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # Contributed by Laurens Blankers , who says:
 #
diff --git a/usr/local/share/protocols/quake1.pat b/usr/local/share/protocols/quake1.pat
index 18e0ca0..46bdebd 100644
--- a/usr/local/share/protocols/quake1.pat
+++ b/usr/local/share/protocols/quake1.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: marginal veryfast fast
 # Protocol groups: game proprietary
 # Wiki: http://www.protocolinfo.org/wiki/Quake
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # This pattern is untested and unconfirmed.
diff --git a/usr/local/share/protocols/radmin.pat b/usr/local/share/protocols/radmin.pat
index 52ff6e0..d13aa65 100644
--- a/usr/local/share/protocols/radmin.pat
+++ b/usr/local/share/protocols/radmin.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: ok veryfast fast
 # Protocol groups: remote_access proprietary
 # Wiki: http://www.protocolinfo.org/wiki/Radmin
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # This pattern has been verified with Radmin v1.1 and v3.0beta on Win2000/XP
 # It has only been tested between a single pair of computers.
diff --git a/usr/local/share/protocols/rdp.pat b/usr/local/share/protocols/rdp.pat
index e10a81d..44b853f 100644
--- a/usr/local/share/protocols/rdp.pat
+++ b/usr/local/share/protocols/rdp.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: ok notsofast notsofast
 # Protocol groups: remote_access proprietary
 # Wiki: http://www.protocolinfo.org/wiki/RDP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # This pattern was submitted by Michael Leong. It has been tested under the
 # following conditions: "WinXP Pro with all the patches, rdesktop server
diff --git a/usr/local/share/protocols/replaytv-ivs.pat b/usr/local/share/protocols/replaytv-ivs.pat
index 4d44b0f..aaf9255 100644
--- a/usr/local/share/protocols/replaytv-ivs.pat
+++ b/usr/local/share/protocols/replaytv-ivs.pat
@@ -1,7 +1,8 @@
 # ReplayTV Internet Video Sharing - Digital Video Recorder - http://replaytv.com
-# Pattern attributes: good veryfast fast
-# Protocol groups:
+# Pattern attributes: good fast fast
+# Protocol groups:
 # Wiki: http://www.protocolinfo.org/wiki/ReplayTV
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # Pattern by jm 409 at hot mail dot com, who says that this one "worked best".
diff --git a/usr/local/share/protocols/rlogin.pat b/usr/local/share/protocols/rlogin.pat
index 92f3735..42c4f7e 100644
--- a/usr/local/share/protocols/rlogin.pat
+++ b/usr/local/share/protocols/rlogin.pat
@@ -1,7 +1,8 @@
 # rlogin - remote login - RFC 1282
-# Pattern attributes: ok veryfast fast
+# Pattern attributes: ok fast fast
 # Protocol groups: remote_access ietf_rfc_documented
 # Wiki: http://www.protocolinfo.org/wiki/Rlogin
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # usually runs on port 443
 #
diff --git a/usr/local/share/protocols/rtp.pat b/usr/local/share/protocols/rtp.pat
index d808e1e..61fcd8e 100644
--- a/usr/local/share/protocols/rtp.pat
+++ b/usr/local/share/protocols/rtp.pat
@@ -1,40 +1,33 @@
 # RTP - Real-time Transport Protocol - RFC 3550
-# Pattern attributes: marginal overmatch undermatch veryfast fast
+# Pattern attributes: ok overmatch undermatch fast fast
 # Protocol groups: streaming_video ietf_internet_standard
 # Wiki: http://www.protocolinfo.org/wiki/RTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # RTP headers are *very* short and compact. They have almost nothing in
-# them that can be matched by l7-filter. If you want to match them
-# along with their associated SIP packets, I think the best way might be
-# to set up some iptables rules that watch for SIP packets and then also
-# match any other UDP packets that are going between the same two IP
-# addresses.
+# them that can be matched by l7-filter. As RTP connections take place
+# between even numbered ports, you should probably check for that before
+# applying this pattern. If you want to match them along with their
+# associated SIP packets, you might try setting up some iptables rules
+# that watch for SIP packets and then also match any other UDP packets
+# that are going between the same two IP addresses.
 #
-# However, I will attempt a pattern anyway. This is UNTESTED!
-#
 # I think we can count on the first bit being 1 and the second bit being
 # 0 (meaning protocol version 2). The next two bits could go either way,
 # but in the example I've seen, they are zero, so I'll assume they are
 # usually zero. The next four bits are a count of "contributing source
 # identifiers". I'm not sure how big that could be, but in the example
 # I've seen, they're zero, so I'll assume they're usually zero. So that
-# gives us ^\x80. The marker bit that comes next is probably zero for
-# the first packet, although that's not a sure thing. Next is the
-# payload type, 7 bits that might usually only take a few values, but
-# maybe not. In the example I've seen, it's zero, which (with a zero
-# marker bit) means it looks to l7-filter like it's not there at all.
-# The rest of the header is random numbers (sequence number, timestamp,
-# synchronization source identifier), so that's no help at all.
-#
-# I think the best we could do is to watch to see if several \x80 bytes
-# come in with a small number of bytes between them. This makes all the
-# above assumptions and also assumes that the first packet has no
-# payload and not too much trailing gargage. So this will definitely not
-# work all the time. It clearly also might match other stuff.
+# gives us ^\x80. The next bit is a tossup. Next is the payload type, 7
+# bits. I've taken likely values from the WireShark code: 0-34, 96-127
+# (decimal). The rest of the header is random numbers (sequence number,
+# timestamp, synchronization source identifier), so that's no help at
+# all.
 rtp
-^\x80......?.?.?.?.?.?.?.?.?.?.?.?.?\x80
+^\x80[\x01-"`-\x7f\x80-\xa2\xe0-\xff]?..........*\x80
 # Might also try this. It's a bit slower (one packet and not too much extra
 # regexec load) and a bit more accurate:
-#^\x80......?.?.?.?.?.?.?.?.?.?.?.?.?\x80.*\x80
+#^\x80[\x01-"`-\x7f\x80-\xa2\xe0-\xff]?..........*\x80.*\x80
+
diff --git a/usr/local/share/protocols/rtsp.pat b/usr/local/share/protocols/rtsp.pat
index a5f309c..1013ae3 100644
--- a/usr/local/share/protocols/rtsp.pat
+++ b/usr/local/share/protocols/rtsp.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: good notsofast notsofast
 # Protocol groups: streaming_video ietf_proposed_standard
 # Wiki: http://www.protocolinfo.org/wiki/RTSP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # usually runs on port 554
 #
diff --git a/usr/local/share/protocols/shoutcast.pat b/usr/local/share/protocols/shoutcast.pat
index 6ae0824..e78883c 100644
--- a/usr/local/share/protocols/shoutcast.pat
+++ b/usr/local/share/protocols/shoutcast.pat
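Review bot: In the new rtp pattern the payload-type bracket expression after `^\x80` is followed by `?` and then a run of `.`, so a second byte outside the listed ranges is simply consumed by the first `.` and the class rejects nothing. Together with the trailing `.*\x80`, which replaces the old bounded run of optional dots, the line accepts any buffer that starts with 0x80 and has another 0x80 far enough along, which is broader than the comment's "likely values ... 0-34, 96-127" implies. The `?` is presumably there because a zero byte is not visible to l7-filter, as the removed text explained; if so, keep that explanation and add a line such as `# NOTE: the payload-type class is optional and does not restrict matches; rely on the port and SIP checks described above`. The rating also moves from `marginal` to `ok` and "This is UNTESTED!" is dropped without saying what was tested, which deserves a sentence in the header.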
@@ -2,6 +2,7 @@
 # Pattern attributes: good slow notsofast
 # Protocol groups: streaming_audio
 # Wiki: http://www.protocolinfo.org/wiki/Icecast
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # usually runs on port 80
 #
diff --git a/usr/local/share/protocols/sip.pat b/usr/local/share/protocols/sip.pat
index 3782e33..2728009 100644
--- a/usr/local/share/protocols/sip.pat
+++ b/usr/local/share/protocols/sip.pat
@@ -1,11 +1,13 @@
-# SIP - Session Initiation Protocol - Internet telephony - RFC 3261
-# Pattern attributes: ok fast fast
+# SIP - Session Initiation Protocol - Internet telephony - RFC 3261, 3265, etc.
+# Pattern attributes: good fast fast
 # Protocol groups: voip ietf_proposed_standard
 # Wiki: http://www.protocolinfo.org/wiki/SIP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
-# This pattern has been tested with the Ubiquity SIP user agent.
-#
-# Thanks to Ankit Desai for this pattern.
+# This pattern has been tested with the Ubiquity SIP user agent and has been
+# confirmed by at least one other user.
+#
+# Thanks to Ankit Desai for this pattern. Updated by tehseen sagar.
 #
 # SIP typically uses port 5060.
 #
@@ -15,4 +17,4 @@
 #Request-Line = Method SP Request-URI SP SIP-Version CRLF
 sip
-^(invite|register|cancel) sip[\x09-\x0d -~]*sip/[0-2]\.[0-9]
+^(invite|register|cancel|message|subscribe|notify) sip[\x09-\x0d -~]*sip/[0-2]\.[0-9]
diff --git a/usr/local/share/protocols/skypeout.pat b/usr/local/share/protocols/skypeout.pat
index a6b6ba7..55e4e10 100644
--- a/usr/local/share/protocols/skypeout.pat
+++ b/usr/local/share/protocols/skypeout.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: ok slow notsofast overmatch
 # Protocol groups: voip p2p proprietary
 # Wiki: http://www.protocolinfo.org/wiki/Skype
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 # Thanks to Myles Uyema, mylesuyema AT gmail.com
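Review bot: The method list in the sip pattern line now covers `message|subscribe|notify` but still leaves out other request methods such as `options`, `bye`, `ack`, `info` and `refer`, so a flow whose first request uses one of those stays unclassified. Because the pattern is anchored with `^`, only the request at the start of the buffer counts, and `options` is a common opener for keep-alives and capability queries, so I would add at least that: `^(invite|register|cancel|message|subscribe|notify|options) sip[\x09-\x0d -~]*sip/[0-2]\.[0-9]`. Since the rating is raised to `good` in the first hunk, the header comment should also say which methods are deliberately not matched, so that anyone using this for VoIP policy knows the gap.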
diff --git a/usr/local/share/protocols/skypetoskype.pat b/usr/local/share/protocols/skypetoskype.pat
index 3649492..ed1103a 100644
--- a/usr/local/share/protocols/skypetoskype.pat
+++ b/usr/local/share/protocols/skypetoskype.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: ok veryfast fast overmatch
 # Protocol groups: voip p2p proprietary
 # Wiki: http://www.protocolinfo.org/wiki/Skype
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 # This matches at least some of the general chatter that occurs when the
 # user isn't doing anything as well as actual calls.
diff --git a/usr/local/share/protocols/smb.pat b/usr/local/share/protocols/smb.pat
index cdf0fe1..c1f8b0a 100644
--- a/usr/local/share/protocols/smb.pat
+++ b/usr/local/share/protocols/smb.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: good fast notsofast
 # Protocol groups: document_retrieval networking proprietary
 # Wiki: http://www.protocolinfo.org/wiki/SMB
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # "This protocol is sometimes also referred to as the Common Internet File
 # System (CIFS), LanManager or NetBIOS protocol." -- "man samba"
diff --git a/usr/local/share/protocols/smtp.pat b/usr/local/share/protocols/smtp.pat
index eb98ae7..2f5d195 100644
--- a/usr/local/share/protocols/smtp.pat
+++ b/usr/local/share/protocols/smtp.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: great notsofast fast
 # Protocol groups: mail ietf_internet_standard
 # Wiki: http://www.protocolinfo.org/wiki/SMTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # usually runs on port 25
 #
diff --git a/usr/local/share/protocols/snmp.pat b/usr/local/share/protocols/snmp.pat
index 5b88f03..a7186b2 100644
--- a/usr/local/share/protocols/snmp.pat
+++ b/usr/local/share/protocols/snmp.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: good veryfast fast superset
 # Protocol groups: networking ietf_internet_standard
 # Wiki: http://www.protocolinfo.org/wiki/SNMP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # Usually runs on UDP ports 161 (monitoring) and 162 (traps).
 #
diff --git a/usr/local/share/protocols/socks.pat b/usr/local/share/protocols/socks.pat
index a7501a8..54189fd 100644
--- a/usr/local/share/protocols/socks.pat
+++ b/usr/local/share/protocols/socks.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: good notsofast notsofast
 # Protocol groups: networking ietf_proposed_standard
 # Wiki: http://www.protocolinfo.org/wiki/SOCKS
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # Usually runs on port 1080
 # Also useful: http://www.iana.org/assignments/socks-methods
diff --git a/usr/local/share/protocols/soribada.pat b/usr/local/share/protocols/soribada.pat
index a5da9fd..e1c0c56 100644
--- a/usr/local/share/protocols/soribada.pat
+++ b/usr/local/share/protocols/soribada.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: good slow notsofast
 # Protocol groups: p2p
 # Wiki: http://www.protocolinfo.org/wiki/Soribada
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 # I am told that there are three versions of this protocol, the first no
 # longer being used. That would probably explain why incoming searches
diff --git a/usr/local/share/protocols/soulseek.pat b/usr/local/share/protocols/soulseek.pat
index 4385141..ebc06ab 100644
--- a/usr/local/share/protocols/soulseek.pat
+++ b/usr/local/share/protocols/soulseek.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: good fast fast
 # Protocol groups: p2p
 # Wiki: http://www.protocolinfo.org/wiki/Soulseek
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # All my tests show that this pattern is fast, but one user has reported that
 # it is slow. Your milage may vary.
diff --git a/usr/local/share/protocols/ssdp.pat b/usr/local/share/protocols/ssdp.pat
index db50362..d2de92d 100644
--- a/usr/local/share/protocols/ssdp.pat
+++ b/usr/local/share/protocols/ssdp.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: good slow notsofast
 # Protocol groups: networking ietf_draft_standard
 # Wiki: http://www.protocolinfo.org/wiki/SSDP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 # This pattern was tested only by listening to a Linksys WRT54G. However,
 # I expect it works in general given the simplicity of the protocol.
diff --git a/usr/local/share/protocols/ssh.pat b/usr/local/share/protocols/ssh.pat
index adffe9e..5e32f5c 100644
--- a/usr/local/share/protocols/ssh.pat
+++ b/usr/local/share/protocols/ssh.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: great veryfast fast
 # Protocol groups: remote_access secure ietf_draft_standard
 # Wiki: http://www.protocolinfo.org/wiki/SSH
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # usually runs on port 22
 #
diff --git a/usr/local/share/protocols/ssl.pat b/usr/local/share/protocols/ssl.pat
index a10589a1..ae30ee4 100644
--- a/usr/local/share/protocols/ssl.pat
+++ b/usr/local/share/protocols/ssl.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: good notsofast fast superset
 # Protocol groups: secure ietf_proposed_standard
 # Wiki: http://www.protocolinfo.org/wiki/SSL
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # Usually runs on port 443
 #
diff --git a/usr/local/share/protocols/stun.pat b/usr/local/share/protocols/stun.pat
index 5f0f58a..3bfc3ab 100644
--- a/usr/local/share/protocols/stun.pat
+++ b/usr/local/share/protocols/stun.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: ok veryfast fast
 # Protocol groups: networking ietf_proposed_standard
 # Wiki: http://www.protocolinfo.org/wiki/STUN
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # This pattern is untested as far as I know.
diff --git a/usr/local/share/protocols/subspace.pat b/usr/local/share/protocols/subspace.pat
index 57dabf1..0a1b174 100644
--- a/usr/local/share/protocols/subspace.pat
+++ b/usr/local/share/protocols/subspace.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: marginal veryfast fast
 # Protocol groups: game
 # Wiki: http://www.protocolinfo.org/wiki/Subspace
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # By Myles Uyema
 #
diff --git a/usr/local/share/protocols/subversion.pat b/usr/local/share/protocols/subversion.pat
index cc5ec3b..8769a19 100644
--- a/usr/local/share/protocols/subversion.pat
+++ b/usr/local/share/protocols/subversion.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: ok veryfast fast
 # Protocol groups: version_control open_source
 # Wiki: http://www.protocolinfo.org/wiki/Subversion
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # This pattern is UNTESTED. (But it seems straightforward enough...)
 #
diff --git a/usr/local/share/protocols/teamfortress2.pat b/usr/local/share/protocols/teamfortress2.pat
index 83fb960..337af39 100644
--- a/usr/local/share/protocols/teamfortress2.pat
+++ b/usr/local/share/protocols/teamfortress2.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: good veryfast fast
 # Protocol groups: game proprietary
 # Wiki: http://www.protocolinfo.org/wiki/Team_Fortress
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # Credits: Clayton Macleod
 # Jan Engelhardt
diff --git a/usr/local/share/protocols/teamspeak.pat b/usr/local/share/protocols/teamspeak.pat
index e83569f..8b2155e 100644
--- a/usr/local/share/protocols/teamspeak.pat
+++ b/usr/local/share/protocols/teamspeak.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: good veryfast fast
 # Protocol groups: voip proprietary
 # Wiki: http://www.protocolinfo.org/wiki/TeamSpeak
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # This pattern has been tested by Matthew Strait and verified by packet
 # traces by at least two other people. The meaning of f4b303 is not
diff --git a/usr/local/share/protocols/telnet.pat b/usr/local/share/protocols/telnet.pat
index a93d17d..cf10d0e 100644
--- a/usr/local/share/protocols/telnet.pat
+++ b/usr/local/share/protocols/telnet.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: good veryfast fast
 # Protocol groups: remote_access obsolete ietf_internet_standard
 # Wiki: http://www.protocolinfo.org/wiki/Telnet
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # Usually runs on port 23
 #
diff --git a/usr/local/share/protocols/tesla.pat b/usr/local/share/protocols/tesla.pat
index f9fdece..1f4ee86 100644
--- a/usr/local/share/protocols/tesla.pat
+++ b/usr/local/share/protocols/tesla.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: marginal slow notsofast
 # Protocol groups: p2p
 # Wiki: http://www.protocolinfo.org/wiki/Tesla
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # This pattern is untested!
diff --git a/usr/local/share/protocols/tftp.pat b/usr/local/share/protocols/tftp.pat
index e9f16f7..1782ff5 100644
--- a/usr/local/share/protocols/tftp.pat
+++ b/usr/local/share/protocols/tftp.pat
@@ -1,7 +1,8 @@
 # TFTP - Trivial File Transfer Protocol - used for bootstrapping - RFC 1350
-# Pattern attributes: marginal veryfast fast
+# Pattern attributes: marginal fast fast
 # Protocol groups: document_retrieval ietf_internet_standard
 # Wiki: http://www.protocolinfo.org/wiki/TFTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # usually runs on port 69
 #
diff --git a/usr/local/share/protocols/thecircle.pat b/usr/local/share/protocols/thecircle.pat
index a161531..d5e2b80 100644
--- a/usr/local/share/protocols/thecircle.pat
+++ b/usr/local/share/protocols/thecircle.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: ok veryfast fast
 # Protocol groups: p2p open_source
 # Wiki: http://www.protocolinfo.org/wiki/The_Circle
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 # This is tested with The Circle 0.41c on Linux.
 # It likely misses some stuff. Notably, I wasn't able to test it on any
diff --git a/usr/local/share/protocols/tor.pat b/usr/local/share/protocols/tor.pat
index 16f8884..7e4f707 100644
--- a/usr/local/share/protocols/tor.pat
+++ b/usr/local/share/protocols/tor.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: good notsofast notsofast
 # Protocol groups: networking
 # Wiki: http://protocolinfo.org/wiki/Tor
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # This pattern has been tested and is believed to work well.
 #
diff --git a/usr/local/share/protocols/tsp.pat b/usr/local/share/protocols/tsp.pat
index e704ce0..7751df9 100644
--- a/usr/local/share/protocols/tsp.pat
+++ b/usr/local/share/protocols/tsp.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: good veryfast fast overmatch
 # Protocol groups: time_synchronization open_source
 # Wiki: http://www.protocolinfo.org/wiki/TSP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # http://ftp.svbug.com/ftp/pub/manuals/pdf/smm.22.timed.pdf
 # http://docs.freebsd.org/44doc/smm/12.timed/paper.pdf
diff --git a/usr/local/share/protocols/unknown.pat b/usr/local/share/protocols/unknown.pat
index 1c1c166..56d8134 100644
--- a/usr/local/share/protocols/unknown.pat
+++ b/usr/local/share/protocols/unknown.pat
@@ -2,6 +2,7 @@
 unknown
 # This pattern is ignored by the kernel. It sees that the "protocol" is
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 # "unknown" and always returns unmatched for connections that are still
 # being tested.
 .
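Review bot: The added `# Copyright (C) 2008 ...` line in unknown.pat lands in the middle of the explanatory sentence, between `It sees that the "protocol" is` and `"unknown" and always returns unmatched`, so the comment no longer reads as one statement; the unset.pat hunk that follows has the same problem. Move the copyright line above the protocol name line or below `# being tested.` in both files. In unset.pat the surrounding text also says the protocol is `"testing"` while the name line is `unset`, and with `# NOT YET IMPLEMENTED.` removed that wording should be checked against what the kernel module actually does.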
diff --git a/usr/local/share/protocols/unset.pat b/usr/local/share/protocols/unset.pat
index 80950c9..b9c1244 100644
--- a/usr/local/share/protocols/unset.pat
+++ b/usr/local/share/protocols/unset.pat
@@ -2,7 +2,7 @@
 unset
 # This pattern is ignored by the kernel. It sees that the "protocol" is
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 # "testing" and always returns matched for connections that are still
 # being tested.
-# NOT YET IMPLEMENTED.
 .
diff --git a/usr/local/share/protocols/uucp.pat b/usr/local/share/protocols/uucp.pat
index c7685cd..f7ef22c 100644
--- a/usr/local/share/protocols/uucp.pat
+++ b/usr/local/share/protocols/uucp.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: ok veryfast fast
 # Protocol groups: document_retrieval obsolete
 # Wiki: http://www.protocolinfo.org/wiki/UUCP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 # This is completely untested! (I don't know how to use UUCP...)
diff --git a/usr/local/share/protocols/validcertssl.pat b/usr/local/share/protocols/validcertssl.pat
index c004517..7aa1812 100644
--- a/usr/local/share/protocols/validcertssl.pat
+++ b/usr/local/share/protocols/validcertssl.pat
@@ -1,7 +1,8 @@
 # Valid certificate SSL
-# Pattern attributes: good notsofast notsofast subset
+# Pattern attributes: good slow notsofast subset
 # Protocol groups: secure ietf_proposed_standard
 # Wiki: http://www.protocolinfo.org/wiki/SSL
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 # This matches anything claiming to use a valid certificate from a well
 # known certificate authority.
diff --git a/usr/local/share/protocols/ventrilo.pat b/usr/local/share/protocols/ventrilo.pat
index 7ee9c13..74e588c 100644
--- a/usr/local/share/protocols/ventrilo.pat
+++ b/usr/local/share/protocols/ventrilo.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: good fast fast
 # Protocol groups: voip proprietary
 # Wiki: http://www.protocolinfo.org/wiki/Ventrilo
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # I have tested this with Ventrilo client 2.3.0 on Windows talking to
 # Ventrilo server 2.3.1 (the public version) on Linux. I've done this
diff --git a/usr/local/share/protocols/vnc.pat b/usr/local/share/protocols/vnc.pat
index 9f77fdf..79d0ae8 100644
--- a/usr/local/share/protocols/vnc.pat
+++ b/usr/local/share/protocols/vnc.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: great veryfast fast
 # Protocol groups: remote_access
 # Wiki: http://www.protocolinfo.org/wiki/VNC
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # http://www.realvnc.com/documentation.html
 #
diff --git a/usr/local/share/protocols/whois.pat b/usr/local/share/protocols/whois.pat
index 0c8d0d0..6abf0e8 100644
--- a/usr/local/share/protocols/whois.pat
+++ b/usr/local/share/protocols/whois.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: good notsofast notsofast overmatch
 # Protocol groups: networking ietf_draft_standard
 # Wiki: http://www.protocolinfo.org/wiki/Whois
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 #
 # Usually runs on TCP port 43
 #
diff --git a/usr/local/share/protocols/worldofwarcraft.pat b/usr/local/share/protocols/worldofwarcraft.pat
index dae2643..4136d79 100644
--- a/usr/local/share/protocols/worldofwarcraft.pat
+++ b/usr/local/share/protocols/worldofwarcraft.pat
@@ -2,6 +2,7 @@
 # Pattern attributes: ok veryfast fast
 # Protocol groups: game proprietary
 # Wiki: http://www.protocolinfo.org/wiki/World_of_Warcraft
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
 worldofwarcraft
 ^\x06\xec\x01
diff --git a/usr/local/share/protocols/x11.pat b/usr/local/share/protocols/x11.pat
index f42b98f..2028ee7 100644
--- a/usr/local/share/protocols/x11.pat
+++ b/usr/local/share/protocols/x11.pat
@@ -1,7 +1,8 @@ # X Windows Version 11 - Networked GUI system used in most Unices -# Pattern attributes: good notsofast fast +# Pattern attributes: good notsofast veryfast # Protocol groups: remote_access x_consortium_standard # Wiki: http://www.protocolinfo.org/wiki/X11 +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # It is common for X to be tunneled through SSH. Then obviously this pattern # will not catch it. diff --git a/usr/local/share/protocols/xboxlive.pat b/usr/local/share/protocols/xboxlive.pat index 8d402cf..d04d9a7 100644 --- a/usr/local/share/protocols/xboxlive.pat +++ b/usr/local/share/protocols/xboxlive.pat @@ -1,7 +1,8 @@ # XBox Live - Console gaming -# pattern attributes: marginal slow notsofast +# Pattern attributes: marginal slow notsofast # Protocol groups: game proprietary # Wiki: http://www.protocolinfo.org/wiki/XBox_Live +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # This may match all XBox traffic, or may only match Halo 2 traffic. # We don't know yet. diff --git a/usr/local/share/protocols/xunlei.pat b/usr/local/share/protocols/xunlei.pat index c362e37..f7814c7 100644 --- a/usr/local/share/protocols/xunlei.pat +++ b/usr/local/share/protocols/xunlei.pat 
@@ -1,14 +1,83 @@ # Xunlei - Chinese P2P filesharing - http://xunlei.com -# Pattern attributes: good veryfast fast +# Pattern attributes: good slow notsofast # Protocol groups: p2p # Wiki: http://www.protocolinfo.org/wiki/Xunlei +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # -# This has been tested by three people. It definitely catches some -# streams. +# This has been tested by a number of people. # # Written by wsgtrsys of www.routerclub.com. Improved by VeNoMouS. # Improved more by wsgtrsys and platinum of bbs.chinaunix.net. +# +# Further additions of HTTP-like content by liangjunATdcuxD.Tcom, who +# says: "i find old pattern is not working . so i write a new pattern of +# xunlei,it's working with all of xunlei 5 version!" Matthew Strait notes +# in response: +# +# I've looked around and I'm fairly sure that Internet Explorer 5.0 +# never identifies itself as "Mozilla/4.0 (compatible; MSIE 5.00; +# Windows 98)" and that Internet Explorer 6.0 never identifies itself as +# either "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; )" or +# "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)". + +# The keep-alive part needs some examination too. These might validly +# occur in an HTTP/1.0 connection, although I think in practical cases +# they don't since there's general only one \x0d\x0a after it and/or the +# next line starts with a letter (especially because it's the client +# sending it). It wouldn't be crazy, though, if another protocol +# (besides Xunlei) used keep-alive in a way that did match this. But +# since I can't think of any examples, I'll assume it's ok for now. xunlei -^[()]...?.?.?(reg|get|query) +^([()]|get)(...?.?.?(reg|get|query)|.+User-Agent: (Mozilla/4\.0 \(compatible; (MSIE 6\.0; Windows NT 5\.1;? ?\)|MSIE 5\.00; Windows 98\))))|Keep-Alive\x0d\x0a\x0d\x0a[26] + +# This was the pattern until 2008 11 08. 
It is safer than the above against +# overmatching ordinary HTTP connections +#^[()]...?.?.?(reg|get|query) + +# More detail: +# From http://sourceforge.net/tracker/index.php?func=detail&aid=1885209&group_id=80085&atid=558668 +# +############################################################################## +# Date: 2008-02-03 +# Sender: hydr0g3n +# +# Xunlei (Chinese P2P) traffic is not matched anymore by layer7 xunlei +# pattern. It used to work in the past but not anymore. Maybe Xunlei was +# updated and pattern should be adapted? +# +# Apparently ipp2p was edited by Chinese people to detect pplive and xunlei. +# It is interesting and very recent: +# http://www.chinaunix.net/jh/4/914377.html +############################################################################## +# Date: 2008-02-03 +# Sender: quadong +# +# Ok. Only some of the ipp2p function can be translated into an l7-filter +# regular expression. The first part of search_xunlei can't be, since it +# works by checking whether the length of the packet matches a byte in the +# packet. The second part of search_xunlei becomes: +# +# \x20.?\x01?.?[\x01\x77]............?.?.?.?\x38 +# +# Or possibly: +# +# ^\x20.?\x01?.?[\x01\x77]............?.?.?.?\x38 +# +# I'm not sure whether IPP2P looks at every packet or only the first of each +# connection. +# +# udp_search_xunlei says: +# \x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff +# +# Again, putting a ^ at the beginning might work: +# +# ^(\x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff) +# +# So this *might* work: +# +# ^(\x20.?\x01?.?[\x01\x77]............?.?.?.?\x38|\x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff) +# +# but the ^ might be wrong and it will not match the HTTP part of Xunlei. +############################################################################## diff --git a/usr/local/share/protocols/yahoo.pat b/usr/local/share/protocols/yahoo.pat index 537349a..17595b8 100644 --- a/usr/local/share/protocols/yahoo.pat 
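Review bot: The new active `xunlei` expression leaves its last alternative, `Keep-Alive\x0d\x0a\x0d\x0a[26]`, outside the `^` group, so as written that branch is not tied to the start of the connection data. The added comments themselves say keep-alive may validly occur in an HTTP/1.0 connection and that the old pattern is safer against overmatching ordinary HTTP. Anyone who blocks or shapes traffic on this pattern should therefore expect some ordinary HTTP to be classified as Xunlei, yet the header does not warn of it; I would change the attributes line to `# Pattern attributes: good slow notsofast overmatch`, the tag whois.pat already carries. If the anchor was meant to cover every branch, wrap the whole alternation in one group after `^`; if the unanchored branch is intentional, a one-line comment directly above the pattern should say so.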
+++ b/usr/local/share/protocols/yahoo.pat @@ -2,6 +2,7 @@ # Pattern attributes: good fast fast # Protocol groups: chat proprietary # Wiki: http://www.protocolinfo.org/wiki/Yahoo_Messenger +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # Usually runs on port 5050 # diff --git a/usr/local/share/protocols/zmaap.pat b/usr/local/share/protocols/zmaap.pat index d21ad80..e741eca 100644 --- a/usr/local/share/protocols/zmaap.pat +++ b/usr/local/share/protocols/zmaap.pat @@ -2,6 +2,7 @@ # Pattern attributes: ok veryfast fast # Protocol groups: networking ietf_draft_standard # Wiki: http://www.protocolinfo.org/wiki/ZMAAP +# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # # http://files.zeroconf.org/draft-ietf-zeroconf-zmaap-02.txt # (Note that this reference is an Internet-Draft, and therefore must -- cgit v1.1