Felix Fietkau
19 years ago
parent
7164dc5f27
commit
198e0eb841
@ -0,0 +1,27 @@ |
||||
# AIM - AOL instant messenger (OSCAR and TOC) |
||||
# Pattern quality: good notsofast |
||||
# Usually runs on port 5190 |
||||
# |
||||
# This may also match ICQ traffic. |
||||
# |
||||
# This pattern has been tested and is believed to work well. If it does not |
||||
# work for you, or you believe it could be improved, please post to |
||||
# l7-filter-developers@lists.sf.net . This list may be subscribed to at |
||||
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers |
||||
|
||||
aim |
||||
# See http://gridley.acns.carleton.edu/~straitm/final (and various other places) |
||||
# The first bit matches OSCAR signon and data commands, but not sure what |
||||
# \x03\x0b matches, but it works apparently. |
||||
# The next three bits match various parts of the TOC signon process. |
||||
# The third one is the magic number "*", then 0x01 for "signon", then up to four |
||||
# bytes ("up to" because l7-filter strips out nulls) which contain a sequence |
||||
# number (2 bytes) the data length (2 more) and 3 nulls (which don't count), |
||||
# then 0x01 for the version number (not sure if there ever has been another |
||||
# version) |
||||
# The fourth one is a command string, followed by some stuff, then the |
||||
# beginning of the "roasted" password |
||||
|
||||
# This pattern is too slow! |
||||
|
||||
^(\*[\x01\x02].*\x03\x0b|\*\x01.?.?.?.?\x01)|flapon|toc_signon.*0x |
||||
@ -0,0 +1,14 @@ |
||||
# Bittorrent - P2P filesharing / publishing tool - http://www.bittorrent.com |
||||
# Pattern quality: great veryfast |
||||
# |
||||
# This pattern has been tested and is believed to work well. If it does not |
||||
# work for you, or you believe it could be improved, please post to |
||||
# l7-filter-developers@lists.sf.net . This list may be subscribed to at |
||||
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers |
||||
bittorrent |
||||
|
||||
# Does not attempt to match the HTTP download of the tracker |
||||
# 0x13 is the length of "bittorrent protocol" |
||||
# Second two bits match UDP wierdness, commented out until it's tested |
||||
#^(\x13bittorrent protocol|d1:ad2:id20:|\x08'7P\)[RP]) |
||||
^\x13bittorrent protocol |
||||
@ -0,0 +1,8 @@ |
||||
# eDonkey2000 - P2P filesharing (download part) - http://edonkey2000.com |
||||
# Pattern quality: good veryfast overmatch usepacket |
||||
|
||||
edonkey-dl |
||||
|
||||
^[\xe3\xe4\xc5\xe5\xd4](....)?[\x01\x0a\x0e\x0f\x10\x18\x19\x1b\x1c\x47\x4a\x4f\x51\x53\x54\x58\x60\x81\x90\x96\x9a\x9c\xa2] |
||||
|
||||
|
||||
@ -0,0 +1,29 @@ |
||||
# eDonkey2000 - P2P filesharing - http://edonkey2000.com |
||||
# Pattern quality: good veryfast overmatch |
||||
# |
||||
# Please post to l7-filter-developers@lists.sf.net as to whether this pattern |
||||
# works for you or not. If you believe it could be improved please post your |
||||
# suggestions to that list as well. You may subscribe to this list at |
||||
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers |
||||
|
||||
# Thanks to Matt Skidmore <fox AT woozle.org> |
||||
|
||||
edonkey |
||||
|
||||
# http://gd.tuwien.ac.at/opsys/linux/sf/p/pdonkey/eDonkey-protocol-0.6 |
||||
# |
||||
# In addition to \xe3, \xc5 and \xd4, I see a lot of \xe5 |
||||
# |
||||
# God this is a mess. What an irritating protocol. |
||||
# This will match about 1% of streams with random data in them! |
||||
|
||||
^[\xe3\xc5\xe5\xd4](....)?([\x01\x02\x05\x14\x15\x16\x18\x19\x1a\x1b\x1c\x20\x21\x32\x33\x34\x35\x36\x38\x40\x41\x42\x43\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x5b\x5c\x60\x81\x82\x90\x91\x93\x96\x97\x98\x99\x9a\x9b\x9c\x9e\xa0\xa1\xa2\xa3\xa4]|\x59................?[ -~]|\x96....$) |
||||
|
||||
# matches everything and too much |
||||
# ^(\xe3|\xc5|\xd4) |
||||
|
||||
# ipp2p essentially uses "\xe3....\x47", which doesn't seem at all right to me. |
||||
|
||||
# bandwidtharbitrator uses |
||||
# e0.*@.*6[a-z].*p$|e0.*@.*[a-z]6[a-z].*p0$|e.*@.*[0-9]6.*p$|emule|edonkey |
||||
# no comments to explain what all the mush is, of course... |
||||
@ -0,0 +1,25 @@ |
||||
# FastTrack - P2P filesharing (Kazaa, Morpheus, iMesh, Grokster, etc) |
||||
# Pattern quality: good notsofast |
||||
# |
||||
# Tested with Kazaa Lite Resurrection 0.0.7.6F |
||||
# |
||||
# This appears to match the download connections well, but not the search |
||||
# connections (I think they are encrypted :-( ). |
||||
# |
||||
# Please post to l7-filter-developers@lists.sf.net as to whether it works |
||||
# for you or not. If you believe it could be improved please post your |
||||
# suggestions to that list as well. You may subscribe to this list at |
||||
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers |
||||
|
||||
fasttrack |
||||
# while this is a valid http request, this will be caught because |
||||
# the http pattern matches the response (and therefore the next packet) |
||||
# Even so, it's best to put this match earlier in the chain. |
||||
# http://cvs.berlios.de/cgi-bin/viewcvs.cgi/gift-fasttrack/giFT-FastTrack/PROTOCOL?rev=HEAD&content-type=text/vnd.viewcvs-markup |
||||
|
||||
# This pattern is kinda slow, but not too bad. |
||||
^get (/.download/[ -~]*|/.supernode[ -~]|/.status[ -~]|/.network[ -~]*|/.files|/.hash=[0-9a-f]*/[ -~]*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]? |
||||
|
||||
# This isn't much faster: |
||||
#^get (/.download/.*|/.supernode.|/.status.|/.network.*|/.files|/.hash=[0-9a-f]*/.*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]? |
||||
|
||||
@ -0,0 +1,34 @@ |
||||
# FTP - File Transfer Protocol - RFC 959 |
||||
# Pattern quality: great fast |
||||
# |
||||
# Usually runs on port 21. Note that the data stream is on a dynamically |
||||
# assigned port, which means that you will need the FTP connection |
||||
# tracking module in your kernel to usefully match FTP data transfers. |
||||
# |
||||
# This pattern is well tested. If it does not |
||||
# work for you, or you believe it could be improved, please post to |
||||
# l7-filter-developers@lists.sf.net . This list may be subscribed to at |
||||
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers |
||||
# |
||||
# Matches the first two things a server should say. Most servers say |
||||
# something after 220, even though they don't have to, and it usually |
||||
# includes the string "ftp" (l7-filter is case insensitive). |
||||
# This includes proftpd, vsftpd, wuftpd, warftpd, pureftpd, Bulletproof |
||||
# FTP Server, and whatever ftp.microsoft.com uses. Just in case, the next |
||||
# thing the server sends is a 331. All the above servers also send |
||||
# something including "password" after this code. |
||||
ftp |
||||
# actually, let's just do the first for now, it's faster |
||||
^220[\x09-\x0d -~]*ftp |
||||
|
||||
# This is ~10x faster if the stream starts with "220" |
||||
#^220.*ftp |
||||
|
||||
# This will match more, but much slower |
||||
#^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*password |
||||
|
||||
# This pattern is more precise, but takes longer to match. (3 packets vs. 1) |
||||
#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a331 |
||||
|
||||
# same as above, but slightly less precise and only takes 2 packets. |
||||
#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a |
||||
@ -0,0 +1,36 @@ |
||||
# Gnutella - P2P filesharing |
||||
# Pattern quality: good fast |
||||
# |
||||
# This should match both Gnutella and "Gnutella2" ("Mike's protocol") |
||||
# |
||||
# Various clients use this protocol including Mactella, Shareaza, |
||||
# GTK-gnutella, Gnucleus, Gnotella, LimeWire, BearShare, and iMesh. |
||||
# |
||||
# This is tested with gtk-gnutella and Shareaza. |
||||
# |
||||
# Please report on how this pattern works for you at |
||||
# l7-filter-developers@lists.sf.net . If you can improve on this |
||||
# pattern, please also post to that list. You may subscribe at |
||||
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers |
||||
|
||||
# http://www.gnutella2.com/tiki-index.php?page=UDP%20Transceiver |
||||
# http://rfc-gnutella.sf.net/ |
||||
# http://www.gnutella2.com/tiki-index.php?page=Gnutella2%20Specification |
||||
# http://en.wikipedia.org/wiki/Shareaza |
||||
|
||||
gnutella |
||||
|
||||
# The first part matches UDP messages - All start with "GND", then have |
||||
# a flag byte which is either \x00, \x01 or \x02, then two sequence bytes |
||||
# that can be anything, then a fragment number, which must start at 1. |
||||
# The rest matches TCP first client message or first server message (in case |
||||
# we can't see client messages). Some parts of this are empirical rather than |
||||
# document based. Assumes version is between 0.0 and 2.9. (usually is |
||||
# 0.4 or 0.6). I'm guessing at many of the user-agents. |
||||
# The last bit is emprical and probably only matches Limewire. |
||||
^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|..................lime) |
||||
|
||||
# Needlessly precise, at the expense of time |
||||
#^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /[\x09-\x0d -~]*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /[\x09-\x0d -~]*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella[\x09-\x0d -~]*content-type: application/x-gnutella|..................lime) |
||||
|
||||
|
||||
@ -0,0 +1,28 @@ |
||||
# HTTP - HyperText Transfer Protocol - RFC 2616 |
||||
# Pattern quality: great notsofast |
||||
# Usually runs on port 80 |
||||
# |
||||
# This pattern has been tested and is believed to work well. If it does not |
||||
# work for you, or you believe it could be improved, please post to |
||||
# l7-filter-developers@lists.sf.net . This list may be subscribed to at |
||||
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers |
||||
# |
||||
# this intentionally catches the response from the server |
||||
# rather than the request so that other protocols which use |
||||
# http (like kazaa) can be caught based on specific http requests |
||||
# regardless of the ordering of filters... |
||||
# also matches posts |
||||
|
||||
# Sites that serve really long cookies may break this by pushing the |
||||
# server response too far away from the beginning of the connection. To |
||||
# fix this, increase the kernel's data buffer length. |
||||
|
||||
http |
||||
# Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF (rfc 2616) |
||||
# As specified in rfc 2616 a status code is preceeded and followed by a |
||||
# space. |
||||
http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019] |
||||
# A slightly faster version that might be good enough: |
||||
#http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]|post [\x09-\x0d -~]* http/[01]\.[019] |
||||
# old pattern(s): |
||||
#(http[\x09-\x0d -~]*(200 ok|302 |304 )[\x09-\x0d -~]*(connection:|content-type:|content-length:))|^(post [\x09-\x0d -~]* http/) |
||||
@ -0,0 +1,14 @@ |
||||
# Ident - Identification Protocol - RFC 1413 |
||||
# Pattern quality: good veryfast |
||||
# Usually runs on port 113 |
||||
# |
||||
# This pattern is believed to work. If it does not |
||||
# work for you, or you believe it could be improved, please post to |
||||
# l7-filter-developers@lists.sf.net . This list may be subscribed to at |
||||
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers |
||||
|
||||
ident |
||||
# "number , numberCRLF" possibly without the CR and/or LF. |
||||
# ^$ is appropriate because the first packet should never have anything |
||||
# else in it. |
||||
^[1-9][0-9]?[0-9]?[0-9]?[0-9]?[\x09-\x0d]*,[\x09-\x0d]*[1-9][0-9]?[0-9]?[0-9]?[0-9]?(\x0d\x0a|[\x0d\x0a])?$ |
||||
@ -0,0 +1,20 @@ |
||||
# IRC - Internet Relay Chat - RFC 1459 |
||||
# Pattern quality: good veryfast |
||||
# |
||||
# Usually runs on port 6666 or 6667 |
||||
# Note that chat traffic runs on these ports, but IRC-DCC traffic (which |
||||
# can use much more bandwidth) uses a dynamically assigned port, so you |
||||
# must have the IRC connection tracking module in your kernel to classify |
||||
# this. |
||||
# |
||||
# This pattern has been tested and is believed to work well. If it does not |
||||
# work for you, or you believe it could be improved, please post to |
||||
# l7-filter-developers@lists.sf.net . This list may be subscribed to at |
||||
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers |
||||
|
||||
irc |
||||
# First thing that happens is that the client sends NICK and USER, in |
||||
# either order. This allows MIRC color codes (\x02-\x0d instead of |
||||
# \x09-\x0d). |
||||
^(nick[\x09-\x0d -~]*user[\x09-\x0d -~]*:|user[\x09-\x0d -~]*:[\x02-\x0d -~]*nick[\x09-\x0d -~]*\x0d\x0a) |
||||
|
||||
@ -0,0 +1,24 @@ |
||||
# Jabber (XMPP) - an open instant messenger protocol - http://jabber.org |
||||
# Pattern quality: good fast |
||||
# |
||||
# This pattern has been tested with Gaim and Gabber. It is only tested |
||||
# with non-SSL mode Jabber with no proxies. If it does not |
||||
# work for you, or you believe it could be improved, please post to |
||||
# l7-filter-developers@lists.sf.net . This list may be subscribed to at |
||||
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers |
||||
|
||||
# Thanks to Jan Hudec for some improvements. |
||||
|
||||
# Jabber seems to take a long time to set up a connection. I'm |
||||
# connecting with Gabber 0.8.8 to 12jabber.org and the first 8 packets |
||||
# is this: |
||||
# <stream:stream to='12jabber.com' xmlns='jabber:client' |
||||
# xmlns:stream='http://etherx.jabber.org/streams'><?xml |
||||
# version='1.0'?><stream:stream |
||||
# xmlns:stream='http://etherx.jabber.org/streams' id='3f73e951' |
||||
# xmlns='jabber:client' from='12jabber.com'> |
||||
# |
||||
# No mention of my username or password yet, you'll note. |
||||
|
||||
jabber |
||||
<stream:stream[\x09-\x0d ][ -~]*[\x09-\x0d ]xmlns=['"]jabber |
||||
@ -0,0 +1,15 @@ |
||||
# MSN Messenger - Microsoft Network chat client |
||||
# Pattern quality: good veryfast |
||||
# |
||||
# Usually uses port 1863 |
||||
# http://www.hypothetic.org/docs/msn/index.php |
||||
# |
||||
# This pattern has been tested and is believed to work well. If it does not |
||||
# work for you, or you believe it could be improved, please post to |
||||
# l7-filter-developers@lists.sf.net . This list may be subscribed to at |
||||
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers |
||||
|
||||
msnmessenger |
||||
# ver: allow versions up to 99. |
||||
# usr (in case ver didn't work): |
||||
^(ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]* cvr|usr md5 i [ -~]*) |
||||
@ -0,0 +1,17 @@ |
||||
# (S)NTP - (Simple) Network Time Protocol - RFCs 1305 and 2030 |
||||
# Pattern quality: good veryfast overmatch |
||||
# |
||||
# This pattern is tested and is believed to work. If this does not work |
||||
# for you, or you believe it could be improved, please post to |
||||
# l7-filter-developers@lists.sf.net . Subscribe at |
||||
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers |
||||
|
||||
# client|server |
||||
# Requires the server's timestamp to be in the present or future (of 2005). |
||||
# Tested with ntpdate on Linux. |
||||
# Assumes version 2, 3 or 4. |
||||
|
||||
# Note that ntp packets are always 48 bytes, so you should match on that too. |
||||
|
||||
ntp |
||||
^([\x13\x1b\x23\xd3\xdb\xe3]|[\x14\x1c$].......?.?.?.?.?.?.?.?.?[\xc6-\xff]) |
||||
@ -0,0 +1,50 @@ |
||||
# POP3 - Post Office Protocol version 3 (popular e-mail protocol) - RFC 1939 |
||||
# Pattern quality: good veryfast |
||||
# |
||||
# This pattern has been tested somewhat. If it does not |
||||
# work for you, or you believe it could be improved, please post to |
||||
# l7-filter-developers@lists.sf.net . This list may be subscribed to at |
||||
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers |
||||
|
||||
# this is a difficult protocol to match because of the relative lack of |
||||
# distinguishing information. Read on. |
||||
pop3 |
||||
|
||||
# this the most conservative pattern. It should definitely work. |
||||
#^(\+ok|-err) |
||||
|
||||
# this pattern assumes that the server says _something_ after +ok or -err |
||||
# I think this is probably the way to go. |
||||
^(\+ok |-err ) |
||||
|
||||
# more that 90% of servers seem to say "pop" after "+ok", but not all. |
||||
#^(\+ok .*pop) |
||||
|
||||
# Here's another tack. I think this is my second favorite. |
||||
#^(\+ok [\x09-\x0d -~]*(ready|hello|pop|starting)|-err [\x09-\x0d -~]*(invalid|unknown|unimplemented|unrecognized|command)) |
||||
|
||||
# this matches the server saying "you have N messages that are M bytes", |
||||
# which the client probably asks for early in the session (not tested) |
||||
#\+ok [0-9]+ [0-9]+ |
||||
|
||||
# some sample servers: |
||||
# RFC example: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us> |
||||
# mail.dreamhost.com: +OK Hello there. |
||||
# pop.carleton.edu: +OK POP3D(*) Server PMDFV6.2.2 at Fri, 12 Sep 2003 19:28:10 -0500 (CDT) (APOP disabled) |
||||
# mail.earthlink.net: +OK NGPopper vEL_4_38 at earthlink.net ready <25509.1063412951@falcon> |
||||
# *.email.umn.edu: +OK Cubic Circle's v1.22 1998/04/11 POP3 ready <7d1e0000da67623f@aquamarine.tc.umn.edu> |
||||
# mail.yale.edu: +OK POP3 pantheon-po01 v2002.81 server ready |
||||
# mail.gustavus.edu: +OK POP3 solen v2001.78 server ready |
||||
# mail.reed.edu: +OK POP3 letra.reed.edu v2002.81 server ready |
||||
# mail.bowdoin.edu: +OK mail.bowdoin.edu POP3 service (iPlanet Messaging Server 5.2 HotFix 1.15 (built Apr 28 2003)) |
||||
# pop.colby.edu: +OK Qpopper (version 4.0.5) at basalt starting. |
||||
# mail.mac.com: +OK Netscape Messaging Multiplexor ready |
||||
|
||||
# various error strings: |
||||
#-ERR Invalid command. |
||||
#-ERR invalid command |
||||
#-ERR unimplemented |
||||
#-ERR Invalid command, try one of: USER name, PASS string, QUIT |
||||
#-ERR Unknown AUTHORIZATION state command |
||||
#-ERR Unrecognized command |
||||
#-ERR Unknown command: "sadf'". |
||||
@ -0,0 +1,39 @@ |
||||
# SMTP - Simple Mail Transfer Protocol - RFC 2821 (See also RFC 1869) |
||||
# Pattern quality: great fast |
||||
# usually runs on port 25 |
||||
# |
||||
# This pattern has been tested and is believed to work well. If it does not |
||||
# work for you, or you believe it could be improved, please post to |
||||
# l7-filter-developers@lists.sf.net . This list may be subscribed to at |
||||
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers |
||||
|
||||
smtp |
||||
# As usual, no text is required after "220", but all known servers have some |
||||
# there. It (almost?) always has string "smtp" in it. The RFC examples |
||||
# does not, so we match those too, just in case anyone has copied them |
||||
# literally. |
||||
^220[\x09-\x0d -~]* (e?smtp|simple mail) |
||||
|
||||
# This is ~3x faster if the stream starts with "220" |
||||
#^220.* (e?smtp|simple mail) |
||||
|
||||
# Some examples: |
||||
# 220 mail.stalker.com ESMTP CommuniGate Pro 4.1.3 |
||||
# 220 mail.vieodata.com ESMTP Merak 6.1.0; Mon, 15 Sep 2003 13:48:11 -0400 |
||||
# 220 mail.ut.caldera.com ESMTP |
||||
# 220 persephone.pmail.gen.nz ESMTP server ready. |
||||
# 220 smtp1.superb.net ESMTP |
||||
# 220 mail.kerio.com Kerio MailServer 5.6.7 ESMTP ready |
||||
# 220-mail.deerfield.com ESMTP VisNetic.MailServer.v6.0.9.0; Mon, 15 Sep 2003 13:4 |
||||
# 220 altn.com ESMTP MDaemon 6.8.5; Mon, 15 Sep 2003 12:46:42 -0500 |
||||
# 220 X1 NT-ESMTP Server ipsmin0165atl2.interland.net (IMail 6.06 73062-3) |
||||
# 220 mail.icewarp.com ESMTP Merak 6.1.1; Mon, 15 Sep 2003 19:43:23 +0200 |
||||
# 220-mail.email-scan.com ESMTP |
||||
# 220 smaug.dreamhost.com ESMTP |
||||
# 220 kona.carleton.edu -- Server ESMTP (PMDF V6.2#30648) |
||||
# 220 letra.reed.edu ESMTP Sendmail 8.12.9/8.12.9; Mon, 15 Sep 2003 10:35:57 -0700 (PDT) |
||||
# 220-swan.mail.pas.earthlink.net ESMTP Exim 3.33 #1 Mon, 15 Sep 2003 10:32:15 -0700 |
||||
# |
||||
# RFC examples: |
||||
# 220 xyz.com Simple Mail Transfer Service Ready (RFC example) |
||||
# 220 dbc.mtview.ca.us SMTP service ready |
||||
@ -0,0 +1,16 @@ |
||||
# SSH - Secure SHell |
||||
# Pattern quality: great veryfast |
||||
# usually runs on port 22 |
||||
# |
||||
# http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-22.txt |
||||
# |
||||
# This pattern has been tested and is believed to work well. If it does not |
||||
# work for you, or you believe it could be improved, please post to |
||||
# l7-filter-developers@lists.sf.net . This list may be subscribed to at |
||||
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers |
||||
|
||||
ssh |
||||
^ssh-[12]\.[0-9] |
||||
|
||||
# old pattern: |
||||
# (diffie-hellman-group-exchange-sha1|diffie-hellman-group1-sha1.ssh-rsa|ssh-dssfaes128-cbc|3des-cbc|blowfish-cbc|cast128-cbc|arcfour|aes192-cbc|aes256-cbc|rijndael-cbc@lysator.liu.sefaes128-cbc|3des-cbc|blowfish-cbc|cast128-cbc|arcfour|aes192-cbc|aes256-cbc|rijndael-cbc@lysator.liu.seuhmac-md5|hmac-sha1|hmac-ripemd160)+ |
||||
@ -0,0 +1,15 @@ |
||||
# SSL and TLS - Secure Socket Layer / Transport Layer Security - RFC 2246 |
||||
# Pattern quality: good fast |
||||
# Usually runs on port 443 |
||||
# |
||||
# This is a superset validcertssl. For it to match, it must be first. |
||||
# |
||||
# This pattern has been tested and is believed to work well. If it does not |
||||
# work for you, or you believe it could be improved, please post to |
||||
# l7-filter-developers@lists.sf.net . This list may be subscribed to at |
||||
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers |
||||
|
||||
ssl |
||||
# Client Hello | Server Hello with certificate |
||||
# This allows SSL 3.X, which includes TLS 1.0, known internally as SSL 3.1 |
||||
^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b) |
||||
@ -0,0 +1,23 @@ |
||||
# VNC - Virtual Network Computing. Also known as RFB - Remote Frame Buffer |
||||
# Pattern quality: good fast |
||||
# http://www.realvnc.com/documentation.html |
||||
# |
||||
# This pattern has been verified with vnc v3.3.7 on WinXP and Linux |
||||
# Please report on how this pattern works for you at |
||||
# l7-filter-developers@lists.sf.net . If you can improve on this pattern, |
||||
# please also post to that list. You may subscribe at |
||||
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers |
||||
# |
||||
# Thanks to Trevor Paskett <tpaskett AT cymphonix.com> for this pattern. |
||||
|
||||
vnc |
||||
# Assumes single digit major and minor version numbers |
||||
# This message should be all alone in the first packet, so ^$ is appropriate |
||||
^rfb 00[1-9]\.00[0-9]\x0a$ |
||||
|
||||
# This is a more restrictive version which assumes the version numbers |
||||
# are ones actually in existance at the time of this writing, i.e. 3.3, |
||||
# 3.7 and 3.8 (with some clients wrongly reporting 3.5). It should be |
||||
# slightly faster, but probably not worth the extra maintenance. |
||||
# ^rfb 003\.00[3578]\x0a$ |
||||
|
||||
Loading…
Reference in new issue