iptables: remove obsolete files

Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45494
master
Felix Fietkau 10 years ago
parent af4d04ed36
commit 563c26a34f
  1. 28
      package/network/utils/iptables/files/l7/aim.pat
  2. 25
      package/network/utils/iptables/files/l7/bittorrent.pat
  3. 37
      package/network/utils/iptables/files/l7/edonkey.pat
  4. 23
      package/network/utils/iptables/files/l7/fasttrack.pat
  5. 46
      package/network/utils/iptables/files/l7/ftp.pat
  6. 34
      package/network/utils/iptables/files/l7/gnutella.pat
  7. 28
      package/network/utils/iptables/files/l7/http.pat
  8. 15
      package/network/utils/iptables/files/l7/ident.pat
  9. 20
      package/network/utils/iptables/files/l7/irc.pat
  10. 24
      package/network/utils/iptables/files/l7/jabber.pat
  11. 28
      package/network/utils/iptables/files/l7/msnmessenger.pat
  12. 17
      package/network/utils/iptables/files/l7/ntp.pat
  13. 50
      package/network/utils/iptables/files/l7/pop3.pat
  14. 40
      package/network/utils/iptables/files/l7/smtp.pat
  15. 16
      package/network/utils/iptables/files/l7/ssl.pat
  16. 23
      package/network/utils/iptables/files/l7/vnc.pat

@ -1,28 +0,0 @@
# AIM - AOL instant messenger (OSCAR and TOC)
# Pattern attributes: good slow notsofast
# Protocol groups: chat proprietary
# Wiki: http://www.protocolinfo.org/wiki/AIM
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 5190
#
# This may also match ICQ traffic.
#
# This pattern has been tested and is believed to work well.
aim
# See http://gridley.res.carleton.edu/~straitm/final (and various other places)
# The first bit matches OSCAR signon and data commands, but not sure what
# \x03\x0b matches, but it works apparently.
# The next three bits match various parts of the TOC signon process.
# The third one is the magic number "*", then 0x01 for "signon", then up to four
# bytes ("up to" because l7-filter strips out nulls) which contain a sequence
# number (2 bytes) the data length (2 more) and 3 nulls (which don't count),
# then 0x01 for the version number (not sure if there ever has been another
# version)
# The fourth one is a command string, followed by some stuff, then the
# beginning of the "roasted" password
# This pattern is too slow!
^(\*[\x01\x02].*\x03\x0b|\*\x01.?.?.?.?\x01)|flapon|toc_signon.*0x

@ -1,25 +0,0 @@
# Bittorrent - P2P filesharing / publishing tool - http://www.bittorrent.com
# Pattern attributes: good slow594 notsofast undermatch
# Protocol groups: p2p open_source
# Wiki: http://www.protocolinfo.org/wiki/Bittorrent
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested and is believed to work well.
# It will, however, not work on bittorrent streams that are encrypted, since
# it's impossible to match (well) encrypted data.
bittorrent
# Does not attempt to match the HTTP download of the tracker
# 0x13 is the length of "bittorrent protocol"
# Second two bits match UDP wierdness
# Next bit matches something Azureus does
# Ditto on the next bit. Could also match on "user-agent: azureus", but that's in the next
# packet and perhaps this will match multiple clients.
# bitcomet-specific strings contributed by liangjun.
# This is not a valid GNU basic regular expression (but that's ok).
^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]
# This pattern is "fast", but won't catch as much
#^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=)

@ -1,37 +0,0 @@
# eDonkey2000 - P2P filesharing - http://edonkey2000.com and others
# Pattern attributes: good veryfast fast overmatch
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/EDonkey
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Tested recently (April/May 2006) with eMule 0.47a and eDonkey2000 1.4
# and a long time ago with something else.
#
# In addition to matching what you might expect, this matches much of
# what eMule does when you tell it to only connect to the KAD network.
# I don't quite know what to make of this.
# Thanks to Matt Skidmore <fox AT woozle.org>
edonkey
# http://gd.tuwien.ac.at/opsys/linux/sf/p/pdonkey/eDonkey-protocol-0.6
#
# In addition to \xe3, \xc5 and \xd4, I see a lot of \xe5.
# As of April 2006, I also see some \xe4.
#
# God this is a mess. What an irritating protocol.
# This will match about 2% of streams with random data in them!
# (But fortunately much fewer than 2% of streams that are other protocols.
# You can test this with the data in ../testing/)
^[\xc5\xd4\xe3-\xe5].?.?.?.?([\x01\x02\x05\x14\x15\x16\x18\x19\x1a\x1b\x1c\x20\x21\x32\x33\x34\x35\x36\x38\x40\x41\x42\x43\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58[\x60\x81\x82\x90\x91\x93\x96\x97\x98\x99\x9a\x9b\x9c\x9e\xa0\xa1\xa2\xa3\xa4]|\x59................?[ -~]|\x96....$)
# matches everything and too much
# ^(\xe3|\xc5|\xd4)
# ipp2p essentially uses "\xe3....\x47", which doesn't seem at all right to me.
# bandwidtharbitrator uses
# e0.*@.*6[a-z].*p$|e0.*@.*[a-z]6[a-z].*p0$|e.*@.*[0-9]6.*p$|emule|edonkey
# no comments to explain what all the mush is, of course...

@ -1,23 +0,0 @@
# FastTrack - P2P filesharing (Kazaa, Morpheus, iMesh, Grokster, etc)
# Pattern attributes: good slow notsofast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/Fasttrack
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Tested with Kazaa Lite Resurrection 0.0.7.6F
#
# This appears to match the download connections well, but not the search
# connections (I think they are encrypted :-( ).
fasttrack
# while this is a valid http request, this will be caught because
# the http pattern matches the response (and therefore the next packet)
# Even so, it's best to put this match earlier in the chain.
# http://cvs.berlios.de/cgi-bin/viewcvs.cgi/gift-fasttrack/giFT-FastTrack/PROTOCOL?rev=HEAD&content-type=text/vnd.viewcvs-markup
# This pattern is kinda slow, but not too bad.
^get (/.download/[ -~]*|/.supernode[ -~]|/.status[ -~]|/.network[ -~]*|/.files|/.hash=[0-9a-f]*/[ -~]*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?
# This isn't much faster:
#^get (/.download/.*|/.supernode.|/.status.|/.network.*|/.files|/.hash=[0-9a-f]*/.*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?

@ -1,46 +0,0 @@
# FTP - File Transfer Protocol - RFC 959
# Pattern attributes: great notsofast fast
# Protocol groups: document_retrieval ietf_internet_standard
# Wiki: http://protocolinfo.org/wiki/FTP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 21. Note that the data stream is on a dynamically
# assigned port, which means that you will need the FTP connection
# tracking module in your kernel to usefully match FTP data transfers.
#
# This pattern is well tested.
#
# Handles the first two things a server should say:
#
# First, the server says it's ready by sending "220". Most servers say
# something after 220, even though they don't have to, and it usually
# includes the string "ftp" (l7-filter is case insensitive). This
# includes proftpd, vsftpd, wuftpd, warftpd, pureftpd, Bulletproof FTP
# Server, and whatever ftp.microsoft.com uses. Almost all servers use only
# ASCII printable characters between the "220" and the "FTP", but non-English
# ones might use others.
#
# The next thing the server sends is a 331. All the above servers also
# send something including "password" after this code. By default, we
# do not match on this because it takes another packet and is more work
# for regexec.
ftp
# by default, we allow only ASCII
^220[\x09-\x0d -~]*ftp
# This covers UTF-8 as well
#^220[\x09-\x0d -~\x80-\xfd]*ftp
# This allows any characters and is about 4x faster than either of the above
# (which are about the same as each other)
#^220.*ftp
# This is much slower
#^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*password
# This pattern is more precise, but takes longer to match. (3 packets vs. 1)
#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a331
# same as above, but slightly less precise and only takes 2 packets.
#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a

@ -1,34 +0,0 @@
# Gnutella - P2P filesharing
# Pattern attributes: good notsofast notsofast
# Protocol groups: p2p open_source
# Wiki: http://www.protocolinfo.org/wiki/Gnutella
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This should match both Gnutella and "Gnutella2" ("Mike's protocol")
#
# Various clients use this protocol including Mactella, Shareaza,
# GTK-gnutella, Gnucleus, Gnotella, LimeWire, iMesh and BearShare.
#
# This is tested with gtk-gnutella and Shareaza.
# http://www.gnutella2.com/tiki-index.php?page=UDP%20Transceiver
# http://rfc-gnutella.sf.net/
# http://www.gnutella2.com/tiki-index.php?page=Gnutella2%20Specification
# http://en.wikipedia.org/wiki/Shareaza
gnutella
# The first part matches UDP messages - All start with "GND", then have
# a flag byte which is either \x00, \x01 or \x02, then two sequence bytes
# that can be anything, then a fragment number, which must start at 1.
# The rest matches TCP first client message or first server message (in case
# we can't see client messages). Some parts of this are empirical rather than
# document based. Assumes version is between 0.0 and 2.9. (usually is
# 0.4 or 0.6). I'm guessing at many of the user-agents.
# The last bit is emprical and probably only matches Limewire.
^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|...................?lime)
# Needlessly precise, at the expense of time
#^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /[\x09-\x0d -~]*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /[\x09-\x0d -~]*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella[\x09-\x0d -~]*content-type: application/x-gnutella|..................lime)

@ -1,28 +0,0 @@
# HTTP - HyperText Transfer Protocol - RFC 2616
# Pattern attributes: great slow notsofast superset
# Protocol groups: document_retrieval ietf_draft_standard
# Wiki: http://protocolinfo.org/wiki/HTTP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 80
#
# This pattern has been tested and is believed to work well.
#
# this intentionally catches the response from the server rather than
# the request so that other protocols which use http (like kazaa) can be
# caught based on specific http requests regardless of the ordering of
# filters... also matches posts
# Sites that serve really long cookies may break this by pushing the
# server response too far away from the beginning of the connection. To
# fix this, increase the kernel's data buffer length.
http
# Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF (rfc 2616)
# As specified in rfc 2616 a status code is preceeded and followed by a
# space.
http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019]
# A slightly faster version that might be good enough:
#http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]|post [\x09-\x0d -~]* http/[01]\.[019]
# old pattern(s):
#(http[\x09-\x0d -~]*(200 ok|302 |304 )[\x09-\x0d -~]*(connection:|content-type:|content-length:))|^(post [\x09-\x0d -~]* http/)

@ -1,15 +0,0 @@
# Ident - Identification Protocol - RFC 1413
# Pattern attributes: good fast fast
# Protocol groups: networking ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/Ident
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 113
#
# This pattern is believed to work.
ident
# "number , numberCRLF" possibly without the CR and/or LF.
# ^$ is appropriate because the first packet should never have anything
# else in it.
^[1-9][0-9]?[0-9]?[0-9]?[0-9]?[\x09-\x0d]*,[\x09-\x0d]*[1-9][0-9]?[0-9]?[0-9]?[0-9]?(\x0d\x0a|[\x0d\x0a])?$

@ -1,20 +0,0 @@
# IRC - Internet Relay Chat - RFC 1459
# Pattern attributes: great veryfast fast
# Protocol groups: chat ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/IRC
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 6666 or 6667
# Note that chat traffic runs on these ports, but IRC-DCC traffic (which
# can use much more bandwidth) uses a dynamically assigned port, so you
# must have the IRC connection tracking module in your kernel to classify
# this.
#
# This pattern has been tested and is believed to work well.
irc
# First thing that happens is that the client sends NICK and USER, in
# either order. This allows MIRC color codes (\x02-\x0d instead of
# \x09-\x0d).
^(nick[\x09-\x0d -~]*user[\x09-\x0d -~]*:|user[\x09-\x0d -~]*:[\x02-\x0d -~]*nick[\x09-\x0d -~]*\x0d\x0a)

@ -1,24 +0,0 @@
# Jabber (XMPP) - open instant messenger protocol - RFC 3920 - http://jabber.org
# Pattern attributes: good notsofast notsofast
# Protocol groups: chat ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/Jabber
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested with Gaim and Gabber. It is only tested
# with non-SSL mode Jabber with no proxies.
# Thanks to Jan Hudec for some improvements.
# Jabber seems to take a long time to set up a connection. I'm
# connecting with Gabber 0.8.8 to 12jabber.org and the first 8 packets
# is this:
# <stream:stream to='12jabber.com' xmlns='jabber:client'
# xmlns:stream='http://etherx.jabber.org/streams'><?xml
# version='1.0'?><stream:stream
# xmlns:stream='http://etherx.jabber.org/streams' id='3f73e951'
# xmlns='jabber:client' from='12jabber.com'>
#
# No mention of my username or password yet, you'll note.
jabber
<stream:stream[\x09-\x0d ][ -~]*[\x09-\x0d ]xmlns=['"]jabber

@ -1,28 +0,0 @@
# MSN Messenger - Microsoft Network chat client
# Pattern attributes: good slow notsofast
# Protocol groups: chat proprietary
# Wiki: http://www.protocolinfo.org/wiki/MSN_Messenger
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually uses TCP port 1863
# http://www.hypothetic.org/docs/msn/index.php
# http://msnpiki.msnfanatic.com/
#
# This pattern has been tested and is believed to work well.
msnmessenger
# First branch: login
# ver: allow versions up to 99.
# I've never seen a cvr other than cvr0. Maybe this will be trouble later?
# Can't anchor at the beginning because sometimes this is encapsulated in
# HTTP. But either way, the first packet ends like this.
# Second/Third branches: accepting/sending a message
# I will assume that these can also be encapsulated in HTTP, although I have
# not checked. Example of each direction:
# ANS 1 quadong@hotmail.com 1139803431.29427 17522047
# USR 1 quadong@hotmail.com 530423708.968145.366138
# Branches are written entirely separately for better performance.
ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]*cvr0\x0d\x0a$|usr 1 [!-~]+ [0-9. ]+\x0d\x0a$|ans 1 [!-~]+ [0-9. ]+\x0d\x0a$

@ -1,17 +0,0 @@
# (S)NTP - (Simple) Network Time Protocol - RFCs 1305 and 2030
# Pattern attributes: good fast fast overmatch
# Protocol groups: time_synchronization ietf_draft_standard
# Wiki: http://www.protocolinfo.org/wiki/NTP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is tested and is believed to work.
# client|server
# Requires the server's timestamp to be in the present or future (of 2005).
# Tested with ntpdate on Linux.
# Assumes version 2, 3 or 4.
# Note that ntp packets are always 48 bytes, so you should match on that too.
ntp
^([\x13\x1b\x23\xd3\xdb\xe3]|[\x14\x1c$].......?.?.?.?.?.?.?.?.?[\xc6-\xff])

@ -1,50 +0,0 @@
# POP3 - Post Office Protocol version 3 (popular e-mail protocol) - RFC 1939
# Pattern attributes: great veryfast fast
# Protocol groups: mail ietf_internet_standard
# Wiki: http://www.protocolinfo.org/wiki/POP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested somewhat.
# this is a difficult protocol to match because of the relative lack of
# distinguishing information. Read on.
pop3
# this the most conservative pattern. It should definitely work.
#^(\+ok|-err)
# this pattern assumes that the server says _something_ after +ok or -err
# I think this is probably the way to go.
^(\+ok |-err )
# more that 90% of servers seem to say "pop" after "+ok", but not all.
#^(\+ok .*pop)
# Here's another tack. I think this is my second favorite.
#^(\+ok [\x09-\x0d -~]*(ready|hello|pop|starting)|-err [\x09-\x0d -~]*(invalid|unknown|unimplemented|unrecognized|command))
# this matches the server saying "you have N messages that are M bytes",
# which the client probably asks for early in the session (not tested)
#\+ok [0-9]+ [0-9]+
# some sample servers:
# RFC example: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>
# mail.dreamhost.com: +OK Hello there.
# pop.carleton.edu: +OK POP3D(*) Server PMDFV6.2.2 at Fri, 12 Sep 2003 19:28:10 -0500 (CDT) (APOP disabled)
# mail.earthlink.net: +OK NGPopper vEL_4_38 at earthlink.net ready <25509.1063412951@falcon>
# *.email.umn.edu: +OK Cubic Circle's v1.22 1998/04/11 POP3 ready <7d1e0000da67623f@aquamarine.tc.umn.edu>
# mail.yale.edu: +OK POP3 pantheon-po01 v2002.81 server ready
# mail.gustavus.edu: +OK POP3 solen v2001.78 server ready
# mail.reed.edu: +OK POP3 letra.reed.edu v2002.81 server ready
# mail.bowdoin.edu: +OK mail.bowdoin.edu POP3 service (iPlanet Messaging Server 5.2 HotFix 1.15 (built Apr 28 2003))
# pop.colby.edu: +OK Qpopper (version 4.0.5) at basalt starting.
# mail.mac.com: +OK Netscape Messaging Multiplexor ready
# various error strings:
#-ERR Invalid command.
#-ERR invalid command
#-ERR unimplemented
#-ERR Invalid command, try one of: USER name, PASS string, QUIT
#-ERR Unknown AUTHORIZATION state command
#-ERR Unrecognized command
#-ERR Unknown command: "sadf'".

@ -1,40 +0,0 @@
# SMTP - Simple Mail Transfer Protocol - RFC 2821 (See also RFC 1869)
# Pattern attributes: great notsofast fast
# Protocol groups: mail ietf_internet_standard
# Wiki: http://www.protocolinfo.org/wiki/SMTP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# usually runs on port 25
#
# This pattern has been tested and is believed to work well.
# As usual, no text is required after "220", but all known servers have some
# there. It (almost?) always has string "smtp" in it. The RFC examples
# does not, so we match those too, just in case anyone has copied them
# literally.
#
# Some examples:
# 220 mail.stalker.com ESMTP CommuniGate Pro 4.1.3
# 220 mail.vieodata.com ESMTP Merak 6.1.0; Mon, 15 Sep 2003 13:48:11 -0400
# 220 mail.ut.caldera.com ESMTP
# 220 persephone.pmail.gen.nz ESMTP server ready.
# 220 smtp1.superb.net ESMTP
# 220 mail.kerio.com Kerio MailServer 5.6.7 ESMTP ready
# 220-mail.deerfield.com ESMTP VisNetic.MailServer.v6.0.9.0; Mon, 15 Sep 2003 13:4
# 220 altn.com ESMTP MDaemon 6.8.5; Mon, 15 Sep 2003 12:46:42 -0500
# 220 X1 NT-ESMTP Server ipsmin0165atl2.interland.net (IMail 6.06 73062-3)
# 220 mail.icewarp.com ESMTP Merak 6.1.1; Mon, 15 Sep 2003 19:43:23 +0200
# 220-mail.email-scan.com ESMTP
# 220 smaug.dreamhost.com ESMTP
# 220 kona.carleton.edu -- Server ESMTP (PMDF V6.2#30648)
# 220 letra.reed.edu ESMTP Sendmail 8.12.9/8.12.9; Mon, 15 Sep 2003 10:35:57 -0700 (PDT)
# 220-swan.mail.pas.earthlink.net ESMTP Exim 3.33 #1 Mon, 15 Sep 2003 10:32:15 -0700
#
# RFC examples:
# 220 xyz.com Simple Mail Transfer Service Ready (RFC example)
# 220 dbc.mtview.ca.us SMTP service ready
smtp
^220[\x09-\x0d -~]* (e?smtp|simple mail)
userspace pattern=^220[\x09-\x0d -~]* (E?SMTP|[Ss]imple [Mm]ail)
userspace flags=REG_NOSUB REG_EXTENDED

@ -1,16 +0,0 @@
# SSL and TLS - Secure Socket Layer / Transport Layer Security - RFC 2246
# Pattern attributes: good notsofast fast superset
# Protocol groups: secure ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/SSL
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 443
#
# This is a superset of validcertssl. For it to match, it must be first.
#
# This pattern has been tested and is believed to work well.
ssl
# Server Hello with certificate | Client Hello
# This allows SSL 3.X, which includes TLS 1.0, known internally as SSL 3.1
^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b)

@ -1,23 +0,0 @@
# VNC - Virtual Network Computing. Also known as RFB - Remote Frame Buffer
# Pattern attributes: great veryfast fast
# Protocol groups: remote_access
# Wiki: http://www.protocolinfo.org/wiki/VNC
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# http://www.realvnc.com/documentation.html
#
# This pattern has been verified with vnc v3.3.7 on WinXP and Linux
#
# Thanks to Trevor Paskett <tpaskett AT cymphonix.com> for this pattern.
vnc
# Assumes single digit major and minor version numbers
# This message should be all alone in the first packet, so ^$ is appropriate
^rfb 00[1-9]\.00[0-9]\x0a$
# This is a more restrictive version which assumes the version numbers
# are ones actually in existance at the time of this writing, i.e. 3.3,
# 3.7 and 3.8 (with some clients wrongly reporting 3.5). It should be
# slightly faster, but probably not worth the extra maintenance.
# ^rfb 003\.00[3578]\x0a$
Loading…
Cancel
Save