parent
c439768c9a
commit
85b17a4e9e
@ -1,14 +1,27 @@ |
||||
# Bittorrent - P2P filesharing / publishing tool - http://www.bittorrent.com |
||||
# Pattern quality: great veryfast |
||||
# Pattern attributes: good slow notsofast undermatch |
||||
# Protocol groups: p2p open_source |
||||
# Wiki: http://www.protocolinfo.org/wiki/Bittorrent |
||||
# |
||||
# This pattern has been tested and is believed to work well. If it does not |
||||
# work for you, or you believe it could be improved, please post to |
||||
# l7-filter-developers@lists.sf.net . This list may be subscribed to at |
||||
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers |
||||
# This pattern has been tested and is believed to work well. |
||||
# It will, however, not work on bittorrent streams that are encrypted, since |
||||
# it's impossible to match encrypted data (unless the encryption is extremely |
||||
# weak, like rot13 or something...). |
||||
|
||||
bittorrent |
||||
|
||||
# Does not attempt to match the HTTP download of the tracker |
||||
# 0x13 is the length of "bittorrent protocol" |
||||
# Second two bits match UDP wierdness, commented out until it's tested |
||||
#^(\x13bittorrent protocol|d1:ad2:id20:|\x08'7P\)[RP]) |
||||
^\x13bittorrent protocol |
||||
# Second two bits match UDP wierdness |
||||
# Next bit matches something Azureus does |
||||
# Ditto on the next bit. Could also match on "user-agent: azureus", but that's in the next |
||||
# packet and perhaps this will match multiple clients. |
||||
|
||||
# Recently the ^ was removed from before \x13. I think this was an accident, |
||||
# so I have restored it. |
||||
|
||||
# This is not a valid GNU basic regular expression (but that's ok). |
||||
^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=)|d1:ad2:id20:|\x08'7P\)[RP] |
||||
|
||||
# This pattern is "fast", but won't catch as much |
||||
#^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=) |
||||
|
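Review bot: in the new pattern line, `d1:ad2:id20:` and `\x08'7P\)[RP]` sit outside the `^( ... )` group, so unlike the first three alternatives they are not anchored to the start of the data and can match anywhere in the inspected bytes. The earlier comment said these were "commented out until it's tested"; the new comment drops that qualifier without saying what testing was done, and the header labels the pattern `undermatch` although unanchored short literals tend to cause the opposite problem. Either move them inside the anchored group or add a comment stating that the missing anchor is intended and what traffic they were checked against. The explanatory comments ("Second two bits", "Next bit", "Ditto on the next bit") also do not follow the order of the alternatives in the regex, so naming each alternative explicitly would make the mapping clear.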
@ -1,8 +0,0 @@ |
||||
# eDonkey2000 - P2P filesharing (download part) - http://edonkey2000.com |
||||
# Pattern quality: good veryfast overmatch usepacket |
||||
|
||||
edonkey-dl |
||||
|
||||
^[\xe3\xe4\xc5\xe5\xd4](....)?[\x01\x0a\x0e\x0f\x10\x18\x19\x1b\x1c\x47\x4a\x4f\x51\x53\x54\x58\x60\x81\x90\x96\x9a\x9c\xa2] |
||||
|
||||
|
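Review bot: `edonkey-dl` is deleted whole, and nothing in the visible lines says why or what replaces it. Any rule set that refers to the `edonkey-dl` pattern by name will stop finding it after this commit, so the commit message or a changelog entry should say whether the removal follows from the `overmatch` rating in its header and which pattern, if any, users should switch to.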
@ -1,15 +1,27 @@ |
||||
# MSN Messenger - Microsoft Network chat client |
||||
# Pattern quality: good veryfast |
||||
# Pattern attributes: good slow notsofast |
||||
# Protocol groups: chat proprietary |
||||
# Wiki: http://www.protocolinfo.org/wiki/MSN_Messenger |
||||
# |
||||
# Usually uses port 1863 |
||||
# Usually uses TCP port 1863 |
||||
# http://www.hypothetic.org/docs/msn/index.php |
||||
# http://msnpiki.msnfanatic.com/ |
||||
# |
||||
# This pattern has been tested and is believed to work well. If it does not |
||||
# work for you, or you believe it could be improved, please post to |
||||
# l7-filter-developers@lists.sf.net . This list may be subscribed to at |
||||
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers |
||||
# This pattern has been tested and is believed to work well. |
||||
|
||||
msnmessenger |
||||
# ver: allow versions up to 99. |
||||
# usr (in case ver didn't work): |
||||
^(ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]* cvr|usr md5 i [ -~]*) |
||||
|
||||
# First branch: login |
||||
# ver: allow versions up to 99. |
||||
# I've never seen a cvr other than cvr0. Maybe this will be trouble later? |
||||
# Can't anchor at the beginning because sometimes this is encapsulated in |
||||
# HTTP. But either way, the first packet ends like this. |
||||
# Second/Third branches: accepting/sending a message |
||||
# I will assume that these can also be encapsulated in HTTP, although I have |
||||
# not checked. Example of each direction: |
||||
# ANS 1 quadong@hotmail.com 1139803431.29427 17522047 |
||||
# USR 1 quadong@hotmail.com 530423708.968145.366138 |
||||
|
||||
# Branches are written entirely separately for better performance. |
||||
ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]*cvr0\x0d\x0a$|usr 1 [!-~]+ [0-9. ]+\x0d\x0a$|ans 1 [!-~]+ [0-9. ]+\x0d\x0a$ |
||||
|
||||
|
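Review bot: the new `usr 1 ...` and `ans 1 ...` branches hard-code the number after the command as `1`, and the `ver` branch hard-codes `cvr0`. The comments raise the doubt for `cvr0` only; please state in a comment whether `1` is always the value expected in the first packet, or relax it to `[0-9]+`. With the leading `^` dropped to allow for HTTP encapsulation, the `\x0d\x0a$` tail is the only anchor left in each branch, which deserves a line on the overmatch risk next to the `good` rating. The two example lines also carry what looks like a real e-mail address; a placeholder address would document the format equally well.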
@ -1,15 +1,15 @@ |
||||
# SSL and TLS - Secure Socket Layer / Transport Layer Security - RFC 2246 |
||||
# Pattern quality: good fast |
||||
# Pattern attributes: good notsofast fast superset |
||||
# Protocol groups: secure ietf_proposed_standard |
||||
# Wiki: http://www.protocolinfo.org/wiki/SSL |
||||
# |
||||
# Usually runs on port 443 |
||||
# |
||||
# This is a superset validcertssl. For it to match, it must be first. |
||||
# This is a superset of validcertssl. For it to match, it must be first. |
||||
# |
||||
# This pattern has been tested and is believed to work well. If it does not |
||||
# work for you, or you believe it could be improved, please post to |
||||
# l7-filter-developers@lists.sf.net . This list may be subscribed to at |
||||
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers |
||||
# This pattern has been tested and is believed to work well. |
||||
|
||||
ssl |
||||
# Client Hello | Server Hello with certificate |
||||
# Server Hello with certificate | Client Hello |
||||
# This allows SSL 3.X, which includes TLS 1.0, known internally as SSL 3.1 |
||||
^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b) |
||||
|
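Review bot: the new attributes line lists both `notsofast` and `fast`, which reads as a contradiction; add a word on what each refers to or keep only one. The regex line appears only once in the hunk, so the swap of the branch comment to "Server Hello with certificate | Client Hello" looks like a documentation-only change, and the commit message should confirm that the new order is the one that corresponds to the two alternatives as written.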