l7-protocols-2009-05-28/README

*** WHAT'S GOING ON? ***

These are patterns (protocol definitions) for the Linux layer 7 packet
classifier (l7-filter). To use them, you need the kernel and iptables
patches (or l7-filter userspace version) available at
http://sf.net/projects/l7-filter/ . See the HOWTOs.

To install these patterns into their default location, say "make install".

For a nice way to view these patterns: http://l7-filter.sf.net/protocols

More information on the patterns can be found at http://protocolinfo.org
This wiki is intended to make it easy for the community to pool its
knowledge of how to identify network protocols.

*** WHAT'S IN HERE? ***

The patterns in the "protocols" directory are the mainstream ones. They
match protocols like HTTP, FTP, eDonkey2000, Kazaa, and so on.

"extra" is for patterns of less general interest.

"malware" contains patterns for viruses and worms.

"file_types" contains patterns for file types.

"testing" contains programs for testing the speed & accuracy of the patterns.

*** CAN I HELP? ***

Please report your experience with these patterns at http://protocolinfo.org

Or you can write to: l7-filter-developers@lists.sf.net . (You must
subscribe at http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
to post.) You can also e-mail Matthew Strait directly at
quadong AT users.sf.net

Please note that many of these patterns were NOT written by experts. So
if you think a pattern is broken and you know better, you may be right!


l7-protocols-2009-05-28/malware/README

This directory holds patterns for viruses, worms and the like.
Please see also ../file_types/README

# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

The patterns here now (Code Red, Nimda) are only for proof-of-concept. To
usefully control the spread of a new worm through bandwidth arbitration, it
will be necessary for new patterns to be written quickly in response to the
new worm. Also the patterns must be more flexible than the ones presented
here, as these only use simple string matching, which would be easily
defeated by any reasonably clever worm.


l7-protocols-2009-05-28/malware/code_red.pat

# Code Red - a worm that attacks Microsoft IIS web servers
# Pattern attributes: ok fast notsofast subset
# Protocol groups: worm
# Wiki: http://www.protocolinfo.org/wiki/CodeRed
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

code_red
/default\.ida\?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a


l7-protocols-2009-05-28/malware/nimda.pat

# Nimda - a worm that attacks Microsoft IIS web servers, and MORE!
# Pattern attributes: ok notsofast notsofast subset
# Protocol groups: worm
# Wiki: http://www.protocolinfo.org/wiki/Nimda
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

nimda
GET (/scripts/root\.exe\?/c\+dir|/MSADC/root\.exe\?/c\+dir|/c/winnt/system32/cmd\.exe\?/c\+dir|/d/winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/_vti_bin/\.\.%5c\.\./\.\.%5c\.\./\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/_mem_bin/\.\.%5c\.\./\.\.%5c\.\./\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/msadc/\.\.%5c\.\./\.\.%5c\.\./\.\.%5c/\.\.\xc1\x1c\.\./\.\.\xc1\x1c\.\./\.\.\xc1\x1c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc1\x1c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc0/\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc0\xaf\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc1\x9c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%35c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%35c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%2f\.\./winnt/system32/cmd\.exe\?/c\+dir)


l7-protocols-2009-05-28/testing/README

Using these programs, you can:

- test the speed of patterns.
- test whether your pattern matches random data (which is bad!).

Each test can be done with either the regular expression library that
the kernel version of l7-filter uses (written by Henry Spencer) or the
one that the userspace version of l7-filter uses (GNU).

Note that these are fairly crude tests. They are not certain to reflect
actual network performance.

Start by saying "make".

************************************************************************

To test the speed of your pattern, use timeit.sh

Run timeit.sh with no arguments for instructions.

You'll find that the Henry Spencer (kernel) library has some performance
quirks. Things we've noticed:

- Branches are very expensive. Testing for "foo|bar" takes much longer than
  twice as long as testing for "foo".
- Parentheses aren't optimized out. "(foo)" takes much longer than "foo".
- "^(foo|bar)" is much faster than "^foo|^bar".

***********************************************************************

To test whether your pattern matches random data, run test_match.sh

Run test_match.sh with no arguments for instructions.

***********************************************************************

___DEVELOPER INFORMATION___

1) The data directory holds packet captures to test against. The file
name format is: [protocol]-[optional letter]-[number]. The protocol is
the protocol and possibly some information about the situation. The
letter denotes which session the capture is from if there are several.
The number denotes how many packets the file contains. (To simulate what
l7-filter sees, the first file has only the first packet, the second has
the first two packets, and so on.)

(The ares data is a bit of a cheat. I let these files sit around for a
long time before putting them here, so I'm not sure what they are
exactly, except that they are Ares data and they clearly aren't in the
1, 1-2, 1-2-3 form described above.)

2) Everything here is a kludge held together by chewing gum and masking
tape. Note that test_speed-userspace is the backend for both timeit.sh
and test_match.sh for their userspace modes, but for their kernel modes,
they use the separate backends test_speed-kernel and match_kernel. Yuck.


l7-protocols-2009-05-28/testing/test_speed-kernel.c

/*
  Reads in up to MAX bytes and runs regexec against them TIMES times, using
  the regular expression given on the command line.

  Uses the Henry Spencer V8 regular expressions which the kernel version
  of l7-filter uses.

  See ../LICENCE for copyright
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include "regexp/regexp.c"

#define MAX 1500
#define TIMES 100000
#define MAX_PATTERN_LEN 8192

/* converts one hex digit to its value (the case ranges are a GCC extension) */
static int hex2dec(char c)
{
	switch (c)
	{
		case '0' ... '9':
			return c - '0';
		case 'a' ... 'f':
			return c - 'a' + 10;
		case 'A' ... 'F':
			return c - 'A' + 10;
		default:
			fprintf(stderr, "hex2dec: bad value!\n");
			exit(1);
	}
}

/* takes a string with \xHH escapes and returns one with the characters
they stand for */
static char * pre_process(char * s)
{
	size_t len = strlen(s);
	char * result = malloc(len + 1);
	size_t sindex = 0, rindex = 0;

	if(!result){
		fprintf(stderr, "out of memory\n");
		exit(1);
	}

	while( sindex < len )
	{
		if( sindex + 3 < len && s[sindex] == '\\' && s[sindex+1] == 'x' &&
		    isxdigit((unsigned char)s[sindex + 2]) &&
		    isxdigit((unsigned char)s[sindex + 3]) )
		{
			/* carefully remember to call tolower here... */
			result[rindex] = tolower( hex2dec(s[sindex + 2])*16 +
			                          hex2dec(s[sindex + 3] ) );
			sindex += 3; /* 4 total */
		}
		else
			result[rindex] = tolower((unsigned char)s[sindex]);

		sindex++;
		rindex++;
	}
	result[rindex] = '\0';

	return result;
}

void doit(regexp * pattern, char ** argv, int verbose)
{
	char input[MAX] = {0}; /* zeroed so the tolower pass below reads defined bytes */
	int c;

	/* read up to MAX bytes from stdin, skipping NUL bytes */
	for(c = 0; c < MAX; c++){
		char temp = 0;
		while(temp == 0){
			if(EOF == scanf("%c", &temp))
				goto out;
			input[c] = temp;
		}
	}
out:
	/* with empty input c is 0: do not write to input[-1] */
	if(c > 0)
		input[c-1] = '\0';

	for(c = 0; c < MAX; c++)
		input[c] = tolower((unsigned char)input[c]);

	/* run the match TIMES times, reporting the result of the first run */
	for(c = 1; c <= TIMES; c++){
		int result = regexec(pattern, input);
		if(c == 1){
			if(result)
				printf("match\t");
			else
				printf("no_match\t");
		}

		if(TIMES/20 > 0 && c%(TIMES/20) == 0){
			fprintf(stderr, ".");
		}
	}
	if(verbose)
		puts("");
	else
		printf(" ");
}

// Syntax: test_speed regex [verbose]
int main(int argc, char ** argv)
{
	regexp * pattern;
	char * s;
	int patternlen, verbose = 0;

	if(argc < 2){
		fprintf(stderr, "need an arg\n");
		return 1;
	}
	if(argc > 2)
		verbose = 1;

	s = argv[1];
	patternlen = strlen(s);
	if(patternlen > MAX_PATTERN_LEN){
		fprintf(stderr, "Pattern too long! Max is %d\n", MAX_PATTERN_LEN);
		return 1;
	}

	s = pre_process(s); /* do \xHH escapes */

	pattern = regcomp(s, &patternlen);

	if(!pattern){
		fprintf(stderr, "error compiling regexp\n");
		exit(1);
	}

	if(verbose)
		printf("running regexec \"%.16s...\" %d times\n", argv[1], TIMES);

	doit(pattern, argv, verbose);

	return 0;
}


l7-protocols-2009-05-28/testing/l7-parse-patterns.h

/*
  By Ethan Sommer and Matthew Strait, (C) Nov 2006-2007
  http://l7-filter.sf.net

  This program is free software; you can redistribute it and/or
  modify it under the terms of the GNU General Public License
  as published by the Free Software Foundation; either version
  2 of the License, or (at your option) any later version.
  http://www.gnu.org/licenses/gpl.txt

  This file is synced between the userspace source code and the test suite
  source code. I don't think it's worth the effort to make it a proper
  library.
*/

#ifndef L7_PARSE_PATTERNS_H
#define L7_PARSE_PATTERNS_H

#include <string>
using namespace std;

int parse_pattern_file(int & cflags, int & eflags, string & pattern, string filename);
string basename(string filename);

#endif
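
The random-data check that testing/README describes for test_match.sh, written out as an added example (it is not code from the l7-protocols package). It uses the POSIX <regex.h> interface as a stand-in for the GNU library; the compile flags, the xorshift generator, the function names and the sample patterns are assumptions made for this illustration. Payloads are prepared the way test_speed-kernel.c prepares its input: NUL bytes dropped, everything lower-cased.

```c
#include <ctype.h>
#include <regex.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAYLOAD_MAX 1500 /* same buffer size as MAX in test_speed-kernel.c */
#define RE_FLAGS (REG_EXTENDED | REG_ICASE | REG_NOSUB) /* assumed flags */

/* Small deterministic PRNG so that a run can be reproduced exactly. */
static uint32_t xorshift32(uint32_t *state)
{
	uint32_t x = *state;
	x ^= x << 13;
	x ^= x >> 17;
	x ^= x << 5;
	return *state = x;
}

/* Drop NUL bytes, fold to lower case and NUL-terminate, so that the regex
   engine sees the whole payload as one C string. */
static void normalise(const unsigned char *in, size_t len, char *out, size_t outsz)
{
	size_t n = 0;
	for (size_t i = 0; i < len && n + 1 < outsz; i++) {
		if (in[i] == 0)
			continue;
		out[n++] = (char)tolower(in[i]);
	}
	out[n] = '\0';
}

/* Returns 1 on match, 0 on no match, -1 if the pattern does not compile. */
int matches_payload(const char *pattern, const unsigned char *data, size_t len)
{
	regex_t re;
	char buf[PAYLOAD_MAX + 1];
	int matched;

	if (regcomp(&re, pattern, RE_FLAGS) != 0)
		return -1;
	normalise(data, len, buf, sizeof buf);
	matched = (regexec(&re, buf, 0, NULL, 0) == 0);
	regfree(&re);
	return matched;
}

/* Matches the pattern against `trials` random payloads of PAYLOAD_MAX bytes.
   Returns how many matched (every one is a false positive), or -1 if the
   pattern does not compile. */
int count_random_matches(const char *pattern, int trials, uint32_t seed)
{
	regex_t re;
	unsigned char raw[PAYLOAD_MAX];
	char buf[PAYLOAD_MAX + 1];
	uint32_t state = seed ? seed : 1; /* xorshift state must not be zero */
	int hits = 0;

	if (regcomp(&re, pattern, RE_FLAGS) != 0)
		return -1;
	for (int t = 0; t < trials; t++) {
		for (size_t i = 0; i < sizeof raw; i++)
			raw[i] = (unsigned char)(xorshift32(&state) >> 24);
		normalise(raw, sizeof raw, buf, sizeof buf);
		if (regexec(&re, buf, 0, NULL, 0) == 0)
			hits++;
	}
	regfree(&re);
	return hits;
}

int main(void)
{
	/* Illustrative patterns written for this example: one anchored and
	   specific, two that are far too loose. */
	static const char *patterns[] = {
		"^ssh-[12]\\.[0-9]", "[a-z][0-9]", "^.?.?[0-9]"
	};
	/* Constructed sample payload */
	static const unsigned char banner[] = "SSH-2.0-OpenSSH_3.9p1\n";
	const int trials = 500;

	for (size_t i = 0; i < sizeof patterns / sizeof patterns[0]; i++) {
		int hits = count_random_matches(patterns[i], trials, 2009);
		printf("%-20s random matches: %d/%d  sample banner: %s\n",
		       patterns[i], hits, trials,
		       matches_payload(patterns[i], banner, sizeof banner - 1) == 1
		           ? "match" : "no match");
	}
	return 0;
}
```

A pattern is only usable if it matches its sample traffic while its random-match count stays at or near zero; an unanchored pattern such as the second one matches almost every random payload.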
l7-protocols-2009-05-28/testing/data/dns-20000644000175000017500000000011410537156075017654 0ustar straitmstraitmslashdotorǵslashdotorg B#l7-protocols-2009-05-28/testing/data/ssdp-10000644000175000017500000000045610537156076020052 0ustar straitmstraitmNOTIFY * HTTP/1.1 HOST: 239.255.255.250:1900 CACHE-CONTROL: max-age=1800 Location: http://10.1.1.1:5431/dyndev/uuid:000f6639-dbac-000f-6639-dbac0032011c NT: upnp:rootdevice NTS: ssdp:alive SERVER:LINUX/2.4 UPnP/1.0 BRCM400/1.0 USN: uuid:000f6639-dbac-000f-6639-dbac0032011c::upnp:rootdevice l7-protocols-2009-05-28/testing/data/winmx-20000644000175000017500000000002110537156076020230 0ustar straitmstraitm1|8Nu/ϩXn>fl7-protocols-2009-05-28/testing/data/edonkey-tcp-b-50000644000175000017500000000170310537156075021541 0ustar straitmstraitmGB Mx]RB]6arloe=pr $( @B]y 4HOQ8xڽSN!m J-XY9cgrukbbcsLBx yo|7Na_?P'oO;UScɹ}bigPY!ABlC pHҳ`bEF׷КH@n n }!J 7 h$ ̷.)/PWw!oУEg1- G_k! $6'`NWMH2D ɘQ5’"պ,5GjPc )55'66>5պ-[5GjQaպ5&5B a@5#5>5q5@mS{Pl Ӑ1Su8GjP鐥S5֒Ւp%5p5B!$pR5SfS{Se[Pi >5B"N P2Pn Pe >5Pf ӝ5Pk Ph Pm Pg ,Oo պ/T5T0V&C$5E5q5@EN5.5AYLy狁xB a@!!!www.SEXTEENSERVER.COM Z>>> www.SEXTEENSERVER.COM TEENS - JOVENCITAS - AMATEURS - VIRGENES - VIDEOS - FOTOS - PICSsexl7-protocols-2009-05-28/testing/data/bittorrent-a-10000644000175000017500000000006110537156075021502 0ustar straitmstraitmBitTorrent protocol q`LlaRdu l7-protocols-2009-05-28/testing/data/skypeout-b-50000644000175000017500000000005710537156077021205 0ustar straitmstraitmxxE+?E+?E+Xx0vUU)-l7-protocols-2009-05-28/testing/data/jabber-30000644000175000017500000000065310537156074020325 0ustar straitmstraitm l7-protocols-2009-05-28/testing/data/edonkey-tcp-b-20000644000175000017500000000056410537156075021542 0ustar straitmstraitmGB Mx]RB]6arloe=pr $( @B]y 4HOQ8xڽSN!m J-XY9cgrukbbcsLBx yo|7Na_?P'oO;UScɹ}bigPY!ABlC pHҳ`bEF׷КH@n n }!J 7 h$ ̷.)/PWw!oУEg1- G_k! 
$6'`NWMHl7-protocols-2009-05-28/testing/data/aim-50000644000175000017500000000036410537156073017646 0ustar straitmstraitm** /*  qintoauraaKZ* 0 961849602* qintoauraa%F,.qL-AOL Instant Messenger, version 5.1.3036/WIN32  enusJ l7-protocols-2009-05-28/testing/data/chikka-b-30000644000175000017500000000021410552610661020534 0ustar straitmstraitmCTPv1.2 Kamusta 66.93.17.216:42533 1168838269. Manila, Philippines! 01:001 001:003141592650 002:ormskull 003:5 004:-6 0251:001 004:1 44l7-protocols-2009-05-28/testing/data/gnutella-udp-a-10000644000175000017500000000001410537156075021705 0ustar straitmstraitmGNDHPIl7-protocols-2009-05-28/testing/data/validcertssl-10000644000175000017500000000015110537156076021570 0ustar straitmstraitmgN@98532/  dboNX~l7-protocols-2009-05-28/testing/data/skypeout-b-80000644000175000017500000000020610537156100021167 0ustar straitmstraitmxxE+?E+?E+Xx0vUU)-E+ Bނ)K͔{Cm'Q$`oE+]6WFgXa鷌zC䯘w`;O]U+Ioa[ln2/U3Re^sܬle)M5iaC+Ti$uۜwhv ʽ)s8$shm4,FnBYs& l'ҙs7-dCV?H/":.G!$$w'v p[-"1}|>8y!&%M3hdհ ƀ]R-0_ڢ7eX9j|ZE>U! WԳh kʕbۧזWx-e U5$$t|uQe\7܉=;ώq5vm 0l7-protocols-2009-05-28/testing/data/skypeout-c-70000644000175000017500000000017110537156100021170 0ustar straitmstraitm|tgzB݇|tgzBZ]O[Z]O[Z]Ƀr$fE| ":mʾ%Z]DjKpW٥q񲣭9NZ] 'Pu T}p\l7-protocols-2009-05-28/testing/data/bittorrent-a-20000644000175000017500000000020610537156100021471 0ustar straitmstraitmBitTorrent protocol q`LlaRduBitTorrent protocol q`LlaRdu-LT0100-dbkqZ.P-dols l7-protocols-2009-05-28/testing/data/skypeout-a-30000644000175000017500000000002410537156077021174 0ustar straitmstraitmۮۮEc@,l7-protocols-2009-05-28/testing/data/aim-40000644000175000017500000000012610537156073017641 0ustar straitmstraitm** /*  qintoauraaKZ* 0 961849602 l7-protocols-2009-05-28/testing/data/edonkey-tcp-b-40000644000175000017500000000166710537156075021551 0ustar straitmstraitmGB Mx]RB]6arloe=pr $( @B]y 4HOQ8xڽSN!m J-XY9cgrukbbcsLBx yo|7Na_?P'oO;UScɹ}bigPY!ABlC pHҳ`bEF׷КH@n n }!J 7 h$ ̷.)/PWw!oУEg1- G_k! 
$6'`NWMH2D ɘQ5’"պ,5GjPc )55'66>5պ-[5GjQaպ5&5B a@5#5>5q5@mS{Pl Ӑ1Su8GjP鐥S5֒Ւp%5p5B!$pR5SfS{Se[Pi >5B"N P2Pn Pe >5Pf ӝ5Pk Ph Pm Pg ,Oo պ/T5T0V&C$5E5q5@EN5.5AYLy狁xB a@!!!www.SEXTEENSERVER.COM Z>>> www.SEXTEENSERVER.COM TEENS - JOVENCITAS - AMATEURS - VIRGENES - VIDEOS - FOTOS - PICSl7-protocols-2009-05-28/testing/data/jabber-20000644000175000017500000000057010537156074020322 0ustar straitmstraitm l7-protocols-2009-05-28/testing/data/skypeout-b-30000644000175000017500000000001210537156077021172 0ustar straitmstraitmxxE+?l7-protocols-2009-05-28/testing/data/bittorrent-b-40000644000175000017500000000400010537156075021503 0ustar straitmstraitmBitTorrent protocol q`LlaRduBitTorrent protocol q`LlaRduA301-----ht2O84MO7rU  5@@@ 5m[զwӑs$U~/HWk j nZ3ؘWSHfِTd@?YriR-~Y3aH0g$B4G3x \`ȼ,)۰.kVK.g\~kVTԠ7"yE.6:9pjNEh 3HTd`(YdSu\0Z8D<ۣhs*Oh^rqٙmv &6XaRsb>:jm#ZC1U.[̪,< Q-bRfyJU )Ƀ`xzD+ɮ0q5bDs]98FL߮}Bsn EӚ J"#4CE۲S[4xnꌛ7V@癶LjjG]v FGn:4ic;A?(ME` jKĦz]53ZFS aӶqʁHX/GJv]ص~@tOGPh645 턢MڤhZu#JKΤj~D{>#>p%6>t(:X:(9$EP;G ~ _Ay!w xhVڜ'^;O'Я.(yՕt_K0 'cITܭiNZ 6|^Qyؔw>2GK(zY}) 錎A x |]nWxQi7 M K;aܯ f|L}N!a^Z xfdSnR{>fhάxLp72U߶# ǚj*?1olͪbhfr6FY{*;v^ҚV%)VꎸYڳ">/S|wӬc3HW\ .Egrfri&ixV͢<*.'z͂2 G7]FG;AxLvN8%Yw3Բ&@%S+$:j 0Jљx,0]ko@&!qs]Blk?YLm  pVIHdܧNdni(<: Fa6s}洝>: fM p+4 nH[5HS?ݣTYskj_K(W} t ;ou#p8h[u§ͷ6:STU3Gw摅Tن;jWtbޑѳ`C}ڿ;KcB`cbh ,N$A{D^Ll@U%{GmG;-_LUOS'mᆵ]Lh5SA*uᛔ;K;JEq > H\!!]y\l7-protocols-2009-05-28/testing/data/chikka-b-20000644000175000017500000000017310552610661020537 0ustar straitmstraitmCTPv1.2 Kamusta 66.93.17.216:42533 1168838269. Manila, Philippines! 
01:001 001:003141592650 002:ormskull 003:5 004:-6 02l7-protocols-2009-05-28/testing/data/validcertssl-20000644000175000017500000000255110537156076021577 0ustar straitmstraitmgN@98532/  dboNX~JFCF b>PFnGхnl ) }{`X^\>8 k.49y uro0k0Ԡ?0  *H 01 0 UZA10U Western Cape10U Cape Town10U Thawte Consulting cc1(0&U Certification Services Division1!0UThawte Premium Server CA1(0& *H  premium-server@thawte.com0 050726233434Z 060808171517Z0}1 0 UUS10U Minnesota10U Northfield10U Carleton College1 0 U ITS10Ucaucus.carleton.edu00  *H 05 Y rϛFv{">1k>s.Ⱦy4M/n=-+Q[flLTl,gUۉD/ 斝=I[,|ýyQ^* dJypY# 0Hբ/< Hn>7yNS'a\`D=v^ꛭlA TFs g:H NX(>e^J5{l7-protocols-2009-05-28/testing/data/ipp-10000644000175000017500000000026610537156075017667 0ustar straitmstraitm901e 3 ipp://localhost.localdomain:631/printers/home_study "this is our printer in the study" "Created by redhat-config-printer 0.6.x" "HP DeskJet 3820 Foomatic/hpijs (recommended)" l7-protocols-2009-05-28/testing/data/skypeout-c-50000644000175000017500000000007710537156100021173 0ustar straitmstraitm|tgzB݇|tgzBZ]O[Z]O[Z]Ƀr$fE| ":mʾ%l7-protocols-2009-05-28/testing/data/bittorrent-a-40000644000175000017500000000024410537156074021507 0ustar straitmstraitmBitTorrent protocol q`LlaRduBitTorrent protocol q`LlaRdu-LT0100-dbkqZ.P-dols59l7-protocols-2009-05-28/testing/data/chikka-b-60000644000175000017500000000052510552610661020544 0ustar straitmstraitmCTPv1.2 Kamusta 66.93.17.216:42533 1168838269. Manila, Philippines! 
01:001 001:003141592650 002:ormskull 003:5 004:-6 0251:001 004:1 4441:000 016:Bob 017:Smithy 018:quadong@gmail.com 019:0 020:2 031: 022: 005: 024: 025: 026: 027:0 028:0 001:003141592650 030:0 007:Chikka 021:0 023:0 006: 051: 032: 3E91:000 3F30:002 001:0 002:1 44l7-protocols-2009-05-28/testing/data/skypeout-c-60000644000175000017500000000013410537156100021166 0ustar straitmstraitm|tgzB݇|tgzBZ]O[Z]O[Z]Ƀr$fE| ":mʾ%Z]DjKpW٥q񲣭9Nl7-protocols-2009-05-28/testing/data/x11-30000644000175000017500000000074010537156077017511 0ustar straitmstraitml  cß $ The X.Org Foundation 0Hb 0Hb 0Hb 0Hb 0Hb 0Hb 0Hb_ 3 xu#9I#B$B%B&B'B(B)B*B9I9I9I9I9I 9I7_b BIG-REQUESTS_l7-protocols-2009-05-28/testing/data/stun-20000644000175000017500000000011010537156100020042 0ustar straitmstraitmPgŸi $Ÿi TG# E El7-protocols-2009-05-28/testing/data/aim-10000644000175000017500000000001310537156072017630 0ustar straitmstraitm* l7-protocols-2009-05-28/testing/data/edonkey-tcp-a-10000644000175000017500000000011410537156100021514 0ustar straitmstraitmGB Mx]RB]6arloe=pr $(l7-protocols-2009-05-28/testing/data/yahoo-40000644000175000017500000000203210537156072020207 0ustar straitmstraitmYMSG W1dongquaYMSG`W͇{r1dongqua94y%a%(w-t|3&v+m/b+k|v*2*2&4/g-1&b&(s%l*o-5/u*s&c-u^f|o)*i/r/(4+h%b&(x)))131YMSG T0dongqua6p=BF;I=5l,P=o0;L=bn,C=32;h=oF;p=aE;R=8h;F=7B;I=cn,96U=Dm;M=A9,E=ao;I=Fh,r=6i,R=me;w=g8;C=dE,B=cn,N=Ao;1dongqua1356,0,0,1710YMSGWU͇{r87 8889dongqua59Y v=1&n=56gnfgim67hor&l=gk03ed6/o&p=m2f1m3qb12000300&jb=21|22|&r=bl&lg=us&intl=us; expires=Thu, 15 Apr 2010 20:00:00 GMT; path=/; domain=.yahoo.com21959T z=h8TFDBhCpFDBqbjNOgMKKqJMjY0BjU2NDFONTRPNDE-&a=QAE&sk=DAAE/2X6n.q.is&d=c2wBTlRFekFUSXhNelk1TWpNNE16WS0BYQFRQUUBdGlwAUMxVkVZRAF6egFoOFRGREJnV0E-; expires=Thu, 15 Apr 2010 20:00:00 GMT; path=/; domain=.yahoo.com21959C mg=121915319013dongqua100010110221309386400149zfMBpicR_bwxTFyvEqmo.Q--150DLvKLIhr6XsEATgaop63yQ--151jNF9DhWgxNGny1yT1pmzsA--2170YMSG͇{r0dongqua1dongqua8YMSG͇{r1436014413YMSG ͇{r90 
l7-protocols-2009-05-28/testing/data/jabber-4
l7-protocols-2009-05-28/testing/data/gnutella-udp-b-1
l7-protocols-2009-05-28/testing/data/skypeout-b-9

l7-protocols-2009-05-28/testing/data/ssh-4
SSH-1.99-OpenSSH_3.6.1p2
SSH-2.0-OpenSSH_3.9p1

l7-protocols-2009-05-28/testing/data/x11-2
l7-protocols-2009-05-28/testing/data/skypeout-b-1

l7-protocols-2009-05-28/testing/data/dce-rpc-spam-b-1
({ZOB+"g]оVmMicrosoft RegistryMicrosoft User!!SYSTEM ERROR - YOUR WINDOWS REGISTRY IS DAMANGED YOU NEED TO CLEAN YOUR REGISTRY IMMEDIATELY
Your Windows Registry is severely corrupted and is allowing unauthorized access to your computer by internet hackers. If the Registry is not CLEANED immediately, it will lead to a COMPLETE operating system failure and the loss of your data.
To fix this problem:
1. Open Internet Explorer
2. In the URL Field type - www.RegistryCleanerExpress.com
3. Note that all versions of windows are supported.
4. Once you load the program, close this window.
Please note that once you visit www.RegistryCleanerExpress.com and install the cleaner program you will not receive any more reminders or pop-ups like this one.
www.RegistryCleanerExpress.com

l7-protocols-2009-05-28/testing/data/validcertssl-5

l7-protocols-2009-05-28/testing/data/gnutella-2
GNUTELLA CONNECT/0.6
User-Agent: Shareaza 2.1.0.0
Remote-IP: 24.255.13.79
Accept: application/x-gnutella2,application/x-gnutella-packets
Accept-Encoding: deflate
X-Ultrapeer: False

GNUTELLA/0.6 200 OK
User-Agent: Shareaza 2.1.0.0
Listen-IP: 24.255.13.79:35229
Remote-IP: 66.93.17.216
Accept: application/x-gnutella2
Content-Type: application/x-gnutella2
Accept-Encoding: deflate
Content-Encoding: deflate
X-Ultrapeer: True
X-Try-Ultrapeers: 24.78.174.19:35636 2005-08-31T02:32Z,67.160.30.114:6346 2005-08-31T02:32Z,84.119.62.85:6346 2005-08-31T02:32Z,155.207.25.147:6346 2005-08-31T02:32Z,69.157.122.198:15948 2005-08-31T02:32Z,68.12.90.229:6346 2005-08-31T02:32Z,196.206.193.128:28526 2005-08-31T02:32Z,84.222.62.111:6346 2005-08-31T02:32Z,86.128.128.208:16511 2005-08-31T02:32Z,82.234.123.135:6346 2005-08-31T02:32Z
X-Ultrapeer-Needed: False
l7-protocols-2009-05-28/testing/data/edonkey-tcp-b-6

l7-protocols-2009-05-28/testing/data/gnutella-1
GNUTELLA CONNECT/0.6
User-Agent: Shareaza 2.1.0.0
Remote-IP: 24.255.13.79
Accept: application/x-gnutella2,application/x-gnutella-packets
Accept-Encoding: deflate
X-Ultrapeer: False

l7-protocols-2009-05-28/testing/data/imap-3
* OK florence.spa.umn.edu Cyrus IMAP4 v2.2.12 server ready
00000000 CAPABILITY

l7-protocols-2009-05-28/testing/data/ftp-1
220 Welcome to ftp.kernel.org.

l7-protocols-2009-05-28/testing/data/skypeout-c-4

l7-protocols-2009-05-28/testing/timeit.sh
#!/bin/bash

# "man 1 time" for details
export TIME="%U seconds"

add()
{
	if ! dc -e ""; then
		echo you do not have dc, so I cannot add these numbers...
		exit 1
	fi

	n=0
	tot=0

	while read n; do
		tot=`dc -e "$n $tot + pop" 2> /dev/null`
	done

	echo $tot seconds
}

# gets kernel pattern out of a file
extract()
{
	if [ -r $1 ] && [ -f $1 ]; then
		cat $1 | grep -v ^$ | grep -v ^# | tail -1
	else
		echo > /dev/stderr
		echo Arg is not a readable file > /dev/stderr
		exit 1
	fi
}

if [ ! $3 ] || [ $2 == "-h" ] || [ $2 == "--help" ]; then
	echo
	echo Syntax: ./timeit.sh patternfile kernel\|userspace all\|print\|real [data_files]
	echo
	echo \"kernel\" uses the kernel pattern and library
	echo \"userspace\" uses userspace pattern and library
	echo \"all\" tests against all characters,
	echo \"print\" only against printable ones,
	echo \"real\" against some real data.
	echo In \"real\" mode, if data files are specified, they are used,
	echo otherwise, all files in ./data/ are used.
	echo
	exit 1
fi

echo
if [ $2 == "kernel" ]; then
	echo Using the Henry Spencer \(kernel\) regex library.
	speedprog=./test_speed-kernel
elif [ $2 == "userspace" ]; then
	echo Using the GNU \(userspace\) library.
	speedprog=./test_speed-userspace
else
	echo Didn\'t understand what library you wanted.
	echo Please give either \"kernel\" or \"userspace\".
	exit 1
fi

if [ -x ./randchars ] && [ -x ./randprintable ] && [ -x $speedprog ]; then
	true
else
	echo Can\'t find randchars, randprintable or test_speed.
	echo They should be in this directory. Did you say \"make\"?
	exit 1
fi

echo Timing $1
if [ $3 == "all" ]; then
	echo Using all characters
	if [ $2 == "kernel" ]; then
		if ! ./randchars | time $speedprog "`extract $1`" verbose; then
			echo $speedprog failed. > /dev/stderr
			exit 1
		fi
	else
		if ! ./randchars | time $speedprog -f "$1" -v; then
			echo $speedprog failed. > /dev/stderr
			exit 1
		fi
	fi
elif [ $3 == "print" ]; then
	echo Using only printable characters
	if [ $2 == "kernel" ]; then
		if ! ./randprintable | time $speedprog "`extract $1`" verbose; then
			echo $speedprog failed. > /dev/stderr
			exit 1
		fi
	else
		if ! ./randprintable | time $speedprog -f "$1" -v; then
			echo $speedprog failed. > /dev/stderr
			exit 1
		fi
	fi
elif [ $3 == "real" ]; then
	echo Using some real data

	# if this is uncommented, you can exit all at once with ctrl-C
	trap "rm tmp.$$; echo; exit 1" 2

	if [ $4 ]; then
		for f in $@; do
			if [ -r $f ] && [ $f != $1 ] && [ $f != $2 ] && [ $f != $3 ]; then
				printf $f\\t
				#echo `extract $1`
				if [ $2 == "kernel" ]; then
					if ! cat $f | time $speedprog "`extract $1`" 2> /dev/stdout | tee -a tmp.$$; then
						echo $speedprog failed. > /dev/stderr
						exit 1
					fi
				else
					if ! cat $f | time $speedprog -f "$1" 2> /dev/stdout | tee -a tmp.$$; then
						echo $speedprog failed. > /dev/stderr
						exit 1
					fi
				fi
			fi
		done
	else
		for f in data/*; do
			printf $f\\t
			if [ $2 == "kernel" ]; then
				if ! cat $f | time $speedprog "`extract $1`" 2> /dev/stdout | tee -a tmp.$$; then
					echo $speedprog failed. > /dev/stderr
					exit 1
				fi
			else
				if ! cat $f | time $speedprog -f "$1" 2> /dev/stdout | tee -a tmp.$$; then
					echo $speedprog failed. > /dev/stderr
					exit 1
				fi
			fi
		done
	fi

	printf "Total: "
	cat tmp.$$ | cut -d" " -f 2 | add

	rm tmp.$$
else
	echo Please specify \"all\", \"print\" or \"real\"> /dev/stderr
	exit 1
fi

l7-protocols-2009-05-28/testing/l7-parse-patterns.cpp
/*
  Functions and classes which keep track of and use regexes to classify streams
  of application data.

  By Ethan Sommer and Matthew Strait, (C) 2006-2007
  http://l7-filter.sf.net

  This program is free software; you can redistribute it and/or
  modify it under the terms of the GNU General Public License
  as published by the Free Software Foundation; either version
  2 of the License, or (at your option) any later version.
  http://www.gnu.org/licenses/gpl.txt

  This file is synced between the userspace source code and the test suite
  source code. I don't think it's worth the effort to make it a proper library.
*/

using namespace std;

#include <cctype>
#include <iostream>
#include <string>
#include <regex.h>
#include "l7-parse-patterns.h"

// Returns true if the line (from a pattern file) is a comment
static int is_comment(string line)
{
  // blank lines are comments
  if(line.size() == 0) return 1;

  // lines starting with # are comments
  if(line[0] == '#') return 1;

  // lines with only whitespace are comments
  for(unsigned int i = 0; i < line.size(); i++)
    if(!isspace(line[i]))
      return 0;
  return 1;
}

// Extracts the protocol name from a line
// This line should be exactly the name of the file without the .pat extension
// However, we also allow junk after whitespace
static string get_protocol_name(string line)
{
  string name = "";
  for(unsigned int i = 0; i < line.size(); i++)
  {
    if(!isspace(line[i]))
      name += line[i];
    else break;
  }
  return name;
}

// Returns the given file name from the last slash to the next dot
string basename(string filename)
{
  int lastslash = filename.find_last_of('/');
  int nextdot = filename.find_first_of('.', lastslash);

  return filename.substr(lastslash+1, nextdot - (lastslash+1));
}

// Returns, e.g. "userspace pattern" if the line is "userspace pattern=.*foo"
static string attribute(string line)
{
  return line.substr(0, line.find_first_of('='));
}

// Returns, e.g. ".*foo" if the line is "userspace pattern=.*foo"
static string value(string line)
{
  return line.substr(line.find_first_of('=')+1);
}

// parse the regexec and regcomp flags
// Returns 1 on success, 0 if any unrecognized flags were encountered
static int parseflags(int & cflags, int & eflags, string line)
{
  string flag = "";
  cflags = 0;
  eflags = 0;
  for(unsigned int i = 0; i < line.size(); i++){
    if(!isspace(line[i]))
      flag += line[i];

    if(isspace(line[i]) || i == line.size()-1){
      if(flag == "REG_EXTENDED") cflags |= REG_EXTENDED;
      else if(flag == "REG_ICASE") cflags |= REG_ICASE;
      else if(flag == "REG_NOSUB") cflags |= REG_NOSUB;
      else if(flag == "REG_NEWLINE") cflags |= REG_NEWLINE;
      else if(flag == "REG_NOTBOL") eflags |= REG_NOTBOL;
      else if(flag == "REG_NOTEOL") eflags |= REG_NOTEOL;
      else{
        cerr<<"Error: encountered unknown flag in pattern file " <<flag <<endl;
        return 0;
      }
      flag = "";
    }
  }
  return 1;
}

= 32767L)		/* Probably could be 65535L. */
		FAIL("regexp too big");

	/* Allocate space. */
	*patternsize=sizeof(regexp) + (unsigned)regsize;
	r = (regexp *)malloc(sizeof(regexp) + (unsigned)regsize);
	if (r == NULL)
		FAIL("out of space");

	/* Second pass: emit code. */
	regparse = exp;
	regnpar = 1;
	regcode = r->program;
	regc(MAGIC);
	if (reg(0, &flags) == NULL)
		return(NULL);

	/* Dig out information for optimizations. */
	r->regstart = '\0';	/* Worst-case defaults. */
	r->reganch = 0;
	r->regmust = NULL;
	r->regmlen = 0;
	scan = r->program+1;			/* First BRANCH. */
	if (OP(regnext(scan)) == END) {		/* Only one top-level choice. */
		scan = OPERAND(scan);

		/* Starting-point info. */
		if (OP(scan) == EXACTLY)
			r->regstart = *OPERAND(scan);
		else if (OP(scan) == BOL)
			r->reganch++;

		/*
		 * If there's something expensive in the r.e., find the
		 * longest literal string that must appear and make it the
		 * regmust. Resolve ties in favor of later strings, since
		 * the regstart check works with the beginning of the r.e.
		 * and avoiding duplication strengthens checking. Not a
		 * strong reason, but sufficient in the absence of others.
*/ if (flags&SPSTART) { longest = NULL; len = 0; for (; scan != NULL; scan = regnext(scan)) if (OP(scan) == EXACTLY && strlen(OPERAND(scan)) >= len) { longest = OPERAND(scan); len = strlen(OPERAND(scan)); } r->regmust = longest; r->regmlen = len; } } return(r); } /* - reg - regular expression, i.e. main body or parenthesized thing * * Caller must absorb opening parenthesis. * * Combining parenthesis handling with the base level of regular expression * is a trifle forced, but the need to tie the tails of the branches to what * follows makes it hard to avoid. */ static char * reg(paren, flagp) int paren; /* Parenthesized? */ int *flagp; { register char *ret; register char *br; register char *ender; register int parno = 0; /* 0 makes gcc happy */ int flags; *flagp = HASWIDTH; /* Tentatively. */ /* Make an OPEN node, if parenthesized. */ if (paren) { if (regnpar >= NSUBEXP) FAIL("too many ()"); parno = regnpar; regnpar++; ret = regnode(OPEN+parno); } else ret = NULL; /* Pick up the branches, linking them together. */ br = regbranch(&flags); if (br == NULL) return(NULL); if (ret != NULL) regtail(ret, br); /* OPEN -> first. */ else ret = br; if (!(flags&HASWIDTH)) *flagp &= ~HASWIDTH; *flagp |= flags&SPSTART; while (*regparse == '|') { regparse++; br = regbranch(&flags); if (br == NULL) return(NULL); regtail(ret, br); /* BRANCH -> BRANCH. */ if (!(flags&HASWIDTH)) *flagp &= ~HASWIDTH; *flagp |= flags&SPSTART; } /* Make a closing node, and hook it on the end. */ ender = regnode((paren) ? CLOSE+parno : END); regtail(ret, ender); /* Hook the tails of the branches to the closing node. */ for (br = ret; br != NULL; br = regnext(br)) regoptail(br, ender); /* Check for proper termination. */ if (paren && *regparse++ != ')') { FAIL("unmatched ()"); } else if (!paren && *regparse != '\0') { if (*regparse == ')') { FAIL("unmatched ()"); } else FAIL("junk on end"); /* "Can't happen". 
			*/
		/* NOTREACHED */
	}

	return(ret);
}

/*
 - regbranch - one alternative of an | operator
 *
 * Implements the concatenation operator.
 */
static char *
regbranch(flagp)
int *flagp;
{
	register char *ret;
	register char *chain;
	register char *latest;
	int flags;

	*flagp = WORST;		/* Tentatively. */

	ret = regnode(BRANCH);
	chain = NULL;
	while (*regparse != '\0' && *regparse != '|' && *regparse != ')') {
		latest = regpiece(&flags);
		if (latest == NULL)
			return(NULL);
		*flagp |= flags&HASWIDTH;
		if (chain == NULL)	/* First piece. */
			*flagp |= flags&SPSTART;
		else
			regtail(chain, latest);
		chain = latest;
	}
	if (chain == NULL)	/* Loop ran zero times. */
		(void) regnode(NOTHING);

	return(ret);
}

/*
 - regpiece - something followed by possible [*+?]
 *
 * Note that the branching code sequences used for ? and the general cases
 * of * and + are somewhat optimized:  they use the same NOTHING node as
 * both the endmarker for their branch list and the body of the last branch.
 * It might seem that this node could be dispensed with entirely, but the
 * endmarker role is not redundant.
 */
static char *
regpiece(flagp)
int *flagp;
{
	register char *ret;
	register char op;
	register char *next;
	int flags;

	ret = regatom(&flags);
	if (ret == NULL)
		return(NULL);

	op = *regparse;
	if (!ISMULT(op)) {
		*flagp = flags;
		return(ret);
	}

	if (!(flags&HASWIDTH) && op != '?')
		FAIL("*+ operand could be empty");
	*flagp = (op != '+') ? (WORST|SPSTART) : (WORST|HASWIDTH);

	if (op == '*' && (flags&SIMPLE))
		reginsert(STAR, ret);
	else if (op == '*') {
		/* Emit x* as (x&|), where & means "self". */
		reginsert(BRANCH, ret);			/* Either x */
		regoptail(ret, regnode(BACK));		/* and loop */
		regoptail(ret, ret);			/* back */
		regtail(ret, regnode(BRANCH));		/* or */
		regtail(ret, regnode(NOTHING));		/* null. */
	} else if (op == '+' && (flags&SIMPLE))
		reginsert(PLUS, ret);
	else if (op == '+') {
		/* Emit x+ as x(&|), where & means "self".
		*/
		next = regnode(BRANCH);			/* Either */
		regtail(ret, next);
		regtail(regnode(BACK), ret);		/* loop back */
		regtail(next, regnode(BRANCH));		/* or */
		regtail(ret, regnode(NOTHING));		/* null. */
	} else if (op == '?') {
		/* Emit x? as (x|) */
		reginsert(BRANCH, ret);			/* Either x */
		regtail(ret, regnode(BRANCH));		/* or */
		next = regnode(NOTHING);		/* null. */
		regtail(ret, next);
		regoptail(ret, next);
	}
	regparse++;
	if (ISMULT(*regparse))
		FAIL("nested *?+");

	return(ret);
}

/*
 - regatom - the lowest level
 *
 * Optimization:  gobbles an entire sequence of ordinary characters so that
 * it can turn them into a single node, which is smaller to store and
 * faster to run.  Backslashed characters are exceptions, each becoming a
 * separate node; the code is simpler that way and it's not worth fixing.
 */
static char *
regatom(flagp)
int *flagp;
{
	register char *ret;
	int flags;

	*flagp = WORST;		/* Tentatively. */

	switch (*regparse++) {
	case '^':
		ret = regnode(BOL);
		break;
	case '$':
		ret = regnode(EOL);
		break;
	case '.':
		ret = regnode(ANY);
		*flagp |= HASWIDTH|SIMPLE;
		break;
	case '[': {
			register int class;
			register int classend;

			if (*regparse == '^') {	/* Complement of range. */
				ret = regnode(ANYBUT);
				regparse++;
			} else
				ret = regnode(ANYOF);
			if (*regparse == ']' || *regparse == '-')
				regc(*regparse++);
			while (*regparse != '\0' && *regparse != ']') {
				if (*regparse == '-') {
					regparse++;
					if (*regparse == ']' || *regparse == '\0')
						regc('-');
					else {
						class = UCHARAT(regparse-2)+1;
						classend = UCHARAT(regparse);
						if (class > classend+1)
							FAIL("invalid [] range");
						for (; class <= classend; class++)
							regc(class);
						regparse++;
					}
				} else
					regc(*regparse++);
			}
			regc('\0');
			if (*regparse != ']')
				FAIL("unmatched []");
			regparse++;
			*flagp |= HASWIDTH|SIMPLE;
		}
		break;
	case '(':
		ret = reg(1, &flags);
		if (ret == NULL)
			return(NULL);
		*flagp |= flags&(HASWIDTH|SPSTART);
		break;
	case '\0':
	case '|':
	case ')':
		FAIL("internal urp");	/* Supposed to be caught earlier.
		*/
		break;
	case '?':
	case '+':
	case '*':
		FAIL("?+* follows nothing");
		break;
	case '\\':
		if (*regparse == '\0')
			FAIL("trailing \\");
		ret = regnode(EXACTLY);
		regc(*regparse++);
		regc('\0');
		*flagp |= HASWIDTH|SIMPLE;
		break;
	default: {
			register int len;
			register char ender;

			regparse--;
			len = strcspn((const char *)regparse, (const char *)META);
			if (len <= 0)
				FAIL("internal disaster");
			ender = *(regparse+len);
			if (len > 1 && ISMULT(ender))
				len--;		/* Back off clear of ?+* operand. */
			*flagp |= HASWIDTH;
			if (len == 1)
				*flagp |= SIMPLE;
			ret = regnode(EXACTLY);
			while (len > 0) {
				regc(*regparse++);
				len--;
			}
			regc('\0');
		}
		break;
	}

	return(ret);
}

/*
 - regnode - emit a node
 */
static char *			/* Location. */
regnode(op)
char op;
{
	register char *ret;
	register char *ptr;

	ret = regcode;
	if (ret == &regdummy) {
		regsize += 3;
		return(ret);
	}

	ptr = ret;
	*ptr++ = op;
	*ptr++ = '\0';		/* Null "next" pointer. */
	*ptr++ = '\0';
	regcode = ptr;

	return(ret);
}

/*
 - regc - emit (if appropriate) a byte of code
 */
static void
regc(b)
char b;
{
	if (regcode != &regdummy)
		*regcode++ = b;
	else
		regsize++;
}

/*
 - reginsert - insert an operator in front of already-emitted operand
 *
 * Means relocating the operand.
 */
static void
reginsert(op, opnd)
char op;
char *opnd;
{
	register char *src;
	register char *dst;
	register char *place;

	if (regcode == &regdummy) {
		regsize += 3;
		return;
	}

	src = regcode;
	regcode += 3;
	dst = regcode;
	while (src > opnd)
		*--dst = *--src;

	place = opnd;		/* Op node, where operand used to be. */
	*place++ = op;
	*place++ = '\0';
	*place++ = '\0';
}

/*
 - regtail - set the next-pointer at the end of a node chain
 */
static void
regtail(p, val)
char *p;
char *val;
{
	register char *scan;
	register char *temp;
	register int offset;

	if (p == &regdummy)
		return;

	/* Find last node.
	*/
	scan = p;
	for (;;) {
		temp = regnext(scan);
		if (temp == NULL)
			break;
		scan = temp;
	}

	if (OP(scan) == BACK)
		offset = scan - val;
	else
		offset = val - scan;
	*(scan+1) = (offset>>8)&0377;
	*(scan+2) = offset&0377;
}

/*
 - regoptail - regtail on operand of first argument; nop if operandless
 */
static void
regoptail(p, val)
char *p;
char *val;
{
	/* "Operandless" and "op != BRANCH" are synonymous in practice. */
	if (p == NULL || p == &regdummy || OP(p) != BRANCH)
		return;
	regtail(OPERAND(p), val);
}

/*
 * regexec and friends
 */

/*
 * Global work variables for regexec().
 */
static char *reginput;		/* String-input pointer. */
static char *regbol;		/* Beginning of input, for ^ check. */
static char **regstartp;	/* Pointer to startp array. */
static char **regendp;		/* Ditto for endp. */

/*
 * Forwards.
 */
STATIC int regtry(regexp *prog, char *string);
STATIC int regmatch(char *prog);
STATIC int regrepeat(char *p);

#ifdef DEBUG
int regnarrate = 0;
void regdump();
STATIC char *regprop(char *op);
#endif

/*
 - regexec - match a regexp against a string
 */
int
regexec(prog, string)
register regexp *prog;
register char *string;
{
	register char *s;

	/* Be paranoid... */
	if (prog == NULL || string == NULL) {
		printk("<3>Regexp: NULL parameter\n");
		return(0);
	}

	/* Check validity of program. */
	if (UCHARAT(prog->program) != MAGIC) {
		printk("<3>Regexp: corrupted program\n");
		return(0);
	}

	/* If there is a "must appear" string, look for it. */
	if (prog->regmust != NULL) {
		s = string;
		while ((s = strchr(s, prog->regmust[0])) != NULL) {
			if (strncmp(s, prog->regmust, prog->regmlen) == 0)
				break;	/* Found it. */
			s++;
		}
		if (s == NULL)	/* Not present. */
			return(0);
	}

	/* Mark beginning of line for ^ . */
	regbol = string;

	/* Simplest case:  anchored match need be tried only once. */
	if (prog->reganch)
		return(regtry(prog, string));

	/* Messy cases:  unanchored match. */
	s = string;
	if (prog->regstart != '\0')
		/* We know what char it must start with.
		*/
		while ((s = strchr(s, prog->regstart)) != NULL) {
			if (regtry(prog, s))
				return(1);
			s++;
		}
	else
		/* We don't -- general case. */
		do {
			if (regtry(prog, s))
				return(1);
		} while (*s++ != '\0');

	/* Failure. */
	return(0);
}

/*
 - regtry - try match at specific point
 */
static int			/* 0 failure, 1 success */
regtry(prog, string)
regexp *prog;
char *string;
{
	register int i;
	register char **sp;
	register char **ep;

	reginput = string;
	regstartp = prog->startp;
	regendp = prog->endp;

	sp = prog->startp;
	ep = prog->endp;
	for (i = NSUBEXP; i > 0; i--) {
		*sp++ = NULL;
		*ep++ = NULL;
	}
	if (regmatch(prog->program + 1)) {
		prog->startp[0] = string;
		prog->endp[0] = reginput;
		return(1);
	} else
		return(0);
}

/*
 - regmatch - main matching routine
 *
 * Conceptually the strategy is simple:  check to see whether the current
 * node matches, call self recursively to see whether the rest matches,
 * and then act accordingly.  In practice we make some effort to avoid
 * recursion, in particular by going through "ordinary" nodes (that don't
 * need to know whether the rest of the match failed) by a loop instead of
 * by recursion.
 */
static int			/* 0 failure, 1 success */
regmatch(prog)
char *prog;
{
	register char *scan;	/* Current node. */
	char *next;		/* Next node. */

	scan = prog;
#ifdef DEBUG
	if (scan != NULL && regnarrate)
		fprintf(stderr, "%s(\n", regprop(scan));
#endif
	while (scan != NULL) {
#ifdef DEBUG
		if (regnarrate)
			fprintf(stderr, "%s...\n", regprop(scan));
#endif
		next = regnext(scan);

		switch (OP(scan)) {
		case BOL:
			if (reginput != regbol)
				return(0);
			break;
		case EOL:
			if (*reginput != '\0')
				return(0);
			break;
		case ANY:
			if (*reginput == '\0')
				return(0);
			reginput++;
			break;
		case EXACTLY: {
				register int len;
				register char *opnd;

				opnd = OPERAND(scan);
				/* Inline the first character, for speed.
				*/
				if (*opnd != *reginput)
					return(0);
				len = strlen(opnd);
				if (len > 1 && strncmp(opnd, reginput, len) != 0)
					return(0);
				reginput += len;
			}
			break;
		case ANYOF:
			if (*reginput == '\0' || strchr(OPERAND(scan), *reginput) == NULL)
				return(0);
			reginput++;
			break;
		case ANYBUT:
			if (*reginput == '\0' || strchr(OPERAND(scan), *reginput) != NULL)
				return(0);
			reginput++;
			break;
		case NOTHING:
			break;
		case BACK:
			break;
		case OPEN+1:
		case OPEN+2:
		case OPEN+3:
		case OPEN+4:
		case OPEN+5:
		case OPEN+6:
		case OPEN+7:
		case OPEN+8:
		case OPEN+9: {
				register int no;
				register char *save;

				no = OP(scan) - OPEN;
				save = reginput;

				if (regmatch(next)) {
					/*
					 * Don't set startp if some later
					 * invocation of the same parentheses
					 * already has.
					 */
					if (regstartp[no] == NULL)
						regstartp[no] = save;
					return(1);
				} else
					return(0);
			}
			break;
		case CLOSE+1:
		case CLOSE+2:
		case CLOSE+3:
		case CLOSE+4:
		case CLOSE+5:
		case CLOSE+6:
		case CLOSE+7:
		case CLOSE+8:
		case CLOSE+9: {
				register int no;
				register char *save;

				no = OP(scan) - CLOSE;
				save = reginput;

				if (regmatch(next)) {
					/*
					 * Don't set endp if some later
					 * invocation of the same parentheses
					 * already has.
					 */
					if (regendp[no] == NULL)
						regendp[no] = save;
					return(1);
				} else
					return(0);
			}
			break;
		case BRANCH: {
				register char *save;

				if (OP(next) != BRANCH)		/* No choice. */
					next = OPERAND(scan);	/* Avoid recursion. */
				else {
					do {
						save = reginput;
						if (regmatch(OPERAND(scan)))
							return(1);
						reginput = save;
						scan = regnext(scan);
					} while (scan != NULL && OP(scan) == BRANCH);
					return(0);
					/* NOTREACHED */
				}
			}
			break;
		case STAR:
		case PLUS: {
				register char nextch;
				register int no;
				register char *save;
				register int min;

				/*
				 * Lookahead to avoid useless match attempts
				 * when we know what character comes next.
				 */
				nextch = '\0';
				if (OP(next) == EXACTLY)
					nextch = *OPERAND(next);
				min = (OP(scan) == STAR) ? 0 : 1;
				save = reginput;
				no = regrepeat(OPERAND(scan));
				while (no >= min) {
					/* If it could work, try it.
					*/
					if (nextch == '\0' || *reginput == nextch)
						if (regmatch(next))
							return(1);
					/* Couldn't or didn't -- back up. */
					no--;
					reginput = save + no;
				}
				return(0);
			}
			break;
		case END:
			return(1);	/* Success! */
			break;
		default:
			printk("<3>Regexp: memory corruption\n");
			return(0);
			break;
		}

		scan = next;
	}

	/*
	 * We get here only if there's trouble -- normally "case END" is
	 * the terminating point.
	 */
	printk("<3>Regexp: corrupted pointers\n");
	return(0);
}

/*
 - regrepeat - repeatedly match something simple, report how many
 */
static int
regrepeat(p)
char *p;
{
	register int count = 0;
	register char *scan;
	register char *opnd;

	scan = reginput;
	opnd = OPERAND(p);
	switch (OP(p)) {
	case ANY:
		count = strlen(scan);
		scan += count;
		break;
	case EXACTLY:
		while (*opnd == *scan) {
			count++;
			scan++;
		}
		break;
	case ANYOF:
		while (*scan != '\0' && strchr(opnd, *scan) != NULL) {
			count++;
			scan++;
		}
		break;
	case ANYBUT:
		while (*scan != '\0' && strchr(opnd, *scan) == NULL) {
			count++;
			scan++;
		}
		break;
	default:		/* Oh dear.  Called inappropriately. */
		printk("<3>Regexp: internal foulup\n");
		count = 0;	/* Best compromise. */
		break;
	}
	reginput = scan;

	return(count);
}

/*
 - regnext - dig the "next" pointer out of a node
 */
static char *
regnext(p)
register char *p;
{
	register int offset;

	if (p == &regdummy)
		return(NULL);

	offset = NEXT(p);
	if (offset == 0)
		return(NULL);

	if (OP(p) == BACK)
		return(p-offset);
	else
		return(p+offset);
}

#ifdef DEBUG

STATIC char *regprop();

/*
 - regdump - dump a regexp onto stdout in vaguely comprehensible form
 */
void
regdump(r)
regexp *r;
{
	register char *s;
	register char op = EXACTLY;	/* Arbitrary non-END op. */
	register char *next;
	extern char *strchr();

	s = r->program + 1;
	while (op != END) {	/* While that wasn't END last time... */
		op = OP(s);
		printf("%2d%s", s-r->program, regprop(s));	/* Where, what. */
		next = regnext(s);
		if (next == NULL)		/* Next ptr.
		*/
			printf("(0)");
		else
			printf("(%d)", (s-r->program)+(next-s));
		s += 3;
		if (op == ANYOF || op == ANYBUT || op == EXACTLY) {
			/* Literal string, where present. */
			while (*s != '\0') {
				putchar(*s);
				s++;
			}
			s++;
		}
		putchar('\n');
	}

	/* Header fields of interest. */
	if (r->regstart != '\0')
		printf("start `%c' ", r->regstart);
	if (r->reganch)
		printf("anchored ");
	if (r->regmust != NULL)
		printf("must have \"%s\"", r->regmust);
	printf("\n");
}

/*
 - regprop - printable representation of opcode
 */
static char *
regprop(op)
char *op;
{
	register char *p;
	static char buf[50];

	(void) strcpy(buf, ":");

	switch (OP(op)) {
	case BOL:
		p = "BOL";
		break;
	case EOL:
		p = "EOL";
		break;
	case ANY:
		p = "ANY";
		break;
	case ANYOF:
		p = "ANYOF";
		break;
	case ANYBUT:
		p = "ANYBUT";
		break;
	case BRANCH:
		p = "BRANCH";
		break;
	case EXACTLY:
		p = "EXACTLY";
		break;
	case NOTHING:
		p = "NOTHING";
		break;
	case BACK:
		p = "BACK";
		break;
	case END:
		p = "END";
		break;
	case OPEN+1:
	case OPEN+2:
	case OPEN+3:
	case OPEN+4:
	case OPEN+5:
	case OPEN+6:
	case OPEN+7:
	case OPEN+8:
	case OPEN+9:
		sprintf(buf+strlen(buf), "OPEN%d", OP(op)-OPEN);
		p = NULL;
		break;
	case CLOSE+1:
	case CLOSE+2:
	case CLOSE+3:
	case CLOSE+4:
	case CLOSE+5:
	case CLOSE+6:
	case CLOSE+7:
	case CLOSE+8:
	case CLOSE+9:
		sprintf(buf+strlen(buf), "CLOSE%d", OP(op)-CLOSE);
		p = NULL;
		break;
	case STAR:
		p = "STAR";
		break;
	case PLUS:
		p = "PLUS";
		break;
	default:
		printk("<3>Regexp: corrupted opcode\n");
		break;
	}
	if (p != NULL)
		(void) strcat(buf, p);
	return(buf);
}
#endif

#if defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE) && defined(__KERNEL__)
/* This shouldn't be necessary.  see above --straitm */
__kernel_size_t
strcspn(s1, s2)
const char *s1;
const char *s2;
{
	register char *scan1;
	register char *scan2;
	register int count;

	count = 0;
	for (scan1 = (char *)s1; *scan1 != '\0'; scan1++) {
		for (scan2 = (char *)s2; *scan2 != '\0';)	/* ++ moved down.
		*/
			if (*scan1 == *scan2++)
				return(count);
		count++;
	}
	return(count);
}
#endif

l7-protocols-2009-05-28/testing/regexp/regexp.h

/*
 * Definitions etc. for regexp(3) routines.
 *
 * Caveat:  this is V8 regexp(3) [actually, a reimplementation thereof],
 * not the System V one.
 */

#ifndef REGEXP_H
#define REGEXP_H

#define NSUBEXP  10
typedef struct regexp {
	char *startp[NSUBEXP];
	char *endp[NSUBEXP];
	char regstart;		/* Internal use only. */
	char reganch;		/* Internal use only. */
	char *regmust;		/* Internal use only. */
	int regmlen;		/* Internal use only. */
	char program[1];	/* Unwarranted chumminess with compiler. */
} regexp;

regexp * regcomp(char *exp, int *patternsize);
int regexec(regexp *prog, char *string);
void regsub(regexp *prog, char *source, char *dest);
void regerror(char *s);

#endif

l7-protocols-2009-05-28/testing/regexp/regmagic.h

/*
 * The first byte of the regexp internal "program" is actually this magic
 * number; the start node begins in the second byte.
 */
#define	MAGIC	0234

l7-protocols-2009-05-28/testing/regexp/regerror.c

#if 0
void regerror(char * s)
{
	printk("regexp(3): %s", s);
	/* NOTREACHED */
}
#endif

l7-protocols-2009-05-28/testing/regexp/regsub.c

/*
 * regsub
 * @(#)regsub.c	1.3 of 2 April 86
 *
 * Copyright (c) 1986 by University of Toronto.
 * Written by Henry Spencer.  Not derived from licensed software.
 *
 * Permission is granted to anyone to use this software for any
 * purpose on any computer system, and to redistribute it freely,
 * subject to the following restrictions:
 *
 * 1. The author is not responsible for the consequences of use of
 *	this software, no matter how awful, even if they arise
 *	from defects in it.
 *
 * 2.
The origin of this software must not be misrepresented, either
 *	by explicit claim or by omission.
 *
 * 3. Altered versions must be plainly marked as such, and must not
 *	be misrepresented as being the original software.
 *
 *
 * This code was modified by Ethan Sommer to work within the kernel
 * (it now uses kmalloc etc..)
 *
 */
#include "regexp.h"
#include "regmagic.h"
#include <string.h>	/* strncpy */

#ifndef CHARBITS
#define	UCHARAT(p)	((int)*(unsigned char *)(p))
#else
#define	UCHARAT(p)	((int)*(p)&CHARBITS)
#endif

#if 0
//void regerror(char * s)
//{
//        printk("regexp(3): %s", s);
//        /* NOTREACHED */
//}
#endif

/*
 - regsub - perform substitutions after a regexp match
 */
void
regsub(regexp * prog, char * source, char * dest)
{
	register char *src;
	register char *dst;
	register char c;
	register int no;
	register int len;

	/* Not necessary and gcc doesn't like it -MLS */
	/*extern char *strncpy();*/

	if (prog == NULL || source == NULL || dest == NULL) {
		regerror("NULL parm to regsub");
		return;
	}
	if (UCHARAT(prog->program) != MAGIC) {
		regerror("damaged regexp fed to regsub");
		return;
	}

	src = source;
	dst = dest;
	while ((c = *src++) != '\0') {
		if (c == '&')
			no = 0;
		else if (c == '\\' && '0' <= *src && *src <= '9')
			no = *src++ - '0';
		else
			no = -1;

		if (no < 0) {	/* Ordinary character. */
			if (c == '\\' && (*src == '\\' || *src == '&'))
				c = *src++;
			*dst++ = c;
		} else if (prog->startp[no] != NULL && prog->endp[no] != NULL) {
			len = prog->endp[no] - prog->startp[no];
			(void) strncpy(dst, prog->startp[no], len);
			dst += len;
			if (len != 0 && *(dst-1) == '\0') {	/* strncpy hit NUL.
			*/
				regerror("damaged match string");
				return;
			}
		}
	}
	*dst++ = '\0';
}

l7-protocols-2009-05-28/testing/randprintable.c

#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
#include <ctype.h>

int main()
{
	char c;
	srand(time(NULL) * getpid());
	while(1) {
		c = (char)rand()%256;
		/* cast to unsigned char: passing a negative char to the
		   ctype functions is undefined behaviour */
		if(isprint((unsigned char)c) || isspace((unsigned char)c)) {
			printf("%c", c);
		}
	}
	return 0;
}

l7-protocols-2009-05-28/testing/test_speed-userspace.cpp

/*
Reads in up to MAX bytes and runs regcomp against them TIMES times, using the
regular expression given on the command line.

Uses the standard GNU regular expression library which the userspace
version of l7-filter uses.

See ../LICENCE for copyright
*/

using namespace std;

#include <iostream>
#include <string>
#include <cstdio>
#include <cstdlib>
#include <cctype>
#include <unistd.h>
#include <sys/types.h>
#include <regex.h>
#include "l7-parse-patterns.h"

#define MAX 512

static int hex2dec(char c)
{
	switch (c)
	{
		case '0' ... '9':
			return c - '0';
		case 'a' ... 'f':
			return c - 'a' + 10;
		case 'A' ...
		'F':
			return c - 'A' + 10;
		default:
			fprintf(stderr, "hex2dec: bad value!\n");
			exit(1);
	}
}

/* takes a string with \xHH escapes and returns one with the characters
they stand for */
void pre_process(string & s)
{
	char * result = (char *)malloc(s.size() + 1);
	unsigned int sindex = 0, rindex = 0;
	while( sindex < s.size() )
	{
		if( sindex + 3 < s.size() && s[sindex] == '\\' &&
		    s[sindex+1] == 'x' && isxdigit(s[sindex + 2]) &&
		    isxdigit(s[sindex + 3]) )
		{
			result[rindex] = hex2dec(s[sindex+2])*16 + hex2dec(s[sindex+3]);
			sindex += 3; /* 4 total */
		}
		else
			result[rindex] = s[sindex];

		sindex++;
		rindex++;
	}
	result[rindex] = '\0';

	s = result;
	free(result);	/* s holds its own copy now */
}

void doit(regex_t * pattern, int eflags, int verbose, int nexec)
{
	char input[MAX];
	int c;

	for(c = 0; c < MAX; c++){
		char temp = 0;
		while(temp == 0){
			if(EOF == scanf("%c", &temp))
				goto out;
			input[c] = temp;
		}
	}
	out:

	/* Terminate the buffer.  Guard c == 0 (EOF before any byte was
	   read) so that we never write to input[-1]. */
	input[c > 0 ? c-1 : 0] = '\0';

	for(c = 0; c < nexec; c++){
		int result = regexec(pattern, input, 0, 0, eflags);
		if(c == 0){
			if(result == 0)
				printf("match\t");
			else
				printf("no_match\t");
		}
		if(nexec/20 > 0 && c%(nexec/20) == 0)
			fprintf(stderr, ".");
	}
	if(verbose)
		puts("");
	else
		printf(" ");
}

void handle_cmdline(string & filename, int * nexecs, int * verbose,
		    int argc, char ** argv)
{
	const char * opts = "f:vh?n:";
	*verbose = 0;
	int done = 0, gotfilename = 0;
	while(!done)
	{
		char c;
		switch(c = getopt(argc, argv, opts))
		{
			case -1:
				done = 1;
				break;
			case 'f':
				filename = optarg;
				gotfilename = 1;
				break;
			case 'v':
				(*verbose)++;
				break;
			case 'n':
				*nexecs = atoi(optarg);
				if(*nexecs < 1){
					cerr << "You're silly!
Make n > 0, please.\n";
					exit(1);
				}
				break;
			case 'h':
			case '?':
			default:
				printf("Usage: test_speed-userspace -f proto.pat [-v] [-v] [-n reps]\n");
				exit(0);
				break;
		}
	}

	if(!gotfilename)
	{
		cerr << "Please specify a file.\n";
		cerr << "Try test_speed-userspace -h\n";
		exit(1);
	}
}

// Syntax: test_speed -f patternfile
int main(int argc, char ** argv)
{
	regex_t patterncomp;
	int verbose = 0, cflags, eflags, nexecs = 100000;
	string filename, patternstring;

	handle_cmdline(filename, &nexecs, &verbose, argc, argv);

	if(!parse_pattern_file(cflags, eflags, patternstring, filename))
	{
		cerr << "Failed to get pattern from file\n";
		exit(1);
	}

	if(verbose >= 2)
		cout << "Pattern before pre_process: " << patternstring << endl;
	pre_process(patternstring); /* do \xHH escapes */
	if(verbose >= 2)
		cout << "Pattern after pre_process: " << patternstring << endl;

	if(regcomp(&patterncomp, patternstring.c_str(), cflags)){
		fprintf(stderr, "error compiling regexp\n");
		exit(1);
	}

	if(verbose)
		printf("running regexec %d times\n", nexecs);

	doit(&patterncomp, eflags, verbose, nexecs);

	return 0;
}

l7-protocols-2009-05-28/testing/Makefile

all: randchars randprintable test_speed-kernel test_speed-userspace match_kernel

randchars: randchars.c
	gcc -O2 -o randchars randchars.c

randprintable: randprintable.c
	gcc -O2 -o randprintable randprintable.c

test_speed-kernel: test_speed-kernel.c
	gcc -o test_speed-kernel test_speed-kernel.c

test_speed-userspace: test_speed-userspace.cpp l7-parse-patterns.cpp l7-parse-patterns.h
	g++ -Wall -o test_speed-userspace test_speed-userspace.cpp l7-parse-patterns.cpp

match_kernel: match-kernel.c
	gcc -O2 -o match_kernel match-kernel.c

clean:
	rm -f randprintable randchars test_speed-kernel test_speed-userspace match_kernel

l7-protocols-2009-05-28/testing/doallspeeds.sh

#!/bin/bash

# Print a complete report of speeds.
# Relies on output format of ./timeit.sh

if [ ! $1 ]; then
	userspace=1
	kernel=1
elif [ $1 == "userspace" ]; then
	userspace=1
elif [ $1 == "kernel" ]; then
	kernel=1
else
	echo huh?  Say \"userspace\", \"kernel\" or nothing \(which does both\).
	exit 1
fi

printf proto
if [ $userspace ]; then printf \\tuserspace; fi
if [ $kernel ]; then printf \\tkernel; fi
printf \\n

for f in ../*/*.pat; do
	printf `basename $f .pat`

	if [ $userspace ]; then
		gtime=`./timeit.sh $f userspace real | grep Total | cut -d' ' -f 2`
		printf \\t$gtime
	fi
	if [ $kernel ]; then
		htime=`./timeit.sh $f kernel real | grep Total | cut -d' ' -f 2`
		printf \\t$htime
	fi
	printf \\n
done

l7-protocols-2009-05-28/testing/match-kernel.c

/*
Reads in a stream of bytes and tests the first MAX of them to see if they
match the regular expression passed in on the command line.

Uses the Henry Spencer V8 regular expressions which the kernel version
of l7-filter uses.

See ../LICENCE for copyright.
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include "regexp/regexp.c"

#define MAX 512
#define MAX_PATTERN_LEN 8196

static int hex2dec(char c)
{
	switch (c)
	{
		case '0' ... '9':
			return c - '0';
		case 'a' ... 'f':
			return c - 'a' + 10;
		case 'A' ... 'F':
			return c - 'A' + 10;
		default:
			fprintf(stderr, "hex2dec: bad value!\n");
			exit(1);
	}
}

/* takes a string with \xHH escapes and returns one with the characters
they stand for */
static char * pre_process(char * s)
{
	char * result = malloc(strlen(s) + 1);
	int sindex = 0, rindex = 0;
	while( sindex < strlen(s) )
	{
		if( sindex + 3 < strlen(s) &&
		    s[sindex] == '\\' && s[sindex+1] == 'x' &&
		    isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) )
		{
			/* carefully remember to call tolower here...
			*/
			result[rindex] = tolower( hex2dec(s[sindex + 2])*16 +
						  hex2dec(s[sindex + 3] ) );
			sindex += 3; /* 4 total */
		}
		else
			result[rindex] = tolower(s[sindex]);

		sindex++;
		rindex++;
	}
	result[rindex] = '\0';

	return result;
}

int main(int argc, char ** argv)
{
	/* regcomp() allocates the compiled program itself, so nothing is
	   malloc'd here (the old allocation was simply leaked) */
	regexp * pattern = NULL;
	char * s = argv[1];
	char input[MAX];
	int patternlen, inputlen = 0, c = 0;

	if(argc != 2 || !argv[1]){
		fprintf(stderr, "need exactly one arg (the pattern)\n");
		return 1;
	}

	patternlen = strlen(s);
	if(patternlen > MAX_PATTERN_LEN){
		fprintf(stderr, "Pattern is too long!  Max is %d.\n", MAX_PATTERN_LEN);
		return 1;
	}

	// fprintf(stderr, "\"%s\"", s);

	s = pre_process(s); /* do \xHH escapes */

	pattern = regcomp(s, &patternlen);

	if(!pattern){
		fprintf(stderr, "Error compiling regular expression!\n");
		exit(1);
	}

	/*
	for(c = 0; c < MAX; c++){
		// assumes there's plenty to eat
		input[inputlen] = getchar();
		inputlen++;
	}
	input[inputlen] = '\0';
	*/

	for(c = 0; c < MAX; c++){
		char temp = 0;
		while(temp == 0){
			if(EOF == scanf("%c", &temp))
				goto out;
			input[c] = temp;
		}
	}
	out:

	/* Terminate the buffer.  Guard c == 0 (EOF before any byte was
	   read) so that we never write to input[-1]. */
	input[c > 0 ? c-1 : 0] = '\0';
	inputlen = c;

	for(c = 0; c < inputlen; c++)
		input[c] = tolower(input[c]);

	if(regexec(pattern, input))
		puts("Match");
	else
		puts("No match");

	return 0;
}

l7-protocols-2009-05-28/testing/test_match.sh

#!/bin/bash

extract()
{
	if [ -r $1 ]; then
		# this can miss pseudo-valid files that have crap after the pattern
		cat $1 | grep -v ^$ | grep -v ^# | tail -1
	else
		echo Argument is not a readable file > /dev/stderr
		exit 1
	fi
}

if [ ! $1 ]; then
	echo Please specify a pattern or pattern file.
	exit 1
fi

if [ ! $2 ]; then
	echo
	echo Using the userspace pattern and library.
	echo You can change this by saying \"kernel\" as the second argument.
	echo
	matchprog=./test_speed-userspace # no, really
elif [ $2 == "kernel" ]; then
	echo Using the kernel pattern and library.
	matchprog=./match_kernel
elif [ $2 == "userspace" ]; then
	echo Using the userspace pattern and library.
	matchprog=./test_speed-userspace
else
	echo Didn\'t understand what you wanted.  Using the userspace library.
	matchprog=./test_speed-userspace
fi

if [ $3 ]; then
	times=$3
else
	times=500
	echo
	echo Doing 500 repetitions of each test.
	echo You can change this by giving a number as the third argument.
	echo
fi

if [ -x ./randchars ] && [ -x $matchprog ] && [ -x ./randprintable ]; then
	true
else
	echo Can\'t find randchars, $matchprog or randprintable.
	echo They should be in this directory.  Did you say \"make\"?
	exit 1
fi

printf "Out of $times completely random streams, this many match: "

pattern="`extract $1`"

for f in `seq $times`; do
	if [ $3 ]; then printf . > /dev/stderr; fi
	if [ $2 ] && [ $2 == "kernel" ]; then
		if ! ./randchars | $matchprog "$pattern"; then exit 1; fi
	else
		if ! ./randchars | $matchprog -f $1 -n 1 -v; then exit 1; fi
	fi
done | grep -iE '^match' -c

printf "Out of $times printable random streams, this many match: "

for f in `seq $times`; do
	if [ $3 ]; then printf . > /dev/stderr; fi
	if [ $2 ] && [ $2 == "kernel" ]; then
		if ! ./randprintable | $matchprog "$pattern"; then
			exit 1
		fi
	else
		if ! ./randprintable | $matchprog -v -n 1 -f $1; then
			exit 1
		fi
	fi
done | grep -iE '^match' -c

l7-protocols-2009-05-28/testing/randchars.c

#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>

int main()
{
	char c;
	srand(time(NULL) * getpid());
	while(1) printf("%c", (char)rand()%256);
	return 0;
}

l7-protocols-2009-05-28/CHANGELOG

2009 05 28
Improved sip. Removed incorrect comment from unset. Made standard number
of iterations in test suite 100000 instead of 10000.
Reran benchmarks on my new hardware, adjusted boundaries and recategorized
patterns accordingly: 23 patterns were bumped one category slower for the
kernel version and 3 (non-overlapping) patterns were bumped one category
faster for the userspace version.

2009 05 10
Added runesofmagic, gtalk (in extra), dazhihui, tonghuashun.

2008 12 18
Improved/fixed rtp.

2008 11 23
Updated xunlei. Added pplive, guildwars.

2008 11 08
Updates to xunlei, kugoo, bittorrent. Added copyright lines to all pattern
files.

2008 10 04
Fixed minor bug in chikka. Added possible new pattern for xunlei in
comments.

2008 04 23
Testing for random matches with test_match.sh and the kernel library was
completely broken. It now actually works. Added includes to testing
programs for gcc 4.3 compatibility. Updated qq.

2008 02 20
Added png.

2008 02 10
Added rtp (see comments in rtp.pat).

2008 01 16
Fixed and updated flash. Added mp3. Added possibly useful comments to
kugoo.

2008 01 09
Fixed typo in skypeout. This should slightly improve detection and prevent
a warning message.

2007 11 22
Added battlefield2142.

2007 11 03
Simplified imesh pattern in an attempt to avoid the kernel crash that some
people have reported (but that I have not been able to duplicate).
Improved shoutcast pattern. Now should actually work. Reclassified imap,
pop3, vnc, and irc to great. (These haven't changed in a long time, I
think I understand them quite well, and I've heard no complaints.)
Downgraded freenet to poor, since it almost certainly doesn't work (but I
haven't retested it).

2007 10 10
Added liveforspeed.

2007 10 03
Added teamfortress2. Fixed name of http-freshdownload. Removed symlink
tls.pat --> ssl.pat because it will be rejected when it checks the name.
Updated some comments. Re-benchmarked all patterns and updated meta-info
in files. Set boundaries for my 450MHz PIII at:
* Very fast: 0–2 seconds.
* Fast: 2–8 seconds.
* Not so fast: 8–100 seconds.
* Slow: >100 seconds

2007 07 27
Added documentation to ftp.
Added armagetron.

2007 06 22
Added replaytv-ivs.

2007 05 09
Fixed smtp pattern for userspace.

2007 01 14
Added cimd and chikka. Added chikka data to testing suite. Tweaks to
testing suite.

2007 01 13
Updated test suite for new pattern format. Marked skypeout as an
overmatch.

2007 01 08
Slightly improved performance of bittorrent pattern. Fixed comment in
msn-filetransfer. Added userspace pattern format lines to smtp and x11.
The testing suite does NOT yet understand this format.

2007 01 04
Renamed testing to unset.

2007 01 03
Added radmin.

2006 12 12
Fixed some bugs in the testing programs. Made rtf and skypeout valid for
both henry and gnu.

2006 12 11
Reduced equifax part of validcertssl to just "equifax secure" and made
sure it could match all of ssl if followed by a known certificate
authority. Upgraded socks quality to "good". Improved battlefield2 by
making it more liberal. Extended test suite to include use of the GNU
library which is used in the new userspace version. Fixed a long-standing
quoting bug which made it impossible to see matches if the regex got
mangled by bash. Updated all speeds (included both libraries' speeds).
Noted several cases where the existing pattern is not valid for GNU
regexps.

2006 10 18
Added tor. Added more standard/proprietary/open_source groups, but moved
all such groups to the ends of the lines because they are less relevant
than others.

2006 09 24
Added stun. Updated comments in msn-filetransfer and added an example to
back them up. Added ares and stun to testing/data/.

2006 09 10
Added some protocol categories. Added skypeout data. Added mohaa (Medal of
Honor Allied Assault).

2006 06 03
Improved "lime" packet detection in gnutella. Fixed and/or tested skypeout
and skypetoskype, they now both work, at least with Skype 1.2.0.18_API on
Linux, although skypeout is a rather severe overmatch (but no longer an
undermatch).

2006 05 29
Reformatted wiki links for webpage parsing. Fixed gkrellm. Moved pressplay
to extra/.
Renamed "pattern quality" "pattern attributes".
Added the attributes "superset" and "subset".
Added http-freshdownload.
Downgraded skypeout to "marginal".

2006 05 21
Added http-dap and imesh.

2006 05 11
Added subversion.
Removed stray backslash from edonkey.

2006 04 09
Updated edonkey for some (apparently) new packet types.

2006 03 13
Improved bittorrent. It, of course, does not match the new encrypted streams, just more of the other stuff.
Edited edonkey, skypeout, tsp, xunlei, battlefield2 to remove warnings about control characters. Mostly, this was just cosmetic, but in a few cases there were actually bugs.

2006 02 12
Updated WANTED.
Added uucp (ha!) and a VERY preliminary version of pcanywhere.
Improved msnmessenger. It now catches actual conversations and not just the logins.

2006 01 22
Modified dns and unknown so that they do not generate warnings about having control characters or nulls in hex.
Improved dns. Now it matches XXX.XXX.XXX.XXX.in-addr.arpa lookups and IPv6 queries.
Added thecircle.
Updated msnmessenger to handle MSN Messenger 7.5's HTTP encapsulation.

2006 01 17
Improved msnmessenger pattern slightly. (I don't think it was causing any problems, but it wasn't set up to catch connections that only specified one version of MSNP. This does _not_ address the possible issue currently under discussion on the mailing list.)
Fixed ares, it had a regexp syntax error.

2006 01 15
ventrilo ok -> good, skypetoskype good -> marginal.
Improved gopher (it actually didn't work at all before, like anyone cared :-)).
Added wiki links to every pattern file.
Added http-rtsp.
Improved msn-filetransfer: now should match MSNSLP.
Updated comments in directconnect.

2006 01 08 17
Fixed stupid error in ventrilo.

2006 01 08
Socks marginal -> ok.
Added ventrilo.

2005 12 16
Tweaked "pattern group" metadata. Reserved "networking" for protocols that are really nuts and bolts like DNS, DHCP and BGP. Clarified "internet standard" (most actually aren't officially IETF standards).
Improved ares.

2005 12 14
Added teamspeak, worldofwarcraft.
Added preliminary "pattern group" metadata to all of the patterns.

2005 11 20
Improved xunlei.

2005 11 05
Added dayofdefeat-source.

2005 09 12
Improved xunlei, applejuice, http.

2005 09 05
Added citrix, whois.
Added x11 data for testing.

2005 09 03
irc now allows MIRC color codes.
Fixed commented out dns and nntp patterns.
Added a set of real data to speed testing program.
Corrected/updated speed ratings of finger, dns, gopher, ftp, smtp.
Made gnutella faster.
Changed tls to ssl; it catches SSLv3 now.
Improved validcertssl: it's faster and catches more.
Added speed comments to napster and soulseek.

2005 08 24
Small improvements to napster (* --> +).
Added UDP junk to bittorrent, but commented out until it's confirmed.
Added xunlei.

2005 08 10
Added soulseek.
Noted that tsp can overmatch (saw it match soulseek).
Cleaned up pattern file headers.

2005 08 09
Added napster.
Made dhcp faster.

2005 08 06
Added "overmatch" to skypeout.
Improved gnutella (is much faster and no longer attempts to match gnutella web cache HTTP connections).

2005 07 28
Skypeout was too long, fixed. Added checks in tests for this.
Added some info to HOWTO.
Improved gnutella (picks up limewire weirdness).

2005 07 17
Changed license to dual GPL/CC, since we're using CC on protocolinfo.org.
Changed skypeout pattern to the scary long one, because the old one just doesn't work.
Added battlefield2.
Added protocolinfo advertisements.

2005 06 17
Added freenet pattern.
Commented out old pattern in ares.
Fixed minor typo in edonkey pattern.

2005 06 04
Improved ares.
Added note to ntp.

2005 05 27
Improved ntp.
Tinkered with the documentation.

2005 05 26
Added doom3 and ntp.
\0d --> \x0d in quicktime and msnmessenger.
Updated commented out version of vnc.
Made irc much faster.

2005 05 25
Improved counterstrike and renamed it counterstrike-source for clarity.

2005 05 23
Realizing that "\x7c" is treated _exactly_ like "|" (and so forth):
\x7c --> \| in battlefield1942
\x2b --> \+ in soribada
\x2e --> \. in tesla
Added halflife2-deathmatch.

2005 05 19
Fixed rar (had the zip pattern by accident).
Fixed what I think was a typo in finger '$' --> '^'.
Added trivial script, test_all.sh, to testing.

2005 05 18
Updated skype (split into skypeout and skypetoskype), counterstrike and flash.
gnutella should now match gnutella 2.
Added zip, rar and exe.
Fixed typo: rstp --> rtsp.
Tinkered with gopher.

2005 04 29
Reorganization. No functional changes.

2005 04 26
Added soribada, ares.

2005 03 13
Added poco, qq, kugoo, 100bao (all Chinese things I've never heard of...).

2005 02 06
Added sip.
Tweaked "pattern quality" on a number of patterns.

2005 01 29
Improved ssh, it now matches both v1 and v2.
Improved and tested fasttrack. It was overmatching in some cases, now it isn't.
Moved audiogalaxy to extra/ as, from what I can tell, no one uses it (the program) anymore.

2005 01 20
- gnutella now matches UDP Gnutella packets as well as TCP.
- Removed bearshare and winmx (just use gnutella).
- Improved jabber.
- Trivial change to x11.
- Fixed httpaudio, httpvideo, httpcachehit and httpcachemiss, which were all missing a [\x09-\x0d ].
- Added ssdp.
- Improved shoutcast. Now matches Icecast too.

2005 01 17
Fixed http-itunes and battlefield1942 (file names didn't match protocol names in file...).
Improved yahoo.

2005 01 05
Added tls.

2004 12 29
Added xboxlive (or maybe just halo 2?).

2004 12 21
Obfuscated e-mail addresses and added some credits.

2004 12 08
Added battlefield1942.

2004 11 28
Added ^ to h323.

2004 11 22
Changed a \x18 to a . in h323.

2004 10 29
Removed "range: bytes=" from openft. This caused false positives.
Added a cert authority to validcertssl and changed a . to a \.

2004 10 17
Added subspace and skype (skype pattern could use work).

2004 09 13
Added http-itunes and shoutcast.

2004 08 19
Added ciscovpn.
Improved irc (it now matches BitchX connections).

2004 07 07
Added bgp.
Added Makefile and spec file.

2004 07 05
Added msn-filetransfer, zmaap, lpd.
Added a program to test for false matches.
Removed mysql because it has too many false matches.

2004 07 01
Cleaned up http (had an extraneous line).
Added httpaudio, httpvideo, httpcachehit and httpcachemiss to extras.
Improved quake-halflife, bittorrent.

2004 06 27
Fixed hddtemp.
Slight improvements to Yahoo, SMB.
Improvements to msnmessenger.
Added TSP.
Small bugfix in timeit.sh

2004 06 01
RDP fixed.
Quicktime added.
Added "extra" directory and moved anything that was a subset of something else in there.

2004 04 22
The performance testing program didn't do \xHH escapes. Now it does.

2004 03 24
Fixed gopher, openft.
Added goboogy, tesla, hotline.
Added performance testing program.

2004 02 23
Improved the speed of dns, aim, directconnect, gnutella, http, imap, nntp, ncp, msnmessenger, audiogalaxy, snmp.
Still slow are (starting with the worst): ssh, fasttrack, validcertssl, aim, nbns, quake-halflife, http, openft. All the rest are at least 30 times faster than the fastest of these. (With Henry Spencer's regexp implementation, which is what we currently use.)

2004 02 17
Improved HTTP.
Fixed and improved gnutella.
Added hddtemp.

2004 02 08
Added MUTE and openFT.

2004 01 06
Added audiogalaxy.
Improved gnutella.

2004 01 02
Changed quakeworld.pat to quake-halflife.pat . Improved it (still untested, though).
Changed kazaa.pat to fasttrack.pat. Improved it.

2003 12 16
Added H.323.
Improved NNTP, Ident, DNS.
Added "pattern quality" lines to all patterns.

2003 12 11
Added VNC.

2003 12 09
Added jpg, gif, flash.
Updated file_types/README.
Made edonkey work and moved it to weakpatterns.

2003 11 29
Added CVS.

2003 11 23
Changed directory structure. All patterns are now in subdirectories.
Made sure that all filenames matched protocol names.
Noted patterns that require multipacket support.
General cleanup.

2003 11 12
Updated HOWTO to include Netfilter version, etc.
Added comments regarding what I've learned from ipp2p (thanks to Eicke Friedrich)
Added applejuice, quake1, quakeworld.
Improved (fixed?) bittorrent.

2003 10 24
Reverted to single packet ftp pattern.
Minor revisions to malware/*

2003 10 08
Added eDonkey2000 pattern.
Added file_type directory (with html, ogg, pdf, perl, ps, rpm, tar and rtf).
Added malware directory (with Code Red and Nimda).

2003 09 26
I need to remember to include http in all the releases! Sorry about that.
Added jabber.

2003 09 24
Added socks, nntp.

2003 09 22
Releases from here on should only be used with >=0.3.0 of the kernel patch
Some significant speed improvements (gopher is no longer slow enough to bring down the machine when searching large strings) and some small accuracy improvements.
Moved winmx and gopher to weakpatterns.
Added snmp, snmp-mon and snmp-trap

2003 09 19
Added Samba, telnet.
Added weakpatterns directory, which now contains mysql, finger, netbios.

2003 09 18
Added directconnect.

2003 09 15
Added biff.
Fixed pop3 again.
Improved SMTP.

2003 09 14
Added rlogin.

2003 09 12
Fixed pop3.
Improved HTTP.

2003 09 10
Added dns, gopher.

2003 09 05
Improved x11, yahoo.
Added bearshare.
Changed all patterns to use \xHH notation instead of non-printable characters. This release, therefore, MUST be used only with version >= 0.2.0 of the kernel patch.

2003 08 28
Added irc, ident, x11.
Made a number of patterns more specific by adding a '^' at the beginning of the line. Could have also added some $s at the end of lines, but in anticipation of matching across packets, didn't.
Improved HOWTO.

2003 08 21
Added counterstrike, live365, pressplay, winmx.
Fixed gkrellm.
Fixed several patterns that used uppercase letters, which can't ever match. Will fix the kernel patch soon so that this doesn't matter.
Got rid of the #s in files like this one. They were annoying. Just use "*.pat" in your scripts instead of "*".
Added pattern writing HOWTO.

2003 08 19
Fixed ftp.
Added gkrellm.
Simplified tftp.

2003 08 09
Fixed dhcp.
Added tftp.
Improved aim.

2003 08 08
Updated DHCP pattern.
Improved pattern comments, including adding status information (i.e. how well they work) for all the patterns.
Added LICENSE file so it's clear these are released as part of the code of the l7-filter project.

2003 07 07
Added rdp.

2003 06 01
Added aim, bittorrent, nbns, ncp, dhcp, rstp, ipp, msnmessenger, aimwebcontent.
Removed mohaa.

2003 05 23
Added gnucleuslan, validcertssl, counterstrike, gnutella, kazaa, smtp, mohaa.

2003 05 09
Cleaned up.

2003 05 07
This is the initial release. Currently we have primitive detection of ftp, http, imap, kazaa, pop3, and ssh. Expect future releases to include both more patterns and better definitions for the above protocols.

l7-protocols-2009-05-28/Makefile

all:
	@echo Nothing to compile, just run \'make install\'
	@echo \(This simply copies this directory into $(PREFIX)/etc/l7-protocols \)

install:
	mkdir -p $(PREFIX)/etc/l7-protocols
	cp -R * $(PREFIX)/etc/l7-protocols

l7-protocols-2009-05-28/protocols/

l7-protocols-2009-05-28/protocols/x11.pat

# X Windows Version 11 - Networked GUI system used in most Unices
# Pattern attributes: good notsofast veryfast
# Protocol groups: remote_access x_consortium_standard
# Wiki: http://www.protocolinfo.org/wiki/X11
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# It is common for X to be tunneled through SSH. Then obviously this pattern
# will not catch it.
#
# Specification: http://www.msu.edu/~huntharo/xwin/docs/xwindows/PROTO.pdf
# Usually runs on port 6000 (6001 for the second server on a host, etc)
#
# This pattern has been tested.

x11
# 'l' = little-endian. 'B' = big endian
# ".?" is for the unused byte that comes next. If it's a null, it won't appear.
# \x0b = protocol-major-version 11.
# For some reason, protocol-minor-version is 0, not 6, so can't match it.
# This pattern is too general.
^[lb].?\x0b
userspace pattern=^[lB].?\x0b
userspace flags=REG_NOSUB

l7-protocols-2009-05-28/protocols/jabber.pat

# Jabber (XMPP) - open instant messenger protocol - RFC 3920 - http://jabber.org
# Pattern attributes: good notsofast notsofast
# Protocol groups: chat ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/Jabber
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested with Gaim and Gabber. It is only tested
# with non-SSL mode Jabber with no proxies.
# Thanks to Jan Hudec for some improvements.
# Jabber seems to take a long time to set up a connection. I'm
# connecting with Gabber 0.8.8 to 12jabber.org and the first 8 packets
# is this:
#
#
# No mention of my username or password yet, you'll note.

jabber
# Jan Engelhardt

teamfortress2
^\xff\xff\xff\xff.....*tfTeam Fortress

l7-protocols-2009-05-28/protocols/applejuice.pat

# Apple Juice - P2P filesharing - http://www.applejuicenet.de
# Pattern attributes: great veryfast fast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/AppleJuice
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested with the Linux version (version
# 0,29,142,229). It matches search requests and file transfers.

applejuice
# this pattern extracted from ipp2p, by Eicke Friedrich.
^ajprot\x0d\x0a

l7-protocols-2009-05-28/protocols/imesh.pat

# iMesh - the native protocol of iMesh, a P2P application - http://imesh.com
# Pattern attributes: ok fast notsofast
# Protocol groups: p2p
# Wiki: http://protocolinfo.org/wiki/iMesh
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# depending on the version of iMesh (the program), it can also use fasttrack,
# gnutella and edonkey in addition to iMesh (the protocol).

imesh
# The first branch matches the login
# The second branch matches the main non-download connection (searches, etc)
# The third branch matches downloads of "premium" content
# The fourth branch matches peer downloads.
^(post[\x09-\x0d -~]*................................|\x34\x80?\x0d?\xfc\xff\x04|get[\x09-\x0d -~]*Host: imsh\.download-prod\.musicnet\.com|\x02[\x01\x02]\x83.*\x02[\x01\x02]\x83)

l7-protocols-2009-05-28/protocols/napster.pat

# Napster - P2P filesharing
# Pattern attributes: good fast fast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/Napster
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# All my tests show that this pattern is fast, but one user has reported that
# it is slow. Your mileage may vary.
#
# Should work for any Napster offspring, like OpenNAP.
# (Yes, people still use this!)
# Matches both searches and downloads.
#
# http://opennap.sourceforge.net/napster.txt
#
# This pattern has been tested and is believed to work well.

napster
# (client-server: length, assumed to be less than 256, login or new user login,
# username, password, port, client ID, link-type |
# client-client: 1, firewalled or not, username, filename)
# Assumes that filenames are well-behaved ASCII strings. I have found
# one case where this assumption fails (filename had \x99 in it).
^(.[\x02\x06][!-~]+ [!-~]+ [0-9][0-9]?[0-9]?[0-9]?[0-9]? "[\x09-\x0d -~]+" ([0-9]|10)|1(send|get)[!-~]+ "[\x09-\x0d -~]+")

l7-protocols-2009-05-28/protocols/stun.pat

# STUN - Simple Traversal of UDP Through NAT - RFC 3489
# Pattern attributes: ok veryfast fast
# Protocol groups: networking ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/STUN
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is untested as far as I know.
# Wikipedia says: "The STUN server is contacted on UDP port 3478,
# however the server will hint clients to perform tests on alternate IP
# and port number too (STUN servers have two IP addresses). The RFC
# states that this port and IP are arbitrary."

stun
# \x01 is a Binding Request. \x02 is a Shared Secret Request. Binding
# Requests are, experimentally, exactly 20 Bytes with three NULL Bytes.
# The first NULL is part of the two byte message type field. The other
# two give the message length, zero. I'm guessing that Shared Secret
# Requests are similar, but I have not checked. Please read the RFC and
# do experiments to find out. All other message types are responses,
# and so don't matter.
#
# The .? allows one of the Message Transaction ID Bytes to be \x00. If
# two are \x00, it will fail. This will happen 0.37% of the time, since
# the Message Transaction ID is supposed to be random. If this is
# unacceptable to you, add another ? to reduce this to 0.020%, but be
# aware of the increased possibility of false positives.
^[\x01\x02]................?$

# From my post to the mailing list:
# http://sourceforge.net/mailarchive/message.php?msg_id=36787107
#
# This is a rather permissive pattern, but you can make it a little better
# by combining it with another iptables rule that checks that the packet
# data is exactly 20 Bytes. Of course, the second packet is longer, so
# maybe that introduces more complications than benefits.
#
# If you're willing to wait until the second packet to make the
# identification, you could use this:
#
# ^\x01................?\x01\x01
#
# or if the Message Length is always \x24 (I'm not sure it is from your
# single example):
#
# ^\x01................?\x01\x01\x24

l7-protocols-2009-05-28/protocols/msn-filetransfer.pat

# MSN (Microsoft Network) Messenger file transfers (MSNFTP and MSNSLP)
# Pattern attributes: good fast fast
# Protocol groups: chat document_retrieval proprietary
# Wiki: http://www.protocolinfo.org/wiki/MSN_Messenger
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# http://www.hypothetic.org/docs/msn/client/file_transfer.php
# NOTE! This pattern does not catch the modern type of MSN filetransfers
# because they use the same TCP connection as the chat itself. See
# ../example_traffic/msn_chat_and_file_transfer.txt for a demonstration.
# This pattern has been tested and seems to work well. It does,
# however, require more testing with various versions of the official
# MSN client as well as with clones such as Trillian, Miranda, Gaim,
# etc. If you are using a MSN clone and this pattern DOES work for you,
# please, also let us know.
# First part matches the older MSNFTP: A MSN filetransfer is a normal
# MSN connection except that the protocol is MSNFTP. Some clients
# (especially Trillian) send other protocol versions besides MSNFTP
# which should be matched by the [ -~]*.
# Second part matches newer MSNSLP:
# http://msnpiki.msnfanatic.com/index.php/MSNC:MSNSLP
# This part is untested.
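Added example, not part of the l7-protocols archive: the null-byte tolerance and the 20-byte length check discussed in the stun.pat comments, reproduced in Python. It assumes, as the pattern comments on this page state, that every 0x00 byte is removed from the packet data before matching; the function names and sample payloads are constructed for illustration, and "another ?" is read here as making one more of the sixteen dots optional.

```python
"""Added example (not from l7-protocols): null stripping vs. the stun.pat regex.

Assumption, taken from the pattern comments: the matcher removes every 0x00
byte from the packet data before the regular expression is applied.
"""
import re
from math import comb

TXID_LEN = 16  # RFC 3489 transaction ID: 128 bits


def stun_pattern(tolerated_nulls=1):
    """stun.pat regex with `tolerated_nulls` of the 16 ID dots made optional.

    tolerated_nulls=1 is the pattern on the page (15 dots, then '.?').
    '$' is written '\\Z' and DOTALL is set so Python treats 0x0a as an
    ordinary byte (assumed to be how the original regex libraries behave).
    """
    body = b"." * (TXID_LEN - tolerated_nulls) + b".?" * tolerated_nulls
    return re.compile(rb"^[\x01\x02]" + body + rb"\Z", re.DOTALL)


def strip_nulls(payload):
    """Preprocessing step the comments describe: drop all NUL bytes."""
    return payload.replace(b"\x00", b"")


def binding_request(txid):
    """Constructed 20-byte Binding Request: type 0x0001, length 0, 16-byte ID."""
    if len(txid) != TXID_LEN:
        raise ValueError("transaction ID must be 16 bytes")
    return b"\x00\x01" + b"\x00\x00" + txid


def matches(payload, tolerated_nulls=1, require_20_bytes=False):
    """Apply the pattern; optionally add the 20-byte length check that the
    mailing-list comment suggests pairing it with."""
    if require_20_bytes and len(payload) != 20:
        return False
    return stun_pattern(tolerated_nulls).search(strip_nulls(payload)) is not None


def miss_probability(tolerated_nulls=1):
    """Exact chance that a uniformly random ID holds more NUL bytes than the
    pattern tolerates (binomial with n=16, p=1/256)."""
    p = 1 / 256
    caught = sum(
        comb(TXID_LEN, k) * p**k * (1 - p) ** (TXID_LEN - k)
        for k in range(tolerated_nulls + 1)
    )
    return 1 - caught


if __name__ == "__main__":
    # Constructed transaction IDs containing 0, 1 and 2 NUL bytes.
    for nulls in range(3):
        txid = b"\x00" * nulls + bytes(range(1, TXID_LEN + 1 - nulls))
        pkt = binding_request(txid)
        print(nulls, "NUL bytes in ID:",
              matches(pkt), "(page pattern),",
              matches(pkt, 2), "(one more optional dot)")
    print("miss rate, page pattern:     %.4f%%" % (100 * miss_probability(1)))
    print("miss rate, one more '?':     %.4f%%" % (100 * miss_probability(2)))
    # Constructed non-STUN payload: the permissive pattern matches it,
    # the extra length check rejects it.
    junk = b"\x02" + b"A" * 16
    print("17-byte junk:", matches(junk), matches(junk, require_20_bytes=True))
```

The exact binomial miss rates come out at about 0.18% for the pattern as written and about 0.0032% with a second optional dot. The 0.37% and 0.020% quoted in the comment equal 16·15/256² and 16·15·14/256³.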
msn-filetransfer
^(ver [ -~]*msnftp\x0d\x0aver msnftp\x0d\x0ausr|method msnmsgr:)

l7-protocols-2009-05-28/protocols/dns.pat

# DNS - Domain Name System - RFC 1035
# Pattern attributes: great slow fast
# Protocol groups: networking ietf_internet_standard
# Wiki: http://www.protocolinfo.org/wiki/DNS
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# Thanks to Sebastien Bechet for TLD detection
# improvements

# While RFC 2181 says "Occasionally it is assumed that the Domain Name
# System serves only the purpose of mapping Internet host names to data,
# and mapping Internet addresses to host names. This is not correct, the
# DNS is a general (if somewhat limited) hierarchical database, and can
# store almost any kind of data, for almost any purpose.", we will assume
# just that, because that represents the vast majority of DNS traffic.

# The packet starts with a 2 byte random ID number and 2 bytes of flags that
# aren't easy to match on.

# The first thing that is matchable is QDCOUNT, the number of queries.
# Despite the fact that you can apparently ask for up to 65535
# things at a time, usually you only ask for one and I doubt you ever ask for
# zero. Let's allow up to two, just in case (even though I can't find any
# situation that generates more than one).

# Next comes the ANCOUNT, NSCOUNT, and ARCOUNT fields, which could be null
# or some smallish number, not matchable except by length (up to 6)

# The next matchable thing is the query address. The first byte indicates the
# length of the first part of the address, which is limited to 63 (0x3F == '?').
# The next byte has to be a letter (for domain names) or number (for reverse lookups).
# Then there can be any combination of
# letters, digits, hyphens, and 0x01-0x3F length markers.
# Then we check for the presence of a top-level-domain at some later point.
# This is indicated by a 0x02-0x06 and at least two letters, followed by no
# more than four more letters.
# Note that this will miss a very few queries that are for a TLD alone.
# i.e. "host museum" (195.7.77.17)
#
# http://www.icann.org/tlds http://www.iana.org/cctld/cctld-whois.htm

# next is the QTYPE field, which has valid values 1-16 (although this
# could probably be restricted further since many are rare) and \x1c for
# IPv6 (and maybe more?). It should follow immediately after the TLD
# (and some stripped-out nulls)

# next is QCLASS, which has valid values 1-4 and 255, except 2 is never used.
# I'm not sure if 3 and 4 are used, so I'll include them. 1=Internet 255=any

# If we wanted to match queries and responses separately, there could be
# more specifics after this for the responses.

dns
# here's a sane way of doing it
^.?.?.?.?[\x01\x02].?.?.?.?.?.?[\x01-?][a-z0-9][\x01-?a-z]*[\x02-\x06][a-z][a-z][fglmoprstuvz]?[aeop]?(um)?[\x01-\x10\x1c][\x01\x03\x04\xFF]

# This way assumes that TLDs are any alpha string 2-6 characters long.
# If TLDs are added, this is a good fallback.
#^.?.?.?.?[\x01\x02].?.?.?.?.?.?[\x01-?][a-z0-9][\x01-?a-z]*[\x02-\x06][a-z][a-z][a-z]?[a-z]?[a-z]?[a-z]?[\x01-\x10][\x01\x03\x04\xFF]

# If you have more processing power than me, you can substitute this for
# the [a-z][a-z][a-z]?[a-z]?[a-z]?[a-z]?
#(aero|arpa|biz|com|coop|edu|gov|info|int|mil|museum|name|net|org|pro|arpa|ac|ad|ae|af|ag|ai|al|am|an|ao|aq|ar|as|at|au|aw|az|ba|bb|bd|be|bf|bg|bh|bi|bj|bm|bn|bo|br|bs|bt|bv|bw|by|bz|ca|cc|cd|cf|cg|ch|ci|ck|cl|cm|cn|co|cr|cu|cv|cx|cy|cz|de|dj|dk|dm|do|dz|ec|ee|eg|eh|er|es|et|fi|fj|fk|fm|fo|fr|ga|gd|ge|gf|gg|gh|gi|gl|gm|gn|gp|gq|gr|gs|gt|gu|gw|gy|hk|hm|hn|hr|ht|hu|id|ie|il|im|in|io|iq|ir|is|it|je|jm|jo|jp|ke|kg|kh|ki|km|kn|kp|kr|kw|ky|kz|la|lb|lc|li|lk|lr|ls|lt|lu|lv|ly|ma|mc|md|mg|mh|mk|ml|mm|mn|mo|mp|mq|mr|ms|mt|mu|mv|mw|mx|my|mz|na|nc|ne|nf|ng|ni|nl|no|np|nr|nu|nz|om|pa|pe|pf|pg|ph|pk|pl|pm|pn|pr|ps|pt|pw|py|qa|re|ro|ru|rw|sa|sb|sc|sd|se|sg|sh|si|sj|sk|sl|sm|sn|so|sr|st|sv|sy|sz|tc|td|tf|tg|th|tj|tk|tm|tn|to|tp|tr|tt|tv|tw|tz|ua|ug|uk|um|us|uy|uz|va|vc|ve|vg|vi|vn|vu|wf|ws|ye|yt|yu|za|zm|zw)

l7-protocols-2009-05-28/protocols/gkrellm.pat

# Gkrellm - a system monitor - http://gkrellm.net
# Pattern attributes: great veryfast fast
# Protocol groups: monitoring open_source
# Wiki: http://www.protocolinfo.org/wiki/Gkrellm
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested and is believed to work well.
# Since this is not anything resembling a published protocol, it may change without
# warning in new versions of gkrellm.

gkrellm
# tested with gkrellm 2.2.7
^gkrellm [23].[0-9].[0-9]\x0a$

l7-protocols-2009-05-28/protocols/thecircle.pat

# The Circle - P2P application - http://thecircle.org.au
# Pattern attributes: ok veryfast fast
# Protocol groups: p2p open_source
# Wiki: http://www.protocolinfo.org/wiki/The_Circle
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

# This is tested with The Circle 0.41c on Linux.
# It likely misses some stuff. Notably, I wasn't able to test it on any
# large downloads, because no one is sharing anything!

thecircle
^t\x03ni.?[\x01-\x06]?t[\x01-\x05]s[\x0a\x0b](glob|who are you$|query data)

l7-protocols-2009-05-28/protocols/counterstrike-source.pat

# Counterstrike (using the new "Source" engine) - network game
# Pattern attributes: good veryfast fast
# Protocol groups: game proprietary
# Wiki: http://www.protocolinfo.org/wiki/Counter-Strike
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# By adam.randazzoATgmail.com

counterstrike-source
^\xff\xff\xff\xff.*cstrikeCounter-Strike

# These games use Steam, which is developed by Valve Software.
#
# This was based off of the following captured data from ethereal:
# --Source--
# 0000  00 11 09 2a a8 79 00 13 10 2c 3f d7 08 00 45 20  ...*.y...,?...E
# 0010  00 72 b9 f6 00 00 6b 11 b6 78 18 0e 04 cc c0 a8  .r....k..x......
# 0020  01 6a 69 87 04 65 00 5e 01 ac ff ff ff ff 49 07  .ji..e.^......I.
# 0030  54 4a 27 73 20 50 6c 61 63 65 20 6f 66 20 50 61  TJ's Place of Pa
# 0040  69 6e 00 64 65 5f 70 69 72 61 6e 65 73 69 00 63  in.de_piranesi.c
# 0050  73 74 72 69 6b 65 00 43 6f 75 6e 74 65 72 2d 53  strike.Counter-S
# 0060  74 72 69 6b 65 3a 20 53 6f 75 72 63 65 00 dc 00  trike: Source...
# 0070  08 10 06 64 77 00 00 31 2e 30 2e 30 2e 31 38 00  ...dw..1.0.0.18.
# 0080
#
# --1.6--
# 0000  00 11 09 2a a8 79 00 13 10 2c 3f d7 08 00 45 00  ...*.y...,?...E.
# 0010  00 8e c4 1a 00 00 76 11 b3 85 08 09 02 fa c0 a8  ......v.........
# 0020  01 14 69 91 04 37 00 7a c9 90 ff ff ff ff 6d 38  ..i..7.z......m8
# 0030  2e 39 2e 32 2e 32 35 30 3a 32 37 30 32 35 00 49  .9.2.250:27025.I
# 0040  50 20 2d 20 43 6c 61 6e 20 73 65 72 76 65 72 00  P - Clan server.
# 0050  64 65 5f 64 75 73 74 32 00 63 73 74 72 69 6b 65  de_dust2.cstrike
# 0060  00 43 6f 75 6e 74 65 72 2d 53 74 72 69 6b 65 00  .Counter-Strike.
# 0070  0a 0c 2f 64 77 00 01 77 77 77 2e 63 6f 75 6e 74  ../dw..www.count
# 0080  65 72 2d 73 74 72 69 6b 65 2e 6e 65 74 00 00 00  er-strike.net...
# 0090  01 00 00 00 00 9e f7 0a 00 01 00 00              ............

# Old pattern. (Adam Randazzo says "CS 1.6 and CS: Source are the
# only two versions that are playable on the Internet since Valve
# disabled the WON system in favor of steam.")
# cs .*dl.www.counter-strike.net

l7-protocols-2009-05-28/protocols/armagetron.pat

# Armagetron Advanced - open source Tron/snake based multiplayer game
# Pattern attributes: good slow notsofast
# Protocol groups: open_source game
# Wiki: http://protocolinfo.org/wiki/Armagetron
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

# Contributed to protocolinfo.org, possibly by joda.bot, who says "The
# filter matches the initial transfer of configuration data. Very early
# versions might not transfer the CYCLE_ Settings (before 0.2.5.x)."

armagetron
YCLC_E|CYEL

l7-protocols-2009-05-28/protocols/yahoo.pat

# Yahoo messenger - an instant messenger protocol - http://yahoo.com
# Pattern attributes: good fast fast
# Protocol groups: chat proprietary
# Wiki: http://www.protocolinfo.org/wiki/Yahoo_Messenger
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 5050
#
# This pattern has been tested and is believed to work well.

yahoo
# http://www.venkydude.com/articles/yahoo.htm says:
# All Yahoo commands start with YMSG.
# (Well... http://ethereal.com/faq.html#q5.32 suggests that YPNS and YHOO
# are also possible, so let's allow those)
# The next 7 bytes contain command (packet?) length and version information
# which we won't currently try to match.
# L means "YAHOO_SERVICE_VERIFY" according to Ethereal
# W means "encryption challenge command" (YAHOO_SERVICE_AUTH)
# T means "login command" (YAHOO_SERVICE_AUTHRESP)
# (there are others, i.e. 0x01 "coming online", 0x02 "going offline",
# 0x04 "changing status to available", 0x06 "user message", but W and T
# should appear in the first few packets.)
# 0xC080 is the standard argument separator, it should appear not long
# after the "type of command" byte.
^(ymsg|ypns|yhoo).?.?.?.?.?.?.?[lwt].*\xc0\x80

l7-protocols-2009-05-28/protocols/unset.pat

# Unset - Dummy pattern for unmatched connections that are still being tested

unset
# This pattern is ignored by the kernel. It sees that the "protocol" is
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# "testing" and always returns matched for connections that are still
# being tested.
.

l7-protocols-2009-05-28/protocols/ares.pat

# Ares - P2P filesharing - http://aresgalaxy.sf.net
# Pattern attributes: good veryfast fast undermatch
# Protocol groups: p2p open_source
# Wiki: http://www.protocolinfo.org/wiki/Ares
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

# This pattern catches only client-server connect messages. This is
# sufficient for blocking, but not for shaping, since it doesn't catch
# the actual file transfers (see below).

# Original pattern by Brandon Enright

# This pattern has been tested with Ares 1.8.8.2998.

ares
# regular expression madness: "[]Z]" means ']' or 'Z'.
^\x03[]Z].?.?\x05$

# It appears that the general packet format is:
# - Two byte little endian integer giving the data length
# - One byte packet type
# - data
#
# Login packets (TCP) have the following format:
# - \x03\x00 (the length appears to always be 3)
# - \x5a - The login packet type.
#   The source code suggests that for supernodes \x5d is used instead.
# - Three more bytes. I don't know the meaning of these, but for me they
#   are always \x06\x06\x05 (in Ares 1.8.8.2998). From the comments in IPP2P,
#   it seems that they are not always exactly that, but seem to always end in
#   \x05.
#
# Search packets have the following format:
# - Two byte little endian integer giving the data length
#   A single two letter word makes this \x0a
#   The biggest I could get it was \x4f
# - Packet type = \x09
# - One byte document type:
#   - "all" = 00
#   - "audio" = 01
#   - "software" = 03
#   - "video" = 05
#   - "document" = 06
#   - "image" = 07
#   - "other" = 08
# - \x0f - I don't know what this means, but it is always this for me
# - Two bytes of unknown meaning that change
# - Some number search words:
#   - \x14 - I don't know what this means, but it is always this for me
#   - One byte length of the first search word
#     Between 2 and \x14 in my tests with Ares 1.8.8.2998
#     It ignores single letter words and truncates ones longer than \x14
#   - Two bytes of unknown meaning that change
#   - The search word (not null terminated)
# This was all investigated by searching for strings in "all". Searches
# can also be performed in "title" and "author". I'm not going to
# bother to research these because I now realize that searches are done
# on the same TCP connection as the login packets, so there is no need
# to match them separately.
#
# File transfers appear to be encrypted or at least obfuscated. (The
# files themselves, at least, are not transmitted in the clear.) I
# haven't found any patterns.

l7-protocols-2009-05-28/protocols/battlefield2142.pat

# Battlefield 2142 - An EA game.
# Pattern attributes: ok fast fast
# Protocol groups: proprietary game
# Wiki: http://protocolinfo.org/wiki/Battlefield_2142
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

# Submitted by Telsin. Not confirmed.

battlefield2142
# gameplay|account-login|server browsing/information
# Can't put a ^ on the last branch: it fails to match if you do.
# This branch seems to matter very rarely, though
^(\x11\x20\x01\x90\x50\x64\x10|\xfe\xfd.?.?.?\x18|[\x01\\].?battlefield2)

l7-protocols-2009-05-28/protocols/halflife2-deathmatch.pat

# Half-Life 2 Deathmatch - popular computer game
# Pattern attributes: good veryfast fast
# Protocol groups: game proprietary
# Wiki: http://www.protocolinfo.org/wiki/Half-Life
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# By Clayton Macleod

halflife2-deathmatch
^\xff\xff\xff\xff.*hl2mpDeathmatch

l7-protocols-2009-05-28/protocols/teamspeak.pat

# TeamSpeak - VoIP application - http://goteamspeak.com
# Pattern attributes: good veryfast fast
# Protocol groups: voip proprietary
# Wiki: http://www.protocolinfo.org/wiki/TeamSpeak
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested by Matthew Strait and verified by packet
# traces by at least two other people. The meaning of f4b303 is not
# known, but it seems to appear in all first packets. This pattern only
# matches the actual UDP voice traffic, not the TeamSpeak web interface
# or "TCP query".

teamspeak
^\xf4\xbe\x03.*teamspeak

l7-protocols-2009-05-28/protocols/tor.pat

# Tor - The Onion Router - used for anonymization - http://tor.eff.org
# Pattern attributes: good notsofast notsofast
# Protocol groups: networking
# Wiki: http://protocolinfo.org/wiki/Tor
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested and is believed to work well.
#
# It matches on the second packet. I have no idea how the protocol
# works, but this matches every stream I have made using Tor 0.1.0.16 as
# a client on Linux.
#
# It does NOT attempt to match the HTTP request that fetches the list of
# Tor servers.
tor
TOR1.*

l7-protocols-2009-05-28/protocols/skypetoskype.pat
# Skype to Skype - UDP voice call (program to program) - http://skype.com
# Pattern attributes: ok veryfast fast overmatch
# Protocol groups: voip p2p proprietary
# Wiki: http://www.protocolinfo.org/wiki/Skype
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# This matches at least some of the general chatter that occurs when the
# user isn't doing anything as well as actual calls.
# Thanks to Myles Uyema, mylesuyema AT gmail.com
skypetoskype
# require at least 16 bytes (my limited tests always get at least 18)
^..\x02.............

l7-protocols-2009-05-28/protocols/chikka.pat
# Chikka - SMS service which can be used without phones - http://chikka.com
# Pattern attributes: good fast fast superset
# Protocol groups: proprietary chat
# Wiki: http://www.protocolinfo.org/wiki/Chikka
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# Tested with Chikka Javalite on 14 Jan 2007.
# The login and chat use the same TCP connection.
# "Kamusta" means "Hello" in Tagalog, apparently, so that will probably
# stay the same. I've only seen v1.2, but I've given it some leeway for
# past and future versions.
# Chikka uses CIMD as part of the login process, see cimd.pat
chikka
^CTPv1\.[123] Kamusta.*\x0d\x0a$

l7-protocols-2009-05-28/protocols/subspace.pat
# Subspace - 2D asteroids-style space game - http://sscentral.com
# Pattern attributes: marginal veryfast fast
# Protocol groups: game
# Wiki: http://www.protocolinfo.org/wiki/Subspace
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# By Myles Uyema
#
# This pattern matches the initial 2 packets of the client-server
# 'handshake' when joining a Zone.
#
# The first packet is an 8 byte UDP payload sent from client
# 0x00 0x01 0x?? 0x?? 0x?? 0x?? 0x11
# The next packet is a 12 byte UDP response from server
# 0x00 0x10 0x?? 0x?? 0x?? 0x?? 0x?? 0x?? 0x?? 0x?? 0x01 0x00
#
# l7-filter strips out the null bytes, leaving me with this pattern
subspace
^\x01....\x11\x10........\x01$

l7-protocols-2009-05-28/protocols/shoutcast.pat
# Shoutcast and Icecast - streaming audio
# Pattern attributes: good slow notsofast
# Protocol groups: streaming_audio
# Wiki: http://www.protocolinfo.org/wiki/Icecast
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# usually runs on port 80
#
# Original pattern contributed by Deepak Seshadri who says "The difference between [Shoutcast and
# Icecast] is not clearly mentioned anywhere. According to this
# document, my pattern would filter JUST shoutcast packets."
#
# Should now match both Shoutcast and Icecast. Tested with Winamp (in
# 2005) and Totem using streams at dir.xiph.org (in Nov 2007).
#
# http://sander.vanzoest.com/talks/2002/audio_and_apache/
# http://forums.radiotoolbox.com/viewtopic.php?t=74
# http://www.icecast.org
shoutcast
# The first branch looks for an HTTP request that looks like it is asking for
# a SHOUTcast stream. The second branch looks for the server's reply. However,
# some (newer?) servers answer with "http/1.0 200 OK", not "ICY 200 OK", so
# this will not work.
# This pattern was discovered using Ethereal.
^get /.*icy-metadata:1|icy [1-5][0-9][0-9] [\x09-\x0d -~]*(content-type:audio|icy-)

l7-protocols-2009-05-28/protocols/tftp.pat
# TFTP - Trivial File Transfer Protocol - used for bootstrapping - RFC 1350
# Pattern attributes: marginal fast fast
# Protocol groups: document_retrieval ietf_internet_standard
# Wiki: http://www.protocolinfo.org/wiki/TFTP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# usually runs on port 69
#
# This pattern is unconfirmed.
tftp
# The first packet from the initiating host should either be a Read Request
# or a Write Request. In the other direction, it should be a data packet with
# block number one or an ACK with block number zero. We only attempt to match
# the initiating host's packets, because the only identifying features of
# the responses to them are two byte sequences (which isn't specific enough).
# (\x01|\x02) = Read Request or Write Request
# [ -~]* = the file name
# the rest = netascii|octet|mail (case insensitivity done by the kernel)
^(\x01|\x02)[ -~]*(netascii|octet|mail)

l7-protocols-2009-05-28/protocols/tesla.pat
# Tesla Advanced Communication - P2P filesharing (?)
# Pattern attributes: marginal slow notsofast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/Tesla
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is untested!
# This is lifted from http://oofle.com/filesharing.php?app=tesla
# There is no explanation of what these numbers mean.
# The above page says that the first string is found only in TCP packets
# and the second only in UDP.
tesla
\x03\x9a\x89\x22\x31\x31\x31\.\x30\x30\x20\x42\x65\x74\x61\x20|\xe2\x3c\x69\x1e\x1c\xe9

l7-protocols-2009-05-28/protocols/live365.pat
# live365 - An Internet radio site - http://live365.com
# Pattern attributes: marginal notsofast notsofast
# Protocol groups: streaming_audio
# Wiki: http://www.protocolinfo.org/wiki/Live365
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern was "contributed" (taken with permission) by the bandwidth
# arbitrator project (www.bandwidtharbitrator.com).
#
# This pattern is unconfirmed.
live365
# FIXME: what's going on here?
membername.*session.*player

l7-protocols-2009-05-28/protocols/gnutella.pat
# Gnutella - P2P filesharing
# Pattern attributes: good notsofast notsofast
# Protocol groups: p2p open_source
# Wiki: http://www.protocolinfo.org/wiki/Gnutella
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This should match both Gnutella and "Gnutella2" ("Mike's protocol")
#
# Various clients use this protocol including Mactella, Shareaza,
# GTK-gnutella, Gnucleus, Gnotella, LimeWire, iMesh and BearShare.
#
# This is tested with gtk-gnutella and Shareaza.
# http://www.gnutella2.com/tiki-index.php?page=UDP%20Transceiver
# http://rfc-gnutella.sf.net/
# http://www.gnutella2.com/tiki-index.php?page=Gnutella2%20Specification
# http://en.wikipedia.org/wiki/Shareaza
gnutella
# The first part matches UDP messages - All start with "GND", then have
# a flag byte which is either \x00, \x01 or \x02, then two sequence bytes
# that can be anything, then a fragment number, which must start at 1.
# The rest matches TCP first client message or first server message (in case
# we can't see client messages). Some parts of this are empirical rather than
# document based. Assumes version is between 0.0 and 2.9. (usually is
# 0.4 or 0.6).
I'm guessing at many of the user-agents.
# The last bit is empirical and probably only matches Limewire.
^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|...................?lime)
# Needlessly precise, at the expense of time
#^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /[\x09-\x0d -~]*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /[\x09-\x0d -~]*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella[\x09-\x0d -~]*content-type: application/x-gnutella|..................lime)

l7-protocols-2009-05-28/protocols/cvs.pat
# CVS - Concurrent Versions System
# Pattern attributes: good veryfast fast
# Protocol groups: version_control open_source
# Wiki: http://www.protocolinfo.org/wiki/CVS
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
cvs
# Matches pserver login. AUTH is for actually starting the protocol
# VERIFICATION is for authenticating without starting the protocols
# and GSSAPI is for using security services such as kerberos.
# http://www.loria.fr/~molli/cvs/doc/cvsclient_3.html
^BEGIN (AUTH|VERIFICATION|GSSAPI) REQUEST\x0a

l7-protocols-2009-05-28/protocols/finger.pat
# Finger - User information server - RFC 1288
# Pattern attributes: good slow slow undermatch overmatch
# Protocol groups: ietf_draft_standard
# Wiki: http://www.protocolinfo.org/wiki/Finger
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 79
#
# This pattern is lightly tested.
finger
# The first matches the client request, which should look like a username.
# The second matches the usual UNIX reply (but remember that they are
# allowed to say whatever they want)
^[a-z][a-z0-9\-_]+|login: [\x09-\x0d -~]* name: [\x09-\x0d -~]* Directory:

l7-protocols-2009-05-28/protocols/gnucleuslan.pat
# GnucleusLAN - LAN-only P2P filesharing
# Pattern attributes: good notsofast notsofast
# Protocol groups: p2p open_source
# Wiki: http://www.protocolinfo.org/wiki/GnucleusLAN
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested and is believed to work well.
gnucleuslan
gnuclear connect/[\x09-\x0d -~]*user-agent: gnucleus [\x09-\x0d -~]*lan:

l7-protocols-2009-05-28/protocols/pop3.pat
# POP3 - Post Office Protocol version 3 (popular e-mail protocol) - RFC 1939
# Pattern attributes: great fast fast
# Protocol groups: mail ietf_internet_standard
# Wiki: http://www.protocolinfo.org/wiki/POP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested somewhat.
# this is a difficult protocol to match because of the relative lack of
# distinguishing information. Read on.
pop3
# this the most conservative pattern. It should definitely work.
#^(\+ok|-err)
# this pattern assumes that the server says _something_ after +ok or -err
# I think this is probably the way to go.
^(\+ok |-err )
# more than 90% of servers seem to say "pop" after "+ok", but not all.
#^(\+ok .*pop)
# Here's another tack. I think this is my second favorite.
#^(\+ok [\x09-\x0d -~]*(ready|hello|pop|starting)|-err [\x09-\x0d -~]*(invalid|unknown|unimplemented|unrecognized|command))
# this matches the server saying "you have N messages that are M bytes",
# which the client probably asks for early in the session (not tested)
#\+ok [0-9]+ [0-9]+
# some sample servers:
# RFC example: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>
# mail.dreamhost.com: +OK Hello there.
# pop.carleton.edu: +OK POP3D(*) Server PMDFV6.2.2 at Fri, 12 Sep 2003 19:28:10 -0500 (CDT) (APOP disabled)
# mail.earthlink.net: +OK NGPopper vEL_4_38 at earthlink.net ready <25509.1063412951@falcon>
# *.email.umn.edu: +OK Cubic Circle's v1.22 1998/04/11 POP3 ready <7d1e0000da67623f@aquamarine.tc.umn.edu>
# mail.yale.edu: +OK POP3 pantheon-po01 v2002.81 server ready
# mail.gustavus.edu: +OK POP3 solen v2001.78 server ready
# mail.reed.edu: +OK POP3 letra.reed.edu v2002.81 server ready
# mail.bowdoin.edu: +OK mail.bowdoin.edu POP3 service (iPlanet Messaging Server 5.2 HotFix 1.15 (built Apr 28 2003))
# pop.colby.edu: +OK Qpopper (version 4.0.5) at basalt starting.
# mail.mac.com: +OK Netscape Messaging Multiplexor ready
# various error strings:
#-ERR Invalid command.
#-ERR invalid command
#-ERR unimplemented
#-ERR Invalid command, try one of: USER name, PASS string, QUIT
#-ERR Unknown AUTHORIZATION state command
#-ERR Unrecognized command
#-ERR Unknown command: "sadf'".
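Added example, not part of the l7-protocols archive: it runs the active pop3 pattern and the three commented-out alternatives over the sample greetings and error strings listed in pop3.pat, to show which samples each candidate misses. Python's re module stands in for l7-filter's regex engine, and the helper l7_view is an assumed approximation of the preprocessing the comments in subspace.pat and tftp.pat describe (null bytes stripped, matching done case-insensitively); the trailing CRLF and the "+OKAY" string are constructed.

```python
import re


def l7_view(payload: bytes) -> bytes:
    """Approximate the data the patterns are matched against:
    null bytes removed and ASCII letters lowercased (assumption based on
    the comments in subspace.pat and tftp.pat)."""
    return payload.replace(b"\x00", b"").lower()


# The active pattern and the commented-out alternatives from pop3.pat.
CANDIDATES = {
    "conservative": rb"^(\+ok|-err)",
    "active": rb"^(\+ok |-err )",
    "pop_after_ok": rb"^(\+ok .*pop)",
    "keywords": (rb"^(\+ok [\x09-\x0d -~]*(ready|hello|pop|starting)"
                 rb"|-err [\x09-\x0d -~]*"
                 rb"(invalid|unknown|unimplemented|unrecognized|command))"),
}

# Sample server greetings quoted in pop3.pat.
GREETINGS = [
    "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>",
    "+OK Hello there.",
    "+OK POP3D(*) Server PMDFV6.2.2 at Fri, 12 Sep 2003 19:28:10 -0500 (CDT) (APOP disabled)",
    "+OK NGPopper vEL_4_38 at earthlink.net ready <25509.1063412951@falcon>",
    "+OK Cubic Circle's v1.22 1998/04/11 POP3 ready <7d1e0000da67623f@aquamarine.tc.umn.edu>",
    "+OK POP3 pantheon-po01 v2002.81 server ready",
    "+OK POP3 solen v2001.78 server ready",
    "+OK POP3 letra.reed.edu v2002.81 server ready",
    "+OK mail.bowdoin.edu POP3 service (iPlanet Messaging Server 5.2 HotFix 1.15 (built Apr 28 2003))",
    "+OK Qpopper (version 4.0.5) at basalt starting.",
    "+OK Netscape Messaging Multiplexor ready",
]

# Error strings quoted in pop3.pat.
ERRORS = [
    "-ERR Invalid command.",
    "-ERR invalid command",
    "-ERR unimplemented",
    "-ERR Invalid command, try one of: USER name, PASS string, QUIT",
    "-ERR Unknown AUTHORIZATION state command",
    "-ERR Unrecognized command",
    "-ERR Unknown command: \"sadf'\".",
]


def matches(pattern: bytes, raw: bytes) -> bool:
    """True if the pattern matches the payload as l7_view presents it."""
    return re.search(pattern, l7_view(raw)) is not None


def unmatched(pattern: bytes, samples) -> list:
    """Return the samples (sent as one CRLF-terminated line) the pattern misses."""
    return [s for s in samples
            if not matches(pattern, s.encode("ascii") + b"\r\n")]


def coverage() -> dict:
    """Map each candidate name to the samples it fails to match."""
    return {name: unmatched(pat, GREETINGS + ERRORS)
            for name, pat in CANDIDATES.items()}


if __name__ == "__main__":
    total = len(GREETINGS) + len(ERRORS)
    for name, missed in coverage().items():
        print(f"{name}: matched {total - len(missed)}/{total}")
        for sample in missed:
            print(f"    missed: {sample}")
    # Constructed non-POP3 line: shows what the trailing space buys.
    probe = b"+OKAY\r\n"
    print("conservative on +OKAY:", matches(CANDIDATES["conservative"], probe))
    print("active on +OKAY:", matches(CANDIDATES["active"], probe))
```

The "pop_after_ok" candidate misses the two greetings that never say "pop" and, having no -err branch, every error string; the other three cover all of the listed samples.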

l7-protocols-2009-05-28/protocols/ntp.pat
# (S)NTP - (Simple) Network Time Protocol - RFCs 1305 and 2030
# Pattern attributes: good fast fast overmatch
# Protocol groups: time_synchronization ietf_draft_standard
# Wiki: http://www.protocolinfo.org/wiki/NTP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is tested and is believed to work.
# client|server
# Requires the server's timestamp to be in the present or future (of 2005).
# Tested with ntpdate on Linux.
# Assumes version 2, 3 or 4.
# Note that ntp packets are always 48 bytes, so you should match on that too.
ntp
^([\x13\x1b\x23\xd3\xdb\xe3]|[\x14\x1c$].......?.?.?.?.?.?.?.?.?[\xc6-\xff])

l7-protocols-2009-05-28/protocols/replaytv-ivs.pat
# ReplayTV Internet Video Sharing - Digital Video Recorder - http://replaytv.com
# Pattern attributes: good fast fast
# Protocol groups:
# Wiki: http://www.protocolinfo.org/wiki/ReplayTV
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Pattern by jm 409 at hot mail dot com, who says that this one "worked best".
replaytv-ivs
^(get /ivs-IVSGetFileChunk|http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*\x23\x23\x23\x23\x23REPLAY_CHUNK_START\x23\x23\x23\x23\x23)

l7-protocols-2009-05-28/protocols/100bao.pat
# 100bao - a Chinese P2P protocol/program - http://www.100bao.com
# Pattern attributes: ok veryfast fast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/100Bao
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Pattern written by www.routerclub.com's wsgtrsys.
# The author of this pattern says it works, but this is unconfirmed.
100bao
^\x01\x01\x05\x0a

l7-protocols-2009-05-28/protocols/smb.pat
# Samba/SMB - Server Message Block - Microsoft Windows filesharing
# Pattern attributes: good fast notsofast
# Protocol groups: document_retrieval networking proprietary
# Wiki: http://www.protocolinfo.org/wiki/SMB
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# "This protocol is sometimes also referred to as the Common Internet File
# System (CIFS), LanManager or NetBIOS protocol." -- "man samba"
#
# Actually, SMB is a higher level protocol than NetBIOS. However, the
# NetBIOS header is only 4 bytes: not much to match on.
#
# http://www.ubiqx.org/cifs/SMB.html
#
# This pattern is lightly tested.
smb
# matches a NEGOTIATE PROTOCOL or TRANSACTION REQUEST command
\xffsmb[\x72\x25]

l7-protocols-2009-05-28/protocols/nbns.pat
# NBNS - NetBIOS name service
# Pattern attributes: good slow notsofast
# Protocol groups: networking proprietary
# Wiki: http://www.protocolinfo.org/wiki/NBNS
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested and is believed to work well.
#
# name query
# \x01\x10 means name query
#
# registration NB
# (\x10 or )\x10 means registration
#
# release NB (merged with registration)
# 0\x10 means release
nbns
# This is not a valid basic GNU regular expression.
\x01\x10\x01|\)\x10\x01\x01|0\x10\x01

l7-protocols-2009-05-28/protocols/battlefield2.pat
# Battlefield 2 - An EA game.
# Pattern attributes: ok slow notsofast
# Protocol groups: game proprietary
# Wiki: http://www.protocolinfo.org/wiki/Battlefield_2
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is unconfirmed except implicitly by a comment on protocolinfo.
battlefield2
# gameplay|account-login|server browsing/information
# See http://protocolinfo.org/wiki/Battlefield_2
# Can we put a ^ on the last branch? If so, notsofast --> veryfast
# 193.85.217.35 on protocolinfo says:
# The first part of the pattern, \x11\x20\x01\xa0\x98\x11, has to be
# modified for different version of Battlefield 2. The gameplay part of
# pattern for BF2 v1.4 is \x11\x20\x01\x30\xb9\x10\x11, and for BF2
# v1.41 is \x11\x20\x01\x50\xb9\x10\x11
#
# Rather than put all of those in, I've just gone with "...?" in the
# middle.
^(\x11\x20\x01...?\x11|\xfe\xfd.?.?.?.?.?.?(\x14\x01\x06|\xff\xff\xff))|[]\x01].?battlefield2
# Pattern prior to 193.85.217.35's comment on protocolinfo:
#^(\x11\x20\x01\xa0\x98\x11|\xfe\xfd.?.?.?.?.?.?(\x14\x01\x06|\xff\xff\xff))|[]\x01].?battlefield2

l7-protocols-2009-05-28/protocols/http-rtsp.pat
# RTSP tunneled within HTTP
# Pattern attributes: ok notsofast fast subset
# Protocol groups: streaming_audio streaming_video ietf_draft_standard
# Wiki: http://www.protocolinfo.org/wiki/RTSP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Apple's documentation on what Quicktime does:
# http://developer.apple.com/quicktime/icefloe/dispatch028.html
# This is what the first part of the pattern is about
#
# The second part is based on the example in RFC 2326. For this part to
# work, this pattern MUST be earlier in the iptables rules chain than
# HTTP. Otherwise, the stream will be identified as HTTP.
http-rtsp
^(get[\x09-\x0d -~]* Accept: application/x-rtsp-tunnelled|http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*a=control:rtsp://)

l7-protocols-2009-05-28/protocols/goboogy.pat
# GoBoogy - a Korean P2P protocol
# Pattern attributes: marginal slow notsofast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/GoBoogy
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is untested and likely does not work in all cases!
#
# By Adam Przybyla, modified by Matthew Strait. Possibly lifted from
# Josh Ballard (oofle.com).
goboogy
|^get /getfilebyhash\.cgi\?|^get /queue_register\.cgi\?|^get /getupdowninfo\.cgi\?

l7-protocols-2009-05-28/protocols/edonkey.pat
# eDonkey2000 - P2P filesharing - http://edonkey2000.com and others
# Pattern attributes: good fast fast overmatch
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/EDonkey
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Tested recently (April/May 2006) with eMule 0.47a and eDonkey2000 1.4
# and a long time ago with something else.
#
# In addition to matching what you might expect, this matches much of
# what eMule does when you tell it to only connect to the KAD network.
# I don't quite know what to make of this.
# Thanks to Matt Skidmore
edonkey
# http://gd.tuwien.ac.at/opsys/linux/sf/p/pdonkey/eDonkey-protocol-0.6
#
# In addition to \xe3, \xc5 and \xd4, I see a lot of \xe5.
# As of April 2006, I also see some \xe4.
#
# God this is a mess. What an irritating protocol.
# This will match about 2% of streams with random data in them!
# (But fortunately much fewer than 2% of streams that are other protocols.
# You can test this with the data in ../testing/)
^[\xc5\xd4\xe3-\xe5].?.?.?.?([\x01\x02\x05\x14\x15\x16\x18\x19\x1a\x1b\x1c\x20\x21\x32\x33\x34\x35\x36\x38\x40\x41\x42\x43\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58[\x60\x81\x82\x90\x91\x93\x96\x97\x98\x99\x9a\x9b\x9c\x9e\xa0\xa1\xa2\xa3\xa4]|\x59................?[ -~]|\x96....$)
# matches everything and too much
# ^(\xe3|\xc5|\xd4)
# ipp2p essentially uses "\xe3....\x47", which doesn't seem at all right to me.
# bandwidtharbitrator uses
# e0.*@.*6[a-z].*p$|e0.*@.*[a-z]6[a-z].*p0$|e.*@.*[0-9]6.*p$|emule|edonkey
# no comments to explain what all the mush is, of course...

l7-protocols-2009-05-28/protocols/mohaa.pat
# Medal of Honor Allied Assault - an Electronic Arts game
# Pattern attributes: good veryfast fast
# Protocol groups: game proprietary
# Wiki: http://www.protocolinfo.org/wiki/Medal_of_Honor_Allied_Assault
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is written and tested by Krzysztof Maciejewski.
mohaa
^\xff\xff\xff\xffgetstatus\x0a

l7-protocols-2009-05-28/protocols/gopher.pat
# Gopher - A precursor to HTTP - RFC 1436
# Pattern attributes: good slow notsofast undermatch
# Protocol groups: document_retrieval obsolete ietf_rfc_documented
# Wiki: http://www.protocolinfo.org/wiki/Gopher
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Gopher servers usually run on TCP port 70.
#
# This pattern is lightly tested using gopher.dna.affrc.go.jp .
gopher
# This matches the server's response, but naturally only if it is a
# directory listing, not if it is sending a file, because then the data
# is totally arbitrary.
# Matches the client saying "list what you have", then the server
# response: one of the file type characters, any printable characters, a
# tab, any printable characters, a tab, something that looks like a
# domain name, a tab, and then a number which could be the start of a
# port number.
# "0About internet Gopher\tStuff:About us\trawBits.micro.umn.edu\t70"
# "\r7search by keywords on protein data using wais\twaissrc:/protein_all/protein\tgopher.dna.affrc.go.jp\t70"
^[\x09-\x0d]*[1-9,+tgi][\x09-\x0d -~]*\x09[\x09-\x0d -~]*\x09[a-z0-9.]*\.[a-z][a-z].?.?\x09[1-9]

l7-protocols-2009-05-28/protocols/guildwars.pat
# Guild Wars - online game - http://guildwars.com
# Pattern attributes: marginal veryfast fast
# Protocol groups: game proprietary
# Wiki: http://www.protocolinfo.org/wiki/Guild_Wars
# Copyright (C) 2008 Matthew Strait; See ../LICENSE
# Contributed on protocolinfo by Greatwolf with the comment, "Guild Wars
# uses encrypted data on tcp/6112 and may be impossible to match by
# content. An experimental filter has been written to match Guild Wars
# packets. More testing is still required to determine the effectiveness
# of this pattern."
guildwars
^[\x04\x05]\x0c.i\x01

l7-protocols-2009-05-28/protocols/quake1.pat
# Quake 1 - A popular computer game.
# Pattern attributes: marginal veryfast fast
# Protocol groups: game proprietary
# Wiki: http://www.protocolinfo.org/wiki/Quake
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is untested and unconfirmed.
# Info taken from http://www.gamers.org/dEngine/quake/QDP/qnp.html,
# which says that it "is incomplete, inaccurate and only applies to
# versions 0.91, 0.92, 1.00 and 1.01 of QUAKE"
quake1
# Connection request: 80 00 00 0c 01 51 55 41 4b 45 00 03
# \x80 = control packet.
# \x0c = packet length
# \x01 = CCREQ_CONNECT
# \x03 = protocol version (3 == 0.91, 0.92, 1.00, 1.01)
^\x80\x0c\x01quake\x03

l7-protocols-2009-05-28/protocols/hddtemp.pat
# hddtemp - Hard drive temperature reporting
# Pattern attributes: great veryfast fast
# Protocol groups: monitoring open_source
# Wiki: http://www.protocolinfo.org/wiki/HDDtemp
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 7634
#
# You're a silly person if you use this pattern.
#
# This pattern has been tested and is believed to work well.
hddtemp
^\|/dev/[a-z][a-z][a-z]\|[0-9a-z]*\|[0-9][0-9]\|[cfk]\|

l7-protocols-2009-05-28/protocols/freenet.pat
# Freenet - Anonymous information retrieval - http://freenetproject.org
# Pattern attributes: poor veryfast fast
# Protocol groups: p2p document_retrieval open_source
# Wiki: http://www.protocolinfo.org/wiki/Freenet
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
freenet
# Freenet is intentionally hard to identify...
# This is empirical, only tested on one computer, and unlikely to work anymore.
^\x01[\x08\x09][\x03\x04]

l7-protocols-2009-05-28/protocols/vnc.pat
# VNC - Virtual Network Computing. Also known as RFB - Remote Frame Buffer
# Pattern attributes: great veryfast fast
# Protocol groups: remote_access
# Wiki: http://www.protocolinfo.org/wiki/VNC
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# http://www.realvnc.com/documentation.html
#
# This pattern has been verified with vnc v3.3.7 on WinXP and Linux
#
# Thanks to Trevor Paskett for this pattern.
vnc
# Assumes single digit major and minor version numbers
# This message should be all alone in the first packet, so ^$ is appropriate
^rfb 00[1-9]\.00[0-9]\x0a$
# This is a more restrictive version which assumes the version numbers
# are ones actually in existence at the time of this writing, i.e. 3.3,
# 3.7 and 3.8 (with some clients wrongly reporting 3.5). It should be
# slightly faster, but probably not worth the extra maintenance.
# ^rfb 003\.00[3578]\x0a$

l7-protocols-2009-05-28/protocols/worldofwarcraft.pat
# World of Warcraft - popular network game - http://blizzard.com/
# Pattern attributes: ok veryfast fast
# Protocol groups: game proprietary
# Wiki: http://www.protocolinfo.org/wiki/World_of_Warcraft
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
worldofwarcraft
^\x06\xec\x01
# Quoth the author of this pattern, Weisskopf Beat:
# I have written a pattern for wow (tested with versions 1.8.3 and
# 1.8.4, german edition). It does not match the login as i think this is
# uncritical, but i have added the necessary info later on. So only the
# actual in-game traffic is matched.
#
# I hope the pattern is specific enough, otherwise one may add some
# bytes from the response.
#
# some captured info:
#
# login:
#
# 0000: 00 02 28 00 57 6F 57 00 01 08 03 C7 12 36 38 78 ..(.WoW......68x
# 0010: 00 6E 69 57 00 45 44 65 64 3C 00 00 00 C0 A8 01 .niW.EDed<......
# 0020: 22 0A 42 57 45 49 53 53 4B 4F 50 46 ".BWEISSKOPF
#
# 0000: 00 02 28 00 57 6F 57 00 01 08 03 C7 12 36 38 78 ..(.WoW......68x
# 0010: 00 6E 69 57 00 45 44 65 64 3C 00 00 00 C0 A8 01 .niW.EDed<......
# 0020: 22 0A 42 57 45 49 53 53 4B 4F 50 46 ".BWEISSKOPF
#
# server asking:
#
# #1
# 0000: 00 06 EC 01 04 49 C5 33 .....I.3
#
# #2
# 0000: 00 06 EC 01 C3 A8 6E 63 ......nc
#
# client response
# #1
# 0000: 00 A4 ED 01 00 00 C7 12 00 00 00 00 00 00 42 57 ..............BW
# 0010: 45 49 53 53 4B 4F 50 46 00 EB 35 DC 89 5A CA 6D EISSKOPF..5..Z.m
# 0020: 17 95 DE 5B 74 6E 1E 5D 23 73 C6 8F 27 9F 11 12 ...[tn.]#s..'...
# 0030: BB 21 01 00 00 78 9C 75 CC 41 0A 83 50 0C 84 E1 .!...x.u.A..P...
# 0040: E7 3D 7A 19 75 25 D4 4D AB EB 12 5E A2 0C 8D 51 .=z.u%.M...^...Q
# 0050: D2 57 04 4F DF 2E 2D A4 B3 FD 86 3F A5 EF 1A C5 .W.O..-....?....
# 0060: 71 90 F3 A3 7E E7 82 D5 C6 2E 55 CB 7E B9 FE 58 q...~.....U.~..X
# 0070: 43 A5 A8 4C 10 E5 1E 86 85 B6 E8 04 63 D8 1C 06 C..L........c...
# 0080: 5A A7 A9 84 D2 D9 6B 93 1C 5B 4F D9 D7 50 6E 04 Z.....k..[O..Pn.
# 0090: 0E 61 20 15 8B 6B 83 13 CB FD 09 D5 7F 0C 13 3F .a ..k.........?
# 00A0: DB 07 B4 EA 54 F8 ....T.
#
# #2
# 0000: 00 A4 ED 01 00 00 C7 12 00 00 00 00 00 00 42 57 ..............BW
# 0010: 45 49 53 53 4B 4F 50 46 00 38 4C B5 95 C3 AD 25 EISSKOPF.8L....%
# 0020: CB 73 48 BD 82 FC 99 63 59 AC BF F3 D0 C6 8D AB .sH....cY.......
# 0030: 3D 21 01 00 00 78 9C 75 CC 41 0A 83 50 0C 84 E1 =!...x.u.A..P...
# 0040: E7 3D 7A 19 75 25 D4 4D AB EB 12 5E A2 0C 8D 51 .=z.u%.M...^...Q
# 0050: D2 57 04 4F DF 2E 2D A4 B3 FD 86 3F A5 EF 1A C5 .W.O..-....?....
# 0060: 71 90 F3 A3 7E E7 82 D5 C6 2E 55 CB 7E B9 FE 58 q...~.....U.~..X
# 0070: 43 A5 A8 4C 10 E5 1E 86 85 B6 E8 04 63 D8 1C 06 C..L........c...
# 0080: 5A A7 A9 84 D2 D9 6B 93 1C 5B 4F D9 D7 50 6E 04 Z.....k..[O..Pn.
# 0090: 0E 61 20 15 8B 6B 83 13 CB FD 09 D5 7F 0C 13 3F .a ..k.........?
# 00A0: DB 07 B4 EA 54 F8 ....T.

l7-protocols-2009-05-28/protocols/liveforspeed.pat
# Live For Speed - A racing game.
# Pattern attributes: poor fast fast
# Protocol groups: game proprietary
# Wiki: http://www.protocolinfo.org/wiki/Live_For_Speed
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern was submitted to protocolinfo.org by 80.55.238.74 with no
# explanation. It is unconfirmed.
# Live For Speed S2 Alpha 0.5 X10
liveforspeed
^..\x05\x58\x0a\x1d\x03
# The same guy came by the next day and deleted the \x03 without comment...

l7-protocols-2009-05-28/protocols/ventrilo.pat
# Ventrilo - VoIP - http://ventrilo.com
# Pattern attributes: good fast fast
# Protocol groups: voip proprietary
# Wiki: http://www.protocolinfo.org/wiki/Ventrilo
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# I have tested this with Ventrilo client 2.3.0 on Windows talking to
# Ventrilo server 2.3.1 (the public version) on Linux. I've done this
# both within a LAN and over the Internet. In one test, I tried
# monkeying around with the server settings to see if I could break the
# pattern, and I couldn't. However, you can't change the port number in
# the public server.
#
# It has also been tested by one other person in an unknown configuration.
ventrilo
^..?v\$\xcf

l7-protocols-2009-05-28/protocols/whois.pat
# Whois - query/response system, usually used for domain name info - RFC 3912
# Pattern attributes: good notsofast notsofast overmatch
# Protocol groups: networking ietf_draft_standard
# Wiki: http://www.protocolinfo.org/wiki/Whois
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on TCP port 43
#
# This pattern has been tested and is believed to work well.
whois
# Matches the query. Assumes only that it is printable ASCII without weird
# whitespace.
^[ !-~]+\x0d\x0a$

l7-protocols-2009-05-28/protocols/ipp.pat
# IP printing - a new standard for UNIX printing - RFC 2911
# Pattern attributes: good notsofast notsofast
# Protocol groups: printer ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/IPP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested and is believed to work well.
ipp
# It's unlikely that anything else has this string, but I think we could
# do a bit better...
ipp://

l7-protocols-2009-05-28/protocols/tonghuashun.pat
# Tonghuashun - stock analysis and trading; Chinese - http://www.10jqka.com.cn
# Pattern attributes: ok fast fast
# Protocol groups:
# Wiki: http://www.protocolinfo.org/wiki/Tonghuashun
# Copyright (C) 2009 Matthew Strait; See ../LICENSE
# Pattern contributed by liangjun without comment.
tonghuashun
^(GET /docookie\.php\?uname=|\xfd\xfd\xfd\xfd\x30\x30\x30\x30\x30)

l7-protocols-2009-05-28/protocols/ident.pat
# Ident - Identification Protocol - RFC 1413
# Pattern attributes: good fast fast
# Protocol groups: networking ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/Ident
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 113
#
# This pattern is believed to work.
ident
# "number , numberCRLF" possibly without the CR and/or LF.
# ^$ is appropriate because the first packet should never have anything
# else in it.
^[1-9][0-9]?[0-9]?[0-9]?[0-9]?[\x09-\x0d]*,[\x09-\x0d]*[1-9][0-9]?[0-9]?[0-9]?[0-9]?(\x0d\x0a|[\x0d\x0a])?$

l7-protocols-2009-05-28/protocols/xboxlive.pat
# XBox Live - Console gaming
# Pattern attributes: marginal slow notsofast
# Protocol groups: game proprietary
# Wiki: http://www.protocolinfo.org/wiki/XBox_Live
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This may match all XBox traffic, or may only match Halo 2 traffic.
# We don't know yet.
#
# Thanks to Myles Uyema, who says:
#
# Analyzing packet traces using Ethereal, the Xbox typically connects
# to remote users using UDP port 3074. The first frame is typically
# a 156 byte UDP payload. I've only scrutinized the first 20 or so bytes.
#
# Each line below represents the first frame between my Xbox and a remote
# player's IP address playing Halo2 on Xbox Live.
#
# 00 00 00 00 00 58 80 00 00 00 00 00 82 31 9e a8 05 0f c5 62 00 f3 96 08
# 00 00 00 00 00 58 80 00 00 00 00 00 82 31 9e a8 0f 0f c5 62 00 f3 97 09
# 00 00 00 00 00 58 80 00 00 00 00 00 82 31 9e a8 05 0f c5 62 00 f3 95 07
# 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 bc 07
# 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 be 09
# 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 bf 0a
# 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 bd 08
# 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 ba 05
# 00 00 00 00 00 58 80 00 00 00 00 00 81 87 ea 59 aa 11 ff 89 00 f3 bb 06
# 00 00 00 00 00 58 80 00 00 00 00 00 81 7f dd 14 f2 8e a3 a1 00 f3 ca 06
# 00 00 00 00 00 58 80 00 00 00 00 00 81 7f dd 14 f2 8e a3 a1 00 f3 cc 08
# 00 00 00 00 00 58 80 00 00 00 00 00 81 7f dd 14 f2 8e a3 a1 00 f3 c9 05
# 00 00 00 00 00 58 80 00 00 00 00 00 8b ca 5b c0 d8 9c f8 c3 00 f3 d4 0a
# 00 00 00 00 00 58 80 00 00 00 00 00 8b ca 5b c0 d8 9c f3 c3 00 f3 d1 07
# 00 00 00 00 00 58 80 00 00 00 00 00 8b ca 5b c0 d8 9c f8 c3 00 f3 d2 08
# 00 00 00 00 00 58 80 00 00 00 00 00 8b ca 5b c0 d8 9c f8 c3 00 f3 cf 05
# 00 00 00 00 06 58 4e 00 00 00 e6 d9 6e ab 65 0d 63 9f 02 00 00 02 80 dd
# 00 00 00 00 06 58 4e 00 00 00 46 e2 95 74 cd f9 bc 3d 00 00 00 00 8b ca
# 00 00 00 00 06 58 4e 00 00 00 cf ce 3b 5c f5 f2 49 9a 00 00 00 00 8b ca
# 00 00 00 00 06 58 4e 00 00 00 a9 c0 ac c5 16 e5 c9 92 00 00 00 00 8b ca

xboxlive
^\x58\x80........\xf3|^\x06\x58\x4e

l7-protocols-2009-05-28/protocols/subversion.pat
# Subversion - a version control system
# Pattern attributes: ok veryfast fast
# Protocol groups: version_control open_source
# Wiki: http://www.protocolinfo.org/wiki/Subversion
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is UNTESTED. (But it seems straightforward enough...)
#
# Subversion uses TCP port 3690 by default.

subversion
# This is not a valid basic GNU regular expression.
^\( success \( 1 2 \(

l7-protocols-2009-05-28/protocols/quake-halflife.pat
# Half Life 1 engine games (HL 1, Quake 2/3/World, Counterstrike 1.6, etc.)
# Pattern attributes: good veryfast fast
# Protocol groups: game proprietary
# Wiki: http://www.protocolinfo.org/wiki/Half-Life http://www.protocolinfo.org/wiki/Counter-Strike http://www.protocolinfo.org/wiki/Day_of_Defeat
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Contributed by Laurens Blankers, who says:
#
# This pattern has been tested with QuakeWorld (2.30), Quake 2 (3.20),
# Quake 3 (1.32), and Half-life (1.1.1.0). But may also work on other
# games based on the Quake engine.
#
# Clayton Macleod says:
# [This should match] Counter-Strike v1.6, [...]
# the slightly updated
# Counter-Strike: Condition Zero, and the game Day Of Defeat, Team
# Fortress Classic, Deathmatch Classic, Ricochet, Half-Life [1] Deathmatch,
# and I imagine all the other 3rd party mods that also use this engine
# will match that pattern.

quake-halflife
# All quake (like) protocols start with 4x 0xFF. Then the client either
# issues getinfo or getchallenge.
^\xff\xff\xff\xffget(info|challenge)

# A previous quake pattern allowed the connection to start with only 2 bytes
# of 0xFF. This doesn't seem to ever happen, but we should keep an eye out
# for it.

l7-protocols-2009-05-28/protocols/telnet.pat
# Telnet - Insecure remote login - RFC 854
# Pattern attributes: good veryfast fast
# Protocol groups: remote_access obsolete ietf_internet_standard
# Wiki: http://www.protocolinfo.org/wiki/Telnet
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 23
#
# This pattern is lightly tested.

telnet
# Matches at least three IAC (Do|Will|Don't|Won't) commands in a row.
# My telnet client sends 9 when I connect, so this should be fine.
# This pattern could fail on an unchatty connection or it could be
# matched by something non-telnet spewing a lot of stuff in the fb-ff range.
^\xff[\xfb-\xfe].\xff[\xfb-\xfe].\xff[\xfb-\xfe]

l7-protocols-2009-05-28/protocols/h323.pat
# H.323 - Voice over IP.
# Pattern attributes: ok veryfast fast
# Protocol groups: voip itu-t_standard
# Wiki: http://www.protocolinfo.org/wiki/H.323
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is written without knowledge of the principles of H.323.
# It has only been tested with gnomemeeting and may not work for other
# clients.
#
# Also, it has been reported that:
# "the pattern ... match[es] only first H.323 stream (conntrack for H.323 was
# enabled).
# Also the major chunk of traffic was of RTP which went untracked."
#
# Also, it may very well match other things that use TPKT and
# Q.931.

# Note that to take full advantage of this pattern, you will need to
# have connection tracking of H.323 support in your kernel. This
# support is not in the stock kernel. A patch can be found at
# http://netfilter.org

h323
# TPKT format: http://www.ietf.org/rfc/rfc1006.txt
# \x03 = TPKT version. It was 3 in May 1987 and gnomemeeting still uses 3.
# ..? = null reserved byte and packet length field.
# Q.931 format: http://www.freesoft.org/CIE/Topics/126.htm
# \x08 = Q.931
# . = length of call reference
# The next byte was: \x18 = message sent from originating side.
# But based on experimentation, it seems that just . is better.
# .?.?.?.?.?.?.?.?.?.?.?.?.?.?.? = call reference (0-15 bytes (0 for nulls))
# \x05 = setup message
#
# Yup, it doesn't actually include any H.323 protocol information.
^\x03..?\x08...?.?.?.?.?.?.?.?.?.?.?.?.?.?.?\x05

l7-protocols-2009-05-28/protocols/soulseek.pat
# Soulseek - P2P filesharing - http://slsknet.org
# Pattern attributes: good fast fast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/Soulseek
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# All my tests show that this pattern is fast, but one user has reported that
# it is slow. Your mileage may vary.

# This has been tested and works for "pierce firewall" commands and file
# transfers. It does *not* match all the various sorts of chatter that go on,
# such as searches, pings and whatnot.
soulseek
# (Pierce firewall: in theory the token could be 4 bytes, but the last two
# seem to always be zero.|download: Peer Init)
^(\x05..?|.\x01.[ -~]+\x01F..?.?.?.?.?.?.?)$

l7-protocols-2009-05-28/protocols/ncp.pat
# NCP - Novell Core Protocol
# Pattern attributes: good fast fast
# Protocol groups: networking proprietary
# Wiki: http://www.protocolinfo.org/wiki/NCP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested and is believed to work well.

# ncp request
# dmdt means Request
# *any length
#
# *any reply buffer size
# "" means service request
# | \x17\x17 means create a service connection
# | uu means destroy service connection

# ncp reply
# tncp means reply
# 33 means service reply

ncp
^(dmdt.*\x01.*(""|\x11\x11|uu)|tncp.*33)

l7-protocols-2009-05-28/protocols/tsp.pat
# TSP - Berkeley UNIX Time Synchronization Protocol
# Pattern attributes: good veryfast fast overmatch
# Protocol groups: time_synchronization open_source
# Wiki: http://www.protocolinfo.org/wiki/TSP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# http://ftp.svbug.com/ftp/pub/manuals/pdf/smm.22.timed.pdf
# http://docs.freebsd.org/44doc/smm/12.timed/paper.pdf
#
# This pattern is barely tested.

tsp
# type, version (1), sequence number, 8 type specific bytes, machine name
^[\x01-\x13\x16-$]\x01.?.?.?.?.?.?.?.?.?.?[ -~]+

l7-protocols-2009-05-28/protocols/biff.pat
# Biff - new mail notification
# Pattern attributes: good fast fast undermatch overmatch
# Protocol groups: mail
# Wiki: http://www.protocolinfo.org/wiki/Biff
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 512
#
# This pattern is completely untested.
biff
# This is a rare case where we will specify a $ (end of line), since
# this is the entirety of the communication.
# something that looks like a username, an @, a number.
# won't catch usernames that have strange characters in them.
^[a-z][a-z0-9]+@[1-9][0-9]+$

l7-protocols-2009-05-28/protocols/smtp.pat
# SMTP - Simple Mail Transfer Protocol - RFC 2821 (See also RFC 1869)
# Pattern attributes: great notsofast fast
# Protocol groups: mail ietf_internet_standard
# Wiki: http://www.protocolinfo.org/wiki/SMTP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# usually runs on port 25
#
# This pattern has been tested and is believed to work well.

# As usual, no text is required after "220", but all known servers have some
# there. It (almost?) always has string "smtp" in it. The RFC examples
# do not, so we match those too, just in case anyone has copied them
# literally.
#
# Some examples:
# 220 mail.stalker.com ESMTP CommuniGate Pro 4.1.3
# 220 mail.vieodata.com ESMTP Merak 6.1.0; Mon, 15 Sep 2003 13:48:11 -0400
# 220 mail.ut.caldera.com ESMTP
# 220 persephone.pmail.gen.nz ESMTP server ready.
# 220 smtp1.superb.net ESMTP
# 220 mail.kerio.com Kerio MailServer 5.6.7 ESMTP ready
# 220-mail.deerfield.com ESMTP VisNetic.MailServer.v6.0.9.0; Mon, 15 Sep 2003 13:4
# 220 altn.com ESMTP MDaemon 6.8.5; Mon, 15 Sep 2003 12:46:42 -0500
# 220 X1 NT-ESMTP Server ipsmin0165atl2.interland.net (IMail 6.06 73062-3)
# 220 mail.icewarp.com ESMTP Merak 6.1.1; Mon, 15 Sep 2003 19:43:23 +0200
# 220-mail.email-scan.com ESMTP
# 220 smaug.dreamhost.com ESMTP
# 220 kona.carleton.edu -- Server ESMTP (PMDF V6.2#30648)
# 220 letra.reed.edu ESMTP Sendmail 8.12.9/8.12.9; Mon, 15 Sep 2003 10:35:57 -0700 (PDT)
# 220-swan.mail.pas.earthlink.net ESMTP Exim 3.33 #1 Mon, 15 Sep 2003 10:32:15 -0700
#
# RFC examples:
# 220 xyz.com Simple Mail Transfer Service Ready (RFC example)
# 220 dbc.mtview.ca.us SMTP service ready

smtp
^220[\x09-\x0d -~]* (e?smtp|simple mail)
userspace pattern=^220[\x09-\x0d -~]* (E?SMTP|[Ss]imple [Mm]ail)
userspace flags=REG_NOSUB REG_EXTENDED

l7-protocols-2009-05-28/protocols/dazhihui.pat
# Dazhihui - stock analysis and trading; Chinese - http://www.gw.com.cn
# Pattern attributes: fast fast ok
# Protocol groups:
# Wiki: http://www.protocolinfo.org/wiki/Dazhihui
# Copyright (C) 2009 Matthew Strait; See ../LICENSE

# Pattern contributed by liangjun without comment.

dazhihui
^(longaccoun|qsver2auth|\x35[57]\x30|\+\x10\*)

l7-protocols-2009-05-28/protocols/poco.pat
# POCO and PP365 - Chinese P2P filesharing - http://pp365.com http://poco.cn
# Pattern attributes: ok veryfast fast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/Poco
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# The author of this pattern says it works, but this is unconfirmed.
# Written by www.routerclub.com wsgtrsys.
poco
^\x80\x94\x0a\x01....\x1f\x9e

l7-protocols-2009-05-28/protocols/ssl.pat
# SSL and TLS - Secure Socket Layer / Transport Layer Security - RFC 2246
# Pattern attributes: good notsofast fast superset
# Protocol groups: secure ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/SSL
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 443
#
# This is a superset of validcertssl. For it to match, it must be first.
#
# This pattern has been tested and is believed to work well.

ssl
# Server Hello with certificate | Client Hello
# This allows SSL 3.X, which includes TLS 1.0, known internally as SSL 3.1
^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b)

l7-protocols-2009-05-28/protocols/bittorrent.pat
# Bittorrent - P2P filesharing / publishing tool - http://www.bittorrent.com
# Pattern attributes: good slow notsofast undermatch
# Protocol groups: p2p open_source
# Wiki: http://www.protocolinfo.org/wiki/Bittorrent
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested and is believed to work well.
# It will, however, not work on bittorrent streams that are encrypted, since
# it's impossible to match (well) encrypted data.

bittorrent
# Does not attempt to match the HTTP download of the tracker
# 0x13 is the length of "bittorrent protocol"
# Second two bits match UDP weirdness
# Next bit matches something Azureus does
# Ditto on the next bit. Could also match on "user-agent: azureus", but that's in the next
# packet and perhaps this will match multiple clients.
# bitcomet-specific strings contributed by liangjun.

# This is not a valid GNU basic regular expression (but that's ok).
^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]

# This pattern is "fast", but won't catch as much
#^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=)

l7-protocols-2009-05-28/protocols/zmaap.pat
# ZMAAP - Zeroconf Multicast Address Allocation Protocol
# Pattern attributes: ok veryfast fast
# Protocol groups: networking ietf_draft_standard
# Wiki: http://www.protocolinfo.org/wiki/ZMAAP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# http://files.zeroconf.org/draft-ietf-zeroconf-zmaap-02.txt
# (Note that this reference is an Internet-Draft, and therefore must
# be considered a work in progress.)
#
# This pattern is untested!

zmaap
# - 4 byte magic number.
# - 1 byte version. Allow 1 & 2, even though only version 1 currently exists.
# - 1 byte message type, which is either 0 or 1
# - 1 byte address family. L7-filter only works in IPv4, so this is 1.
^\x1b\xd7\x3b\x48[\x01\x02]\x01?\x01

l7-protocols-2009-05-28/protocols/irc.pat
# IRC - Internet Relay Chat - RFC 1459
# Pattern attributes: great fast fast
# Protocol groups: chat ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/IRC
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 6666 or 6667
# Note that chat traffic runs on these ports, but IRC-DCC traffic (which
# can use much more bandwidth) uses a dynamically assigned port, so you
# must have the IRC connection tracking module in your kernel to classify
# this.
#
# This pattern has been tested and is believed to work well.

irc
# First thing that happens is that the client sends NICK and USER, in
# either order. This allows MIRC color codes (\x02-\x0d instead of
# \x09-\x0d).
^(nick[\x09-\x0d -~]*user[\x09-\x0d -~]*:|user[\x09-\x0d -~]*:[\x02-\x0d -~]*nick[\x09-\x0d -~]*\x0d\x0a)

l7-protocols-2009-05-28/protocols/imap.pat
# IMAP - Internet Message Access Protocol (A common e-mail protocol)
# Pattern attributes: great fast fast
# Protocol groups: mail ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/IMAP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This matches IMAP4 (RFC 3501) and probably IMAP2 (RFC 1176)
#
# This pattern has been tested and is believed to work well.
#
# This matches the IMAP welcome message or a noop command (which for
# some unknown reason can happen at the start of a connection?)

imap
^(\* ok|a[0-9]+ noop)

l7-protocols-2009-05-28/protocols/directconnect.pat
# Direct Connect - P2P filesharing - http://www.neo-modus.com
# Pattern attributes: good fast fast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/Direct_Connect
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Direct Connect "hubs" listen on port 411

# http://www.dcpp.net/wiki/

# I've verified that this pattern can be used to limit direct connect
# bandwidth using DC:PRO 0.2.3.149R11.

directconnect
# client-to-client handshake|client-to-hub login, hub speaking|client-to-hub login, client speaking
^(\$mynick |\$lock |\$key )

l7-protocols-2009-05-28/protocols/http.pat
# HTTP - HyperText Transfer Protocol - RFC 2616
# Pattern attributes: great slow notsofast superset
# Protocol groups: document_retrieval ietf_draft_standard
# Wiki: http://protocolinfo.org/wiki/HTTP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 80
#
# This pattern has been tested and is believed to work well.
#
# this intentionally catches the response from the server rather than
# the request so that other protocols which use http (like kazaa) can be
# caught based on specific http requests regardless of the ordering of
# filters... also matches posts

# Sites that serve really long cookies may break this by pushing the
# server response too far away from the beginning of the connection. To
# fix this, increase the kernel's data buffer length.

http
# Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF (rfc 2616)
# As specified in rfc 2616 a status code is preceded and followed by a
# space.
http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019]

# A slightly faster version that might be good enough:
#http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]|post [\x09-\x0d -~]* http/[01]\.[019]

# old pattern(s):
#(http[\x09-\x0d -~]*(200 ok|302 |304 )[\x09-\x0d -~]*(connection:|content-type:|content-length:))|^(post [\x09-\x0d -~]* http/)

l7-protocols-2009-05-28/protocols/citrix.pat
# Citrix ICA - proprietary remote desktop application - http://citrix.com
# Pattern attributes: marginal notsofast notsofast
# Protocol groups: remote_access proprietary
# Wiki: http://www.protocolinfo.org/wiki/Citrix
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is UNTESTED.

# This is based on decode_citrix in dsniff 2.4.

citrix
\x32\x26\x85\x92\x58

l7-protocols-2009-05-28/protocols/openft.pat
# OpenFT - P2P filesharing (implemented in giFT library)
# Pattern attributes: good notsofast notsofast
# Protocol groups: p2p open_source
# Wiki: http://www.protocolinfo.org/wiki/OpenFT
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

# Ben Efros says:
# "This pattern identifies openFT P2P transfers fine.
# openFT is part of giFT
# and is a pretty large p2p network. I would describe this pattern as pretty
# weak, but it works for the giFT-based clients I've used."

openft
x-openftalias: [-)(0-9a-z ~.]

l7-protocols-2009-05-28/protocols/dayofdefeat-source.pat
# Day of Defeat: Source - game (Half-Life 2 mod) - http://www.valvesoftware.com
# Pattern attributes: good veryfast fast
# Protocol groups: game proprietary
# Wiki: http://www.protocolinfo.org/wiki/Day_of_Defeat:Source
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# By Clayton Macleod

dayofdefeat-source
^\xff\xff\xff\xff.*dodDay of Defeat

l7-protocols-2009-05-28/protocols/snmp.pat
# SNMP - Simple Network Management Protocol - RFC 1157
# Pattern attributes: good veryfast fast superset
# Protocol groups: networking ietf_internet_standard
# Wiki: http://www.protocolinfo.org/wiki/SNMP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on UDP ports 161 (monitoring) and 162 (traps).
#
# These filters match SNMPv1 packets without fail, and are made as
# specific as possible not to match any ASN.1 encoded protocols. However
# these could still be matched by other protocols that use ASN.1 encoding

# Contributed by Goli SriSairam

# This pattern has been tested and is believed to work well.

# All SNMPv1 traffic. See snmp-mon.pat and snmp-trap.pat for details.

snmp
^\x02\x01\x04.+([\xa0-\xa3]\x02[\x01-\x04].?.?.?.?\x02\x01.?\x02\x01.?\x30|\xa4\x06.+\x40\x04.?.?.?.?\x02\x01.?\x02\x01.?\x43)

l7-protocols-2009-05-28/protocols/sip.pat
# SIP - Session Initiation Protocol - Internet telephony - RFC 3261, 3265, etc.
# Pattern attributes: good fast fast
# Protocol groups: voip ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/SIP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested with the Ubiquity SIP user agent and has been
# confirmed by at least one other user.
#
# Thanks to Ankit Desai for this pattern. Updated by tehseen sagar.
#
# SIP typically uses port 5060.
#
# This pattern is based on SIP request format as per RFC 3261. I'm not
# sure about the version part. The RFC doesn't say anything about it, so
# I have allowed version ranging from 0.x to 2.x.

#Request-Line = Method SP Request-URI SP SIP-Version CRLF
sip
^(invite|register|cancel|message|subscribe|notify) sip[\x09-\x0d -~]*sip/[0-2]\.[0-9]

l7-protocols-2009-05-28/protocols/mute.pat
# MUTE - P2P filesharing - http://mute-net.sourceforge.net
# Pattern attributes: marginal fast fast
# Protocol groups: p2p open_source
# Wiki: http://www.protocolinfo.org/wiki/MUTE
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is lightly tested. I don't know for sure that it will
# match the actual file transfers.

mute
^(Public|AES)Key: [0-9a-f]*\x0aEnd(Public|AES)Key\x0a$

l7-protocols-2009-05-28/protocols/runesofmagic.pat
# Runes of Magic - game - http://www.runesofmagic.com
# Pattern attributes: ok veryfast fast
# Protocol groups: game proprietary
# Wiki: http://www.protocolinfo.org/wiki/Runes_of_Magic
# Copyright (C) 2008 Matthew Strait; See ../LICENSE

runesofmagic
^\x10\x03...........\x0a\x02.....\x0e

# See below (this is also veryfast fast)
#^\x10\x03...........?\x0a\x02.....?$

# Greatwolf captured the following:
#
# Server:
#
# 10 00 00 00 03 78 76 7a 1e 8a dd b5 95 a3 3a de .....xvz ......:.
# 0a 00 00 00 02 df 85 cc cc cc ........ ..
#
# Client reply:
#
# 0e 00 00 00 02 28 82 cc cc cc 8b c9 cc cc .....(.. ......
#
# Server:
#
# 2e 00 00 00 02 1e 7f f4 f4 f4 ef f4 f4 f4 b3 8c ........ ........
# [...]
#
# And says: "Bytes 10 00 00 00 03, 0a 00 00 00 02 and 0e (client reply)
# were consistently present.
#
# ^\x10\x03...........\x0a\x02.....\x0e
#
# Pattern was able to match during the closed beta period. It is still
# matching okay after RoM started open beta but could definitely use
# more testing from others to verify effectiveness."
#
# Matthew Strait says:
#
# * If the server consistently sends those four bytes in the first packet,
# it is probably wasteful to wait for the next (client) packet before
# matching.
#
# * If we switch the match strategy to just looking at the first packet, and
# the first packet is always the same (or nearly the same) length, we can
# anchor (i.e. use a '$') at the end of the packet.
#
# * When there's a string of bytes that I don't understand and that take
# different values from connection to connection, I think it's good to allow
# for the possibility that at least one might be \x00, and so I'd make one
# of the "." into ".?", unless you *know* that \x00 is impossible somehow.
#
# * All of those \xcc bytes don't look random to me. Your comments suggest
# that it isn't always exactly like that, but is there always a pattern of
# repeated bytes or something else that might be useful? It probably isn't
# necessary to exploit this, since it looks like there's already enough to
# go with, but it would be nice to understand.
#
# So perhaps it would be an improvement to use:
#
# ^\x10\x03...........?\x0a\x02.....?$
#
# but this depends on the assumptions I made above.
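The trade-off discussed in the runesofmagic.pat comments above, worked through on the quoted capture. This is an added example, not part of the l7-protocols distribution. It assumes NUL bytes are dropped from the payload before matching (which is what lets `\x10\x03` line up with the captured `10 00 00 00 03`) and that the pattern is retried on the accumulated data after each packet; Python's `re` stands in for l7-filter's regex engine, and the function names are hypothetical.

```python
import re

# First two packets of one connection, copied from the capture quoted in
# runesofmagic.pat (server packet, then client reply).
SERVER_HELLO = bytes.fromhex(
    "10 00 00 00 03 78 76 7a 1e 8a dd b5 95 a3 3a de "
    "0a 00 00 00 02 df 85 cc cc cc"
)
CLIENT_REPLY = bytes.fromhex("0e 00 00 00 02 28 82 cc cc cc 8b c9 cc cc")

# Constructed variant (not from the capture): one of the "unknown" bytes
# happens to be 0x00, the case the ".?" suggestion is meant to cover.
SERVER_HELLO_WITH_NUL = SERVER_HELLO.replace(b"\xde", b"\x00")

# The shipped pattern (11 and 5 wildcard bytes) and the proposed
# first-packet-only pattern, built by count so the widths are explicit.
SHIPPED = rb"^\x10\x03" + rb"." * 11 + rb"\x0a\x02" + rb"." * 5 + rb"\x0e"
PROPOSED = (rb"^\x10\x03" + rb"." * 10 + rb".?" +
            rb"\x0a\x02" + rb"." * 4 + rb".?" + rb"$")


def compile_l7(pattern: bytes) -> "re.Pattern[bytes]":
    """Compile a pattern with semantics close to what the .pat files expect.

    DOTALL lets '.' match 0x0a, and a trailing '$' becomes a strict
    end-of-buffer anchor (Python's '$' would also accept a final newline).
    """
    if pattern.endswith(b"$") and not pattern.endswith(b"\\$"):
        pattern = pattern[:-1] + rb"\Z"
    return re.compile(pattern, re.DOTALL)


def strip_nuls(payload: bytes) -> bytes:
    """Assumed preprocessing step: drop every 0x00 byte from the payload."""
    return payload.replace(b"\x00", b"")


def first_matching_packet(pattern: bytes, packets):
    """Return the 1-based index of the packet after which the accumulated,
    NUL-stripped stream first matches, or None if it never does."""
    rx = compile_l7(pattern)
    stream = b""
    for number, payload in enumerate(packets, start=1):
        stream += strip_nuls(payload)
        if rx.search(stream):
            return number
    return None


if __name__ == "__main__":
    cases = {
        "captured": [SERVER_HELLO, CLIENT_REPLY],
        "one unknown byte is 0x00": [SERVER_HELLO_WITH_NUL, CLIENT_REPLY],
    }
    for label, packets in cases.items():
        for name, pat in (("shipped", SHIPPED), ("proposed", PROPOSED)):
            print(f"{label:26} {name:9} ->",
                  first_matching_packet(pat, packets))
```

On the captured bytes the shipped pattern cannot classify the connection until the client's `0e` arrives, while the proposed one decides on the server's first packet; on the constructed variant the fixed-width pattern never matches because stripping the NUL shortens the wildcard run.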
l7-protocols-2009-05-28/protocols/ssdp.pat
# SSDP - Simple Service Discovery Protocol - easy discovery of network devices
# Pattern attributes: good slow notsofast
# Protocol groups: networking ietf_draft_standard
# Wiki: http://www.protocolinfo.org/wiki/SSDP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

# This pattern was tested only by listening to a Linksys WRT54G. However,
# I expect it works in general given the simplicity of the protocol.

# SSDP packets should _always_ be sent to the multicast address
# 239.255.255.250, making this pattern irrelevant. (Moreover, SSDP
# packets should be restricted to local networks that have plenty of
# bandwidth.) However, Microsoft, as usual, has other ideas, so maybe
# it could be useful. Can't hurt, anyway. :-)
#
# http://www.upnp.org/download/draft_cai_ssdp_v1_03.txt
# http://msdn.microsoft.com/library/default.asp?url=/library/en-us/randz/protocol/ssdp.asp

ssdp
^notify[\x09-\x0d ]\*[\x09-\x0d ]http/1\.1[\x09-\x0d -~]*ssdp:(alive|byebye)|^m-search[\x09-\x0d ]\*[\x09-\x0d ]http/1\.1[\x09-\x0d -~]*ssdp:discover

l7-protocols-2009-05-28/protocols/msnmessenger.pat
# MSN Messenger - Microsoft Network chat client
# Pattern attributes: good slow notsofast
# Protocol groups: chat proprietary
# Wiki: http://www.protocolinfo.org/wiki/MSN_Messenger
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually uses TCP port 1863
# http://www.hypothetic.org/docs/msn/index.php
# http://msnpiki.msnfanatic.com/
#
# This pattern has been tested and is believed to work well.

msnmessenger
# First branch: login
# ver: allow versions up to 99.
# I've never seen a cvr other than cvr0. Maybe this will be trouble later?
# Can't anchor at the beginning because sometimes this is encapsulated in
# HTTP. But either way, the first packet ends like this.
# Second/Third branches: accepting/sending a message
# I will assume that these can also be encapsulated in HTTP, although I have
# not checked. Example of each direction:
# ANS 1 quadong@hotmail.com 1139803431.29427 17522047
# USR 1 quadong@hotmail.com 530423708.968145.366138
# Branches are written entirely separately for better performance.
ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]*cvr0\x0d\x0a$|usr 1 [!-~]+ [0-9. ]+\x0d\x0a$|ans 1 [!-~]+ [0-9. ]+\x0d\x0a$

l7-protocols-2009-05-28/protocols/qq.pat
# Tencent QQ Protocol - Chinese instant messenger protocol - http://www.qq.com
# Pattern attributes: good notsofast fast
# Protocol groups: chat
# Wiki: http://www.protocolinfo.org/wiki/QQ
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Over six million people use QQ in China, according to wsgtrsys.
#
# This pattern has been tested and is believed to work well.
#
# QQ uses three (two?) methods to connect to server(s?).
# one is udp, and another is tcp
# udp protocol: the first byte is 02 and last byte is 03
# tcp protocol: the second byte is 02 and last byte is 03
# tony on protocolinfo.org says that now the *third* byte is 02:
# "but when I tested on my PC, I found that when qq2007/qq2008
# use tcp protocol, the third byte instead of the second is always 02.
#
# So the QQ protocol changed again, or I have made a mistake, I wonder
# that."
# So now the pattern allows any of the first three bytes to be 02. Delete
# one of the ".?" to restore to the old behaviour.
# pattern written by www.routerclub.com wsgtrsys

qq
^.?.?\x02.+\x03$

l7-protocols-2009-05-28/protocols/lpd.pat
# LPD - Line Printer Daemon Protocol (old-style UNIX printing) - RFC 1179
# Pattern attributes: ok fast fast
# Protocol groups: printer ietf_rfc_documented
# Wiki: http://www.protocolinfo.org/wiki/LPD
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is untested.

lpd
# print waiting jobs: ^\x01[!-~]+\x0a$
# receive a print job: ^\x02[!-~]+\x0a.[\x01\x02\x03][\x01-\x0a -~]*\x0a$
# Send queue state: ^[\x03\x04][!-~]+[\x09-\x0d]+[a-z][\x09-\x0d -~]*\x0a$
# Remove jobs: ^\x05[!-~]+[\x09-\x0d]+([a-z][!-~]*[\x09-\x0d]+[1-9][0-9]?[0-9]?|root[\x09-\x0d]+[!-~]+).*\x0a$
# This pattern looks like it might match random data once in a while, but
# testing shows that this is not the case.
^(\x01[!-~]+|\x02[!-~]+\x0a.[\x01\x02\x03][\x01-\x0a -~]*|[\x03\x04][!-~]+[\x09-\x0d]+[a-z][\x09-\x0d -~]*|\x05[!-~]+[\x09-\x0d]+([a-z][!-~]*[\x09-\x0d]+[1-9][0-9]?[0-9]?|root[\x09-\x0d]+[!-~]+).*)\x0a$

l7-protocols-2009-05-28/protocols/aimwebcontent.pat
# AIM web content - ads/news content downloaded by AOL Instant Messenger
# Pattern attributes: good notsofast notsofast
# Protocol groups: chat document_retrieval proprietary
# Wiki: http://www.protocolinfo.org/wiki/AIM
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been tested and is believed to work well.
aimwebcontent
user-agent:aim/

l7-protocols-2009-05-28/protocols/ssh.pat
# SSH - Secure SHell
# Pattern attributes: great veryfast fast
# Protocol groups: remote_access secure ietf_draft_standard
# Wiki: http://www.protocolinfo.org/wiki/SSH
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# usually runs on port 22
#
# http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-22.txt
#
# This pattern has been tested and is believed to work well.

ssh
^ssh-[12]\.[0-9]

# old pattern:
# (diffie-hellman-group-exchange-sha1|diffie-hellman-group1-sha1.ssh-rsa|ssh-dssfaes128-cbc|3des-cbc|blowfish-cbc|cast128-cbc|arcfour|aes192-cbc|aes256-cbc|rijndael-cbc@lysator.liu.sefaes128-cbc|3des-cbc|blowfish-cbc|cast128-cbc|arcfour|aes192-cbc|aes256-cbc|rijndael-cbc@lysator.liu.seuhmac-md5|hmac-sha1|hmac-ripemd160)+

l7-protocols-2009-05-28/protocols/soribada.pat
# Soribada - A Korean P2P filesharing program/protocol - http://www.soribada.com
# Pattern attributes: good slow notsofast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/Soribada
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

# I am told that there are three versions of this protocol, the first no
# longer being used. That would probably explain why incoming searches
# have two different formats...

# There are three parts to Soribada protocol:
# 1: Ping/Pong to establish a relationship on the net (UDP with 2 useful bytes)
# 2: Searching (in two formats) (UDP with two short easy to match starts)
# 3: Download requests/transfers (TCP with an obvious first packet)

# 1 -- Pings/Pongs:
# Requester sends 2 bytes and a 6 byte response is sent back.
# \x10 for the first byte and \x14-\x16 for the second.
# The response is the first byte (\x10) and the second byte incremented
# by 1 (\x15-\x17).
# No further communication happens between the hosts except for searches.
# A regex match: ^\x10[\x14-\x16]\x10[\x15-\x17].?.?.?.?$
# First Packet ---^^^^^^^^^^^^^^^
# Second Packet -----------------^^^^^^^^^^^^^^^^^^^^^^^
# 2 -- Search requests:
# All searches are totally stateless and are only responded to if the user
# actually has the file.
# Both formats start with a \x01 byte, have 3 "random bytes" and then 3 bytes
# corresponding to one of two formats.
# Format 1 is \x51\x3a\+ and format 2 is \x51\x32\x3a
# A regex match: ^\x01.?.?.?(\x51\x3a\+|\x51\x32\x3a)
# 3 -- Download requests:
# All downloads start with "GETMP3\x0d\x0aFilename"
# A regex match: ^GETMP3\x0d\x0aFilename

soribada
# This will match the second packet of two.
# ^\x10[\x14-\x16]\x10[\x15-\x17].?.?.?.?$
# Again, matching this is the end of the communication.
# ^\x01.?.?.?(\x51\x3a\+|\x51\x32\x3a)
# This is the start of the transfer and an easy match
#^GETMP3\x0d\x0aFilename
# This will match everything including the udp packet portions
^GETMP3\x0d\x0aFilename|^\x01.?.?.?(\x51\x3a\+|\x51\x32\x3a)|^\x10[\x14-\x16]\x10[\x15-\x17].?.?.?.?$

l7-protocols-2009-05-28/protocols/rlogin.pat
# rlogin - remote login - RFC 1282
# Pattern attributes: ok fast fast
# Protocol groups: remote_access ietf_rfc_documented
# Wiki: http://www.protocolinfo.org/wiki/Rlogin
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# usually runs on port 443
#
# This pattern is untested.

rlogin
# At least three characters (user name, user name, terminal type),
# the first of which could be the first character of a user name, a
# slash, then a terminal speed. (Assumes that usernames and terminal
# types are alphanumeric only. I'm sure there are usernames like
# "straitm-47" out there, but it's not common.) All terminal speeds
# I know of end in two zeros and are between 3 and 6 digits long.
# This pattern is uncomfortably general.
^[a-z][a-z0-9][a-z0-9]+/[1-9][0-9]?[0-9]?[0-9]?00

l7-protocols-2009-05-28/protocols/radmin.pat
# Famatech Remote Administrator - remote desktop for MS Windows
# Pattern attributes: ok veryfast fast
# Protocol groups: remote_access proprietary
# Wiki: http://www.protocolinfo.org/wiki/Radmin
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern has been verified with Radmin v1.1 and v3.0beta on Win2000/XP
# It has only been tested between a single pair of computers.
# The first packet of every TCP stream appears to be either one of:
#
# 01 00 00 00 01 00 00 00 08 08
# 01 00 00 00 01 00 00 00 1b 1b

radmin
^\x01\x01(\x08\x08|\x1b\x1b)$

l7-protocols-2009-05-28/protocols/bgp.pat
# BGP - Border Gateway Protocol - RFC 1771
# Pattern attributes: ok veryfast fast
# Protocol groups: networking ietf_draft_standard
# Wiki: http://www.protocolinfo.org/wiki/BGP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is UNTESTED.

bgp
# "After a transport protocol connection is established, the first
# message sent by each side is an OPEN message."
# "If the Type of the message is OPEN, or if the Authentication Code used
# in the OPEN message of the connection is zero, then the Marker must be
# all ones."
# Then the 2 byte length field, then the 1 byte type field (1 = OPEN).
# Then the BGP version: 3 was RFC'd in 1991, 4 was RFC'd in 1995.
# Could keep going, but that should be sufficient.
^\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff..?\x01[\x03\x04]

l7-protocols-2009-05-28/protocols/rtsp.pat
# RTSP - Real Time Streaming Protocol - http://www.rtsp.org - RFC 2326
# Pattern attributes: good notsofast notsofast
# Protocol groups: streaming_video ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/RTSP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# usually runs on port 554
#
# To take full advantage of this pattern, please see the RTSP connection
# tracking patch to the Linux kernel referenced at the above site.
#
# This pattern has been tested and is believed to work well.

rtsp
rtsp/1.0 200 ok

l7-protocols-2009-05-28/protocols/battlefield1942.pat
# Battlefield 1942 - An EA game
# Pattern attributes: ok veryfast fast
# Protocol groups: game proprietary
# Wiki: http://www.protocolinfo.org/wiki/Battlefield_1942
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Contributed by Myles Uyema
#
# This pattern has only been tested by one person.
# tested on two original EA battlefield 1942 servers
# matches the first two packets of joining a server

battlefield1942
^\x01\x11\x10\|\xf8\x02\x10\x40\x06

l7-protocols-2009-05-28/protocols/fasttrack.pat
# FastTrack - P2P filesharing (Kazaa, Morpheus, iMesh, Grokster, etc)
# Pattern attributes: good slow notsofast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/Fasttrack
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Tested with Kazaa Lite Resurrection 0.0.7.6F
#
# This appears to match the download connections well, but not the search
# connections (I think they are encrypted :-( ).
fasttrack
# while this is a valid http request, this will be caught because
# the http pattern matches the response (and therefore the next packet)
# Even so, it's best to put this match earlier in the chain.
# http://cvs.berlios.de/cgi-bin/viewcvs.cgi/gift-fasttrack/giFT-FastTrack/PROTOCOL?rev=HEAD&content-type=text/vnd.viewcvs-markup
# This pattern is kinda slow, but not too bad.
^get (/.download/[ -~]*|/.supernode[ -~]|/.status[ -~]|/.network[ -~]*|/.files|/.hash=[0-9a-f]*/[ -~]*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?
# This isn't much faster:
#^get (/.download/.*|/.supernode.|/.status.|/.network.*|/.files|/.hash=[0-9a-f]*/.*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?

l7-protocols-2009-05-28/protocols/hotline.pat
# Hotline - An old P2P filesharing protocol
# Pattern attributes: marginal fast fast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/Hotline
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern is untested!
#
# This is lifted from http://oofle.com/filesharing.php?app=hotline

hotline
^....................TRTPHOTL\x01\x02

l7-protocols-2009-05-28/protocols/nntp.pat
# NNTP - Network News Transfer Protocol - RFCs 977 and 2980
# Pattern attributes: good fast fast
# Protocol groups: ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/NNTP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# usually runs on port 119
# This pattern is tested and is believed to work well (but could use
# more testing).
nntp
# matches authorized login
# OR
# matches unauthorized login if the server says "news" after 200/201
# (Half of the 2 servers I tested did :-), but they both required authorization
# so it's quite possible that this pattern will miss some nntp traffic.)
^(20[01][\x09-\x0d -~]*AUTHINFO USER|20[01][\x09-\x0d -~]*news)
# same thing, slightly more accurate, but 100+ times slower
#^20[01][\x09-\x0d -~]*\x0d\x0a[\x09-\x0d -~]*AUTHINFO USER|20[01][\x09-\x0d -~]*news

l7-protocols-2009-05-28/protocols/kugoo.pat
# KuGoo - a Chinese P2P program - http://www.kugoo.com
# Pattern attributes: ok fast fast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/KuGoo
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

kugoo
# liangjun says: "i find old pattern is not working for kugoo 2008. so i
# write a new pattern of kugoo 2008 ,it's working with all of kugoo 2008
# version!"
^(\x64.....\x70....\x50\x37|\x65.+)
# Pattern before 2008 11 08
#
# The author of this pattern says it works, but this is unconfirmed.
# Written by www.routerclub.com wsgtrsys.
#
# LanTian submitted \x64.+\x74\x47\x50\x37 for "KuGoo2", but adding as
# another branch makes the pattern REALLY slow. If it could have a ^, that'd
# be ok (still veryfast/fast). Waiting to hear.
#^(\x31..\x8e|\x64.+\x74\x47\x50\x37)

l7-protocols-2009-05-28/protocols/socks.pat
# SOCKS Version 5 - Firewall traversal protocol - RFC 1928
# Pattern attributes: good notsofast notsofast
# Protocol groups: networking ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/SOCKS
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 1080
# Also useful: http://www.iana.org/assignments/socks-methods
#
# We have had two reports that this pattern works.
# method request, no private methods \x05[\x01-\x08]*
# method reply, assumes success \x05[\x01-\x08]?
# method dependent sub-negotiation .*
# request, ipv4 only \x05[\x01-\x03][\x01\x03].*
# reply \x05[\x01-\x08]?[\x01\x03].*
# username/password method
# u/p request, assuming reasonable usernames and passwords
# \x05[\x02-\x10][a-z][a-z0-9\-]*[\x05-\x20][!-~]*
# server reply
# \x05
# GSSAPI method
# client initial token \x01\x01\x02.*
# server reply \x01\x01\x02.*
# any other method .* (all methods boil down to this until we have information
# about all the commonly used ones)

socks
\x05[\x01-\x08]*\x05[\x01-\x08]?.*\x05[\x01-\x03][\x01\x03].*\x05[\x01-\x08]?[\x01\x03]

l7-protocols-2009-05-28/protocols/rdp.pat
# RDP - Remote Desktop Protocol (used in Windows Terminal Services)
# Pattern attributes: ok notsofast notsofast
# Protocol groups: remote_access proprietary
# Wiki: http://www.protocolinfo.org/wiki/RDP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern was submitted by Michael Leong. It has been tested under the
# following conditions: "WinXP Pro with all the patches, rdesktop server
# running on port 7000 instead of 3389 --> WinXP Pro Remote Desktop Client."
# Also tested is WinXP to Win 2000 Server.
# At least one other person has reported it to work as well.

rdp
rdpdr.*cliprdr.*rdpsnd
# Old pattern, submitted by Daniel Weatherford.
# rdpdr.*cliprdp.*rdpsnd

l7-protocols-2009-05-28/protocols/validcertssl.pat
# Valid certificate SSL
# Pattern attributes: good slow notsofast subset
# Protocol groups: secure ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/SSL
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# This matches anything claiming to use a valid certificate from a well
# known certificate authority.
#
# This is a subset of ssl, so it needs to come first to match.
#
# Note that opening a website that has a valid certificate will
# open one connection that matches this and many ssl connections that
# only match the ssl pattern. Thus, this pattern may not be very useful.
#
# This pattern is believed to match only the above, but may not match all
# of it.
#
# the certificate authority info is sent in quasi plain text, if it matches
# a well known certificate authority then we will assume it is a
# web/imaps/etc server. Other ssl may be good too, but it should fall under
# a different rule

validcertssl
^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b).*(thawte|equifax secure|rsa data security, inc|verisign, inc|gte cybertrust root|entrust\.net limited)

l7-protocols-2009-05-28/protocols/ciscovpn.pat
# Cisco VPN - VPN client software to a Cisco VPN server
# Pattern attributes: ok veryfast fast
# Protocol groups: remote_access proprietary
# Wiki: http://www.protocolinfo.org/wiki/Cisco_VPN
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern contributed by Myles Uyema

ciscovpn
^\x01\xf4\x01\xf4

l7-protocols-2009-05-28/protocols/unknown.pat
# Unknown - Dummy pattern for old unmatched connections.

unknown
# This pattern is ignored by the kernel. It sees that the "protocol" is
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# "unknown" and always returns unmatched for connections that are still
# being tested.
.

l7-protocols-2009-05-28/protocols/pplive.pat
# PPLive - Chinese P2P streaming video - http://pplive.com
# Pattern attributes: ok notsofast notsofast
# Protocol groups: p2p streaming_video proprietary
# Wiki: http://www.protocolinfo.org/wiki/PPLive
# Copyright (C) 2008 Matthew Strait; See ../LICENSE
# By liangjun, who says that it works. It may be easily improvable with
# a bit more testing.

pplive
\x01...\xd3.+\x0c.$

l7-protocols-2009-05-28/protocols/aim.pat
# AIM - AOL instant messenger (OSCAR and TOC)
# Pattern attributes: good slow notsofast
# Protocol groups: chat proprietary
# Wiki: http://www.protocolinfo.org/wiki/AIM
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 5190
#
# This may also match ICQ traffic.
#
# This pattern has been tested and is believed to work well.

aim
# See http://gridley.res.carleton.edu/~straitm/final (and various other places)
# The first bit matches OSCAR signon and data commands, but not sure what
# \x03\x0b matches, but it works apparently.
# The next three bits match various parts of the TOC signon process.
# The third one is the magic number "*", then 0x01 for "signon", then up to four
# bytes ("up to" because l7-filter strips out nulls) which contain a sequence
# number (2 bytes) the data length (2 more) and 3 nulls (which don't count),
# then 0x01 for the version number (not sure if there ever has been another
# version)
# The fourth one is a command string, followed by some stuff, then the
# beginning of the "roasted" password
# This pattern is too slow!
^(\*[\x01\x02].*\x03\x0b|\*\x01.?.?.?.?\x01)|flapon|toc_signon.*0x

l7-protocols-2009-05-28/protocols/ftp.pat
# FTP - File Transfer Protocol - RFC 959
# Pattern attributes: great notsofast fast
# Protocol groups: document_retrieval ietf_internet_standard
# Wiki: http://protocolinfo.org/wiki/FTP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 21. Note that the data stream is on a dynamically
# assigned port, which means that you will need the FTP connection
# tracking module in your kernel to usefully match FTP data transfers.
#
# This pattern is well tested.
#
# Handles the first two things a server should say:
#
# First, the server says it's ready by sending "220". Most servers say
# something after 220, even though they don't have to, and it usually
# includes the string "ftp" (l7-filter is case insensitive). This
# includes proftpd, vsftpd, wuftpd, warftpd, pureftpd, Bulletproof FTP
# Server, and whatever ftp.microsoft.com uses. Almost all servers use only
# ASCII printable characters between the "220" and the "FTP", but non-English
# ones might use others.
#
# The next thing the server sends is a 331. All the above servers also
# send something including "password" after this code. By default, we
# do not match on this because it takes another packet and is more work
# for regexec.

ftp
# by default, we allow only ASCII
^220[\x09-\x0d -~]*ftp
# This covers UTF-8 as well
#^220[\x09-\x0d -~\x80-\xfd]*ftp
# This allows any characters and is about 4x faster than either of the above
# (which are about the same as each other)
#^220.*ftp
# This is much slower
#^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*password
# This pattern is more precise, but takes longer to match. (3 packets vs. 1)
#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a331
# same as above, but slightly less precise and only takes 2 packets.
#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a

l7-protocols-2009-05-28/protocols/dhcp.pat
# DHCP - Dynamic Host Configuration Protocol - RFC 1541
# Pattern attributes: good veryfast fast
# Protocol groups: networking ietf_draft_standard
# Wiki: http://www.protocolinfo.org/wiki/DHCP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on ports 67 (server) and 68 (client)
#
# Also matches BOOTP (Bootstrap Protocol (RFC 951)) in the case that
# the "vendor specific options" are used (these options were made standard
# for DHCP).
#
# This pattern is lightly tested.

dhcp
^[\x01\x02][\x01- ]\x06.*c\x82sc
# Let's break that down:
#
# (\x01|\x02) is for BOOTREQUEST or BOOTREPLY
# Is there a demand for doing these separately? The Packeteer does.
#
# [\x01-\x20] is for any of the hardware address types listed at
# (http://www.iana.org/assignments/arp-parameters) and hopefully faster
# ethernets too (100, 1000 and 10000mb) as well (do they share the 10mb
# number?).
#
# \x06 for "hardware address length = 6 bytes". Does anyone use other lengths
# these days? If so, this pattern won't match it as it stands.
#
# .* covers the hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
# chaddr, sname and file fields. While this can't really be "any number
# of characters" long, it doesn't seem worth it to count.
# Can we make this more specific by restricting the number of hops or seconds?
#
# 0x63825363 is the "magic cookie" which begins the DHCP options field.
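The radmin, aim, ftp and dhcp patterns above only line up with real packets once the preprocessing mentioned in the aim.pat and ftp.pat comments (nulls stripped, matching case insensitive) is taken into account. The following is an added example, not part of the l7-protocols distribution: it models that preprocessing in Python and runs the four patterns against constructed first packets, raw and normalized. The function names, the sample payloads and the use of Python's `re` in place of l7-filter's regex library are assumptions; the AIM sample follows the field layout described in the aim.pat comment.

```python
import re
import struct


def l7_normalize(payload: bytes) -> bytes:
    """Model of the preprocessing noted in aim.pat and ftp.pat:
    NUL bytes are dropped and ASCII letters are lowercased."""
    return bytes(b for b in payload if b != 0).lower()


# Patterns copied verbatim from the .pat files above.
PATTERNS = {
    "radmin": rb"^\x01\x01(\x08\x08|\x1b\x1b)$",
    "dhcp": rb"^[\x01\x02][\x01- ]\x06.*c\x82sc",
    "ftp": rb"^220[\x09-\x0d -~]*ftp",
    "aim": rb"^(\*[\x01\x02].*\x03\x0b|\*\x01.?.?.?.?\x01)|flapon|toc_signon.*0x",
}

# DOTALL so that "." also matches 0x0a; the data is a byte stream, not text lines.
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in PATTERNS.items()}


def matches(name: str, payload: bytes, normalize: bool = True) -> bool:
    """Unanchored search, as regexec does, on raw or normalized data."""
    data = l7_normalize(payload) if normalize else payload
    return COMPILED[name].search(data) is not None


def build_dhcp_discover(xid: int = 0x3903F326,
                        mac: bytes = bytes.fromhex("02005e102030")) -> bytes:
    """Constructed BOOTREQUEST: op, htype, hlen, hops, xid, secs, flags,
    ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file, cookie, options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, xid, 0, 0,
                         b"", b"", b"", b"", mac, b"", b"")
    magic_cookie = bytes.fromhex("63825363")   # "c", 0x82, "S", "c"
    options = bytes.fromhex("350101ff")        # message type = DISCOVER, end
    return header + magic_cookie + options


# Constructed sample payloads (not captured traffic).
RADMIN_FIRST_PACKET = bytes.fromhex("01000000010000000808")  # bytes listed in radmin.pat
DHCP_DISCOVER = build_dhcp_discover()
FTP_BANNER = b"220 ProFTPD Server ready.\r\n"
# "*", 0x01, sequence number, data length, three nulls, version 0x01
AIM_TOC_SIGNON = b"*\x01" + struct.pack("!HH", 0x1234, 8) + b"\x00\x00\x00\x01"

SAMPLES = {
    "radmin": RADMIN_FIRST_PACKET,
    "dhcp": DHCP_DISCOVER,
    "ftp": FTP_BANNER,
    "aim": AIM_TOC_SIGNON,
}


def compare() -> dict:
    """Return {protocol: (matches_raw, matches_normalized)} for each sample."""
    return {name: (matches(name, data, normalize=False), matches(name, data))
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (raw, norm) in compare().items():
        print(f"{name:8s} raw={raw!s:5s} normalized={norm}")
```

None of the four samples matches as raw bytes: the ten-byte Radmin packet collapses to the four bytes the pattern expects, and the DHCP magic cookie only reads `c\x82sc` after its `S` is lowercased.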

l7-protocols-2009-05-28/protocols/netbios.pat
# NetBIOS - Network Basic Input Output System
# Pattern attributes: marginal notsofast notsofast
# Protocol groups: networking ietf_internet_standard proprietary
# Wiki: http://www.protocolinfo.org/wiki/NetBIOS
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# As mentioned in smb.pat:
#
# "This protocol is sometimes also referred to as the Common Internet File
# System (CIFS), LanManager or NetBIOS protocol." -- "man samba"
#
# Actually, SMB is a higher level protocol than NetBIOS. However, the
# NetBIOS header is only 4 bytes: not much to match on.
#
# http://www.ubiqx.org/cifs/SMB.html
# See also RFCs 1001 and 1002.
#
# This pattern attempts to match the (Session layer) NetBIOS Session request.
# If successful, you may be able to match NetBIOS several packets earlier
# than if you just waited for the easier-to-match SMB header.
#
# This pattern is untested.

netbios
# session request byte, three bytes of flags and length. Then
# there should be a big mess of letters between A and P which represent
# the NetBIOS names of the involved computers (with a null between them).
# (40ish here, damn this regexp implementation and its lack of {40,})
\x81.?.?.[A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P]

l7-protocols-2009-05-28/protocols/uucp.pat
# UUCP - Unix to Unix Copy
# Pattern attributes: ok veryfast fast
# Protocol groups: document_retrieval obsolete
# Wiki: http://www.protocolinfo.org/wiki/UUCP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# This is completely untested! (I don't know how to use UUCP...)
# See http://docs.freebsd.org/info/uucp/uucp.info.The_Initial_Handshake.html

uucp
^\x10here=

l7-protocols-2009-05-28/protocols/pcanywhere.pat
# pcAnywhere - Symantec remote access program
# Pattern attributes: marginal veryfast fast
# Protocol groups: remote_access proprietary
# Wiki: http://www.protocolinfo.org/wiki/PcAnywhere
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# This is completely untested!
# See http://www.unixwiz.net/tools/pcascan.txt

pcanywhere
# I think this only matches queries and not the bulk of the traffic!
^(nq|st)$

l7-protocols-2009-05-28/protocols/xunlei.pat
# Xunlei - Chinese P2P filesharing - http://xunlei.com
# Pattern attributes: good slow notsofast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/Xunlei
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This has been tested by a number of people.
#
# Written by wsgtrsys of www.routerclub.com. Improved by VeNoMouS.
# Improved more by wsgtrsys and platinum of bbs.chinaunix.net.
#
# Further additions of HTTP-like content by liangjunATdcuxD.Tcom, who
# says: "i find old pattern is not working . so i write a new pattern of
# xunlei,it's working with all of xunlei 5 version!" Matthew Strait notes
# in response:
#
# I've looked around and I'm fairly sure that Internet Explorer 5.0
# never identifies itself as "Mozilla/4.0 (compatible; MSIE 5.00;
# Windows 98)" and that Internet Explorer 6.0 never identifies itself as
# either "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; )" or
# "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)".
# The keep-alive part needs some examination too. These might validly
# occur in an HTTP/1.0 connection, although I think in practical cases
# they don't since there's generally only one \x0d\x0a after it and/or the
# next line starts with a letter (especially because it's the client
# sending it). It wouldn't be crazy, though, if another protocol
# (besides Xunlei) used keep-alive in a way that did match this. But
# since I can't think of any examples, I'll assume it's ok for now.

xunlei
^([()]|get)(...?.?.?(reg|get|query)|.+User-Agent: (Mozilla/4\.0 \(compatible; (MSIE 6\.0; Windows NT 5\.1;? ?\)|MSIE 5\.00; Windows 98\))))|Keep-Alive\x0d\x0a\x0d\x0a[26]
# This was the pattern until 2008 11 08. It is safer than the above against
# overmatching ordinary HTTP connections
#^[()]...?.?.?(reg|get|query)
# More detail:
# From http://sourceforge.net/tracker/index.php?func=detail&aid=1885209&group_id=80085&atid=558668
#
##############################################################################
# Date: 2008-02-03
# Sender: hydr0g3n
#
# Xunlei (Chinese P2P) traffic is not matched anymore by layer7 xunlei
# pattern. It used to work in the past but not anymore. Maybe Xunlei was
# updated and pattern should be adapted?
#
# Apparently ipp2p was edited by Chinese people to detect pplive and xunlei.
# It is interesting and very recent:
# http://www.chinaunix.net/jh/4/914377.html
##############################################################################
# Date: 2008-02-03
# Sender: quadong
#
# Ok. Only some of the ipp2p function can be translated into an l7-filter
# regular expression. The first part of search_xunlei can't be, since it
# works by checking whether the length of the packet matches a byte in the
# packet. The second part of search_xunlei becomes:
#
# \x20.?\x01?.?[\x01\x77]............?.?.?.?\x38
#
# Or possibly:
#
# ^\x20.?\x01?.?[\x01\x77]............?.?.?.?\x38
#
# I'm not sure whether IPP2P looks at every packet or only the first of each
# connection.
#
# udp_search_xunlei says:
# \x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff
#
# Again, putting a ^ at the beginning might work:
#
# ^(\x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff)
#
# So this *might* work:
#
# ^(\x20.?\x01?.?[\x01\x77]............?.?.?.?\x38|\x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff)
#
# but the ^ might be wrong and it will not match the HTTP part of Xunlei.
##############################################################################

l7-protocols-2009-05-28/protocols/doom3.pat
# Doom 3 - computer game
# Pattern attributes: good veryfast fast
# Protocol groups: game proprietary
# Wiki: http://www.protocolinfo.org/wiki/Doom
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Thanks to Clayton Macleod (cherrytwist at gmail.com).

doom3
^\xff\xffchallenge

l7-protocols-2009-05-28/protocols/rtp.pat
# RTP - Real-time Transport Protocol - RFC 3550
# Pattern attributes: ok overmatch undermatch fast fast
# Protocol groups: streaming_video ietf_internet_standard
# Wiki: http://www.protocolinfo.org/wiki/RTP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# RTP headers are *very* short and compact. They have almost nothing in
# them that can be matched by l7-filter. As RTP connections take place
# between even numbered ports, you should probably check for that before
# applying this pattern. If you want to match them along with their
# associated SIP packets, you might try setting up some iptables rules
# that watch for SIP packets and then also match any other UDP packets
# that are going between the same two IP addresses.
#
# I think we can count on the first bit being 1 and the second bit being
# 0 (meaning protocol version 2). The next two bits could go either way,
# but in the example I've seen, they are zero, so I'll assume they are
# usually zero. The next four bits are a count of "contributing source
# identifiers". I'm not sure how big that could be, but in the example
# I've seen, they're zero, so I'll assume they're usually zero. So that
# gives us ^\x80. The next bit is a tossup. Next is the payload type, 7
# bits. I've taken likely values from the WireShark code: 0-34, 96-127
# (decimal). The rest of the header is random numbers (sequence number,
# timestamp, synchronization source identifier), so that's no help at
# all.

rtp
^\x80[\x01-"`-\x7f\x80-\xa2\xe0-\xff]?..........*\x80
# Might also try this. It's a bit slower (one packet and not too much extra
# regexec load) and a bit more accurate:
#^\x80[\x01-"`-\x7f\x80-\xa2\xe0-\xff]?..........*\x80.*\x80

l7-protocols-2009-05-28/protocols/skypeout.pat
# Skype to phone - UDP voice call (program to POTS phone) - http://skype.com
# Pattern attributes: ok slow notsofast overmatch
# Protocol groups: voip p2p proprietary
# Wiki: http://www.protocolinfo.org/wiki/Skype
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# Thanks to Myles Uyema, mylesuyema AT gmail.com
# Taken using Ethereal traces of Windows Skype v1.2.037, same in v1.2.0.18_API
#
# Skype will attempt to use the same UDP port for all its connections as
# configured in its options. However, this is a random port by default.
# Skype has some preference for ports 80 and 443.
#
# Example sessions:
#
#SkypeOut
#c6 5c bf 41 8e 8d d6 d2 08 <-- this is sometimes as short as 1 byte and
#c6 5c bf 41 8e 8d d6 d2 08 <-- sometimes as long as 9 (or more?)
#00 6b 2c f5 87 f1 06 #00 6b 2c f5 87 f1 06 #00 6b 2c f5 36 ea 85 #00 6b 2c f5 36 ea 85 #00 6b 2c f5 57 27 d4 #00 6b 2c f5 57 27 d4 #00 6b 2c f5 43 5b 00 #00 6b 2c f5 43 5b 00 # #SkypeOut #7e 4f e5 b8 #7e 4f e5 b8 #00 6b 88 61 80 52 93 #00 6b 88 61 80 52 93 #00 6b 88 61 1a 09 e9 #00 6b 88 61 1a 09 e9 #00 6b 88 61 47 43 c4 #00 6b 88 61 47 43 c4 skypeout # Scary. Our regular expressions suck. This is a prime candidate for # some sort of a scheme to support two different regular expressions # when there's a major difference between what the two libraries allow. # For the Henry Spencer library, there's not much that can be done # except requiring that we see the same byte twice. # This matches about %4 of random streams and 13% of printable random streams # This is slow, but not as bad as you might think. ^(\x01.?.?.?.?.?.?.?.?\x01|\x02.?.?.?.?.?.?.?.?\x02|\x03.?.?.?.?.?.?.?.?\x03|\x04.?.?.?.?.?.?.?.?\x04|\x05.?.?.?.?.?.?.?.?\x05|\x06.?.?.?.?.?.?.?.?\x06|\x07.?.?.?.?.?.?.?.?\x07|\x08.?.?.?.?.?.?.?.?\x08|\x09.?.?.?.?.?.?.?.?\x09|\x0a.?.?.?.?.?.?.?.?\x0a|\x0b.?.?.?.?.?.?.?.?\x0b|\x0c.?.?.?.?.?.?.?.?\x0c|\x0d.?.?.?.?.?.?.?.?\x0d|\x0e.?.?.?.?.?.?.?.?\x0e|\x0f.?.?.?.?.?.?.?.?\x0f|\x10.?.?.?.?.?.?.?.?\x10|\x11.?.?.?.?.?.?.?.?\x11|\x12.?.?.?.?.?.?.?.?\x12|\x13.?.?.?.?.?.?.?.?\x13|\x14.?.?.?.?.?.?.?.?\x14|\x15.?.?.?.?.?.?.?.?\x15|\x16.?.?.?.?.?.?.?.?\x16|\x17.?.?.?.?.?.?.?.?\x17|\x18.?.?.?.?.?.?.?.?\x18|\x19.?.?.?.?.?.?.?.?\x19|\x1a.?.?.?.?.?.?.?.?\x1a|\x1b.?.?.?.?.?.?.?.?\x1b|\x1c.?.?.?.?.?.?.?.?\x1c|\x1d.?.?.?.?.?.?.?.?\x1d|\x1e.?.?.?.?.?.?.?.?\x1e|\x1f.?.?.?.?.?.?.?.?\x1f|\x20.?.?.?.?.?.?.?.?\x20|\x21.?.?.?.?.?.?.?.?\x21|\x22.?.?.?.?.?.?.?.?\x22|\x23.?.?.?.?.?.?.?.?\x23|\$.?.?.?.?.?.?.?.?\$|\x25.?.?.?.?.?.?.?.?\x25|\x26.?.?.?.?.?.?.?.?\x26|\x27.?.?.?.?.?.?.?.?\x27|\(.?.?.?.?.?.?.?.?\(|\).?.?.?.?.?.?.?.?\)|\*.?.?.?.?.?.?.?.?\*|\+.?.?.?.?.?.?.?.?\+|\x2c.?.?.?.?.?.?.?.?\x2c|\x2d.?.?.?.?.?.?.?.?\x2d|\..?.?.?.?.?.?.?.?\.|\x2f.?.?.?.?.?.?.?.?\x2f|\x30.?.?.?.?.?.?.?.?\x30|\x31.?.?.
?.?.?.?.?.?\x31|\x32.?.?.?.?.?.?.?.?\x32|\x33.?.?.?.?.?.?.?.?\x33|\x34.?.?.?.?.?.?.?.?\x34|\x35.?.?.?.?.?.?.?.?\x35|\x36.?.?.?.?.?.?.?.?\x36|\x37.?.?.?.?.?.?.?.?\x37|\x38.?.?.?.?.?.?.?.?\x38|\x39.?.?.?.?.?.?.?.?\x39|\x3a.?.?.?.?.?.?.?.?\x3a|\x3b.?.?.?.?.?.?.?.?\x3b|\x3c.?.?.?.?.?.?.?.?\x3c|\x3d.?.?.?.?.?.?.?.?\x3d|\x3e.?.?.?.?.?.?.?.?\x3e|\?.?.?.?.?.?.?.?.?\?|\x40.?.?.?.?.?.?.?.?\x40|\x41.?.?.?.?.?.?.?.?\x41|\x42.?.?.?.?.?.?.?.?\x42|\x43.?.?.?.?.?.?.?.?\x43|\x44.?.?.?.?.?.?.?.?\x44|\x45.?.?.?.?.?.?.?.?\x45|\x46.?.?.?.?.?.?.?.?\x46|\x47.?.?.?.?.?.?.?.?\x47|\x48.?.?.?.?.?.?.?.?\x48|\x49.?.?.?.?.?.?.?.?\x49|\x4a.?.?.?.?.?.?.?.?\x4a|\x4b.?.?.?.?.?.?.?.?\x4b|\x4c.?.?.?.?.?.?.?.?\x4c|\x4d.?.?.?.?.?.?.?.?\x4d|\x4e.?.?.?.?.?.?.?.?\x4e|\x4f.?.?.?.?.?.?.?.?\x4f|\x50.?.?.?.?.?.?.?.?\x50|\x51.?.?.?.?.?.?.?.?\x51|\x52.?.?.?.?.?.?.?.?\x52|\x53.?.?.?.?.?.?.?.?\x53|\x54.?.?.?.?.?.?.?.?\x54|\x55.?.?.?.?.?.?.?.?\x55|\x56.?.?.?.?.?.?.?.?\x56|\x57.?.?.?.?.?.?.?.?\x57|\x58.?.?.?.?.?.?.?.?\x58|\x59.?.?.?.?.?.?.?.?\x59|\x5a.?.?.?.?.?.?.?.?\x5a|\[.?.?.?.?.?.?.?.?\[|\\.?.?.?.?.?.?.?.?\\|\].?.?.?.?.?.?.?.?\]|\^.?.?.?.?.?.?.?.?\^|\x5f.?.?.?.?.?.?.?.?\x5f|\x60.?.?.?.?.?.?.?.?\x60|\x61.?.?.?.?.?.?.?.?\x61|\x62.?.?.?.?.?.?.?.?\x62|\x63.?.?.?.?.?.?.?.?\x63|\x64.?.?.?.?.?.?.?.?\x64|\x65.?.?.?.?.?.?.?.?\x65|\x66.?.?.?.?.?.?.?.?\x66|\x67.?.?.?.?.?.?.?.?\x67|\x68.?.?.?.?.?.?.?.?\x68|\x69.?.?.?.?.?.?.?.?\x69|\x6a.?.?.?.?.?.?.?.?\x6a|\x6b.?.?.?.?.?.?.?.?\x6b|\x6c.?.?.?.?.?.?.?.?\x6c|\x6d.?.?.?.?.?.?.?.?\x6d|\x6e.?.?.?.?.?.?.?.?\x6e|\x6f.?.?.?.?.?.?.?.?\x6f|\x70.?.?.?.?.?.?.?.?\x70|\x71.?.?.?.?.?.?.?.?\x71|\x72.?.?.?.?.?.?.?.?\x72|\x73.?.?.?.?.?.?.?.?\x73|\x74.?.?.?.?.?.?.?.?\x74|\x75.?.?.?.?.?.?.?.?\x75|\x76.?.?.?.?.?.?.?.?\x76|\x77.?.?.?.?.?.?.?.?\x77|\x78.?.?.?.?.?.?.?.?\x78|\x79.?.?.?.?.?.?.?.?\x79|\x7a.?.?.?.?.?.?.?.?\x7a|\{.?.?.?.?.?.?.?.?\{|\|.?.?.?.?.?.?.?.?\||\}.?.?.?.?.?.?.?.?\}|\x7e.?.?.?.?.?.?.?.?\x7e|\x7f.?.?.?.?.?.?.?.?\x7f|\x80.?.?.?.?.?.?.?.?\x80|\x81.?.?.?.?.?.?.?.?\x81|\x82.?.?.?.?.?.?
.?.?\x82|\x83.?.?.?.?.?.?.?.?\x83|\x84.?.?.?.?.?.?.?.?\x84|\x85.?.?.?.?.?.?.?.?\x85|\x86.?.?.?.?.?.?.?.?\x86|\x87.?.?.?.?.?.?.?.?\x87|\x88.?.?.?.?.?.?.?.?\x88|\x89.?.?.?.?.?.?.?.?\x89|\x8a.?.?.?.?.?.?.?.?\x8a|\x8b.?.?.?.?.?.?.?.?\x8b|\x8c.?.?.?.?.?.?.?.?\x8c|\x8d.?.?.?.?.?.?.?.?\x8d|\x8e.?.?.?.?.?.?.?.?\x8e|\x8f.?.?.?.?.?.?.?.?\x8f|\x90.?.?.?.?.?.?.?.?\x90|\x91.?.?.?.?.?.?.?.?\x91|\x92.?.?.?.?.?.?.?.?\x92|\x93.?.?.?.?.?.?.?.?\x93|\x94.?.?.?.?.?.?.?.?\x94|\x95.?.?.?.?.?.?.?.?\x95|\x96.?.?.?.?.?.?.?.?\x96|\x97.?.?.?.?.?.?.?.?\x97|\x98.?.?.?.?.?.?.?.?\x98|\x99.?.?.?.?.?.?.?.?\x99|\x9a.?.?.?.?.?.?.?.?\x9a|\x9b.?.?.?.?.?.?.?.?\x9b|\x9c.?.?.?.?.?.?.?.?\x9c|\x9d.?.?.?.?.?.?.?.?\x9d|\x9e.?.?.?.?.?.?.?.?\x9e|\x9f.?.?.?.?.?.?.?.?\x9f|\xa0.?.?.?.?.?.?.?.?\xa0|\xa1.?.?.?.?.?.?.?.?\xa1|\xa2.?.?.?.?.?.?.?.?\xa2|\xa3.?.?.?.?.?.?.?.?\xa3|\xa4.?.?.?.?.?.?.?.?\xa4|\xa5.?.?.?.?.?.?.?.?\xa5|\xa6.?.?.?.?.?.?.?.?\xa6|\xa7.?.?.?.?.?.?.?.?\xa7|\xa8.?.?.?.?.?.?.?.?\xa8|\xa9.?.?.?.?.?.?.?.?\xa9|\xaa.?.?.?.?.?.?.?.?\xaa|\xab.?.?.?.?.?.?.?.?\xab|\xac.?.?.?.?.?.?.?.?\xac|\xad.?.?.?.?.?.?.?.?\xad|\xae.?.?.?.?.?.?.?.?\xae|\xaf.?.?.?.?.?.?.?.?\xaf|\xb0.?.?.?.?.?.?.?.?\xb0|\xb1.?.?.?.?.?.?.?.?\xb1|\xb2.?.?.?.?.?.?.?.?\xb2|\xb3.?.?.?.?.?.?.?.?\xb3|\xb4.?.?.?.?.?.?.?.?\xb4|\xb5.?.?.?.?.?.?.?.?\xb5|\xb6.?.?.?.?.?.?.?.?\xb6|\xb7.?.?.?.?.?.?.?.?\xb7|\xb8.?.?.?.?.?.?.?.?\xb8|\xb9.?.?.?.?.?.?.?.?\xb9|\xba.?.?.?.?.?.?.?.?\xba|\xbb.?.?.?.?.?.?.?.?\xbb|\xbc.?.?.?.?.?.?.?.?\xbc|\xbd.?.?.?.?.?.?.?.?\xbd|\xbe.?.?.?.?.?.?.?.?\xbe|\xbf.?.?.?.?.?.?.?.?\xbf|\xc0.?.?.?.?.?.?.?.?\xc0|\xc1.?.?.?.?.?.?.?.?\xc1|\xc2.?.?.?.?.?.?.?.?\xc2|\xc3.?.?.?.?.?.?.?.?\xc3|\xc4.?.?.?.?.?.?.?.?\xc4|\xc5.?.?.?.?.?.?.?.?\xc5|\xc6.?.?.?.?.?.?.?.?\xc6|\xc7.?.?.?.?.?.?.?.?\xc7|\xc8.?.?.?.?.?.?.?.?\xc8|\xc9.?.?.?.?.?.?.?.?\xc9|\xca.?.?.?.?.?.?.?.?\xca|\xcb.?.?.?.?.?.?.?.?\xcb|\xcc.?.?.?.?.?.?.?.?\xcc|\xcd.?.?.?.?.?.?.?.?\xcd|\xce.?.?.?.?.?.?.?.?\xce|\xcf.?.?.?.?.?.?.?.?\xcf|\xd0.?.?.?.?.?.?.?.?\xd0|\xd1.?.?.?.?.?.?.?.?\xd1|\xd2.?.?.?.?.?.?
.?.?\xd2|\xd3.?.?.?.?.?.?.?.?\xd3|\xd4.?.?.?.?.?.?.?.?\xd4|\xd5.?.?.?.?.?.?.?.?\xd5|\xd6.?.?.?.?.?.?.?.?\xd6|\xd7.?.?.?.?.?.?.?.?\xd7|\xd8.?.?.?.?.?.?.?.?\xd8|\xd9.?.?.?.?.?.?.?.?\xd9|\xda.?.?.?.?.?.?.?.?\xda|\xdb.?.?.?.?.?.?.?.?\xdb|\xdc.?.?.?.?.?.?.?.?\xdc|\xdd.?.?.?.?.?.?.?.?\xdd|\xde.?.?.?.?.?.?.?.?\xde|\xdf.?.?.?.?.?.?.?.?\xdf|\xe0.?.?.?.?.?.?.?.?\xe0|\xe1.?.?.?.?.?.?.?.?\xe1|\xe2.?.?.?.?.?.?.?.?\xe2|\xe3.?.?.?.?.?.?.?.?\xe3|\xe4.?.?.?.?.?.?.?.?\xe4|\xe5.?.?.?.?.?.?.?.?\xe5|\xe6.?.?.?.?.?.?.?.?\xe6|\xe7.?.?.?.?.?.?.?.?\xe7|\xe8.?.?.?.?.?.?.?.?\xe8|\xe9.?.?.?.?.?.?.?.?\xe9|\xea.?.?.?.?.?.?.?.?\xea|\xeb.?.?.?.?.?.?.?.?\xeb|\xec.?.?.?.?.?.?.?.?\xec|\xed.?.?.?.?.?.?.?.?\xed|\xee.?.?.?.?.?.?.?.?\xee|\xef.?.?.?.?.?.?.?.?\xef|\xf0.?.?.?.?.?.?.?.?\xf0|\xf1.?.?.?.?.?.?.?.?\xf1|\xf2.?.?.?.?.?.?.?.?\xf2|\xf3.?.?.?.?.?.?.?.?\xf3|\xf4.?.?.?.?.?.?.?.?\xf4|\xf5.?.?.?.?.?.?.?.?\xf5|\xf6.?.?.?.?.?.?.?.?\xf6|\xf7.?.?.?.?.?.?.?.?\xf7|\xf8.?.?.?.?.?.?.?.?\xf8|\xf9.?.?.?.?.?.?.?.?\xf9|\xfa.?.?.?.?.?.?.?.?\xfa|\xfb.?.?.?.?.?.?.?.?\xfb|\xfc.?.?.?.?.?.?.?.?\xfc|\xfd.?.?.?.?.?.?.?.?\xfd|\xfe.?.?.?.?.?.?.?.?\xfe|\xff.?.?.?.?.?.?.?.?\xff) l7-protocols-2009-05-28/protocols/cimd.pat0000644000175000017500000000141111105357705020062 0ustar straitmstraitm# Computer Interface to Message Distribution, an SMSC protocol by Nokia # Pattern attributes: good notsofast notsofast subset # Protocol groups: proprietary chat # Wiki: http://www.protocolinfo.org/wiki/CIMD # Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE # I don't know whether CIMD is ever found by itself in a TCP connection. # I have only seen it myself as part of the Chikka login process, in # which the second and third packets (at least) are CIMD. So I am not # using a '^' at the beginning. # # This pretty well explains the pattern: # http://en.wikipedia.org/w/index.php?title=CIMD&oldid=42707583 # However, Chikka does NOT terminate the last field with a tab. # # Tested with Chikka Javalite on 14 Jan 2007. 
cimd
\x02[0-4][0-9]:[0-9]+.*\x03$

l7-protocols-2009-05-28/groups.sh
#!/bin/bash
# Count how many pattern files declare each protocol group.
cat */*.pat | grep -i "Protocol Groups" | cut -d' ' -f 4- | tr ' ' '\n' | sort | uniq -c | sort -n

l7-protocols-2009-05-28/HOWTO
For general l7-filter HOWTO: http://l7-filter.sf.net/HOWTO
For pattern writing HOWTO: http://l7-filter.sf.net/Pattern-HOWTO

l7-protocols-2009-05-28/l7-protocols.spec
Name: l7-protocols
Summary: Protocol definitions files for l7-filter
Version: FILL_THIS_IN_WITH_THE_VERSION_NUMBER
Release: 1
License: GPL
Group: Applications/Internet
URL: http://l7-filter.sourceforge.net/
Source0: http://prdownloads.sf.net/l7-filter/%name-%version.tar.gz
BuildRoot: %{_tmppath}/%{name}-buildroot

%description
Protocol definitions files for use with the Linux Layer 7 Packet Classifier. These files are regular expressions that define Internet protocols such as HTTP, MSN Messenger, FTP, Cisco VPN, Fasttrack, DNS, Gnutella, Quake, etc.

%prep
%setup -q

%build

%install
rm -rf $RPM_BUILD_ROOT
make PREFIX=$RPM_BUILD_ROOT install

%clean

%files
%defattr(-, root, root)
/etc/l7-protocols/

%changelog
* Thu Dec 08 2004 FIRSTNAME LASTNAME VERSION-1
- Upgrade to VERSION

* Wed Jul 07 2004 Matthew Strait 2004_07_07-1
- Initial RPM

l7-protocols-2009-05-28/WANTED
Below is a list of protocols that we might want to have. The existence of a protocol on this list does not mean that we have researched it extensively (or at all), so some (probably many) may be obsolete, unpopular, misnamed, redundant, etc. Please read HOWTO for information on writing patterns.

P2P:
MANOLITO (Blubster, Piolet, RockItNet)
PeerCast
IceShare
Freecast
CoolStreaming
Cybersky-TV
ANts P2P
AsagumoWeb
Avalanche (known to be vaporware as of June 2005)
CAKE
Chord
Coral
EarthStation 5
FileTopia
FotoSwap
GNUnet
Groove
iFolder
konspire2b
Madster/Aimster
OpenExt
P-Grid
JXTA
Peersites
MojoNation
Mnet
Octoshape
Solipsis
SPIN
Swarmcast
WASTE
WinNY
Legion

Chat:
Gadu-gadu - a popular Polish instant messenger protocol
Zephyr
SMS/SMPP

VoIP:
GameComm - http://www.gamecomm.com/
Roger Wilco - http://rogerwilco.gamespy.com/
IPCC? - http://en.wikipedia.org/wiki/FrontRange_Solutions
IAX - http://en.wikipedia.org/wiki/IAX
PeerMe - http://www.peerme.com/
Megaco (a.k.a. H.248)
MGCP
Skinny Client Control Protocol
MiNET
CorNet-IP
Jajah - http://en.wikipedia.org/wiki/Jajah

Misc:
LDAP - Lightweight Directory Access Protocol
MS-SQL - Microsoft SQL Mon and Server traffic
NFS - Network File System
RTCP - Real-time control protocol
SunRPC - Sun's Remote Procedure Calls
XDMCP - X-Windows Display Manager Control Protocol

l7-protocols-2009-05-28/file_types/

l7-protocols-2009-05-28/file_types/README
Patterns in this directory are not for network protocols, but rather for file types. They are for cases in which you would like to promote/restrict transfer of one file type regardless of what protocol it is being transferred over.

# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

Writing patterns for this directory is pretty easy. Often /usr/share/magic has everything you need to know. If you'd like something that isn't here, please ask for it.

Notes:

0) Support for doing this is pretty sketchy. Proceed at your own risk.

1) These patterns cannot use the ^ and $ anchors, because although you may be matching the beginning of a file, it's not the beginning of a connection.

2) A connection may very well contain more than one file transfer and/or things other than file transfers. These patterns will match the first file sent (or nothing if the first stuff isn't a file) and continue to apply that classification to all subsequent files of that connection, regardless of their content. For instance:

- HTTP can send several files over the same connection. l7-filter can match the first one, but subsequent ones just get the original match applied to them.

- SMB sends all sorts of chatter over the same TCP connection as files are sent over, so we can't match its file transfers at all.

3) Since the file starts later than the application layer protocol information, you may need to increase the number of packets and bytes examined. Use /proc/net/layer7_numpackets to increase the number of packets examined. i.e. "echo 12 > /proc/net/layer7_numpackets". To increase the number of bytes examined, you'll need to recompile your kernel. See the documentation at http://l7-filter.sf.net

4) If you want a filter for both a file type and the application layer protocol that this file type is transported over (i.e. HTML and HTTP), you've got a difficult situation. Each connection can only be classified as one thing at a time. The obvious thing is to set up a tree like this:

(root)
  \_ HTTP
  |    \_ HTML
  |    \_ PDF
  \_ FTP
       \_ TAR
       \_ PS
       \_ PDF

But if you do this, you'll find that the file types never match, because the connections have already been classified by their protocol. So what's the solution? Well, you can do this instead:

(root)
  \_ port 80
  |    \_ HTML
  |    \_ PDF
  \_ port 21
       \_ TAR
       \_ PS
       \_ PDF

(Except, of course, that FTP data doesn't actually go over port 21, so some extra magic is needed there.)

Or perhaps you could use IMQ to create several unrelated regions of classification. i.e. On ingress, classify and shape on protocol and on egress, classify and shape on file type. I haven't tried this.
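
Notes 1 to 3 of this README, as an added example (not code from l7-filter or from this archive): a simplified Python model of per-connection matching, using patterns copied from the file_types/*.pat files in this archive. The NUL stripping, the case-insensitive matching, the `max_packets`/`max_bytes` limits and all class and function names are assumptions of the model, and the sample packets are constructed.

```python
import re

# Patterns copied verbatim from the file_types/*.pat files in this archive.
FILE_PATTERNS = [
    ("png", rb"\x89PNG\x0d\x0a\x1a\x0a"),
    ("pdf", rb"%PDF-1\.[0123456]"),
    ("zip", rb"pk\x03\x04\x14"),
    ("exe", rb"\x4d\x5a(\x90\x03|\x50\x02)\x04"),
]


class Connection:
    """Simplified model of per-connection matching (an assumption, not l7-filter code)."""

    def __init__(self, max_packets=12, max_bytes=2048):
        # Assumed matcher behaviour: case-insensitive, unanchored search.
        self.rules = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in FILE_PATTERNS]
        self.max_packets = max_packets
        self.max_bytes = max_bytes
        self.buf = b""
        self.seen = 0
        self.label = None

    def packet(self, payload):
        """Feed one packet's payload; return the connection's label so far."""
        if self.label is not None or self.seen >= self.max_packets:
            # Note 2: the first verdict sticks. Note 3: the inspection window is closed.
            return self.label
        self.seen += 1
        room = self.max_bytes - len(self.buf)
        # Assumed: NUL bytes are dropped before matching (exe.pat says its NULs were stripped).
        self.buf += payload.replace(b"\x00", b"")[:room]
        for name, rx in self.rules:
            if rx.search(self.buf):
                self.label = name
                break
        return self.label


def classify(packets, **limits):
    """Run a list of packet payloads through one modelled connection."""
    conn = Connection(**limits)
    label = None
    for payload in packets:
        label = conn.packet(payload)
    return label


# Constructed sample traffic (not captured data).
HTTP_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n"
PNG_HEAD = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"
PDF_HEAD = b"%PDF-1.4\n"
ZIP_HEAD = b"PK\x03\x04\x14\x00\x00\x00\x08\x00"
MZ_HEAD = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
CHATTER = [b"220 ready\r\n", b"USER demo\r\n", b"331 password?\r\n"]


def demo():
    return {
        # Note 1: the PNG starts after the HTTP headers, so an anchored match fails.
        "png_anchored": re.match(FILE_PATTERNS[0][1], HTTP_HDR + PNG_HEAD) is not None,
        "png_unanchored": classify([HTTP_HDR, PNG_HEAD]),
        # Note 2: a PDF sent later on the same connection keeps the first label.
        "png_then_pdf": classify([HTTP_HDR, PNG_HEAD, HTTP_HDR, PDF_HEAD]),
        # The lowercase "pk" pattern matches a real "PK" header only case-insensitively.
        "zip": classify([ZIP_HEAD]),
        # The exe pattern matches the MZ stub only once the NULs are removed.
        "exe_raw": re.search(FILE_PATTERNS[3][1], MZ_HEAD) is not None,
        "exe": classify([MZ_HEAD]),
        # Note 3: a file that starts after the packet window is never examined.
        "late_small_window": classify(CHATTER + [PDF_HEAD], max_packets=3),
        "late_big_window": classify(CHATTER + [PDF_HEAD], max_packets=12),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
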
l7-protocols-2009-05-28/file_types/ogg.pat
# Ogg - Ogg Vorbis music format (not any ogg file, just vorbis)
# Pattern attributes: ok notsofast notsofast subset
# Protocol groups: file
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

ogg
oggs.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?\x01vorbis

l7-protocols-2009-05-28/file_types/postscript.pat
# Postscript - Printing Language
# Pattern attributes: good fast notsofast subset
# Protocol groups: file
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

postscript
%!ps

l7-protocols-2009-05-28/file_types/mp3.pat
# MP3 - Moving Picture Experts Group Audio Layer III
# Pattern attributes: good notsofast notsofast subset
# Protocol groups: file
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# By LanTian (chinalantian at 126 d.t com)
# Only matches the standard MP3 form, non-standard files might not be matched.

mp3
\x49\x44\x33\x03

l7-protocols-2009-05-28/file_types/flash.pat
# Flash - Macromedia Flash.
# Pattern attributes: good slow notsofast subset
# Protocol groups: file
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# Thanks to Brandon Enright {bmenrigh AT ucsd.edu} and chinalantian at
# 126 dot com

# Macromedia spec:
# http://download.macromedia.com/pub/flash/flash_file_format_specification.pdf
# See also:
# http://www.digitalpreservation.gov/formats/fdd/fdd000130.shtml
# http://osflash.org/flv

flash
# FWS = uncompressed, CWS = compressed, next byte is version number
# FLV = video
[FC]WS[\x01-\x09]|FLV\x01\x05\x09

l7-protocols-2009-05-28/file_types/zip.pat
# ZIP - (PK|Win)Zip archive format
# Pattern attributes: good notsofast notsofast subset
# Protocol groups: file
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

zip
pk\x03\x04\x14

l7-protocols-2009-05-28/file_types/rpm.pat
# RPM - Redhat Package Management packages
# Pattern attributes: good fast notsofast subset
# Protocol groups: file
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

rpm
\xed\xab\xee\xdb.?.?.?.?[1-7]

l7-protocols-2009-05-28/file_types/png.pat
# PNG - Portable Network Graphics, a popular image format
# Pattern attributes: good fast notsofast subset
# Protocol groups: file
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# Contributed by Radovan Josth. Tested at least a bit.

png
# drawn from /usr/share/magic
\x89PNG\x0d\x0a\x1a\x0a
# this is probably sufficient, but by default let's use the longer version
# \x89PNG

l7-protocols-2009-05-28/file_types/tar.pat
# Tar - tape archive. Standard UNIX file archiver, not just for tapes.
# Pattern attributes: good notsofast notsofast subset
# Protocol groups: file
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

tar
# /usr/share/magic
## POSIX tar archives
#257 string ustar\0 POSIX tar archive
#257 string ustar\040\040\0 GNU tar archive

# this is pretty general. It's not a dictionary word, but still...
ustar

l7-protocols-2009-05-28/file_types/gif.pat
# GIF - Popular Image format.
# Pattern attributes: good notsofast notsofast subset
# Protocol groups: file
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

gif
# drawn from /usr/share/magic
GIF8(7|9)a

l7-protocols-2009-05-28/file_types/jpeg.pat
# JPEG - Joint Picture Expert Group image format.
# Pattern attributes: ok fast notsofast subset
# Protocol groups: file
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

jpeg
# drawn from /usr/share/magic
\xff\xd8

l7-protocols-2009-05-28/file_types/rar.pat
# RAR - The WinRAR archive format
# Pattern attributes: good notsofast notsofast subset
# Protocol groups: file
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

rar
rar\x21\x1a\x07

l7-protocols-2009-05-28/file_types/exe.pat
# Executable - Microsoft PE file format.
# Pattern attributes: good notsofast notsofast subset
# Protocol groups: file
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
# Thanks to Brandon Enright [bmenrighATucsd.edu]

# This pattern doesn't technically match the PE file format but rather the
# MZ stub program Microsoft uses for backwards compatibility with DOS.
# That means this will correctly match DOS executables too.

exe
# There are two different stubs used depending on the compiler/packer.
# Numerous NULL bytes have been stripped from this pattern.

# This pattern may be more efficient:
# \x4d\x5a\x90\x03\x04|\x4d\x5a\x50\x02\x04

# This is easier to understand:
\x4d\x5a(\x90\x03|\x50\x02)\x04

l7-protocols-2009-05-28/file_types/pdf.pat
# PDF - Portable Document Format - Postscript-like format by Adobe
# Pattern attributes: good fast notsofast subset
# Protocol groups: file
#
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

# This pattern has been tested and is believed to work well.
# Matches PDF versions 1.0 - 1.6 (not sure if 1.6 exists yet, but it probably
# will.)

pdf
%PDF-1\.[0123456]

l7-protocols-2009-05-28/file_types/perl.pat
# Perl - A scripting language by Larry Wall.
# Pattern attributes: good fast notsofast subset
# Protocol groups: file
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

perl
\#! ?/(usr/(local/)?)?bin/perl

l7-protocols-2009-05-28/file_types/rtf.pat
# RTF - Rich Text Format - an open document format
# Pattern attributes: good fast notsofast subset
# Protocol groups: file
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

rtf
\{\\rtf[12]

l7-protocols-2009-05-28/file_types/html.pat
# (X)HTML - (Extensible) Hypertext Markup Language - http://w3.org
# Pattern attributes: good fast notsofast subset
# Protocol groups: file
#
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

# This pattern has been tested and is believed to work well.
# this should match any (X)HTML document from any version that conforms
# even vaguely to the standards.

html

l7-protocols-2009-05-28/extra/

l7-protocols-2009-05-28/extra/README
This directory contains patterns that may not be of general interest, such as patterns for "protocols" that are really subsets of other protocols (example: Quicktime HTTP). For HTTP subsets, you should consider using a transparent proxy rather than l7-filter.

# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

l7-protocols-2009-05-28/extra/audiogalaxy.pat
# Audiogalaxy - (defunct) Peer to Peer filesharing
# Pattern attributes: ok fast fast
# Protocol groups: p2p obsolete
# Wiki: http://protocolinfo.org/wiki/Audiogalaxy
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# http://www.movspclr.co.uk/info/agprotocol.html
#
# This pattern is untested.
#
# To get or provide more information about this protocol and/or pattern:
# http://www.protocolinfo.org/wiki/Audiogalaxy
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers

audiogalaxy
# (magic cookie that starts conversations)|(magic cookie that starts
# 0.606W/0.608W client/server conversations and a string that should always
# appear in login messages)
^(\x45\x5f\xd0\xd5|\x45\x5f.*0.60(6|8)W)

l7-protocols-2009-05-28/extra/httpcachehit.pat
# HTTP - Proxy Cache hit for HyperText Transfer Protocol (RFC 2616)
# Pattern attributes: good notsofast notsofast subset
# Protocol groups: document_retrieval ietf_draft_standard
# Wiki: http://protocolinfo.org/wiki/HTTP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 80
#
# Contributed by Francesco Del Degan
#
# This pattern has been tested and is believed to work well.
#
# To get or provide more information about this protocol and/or pattern:
# http://www.protocolinfo.org/wiki/HTTP
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers

httpcachehit
http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(x-cache: hit)

l7-protocols-2009-05-28/extra/snmp-trap.pat
# SNMP Traps - Simple Network Management Protocol (RFC1157)
# Pattern attributes: good veryfast fast subset
# Protocol groups: networking ietf_internet_standard
# Wiki: http://en.wikipedia.org/wiki/SNMP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on UDP ports 162
#
# These filters match SNMPv1 packets without fail, and are made
# as specific as possible not to match any ASN.1 encoded protocols.
# However these could still be matched by other protocols that
# use ASN.1 encoding

# Contributed by Goli SriSairam

# This pattern has been tested and is believed to work well.
#
# To get or provide more information about this protocol and/or pattern:
# http://www.protocolinfo.org/wiki/SNMP
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers

# SNMPv1 Trap
# matches SNMP trap header
# version               \x02\x01
# community string      \x04.+
# PDU type              \xa4 (TRAP)
# enterprise            \x06.+
# agent address         \x40\x04\.?.?.?.?
# trap type             \x02\x01.?
# specific trap type    \x02\x01.?
# timestamp             \x43

snmp-trap
^\x02\x01\x04.+\xa4\x06.+\x40\x04.?.?.?.?\x02\x01.?\x02\x01.?\x43

l7-protocols-2009-05-28/extra/httpvideo.pat
# HTTP - Video over HyperText Transfer Protocol (RFC 2616)
# Pattern attributes: good notsofast notsofast subset
# Protocol groups: streaming_video document_retrieval ietf_draft_standard
# Wiki: http://protocolinfo.org/wiki/HTTP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 80
#
# Contributed by Deepak Seshadri
#
# This pattern has been tested and is believed to work well.
#
# To get or provide more information about this protocol and/or pattern:
# http://www.protocolinfo.org/wiki/HTTP
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
#
# If you use this, you should be aware that:
#
# - they match both simple downloads of audio/video and streaming content.
#
# - blocking based on content-type encourages server
# writers/administrators to misreport content-type (which will just make
# headaches for everyone, including us), so I would strongly recommend
# shaping audio/video down to a speed that discourages use of streaming
# players without actually blocking it.
#
# - obviously, since this is a subset of HTTP, you need to match it
# earlier in your iptables rules than HTTP.

httpvideo
http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(content-type: video)

l7-protocols-2009-05-28/extra/pressplay.pat
# pressplay - A legal music distribution site - http://pressplay.com
# Pattern attributes: ok notsofast notsofast
# Protocol groups: document_retrieval obsolete proprietary
# Wiki: http://www.protocolinfo.org/wiki/Pressplay
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This pattern was "contributed" (taken with permission) by the bandwidth
# arbitrator project (www.bandwidtharbitrator.com).
#
# This pattern is unconfirmed.

pressplay
# can we do better than this?
user-agent: nsplayer

l7-protocols-2009-05-28/extra/http-itunes.pat
# HTTP - iTunes (Apple's music program)
# Pattern attributes: good notsofast notsofast subset
# Protocol groups: streaming_audio ietf_draft_standard
# Wiki: http://protocolinfo.org/wiki/HTTP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Port 80
# iTunes program basically uses the HTTP protocol for its initial
# communication.
# Pattern contributed by Deepak Seshadri

http-itunes
http/(0\.9|1\.0|1\.1).*(user-agent: itunes)

l7-protocols-2009-05-28/extra/gtalk.pat
# GTalk, a Jabber (XMPP) client
# Pattern attributes: good veryfast fast subset
# Protocol groups: chat ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/Jabber
# Copyright (C) 2009 Matthew Strait; See ../LICENSE

# See ../protocols/jabber.pat for more details

gtalk
^
#
# This pattern has been tested and is believed to work well.
#
# To get or provide more information about this protocol and/or pattern:
# http://www.protocolinfo.org/wiki/HTTP
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
#
# If you use this, you should be aware that:
#
# - they match both simple downloads of audio/video and streaming content.
#
# - blocking based on content-type encourages server
# writers/administrators to misreport content-type (which will just make
# headaches for everyone, including us), so I would strongly recommend
# shaping audio/video down to a speed that discourages use of streaming
# players without actually blocking it.
#
# - obviously, since this is a subset of HTTP, you need to match it
# earlier in your iptables rules than HTTP.

httpaudio
http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(content-type: audio)

l7-protocols-2009-05-28/extra/snmp-mon.pat
# SNMP Monitoring - Simple Network Management Protocol (RFC1157)
# Pattern attributes: good veryfast fast subset
# Protocol groups: networking ietf_internet_standard
# Wiki: http://en.wikipedia.org/wiki/SNMP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on UDP ports 161
#
# These filters match SNMPv1 packets without fail, and are made
# as specific as possible not to match any ASN.1 encoded protocols.
# However these could still be matched by other protocols that
# use ASN.1 encoding

# Contributed by Goli SriSairam

# This pattern has been tested and is believed to work well.
#
# To get or provide more information about this protocol and/or pattern:
# http://www.protocolinfo.org/wiki/SNMP
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers

# SNMPv1 GET/GETNEXT/SET request and response
# matches SNMP header
# version          \x02\x01
# community        \x04.+
# PDU type         [\xa0-\xa3] (GET/GETNEXT/SET/GETRESPONSE)
# RequestId        \x02[\x01-\x04].?.?.?.?
# errorStatus      \x02\x01.?
# errorIndex       \x02\x01.?
# varbinds start   \x30

snmp-mon
^\x02\x01\x04.+[\xa0-\xa3]\x02[\x01-\x04].?.?.?.?\x02\x01.?\x02\x01.?\x30

l7-protocols-2009-05-28/extra/http-freshdownload.pat
# HTTP by Fresh Download - http://www.freshdevices.com
# Pattern attributes: good notsofast notsofast subset
# Protocol groups: document_retrieval ietf_draft_standard
# Wiki: http://protocolinfo.org/wiki/HTTP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

# Uses HTTP to download.

http-freshdownload
# Fresh Download identifies itself in the User-Agent field of every HTTP
# request it makes.
# The latest version uses "User-Agent: FreshDownload/4.40". The
# additional version allowance is an attempt at "future proofing".
User-Agent: FreshDownload/[456](\.[0-9][0-9]?)?

l7-protocols-2009-05-28/extra/httpcachemiss.pat
# HTTP - Proxy Cache miss for HyperText Transfer Protocol (RFC 2616)
# Pattern attributes: good notsofast notsofast subset
# Protocol groups: document_retrieval ietf_draft_standard
# Wiki: http://protocolinfo.org/wiki/HTTP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Usually runs on port 80
#
# This pattern has been tested and is believed to work well.
#
# To get or provide more information about this protocol and/or pattern:
# http://www.protocolinfo.org/wiki/HTTP
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers

httpcachemiss
http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(x-cache: miss)

l7-protocols-2009-05-28/extra/http-dap.pat
# HTTP by Download Accelerator Plus - http://www.speedbit.com
# Pattern attributes: good notsofast notsofast subset
# Protocol groups: document_retrieval ietf_draft_standard
# Wiki: http://protocolinfo.org/wiki/HTTP
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# Uses HTTP to download.

http-dap
# DAP identifies itself in the User-Agent field of every HTTP request it
# makes. This is pretty trivial to get around if speedbit.com ever
# wanted to.
# The latest version uses "User-Agent: DA 7.0". The additional version
# allowance is an attempt at "future proofing".
User-Agent: DA [678]\.[0-9]

l7-protocols-2009-05-28/LICENSE
You may distribute this software under either the GPLv2 or Creative Commons Attribution-ShareAlike 2.5.
The text of each follows: *************************************************************************** GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 675 Mass Ave, Cambridge, MA 02139, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. 
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. 
The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. 
(Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. 
You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. 
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. 
If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. 
The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. 
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS Appendix: How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) 19yy This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. Also add information on how to contact you by electronic and paper mail. 
If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) 19yy name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License. *************************************************************************** Creative Commons Legal Code Attribution-ShareAlike 2.5 CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL SERVICES. DISTRIBUTION OF THIS LICENSE DOES NOT CREATE AN ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES REGARDING THE INFORMATION PROVIDED, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM ITS USE. License THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). 
THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED. BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS. 1. Definitions a. "Collective Work" means a work, such as a periodical issue, anthology or encyclopedia, in which the Work in its entirety in unmodified form, along with a number of other contributions, constituting separate and independent works in themselves, are assembled into a collective whole. A work that constitutes a Collective Work will not be considered a Derivative Work (as defined below) for the purposes of this License. b. "Derivative Work" means a work based upon the Work or upon the Work and other pre-existing works, such as a translation, musical arrangement, dramatization, fictionalization, motion picture version, sound recording, art reproduction, abridgment, condensation, or any other form in which the Work may be recast, transformed, or adapted, except that a work that constitutes a Collective Work will not be considered a Derivative Work for the purpose of this License. For the avoidance of doubt, where the Work is a musical composition or sound recording, the synchronization of the Work in timed-relation with a moving image ("synching") will be considered a Derivative Work for the purpose of this License. c. "Licensor" means the individual or entity that offers the Work under the terms of this License. d. "Original Author" means the individual or entity who created the Work. e. "Work" means the copyrightable work of authorship offered under the terms of this License. f. 
"You" means an individual or entity exercising rights under this License who has not previously violated the terms of this License with respect to the Work, or who has received express permission from the Licensor to exercise rights under this License despite a previous violation. g. "License Elements" means the following high-level license attributes as selected by Licensor and indicated in the title of this License: Attribution, ShareAlike. 2. Fair Use Rights. Nothing in this license is intended to reduce, limit, or restrict any rights arising from fair use, first sale or other limitations on the exclusive rights of the copyright owner under copyright law or other applicable laws. 3. License Grant. Subject to the terms and conditions of this License, Licensor hereby grants You a worldwide, royalty-free, non-exclusive, perpetual (for the duration of the applicable copyright) license to exercise the rights in the Work as stated below: a. to reproduce the Work, to incorporate the Work into one or more Collective Works, and to reproduce the Work as incorporated in the Collective Works; b. to create and reproduce Derivative Works; c. to distribute copies or phonorecords of, display publicly, perform publicly, and perform publicly by means of a digital audio transmission the Work including as incorporated in Collective Works; d. to distribute copies or phonorecords of, display publicly, perform publicly, and perform publicly by means of a digital audio transmission Derivative Works. e. For the avoidance of doubt, where the work is a musical composition: i. Performance Royalties Under Blanket Licenses. Licensor waives the exclusive right to collect, whether individually or via a performance rights society (e.g. ASCAP, BMI, SESAC), royalties for the public performance or public digital performance (e.g. webcast) of the Work. ii. Mechanical Rights and Statutory Royalties. 
Licensor waives the exclusive right to collect, whether individually or via a music rights society or designated agent (e.g. Harry Fox Agency), royalties for any phonorecord You create from the Work ("cover version") and distribute, subject to the compulsory license created by 17 USC Section 115 of the US Copyright Act (or the equivalent in other jurisdictions). f. Webcasting Rights and Statutory Royalties. For the avoidance of doubt, where the Work is a sound recording, Licensor waives the exclusive right to collect, whether individually or via a performance-rights society (e.g. SoundExchange), royalties for the public digital performance (e.g. webcast) of the Work, subject to the compulsory license created by 17 USC Section 114 of the US Copyright Act (or the equivalent in other jurisdictions). The above rights may be exercised in all media and formats whether now known or hereafter devised. The above rights include the right to make such modifications as are technically necessary to exercise the rights in other media and formats. All rights not expressly granted by Licensor are hereby reserved. 4. Restrictions. The license granted in Section 3 above is expressly made subject to and limited by the following restrictions: a. You may distribute, publicly display, publicly perform, or publicly digitally perform the Work only under the terms of this License, and You must include a copy of, or the Uniform Resource Identifier for, this License with every copy or phonorecord of the Work You distribute, publicly display, publicly perform, or publicly digitally perform. You may not offer or impose any terms on the Work that alter or restrict the terms of this License or the recipients' exercise of the rights granted hereunder. You may not sublicense the Work. You must keep intact all notices that refer to this License and to the disclaimer of warranties. 
You may not distribute, publicly display, publicly perform, or publicly digitally perform the Work with any technological measures that control access or use of the Work in a manner inconsistent with the terms of this License Agreement. The above applies to the Work as incorporated in a Collective Work, but this does not require the Collective Work apart from the Work itself to be made subject to the terms of this License. If You create a Collective Work, upon notice from any Licensor You must, to the extent practicable, remove from the Collective Work any credit as required by clause 4(c), as requested. If You create a Derivative Work, upon notice from any Licensor You must, to the extent practicable, remove from the Derivative Work any credit as required by clause 4(c), as requested. b. You may distribute, publicly display, publicly perform, or publicly digitally perform a Derivative Work only under the terms of this License, a later version of this License with the same License Elements as this License, or a Creative Commons iCommons license that contains the same License Elements as this License (e.g. Attribution-ShareAlike 2.5 Japan). You must include a copy of, or the Uniform Resource Identifier for, this License or other license specified in the previous sentence with every copy or phonorecord of each Derivative Work You distribute, publicly display, publicly perform, or publicly digitally perform. You may not offer or impose any terms on the Derivative Works that alter or restrict the terms of this License or the recipients' exercise of the rights granted hereunder, and You must keep intact all notices that refer to this License and to the disclaimer of warranties. You may not distribute, publicly display, publicly perform, or publicly digitally perform the Derivative Work with any technological measures that control access or use of the Work in a manner inconsistent with the terms of this License Agreement. 
The above applies to the Derivative Work as incorporated in a Collective Work, but this does not require the Collective Work apart from the Derivative Work itself to be made subject to the terms of this License. c. If you distribute, publicly display, publicly perform, or publicly digitally perform the Work or any Derivative Works or Collective Works, You must keep intact all copyright notices for the Work and provide, reasonable to the medium or means You are utilizing: (i) the name of the Original Author (or pseudonym, if applicable) if supplied, and/or (ii) if the Original Author and/or Licensor designate another party or parties (e.g. a sponsor institute, publishing entity, journal) for attribution in Licensor's copyright notice, terms of service or by other reasonable means, the name of such party or parties; the title of the Work if supplied; to the extent reasonably practicable, the Uniform Resource Identifier, if any, that Licensor specifies to be associated with the Work, unless such URI does not refer to the copyright notice or licensing information for the Work; and in the case of a Derivative Work, a credit identifying the use of the Work in the Derivative Work (e.g., "French translation of the Work by Original Author," or "Screenplay based on original Work by Original Author"). Such credit may be implemented in any reasonable manner; provided, however, that in the case of a Derivative Work or Collective Work, at a minimum such credit will appear where any other comparable authorship credit appears and in a manner at least as prominent as such other comparable authorship credit. 5. 
Representations, Warranties and Disclaimer UNLESS OTHERWISE AGREED TO BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE MATERIALS, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU. 6. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 7. Termination a. This License and the rights granted hereunder will terminate automatically upon any breach by You of the terms of this License. Individuals or entities who have received Derivative Works or Collective Works from You under this License, however, will not have their licenses terminated provided such individuals or entities remain in full compliance with those licenses. Sections 1, 2, 5, 6, 7, and 8 will survive any termination of this License. b. Subject to the above terms and conditions, the license granted here is perpetual (for the duration of the applicable copyright in the Work). Notwithstanding the above, Licensor reserves the right to release the Work under different license terms or to stop distributing the Work at any time; provided, however that any such election will not serve to withdraw this License (or any other license that has been, or is required to be, granted under the terms of this License), and this License will continue in full force and effect unless terminated as stated above. 8. Miscellaneous a. 
Each time You distribute or publicly digitally perform the Work or a Collective Work, the Licensor offers to the recipient a license to the Work on the same terms and conditions as the license granted to You under this License. b. Each time You distribute or publicly digitally perform a Derivative Work, Licensor offers to the recipient a license to the original Work on the same terms and conditions as the license granted to You under this License. c. If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this License, and without further action by the parties to this agreement, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable. d. No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent shall be in writing and signed by the party to be charged with such waiver or consent. e. This License constitutes the entire agreement between the parties with respect to the Work licensed here. There are no understandings, agreements or representations with respect to the Work not specified here. Licensor shall not be bound by any additional provisions that may appear in any communication from You. This License may not be modified without the mutual written agreement of the Licensor and You. Creative Commons is not a party to this License, and makes no warranty whatsoever in connection with the Work. Creative Commons will not be liable to You or any party on any legal theory for any damages whatsoever, including without limitation any general, special, incidental or consequential damages arising in connection to this license. Notwithstanding the foregoing two (2) sentences, if Creative Commons has expressly identified itself as the Licensor hereunder, it shall have all rights and obligations of Licensor. 
Except for the limited purpose of indicating to the public that the Work is licensed under the CCPL, neither party will use the trademark "Creative Commons" or any related trademark or logo of Creative Commons without the prior written consent of Creative Commons. Any permitted use will be in compliance with Creative Commons' then-current trademark usage guidelines, as may be published on its website or otherwise made available upon request from time to time. Creative Commons may be contacted at http://creativecommons.org/.