Chinaunix首页 | 论坛 | 博客
  • 博客访问: 556368
  • 博文数量: 114
  • 博客积分: 5611
  • 博客等级: 大校
  • 技术积分: 1027
  • 用 户 组: 普通用户
  • 注册时间: 2007-04-19 08:55
文章分类

全部博文(114)

文章存档

2011年(29)

2010年(20)

2009年(1)

2008年(11)

2007年(53)

分类: LINUX

2010-06-08 10:49:18

L7-filter Supported Protocols

Below is the list of supported protocols. Note that most of the protocols are listed as needing more testing. We need your help (yes, you!) to do this. Simply reporting on how patterns are working for you is helpful. The easiest way to do this is to follow the links by patterns you use. On the wiki, post your results in the l7-filter section of each page. You can also post to l7-filter-developers(@)lists(.)sf(.)net (you must subscribe first).

To help add support for more protocols, see the .

Key to symbols

Quality

The "quality" gives a rough idea of how well the pattern works. This is a conglomerate measure of several things, including (1) how well the protocol is understood (2) how much the pattern has been tested (3) in what variety of situations the pattern has been tested and (4) what fraction of identifiable traffic is identified correctly. For details, read the pattern file or the entry.

  • [great] Great: Works.
  • [good] Good: Works as far as we know.
  • [ok] Ok: Probably works.
  • [marginal] Marginal: Might work, might not.
  • [poor] Poor: Probably doesn't work.

Speed

The protocol package includes a tool for testing pattern performance. It tests them against 122 samples of actual network data (as of the 2009-05-19 release) 100,000 times each. The following times are for a 2 GHz Opteron.

The first speed shown for a pattern in the tables below is the speed when used in the kernel (with the old V8 regular expression library). The second is the speed when used in userspace (with the modern GNU library). Note that the userspace version has a smaller spread of speeds. That is, its slowest patterns are faster and its fastest patterns are slower than the kernel version.

  • [very
fast] Very fast: 0.8–3 seconds.
  • [fast] Fast: 3–10 seconds.
  • [not
so fast] Not so fast: 10–100 seconds.
  • [slow] Slow: >100 seconds (worst as of this writing was 1750s for the kernel library and 100s for the userspace library).

Other notes

  • [overmatch] Overmatching pattern: It is either hard or impossible to write a pattern for this protocol that reliably matches only the intended protocol. In other words, use of this pattern is likely to yield false positives, so you should probably only use it in conjunction with other matches, such as port or IP number. See the comments in the pattern file and/or wiki for specifics.
  • [undermatch] Undermatching pattern: It is either hard or impossible to write a pattern for this protocol that matches all connections. For example, in a P2P protocol, it may only be able to match search requests, but not file transfers in. (However, P2P protocol patterns are not considered to undermatch as long as they match downloads.) See the comments in the pattern file and/or wiki for specifics.
  • [superset] Superset: This pattern matches traffic which is a superset of the traffic that some other patterns match. If it is ahead of one of these patterns in your iptables rules, the other patterns will never match. See the pattern file for which other patterns are involved.
  • [subset] Subset: This pattern matches traffic which is a subset of the traffic matched by some other pattern.

Groups

Protocols are marked as being in one or more "groups". Some groups refer to what sort of purpose each protocol has. These allow front-ends to treat a set of protocols in the same way without requiring the user to select (or know about) each individual protocol. For instance, an application could have a checkbox for "VoIP" rather than one for Skype, one for H.323, etc..

Other groups indicate whether a protocol is documented in an IETF RFC, whether it is standardized by any official body, a non-standard but used primarily by open source programs, or proprietary. Among other things, this is supposed to give some idea of how volatile these protocols are likely to be. IETF standards are highly unlikely to change behavior and break l7-filter's patterns suddenly. (Although if programs misimplement them, anything can happen.) Open source non-standardized protocols are somewhat more likely to change abruptly, but changes are likely to be publically documented and, of course, the source code can be read to learn about them as a last resort. Proprietary protocols can change at any time without warning. The nature of the changes may be a closely kept secret.

Not all groups that exist in the pattern files have icons shown on this page. Also, just because a protocol is not listed as being in a group does not mean that it is specifically excluded from that group. For instance, not every protocol without "secure" is insecure. We invite you to make the groups more complete by sending corrections/additions to our mailing list.

  • [P2P] P2P
  • [VoIP] VoIP
  • [Streaming 
video] Streaming video
  • [Streaming audio] Streaming audio
  • [Chat] Chat
  • [Game] Game
  • [Document retrieval] Document retrieval
  • [Networking] Networking
  • [Mail] Mail
  • [File] File
  • [Printer] Printer
  • [Remote access] Remote access
  • [Time synchronization] Time synchronization
  • [Version control] Version control
  • [Monitoring] Monitoring
  • [Secure] Secure
  • [Obsolete] Obsolete
  • [IETF proposed standard] IETF proposed standard
  • [IETF draft standard] IETF draft standard
  • [IETF standard] IETF standard
  • [ Non-standards track RFC'd]  Non-standards track RFC'd
  • [Other standard] Other standard
  • [Open source] Open source
  • [Proprietary] Proprietary

Protocols

The pattern name is what you must use when issuing l7-filter commands. The names below link to the pattern files. Select column headings to sort.

bad third line in replaytv-ivs.pat
wikinotesdescription
[very fast] [fast] ok [P2P]
100bao - a Chinese P2P protocol/program -
[slow] [not
 so fast] good [Chat][Proprietary]
AIM - AOL instant messenger (OSCAR and TOC)
[not so fast] [not so fast] good [Chat][Document retrieval][Proprietary]
AIM web content - ads/news content downloaded by AOL Instant Messenger
[very fast] [fast] great [P2P]
Apple Juice - P2P filesharing -
[very fast] [fast] good [P2P][Open source]undermatch Ares - P2P filesharing -
[slow] [not
 so fast] good [Open source][Game]
Armagetron Advanced - open source Tron/snake based multiplayer game
[very fast] [fast] ok [Game][Proprietary]
Battlefield 1942 - An EA game
[slow] [not
 so fast] ok [Game][Proprietary]
Battlefield 2 - An EA game.
[fast] [fast] ok [Proprietary][Game]
Battlefield 2142 - An EA game.
[very fast] [fast] ok [Networking][IETF draft standard]
BGP - Border Gateway Protocol - RFC 1771
[fast] [fast] good [Mail]undermatch overmatch Biff - new mail notification
[slow] [not
 so fast] good [P2P][Open source]undermatch Bittorrent - P2P filesharing / publishing tool -
[fast] [fast] good [Proprietary][Chat]superset Chikka - SMS service which can be used without phones -
[not so fast] [not so fast] good [Proprietary][Chat]subset Computer Interface to Message Distribution, an SMSC protocol by Nokia
[very fast] [fast] ok [Remote access][Proprietary]
Cisco VPN - VPN client software to a Cisco VPN server
[not so fast] [not so fast] marginal [Remote access][Proprietary]
Citrix ICA - proprietary remote desktop application -
[very fast] [fast] good [Game][Proprietary]
Counterstrike (using the new "Source" engine) - network game
[very fast] [fast] good [Version control][Open source]
CVS - Concurrent Versions System
[very fast] [fast] good [Game][Proprietary]
Day of Defeat: Source - game (Half-Life 2 mod) -
[fast] [fast] ok

Dazhihui - stock analysis and trading; Chinese -
[very fast] [fast] good [Networking][IETF draft standard]
DHCP - Dynamic Host Configuration Protocol - RFC 1541
[fast] [fast] good [P2P]
Direct Connect - P2P filesharing -
[slow] [fast] great [Networking][IETF standard]
DNS - Domain Name System - RFC 1035
[very fast] [fast] good [Game][Proprietary]
Doom 3 - computer game
[fast] [fast] good [P2P]overmatch eDonkey2000 - P2P filesharing - and others
[slow] [not
 so fast] good [P2P]
FastTrack - P2P filesharing (Kazaa, Morpheus, iMesh, Grokster, etc)
[slow] [slow] good [IETF draft standard]undermatch overmatch Finger - User information server - RFC 1288
[very fast] [fast] poor [P2P][Document retrieval][Open source]
Freenet - Anonymous information retrieval -
[not so fast] [fast] great [Document retrieval][IETF standard]
FTP - File Transfer Protocol - RFC 959
[very fast] [fast] great [Monitoring][Open source]
Gkrellm - a system monitor -
[not so fast] [not so fast] good [P2P][Open source]
GnucleusLAN - LAN-only P2P filesharing
[not so fast] [not so fast] good [P2P][Open source]
Gnutella - P2P filesharing
[slow] [not
 so fast] marginal [P2P]
GoBoogy - a Korean P2P protocol
[slow] [not
 so fast] good [Document retrieval][Obsolete][ Non-standards track RFC'd]undermatch Gopher - A precursor to HTTP - RFC 1436
[very fast] [fast] marginal [Game][Proprietary]
Guild Wars - online game -
[very fast] [fast] ok [VoIP][Other standard]
H.323 - Voice over IP.
[very fast] [fast] good [Game][Proprietary]
Half-Life 2 Deathmatch - popular computer game
[very fast] [fast] great [Monitoring][Open source]
hddtemp - Hard drive temperature reporting
[fast] [fast] marginal [P2P]
Hotline - An old P2P filesharing protocol
[not so fast] [fast] ok [Streaming audio][Streaming video][IETF draft standard]subset RTSP tunneled within HTTP
[slow] [not
 so fast] great [Document retrieval][IETF draft standard]superset HTTP - HyperText Transfer Protocol - RFC 2616
[fast] [fast] good [Networking][IETF proposed standard]
Ident - Identification Protocol - RFC 1413
[fast] [fast] great [Mail][IETF proposed standard]
IMAP - Internet Message Access Protocol (A common e-mail protocol)
[fast] [not
 so fast] ok [P2P]
iMesh - the native protocol of iMesh, a P2P application -
[not so fast] [not so fast] good [Printer][IETF proposed standard]
IP printing - a new standard for UNIX printing - RFC 2911
[fast] [fast] great [Chat][IETF proposed standard]
IRC - Internet Relay Chat - RFC 1459
[not so fast] [not so fast] good [Chat][IETF proposed standard]
Jabber (XMPP) - open instant messenger protocol - RFC 3920 -
[fast] [fast] ok [P2P]
KuGoo - a Chinese P2P program -
[not so fast] [not so fast] marginal [Streaming audio]
live365 - An Internet radio site -
[fast] [fast] poor [Game][Proprietary]
Live For Speed - A racing game.
[fast] [fast] ok [Printer][ Non-standards track RFC'd]
LPD - Line Printer Daemon Protocol (old-style UNIX printing) - RFC 1179
[very fast] [fast] good [Game][Proprietary]
Medal of Honor Allied Assault - an Electronic Arts game
[fast] [fast] good [Chat][Document retrieval][Proprietary]
MSN (Micosoft Network) Messenger file transfers (MSNFTP and MSNSLP)
[slow] [not
 so fast] good [Chat][Proprietary]
MSN Messenger - Microsoft Network chat client
[fast] [fast] marginal [P2P][Open source]
MUTE - P2P filesharing -
[fast] [fast] good [P2P]
Napster - P2P filesharing
[slow] [not
 so fast] good [Networking][Proprietary]
NBNS - NetBIOS name service
[fast] [fast] good [Networking][Proprietary]
NCP - Novell Core Protocol
[not so fast] [not so fast] marginal [Networking][IETF standard][Proprietary]
NetBIOS - Network Basic Input Output System
[fast] [fast] good [IETF proposed standard]
NNTP - Network News Transfer Protocol - RFCs 977 and 2980
[fast] [fast] good [Time synchronization][IETF draft standard]overmatch (S)NTP - (Simple) Network Time Protocol - RFCs 1305 and 2030
[not so fast] [not so fast] good [P2P][Open source]
OpenFT - P2P filesharing (implemented in giFT library)
[very fast] [fast] marginal [Remote access][Proprietary]
pcAnywhere - Symantec remote access program
[very fast] [fast] ok [P2P]
POCO and PP365 - Chinese P2P filesharing -
[fast] [fast] great [Mail][IETF standard]
POP3 - Post Office Protocol version 3 (popular e-mail protocol) - RFC 1939
[not so fast] [not so fast] ok [P2P][Streaming 
video][Proprietary]
PPLive - Chinese P2P streaming video -
[not so fast] [fast] good [Chat]
Tencent QQ Protocol - Chinese instant messenger protocol -
[very fast] [fast] good [Game][Proprietary]
Half Life 1 engine games (HL 1, Quake 2/3/World, Counterstrike 1.6, etc.)
[very fast] [fast] marginal [Game][Proprietary]
Quake 1 - A popular computer game.
[very fast] [fast] ok [Remote access][Proprietary]
Famatech Remote Administrator - remote desktop for MS Windows
[not so fast] [not so fast] ok [Remote access][Proprietary]
RDP - Remote Desktop Protocol (used in Windows Terminal Services)
[fast] [fast] good

ReplayTV Internet Video Sharing - Digital Video Recorder -
[fast] [fast] ok [Remote access][ Non-standards track RFC'd]
rlogin - remote login - RFC 1282
[fast] [fast] ok [Streaming video][IETF standard]undermatch overmatch RTP - Real-time Transport Protocol - RFC 3550
[not so fast] [not so fast] good [Streaming video][IETF proposed standard]
RTSP - Real Time Streaming Protocol - - RFC 2326
[very fast] [fast] ok [Game][Proprietary]
Runes of Magic - game -
[slow] [not
 so fast] good [Streaming audio]
Shoutcast and Icecast - streaming audio
[fast] [fast] good [VoIP][IETF proposed standard]
SIP - Session Initiation Protocol - Internet telephony - RFC 3261, 3265, etc.
[slow] [not
 so fast] ok [VoIP][P2P][Proprietary]overmatch Skype to phone - UDP voice call (program to POTS phone) -
[very fast] [fast] ok [VoIP][P2P][Proprietary]overmatch Skype to Skype - UDP voice call (program to program) -
[fast] [not
 so fast] good [Document retrieval][Networking][Proprietary]
Samba/SMB - Server Message Block - Microsoft Windows filesharing
[not so fast] [fast] great [Mail][IETF standard]
SMTP - Simple Mail Transfer Protocol - RFC 2821 (See also RFC 1869)
[very fast] [fast] good [Networking][IETF standard]superset SNMP - Simple Network Management Protocol - RFC 1157
[not so fast] [not so fast] good [Networking][IETF proposed standard]
SOCKS Version 5 - Firewall traversal protocol - RFC 1928
[slow] [not
 so fast] good [P2P]
Soribada - A Korean P2P filesharing program/protocol -
[fast] [fast] good [P2P]
Soulseek - P2P filesharing -
[slow] [not
 so fast] good [Networking][IETF draft standard]
SSDP - Simple Service Discovery Protocol - easy discovery of network devices
[very fast] [fast] great [Remote access][Secure][IETF draft standard]
SSH - Secure SHell
[not so fast] [fast] good [Secure][IETF proposed standard]superset SSL and TLS - Secure Socket Layer / Transport Layer Security - RFC 2246
[very fast] [fast] ok [Networking][IETF proposed standard]
STUN - Simple Traversal of UDP Through NAT - RFC 3489
[very fast] [fast] marginal [Game]
Subspace - 2D asteroids-style space game -
[very fast] [fast] ok [Version control][Open source]
Subversion - a version control system
[very fast] [fast] good [Game][Proprietary]
Team Fortress 2 - network game -
[very fast] [fast] good [VoIP][Proprietary]
TeamSpeak - VoIP application -
[very fast] [fast] good [Remote access][Obsolete][IETF standard]
Telnet - Insecure remote login - RFC 854
[slow] [not
 so fast] marginal [P2P]
Tesla Advanced Communication - P2P filesharing (?)
[fast] [fast] marginal [Document retrieval][IETF standard]
TFTP - Trivial File Transfer Protocol - used for bootstrapping - RFC 1350
[very fast] [fast] ok [P2P][Open source]
The Circle - P2P application -
[fast] [fast] ok

Tonghuashun - stock analysis and trading; Chinese -
[not so fast] [not so fast] good [Networking]
Tor - The Onion Router - used for anonymization -
[very fast] [fast] good [Time synchronization][Open source]overmatch TSP - Berkely UNIX Time Synchronization Protocol
[very fast] [fast] ok [Document retrieval][Obsolete]
UUCP - Unix to Unix Copy
[slow] [not
 so fast] good [Secure][IETF proposed standard]subset Valid certificate SSL
[fast] [fast] good [VoIP][Proprietary]
Ventrilo - VoIP -
[very fast] [fast] great [Remote access]
VNC - Virtual Network Computing. Also known as RFB - Remote Frame Buffer
[not so fast] [not so fast] good [Networking][IETF draft standard]overmatch Whois - query/response system, usually used for domain name info - RFC 3912
[very fast] [fast] ok [Game][Proprietary]
World of Warcraft - popular network game -
[not so fast] [very fast] good [Remote access][Other standard]
X Windows Version 11 - Networked GUI system used in most Unices
[slow] [not
 so fast] marginal [Game][Proprietary]
XBox Live - Console gaming
[slow] [not
 so fast] good [P2P]
Xunlei - Chinese P2P filesharing -
[fast] [fast] good [Chat][Proprietary]
Yahoo messenger - an instant messenger protocol -
[very fast] [fast] ok [Networking][IETF draft standard]
ZMAAP - Zeroconf Multicast Address Allocation Protocol

Extra

These patterns were judged to be of lesser general interest than those above.

wikinotesdescription
[fast] [fast] ok [P2P][Obsolete]
Audiogalaxy - (defunct) Peer to Peer filesharing
[very fast] [fast] good [Chat][IETF proposed standard]subset GTalk, a Jabber (XMPP) client
[not so fast] [not so fast] good [Document retrieval][IETF draft standard]subset HTTP by Download Accelerator Plus -
[not so fast] [not so fast] good [Document retrieval][IETF draft standard]subset HTTP by Fresh Download - http://www.freshdevices.com
[not so fast] [not so fast] good [Streaming audio][IETF draft standard]subset HTTP - iTunes (Apple's music program)
[not so fast] [not so fast] good [Streaming audio][Document retrieval][IETF draft standard]subset HTTP - Audio over HyperText Transfer Protocol (RFC 2616)
[not so fast] [not so fast] good [Document retrieval][IETF draft standard]subset HTTP - Proxy Cache hit for HyperText Transfer Protocol (RFC 2616)
[not so fast] [not so fast] good [Document retrieval][IETF draft standard]subset HTTP - Proxy Cache miss for HyperText Transfer Protocol (RFC 2616)
[not so fast] [not so fast] good [Streaming video][Document retrieval][IETF draft standard]subset HTTP - Video over HyperText Transfer Protocol (RFC 2616)
[not so fast] [not so fast] ok [Document retrieval][Obsolete][Proprietary]
pressplay - A legal music distribution site -
[not so fast] [not so fast] good [Streaming video][Streaming audio][IETF draft standard]subset Quicktime HTTP
[very fast] [fast] good [Networking][IETF standard]subset SNMP Monitoring - Simple Network Management Protocol (RFC1157)
[very fast] [fast] good [Networking][IETF standard]subset SNMP Traps - Simple Network Management Protocol (RFC1157)

File Types

This category of patterns is for file types. This sort of matching is not the focus of l7-filter, but it can be done in some cases. It requires some extra set up, so read the .

wikinotesdescription

[not so fast] [not so fast] good [File]subset Executable - Microsoft PE file format.

[slow] [not
 so fast] good [File]subset Flash - Macromedia Flash.

[not so fast] [not so fast] good [File]subset GIF - Popular Image format.

[fast] [not
 so fast] good [File]subset (X)HTML - (Extensible) Hypertext Markup Language -

[fast] [not
 so fast] ok [File]subset JPEG - Joint Picture Expert Group image format.

[not so fast] [not so fast] good [File]subset MP3 - Moving Picture Experts Group Audio Layer III

[not so fast] [not so fast] ok [File]subset Ogg - Ogg Vorbis music format (not any ogg file, just vorbis)

[fast] [not
 so fast] good [File]subset PDF - Portable Document Format - Postscript-like format by Adobe

[fast] [not
 so fast] good [File]subset Perl - A scripting language by Larry Wall.

[fast] [not
 so fast] good [File]subset PNG - Portable Network Graphics, a popular image format

[fast] [not
 so fast] good [File]subset Postscript - Printing Language

[not so fast] [not so fast] good [File]subset RAR - The WinRAR archive format

[fast] [not
 so fast] good [File]subset RPM - Redhat Package Management packages

[fast] [not
 so fast] good [File]subset RTF - Rich Text Format - an open document format

[not so fast] [not so fast] good [File]subset Tar - tape archive. Standard UNIX file archiver, not just for tapes.

[not so fast] [not so fast] good [File]subset ZIP - (PK|Win)Zip archive format

Malware

This category is for worms, viruses, and anything else that uses the network to bother us. It doesn't appear that there is much demand for this functionality, but in case it interests you, this is a proof-of-concept. .

wikinotesdescription
[fast] [not
 so fast] ok
subset Code Red - a worm that attacks Microsoft IIS web servers
[not so fast] [not so fast] ok
subset Nimda - a worm that attacks Microsoft IIS web servers, and MORE!
阅读(2510) | 评论(0) | 转发(0) |
0

上一篇:squid的mysar实现

下一篇:SecureCRT 代码着色

给主人留下些什么吧!~~