分类: LINUX
2010-06-08 10:49:18
Below is the list of supported protocols. Note that most of the protocols are listed as needing more testing. We need your help (yes, you!) to do this. Simply reporting on how patterns are working for you is helpful. The easiest way to do this is to follow the links by patterns you use. On the wiki, post your results in the l7-filter section of each page. You can also post to l7-filter-developers(@)lists(.)sf(.)net (you must subscribe first).
To help add support for more protocols, see the .
The "quality" gives a rough idea of how well the pattern works. This is a conglomerate measure of several things, including (1) how well the protocol is understood (2) how much the pattern has been tested (3) in what variety of situations the pattern has been tested and (4) what fraction of identifiable traffic is identified correctly. For details, read the pattern file or the entry.
The protocol package includes a tool for testing pattern performance. It tests them against 122 samples of actual network data (as of the 2009-05-19 release) 100,000 times each. The following times are for a 2 GHz Opteron.
The first speed shown for a pattern in the tables below is the speed when used in the kernel (with the old V8 regular expression library). The second is the speed when used in userspace (with the modern GNU library). Note that the userspace version has a smaller spread of speeds. That is, its slowest patterns are faster and its fastest patterns are slower than the kernel version.
Protocols are marked as being in one or more "groups". Some groups refer to what sort of purpose each protocol has. These allow front-ends to treat a set of protocols in the same way without requiring the user to select (or know about) each individual protocol. For instance, an application could have a checkbox for "VoIP" rather than one for Skype, one for H.323, etc..
Other groups indicate whether a protocol is documented in an IETF RFC, whether it is standardized by any official body, a non-standard but used primarily by open source programs, or proprietary. Among other things, this is supposed to give some idea of how volatile these protocols are likely to be. IETF standards are highly unlikely to change behavior and break l7-filter's patterns suddenly. (Although if programs misimplement them, anything can happen.) Open source non-standardized protocols are somewhat more likely to change abruptly, but changes are likely to be publically documented and, of course, the source code can be read to learn about them as a last resort. Proprietary protocols can change at any time without warning. The nature of the changes may be a closely kept secret.
Not all groups that exist in the pattern files have icons shown on this page. Also, just because a protocol is not listed as being in a group does not mean that it is specifically excluded from that group. For instance, not every protocol without "secure" is insecure. We invite you to make the groups more complete by sending corrections/additions to our mailing list.
The pattern name is what you must use when issuing l7-filter commands. The names below link to the pattern files. Select column headings to sort.
bad third line in replaytv-ivs.pat| wiki | notes | description | ||||
|---|---|---|---|---|---|---|
| 100bao - a Chinese P2P protocol/program - | ||||||
| AIM - AOL instant messenger (OSCAR and TOC) | ||||||
| AIM web content - ads/news content downloaded by AOL Instant Messenger | ||||||
| Apple Juice - P2P filesharing - | ||||||
| Ares - P2P filesharing - | ||||||
| Armagetron Advanced - open source Tron/snake based multiplayer game | ||||||
| Battlefield 1942 - An EA game | ||||||
| Battlefield 2 - An EA game. | ||||||
| Battlefield 2142 - An EA game. | ||||||
| BGP - Border Gateway Protocol - RFC 1771 | ||||||
| Biff - new mail notification | ||||||
| Bittorrent - P2P filesharing / publishing tool - | ||||||
| Chikka - SMS service which can be used without phones - | ||||||
| Computer Interface to Message Distribution, an SMSC protocol by Nokia | ||||||
| Cisco VPN - VPN client software to a Cisco VPN server | ||||||
| Citrix ICA - proprietary remote desktop application - | ||||||
| Counterstrike (using the new "Source" engine) - network game | ||||||
| CVS - Concurrent Versions System | ||||||
| Day of Defeat: Source - game (Half-Life 2 mod) - | ||||||
| Dazhihui - stock analysis and trading; Chinese - | ||||||
| DHCP - Dynamic Host Configuration Protocol - RFC 1541 | ||||||
| Direct Connect - P2P filesharing - | ||||||
| DNS - Domain Name System - RFC 1035 | ||||||
| Doom 3 - computer game | ||||||
| eDonkey2000 - P2P filesharing - and others | ||||||
| FastTrack - P2P filesharing (Kazaa, Morpheus, iMesh, Grokster, etc) | ||||||
| Finger - User information server - RFC 1288 | ||||||
| Freenet - Anonymous information retrieval - | ||||||
| FTP - File Transfer Protocol - RFC 959 | ||||||
| Gkrellm - a system monitor - | ||||||
| GnucleusLAN - LAN-only P2P filesharing | ||||||
| Gnutella - P2P filesharing | ||||||
| GoBoogy - a Korean P2P protocol | ||||||
| Gopher - A precursor to HTTP - RFC 1436 | ||||||
| Guild Wars - online game - | ||||||
| H.323 - Voice over IP. | ||||||
| Half-Life 2 Deathmatch - popular computer game | ||||||
| hddtemp - Hard drive temperature reporting | ||||||
| Hotline - An old P2P filesharing protocol | ||||||
| RTSP tunneled within HTTP | ||||||
| HTTP - HyperText Transfer Protocol - RFC 2616 | ||||||
| Ident - Identification Protocol - RFC 1413 | ||||||
| IMAP - Internet Message Access Protocol (A common e-mail protocol) | ||||||
| iMesh - the native protocol of iMesh, a P2P application - | ||||||
| IP printing - a new standard for UNIX printing - RFC 2911 | ||||||
| IRC - Internet Relay Chat - RFC 1459 | ||||||
| Jabber (XMPP) - open instant messenger protocol - RFC 3920 - | ||||||
| KuGoo - a Chinese P2P program - | ||||||
| live365 - An Internet radio site - | ||||||
| Live For Speed - A racing game. | ||||||
| LPD - Line Printer Daemon Protocol (old-style UNIX printing) - RFC 1179 | ||||||
| Medal of Honor Allied Assault - an Electronic Arts game | ||||||
| MSN (Micosoft Network) Messenger file transfers (MSNFTP and MSNSLP) | ||||||
| MSN Messenger - Microsoft Network chat client | ||||||
| MUTE - P2P filesharing - | ||||||
| Napster - P2P filesharing | ||||||
| NBNS - NetBIOS name service | ||||||
| NCP - Novell Core Protocol | ||||||
| NetBIOS - Network Basic Input Output System | ||||||
| NNTP - Network News Transfer Protocol - RFCs 977 and 2980 | ||||||
| (S)NTP - (Simple) Network Time Protocol - RFCs 1305 and 2030 | ||||||
| OpenFT - P2P filesharing (implemented in giFT library) | ||||||
| pcAnywhere - Symantec remote access program | ||||||
| POCO and PP365 - Chinese P2P filesharing - | ||||||
| POP3 - Post Office Protocol version 3 (popular e-mail protocol) - RFC 1939 | ||||||
| PPLive - Chinese P2P streaming video - | ||||||
| Tencent QQ Protocol - Chinese instant messenger protocol - | ||||||
| Half Life 1 engine games (HL 1, Quake 2/3/World, Counterstrike 1.6, etc.) | ||||||
| Quake 1 - A popular computer game. | ||||||
| Famatech Remote Administrator - remote desktop for MS Windows | ||||||
| RDP - Remote Desktop Protocol (used in Windows Terminal Services) | ||||||
| ReplayTV Internet Video Sharing - Digital Video Recorder - | ||||||
| rlogin - remote login - RFC 1282 | ||||||
| RTP - Real-time Transport Protocol - RFC 3550 | ||||||
| RTSP - Real Time Streaming Protocol - - RFC 2326 | ||||||
| Runes of Magic - game - | ||||||
| Shoutcast and Icecast - streaming audio | ||||||
| SIP - Session Initiation Protocol - Internet telephony - RFC 3261, 3265, etc. | ||||||
| Skype to phone - UDP voice call (program to POTS phone) - | ||||||
| Skype to Skype - UDP voice call (program to program) - | ||||||
| Samba/SMB - Server Message Block - Microsoft Windows filesharing | ||||||
| SMTP - Simple Mail Transfer Protocol - RFC 2821 (See also RFC 1869) | ||||||
| SNMP - Simple Network Management Protocol - RFC 1157 | ||||||
| SOCKS Version 5 - Firewall traversal protocol - RFC 1928 | ||||||
| Soribada - A Korean P2P filesharing program/protocol - | ||||||
| Soulseek - P2P filesharing - | ||||||
| SSDP - Simple Service Discovery Protocol - easy discovery of network devices | ||||||
| SSH - Secure SHell | ||||||
| SSL and TLS - Secure Socket Layer / Transport Layer Security - RFC 2246 | ||||||
| STUN - Simple Traversal of UDP Through NAT - RFC 3489 | ||||||
| Subspace - 2D asteroids-style space game - | ||||||
| Subversion - a version control system | ||||||
| Team Fortress 2 - network game - | ||||||
| TeamSpeak - VoIP application - | ||||||
| Telnet - Insecure remote login - RFC 854 | ||||||
| Tesla Advanced Communication - P2P filesharing (?) | ||||||
| TFTP - Trivial File Transfer Protocol - used for bootstrapping - RFC 1350 | ||||||
| The Circle - P2P application - | ||||||
| Tonghuashun - stock analysis and trading; Chinese - | ||||||
| Tor - The Onion Router - used for anonymization - | ||||||
| TSP - Berkely UNIX Time Synchronization Protocol | ||||||
| UUCP - Unix to Unix Copy | ||||||
| Valid certificate SSL | ||||||
| Ventrilo - VoIP - | ||||||
| VNC - Virtual Network Computing. Also known as RFB - Remote Frame Buffer | ||||||
| Whois - query/response system, usually used for domain name info - RFC 3912 | ||||||
| World of Warcraft - popular network game - | ||||||
| X Windows Version 11 - Networked GUI system used in most Unices | ||||||
| XBox Live - Console gaming | ||||||
| Xunlei - Chinese P2P filesharing - | ||||||
| Yahoo messenger - an instant messenger protocol - | ||||||
| ZMAAP - Zeroconf Multicast Address Allocation Protocol |
These patterns were judged to be of lesser general interest than those above.
| wiki | notes | description | ||||
|---|---|---|---|---|---|---|
| Audiogalaxy - (defunct) Peer to Peer filesharing | ||||||
| GTalk, a Jabber (XMPP) client | ||||||
| HTTP by Download Accelerator Plus - | ||||||
| HTTP by Fresh Download - http://www.freshdevices.com | ||||||
| HTTP - iTunes (Apple's music program) | ||||||
| HTTP - Audio over HyperText Transfer Protocol (RFC 2616) | ||||||
| HTTP - Proxy Cache hit for HyperText Transfer Protocol (RFC 2616) | ||||||
| HTTP - Proxy Cache miss for HyperText Transfer Protocol (RFC 2616) | ||||||
| HTTP - Video over HyperText Transfer Protocol (RFC 2616) | ||||||
| pressplay - A legal music distribution site - | ||||||
| Quicktime HTTP | ||||||
| SNMP Monitoring - Simple Network Management Protocol (RFC1157) | ||||||
| SNMP Traps - Simple Network Management Protocol (RFC1157) |
This category of patterns is for file types. This sort of matching is not the focus of l7-filter, but it can be done in some cases. It requires some extra set up, so read the .
| wiki | notes | description | ||||
|---|---|---|---|---|---|---|
| Executable - Microsoft PE file format. | ||||||
| Flash - Macromedia Flash. | ||||||
| GIF - Popular Image format. | ||||||
| (X)HTML - (Extensible) Hypertext Markup Language - | ||||||
| JPEG - Joint Picture Expert Group image format. | ||||||
| MP3 - Moving Picture Experts Group Audio Layer III | ||||||
| Ogg - Ogg Vorbis music format (not any ogg file, just vorbis) | ||||||
| PDF - Portable Document Format - Postscript-like format by Adobe | ||||||
| Perl - A scripting language by Larry Wall. | ||||||
| PNG - Portable Network Graphics, a popular image format | ||||||
| Postscript - Printing Language | ||||||
| RAR - The WinRAR archive format | ||||||
| RPM - Redhat Package Management packages | ||||||
| RTF - Rich Text Format - an open document format | ||||||
| Tar - tape archive. Standard UNIX file archiver, not just for tapes. | ||||||
| ZIP - (PK|Win)Zip archive format |
This category is for worms, viruses, and anything else that uses the network to bother us. It doesn't appear that there is much demand for this functionality, but in case it interests you, this is a proof-of-concept. .
| wiki | notes | description | ||||
|---|---|---|---|---|---|---|
| Code Red - a worm that attacks Microsoft IIS web servers | ||||||
| Nimda - a worm that attacks Microsoft IIS web servers, and MORE! |
