add layer7 patterns to iptables-mod-filter

SVN-Revision: 2519

openwrt/package/iptables/Makefile

@@ -24,6 +24,7 @@ $$(IPKG_$(1)):
 	for m in $(2); do \
 		cp -fpR $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$${m}.so $$(IDIR_$(1))/usr/lib/iptables/ ; \
 	done
+	@[ -z "$(3)" ] || $(MAKE) $(3)
 	$(RSTRIP) $$(IDIR_$(1))
 	$(IPKG_BUILD) $$(IDIR_$(1)) $(PACKAGE_DIR)
 
@@ -49,7 +50,7 @@ $(eval $(call PKG_template,IPTABLES_MOD_ULOG,iptables-mod-ulog,$(PKG_VERSION)-$(
 
 $(eval $(call IPKG_plugin_template,IPTABLES_MOD_CONNTRACK,$(IPKG_IPTABLES_MOD_CONNTRACK-m)))
 $(eval $(call IPKG_plugin_template,IPTABLES_MOD_EXTRA,$(IPKG_IPTABLES_MOD_EXTRA-m)))
-$(eval $(call IPKG_plugin_template,IPTABLES_MOD_FILTER,$(IPKG_IPTABLES_MOD_FILTER-m)))
+$(eval $(call IPKG_plugin_template,IPTABLES_MOD_FILTER,$(IPKG_IPTABLES_MOD_FILTER-m),layer7-install))
 $(eval $(call IPKG_plugin_template,IPTABLES_MOD_IMQ,$(IPKG_IPTABLES_MOD_IMQ-m)))
 $(eval $(call IPKG_plugin_template,IPTABLES_MOD_IPOPT,$(IPKG_IPTABLES_MOD_IPOPT-m)))
 $(eval $(call IPKG_plugin_template,IPTABLES_MOD_IPSEC,$(IPKG_IPTABLES_MOD_IPSEC-m)))
@@ -102,6 +103,10 @@ $(STAGING_DIR)/usr/lib/libipq.a: $(PKG_BUILD_DIR)/.built
 	mkdir -p $(STAGING_DIR)/usr/lib
 	cp -fpR $(PKG_INSTALL_DIR)/usr/lib/libipq.a $(STAGING_DIR)/usr/lib/
 
+layer7-install:
+	mkdir -p $(IDIR_IPTABLES_MOD_FILTER)/etc/l7-protocols
+	cp files/l7/*.pat $(IDIR_IPTABLES_MOD_FILTER)/etc/l7-protocols/
+
 install-dev: $(STAGING_DIR)/usr/lib/libipq.a
 
 uninstall-dev:

openwrt/package/iptables/files/l7/aim.pat

@@ -0,0 +1,27 @@
+# AIM - AOL instant messenger (OSCAR and TOC)
+# Pattern quality: good notsofast
+# Usually runs on port 5190
+#
+# This may also match ICQ traffic.
+# 
+# This pattern has been tested and is believed to work well.  If it does not
+# work for you, or you believe it could be improved, please post to 
+# l7-filter-developers@lists.sf.net .  This list may be subscribed to at
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+aim
+# See http://gridley.acns.carleton.edu/~straitm/final (and various other places)
+# The first bit matches OSCAR signon and data commands, but not sure what
+# \x03\x0b matches, but it works apparently.
+# The next three bits match various parts of the TOC signon process.
+# The third one is the magic number "*", then 0x01 for "signon", then up to four
+# bytes ("up to" because l7-filter strips out nulls) which contain a sequence
+# number (2 bytes) the data length (2 more) and 3 nulls (which don't count), 
+# then 0x01 for the version number (not sure if there ever has been another 
+# version)
+# The fourth one is a command string, followed by some stuff, then the
+# beginning of the "roasted" password
+
+# This pattern is too slow!
+
+^(\*[\x01\x02].*\x03\x0b|\*\x01.?.?.?.?\x01)|flapon|toc_signon.*0x

openwrt/package/iptables/files/l7/bittorrent.pat

@@ -0,0 +1,14 @@
+# Bittorrent - P2P filesharing / publishing tool - http://www.bittorrent.com
+# Pattern quality: great veryfast
+#
+# This pattern has been tested and is believed to work well.  If it does not
+# work for you, or you believe it could be improved, please post to 
+# l7-filter-developers@lists.sf.net .  This list may be subscribed to at
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+bittorrent
+
+# Does not attempt to match the HTTP download of the tracker
+# 0x13 is the length of "bittorrent protocol"
+# Second two bits match UDP wierdness, commented out until it's tested
+#^(\x13bittorrent protocol|d1:ad2:id20:|\x08'7P\)[RP])
+^\x13bittorrent protocol

openwrt/package/iptables/files/l7/edonkey-dl.pat

@@ -0,0 +1,8 @@
+# eDonkey2000 - P2P filesharing (download part) - http://edonkey2000.com
+# Pattern quality: good veryfast overmatch usepacket
+
+edonkey-dl
+
+^[\xe3\xe4\xc5\xe5\xd4](....)?[\x01\x0a\x0e\x0f\x10\x18\x19\x1b\x1c\x47\x4a\x4f\x51\x53\x54\x58\x60\x81\x90\x96\x9a\x9c\xa2]
+
+

openwrt/package/iptables/files/l7/edonkey.pat

@@ -0,0 +1,29 @@
+# eDonkey2000 - P2P filesharing - http://edonkey2000.com
+# Pattern quality: good veryfast overmatch
+#
+# Please post to l7-filter-developers@lists.sf.net as to whether this pattern 
+# works for you or not.  If you believe it could be improved please post your 
+# suggestions to that list as well. You may subscribe to this list at 
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+# Thanks to Matt Skidmore <fox AT woozle.org>
+
+edonkey
+
+# http://gd.tuwien.ac.at/opsys/linux/sf/p/pdonkey/eDonkey-protocol-0.6
+#
+# In addition to \xe3, \xc5 and \xd4, I see a lot of \xe5
+#
+# God this is a mess.  What an irritating protocol.  
+# This will match about 1% of streams with random data in them!
+
+^[\xe3\xc5\xe5\xd4](....)?([\x01\x02\x05\x14\x15\x16\x18\x19\x1a\x1b\x1c\x20\x21\x32\x33\x34\x35\x36\x38\x40\x41\x42\x43\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x5b\x5c\x60\x81\x82\x90\x91\x93\x96\x97\x98\x99\x9a\x9b\x9c\x9e\xa0\xa1\xa2\xa3\xa4]|\x59................?[ -~]|\x96....$)
+
+# matches everything and too much 
+# ^(\xe3|\xc5|\xd4)
+
+# ipp2p essentially uses "\xe3....\x47", which doesn't seem at all right to me.
+
+# bandwidtharbitrator uses 
+# e0.*@.*6[a-z].*p$|e0.*@.*[a-z]6[a-z].*p0$|e.*@.*[0-9]6.*p$|emule|edonkey
+# no comments to explain what all the mush is, of course...

openwrt/package/iptables/files/l7/fasttrack.pat

@@ -0,0 +1,25 @@
+# FastTrack - P2P filesharing (Kazaa, Morpheus, iMesh, Grokster, etc)
+# Pattern quality: good notsofast
+#
+# Tested with Kazaa Lite Resurrection 0.0.7.6F
+#
+# This appears to match the download connections well, but not the search
+# connections (I think they are encrypted :-( ).
+#
+# Please post to l7-filter-developers@lists.sf.net as to whether it works 
+# for you or not.  If you believe it could be improved please post your 
+# suggestions to that list as well. You may subscribe to this list at 
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+fasttrack
+# while this is a valid http request, this will be caught because
+# the http pattern matches the response (and therefore the next packet)
+# Even so, it's best to put this match earlier in the chain.
+# http://cvs.berlios.de/cgi-bin/viewcvs.cgi/gift-fasttrack/giFT-FastTrack/PROTOCOL?rev=HEAD&content-type=text/vnd.viewcvs-markup
+
+# This pattern is kinda slow, but not too bad.
+^get (/.download/[ -~]*|/.supernode[ -~]|/.status[ -~]|/.network[ -~]*|/.files|/.hash=[0-9a-f]*/[ -~]*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?
+
+# This isn't much faster:
+#^get (/.download/.*|/.supernode.|/.status.|/.network.*|/.files|/.hash=[0-9a-f]*/.*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?
+

openwrt/package/iptables/files/l7/ftp.pat

@@ -0,0 +1,34 @@
+# FTP - File Transfer Protocol - RFC 959
+# Pattern quality: great fast
+#
+# Usually runs on port 21.  Note that the data stream is on a dynamically
+# assigned port, which means that you will need the FTP connection 
+# tracking module in your kernel to usefully match FTP data transfers.
+# 
+# This pattern is well tested.  If it does not
+# work for you, or you believe it could be improved, please post to 
+# l7-filter-developers@lists.sf.net .  This list may be subscribed to at
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+#
+# Matches the first two things a server should say.  Most servers say 
+# something after 220, even though they don't have to, and it usually
+# includes the string "ftp" (l7-filter is case insensitive).
+# This includes proftpd, vsftpd, wuftpd, warftpd, pureftpd, Bulletproof 
+# FTP Server, and whatever ftp.microsoft.com uses.  Just in case, the next 
+# thing the server sends is a 331.  All the above servers also send 
+# something including "password" after this code.
+ftp
+# actually, let's just do the first for now, it's faster
+^220[\x09-\x0d -~]*ftp
+
+# This is ~10x faster if the stream starts with "220"
+#^220.*ftp
+
+# This will match more, but much slower
+#^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*password
+
+# This pattern is more precise, but takes longer to match. (3 packets vs. 1)
+#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a331
+
+# same as above, but slightly less precise and only takes 2 packets.
+#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a

openwrt/package/iptables/files/l7/gnutella.pat

@@ -0,0 +1,36 @@
+# Gnutella - P2P filesharing
+# Pattern quality: good fast
+#
+# This should match both Gnutella and "Gnutella2" ("Mike's protocol")
+# 
+# Various clients use this protocol including Mactella, Shareaza,
+# GTK-gnutella, Gnucleus, Gnotella, LimeWire, BearShare, and iMesh.
+# 
+# This is tested with gtk-gnutella and Shareaza.
+#
+# Please report on how this pattern works for you at
+# l7-filter-developers@lists.sf.net .  If you can improve on this
+# pattern, please also post to that list. You may subscribe at
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+# http://www.gnutella2.com/tiki-index.php?page=UDP%20Transceiver
+# http://rfc-gnutella.sf.net/
+# http://www.gnutella2.com/tiki-index.php?page=Gnutella2%20Specification
+# http://en.wikipedia.org/wiki/Shareaza
+
+gnutella
+
+# The first part matches UDP messages - All start with "GND", then have
+# a flag byte which is either \x00, \x01 or \x02, then two sequence bytes
+# that can be anything, then a fragment number, which must start at 1.
+# The rest matches TCP first client message or first server message (in case 
+# we can't see client messages).  Some parts of this are empirical rather than 
+# document based.  Assumes version is between 0.0 and 2.9. (usually is
+# 0.4 or 0.6).  I'm guessing at many of the user-agents.
+# The last bit is emprical and probably only matches Limewire.
+^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|..................lime)
+
+# Needlessly precise, at the expense of time
+#^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /[\x09-\x0d -~]*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /[\x09-\x0d -~]*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella[\x09-\x0d -~]*content-type: application/x-gnutella|..................lime)
+
+

openwrt/package/iptables/files/l7/http.pat

@@ -0,0 +1,28 @@
+# HTTP - HyperText Transfer Protocol - RFC 2616
+# Pattern quality: great notsofast
+# Usually runs on port 80
+#
+# This pattern has been tested and is believed to work well.  If it does not
+# work for you, or you believe it could be improved, please post to 
+# l7-filter-developers@lists.sf.net .  This list may be subscribed to at
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+#
+# this intentionally catches the response from the server
+# rather than the request so that other protocols which use
+# http (like kazaa) can be caught based on specific http requests
+# regardless of the ordering of filters...
+# also matches posts
+
+# Sites that serve really long cookies may break this by pushing the
+# server response too far away from the beginning of the connection. To
+# fix this, increase the kernel's data buffer length.
+
+http
+# Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF (rfc 2616)
+# As specified in rfc 2616 a status code is preceeded and followed by a
+# space. 
+http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019]
+# A slightly faster version that might be good enough:
+#http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]|post [\x09-\x0d -~]* http/[01]\.[019]
+# old pattern(s):
+#(http[\x09-\x0d -~]*(200 ok|302 |304 )[\x09-\x0d -~]*(connection:|content-type:|content-length:))|^(post [\x09-\x0d -~]* http/)

openwrt/package/iptables/files/l7/ident.pat

@@ -0,0 +1,14 @@
+# Ident - Identification Protocol - RFC 1413
+# Pattern quality: good veryfast
+# Usually runs on port 113
+#
+# This pattern is believed to work.  If it does not
+# work for you, or you believe it could be improved, please post to 
+# l7-filter-developers@lists.sf.net .  This list may be subscribed to at
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+ident
+# "number , numberCRLF" possibly without the CR and/or LF.
+# ^$ is appropriate because the first packet should never have anything
+# else in it.
+^[1-9][0-9]?[0-9]?[0-9]?[0-9]?[\x09-\x0d]*,[\x09-\x0d]*[1-9][0-9]?[0-9]?[0-9]?[0-9]?(\x0d\x0a|[\x0d\x0a])?$

openwrt/package/iptables/files/l7/irc.pat

@@ -0,0 +1,20 @@
+# IRC - Internet Relay Chat - RFC 1459
+# Pattern quality: good veryfast
+#
+# Usually runs on port 6666 or 6667
+# Note that chat traffic runs on these ports, but IRC-DCC traffic (which
+# can use much more bandwidth) uses a dynamically assigned port, so you 
+# must have the IRC connection tracking module in your kernel to classify
+# this.
+#
+# This pattern has been tested and is believed to work well.  If it does not
+# work for you, or you believe it could be improved, please post to 
+# l7-filter-developers@lists.sf.net .  This list may be subscribed to at
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+irc
+# First thing that happens is that the client sends NICK and USER, in 
+# either order.  This allows MIRC color codes (\x02-\x0d instead of
+# \x09-\x0d).
+^(nick[\x09-\x0d -~]*user[\x09-\x0d -~]*:|user[\x09-\x0d -~]*:[\x02-\x0d -~]*nick[\x09-\x0d -~]*\x0d\x0a)
+

openwrt/package/iptables/files/l7/jabber.pat

@@ -0,0 +1,24 @@
+# Jabber (XMPP) - an open instant messenger protocol - http://jabber.org
+# Pattern quality: good fast
+#
+# This pattern has been tested with Gaim and Gabber.  It is only tested 
+# with non-SSL mode Jabber with no proxies.  If it does not
+# work for you, or you believe it could be improved, please post to 
+# l7-filter-developers@lists.sf.net .  This list may be subscribed to at
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+# Thanks to Jan Hudec for some improvements.
+
+# Jabber seems to take a long time to set up a connection.  I'm
+# connecting with Gabber 0.8.8 to 12jabber.org and the first 8 packets
+# is this:
+# <stream:stream to='12jabber.com' xmlns='jabber:client'
+# xmlns:stream='http://etherx.jabber.org/streams'><?xml
+# version='1.0'?><stream:stream
+# xmlns:stream='http://etherx.jabber.org/streams' id='3f73e951'
+# xmlns='jabber:client' from='12jabber.com'>
+#
+# No mention of my username or password yet, you'll note.
+
+jabber
+<stream:stream[\x09-\x0d ][ -~]*[\x09-\x0d ]xmlns=['"]jabber

openwrt/package/iptables/files/l7/msnmessenger.pat

@@ -0,0 +1,15 @@
+# MSN Messenger - Microsoft Network chat client
+# Pattern quality: good veryfast
+#
+# Usually uses port 1863
+# http://www.hypothetic.org/docs/msn/index.php
+#
+# This pattern has been tested and is believed to work well.  If it does not
+# work for you, or you believe it could be improved, please post to 
+# l7-filter-developers@lists.sf.net .  This list may be subscribed to at
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+msnmessenger
+# ver: allow versions up to 99.
+# usr (in case ver didn't work):  
+^(ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]* cvr|usr md5 i [ -~]*)

openwrt/package/iptables/files/l7/ntp.pat

@@ -0,0 +1,17 @@
+# (S)NTP - (Simple) Network Time Protocol - RFCs 1305 and 2030
+# Pattern quality: good veryfast overmatch 
+#
+# This pattern is tested and is believed to work. If this does not work
+# for you, or you believe it could be improved, please post to
+# l7-filter-developers@lists.sf.net .  Subscribe at
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+# client|server
+# Requires the server's timestamp to be in the present or future (of 2005).
+# Tested with ntpdate on Linux.
+# Assumes version 2, 3 or 4.
+
+# Note that ntp packets are always 48 bytes, so you should match on that too.
+
+ntp
+^([\x13\x1b\x23\xd3\xdb\xe3]|[\x14\x1c$].......?.?.?.?.?.?.?.?.?[\xc6-\xff])

openwrt/package/iptables/files/l7/pop3.pat

@@ -0,0 +1,50 @@
+# POP3 - Post Office Protocol version 3 (popular e-mail protocol) - RFC 1939
+# Pattern quality: good veryfast
+#
+# This pattern has been tested somewhat.  If it does not
+# work for you, or you believe it could be improved, please post to 
+# l7-filter-developers@lists.sf.net .  This list may be subscribed to at
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+# this is a difficult protocol to match because of the relative lack of 
+# distinguishing information.  Read on.
+pop3
+
+# this the most conservative pattern.  It should definitely work.
+#^(\+ok|-err)
+
+# this pattern assumes that the server says _something_ after +ok or -err
+# I think this is probably the way to go.
+^(\+ok |-err )
+
+# more that 90% of servers seem to say "pop" after "+ok", but not all.
+#^(\+ok .*pop)
+
+# Here's another tack. I think this is my second favorite.
+#^(\+ok [\x09-\x0d -~]*(ready|hello|pop|starting)|-err [\x09-\x0d -~]*(invalid|unknown|unimplemented|unrecognized|command))
+
+# this matches the server saying "you have N messages that are M bytes",
+# which the client probably asks for early in the session (not tested)
+#\+ok [0-9]+ [0-9]+
+
+# some sample servers:
+# RFC example:        +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>
+# mail.dreamhost.com: +OK Hello there.
+# pop.carleton.edu:   +OK POP3D(*) Server PMDFV6.2.2 at Fri, 12 Sep 2003 19:28:10 -0500 (CDT) (APOP disabled)
+# mail.earthlink.net: +OK NGPopper vEL_4_38 at earthlink.net ready <25509.1063412951@falcon>
+# *.email.umn.edu:    +OK Cubic Circle's v1.22 1998/04/11 POP3 ready <7d1e0000da67623f@aquamarine.tc.umn.edu>
+# mail.yale.edu:      +OK POP3 pantheon-po01 v2002.81 server ready
+# mail.gustavus.edu:  +OK POP3 solen v2001.78 server ready
+# mail.reed.edu:      +OK POP3 letra.reed.edu v2002.81 server ready
+# mail.bowdoin.edu:   +OK mail.bowdoin.edu POP3 service (iPlanet Messaging Server 5.2 HotFix 1.15 (built Apr 28 2003))
+# pop.colby.edu:      +OK Qpopper (version 4.0.5) at basalt starting.
+# mail.mac.com:       +OK Netscape Messaging Multiplexor ready
+
+# various error strings:
+#-ERR Invalid command.
+#-ERR invalid command
+#-ERR unimplemented
+#-ERR Invalid command, try one of: USER name, PASS string, QUIT
+#-ERR Unknown AUTHORIZATION state command
+#-ERR Unrecognized command
+#-ERR Unknown command: "sadf'".

openwrt/package/iptables/files/l7/smtp.pat

@@ -0,0 +1,39 @@
+# SMTP - Simple Mail Transfer Protocol - RFC 2821 (See also RFC 1869)
+# Pattern quality: great fast
+# usually runs on port 25
+# 
+# This pattern has been tested and is believed to work well.  If it does not
+# work for you, or you believe it could be improved, please post to 
+# l7-filter-developers@lists.sf.net .  This list may be subscribed to at
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+smtp
+# As usual, no text is required after "220", but all known servers have some
+# there.  It (almost?) always has string "smtp" in it.  The RFC examples
+# does not, so we match those too, just in case anyone has copied them 
+# literally.
+^220[\x09-\x0d -~]* (e?smtp|simple mail)
+
+# This is ~3x faster if the stream starts with "220" 
+#^220.* (e?smtp|simple mail)
+
+# Some examples:
+# 220 mail.stalker.com ESMTP CommuniGate Pro 4.1.3
+# 220 mail.vieodata.com ESMTP Merak 6.1.0; Mon, 15 Sep 2003 13:48:11 -0400
+# 220 mail.ut.caldera.com ESMTP
+# 220 persephone.pmail.gen.nz ESMTP server ready.
+# 220 smtp1.superb.net ESMTP
+# 220 mail.kerio.com Kerio MailServer 5.6.7 ESMTP ready
+# 220-mail.deerfield.com ESMTP VisNetic.MailServer.v6.0.9.0; Mon, 15 Sep 2003 13:4
+# 220 altn.com ESMTP MDaemon 6.8.5; Mon, 15 Sep 2003 12:46:42 -0500
+# 220 X1 NT-ESMTP Server ipsmin0165atl2.interland.net (IMail 6.06 73062-3)
+# 220 mail.icewarp.com ESMTP Merak 6.1.1; Mon, 15 Sep 2003 19:43:23 +0200
+# 220-mail.email-scan.com ESMTP
+# 220 smaug.dreamhost.com ESMTP
+# 220 kona.carleton.edu -- Server ESMTP (PMDF V6.2#30648)
+# 220 letra.reed.edu ESMTP Sendmail 8.12.9/8.12.9; Mon, 15 Sep 2003 10:35:57 -0700 (PDT)
+# 220-swan.mail.pas.earthlink.net ESMTP Exim 3.33 #1 Mon, 15 Sep 2003 10:32:15 -0700
+# 
+# RFC examples:
+# 220 xyz.com Simple Mail Transfer Service Ready (RFC example)
+# 220 dbc.mtview.ca.us SMTP service ready

openwrt/package/iptables/files/l7/ssh.pat

@@ -0,0 +1,16 @@
+# SSH - Secure SHell
+# Pattern quality: great veryfast
+# usually runs on port 22
+#
+# http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-22.txt
+#
+# This pattern has been tested and is believed to work well.  If it does not
+# work for you, or you believe it could be improved, please post to 
+# l7-filter-developers@lists.sf.net .  This list may be subscribed to at
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+ssh
+^ssh-[12]\.[0-9]
+
+# old pattern:
+# (diffie-hellman-group-exchange-sha1|diffie-hellman-group1-sha1.ssh-rsa|ssh-dssfaes128-cbc|3des-cbc|blowfish-cbc|cast128-cbc|arcfour|aes192-cbc|aes256-cbc|rijndael-cbc@lysator.liu.sefaes128-cbc|3des-cbc|blowfish-cbc|cast128-cbc|arcfour|aes192-cbc|aes256-cbc|rijndael-cbc@lysator.liu.seuhmac-md5|hmac-sha1|hmac-ripemd160)+

openwrt/package/iptables/files/l7/ssl.pat

@@ -0,0 +1,15 @@
+# SSL and TLS - Secure Socket Layer / Transport Layer Security - RFC 2246
+# Pattern quality: good fast
+# Usually runs on port 443
+#
+# This is a superset validcertssl.  For it to match, it must be first.
+# 
+# This pattern has been tested and is believed to work well.  If it does not
+# work for you, or you believe it could be improved, please post to
+# l7-filter-developers@lists.sf.net .  This list may be subscribed to at
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+
+ssl
+# Client Hello | Server Hello with certificate
+# This allows SSL 3.X, which includes TLS 1.0, known internally as SSL 3.1
+^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b)

openwrt/package/iptables/files/l7/vnc.pat

@@ -0,0 +1,23 @@
+# VNC - Virtual Network Computing.  Also known as RFB - Remote Frame Buffer
+# Pattern quality: good fast
+# http://www.realvnc.com/documentation.html
+# 
+# This pattern has been verified with vnc v3.3.7 on WinXP and Linux
+# Please report on how this pattern works for you at
+# l7-filter-developers@lists.sf.net .  If you can improve on this pattern,
+# please also post to that list. You may subscribe at
+# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
+#
+# Thanks to Trevor Paskett <tpaskett AT cymphonix.com> for this pattern.
+
+vnc
+# Assumes single digit major and minor version numbers 
+# This message should be all alone in the first packet, so ^$ is appropriate
+^rfb 00[1-9]\.00[0-9]\x0a$
+
+# This is a more restrictive version which assumes the version numbers
+# are ones actually in existance at the time of this writing, i.e. 3.3,
+# 3.7 and 3.8 (with some clients wrongly reporting 3.5).  It should be
+# slightly faster, but probably not worth the extra maintenance. 
+# ^rfb 003\.00[3578]\x0a$
+