全力打造中国第一个ROS3.0X L7模版，如有错误请更正！！！！

wbyz20 发表于 2008-4-1 14:11:04

ROS3.0X L7模版，如有错误请更正！！！！在官方论坛下的。。。。正规表达式。
/ip firewall layer7-protocol
:if ([:len ] > 0) do={ :put "already have edonkey" } else={ add name=edonkey regexp="^[\C5\D4\E3-\E5].\?.\?.\?.\?([\01\02\05\14\15\16\18\19\1A\1B\1C\20\21\32\33\34\35\36\38\40\41\42\43\46\47\48\49\4A\4B\4C\4D\4E\4F\50\51\52\53\54\55\56\57\58[\60\81\82\90\91\93\96\97\98\99\9A\9B\9C\9E\A0\A1\A2\A3\A4]|\59................\?[ -~]|\96....\$)" }
:if ([:len ] > 0) do={ :put "already have goboogy" } else={ add name=goboogy regexp="<peerplat>|^get /getfilebyhash\\.cgi\\\?|^get /queue_register\\.cgi\\\?|^get /getupdowninfo\\.cgi\\\?" }
:if ([:len ] > 0) do={ :put "already have soribada" } else={ add name=soribada regexp="^GETMP3\0D\0AFilename|^\01.\?.\?.\?(\51\3A\\+|\51\32\3A)|^\10[\14-\16]\10[\15-\17].\?.\?.\?.\?\$" }
:if ([:len ] > 0) do={ :put "already have rdp" } else={ add name=rdp regexp="rdpdr.*cliprdr.*rdpsnd" }
:if ([:len ] > 0) do={ :put "already have gnutella" } else={ add name=gnutella regexp="^(gnd[\01\02]\?.\?.\?\01|gnutella connect/\\.\0D\0A|get /uri-res/n2r\\\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv *:*/|queue * \?\?\\.\?\?\\.\?\?\\.\?\?:\?\?\?|gnutella.*content-type: application/x-gnutella|...................\?lime)" }
:if ([:len ] > 0) do={ :put "already have cvs" } else={ add name=cvs regexp="^BEGIN (AUTH|VERIFICATION|GSSAPI) REQUEST\0A" }
:if ([:len ] > 0) do={ :put "already have nbns" } else={ add name=nbns regexp="\01\10\01|\\)\10\01\01|0\10\01" }
:if ([:len ] > 0) do={ :put "already have shoutcast" } else={ add name=shoutcast regexp="icy [\09-\0D -~]*(content-type:audio|icy-)" }
:if ([:len ] > 0) do={ :put "already have dns" } else={ add name=dns regexp="^.\?.\?.\?.\?[\01\02].\?.\?.\?.\?.\?.\?[\01-\?][\01-\?a-z]*[\02-\06]\?\?(um)\?[\01-\10\1C][\01\03\04\FF]" }
:if ([:len ] > 0) do={ :put "already have quake-halflife" } else={ add name=quake-halflife regexp="^\FF\FF\FF\FFget(info|challenge)" }
:if ([:len ] > 0) do={ :put "already have poco" } else={ add name=poco regexp="^\80\94\0A\01....\1F\9E" }
:if ([:len ] > 0) do={ :put "already have ciscovpn" } else={ add name=ciscovpn regexp="^\01\F4\01\F4" }
:if ([:len ] > 0) do={ :put "already have x11" } else={ add name=x11 regexp="^.\?\0B" }
:if ([:len ] > 0) do={ :put "already have xboxlive" } else={ add name=xboxlive regexp="^\58\80........\F3|^\06\58\4E" }
:if ([:len ] > 0) do={ :put "already have applejuice" } else={ add name=applejuice regexp="^ajprot\0D\0A" }
:if ([:len ] > 0) do={ :put "already have zmaap" } else={ add name=zmaap regexp="^\1B\D7\3B\48[\01\02]\01\?\01" }
:if ([:len ] > 0) do={ :put "already have live365" } else={ add name=live365 regexp="membername.*session.*player" }
:if ([:len ] > 0) do={ :put "already have rlogin" } else={ add name=rlogin regexp="^+/\?\?\?00" }
:if ([:len ] > 0) do={ :put "already have http" } else={ add name=http regexp="http/(0\\.9|1\\.0|1\\.1) [\09-\0D -~]*(connection:|content-type:|content-length:|date:)|post [\09-\0D -~]* http/\\." }
:if ([:len ] > 0) do={ :put "already have sip" } else={ add name=sip regexp="^(invite|register|cancel) sip[\09-\0D -~]*sip/\\." }
:if ([:len ] > 0) do={ :put "already have pop3" } else={ add name=pop3 regexp="^(\\+ok |-err )" }
:if ([:len ] > 0) do={ :put "already have smb" } else={ add name=smb regexp="\FFsmb[\72\25]" }
:if ([:len ] > 0) do={ :put "already have quake1" } else={ add name=quake1 regexp="^\80\0C\01quake\03" }
:if ([:len ] > 0) do={ :put "already have lpd" } else={ add name=lpd regexp="^(\01[!-~]+|\02[!-~]+\0A.[\01\02\03][\01-\0A -~]*|[\03\04][!-~]+[\09-\0D]+[\09-\0D -~]*|\05[!-~]+[\09-\0D]+([!-~]*[\09-\0D]+\?\?|root[\09-\0D]+[!-~]+).*)\0A\$" }
:if ([:len ] > 0) do={ :put "already have mute" } else={ add name=mute regexp="^(Public|AES)Key: *\0AEnd(Public|AES)Key\0A\$" }
:if ([:len ] > 0) do={ :put "already have ssh" } else={ add name=ssh regexp="^ssh-\\." }
:if ([:len ] > 0) do={ :put "already have jabber" } else={ add name=jabber regexp="<stream:stream[\09-\0D ][ -~]*[\09-\0D ]xmlns=['\"]jabber" }
:if ([:len ] > 0) do={ :put "already have bittorrent" } else={ add name=bittorrent regexp="^(\13bittorrent protocol|azver\01\$|get /scrape\\\?info_hash=)|d1:ad2:id20:|\08'7P\\)" }
:if ([:len ] > 0) do={ :put "already have ncp" } else={ add name=ncp regexp="^(dmdt.*\01.*(\"\"|\11\11|uu)|tncp.*33)" }
:if ([:len ] > 0) do={ :put "already have tls" } else={ add name=tls regexp="^(.\?.\?\16\03.*\16\03|.\?.\?\01\03\01\?.*\0B)" }
:if ([:len ] > 0) do={ :put "already have directconnect" } else={ add name=directconnect regexp="^(\\\$mynick |\\\$lock |\\\$key )" }
:if ([:len ] > 0) do={ :put "already have netbios" } else={ add name=netbios regexp="\81.\?.\?." }
:if ([:len ] > 0) do={ :put "already have tftp" } else={ add name=tftp regexp="^(\01|\02)[ -~]*(netascii|octet|mail)" }
:if ([:len ] > 0) do={ :put "already have subspace" } else={ add name=subspace regexp="^\01....\11\10........\01\$" }
:if ([:len ] > 0) do={ :put "already have hotline" } else={ add name=hotline regexp="^....................TRTPHOTL\01\02" }
:if ([:len ] > 0) do={ :put "already have doom3" } else={ add name=doom3 regexp="^\FF\FFchallenge" }
:if ([:len ] > 0) do={ :put "already have ftp" } else={ add name=ftp regexp="^220[\09-\0D -~]*ftp" }
:if ([:len ] > 0) do={ :put "already have kugoo" } else={ add name=kugoo regexp="^\31..\8E" }
:if ([:len ] > 0) do={ :put "already have tsp" } else={ add name=tsp regexp="^[\01-\13\16-\$]\01.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?[ -~]+" }
:if ([:len ] > 0) do={ :put "already have battlefield1942" } else={ add name=battlefield1942 regexp="^\01\11\10\\|\F8\02\10\40\06" }
:if ([:len ] > 0) do={ :put "already have ssdp" } else={ add name=ssdp regexp="^notify[\09-\0D ]\\*[\09-\0D ]http/1\\.1[\09-\0D -~]*ssdp:(alive|byebye)|^m-search[\09-\0D ]\\*[\09-\0D ]http/1\\.1[\09-\0D -~]*ssdp:discover" }
:if ([:len ] > 0) do={ :put "already have imap" } else={ add name=imap regexp="^(\\* ok|a+ noop)" }
:if ([:len ] > 0) do={ :put "already have ares" } else={ add name=ares regexp="^\03[]Z].\?.\?\05\$" }
:if ([:len ] > 0) do={ :put "already have fasttrack" } else={ add name=fasttrack regexp="^get (/.download/[ -~]*|/.supernode[ -~]|/.status[ -~]|/.network[ -~]*|/.files|/.hash=*/[ -~]*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give \?\?\?" }
:if ([:len ] > 0) do={ :put "already have qq" } else={ add name=qq regexp="^.\?\02.+\03\$" }
:if ([:len ] > 0) do={ :put "already have 100bao" } else={ add name=100bao regexp="^\01\01\05\0A" }
:if ([:len ] > 0) do={ :put "already have aim" } else={ add name=aim regexp="^(\\*[\01\02].*\03\0B|\\*\01.\?.\?.\?.\?\01)|flapon|toc_signon.*0x" }
:if ([:len ] > 0) do={ :put "already have unknown" } else={ add name=unknown regexp="." }
:if ([:len ] > 0) do={ :put "already have msn-filetransfer" } else={ add name=msn-filetransfer regexp="^(ver [ -~]*msnftp\0D\0Aver msnftp\0D\0Ausr|method msnmsgr:)" }
:if ([:len ] > 0) do={ :put "already have yahoo" } else={ add name=yahoo regexp="^(ymsg|ypns|yhoo).\?.\?.\?.\?.\?.\?.\?.*\C0\80" }
:if ([:len ] > 0) do={ :put "already have validcertssl" } else={ add name=validcertssl regexp="^(.\?.\?\16\03.*\16\03|.\?.\?\01\03\01\?.*\0B).*(thawte|equifax secure|rsa data security, inc|verisign, inc|gte cybertrust root|entrust\\.net limited)" }
:if ([:len ] > 0) do={ :put "already have ntp" } else={ add name=ntp regexp="^([\13\1B\23\D3\DB\E3]|[\14\1C\$].......\?.\?.\?.\?.\?.\?.\?.\?.\?[\C6-\FF])" }
:if ([:len ] > 0) do={ :put "already have gnucleuslan" } else={ add name=gnucleuslan regexp="gnuclear connect/[\09-\0D -~]*user-agent: gnucleus [\09-\0D -~]*lan:" }
:if ([:len ] > 0) do={ :put "already have vnc" } else={ add name=vnc regexp="^rfb 00\\.00\0A\$" }
:if ([:len ] > 0) do={ :put "already have bgp" } else={ add name=bgp regexp="^\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF..\?\01[\03\04]" }
:if ([:len ] > 0) do={ :put "already have tesla" } else={ add name=tesla regexp="\03\9A\89\22\31\31\31\\.\30\30\20\42\65\74\61\20|\E2\3C\69\1E\1C\E9" }
:if ([:len ] > 0) do={ :put "already have openft" } else={ add name=openft regexp="x-openftalias: [-)(0-9a-z ~.]" }
:if ([:len ] > 0) do={ :put "already have h323" } else={ add name=h323 regexp="^\03..\?\08...\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?\05" }
:if ([:len ] > 0) do={ :put "already have finger" } else={ add name=finger regexp="^+|login: [\09-\0D -~]* name: [\09-\0D -~]* Directory:" }
:if ([:len ] > 0) do={ :put "already have ident" } else={ add name=ident regexp="^\?\?\?\?[\09-\0D]*,[\09-\0D]*\?\?\?\?(\0D\0A|[\0D\0A])\?\$" }
:if ([:len ] > 0) do={ :put "already have gkrellm" } else={ add name=gkrellm regexp="^gkrellm ..\0A\$" }
:if ([:len ] > 0) do={ :put "already have hddtemp" } else={ add name=hddtemp regexp="^\\|/dev/\\|*\\|\\|\\|" }
:if ([:len ] > 0) do={ :put "already have socks" } else={ add name=socks regexp="\05[\01-\08]*\05[\01-\08]\?.*\05[\01-\03][\01\03].*\05[\01-\08]\?[\01\03]" }
:if ([:len ] > 0) do={ :put "already have biff" } else={ add name=biff regexp="^+@+\$" }
:if ([:len ] > 0) do={ :put "already have dhcp" } else={ add name=dhcp regexp="^[\01\02][\01- ]\06.*c\82sc" }
:if ([:len ] > 0) do={ :put "already have smtp" } else={ add name=smtp regexp="^220[\09-\0D -~]* (e\?smtp|simple mail)" }
:if ([:len ] > 0) do={ :put "already have ipp" } else={ add name=ipp regexp="ipp://" }
:if ([:len ] > 0) do={ :put "already have msnmessenger" } else={ add name=msnmessenger regexp="ver + msnp\? [\09-\0D -~]*cvr0\0D\0A\$|usr 1 [!-~]+ +\0D\0A\$|ans 1 [!-~]+ +\0D\0A\$" }
:if ([:len ] > 0) do={ :put "already have irc" } else={ add name=irc regexp="^(nick[\09-\0D -~]*user[\09-\0D -~]*:|user[\09-\0D -~]*:[\02-\0D -~]*nick[\09-\0D -~]*\0D\0A)" }
:if ([:len ] > 0) do={ :put "already have gopher" } else={ add name=gopher regexp="^[\09-\0D]*[\09-\0D -~]*\09[\09-\0D -~]*\09*\\..\?.\?\09" }
:if ([:len ] > 0) do={ :put "already have telnet" } else={ add name=telnet regexp="^\FF[\FB-\FE].\FF[\FB-\FE].\FF[\FB-\FE]" }
:if ([:len ] > 0) do={ :put "already have snmp" } else={ add name=snmp regexp="^\02\01\04.+([\A0-\A3]\02[\01-\04].\?.\?.\?.\?\02\01.\?\02\01.\?\30|\A4\06.+\40\04.\?.\?.\?.\?\02\01.\?\02\01.\?\43)" }
:if ([:len ] > 0) do={ :put "already have nntp" } else={ add name=nntp regexp="^(20[\09-\0D -~]*AUTHINFO USER|20[\09-\0D -~]*news)" }
:if ([:len ] > 0) do={ :put "already have aimwebcontent" } else={ add name=aimwebcontent regexp="user-agent:aim/" }
:if ([:len ] > 0) do={ :put "already have rtsp" } else={ add name=rtsp regexp="rtsp/1.0 200 ok" }
:if ([:len ] > 0) do={ :put "already have skypeout" } else={ add name=skypeout regexp="^(\01.\?.\?.\?.\?.\?.\?.\?.\?\01|\02.\?.\?.\?.\?.\?.\?.\?.\?\02|\03.\?.\?.\?.\?.\?.\?.\?.\?\03|\04.\?.\?.\?.\?.\?.\?.\?.\?\04|\05.\?.\?.\?.\?.\?.\?.\?.\?\05|\06.\?.\?.\?.\?.\?.\?.\?.\?\06|\07.\?.\?.\?.\?.\?.\?.\?.\?\07|\08.\?.\?.\?.\?.\?.\?.\?.\?\08|\09.\?.\?.\?.\?.\?.\?.\?.\?\09|\0A.\?.\?.\?.\?.\?.\?.\?.\?\0A|\0B.\?.\?.\?.\?.\?.\?.\?.\?\0B|\0C.\?.\?.\?.\?.\?.\?.\?.\?\0C|\0D.\?.\?.\?.\?.\?.\?.\?.\?\0D|\0E.\?.\?.\?.\?.\?.\?.\?.\?\0E|\0F.\?.\?.\?.\?.\?.\?.\?.\?\0F|\10.\?.\?.\?.\?.\?.\?.\?.\?\10|\11.\?.\?.\?.\?.\?.\?.\?.\?\11|\12.\?.\?.\?.\?.\?.\?.\?.\?\12|\13.\?.\?.\?.\?.\?.\?.\?.\?\13|\14.\?.\?.\?.\?.\?.\?.\?.\?\14|\15.\?.\?.\?.\?.\?.\?.\?.\?\15|\16.\?.\?.\?.\?.\?.\?.\?.\?\16|\17.\?.\?.\?.\?.\?.\?.\?.\?\17|\18.\?.\?.\?.\?.\?.\?.\?.\?\18|\19.\?.\?.\?.\?.\?.\?.\?.\?\19|\1A.\?.\?.\?.\?.\?.\?.\?.\?\1A|\1B.\?.\?.\?.\?.\?.\?.\?.\?\1B|\1C.\?.\?.\?.\?.\?.\?.\?.\?\1C|\1D.\?.\?.\?.\?.\?.\?.\?.\?\1D|\1E.\?.\?.\?.\?.\?.\?.\?.\?\1E|\1F.\?.\?.\?.\?.\?.\?.\?.\?\1F|\20.\?.\?.\?.\?.\?.\?.\?.\?\20|\21.\?.\?.\?.\?.\?.\?.\?.\?\21|\22.\?.\?.\?.\?.\?.\?.\?.\?\22|\23.\?.\?.\?.\?.\?.\?.\?.\?\23|\\\$.\?.\?.\?.\?.\?.\?.\?.\?\\\$|\25.\?.\?.\?.\?.\?.\?.\?.\?\25|\26.\?.\?.\?.\?.\?.\?.\?.\?\26|\27.\?.\?.\?.\?.\?.\?.\?.\?\27|\$.\?.\?.\?.\?.\?.\?.\?.\?\\(|\$.\?.\?.\?.\?.\?.\?.\?.\?\\)|\\*.\?.\?.\?.\?.\?.\?.\?.\?\\*|\\+.\?.\?.\?.\?.\?.\?.\?.\?\\+|\2C.\?.\?.\?.\?.\?.\?.\?.\?\2C|\2D.\?.\?.\?.\?.\?.\?.\?.\?\2D|\\..\?.\?.\?.\?.\?.\?.\?.\?\\.|\2F.\?.\?.\?.\?.\?.\?.\?.\?\2F|\30.\?.\?.\?.\?.\?.\?.\?.\?\30|\31.\?.\?.\?.\?.\?.\?.\?.\?\31|\32.\?.\?.\?.\?.\?.\?.\?.\?\32|\33.\?.\?.\?.\?.\?.\?.\?.\?\33|\34.\?.\?.\?.\?.\?.\?.\?.\?\34|\35.\?.\?.\?.\?.\?.\?.\?.\?\35|\36.\?.\?.\?.\?.\?.\?.\?.\?\36|\37.\?.\?.\?.\?.\?.\?.\?.\?\37|\38.\?.\?.\?.\?.\?.\?.\?.\?\38|\39.\?.\?.\?.\?.\?.\?.\?.\?\39|\3A.\?.\?.\?.\?.\?.\?.\?.\?\3A|\3B.\?.\?.\?.\?.\?.\?.\?.\?\3B|\3C.\?.\?.\?.\?.\?.\?.\?.\?\3C|\3D.\?.\?.\?.\?.\?.\?.\?.\?\3D|\3E.\?.\?.\?.\?.\?.\?.\?.\?\3E|\\\?.\?.\?.\?.\?.\?.\?.\?.\?\\\?|\40.\?.\?.\?.\?.\?.\?.\?.\?\40|\41.\?.\?.\?.\?.\?.\?.\?.\?\41|\42.\?.\?.\?.\?.\?.\?.\?.\?\42|\43.\?.\?.\?.\?.\?.\?.\?.\?\43|\44.\?.\?.\?.\?.\?.\?.\?.\?\44|\45.\?.\?.\?.\?.\?.\?.\?.\?\45|\46.\?.\?.\?.\?.\?.\?.\?.\?\46|\47.\?.\?.\?.\?.\?.\?.\?.\?\47|\48.\?.\?.\?.\?.\?.\?.\?.\?\48|\49.\?.\?.\?.\?.\?.\?.\?.\?\49|\4A.\?.\?.\?.\?.\?.\?.\?.\?\4A|\4B.\?.\?.\?.\?.\?.\?.\?.\?\4B|\4C.\?.\?.\?.\?.\?.\?.\?.\?\4C|\4D.\?.\?.\?.\?.\?.\?.\?.\?\4D|\4E.\?.\?.\?.\?.\?.\?.\?.\?\4E|\4F.\?.\?.\?.\?.\?.\?.\?.\?\4F|\50.\?.\?.\?.\?.\?.\?.\?.\?\50|\51.\?.\?.\?.\?.\?.\?.\?.\?\51|\52.\?.\?.\?.\?.\?.\?.\?.\?\52|\53.\?.\?.\?.\?.\?.\?.\?.\?\53|\54.\?.\?.\?.\?.\?.\?.\?.\?\54|\55.\?.\?.\?.\?.\?.\?.\?.\?\55|\56.\?.\?.\?.\?.\?.\?.\?.\?\56|\57.\?.\?.\?.\?.\?.\?.\?.\?\57|\58.\?.\?.\?.\?.\?.\?.\?.\?\58|\59.\?.\?.\?.\?.\?.\?.\?.\?\59|\5A.\?.\?.\?.\?.\?.\?.\?.\?\5A|\\[.\?.\?.\?.\?.\?.\?.\?.\?\\[|\\].\?.\?.\?.\?.\?.\?.\?.\?\\]|\\].\?.\?.\?.\?.\?.\?.\?.\?\\]|\\^.\?.\?.\?.\?.\?.\?.\?.\?\\^|\5F.\?.\?.\?.\?.\?.\?.\?.\?\5F|\60.\?.\?.\?.\?.\?.\?.\?.\?\60|\61.\?.\?.\?.\?.\?.\?.\?.\?\61|\62.\?.\?.\?.\?.\?.\?.\?.\?\62|\63.\?.\?.\?.\?.\?.\?.\?.\?\63|\64.\?.\?.\?.\?.\?.\?.\?.\?\64|\65.\?.\?.\?.\?.\?.\?.\?.\?\65|\66.\?.\?.\?.\?.\?.\?.\?.\?\66|\67.\?.\?.\?.\?.\?.\?.\?.\?\67|\68.\?.\?.\?.\?.\?.\?.\?.\?\68|\69.\?.\?.\?.\?.\?.\?.\?.\?\69|\6A.\?.\?.\?.\?.\?.\?.\?.\?\6A|\6B.\?.\?.\?.\?.\?.\?.\?.\?\6B|\6C.\?.\?.\?.\?.\?.\?.\?.\?\6C|\6D.\?.\?.\?.\?.\?.\?.\?.\?\6D|\6E.\?.\?.\?.\?.\?.\?.\?.\?\6E|\6F.\?.\?.\?.\?.\?.\?.\?.\?\6F|\70.\?.\?.\?.\?.\?.\?.\?.\?\70|\71.\?.\?.\?.\?.\?.\?.\?.\?\71|\72.\?.\?.\?.\?.\?.\?.\?.\?\72|\73.\?.\?.\?.\?.\?.\?.\?.\?\73|\74.\?.\?.\?.\?.\?.\?.\?.\?\74|\75.\?.\?.\?.\?.\?.\?.\?.\?\75|\76.\?.\?.\?.\?.\?.\?.\?.\?\76|\77.\?.\?.\?.\?.\?.\?.\?.\?\77|\78.\?.\?.\?.\?.\?.\?.\?.\?\78|\79.\?.\?.\?.\?.\?.\?.\?.\?\79|\7A.\?.\?.\?.\?.\?.\?.\?.\?\7A|\\{.\?.\?.\?.\?.\?.\?.\?.\?\\{|\\|.\?.\?.\?.\?.\?.\?.\?.\?\\||\\}.\?.\?.\?.\?.\?.\?.\?.\?\\}|\7E.\?.\?.\?.\?.\?.\?.\?.\?\7E|\7F.\?.\?.\?.\?.\?.\?.\?.\?\7F|\80.\?.\?.\?.\?.\?.\?.\?.\?\80|\81.\?.\?.\?.\?.\?.\?.\?.\?\81|\82.\?.\?.\?.\?.\?.\?.\?.\?\82|\83.\?.\?.\?.\?.\?.\?.\?.\?\83|\84.\?.\?.\?.\?.\?.\?.\?.\?\84|\85.\?.\?.\?.\?.\?.\?.\?.\?\85|\86.\?.\?.\?.\?.\?.\?.\?.\?\86|\87.\?.\?.\?.\?.\?.\?.\?.\?\87|\88.\?.\?.\?.\?.\?.\?.\?.\?\88|\89.\?.\?.\?.\?.\?.\?.\?.\?\89|\8A.\?.\?.\?.\?.\?.\?.\?.\?\8A|\8B.\?.\?.\?.\?.\?.\?.\?.\?\8B|\8C.\?.\?.\?.\?.\?.\?.\?.\?\8C|\8D.\?.\?.\?.\?.\?.\?.\?.\?\8D|\8E.\?.\?.\?.\?.\?.\?.\?.\?\8E|\8F.\?.\?.\?.\?.\?.\?.\?.\?\8F|\90.\?.\?.\?.\?.\?.\?.\?.\?\90|\91.\?.\?.\?.\?.\?.\?.\?.\?\91|\92.\?.\?.\?.\?.\?.\?.\?.\?\92|\93.\?.\?.\?.\?.\?.\?.\?.\?\93|\94.\?.\?.\?.\?.\?.\?.\?.\?\94|\95.\?.\?.\?.\?.\?.\?.\?.\?\95|\96.\?.\?.\?.\?.\?.\?.\?.\?\96|\97.\?.\?.\?.\?.\?.\?.\?.\?\97|\98.\?.\?.\?.\?.\?.\?.\?.\?\98|\99.\?.\?.\?.\?.\?.\?.\?.\?\99|\9A.\?.\?.\?.\?.\?.\?.\?.\?\9A|\9B.\?.\?.\?.\?.\?.\?.\?.\?\9B|\9C.\?.\?.\?.\?.\?.\?.\?.\?\9C|\9D.\?.\?.\?.\?.\?.\?.\?.\?\9D|\9E.\?.\?.\?.\?.\?.\?.\?.\?\9E|\9F.\?.\?.\?.\?.\?.\?.\?.\?\9F|\A0.\?.\?.\?.\?.\?.\?.\?.\?\A0|\A1.\?.\?.\?.\?.\?.\?.\?.\?\A1|\A2.\?.\?.\?.\?.\?.\?.\?.\?\A2|\A3.\?.\?.\?.\?.\?.\?.\?.\?\A3|\A4.\?.\?.\?.\?.\?.\?.\?.\?\A4|\A5.\?.\?.\?.\?.\?.\?.\?.\?\A5|\A6.\?.\?.\?.\?.\?.\?.\?.\?\A6|\A7.\?.\?.\?.\?.\?.\?.\?.\?\A7|\A8.\?.\?.\?.\?.\?.\?.\?.\?\A8|\A9.\?.\?.\?.\?.\?.\?.\?.\?\A9|\AA.\?.\?.\?.\?.\?.\?.\?.\?\AA|\AB.\?.\?.\?.\?.\?.\?.\?.\?\AB|\AC.\?.\?.\?.\?.\?.\?.\?.\?\AC|\AD.\?.\?.\?.\?.\?.\?.\?.\?\AD|\AE.\?.\?.\?.\?.\?.\?.\?.\?\AE|\AF.\?.\?.\?.\?.\?.\?.\?.\?\AF|\B0.\?.\?.\?.\?.\?.\?.\?.\?\B0|\B1.\?.\?.\?.\?.\?.\?.\?.\?\B1|\B2.\?.\?.\?.\?.\?.\?.\?.\?\B2|\B3.\?.\?.\?.\?.\?.\?.\?.\?\B3|\B4.\?.\?.\?.\?.\?.\?.\?.\?\B4|\B5.\?.\?.\?.\?.\?.\?.\?.\?\B5|\B6.\?.\?.\?.\?.\?.\?.\?.\?\B6|\B7.\?.\?.\?.\?.\?.\?.\?.\?\B7|\B8.\?.\?.\?.\?.\?.\?.\?.\?\B8|\B9.\?.\?.\?.\?.\?.\?.\?.\?\B9|\BA.\?.\?.\?.\?.\?.\?.\?.\?\BA|\BB.\?.\?.\?.\?.\?.\?.\?.\?\BB|\BC.\?.\?.\?.\?.\?.\?.\?.\?\BC|\BD.\?.\?.\?.\?.\?.\?.\?.\?\BD|\BE.\?.\?.\?.\?.\?.\?.\?.\?\BE|\BF.\?.\?.\?.\?.\?.\?.\?.\?\BF|\C0.\?.\?.\?.\?.\?.\?.\?.\?\C0|\C1.\?.\?.\?.\?.\?.\?.\?.\?\C1|\C2.\?.\?.\?.\?.\?.\?.\?.\?\C2|\C3.\?.\?.\?.\?.\?.\?.\?.\?\C3|\C4.\?.\?.\?.\?.\?.\?.\?.\?\C4|\C5.\?.\?.\?.\?.\?.\?.\?.\?\C5|\C6.\?.\?.\?.\?.\?.\?.\?.\?\C6|\C7.\?.\?.\?.\?.\?.\?.\?.\?\C7|\C8.\?.\?.\?.\?.\?.\?.\?.\?\C8|\C9.\?.\?.\?.\?.\?.\?.\?.\?\C9|\CA.\?.\?.\?.\?.\?.\?.\?.\?\CA|\CB.\?.\?.\?.\?.\?.\?.\?.\?\CB|\CC.\?.\?.\?.\?.\?.\?.\?.\?\CC|\CD.\?.\?.\?.\?.\?.\?.\?.\?\CD|\CE.\?.\?.\?.\?.\?.\?.\?.\?\CE|\CF.\?.\?.\?.\?.\?.\?.\?.\?\CF|\D0.\?.\?.\?.\?.\?.\?.\?.\?\D0|\D1.\?.\?.\?.\?.\?.\?.\?.\?\D1|\D2.\?.\?.\?.\?.\?.\?.\?.\?\D2|\D3.\?.\?.\?.\?.\?.\?.\?.\?\D3|\D4.\?.\?.\?.\?.\?.\?.\?.\?\D4|\D5.\?.\?.\?.\?.\?.\?.\?.\?\D5|\D6.\?.\?.\?.\?.\?.\?.\?.\?\D6|\D7.\?.\?.\?.\?.\?.\?.\?.\?\D7|\D8.\?.\?.\?.\?.\?.\?.\?.\?\D8|\D9.\?.\?.\?.\?.\?.\?.\?.\?\D9|\DA.\?.\?.\?.\?.\?.\?.\?.\?\DA|\DB.\?.\?.\?.\?.\?.\?.\?.\?\DB|\DC.\?.\?.\?.\?.\?.\?.\?.\?\DC|\DD.\?.\?.\?.\?.\?.\?.\?.\?\DD|\DE.\?.\?.\?.\?.\?.\?.\?.\?\DE|\DF.\?.\?.\?.\?.\?.\?.\?.\?\DF|\E0.\?.\?.\?.\?.\?.\?.\?.\?\E0|\E1.\?.\?.\?.\?.\?.\?.\?.\?\E1|\E2.\?.\?.\?.\?.\?.\?.\?.\?\E2|\E3.\?.\?.\?.\?.\?.\?.\?.\?\E3|\E4.\?.\?.\?.\?.\?.\?.\?.\?\E4|\E5.\?.\?.\?.\?.\?.\?.\?.\?\E5|\E6.\?.\?.\?.\?.\?.\?.\?.\?\E6|\E7.\?.\?.\?.\?.\?.\?.\?.\?\E7|\E8.\?.\?.\?.\?.\?.\?.\?.\?\E8|\E9.\?.\?.\?.\?.\?.\?.\?.\?\E9|\EA.\?.\?.\?.\?.\?.\?.\?.\?\EA|\EB.\?.\?.\?.\?.\?.\?.\?.\?\EB|\EC.\?.\?.\?.\?.\?.\?.\?.\?\EC|\ED.\?.\?.\?.\?.\?.\?.\?.\?\ED|\EE.\?.\?.\?.\?.\?.\?.\?.\?\EE|\EF.\?.\?.\?.\?.\?.\?.\?.\?\EF|\F0.\?.\?.\?.\?.\?.\?.\?.\?\F0|\F1.\?.\?.\?.\?.\?.\?.\?.\?\F1|\F2.\?.\?.\?.\?.\?.\?.\?.\?\F2|\F3.\?.\?.\?.\?.\?.\?.\?.\?\F3|\F4.\?.\?.\?.\?.\?.\?.\?.\?\F4|\F5.\?.\?.\?.\?.\?.\?.\?.\?\F5|\F6.\?.\?.\?.\?.\?.\?.\?.\?\F6|\F7.\?.\?.\?.\?.\?.\?.\?.\?\F7|\F8.\?.\?.\?.\?.\?.\?.\?.\?\F8|\F9.\?.\?.\?.\?.\?.\?.\?.\?\F9|\FA.\?.\?.\?.\?.\?.\?.\?.\?\FA|\FB.\?.\?.\?.\?.\?.\?.\?.\?\FB|\FC.\?.\?.\?.\?.\?.\?.\?.\?\FC|\FD.\?.\?.\?.\?.\?.\?.\?.\?\FD|\FE.\?.\?.\?.\?.\?.\?.\?.\?\FE|\FF.\?.\?.\?.\?.\?.\?.\?.\?\FF)" }
:if ([:len ] > 0) do={ :put "already have skypetoskype" } else={ add name=skypetoskype regexp="^..\02............." }
:if ([:len ] > 0) do={ :put "already have counterstrike-source" } else={ add name=counterstrike-source regexp="^\FF\FF\FF\FF.*cstrikeCounter-Strike" }
:if ([:len ] > 0) do={ :put "already have halflife2-deathmatch" } else={ add name=halflife2-deathmatch regexp="^\FF\FF\FF\FF.*hl2mpDeathmatch" }
:if ([:len ] > 0) do={ :put "already have freenet" } else={ add name=freenet regexp="^\01[\08\09][\03\04]" }
:if ([:len ] > 0) do={ :put "already have battlefield2" } else={ add name=battlefield2 regexp="^(\11\20\01...\?\11|\FE\FD.\?.\?.\?.\?.\?.\?(\14\01\06|\FF\FF\FF))|[]\01].\?battlefield2" }
:if ([:len ] > 0) do={ :put "already have napster" } else={ add name=napster regexp="^(.[\02\06][!-~]+ [!-~]+ \?\?\?\? \"[\09-\0D -~]+\" (|10)|1(send|get)[!-~]+ \"[\09-\0D -~]+\")" }
:if ([:len ] > 0) do={ :put "already have soulseek" } else={ add name=soulseek regexp="^(\05..\?|.\01.[ -~]+\01F..\?.\?.\?.\?.\?.\?.\?)\$" }
:if ([:len ] > 0) do={ :put "already have xunlei" } else={ add name=xunlei regexp="^[()]...\?.\?.\?(reg|get|query)" }
:if ([:len ] > 0) do={ :put "already have ssl" } else={ add name=ssl regexp="^(.\?.\?\16\03.*\16\03|.\?.\?\01\03\01\?.*\0B)" }
:if ([:len ] > 0) do={ :put "already have citrix" } else={ add name=citrix regexp="\32\26\85\92\58" }
:if ([:len ] > 0) do={ :put "already have whois" } else={ add name=whois regexp="^[ !-~]+\0D\0A\$" }
:if ([:len ] > 0) do={ :put "already have dayofdefeat-source" } else={ add name=dayofdefeat-source regexp="^\FF\FF\FF\FF.*dodDay of Defeat" }
:if ([:len ] > 0) do={ :put "already have teamspeak" } else={ add name=teamspeak regexp="^\F4\BE\03.*teamspeak" }
:if ([:len ] > 0) do={ :put "already have worldofwarcraft" } else={ add name=worldofwarcraft regexp="^\06\EC\01" }
:if ([:len ] > 0) do={ :put "already have ventrilo" } else={ add name=ventrilo regexp="^..\?v\\\$\CF" }
:if ([:len ] > 0) do={ :put "already have http-rtsp" } else={ add name=http-rtsp regexp="^(get[\09-\0D -~]* Accept: application/x-rtsp-tunnelled|http/(0\\.9|1\\.0|1\\.1) [\09-\0D -~]*a=control:rtsp://)" }
:if ([:len ] > 0) do={ :put "already have thecircle" } else={ add name=thecircle regexp="^t\03ni.\?[\01-\06]\?t[\01-\05]s[\0A\0B](glob|who are you\$|query data)" }
:if ([:len ] > 0) do={ :put "already have uucp" } else={ add name=uucp regexp="^\10here=" }
:if ([:len ] > 0) do={ :put "already have pcanywhere" } else={ add name=pcanywhere regexp="^(nq|st)\$" }
:if ([:len ] > 0) do={ :put "already have subversion" } else={ add name=subversion regexp="^\\( success \\( 1 2 \\(" }
:if ([:len ] > 0) do={ :put "already have imesh" } else={ add name=imesh regexp="^(post[\09-\0D -~]*<PasswordHash>................................</PasswordHash><ClientVer>|\34\80\?\0D\?\FC\FF\04|get[\09-\0D -~]*Host: imsh\\.download-prod\\.musicnet\\.com|\02(\01|\02)\83.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?\02(\01|\02)\83)" }
:if ([:len ] > 0) do={ :put "already have cimd" } else={ add name=cimd regexp="\02:+.*\03\$" }
:if ([:len ] > 0) do={ :put "already have mohaa" } else={ add name=mohaa regexp="^\FF\FF\FF\FFgetstatus\0A" }
:if ([:len ] > 0) do={ :put "already have stun" } else={ add name=stun regexp="^[\01\02]................\?\$" }
:if ([:len ] > 0) do={ :put "already have tor" } else={ add name=tor regexp="TOR1.*<identity>" }
:if ([:len ] > 0) do={ :put "already have radmin" } else={ add name=radmin regexp="^\01\01(\08\08|\1B\1B)\$" }
:if ([:len ] > 0) do={ :put "already have unset" } else={ add name=unset regexp="." }
:if ([:len ] > 0) do={ :put "already have chikka" } else={ add name=chikka regexp="^CTPv1. Kamusta.*\0D\0A\$" }
:if ([:len ] > 0) do={ :put "already have replaytv-ivs" } else={ add name=replaytv-ivs regexp="^(get /ivs-IVSGetFileChunk|http/(0\\.9|1\\.0|1\\.1) [\09-\0D -~]*\23\23\23\23\23REPLAY_CHUNK_START\23\23\23\23\23)" }
:if ([:len ] > 0) do={ :put "already have armagetron" } else={ add name=armagetron regexp="YCLC_E|CYEL" }

迅雷好像有问题，不知道那位有修正下！！！

[ 本帖最后由 wbyz20 于 2008-4-1 14:23 编辑 ]

wbyz20 发表于 2008-4-1 14:14:13

QQ也有问题我用的是2008。模版是：^.?.+$
酷狗是：\x64.+\x74\x47\x50\x37
不要让我贴沉了，大家一起交流下，L7还可以做很多策略路由，我每天都在官方论坛上逛。

[ 本帖最后由 wbyz20 于 2008-4-1 14:15 编辑 ]

wbyz20 发表于 2008-4-1 14:35:43

下面这些模版是：EXE：\x4d\x5a(\x90\x03|\x50\x02)\x04
                           Flash：FLV = [\x01-\x09]|FLV\x01\x05\x09
                           GIF ：GIF8(7|9)a
                        HTML：<html.*><head>
                           JPEG：\xff\xd8
                        MP3：\x49\x44\x33\x03
                        0GG:oggs.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?\x01vorbis
                        PDF:%PDF-1\.
                        RAR:rar\x21\x1a\x07
                     ZIP:pk\x03\x04\x14

wbyz20 发表于 2008-4-1 14:49:27

下面是：病毒L7模版：
Nimda：GET (/scripts/root\.exe\?/c\+dir|/MSADC/root\.exe\?/c\+dir|/c/winnt/system32/cmd\.exe\?/c\+dir|/d/
winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/_vti_bin/
\.\.%5c\.\./\.\.%5c\.\./\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/_mem_bin/\.\.%5c\.\./\.\.%5c
\.\./\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/msadc/\.\.%5c\.\./\.\.%5c\.\./\.\.%5c/\.\.\xc1\
x1c\.\./\.\.\xc1\x1c\.\./\.\.\xc1\x1c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc1\x1c\.
\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc0/\.\./winnt/system32/cmd\.exe\?/c\+dir|/scrip
ts/\.\.\xc0\xaf\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc1\x9c\.\./winnt/system32/cmd\
.exe\?/c\+dir|/scripts/\.\.%35c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%35c\.\./winnt/sy
stem32/cmd\.exe\?/c\+dir|/scripts/\.\.%5c\.\./winnt/system32/cmd\.exe\?/c\+dir|/scripts/\.\.%2f\.\.
/winnt/system32/cmd\.exe\?/c\+dir)
CodeRed： [/]default[.]ida[?]+%u

wbyz20 发表于 2008-4-1 14:51:19

怎么样写L7的正规表达式：
L7-filter Pattern Writing HOWTOIt's fairly easy to add support for more protocols to l7-filter.Allyou need to do is add a new pattern file to/etc/l7-protocols.This directory and its subdirectoriesare searched (non-recursively) for pattern files. (Thus, it will find/etc/l7-protocols/http.pat and/etc/l7-protocols/protocols/http.pat, but not/etc/l7-protocols/foo/bar/http.pat.)Please considersubmitting any patterns you write for inclusion into the officialdistribution.
File formatBasic formatThe basic format is very simple:
[*]The name of the protocol on one line[*]A regular expression defining the protocol on the next line (see regular expressions below)The name of the file must match the name of the protocol.(If theprotocol is "ftp", the file must be "ftp.pat".) Lines starting with '#'and blank lines are ignored.Both the kerneland userspace versions of l7-filter willuse the given regular expression. For example, vnc.pat could be:
vnc
^rfb 00\.00\x0a$
Defining a separate userspace patternSometimes it will be desirable to define a separate regularexpression for the kernel and userspace versions or to pass a custom setof flags to the userspace version's regcomp/regexec.(See regular expressions below for why.) In this case, addeither or both of these lines after the two above:
userspace pattern=<userspace pattern>
userspace flags=<regexec and/or regcomp flags, whitespace delimited>
For example, smtp.pat could be:
smtp
^220[\x09-\x0d -~]* (e?smtp|simple mail)
userspace pattern=^220[\x09-\x0d -~]* (E?SMTP|imple ail)
userspace flags=REG_NOSUB REG_EXTENDED
Meta-dataPattern files that are part of the official distribution need somemetadata at the top for display on the webpageand for the use of frontends. The top four lines should look likethis:
# <;Protocol name and some concise detail about the protocol>
# Pattern attributes: *
# Protocol groups: *
# Wiki: *
"Pattern attributes" give information about how good the pattern ison various scales.Attribute words can be any of undermatch,overmatch, superset, subset, great,good, ok, marginal, poor, veryfast,fast, nosofast, or slow.Any number of these maybe used. They are defined on the protocolspage.
"Protocol groups" are supposed to give frontends a way to groupsimilar protocols.Group names can be whatever you like, but shouldmatch existing names if possible.Any number may be used.Morerelevant groups should be listed first for sorting purposes. Group namesin use as of 2007-01-14 are:
[*]chat[*]document_retrieval[*]file[*]game[*]ietf_draft_standard[*]ietf_internet_standard[*]ietf_proposed_standard[*]ietf_rfc_documented[*]mail[*]monitoring[*]networking[*]obsolete[*]open_source[*]p2p[*]printer[*]proprietary[*]remote_access[*]secure[*]streaming_audio[*]streaming_video[*]time_synchronization[*]version_control[*]voip[*]worm[*]x_consortium_standard"Wiki" gives zero or more links to pagesdocumenting the pattern and other methods of identifying the protocol onprotocolinfo.org.
Regular expressionsThe kernel and userspace versions of l7-filter use differentregular expressions libraries.They use generally the same syntax, but have some differences.
General informationBecause patterns frequently need to use non-printable characters,both versions of l7-filter add perl-stylehex matching on top of their stock libraries.This uses \xHHnotation, so to match a tab, use "\x09".Note that regexpcontrol characters are still control characters evenwhen written in hex:
\x24 == $    \x28 == (
\x29 == )    \x2a == *
\x2b == +    \x2e == .
\x3f == ?    \x5b == [
\x5c == \    \x5d == ]
\x5e == ^    \x7b == { (only a control character for the userspace version)
\x7c == |    \x7d == } (only a control character for the userspace version)
Both versions of l7-filter strip out the nulls (\x00 bytes) fromnetwork data so that they can treat it as normal C strings.So (1) youcan't match on nulls and (2) fields may appear shorter than expected. For example, if a protocol has a 4 byte field and any of those bytes canbe null, it can appear to be any length from 0 to 4.
Kernel versionThe kernel version of l7-filter uses Henry Spencer's 1987implementation of Version 8 regularexpressions ("V8 regexps"), with a few modifications, noted here. V8 regexps are likely more limited than the regexps you are used to.Notably, you cannot use bounds ("foo{3}"),character classes ("[[:punct:]]") or backreferences.
Because this library does not have a flag for case-sensitivity, thekernel version of l7-filter is always case insensitive.Upper case inpatterns is identical to lower case.(This is true even if you write anuppercase letter in hex!)
The kernel version completely ignores any lines in the pattern fileafter the second non-comment line.
Userspace versionThe userspace version of l7-filter uses the GNU regular expression library, so its behaviour should bemore familiar.This library is documented in man 3 regcomp andman 7 regex.
If only one regular expression is specified in the pattern file (seefile format above), the userspace versioncompiles it with the flags REG_EXTENDED | REG_ICASE |REG_NOSUB and executes it with no flags.
If the userspace pattern and userspaceflags lines are given, the userspace pattern will be used insteadof the first one.It will be compiled and executed with the given flags.(l7-filter will sort out which flags go to regcomp and which toregexec.)
If only the userspace pattern line is given, theuserspace pattern will be compiled with REG_EXTENDED | REG_ICASE |REG_NOSUB and executed with no flags.If only theuserspace flags line is given, the single regularexpression will be compiled and executed with the given flags.
What l7-filter sees and doesIf you have set up your iptables rules correctly (see the HOWTO), l7-filter sees the data going in bothdirections in the order that it passes through the computer. Forinstance, in FTP, the firstthing it sees is "221 server ready", then "USER bob", then "331 sendpassword", then "PASS frogbeard", and so on.
l7-filter can match across packets.For instance, with the above FTPexample, the match is first attempted on "221 server ready", then on"221 server readyUser bob", then "221 server readyUSER bob331 sendpassword", so you could match it with"220.*user.*331".At each match attempt, the regexpspecial character ^ will match the beginning of the streamand $ will match the end of the last packet seen so far. Because the Linux kernel's ip_conntrack module tracks connectionlessUDP and ICMP sessions as"connections", this works with them as well as TCP.
Usually the identifying characteristics of a connection are found atthe beginning of that connection.For this reason, and to saveprocessing time, l7-filter only looks at the first 10 packets or 2kB of each connection, whichever is smaller. Any match made within this time is applied to the rest of the connectionas well.
1Yes, there should be CRLFs in there.Picky, picky.

What makes a good patternThere are two general guidelines:
1) A pattern must be neither too specific nor not specific enough.
Example 1: The pattern "bear" for Bearshare is notspecific enough.This pattern could match a wide variety ofnon-Bearshare connections.For instance, an HTTP request for http://bear.com would bematched.
Example 2: "220 .*ftp.*(\[.*\]|$.*$)" for FTP is toospecific.Not all servers send ()s or []s after their 220.In fact,servers are not even required to send the string "ftp" at any time, butthe vast majority do.Good judgement and testing are necessary forinstances such as this.
2) It should use a minimum of processing power.If it's possible toreduce the number of instances of *, + and| in your pattern, you should do so.Use the performancetesting program included in the patterns package.
3) It should complete its match on the earliest packet possible.TheFTP pattern could be "^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d-~]*\x0d\x0a331", but that won't match until the third datapacket.Instead, we use "^220[\x09-\x0d -~]*ftp", whichmatches on the first data packet.
Miscellaneous tips[\x09-\x0d -~] == printable characters, including whitespace
[\x09-\x0d ] == any whitespace
[!-~] == non-whitespace printable characters
Recommended procedure for writing patterns[*]Find and read the spec for the protocol you wish to match.If it'san Internet standard, RFCs are agood place to start, although not all standards are RFCs.If it is aproprietary protocol, it is likely that someone has written areverse-engineered spec for it. Do a general web search to find it. Skipping this step is a good way to write patterns that are overlyspecific![*]Use something like Wireshark(formerly known as Ethereal) to watch packets of this protocol go by ina typical session of its use.(If you failed to find a spec for yourprotocol, but Wireshark can parse it, reading the Wireshark source codemay also be worth your time.)[*]Write a pattern that will reliably match one of the first few packetsthat are sent in your protocol.Test it.Test its performance.[*]Send your pattern to l7-filter-developers{/-\T}lists*sf*net for itto be incorporated into the official pattern definitions (youmust subscribefirst).HOWTO send a packet dump to the mailing listIf you do not feel that you are able to do all of the above yourself,you may want to send some packets you have captured to the mailing listso that others can do the rest.In order for this to be useful, pleasefollow these guidelines:
[*]If you have never done anything like this before, use Wireshark.It's easy to use andavailable for GNU/Linux, Mac and Windows (and FreeBSD, HP-UX, NetBSD, Solaris...).Use File→Save to save thecaptured packets.[*]Make sure that you start capturing packets before the applicationthat you are testing has started using the network.l7-filter looks atthe opening packets of a connection.If these are not present in thepacket dump, it is useless.[*]If it makes sense for the protocol in question, send a recognizabletext string so that the relevant connection can be found in the packetdump.For instance, if testing an instant messenger, send a messagewith "hello hello hello."[*]Along with your capture, send us anything that could be helpful inpicking out the relevant data.For example, this could include theserver's IP address, what networkoperations you performed, the version numbers of all software used, anystrings you expect to appear in the packets (such as instant messengertext, e-mail addresses, gaming handles, etc.), etc.[*]Try not to capture an excessive number of packets.In particular:[*]Avoid having other programs use the network during your capture.Assuming their traffic is recognizable, the excess packets can befiltered out, but it's annoying.[*]Avoid sending captures that have many thousands of packets from thesame connection.All but the first few are useless.[*]However, if you are not sure when the applicationopens connections, or if it opens many simultaneous connections, itmight be necessary to send a large number of packets.This is ok.[*]Send the packets in libpcap format or something else that Wireshark can read.Do not:[*]send only a text hexdump of the packets.This is unnecessarily    hard to read.[*]send only the data portion of the packets.The TCP headers    in particular are essential for finding streams.You may       anonymize addresses if necessary, but try to avoid it.[*]compress the captured packets with anything other than gzip or    bzip2.No compression is needed unless the file is very large.If you aren't sure how to follow these guidelines, try your best andsend the result to us.If it's wrong, we'll be happy to tell you how tofix it.

[ 本帖最后由 wbyz20 于 2008-4-1 14:54 编辑 ]

专卖精品 发表于 2008-4-1 14:57:14

似乎从官方下载的脚本倒入后会乱码

wbyz20 发表于 2008-4-1 15:04:49

个别是有乱码，手动改一下。就行了

小菜.net 发表于 2008-4-1 15:09:35

第一份转贴吧？？“打造”可不能随便说。

给大家一个地址吧
http://wiki.mikrotik.com/wiki/L7

小菜.net 发表于 2008-4-1 15:09:57

http://l7-filter.sourceforge.net/protocols

小菜.net 发表于 2008-4-1 15:14:36

原帖由专卖精品于 2008-4-1 14:57 发表 http://bbs.routerclub.com/images/common/back.gif
似乎从官方下载的脚本倒入后会乱码

在winbox上看到的是乱码，因为正则表达式里面使用了很多\x转义。

在提示符状态下print一下，就是正常的正则表达试源码。

马甲发表于 2008-10-11 21:37:52

这帖子标题很有来头:)

nhzzljp 发表于 2008-10-13 10:59:50

不懂，3.Ｘ　好用吗？？

cpanda 发表于 2008-10-13 11:40:19

学习了，3.x的还没机会用，先备着

jesse 发表于 2008-10-13 23:24:47

RouterOS 使用的是普通正则表达式，而L7-filter项目里使用的是Perl正则表达式，不能从L7-filter里直接导入到RouterOS中的

cracks 发表于 2008-10-16 09:12:32

:if ([:len ] > 0) do={ :put "already have skypeout" } else={ add name=skypeout regexp="^(\01.\?.\?.\?.\?.\?.\?.\?.\?\01|\02.\?.\?.\?.\?.\?.\?.\?.\?\02|\03.\?.\?.\?.\?.\?.\?.\?.\?\03|\04.\?.\?.\?.\?.\?.\?.\?.\?\04|\05.\?.\?.\?.\?.\?.\?.\?.\?\05|\06.\?.\?.\?.\?.\?.\?.\?.\?\06|\07.\?.\?.\?.\?.\?.\?.\?.\?\07|\08.\?.\?.\?.\?.\?.\?.\?.\?\08|\09.\?.\?.\?.\?.\?.\?.\?.\?\09|\0A.\?.\?.\?.\?.\?.\?.\?.\?\0A|\0B.\?.\?.\?.\?.\?.\?.\?.\?\0B|\0C.\?.\?.\?.\?.\?.\?.\?.\?\0C|\0D.\?.\?.\?.\?.\?.\?.\?.\?\0D|\0E.\?.\?.\?.\?.\?.\?.\?.\?\0E|\0F.\?.\?.\?.\?.\?.\?.\?.\?\0F|\10.\?.\?.\?.\?.\?.\?.\?.\?\10|\11.\?.\?.\?.\?.\?.\?.\?.\?\11|\12.\?.\?.\?.\?.\?.\?.\?.\?\12|\13.\?.\?.\?.\?.\?.\?.\?.\?\13|\14.\?.\?.\?.\?.\?.\?.\?.\?\14|\15.\?.\?.\?.\?.\?.\?.\?.\?\15|\16.\?.\?.\?.\?.\?.\?.\?.\?\16|\17.\?.\?.\?.\?.\?.\?.\?.\?\17|\18.\?.\?.\?.\?.\?.\?.\?.\?\18|\19.\?.\?.\?.\?.\?.\?.\?.\?\19|\1A.\?.\?.\?.\?.\?.\?.\?.\?\1A|\1B.\?.\?.\?.\?.\?.\?.\?.\?\1B|\1C.\?.\?.\?.\?.\?.\?.\?.\?\1C|\1D.\?.\?.\?.\?.\?.\?.\?.\?\1D|\1E.\?.\?.\?.\?.\?.\?.\?.\?\1E|\1F.\?.\?.\?.\?.\?.\?.\?.\?\1F|\20.\?.\?.\?.\?.\?.\?.\?.\?\20|\21.\?.\?.\?.\?.\?.\?.\?.\?\21|\22.\?.\?.\?.\?.\?.\?.\?.\?\22|\23.\?.\?.\?.\?.\?.\?.\?.\?\23|\\\$.\?.\?.\?.\?.\?.\?.\?.\?\\\$|\25.\?.\?.\?.\?.\?.\?.\?.\?\25|\26.\?.\?.\?.\?.\?.\?.\?.\?\26|\27.\?.\?.\?.\?.\?.\?.\?.\?\27|\$.\?.\?.\?.\?.\?.\?.\?.\?\\(|\$.\?.\?.\?.\?.\?.\?.\?.\?\\)|\\*.\?.\?.\?.\?.\?.\?.\?.\?\\*|\\+.\?.\?.\?.\?.\?.\?.\?.\?\\+|\2C.\?.\?.\?.\?.\?.\?.\?.\?\2C|\2D.\?.\?.\?.\?.\?.\?.\?.\?\2D|\\..\?.\?.\?.\?.\?.\?.\?.\?\\.|\2F.\?.\?.\?.\?.\?.\?.\?.\?\2F|\30.\?.\?.\?.\?.\?.\?.\?.\?\30|\31.\?.\?.\?.\?.\?.\?.\?.\?\31|\32.\?.\?.\?.\?.\?.\?.\?.\?\32|\33.\?.\?.\?.\?.\?.\?.\?.\?\33|\34.\?.\?.\?.\?.\?.\?.\?.\?\34|\35.\?.\?.\?.\?.\?.\?.\?.\?\35|\36.\?.\?.\?.\?.\?.\?.\?.\?\36|\37.\?.\?.\?.\?.\?.\?.\?.\?\37|\38.\?.\?.\?.\?.\?.\?.\?.\?\38|\39.\?.\?.\?.\?.\?.\?.\?.\?\39|\3A.\?.\?.\?.\?.\?.\?.\?.\?\3A|\3B.\?.\?.\?.\?.\?.\?.\?.\?\3B|\3C.\?.\?.\?.\?.\?.\?.\?.\?\3C|\3D.\?.\?.\?.\?.\?.\?.\?.\?\3D|\3E.\?.\?.\?.\?.\?.\?.\?.\?\3E|\\\?.\?.\?.\?.\?.\?.\?.\?.\?\\\?|\40.\?.\?.\?.\?.\?.\?.\?.\?\40|\41.\?.\?.\?.\?.\?.\?.\?.\?\41|\42.\?.\?.\?.\?.\?.\?.\?.\?\42|\43.\?.\?.\?.\?.\?.\?.\?.\?\43|\44.\?.\?.\?.\?.\?.\?.\?.\?\44|\45.\?.\?.\?.\?.\?.\?.\?.\?\45|\46.\?.\?.\?.\?.\?.\?.\?.\?\46|\47.\?.\?.\?.\?.\?.\?.\?.\?\47|\48.\?.\?.\?.\?.\?.\?.\?.\?\48|\49.\?.\?.\?.\?.\?.\?.\?.\?\49|\4A.\?.\?.\?.\?.\?.\?.\?.\?\4A|\4B.\?.\?.\?.\?.\?.\?.\?.\?\4B|\4C.\?.\?.\?.\?.\?.\?.\?.\?\4C|\4D.\?.\?.\?.\?.\?.\?.\?.\?\4D|\4E.\?.\?.\?.\?.\?.\?.\?.\?\4E|\4F.\?.\?.\?.\?.\?.\?.\?.\?\4F|\50.\?.\?.\?.\?.\?.\?.\?.\?\50|\51.\?.\?.\?.\?.\?.\?.\?.\?\51|\52.\?.\?.\?.\?.\?.\?.\?.\?\52|\53.\?.\?.\?.\?.\?.\?.\?.\?\53|\54.\?.\?.\?.\?.\?.\?.\?.\?\54|\55.\?.\?.\?.\?.\?.\?.\?.\?\55|\56.\?.\?.\?.\?.\?.\?.\?.\?\56|\57.\?.\?.\?.\?.\?.\?.\?.\?\57|\58.\?.\?.\?.\?.\?.\?.\?.\?\58|\59.\?.\?.\?.\?.\?.\?.\?.\?\59|\5A.\?.\?.\?.\?.\?.\?.\?.\?\5A|\\[.\?.\?.\?.\?.\?.\?.\?.\?\\[|\\].\?.\?.\?.\?.\?.\?.\?.\?\\]|\\].\?.\?.\?.\?.\?.\?.\?.\?\\]|\\^.\?.\?.\?.\?.\?.\?.\?.\?\\^|\5F.\?.\?.\?.\?.\?.\?.\?.\?\5F|\60.\?.\?.\?.\?.\?.\?.\?.\?\60|\61.\?.\?.\?.\?.\?.\?.\?.\?\61|\62.\?.\?.\?.\?.\?.\?.\?.\?\62|\63.\?.\?.\?.\?.\?.\?.\?.\?\63|\64.\?.\?.\?.\?.\?.\?.\?.\?\64|\65.\?.\?.\?.\?.\?.\?.\?.\?\65|\66.\?.\?.\?.\?.\?.\?.\?.\?\66|\67.\?.\?.\?.\?.\?.\?.\?.\?\67|\68.\?.\?.\?.\?.\?.\?.\?.\?\68|\69.\?.\?.\?.\?.\?.\?.\?.\?\69|\6A.\?.\?.\?.\?.\?.\?.\?.\?\6A|\6B.\?.\?.\?.\?.\?.\?.\?.\?\6B|\6C.\?.\?.\?.\?.\?.\?.\?.\?\6C|\6D.\?.\?.\?.\?.\?.\?.\?.\?\6D|\6E.\?.\?.\?.\?.\?.\?.\?.\?\6E|\6F.\?.\?.\?.\?.\?.\?.\?.\?\6F|\70.\?.\?.\?.\?.\?.\?.\?.\?\70|\71.\?.\?.\?.\?.\?.\?.\?.\?\71|\72.\?.\?.\?.\?.\?.\?.\?.\?\72|\73.\?.\?.\?.\?.\?.\?.\?.\?\73|\74.\?.\?.\?.\?.\?.\?.\?.\?\74|\75.\?.\?.\?.\?.\?.\?.\?.\?\75|\76.\?.\?.\?.\?.\?.\?.\?.\?\76|\77.\?.\?.\?.\?.\?.\?.\?.\?\77|\78.\?.\?.\?.\?.\?.\?.\?.\?\78|\79.\?.\?.\?.\?.\?.\?.\?.\?\79|\7A.\?.\?.\?.\?.\?.\?.\?.\?\7A|\\{.\?.\?.\?.\?.\?.\?.\?.\?\\{|\\|.\?.\?.\?.\?.\?.\?.\?.\?\\||\\}.\?.\?.\?.\?.\?.\?.\?.\?\\}|\7E.\?.\?.\?.\?.\?.\?.\?.\?\7E|\7F.\?.\?.\?.\?.\?.\?.\?.\?\7F|\80.\?.\?.\?.\?.\?.\?.\?.\?\80|\81.\?.\?.\?.\?.\?.\?.\?.\?\81|\82.\?.\?.\?.\?.\?.\?.\?.\?\82|\83.\?.\?.\?.\?.\?.\?.\?.\?\83|\84.\?.\?.\?.\?.\?.\?.\?.\?\84|\85.\?.\?.\?.\?.\?.\?.\?.\?\85|\86.\?.\?.\?.\?.\?.\?.\?.\?\86|\87.\?.\?.\?.\?.\?.\?.\?.\?\87|\88.\?.\?.\?.\?.\?.\?.\?.\?\88|\89.\?.\?.\?.\?.\?.\?.\?.\?\89|\8A.\?.\?.\?.\?.\?.\?.\?.\?\8A|\8B.\?.\?.\?.\?.\?.\?.\?.\?\8B|\8C.\?.\?.\?.\?.\?.\?.\?.\?\8C|\8D.\?.\?.\?.\?.\?.\?.\?.\?\8D|\8E.\?.\?.\?.\?.\?.\?.\?.\?\8E|\8F.\?.\?.\?.\?.\?.\?.\?.\?\8F|\90.\?.\?.\?.\?.\?.\?.\?.\?\90|\91.\?.\?.\?.\?.\?.\?.\?.\?\91|\92.\?.\?.\?.\?.\?.\?.\?.\?\92|\93.\?.\?.\?.\?.\?.\?.\?.\?\93|\94.\?.\?.\?.\?.\?.\?.\?.\?\94|\95.\?.\?.\?.\?.\?.\?.\?.\?\95|\96.\?.\?.\?.\?.\?.\?.\?.\?\96|\97.\?.\?.\?.\?.\?.\?.\?.\?\97|\98.\?.\?.\?.\?.\?.\?.\?.\?\98|\99.\?.\?.\?.\?.\?.\?.\?.\?\99|\9A.\?.\?.\?.\?.\?.\?.\?.\?\9A|\9B.\?.\?.\?.\?.\?.\?.\?.\?\9B|\9C.\?.\?.\?.\?.\?.\?.\?.\?\9C|\9D.\?.\?.\?.\?.\?.\?.\?.\?\9D|\9E.\?.\?.\?.\?.\?.\?.\?.\?\9E|\9F.\?.\?.\?.\?.\?.\?.\?.\?\9F|\A0.\?.\?.\?.\?.\?.\?.\?.\?\A0|\A1.\?.\?.\?.\?.\?.\?.\?.\?\A1|\A2.\?.\?.\?.\?.\?.\?.\?.\?\A2|\A3.\?.\?.\?.\?.\?.\?.\?.\?\A3|\A4.\?.\?.\?.\?.\?.\?.\?.\?\A4|\A5.\?.\?.\?.\?.\?.\?.\?.\?\A5|\A6.\?.\?.\?.\?.\?.\?.\?.\?\A6|\A7.\?.\?.\?.\?.\?.\?.\?.\?\A7|\A8.\?.\?.\?.\?.\?.\?.\?.\?\A8|\A9.\?.\?.\?.\?.\?.\?.\?.\?\A9|\AA.\?.\?.\?.\?.\?.\?.\?.\?\AA|\AB.\?.\?.\?.\?.\?.\?.\?.\?\AB|\AC.\?.\?.\?.\?.\?.\?.\?.\?\AC|\AD.\?.\?.\?.\?.\?.\?.\?.\?\AD|\AE.\?.\?.\?.\?.\?.\?.\?.\?\AE|\AF.\?.\?.\?.\?.\?.\?.\?.\?\AF|\B0.\?.\?.\?.\?.\?.\?.\?.\?\B0|\B1.\?.\?.\?.\?.\?.\?.\?.\?\B1|\B2.\?.\?.\?.\?.\?.\?.\?.\?\B2|\B3.\?.\?.\?.\?.\?.\?.\?.\?\B3|\B4.\?.\?.\?.\?.\?.\?.\?.\?\B4|\B5.\?.\?.\?.\?.\?.\?.\?.\?\B5|\B6.\?.\?.\?.\?.\?.\?.\?.\?\B6|\B7.\?.\?.\?.\?.\?.\?.\?.\?\B7|\B8.\?.\?.\?.\?.\?.\?.\?.\?\B8|\B9.\?.\?.\?.\?.\?.\?.\?.\?\B9|\BA.\?.\?.\?.\?.\?.\?.\?.\?\BA|\BB.\?.\?.\?.\?.\?.\?.\?.\?\BB|\BC.\?.\?.\?.\?.\?.\?.\?.\?\BC|\BD.\?.\?.\?.\?.\?.\?.\?.\?\BD|\BE.\?.\?.\?.\?.\?.\?.\?.\?\BE|\BF.\?.\?.\?.\?.\?.\?.\?.\?\BF|\C0.\?.\?.\?.\?.\?.\?.\?.\?\C0|\C1.\?.\?.\?.\?.\?.\?.\?.\?\C1|\C2.\?.\?.\?.\?.\?.\?.\?.\?\C2|\C3.\?.\?.\?.\?.\?.\?.\?.\?\C3|\C4.\?.\?.\?.\?.\?.\?.\?.\?\C4|\C5.\?.\?.\?.\?.\?.\?.\?.\?\C5|\C6.\?.\?.\?.\?.\?.\?.\?.\?\C6|\C7.\?.\?.\?.\?.\?.\?.\?.\?\C7|\C8.\?.\?.\?.\?.\?.\?.\?.\?\C8|\C9.\?.\?.\?.\?.\?.\?.\?.\?\C9|\CA.\?.\?.\?.\?.\?.\?.\?.\?\CA|\CB.\?.\?.\?.\?.\?.\?.\?.\?\CB|\CC.\?.\?.\?.\?.\?.\?.\?.\?\CC|\CD.\?.\?.\?.\?.\?.\?.\?.\?\CD|\CE.\?.\?.\?.\?.\?.\?.\?.\?\CE|\CF.\?.\?.\?.\?.\?.\?.\?.\?\CF|\D0.\?.\?.\?.\?.\?.\?.\?.\?\D0|\D1.\?.\?.\?.\?.\?.\?.\?.\?\D1|\D2.\?.\?.\?.\?.\?.\?.\?.\?\D2|\D3.\?.\?.\?.\?.\?.\?.\?.\?\D3|\D4.\?.\?.\?.\?.\?.\?.\?.\?\D4|\D5.\?.\?.\?.\?.\?.\?.\?.\?\D5|\D6.\?.\?.\?.\?.\?.\?.\?.\?\D6|\D7.\?.\?.\?.\?.\?.\?.\?.\?\D7|\D8.\?.\?.\?.\?.\?.\?.\?.\?\D8|\D9.\?.\?.\?.\?.\?.\?.\?.\?\D9|\DA.\?.\?.\?.\?.\?.\?.\?.\?\DA|\DB.\?.\?.\?.\?.\?.\?.\?.\?\DB|\DC.\?.\?.\?.\?.\?.\?.\?.\?\DC|\DD.\?.\?.\?.\?.\?.\?.\?.\?\DD|\DE.\?.\?.\?.\?.\?.\?.\?.\?\DE|\DF.\?.\?.\?.\?.\?.\?.\?.\?\DF|\E0.\?.\?.\?.\?.\?.\?.\?.\?\E0|\E1.\?.\?.\?.\?.\?.\?.\?.\?\E1|\E2.\?.\?.\?.\?.\?.\?.\?.\?\E2|\E3.\?.\?.\?.\?.\?.\?.\?.\?\E3|\E4.\?.\?.\?.\?.\?.\?.\?.\?\E4|\E5.\?.\?.\?.\?.\?.\?.\?.\?\E5|\E6.\?.\?.\?.\?.\?.\?.\?.\?\E6|\E7.\?.\?.\?.\?.\?.\?.\?.\?\E7|\E8.\?.\?.\?.\?.\?.\?.\?.\?\E8|\E9.\?.\?.\?.\?.\?.\?.\?.\?\E9|\EA.\?.\?.\?.\?.\?.\?.\?.\?\EA|\EB.\?.\?.\?.\?.\?.\?.\?.\?\EB|\EC.\?.\?.\?.\?.\?.\?.\?.\?\EC|\ED.\?.\?.\?.\?.\?.\?.\?.\?\ED|\EE.\?.\?.\?.\?.\?.\?.\?.\?\EE|\EF.\?.\?.\?.\?.\?.\?.\?.\?\EF|\F0.\?.\?.\?.\?.\?.\?.\?.\?\F0|\F1.\?.\?.\?.\?.\?.\?.\?.\?\F1|\F2.\?.\?.\?.\?.\?.\?.\?.\?\F2|\F3.\?.\?.\?.\?.\?.\?.\?.\?\F3|\F4.\?.\?.\?.\?.\?.\?.\?.\?\F4|\F5.\?.\?.\?.\?.\?.\?.\?.\?\F5|\F6.\?.\?.\?.\?.\?.\?.\?.\?\F6|\F7.\?.\?.\?.\?.\?.\?.\?.\?\F7|\F8.\?.\?.\?.\?.\?.\?.\?.\?\F8|\F9.\?.\?.\?.\?.\?.\?.\?.\?\F9|\FA.\?.\?.\?.\?.\?.\?.\?.\?\FA|\FB.\?.\?.\?.\?.\?.\?.\?.\?\FB|\FC.\?.\?.\?.\?.\?.\?.\?.\?\FC|\FD.\?.\?.\?.\?.\?.\?.\?.\?\FD|\FE.\?.\?.\?.\?.\?.\?.\?.\?\FE|\FF.\?.\?.\?.\?.\?.\?.\?.\?\FF)" }
:if ([:len ] > 0) do={ :put "already have skypetoskype" } else={ add name=skypetoskype regexp="^..\02............." }

这段全是skype吗？用3.x杂封掉skype ?

页: [1] 2 3

自由的生活_软路由's Archiver

全力打造中国第一个ROS3.0X L7模版，如有错误请更正！！！！