| [475ad56] | 1 | # Gnutella - P2P filesharing
| 2 | # Pattern quality: good fast
| 3 | #
| 4 | # This should match both Gnutella and "Gnutella2" ("Mike's protocol")
| 5 | #
| 6 | # Various clients use this protocol including Mactella, Shareaza,
| 7 | # GTK-gnutella, Gnucleus, Gnotella, LimeWire, BearShare, and iMesh.
| 8 | #
| 9 | # This is tested with gtk-gnutella and Shareaza.
| 10 | #
| 11 | # Please report on how this pattern works for you at
| 12 | # l7-filter-developers@lists.sf.net . If you can improve on this
| 13 | # pattern, please also post to that list. You may subscribe at
| 14 | # http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
| 15 |
| 16 | # http://www.gnutella2.com/tiki-index.php?page=UDP%20Transceiver
| 17 | # http://rfc-gnutella.sf.net/
| 18 | # http://www.gnutella2.com/tiki-index.php?page=Gnutella2%20Specification
| 19 | # http://en.wikipedia.org/wiki/Shareaza
| 20 |
| 21 | gnutella
| 22 |
| 23 | # The first part matches UDP messages - All start with "GND", then have
| 24 | # a flag byte which is either \x00, \x01 or \x02 (the pattern makes this byte optional instead of matching \x00 — presumably because the matcher cannot see NUL bytes; verify against the l7-filter version in use), then two sequence bytes
| 25 | # that can be anything, then a fragment number, which must start at 1.
| 26 | # The rest matches TCP first client message or first server message (in case
| 27 | # we can't see client messages). Some parts of this are empirical rather than
| 28 | # document based. Assumes version is between 0.0 and 2.9. (usually is
| 29 | # 0.4 or 0.6). Many of the user-agent strings are guesses, not verified against the actual clients.
| 30 | # The last bit is empirical and probably only matches Limewire; it accepts any stream with "lime" at a fixed offset, so expect some false positives on unrelated traffic.
# Review notes on the pattern below (the numbered comments above give the
# author's description of each branch):
# - This is a cleartext signature, not proof of protocol: a client that
#   changes its User-Agent, pads the handshake or runs the session over TLS
#   will not match, and unrelated traffic can match. Use a hit for
#   best-effort classification (e.g. shaping), not as a security control.
# - Every alternative is anchored at the start of the stream with "^", so a
#   flow is classified only by its first bytes.
# - The tokens are written in lowercase ("gnd", "get /", "user-agent") while
#   the description above says the UDP messages start with "GND"; this relies
#   on the matcher being case-insensitive — confirm for the l7-filter version
#   in use.
# - The "queue" branch requires every dotted-quad field to start with 1-9, so
#   an address containing a 0 field (10.0.0.1, 192.168.0.2) does not match —
#   TODO confirm whether that restriction is intended.
# - The last branch is a fixed-length run of wildcard bytes followed by
#   "lime": any flow with "lime" at that offset matches, so expect false
#   positives.
| 31 | ^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|..................lime)
| 32 |
| 33 | # Alternative (commented out): restricts the bytes skipped between tokens to whitespace and printable ASCII instead of ".*". More precise, but slower, which is why the looser pattern above is the active one.
| 34 | #^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /[\x09-\x0d -~]*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /[\x09-\x0d -~]*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella[\x09-\x0d -~]*content-type: application/x-gnutella|..................lime)
| 35 |
| 36 |