Integrating Offensive and Defensive Techniques into IPS: Protocol Analysis

admin | 2017-05-05 20:44:07 | 321 views | 7,829 characters | 26 min 5 s read

Author: xushaopei

1 AIM ==== ^(\*[\x01\x02].*\x03\x0b|\*\x01.?.?.?.?\x01)|flapon|toc_signon.*0x
2 Apple Juice ==== ^ajprot\x0d\x0a
3 Ares ==== ^\x03[]Z].?.?\x05$
4 Battlefield 1942 ==== ^\x01\x11\x10\|\xf8\x02\x10\x40\x06
5 Battlefield 2 ==== ^(\x11\x20\x01...?\x11|\xfe\xfd.?.?.?.?.?.?(\x14\x01\x06|\xff\xff\xff))|[]\x01].?battlefield2
6 Battlefield 2142 ==== ^(\x11\x20\x01\x90\x50\x64\x10|\xfe\xfd.?.?.?\x18|[\x01\\].?battlefield2)
7 Border Gateway Protocol ==== ^\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff..?\x01[\x03\x04]
8 Chikka ==== ^CTPv1\.[123] Kamusta.*\x0d\x0a$

9 cimd ==== \x02[0-4][0-9]:[0-9]+.*\x03$
10 ciscovpn ==== ^\x01\xf4\x01\xf4
11 Citrix ICA ==== \x32\x26\x85\x92\x58
12 Counterstrike ==== ^\xff\xff\xff\xff.*cstrikeCounter-Strike
13 CVS ==== ^BEGIN (AUTH|VERIFICATION|GSSAPI) REQUEST\x0a
14 dayofdefeat-source ==== ^\xff\xff\xff\xff.*dodDay of Defeat
15 DHCP ==== ^[\x01\x02][\x01- ]\x06.*c\x82sc
16 Direct Connect ==== ^(\$mynick |\$lock |\$key )
17 DNS ==== ^.?.?.?.?[\x01\x02].?.?.?.?.?.?[\x01-?][a-z0-9][\x01-?a-z]*[\x02-\x06][a-z][a-z][fglmoprstuvz]?[aeop]?(um)?[\x01-\x10\x1c][\x01\x03\x04\xFF]
18 Doom 3 ==== ^\xff\xffchallenge
19 FastTrack ==== ^get (/.download/.*|/.supernode.|/.status.|/.network.*|/.files|/.hash=[0-9a-f]*/.*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?
20 Finger ==== ^[a-z][a-z0-9\-_]+|login: [\x09-\x0d -~]* name: [\x09-\x0d -~]* Directory:
21 Freenet ==== ^\x01[\x08\x09][\x03\x04]
22 FTP ==== ^220[\x09-\x0d -~]*ftp
23 Gkrellm ==== ^gkrellm [23].[0-9].[0-9]\x0a$
24 GnucleusLAN ==== gnuclear connect/[\x09-\x0d -~]*user-agent: gnucleus [\x09-\x0d -~]*lan:
25 Gnutella ==== ^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|........................?lime)
26 GoBoogy ==== <peerplat>|^get /getfilebyhash\.cgi\?|^get /queue_register\.cgi\?|^get /getupdowninfo\.cgi\?
27 Gopher ==== ^[\x09-\x0d]*[1-9,+tgi][\x09-\x0d -~]*\x09[\x09-\x0d -~]*\x09[a-z0-9.]*\.[a-z][a-z].?.?\x09[1-9]
28 Guild Wars ==== ^[\x04\x05]\x0c.i\x01
29 H.323 ==== ^\x03..?\x08...?.?.?.?.?.?.?.?.?.?.?.?.?.?.?\x05
30 Half-Life 2 Deathmatch ==== ^\xff\xff\xff\xff.*hl2mpDeathmatch
31 hddtemp ==== ^\|/dev/[a-z][a-z][a-z]\|[0-9a-z]*\|[0-9][0-9]\|[cfk]\|
32 Hotline ==== ^....................TRTPHOTL\x01\x02
33 http-rtsp ==== ^(get[\x09-\x0d -~]* Accept: application/x-rtsp-tunnelled|http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*a=control:rtsp://)
34 HTTP ==== http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019]
35 Ident ==== ^[1-9][0-9]?[0-9]?[0-9]?[0-9]?[\x09-\x0d]*,[\x09-\x0d]*[1-9][0-9]?[0-9]?[0-9]?[0-9]?(\x0d\x0a|[\x0d\x0a])?$
36 IMAP ==== ^(\* ok|a[0-9]+ noop)
37 iMesh ==== ^(post[\x09-\x0d -~]*<PasswordHash>................................</PasswordHash><ClientVer>|\x34\x80?\x0d?\xfc\xff\x04|get[\x09-\x0d -~]*Host: imsh\.download-prod\.musicnet\.com|\x02[\x01\x02]\x83.*\x02[\x01\x02]\x83)
38 IRC ==== ^(nick[\x09-\x0d -~]*user[\x09-\x0d -~]*:|user[\x09-\x0d -~]*:[\x02-\x0d -~]*nick[\x09-\x0d -~]*\x0d\x0a)
39 jabber ==== <stream:stream[\x09-\x0d ][ -~]*[\x09-\x0d ]xmlns=['"]jabber
40 KuGoo ==== ^(\x31..\x8e|\x64.+\x74\x47\x50\x37)
41 live365 ==== membername.*session.*player
42 liveforspeed ==== ^..\x05\x58\x0a\x1d\x03
43 LPD ==== ^(\x01[!-~]+|\x02[!-~]+\x0a.[\x01\x02\x03][\x01-\x0a -~]*|[\x03\x04][!-~]+[\x09-\x0d]+[a-z][\x09-\x0d -~]*|\x05[!-~]+[\x09-\x0d]+([a-z][!-~]*[\x09-\x0d]+[1-9][0-9]?[0-9]?|root[\x09-\x0d]+[!-~]+).*)\x0a$
44 mohaa ==== ^\xff\xff\xff\xffgetstatus\x0a
45 msn-filetransfer ==== ^(ver [ -~]*msnftp\x0d\x0aver msnftp\x0d\x0ausr|method msnmsgr:)
46 MSN Messenger ==== ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]*cvr0\x0d\x0a$|usr 1 [!-~]+ [0-9. ]+\x0d\x0a$|ans 1 [!-~]+ [0-9. ]+\x0d\x0a$
47 MUTE ==== ^(Public|AES)Key: [0-9a-f]*\x0aEnd(Public|AES)Key\x0a$
48 Napster ==== ^(.[\x02\x06][!-~]+ [!-~]+ [0-9][0-9]?[0-9]?[0-9]?[0-9]? "[\x09-\x0d -~]+" ([0-9]|10)|1(send|get)[!-~]+ "[\x09-\x0d -~]+")
49 NBNS ==== \x01\x10\x01|\)\x10\x01\x01|0\x10\x01
50 NCP ==== ^(dmdt.*\x01.*(""|\x11\x11|uu)|tncp.*33)
51 NetBIOS ==== \x81.?.?.[A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P]
52 NNTP ==== ^20[01][\x09-\x0d -~]*\x0d\x0a[\x09-\x0d -~]*AUTHINFO USER|20[01][\x09-\x0d -~]*news
53 (S)NTP ==== ^([\x13\x1b\x23\xd3\xdb\xe3]|[\x14\x1c$].......?.?.?.?.?.?.?.?.?[\xc6-\xff])
54 OpenFT ==== x-openftalias: [-)(0-9a-z ~.]
55 pcanywhere ==== ^(nq|st)$
56 POCO ==== ^\x80\x94\x0a\x01....\x1f\x9e
57 POP3 ==== ^(\+ok [\x09-\x0d -~]*(ready|hello|pop|starting)|-err [\x09-\x0d -~]*(invalid|unknown|unimplemented|unrecognized|command))
58 PPLive ==== \x01...\xd3.+\x0c.$
59 QQ ==== ^.?.?\x02.+\x03$
60 quake-halflife ==== ^\xff\xff\xff\xffget(info|challenge)
61 quake1 ==== ^\x80\x0c\x01quake\x03
62 radmin ==== ^\x01\x01(\x08\x08|\x1b\x1b)$
63 RDP ==== rdpdr.*cliprdr.*rdpsnd
64 replaytv-ivs ==== ^(get /ivs-IVSGetFileChunk|http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*\x23\x23\x23\x23\x23REPLAY_CHUNK_START\x23\x23\x23\x23\x23)
65 rlogin ==== ^[a-z][a-z0-9][a-z0-9]+/[1-9][0-9]?[0-9]?[0-9]?00
66 rtp ==== ^\x80[\x01-"`-\x7f\x80-\xa2\xe0-\xff]?..........*\x80
67 Shoutcast ==== ^get /.*icy-metadata:1|icy [1-5][0-9][0-9] [\x09-\x0d -~]*(content-type:audio|icy-)
68 SIP ==== ^(invite|register|cancel) sip[\x09-\x0d -~]*sip/[0-2]\.[0-9]
69 skypetoskype ==== ^..\x02.............
70 smb ==== \xffsmb[\x72\x25]
71 SMTP ==== ^220[\x09-\x0d -~]* (e?smtp|simple mail)
72 SNMP ==== ^\x02\x01\x04.+([\xa0-\xa3]\x02[\x01-\x04].?.?.?.?\x02\x01.?\x02\x01.?\x30|\xa4\x06.+\x40\x04.?.?.?.?\x02\x01.?\x02\x01.?\x43)
73 SOCKS ==== \x05[\x01-\x08]*\x05[\x01-\x08]?.*\x05[\x01-\x03][\x01\x03].*\x05[\x01-\x08]?[\x01\x03]
74 Soribada ==== ^GETMP3\x0d\x0aFilename|^\x01.?.?.?(\x51\x3a\+|\x51\x32\x3a)|^\x10[\x14-\x16]\x10[\x15-\x17].?.?.?.?$
75 Soulseek ==== ^(\x05..?|.\x01.[ -~]+\x01F..?.?.?.?.?.?.?)$
76 SSDP ==== ^notify[\x09-\x0d ]\*[\x09-\x0d ]http/1\.1[\x09-\x0d -~]*ssdp:(alive|byebye)|^m-search[\x09-\x0d ]\*[\x09-\x0d ]http/1\.1[\x09-\x0d -~]*ssdp:discover
77 ssh ==== ^ssh-[12]\.[0-9]
78 ssl ==== ^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b)
79 STUN ==== ^[\x01\x02]................?$
80 Subspace ==== ^\x01....\x11\x10........\x01$
81 teamfortress2 ==== ^\xff\xff\xff\xff.....*tfTeam Fortress
82 TeamSpeak ==== ^\xf4\xbe\x03.*teamspeak
83 Telnet ==== ^\xff[\xfb-\xfe].\xff[\xfb-\xfe].\xff[\xfb-\xfe]
84 Tesla ==== \x03\x9a\x89\x22\x31\x31\x31\.\x30\x30\x20\x42\x65\x74\x61\x20|\xe2\x3c\x69\x1e\x1c\xe9
85 TFTP ==== ^(\x01|\x02)[ -~]*(netascii|octet|mail)
86 thecircle ==== ^t\x03ni.?[\x01-\x06]?t[\x01-\x05]s[\x0a\x0b](glob|who are you$|query data)
87 Tor ==== TOR1.*<identity>
88 tsp ==== ^[\x01-\x13\x16-$]\x01.?.?.?.?.?.?.?.?.?.?[ -~]+
89 uucp ==== ^\x10here=
90 validcertssl ==== ^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b).*(thawte|equifax secure|rsa data security, inc|verisign, inc|gte cybertrust root|entrust\.net limited)
91 ventrilo ==== ^..?v\$\xcf
92 vnc ==== ^rfb 00[1-9]\.00[0-9]\x0a$
93 whois ==== ^[ !-~]+\x0d\x0a$
94 worldofwarcraft ==== ^\x06\xec\x01
95 x11 ==== ^[lb].?\x0b
96 xboxlive ==== ^\x58\x80........\xf3|^\x06\x58\x4e
97 Xunlei ==== ^([()]|get)(...?.?.?(reg|get|query)|.+User-Agent: (Mozilla/4\.0 \(compatible; (MSIE 6\.0; Windows NT 5\.1;? ?\)|MSIE 5\.00; Windows 98\))))|Keep-Alive\x0d\x0a\x0d\x0a[26]
98 yahoo messenger ==== ^(ymsg|ypns|yhoo).?.?.?.?.?.?.?[lwt].*\xc0\x80
99 ZMAAP ==== ^\x1b\xd7\x3b\x48[\x01\x02]\x01?\x01

1 Executable(exe) ==== \x4d\x5a(\x90\x03|\x50\x02)\x04
2 Flash ==== [FC]WS[\x01-\x09]|FLV\x01\x05\x09
3 gif ==== GIF8(7|9)a
4 html ==== <html.*><head>
5 jpeg ==== \xff\xd8
6 mp3 ==== \x49\x44\x33\x03
7 ogg ==== oggs.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?\x01vorbis
8 pdf ==== %PDF-1\.[0123456]
9 perl ==== \#! ?/(usr/(local/)?)?bin/perl
10 png ==== \x89PNG\x0d\x0a\x1a\x0a
11 rar ==== rar\x21\x1a\x07
12 rpm ==== \xed\xab\xee\xdb.?.?.?.?[1-7]
13 rtf ==== \{\\rtf[12]
14 zip ==== pk\x03\x04\x14
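Both lists above are written in the syntax of l7-filter pattern files (the protocol names and regexes match the l7-protocols set): `\xNN` is a raw byte, matching is case-insensitive, and the expression is run over the first bytes of a flow with both directions concatenated in arrival order and NUL bytes removed. The Python below is an added example, not code from the original post or from l7-filter itself. It transcribes a handful of the protocol signatures and two of the file-type signatures and runs them under those rules against constructed sample flows (none of the bytes are captured traffic; the 2048-byte cap is the example's own constant). It also shows what a practitioner should check before trusting such a signature set: several patterns overlap (`whois` fires on any single printable line ending in CRLF, so the SSH, FTP and SMTP banners hit it too and rule order decides the verdict), a banner that omits the expected keyword (`220 Welcome`) is not classified at all, and the DNS and MZ patterns only match once NUL bytes have been stripped, which is why the lists use `.?` for byte positions that may be zero.

```python
import re

# Added example (not from the original post or from l7-filter): a minimal
# l7-filter-style classifier over the signatures transcribed from the lists
# above. All sample flows further down are constructed, not captured.

MAX_BYTES = 2048  # the example's own cap on how much of a flow is inspected

# l7-filter semantics: case-insensitive, '.' matches any byte (POSIX regexec),
# and the regex runs over both directions concatenated in arrival order.
SIGNATURES = {
    "ssh":   rb"^ssh-[12]\.[0-9]",
    "ftp":   rb"^220[\x09-\x0d -~]*ftp",
    "smtp":  rb"^220[\x09-\x0d -~]* (e?smtp|simple mail)",
    "http":  rb"http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*"
             rb"(connection:|content-type:|content-length:|date:)"
             rb"|post [\x09-\x0d -~]* http/[01]\.[019]",
    "dns":   rb"^.?.?.?.?[\x01\x02].?.?.?.?.?.?[\x01-?][a-z0-9][\x01-?a-z]*"
             rb"[\x02-\x06][a-z][a-z][fglmoprstuvz]?[aeop]?(um)?[\x01-\x10\x1c][\x01\x03\x04\xFF]",
    "smb":   rb"\xffsmb[\x72\x25]",
    "ssl":   rb"^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b)",
    "whois": rb"^[ !-~]+\x0d\x0a$",
    # two file-type signatures from the second list
    "exe":   rb"\x4d\x5a(\x90\x03|\x50\x02)\x04",
    "png":   rb"\x89PNG\x0d\x0a\x1a\x0a",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE | re.DOTALL)
            for name, pat in SIGNATURES.items()}


def l7_buffer(*segments, limit=MAX_BYTES):
    """Build the match buffer the way l7-filter does: concatenate the segments
    (both directions, arrival order), drop NUL bytes (its regex engine works on
    C strings, so a NUL would end the data), and cap the length."""
    return b"".join(segments).replace(b"\x00", b"")[:limit]


def classify(*segments):
    """Return every signature that fires on the flow, in rule order."""
    buf = l7_buffer(*segments)
    return [name for name, rx in COMPILED.items() if rx.search(buf)]


def classify_raw(*segments):
    """Same signatures on the raw bytes with NULs kept, to show why the
    patterns rely on NUL stripping."""
    buf = b"".join(segments)[:MAX_BYTES]
    return [name for name, rx in COMPILED.items() if rx.search(buf)]


# Constructed sample flows: tuples of segments in arrival order.
FLOWS = {
    "ssh banner": (b"SSH-2.0-OpenSSH_9.6\r\n",),
    "ftp banner": (b"220 ProFTPD Server ready\r\n",),      # "ftp" sits inside "ProFTPD"
    "ftp banner without 'ftp'": (b"220 Welcome\r\n",),    # evades the ftp signature
    "smtp banner": (b"220 mail.example.test ESMTP Postfix\r\n",),
    "http": (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
             b"HTTP/1.1 200 OK\r\nDate: Fri, 05 May 2017 12:44:07 GMT\r\n"
             b"Content-Type: text/html\r\n\r\n<html>"),
    # DNS A query for example.com: ID 0x1234, flags 0x0100, QDCOUNT 1
    "dns query": (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                  b"\x07example\x03com\x00\x00\x01\x00\x01",),
    # NetBIOS session header, then an SMB header (command 0x72 = Negotiate)
    "smb negotiate": (b"\x00\x00\x00\x2f\xffSMBr\x00\x00\x00\x00\x18\x53\xc8",),
    # TLS record headers of a ClientHello and a ServerHello
    "tls": (b"\x16\x03\x01\x00\x2c\x01\x00\x00\x28\x03\x03",
            b"\x16\x03\x03\x00\x31\x02\x00\x00\x2d\x03\x03"),
    # first 16 bytes of a PE (MZ) header
    "exe": (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",),
    "png": (b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR",),
}

if __name__ == "__main__":
    for label, segments in FLOWS.items():
        print(f"{label:26s} stripped={classify(*segments)}  raw={classify_raw(*segments)}")
```

Run it directly to print the verdict for each constructed flow. An IPS that applies such signatures takes the first rule that fires, so the double hits on the banner flows mean the result depends on rule order rather than on the traffic; the unclassified `220 Welcome` banner shows how cheaply a server can step around a keyword-based signature; and the empty `classify_raw` results for the DNS query and the MZ header show that the patterns are only meaningful under the NUL-stripping they were written for.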

Posted by admin on 2017-05-05 20:44:07. Reposts should keep the original link (CN-SEC, with thanks to the original author): http://cn-sec.com/archives/46045.html
