攻防技术融入IPS 之 协议分析
作者:xushaopei
1 AIM ==== ^(\*[\x01\x02].*\x03\x0b|\*\x01.?.?.?.?\x01)|flapon|toc_signon.*0x
2 Apple Juice ==== ^ajprot\x0d\x0a
3 Ares ==== ^\x03[]Z].?.?\x05$
4 Battlefield 1942 ==== ^\x01\x11\x10\|\xf8\x02\x10\x40\x06
5 Battlefield 2 ==== ^(\x11\x20\x01…?\x11|\xfe\xfd.?.?.?.?.?.?(\x14\x01\x06|\xff\xff\xff))|[]\x01].?battlefield2
6 Battlefield 2142 ==== ^(\x11\x20\x01\x90\x50\x64\x10|\xfe\xfd.?.?.?\x18|[\x01\\].?battlefield2)
7 Border Gateway Protocol ==== ^\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff..?\x01[\x03\x04]
8 Chikka ==== ^CTPv1\.[123] Kamusta.*\x0d\x0a$
9 cimd ==== \x02[0-4][0-9]:[0-9]+.*\x03$
10 ciscovpn ==== ^\x01\xf4\x01\xf4
11 Citrix ICA ==== \x32\x26\x85\x92\x58
12 Counterstrike ==== ^\xff\xff\xff\xff.*cstrikeCounter-Strike
13 CVS ==== ^BEGIN (AUTH|VERIFICATION|GSSAPI) REQUEST\x0a
14 dayofdefeat-source ==== ^\xff\xff\xff\xff.*dodDay of Defeat
15 DHCP ==== ^[\x01\x02][\x01- ]\x06.*c\x82sc
16 Direct Connect ==== ^(\$mynick |\$lock |\$key )
17 DNS ==== ^.?.?.?.?[\x01\x02].?.?.?.?.?.?[\x01-?][a-z0-9][\x01-?a-z]*[\x02-\x06][a-z][a-z][fglmoprstuvz]?[aeop]?(um)?[\x01-\x10\x1c][\x01\x03\x04\xFF]
18 Doom 3 ==== ^\xff\xffchallenge
19 FastTrack ==== ^get (/.download/.*|/.supernode.|/.status.|/.network.*|/.files|/.hash=[0-9a-f]*/.*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?
20 Finger ==== ^[a-z][a-z0-9\-_]+|login: [\x09-\x0d -~]* name: [\x09-\x0d -~]* Directory:
21 Freenet ==== ^\x01[\x08\x09][\x03\x04]
22 FTP ==== ^220[\x09-\x0d -~]*ftp
23 Gkrellm ==== ^gkrellm [23].[0-9].[0-9]\x0a$
24 GnucleusLAN ==== gnuclear connect/[\x09-\x0d -~]*user-agent: gnucleus [\x09-\x0d -~]*lan:
25 Gnutella ==== ^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|……………….?lime)
26 GoBoogy ==== <peerplat>|^get /getfilebyhash\.cgi\?|^get /queue_register\.cgi\?|^get /getupdowninfo\.cgi\?
27 Gopher ==== ^[\x09-\x0d]*[1-9,+tgi][\x09-\x0d -~]*\x09[\x09-\x0d -~]*\x09[a-z0-9.]*\.[a-z][a-z].?.?\x09[1-9]
28 Guild Wars ==== ^[\x04\x05]\x0c.i\x01
29 H.323 ==== ^\x03..?\x08…?.?.?.?.?.?.?.?.?.?.?.?.?.?.?\x05
30 Half-Life 2 Deathmatch ==== ^\xff\xff\xff\xff.*hl2mpDeathmatch
31 hddtemp ==== ^\|/dev/[a-z][a-z][a-z]\|[0-9a-z]*\|[0-9][0-9]\|[cfk]\|
32 Hotline ==== ^………………..TRTPHOTL\x01\x02
33 http-rtsp ==== ^(get[\x09-\x0d -~]* Accept: application/x-rtsp-tunnelled|http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*a=control:rtsp://)
34 HTTP ==== http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019]
35 Ident ==== ^[1-9][0-9]?[0-9]?[0-9]?[0-9]?[\x09-\x0d]*,[\x09-\x0d]*[1-9][0-9]?[0-9]?[0-9]?[0-9]?(\x0d\x0a|[\x0d\x0a])?$
36 IMAP ==== ^(\* ok|a[0-9]+ noop)
37 iMesh ==== ^(post[\x09-\x0d -~]*<PasswordHash>…………………………..</PasswordHash><ClientVer>|\x34\x80?\x0d?\xfc\xff\x04|get[\x09-\x0d -~]*Host: imsh\.download-prod\.musicnet\.com|\x02[\x01\x02]\x83.*\x02[\x01\x02]\x83)
38 IRC ==== ^(nick[\x09-\x0d -~]*user[\x09-\x0d -~]*:|user[\x09-\x0d -~]*:[\x02-\x0d -~]*nick[\x09-\x0d -~]*\x0d\x0a)
39 jabber ==== <stream:stream[\x09-\x0d ][ -~]*[\x09-\x0d ]xmlns=[‘”]jabber
40 KuGoo ==== ^(\x31..\x8e|\x64.+\x74\x47\x50\x37)
41 live365 ==== membername.*session.*player
42 liveforspeed ==== ^..\x05\x58\x0a\x1d\x03
43 LPD ==== ^(\x01[!-~]+|\x02[!-~]+\x0a.[\x01\x02\x03][\x01-\x0a -~]*|[\x03\x04][!-~]+[\x09-\x0d]+[a-z][\x09-\x0d -~]*|\x05[!-~]+[\x09-\x0d]+([a-z][!-~]*[\x09-\x0d]+[1-9][0-9]?[0-9]?|root[\x09-\x0d]+[!-~]+).*)\x0a$
44 mohaa ==== ^\xff\xff\xff\xffgetstatus\x0a
45 msn-filetransfer ==== ^(ver [ -~]*msnftp\x0d\x0aver msnftp\x0d\x0ausr|method msnmsgr:)
46 MSN Messenger ==== ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]*cvr0\x0d\x0a$|usr 1 [!-~]+ [0-9. ]+\x0d\x0a$|ans 1 [!-~]+ [0-9. ]+\x0d\x0a$
47 MUTE ==== ^(Public|AES)Key: [0-9a-f]*\x0aEnd(Public|AES)Key\x0a$
48 Napster ==== ^(.[\x02\x06][!-~]+ [!-~]+ [0-9][0-9]?[0-9]?[0-9]?[0-9]? “[\x09-\x0d -~]+” ([0-9]|10)|1(send|get)[!-~]+ “[\x09-\x0d -~]+”)
49 NBNS ==== \x01\x10\x01|\)\x10\x01\x01|0\x10\x01
50 NCP ==== ^(dmdt.*\x01.*(“”|\x11\x11|uu)|tncp.*33)
51 NetBIOS ==== \x81.?.?.[A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P]
52 NNTP ==== ^20[01][\x09-\x0d -~]*\x0d\x0a[\x09-\x0d -~]*AUTHINFO USER|20[01][\x09-\x0d -~]*news
53 (S)NTP ==== ^([\x13\x1b\x23\xd3\xdb\xe3]|[\x14\x1c$]…….?.?.?.?.?.?.?.?.?[\xc6-\xff])
54 OpenFT ==== x-openftalias: [-)(0-9a-z ~.]
55 pcanywhere ==== ^(nq|st)$
56 POCO ==== ^\x80\x94\x0a\x01….\x1f\x9e
57 POP3 ==== ^(\+ok [\x09-\x0d -~]*(ready|hello|pop|starting)|-err [\x09-\x0d -~]*(invalid|unknown|unimplemented|unrecognized|command))
58 PPLive ==== \x01…\xd3.+\x0c.$
59 QQ ==== ^.?.?\x02.+\x03$
60 quake-halflife ==== ^\xff\xff\xff\xffget(info|challenge)
61 quake1 ==== ^\x80\x0c\x01quake\x03
62 radmin ==== ^\x01\x01(\x08\x08|\x1b\x1b)$
63 RDP ==== rdpdr.*cliprdr.*rdpsnd
64 replaytv-ivs ==== ^(get /ivs-IVSGetFileChunk|http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*\x23\x23\x23\x23\x23REPLAY_CHUNK_START\x23\x23\x23\x23\x23)
65 rlogin ==== ^[a-z][a-z0-9][a-z0-9]+/[1-9][0-9]?[0-9]?[0-9]?00
66 rtp ==== ^\x80[\x01-“`-\x7f\x80-\xa2\xe0-\xff]?……….*\x80
67 Shoutcast ==== ^get /.*icy-metadata:1|icy [1-5][0-9][0-9] [\x09-\x0d -~]*(content-type:audio|icy-)
68 SIP ==== ^(invite|register|cancel) sip[\x09-\x0d -~]*sip/[0-2]\.[0-9]
69 skypetoskype ==== ^..\x02………….
70 smb ==== \xffsmb[\x72\x25]
71 SMTP ==== ^220[\x09-\x0d -~]* (e?smtp|simple mail)
72 SNMP ==== ^\x02\x01\x04.+([\xa0-\xa3]\x02[\x01-\x04].?.?.?.?\x02\x01.?\x02\x01.?\x30|\xa4\x06.+\x40\x04.?.?.?.?\x02\x01.?\x02\x01.?\x43)
73 SOCKS ==== \x05[\x01-\x08]*\x05[\x01-\x08]?.*\x05[\x01-\x03][\x01\x03].*\x05[\x01-\x08]?[\x01\x03]
74 Soribada ==== ^GETMP3\x0d\x0aFilename|^\x01.?.?.?(\x51\x3a\+|\x51\x32\x3a)|^\x10[\x14-\x16]\x10[\x15-\x17].?.?.?.?$
75 Soulseek ==== ^(\x05..?|.\x01.[ -~]+\x01F..?.?.?.?.?.?.?)$
76 SSDP ==== ^notify[\x09-\x0d ]\*[\x09-\x0d ]http/1\.1[\x09-\x0d -~]*ssdp:(alive|byebye)|^m-search[\x09-\x0d ]\*[\x09-\x0d ]http/1\.1[\x09-\x0d -~]*ssdp:discover
77 ssh ==== ^ssh-[12]\.[0-9]
78 ssl ==== ^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b)
79 STUN ==== ^[\x01\x02]…………….?$
80 Subspace ==== ^\x01….\x11\x10……..\x01$
81 teamfortress2 ==== ^\xff\xff\xff\xff…..*tfTeam Fortress
82 TeamSpeak ==== ^\xf4\xbe\x03.*teamspeak
83 Telnet ==== ^\xff[\xfb-\xfe].\xff[\xfb-\xfe].\xff[\xfb-\xfe]
84 Tesla ==== \x03\x9a\x89\x22\x31\x31\x31\.\x30\x30\x20\x42\x65\x74\x61\x20|\xe2\x3c\x69\x1e\x1c\xe9
85 TFTP ==== ^(\x01|\x02)[ -~]*(netascii|octet|mail)
86 thecircle ==== ^t\x03ni.?[\x01-\x06]?t[\x01-\x05]s[\x0a\x0b](glob|who are you$|query data)
87 Tor ==== TOR1.*<identity>
88 tsp ==== ^[\x01-\x13\x16-$]\x01.?.?.?.?.?.?.?.?.?.?[ -~]+
89 uucp ==== ^\x10here=
90 validcertssl ==== ^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b).*(thawte|equifax secure|rsa data security, inc|verisign, inc|gte cybertrust root|entrust\.net limited)
91 ventrilo ==== ^..?v\$\xcf
92 vnc ==== ^rfb 00[1-9]\.00[0-9]\x0a$
93 whois ==== ^[ !-~]+\x0d\x0a$
94 worldofwarcraft ==== ^\x06\xec\x01
95 x11 ==== ^[lb].?\x0b
96 xboxlive ==== ^\x58\x80……..\xf3|^\x06\x58\x4e
97 Xunlei ==== ^([()]|get)(…?.?.?(reg|get|query)|.+User-Agent: (Mozilla/4\.0 \(compatible; (MSIE 6\.0; Windows NT 5\.1;? ?\)|MSIE 5\.00; Windows 98\))))|Keep-Alive\x0d\x0a\x0d\x0a[26]
98 yahoo messenger ==== ^(ymsg|ypns|yhoo).?.?.?.?.?.?.?[lwt].*\xc0\x80
99 ZMAAP ==== ^\x1b\xd7\x3b\x48[\x01\x02]\x01?\x01
1 Executable(exe) ==== \x4d\x5a(\x90\x03|\x50\x02)\x04
2 Flash ==== [FC]WS[\x01-\x09]|FLV\x01\x05\x09
3 gif ==== GIF8(7|9)a
4 html ==== <html.*><head>
5 jpeg ==== \xff\xd8
6 mp3 ==== \x49\x44\x33\x03
7 ogg ==== oggs.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?\x01vorbis
8 pdf ==== %PDF-1\.[0123456]
9 perl ==== \#! ?/(usr/(local/)?)?bin/perl
10 png ==== \x89PNG\x0d\x0a\x1a\x0a
11 rar ==== rar\x21\x1a\x07
12 rpm ==== \xed\xab\xee\xdb.?.?.?.?[1-7]
13 rtf ==== \{\\rtf[12]
14 zip ==== pk\x03\x04\x14
