MikroTik layer7-protocol

搜集自网络

  

ROSCN 071006

/ip firewall layer7-protocol  

1.qq 

^.?.?\x02.+\x03$

:if ([:len [find name=qq]] > 0) do={ :put "already have qq" } else={ add name=qq regexp="^.\?\02.+\03\$" }

/ip fi la add comment="" name=qqhttp regexp= "^\\x43.+\\x74\\x65\\x6e\\x63\\x65\\x6e\\x74.+\\x0a\$"

/ip fi la add comment="" name=qq1 regexp="^get http://"

/ip fi la add comment="" name=qq2 regexp="^connect.+\\x0D\\x0A\$"

/ip fi la add comment="" name=qq3 regexp="^.\?.\?\\x02.+\\x03\$"   

2.pcanywhere

:if ([:len [find name=pcanywhere]] > 0) do={ :put "already have pcanywhere" } else={ add name=pcanywhere regexp="^(nq|st)\$" }

3.RSTP

:if ([:len [find name=http-rtsp]] > 0) do={ :put "already have http-rtsp" } else={ add name=http-rtsp regexp="^(get[\09-\0D -~]* Accept: application/x-rtsp-tunnelled|http/(0\\.9|1\\.0|1\\.1) [1-5][0-9][0-9] [\09-\0D -~]*a=control:rtsp://)" } 

4.citrix

:if ([:len [find name=citrix]] > 0) do={ :put "already have citrix" } else={ add name=citrix regexp="\32\26\85\92\58" }

5.msnmessenger

:if ([:len [find name=msnmessenger]] > 0) do={ :put "already have msnmessenger" } else={ add name=msnmessenger regexp="ver [0-9]+ msnp[1-9][0-9]\? [\09-\0D -~]*cvr0\0D\0A\$|usr 1 [!-~]+ [0-9. ]+\0D\0A\$|ans 1 [!-~]+ [0-9. ]+\0D\0A\$" } 

msger   

:if ([:len [find name=msn-filetransfer]] > 0) do={ :put "already have msn-filetransfer" } else={ add name=msn-filetransfer regexp="^(ver [ -~]*msnftp\0D\0Aver msnftp\0D\0Ausr|method msnmsgr:)" }

msn

ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]*cvr0\x0d\x0a$|usr 1 [!-~]+ [0-9. ]+\x0d\x0a$|ans 1 [!-~]+ [0-9. ]+\x0d\x0a$

msnlogin 

^(ver [0-9]+ msnp[1-9][0-9]? [\x09-\0d -~]* cvr|usr md5 i [ -~]*)

msnlive 

^(ver [ -~]*msnftp\x0d\x0aver msnftp\x0d\x0ausr|method msnmsgr:)

msn-filet

^ver [ -~]*msnftp\x0d\x0aver msnftp\x0d\x0ausr|^method

msn-sp 

msnmsgr:|x-msnmsgrp2p|x-msmsgscontrol\r\n

msger 

ver [0-9]+ msnp[1-9][0-9]\? [\09-\0D -~]*cvr0\0D\0A\$|usr 1 [!-~]+ [0-9. ]+\0D\0A\$|ans 1 [!-~]+ [0-9. ]+\0D\0A\$

msn-filetransfer 

^(ver [ -~]*msnftp\0D\0Aver msnftp\0D\0Ausr|method msnmsgr:) 

6.VNC

:if ([:len [find name=vnc]] > 0) do={ :put "already have vnc" } else={ add name=vnc regexp="^rfb 00[1-9]\\.00[0-9]\0A\$" }

7.yahoochat   

:if ([:len [find name=yahoo]] > 0) do={ :put "already have yahoo" } else={ add name=yahoo regexp="^(ymsg|ypns|yhoo).\?.\?.\?.\?.\?.\?.\?[lwt].*\C0\80" }

8.RDP Remote Desktop protocol 

:if ([:len [find name=rdp]] > 0) do={ :put "already have rdp" } else={ add name=rdp regexp="rdpdr.*cliprdr.*rdpsnd" }

9.cisco***     

:if ([:len [find name=cisco***]] > 0) do={ :put "already have cisco***" } else={ add name=cisco*** regexp="^\01\F4\01\F4" }

10.http

http/(0.9|1.0|1.1)[1-5][0-9][0-9][x09-x0d-~]*(connection:|content-type:|content-length:|date:)|post [x09-x0d -~]* http/[01].[019]

:if ([:len [find name=http]] > 0) do={ :put "already have http" } else={ add name=http regexp="http/(0\\.9|1\\.0|1\\.1) [1-5][0-9][0-9] [\09-\0D -~]*(connection:|content-type:|content-length:|date:)|post [\09-\0D -~]* http/[01]\\.[019]" }

11.ftp

^220[x09-x0d -~]*ftp|331[x09-x0d -~]*password

:if ([:len [find name=ftp]] > 0) do={ :put "already have ftp" } else={ add name=ftp regexp="^220[\09-\0D -~]*ftp" } 

12.edonkey

:if ([:len [find name=edonkey]] > 0) do={ :put "already have edonkey" } else={ add name=edonkey regexp="^[\C5\D4\E3-\E5].\?.\?.\?.\?([\01\02\05\14\15\16\18\19\1A\1B\1C\20\21\32\33\34\35\36\38\40\41\42\43\46\47\48\49\4A\4B\4C\4D\4E\4F\50\51\52\53\54\55\56\57\58[\60\81\82\90\91\93\96\97\98\99\9A\9B\9C\9E\A0\A1\A2\A3\A4]|\59................\?[ -~]|\96....\$)" }

13.SMTp(25)

:if ([:len [find name=smtp]] > 0) do={ :put "already have smtp" } else={ add name=smtp regexp="^220[\09-\0D -~]* (e\?smtp|simple mail)" }

14.POP3(110)

:if ([:len [find name=pop3]] > 0) do={ :put "already have pop3" } else={ add name=pop3 regexp="^([url=file://+ok/]\\+ok[/url] |-err )" } 

15.SSh

:if ([:len [find name=ssh]] > 0) do={ :put "already have ssh" } else={ add name=ssh regexp="^ssh-[12]\\.[0-9]" }

16.bittorrent 

^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]

#^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=)  

/ip firewall layer7-protocol add comment="" name=bittorrent regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]" 

17.FLV(Macromedia Flash Video)

\x01\x05

18.kugoo 

\x64.+\x74\x47\x50\x37 

^\x64|\x65

19.mp3 

^\x67\x65\x74.+\.\x6D\x70\x33\x20.+\x31\.\x31\x0d\x0a

\x49\x44\x33\x03

20.pplive

^\xe9\x03..\x98\xab\x01 

21.swf  

[FC]WS[\x01-\x09]

22.vagaa 

^\xff\xde\xe3\xe4\xe5..\xff\xfd   

^.?\xe4|.?xe5

23.verycd

^\xe3.{1}\x00\x00\x00  

24.winbox

/ip firewall layer7-protocol add comment="" name="winbox" regexp="\12\02index"

/ip fi fi add chain=input action=drop src-address-list= layer7-protocol=winbox comment="block winbx"  

25.Thunder

^\x29\x00\x00\x00 

26.UC  

tcp ^\x01\x02\x03

27.qqgame

^\x2d\x00(\x00\x00|\xff\xff) 

28.telnet

/ip fi la add comment="" name="telnet1" regexp="^\xff[\xfb-\xfe].\xff[\xfb-\xfe].\xff[\xfb-\xfe]"

/ip fi fi add action=accept chain=input comment="" disabled=no layer7-protocol=telnet protocol=tcp 

/ip fi fi add action=passthrough chain=output comment="" disabled=no layer7-protocol=telnet protocol=tcp

29.socks

/ip fi la add comment="" name=socks regexp="\05[\01-\08]*\05[\01-\08]\?.*\05[\01-\03][\01\03].*\05[\01-\08]\?[\01\03]" 

 

new in 3.0rc6  

*) added support for L7 matcher in WinBox; 

*) added support for Intel EXPI9404PT PCI-E ethernet adpater;

                                               

l7-filter.sourceforge.net/

s ourceforge.net/projects/l7-filter/

www.clearfoundation.com/Software/l7-filter.html

l7-filter.clearfoundation.com/#application_layer_packet_classifier_for_linux

转载于:https://blog.51cto.com/763996/1173147