[prev in list] [next in list] [prev in thread] [next in thread] 

List:       l7-filter-developers
Subject:    Re: [l7-filter-developers] cant get this rule to match.
From:       Matthew Strait <quadong () users ! sourceforge ! net>
Date:       2005-09-07 14:06:41
Message-ID: Pine.LNX.4.61.0509070853240.9759 () localhost ! localdomain
[Download RAW message or body]

> hay u awake bro?

I actually tend to sleep at night.  Night == CDT (-500).

> i found out what that random p2p was, its xunlei, its not matching 
> properly. the pattern is bad thats on the site, cause from what i can 
> see is almost a better match
>
> ^[\x28\x29](...|....|.....)(query|get)

"almost a better match"?  I think it _is_ a better match.  It looks like 
there are some bytes between the [\x28\x29] and the (query|get) that are 
sometimes null and sometimes not.

> but im not sure if that should be
> ^[\x28\x29](...|....|.....(query|get)) but thats not working 100% either

Your first pattern makes more sense.  This one would match \x29 followed 
by any three bytes.

> cause i can still see get requests sometimes comming though, ideas?

Best idea I have is to look at the streams that don't match and try to 
find a pattern...  If you send me some in libpcap format, I can take a 
look.  (That's much easier to study than tcpdump output.)

-matthew


-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
L7-filter-developers mailing list
L7-filter-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/l7-filter-developers
[prev in list] [next in list] [prev in thread] [next in thread]