
List:       l7-filter-developers
Subject:    Re: [l7-filter-developers] Ventrilo
From:       Matthew Strait <quadong () users ! sourceforge ! net>
Date:       2006-01-07 19:32:50
Message-ID: Pine.LNX.4.64.0601071236440.31089 () mattdesk ! strait

> Now on to ventrilo (ver. 2.3.0 on winxp sp2). They seem to use TCP 
> (different ports). Captures below (data parts only).
>
> They seem to encrypt their data, but matching seems possible (either 
> using the starting bytes of the client and/or some of the responses 
> early bytes).
>
> Any thoughts about this?

The \x56\x24\xcf does seem constant, as does the initial \x00.  My tests 
show the same thing.  I tried changing various server settings around, 
including its name, its ping settings, and its codec. None of that changed 
these bytes. So it seems that we are pretty safe using the pattern:

^..?\x56\x24\xcf

I'll put that in the next release.

-matthew

PS.  The ventrilo guys are in *serious* need of these comics:
http://angryflower.com/bobsqu.gif
http://angryflower.com/plural.gif
http://angryflower.com/itsits.gif
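The pattern above is meant to be evaluated against the first bytes of a connection's payload, the way l7-filter does it. The following is an added example (not code from the thread or from the l7-filter project) that applies the posted pattern to a few constructed Ventrilo-like and non-Ventrilo byte strings, accumulating payload across packets the way a first-bytes classifier must, so the boundary behaviour of `..?` (one or two leading bytes, never zero or three) is visible. The 2048-byte inspection cap and all sample payloads are assumptions for illustration; only the three signature bytes come from the message.

```python
import re

# Pattern exactly as posted to the list, compiled on bytes so that
# \x56\x24\xcf are raw byte values, not text escapes.
VENTRILO_PATTERN = rb"^..?\x56\x24\xcf"

# Assumed inspection cap: a first-bytes classifier only looks at the start
# of a connection, so it must decide within some bounded prefix.
MAX_INSPECT_BYTES = 2048

# re.DOTALL matters: in Python "." does not match b"\n" by default, whereas
# the POSIX regex engine l7-filter uses treats "." as any byte.  Binary
# protocols can legitimately start with 0x0a, so the classifier must not
# silently miss those.  re.IGNORECASE mirrors l7-filter's case-insensitive
# matching (irrelevant for these non-alphabetic bytes, kept for fidelity).
_pattern = re.compile(VENTRILO_PATTERN, re.DOTALL | re.IGNORECASE)


def matches_ventrilo(prefix: bytes) -> bool:
    """True if the accumulated connection prefix matches the posted pattern."""
    return _pattern.match(prefix) is not None


def classify_stream(packets, limit=MAX_INSPECT_BYTES):
    """Feed successive payloads of one connection to the matcher.

    Returns (matched, bytes_inspected).  Matching stops as soon as the
    pattern fires or the inspection cap is reached, so a signature that
    only appears after `limit` bytes is never seen, which is the
    fundamental limitation of first-bytes classification.
    """
    buf = b""
    for payload in packets:
        buf += payload
        if matches_ventrilo(buf):
            return True, len(buf)
        if len(buf) >= limit:
            return False, len(buf)
    return False, len(buf)


# Constructed sample streams (not real captures).
SAMPLES = {
    "one leading byte":    [b"\x00\x56\x24\xcf\x01\x02"],
    "two leading bytes":   [b"\x00\x00\x56\x24\xcf"],
    "three leading bytes": [b"\x00\x00\x00\x56\x24\xcf"],
    "no leading byte":     [b"\x56\x24\xcf"],
    "split across packets": [b"\x00", b"\x56\x24\xcf\x01"],
    "newline first":       [b"\n\x56\x24\xcf"],
    "http request":        [b"GET / HTTP/1.1\r\n"],
    "signature past cap":  [b"A" * MAX_INSPECT_BYTES, b"\x00\x56\x24\xcf"],
}

if __name__ == "__main__":
    for name, pkts in SAMPLES.items():
        matched, seen = classify_stream(pkts)
        print(f"{name:22s} matched={matched!s:5s} after {seen} bytes")
```

Note that a three-byte constant at one of two offsets is a weak fingerprint: against random data it will fire on roughly two connections in every 2^24, which is fine for QoS marking but not something to build an access decision on, and the "initial \x00" the thread mentions is only accounted for by the `..?` wildcard, not asserted by the pattern.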

