From: "Luman"
Date: Thu, 27 Mar 2003 09:35:48 +0000
Subject: RE: [LARTC] Intelligent P2P detection
To: lartc@vger.kernel.org

>-----Original Message-----
>From: Dawid Kuroczko [mailto:qnex@atlantis.ssw.krakow.pl]
>Sent: Wednesday, March 26, 2003 10:50 PM
>To: Robert Kryczało
>Cc: Luman; 'Kim Jensen'; lartc@mailman.ds9a.nl
>Subject: RE: [LARTC] Intelligent P2P detection
>
> [...]
>
>A suggestion. Something which works as a more advanced "string" match.
>But instead of a string, we use a "pattern". Say, something like this:
>
>-p tcp -m pattern --pattern "PORT %Sd, %Dd" --set ftpsession
>
>-p tcp -m pattern --get ftpsession -j MARK ...
>
>...the first would look for the pattern "PORT %d, %d", the first being the source
>port (hence: %S), the second the destination port (hence: %D), and if such a
>pattern is found, it is added to an ftpsession list (similar to
>ipt_recent).
>
>The second searches the ftpsession list for a connection on such and such ports
>and if found it answers it's OK. :-)
>
>...pattern matching should accept \077 style "binary" strings, and
>should not be limited to ascii-decimal "%d" port numbers. Also
>binary forms, in any order. And even maybe IPs. :-))) Simple
>yet powerful..

Yes, it could be. But I think we need more, something like a rule-based expert system, deciding on many factors. As the result, it takes a decision on what the content is.

>
>...[ so we code it, and some time passes and then we read the announcement
>that KaZaA released a new version which mimics HTTP and uses strong
>cryptography to circumvent our module... Hopefully it will not come
>to pass, but well... :-)

Even so, I believe that we can find some pattern in that kind of traffic which helps us determine that this is KaZaA, even if it looks like HTTP. This is what I tried to uncover in my previous mail.
Best regards,
Luman

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
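As an added illustration of the "-m pattern" match sketched in the quoted proposal (this is constructed userspace Python, not code from the thread or from any netfilter module), the model below compiles a pattern with %Sd / %Dd placeholders and \NNN octal escapes, records the ports a "--set" rule extracts in a named list the way ipt_recent keeps tables, and lets a later "--get" check ask whether a connection is on that list; the port-range check and the wildcard handling for patterns that name only one port are assumptions of this model.

```python
import re
from typing import Dict, Optional, Set, Tuple

# %Sd / %Dd stand for a decimal source / destination port in the payload.
_PLACEHOLDER_RE = {"%Sd": r"(?P<sport>\d{1,5})", "%Dd": r"(?P<dport>\d{1,5})"}
Entry = Tuple[Optional[int], Optional[int]]  # (sport, dport); None = wildcard


def compile_pattern(pattern: str) -> "re.Pattern[str]":
    """Translate a pattern such as 'PORT %Sd, %Dd' or '\\077abc' into a regex."""
    # \NNN octal escapes become literal bytes ("binary" strings), then
    # everything except the placeholders is escaped as literal text.
    decoded = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), pattern)
    parts = re.split(r"(%[SD]d)", decoded)  # keep placeholders as own parts
    return re.compile("".join(_PLACEHOLDER_RE.get(p, re.escape(p)) for p in parts))


def _valid_port(value: Optional[str]) -> Optional[int]:
    """Assumed check: refuse to record a session for an out-of-range port."""
    if value is None:
        return None  # placeholder absent from the pattern: wildcard
    port = int(value)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return port


class PatternMatch:
    """Named session lists, keyed by the --set / --get name."""

    def __init__(self) -> None:
        self.lists: Dict[str, Set[Entry]] = {}

    def set_entry(self, pattern: str, list_name: str, payload: str) -> Optional[Entry]:
        """'--pattern P --set NAME': extract ports from the payload, remember them."""
        m = compile_pattern(pattern).search(payload)
        if m is None:
            return None  # e.g. traffic that only looks like HTTP never matches
        try:
            entry = (_valid_port(m.groupdict().get("sport")),
                     _valid_port(m.groupdict().get("dport")))
        except ValueError:
            return None
        self.lists.setdefault(list_name, set()).add(entry)
        return entry

    def get_entry(self, list_name: str, sport: int, dport: int) -> bool:
        """'--get NAME': does a recorded entry cover this (sport, dport) pair?"""
        return any((s is None or s == sport) and (d is None or d == dport)
                   for s, d in self.lists.get(list_name, ()))
```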