#56 xunlei pattern not matching anymore

closed-fixed
patterns (14)
5
2014-08-27
2008-02-02
No

Xunlei (Chinese P2P) traffic is not matched anymore by the layer7 xunlei pattern. It used to work in the past but not anymore. Maybe Xunlei was updated and the pattern should be adapted?

Discussion

  • Christophe DUMEZ

    Logged In: YES
    user_id=849410
    Originator: YES

    Apparently ipp2p was edited by Chinese people to detect pplive and xunlei. It is interesting and very recent: http://www.chinaunix.net/jh/4/914377.html

    I hope this can help. I'm joining the file where traffic detection is done.
    File Added: ipt_ipp2p.c

     
  • Christophe DUMEZ

    ipp2p edited

     
  • Matthew Strait

    Matthew Strait - 2008-02-03

    Logged In: YES
    user_id=220960
    Originator: NO

    Ok. Only some of the ipp2p function can be translated into an l7-filter regular expression. The first part of search_xunlei can't be, since it works by checking whether the length of the packet matches a byte in the packet. The second part of search_xunlei becomes:

    \x20.?\x01?.?[\x01\x77]............?.?.?.?\x38

    Or possibly:

    ^\x20.?\x01?.?[\x01\x77]............?.?.?.?\x38

    I'm not sure whether IPP2P looks at every packet or only the first of each connection.

    udp_search_xunlei says: \x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff

    Again, putting a ^ at the beginning might work:

    ^(\x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff)

    So this *might* work:

    ^(\x20.?\x01?.?[\x01\x77]............?.?.?.?\x38|\x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff)

    but the ^ might be wrong and it will not match the HTTP part of Xunlei. Please test and let me know.
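
The patterns proposed in the comment above can be checked offline before loading them into l7-filter; the script below is an added example, not part of the original thread or of the l7-filter project, and shows how the leading ^ changes the result when the signature is not at the start of the data. It assumes Python's `re` on bytes is a close enough stand-in for l7-filter's regex engine, and the payloads are constructed byte strings, not captured Xunlei traffic.

```python
import re

# Patterns copied verbatim from the comment above. Python's `re` on bytes stands
# in for l7-filter's regex engine (an approximation); DOTALL lets "." match any byte.
TCP = rb"\x20.?\x01?.?[\x01\x77]............?.?.?.?\x38"
UDP = rb"\x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff"
PATTERNS = {
    "tcp": TCP,                                    # unanchored form
    "tcp_anchored": rb"^" + TCP,                   # "Or possibly" form
    "udp_anchored": rb"^(" + UDP + rb")",
    "combined": rb"^(" + TCP + rb"|" + UDP + rb")",  # the "might work" pattern
}
COMPILED = {name: re.compile(p, re.DOTALL) for name, p in PATTERNS.items()}

# Constructed payloads (not real Xunlei traffic), shaped only to exercise each branch.
TCP_BODY = b"\x20\x05\x01\x05\x77" + b"A" * 13 + b"\x38"
SAMPLES = {
    "tcp_at_start": TCP_BODY + b"tail",
    "tcp_after_prefix": b"\xaa\xbb\xcc\xdd" + TCP_BODY,  # signature not at offset 0
    "udp_first_alt": b"\x01\x01\x01\xfe\xff\xfe\xff\x10\x20",
    "udp_second_alt": b"\x01\x11\xa0\xfe\xff\xfe\xff",
    "http_get": b"GET /file HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}


def classify(payload: bytes) -> dict:
    """Return {pattern_name: bool} for one payload."""
    return {name: rx.search(payload) is not None for name, rx in COMPILED.items()}


def report() -> dict:
    """Classify every constructed sample against every pattern."""
    return {label: classify(p) for label, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, result in report().items():
        hits = [n for n, ok in result.items() if ok] or ["(no match)"]
        print(f"{label:18} {', '.join(hits)}")
```
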

     
  • Matthew Strait

    Matthew Strait - 2008-04-24

    Logged In: YES
    user_id=220960
    Originator: NO

    Has anyone tried the pattern I gave below?

     
  • Matthew Strait

    Matthew Strait - 2008-11-23
    • status: open --> open-fixed
     
  • Matthew Strait

    Matthew Strait - 2008-11-23

    Presumably the recent changes fix this. If not, reopen.

     
  • Matthew Strait

    Matthew Strait - 2008-11-23
    • status: open-fixed --> closed-fixed
     
