>-----Original Message-----
>From: Dawid Kuroczko [mailto:qnex@xxxxxxxxxxxxxxxxxxxxxx]
>Sent: Wednesday, March 26, 2003 10:50 PM
>To: Robert Kryczało
>Cc: Luman; 'Kim Jensen'; lartc@xxxxxxxxxxxxxxx
>Subject: RE: [LARTC] Intelligent P2P detection
>
> [...]
>
>A suggestion. Something which works as a more advanced "string" match.
>But instead of a string, we use a "pattern". Say, something like this:
>
>-p tcp -m pattern --pattern "PORT %Sd, %Dd" --set ftpsession
>
>-p tcp -m pattern --get ftpsession -j MARK ...
>
>...the first would look for the pattern "PORT %d, %d", the first being the source
>port (hence: %S), the second the destination port (hence: %D), and if such a
>pattern is found, it is added to a ftpsession list (similar to
>ipt_recent).
>
>The second searches the ftpsession list for such-and-such a ports connection,
>and if found it answers that it's OK. :-)
>
>...pattern matching should accept \077 style "binary" strings, and
>should not be limited to ascii-decimal "%d" port numbers. Also
>binary forms, in any order. And even maybe IPs. :-))) Simple
>yet powerful..

Yes, it could be. But I think we need more, something like a rule-based expert system, deciding on many factors. As a result, it takes a decision on what the content is.

>...[ so we code it, and some time passes and then we read an announcement
>that KaZaA released a new version which mimics HTTP and uses strong
>cryptography to circumvent our module... Hopefully it will not come
>to pass, but well... :-)

Even so, yes, I believe that we can find some pattern in that kind of traffic which helps us to determine that this is KaZaa, even if it looks like HTTP. This is what I tried to uncover in my previous mail.

Best regards,
Luman
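A user-space model of the proposed pattern match and ftpsession list, added here as an example and not code from the thread or from netfilter. The %Sd/%Dd placeholders and the \077-style octal escapes follow the suggestion quoted above; the SessionList class, the ttl value and the rule_set/rule_get names are assumptions standing in for the --set/--get rules.

```python
import re

# Placeholders from the proposed "pattern" match: %Sd is the decimal source
# port and %Dd the decimal destination port. Each becomes a named regex group.
PLACEHOLDERS = {"%Sd": r"(?P<sport>\d{1,5})", "%Dd": r"(?P<dport>\d{1,5})"}


def compile_pattern(pattern):
    """Turn a pattern such as 'PORT %Sd, %Dd' into a compiled bytes regex."""
    # Decode \077-style octal escapes first, then escape the literal text so
    # that only the placeholders are treated as regex syntax.
    literal = pattern.encode("latin-1").decode("unicode_escape")
    regex = re.escape(literal)
    for token, group in PLACEHOLDERS.items():
        regex = regex.replace(re.escape(token), group)
    return re.compile(regex.encode("latin-1"))


class SessionList:
    """ipt_recent-style table of (sport, dport) pairs with a lifetime (assumed ttl)."""

    def __init__(self, ttl=60.0):
        self.ttl = ttl
        self.entries = {}

    def set(self, sport, dport, now):
        self.entries[(sport, dport)] = now

    def get(self, sport, dport, now):
        seen = self.entries.get((sport, dport))
        if seen is None:
            return False
        if now - seen > self.ttl:          # expired: drop it like ipt_recent would
            del self.entries[(sport, dport)]
            return False
        return True


def rule_set(payload, compiled, sessions, now):
    """Model of '--pattern ... --set ftpsession': record ports found in the payload."""
    m = compiled.search(payload)
    if not m:
        return False
    sport, dport = int(m.group("sport")), int(m.group("dport"))
    if not (0 < sport < 65536 and 0 < dport < 65536):
        return False                        # malformed port number, no entry
    sessions.set(sport, dport, now)
    return True


def rule_get(sport, dport, sessions, now):
    """Model of '--get ftpsession': does this connection match a recorded pair?"""
    return sessions.get(sport, dport, now)
```

Payloads are constructed in the test; a real deployment would feed the matcher TCP segment payloads and the packet's own ports.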