|
1
|
# AIM - AOL instant messenger (OSCAR and TOC)
|
|
2
|
# Pattern attributes: good slow notsofast
|
|
3
|
# Protocol groups: chat proprietary
|
|
4
|
# Wiki: http://www.protocolinfo.org/wiki/AIM
|
|
5
|
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
|
|
6
|
#
|
|
7
|
# Usually runs on port 5190
|
|
8
|
#
|
|
9
|
# This may also match ICQ traffic.
|
|
10
|
#
|
|
11
|
# This pattern has been tested and is believed to work well.
|
|
12
|
|
|
13
|
aim
|
|
14
|
# See http://gridley.res.carleton.edu/~straitm/final (and various other places)
|
|
15
|
# The first bit matches OSCAR signon and data commands, but not sure what
|
|
16
|
# \x03\x0b matches, but it works apparently.
|
|
17
|
# The next three bits match various parts of the TOC signon process.
|
|
18
|
# The third one is the magic number "*", then 0x01 for "signon", then up to four
|
|
19
|
# bytes ("up to" because l7-filter strips out nulls) which contain a sequence
|
|
20
|
# number (2 bytes) the data length (2 more) and 3 nulls (which don't count),
|
|
21
|
# then 0x01 for the version number (not sure if there ever has been another
|
|
22
|
# version)
|
|
23
|
# The fourth one is a command string, followed by some stuff, then the
|
|
24
|
# beginning of the "roasted" password
|
|
25
|
|
|
26
|
# This pattern is too slow!
|
|
27
|
|
|
28
|
^(\*[\x01\x02].*\x03\x0b|\*\x01.?.?.?.?\x01)|flapon|toc_signon.*0x
|