|
1
|
# RTP - Real-time Transport Protocol - RFC 3550
|
|
2
|
# Pattern attributes: ok overmatch undermatch fast fast
|
|
3
|
# Protocol groups: streaming_video ietf_internet_standard
|
|
4
|
# Wiki: http://www.protocolinfo.org/wiki/RTP
|
|
5
|
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
|
|
6
|
#
|
|
7
|
# RTP headers are *very* short and compact. They have almost nothing in
|
|
8
|
# them that can be matched by l7-filter. As RTP connections take place
|
|
9
|
# between even numbered ports, you should probably check for that before
|
|
10
|
# applying this pattern. If you want to match them along with their
|
|
11
|
# associated SIP packets, you might try setting up some iptables rules
|
|
12
|
# that watch for SIP packets and then also match any other UDP packets
|
|
13
|
# that are going between the same two IP addresses.
|
|
14
|
#
|
|
15
|
# I think we can count on the first bit being 1 and the second bit being
|
|
16
|
# 0 (meaning protocol version 2). The next two bits could go either way,
|
|
17
|
# but in the example I've seen, they are zero, so I'll assume they are
|
|
18
|
# usually zero. The next four bits are a count of "contributing source
|
|
19
|
# identifiers". I'm not sure how big that could be, but in the example
|
|
20
|
# I've seen, they're zero, so I'll assume they're usually zero. So that
|
|
21
|
# gives us ^\x80. The next bit is a tossup. Next is the payload type, 7
|
|
22
|
# bits. I've taken likely values from the WireShark code: 0-34, 96-127
|
|
23
|
# (decimal). The rest of the header is random numbers (sequence number,
|
|
24
|
# timestamp, synchronization source identifier), so that's no help at
|
|
25
|
# all.
|
|
26
|
|
|
27
|
rtp
|
|
28
|
^\x80[\x01-"`-\x7f\x80-\xa2\xe0-\xff]?..........*\x80
|
|
29
|
|
|
30
|
# Might also try this. It's a bit slower (one packet and not too much extra
|
|
31
|
# regexec load) and a bit more accurate:
|
|
32
|
#^\x80[\x01-"`-\x7f\x80-\xa2\xe0-\xff]?..........*\x80.*\x80
|
|
33
|
|