pfSense

# Xunlei - Chinese P2P filesharing - http://xunlei.com

# Pattern attributes: good slow notsofast

# Protocol groups: p2p

# Wiki: http://www.protocolinfo.org/wiki/Xunlei

# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

#

# This has been tested by a number of people.

#

# Written by wsgtrsys of www.routerclub.com.  Improved by VeNoMouS.

# Improved more by wsgtrsys and platinum of bbs.chinaunix.net.

#

# Further additions of HTTP-like content by liangjunATdcuxD.Tcom, who

# says: "i find old pattern is not working . so i write a new pattern of 

# xunlei,it's working with all of xunlei 5 version!"  Matthew Strait notes

# in response:

# 

# I've looked around and I'm fairly sure that Internet Explorer 5.0 

# never identifies itself as "Mozilla/4.0 (compatible; MSIE 5.00; 

# Windows 98)" and that Internet Explorer 6.0 never identifies itself as 

# either "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; )" or 

# "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)".

# The keep-alive part needs some examination too.  These might validly 

# occur in an HTTP/1.0 connection, although I think in practical cases 

# they don't since there's general only one \x0d\x0a after it and/or the 

# next line starts with a letter (especially because it's the client 

# sending it).  It wouldn't be crazy, though, if another protocol 

# (besides Xunlei) used keep-alive in a way that did match this.  But 

# since I can't think of any examples, I'll assume it's ok for now.

xunlei

^([()]|get)(...?.?.?(reg|get|query)|.+User-Agent: (Mozilla/4\.0 \(compatible; (MSIE 6\.0; Windows NT 5\.1;? ?\)|MSIE 5\.00; Windows 98\))))|Keep-Alive\x0d\x0a\x0d\x0a[26]

# This was the pattern until 2008 11 08.  It is safer than the above against

# overmatching ordinary HTTP connections

#^[()]...?.?.?(reg|get|query)

# More detail:

# From http://sourceforge.net/tracker/index.php?func=detail&aid=1885209&group_id=80085&atid=558668

# 

##############################################################################

# Date: 2008-02-03

# Sender: hydr0g3n

# 

# Xunlei (Chinese P2P) traffic is not matched anymore by layer7 xunlei

# pattern. It used to work in the past but not anymore. Maybe Xunlei was

# updated and pattern should be adapted?

#

# Apparently ipp2p was edited by Chinese people to detect pplive and xunlei.

# It is interesting and very recent:

# http://www.chinaunix.net/jh/4/914377.html

##############################################################################

# Date: 2008-02-03

# Sender: quadong

# 

# Ok.  Only some of the ipp2p function can be translated into an l7-filter

# regular expression.  The first part of search_xunlei can't be, since it

# works by checking whether the length of the packet matches a byte in the

# packet.  The second part of search_xunlei becomes: 

# 

# \x20.?\x01?.?[\x01\x77]............?.?.?.?\x38

# 

# Or possibly:

# 

# ^\x20.?\x01?.?[\x01\x77]............?.?.?.?\x38

# 

# I'm not sure whether IPP2P looks at every packet or only the first of each

# connection.

# 

# udp_search_xunlei says:

# \x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff

# 

# Again, putting a ^ at the beginning might work:

# 

# ^(\x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff)

# 

# So this *might* work:

# 

# ^(\x20.?\x01?.?[\x01\x77]............?.?.?.?\x38|\x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff)

# 

# but the ^ might be wrong and it will not match the HTTP part of Xunlei. 

##############################################################################