File: README

package: l7-protocols 20090528-3
Patterns in this directory are not for network protocols, but rather for
file types.  They are for cases in which you would like to
promote/restrict transfer of one file type regardless of what protocol
it is being transferred over.
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

Writing patterns for this directory is pretty easy.  Often
/usr/share/magic (the magic database used by file(1)) has everything you
need to know.  If you'd like something that isn't here, please ask for it.

Notes:

0) Support for doing this is pretty sketchy.  Proceed at your own risk.

1) These patterns cannot use the ^ and $ anchors.  l7-filter matches
against the data stream of a connection from its first byte, so although
your pattern may describe the beginning of a file, that file does not
start at the beginning of the connection (protocol headers come first).

2) A connection may very well contain more than one file transfer and/or
things other than file transfers. These will match the first file sent
(or nothing if the first stuff isn't a file) and continue to apply that
classification to all subsequent files of that connection, regardless of
their content.  For instance:

- HTTP can send several files over the same connection.  l7-filter can
match the first one, but subsequent ones just get the original match
applied to them. 

- SMB sends all sorts of chatter over the same TCP connection as files
are sent over, so we can't match its file transfers at all.

3) Since the file starts later than the application layer protocol
information, you may need to increase the number of packets and bytes
examined.  Use /proc/net/layer7_numpackets to increase the number of
packets examined, e.g. "echo 12 > /proc/net/layer7_numpackets".
To increase the number of bytes examined, you'll need to recompile
your kernel.  See the documentation at http://l7-filter.sf.net
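To make notes 1 to 3 concrete, here is an added example (written for this
README, not code from l7-filter or l7-protocols) that emulates how the
kernel module applies a pattern to a connection: the data of the first
few packets is appended to one buffer, capped at a byte limit, and the
regex is searched unanchored and case-insensitively; the first match
sticks to the connection.  The pattern files, the HTTP/PDF stream and the
packet/byte limits are constructed for this example, and the limits are
parameters rather than the kernel's real defaults.

```python
import re

# Constructed sample pattern in .pat layout: '#' comment lines, then the
# protocol name, then the regular expression.  "%PDF-" is the PDF magic.
PDF_PAT = """# Portable Document Format (constructed example pattern)
pdf
%pdf-
"""

# Same pattern, wrongly anchored to the start of the buffer (note 1).
ANCHORED_PDF_PAT = """# anchored, will never match inside a connection
pdf-anchored
^%pdf-
"""

# Constructed connection data: an HTTP response carrying a PDF.  The file
# body only begins in the second packet, after 72 bytes of HTTP headers.
HTTP_PDF_STREAM = [
    b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
    b"Content-Length: 1234\r\n\r\n",
    b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    b"xref\n0 2\n0000000000 65535 f \ntrailer\n<< /Root 1 0 R >>\n%%EOF\n",
]


def parse_pat(text):
    """Return (name, compiled regex) from .pat text.  l7-filter matches
    case-insensitively; DOTALL lets '.' cross the newlines in file data."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    name, regex = lines[0], lines[1]
    return name, re.compile(regex.encode("latin-1"), re.IGNORECASE | re.DOTALL)


def label_packets(pat_text, packets, numpackets=10, maxbytes=2048):
    """Per-packet label for the connection.  Only the first `numpackets`
    packets (at most `maxbytes` bytes of their data) are searched; once
    the pattern matches, every later packet inherits that label (note 2).
    Packets seen before a match, or on a connection that never matched
    inside the window, are 'unmatched'."""
    name, rx = parse_pat(pat_text)
    buf, label, labels = b"", None, []
    for i, pkt in enumerate(packets):
        if label is None and i < numpackets:
            buf = (buf + pkt)[:maxbytes]       # byte limit (note 3)
            if rx.search(buf):                 # unanchored search (note 1)
                label = name
        labels.append(label or "unmatched")
    return labels


def classify(pat_text, packets, numpackets=10, maxbytes=2048):
    """Final classification of the connection: the name on the first match
    within the window, otherwise 'unknown'."""
    labels = label_packets(pat_text, packets, numpackets, maxbytes)
    return labels[-1] if labels and labels[-1] != "unmatched" else "unknown"


if __name__ == "__main__":
    print("unanchored        :", classify(PDF_PAT, HTTP_PDF_STREAM))
    print("anchored          :", classify(ANCHORED_PDF_PAT, HTTP_PDF_STREAM))
    print("64-byte window    :", classify(PDF_PAT, HTTP_PDF_STREAM, maxbytes=64))
    print("1-packet window   :", classify(PDF_PAT, HTTP_PDF_STREAM, numpackets=1))
    print("per-packet labels :", label_packets(PDF_PAT, HTTP_PDF_STREAM))
```

The 64-byte and 1-packet runs come back "unknown" because the window
closes before the "%PDF-" magic arrives, which is exactly the situation
note 3 tells you to fix by raising the packet and byte limits.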

4) If you want a filter for both a file type and the application layer
protocol that this file type is transported over (e.g. HTML and HTTP),
you've got a difficult situation.  Each connection can only be
classified as one thing at a time.  The obvious thing is to set up
a tree like this:

(root)
 \_ HTTP
 |   \_ HTML
 |   \_ PDF
 \_ FTP
     \_ TAR
     \_ PS
     \_ PDF

But if you do this, you'll find that the file types never match, because
the connections have already been classified by their protocol.

So what's the solution?  Well, you can do this instead:

(root)
 \_ port 80
 |   \_ HTML
 |   \_ PDF
 \_ port 21
     \_ TAR
     \_ PS
     \_ PDF

(Except, of course, that FTP data doesn't actually go over port 21, so
some extra magic is needed there, such as picking out the data
connections by the FTP connection-tracking helper rather than by port.)
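As an added example for the second tree above (written for this README,
not part of l7-protocols), the following shell function emits iptables
mangle rules that classify by port first and by file-type pattern second,
setting a firewall mark per leaf that a tc "fw" filter can then map to a
class.  The mark values and the rule table are constructed for this
example; the FTP branch assumes the ftp conntrack helper module is loaded
so that data connections can be matched with "-m helper --helper ftp"
instead of a port.  The function only prints the rules; review them and
run them yourself.

```sh
#!/bin/sh
# Rule table for this example: parent-match|l7proto|mark (constructed).
RULES="
dport80|html|10
dport80|pdf|11
ftpdata|tar|20
ftpdata|ps|21
ftpdata|pdf|22
"

# Translate a parent name into the iptables match that selects it.
parent_match() {
    case "$1" in
        dport80) printf '%s' '-p tcp --dport 80' ;;
        # FTP data connections do not use port 21; with the ftp conntrack
        # helper loaded they carry the helper name and can be matched on it.
        ftpdata) printf '%s' '-p tcp -m helper --helper ftp' ;;
        *) return 1 ;;
    esac
}

# Print one mangle rule per table row: parent match, then the layer7
# file-type pattern, then the mark for that leaf of the tree.
emit_rules() {
    echo "$RULES" | while IFS='|' read -r parent proto mark; do
        [ -n "$parent" ] || continue
        pm=$(parent_match "$parent") || {
            echo "unknown parent: $parent" >&2
            return 1
        }
        printf 'iptables -t mangle -A POSTROUTING %s -m layer7 --l7proto %s -j MARK --set-mark %s\n' \
            "$pm" "$proto" "$mark"
    done
}

emit_rules
```

Because the port (or helper) match is evaluated before the layer7 match in
each rule, the connection is never "used up" by a protocol classification
the way it is in the first tree, and the file-type pattern still gets its
chance to match.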

Or perhaps you could use IMQ to create several unrelated regions of
classification, e.g. on ingress, classify and shape on protocol,
and on egress, classify and shape on file type.  I haven't tried this.