搜集自网络

  
ROSCN 071006
# Enter the layer7-protocol menu. The ":if ... [find name=...] ... add ..." entries below use
# relative find/add commands, so they only work while this menu is the current path.
# NOTE(review): per MikroTik documentation the L7 matcher inspects only the first packets of a
# connection and cannot see inside encrypted sessions; confirm for your RouterOS version
# before relying on any of these patterns for enforcement.
/ip firewall layer7-protocol  
1.qq 
^.?.?\x02.+\x03$
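# Create the "qq" L7 pattern unless an entry with that name already exists (then only report it).
# find/add are relative: run from the /ip firewall layer7-protocol menu.
# The expression allows up to two arbitrary leading bytes before 0x02 and requires the
# inspected data to end in 0x03, in step with the reference expression ^.?.?\x02.+\x03$
# given for QQ; with a single optional byte, streams with two leading bytes would not match.
:if ([:len [find name=qq]] > 0) do={ :put "already have qq" } else={ add name=qq regexp="^.\?.\?\02.+\03\$" }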
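# Extra QQ-related patterns. These are added without the "already have" existence check
# used by the other entries.
# qqhttp: data starts with byte 0x43 ("C"), contains "tencent", and ends in a line feed.
# (No space is allowed between "regexp=" and the quoted value.)
/ip fi la add comment="" name=qqhttp regexp="^\\x43.+\\x74\\x65\\x6e\\x63\\x65\\x6e\\x74.+\\x0a\$"
# qq1 and qq2 match any data beginning "get http://" or any "connect ... CRLF" request.
# Nothing in them is specific to QQ, so ordinary HTTP proxy traffic matches as well.
# Narrow by address or port before attaching either one to a drop rule.
/ip fi la add comment="" name=qq1 regexp="^get http://"
/ip fi la add comment="" name=qq2 regexp="^connect.+\\x0D\\x0A\$"
# qq3: the reference QQ expression ^.?.?\x02.+\x03$ written with regex-level \x escapes.
/ip fi la add comment="" name=qq3 regexp="^.\?.\?\\x02.+\\x03\$"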
2.pcanywhere
# Create the "pcanywhere" L7 pattern unless an entry with that name already exists.
# find/add are relative: run from the /ip firewall layer7-protocol menu.
# NOTE(review): the expression is just the two-character strings "nq" or "st" as the whole
# inspected data; check for false positives before using it in a drop rule.
:if ([:len [find name=pcanywhere]] > 0) do={ :put "already have pcanywhere" } else={ add name=pcanywhere regexp="^(nq|st)\$" }
3.RTSP
# Create the "http-rtsp" L7 pattern (RTSP tunnelled over HTTP) unless it already exists.
# Matches either a "get" request carrying "Accept: application/x-rtsp-tunnelled" or an
# HTTP status line followed by "a=control:rtsp://".
# find/add are relative: run from the /ip firewall layer7-protocol menu.
:if ([:len [find name=http-rtsp]] > 0) do={ :put "already have http-rtsp" } else={ add name=http-rtsp regexp="^(get[\09-\0D -~]* Accept: application/x-rtsp-tunnelled|http/(0\\.9|1\\.0|1\\.1) [1-5][0-9][0-9] [\09-\0D -~]*a=control:rtsp://)" } 
4.citrix
# Create the "citrix" L7 pattern unless an entry with that name already exists.
# The expression is an unanchored five-byte sequence (presumably RouterOS hex escapes for
# 0x32 0x26 0x85 0x92 0x58; confirm), so it can match anywhere in the inspected data.
# find/add are relative: run from the /ip firewall layer7-protocol menu.
:if ([:len [find name=citrix]] > 0) do={ :put "already have citrix" } else={ add name=citrix regexp="\32\26\85\92\58" }
5.msnmessenger
# Create the "msnmessenger" L7 pattern unless an entry with that name already exists.
# Matches the cleartext protocol lines "ver <n> msnp<nn> ... cvr0", "usr 1 ..." or
# "ans 1 ...", each terminated by CR LF at the end of the inspected data.
# find/add are relative: run from the /ip firewall layer7-protocol menu.
:if ([:len [find name=msnmessenger]] > 0) do={ :put "already have msnmessenger" } else={ add name=msnmessenger regexp="ver [0-9]+ msnp[1-9][0-9]\? [\09-\0D -~]*cvr0\0D\0A\$|usr 1 [!-~]+ [0-9. ]+\0D\0A\$|ans 1 [!-~]+ [0-9. ]+\0D\0A\$" } 
msger   
# Create the "msn-filetransfer" L7 pattern unless an entry with that name already exists.
# Matches data that starts with the "ver ... msnftp" / "ver msnftp" / "usr" exchange or
# with "method msnmsgr:".
# find/add are relative: run from the /ip firewall layer7-protocol menu.
:if ([:len [find name=msn-filetransfer]] > 0) do={ :put "already have msn-filetransfer" } else={ add name=msn-filetransfer regexp="^(ver [ -~]*msnftp\0D\0Aver msnftp\0D\0Ausr|method msnmsgr:)" }
msn
ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]*cvr0\x0d\x0a$|usr 1 [!-~]+ [0-9. ]+\x0d\x0a$|ans 1 [!-~]+ [0-9. ]+\x0d\x0a$
msnlogin 
^(ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]* cvr|usr md5 i [ -~]*)
msnlive 
^(ver [ -~]*msnftp\x0d\x0aver msnftp\x0d\x0ausr|method msnmsgr:)
msn-filet
^ver [ -~]*msnftp\x0d\x0aver msnftp\x0d\x0ausr|^method
msn-sp 
msnmsgr:|x-msnmsgrp2p|x-msmsgscontrol\r\n
msger 
ver [0-9]+ msnp[1-9][0-9]\? [\09-\0D -~]*cvr0\0D\0A\$|usr 1 [!-~]+ [0-9. ]+\0D\0A\$|ans 1 [!-~]+ [0-9. ]+\0D\0A\$
msn-filetransfer 
^(ver [ -~]*msnftp\0D\0Aver msnftp\0D\0Ausr|method msnmsgr:) 
6.VNC
# Create the "vnc" L7 pattern unless an entry with that name already exists.
# Matches the RFB version banner "rfb 00x.00y" followed by a line feed as the whole
# inspected data.
# find/add are relative: run from the /ip firewall layer7-protocol menu.
:if ([:len [find name=vnc]] > 0) do={ :put "already have vnc" } else={ add name=vnc regexp="^rfb 00[1-9]\\.00[0-9]\0A\$" }
7.yahoochat   
# Create the "yahoo" L7 pattern unless an entry with that name already exists.
# Matches data starting with "ymsg", "ypns" or "yhoo", then up to seven arbitrary bytes,
# one of l/w/t, and later the byte pair written as \C0\80.
# find/add are relative: run from the /ip firewall layer7-protocol menu.
:if ([:len [find name=yahoo]] > 0) do={ :put "already have yahoo" } else={ add name=yahoo regexp="^(ymsg|ypns|yhoo).\?.\?.\?.\?.\?.\?.\?[lwt].*\C0\80" }
8.RDP Remote Desktop protocol 
# Create the "rdp" L7 pattern unless an entry with that name already exists.
# Unanchored match on the strings "rdpdr", "cliprdr" and "rdpsnd" appearing in that order.
# NOTE(review): this only works if those names appear in cleartext within the inspected
# part of the connection; verify against the RDP clients in use before relying on it.
# find/add are relative: run from the /ip firewall layer7-protocol menu.
:if ([:len [find name=rdp]] > 0) do={ :put "already have rdp" } else={ add name=rdp regexp="rdpdr.*cliprdr.*rdpsnd" }
9.ciscovpn     
# Create the "ciscovpn" L7 pattern unless an entry with that name already exists.
# Matches data beginning with the four bytes written as \01\F4\01\F4
# (presumably hex escapes for 0x01 0xF4 0x01 0xF4; confirm).
# find/add are relative: run from the /ip firewall layer7-protocol menu.
:if ([:len [find name=ciscovpn]] > 0) do={ :put "already have ciscovpn" } else={ add name=ciscovpn regexp="^\01\F4\01\F4" }
10.http
http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019]
# Create the "http" L7 pattern unless an entry with that name already exists.
# Matches either an HTTP status line followed by one of the headers connection:,
# content-type:, content-length: or date:, or a "post ... http/x.y" request line.
# The expression is unanchored, so it can match anywhere in the inspected data.
# find/add are relative: run from the /ip firewall layer7-protocol menu.
:if ([:len [find name=http]] > 0) do={ :put "already have http" } else={ add name=http regexp="http/(0\\.9|1\\.0|1\\.1) [1-5][0-9][0-9] [\09-\0D -~]*(connection:|content-type:|content-length:|date:)|post [\09-\0D -~]* http/[01]\\.[019]" }
11.ftp
^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*password
# Create the "ftp" L7 pattern unless an entry with that name already exists.
# Matches a server greeting that starts with "220" and contains "ftp".
# Only the banner alternative is installed here; the "331 ... password" alternative from
# the reference expression listed under this heading is not part of this command.
# find/add are relative: run from the /ip firewall layer7-protocol menu.
:if ([:len [find name=ftp]] > 0) do={ :put "already have ftp" } else={ add name=ftp regexp="^220[\09-\0D -~]*ftp" } 
12.edonkey
# Create the "edonkey" L7 pattern unless an entry with that name already exists.
# Matches data whose first byte is one of \C5, \D4 or \E3-\E5, followed by up to four
# arbitrary bytes and then one of a listed set of bytes, or \59 plus 15-16 bytes and a
# printable character, or \96 plus four bytes at the end of the data.
# NOTE(review): a second "[" appears inside the bracket expression after \58; it looks like
# a leftover and makes "[" itself part of the set. Confirm against the upstream pattern.
# find/add are relative: run from the /ip firewall layer7-protocol menu.
:if ([:len [find name=edonkey]] > 0) do={ :put "already have edonkey" } else={ add name=edonkey regexp="^[\C5\D4\E3-\E5].\?.\?.\?.\?([\01\02\05\14\15\16\18\19\1A\1B\1C\20\21\32\33\34\35\36\38\40\41\42\43\46\47\48\49\4A\4B\4C\4D\4E\4F\50\51\52\53\54\55\56\57\58[\60\81\82\90\91\93\96\97\98\99\9A\9B\9C\9E\A0\A1\A2\A3\A4]|\59................\?[ -~]|\96....\$)" }
13.SMTP(25)
# Create the "smtp" L7 pattern unless an entry with that name already exists.
# Matches a server greeting that starts with "220" and contains " smtp", " esmtp" or
# " simple mail".
# find/add are relative: run from the /ip firewall layer7-protocol menu.
:if ([:len [find name=smtp]] > 0) do={ :put "already have smtp" } else={ add name=smtp regexp="^220[\09-\0D -~]* (e\?smtp|simple mail)" }
14.POP3(110)
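# Create the "pop3" L7 pattern unless an entry with that name already exists.
# Matches a server reply beginning "+ok " or "-err ".
# The forum "[url=...]...[/url]" markup that had been pasted into the expression is removed:
# inside a regular expression it formed bracket sets and literal text, so the pattern did
# not match a plain "+ok " reply.
# find/add are relative: run from the /ip firewall layer7-protocol menu.
:if ([:len [find name=pop3]] > 0) do={ :put "already have pop3" } else={ add name=pop3 regexp="^(\\+ok |-err )" }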
15.SSH
# Create the "ssh" L7 pattern unless an entry with that name already exists.
# Matches the cleartext version banner "ssh-1.<digit>" or "ssh-2.<digit>" at the start of
# the data. Everything after the banner exchange is encrypted and is not examined by this
# expression.
# find/add are relative: run from the /ip firewall layer7-protocol menu.
:if ([:len [find name=ssh]] > 0) do={ :put "already have ssh" } else={ add name=ssh regexp="^ssh-[12]\\.[0-9]" }
16.bittorrent 
^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]
#^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=)  
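# Add the "bittorrent" L7 pattern (no existence check; the full menu path is given).
# Alternatives: the "\x13bittorrent protocol" handshake, "azver\x01", tracker requests
# "get /scrape?info_hash=" and "get /announce?info_hash=", "get /client/bitcomet/",
# "GET /data?fid=", the DHT prefix "d1:ad2:id20:", and the byte sequence \x08'7P)[RP].
# The scrape and announce requests are separate alternatives here; written as one fused
# literal they could only match a request containing both strings back to back.
# NOTE(review): encrypted peer connections show none of these strings, so treat a
# non-match as "unknown", not as "no BitTorrent".
/ip firewall layer7-protocol add comment="" name=bittorrent regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"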
17.FLV(Macromedia Flash Video)
\x01\x05
18.kugoo 
\x64.+\x74\x47\x50\x37 
^\x64|\x65
19.mp3 
^\x67\x65\x74.+\.\x6D\x70\x33\x20.+\x31\.\x31\x0d\x0a
\x49\x44\x33\x03
20.pplive
^\xe9\x03..\x98\xab\x01 
21.swf  
[FC]WS[\x01-\x09]
22.vagaa 
^\xff\xde\xe3\xe4\xe5..\xff\xfd   
^.?\xe4|.?\xe5
23.verycd
^\xe3.{1}\x00\x00\x00  
24.winbox
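# Pattern for Winbox management sessions: the two bytes written as \12\02 (presumably hex
# escapes for 0x12 0x02; confirm) followed by the string "index".
/ip firewall layer7-protocol add comment="" name="winbox" regexp="\12\02index"
# Drop Winbox sessions addressed to the router itself (chain=input) when the source is in
# an address list. The list name was left blank in the source, which is not a usable value;
# PLACEHOLDER_BLOCKED_SOURCES is a placeholder and must be replaced with the name of a real
# /ip firewall address-list before this rule is added.
# Do not "fix" the rule by deleting src-address-list: without it the rule drops Winbox from
# every source, including the administrator's own workstation.
# An L7 rule can only act after the connection is open and payload has been exchanged. For
# management-plane protection, also restrict the allowed source addresses on the service
# itself (/ip service set winbox address=...) rather than depending on payload matching alone.
/ip fi fi add chain=input action=drop src-address-list=PLACEHOLDER_BLOCKED_SOURCES layer7-protocol=winbox comment="block winbx"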
25.Thunder
^\x29\x00\x00\x00 
26.UC  
tcp ^\x01\x02\x03
27.qqgame
^\x2d\x00(\x00\x00|\xff\xff) 
28.telnet
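# Pattern for the start of a telnet session: three option-negotiation commands, each byte
# 0xff followed by a byte in 0xfb-0xfe and one option byte.
# NOTE(review): the other commands in this list write regex-level hex escapes as "\\x..";
# this one uses a single backslash. Check how the RouterOS console parses "\x" here.
/ip fi la add comment="" name="telnet1" regexp="^\xff[\xfb-\xfe].\xff[\xfb-\xfe].\xff[\xfb-\xfe]"
# Both rules must reference the pattern by the name it was created with ("telnet1"); a
# reference to "telnet" only resolves if a separate pattern of that name exists.
# The first rule ACCEPTS telnet to the router itself (chain=input). Telnet carries
# credentials in cleartext, so place this rule behind a source-address restriction or
# replace it with a drop rule unless telnet management is required.
/ip fi fi add action=accept chain=input comment="" disabled=no layer7-protocol=telnet1 protocol=tcp
# passthrough only counts matching packets leaving the router; it neither accepts nor drops them.
/ip fi fi add action=passthrough chain=output comment="" disabled=no layer7-protocol=telnet1 protocol=tcp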
29.socks
# Add the "socks" L7 pattern (no existence check). The expression is unanchored and looks
# for repeated \05 bytes, each followed by short runs of small byte values.
# NOTE(review): presumably this targets the SOCKS5 greeting/request exchange; confirm
# against captured traffic before using it in an enforcing rule.
/ip fi la add comment="" name=socks regexp="\05[\01-\08]*\05[\01-\08]\?.*\05[\01-\03][\01\03].*\05[\01-\08]\?[\01\03]" 
 
new in 3.0rc6  
*) added support for L7 matcher in WinBox; 
*) added support for Intel EXPI9404PT PCI-E ethernet adapter;
                                               
l7-filter.sourceforge.net/
sourceforge.net/projects/l7-filter/
www.clearfoundation.com/Software/l7-filter.html
l7-filter.clearfoundation.com/#application_layer_packet_classifier_for_linux