[Help] Brothers, msn-filetransfer in l7filter isn't working??

lsp678 (original poster), posted on: 2009-05-01
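After a few days of work I finally got l7filter running. qq, bt and edonkey seem to be blocked well, but I found that msn-filetransfer doesn't work???
I don't know whether any of you have tried this. Please give me some hints, many thanks.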

gfmv, reply #1, posted on: 2010-04-13
Just now, I saw that Matthew Strait, one of the l7-filter developers, sent a mail to the L7-filter-developers mailing list yesterday. He pointed out the reason why there are many problems in matching MSN. Maybe it can help explain why you can't match them.



QUOTE:

Today's Topics:

  1. msn live file transfer modified pattern that matches MSN LIVE
     7.x and   8.x (fwd) (Matthew Strait)
  2. Re: msn live file transfer modified pattern that matches MSN
     LIVE 7.x and 8.x (Matthew Strait)


----------------------------------------------------------------------

Message: 1
Date: Sat, 25 Aug 2007 00:14:47 -0500 (CDT)
From: Matthew Strait <quadong@users.sourceforge.net>
Subject: [l7-filter-developers] msn live file transfer modified
       pattern that matches MSN LIVE 7.x and   8.x (fwd)
To: filter-developers@lists.sourceforge.net
Message-ID: <Pine.LNX.4.64.0708250014200.8601@localhost.localdomain>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

---------- Forwarded message ----------
Date: Tue, 21 Aug 2007 22:10:57 -0500
From: Gabriel Orozco <redimido@gmail.com>
To: filter-developers-owner@lists.sourceforge.net
Subject: msn live file transfer modified pattern that matches MSN LIVE 7.x and
       8.x

Hi

I needed to add l7filter in order to specifically be able to permit
msnmessenger but at the same time block msn-filetransfer.

My tests were good when I was using Linux, I think because gaim, pidgin and
kopete use the older protocols; however, when I tried using Windows against
Windows, files went through and my filter did not notice the transfer
at all.

After some time looking at this list's past emails, I started Wireshark
and did a trace of a conversation with file transfer and found every message
is governed by a specific mime type, so I modified the standard pattern to
include two specific strings and I was successful in blocking file transfers
with live messenger 7.x (I really do not know if the last version 8.x has
changed that behavior; I would like someone to test).

One interesting thing I found is that when you are in a conversation and try
to send or receive a file, the whole conversation gets blocked. I think
because every packet is 'related,established' in netfilter... when I close
that window and restart the conversation in the new window, I am able to
chat unless I try to send a file again.

here is the pattern:

msn-filetransfer
^ver [ -~]*msnftp\x0d\x0aver msnftp\x0d\x0ausr|^method msnmsgr:|x-msnmsgrp2p|x-msmsgscontrol

Please note these two texts (x-msnmsgrp2p and x-msmsgscontrol) are specific
to msn, and are not at the beginning of the string to be checked.

As this is my first use of l7filtering and I have no previous experience,
please feel free to improve the pattern, or send me comments/test results.


Thanks

--
Gabriel Orozco (Redimido)
http://redimido.glo.org.mx



------------------------------

Message: 2
Date: Sat, 25 Aug 2007 00:36:12 -0500 (CDT)
From: Matthew Strait <quadong@users.sourceforge.net>
Subject: Re: [l7-filter-developers] msn live file transfer modified
       pattern that matches MSN LIVE 7.x and 8.x
To: Gabriel Orozco <redimido@gmail.com>
Cc: filter-developers@lists.sourceforge.net
Message-ID: <Pine.LNX.4.64.0708250018160.8601@localhost.localdomain>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Tue, 21 Aug 2007, Gabriel Orozco wrote:

> One interesting thing I found is that when you are in a conversation and
> try to send or receive a file, the whole conversation gets blocked.
> I think because every packet is 'related,established' in netfilter...

More concretely, the reason that blocking the file transfer blocks the
conversation is that they use the same TCP connection.  There is no way to
use l7-filter to separate them because l7-filter operates on TCP
connections as a whole.

> msn-filetransfer
> ^ver [ -~]*msnftp\x0d\x0aver msnftp\x0d\x0ausr|^method msnmsgr:|x-msnmsgrp2p|x-msmsgscontrol

> As this is my first use of l7filtering and I have no previous experience,
> please feel free to improve the pattern, or send me comments/test
> results.

This pattern will only work for the new-style file transfers if the file
transfer starts within the first 10 packets (or whatever you have set
numpackets to).  Otherwise, l7-filter will never see the "x-msnmsgrp2p" or
"x-msmsgscontrol" because it stops looking before they are sent.

Really, this kind of fine-grained control is not what l7-filter is
intended for.  If you want to block file transfers because they use too
much bandwidth, you shouldn't block them, you should use QoS for rate
limiting.  If you want to block them because you just don't want people
transferring files for some reason, then you need to look for a different
piece of software or a different solution altogether. (For example, if you
are afraid of viruses, I'm sure there's software that scans for them in
network traffic.  For another example, if these are students in a lab,
consider using human rules instead of technological control.)

-Matthew




End of L7-filter-developers Digest, Vol 15, Issue 9
***************************************************
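
An added illustration (not part of the thread and not l7-filter's own code) of the two behaviours Matthew Strait describes in the quoted mail: the pattern is only searched for in the first numpackets packets, and a match labels the whole TCP connection, chat included. The `Connection` class, the `replay` helper, the payloads and the ACCEPT/DROP verdicts are a simplified model constructed for this example.

```python
import re

# Pattern from the quoted mail, joined onto one line as a single regex.
MSN_FILETRANSFER = re.compile(
    rb"^ver [ -~]*msnftp\x0d\x0aver msnftp\x0d\x0ausr|^method msnmsgr:"
    rb"|x-msnmsgrp2p|x-msmsgscontrol",
    re.IGNORECASE,
)


class Connection:
    """Toy model of per-connection matching (assumed for this example)."""

    def __init__(self, pattern, numpackets=10):
        self.pattern = pattern
        self.numpackets = numpackets  # inspection window, in packets
        self.seen = 0
        self.buffer = b""
        self.matched = False

    def verdict(self, payload):
        if self.matched:
            return "DROP"  # the label applies to the whole TCP connection
        if self.seen < self.numpackets:
            self.seen += 1
            self.buffer += payload
            if self.pattern.search(self.buffer):
                self.matched = True
                return "DROP"
        return "ACCEPT"  # window exhausted: later payloads are not inspected


def replay(packets, numpackets=10):
    conn = Connection(MSN_FILETRANSFER, numpackets)
    return [conn.verdict(p) for p in packets]


# Constructed payloads, not captured traffic.
CHAT = b"MSG 1 N 96\r\nContent-Type: text/plain; charset=UTF-8\r\n\r\nhello"
INVITE = b"MSG 2 D 120\r\nContent-Type: application/x-msnmsgrp2p\r\n\r\n..."

EARLY = [CHAT] * 3 + [INVITE] + [CHAT] * 2   # transfer starts at packet 4
LATE = [CHAT] * 12 + [INVITE] + [CHAT]       # transfer starts at packet 13

if __name__ == "__main__":
    print("early:", replay(EARLY))
    print("late: ", replay(LATE))
    print("late, numpackets=20:", replay(LATE, numpackets=20))
```

In the early case the chat packets that follow the transfer are dropped too; in the late case the transfer passes unless the inspection window is widened.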


Reply #2, posted on: 2010-04-13
thx a lot, Platinum. I think that I'd like to use another software to prevent msn-filetransfer rather than human rules...  ^_^

mirxx, reply #3, posted on: 2010-04-13


QUOTE: Originally posted by alexann on 2007-8-27 19:26
thx a lot, Platinum. I think that I'd like to use another software to prevent msn-filetransfer rather than human rules...  ^_^

Yes, rather than human rules!

korey, reply #4, posted on: 2010-04-13
Ugh, it's all in English, I can't understand it, haha!!

Reply #5, posted on: 2010-04-13
human rule is the easiest method to resolve this problem