/etc/l7-protocols/protocols/xunlei.pat is in l7-protocols 20090528-4.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
# Xunlei - Chinese P2P filesharing - http://xunlei.com
# Pattern attributes: good slow notsofast
# Protocol groups: p2p
# Wiki: http://www.protocolinfo.org/wiki/Xunlei
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
#
# This has been tested by a number of people.
#
# Written by wsgtrsys of www.routerclub.com. Improved by VeNoMouS.
# Improved more by wsgtrsys and platinum of bbs.chinaunix.net.
#
# Further additions of HTTP-like content by liangjunATdcuxD.Tcom, who
# says: "I find old pattern is not working. So I write a new pattern of
# xunlei, it's working with all of xunlei 5 version!" Matthew Strait notes
# in response:
#
# I've looked around and I'm fairly sure that Internet Explorer 5.0
# never identifies itself as "Mozilla/4.0 (compatible; MSIE 5.00;
# Windows 98)" and that Internet Explorer 6.0 never identifies itself as
# either "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; )" or
# "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)".
# The keep-alive part needs some examination too. These might validly
# occur in an HTTP/1.0 connection, although I think in practical cases
# they don't since there's generally only one \x0d\x0a after it and/or the
# next line starts with a letter (especially because it's the client
# sending it). It wouldn't be crazy, though, if another protocol
# (besides Xunlei) used keep-alive in a way that did match this. But
# since I can't think of any examples, I'll assume it's ok for now.
xunlei
^([()]|get)(...?.?.?(reg|get|query)|.+User-Agent: (Mozilla/4\.0 \(compatible; (MSIE 6\.0; Windows NT 5\.1;? ?\)|MSIE 5\.00; Windows 98\))))|Keep-Alive\x0d\x0a\x0d\x0a[26]
# This was the pattern until 2008 11 08. It is safer than the above against
# overmatching ordinary HTTP connections
#^[()]...?.?.?(reg|get|query)
# More detail:
# From http://sourceforge.net/tracker/index.php?func=detail&aid=1885209&group_id=80085&atid=558668
#
##############################################################################
# Date: 2008-02-03
# Sender: hydr0g3n
#
# Xunlei (Chinese P2P) traffic is not matched anymore by layer7 xunlei
# pattern. It used to work in the past but not anymore. Maybe Xunlei was
# updated and pattern should be adapted?
#
# Apparently ipp2p was edited by Chinese people to detect pplive and xunlei.
# It is interesting and very recent:
# http://www.chinaunix.net/jh/4/914377.html
##############################################################################
# Date: 2008-02-03
# Sender: quadong
#
# Ok. Only some of the ipp2p function can be translated into an l7-filter
# regular expression. The first part of search_xunlei can't be, since it
# works by checking whether the length of the packet matches a byte in the
# packet. The second part of search_xunlei becomes:
#
# \x20.?\x01?.?[\x01\x77]............?.?.?.?\x38
#
# Or possibly:
#
# ^\x20.?\x01?.?[\x01\x77]............?.?.?.?\x38
#
# I'm not sure whether IPP2P looks at every packet or only the first of each
# connection.
#
# udp_search_xunlei says:
# \x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff
#
# Again, putting a ^ at the beginning might work:
#
# ^(\x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff)
#
# So this *might* work:
#
# ^(\x20.?\x01?.?[\x01\x77]............?.?.?.?\x38|\x01\x01\x01\xfe\xff\xfe\xff|\x01\x11\xa0\xfe\xff\xfe\xff)
#
# but the ^ might be wrong and it will not match the HTTP part of Xunlei.
##############################################################################
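An added Python harness, not part of the l7-protocols package, that compiles the current `xunlei` pattern and the pre-2008-11-08 one kept in the file's comments the way l7-filter is assumed to (case-insensitive extended regex, '.' matching newline bytes, only the first 2048 bytes of a connection inspected) and runs both over constructed payloads. It shows the over-matching the file's comments discuss: the current pattern also fires on an ordinary browser request carrying the MSIE 6.0 User-Agent and on an HTTP/1.0 Keep-Alive exchange whose body starts with '2'.

```python
import re

# The current "xunlei" pattern, copied from the file listing above.
XUNLEI_CURRENT = (
    rb"^([()]|get)(...?.?.?(reg|get|query)|.+User-Agent: (Mozilla/4\.0 "
    rb"\(compatible; (MSIE 6\.0; Windows NT 5\.1;? ?\)|MSIE 5\.00; Windows 98\))))"
    rb"|Keep-Alive\x0d\x0a\x0d\x0a[26]"
)
# The pattern in use until 2008-11-08, kept commented out in the file.
XUNLEI_OLD = rb"^[()]...?.?.?(reg|get|query)"

# Assumption: l7-filter compiles patterns as POSIX extended regexes with REG_ICASE
# and without REG_NEWLINE (case-insensitive, '.' matches newline bytes).
FLAGS = re.IGNORECASE | re.DOTALL
# Assumption: only the first 2048 bytes of a connection are inspected.
MAX_DATA_LEN = 2048

# Constructed sample streams, not real captures.
SAMPLES = {
    # Xunlei-style opener: '(' then three bytes, then "reg".
    "xunlei_like": b"(\x01\x02\x03reg\x10\x20binary-payload",
    # Ordinary browser request carrying the MSIE 6.0 User-Agent string.
    "http_msie6": (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
                   b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                   b"\r\n\r\n"),
    # Ordinary browser request with an unrelated User-Agent string.
    "http_firefox": (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
                     b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/3.0\r\n"
                     b"Connection: close\r\n\r\n"),
    # HTTP/1.0 POST whose body happens to start with '2' right after the
    # Keep-Alive header: the case the file's comments flag as possibly valid.
    "http10_keepalive": (b"POST /upload HTTP/1.0\r\nConnection: Keep-Alive\r\n\r\n"
                         b"2 bytes of body"),
}


def matches(pattern: bytes, stream: bytes) -> bool:
    """True if the l7 pattern fires on the start of this connection's data."""
    return re.search(pattern, stream[:MAX_DATA_LEN], FLAGS) is not None


def classify_all() -> dict:
    """Run both patterns over every sample; values are (current, old) verdicts."""
    return {name: (matches(XUNLEI_CURRENT, data), matches(XUNLEI_OLD, data))
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (current, old) in classify_all().items():
        print(f"{name:18s} current={current!s:5s} old={old!s}")
```

The Firefox request matches neither pattern, the MSIE 6.0 request and the Keep-Alive POST match only the current one, and only the Xunlei-style stream matches both.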