Hi all on this list.

I am trying to install pmacct + protocol classification feature and want to ask 
some questions about it.

pmacct + pmacct_v5 base + set of .pat files from l7filter site. See results:

successfully detect ftp,nntp,subversion,jabber,ssh,dns,pop3,smtp
detect connection to jabber-icq gate as rtp
detect ntp as edonkey
don't detect http and http-ssl at all
don't detect irc (tested on irc.freenode.org + irssi), whois (whois.ripn.net + 
console whois)

False detections rtp/edonkey are a little inconvenience, but not to 
detect http at all is a big disappointment!

I tried some variants of regexp:

simple:
HTTP/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]

default:
http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019]

second default:
http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]|post [\x09-\x0d -~]* http/[01]\.[019]

I dump one session:

query (minus binary part)
GET / HTTP/1.1
Host: whois.kraft-s.ru
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5pre) 
Gecko/2008120802 Firefox/3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

response (minus binary part)
HTTP/1.0 200 OK
Date: Thu, 12 Nov 2009 10:55:51 GMT
Server: Apache/1.3.26 (Unix) mod_perl/1.27 PHP/4.2.3
Content-Type: text/html; charset=ISO-8859-1
X-Cache: MISS from router.local
X-Cache-Lookup: MISS from router.local:3128
Via: 1.0 router.local (squid/3.0.STABLE19)
Proxy-Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

 - not detected.

Anybody here with http classification working? ;) 


-- 
Mike 

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
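
The three patterns quoted in the post can be checked offline against the dumped session. This is an added example, not part of the original message and not pmacct code: it uses Python's `re` module rather than pmacct's regex engine, and it assumes CRLF line endings in payloads rebuilt (and shortened) from the dump.

```python
import re

# Patterns exactly as quoted in the post (mail-wrapped lines rejoined).
PATTERNS = {
    "simple": r"HTTP/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]",
    "default": r"http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*"
               r"(connection:|content-type:|content-length:|date:)"
               r"|post [\x09-\x0d -~]* http/[01]\.[019]",
    "second default": r"http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]"
                      r"|post [\x09-\x0d -~]* http/[01]\.[019]",
}

# Payloads rebuilt from the dumped session; CRLF line endings are assumed
# and some headers are omitted for brevity.
REQUEST = ("GET / HTTP/1.1\r\n"
           "Host: whois.kraft-s.ru\r\n"
           "Accept-Encoding: gzip,deflate\r\n"
           "Connection: keep-alive\r\n\r\n")
RESPONSE = ("HTTP/1.0 200 OK\r\n"
            "Date: Thu, 12 Nov 2009 10:55:51 GMT\r\n"
            "Server: Apache/1.3.26 (Unix) mod_perl/1.27 PHP/4.2.3\r\n"
            "Content-Type: text/html; charset=ISO-8859-1\r\n\r\n")


def check(pattern, payload, fold_case):
    """Return True if the pattern matches anywhere in the payload."""
    flags = re.IGNORECASE if fold_case else 0
    return re.search(pattern, payload, flags) is not None


def matrix():
    """Map (pattern name, direction, fold_case) -> bool for every combination."""
    out = {}
    for name, pat in PATTERNS.items():
        for direction, payload in (("request", REQUEST), ("response", RESPONSE)):
            for fold in (False, True):
                out[(name, direction, fold)] = check(pat, payload, fold)
    return out


if __name__ == "__main__":
    for (name, direction, fold), hit in matrix().items():
        mode = "case-insensitive" if fold else "case-sensitive"
        print(f"{name:15} {direction:9} {mode:17} {'match' if hit else 'no match'}")
```

With these inputs none of the three patterns matches the GET request in either mode, and the two lowercase patterns match the response only when case is folded.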
