Long time since I posted - this place is busy these days.
I’ve put my BOFH hat on and would like a way of surgically restricting content such as Flash videos and other bandwidth/productivity sinks. Since I’m coming from a pre-3.0 era I’m not up with the new L7 filtering and its associated regexes and ‘best practices’.
I’ve read many posts about it here as well as the wiki and the external L7 related sites and I can’t seem to perfect what appears to be a simple match on an HTTP ‘GET’ request.
Here’s what I got that doesn’t work:
get[ -~]*/get_video[\x09-\x0d -~]*
That’s just a start - I’m trying to test matching against the start of a get, then I’ll go on and match the ‘host: *’ fields etc to get an accurate match.
The packet I’m trying to capture is represented as follows (wireshark):
GET /get_video?video_id=RoHhez7NMCc&t=OEgsToPDskLJdeEu91fZ2Zn9DViGOPLq HTTP/1.1
Host: www.youtube.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9b5) Gecko/2008041514 Firefox/3.0b5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Thanks.
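
An offline harness for checking the posted pattern against the captured request, added here as an example and not part of the original post. It assumes Python's `re` as a stand-in for the router's L7 matcher, whose regex dialect and case handling may differ, so each pattern is run under three case-handling assumptions; `WITH_HOST` and `OTHER_HOST` are hypothetical additions.

```python
import re

# Constructed sample: the request from the post, rebuilt as wire bytes (CRLF endings).
REQUEST = (
    b"GET /get_video?video_id=RoHhez7NMCc&t=OEgsToPDskLJdeEu91fZ2Zn9DViGOPLq HTTP/1.1\r\n"
    b"Host: www.youtube.com\r\n"
    b"Accept-Encoding: gzip,deflate\r\n"
    b"Connection: keep-alive\r\n\r\n"
)
# Constructed sample: same path on an unrelated host, to check over-matching.
OTHER_HOST = b"GET /get_video?x=1 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

# Pattern exactly as posted.
POSTED = rb"get[ -~]*/get_video[\x09-\x0d -~]*"
# Hypothetical follow-up pattern (not from the post): also require the Host header.
WITH_HOST = rb"get /get_video[\x09-\x0d -~]*host: [ -~]*youtube\.com"


def matches(pattern, payload, ignore_case=False, lowercase_payload=False):
    """Search payload for pattern under one case-handling assumption."""
    data = payload.lower() if lowercase_payload else payload
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, data, flags) is not None


def report(pattern, payload):
    """Run the pattern under the three ways a matcher might treat case."""
    return {
        "as_is": matches(pattern, payload),
        "ignore_case": matches(pattern, payload, ignore_case=True),
        "lowercased_payload": matches(pattern, payload, lowercase_payload=True),
    }


if __name__ == "__main__":
    for name, pat in (("POSTED", POSTED), ("WITH_HOST", WITH_HOST)):
        for label, req in (("youtube", REQUEST), ("other host", OTHER_HOST)):
            print(name, label, report(pat, req))
```

Under this stand-in engine the posted pattern matches the capture only when case is ignored or the payload is lowercased first, and it also matches the same path on any other host until the Host header is added to the pattern.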