
Need L7-Filter Help

Posted: Sat Sep 07, 2013 6:12 pm
by RaymondMeg
Hi, guys:

In China, we have an IM software named "QQ". The login protocol is private, but a well-known detail is:

A/ UDP QQ Login protocol:

0x02 (first byte, fixed) - 2 bytes (Application Version) - 2 bytes (command sent to server) - 2 bytes (Sequence) - 4 bytes (QQ number: big-endian, for example QQ number 342704420 is 146D4124)

B/ TCP QQ Login Protocol: adds a 2-byte packet length to the UDP protocol, such as:

2 bytes (packet length) - 0x02 (fixed) - 2 bytes (Application Version) - 2 bytes (command sent to server) - 2 bytes (Sequence) - 4 bytes (QQ number: big-endian, for example QQ number 342704420 is 146D4124)

I want to permit a special QQ number and forbid the others. So I wrote 2 Layer 7 rules:
name: QQ342704420 regex : ^(\x02|.?.?\x02).?.?.?.?.?.?\x14\x6d\x41\$..+\x03$
name: QQTCPUDP regex : ^(\x02|.?.?\x02).?..?..?..?..?..?..?.?.?.?.?.?.?.?.+\x03$

I also have 2 filter rules in the forward chain:

index 2 filter rule: permit QQ342704420: if l7-protocol is QQ342704420 then accept.
index 3 filter rule: forbid other QQ: if l7-protocol is QQTCPUDP then drop.

But "index 3 filter rule: forbid other QQ" always matched.

Is there anything wrong with my L7 rule?

Raymond
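
The header layout described in the post above, written out as a parser (an added example, not part of the original post and not RouterOS configuration). The version, command and sequence values are constructed, and the TCP length value counting its own 2 bytes is an assumption, since the post does not say what the length field covers.

```python
import struct

# Layout from the post: 0x02, version (2), command (2), sequence (2),
# QQ number (4, big-endian). ">" means big-endian with no padding: 11 bytes.
HEADER = struct.Struct(">BHHHI")


def build_header(version, command, sequence, qq, tcp=False):
    """Build a constructed test header; the TCP form adds a 2-byte length prefix."""
    body = HEADER.pack(0x02, version, command, sequence, qq)
    if tcp:
        # Assumption: the length counts the prefix itself. The parser ignores it.
        body = struct.pack(">H", len(body) + 2) + body
    return body


def parse_qq_number(payload, tcp=False):
    """Return the QQ number, or None if the payload does not fit the layout."""
    offset = 2 if tcp else 0
    if len(payload) < offset + HEADER.size:
        return None
    marker, _version, _command, _sequence, qq = HEADER.unpack_from(payload, offset)
    return qq if marker == 0x02 else None


def decide(payload, allowed, tcp=False):
    """Mirror the intended policy: accept listed numbers, drop other QQ logins."""
    qq = parse_qq_number(payload, tcp)
    if qq is None:
        return "not-qq"
    return "accept" if qq in allowed else "drop"


if __name__ == "__main__":
    allowed = {342704420}
    # Constructed sample packets (field values other than the QQ number are made up).
    udp = build_header(0x1234, 0x0022, 0x0001, 342704420)
    tcp = build_header(0x1234, 0x0022, 0x0001, 10001, tcp=True)
    print(udp.hex(), decide(udp, allowed))
    print(tcp.hex(), decide(tcp, allowed, tcp=True))
```

Reading the number at a fixed offset keeps the allow decision independent of the other header fields, which vary between clients and packets.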

Re: Need L7-Filter Help

Posted: Mon Sep 09, 2013 5:46 am
by prince90s
Try it like this:
1. First take the other QQ offline, then log in again.
2. Disable the first rule.

Re: Need L7-Filter Help

Posted: Mon Sep 09, 2013 7:11 am
by RaymondMeg
Try it like this:
1. First take the other QQ offline, then log in again.
2. Disable the first rule.
Yes, it will work, and it will take all QQ clients offline.

But I want to permit a special QQ number, then forbid the others.