/ip firewall layer7-protocol
add name=Tencent_QQ regexp="^.\?.\?[\\x02|\\x05]\\x22\\x27.+|^.\?.\?[\\x02|\\x\
05]\\x22\\x27.+[\\x03|\\x09]\$|^.\?.\?\\x02.+\\x03\$|^/xFE/x42../x42/x02/x\
0B/x7D/x98/x38/xE4.+"
add name=Tencent_QQGame regexp="^.\?.\?\\x2D.+[\\x25\\x62\\x0E\\xC1\\x5F\\x6C|\
\\xFF\\xFF\\x20\\xCF\\x42\\x53|\\xFF\\xFF\\x10\\x17\\x87\\xA3|\\x3E\\x7F\\\
x20\\xCF\\x42\\x53|\\x1F\\x43\\x10\\x17\\x87\\xA3]|^\\x05\\x22.+\\x03\$"
add name=PPStream regexp="^.\?.\?\\c.+\\c"
add name=QQMusic regexp=\
"(^\\xFE.\?.\?.\?.\?\\xCF|^get.+\\qqmusic.\?\\qq.+\\qqmusic)"
add name=QQLive regexp="(^get.+\\video.\?\\qq.+\\flv|^\\xFE.\?.\?.\?.\?\\xD3|^\
get.+\\video.\?\\qq.+\\mp4)"
add name=KuGou regexp=\
"(^post.+\\x0D\\x0A\\x0D\\x0A|^http.+\\x0D\\x0A\\x0D\\x0A|^e)"
add name=HTTP regexp="http/(0\\.9|1\\.0|1\\.1) [1-5][0-9][0-9] [\t-\r -~]*(con\
nection:|content-type:|content-length:|date:)|post [\t-\r -~]* http/[01]\\\
.[019]"
add name=HTTP-IMG regexp="\\.jpg|\\.png|\\.gif|\\.bmp|\\.jpeg"
add name=HTTP-WEB regexp=\
"\\.jsp|\\.shtml|\\.html|\\.htm|\\.php|\\.asp|\\.aspx|\\.cgi"
add name=NetTV regexp=\
"^.*get.+(\\.flv|\\.f4v|\\.hlv|\\.rm|\\.swf|\\.wma|\\.mp4|\\.mp3).*\$"
add name=HTTP-File-Download regexp="^.*get.+(\\.iso|\\.exe|\\.zip|\\.rar|\\.7z\
|\\.gho|\\.pdf|\\.avi|\\.mkv|\\.wmv|\\.wav|\\.flac|\\.ape|\\.msi).*\$"
add name=QQSP regexp="(^\\x03.\?\\xE1\\x8D|^\\x02\\x02|^\\x04\\x1E)"
add name=DNS regexp="^.\?.\?.\?.\?[\\x01\\x02].\?.\?.\?.\?.\?.\?[\\x01-\?][a-z\
0-9][\\x01-\?a-z]*[\\x02-\\x06][a-z][a-z][fglmoprstuvz]\?[aeop]\?(um)\?[\\\
x01-\\x10\\x1c][\\x01\\x03\\x04\\xFF]"
add name=HTTP-JPG regexp="^.*(post|POST|get|GET).+\\.jpg.+\\http"
add name=P2P-DNS regexp="^.+(torrent|thepiratebay|isohunt|entertane|demonoid|b\
tjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meg anova|ful\
ldls|btbot|fenopy|gpirate|commonbits).*\$"
add name=HTTPS regexp=\
"^(.\?.\?\\x16\\x03.*\\x16\\x03|.\?.\?\\x01\\x03\\x01\?.*\\x0b)"
add name=Telnet regexp=\
"^\\xff[\\xfb-\\xfe].\\xff[\\xfb-\\xfe].\\xff[\\xfb-\\xfe]"
add name=SSH regexp="^ssh-[12]\\.[0-9]"
add name=STun regexp="^[\\x01\\x02]................\?\$"
add name=TFTP regexp="^(\\x01|\\x02)[ -~]*(netascii|octet|mail)"
add name=TOR regexp=TOR1.*<identity>
add name=Whois regexp="^[ !-~]+\\x0d\\x0a\$"
add name=XunLei regexp="^([()]|get)(...\?.\?.\?(reg|get|query)|.+User-Agent: (\
Mozilla/4\\.0 \\(compatible; (MSIE 6\\.0; Windows NT 5\\.1;\? \?\\)|MSIE 5\
\\.00; Windows 98\\))))|Keep-Alive\\x0d\\x0a\\x0d\\x0a[26]\r\
\n"
add name=TSP regexp=\
"^[\\x01-\\x13\\x16-\$]\\x01.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?[ -~]+"
add name=VNC regexp="^rfb 00[1-9]\\.00[0-9]\\x0a\$"
add name=Socks regexp="\\x05[\\x01-\\x08]*\\x05[\\x01-\\x08]\?.*\\x05[\\x01-\\\
x03][\\x01\\x03].*\\x05[\\x01-\\x08]\?[\\x01\\x03]"
add name=SNMP regexp="^\\x02\\x01\\x04.+([\\xa0-\\xa3]\\x02[\\x01-\\x04].\?.\?\
.\?.\?\\x02\\x01.\?\\x02\\x01.\?\\x30|\\xa4\\x06.+\\x40\\x04.\?.\?.\?.\?\\\
x02\\x01.\?\\x02\\x01.\?\\x43)"
add name=SMTP regexp="^220[\\x09-\\x0d -~]* (e\?smtp|simple mail)\r\
\nuserspace pattern=^220[\\x09-\\x0d -~]* (E\?SMTP|[Ss]imple [Mm]ail)\r\
\nuserspace flags=REG_NOSUB REG_EXTENDED"
add name=SSDP regexp="^notify[\\x09-\\x0d ]\\*[\\x09-\\x0d ]http/1\\.1[\\x09-\
\\x0d -~]*ssdp:(alive|byebye)|^m-search[\\x09-\\x0d ]\\*[\\x09-\\x0d ]http\
/1\\.1[\\x09-\\x0d -~]*ssdp:discover\r\
\n"
add name=SMB regexp="\\xffsmb[\\x72\\x25]"
add name=SIP regexp="^(invite|register|cancel|message|subscribe|notify) sip[\\\
x09-\\x0d -~]*sip/[0-2]\\.[0-9]"
add comment="Skype to phone - UDP voice call (program to POTS phone)" name=\
SkypeOutPhone regexp="^(\\x01.\?.\?.\?.\?.\?.\?.\?.\?\\x01|\\x02.\?.\?.\?.\
\?.\?.\?.\?.\?\\x02|\\x03.\?.\?.\?.\?.\?.\?.\?.\?\\x03|\\x04.\?.\?.\?.\?.\
\?.\?.\?.\?\\x04|\\x05.\?.\?.\?.\?.\?.\?.\?.\?\\x05|\\x06.\?.\?.\?.\?.\?.\
\?.\?.\?\\x06|\\x07.\?.\?.\?.\?.\?.\?.\?.\?\\x07|\\x08.\?.\?.\?.\?.\?.\?.\
\?.\?\\x08|\\x09.\?.\?.\?.\?.\?.\?.\?.\?\\x09|\\x0a.\?.\?.\?.\?.\?.\?.\?.\
\?\\x0a|\\x0b.\?.\?.\?.\?.\?.\?.\?.\?\\x0b|\\x0c.\?.\?.\?.\?.\?.\?.\?.\?\\\
x0c|\\x0d.\?.\?.\?.\?.\?.\?.\?.\?\\x0d|\\x0e.\?.\?.\?.\?.\?.\?.\?.\?\\x0e|\
\\x0f.\?.\?.\?.\?.\?.\?.\?.\?\\x0f|\\x10.\?.\?.\?.\?.\?.\?.\?.\?\\x10|\\x1\
1.\?.\?.\?.\?.\?.\?.\?.\?\\x11|\\x12.\?.\?.\?.\?.\?.\?.\?.\?\\x12|\\x13.\?\
.\?.\?.\?.\?.\?.\?.\?\\x13|\\x14.\?.\?.\?.\?.\?.\?.\?.\?\\x14|\\x15.\?.\?.\
\?.\?.\?.\?.\?.\?\\x15|\\x16.\?.\?.\?.\?.\?.\?.\?.\?\\x16|\\x17.\?.\?.\?.\
\?.\?.\?.\?.\?\\x17|\\x18.\?.\?.\?.\?.\?.\?.\?.\?\\x18|\\x19.\?.\?.\?.\?.\
\?.\?.\?.\?\\x19|\\x1a.\?.\?.\?.\?.\?.\?.\?.\?\\x1a|\\x1b.\?.\?.\?.\?.\?.\
\?.\?.\?\\x1b|\\x1c.\?.\?.\?.\?.\?.\?.\?.\?\\x1c|\\x1d.\?.\?.\?.\?.\?.\?.\
\?.\?\\x1d|\\x1e.\?.\?.\?.\?.\?.\?.\?.\?\\x1e|\\x1f.\?.\?.\?.\?.\?.\?.\?.\
\?\\x1f|\\x20.\?.\?.\?.\?.\?.\?.\?.\?\\x20|\\x21.\?.\?.\?.\?.\?.\?.\?.\?\\\
x21|\\x22.\?.\?.\?.\?.\?.\?.\?.\?\\x22|\\x23.\?.\?.\?.\?.\?.\?.\?.\?\\x23|\
\\\$.\?.\?.\?.\?.\?.\?.\?.\?\\\$|\\x25.\?.\?.\?.\?.\?.\?.\?.\?\\x25|\\x26.\
\?.\?.\?.\?.\?.\?.\?.\?\\x26|\\x27.\?.\?.\?.\?.\?.\?.\?.\?\\x27|\\(.\?.\?.\
\?.\?.\?.\?.\?.\?\\(|\\).\?.\?.\?.\?.\?.\?.\?.\?\\)|\\*.\?.\?.\?.\?.\?.\?.\
\?.\?\\*|\\+.\?.\?.\?.\?.\?.\?.\?.\?\\+|\\x2c.\?.\?.\?.\?.\?.\?.\?.\?\\x2c\
|\\x2d.\?.\?.\?.\?.\?.\?.\?.\?\\x2d|\\..\?.\?.\?.\?.\?.\?.\?.\?\\.|\\x2f.\
\?.\?.\?.\?.\?.\?.\?.\?\\x2f|\\x30.\?.\?.\?.\?.\?.\?.\?.\?\\x30|\\x31.\?.\
\?.\?.\?.\?.\?.\?.\?\\x31|\\x32.\?.\?.\?.\?.\?.\?.\?.\?\\x32|\\x33.\?.\?.\
\?.\?.\?.\?.\?.\?\\x33|\\x34.\?.\?.\?.\?.\?.\?.\?.\?\\x34|\\x35.\?.\?.\?.\
\?.\?.\?.\?.\?\\x35|\\x36.\?.\?.\?.\?.\?.\?.\?.\?\\x36|\\x37.\?.\?.\?.\?.\
\?.\?.\?.\?\\x37|\\x38.\?.\?.\?.\?.\?.\?.\?.\?\\x38|\\x39.\?.\?.\?.\?.\?.\
\?.\?.\?\\x39|\\x3a.\?.\?.\?.\?.\?.\?.\?.\?\\x3a|\\x3b.\?.\?.\?.\?.\?.\?.\
\?.\?\\x3b|\\x3c.\?.\?.\?.\?.\?.\?.\?.\?\\x3c|\\x3d.\?.\?.\?.\?.\?.\?.\?.\
\?\\x3d|\\x3e.\?.\?.\?.\?.\?.\?.\?.\?\\x3e|\\\?.\?.\?.\?.\?.\?.\?.\?.\?\\\
\?|\\x40.\?.\?.\?.\?.\?.\?.\?.\?\\x40|\\x41.\?.\?.\?.\?.\?.\?.\?.\?\\x41|\
\\x42.\?.\?.\?.\?.\?.\?.\?.\?\\x42|\\x43.\?.\?.\?.\?.\?.\?.\?.\?\\x43|\\x4\
4.\?.\?.\?.\?.\?.\?.\?.\?\\x44|\\x45.\?.\?.\?.\?.\?.\?.\?.\?\\x45|\\x46.\?\
.\?.\?.\?.\?.\?.\?.\?\\x46|\\x47.\?.\?.\?.\?.\?.\?.\?.\?\\x47|\\x48.\?.\?.\
\?.\?.\?.\?.\?.\?\\x48|\\x49.\?.\?.\?.\?.\?.\?.\?.\?\\x49|\\x4a.\?.\?.\?.\
\?.\?.\?.\?.\?\\x4a|\\x4b.\?.\?.\?.\?.\?.\?.\?.\?\\x4b|\\x4c.\?.\?.\?.\?.\
\?.\?.\?.\?\\x4c|\\x4d.\?.\?.\?.\?.\?.\?.\?.\?\\x4d|\\x4e.\?.\?.\?.\?.\?.\
\?.\?.\?\\x4e|\\x4f.\?.\?.\?.\?.\?.\?.\?.\?\\x4f|\\x50.\?.\?.\?.\?.\?.\?.\
\?.\?\\x50|\\x51.\?.\?.\?.\?.\?.\?.\?.\?\\x51|\\x52.\?.\?.\?.\?.\?.\?.\?.\
\?\\x52|\\x53.\?.\?.\?.\?.\?.\?.\?.\?\\x53|\\x54.\?.\?.\?.\?.\?.\?.\?.\?\\\
x54|\\x55.\?.\?.\?.\?.\?.\?.\?.\?\\x55|\\x56.\?.\?.\?.\?.\?.\?.\?.\?\\x56|\
\\x57.\?.\?.\?.\?.\?.\?.\?.\?\\x57|\\x58.\?.\?.\?.\?.\?.\?.\?.\?\\x58|\\x5\
9.\?.\?.\?.\?.\?.\?.\?.\?\\x59|\\x5a.\?.\?.\?.\?.\?.\?.\?.\?\\x5a|\\[.\?.\
\?.\?.\?.\?.\?.\?.\?\\[|\\\\.\?.\?.\?.\?.\?.\?.\?.\?\\\\|\\].\?.\?.\?.\?.\
\?.\?.\?.\?\\]|\\^.\?.\?.\?.\?.\?.\?.\?.\?\\^|\\x5f.\?.\?.\?.\?.\?.\?.\?.\
\?\\x5f|\\x60.\?.\?.\?.\?.\?.\?.\?.\?\\x60|\\x61.\?.\?.\?.\?.\?.\?.\?.\?\\\
x61|\\x62.\?.\?.\?.\?.\?.\?.\?.\?\\x62|\\x63.\?.\?.\?.\?.\?.\?.\?.\?\\x63|\
\\x64.\?.\?.\?.\?.\?.\?.\?.\?\\x64|\\x65.\?.\?.\?.\?.\?.\?.\?.\?\\x65|\\x6\
6.\?.\?.\?.\?.\?.\?.\?.\?\\x66|\\x67.\?.\?.\?.\?.\?.\?.\?.\?\\x67|\\x68.\?\
.\?.\?.\?.\?.\?.\?.\?\\x68|\\x69.\?.\?.\?.\?.\?.\?.\?.\?\\x69|\\x6a.\?.\?.\
\?.\?.\?.\?.\?.\?\\x6a|\\x6b.\?.\?.\?.\?.\?.\?.\?.\?\\x6b|\\x6c.\?.\?.\?.\
\?.\?.\?.\?.\?\\x6c|\\x6d.\?.\?.\?.\?.\?.\?.\?.\?\\x6d|\\x6e.\?.\?.\?.\?.\
\?.\?.\?.\?\\x6e|\\x6f.\?.\?.\?.\?.\?.\?.\?.\?\\x6f|\\x70.\?.\?.\?.\?.\?.\
\?.\?.\?\\x70|\\x71.\?.\?.\?.\?.\?.\?.\?.\?\\x71|\\x72.\?.\?.\?.\?.\?.\?.\
\?.\?\\x72|\\x73.\?.\?.\?.\?.\?.\?.\?.\?\\x73|\\x74.\?.\?.\?.\?.\?.\?.\?.\
\?\\x74|\\x75.\?.\?.\?.\?.\?.\?.\?.\?\\x75|\\x76.\?.\?.\?.\?.\?.\?.\?.\?\\\
x76|\\x77.\?.\?.\?.\?.\?.\?.\?.\?\\x77|\\x78.\?.\?.\?.\?.\?.\?.\?.\?\\x78|\
\\x79.\?.\?.\?.\?.\?.\?.\?.\?\\x79|\\x7a.\?.\?.\?.\?.\?.\?.\?.\?\\x7a|\\{.\
\?.\?.\?.\?.\?.\?.\?.\?\\{|\\|.\?.\?.\?.\?.\?.\?.\?.\?\\||\\}.\?.\?.\?.\?.\
\?.\?.\?.\?\\}|\\x7e.\?.\?.\?.\?.\?.\?.\?.\?\\x7e|\\x7f.\?.\?.\?.\?.\?.\?.\
\?.\?\\x7f|\\x80.\?.\?.\?.\?.\?.\?.\?.\?\\x80|\\x81.\?.\?.\?.\?.\?.\?.\?.\
\?\\x81|\\x82.\?.\?.\?.\?.\?.\?.\?.\?\\x82|\\x83.\?.\?.\?.\?.\?.\?.\?.\?\\\
x83|\\x84.\?.\?.\?.\?.\?.\?.\?.\?\\x84|\\x85.\?.\?.\?.\?.\?.\?.\?.\?\\x85|\
\\x86.\?.\?.\?.\?.\?.\?.\?.\?\\x86|\\x87.\?.\?.\?.\?.\?.\?.\?.\?\\x87|\\x8\
8.\?.\?.\?.\?.\?.\?.\?.\?\\x88|\\x89.\?.\?.\?.\?.\?.\?.\?.\?\\x89|\\x8a.\?\
.\?.\?.\?.\?.\?.\?.\?\\x8a|\\x8b.\?.\?.\?.\?.\?.\?.\?.\?\\x8b|\\x8c.\?.\?.\
\?.\?.\?.\?.\?.\?\\x8c|\\x8d.\?.\?.\?.\?.\?.\?.\?.\?\\x8d|\\x8e.\?.\?.\?.\
\?.\?.\?.\?.\?\\x8e|\\x8f.\?.\?.\?.\?.\?.\?.\?.\?\\x8f|\\x90.\?.\?.\?.\?.\
\?.\?.\?.\?\\x90|\\x91.\?.\?.\?.\?.\?.\?.\?.\?\\x91|\\x92.\?.\?.\?.\?.\?.\
\?.\?.\?\\x92|\\x93.\?.\?.\?.\?.\?.\?.\?.\?\\x93|\\x94.\?.\?.\?.\?.\?.\?.\
\?.\?\\x94|\\x95.\?.\?.\?.\?.\?.\?.\?.\?\\x95|\\x96.\?.\?.\?.\?.\?.\?.\?.\
\?\\x96|\\x97.\?.\?.\?.\?.\?.\?.\?.\?\\x97|\\x98.\?.\?.\?.\?.\?.\?.\?.\?\\\
x98|\\x99.\?.\?.\?.\?.\?.\?.\?.\?\\x99|\\x9a.\?.\?.\?.\?.\?.\?.\?.\?\\x9a|\
\\x9b.\?.\?.\?.\?.\?.\?.\?.\?\\x9b|\\x9c.\?.\?.\?.\?.\?.\?.\?.\?\\x9c|\\x9\
d.\?.\?.\?.\?.\?.\?.\?.\?\\x9d|\\x9e.\?.\?.\?.\?.\?.\?.\?.\?\\x9e|\\x9f.\?\
.\?.\?.\?.\?.\?.\?.\?\\x9f|\\xa0.\?.\?.\?.\?.\?.\?.\?.\?\\xa0|\\xa1.\?.\?.\
\?.\?.\?.\?.\?.\?\\xa1|\\xa2.\?.\?.\?.\?.\?.\?.\?.\?\\xa2|\\xa3.\?.\?.\?.\
\?.\?.\?.\?.\?\\xa3|\\xa4.\?.\?.\?.\?.\?.\?.\?.\?\\xa4|\\xa5.\?.\?.\?.\?.\
\?.\?.\?.\?\\xa5|\\xa6.\?.\?.\?.\?.\?.\?.\?.\?\\xa6|\\xa7.\?.\?.\?.\?.\?.\
\?.\?.\?\\xa7|\\xa8.\?.\?.\?.\?.\?.\?.\?.\?\\xa8|\\xa9.\?.\?.\?.\?.\?.\?.\
\?.\?\\xa9|\\xaa.\?.\?.\?.\?.\?.\?.\?.\?\\xaa|\\xab.\?.\?.\?.\?.\?.\?.\?.\
\?\\xab|\\xac.\?.\?.\?.\?.\?.\?.\?.\?\\xac|\\xad.\?.\?.\?.\?.\?.\?.\?.\?\\\
xad|\\xae.\?.\?.\?.\?.\?.\?.\?.\?\\xae|\\xaf.\?.\?.\?.\?.\?.\?.\?.\?\\xaf|\
\\xb0.\?.\?.\?.\?.\?.\?.\?.\?\\xb0|\\xb1.\?.\?.\?.\?.\?.\?.\?.\?\\xb1|\\xb\
2.\?.\?.\?.\?.\?.\?.\?.\?\\xb2|\\xb3.\?.\?.\?.\?.\?.\?.\?.\?\\xb3|\\xb4.\?\
.\?.\?.\?.\?.\?.\?.\?\\xb4|\\xb5.\?.\?.\?.\?.\?.\?.\?.\?\\xb5|\\xb6.\?.\?.\
\?.\?.\?.\?.\?.\?\\xb6|\\xb7.\?.\?.\?.\?.\?.\?.\?.\?\\xb7|\\xb8.\?.\?.\?.\
\?.\?.\?.\?.\?\\xb8|\\xb9.\?.\?.\?.\?.\?.\?.\?.\?\\xb9|\\xba.\?.\?.\?.\?.\
\?.\?.\?.\?\\xba|\\xbb.\?.\?.\?.\?.\?.\?.\?.\?\\xbb|\\xbc.\?.\?.\?.\?.\?.\
\?.\?.\?\\xbc|\\xbd.\?.\?.\?.\?.\?.\?.\?.\?\\xbd|\\xbe.\?.\?.\?.\?.\?.\?.\
\?.\?\\xbe|\\xbf.\?.\?.\?.\?.\?.\?.\?.\?\\xbf|\\xc0.\?.\?.\?.\?.\?.\?.\?.\
\?\\xc0|\\xc1.\?.\?.\?.\?.\?.\?.\?.\?\\xc1|\\xc2.\?.\?.\?.\?.\?.\?.\?.\?\\\
xc2|\\xc3.\?.\?.\?.\?.\?.\?.\?.\?\\xc3|\\xc4.\?.\?.\?.\?.\?.\?.\?.\?\\xc4|\
\\xc5.\?.\?.\?.\?.\?.\?.\?.\?\\xc5|\\xc6.\?.\?.\?.\?.\?.\?.\?.\?\\xc6|\\xc\
7.\?.\?.\?.\?.\?.\?.\?.\?\\xc7|\\xc8.\?.\?.\?.\?.\?.\?.\?.\?\\xc8|\\xc9.\?\
.\?.\?.\?.\?.\?.\?.\?\\xc9|\\xca.\?.\?.\?.\?.\?.\?.\?.\?\\xca|\\xcb.\?.\?.\
\?.\?.\?.\?.\?.\?\\xcb|\\xcc.\?.\?.\?.\?.\?.\?.\?.\?\\xcc|\\xcd.\?.\?.\?.\
\?.\?.\?.\?.\?\\xcd|\\xce.\?.\?.\?.\?.\?.\?.\?.\?\\xce|\\xcf.\?.\?.\?.\?.\
\?.\?.\?.\?\\xcf|\\xd0.\?.\?.\?.\?.\?.\?.\?.\?\\xd0|\\xd1.\?.\?.\?.\?.\?.\
\?.\?.\?\\xd1|\\xd2.\?.\?.\?.\?.\?.\?.\?.\?\\xd2|\\xd3.\?.\?.\?.\?.\?.\?.\
\?.\?\\xd3|\\xd4.\?.\?.\?.\?.\?.\?.\?.\?\\xd4|\\xd5.\?.\?.\?.\?.\?.\?.\?.\
\?\\xd5|\\xd6.\?.\?.\?.\?.\?.\?.\?.\?\\xd6|\\xd7.\?.\?.\?.\?.\?.\?.\?.\?\\\
xd7|\\xd8.\?.\?.\?.\?.\?.\?.\?.\?\\xd8|\\xd9.\?.\?.\?.\?.\?.\?.\?.\?\\xd9|\
\\xda.\?.\?.\?.\?.\?.\?.\?.\?\\xda|\\xdb.\?.\?.\?.\?.\?.\?.\?.\?\\xdb|\\xd\
c.\?.\?.\?.\?.\?.\?.\?.\?\\xdc|\\xdd.\?.\?.\?.\?.\?.\?.\?.\?\\xdd|\\xde.\?\
.\?.\?.\?.\?.\?.\?.\?\\xde|\\xdf.\?.\?.\?.\?.\?.\?.\?.\?\\xdf|\\xe0.\?.\?.\
\?.\?.\?.\?.\?.\?\\xe0|\\xe1.\?.\?.\?.\?.\?.\?.\?.\?\\xe1|\\xe2.\?.\?.\?.\
\?.\?.\?.\?.\?\\xe2|\\xe3.\?.\?.\?.\?.\?.\?.\?.\?\\xe3|\\xe4.\?.\?.\?.\?.\
\?.\?.\?.\?\\xe4|\\xe5.\?.\?.\?.\?.\?.\?.\?.\?\\xe5|\\xe6.\?.\?.\?.\?.\?.\
\?.\?.\?\\xe6|\\xe7.\?.\?.\?.\?.\?.\?.\?.\?\\xe7|\\xe8.\?.\?.\?.\?.\?.\?.\
\?.\?\\xe8|\\xe9.\?.\?.\?.\?.\?.\?.\?.\?\\xe9|\\xea.\?.\?.\?.\?.\?.\?.\?.\
\?\\xea|\\xeb.\?.\?.\?.\?.\?.\?.\?.\?\\xeb|\\xec.\?.\?.\?.\?.\?.\?.\?.\?\\\
xec|\\xed.\?.\?.\?.\?.\?.\?.\?.\?\\xed|\\xee.\?.\?.\?.\?.\?.\?.\?.\?\\xee|\
\\xef.\?.\?.\?.\?.\?.\?.\?.\?\\xef|\\xf0.\?.\?.\?.\?.\?.\?.\?.\?\\xf0|\\xf\
1.\?.\?.\?.\?.\?.\?.\?.\?\\xf1|\\xf2.\?.\?.\?.\?.\?.\?.\?.\?\\xf2|\\xf3.\?\
.\?.\?.\?.\?.\?.\?.\?\\xf3|\\xf4.\?.\?.\?.\?.\?.\?.\?.\?\\xf4|\\xf5.\?.\?.\
\?.\?.\?.\?.\?.\?\\xf5|\\xf6.\?.\?.\?.\?.\?.\?.\?.\?\\xf6|\\xf7.\?.\?.\?.\
\?.\?.\?.\?.\?\\xf7|\\xf8.\?.\?.\?.\?.\?.\?.\?.\?\\xf8|\\xf9.\?.\?.\?.\?.\
\?.\?.\?.\?\\xf9|\\xfa.\?.\?.\?.\?.\?.\?.\?.\?\\xfa|\\xfb.\?.\?.\?.\?.\?.\
\?.\?.\?\\xfb|\\xfc.\?.\?.\?.\?.\?.\?.\?.\?\\xfc|\\xfd.\?.\?.\?.\?.\?.\?.\
\?.\?\\xfd|\\xfe.\?.\?.\?.\?.\?.\?.\?.\?\\xfe|\\xff.\?.\?.\?.\?.\?.\?.\?.\
\?\\xff)"
add comment="Skype to Skype - UDP voice call (program to program)" name=\
SkypeToSkype regexp="^..\\x02............."
add comment="Valid certificate SSL" name=ValidCertSSL regexp="^(.\?.\?\\x16\\x\
03.*\\x16\\x03|.\?.\?\\x01\\x03\\x01\?.*\\x0b).*(thawte|equifax secure|rsa\
\_data security, inc|verisign, inc|gte cybertrust root|entrust\\.net limit\
ed)"
add comment="X Windows Version 11 - Networked GUI system used in most Unices" \
name=X11 regexp="^[lb].\?\\x0b\r\
\nuserspace pattern=^[lB].\?\\x0b\r\
\nuserspace flags=REG_NOSUB"
add comment="Yahoo messenger - an instant messenger protocol" name=\
YahooMessager regexp=\
"^(ymsg|ypns|yhoo).\?.\?.\?.\?.\?.\?.\?[lwt].*\\xc0\\x80"
add name=HTTP-Audio regexp="http/(0\\.9|1\\.0|1\\.1)[\\x09-\\x0d ][1-5][0-9][0\
-9][\\x09-\\x0d -~]*(content-type: audio)"
add name=SNMP-Mon regexp="^\\x02\\x01\\x04.+[\\xa0-\\xa3]\\x02[\\x01-\\x04].\?\
.\?.\?.\?\\x02\\x01.\?\\x02\\x01.\?\\x30"
add name=HTTP-iTunes regexp=\
"http/(0\\.9|1\\.0|1\\.1).*(user-agent: itunes)\r\
\n"
add name=HTTP-Video regexp="http/(0\\.9|1\\.0|1\\.1)[\\x09-\\x0d ][1-5][0-9][0\
-9][\\x09-\\x0d -~]*(content-type: video)"
add name=Gtalk regexp="^<stream:stream to=\"gmail\\.com\""
add name="HTTP-Fresh Download" regexp=\
"User-Agent: FreshDownload/[456](\\.[0-9][0-9]\?)\?"
add name="HTTP Download Accelerator Plus" regexp=\
"User-Agent: DA [678]\\.[0-9]"
add name="HTTP Cache Hit" regexp="http/(0\\.9|1\\.0|1\\.1)[\\x09-\\x0d ][1-5][\
0-9][0-9][\\x09-\\x0d -~]*(x-cache: hit)"
add name="HTTP Cache Miss" regexp="http/(0\\.9|1\\.0|1\\.1)[\\x09-\\x0d ][1-5]\
[0-9][0-9][\\x09-\\x0d -~]*(x-cache: miss)"
add name="SNMP Trap" regexp="^\\x02\\x01\\x04.+\\xa4\\x06.+\\x40\\x04.\?.\?.\?\
.\?\\x02\\x01.\?\\x02\\x01.\?\\x43"
add name="Xbox Live" regexp="^\\x58\\x80........\\xf3|^\\x06\\x58\\x4e"
add name=RTSP regexp="rtsp/1.0 200 ok"
add name=RTP regexp=\
"^\\x80[\\x01-\"`-\\x7f\\x80-\\xa2\\xe0-\\xff]\?..........*\\x80"
add name=ShoutCast regexp="^get /.*icy-metadata:1|icy [1-5][0-9][0-9] [\\x09-\
\\x0d -~]*(content-type:audio|icy-)"
add name=RDP regexp=rdpdr.*cliprdr.*rdpsnd
add name="Tencent QQ With Mikrotik" regexp="^.\?.\?\\x02.+\\x03\$"
add name=PPLive regexp="\\x01...\\xd3.+\\x0c.\$"
add name=NCP regexp="^(dmdt.*\\x01.*(\"\"|\\x11\\x11|uu)|tncp.*33)"
add name=NTP regexp="^([\\x13\\x1b\\x23\\xd3\\xdb\\xe3]|[\\x14\\x1c\$].......\
\?.\?.\?.\?.\?.\?.\?.\?.\?[\\xc6-\\xff])"
add name=NetBios regexp="\\x81.\?.\?.[A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][\
A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P]\
[A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P\
][A-P][A-P]"
add name=NNTP regexp=\
"^(20[01][\\x09-\\x0d -~]*AUTHINFO USER|20[01][\\x09-\\x0d -~]*news)"
add comment="P2P File Share" name=NapSter regexp="^(.[\\x02\\x06][!-~]+ [!-~]+\
\_[0-9][0-9]\?[0-9]\?[0-9]\?[0-9]\? \"[\\x09-\\x0d -~]+\" ([0-9]|10)|1(sen\
d|get)[!-~]+ \"[\\x09-\\x0d -~]+\")"
add comment="Open P2P" name=OpenFT regexp="x-openftalias: [-)(0-9a-z ~.]"
add comment="NetBIOS name service" name=NBns regexp=\
"\\x01\\x10\\x01|\\)\\x10\\x01\\x01|0\\x10\\x01"
add name="MUTE P2P" regexp=\
"^(Public|AES)Key: [0-9a-f]*\\x0aEnd(Public|AES)Key\\x0a\$"
add name=POP3 regexp="^(\\+ok |-err )"
add comment="Famatech Remote Administrator - remote desktop for MS Windows" \
name=RAdmin regexp="^\\x01\\x01(\\x08\\x08|\\x1b\\x1b)\$"
add comment="MSN Messenger - Microsoft Network chat client" name=\
"MSN Messenger" regexp="ver [0-9]+ msnp[1-9][0-9]\? [\\x09-\\x0d -~]*cvr0\
\\x0d\\x0a\$|usr 1 [!-~]+ [0-9. ]+\\x0d\\x0a\$|ans 1 [!-~]+ [0-9. ]+\\x0d\
\\x0a\$\r\
\n"
add comment=\
"MSN (Micosoft Network) Messenger file transfers (MSNFTP and MSNSLP)" \
name="MSN File Transfer" regexp=\
"^(ver [ -~]*msnftp\\x0d\\x0aver msnftp\\x0d\\x0ausr|method msnmsgr:)"
add name=Live365 regexp="membername.*session.*player\r\
\n"
add comment="Jabber (XMPP) - open instant messenger protocol - RFC 3920 - http\
://jabber.org" name=Jabber regexp=\
"<stream:stream[\\x09-\\x0d ][ -~]*[\\x09-\\x0d ]xmlns=['\"]jabber"
add name=IRC regexp="^(nick[\\x09-\\x0d -~]*user[\\x09-\\x0d -~]*:|user[\\x09-\
\\x0d -~]*:[\\x02-\\x0d -~]*nick[\\x09-\\x0d -~]*\\x0d\\x0a)"
add name=IMAP regexp="^(\\* ok|a[0-9]+ noop)"
add comment="iMesh - the native protocol of iMesh, a P2P application - http://\
imesh.com" name=iMesh regexp="^(post[\\x09-\\x0d -~]*<PasswordHash>.......\
.........................</PasswordHash><ClientVer>|\\x34\\x80\?\\x0d\?\\x\
fc\\xff\\x04|get[\\x09-\\x0d -~]*Host: imsh\\.download-prod\\.musicnet\\.c\
om|\\x02[\\x01\\x02]\\x83.*\\x02[\\x01\\x02]\\x83)"
add name="HTTP RTSP" regexp="^(get[\\x09-\\x0d -~]* Accept: application/x-rtsp\
-tunnelled|http/(0\\.9|1\\.0|1\\.1) [1-5][0-9][0-9] [\\x09-\\x0d -~]*a=con\
trol:rtsp://)"
add comment="Ident - Identification Protocol - RFC 1413" name=Ident regexp="^[\
1-9][0-9]\?[0-9]\?[0-9]\?[0-9]\?[\\x09-\\x0d]*,[\\x09-\\x0d]*[1-9][0-9]\?[\
0-9]\?[0-9]\?[0-9]\?(\\x0d\\x0a|[\\x0d\\x0a])\?\$"
add name="HotLine P2P" regexp="^....................TRTPHOTL\\x01\\x02"
add name="DNS With Mikrotik" regexp="(aero|arpa|biz|com|coop|edu|gov|info|int|\
mil|museum|name|net|org|pro|arpa|ac|ad|ae|af|ag|ai|al|am|an|ao|aq|ar|as|at\
|au|aw|az|ba|bb|bd|be|bf|bg|bh|bi|bj|bm|bn|bo|br|bs|bt|bv|bw|by|bz|ca|cc|c\
d|cf|cg|ch|ci|ck|cl|cm|cn|co|cr|cu|cv|cx|cy|cz|de|dj|dk|dm|do|dz|ec|ee|eg|\
eh|er|es|et|fi|fj|fk|fm|fo|fr|ga|gd|ge|gf|gg|gh|gi|gl|gm|gn|gp|gq|gr|gs|gt\
|gu|gw|gy|hk|hm|hn|hr|ht|hu|id|ie|il|im|in|io|iq|ir|is|it|je|jm|jo|jp|ke|k\
g|kh|ki|km|kn|kp|kr|kw|ky|kz|la|lb|lc|li|lk|lr|ls|lt|lu|lv|ly|ma|mc|md|mg|\
mh|mk|ml|mm|mn|mo|mp|mq|mr|ms|mt|mu|mv|mw|mx|my|mz|na|nc|ne|nf|ng|ni|nl|no\
|np|nr|nu|nz|om|pa|pe|pf|pg|ph|pk|pl|pm|pn|pr|ps|pt|pw|py|qa|re|ro|ru|rw|s\
a|sb|sc|sd|se|sg|sh|si|sj|sk|sl|sm|sn|so|sr|st|sv|sy|sz|tc|td|tf|tg|th|tj|\
tk|tm|tn|to|tp|tr|tt|tv|tw|tz|ua|ug|uk|um|us|uy|uz|va|vc|ve|vg|vi|vn|vu|wf\
|ws|ye|yt|yu|za|zm|zw)"
add name=FastTrack regexp="^get (/.download/[ -~]*|/.supernode[ -~]|/.status[ \
-~]|/.network[ -~]*|/.files|/.hash=[0-9a-f]*/[ -~]*) http/1.1|user-agent: \
kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^g\
ive [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]\?[0-9]\?[0-9]\?"
add comment="Finger - User information server - RFC 1288" name=Finger regexp="\
^[a-z][a-z0-9\\-_]+|login: [\\x09-\\x0d -~]* name: [\\x09-\\x0d -~]* Direc\
tory: "
add name="Edonkey P2P" regexp="^[\\xc5\\xd4\\xe3-\\xe5].\?.\?.\?.\?([\\x01\\x0\
2\\x05\\x14\\x15\\x16\\x18\\x19\\x1a\\x1b\\x1c\\x20\\x21\\x32\\x33\\x34\\x\
35\\x36\\x38\\x40\\x41\\x42\\x43\\x46\\x47\\x48\\x49\\x4a\\x4b\\x4c\\x4d\\\
x4e\\x4f\\x50\\x51\\x52\\x53\\x54\\x55\\x56\\x57\\x58[\\x60\\x81\\x82\\x90\
\\x91\\x93\\x96\\x97\\x98\\x99\\x9a\\x9b\\x9c\\x9e\\xa0\\xa1\\xa2\\xa3\\xa\
4]|\\x59................\?[ -~]|\\x96....\$)"
add name=FreeNet regexp="^\\x01[\\x08\\x09][\\x03\\x04]"
add name=FTP regexp="^220[\\x09-\\x0d -~]*ftp"
add name=DCHP regexp="^[\\x01\\x02][\\x01- ]\\x06.*c\\x82sc"
add name="Direct Connect P2P" regexp="^(\\\$mynick |\\\$lock |\\\$key )"
add comment=\
"Citrix ICA - proprietary remote desktop application - http://citrix.com" \
name="Citrix ICA" regexp="\\x32\\x26\\x85\\x92\\x58"
add name="BitTorrent P2P" regexp="^(\\x13bittorrent protocol|azver\\x01\$|get \
/scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET\
\_/data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add comment="Mail Protocol" name=Biff regexp="^[a-z][a-z0-9]+@[1-9][0-9]+\$"
add name=BGP regexp="^\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\
\\xff\\xff\\xff\\xff\\xff..\?\\x01[\\x03\\x04]"
add name="Apple Juice P2P" regexp="^ajprot\\x0d\\x0a"
add name="Ares P2P" regexp="^\\x03[]Z].\?.\?\\x05\$"
add name=Telegram regexp="^.+(telegram.com).*\$"
add name=Youtube regexp="^.+(youtube.com|googlevideo.com).*\$"
add name=WhatsApp regexp="^.+(whatsapp.com).*\$"
add name=Facebook regexp="^.+(facebook.com|fbcdn.net).*\$"
add name=Instagram regexp="^.+(instagram.com).*\$"
add name=Twitter regexp="^.+(twitter.com|twimg.com).*\$"
add name=Signal regexp="^.+(signal.com|whispersystems.com).*\$"
add name=Netflix regexp="^.+(netflix.com).*\$"
add name=Iflix regexp="^.+(iflix.com).*\$"
add name=Tiktok regexp="^.+(tiktok.com|musical.ly).*\$"