QoS Filter Definitions

From DD-WRT Wiki

Jump to: navigation, search

This is a dump of /etc/l7-protocols/* in DD-WRT, automatically formatted using a PHP script, so pardon its somewhat crude layout.

These are the definitions that DD-WRT uses to classify packets using the QoS filter. As you can see, it's far more than just port numbers...

Contents

[edit] extra

audiogalaxy
^(\x45\x5f\xd0\xd5|\x45\x5f.*0.60(6|8)W)
gtalk
^<stream:stream to="gmail\.com"
http-dap
User-Agent: DA [678]\.[0-9]
http-freshdownload
User-Agent: FreshDownload/[456](\.[0-9][0-9]?)?
http-itunes
http/(0\.9|1\.0|1\.1).*(user-agent: itunes)
httpaudio
http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(content-type: audio)
httpcachehit
http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(x-cache: hit)
httpcachemiss
http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(x-cache: miss)
httpvideo
http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(content-type: video)
pressplay
user-agent: nsplayer
quicktime
user-agent: quicktime \(qtver=[0-9].[0-9].[0-9];os=[\x09-\x0d -~]+\)\x0d\x0a
snmp-mon
^\x02\x01\x04.+[\xa0-\xa3]\x02[\x01-\x04].?.?.?.?\x02\x01.?\x02\x01.?\x30
snmp-trap
^\x02\x01\x04.+\xa4\x06.+\x40\x04.?.?.?.?\x02\x01.?\x02\x01.?\x43

[edit] file_types

exe
\x4d\x5a(\x90\x03|\x50\x02)\x04
flash
[FC]WS[\x01-\x09]|FLV\x01\x05\x09
gif
GIF8(7|9)a
html
<html.*><head>
jpeg
\xff\xd8
mp3
\x49\x44\x33\x03
ogg
oggs.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?\x01vorbis
pdf
%PDF-1\.[0123456]
perl
\#! ?/(usr/(local/)?)?bin/perl
png
\x89PNG\x0d\x0a\x1a\x0a
postscript
%!ps
rar
rar\x21\x1a\x07
rpm
\xed\xab\xee\xdb.?.?.?.?[1-7]
rtf
\{\\rtf[12]
tar
ustar
zip
pk\x03\x04\x14

[edit] malware

code_red
/default\.ida\?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN­NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN­NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%­u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9­090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
nimda
GET (/scripts/root\.exe\?/c\+dir|/MSADC/root\.exe\?/c\+dir|/c/winnt/sys­tem32/cmd\.exe\?/c\+dir|/d/winnt/sys­tem32/cmd\.exe\?/c\+dir|/scripts/\.\.%5c\.\./winnt/sys­tem32/cmd\.exe\?/c\+dir|/_vti_bin/\.\.%5c\.\./\.\.%5c\.\./\.\.%5c\.\./winnt/sys­tem32/cmd\.exe\?/c\+dir|/_mem_bin/\.\.%5c\.\./\.\.%5c\.\./\.\.%5c\.\./winnt/sys­tem32/cmd\.exe\?/c\+dir|/msadc/\.\.%5c\.\./\.\.%5c\.\./\.\.%5c/\.\.\xc1\x1c\.\./\.\.\xc1\x1c\.\./\.\.\xc1\x1c\.\./winnt/sys­tem32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc1\x1c\.\./winnt/sys­tem32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc0/\.\./winnt/sys­tem32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc0\xaf\.\./winnt/sys­tem32/cmd\.exe\?/c\+dir|/scripts/\.\.\xc1\x9c\.\./winnt/sys­tem32/cmd\.exe\?/c\+dir|/scripts/\.\.%35c\.\./winnt/sys­tem32/cmd\.exe\?/c\+dir|/scripts/\.\.%35c\.\./winnt/sys­tem32/cmd\.exe\?/c\+dir|/scripts/\.\.%5c\.\./winnt/sys­tem32/cmd\.exe\?/c\+dir|/scripts/\.\.%2f\.\./winnt/sys­tem32/cmd\.exe\?/c\+dir)

[edit] protocols

100bao
^\x01\x01\x05\x0a
aim
^(\*[\x01\x02].*\x03\x0b|\*\x01.?.?.?.?\x01)|flapon|toc_signon.*0x
aimwebcontent
user-agent:aim/
applejuice
^ajprot\x0d\x0a
ares
^\x03[]Z].?.?\x05$
armagetron
YCLC_E|CYEL
battlefield1942
^\x01\x11\x10\|\xf8\x02\x10\x40\x06
battlefield2
^(\x11\x20\x01...?\x11|\xfe\xfd.?.?.?.?.?.?(\x14\x01\x06|\xff\xff\xff))|[]\x01].­?battlefield2
battlefield2142
^(\x11\x20\x01\x90\x50\x64\x10|\xfe\xfd.?.?.?\x18|[\x01\\].?battlefield2)
bgp
^\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff..?\x01[\x03\x0­4]
biff
^[a-z][a-z0-9]+@[1-9][0-9]+$
bittorrent
^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]
bt
^\x13bittorrent protocol|d1:ad2:id20:|\x08'7P\)[RP]|^\x04\x17\x27\x10\x19\x80|^get (.*)User-Agent: bittorrent|^azver\x01$|^get /(scrape|announce)\?info_hash=|^.?.?.?.?.?.?[0-9]_BitTorrent
bt1
^get (/task/bt/.*|/task_recommend.*|/issupported )http/*[\x09-\x0d -~]
bt2
^get (/announce.php\?info_hash=.*|/announce\?info_hash=.*|/announce.php\?passkey=.*|/announce\?passkey=.*|/\?info_hash=.*|/data\?fid=.*)http/*[\x09-\x0d -~]
bt3
^\x01
chikka
^CTPv1\.[123] Kamusta.*\x0d\x0a$
cimd
\x02[0-4][0-9]:[0-9]+.*\x03$
ciscovpn
^\x01\xf4\x01\xf4
citrix
\x32\x26\x85\x92\x58
clubbox
^get .*host: .*\.clubbox\.co\.kr
counterstrike-source
^\xff\xff\xff\xff.*cstrikeCounter-Strike
cvs
^BEGIN (AUTH|VERIFICATION|GSSAPI) REQUEST\x0a
dayofdefeat-source
^\xff\xff\xff\xff.*dodDay of Defeat
dazhihui
^(longaccoun|qsver2auth|\x35[57]\x30|\+\x10\*)
dhcp
^[\x01\x02][\x01- ]\x06.*c\x82sc
directconnect
^(\$mynick |\$lock |\$key )
dns
^.?.?.?.?[\x01\x02].?.?.?.?.?.?[\x01-?][a-z0-9][\x01-?a-z]*[\x02-\x06][a-z][a-z]­[fglmoprstuvz]?[aeop]?(um)?[\x01-\x10\x1c][\x01\x03\x04\xFF]
doom3
^\xff\xffchallenge
edonkey
^[\xc5\xd4\xe3-\xe5].?.?.?.?([\x01\x02\x05\x14\x15\x16\x18\x19\x1a\x1b\x1c\x20\x­21\x32\x33\x34\x35\x36\x38\x40\x41\x42\x43\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x­4f\x50\x51\x52\x53\x54\x55\x56\x57\x58[\x60\x81\x82\x90\x91\x93\x96\x97\x98\x99\­x9a\x9b\x9c\x9e\xa0\xa1\xa2\xa3\xa4]|\x59................?[ -~]|\x96....$)
fasttrack
^get (/.download/[ -~]*|/.supernode[ -~]|/.status[ -~]|/.network[ -~]*|/.files|/.hash=[0-9a-f]*/[ -~]*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?
finger
^[a-z][a-z0-9\-_]+|login: [\x09-\x0d -~]* name: [\x09-\x0d -~]* Directory:
freegate_dns
\x05\x61\x7a\x78\x64\x66\x03\x63\x6f\x6d
freegate_http
^(get$|get $|get /$|get /g$|get /gw$|get /gwt$|get /gwt/.*gapvm\.dontexist)
freenet
^\x01[\x08\x09][\x03\x04]
ftp
^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a331
gkrellm
^gkrellm [23].[0-9].[0-9]\x0a$
gnucleuslan
gnuclear connect/[\x09-\x0d -~]*user-agent: gnucleus [\x09-\x0d -~]*lan:
gnutella
^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh|foxy|mxie)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|...................?lime)
goboogy
<peerplat>|^get /getfilebyhash\.cgi\?|^get /queue_register\.cgi\?|^get /getupdowninfo\.cgi\?
gogobox
^get .*host: .*.gogobox.com.tw
gopher
^[\x09-\x0d]*[1-9,+tgi][\x09-\x0d -~]*\x09[\x09-\x0d -~]*\x09[a-z0-9.]*\.[a-z][a-z].?.?\x09[1-9]
gtalk1
^\x80\x4c\x01\x03\x01\x33\x10\x04\x05\x0a\x01\x80\x07.\x03\x80\x09\x06\x40\x64\x­62\x03\x06\x02\x80\x04\x80\x13\x12\x63
gtalk2
^(get|post) (/mail/channel/bind\?|/talkgadget/popout?.*host: talkgadget.google.com)
gtalk_file
^\x02\xf0
gtalk_file_1
^get /create_session .*x-google-relay-auth.*x-session-type .*/session/share
gtalk_vista
^<stream:.*gmail.com.*jabber:client
guildwars
^[\x04\x05]\x0c.i\x01
h323
^\x03..?\x08...?.?.?.?.?.?.?.?.?.?.?.?.?.?.?\x05
halflife2-deathmatch
^\xff\xff\xff\xff.*hl2mpDeathmatch
hamachi1
^..\x01\x12
hddtemp
^\|/dev/[a-z][a-z][a-z]\|[0-9a-z]*\|[0-9][0-9]\|[cfk]\|
hotline
^....................TRTPHOTL\x01\x02
hotspot-shield
^.?\x20.*@metrofreefivpn\.com
http-rtsp
^(get[\x09-\x0d -~]* Accept: application/x-rtsp-tunnelled|http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*a=control:rtsp://)
http
http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019]
icq_file
\x82\x22\x44\x45\x53\x54
icq_file_1
^post /data\?.*filexfer
icq_file_2
filexfer
icq_login
^(\*\x01.?.?.?.?\x01$)|^get /hello http/(0\.9|1\.0|1\.1)[\x09-\x0d\ -~].*host: http\.proxy\.icq\.com|^get /hello(.*)host: .*\.icq\.com[\x09-\x0d\ -~]
ident
^[1-9][0-9]?[0-9]?[0-9]?[0-9]?[\x09-\x0d]*,[\x09-\x0d]*[1-9][0-9]?[0-9]?[0-9]?[0­-9]?(\x0d\x0a|[\x0d\x0a])?$
imap
^(\* ok|a[0-9]+ noop)
imesh
^(post[\x09-\x0d -~]*<PasswordHash>................................</PasswordHash><ClientVer>|\x34\x80?\x0d?\xfc\xff\x04|get[\x09-\x0d -~]*Host: imsh\.download-prod\.musicnet\.com|\x02[\x01\x02]\x83.*\x02[\x01\x02]\x83)
ipp
ipp://
irc
^(nick[\x09-\x0d -~]*user[\x09-\x0d -~]*:|user[\x09-\x0d -~]*:[\x02-\x0d -~]*nick[\x09-\x0d -~]*\x0d\x0a)
jabber
<stream:stream[\x09-\x0d ][ -~]*[\x09-\x0d ]xmlns=['"]jabber
kugoo
^(\x64.....\x70....\x50\x37|\x65.+)
live365
membername.*session.*player
liveforspeed
^..\x05\x58\x0a\x1d\x03
lpd
^(\x01[!-~]+|\x02[!-~]+\x0a.[\x01\x02\x03][\x01-\x0a -~]*|[\x03\x04][!-~]+[\x09-\x0d]+[a-z][\x09-\x0d -~]*|\x05[!-~]+[\x09-\x0d]+([a-z][!-~]*[\x09-\x0d]+[1-9][0-9]?[0-9]?|root[\x09-\x0d]+[!-~]+).*)\x0a$
mohaa
^\xff\xff\xff\xffgetstatus\x0a
msn-filetransfer
^(ver [ -~]*msnftp\x0d\x0aver msnftp\x0d\x0ausr|method msnmsgr:)
msnmessenger
ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]*cvr0\x0d\x0a$|usr 1 [!-~]+ [0-9. ]+\x0d\x0a$|ans 1 [!-~]+ [0-9. ]+\x0d\x0a$
mute
^(Public|AES)Key: [0-9a-f]*\x0aEnd(Public|AES)Key\x0a$
napster
^(.[\x02\x06][!-~]+ [!-~]+ [0-9][0-9]?[0-9]?[0-9]?[0-9]? "[\x09-\x0d -~]+" ([0-9]|10)|1(send|get)[!-~]+ "[\x09-\x0d -~]+")
nbns
\x01\x10\x01|\)\x10\x01\x01|0\x10\x01
ncp
^(dmdt.*\x01.*(""|\x11\x11|uu)|tncp.*33)
netbios
\x81.?.?.[A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][­A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][­A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P]
nntp
^(20[01][\x09-\x0d -~]*AUTHINFO USER|20[01][\x09-\x0d -~]*news)
ntp
^([\x13\x1b\x23\xd3\xdb\xe3]|[\x14\x1c$].......?.?.?.?.?.?.?.?.?[\xc6-\xff])
openft
x-openftalias: [-)(0-9a-z ~.]
pcanywhere
^(nq|st)$
poco
^\x80\x94\x0a\x01....\x1f\x9e
pop3
^(\+ok |-err )
pplive
\x01...\xd3.+\x0c.$
pre_icq_login
^(\*|get)
pre_msn_login
^(ver|get|post)
pre_urlblock
^get
pre_yahoo_login
^(ymsg|ypns|yhoo|post)
qianlong
^\x24\x1c
qq
^.?.?\x02.+\x03$
qqdownload_1
^\x02.*\x38.\x87\x58\xea.\x82\x08.*\x03$
qqdownload_2
^\xfe
qqdownload_3
^(get|post) /.*http/*[\x09-\x0d -~].*host: (.*\.soso.com|121.14.74.41)[\x09-\x0d -~]
qqfile
^(post|get) /\?ver=.*user-agent: qqclient\x0d\x0a
qqgame
\x31\x32\x33\x34\x35\x36\x37\x38
qqlive
^\x02
qqlive2
^get /.*\.video\.qq\.com/flv
qq_login
^(.?\x02.+\x03$|(\x01|\x03).+\x02.+\x03$)
qq_login_1
^.?.?\x02.*\x03$
qq_tcp_file
^\x04.*\x03$
qq_udp_file
^\x03\x01\x65
quake-halflife
^\xff\xff\xff\xffget(info|challenge)
quake1
^\x80\x0c\x01quake\x03
radmin
^\x01\x01(\x08\x08|\x1b\x1b)$
rdp
rdpdr.*cliprdr.*rdpsnd
replaytv-ivs
^(get /ivs-IVSGetFileChunk|http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*\x23\x23\x23\x23\x23REPLAY_CHUNK_START\x23\x23\x23\x23\x23)
rlogin
^[a-z][a-z0-9][a-z0-9]+/[1-9][0-9]?[0-9]?[0-9]?00
rtp
^\x80[\x01-"`-\x7f\x80-\xa2\xe0-\xff]?..........*\x80
rtsp
rtsp/1.0 200 ok
runesofmagic
^\x10\x03...........\x0a\x02.....\x0e
shoutcast
^get /.*icy-metadata:1|icy [1-5][0-9][0-9] [\x09-\x0d -~]*(content-type:audio|icy-)
sip
^(invite|register|cancel|message|subscribe|notify) sip[\x09-\x0d -~]*sip/[0-2]\.[0-9]
skypeout
^(\x01.?.?.?.?.?.?.?.?\x01|\x02.?.?.?.?.?.?.?.?\x02|\x03.?.?.?.?.?.?.?.?\x03|\x0­4.?.?.?.?.?.?.?.?\x04|\x05.?.?.?.?.?.?.?.?\x05|\x06.?.?.?.?.?.?.?.?\x06|\x07.?.?­.?.?.?.?.?.?\x07|\x08.?.?.?.?.?.?.?.?\x08|\x09.?.?.?.?.?.?.?.?\x09|\x0a.?.?.?.?.­?.?.?.?\x0a|\x0b.?.?.?.?.?.?.?.?\x0b|\x0c.?.?.?.?.?.?.?.?\x0c|\x0d.?.?.?.?.?.?.?­.?\x0d|\x0e.?.?.?.?.?.?.?.?\x0e|\x0f.?.?.?.?.?.?.?.?\x0f|\x10.?.?.?.?.?.?.?.?\x1­0|\x11.?.?.?.?.?.?.?.?\x11|\x12.?.?.?.?.?.?.?.?\x12|\x13.?.?.?.?.?.?.?.?\x13|\x1­4.?.?.?.?.?.?.?.?\x14|\x15.?.?.?.?.?.?.?.?\x15|\x16.?.?.?.?.?.?.?.?\x16|\x17.?.?­.?.?.?.?.?.?\x17|\x18.?.?.?.?.?.?.?.?\x18|\x19.?.?.?.?.?.?.?.?\x19|\x1a.?.?.?.?.­?.?.?.?\x1a|\x1b.?.?.?.?.?.?.?.?\x1b|\x1c.?.?.?.?.?.?.?.?\x1c|\x1d.?.?.?.?.?.?.?­.?\x1d|\x1e.?.?.?.?.?.?.?.?\x1e|\x1f.?.?.?.?.?.?.?.?\x1f|\x20.?.?.?.?.?.?.?.?\x2­0|\x21.?.?.?.?.?.?.?.?\x21|\x22.?.?.?.?.?.?.?.?\x22|\x23.?.?.?.?.?.?.?.?\x23|\$.­?.?.?.?.?.?.?.?\$|\x25.?.?.?.?.?.?.?.?\x25|\x26.?.?.?.?.?.?.?.?\x26|\x27.?.?.?.?­.?.?.?.?\x27|\(.?.?.?.?.?.?.?.?\(|\).?.?.?.?.?.?.?.?\)|
skypetoskype
^..\x02.............
smb
\xffsmb[\x72\x25]
smtp
^220[\x09-\x0d -~]* (e?smtp|simple mail)
snmp
^\x02\x01\x04.+([\xa0-\xa3]\x02[\x01-\x04].?.?.?.?\x02\x01.?\x02\x01.?\x30|\xa4\­x06.+\x40\x04.?.?.?.?\x02\x01.?\x02\x01.?\x43)
socks
\x05[\x01-\x08]*\x05[\x01-\x08]?.*\x05[\x01-\x03][\x01\x03].*\x05[\x01-\x08]?[\x­01\x03]
soribada
^GETMP3\x0d\x0aFilename|^\x01.?.?.?(\x51\x3a\+|\x51\x32\x3a)|^\x10[\x14-\x16]\x1­0[\x15-\x17].?.?.?.?$
soulseek
^(\x05..?|.\x01.[ -~]+\x01F..?.?.?.?.?.?.?)$
ssdp
^notify[\x09-\x0d ]\*[\x09-\x0d ]http/1\.1[\x09-\x0d -~]*ssdp:(alive|byebye)|^m-search[\x09-\x0d ]\*[\x09-\x0d ]http/1\.1[\x09-\x0d -~]*ssdp:discover
ssh
^ssh-[12]\.[0-9]
ssl
^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b)
stun
^[\x01\x02]................?$
subspace
^\x01....\x11\x10........\x01$
subversion
^\( success \( 1 2 \(
teamfortress2
^\xff\xff\xff\xff.....*tfTeam Fortress
teamspeak
^\xf4\xbe\x03.*teamspeak
teamviewer
^\x17
teamviewer1
^(post|get) /d(out|in).aspx?.*client=dyngate
telnet
^\xff[\xfb-\xfe].\xff[\xfb-\xfe].\xff[\xfb-\xfe]
tesla
\x03\x9a\x89\x22\x31\x31\x31\.\x30\x30\x20\x42\x65\x74\x61\x20|\xe2\x3c\x69\x1e\­x1c\xe9
tftp
^(\x01|\x02)[ -~]*(netascii|octet|mail)
thecircle
^t\x03ni.?[\x01-\x06]?t[\x01-\x05]s[\x0a\x0b](glob|who are you$|query data)
thunder5_see
^(get|post) /.*http/*[\x09-\x0d -~].*host: .*\.xunlei.com[\x09-\x0d -~]
thunder5_tcp
^((^get .*http/1\.1\x0d\x0aaccept: \*/\*\x0d\x0acache-control: no-cache\x0d\x0aconnection: keep-alive\x0d\x0a.*pragma: no-cache\x0d\x0a.*user-agent: mozilla/4\.0 \(compatible; msie 6\.0; windows nt 5\.1; sv1; \.net clr 1\.1\.4322; \.net clr 2\.0\.50727\)\x0d\x0a\x0d\x0a$)|(post (/.*http/*[\x09-\x0d -~].*host: .*sandai.­net|/ http/1\..\x0d\x0ahost: .*:80\x0d\x0acontent-type: application/octet-stream\x0d\x0a)))
tonghuashun
^(GET /docookie\.php\?uname=|\xfd\xfd\xfd\xfd\x30\x30\x30\x30\x30)
tor
TOR1.*<identity>
tsp
^[\x01-\x13\x16-$]\x01.?.?.?.?.?.?.?.?.?.?[ -~]+
unknown
(Nothing there!)
unset
uucp
^\x10here=
validcertssl
^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b).*(thawte|equifax secure|rsa data security, inc|verisign, inc|gte cybertrust root|entrust\.net limited)
ventrilo
^..?v\$\xcf
vnc
^rfb 00[1-9]\.00[0-9]\x0a$
webmail_163
^(get|post) .*host:.*\.mail\.(163\.com|126\.com|yeah\.net)\x0d\x0a
webmail_gmail
get (http://mail.google.com/mail/|/mail/)?.*host: mail\.google\.com\x0d\x0a
webmail_hinet
^post ((http://webmail\.hinet\.net/login\.do|/login\.do).*host: webmail\.|(http://webmail1\.hinet\.net/cgi-bin/login\.cgi|/cgi-bin/login\.cgi).*host: webmail1\.)hinet\.net\x0d\x0a
webmail_hotmail
^get (http://.*mail\.live\.com/mail/|/mail/).*host: .*mail\.live\.com\x0d\x0a
webmail_pchome
^(post|get) .*host: mail.pchome.com.tw\x0d\x0a
webmail_qq
^(get|post) /cgi-bin/login.*host:.*(\.mail\.qq|\.foxmail)\.com\x0d\x0a
webmail_seednet
^(post|get) .*host: webmail.seed.net.tw
webmail_sina
^(post|get) .*host: (mail\.sina\.com\.cn|mp\.sina\.com\.tw)\x0d\x0a
webmail_sohu
^(get|post) .*host: .*mail\.sohu\.com\x0d\x0a
webmail_tom
^(get|post).*host: (login\.mail|pass)\.tom.com\x0d\x0a
webmail_url
^post (http://www\.url\.com\.tw/sgllogon/|/sgllogon/)sgllogon\.asp.*host: www\.url\.com\.tw\x0d\x0a
webmail_yahoo
get (http://.*mail\.yahoo\.com/ym/login|/ym/login)?.*host: .*mail\.yahoo\.com\x0d\x0a
webmail_yam
^(get|post).*host: mail.yam.com
whois
^[ !-~]+\x0d\x0a$
worldofwarcraft
^\x06\xec\x01
x11
^[lb].?\x0b
xboxlive
^\x58\x80........\xf3|^\x06\x58\x4e
xunlei
^([()]|get)(...?.?.?(reg|get|query)|.+User-Agent: (Mozilla/4\.0 \(compatible; (MSIE 6\.0; Windows NT 5\.1;? ?\)|MSIE 5\.00; Windows 98\))))|Keep-Alive\x0d\x0a\x0d\x0a[26]
yahoo
^(ymsg|ypns|yhoo).?.?.?.?.?.?.?[lwt].*\xc0\x80
yahoo_camera
^(ymsg(.*)ystatus=1..47..0|ymsg(.*)49..webcaminvite)
yahoo_file
^(get|post) /relay\?(.*domain=\.yahoo\.com|token=.*recver=)
yahoo_login
^(ymsg|ypns|yhoo).?.?.?.?.?.?.?[a-z]+|^post(.*)(ymsg|ypns|yhoo).?.?.?.?.?.?.?[a-­z]+
yahoo_voice
^ymsg.?.?.?.?.?.?.?[j]+
zmaap
^\x1b\xd7\x3b\x48[\x01\x02]\x01?\x01

[edit] PHP source code of formatting script

<?php
if (isset($_FILES["zipfile"]["name"])) {
	$zipfile = zip_open($_FILES["zipfile"]["tmp_name"]);
	if (!$zipfile) {
		echo 'Not a ZIP file uploaded. Aborting.';
		break 2;
	}
	while ($file = zip_read($zipfile)) {
		$filepath = zip_entry_name($file);
		$fh = zip_entry_open($zipfile,$file);
		$path = explode('/',$filepath);
		$path = array_map('trim',$path);
		$last = end($path);
		if (!empty($last)) {
			$script = trim(zip_entry_read($file));
			$eval = '$root';
			foreach ($path as $bit) {
				if ($bit == $last) $bit = substr($bit,0,-4);
				$eval .= '[\''.addslashes($bit).'\']';
			}
			// yes, I know, eval is evil, but it's the only easy way to allow for
			//  dynamic array generation based on path level. plus, addslashes. it's ok.
			$eval .= '= $script;';
			eval($eval);
		}
	}
	zip_close($zipfile);
	var_dump($root);
	echo '<hr><pre>';
	$category = array_keys($root);
	foreach ($category as $thiscat) {
		echo "== $thiscat ==\r\n";
		foreach ($root[$thiscat] as $type => $regex) {
			echo "; $type\r\n";
			if (strpos($regex,"\r\n")) $regex = explode("\r\n",$regex);
			else $regex = explode("\n",$regex);
			if (isset($regex[1])) $regex = htmlspecialchars($regex[1]);
			else $regex = '(Nothing there!)';
			echo ': &lt;nowiki&gt;';
			while (strlen($regex) > 0) {
				$chunk = substr($regex,0,80);
				if ((strlen($chunk) == 80) && !strpos($chunk,' ')) $chunk .= '&shy;';
				echo htmlspecialchars($chunk);
				$regex = substr($regex,80);
			}
			echo "&lt;/nowiki&gt;\r\n";
		}
	}
	echo '</pre>';
}
?>
build l7-protocols page from zipped folder structure here...<br>
<form method="POST" enctype="multipart/form-data">
<input type="file" name="zipfile"><br>
<input type="submit">
</form>