Layer 7 - adding regex

roymayr · Apr 26, 2012, 4:57 PM

About a year ago,here (http://forum.pfsense.org/index.php/topic,33198.0.html) was suggested to add regex to be used in Layer 7 shaping…. (last comment).
After reading and searching here and there, I have no idea how to do it. Any help?

roymayr · Apr 27, 2012, 12:46 AM

Since my bandwidth is being eaten by youtube fans, I was testing Layer 7 to shape it, using "httpvideo"… and probably it will help with other sites too.
I wanted to do the same with FB and other sites. That is why I'm trying to add regular expressions to the list, if possible, as suggested in the other topic. But I don't know how to do it...

thanks for any feedback on this.

jimp · May 1, 2012, 4:56 PM

Look in /usr/local/share/protocols at the .pat files there. You can copy one of those, change the name of the file (and the name inside the file) and put your regex there.

Or if you have a file already, make sure it matches the format, and upload it in the L7 GUI.

demoso · May 1, 2012, 7:43 PM

I would love a detailed explanation on how to do this also if someone would be so kind! I currently have a bridged pfsense setup. Firewall wide open and am only shaping traffic using the L7 protocols. It works shaping traffic on youtube and other sites but not all video sites. www.wwe.com is one of the sites that don't seem to be shaped. So I would love to know how to create a regex file and place it in the proper directory to do this.

Thanks!

jimp · May 1, 2012, 7:50 PM

As I said above, grab one of the existing pattern files, edit it to do what you want, then upload it in the L7 part of the GUI.

It's really not all that hard, though you need to take care that the regex in the pattern is valid.

demoso · May 1, 2012, 8:09 PM

Thanks for you help. Okay I know where to put the file I just don't know how to edit it. I know everything after # is a comment and the rest is the actual code I need to edit but I'm not sure what to put? I put the exe.pat file below. If you want tell me what I should change to shape www.wwe.com I would appreciate it! Sorry complete noob!

Executable - Microsoft PE file format.

Pattern attributes: good notsofast notsofast subset

Protocol groups: file

Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE

Thanks to Brandon Enright [bmenrighATucsd.edu]

This pattern doesn't techincally match the PE file format but rather the

MZ stub program Microsoft uses for backwards compatibility with DOS.

That means this will correctly match DOS executables too.

exe

There are two different stubs used depending on the compiler/packer.

Numerous NULL bytes have been stripped from this pattern.

This pattern may be more efficient:

\x4d\x5a\x90\x03\x04|\x4d\x5a\x50\x02\x04

This is easier to understand:

\x4d\x5a(\x90\x03|\x50\x02)\x04

jimp · May 1, 2012, 8:22 PM

If you need that much help to form a regex, I'm afraid I can't help you, and it's beyond the scope of this thread.

There are many files there so there are plenty of examples.

roymayr · May 9, 2012, 8:55 PM

@jimp:

Look in /usr/local/share/protocols at the .pat files there. You can copy one of those, change the name of the file (and the name inside the file) and put your regex there.

Or if you have a file already, make sure it matches the format, and upload it in the L7 GUI.

Thanks jimp!! This is exactly what I was looking/asking for. Great. Thanks a lot!

roymayr · May 10, 2012, 1:09 PM

Here is a link that was quite informative to me about Layer 7 and protocols: http://l7-filter.sourceforge.net/protocols
Of course, a reading about regular expressions is a must. Thanks Google!