# STUN - Simple Traversal of UDP Through NAT - RFC 3489
# Pattern attributes: ok veryfast fast
# Protocol groups: networking ietf_proposed_standard
# Wiki: http://www.protocolinfo.org/wiki/STUN
#
# This pattern is untested as far as I know.

# Wikipedia says: "The STUN server is contacted on UDP port 3478,
# however the server will hint clients to perform tests on alternate IP
# and port number too (STUN servers have two IP addresses). The RFC
# states that this port and IP are arbitrary."

stun
# \x01 is a Binding Request. \x02 is a Shared Secret Request. Binding
# Requests are, experimentally, exactly 20 Bytes with three NULL Bytes.
# The first NULL is part of the two byte message type field. The other
# two give the message length, zero. I'm guessing that Shared Secret
# Requests are similar, but I have not checked. Please read the RFC and
# do experiments to find out. All other message types are responses,
# and so don't matter.
#
# The .? allows one of the Message Transaction ID Bytes to be \x00. If
# two are \x00, it will fail. This will happen 0.37% of the time, since
# the Message Transaction ID is supposed to be random. If this is
# unacceptable to you, add another ? to reduce this to 0.020%, but be
# aware of the increased possibility of false positives.
^[\x01\x02]................?$

# From my post to the mailing list:
# http://sourceforge.net/mailarchive/message.php?msg_id=36787107
#
# This is a rather permissive pattern, but you can make it a little better
# by combining it with another iptables rule that checks that the packet
# data is exactly 20 Bytes. Of course, the second packet is longer, so
# maybe that introduces more complications than benefits.
#
# If you're willing to wait until the second packet to make the
# identification, you could use this:
#
# ^\x01................?\x01\x01
#
# or if the Message Length is always \x24 (I'm not sure it is from your
# single example):
#
# ^\x01................?\x01\x01\x24
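A worked check of what the patterns above actually match, added here as an example; it is not part of the l7-filter pattern file or the author's mailing-list post. It builds RFC 3489 messages with Python's standard library, applies the preprocessing l7-filter is assumed to perform before the regex runs (NUL bytes dropped, ASCII letters lowercased, both directions of the flow concatenated in arrival order), and runs the page's three regexes over constructed packets. The helper names (`stun_message`, `binding_response`, `l7_view`, `l7_match`, `zero_bytes_tolerated`) and the 192.0.2.x addresses and ports are my own constructions; the 36-byte (`\x24`) attribute length comes from my reading of RFC 3489, where a Binding Response carries MAPPED-ADDRESS, SOURCE-ADDRESS and CHANGED-ADDRESS at 12 bytes each.

```python
import os
import re
import socket
import struct

# The patterns from the page; l7-filter's regex syntax maps onto Python's bytes
# regex here, and re.DOTALL makes '.' match every byte value (assumption).
STUN_FIRST_PACKET = rb"^[\x01\x02]................?$"
STUN_WITH_RESPONSE = rb"^\x01................?\x01\x01"
STUN_WITH_RESPONSE_LEN = rb"^\x01................?\x01\x01\x24"

# RFC 3489 message types and the three address attributes of a Binding Response
BINDING_REQUEST = 0x0001
SHARED_SECRET_REQUEST = 0x0002
BINDING_RESPONSE = 0x0101
MAPPED_ADDRESS, SOURCE_ADDRESS, CHANGED_ADDRESS = 0x0001, 0x0004, 0x0005


def address_attr(attr_type, ip, port):
    """4-byte TLV header + 8-byte IPv4 value (pad, family=1, port, address)."""
    return struct.pack("!HHxBH", attr_type, 8, 1, port) + socket.inet_aton(ip)


def stun_message(msg_type, attributes=b"", txid=None):
    """20-byte RFC 3489 header (type, attribute length, 16-byte transaction ID)."""
    if txid is None:
        txid = os.urandom(16)  # the RFC wants this random; that is what the .? is for
    if len(txid) != 16:
        raise ValueError("transaction ID must be 16 bytes")
    return struct.pack("!HH", msg_type, len(attributes)) + txid + attributes


def binding_response(txid):
    """Response with MAPPED/SOURCE/CHANGED-ADDRESS: 3 x 12 = 36 (0x24) attribute bytes.
    Addresses and ports are constructed sample values (RFC 5737 documentation range)."""
    attrs = (address_attr(MAPPED_ADDRESS, "192.0.2.10", 54321)
             + address_attr(SOURCE_ADDRESS, "192.0.2.1", 3478)
             + address_attr(CHANGED_ADDRESS, "192.0.2.2", 3479))
    return stun_message(BINDING_RESPONSE, attrs, txid)


def l7_view(*packets):
    """What the regex is assumed to see: the flow's packets concatenated in
    arrival order, with NUL bytes removed and ASCII letters lowercased."""
    return b"".join(packets).replace(b"\x00", b"").lower()


def l7_match(pattern, *packets):
    return re.search(pattern, l7_view(*packets), re.DOTALL) is not None


def zero_bytes_tolerated(pattern=STUN_FIRST_PACKET):
    """Which counts of \\x00 bytes in the transaction ID the first-packet pattern survives."""
    tolerated = []
    for n_zero in range(4):
        txid = b"\x00" * n_zero + bytes(range(1, 17 - n_zero))
        if l7_match(pattern, stun_message(BINDING_REQUEST, txid=txid)):
            tolerated.append(n_zero)
    return tolerated


if __name__ == "__main__":
    txid = bytes(range(1, 17))
    req = stun_message(BINDING_REQUEST, txid=txid)
    resp = binding_response(txid)
    print("binding request alone matches:", l7_match(STUN_FIRST_PACKET, req))
    print("zero TxID bytes tolerated:", zero_bytes_tolerated())
    print("response as first packet matches:", l7_match(STUN_FIRST_PACKET, resp))
    print("request + response, length 0x24:", l7_match(STUN_WITH_RESPONSE_LEN, req, resp))
    # Any 16 non-NUL bytes after \x01 also match: the false-positive risk the page notes.
    print("arbitrary 17-byte payload matches:", l7_match(STUN_FIRST_PACKET, b"\x01HELLO WORLD 1234"))
```

Running it shows the behaviour the comments describe: a Binding Request with zero or one NUL byte in its transaction ID matches, one with two does not, a response seen first does not match the first-packet pattern, and the request-plus-response flow matches the `\x01\x01\x24` variant because the three address attributes make the response length 36. The last line is the permissiveness caveat made concrete: any 17-byte datagram starting with `\x01` and containing no NUL bytes also matches, which is why the author suggests pairing the pattern with a length check.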