# RTP - Real-time Transport Protocol - RFC 3550
# Pattern attributes: marginal overmatch undermatch veryfast fast
# Protocol groups: streaming_video ietf_internet_standard
# Wiki: http://www.protocolinfo.org/wiki/RTP
#
# RTP headers are *very* short and compact.  They have almost nothing in 
# them that can be matched by l7-filter.  If you want to match them 
# along with their associated SIP packets, I think the best way might be 
# to set up some iptables rules that watch for SIP packets and then also 
# match any other UDP packets that are going between the same two IP 
# addresses.
#
# However, I will attempt a pattern anyway.  This is UNTESTED!
# 
# I think we can count on the first bit being 1 and the second bit being 
# 0 (meaning protocol version 2). The next two bits could go either way, 
# but in the example I've seen, they are zero, so I'll assume they are 
# usually zero.  The next four bits are a count of "contributing source 
# identifiers".  I'm not sure how big that could be, but in the example 
# I've seen, they're zero, so I'll assume they're usually zero. So that 
# gives us ^\x80.  The marker bit that comes next is probably zero for 
# the first packet, although that's not a sure thing.  Next is the 
# payload type, 7 bits that might usually only take a few values, but 
# maybe not. In the example I've seen, it's zero, which (with a zero 
# marker bit) means it looks to l7-filter like it's not there at all.  
# The rest of the header is random numbers (sequence number, timestamp, 
# synchronization source identifier), so that's no help at all.
#
# I think the best we could do is to watch to see if several \x80 bytes 
# come in with a small number of bytes between them.  This makes all the 
# above assumptions and also assumes that the first packet has no 
# payload and not too much trailing garbage.  So this will definitely not
# work all the time.  It clearly also might match other stuff.

rtp
^\x80......?.?.?.?.?.?.?.?.?.?.?.?.?\x80

# Might also try this.  It's a bit slower (one packet and not too much extra
# regexec load) and a bit more accurate:
#^\x80......?.?.?.?.?.?.?.?.?.?.?.?.?\x80.*\x80

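# Added example (not part of this pattern file or of l7-filter): builds RFC 3550
# headers with struct, then runs the two patterns above against constructed
# packet streams. It assumes l7-filter concatenates packet payloads and drops
# NUL bytes before matching, which is the "looks like it's not there" effect
# described above; the sequence, timestamp and SSRC values are made up.

```python
import re
import struct

# The two l7-filter patterns from this file, as Python byte regexes.
# l7-filter uses POSIX extended regexes where '.' matches any byte,
# which is what re.DOTALL gives us here.
FAST_PATTERN = re.compile(rb"^\x80......?.?.?.?.?.?.?.?.?.?.?.?.?\x80", re.DOTALL)
ACCURATE_PATTERN = re.compile(rb"^\x80......?.?.?.?.?.?.?.?.?.?.?.?.?\x80.*\x80", re.DOTALL)


def build_rtp(payload_type, seq, timestamp, ssrc, payload=b"", marker=0):
    """Build an RFC 3550 packet: 12-byte fixed header, no CSRC list.
    V=2, P=0, X=0, CC=0 yields the 0x80 first byte the pattern relies on."""
    first = (2 << 6) | 0                         # version 2, no P/X, CC=0
    second = (marker << 7) | (payload_type & 0x7F)
    return struct.pack("!BBHII", first, second, seq, timestamp, ssrc) + payload


def parse_rtp_header(data):
    """Decode the fixed-header fields the comments above walk through."""
    first, second, seq, timestamp, ssrc = struct.unpack("!BBHII", data[:12])
    return {
        "version": first >> 6, "padding": (first >> 5) & 1,
        "extension": (first >> 4) & 1, "cc": first & 0x0F,
        "marker": second >> 7, "payload_type": second & 0x7F,
        "seq": seq, "timestamp": timestamp, "ssrc": ssrc,
    }


def l7_view(packets):
    """What l7-filter matches against (assumption): payloads concatenated,
    NUL bytes dropped.  With PT=0 and marker=0 the second header byte
    vanishes, so only 10 bytes separate consecutive 0x80s."""
    return b"".join(packets).replace(b"\x00", b"")


def matches(pattern, packets):
    return pattern.match(l7_view(packets)) is not None


def sample_packets(payload, count=3):
    """Three PCMU (PT=0) packets from one SSRC; constructed values."""
    return [build_rtp(0, 0x1234 + i, 0x0A0B0C0D + 160 * i, 0xDEADBEEF, payload)
            for i in range(count)]


if __name__ == "__main__":
    # Empty packets match; 20 ms of PCMU payload (160 bytes) pushes the next
    # 0x80 too far out for the pattern, so real voice streams are missed.
    print(matches(FAST_PATTERN, sample_packets(b"")))            # True
    print(matches(FAST_PATTERN, sample_packets(b"\xff" * 160)))  # False
```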