Application-specific payload bit strings --- Thomas Karagiannis --- last modified November 5, 2004. ---------------------------------------------------- Numbers in parenthesis denote the beginning byte in the payload where each string is found. If there is no number the string is found at the beginning of the payload. "plen" denotes the size of the payload. \x denotes hex. && denotes AND, || denotes OR. plen - 2 = (1) denotes that the payload length minus 2 is given by the first byte in the payload ----------------------- UDP Bit Strings ------------------------- --- eDonkey --- \xe3, \xc5 (all UDP flow packets must begin with one of these bytes) --- Gnutella --- \x47\x4e\x44 , \x00\x01\x00\x00\x00\x00\x00 (16 , plen=23), "LIME" (23) , \x01\x01\x00\x1f\x00\x00\x00 (16) --- FastTrack --- \x27\x00\x00\x00\x29\x80 , \x27\x00\x00\x00\xa9\x80 , \x28\x00\x00\x00\x29\x00, \x28\x00\x00\x00\xa9\x00 , \x29\x00\x00\x00\x29 , \x29\x00\x00\x00\xa9 , \xc0\x28 , \xc1 (plen=7), \x2a (plen=5) --- Direct Connect --- "$SR " , "$Pin" --- Soribada/ Goboogy --- \x10 (plen=2) , \x51\x3a\x2b (3) , "" --- Mp2p --- \x00\x00\x00 (2) && ( \x00 (5) || \x01 (5) || \x02 (5) || \x03 (5) || \x04 (5) ) --- irc --- "USERNAME" --- DNS --- (\x00\x01\x00 (4) && \x00 (8) && \x00 (10) ) && ( \x00 (7)|| \x01 (7) ), \x01\x02\x00\x07\xd1\x86\x3f\xc3 --- Gaming --- \xff\xff\xff\xff && ( "details" (4) || "players" (4) || "ping" (4) || \x6d (4) || "getstatus" (4) || "getinfo" (4) || "status" (4) || "infoResponse" (4) ) , \x00\x00 (2) && \x00 (6) && ( \xc0 (7) || \x40 (7) || \x80) , "hostname" (5), \xfe\xfd\x00\xd6 , \x00\xd6\x2b\x7d \x5c && ( "status" (1) || "game" (1) || "death" (1) || "kill" (1) || "keyhash" (1) || "info" (1) ) , \x00\x00\x00\x0 && \x02\x00\x02\x00\x37 (12) --- streaming --- "applicat" (8) --- PeerEnabler --- "CL" && \x00 (4) --- SpamAssassin --- \x00 && \x04\x02\x00\x00\x00\x01 (2) --- SNMP --- \x30 && ( plen - 2 = (1) || plen - 4 = (2)(3) ) ----------------------- TCP Bit Strings 
------------------------- --- eDonkey --- \xe3\x19 && \x00\x00 (3) \xe3\x19 && \x28\x00 (3) \xe3\x01 && \x00\x00 (3) \xe3\x11 && \x00\x00 (3) \xe3\x14 && \x00\x00 (3) \xe3\x15 && \x00\x00 (3) \xc5\x3f && \x00\x00 (3) \xe3\x42 && \x00\x00 (3) \xe3\x48 && \x00\x00 (3) \xe3\x29 && \x00\x00 (3) \xc5\x0d && \x00\x00 (3) \xe3\x41 && \x00\x00 (3) \xc5\x32 && \x00\x00 (3) \xc5\x5e && \x00\x00 (3) \xe3\x45 && \x00\x00 (3) \xe3\x62 && \x00\x00 (3) \xe3\x63 && \x00\x00 (3) --- Gnutella --- "GNUTELLA" , "X-Query" , "X-Guess" , "X-Ultrap" , "X-Ext-" , "X-Try-" , "X-Degree" , "X-Lo" , "X-Max-" , "X-Version", "X-Dynami" , "Server: Mor" , "Server: Lim" , "User-Agent: Lime" , "Vendor-Message: " , "GET /uri" , "Busy Queued" (33) , "HTTP/1.1 503 Que" , "HTTP/1.1 503 Ful" , "HTTP/1.1 503 Not" --- FastTrack --- "GIVE " , "GET /.hash" , "Retry-After:" (17) , "Content-Range:" (14) --- Direct Connect --- "$Send" , "$Get" , "$Dir", "$ConnectT" , "$Supports" , "$Hello" , "$MyINFO" , "$Search " "$MyNick", "$Quit " , "$Key " , "$RevConn" , "$Version " , "$Lock " , "$HubName" --- BitTorrent --- \x13\x42\x69\x74 , \x00\x00\x00\x05\x04\x00\x00 , \x00\x00\x00\x0d\x06\x00\x00 , \x00\x00\x40\x09\x07\x00\x00 "GET /announce?" , "GET /torrents/" , "GET /scrape", "info_hash" (in the url of an HTTP request) --- soulseek --- plen-4 = (0) && ( \x01\x00\x00\x00 || \x03\x00\x00\x00 || \x07\x00\x00\x00 || \x05\x00\x00\x00 || \x12\x00\x00\x00 || \x1a\x00\x00\x00 || \x09\x00\x00\x00 || \x28\x00\x00\x00 || \x29\x00\x00\x00 || \x2a\x00\x00\x00 || \x41\x00\x00\x00 || \x20\x00\x00\x00 ) \x00\x00\x03\x31\x00\x00 (2) --- winmx --- \x31 (plen=1) , "SEND" (plen=4) , "GET" (plen=3) (within the first 6 packets of the flow only) \x50\x4e\x41\x00\x68\x56 --- Ares --- "GET hash:" , "PUSH " , "GET sha1:" , "HTTP/1.1 503 Bus" --- MP2P --- "MD5 " , "GO!!" 
, "SIZ " , "STR " --- GoBoogy/Soribada --- "GOT\x0d\x0aPro" , "goboogy" , "boogy" , "GET /gethashinfo" , "GET /getupdownin" , "GET /peer" , "GET /queue" , "GET /?p2pmethod=" --- PeerEnabler --- "GET /.file" , "GET /.sig" , "CDN0/0" , "CL" && \x00 (4) --- GoToMyPc --- "GET /jedi?reques" , "GET /1?" && "=" (14) , \x4d\x01\x00\x00 (plen=4) --- SSH --- "SSH" --- WEB --- "GET /" , "POST " , "HEAD " , "HTTP/1." , "SEARCH" , "PROPFIND" , "HTTP" , "GET " --- FTP --- "CWD " , "PASV" , "PORT " , "200 PORT" , "PWD\x0d\x0a" , "250 OK. Current" , "221" && "bye\x2e\x0d\x0a" (end of payload) , "220" && \x2e\x0d\x0a (end of payload) --- SMB --- "\xffSMB" (4) , \x81\x00\x00\x44\x20\x43\x4b\x46 , \x82\x00\x00\x00 (plen=4) , "No listen" , "no tcp" , \x2a (plen=1) , "rctcpo" , \x83\x00\x00\x01 (plen=5) --- nntp --- "CHECK <" , "TAKETHIS <" , "check <" , "takethis <" , "LISTGROUP" , "ARTICLE " , "\x0d\x0a=ybegin" , ("MODE " || "mode ") && ("READER" (5) || "STREAM" (5) || "reader" (5) || "stream" (5) ) --- mail --- "354 Enter mail" , "250 " && ( "OK" (4) || "Ok" (4) || "ok" (4) || "sender" (4) || "recipient" (4) ), "MAIL " , "DATA\x0d\x0a" , "RSET\x0d\x0a" , "EHLO" , "Received:" , "+OK " , "RCPT TO" , "STAT\x0d\x0a" "* OK " , "DONE\x0d\x0a" , "* STATUS" , "* FLAGS" , "INBOX\x0d\x0a" , "ompleted\x0d\x0a" (end of payload) --- ssh/ssl --- \x80 && plen-2 = (1) (\x03\x00 (1) || \x03\x01 (1) ) && (\x14 || \x15 || \x16 || \x17) (within the first 5 packets of the flow only) --- chat --- "PNG\x0d\x0a" (plen<10) , "USR " , "CVR " && (4) is digit , "QNG " && (4) is digit , "CHG " && (4) is digit , "NLN IDL " , "NLN NLN " , "YMSG" && \x00 (6) , \x2a\x05 && \x00\x00 (4) && plen =6 , \x50\x4e\x41\x00\x01 "MSG " , "JOI " , \x2a\x02 && ( "UPDATE_BUD" (6) || ( "\x00" (4) && "\x00" (6) "\x00" (8) "\x00\x00" (10) ) ) --- irc --- "PONG " , "JOIN " , "NICK " , ":irc" , "PING " , "PRIVMSG " , "WHO " , "WATCH " , "USERHOST " --- MySQL --- \x03 (4) && ( "SELECT" (5)|| "select" (5), "INSERT" (5), "show"(5) , 
update" (5), "UPDATE"(5) , "SHOW" (5), "insert" (5)) --- streaming --- "MMS " (12) , "RTSP/1" , "_PARAME" (3) , "PLAY rtsp" , "ICY " , "connected\x0d\x0a\x0d\x0a" , "\x00\x00ML20" (10) --- SpamAssassin --- "a=" && "\x26" (3) && ( "g" (2) || "c" (2) ) "a=" && \x0d\x0a (3) && plen=5 "sn=" && "\x26srl" (4) , "-nsl" , "cn=razor" --- Gaming --- "\xc2\x00" (plen=5) \x02\x00 (8) && \x00\x00 (4) && \x00 (1) && ("creat" (11) , "play" (11) , "users_" (10) "\x00\x06app_so\x00\x00\x00"