1
# NNTP - Network News Transfer Protocol - RFCs 977 and 2980
2
# Pattern quality: good veryfast
3
# usually runs on port 119
5
# This pattern is tested and is believed to work well (but could use
6
# more testing). If it does not work for you, or you believe it could
7
# be improved, please post to l7-filter-developers@lists.sf.net . This
8
# list may be subscribed to at
9
# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers
12
# matches authorized login
14
# matches unauthorized login if the server says "news" after 200/201
15
# (Half of the 2 servers I tested did :-), but they both required authorization
16
# so it's quite possible that this pattern will miss some nntp traffic.)
17
^(20[01][\x09-\x0d -~]*AUTHINFO USER|20[01][\x09-\x0d -~]*news)
19
# same thing, slightly more accurate, but 100+ times slower
20
#^20[01][\x09-\x0d -~]*\x0d\x0a[\x09-\x0d -~]*AUTHINFO USER|20[01][\x09-\x0d -~]*news