Hi Mike,

I see all of those signatures actually working by picking some sites
randomly with wget. This is with 0.12.0rc3 but honestly speaking there
has not been any major work related to the classification part for the
past 3-4 years.

I would suggest a couple of checks:
* see if HTTP traffic is reaped by some other classifier, but I guess
  you might have already checked that.
* see if the HTTP classifier is written correctly. Not referring only
  to the regexp but to the overall syntax. The implemented format is
  *veeery* sensitive to tabs, spaces, white lines, etc. So try to keep
  it essential. Strip comments and empty lines out.

Let me know.

Cheers,
Paolo


On Mon, Nov 16, 2009 at 01:13:03PM +0300, Mike Lykov wrote:
> Hi all on this list.
> 
> I am trying to install pmacct + protocol classification feature and want to ask 
> some questions about it.
> 
> pmacct + pmacct_v5 base + set of .pat files from l7filter site. See results:
> 
> successfully detect ftp,nntp,subversion,jabber,ssh,dns,pop3,smtp
> detect connection to jabber-icq gate as rtp
> detect ntp as edonkey
> don't detect http and http-ssl at all
> don't detect irc (tested on irc.freenode.org + irssi), whois (whois.ripn.net 
> + console whois)
> 
> False rtp/edonkey detections are a little inconvenience, but not to 
> detect http at all is a big disappointment!
> 
> I tried some variants of the regexp:
> simple HTTP/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]
> default http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019]
> second default http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]|post [\x09-\x0d -~]* http/[01]\.[019]
> 
> [ ... ]
> 
> Anybody here with http classification working? ;) 


_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
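
One way to carry out the second check suggested in the reply above, as an added example that is not part of the original thread and not pmacct's own code: it reduces an l7-filter style .pat file to its two essential lines (protocol name, then regexp) and tries the regexp on constructed payloads. Assumptions: `#` starts a comment, matching is case-insensitive as l7-filter patterns expect, and Python's `re` is only a rough stand-in for the regex engine pmacct uses.

```python
import re

# Constructed sample file; the regexp is the "default" variant quoted in the thread.
SAMPLE_PAT = r"""# HTTP - constructed header comment

http
# status line plus a common header, or a POST request line

http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019]
"""

# Constructed payloads: a server response and a client GET request.
RESPONSE = "HTTP/1.1 200 OK\r\nDate: Mon, 16 Nov 2009 10:13:03 GMT\r\nContent-Type: text/html\r\n\r\n"
GET_REQUEST = "GET / HTTP/1.0\r\nHost: example.org\r\n\r\n"


def minimize_pat(text):
    """Return (name, regex, warnings), keeping only the two essential lines."""
    kept, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment: dropped
        if raw != raw.strip():
            warnings.append(f"line {lineno}: leading/trailing whitespace removed")
        if "\t" in raw.strip():
            warnings.append(f"line {lineno}: literal tab inside the line")
        kept.append(raw.strip())
    if len(kept) != 2:
        raise ValueError(f"expected name + regexp, found {len(kept)} lines")
    name, regex = kept
    re.compile(regex)  # raises re.error if Python cannot parse the pattern
    return name, regex, warnings


def render(name, regex):
    """Serialise the minimal file: name line, regexp line, nothing else."""
    return f"{name}\n{regex}\n"


def classify(regex, payload):
    # Assumption: case-insensitive search, as l7-filter patterns expect.
    return re.search(regex, payload, re.IGNORECASE) is not None


if __name__ == "__main__":
    name, regex, warnings = minimize_pat(SAMPLE_PAT)
    print(render(name, regex), end="")
    print("warnings:", warnings)
    print("response matches:", classify(regex, RESPONSE))
    print("GET request matches:", classify(regex, GET_REQUEST))
```

With this pattern the constructed server response matches and the GET request does not, so a test needs payload from the server-to-client direction (or a POST) to exercise it.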
