| author | Nardi Ivan <nardi.ivan@gmail.com> | 2022-09-14 10:44:16 +0200 |
|---|---|---|
| committer | Toni <matzeton@googlemail.com> | 2022-09-14 17:52:01 +0200 |
| commit | 9ce4d40d1490fb0f89d9d5eb6d249529cbd60513 (patch) | |
| tree | 60c75381e87229f696b306f64266206b342c6213 | |
| parent | 7571f48392ef3b79eb25b94f1da6932a137c4f02 (diff) | |
Remove a case of guessed sub-classification
This code is triggered only for "unknown" flows with a valid
sni/hostname.
Why, in that case, should the guessed classification be
something like `DNS/Subprotocol_depending_on_hostname`? Why DNS as
master and not HTTP or TLS or QUIC?
Furthermore, I have not been able to trigger a positive match from that
lookup. I strongly think that if we had a valid subprotocol, we would
have a valid master in the first place.
When in doubt, remove it completely.
As a follow-up, we should investigate why some dissectors (the HTTP one,
at least) set the sni/hostname field without setting a valid protocol
in the first place.
This behaviour seems quite suspicious, if not plainly buggy.
| -rw-r--r-- | src/lib/ndpi_main.c | 11 |
|---|---|---|
| -rw-r--r-- | tests/result/fuzz-2006-06-26-2594.pcap.out | 4 |
| -rw-r--r-- | tests/result/http_guessed_host_and_guessed.pcapng.out | 4 |

3 files changed, 4 insertions, 15 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index c44391c85..7a01827ab 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -5788,17 +5788,6 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st confidence = NDPI_CONFIDENCE_DPI_PARTIAL; } - if(flow->host_server_name[0] != '\0') { - ndpi_protocol_match_result ret_match; - - ndpi_match_host_subprotocol(ndpi_str, flow, (char *) flow->host_server_name, - strlen((const char *) flow->host_server_name), &ret_match, - NDPI_PROTOCOL_DNS); - - if(ret_match.protocol_id != NDPI_PROTOCOL_UNKNOWN) - guessed_host_protocol_id = ret_match.protocol_id; - } - *protocol_was_guessed = 1; ndpi_set_detected_protocol(ndpi_str, flow, guessed_host_protocol_id, guessed_protocol_id, confidence); } diff --git a/tests/result/fuzz-2006-06-26-2594.pcap.out b/tests/result/fuzz-2006-06-26-2594.pcap.out index ea9276842..133e48e1e 100644 --- a/tests/result/fuzz-2006-06-26-2594.pcap.out +++ b/tests/result/fuzz-2006-06-26-2594.pcap.out @@ -14,8 +14,8 @@ LRU cache stun: 0/0/0 (insert/search/found) LRU cache tls_cert: 0/0/0 (insert/search/found) LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) -Automa host: 255/0 (search/found) -Automa domain: 248/0 (search/found) +Automa host: 254/0 (search/found) +Automa domain: 247/0 (search/found) Automa tls cert: 0/0 (search/found) Automa risk mask: 38/0 (search/found) Automa common alpns: 0/0 (search/found) diff --git a/tests/result/http_guessed_host_and_guessed.pcapng.out b/tests/result/http_guessed_host_and_guessed.pcapng.out index 51a013bf2..f646a1472 100644 --- a/tests/result/http_guessed_host_and_guessed.pcapng.out +++ b/tests/result/http_guessed_host_and_guessed.pcapng.out 
@@ -10,8 +10,8 @@ LRU cache stun: 0/0/0 (insert/search/found) LRU cache tls_cert: 0/0/0 (insert/search/found) LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) -Automa host: 2/0 (search/found) -Automa domain: 2/0 (search/found) +Automa host: 1/0 (search/found) +Automa domain: 1/0 (search/found) Automa tls cert: 0/0 (search/found) Automa risk mask: 0/0 (search/found) Automa common alpns: 0/0 (search/found) |
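Review bot: In the `ndpi_detection_giveup` hunk the removed block was the only place where `ndpi_match_host_subprotocol` was called with a hard-coded `NDPI_PROTOCOL_DNS` master for a flow whose master protocol is still unknown, so after this change `guessed_host_protocol_id` is whatever was computed earlier in the function and is no longer overwritten from the hostname automa; please state that in the commit body explicitly, since the message argues the lookup never matched but the regression corpus only demonstrates that for the two pcaps touched. A second point: no test pins the new behaviour. The `*protocol_was_guessed = 1;` and `ndpi_set_detected_protocol(...)` context lines still run unconditionally, so a small pcap with an otherwise-unknown flow carrying an `host_server_name` that does match a host automa entry would show, in its `.out` file, that the flow now stays unknown (or keeps its earlier guess) instead of being reported as `DNS/<subprotocol>`, which is exactly the misclassification the message describes.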
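Review bot: In the `fuzz-2006-06-26-2594.pcap.out` hunk the only visible effect is that both `Automa host` and `Automa domain` search counters drop by exactly one (255 to 254 and 248 to 247) while `found` stays at 0, and no per-flow result line changes; that is consistent with one removed lookup on a single giveup path and supports the claim that the lookup never produced a match here. It would help future readers if the commit message said that a one-off decrease in these two counters is the expected side effect, so nobody treats the diff in the result files as a classification regression.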