author | Toni <matzeton@googlemail.com> | 2021-07-13 15:10:18 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-07-13 15:10:18 +0200 |
commit | e4453938d5329daaa0ea682bba55d354759c077e (patch) | |
tree | 52516639956d30eff17ff3c0a7b5e903ee89524e | |
parent | cccf794265dee24f25e16f21753972b20f7593c5 (diff) |
Improved dnscrypt midstream detection. (#1241)
* fixed false-positive Skype detection of DNSCrypt traffic
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r-- | src/lib/protocols/dnscrypt.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/skype.c | 9 | ||||
-rw-r--r-- | tests/pcap/dnscrypt_skype_false_positive.pcapng | bin | 0 -> 2720 bytes | |||
-rw-r--r-- | tests/result/dnscrypt_skype_false_positive.pcapng.out | 7 |
4 files changed, 17 insertions, 1 deletions
diff --git a/src/lib/protocols/dnscrypt.c b/src/lib/protocols/dnscrypt.c
index 6c89466f1..af147614a 100644
--- a/src/lib/protocols/dnscrypt.c
+++ b/src/lib/protocols/dnscrypt.c
@@ -38,7 +38,7 @@ void ndpi_search_dnscrypt(struct ndpi_detection_module_struct *ndpi_struct,
 NDPI_LOG_DBG(ndpi_struct, "search dnscrypt\n");
- if (flow->packet_counter > 2)
+ if (flow->packet_counter > 3)
 {
 NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 }
diff --git a/src/lib/protocols/skype.c b/src/lib/protocols/skype.c
index 0c2c0f675..9e17f32a1 100644
--- a/src/lib/protocols/skype.c
+++ b/src/lib/protocols/skype.c
@@ -35,6 +35,15 @@ static int ndpi_check_skype_udp_again(struct ndpi_detection_module_struct *ndpi_
 const uint8_t crc_len = sizeof(flow->l4.udp.skype_crc);
 const uint8_t crc_offset = id_flags_iv_crc_len - crc_len;
+ if (flow->packet_counter > 2)
+ {
+ /*
+ * Process only one packet after the initial packet received.
+ * This is required to prevent fals-positives with other protocols e.g. dnscrypt.
+ */
+ return 0;
+ }
+
 if ((payload_len >= id_flags_iv_crc_len) && (packet->payload[2] == 0x02 /* Payload flag */ )) {
 u_int8_t detected = 1;
diff --git a/tests/pcap/dnscrypt_skype_false_positive.pcapng b/tests/pcap/dnscrypt_skype_false_positive.pcapng
Binary files differ
new file mode 100644
index 000000000..36b614a73
--- /dev/null
+++ b/tests/pcap/dnscrypt_skype_false_positive.pcapng
diff --git a/tests/result/dnscrypt_skype_false_positive.pcapng.out b/tests/result/dnscrypt_skype_false_positive.pcapng.out
new file mode 100644
index 000000000..044da2e9e
--- /dev/null
+++ b/tests/result/dnscrypt_skype_false_positive.pcapng.out
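Review bot: The new threshold `flow->packet_counter > 3` is an undocumented magic number and nothing in the hunk records why the exclusion moved from the 2nd to the 3rd packet; the commit title ties it to mid-stream detection, so state that above the check, e.g. `/* Exclude after the 3rd packet: flows observed mid-stream (no initial exchange) need one extra packet to be recognised. */`. The threshold only makes sense together with the `packet_counter > 2` guard this same commit adds to skype.c, so that coupling deserves a mention in the comment as well. Raising the budget by one packet means every unclassified UDP flow reaching this dissector is inspected for one more packet before exclusion; cheap, but worth noting. ndpi_search_dnscrypt starts before the hunk and continues after it.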
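Review bot: The added early return sits after `crc_len` and `crc_offset` are already computed from the flow, so it reads as a guard clause but is not the first statement; moving it above those declarations makes the intent (and that nothing else runs for later packets) visible at a glance. The comment also has a typo ("fals-positives") and could state the contract precisely, e.g. `* Only the packet following the initial one is inspected (packet_counter <= 2); later packets return 0 so that` / `* longer-lived flows such as DNSCrypt are not misclassified by this single-flag heuristic.` Returning `0` here presumably means "not detected" for this static helper; if the caller uses a non-zero result to keep the dissector alive, a short comment or a named constant would remove the ambiguity. ndpi_check_skype_udp_again starts before the hunk and continues after it.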
@@ -0,0 +1,7 @@
+Guessed flow protos: 0
+
+DPI Packets (UDP): 4 (4.00 pkts/flow)
+
+DNScrypt 6 2380 1
+
+ 1 UDP 192.168.2.100:46858 <-> 212.47.228.136:443 [proto: 208/DNScrypt][cat: Network/14][3 pkts/1662 bytes <-> 3 pkts/718 bytes][Goodput ratio: 92/82][5137.13 sec][bytes ratio: 0.397 (Upload)][IAT c2s/s2c min/avg/max/stddev: 300005/300005 2568548/2568547 4837091/4837089 2268543/2268542][Pkt Len c2s/s2c min/avg/max/stddev: 554/154 554/239 554/282 0/60][PLAIN TEXT (OYy Tp)][Plen Bins: 0,0,0,16,0,0,0,33,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |