author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2022-12-22 21:41:32 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-12-22 21:41:32 +0100 |
commit | 5fafe8374a5cc0cc890053c5bf0cb81b3bda80c9 (patch) | |
tree | 41a82c662550d5aaab0c31e45875106c61e3949e | |
parent | e9d5e72fb58d5989673487c4b4ef4584d8694467 (diff) |
postgres: improve detection (#1831)
Remove some dead code (found via coverage report)
-rw-r--r-- | src/lib/protocols/ajp.c | 6 | ||||
-rw-r--r-- | src/lib/protocols/dns.c | 3 | ||||
-rw-r--r-- | src/lib/protocols/ftp_control.c | 4 | ||||
-rw-r--r-- | src/lib/protocols/ftp_data.c | 6 | ||||
-rw-r--r-- | src/lib/protocols/mqtt.c | 3 | ||||
-rw-r--r-- | src/lib/protocols/non_tcp_udp.c | 7 | ||||
-rw-r--r-- | src/lib/protocols/ookla.c | 4 | ||||
-rw-r--r-- | src/lib/protocols/postgres.c | 47 | ||||
-rw-r--r-- | src/lib/protocols/rsync.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/sopcast.c | 3 | ||||
-rw-r--r-- | src/lib/protocols/steam.c | 6 | ||||
-rw-r--r-- | src/lib/protocols/z3950.c | 3 | ||||
-rw-r--r-- | tests/pcap/pgsql.pcap | bin | 5357 -> 10345 bytes | |||
-rw-r--r-- | tests/result/pgsql.pcap.out | 18 |
14 files changed, 39 insertions, 73 deletions
diff --git a/src/lib/protocols/ajp.c b/src/lib/protocols/ajp.c index 5a8dd00dd..75a99345a 100644 --- a/src/lib/protocols/ajp.c +++ b/src/lib/protocols/ajp.c @@ -110,12 +110,6 @@ static void ndpi_check_ajp(struct ndpi_detection_module_struct *ndpi_struct, void ndpi_search_ajp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - // Break after 20 packets. - if(flow->packet_counter > 20) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return; - } - NDPI_LOG_DBG(ndpi_struct, "search AJP\n"); ndpi_check_ajp(ndpi_struct, flow); diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 855232ecd..298f0967f 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -105,13 +105,10 @@ static u_int16_t checkPort(u_int16_t port) { switch(port) { case DNS_PORT: return(NDPI_PROTOCOL_DNS); - break; case LLMNR_PORT: return(NDPI_PROTOCOL_LLMNR); - break; case MDNS_PORT: return(NDPI_PROTOCOL_MDNS); - break; } return(0); diff --git a/src/lib/protocols/ftp_control.c b/src/lib/protocols/ftp_control.c index 2566e55da..edc41e5f6 100644 --- a/src/lib/protocols/ftp_control.c +++ b/src/lib/protocols/ftp_control.c @@ -563,8 +563,6 @@ static int ndpi_ftp_control_check_response(struct ndpi_flow_struct *flow, printf("%s() [%.*s]\n", __FUNCTION__, (int)payload_len, payload); #endif - if(payload_len == 0) return(1); - switch(payload[0]) { case '1': case '2': @@ -573,14 +571,12 @@ static int ndpi_ftp_control_check_response(struct ndpi_flow_struct *flow, if(flow->l4.tcp.ftp_imap_pop_smtp.auth_found == 1) flow->l4.tcp.ftp_imap_pop_smtp.auth_tls = 1; return(1); - break; case '4': case '5': flow->l4.tcp.ftp_imap_pop_smtp.auth_failed = 1; flow->l4.tcp.ftp_imap_pop_smtp.auth_done = 1; return(1); - break; } return 0; diff --git a/src/lib/protocols/ftp_data.c b/src/lib/protocols/ftp_data.c index 11c04744b..d532a6c66 100644 --- a/src/lib/protocols/ftp_data.c +++ b/src/lib/protocols/ftp_data.c 
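Review bot: Removing `if(payload_len == 0) return(1);` leaves `switch(payload[0])` in ndpi_ftp_control_check_response with no in-function check that the first byte is readable; the guard is only dead if every caller already rejects empty payloads, and that invariant is now enforced nowhere near the access. Coverage showing the line unreached is evidence about today's callers, not about the function's contract, and the helper takes a bare pointer and length, so a future caller can pass a zero-length buffer. I would either keep the one-line guard, which costs nothing, or state the precondition where the read happens: `/* precondition: payload_len > 0 -- callers must never pass an empty payload */`. The function's signature and the start of its body are outside the hunk, so I could not confirm how payload_len is derived.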
@@ -250,12 +250,6 @@ static void ndpi_check_ftp_data(struct ndpi_detection_module_struct *ndpi_struct void ndpi_search_ftp_data(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - /* Break after 20 packets. */ - if(flow->packet_counter > 20) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return; - } - NDPI_LOG_DBG(ndpi_struct, "search FTP_DATA\n"); ndpi_check_ftp_data(ndpi_struct, flow); } diff --git a/src/lib/protocols/mqtt.c b/src/lib/protocols/mqtt.c index 66eebc8a7..2e66e1bdc 100644 --- a/src/lib/protocols/mqtt.c +++ b/src/lib/protocols/mqtt.c @@ -90,9 +90,6 @@ void ndpi_search_mqtt (struct ndpi_detection_module_struct *ndpi_struct, NDPI_LOG_DBG(ndpi_struct, "search Mqtt\n"); struct ndpi_packet_struct *packet = &ndpi_struct->packet; - if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { - return; - } if (flow->packet_counter > 10) { NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt .. mandatory header not found!\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); diff --git a/src/lib/protocols/non_tcp_udp.c b/src/lib/protocols/non_tcp_udp.c index 44ae5ac01..c023029e6 100644 --- a/src/lib/protocols/non_tcp_udp.c +++ b/src/lib/protocols/non_tcp_udp.c @@ -40,13 +40,6 @@ void ndpi_search_in_non_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &ndpi_struct->packet; - - if (packet->iph == NULL) { - if (packet->iphv6 == NULL) - return; - } - switch (flow->l4_proto) { case NDPI_IPSEC_PROTOCOL_ESP: case NDPI_IPSEC_PROTOCOL_AH: diff --git a/src/lib/protocols/ookla.c b/src/lib/protocols/ookla.c index f3aec6e68..137b0a2a3 100644 --- a/src/lib/protocols/ookla.c +++ b/src/lib/protocols/ookla.c 
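Review bot: The deleted NULL test on `packet->iph` and `packet->iphv6` was the only header-presence check in ndpi_search_in_non_tcp_udp, and the `switch (flow->l4_proto)` that follows runs past the hunk, so I cannot see whether any case body dereferences either pointer. The `packet` local was removed as well, which suggests nothing below uses it, but that is inference from the hunk rather than something I can verify here. If the core only invokes this dissector after it has parsed an IPv4 or IPv6 header, that is the assumption being relied on and it deserves a line at the top of the function: `/* only called by the core for flows with a parsed IPv4/IPv6 header (iph or iphv6 set) */`.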
@@ -100,10 +100,8 @@ void ndpi_search_ookla(struct ndpi_detection_module_struct* ndpi_struct, struct } else { if(sport == ookla_port) addr = packet->iph->saddr; - else if(dport == ookla_port) - addr = packet->iph->daddr; else - goto ookla_exclude; + addr = packet->iph->daddr; #ifdef OOKLA_DEBUG printf("=>>>>>>>> [OOKLA IPv4] Searching %u\n", addr); diff --git a/src/lib/protocols/postgres.c b/src/lib/protocols/postgres.c index fbefd44b5..a55f0ad45 100644 --- a/src/lib/protocols/postgres.c +++ b/src/lib/protocols/postgres.c @@ -40,7 +40,6 @@ void ndpi_search_postgres_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - u_int16_t size; if (flow->l4.tcp.postgres_stage == 0) { //SSL @@ -60,6 +59,16 @@ void ndpi_search_postgres_tcp(struct ndpi_detection_module_struct flow->l4.tcp.postgres_stage = 3 + packet->packet_direction; return; } + //GSS + if (packet->payload_packet_len > 7 && + packet->payload[4] == 0x04 && + packet->payload[5] == 0xd2 && + packet->payload[6] == 0x16 && + packet->payload[7] == 0x30 && + ntohl(get_u_int32_t(packet->payload, 0)) == packet->payload_packet_len) { + flow->l4.tcp.postgres_stage = 5 + packet->packet_direction; + return; + } } else { if (flow->l4.tcp.postgres_stage == 2 - packet->packet_direction) { //SSL accepted @@ -76,7 +85,7 @@ void ndpi_search_postgres_tcp(struct ndpi_detection_module_struct } } //no SSL - if (flow->l4.tcp.postgres_stage == 4 - packet->packet_direction) + if (flow->l4.tcp.postgres_stage == 4 - packet->packet_direction) { if (packet->payload_packet_len > 8 && ntohl(get_u_int32_t(packet->payload, 5)) < 10 && ntohl(get_u_int32_t(packet->payload, 1)) == (uint32_t)packet->payload_packet_len - 1 && packet->payload[0] == 0x52) { 
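Review bot: The new else-branch assigns `addr = packet->iph->daddr` whenever `sport != ookla_port`, so correctness now depends on an earlier check, outside the hunk, that one of the two ports equals ookla_port; without it a flow on neither port is looked up by its destination address instead of taking the old `goto ookla_exclude` path. If that guard exists, record the assumption where it is used, e.g. `else /* sport != ookla_port, so dport == ookla_port (checked above) */ addr = packet->iph->daddr;`. The enclosing function starts before the hunk, so I could not confirm the guard myself.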
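Review bot: The GSSENCRequest match in ndpi_search_postgres_tcp compares bytes 4..7 one at a time, which hides that `04 d2 16 30` is the protocol's 32-bit request code (1234 in the high half, 5680 in the low half, i.e. 80877104); a named constant and a single comparison, `#define PG_GSSENC_REQUEST_CODE 80877104` and `ntohl(get_u_int32_t(packet->payload, 4)) == PG_GSSENC_REQUEST_CODE`, would make the intent and its parallel with the SSLRequest check above obvious. The bounds are fine: `payload_packet_len > 7` covers every byte read before the length comparison. The new stage values (`5 + packet_direction`, so up to 6) go beyond the previous maximum; `postgres_stage` lives in `flow->l4.tcp` and its width is not visible in this diff, so confirm it can hold 6 without truncation, otherwise the `6 - packet_direction` comparison in the later hunk can never match.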
@@ -84,29 +93,25 @@ void ndpi_search_postgres_tcp(struct ndpi_detection_module_struct ndpi_int_postgres_add_connection(ndpi_struct, flow); return; } - if (flow->l4.tcp.postgres_stage == 6 - && ntohl(get_u_int32_t(packet->payload, 1)) == (uint32_t)packet->payload_packet_len - 1 && packet->payload[0] == 'p') { - NDPI_LOG_INFO(ndpi_struct, "found postgres asymmetrically\n"); - ndpi_int_postgres_add_connection(ndpi_struct, flow); - return; - } - if (flow->l4.tcp.postgres_stage == 5 && packet->payload[0] == 'R') { - if (ntohl(get_u_int32_t(packet->payload, 1)) == (uint32_t)packet->payload_packet_len - 1) { - NDPI_LOG_INFO(ndpi_struct, "found postgres asymmetrically\n"); + if (packet->payload_packet_len > 8 && + ntohl(get_u_int32_t(packet->payload, 5)) == 0 && + ntohl(get_u_int32_t(packet->payload, 1)) == 8 && packet->payload[0] == 0x52) { + NDPI_LOG_INFO(ndpi_struct, "PostgreSQL detected, no SSL, auth succ, multiple msg\n"); ndpi_int_postgres_add_connection(ndpi_struct, flow); return; } - size = (u_int16_t)ntohl(get_u_int32_t(packet->payload, 1)) + 1; - if (size > 0 && size - 1 < packet->payload_packet_len && packet->payload[size - 1] == 'S') { - if ((size + get_u_int32_t(packet->payload, (size + 1))) == packet->payload_packet_len) { - NDPI_LOG_INFO(ndpi_struct, "found postgres asymmetrically\n"); - ndpi_int_postgres_add_connection(ndpi_struct, flow); - return; - } + } + //GSS + if (flow->l4.tcp.postgres_stage == 6 - packet->packet_direction) { + //GSS accepted + if (packet->payload_packet_len == 1 && packet->payload[0] == 'G') { + NDPI_LOG_INFO(ndpi_struct, "PostgreSQL detected, GSS accepted\n"); + ndpi_int_postgres_add_connection(ndpi_struct, flow); + return; } - size += get_u_int32_t(packet->payload, (size + 1)) + 1; - if (size > 0 && size - 1 < packet->payload_packet_len && packet->payload[size - 1] == 'S') { - NDPI_LOG_INFO(ndpi_struct, "found postgres asymmetrically\n"); + //GSS denied + if (packet->payload_packet_len == 1 && packet->payload[0] == 'N') { + 
NDPI_LOG_INFO(ndpi_struct, "PostgreSQL detected, GSS denied\n"); ndpi_int_postgres_add_connection(ndpi_struct, flow); return; } diff --git a/src/lib/protocols/rsync.c b/src/lib/protocols/rsync.c index eeda3dce8..ba5b114ee 100644 --- a/src/lib/protocols/rsync.c +++ b/src/lib/protocols/rsync.c @@ -50,8 +50,6 @@ void ndpi_search_rsync(struct ndpi_detection_module_struct *ndpi_struct, struct NDPI_LOG_INFO(ndpi_struct, "found rsync\n"); ndpi_int_rsync_add_connection(ndpi_struct, flow); } - } else { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } } diff --git a/src/lib/protocols/sopcast.c b/src/lib/protocols/sopcast.c index 7d44cabaa..b903538cc 100644 --- a/src/lib/protocols/sopcast.c +++ b/src/lib/protocols/sopcast.c @@ -51,9 +51,6 @@ __forceinline static #endif u_int8_t ndpi_int_is_sopcast_tcp(const u_int8_t * payload, const u_int16_t payload_len) { - if (payload_len != 54) - return 0; - if (payload[2] != payload[3] - 4 && payload[2] != payload[3] + 4) return 0; diff --git a/src/lib/protocols/steam.c b/src/lib/protocols/steam.c index 0dc993245..a53d12848 100644 --- a/src/lib/protocols/steam.c +++ b/src/lib/protocols/steam.c @@ -243,7 +243,7 @@ static void ndpi_check_steam_udp3(struct ndpi_detection_module_struct *ndpi_stru } /* This is a packet in another direction. Check if we find the proper response. */ - if ((payload_len == 0) || ((payload_len == 8) && (packet->payload[0] == 0x3a) && (packet->payload[1] == 0x18) && (packet->payload[2] == 0x00) && (packet->payload[3] == 0x00))) { + if ((payload_len == 8) && (packet->payload[0] == 0x3a) && (packet->payload[1] == 0x18) && (packet->payload[2] == 0x00) && (packet->payload[3] == 0x00)) { NDPI_LOG_INFO(ndpi_struct, "found STEAM\n"); ndpi_int_steam_add_connection(ndpi_struct, flow); } else { 
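Review bot: The GSS-accepted and GSS-denied branches at stage `6 - packet_direction` are identical apart from the matched byte and the log text, so they can be a single test, `if (packet->payload_packet_len == 1 && (packet->payload[0] == 'G' || packet->payload[0] == 'N'))`, with the message picked from the byte; that also stops a third outcome from arriving as a third copy. Detecting on a one-byte reply is acceptable only because this stage is reached via the 8-byte GSSENCRequest match in the earlier hunk, and that dependency is worth stating next to the check: `/* one-byte reply is trusted only because the stage was set by the GSSENCRequest match */`. The new AuthenticationOk check (`'R'`, length 8, code 0) reads bytes 0..8 under `payload_packet_len > 8`, so its bounds are correct; its log text "auth succ, multiple msg" is terser than the neighbouring messages and `"PostgreSQL detected, no SSL, AuthenticationOk"` would read more clearly.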
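Review bot: With `if (payload_len != 54) return 0;` gone, ndpi_int_is_sopcast_tcp reads `payload[2]` and `payload[3]` (and whatever the rest of the function reads outside the hunk) with no length check of its own, and its `payload_len` parameter now looks unused in the visible part. The helper takes a raw pointer and a length, so it is callable from anywhere in the file; if the only caller already requires 54 bytes, put that contract where the reads happen, `/* precondition: payload_len == 54, enforced by the caller */`, so the next caller does not hand it a shorter buffer. Coverage shows the branch unreached by today's callers, not that it is redundant for the function's contract. The remainder of the function is outside the hunk.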
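Review bot: Dropping the `payload_len == 0` arm from the reverse-direction check in ndpi_check_steam_udp3 changes what counts as a valid reply rather than just deleting unreachable code: an empty packet in the other direction used to detect STEAM and now falls into the else-branch. That is behavior-neutral only if the function already rejects empty payloads before this point, which is outside the hunk and which I could not verify; a line such as `/* empty payloads never reach here: filtered earlier in this function */` would record why the arm was dead. The retained match is fully bounded by `payload_len == 8`, so no new out-of-bounds read is introduced.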
@@ -281,10 +281,6 @@ void ndpi_search_steam(struct ndpi_detection_module_struct *ndpi_struct, struct return; } - /* skip marked packets */ - if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_STEAM) - return; - NDPI_LOG_DBG(ndpi_struct, "search STEAM\n"); ndpi_check_steam_http(ndpi_struct, flow); diff --git a/src/lib/protocols/z3950.c b/src/lib/protocols/z3950.c index 18a06c1ec..279d8bf91 100644 --- a/src/lib/protocols/z3950.c +++ b/src/lib/protocols/z3950.c @@ -40,9 +40,6 @@ static int z3950_parse_sequences(struct ndpi_packet_struct const * const packet, int cur_sequences = 0; u_int8_t pdu_type; - if(packet->payload_packet_len < 2) - return(-1); - pdu_type = packet->payload[0] & 0x1F; if(((pdu_type < 20) || (pdu_type > 36)) && ((pdu_type < 43) || (pdu_type > 48))) diff --git a/tests/pcap/pgsql.pcap b/tests/pcap/pgsql.pcap Binary files differindex 9cff11581..273523fe8 100644 --- a/tests/pcap/pgsql.pcap +++ b/tests/pcap/pgsql.pcap diff --git a/tests/result/pgsql.pcap.out b/tests/result/pgsql.pcap.out index ee3b82a46..a8c024ee9 100644 --- a/tests/result/pgsql.pcap.out +++ b/tests/result/pgsql.pcap.out @@ -1,8 +1,8 @@ Guessed flow protos: 0 -DPI Packets (TCP): 12 (6.00 pkts/flow) -Confidence DPI : 2 (flows) -Num dissector calls: 260 (130.00 diss/flow) +DPI Packets (TCP): 36 (6.00 pkts/flow) +Confidence DPI : 6 (flows) +Num dissector calls: 780 (130.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) 
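Review bot: z3950_parse_sequences now reads `packet->payload[0]` with no length check of its own after the `payload_packet_len < 2` guard was removed; the function is static and its signature starts before the hunk, so the caller that must now guarantee at least two bytes is not visible here. A precondition comment beside the read, `/* precondition: payload_packet_len >= 2, checked by the caller */`, keeps that invariant next to the access that depends on it. The removed guard also returned -1, so if any caller distinguished that return for short packets its behavior has changed; confirm none does.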
@@ -16,11 +16,15 @@ Automa domain: 0/0 (search/found) Automa tls cert: 0/0 (search/found) Automa risk mask: 0/0 (search/found) Automa common alpns: 0/0 (search/found) -Patricia risk mask: 4/0 (search/found) +Patricia risk mask: 12/0 (search/found) Patricia risk: 0/0 (search/found) -Patricia protocols: 4/0 (search/found) +Patricia protocols: 12/0 (search/found) -PostgreSQL 39 4709 2 +PostgreSQL 88 8913 6 1 TCP 127.0.0.1:45930 <-> 127.0.0.1:5432 [proto: 19/PostgreSQL][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Database/11][12 pkts/1366 bytes <-> 12 pkts/1664 bytes][Goodput ratio: 41/52][15.40 sec][bytes ratio: -0.098 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1002/1011 8826/8907 2767/2792][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 114/139 327/348 73/104][PLAIN TEXT (database)][Plen Bins: 8,41,0,16,0,8,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 TCP 127.0.0.1:45931 <-> 127.0.0.1:5432 [proto: 19/PostgreSQL][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Database/11][7 pkts/705 bytes <-> 8 pkts/974 bytes][Goodput ratio: 33/45][0.12 sec][bytes ratio: -0.160 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/14 45/40 18/16][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 101/122 222/251 52/72][PLAIN TEXT (database)][Plen Bins: 14,28,14,0,14,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 TCP 172.16.20.244:59039 <-> 172.16.20.75:5432 [proto: 19/PostgreSQL][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Database/11][10 pkts/924 bytes <-> 6 pkts/911 bytes][Goodput ratio: 27/56][0.01 sec][bytes ratio: 0.007 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 1/2 3/7 1/3][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 92/152 175/455 38/139][PLAIN TEXT (database)][Plen Bins: 37,12,25,12,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 TCP 127.0.0.1:45931 <-> 127.0.0.1:5432 [proto: 19/PostgreSQL][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Database/11][7 
pkts/705 bytes <-> 8 pkts/974 bytes][Goodput ratio: 33/45][0.12 sec][bytes ratio: -0.160 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/14 45/40 18/16][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 101/122 222/251 52/72][PLAIN TEXT (database)][Plen Bins: 14,28,14,0,14,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 TCP 172.16.20.244:59037 <-> 172.16.20.75:5432 [proto: 19/PostgreSQL][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Database/11][8 pkts/628 bytes <-> 5 pkts/363 bytes][Goodput ratio: 14/7][0.00 sec][bytes ratio: 0.267 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/2 0/1 2/2 1/1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 78/73 146/90 26/9][PLAIN TEXT (database)][Plen Bins: 75,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 TCP 172.16.20.244:59036 <-> 172.16.20.75:5432 [proto: 19/PostgreSQL][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Database/11][6 pkts/416 bytes <-> 4 pkts/273 bytes][Goodput ratio: 2/0][0.16 sec][bytes ratio: 0.208 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 31/76 151/152 60/76][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 69/68 78/74 5/3][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 TCP 172.16.20.244:59038 <-> 172.16.20.75:5432 [proto: 19/PostgreSQL][IP: 0/Unknown][ClearText][Confidence: DPI][cat: Database/11][6 pkts/416 bytes <-> 4 pkts/273 bytes][Goodput ratio: 2/0][0.02 sec][bytes ratio: 0.208 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 4/9 17/18 7/9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 69/68 78/74 5/3][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |