author | Toni <matzeton@googlemail.com> | 2022-11-15 08:59:45 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-11-15 08:59:45 +0100 |
commit | b5e8d86def96fa86a8495070a477ce3b5ce71b49 (patch) | |
tree | cc858bff345698019c6b2ae7b7c296b22f23e8a2 | |
parent | cd41ab7c8f4c5d20efff5c39a2f805277f6d8dc3 (diff) |
Improved Teamspeak3 License/Weblist detection. (#1802)
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r-- | src/lib/protocols/teamspeak.c | 37 | ||||
-rw-r--r-- | tests/pcap/teamspeak3.pcap | bin | 2143 -> 42463 bytes | |||
-rw-r--r-- | tests/result/teamspeak3.pcap.out | 17 |
3 files changed, 46 insertions, 8 deletions
diff --git a/src/lib/protocols/teamspeak.c b/src/lib/protocols/teamspeak.c index 6dfe89f75..1a3acdb22 100644 --- a/src/lib/protocols/teamspeak.c +++ b/src/lib/protocols/teamspeak.c @@ -42,6 +42,7 @@ void ndpi_search_teamspeak(struct ndpi_detection_module_struct *ndpi_struct, str { NDPI_LOG_INFO(ndpi_struct, "found TEAMSPEAK udp\n"); ndpi_int_teamspeak_add_connection(ndpi_struct, flow); + return; } } else if(packet->tcp != NULL) { /* https://github.com/Youx/soliloque-server/wiki/Connection-packet */ @@ -51,12 +52,48 @@ void ndpi_search_teamspeak(struct ndpi_detection_module_struct *ndpi_struct, str { NDPI_LOG_INFO(ndpi_struct, "found TEAMSPEAK tcp\n"); ndpi_int_teamspeak_add_connection(ndpi_struct, flow); + return; } /* http://www.imfirewall.com/en/protocols/teamSpeak.htm */ } } + if (packet->udp != NULL) + { + if (packet->payload_packet_len == 16 && + packet->payload[0] == 0x01 && packet->payload[3] == 0x02 && + get_u_int32_t(packet->payload, 11) == 0x00000000 && packet->payload[15] == 0x00) + { + goto ts3_license_weblist; + } + + if ((packet->payload_packet_len == 4 || packet->payload_packet_len == 8) && + packet->payload[0] == 0x01 && packet->payload[3] == 0x01) + { + goto ts3_license_weblist; + } + + if (packet->payload_packet_len == 5 && + packet->payload[0] == 0x01 && packet->payload[3] == 0x02 && + packet->payload[4] == 0x00) + { + goto ts3_license_weblist; + } + } + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; + +ts3_license_weblist: + if (flow->packet_counter == 3) + { + NDPI_LOG_INFO(ndpi_struct, "found TEAMSPEAK license/weblist\n"); + ndpi_int_teamspeak_add_connection(ndpi_struct, flow); + return; + } + if (flow->packet_counter >= 3) + { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + } } void init_teamspeak_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, diff --git a/tests/pcap/teamspeak3.pcap b/tests/pcap/teamspeak3.pcap Binary files differindex 31f06b82f..a5ba2df0b 100644 --- a/tests/pcap/teamspeak3.pcap 
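Review bot: In the `ts3_license_weblist:` block of the second teamspeak.c hunk, the test `if (flow->packet_counter >= 3)` can never be true for a count of exactly 3, because the `== 3` branch above it returns; `if (flow->packet_counter > 3)` says what actually happens. The three UDP tests that jump to the label are bare magic numbers on 4-, 5-, 8- and 16-byte payloads, and no port or direction constraint is visible in the hunk. Each index read is covered by its exact-length comparison, so the bounds look fine, but the signature is short, and unrelated UDP traffic whose first three packets carry `0x01` at offset 0 and `0x01`/`0x02` at offset 3 would presumably be labelled TeamSpeak. A one-line comment above each test would let a reader judge how specific the match is, e.g. `/* TS3 license/weblist: <message name>, layout per <reference> */`. The function begins outside the hunk, so whether an earlier check narrows the candidates cannot be seen from here.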
+++ b/tests/pcap/teamspeak3.pcap diff --git a/tests/result/teamspeak3.pcap.out b/tests/result/teamspeak3.pcap.out index bc099a559..e86e15193 100644 --- a/tests/result/teamspeak3.pcap.out +++ b/tests/result/teamspeak3.pcap.out @@ -1,8 +1,8 @@ Guessed flow protos: 0 -DPI Packets (UDP): 1 (1.00 pkts/flow) -Confidence DPI : 1 (flows) -Num dissector calls: 61 (61.00 diss/flow) +DPI Packets (UDP): 4 (2.00 pkts/flow) +Confidence DPI : 2 (flows) +Num dissector calls: 203 (101.50 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) 
@@ -15,10 +15,11 @@ Automa domain: 0/0 (search/found) Automa tls cert: 0/0 (search/found) Automa risk mask: 0/0 (search/found) Automa common alpns: 0/0 (search/found) -Patricia risk mask: 2/0 (search/found) -Patricia risk: 0/0 (search/found) -Patricia protocols: 2/0 (search/found) +Patricia risk mask: 4/0 (search/found) +Patricia risk: 2/0 (search/found) +Patricia protocols: 4/0 (search/found) -TeamSpeak 13 1911 1 +TeamSpeak 589 33015 2 - 1 UDP 10.0.0.1:53187 -> 10.0.0.2:9987 [proto: 162/TeamSpeak][IP: 0/Unknown][ClearText][Confidence: DPI][cat: VoIP/10][13 pkts/1911 bytes -> 0 pkts/0 bytes][Goodput ratio: 71/0][37.01 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 387/0 1301/0 449/0][Pkt Len c2s/s2c min/avg/max/stddev: 76/0 147/0 230/0 77/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (DDDDDDffffff)][Plen Bins: 0,53,0,0,0,46,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP 193.31.25.70:2011 <-> 51.68.181.92:2010 [proto: 162/TeamSpeak][IP: 0/Unknown][ClearText][Confidence: DPI][cat: VoIP/10][288 pkts/14976 bytes <-> 288 pkts/16128 bytes][Goodput ratio: 19/12][85808.12 sec][bytes ratio: -0.037 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 4/4 300028/300028 600231/600231 300023/300023][Pkt Len c2s/s2c min/avg/max/stddev: 46/56 52/56 58/56 6/0][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP 10.0.0.1:53187 -> 10.0.0.2:9987 [proto: 162/TeamSpeak][IP: 0/Unknown][ClearText][Confidence: DPI][cat: VoIP/10][13 pkts/1911 bytes -> 0 pkts/0 bytes][Goodput ratio: 71/0][37.01 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 387/0 1301/0 449/0][Pkt Len c2s/s2c min/avg/max/stddev: 76/0 147/0 230/0 77/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (DDDDDDffffff)][Plen Bins: 
0,53,0,0,0,46,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |