Prohibit MPEG-DASH to set HTTP as application protocol. (#1560)

Signed-off-by: lns <matzeton@googlemail.com>

4 files changed, 20 insertions, 11 deletions

diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index f30857577..88c207c9e 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -1110,10 +1110,10 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
 	      /* Let's check for Wordpress */
 	      char *slash = strchr(flow->http.url, '/');
 
-	      if(
-		 ((flow->http.method == NDPI_HTTP_METHOD_POST) && (strncmp(slash, "/wp-admin/", 10) == 0))
-		 || ((flow->http.method == NDPI_HTTP_METHOD_GET) && (strncmp(slash, "/wp-content/uploads/", 20) == 0))
-		 ) {
+	      if(slash != NULL &&
+		 (((flow->http.method == NDPI_HTTP_METHOD_POST) && (strncmp(slash, "/wp-admin/", 10) == 0))
+		 || ((flow->http.method == NDPI_HTTP_METHOD_GET) && (strncmp(slash, "/wp-content/uploads/", 20) == 0))		 
+		 )) {
 		/* Example of popular exploits https://www.wordfence.com/blog/2022/05/millions-of-attacks-target-tatsu-builder-plugin/ */
 		ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "Possible Wordpress Exploit");
 	      }
diff --git a/src/lib/protocols/mpegdash.c b/src/lib/protocols/mpegdash.c
index 6be2c1fe5..0e2ac1944 100644
--- a/src/lib/protocols/mpegdash.c
+++ b/src/lib/protocols/mpegdash.c
@@ -31,8 +31,15 @@
 static void ndpi_int_mpegdash_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
                                              struct ndpi_flow_struct *flow)
 {
-  ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id,
-                             NDPI_PROTOCOL_MPEGDASH, NDPI_CONFIDENCE_DPI);
+  if (flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN ||
+      flow->guessed_host_protocol_id == NDPI_PROTOCOL_HTTP)
+  {
+    ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MPEGDASH, NDPI_PROTOCOL_HTTP,
+                               NDPI_CONFIDENCE_DPI);
+  } else {
+    ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id, NDPI_PROTOCOL_MPEGDASH,
+                               NDPI_CONFIDENCE_DPI);
+  }
 }
 
 void ndpi_search_mpegdash_http(struct ndpi_detection_module_struct *ndpi_struct,
diff --git a/tests/pcap/mpeg-dash.pcap b/tests/pcap/mpeg-dash.pcap
index 71fdfb2c6..eaf6e75c4 100644
--- a/tests/pcap/mpeg-dash.pcap
+++ b/tests/pcap/mpeg-dash.pcap
diff --git a/tests/result/mpeg-dash.pcap.out b/tests/result/mpeg-dash.pcap.out
index f64effeab..919d6638a 100644
--- a/tests/result/mpeg-dash.pcap.out
+++ b/tests/result/mpeg-dash.pcap.out
@@ -1,10 +1,12 @@
 Guessed flow protos:	0
 
-DPI Packets (TCP):	6	(2.00 pkts/flow)
-Confidence DPI              : 3 (flows)
+DPI Packets (TCP):	10	(2.50 pkts/flow)
+Confidence DPI              : 4 (flows)
 
 AmazonAWS	9	2693	3
+MpegDash	4	1976	1
 
-	1	TCP 54.161.101.85:80 <-> 192.168.2.105:59144 [proto: 291.265/MpegDash.AmazonAWS][ClearText][Confidence: DPI][cat: Media/1][2 pkts/1649 bytes <-> 2 pkts/323 bytes][Goodput ratio: 92/59][0.01 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (OHTTP/1.1 200 OK)][Plen Bins: 0,0,33,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0]
-	2	TCP 192.168.2.105:59142 <-> 54.161.101.85:80 [proto: 291.265/MpegDash.AmazonAWS][ClearText][Confidence: DPI][cat: Cloud/13][3 pkts/390 bytes <-> 1 pkts/74 bytes][Goodput ratio: 47/0][0.10 sec][Hostname/SNI: livesim.dashif.org][User-Agent: VLC/3.0.16 LibVLC/3.0.16][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (IGET /livesim/sts)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	3	TCP 192.168.2.105:59146 -> 54.161.101.85:80 [proto: 291.265/MpegDash.AmazonAWS][ClearText][Confidence: DPI][cat: Cloud/13][1 pkts/257 bytes -> 0 pkts/0 bytes][Goodput ratio: 74/0][< 1 sec][Hostname/SNI: livesim.dashif.org][User-Agent: VLC/3.0.16 LibVLC/3.0.16][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (GET /livesim/sts)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	1	TCP 10.84.1.81:60926 <-> 166.248.152.10:80 [proto: 7.291/HTTP.MpegDash][ClearText][Confidence: DPI][cat: Media/1][2 pkts/456 bytes <-> 2 pkts/1520 bytes][Goodput ratio: 72/92][0.30 sec][Hostname/SNI: gdl.news-cdn.site][URL: gdl.news-cdn.site/as/bigo-ad-creatives/3s3/2lOTA7.mp4][StatusCode: 200][User-Agent: Mozilla/5.0 (Linux; Android 11; SM-A715F Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/89.0.4389.105 Mobile Safari/537.36][Risk: ** Suspicious DGA Domain name **][Risk Score: 100][PLAIN TEXT (GET /as/bigo)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0]
+	2	TCP 54.161.101.85:80 <-> 192.168.2.105:59144 [proto: 291.265/MpegDash.AmazonAWS][ClearText][Confidence: DPI][cat: Media/1][2 pkts/1649 bytes <-> 2 pkts/323 bytes][Goodput ratio: 92/59][0.01 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (OHTTP/1.1 200 OK)][Plen Bins: 0,0,33,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0]
+	3	TCP 192.168.2.105:59142 <-> 54.161.101.85:80 [proto: 291.265/MpegDash.AmazonAWS][ClearText][Confidence: DPI][cat: Cloud/13][3 pkts/390 bytes <-> 1 pkts/74 bytes][Goodput ratio: 47/0][0.10 sec][Hostname/SNI: livesim.dashif.org][User-Agent: VLC/3.0.16 LibVLC/3.0.16][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (IGET /livesim/sts)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	4	TCP 192.168.2.105:59146 -> 54.161.101.85:80 [proto: 291.265/MpegDash.AmazonAWS][ClearText][Confidence: DPI][cat: Cloud/13][1 pkts/257 bytes -> 0 pkts/0 bytes][Goodput ratio: 74/0][< 1 sec][Hostname/SNI: livesim.dashif.org][User-Agent: VLC/3.0.16 LibVLC/3.0.16][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (GET /livesim/sts)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]