authorNardi Ivan <nardi.ivan@gmail.com>2023-06-18 11:55:01 +0200
committerIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2023-06-21 10:38:44 +0200
commit570c75d6019872610b0cbde981e25edcda5f6754 (patch)
treeddcd9e0ce2b3d5fa063d1d22e5681f259f15bd7b
parent2ac240ce6aafdae26b9b1117127595506074cda1 (diff)
STUN: fix detection over TCP
TCP framing is optional
-rw-r--r--src/lib/protocols/stun.c50
-rw-r--r--tests/cfgs/default/pcap/stun.pcapbin27210 -> 29574 bytes
-rw-r--r--tests/cfgs/default/pcap/stun_wa_call.pcapng (renamed from tests/cfgs/default/pcap/stun_wa.pcapng)bin153968 -> 153968 bytes
-rw-r--r--tests/cfgs/default/result/stun.pcap.out14
-rw-r--r--tests/cfgs/default/result/stun_wa_call.pcapng.out (renamed from tests/cfgs/default/result/stun_wa.pcapng.out)0
5 files changed, 38 insertions, 26 deletions
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index 4b822f6c5..e8cdaa699 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -208,7 +208,7 @@ typedef enum {
static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
const u_int8_t * payload,
- const u_int16_t payload_length,
+ u_int16_t payload_length,
u_int16_t *app_proto) {
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
u_int16_t msg_type, msg_len;
@@ -239,6 +239,18 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
msg_type = ntohs(*((u_int16_t*)payload));
msg_len = ntohs(*((u_int16_t*)&payload[2]));
+ /* With tcp, we might have multiple msg in the same TCP pkt.
+ Parse only the first one. TODO */
+ if(packet->tcp) {
+ if(msg_len + 20 > payload_length)
+ return(NDPI_IS_NOT_STUN);
+ /* Let's hope that classic-stun is no more used over TCP */
+ if(ntohl(*((u_int32_t *)&payload[4])) != 0x2112A442)
+ return(NDPI_IS_NOT_STUN);
+
+ payload_length = msg_len + 20;
+ }
+
if((msg_type == 0) || ((msg_len+20) != payload_length))
return(NDPI_IS_NOT_STUN);
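Review bot: On the TCP path the added block accepts a segment as STUN once the length fits and the 4-byte cookie matches, then rewrites `payload_length` so the later `(msg_len+20) != payload_length` test can no longer fail; bytes after the first message are never examined. Because this loosens the match in a classifier that parses untrusted traffic, a cheap structural check inside the `if(packet->tcp)` block would help, e.g. `if(msg_len & 0x3) return(NDPI_IS_NOT_STUN);` (RFC 5389 pads the message length to a multiple of 4), unless the part of `ndpi_int_check_stun` outside this hunk already enforces it. The cookie read at `payload[4]` is in bounds only because the `msg_len + 20 > payload_length` test runs first, so that ordering deserves a comment such as `/* length check above guarantees >= 20 bytes, so payload[4..7] is readable */`. The literals `20` and `0x2112A442` would read better as named constants for the header length and the magic cookie.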
@@ -508,26 +520,24 @@ static void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, s
app_proto = NDPI_PROTOCOL_UNKNOWN;
- if(packet->tcp) {
- /* STUN may be encapsulated in TCP packets */
- if((packet->payload_packet_len >= 22)
- && ((ntohs(get_u_int16_t(packet->payload, 0)) + 2) == packet->payload_packet_len)) {
- /* TODO there could be several STUN packets in a single TCP packet so maybe the detection could be
- * improved by checking only the STUN packet of given length */
-
- if(ndpi_int_check_stun(ndpi_struct, flow, packet->payload + 2,
- packet->payload_packet_len - 2, &app_proto) == NDPI_IS_STUN) {
- ndpi_int_stun_add_connection(ndpi_struct, flow, app_proto);
- return;
- }
+ /* STUN may be encapsulated in TCP packets with a special TCP framing described in RFC 4571 */
+ if(packet->tcp &&
+ packet->payload_packet_len >= 22 &&
+ ((ntohs(get_u_int16_t(packet->payload, 0)) + 2) == packet->payload_packet_len)) {
+ /* TODO there could be several STUN packets in a single TCP packet so maybe the detection could be
+ * improved by checking only the STUN packet of given length */
+
+ if(ndpi_int_check_stun(ndpi_struct, flow, packet->payload + 2,
+ packet->payload_packet_len - 2, &app_proto) == NDPI_IS_STUN) {
+ ndpi_int_stun_add_connection(ndpi_struct, flow, app_proto);
+ return;
+ }
+ } else { /* UDP or TCP without framing */
+ if(ndpi_int_check_stun(ndpi_struct, flow, packet->payload,
+ packet->payload_packet_len, &app_proto) == NDPI_IS_STUN) {
+ ndpi_int_stun_add_connection(ndpi_struct, flow, app_proto);
+ return;
}
- }
-
- /* UDP */
- if(ndpi_int_check_stun(ndpi_struct, flow, packet->payload,
- packet->payload_packet_len, &app_proto) == NDPI_IS_STUN) {
- ndpi_int_stun_add_connection(ndpi_struct, flow, app_proto);
- return;
}
if(flow->stun.num_pkts >= MAX_NUM_STUN_PKTS ||
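Review bot: The new `if`/`else` drops a fallback the old code had: a TCP payload that satisfies the RFC 4571 length test but fails `ndpi_int_check_stun` at offset 2 used to fall through and be retried unframed, and now it is not. If that is intended, say so on the `else` branch, e.g. `/* UDP, or TCP whose first two bytes are not an RFC 4571 length for this segment */`; otherwise keep the unframed call outside the `else`. The carried-over TODO about several STUN packets in one TCP packet is partly stale, since the framing test still requires exactly one frame per segment while the unframed path now parses only the first message. The unframed call passes `packet->payload_packet_len` unchecked, so it relies on `ndpi_int_check_stun` rejecting short payloads before its header reads; that code, like the start and end of `ndpi_search_stun`, is outside this hunk.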
diff --git a/tests/cfgs/default/pcap/stun.pcap b/tests/cfgs/default/pcap/stun.pcap
index 653c09e04..aceefec22 100644
--- a/tests/cfgs/default/pcap/stun.pcap
+++ b/tests/cfgs/default/pcap/stun.pcap
Binary files differ
diff --git a/tests/cfgs/default/pcap/stun_wa.pcapng b/tests/cfgs/default/pcap/stun_wa_call.pcapng
index 0acec81fb..0acec81fb 100644
--- a/tests/cfgs/default/pcap/stun_wa.pcapng
+++ b/tests/cfgs/default/pcap/stun_wa_call.pcapng
Binary files differ
diff --git a/tests/cfgs/default/result/stun.pcap.out b/tests/cfgs/default/result/stun.pcap.out
index 2abd58e29..4dc337934 100644
--- a/tests/cfgs/default/result/stun.pcap.out
+++ b/tests/cfgs/default/result/stun.pcap.out
@@ -1,13 +1,13 @@
Guessed flow protos: 0
-DPI Packets (TCP): 4 (4.00 pkts/flow)
+DPI Packets (TCP): 7 (3.50 pkts/flow)
DPI Packets (UDP): 17 (5.67 pkts/flow)
-Confidence DPI : 4 (flows)
-Num dissector calls: 582 (145.50 diss/flow)
+Confidence DPI : 5 (flows)
+Num dissector calls: 588 (117.60 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/3/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
-LRU cache stun: 4/34/0 (insert/search/found)
+LRU cache stun: 6/38/0 (insert/search/found)
LRU cache tls_cert: 0/0/0 (insert/search/found)
LRU cache mining: 0/0/0 (insert/search/found)
LRU cache msteams: 0/0/0 (insert/search/found)
@@ -17,10 +17,11 @@ Automa domain: 0/0 (search/found)
Automa tls cert: 0/0 (search/found)
Automa risk mask: 1/0 (search/found)
Automa common alpns: 0/0 (search/found)
-Patricia risk mask: 6/0 (search/found)
+Patricia risk mask: 8/0 (search/found)
Patricia risk: 2/0 (search/found)
-Patricia protocols: 4/2 (search/found)
+Patricia protocols: 6/2 (search/found)
+Skype_TeamsCall 15 2124 1
STUN 62 7620 2
GoogleHangoutDuo 33 6292 1
FacebookVoip 75 10554 1
@@ -29,3 +30,4 @@ FacebookVoip 75 10554 1
2 UDP 192.168.12.169:49153 <-> 142.250.82.99:3478 [proto: 78.201/STUN.GoogleHangoutDuo][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 4][cat: VoIP/10][18 pkts/2856 bytes <-> 15 pkts/3436 bytes][Goodput ratio: 74/82][2.12 sec][bytes ratio: -0.092 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 8/0 88/153 699/625 177/222][Pkt Len c2s/s2c min/avg/max/stddev: 107/76 159/229 588/1240 107/297][PLAIN TEXT (BwlkYDtFJ)][Plen Bins: 0,6,57,21,6,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0]
3 UDP [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603]:56880 <-> [2a38:e156:8167:a333:face:b00c::24d9]:3478 [proto: 78/STUN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 11][cat: Network/14][21 pkts/1722 bytes <-> 21 pkts/2226 bytes][Goodput ratio: 24/41][191.49 sec][bytes ratio: -0.128 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/2 9451/9451 10358/10358 2441/2441][Pkt Len c2s/s2c min/avg/max/stddev: 82/106 82/106 82/106 0/0][PLAIN TEXT (WOBTrOXR)][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
4 TCP 87.47.100.17:3478 <-> 54.1.57.155:37257 [proto: 78/STUN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][9 pkts/1494 bytes <-> 11 pkts/2178 bytes][Goodput ratio: 60/67][0.95 sec][Hostname/SNI: apps-host.com][bytes ratio: -0.186 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 104/96 267/252 102/93][Pkt Len c2s/s2c min/avg/max/stddev: 74/94 166/198 234/354 41/65][PLAIN TEXT (Unauthorized)][Plen Bins: 10,0,15,21,42,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 5 TCP 10.77.110.51:41588 <-> 10.206.50.239:42000 [VLAN: 1611][proto: 78.38/STUN.Skype_TeamsCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 3][cat: VoIP/10][7 pkts/1006 bytes <-> 8 pkts/1118 bytes][Goodput ratio: 58/57][1.05 sec][bytes ratio: -0.053 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 189/134 369/399 144/153][Pkt Len c2s/s2c min/avg/max/stddev: 70/64 144/140 164/172 31/43][Plen Bins: 0,0,25,75,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/default/result/stun_wa.pcapng.out b/tests/cfgs/default/result/stun_wa_call.pcapng.out
index bf73201c1..bf73201c1 100644
--- a/tests/cfgs/default/result/stun_wa.pcapng.out
+++ b/tests/cfgs/default/result/stun_wa_call.pcapng.out