authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2022-07-03 19:25:00 +0200
committerGitHub <noreply@github.com>2022-07-03 19:25:00 +0200
commit422d0025421565f56be4e75d1217fb96fcf41dc8 (patch)
tree8d73feb343a66ebc08ff4957697f88dc0b348070
parenteed47acfc8532486a830404268def82cb0794f77 (diff)
Skinny: rework and improve classification (#1625)
-rw-r--r--src/lib/protocols/skinny.c64
-rw-r--r--tests/pcap/skinny.pcapbin0 -> 672752 bytes
-rw-r--r--tests/result/sccp_hw_conf_register.pcapng.out2
-rw-r--r--tests/result/skinny.pcap.out20
4 files changed, 67 insertions, 19 deletions
diff --git a/src/lib/protocols/skinny.c b/src/lib/protocols/skinny.c
index 9a0d23d21..c9b4ebe45 100644
--- a/src/lib/protocols/skinny.c
+++ b/src/lib/protocols/skinny.c
@@ -23,6 +23,7 @@
#include "ndpi_api.h"
+/* Reference: Wiresahrk: epan/dissectors/packet-skinny.c */
static void ndpi_int_skinny_add_connection(struct ndpi_detection_module_struct
*ndpi_struct, struct ndpi_flow_struct *flow)
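Review bot: The reference comment added at the top of the hunk misspells the tool name and should read `/* Reference: Wireshark: epan/dissectors/packet-skinny.c */`. Since this comment is the only pointer a maintainer has for the version and opcode tables introduced below, it is worth getting the name right so it can be searched for.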
@@ -30,35 +31,62 @@ static void ndpi_int_skinny_add_connection(struct ndpi_detection_module_struct
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKINNY, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
}
+static int is_valid_version(u_int32_t version)
+{
+ if(version == 0x00 || /* Basic msg type */
+ version == 0x0A || /* V10 */
+ version == 0x0B || /* V11 */
+ version == 0x0F || /* V15 */
+ version == 0x10 || /* V16 */
+ version == 0x11 || /* V17 */
+ version == 0x12 || /* V18 */
+ version == 0x13 || /* V19 */
+ version == 0x14 || /* V20 */
+ version == 0x15 || /* V21 */
+ version == 0x16) /* V22 */
+ return 1;
+ return 0;
+}
+
+static int is_valid_opcode(u_int32_t opcode)
+{
+ /* A loose check */
+ if(opcode <= 0x009F ||
+ (opcode >= 0x0100 && opcode <= 0x0160) ||
+ (opcode == 0x8000) ||
+ (opcode >= 0x8100 && opcode <= 0x8101))
+ return 1;
+ return 0;
+}
+
void ndpi_search_skinny(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
- u_int16_t dport = 0, sport = 0;
- const char pattern_9_bytes[9] = { 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
- const char pattern_8_bytes[8] = { 0x38, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
- const char keypadmsg_8_bytes[8] = { 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
- const char selectmsg_8_bytes[8] = { 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+ u_int16_t dport, sport;
NDPI_LOG_DBG(ndpi_struct, "search for SKINNY\n");
if(packet->tcp != NULL) {
sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest);
NDPI_LOG_DBG2(ndpi_struct, "calculating SKINNY over tcp\n");
- if (dport == 2000 && ((packet->payload_packet_len == 24 &&
- memcmp(&packet->payload[0], keypadmsg_8_bytes, 8) == 0)
- || ((packet->payload_packet_len == 64) && memcmp(&packet->payload[0], pattern_8_bytes, 8) == 0))) {
- NDPI_LOG_INFO(ndpi_struct, "found skinny\n");
- ndpi_int_skinny_add_connection(ndpi_struct, flow);
- } else if (sport == 2000 && ((packet->payload_packet_len == 28 &&
- memcmp(&packet->payload[0], selectmsg_8_bytes, 8) == 0 ) ||
- (packet->payload_packet_len == 44 &&
- memcmp(&packet->payload[0], pattern_9_bytes, 9) == 0))) {
- NDPI_LOG_INFO(ndpi_struct, "found skinny\n");
- ndpi_int_skinny_add_connection(ndpi_struct, flow);
+ if((dport == 2000 || sport == 2000) &&
+ (packet->payload_packet_len >= 12)) {
+ u_int32_t data_length, version, opcode;
+
+ data_length = le32toh(get_u_int32_t(packet->payload, 0));
+ version = le32toh(get_u_int32_t(packet->payload, 4));
+ opcode = le32toh(get_u_int32_t(packet->payload, 8));
+
+ if(data_length + 8 == packet->payload_packet_len &&
+ is_valid_version(version) &&
+ is_valid_opcode(opcode)) {
+ NDPI_LOG_INFO(ndpi_struct, "found skinny\n");
+ ndpi_int_skinny_add_connection(ndpi_struct, flow);
+ return;
+ }
}
- } else {
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
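Review bot: The new length check `data_length + 8 == packet->payload_packet_len` only accepts a segment that carries exactly one Skinny message, and every packet that fails it now falls through to the unconditional `NDPI_EXCLUDE_PROTO` at the end of the function, so a segment holding two coalesced messages, or a message split across segments, would permanently exclude a genuine Skinny flow on port 2000; the 15 to 4 DPI-packet drop in the sccp_hw_conf_register result is consistent with exclusion firing on the first non-matching packet, though that is inferred from the result file rather than visible here. A looser but still bounded form is `data_length >= 4 && data_length <= (u_int32_t)packet->payload_packet_len - 8`, written as a subtraction so that an attacker-chosen length near UINT32_MAX cannot wrap `data_length + 8` into a small value (with the current `==` a wrapped sum lands in 0..7 and can never equal a payload of at least 12 bytes, so the wrap is harmless today, but it would become a false-positive path if the comparison were simply relaxed to `<=`). If the flow struct exposes a per-flow packet counter, deferring the exclusion for a couple of packets rather than excluding on the first mismatch would also soften this, but that needs checking against how the rest of the library drives this dissector. Given that `is_valid_version` accepts 0 and `is_valid_opcode` accepts anything up to 0x009F, a comment above the match noting that the only other constraint is the port 2000 check would help the next reader judge the false-positive exposure.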
diff --git a/tests/pcap/skinny.pcap b/tests/pcap/skinny.pcap
new file mode 100644
index 000000000..cda98c63a
--- /dev/null
+++ b/tests/pcap/skinny.pcap
Binary files differ
diff --git a/tests/result/sccp_hw_conf_register.pcapng.out b/tests/result/sccp_hw_conf_register.pcapng.out
index 5bbfc395c..a7f974e62 100644
--- a/tests/result/sccp_hw_conf_register.pcapng.out
+++ b/tests/result/sccp_hw_conf_register.pcapng.out
@@ -1,6 +1,6 @@
Guessed flow protos: 0
-DPI Packets (TCP): 15 (15.00 pkts/flow)
+DPI Packets (TCP): 4 (4.00 pkts/flow)
Confidence DPI : 1 (flows)
CiscoSkinny 17 1522 1
diff --git a/tests/result/skinny.pcap.out b/tests/result/skinny.pcap.out
new file mode 100644
index 000000000..19eed6562
--- /dev/null
+++ b/tests/result/skinny.pcap.out
@@ -0,0 +1,20 @@
+Guessed flow protos: 0
+
+DPI Packets (TCP): 3 (1.00 pkts/flow)
+DPI Packets (UDP): 5 (1.00 pkts/flow)
+DPI Packets (other): 1 (1.00 pkts/flow)
+Confidence DPI : 9 (flows)
+
+ICMP 2 140 1
+RTP 2871 614394 5
+CiscoSkinny 94 10114 3
+
+ 1 UDP 192.168.195.58:32144 <-> 192.168.195.50:17718 [proto: 87/RTP][ClearText][Confidence: DPI][cat: Media/1][730 pkts/156220 bytes <-> 712 pkts/152368 bytes][Goodput ratio: 80/80][7.28 sec][bytes ratio: 0.012 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 7/7 20/20 9/9][Pkt Len c2s/s2c min/avg/max/stddev: 214/214 214/214 214/214 0/0][PLAIN TEXT (zwwtvutz)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 2 UDP 192.168.195.58:32150 -> 192.168.193.24:9395 [proto: 87/RTP][ClearText][Confidence: DPI][cat: Media/1][365 pkts/78110 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][7.28 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 20/0 20/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 214/0 214/0 214/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (zwwtvutz)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 3 UDP 192.168.195.58:32152 -> 192.168.193.24:9396 [proto: 87/RTP][ClearText][Confidence: DPI][cat: Media/1][356 pkts/76184 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][7.10 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 20/0 20/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 214/0 214/0 214/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (wskptvv)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 4 UDP 192.168.195.50:17726 -> 192.168.193.24:9399 [proto: 87/RTP][ClearText][Confidence: DPI][cat: Media/1][355 pkts/75970 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][7.08 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 20/0 20/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 214/0 214/0 214/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (wskptvv)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 5 UDP 192.168.195.50:17732 -> 192.168.193.24:9400 [proto: 87/RTP][ClearText][Confidence: DPI][cat: Media/1][353 pkts/75542 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][7.04 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 20/0 20/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 214/0 214/0 214/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (xwwsvyux)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 6 TCP 192.168.195.58:49399 <-> 192.168.193.12:2000 [proto: 164/CiscoSkinny][ClearText][Confidence: DPI][cat: VoIP/10][20 pkts/1628 bytes <-> 28 pkts/3570 bytes][Goodput ratio: 30/56][11.13 sec][bytes ratio: -0.374 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/0 734/479 5931/5892 1663/1376][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 81/128 242/378 41/88][PLAIN TEXT (RIX Meeting Room)][Plen Bins: 45,22,0,0,16,6,3,0,0,3,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 7 TCP 192.168.193.12:2000 <-> 192.168.195.50:51532 [proto: 164/CiscoSkinny][ClearText][Confidence: DPI][cat: VoIP/10][24 pkts/3166 bytes <-> 20 pkts/1624 bytes][Goodput ratio: 58/30][22.92 sec][bytes ratio: 0.322 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/5 699/417 6999/3582 1749/1018][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 132/81 546/242 116/41][PLAIN TEXT (RIX Meeting Room)][Plen Bins: 50,22,0,0,14,3,3,0,0,3,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 8 ICMP 192.168.195.50:0 -> 192.168.195.58:0 [proto: 81/ICMP][ClearText][Confidence: DPI][cat: Network/14][2 pkts/140 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 9 TCP 192.168.195.58:50917 <-> 10.16.2.25:2000 [proto: 164/CiscoSkinny][ClearText][Confidence: DPI][cat: VoIP/10][1 pkts/66 bytes <-> 1 pkts/60 bytes][Goodput ratio: 18/0][0.06 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]