aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2022-07-03 20:28:58 +0200
committerGitHub <noreply@github.com>2022-07-03 20:28:58 +0200
commitfaaff58620feabe3221c75ef9b503e1c459b795a (patch)
tree24277a827e4a5891d157bd6407eb896ac7d12e5c
parent50c0212df1a11b62d870d9be25d64d03b8e957cb (diff)
TargusDataspeed: avoid false positives (#1628)
TargusDataspeed dissector doesn't perform any real DPI checks but it only looks at the TCP/UDP ports. Delete it, and use standard logic to classify these flows by port.
Diffstat
-rw-r--r--src/include/ndpi_protocols.h1
-rw-r--r--src/lib/ndpi_main.c5
-rw-r--r--src/lib/protocols/targus_getdata.c75
-rw-r--r--tests/pcap/targusdataspeed_false_positives.pcapbin0 -> 1027 bytes
-rw-r--r--tests/result/synscan.pcap.out9
-rw-r--r--tests/result/targusdataspeed_false_positives.pcap.out9
6 files changed, 14 insertions, 85 deletions
diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h
index 25395c1fa..f7b33064a 100644
--- a/src/include/ndpi_protocols.h
+++ b/src/include/ndpi_protocols.h
@@ -206,7 +206,6 @@ void init_modbus_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
void init_capwap_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_zabbix_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_wireguard_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
-void init_targus_getdata_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_dnp3_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_104_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_s7comm_dissector(struct ndpi_detection_module_struct *ndpi_struct,u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index f8764b4b0..25b558b0a 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1775,7 +1775,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TARGUS_GETDATA,
"TargusDataspeed", NDPI_PROTOCOL_CATEGORY_NETWORK,
ndpi_build_default_ports(ports_a, 5001, 5201, 0, 0, 0) /* TCP */,
- ndpi_build_default_ports(ports_b, 5001, 5201, 0, 0, 0) /* UDP */);
+ ndpi_build_default_ports(ports_b, 5001, 5201, 0, 0, 0) /* UDP */); /* Missing dissector: port based only */
ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_AMAZON_VIDEO,
"AmazonVideo", NDPI_PROTOCOL_CATEGORY_CLOUD,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
@@ -4364,9 +4364,6 @@ static int ndpi_callback_init(struct ndpi_detection_module_struct *ndpi_str) {
/* Amazon_Video */
init_amazon_video_dissector(ndpi_str, &a, detection_bitmask);
- /* Targus Getdata */
- init_targus_getdata_dissector(ndpi_str, &a, detection_bitmask);
-
/* S7 comm */
init_s7comm_dissector(ndpi_str, &a, detection_bitmask);
diff --git a/src/lib/protocols/targus_getdata.c b/src/lib/protocols/targus_getdata.c
deleted file mode 100644
index 4fa002807..000000000
--- a/src/lib/protocols/targus_getdata.c
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * targus_getdata.c
- *
- * Copyright (C) 2018 by ntop.org
- *
- * This file is part of nDPI, an open source deep packet inspection
- * library based on the OpenDPI and PACE technology by ipoque GmbH
- *
- * nDPI is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * nDPI is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-#include "ndpi_protocol_ids.h"
-
-#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TARGUS_GETDATA
-
-#include "ndpi_api.h"
-
-static void ndpi_check_targus_getdata(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow) {
- struct ndpi_packet_struct *packet = &ndpi_struct->packet;
-
- if(packet->iph) {
- u_int16_t targus_getdata_port = ntohs(5201);
- u_int16_t complex_link_port = ntohs(5001);
-
- if(((packet->tcp != NULL) && ((packet->tcp->dest == targus_getdata_port)
- || (packet->tcp->source == targus_getdata_port)
- || (packet->tcp->dest == complex_link_port)
- || (packet->tcp->source == complex_link_port)))
- || ((packet->udp != NULL) && ((packet->udp->dest == targus_getdata_port)
- || (packet->udp->source == targus_getdata_port)
- || (packet->udp->dest == complex_link_port)
- || (packet->udp->source == complex_link_port)))) {
-
- NDPI_LOG_INFO(ndpi_struct, "found targus getdata used for speedtest\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TARGUS_GETDATA, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
- return;
- }
- }
-
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
-}
-
-void ndpi_search_targus_getdata(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
- NDPI_LOG_DBG(ndpi_struct, "search targus getdata\n");
-
- /* skip marked packets */
- if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_TARGUS_GETDATA)
- ndpi_check_targus_getdata(ndpi_struct, flow);
-}
-
-
-void init_targus_getdata_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
-{
- ndpi_set_bitmask_protocol_detection("TARGUS_GETDATA", ndpi_struct, detection_bitmask, *id,
- NDPI_PROTOCOL_TARGUS_GETDATA,
- ndpi_search_targus_getdata,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP,
- SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
- *id += 1;
-}
diff --git a/tests/pcap/targusdataspeed_false_positives.pcap b/tests/pcap/targusdataspeed_false_positives.pcap
new file mode 100644
index 000000000..bf148b5b7
--- /dev/null
+++ b/tests/pcap/targusdataspeed_false_positives.pcap
Binary files differ
diff --git a/tests/result/synscan.pcap.out b/tests/result/synscan.pcap.out
index d25e65b93..d75ec10ae 100644
--- a/tests/result/synscan.pcap.out
+++ b/tests/result/synscan.pcap.out
@@ -1,9 +1,8 @@
-Guessed flow protos: 1990
+Guessed flow protos: 1992
DPI Packets (TCP): 2011 (1.01 pkts/flow)
Confidence Unknown : 1868 (flows)
-Confidence Match by port : 124 (flows)
-Confidence DPI : 2 (flows)
+Confidence Match by port : 126 (flows)
Unknown 1872 108584 1868
FTP_CONTROL 2 116 2
@@ -108,7 +107,7 @@ iSCSI 2 116 2
47 TCP 172.16.0.8:36050 -> 64.13.134.52:3306 [proto: 20/MySQL][ClearText][Confidence: Match by port][cat: Database/11][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
48 TCP 172.16.0.8:36050 -> 64.13.134.52:3389 [proto: 88/RDP][ClearText][Confidence: Match by port][cat: RemoteAccess/12][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Desktop/File Sharing **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No client to server traffic / Found RDP][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
49 TCP 172.16.0.8:36050 -> 64.13.134.52:4343 [proto: 170/Whois-DAS][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 50 TCP 172.16.0.8:36050 -> 64.13.134.52:5001 [proto: 243/TargusDataspeed][ClearText][Confidence: DPI][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 50 TCP 172.16.0.8:36050 -> 64.13.134.52:5001 [proto: 243/TargusDataspeed][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
51 TCP 172.16.0.8:36050 -> 64.13.134.52:5060 [proto: 100/SIP][ClearText][Confidence: Match by port][cat: VoIP/10][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
52 TCP 172.16.0.8:36050 -> 64.13.134.52:5061 [proto: 100/SIP][ClearText][Confidence: Match by port][cat: VoIP/10][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
53 TCP 172.16.0.8:36050 -> 64.13.134.52:5432 [proto: 19/PostgreSQL][ClearText][Confidence: Match by port][cat: Database/11][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
@@ -169,7 +168,7 @@ iSCSI 2 116 2
108 TCP 172.16.0.8:36051 -> 64.13.134.52:3306 [proto: 20/MySQL][ClearText][Confidence: Match by port][cat: Database/11][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
109 TCP 172.16.0.8:36051 -> 64.13.134.52:3389 [proto: 88/RDP][ClearText][Confidence: Match by port][cat: RemoteAccess/12][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Desktop/File Sharing **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No client to server traffic / Found RDP][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
110 TCP 172.16.0.8:36051 -> 64.13.134.52:4343 [proto: 170/Whois-DAS][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 111 TCP 172.16.0.8:36051 -> 64.13.134.52:5001 [proto: 243/TargusDataspeed][ClearText][Confidence: DPI][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 111 TCP 172.16.0.8:36051 -> 64.13.134.52:5001 [proto: 243/TargusDataspeed][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
112 TCP 172.16.0.8:36051 -> 64.13.134.52:5060 [proto: 100/SIP][ClearText][Confidence: Match by port][cat: VoIP/10][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
113 TCP 172.16.0.8:36051 -> 64.13.134.52:5061 [proto: 100/SIP][ClearText][Confidence: Match by port][cat: VoIP/10][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
114 TCP 172.16.0.8:36051 -> 64.13.134.52:5432 [proto: 19/PostgreSQL][ClearText][Confidence: Match by port][cat: Database/11][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/targusdataspeed_false_positives.pcap.out b/tests/result/targusdataspeed_false_positives.pcap.out
new file mode 100644
index 000000000..73bc9079a
--- /dev/null
+++ b/tests/result/targusdataspeed_false_positives.pcap.out
@@ -0,0 +1,9 @@
+Guessed flow protos: 2
+
+DPI Packets (UDP): 4 (2.00 pkts/flow)
+Confidence DPI (cache) : 2 (flows)
+
+BitTorrent 4 939 2
+
+ 1 UDP 10.0.2.15:23994 <-> 89.64.45.227:5201 [proto: 37/BitTorrent][ClearText][Confidence: DPI (cache)][cat: Download/7][1 pkts/140 bytes <-> 1 pkts/345 bytes][Goodput ratio: 70/88][0.72 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic / Expected on port 6771,51413][PLAIN TEXT (target20)][Plen Bins: 0,0,0,50,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 2 UDP 10.0.2.15:23994 <-> 79.164.55.123:5001 [proto: 37/BitTorrent][ClearText][Confidence: DPI (cache)][cat: Download/7][1 pkts/140 bytes <-> 1 pkts/314 bytes][Goodput ratio: 70/86][0.07 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic / Expected on port 6771,51413][PLAIN TEXT (target20)][Plen Bins: 0,0,0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
Powered by cgit, Themed by Ted Yin.