author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2022-07-03 17:47:58 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-07-03 17:47:58 +0200 |
commit | fdb1649a49ee376853eace751002ef422f06623c (patch) | |
tree | 641ca83d9a4a2523e138561a1954c0395f58008c | |
parent | 5fe60876866661183b1a917838c1176c356de90c (diff) |
Fix category for mail sessions (#1621)
Close #629
-rw-r--r-- | src/lib/ndpi_main.c | 30 | ||||
-rw-r--r-- | tests/result/smtp-starttls.pcap.out | 2 |
2 files changed, 27 insertions, 5 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 2fddf99a6..4bd63db54 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -7408,13 +7408,33 @@ const char *ndpi_category_get_name(struct ndpi_detection_module_struct *ndpi_str
 /* ****************************************************** */
+static int category_depends_on_master(int proto)
+{
+ switch(proto) {
+ case NDPI_PROTOCOL_MAIL_POP:
+ case NDPI_PROTOCOL_MAIL_SMTP:
+ case NDPI_PROTOCOL_MAIL_IMAP:
+ case NDPI_PROTOCOL_MAIL_POPS:
+ case NDPI_PROTOCOL_MAIL_SMTPS:
+ case NDPI_PROTOCOL_MAIL_IMAPS:
+ return 1;
+ }
+ return 0;
+}
+
+/* ****************************************************** */
+
 ndpi_protocol_category_t ndpi_get_proto_category(struct ndpi_detection_module_struct *ndpi_str, ndpi_protocol proto) {
 if(proto.category != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED)
 return(proto.category);
- /* simple rule: sub protocol first, master after */
- else if((proto.master_protocol == NDPI_PROTOCOL_UNKNOWN) ||
+ /* Simple rule: sub protocol first, master after, with some exceptions (i.e. mail) */
+
+ if(category_depends_on_master(proto.master_protocol)) {
+ if(ndpi_is_valid_protoId(proto.master_protocol))
+ return(ndpi_str->proto_defaults[proto.master_protocol].protoCategory);
+ } else if((proto.master_protocol == NDPI_PROTOCOL_UNKNOWN) ||
 (ndpi_str->proto_defaults[proto.app_protocol].protoCategory != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED)) {
 if(ndpi_is_valid_protoId(proto.app_protocol))
 return(ndpi_str->proto_defaults[proto.app_protocol].protoCategory);
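Review bot: In `ndpi_get_proto_category`, the `else if` condition still reads `ndpi_str->proto_defaults[proto.app_protocol]` before `ndpi_is_valid_protoId(proto.app_protocol)` is checked, whereas the new mail branch validates `proto.master_protocol` before it indexes the same table. When the master is known and is not a mail protocol, an out-of-range `app_protocol` would index outside `proto_defaults`; callers presumably never pass one, but the guard order is inconsistent within a single statement. Moving the validity test into the condition closes this: `(ndpi_is_valid_protoId(proto.app_protocol) && ndpi_str->proto_defaults[proto.app_protocol].protoCategory != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED)) {`. The `switch` in `category_depends_on_master` would also read more clearly with an explicit `default: return 0;`. The body of `ndpi_get_proto_category` continues outside the hunk.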
@@ -7735,7 +7755,8 @@ static u_int16_t ndpi_automa_match_string_subprotocol(struct ndpi_detection_modu
 flow->detected_protocol_stack[1] = master_protocol_id, flow->detected_protocol_stack[0] = matching_protocol_id;
 flow->confidence = NDPI_CONFIDENCE_DPI;
- if(flow->category == NDPI_PROTOCOL_CATEGORY_UNSPECIFIED)
+ if(!category_depends_on_master(master_protocol_id) &&
+ flow->category == NDPI_PROTOCOL_CATEGORY_UNSPECIFIED)
 flow->category = ret_match->protocol_category;
 return(flow->detected_protocol_stack[0]);
@@ -7838,7 +7859,8 @@ int ndpi_match_hostname_protocol(struct ndpi_detection_module_struct *ndpi_struc
 if(subproto != NDPI_PROTOCOL_UNKNOWN) {
 ndpi_set_detected_protocol(ndpi_struct, flow, subproto, master_protocol, NDPI_CONFIDENCE_DPI);
- ndpi_int_change_category(ndpi_struct, flow, ret_match.protocol_category);
+ if(!category_depends_on_master(master_protocol))
+ ndpi_int_change_category(ndpi_struct, flow, ret_match.protocol_category);
 return(1);
 } else
 return(0);
diff --git a/tests/result/smtp-starttls.pcap.out b/tests/result/smtp-starttls.pcap.out
index 2e739cd24..c031fd8af 100644
--- a/tests/result/smtp-starttls.pcap.out
+++ b/tests/result/smtp-starttls.pcap.out
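Review bot: The new guard in `ndpi_automa_match_string_subprotocol` discards `ret_match->protocol_category` for every flow whose master is a mail protocol, and the hunk in `ndpi_match_hostname_protocol` does the same with `ret_match.protocol_category`. That corrects the Web-instead-of-Email result, but it also drops any more specific category the match may carry. If custom or blocklist-style host categories can reach these paths (not visible in the hunks), a mail session to such a host would be reported only as Email, and a consumer filtering on category would miss it. If that is intended, say so at both call sites, e.g. `/* mail: category comes from the master protocol; the match category is ignored on purpose */`; otherwise restrict the skip to the generic categories that caused the misclassification. Both functions begin and end outside the hunks.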
@@ -5,4 +5,4 @@ Confidence DPI : 1 (flows) Google 36 8403 1 - 1 TCP 10.0.0.1:57406 <-> 173.194.68.26:25 [proto: 3.126/SMTP.Google][ClearText][Confidence: DPI][cat: Web/5][17 pkts/2514 bytes <-> 19 pkts/5889 bytes][Goodput ratio: 55/79][0.48 sec][Hostname/SNI: mx.google.com][bytes ratio: -0.402 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 30/24 156/103 42/26][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 148/310 752/1484 168/444][PLAIN TEXT (x.google.com ESMTP s4)][Plen Bins: 23,18,13,9,4,4,4,0,0,4,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0] + 1 TCP 10.0.0.1:57406 <-> 173.194.68.26:25 [proto: 3.126/SMTP.Google][ClearText][Confidence: DPI][cat: Email/3][17 pkts/2514 bytes <-> 19 pkts/5889 bytes][Goodput ratio: 55/79][0.48 sec][Hostname/SNI: mx.google.com][bytes ratio: -0.402 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 30/24 156/103 42/26][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 148/310 752/1484 168/444][PLAIN TEXT (x.google.com ESMTP s4)][Plen Bins: 23,18,13,9,4,4,4,0,0,4,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0] |