authorNardi Ivan <nardi.ivan@gmail.com>2022-09-06 12:02:23 +0200
committerToni <matzeton@googlemail.com>2022-09-06 14:58:31 +0200
commit1b3de449a1192a2d834f43901f4dd8b45edbf011 (patch)
tree179c7b4b47e614152f184c97a1ccf55e2e09a3dd
parent37f918322c0a489b5143a987c8f1a44a6f78a6f3 (diff)
HTTP: correctly set the classification protocols
Classification should always be set via `ndpi_set_detected_protocol()` to be sure to set a correct `confidence` value, too. Having a "known" protocol stack with `NDPI_CONFIDENCE_UNKNOWN` as confidence is not valid. This code in the HTTP dissector likely needs some more thought (the classification itself of the attached example doesn't make a lot of sense), but the goal of this commit is only to always have a valid `confidence` value.
3 files changed, 25 insertions, 2 deletions
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index f9d6abd90..5a088c7c8 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -762,8 +762,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
if(ndpi_struct->proto_defaults[flow->guessed_protocol_id].subprotocol_count == 0) {
if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN &&
flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) {
- flow->detected_protocol_stack[0] = flow->guessed_host_protocol_id;
- flow->detected_protocol_stack[1] = flow->guessed_protocol_id;
+ ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id, flow->guessed_protocol_id, NDPI_CONFIDENCE_DPI);
}
}
}
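Review bot: The added call passes `NDPI_CONFIDENCE_DPI` although both protocol ids come from `flow->guessed_host_protocol_id` and `flow->guessed_protocol_id` rather than from a pattern this dissector actually matched, so consumers that key decisions on the DPI confidence level (the new test output reports `[Confidence: DPI]` for this flow) cannot distinguish this guess-derived classification from a real match. If nDPI offers a lower confidence level for partial or guess-based results it looks like the better fit here; otherwise a comment on the new line should record the choice, e.g. `/* ids are guessed, not matched by this dissector; set via ndpi_set_detected_protocol() so confidence is never left at NDPI_CONFIDENCE_UNKNOWN */`. The enclosing function check_content_type_and_change_protocol starts before the hunk, so it is not visible whether guessed_protocol_id is range-checked before it indexes proto_defaults on the first context line.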
diff --git a/tests/pcap/http_guessed_host_and_guessed.pcapng b/tests/pcap/http_guessed_host_and_guessed.pcapng
new file mode 100644
index 000000000..ec293a101
--- /dev/null
+++ b/tests/pcap/http_guessed_host_and_guessed.pcapng
Binary files differ
diff --git a/tests/result/http_guessed_host_and_guessed.pcapng.out b/tests/result/http_guessed_host_and_guessed.pcapng.out
new file mode 100644
index 000000000..ca0436e21
--- /dev/null
+++ b/tests/result/http_guessed_host_and_guessed.pcapng.out
@@ -0,0 +1,24 @@
+Guessed flow protos: 1
+
+DPI Packets (TCP): 1 (1.00 pkts/flow)
+Confidence DPI : 1 (flows)
+Num dissector calls: 2 (2.00 diss/flow)
+LRU cache ookla: 0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache zoom: 0/0/0 (insert/search/found)
+LRU cache stun: 0/0/0 (insert/search/found)
+LRU cache tls_cert: 0/0/0 (insert/search/found)
+LRU cache mining: 0/0/0 (insert/search/found)
+LRU cache msteams: 0/0/0 (insert/search/found)
+Automa host: 1/0 (search/found)
+Automa domain: 1/0 (search/found)
+Automa tls cert: 0/0 (search/found)
+Automa risk mask: 0/0 (search/found)
+Automa common alpns: 0/0 (search/found)
+Patricia risk mask: 2/0 (search/found)
+Patricia risk: 0/0 (search/found)
+Patricia protocols: 2/2 (search/found)
+
+Alibaba 1 123 1
+
+ 1 TCP 170.33.13.5:110 -> 192.168.0.1:179 [proto: 2.274/POP3.Alibaba][ClearText][Confidence: DPI][cat: Email/3][1 pkts/123 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][< 1 sec][Hostname/SNI: pornhub.com][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][PLAIN TEXT (6 HTTP/1.1)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]