authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2025-05-27 19:11:35 +0200
committerGitHub <noreply@github.com>2025-05-27 19:11:35 +0200
commit1f5378efb801006bdbc7579e98e6417d07d1f082 (patch)
tree2627e526464c270ad9cd47b1b728a56b1f7a207b
parent1e3cc3938bbcce220b7ffbf04cdd18e45eb61e42 (diff)
Allow to specify default ports also via range (#2856)
Add a trivial example, update SIP configuration to use range
-rw-r--r--src/include/ndpi_typedefs.h2
-rw-r--r--src/lib/ndpi_main.c92
-rw-r--r--tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out2
3 files changed, 66 insertions, 30 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index c1f712b19..70a305938 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1203,7 +1203,7 @@ typedef struct ndpi_proto_defaults {
u_int16_t *subprotocols;
u_int32_t subprotocol_count;
u_int16_t protoId, dissector_idx;
- u_int16_t tcp_default_ports[MAX_DEFAULT_PORTS], udp_default_ports[MAX_DEFAULT_PORTS];
+ ndpi_port_range tcp_default_ports[MAX_DEFAULT_PORTS], udp_default_ports[MAX_DEFAULT_PORTS];
ndpi_protocol_breed_t protoBreed;
ndpi_protocol_qoe_category_t qoeCategory;
} ndpi_proto_defaults_t;
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 58a0bc221..e5e95e506 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -409,6 +409,28 @@ u_int16_t ndpi_map_ndpi_id_to_user_proto_id(struct ndpi_detection_module_struct
/* ************************************************************************************* */
+static ndpi_port_range *ndpi_build_default_ports_range(ndpi_port_range *ports, u_int16_t portA_low, u_int16_t portA_high,
+ u_int16_t portB_low, u_int16_t portB_high, u_int16_t portC_low,
+ u_int16_t portC_high, u_int16_t portD_low, u_int16_t portD_high,
+ u_int16_t portE_low, u_int16_t portE_high) {
+ int i = 0;
+
+ ports[i].port_low = portA_low, ports[i].port_high = portA_high;
+ i++;
+ ports[i].port_low = portB_low, ports[i].port_high = portB_high;
+ i++;
+ ports[i].port_low = portC_low, ports[i].port_high = portC_high;
+ i++;
+ ports[i].port_low = portD_low, ports[i].port_high = portD_high;
+ i++;
+ ports[i].port_low = portE_low, ports[i].port_high = portE_high;
+
+ return(ports);
+}
+
+
+/* ************************************************************************************* */
+
ndpi_port_range *ndpi_build_default_ports(ndpi_port_range *ports, u_int16_t portA, u_int16_t portB, u_int16_t portC,
u_int16_t portD, u_int16_t portE) {
int i = 0;
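Review bot: `ndpi_build_default_ports_range` has no comment stating its contract, and it stores whatever pairs it is given without checking them. It writes five entries unconditionally, so `ports` must have room for at least five `ndpi_port_range` elements. The loops changed later in this commit stop at the first entry whose `port_low` is 0, so a pair starting at 0 silently ends the list. I would add above the definition something like `/* Fills ports[0..4]; a pair with low == 0 terminates the list, and every other pair must satisfy low <= high */`. The hunk ends inside `ndpi_build_default_ports`, which is not reviewed here.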
@@ -652,9 +674,8 @@ void ndpi_set_proto_defaults(struct ndpi_detection_module_struct *ndpi_str,
addDefaultPort(ndpi_str, &tcpDefPorts[j], &ndpi_str->proto_defaults[protoId], 0, &ndpi_str->tcpRoot,
__FUNCTION__, __LINE__);
- /* No port range, just the lower port */
- ndpi_str->proto_defaults[protoId].tcp_default_ports[j] = tcpDefPorts[j].port_low;
- ndpi_str->proto_defaults[protoId].udp_default_ports[j] = udpDefPorts[j].port_low;
+ ndpi_str->proto_defaults[protoId].tcp_default_ports[j] = tcpDefPorts[j];
+ ndpi_str->proto_defaults[protoId].udp_default_ports[j] = udpDefPorts[j];
}
}
@@ -1497,8 +1518,8 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SIP,
"SIP", NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_QOE_CATEGORY_VOIP_CALLS,
- ndpi_build_default_ports(ports_a, 5060, 5061, 0, 0, 0) /* TCP */,
- ndpi_build_default_ports(ports_b, 5060, 5061, 0, 0, 0) /* UDP */);
+ ndpi_build_default_ports_range(ports_a, 5060, 5061, 0, 0, 0, 0, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports_range(ports_b, 5060, 5061, 0, 0, 0, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TRUPHONE,
"TruPhone", NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_QOE_CATEGORY_VOIP_CALLS,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
@@ -8927,17 +8948,26 @@ static void fpc_check_eval(struct ndpi_detection_module_struct *ndpi_str,
/* ********************************************************************************* */
-static char* ndpi_expected_ports_str(u_int16_t *default_ports, char *str, u_int str_len) {
+static char* ndpi_expected_ports_str(ndpi_port_range *default_ports, char *str, u_int str_len) {
+ int rc;
+
str[0] = '\0';
- if(default_ports[0] != 0) {
+ if(default_ports[0].port_low != 0) {
u_int8_t i, offset;
offset = snprintf(str, str_len, "Expected on port ");
- for(i=0; (i<MAX_DEFAULT_PORTS) && (default_ports[i] != 0); i++) {
- int rc = snprintf(&str[offset], str_len-offset, "%s%u",
- (i > 0) ? "," : "", default_ports[i]);
+ for(i=0; (i<MAX_DEFAULT_PORTS) && (default_ports[i].port_low != 0); i++) {
+ if(default_ports[i].port_low == default_ports[i].port_high)
+ rc = snprintf(&str[offset], str_len-offset, "%s%u",
+ (i > 0) ? "," : "",
+ default_ports[i].port_low);
+ else
+ rc = snprintf(&str[offset], str_len-offset, "%s%u-%u",
+ (i > 0) ? "," : "",
+ default_ports[i].port_low,
+ default_ports[i].port_high);
if(rc > 0)
offset += rc;
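Review bot: The `offset += rc` step trusts the return value of `snprintf`, which is the length that would have been written rather than the length actually written. Once the output is truncated, `offset` can pass `str_len`, `str_len-offset` wraps as unsigned, and the next `&str[offset]` points outside the buffer. Ranges make truncation reachable where single ports did not: the two callers visible in this diff pass `char str[64]`, while the prefix plus five full `low-high` entries needs 17 + 5*11 + 4 = 76 characters. Stop on truncation before advancing, e.g. `if(rc <= 0 || (u_int)rc >= str_len - offset) break;` ahead of `offset += rc;`. The function body continues past the end of this hunk, so any later clamp on `offset` is not visible here.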
@@ -9133,7 +9163,7 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio
&& ((ret.proto.master_protocol != NDPI_PROTOCOL_UNKNOWN) || (ret.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN))
) {
default_ports_tree_node_t *found;
- u_int16_t *default_ports;
+ ndpi_port_range *default_ports;
if(packet->udp)
found = ndpi_get_guessed_protocol_id(ndpi_str, IPPROTO_UDP,
@@ -9163,8 +9193,9 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio
*/
u_int8_t found = 0, i;
- for(i=0; (i<MAX_DEFAULT_PORTS) && (default_ports[i] != 0); i++) {
- if(default_ports[i] == ntohs(flow->s_port)) {
+ for(i=0; (i<MAX_DEFAULT_PORTS) && (default_ports[i].port_low != 0); i++) {
+ if(default_ports[i].port_low >= ntohs(flow->s_port) &&
+ default_ports[i].port_high <= ntohs(flow->s_port)) {
found = 1;
break;
}
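Review bot: The range test is inverted: `default_ports[i].port_low >= ntohs(flow->s_port) && default_ports[i].port_high <= ntohs(flow->s_port)` holds only when low, high and the port are all equal, so neither 5060 nor 5061 matches a 5060-5061 entry. The same comparison is repeated for `c_port` and `s_port` in the `check_default_ports` loop two hunks further down. The likely effect is that flows on a port covered by a range are still reported as NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT, though the code that consumes `found` is outside the hunk. The condition should read `default_ports[i].port_low <= ntohs(flow->s_port) && ntohs(flow->s_port) <= default_ports[i].port_high`, and hoisting `ntohs(flow->s_port)` into a local would keep it readable.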
@@ -9176,7 +9207,7 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio
if((r == NULL)
|| ((r->proto->protoId != ret.proto.app_protocol) && (r->proto->protoId != ret.proto.master_protocol))) {
- if(default_ports && (default_ports[0] != 0)) {
+ if(default_ports && (default_ports[0].port_low != 0)) {
char str[64];
ndpi_set_risk(ndpi_str, flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT,
@@ -9185,12 +9216,15 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio
}
}
}
- } else if((!ndpi_is_ntop_protocol(&ret)) && default_ports && (default_ports[0] != 0)) {
+ } else if((!ndpi_is_ntop_protocol(&ret)) && default_ports && (default_ports[0].port_low != 0)) {
u_int8_t found = 0, i, num_loops = 0;
check_default_ports:
- for(i=0; (i<MAX_DEFAULT_PORTS) && (default_ports[i] != 0); i++) {
- if((default_ports[i] == ntohs(flow->c_port)) || (default_ports[i] == ntohs(flow->s_port))) {
+ for(i=0; (i<MAX_DEFAULT_PORTS) && (default_ports[i].port_low != 0); i++) {
+ if((default_ports[i].port_low >= ntohs(flow->c_port) &&
+ default_ports[i].port_high <= ntohs(flow->c_port)) ||
+ (default_ports[i].port_low >= ntohs(flow->s_port) &&
+ default_ports[i].port_high <= ntohs(flow->s_port))) {
found = 1;
break;
}
@@ -9214,7 +9248,7 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio
|| ((r->proto->protoId != ret.proto.app_protocol)
&& (r->proto->protoId != ret.proto.master_protocol))) {
if(ret.proto.app_protocol != NDPI_PROTOCOL_FTP_DATA) {
- u_int16_t *default_ports;
+ ndpi_port_range *default_ports;
if(packet->udp)
default_ports = ndpi_str->proto_defaults[ret.proto.master_protocol ? ret.proto.master_protocol : ret.proto.app_protocol].udp_default_ports;
@@ -9223,7 +9257,7 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio
else
default_ports = NULL;
- if(default_ports && (default_ports[0] != 0)) {
+ if(default_ports && (default_ports[0].port_low != 0)) {
char str[64];
ndpi_set_risk(ndpi_str, flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT,
@@ -10358,22 +10392,24 @@ int ndpi_get_category_id(struct ndpi_detection_module_struct *ndpi_str, char *ca
/* ****************************************************** */
-static char *default_ports_string(char *ports_str,u_int16_t *default_ports){
+static char *default_ports_string(char *ports_str, ndpi_port_range *default_ports){
//dont display zero ports on help screen
- if (default_ports[0] == 0)
+ if (default_ports[0].port_low == 0)
//- for readability
return "-";
int j=0;
do
{
- //max port len 5(eg 65535) + comma + nul
- char port[7];
- sprintf(port,"%d,",default_ports[j]);
+ char port[18];
+ if(default_ports[j].port_low == default_ports[j].port_high)
+ sprintf(port,"%d,",default_ports[j].port_low);
+ else
+ sprintf(port,"%d-%d,",default_ports[j].port_low, default_ports[j].port_high);
strcat(ports_str,port);
j++;
- } while (j < MAX_DEFAULT_PORTS && default_ports[j]!= 0);
+ } while (j < MAX_DEFAULT_PORTS && default_ports[j].port_low != 0);
//remove last comma
ports_str[strlen(ports_str)-1] = '\0';
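Review bot: `sprintf` into `port[18]` followed by `strcat` into `ports_str` is unbounded, and this commit removes the comments that derived the buffer sizes while making each entry longer. The sizes hold today: one entry is at most `65535-65535,` (12 characters plus NUL), and five of them fit the 128-byte buffers declared in `ndpi_dump_protocols` in the next hunk. Nothing ties 18 and 128 to MAX_DEFAULT_PORTS or to the entry format, though. I would restore a sizing comment such as `/* "65535-65535," = 12 chars + NUL */` and write `snprintf(port, sizeof(port), "%u-%u,", default_ports[j].port_low, default_ports[j].port_high);`, with the same change on the single-port branch. The function's tail lies outside this hunk.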
@@ -10391,9 +10427,9 @@ void ndpi_dump_protocols(struct ndpi_detection_module_struct *ndpi_str, FILE *du
if(!ndpi_str || !dump_out) return;
for(i = 0; i < (int) ndpi_str->ndpi_num_supported_protocols; i++) {
- //max port size(eg 65535) * 5 + 4 commas + nul
- char udp_ports[30] = "";
- char tcp_ports[30] = "";
+
+ char udp_ports[128] = "";
+ char tcp_ports[128] = "";
fprintf(dump_out, "%3d %8d %-22s %-10s %-8s %-12s %-18s %-31s %-31s\n",
i, ndpi_map_ndpi_id_to_user_proto_id(ndpi_str, i),
diff --git a/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out b/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out
index f26b3ebb6..12d34132b 100644
--- a/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out
+++ b/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out
@@ -64,7 +64,7 @@ Unrated 33 4066 33
21 UDP 192.86.1.2:5060 -> 200.68.120.99:5060 [proto: 100/SIP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 1][cat: VoIP/10][1 pkts/417 bytes -> 0 pkts/0 bytes][Goodput ratio: 90/0][< 1 sec][Risk: ** Susp Entropy **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic / Entropy: 5.584 (Executable?)][PLAIN TEXT (CANCEL qip)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
22 UDP 192.168.1.2:4292 -> 200.68.37.115:5060 [proto: 100/SIP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 100/SIP, Confidence: DPI][DPI packets: 1][cat: VoIP/10][1 pkts/417 bytes -> 0 pkts/0 bytes][Goodput ratio: 90/0][< 1 sec][SIP From: "arik" <sip:8166j6@voip.brurjula.net>;tag=6433ef9][SIP To: <sip:97239287044@voip.hrujula.neô>][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (CANCEL sip)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
23 UDP 192.169.1.2:5060 -> 200.68.120.81:5060 [proto: 100/SIP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 100/SIP, Confidence: DPI][DPI packets: 1][cat: VoIP/10][1 pkts/417 bytes -> 0 pkts/0 bytes][Goodput ratio: 90/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (CANCEL sip)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 24 UDP 192.168.1.2:4901 -> 200.68.120.81:29440 [proto: 100/SIP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 100/SIP, Confidence: DPI][DPI packets: 1][cat: VoIP/10][1 pkts/389 bytes -> 0 pkts/0 bytes][Goodput ratio: 68/0][< 1 sec][SIP From: "arik" <sip:816666@vSip.brurju…a.net>;tag=6433ef9][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic / Expected on port 5060,5061][PLAIN TEXT (ACK sip)][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 24 UDP 192.168.1.2:4901 -> 200.68.120.81:29440 [proto: 100/SIP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 100/SIP, Confidence: DPI][DPI packets: 1][cat: VoIP/10][1 pkts/389 bytes -> 0 pkts/0 bytes][Goodput ratio: 68/0][< 1 sec][SIP From: "arik" <sip:816666@vSip.brurju…a.net>;tag=6433ef9][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic / Expected on port 5060-5061][PLAIN TEXT (ACK sip)][Plen Bins: 0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
25 UDP 192.168.1.2:5060 -> 212.242.33.201:5060 [proto: 100/SIP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 100/SIP, Confidence: DPI][DPI packets: 1][cat: VoIP/10][1 pkts/366 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][< 1 sec][SIP From: "arik" <sip:35104ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (ACK sip)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
26 UDP 192.168.1.2:2795 <-> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 4][cat: Network/14][3 pkts/228 bytes <-> 1 pkts/128 bytes][Goodput ratio: 45/67][4.36 sec][Hostname/SNI: sip.cybercity.dk][212.242.33.35][DNS Id: 0xe2ef][PLAIN TEXT (cybercity)][Plen Bins: 0,75,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
27 UDP 192.168.1.2:2830 <-> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 4][cat: Network/14][3 pkts/228 bytes <-> 1 pkts/128 bytes][Goodput ratio: 45/67][4.37 sec][Hostname/SNI: sip.cybercity.dk][212.242.33.35][DNS Id: 0x4d35][PLAIN TEXT (cybercity)][Plen Bins: 0,75,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]