authorLuca Deri <deri@ntop.org>2023-06-13 19:20:02 +0200
committerLuca Deri <deri@ntop.org>2023-06-13 19:20:02 +0200
commit66bee475ae1b1f4b1b4104555b7bb4d38c3e20b6 (patch)
tree0a25ebd0da88ed5fc44be2daa2845ad68b09ae17
parentde3cf260f84796288225658882f59825b8bd5370 (diff)
Improved line protocol dissection with heuristic
-rw-r--r--src/lib/protocols/line.c30
-rw-r--r--tests/cfgs/default/result/line.pcap.out12
2 files changed, 35 insertions, 7 deletions
diff --git a/src/lib/protocols/line.c b/src/lib/protocols/line.c
index d49dd4c27..738e3e2c8 100644
--- a/src/lib/protocols/line.c
+++ b/src/lib/protocols/line.c
@@ -42,10 +42,38 @@ static void ndpi_search_line(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_LOG_DBG(ndpi_struct, "searching LineCall\n");
+ if(packet->iph && (flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_LINE)) {
+ /*
+ The heuristic below (coming from reverse engineering packet traces)
+ will apply only to IPv4 and Line IP addresses. This is to avoid puttin
+ false positives in other nDPI-decoded protocols.
+ */
+
+ if ((packet->payload_packet_len == 110 &&
+ ndpi_struct->packet.payload[0] == 0xB6 && ndpi_struct->packet.payload[1] == 0x18 && ndpi_struct->packet.payload[2] == 0x00 && ndpi_struct->packet.payload[3] == 0x6A) ||
+ (packet->payload_packet_len >= 738 && (ndpi_struct->packet.payload[0] == 0xDA || ndpi_struct->packet.payload[0] == 0xDB) &&
+ ndpi_struct->packet.payload[4] == 0x06 && ndpi_struct->packet.payload[5] == 0x02) ||
+ (packet->payload_packet_len >= 150 && (ndpi_struct->packet.payload[0] == 0xD9 || ndpi_struct->packet.payload[0] == 0xD8) &&
+ ((ndpi_struct->packet.payload[1] & 0xF0) == 0x90 || (ndpi_struct->packet.payload[1] & 0xF0) == 0xD0 || (ndpi_struct->packet.payload[1] & 0xF0) == 0xE0) && ndpi_struct->packet.payload[4] == 0x06 &&
+ ndpi_struct->packet.payload[5] == 0x02)) {
+ ndpi_int_line_add_connection(ndpi_struct, flow);
+ return;
+ }
+
+ if ((packet->payload_packet_len == 46 && ntohl(get_u_int32_t(packet->payload, 0)) == 0xb6130006) ||
+ (packet->payload_packet_len == 8 && ntohl(get_u_int32_t(packet->payload, 0)) == 0xb6070004) ||
+ (packet->payload_packet_len == 16 && ntohl(get_u_int32_t(packet->payload, 0)) == 0xb609000c) ||
+ (ndpi_struct->packet.payload[0] == 0xD0 &&
+ (ndpi_struct->packet.payload[1] == 0xB3 || ndpi_struct->packet.payload[1] == 0xB4
+ || ndpi_struct->packet.payload[1] == 0xDA || ndpi_struct->packet.payload[1] == 0xDB))) {
+ ndpi_int_line_add_connection(ndpi_struct, flow);
+ return;
+ }
+ }
+
/* Some "random" UDP packets before the standard RTP stream:
it seems that the 4th bytes of these packets is some kind of packet
number. Look for 4 packets per direction with consecutive numbers. */
-
if(packet->payload_packet_len > 10) {
if(flow->l4.udp.line_pkts[packet->packet_direction] == 0) {
flow->l4.udp.line_base_cnt[packet->packet_direction] = packet->payload[3];
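Review bot: The last alternative of the second added check (`ndpi_struct->packet.payload[0] == 0xD0 && ... payload[1] == ...`) reads two payload bytes with no length guard, whereas every other alternative in both checks is preceded by a `payload_packet_len` comparison; a zero- or one-byte UDP payload reaches this read unless the dispatcher only calls the dissector with payload present, which the hunk does not show, and the pre-existing `> 10` guard before `payload[3]` suggests no such guarantee is assumed. The guard should read `(packet->payload_packet_len >= 2 && ndpi_struct->packet.payload[0] == 0xD0 &&`. That same alternative also matches on only two bytes with no length constraint, so it is the loosest signature of the set and the one most likely to produce false positives within Line-addressed flows; a short comment recording which trace pattern it came from would help whoever tunes it later, and "puttin" in the block comment is a typo for "putting". The new code alternates between `packet->payload` and `ndpi_struct->packet.payload`; if `packet` aliases `&ndpi_struct->packet`, as the surrounding code suggests, using one form throughout would make these long conditions easier to read. ndpi_search_line starts before and continues after this hunk.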
diff --git a/tests/cfgs/default/result/line.pcap.out b/tests/cfgs/default/result/line.pcap.out
index dc1b56fa2..ca018e034 100644
--- a/tests/cfgs/default/result/line.pcap.out
+++ b/tests/cfgs/default/result/line.pcap.out
@@ -1,11 +1,11 @@
Guessed flow protos: 0
DPI Packets (TCP): 13 (6.50 pkts/flow)
-DPI Packets (UDP): 40 (13.33 pkts/flow)
+DPI Packets (UDP): 3 (1.00 pkts/flow)
Confidence DPI : 5 (flows)
-Num dissector calls: 605 (121.00 diss/flow)
+Num dissector calls: 308 (61.60 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
-LRU cache bittorrent: 0/9/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
LRU cache stun: 0/0/0 (insert/search/found)
LRU cache tls_cert: 0/0/0 (insert/search/found)
@@ -30,8 +30,8 @@ JA3 Host Stats:
1 10.200.3.125 1
- 1 UDP 10.200.3.125:51161 <-> 147.92.169.90:29070 [proto: 316/LineCall][IP: 315/Line][Encrypted][Confidence: DPI][DPI packets: 23][cat: VoIP/10][55 pkts/14935 bytes <-> 66 pkts/16136 bytes][Goodput ratio: 85/83][8.68 sec][bytes ratio: -0.039 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 22/145 225/7269 38/970][Pkt Len c2s/s2c min/avg/max/stddev: 72/72 272/244 895/584 229/209][Plen Bins: 2,28,23,15,1,0,0,0,0,0,1,0,0,0,0,0,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 1 UDP 10.200.3.125:51161 <-> 147.92.169.90:29070 [proto: 316/LineCall][IP: 315/Line][Encrypted][Confidence: DPI][DPI packets: 1][cat: VoIP/10][55 pkts/14935 bytes <-> 66 pkts/16136 bytes][Goodput ratio: 85/83][8.68 sec][bytes ratio: -0.039 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 22/145 225/7269 38/970][Pkt Len c2s/s2c min/avg/max/stddev: 72/72 272/244 895/584 229/209][Plen Bins: 2,28,23,15,1,0,0,0,0,0,1,0,0,0,0,0,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
2 TCP 10.200.3.125:57841 <-> 147.92.165.194:443 [proto: 91/TLS][IP: 315/Line][Encrypted][Confidence: DPI][DPI packets: 5][cat: Web/5][31 pkts/6628 bytes <-> 41 pkts/4871 bytes][Goodput ratio: 75/51][85.95 sec][bytes ratio: 0.153 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1025/720 14545/14632 2971/2537][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 214/119 3192/388 546/101][Plen Bins: 0,50,10,15,0,5,2,0,5,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2]
3 TCP 10.200.3.125:58160 <-> 147.92.242.232:443 [proto: 91.315/TLS.Line][IP: 315/Line][Encrypted][Confidence: DPI][DPI packets: 8][cat: Chat/9][16 pkts/4057 bytes <-> 21 pkts/5423 bytes][Goodput ratio: 78/78][70.05 sec][Hostname/SNI: uts-front.line-apps.com][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1][bytes ratio: -0.144 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/0 5755/2607 29999/29999 11001/7538][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 254/258 627/1514 230/419][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: ca75ea4a95a9164cc96e372d7d075183][ServerNames: *.line-apps.com,line-apps.com][JA3S: 567bb420d39046dbfd1f68b558d86382][Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018][Subject: C=JP, ST=Tokyo-to, L=Shinjuku-ku, O=LINE Corporation, CN=*.line-apps.com][Certificate SHA-1: 3C:37:D7:AB:BE:E6:5A:A5:BE:14:62:C8:21:8C:BC:E3:3E:A8:3E:96][Firefox][Validity: 2020-08-17 06:21:02 - 2022-11-13 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 5,15,5,0,0,15,0,0,5,15,5,0,0,0,0,0,10,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]
- 4 UDP 10.0.2.15:50835 <-> 125.209.252.210:20610 [proto: 316/LineCall][IP: 315/Line][Encrypted][Confidence: DPI][DPI packets: 9][cat: VoIP/10][28 pkts/5296 bytes <-> 22 pkts/3942 bytes][Goodput ratio: 78/77][1.93 sec][bytes ratio: 0.147 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 64/59 602/533 152/133][Pkt Len c2s/s2c min/avg/max/stddev: 72/78 189/179 914/782 220/158][Plen Bins: 2,58,4,0,4,8,2,6,6,2,0,2,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 5 UDP 10.200.3.125:51170 <-> 147.92.169.90:29070 [proto: 316/LineCall][IP: 315/Line][Encrypted][Confidence: DPI][DPI packets: 8][cat: VoIP/10][5 pkts/898 bytes <-> 5 pkts/1046 bytes][Goodput ratio: 77/80][8.07 sec][bytes ratio: -0.076 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1999/1999 2009/2009 2038/2037 17/16][Pkt Len c2s/s2c min/avg/max/stddev: 174/198 180/209 202/254 11/22][Plen Bins: 0,0,0,0,80,10,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 4 UDP 10.0.2.15:50835 <-> 125.209.252.210:20610 [proto: 316/LineCall][IP: 315/Line][Encrypted][Confidence: DPI][DPI packets: 1][cat: VoIP/10][28 pkts/5296 bytes <-> 22 pkts/3942 bytes][Goodput ratio: 78/77][1.93 sec][bytes ratio: 0.147 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 64/59 602/533 152/133][Pkt Len c2s/s2c min/avg/max/stddev: 72/78 189/179 914/782 220/158][Plen Bins: 2,58,4,0,4,8,2,6,6,2,0,2,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 5 UDP 10.200.3.125:51170 <-> 147.92.169.90:29070 [proto: 316/LineCall][IP: 315/Line][Encrypted][Confidence: DPI][DPI packets: 1][cat: VoIP/10][5 pkts/898 bytes <-> 5 pkts/1046 bytes][Goodput ratio: 77/80][8.07 sec][bytes ratio: -0.076 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1999/1999 2009/2009 2038/2037 17/16][Pkt Len c2s/s2c min/avg/max/stddev: 174/198 180/209 202/254 11/22][Plen Bins: 0,0,0,0,80,10,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]