authorLuca Deri <deri@ntop.org>2016-06-19 21:25:58 +0200
committerLuca Deri <deri@ntop.org>2016-06-19 21:25:58 +0200
commitadbba699887af89e89e14d55ea614677750b02f4 (patch)
tree6fb8e26f5c90b050699f7c2d2c2afba636f767e6
parent6c83cd627f13649a62dc9d5821fb5a0397951b81 (diff)
Removed false positives from CoAP protocol
Improved DNS detection. Added missing default DropBox port. Fix for #154. Added sample pcap of Tor traffic for regression testing.
-rw-r--r--example/ndpiReader.c2
-rw-r--r--src/lib/ndpi_main.c5
-rw-r--r--src/lib/protocols/coap.c38
-rw-r--r--src/lib/protocols/dns.c18
-rw-r--r--src/lib/protocols/dropbox.c1
-rw-r--r--src/lib/protocols/tor.c7
-rw-r--r--tests/pcap/tor.pcapbin0 -> 3155084 bytes
-rw-r--r--tests/result/tor.pcap.out17
8 files changed, 64 insertions, 24 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index e51407592..deb61b681 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -633,7 +633,7 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) {
/* Preferences */
ndpi_thread_info[thread_id].workflow->ndpi_struct->http_dont_dissect_response = 0;
- ndpi_thread_info[thread_id].workflow->ndpi_struct->dns_dissect_response = 1;
+ ndpi_thread_info[thread_id].workflow->ndpi_struct->dns_dissect_response = 0;
ndpi_workflow_set_flow_detected_callback(ndpi_thread_info[thread_id].workflow,
on_protocol_discovered, (void *)(uintptr_t)thread_id);
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index fa32146a9..cbac5cf8b 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1365,6 +1365,11 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
no_master, "QUIC",
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 443, 80, 0, 0, 0) /* UDP */);
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DROPBOX,
+ no_master,
+ no_master, "Dropbox",
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 17500, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_EAQ,
no_master,
no_master, "EAQ",
diff --git a/src/lib/protocols/coap.c b/src/lib/protocols/coap.c
index cddf31b7e..5f8e97863 100644
--- a/src/lib/protocols/coap.c
+++ b/src/lib/protocols/coap.c
@@ -72,7 +72,7 @@ struct ndpi_coap_hdr
[164] = "5.04 Gateway Timeout",
[165] = "5.05 Proxying Not Supported"
**/
-
+
/**
* Entry point when protocol is identified.
@@ -84,6 +84,20 @@ static void ndpi_int_coap_add_connection (struct ndpi_detection_module_struct *n
}
/**
+ * Check if the default port is acceptable
+ *
+ * UDP Port 5683 (mandatory)
+ * UDP Ports 61616-61631 compressed 6lowPAN
+ */
+static int isCoAPport(u_int16_t port) {
+ if((port == 5683)
+ || ((port >= 61616) && (port <= 61631)))
+ return(1);
+ else
+ return(0);
+}
+
+/**
* Dissector function that searches CoAP headers
*/
void ndpi_search_coap (struct ndpi_detection_module_struct *ndpi_struct,
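Review bot: The `if`/`else` in the new isCoAPport that returns 1 and 0 is a longer way of writing the boolean itself; `return (port == 5683) || ((port >= 61616) && (port <= 61631));` reads the same and drops the redundant `else` after a `return`. The three port numbers could also be named constants (an enum or `#define`) so that the header comment listing them and the code cannot drift apart.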
@@ -91,22 +105,24 @@ void ndpi_search_coap (struct ndpi_detection_module_struct *ndpi_struct,
{
struct ndpi_packet_struct *packet = &flow->packet;
struct ndpi_coap_hdr * h = (struct ndpi_coap_hdr*) packet->payload;
-
+
if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) {
return;
}
// search for udp packet
if(packet->udp != NULL) {
-
- // header too short
- if(packet->payload_packet_len < 4) {
-
+ u_int16_t s_port = ntohs(flow->packet.udp->source);
+ u_int16_t d_port = ntohs(flow->packet.udp->dest);
+
+ if((!isCoAPport(s_port) && !isCoAPport(s_port))
+ || (packet->payload_packet_len < 4) // header too short
+ ) {
NDPI_LOG(NDPI_PROTOCOL_COAP, ndpi_struct, NDPI_LOG_DEBUG, "excluding Coap\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_COAP);
return;
}
-
+
NDPI_LOG(NDPI_PROTOCOL_COAP, ndpi_struct, NDPI_LOG_DEBUG, "calculating coap over udp.\n");
// check values in header
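Review bot: The new guard at the `if((!isCoAPport(s_port) && !isCoAPport(s_port))` line tests the source port twice and never looks at `d_port`, so a client sending to UDP 5683 from an ephemeral port is excluded from CoAP on its first packet and `d_port` is left as an unused local; the intended line is `if((!isCoAPport(s_port) && !isCoAPport(d_port))`. Since the check now excludes the protocol for the whole flow, a short comment above it noting that CoAP on non-default ports is deliberately not dissected would document the trade-off behind the false-positive fix. ndpi_search_coap starts before this hunk and its body continues past it.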
@@ -116,21 +132,21 @@ void ndpi_search_coap (struct ndpi_detection_module_struct *ndpi_struct,
if((h->code >= 0 && h->code <= 5) || (h->code >= 65 && h->code <= 69) ||
(h->code >= 128 && h->code <= 134) || (h->code >= 140 && h->code <= 143) ||
(h->code >= 160 && h->code <= 165)) {
-
+
NDPI_LOG(NDPI_PROTOCOL_COAP, ndpi_struct, NDPI_LOG_DEBUG, "Coap found...\n");
ndpi_int_coap_add_connection(ndpi_struct,flow);
return;
}
}
}
- }
+ }
}
-
+
NDPI_LOG(NDPI_PROTOCOL_COAP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding Coap ...\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_COAP);
return;
-
}
+
/**
* Entry point for the ndpi library
*/
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index f95ebbc36..7ee114579 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -126,8 +126,6 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
} else
invalid = 1;
- if(ndpi_struct->dns_dissect_response)
- return; /* The response will set the verdict */
} else {
/* DNS Reply */
@@ -198,11 +196,18 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
off++;
}
+
flow->host_server_name[j] = '\0';
flow->protos.dns.num_queries = (u_int8_t)dns_header.num_queries,
flow->protos.dns.num_answers = (u_int8_t) (dns_header.num_answers + dns_header.authority_rrs + dns_header.additional_rrs);
+ if(j > 0)
+ ndpi_match_host_subprotocol(ndpi_struct, flow,
+ (char *)flow->host_server_name,
+ strlen((const char*)flow->host_server_name),
+ NDPI_PROTOCOL_DNS);
+
#ifdef DNS_DEBUG
printf("[%s:%d] [num_queries=%d][num_answers=%d][reply_code=%u][rsp_type=%u][host_server_name=%s]\n",
__FILE__, __LINE__,
@@ -210,14 +215,11 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
flow->protos.dns.reply_code, flow->protos.dns.rsp_type, flow->host_server_name
);
#endif
-
- if(j > 0)
- ndpi_match_host_subprotocol(ndpi_struct, flow,
- (char *)flow->host_server_name,
- strlen((const char*)flow->host_server_name),
- NDPI_PROTOCOL_DNS);
if(flow->packet.detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {
+ if(is_query && ndpi_struct->dns_dissect_response)
+ return; /* The response will set the verdict */
+
/**
Do not set the protocol with DNS if ndpi_match_host_subprotocol() has
matched a subprotocol
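Review bot: The comment on the moved early return, `/* The response will set the verdict */`, no longer describes the full condition: the return is now reached only for a query whose host name did not match a subprotocol, because the ndpi_match_host_subprotocol() call earlier in the function has already run. A comment such as `/* Query with no subprotocol match: defer the verdict to the response */` would make that ordering explicit. `is_query` is not visible in this hunk, so I assume it is set where the query/reply branches split earlier in ndpi_search_dns, which starts before this hunk and continues past it.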
diff --git a/src/lib/protocols/dropbox.c b/src/lib/protocols/dropbox.c
index f51de95d2..3e53b4224 100644
--- a/src/lib/protocols/dropbox.c
+++ b/src/lib/protocols/dropbox.c
@@ -44,7 +44,6 @@ static void ndpi_check_dropbox(struct ndpi_detection_module_struct *ndpi_struct,
u_int32_t payload_len = packet->payload_packet_len;
if(packet->udp != NULL) {
-
u_int16_t dropbox_port = htons(DB_LSP_PORT);
if((packet->udp->source == dropbox_port)
diff --git a/src/lib/protocols/tor.c b/src/lib/protocols/tor.c
index 7903bf511..cb926d5f0 100644
--- a/src/lib/protocols/tor.c
+++ b/src/lib/protocols/tor.c
@@ -24,7 +24,7 @@ int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct,
if((certificate == NULL)
|| (strlen(certificate) < 6)
- || !(strncmp(certificate, "www.", 4)))
+ || (strncmp(certificate, "www.", 4)))
return(0);
// printf("***** [SSL] %s(): %s\n", __FUNCTION__, certificate);
@@ -39,10 +39,11 @@ int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct,
len = strlen(name);
- if(len > 6) {
+ if(len >= 5) {
for(i = 0; name[i+1] != '\0'; i++) {
+ // printf("***** [SSL] %s(): [%d][%c]", __FUNCTION__, i, name[i]);
+
if((name[i] >= '0') && (name[i] <= '9')) {
-
if(prev_num != 1) {
numbers_found++;
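Review bot: The commented-out printf added at the `// printf("***** [SSL] %s(): [%d][%c]", ...)` line is dead code alongside the one already commented out in the previous hunk; either drop it or put it under a compile-time debug guard, as dns.c does with `#ifdef DNS_DEBUG`. The loosened `if(len >= 5)` threshold is consistent with the `strlen(certificate) < 6` check in the first hunk only if `name` is the certificate minus its `www.` prefix, which this hunk does not show. ndpi_is_ssl_tor starts before this hunk and its body continues past it.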
diff --git a/tests/pcap/tor.pcap b/tests/pcap/tor.pcap
new file mode 100644
index 000000000..bf5b43649
--- /dev/null
+++ b/tests/pcap/tor.pcap
Binary files differ
diff --git a/tests/result/tor.pcap.out b/tests/result/tor.pcap.out
new file mode 100644
index 000000000..b6008355d
--- /dev/null
+++ b/tests/result/tor.pcap.out
@@ -0,0 +1,17 @@
+NetBIOS 1 252 1
+DHCPV6 6 906 1
+DropBox 10 1860 1
+Skype 1 60 1
+Tor 3676 3014362 7
+
+ 1 UDP 192.168.1.1:17500 <-> 192.168.1.255:17500 [proto: 121/DropBox][10 pkts/1860 bytes]
+ 2 UDP [fe80::c583:1972:5728:7323]:547 <-> [ff02::1:2]:546 [proto: 103/DHCPV6][6 pkts/906 bytes]
+ 3 TCP 212.83.155.250:443 <-> 192.168.1.252:51174 [proto: 163/Tor][32 pkts/10431 bytes][SSL client: www.t3i3ru.com]
+ 4 TCP 46.59.52.31:443 <-> 192.168.1.252:51111 [proto: 163/Tor][34 pkts/11142 bytes][SSL client: www.e6r5p57kbafwrxj3plz.com]
+ 5 TCP 91.143.93.242:443 <-> 192.168.1.252:51175 [proto: 163/Tor][38 pkts/12520 bytes][SSL client: www.gfu7hbxpfp.com]
+ 6 TCP 157.56.30.46:443 <-> 192.168.1.252:51104 [proto: 91.125/SSL.Skype][1 pkts/60 bytes]
+ 7 UDP 192.168.1.252:138 <-> 192.168.1.255:138 [proto: 10/NetBIOS][1 pkts/252 bytes]
+ 8 TCP 38.229.70.53:443 <-> 192.168.1.252:51112 [proto: 163/Tor][1576 pkts/1388792 bytes][SSL client: www.q4cyamnc6mtokjurvdclt.com]
+ 9 TCP 38.229.70.53:443 <-> 192.168.1.252:51176 [proto: 163/Tor][1826 pkts/1513278 bytes][SSL client: www.jmts2id.com]
+ 10 TCP 62.210.137.230:443 <-> 192.168.1.252:51185 [proto: 163/Tor][29 pkts/9661 bytes][SSL client: www.6gyip7tqim7sieb.com]
+ 11 TCP 91.143.93.242:443 <-> 192.168.1.252:51110 [proto: 163/Tor][141 pkts/68538 bytes][SSL client: www.ct7ctrgb6cr7.com]