authorLuca Deri <deri@ntop.org>2017-06-13 15:06:27 +0200
committerLuca Deri <deri@ntop.org>2017-06-13 15:06:27 +0200
commitc46af1291a066d8ef2855b172444d55de4eecee2 (patch)
tree6c9820065851aca994438a3f3c2702903c3bd44a
parentf3f83f2eee0eaf4301670c07d3b5cdfe36a09f58 (diff)
Improved AppleStore detection
Modified string search matching to match the longest match (and not the first one)
-rw-r--r--src/lib/ndpi_content_match.c.inc14
-rw-r--r--src/lib/ndpi_main.c19
2 files changed, 21 insertions, 12 deletions
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index a1a501edf..528bf84a5 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -91,7 +91,7 @@ static ndpi_network host_protocol_list[] = {
{ 0xC60BFB20 /* 198.11.251.32/27 */, 27, NDPI_PROTOCOL_WHATSAPP },
{ 0xD02B73C0 /* 208.43.115.192/27 */, 27, NDPI_PROTOCOL_WHATSAPP },
{ 0xD02B7A80 /* 208.43.122.128/27 */, 27, NDPI_PROTOCOL_WHATSAPP },
-
+
/*
WeChat
@@ -859,7 +859,7 @@ static ndpi_network host_protocol_list[] = {
{ 0xAC100010 /* 172.16.0.16/32 */, 32, NDPI_PROTOCOL_BITTORRENT },
{ 0xB2A4F550 /* 178.164.245.80/32 */, 32, NDPI_PROTOCOL_BITTORRENT },
{ 0xAE597B3E /* 174.89.123.62/32 */, 32, NDPI_PROTOCOL_BITTORRENT },
-
+
/*
Tor
@@ -7987,6 +7987,10 @@ ndpi_protocol_match host_match[] = {
{ ".icloud.com", "AppleiCloud", NDPI_PROTOCOL_APPLE_ICLOUD, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ "iosapps.itunes.apple.com", "AppleStore", NDPI_PROTOCOL_APPLESTORE, NDPI_PROTOCOL_CATEGORY_SW_UPDATE, NDPI_PROTOCOL_ACCEPTABLE }, /* iOS */
{ "osxapps.itunes.apple.com", "AppleStore", NDPI_PROTOCOL_APPLESTORE, NDPI_PROTOCOL_CATEGORY_SW_UPDATE, NDPI_PROTOCOL_ACCEPTABLE }, /* MacOS */
+ { "buy.itunes.apple.com", "AppleStore", NDPI_PROTOCOL_APPLESTORE, NDPI_PROTOCOL_CATEGORY_SW_UPDATE, NDPI_PROTOCOL_ACCEPTABLE },
+ { "su.itunes.apple.com", "AppleStore", NDPI_PROTOCOL_APPLESTORE, NDPI_PROTOCOL_CATEGORY_SW_UPDATE, NDPI_PROTOCOL_ACCEPTABLE },
+ { "se.itunes.apple.com", "AppleStore", NDPI_PROTOCOL_APPLESTORE, NDPI_PROTOCOL_CATEGORY_SW_UPDATE, NDPI_PROTOCOL_ACCEPTABLE },
+ { "myapp.itunes.apple.com", "AppleStore", NDPI_PROTOCOL_APPLESTORE, NDPI_PROTOCOL_CATEGORY_SW_UPDATE, NDPI_PROTOCOL_ACCEPTABLE },
{ "swscan.apple.com", "AppleStore", NDPI_PROTOCOL_APPLESTORE, NDPI_PROTOCOL_CATEGORY_SW_UPDATE, NDPI_PROTOCOL_ACCEPTABLE },
{ "itunes-apple.com", "AppleStore", NDPI_PROTOCOL_APPLESTORE, NDPI_PROTOCOL_CATEGORY_SW_UPDATE, NDPI_PROTOCOL_ACCEPTABLE },
{ "itunes.apple.com", "AppleiTunes", NDPI_PROTOCOL_APPLE_ITUNES, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_FUN },
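Review bot: The new `su.itunes.apple.com` and `se.itunes.apple.com` patterns have no label boundary in front of them, so if host_match entries are matched as plain substrings (as the Aho-Corasick search in ndpi_main.c suggests), any host whose left-most label merely ends in `su` or `se` is caught as well. A constructed example is `browse.itunes.apple.com`, which would be reported as AppleStore / SW_UPDATE instead of AppleiTunes. The host string comes from the traffic being classified, so policy keyed on this category should not assume the match was exact. A leading dot would not fix this because it loses the bare host name, so a boundary check would have to live in the matcher; at minimum give each new row a trailing comment saying what it covers, as the `/* iOS */` and `/* MacOS */` rows do.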
@@ -8020,7 +8024,7 @@ ndpi_protocol_match host_match[] = {
{ "android.clients.google.com", "PlayStore", NDPI_PROTOCOL_PLAYSTORE, NDPI_PROTOCOL_CATEGORY_SW_UPDATE, NDPI_PROTOCOL_ACCEPTABLE },
{ "ggpht.com", "PlayStore", NDPI_PROTOCOL_PLAYSTORE, NDPI_PROTOCOL_CATEGORY_SW_UPDATE, NDPI_PROTOCOL_ACCEPTABLE },
-
+
{ "google.", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ ".google.", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ ".gstatic.com", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
@@ -8096,7 +8100,7 @@ ndpi_protocol_match host_match[] = {
{ ".spotify.", "Spotify", NDPI_PROTOCOL_SPOTIFY, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
{ "audio-fa.scdn.co", "Spotify", NDPI_PROTOCOL_SPOTIFY, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
-
+
{ ".pandora.com", "Pandora", NDPI_PROTOCOL_PANDORA, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
@@ -8308,7 +8312,7 @@ ndpi_protocol_match content_match[] = {
- www.fgd2iwya7vinfutj5wq5we.net
See also DGA (Domain Generation Algorithm)
-
+
In essence www.<name>.com|net
To do things properly we should check if host name in the certificate
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index b721b98cd..52a7d7222 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1637,11 +1637,14 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
static int ac_match_handler(AC_MATCH_t *m, void *param) {
int *matching_protocol_id = (int*)param;
- /* Stopping to the first match. We might consider searching
- * for the more specific match, paying more cpu cycles. */
+ /*
+ Return 1 for stopping to the first match.
+ We might consider searching for the more
+ specific match, paying more cpu cycles.
+ */
*matching_protocol_id = m->patterns[0].rep.number;
- return 1; /* 0 to continue searching, !0 to stop */
+ return 0; /* 0 to continue searching, !0 to stop */
}
/* ******************************************************************** */
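Review bot: The rewritten comment in ac_match_handler still says "Return 1 for stopping to the first match" while the function now returns 0, and with 0 every later callback overwrites `*matching_protocol_id`, so the result is the last match the automaton reports rather than the longest one the commit message promises. For a string that contains several patterns, the one ending furthest to the right wins, and that string is supplied by the traffic. If longest-match is the intent, the handler has to compare before storing, which means carrying the best length in `param` next to the id, e.g. `if(m->patterns[0].length > best->len) { best->len = m->patterns[0].length; best->id = m->patterns[0].rep.number; }` (assuming AC_PATTERN_t exposes the pattern length and that `patterns[0]` is the longest pattern ending at that position, neither of which is visible here). Otherwise replace the comment with `/* Keep searching: a later match overwrites an earlier one */` so it agrees with the return value.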
@@ -4615,9 +4618,9 @@ char* ndpi_strnstr(const char *s, const char *find, size_t slen) {
int ndpi_match_prefix(const u_int8_t *payload, size_t payload_len,
const char *str, size_t str_len)
{
- return str_len <= payload_len
- ? memcmp(payload, str, str_len) == 0
- : 0;
+ int rc = str_len <= payload_len ? memcmp(payload, str, str_len) == 0 : 0;
+
+ return rc;
}
/* ****************************************************** */
@@ -4628,7 +4631,8 @@ int ndpi_match_string_subprotocol(struct ndpi_detection_module_struct *ndpi_stru
int matching_protocol_id = NDPI_PROTOCOL_UNKNOWN;
AC_TEXT_t ac_input_text;
ndpi_automa *automa = is_host_match ? &ndpi_struct->host_automa : &ndpi_struct->content_automa;
-
+ int rc;
+
if((automa->ac_automa == NULL) || (string_to_match_len == 0)) return(NDPI_PROTOCOL_UNKNOWN);
if(!automa->ac_automa_finalized) {
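Review bot: `int rc;` is added here but nothing in the visible hunks assigns or reads it, and the next hunk still calls `ac_automata_search(...)` without capturing its result, so this looks like an unused variable that will trip `-Wunused-variable`. Either drop the declaration or use it, `rc = ac_automata_search(((AC_AUTOMATA_t*)automa->ac_automa), &ac_input_text, (void*)&matching_protocol_id);`, and then decide what an unexpected return should mean for the protocol id handed back to the caller. ndpi_match_string_subprotocol starts before this hunk and continues past it, so a use outside the shown lines cannot be ruled out.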
@@ -4638,6 +4642,7 @@ int ndpi_match_string_subprotocol(struct ndpi_detection_module_struct *ndpi_stru
ac_input_text.astring = string_to_match, ac_input_text.length = string_to_match_len;
ac_automata_search(((AC_AUTOMATA_t*)automa->ac_automa), &ac_input_text, (void*)&matching_protocol_id);
+
ac_automata_reset(((AC_AUTOMATA_t*)automa->ac_automa));
return(matching_protocol_id);