Teamviewer: varius fixes (#2228)

We already have a generic (and up to date) logic to handle ip addresses: remove that stale list. Teamviewer uses TCP and UDP, both; we can't access `flow->l4.udp`. According to a comment, we set the flow risk `NDPI_DESKTOP_OR_FILE_SHARING_SESSION` only for the UDP flows.
author: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> 2024-01-02 11:22:43 +0100
committer: GitHub <noreply@github.com> 2024-01-02 11:22:43 +0100
commit: d886a6107fd05a9e41de8ec3414cb4b353bda10e (patch)
tree: 4d5e186b4976ee9cd0b99b3f72081646f4437f04
parent: 2796bc9b4712e98f69091784b25f236d2a7a415c (diff)
5 files changed, 21 insertions, 44 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index af13a8fa8..792aea9ee 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -849,9 +849,6 @@ struct ndpi_flow_tcp_struct {
   /* NDPI_PROTOCOL_LOTUS_NOTES */
   u_int8_t lotus_notes_packet_id;
 
-  /* NDPI_PROTOCOL_TEAMVIEWER */
-  u_int8_t teamviewer_stage;
-
   /* NDPI_PROTOCOL_ZMQ */
   u_int8_t prev_zmq_pkt_len;
   u_char prev_zmq_pkt[10];
@@ -892,9 +889,6 @@ struct ndpi_flow_udp_struct {
   /* NDPI_PROTOCOL_SKYPE */
   u_int8_t skype_crc[4];
 
-  /* NDPI_PROTOCOL_TEAMVIEWER */
-  u_int8_t teamviewer_stage;
-
   /* NDPI_PROTOCOL_EAQ */
   u_int8_t eaq_pkt_id;
   u_int32_t eaq_sequence;
@@ -1455,6 +1449,8 @@ struct ndpi_flow_struct {
   /* NDPI_PROTOCOL_OOKLA */
   u_int8_t ookla_stage : 1;
 
+  /* NDPI_PROTOCOL_TEAMVIEWER */
+  u_int8_t teamviewer_stage : 3;
 
   /* NDPI_PROTOCOL_OPENVPN */
   u_int8_t ovpn_session_id[2][8];
diff --git a/src/lib/protocols/teamviewer.c b/src/lib/protocols/teamviewer.c
index 4c0df2e61..4ed7f1269 100644
--- a/src/lib/protocols/teamviewer.c
+++ b/src/lib/protocols/teamviewer.c
@@ -43,32 +43,12 @@ static void ndpi_search_teamview(struct ndpi_detection_module_struct *ndpi_struc
   struct ndpi_packet_struct *packet = &ndpi_struct->packet;
 
   NDPI_LOG_DBG(ndpi_struct, "search teamwiewer\n");
-  /*
-    TeamViewer
-    178.77.120.0/25
-
-    http://myip.ms/view/ip_owners/144885/Teamviewer_Gmbh.html
-  */
-  if(packet->iph) {
-    u_int32_t src = ntohl(packet->iph->saddr);
-    u_int32_t dst = ntohl(packet->iph->daddr);
-
-    /* 95.211.37.195 - 95.211.37.203 */
-    if(((src >= 1607673283) && (src <= 1607673291))
-       || ((dst >= 1607673283) && (dst <= 1607673291))
-       || ((src & 0xFFFFFF80 /* 255.255.255.128 */) == 0xB24D7800 /* 178.77.120.0 */)
-       || ((dst & 0xFFFFFF80 /* 255.255.255.128 */) == 0xB24D7800 /* 178.77.120.0 */)
-       ) {
-      ndpi_int_teamview_add_connection(ndpi_struct, flow);
-      return;
-    }
-  }
 
   if (packet->udp != NULL) {
     if (packet->payload_packet_len > 13) {
       if (packet->payload[0] == 0x00 && packet->payload[11] == 0x17 && packet->payload[12] == 0x24) { /* byte 0 is a counter/seq number, and at the start is 0 */
-	flow->l4.udp.teamviewer_stage++;
-	if (flow->l4.udp.teamviewer_stage == 4 ||
+	flow->teamviewer_stage++;
+	if (flow->teamviewer_stage == 4 ||
 	    packet->udp->dest == ntohs(5938) || packet->udp->source == ntohs(5938)) {
 	  ndpi_int_teamview_add_connection(ndpi_struct, flow);
 	  ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found TeamViewer"); /* Remote assistance (UDP only) */
@@ -80,19 +60,18 @@ static void ndpi_search_teamview(struct ndpi_detection_module_struct *ndpi_struc
   else if(packet->tcp != NULL) {
     if (packet->payload_packet_len > 2) {
       if (packet->payload[0] == 0x17 && packet->payload[1] == 0x24) {
-	flow->l4.udp.teamviewer_stage++;
-	if (flow->l4.udp.teamviewer_stage == 4 ||
+	flow->teamviewer_stage++;
+	if (flow->teamviewer_stage == 4 ||
 	    packet->tcp->dest == ntohs(5938) || packet->tcp->source == ntohs(5938)) {
 	  ndpi_int_teamview_add_connection(ndpi_struct, flow);
 	}
 	return;
       }
-      else if (flow->l4.udp.teamviewer_stage) {
+      else if (flow->teamviewer_stage) {
 	if (packet->payload[0] == 0x11 && packet->payload[1] == 0x30) {
-	  flow->l4.udp.teamviewer_stage++;
-	  if (flow->l4.udp.teamviewer_stage == 4) {
+	  flow->teamviewer_stage++;
+	  if (flow->teamviewer_stage == 4) {
 	    ndpi_int_teamview_add_connection(ndpi_struct, flow);
-	    ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found TeamViewer"); /* Remote assistance (UDP only) */
 	  }
 	}
 	return;
diff --git a/tests/cfgs/default/pcap/ossfuzz_seed_fake_traces_2.pcapng b/tests/cfgs/default/pcap/ossfuzz_seed_fake_traces_2.pcapng
index deb318357..260633932 100644
--- a/tests/cfgs/default/pcap/ossfuzz_seed_fake_traces_2.pcapng
+++ b/tests/cfgs/default/pcap/ossfuzz_seed_fake_traces_2.pcapng
diff --git a/tests/cfgs/default/result/irc.pcap.out b/tests/cfgs/default/result/irc.pcap.out
index daf93dc49..b27949f20 100644
--- a/tests/cfgs/default/result/irc.pcap.out
+++ b/tests/cfgs/default/result/irc.pcap.out
@@ -1,6 +1,6 @@
 DPI Packets (TCP):	7	(7.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 169 (169.00 diss/flow)
+Num dissector calls: 168 (168.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
diff --git a/tests/cfgs/default/result/ossfuzz_seed_fake_traces_2.pcapng.out b/tests/cfgs/default/result/ossfuzz_seed_fake_traces_2.pcapng.out
index 70c397dc4..ad251174b 100644
--- a/tests/cfgs/default/result/ossfuzz_seed_fake_traces_2.pcapng.out
+++ b/tests/cfgs/default/result/ossfuzz_seed_fake_traces_2.pcapng.out
@@ -1,10 +1,10 @@
 Guessed flow protos:	1
 
-DPI Packets (TCP):	18	(6.00 pkts/flow)
+DPI Packets (TCP):	30	(7.50 pkts/flow)
 DPI Packets (UDP):	4	(2.00 pkts/flow)
 Confidence Match by port    : 1 (flows)
-Confidence DPI              : 4 (flows)
-Num dissector calls: 690 (138.00 diss/flow)
+Confidence DPI              : 5 (flows)
+Num dissector calls: 912 (152.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
@@ -22,15 +22,17 @@ Patricia risk mask:   0/0 (search/found)
 Patricia risk mask IPv6: 0/0 (search/found)
 Patricia risk:        0/0 (search/found)
 Patricia risk IPv6:   0/0 (search/found)
-Patricia protocols:   10/0 (search/found)
+Patricia protocols:   12/0 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
 
 PostgreSQL	10	689	1
 Usenet	12	1099	2
+TeamViewer	59	31448	1
 WireGuard	4	592	2
 
-	1	TCP 172.16.20.244:59038 <-> 172.16.20.75:5432 [proto: 19/PostgreSQL][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Database/11][6 pkts/416 bytes <-> 4 pkts/273 bytes][Goodput ratio: 2/0][0.02 sec][bytes ratio: 0.208 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 4/9 17/18 7/9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 69/68 78/74 5/3][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	2	TCP 172.26.235.166:55630 <-> 172.30.92.62:119 [proto: 93/Usenet][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Web/5][4 pkts/293 bytes <-> 2 pkts/264 bytes][Goodput ratio: 7/47][0.02 sec][bytes ratio: 0.052 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/17 6/17 17/17 8/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/74 73/132 87/190 9/58][PLAIN TEXT (200 Leafnode NNTP Daemon)][Plen Bins: 50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	3	TCP 192.168.190.20:55630 <-> 192.168.190.5:119 [proto: 93/Usenet][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Web/5][4 pkts/278 bytes <-> 2 pkts/264 bytes][Goodput ratio: 2/47][0.02 sec][bytes ratio: 0.026 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/17 6/17 17/17 8/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/74 70/132 74/190 4/58][PLAIN TEXT (200 Leafnode NNTP Daemon)][Plen Bins: 50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	4	UDP 10.9.0.1:43462 <-> 10.9.0.2:51820 [proto: 206/WireGuard][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 2][cat: VPN/2][1 pkts/190 bytes <-> 1 pkts/106 bytes][Goodput ratio: 77/60][0.00 sec][Plen Bins: 0,0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	5	UDP 10.147.205.42:43462 <-> 10.45.123.132:51820 [proto: 206/WireGuard][IP: 0/Unknown][Encrypted][Confidence: Match by port][DPI packets: 2][cat: VPN/2][1 pkts/190 bytes <-> 1 pkts/106 bytes][Goodput ratio: 77/60][0.00 sec][Plen Bins: 0,0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	1	TCP 192.168.0.1:8787 <-> 10.10.10.1:32177 [proto: 148/TeamViewer][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 12][cat: RemoteAccess/12][25 pkts/14755 bytes <-> 34 pkts/16693 bytes][Goodput ratio: 90/89][2.12 sec][bytes ratio: -0.062 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 79/59 277/257 105/90][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 590/491 1514/1514 585/593][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (XDsiBZ)][Plen Bins: 0,19,2,5,2,0,0,0,0,0,0,5,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,2,15,5,0,2,2,2,0,0,0,0,0,0,29,0,0]
+	2	TCP 172.16.20.244:59038 <-> 172.16.20.75:5432 [proto: 19/PostgreSQL][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Database/11][6 pkts/416 bytes <-> 4 pkts/273 bytes][Goodput ratio: 2/0][0.02 sec][bytes ratio: 0.208 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 4/9 17/18 7/9][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 69/68 78/74 5/3][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	3	TCP 172.26.235.166:55630 <-> 172.30.92.62:119 [proto: 93/Usenet][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Web/5][4 pkts/293 bytes <-> 2 pkts/264 bytes][Goodput ratio: 7/47][0.02 sec][bytes ratio: 0.052 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/17 6/17 17/17 8/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/74 73/132 87/190 9/58][PLAIN TEXT (200 Leafnode NNTP Daemon)][Plen Bins: 50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	4	TCP 192.168.190.20:55630 <-> 192.168.190.5:119 [proto: 93/Usenet][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Web/5][4 pkts/278 bytes <-> 2 pkts/264 bytes][Goodput ratio: 2/47][0.02 sec][bytes ratio: 0.026 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/17 6/17 17/17 8/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/74 70/132 74/190 4/58][PLAIN TEXT (200 Leafnode NNTP Daemon)][Plen Bins: 50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	5	UDP 10.9.0.1:43462 <-> 10.9.0.2:51820 [proto: 206/WireGuard][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 2][cat: VPN/2][1 pkts/190 bytes <-> 1 pkts/106 bytes][Goodput ratio: 77/60][0.00 sec][Plen Bins: 0,0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	6	UDP 10.147.205.42:43462 <-> 10.45.123.132:51820 [proto: 206/WireGuard][IP: 0/Unknown][Encrypted][Confidence: Match by port][DPI packets: 2][cat: VPN/2][1 pkts/190 bytes <-> 1 pkts/106 bytes][Goodput ratio: 77/60][0.00 sec][Plen Bins: 0,0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
author	Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>	2024-01-02 11:22:43 +0100
committer	GitHub <noreply@github.com>	2024-01-02 11:22:43 +0100
commit	d886a6107fd05a9e41de8ec3414cb4b353bda10e (patch)
tree	4d5e186b4976ee9cd0b99b3f72081646f4437f04
parent	2796bc9b4712e98f69091784b25f236d2a7a415c (diff)