Merge branch 'dev' of https://github.com/ntop/nDPI into dev

author: Luca Deri <deri@ntop.org> 2019-03-08 15:59:26 +0000
committer: Luca Deri <deri@ntop.org> 2019-03-08 15:59:26 +0000
commit: aaa686b9fe4887196d6295f746e9c67465907912 (patch)
tree: 77d78d1c131b9610e0738037a72fb33ea8a65060 /src/lib/ndpi_main.c
parent: 03b0aa7185261f34dc60f1ac72ff142c5758f20d (diff)
parent: 59f683858b2b8f28e88b9348b75fef5164665964 (diff)
1 files changed, 46 insertions, 23 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 01b25a1b8..936f47dac 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1198,14 +1198,9 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
 			    no_master, "SkypeCall", NDPI_PROTOCOL_CATEGORY_VOIP,
 			    ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
 			    ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
-    ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_FREE_49,
+    ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TIKTOK,
 			    0 /* can_have_a_subprotocol */, no_master,
-			    no_master, "Free_49", NDPI_PROTOCOL_CATEGORY_VOIP,
-			    ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
-			    ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
-    ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_FREE_49,
-			    0 /* can_have_a_subprotocol */, no_master,
-			    no_master, "SkypeCall", NDPI_PROTOCOL_CATEGORY_VOIP,
+			    no_master, "TikTok", NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK,
 			    ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
 			    ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
     ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TEREDO,
@@ -1991,21 +1986,42 @@ static int ac_match_handler(AC_MATCH_t *m, AC_TEXT_t *txt, AC_REP_t *match) {
 	 m->match_num, m->patterns->astring);
 #endif
 
+  {
+    char *whatfound = strstr(buf, m->patterns->astring);
+
+#ifdef MATCH_DEBUG
+    printf("[NDPI] %s() [searching=%s][pattern=%s][%s][%c]\n", 
+	   __FUNCTION__, buf,  m->patterns->astring, 
+	   whatfound ? whatfound : "<NULL>",
+	   whatfound[-1]);
+#endif
+
+    /*
+      The patch below allows in case of pattern ws.amazon.com
+      to avoid matching aws.amazon.com whereas a.ws.amazon.com
+      has to match
+     */
+    if(whatfound && (whatfound != buf)
+       && (m->patterns->astring[0] != '.')  /* The searched patter does not start with . */
+       && strchr(m->patterns->astring, '.') /* The matched pattern has a . (e.g. numeric or sym IPs) */
+       && (whatfound[-1] != '.') 
+       )
+      return(0);
+  }
+
   /*
     Return 1 for stopping to the first match.
     We might consider searching for the more
     specific match, paying more cpu cycles.
   */
-
   memcpy(match, &m->patterns[0].rep, sizeof(AC_REP_t));
 
   if(((buf_len >= min_len) && (strncmp(&buf[buf_len-min_len], m->patterns->astring, min_len) == 0))
      || (strncmp(buf, m->patterns->astring, min_len) == 0) /* begins with */
-     )
-    {
+     ) {
 #ifdef MATCH_DEBUG
       printf("Found match [%s][%s] [len: %u][proto_id: %u]\n",
-	     buf, m->patterns->astring, min_len, *matching_protocol_id);
+	     buf, m->patterns->astring, min_len , *matching_protocol_id);
 #endif
     return(1); /* If the pattern found matches the string at the beginning we stop here */
   } else
@@ -2301,8 +2317,8 @@ int ndpi_match_string(void *_automa, char *string_to_match) {
 int ndpi_match_string_id(void *_automa, char *string_to_match, unsigned long *id) {
   AC_TEXT_t ac_input_text;
   AC_AUTOMATA_t *automa = (AC_AUTOMATA_t*)_automa;
-  AC_REP_t match = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NDPI_PROTOCOL_UNRATED };
-  
+  AC_REP_t match = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NDPI_PROTOCOL_UNRATED }; 
+
   *id = -1;
   if((automa == NULL)
      || (string_to_match == NULL)
@@ -2338,11 +2354,14 @@ static int hyperscanCustomEventHandler(unsigned int id,
 
 /* *********************************************** */
 
-static int ndpi_match_custom_category(struct ndpi_detection_module_struct *ndpi_struct,
+int ndpi_match_custom_category(struct ndpi_detection_module_struct *ndpi_struct,
 				      char *name, unsigned long *id) {
-  /* printf("[NDPI] %s(%s)\n", __FUNCTION__, name); */
+#ifdef DEBUG
+  printf("[NDPI] %s(%s) [enable_category_substring_match: %u]\n", 
+	 __FUNCTION__, name, ndpi_struct->enable_category_substring_match);
+#endif
 
-  if(!ndpi_struct->enable_category_substring_match) {
+  if(ndpi_struct->enable_category_substring_match == 0) {
     if(ndpi_struct->custom_categories.hostnames_hash == NULL)
       return(-1);
     else {
@@ -2731,7 +2750,8 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_mod,
       if(sscanf(value, "%u-%u", (u_int32_t *)&range.port_low, (u_int32_t *)&range.port_high) != 2)
 	range.port_low = range.port_high = atoi(&elem[4]);
       if(do_add)
-	addDefaultPort(ndpi_mod, &range, def, 1 /* Custom user proto */, is_tcp ? &ndpi_mod->tcpRoot : &ndpi_mod->udpRoot, __FUNCTION__,__LINE__);
+	addDefaultPort(ndpi_mod, &range, def, 1 /* Custom user proto */,
+		       is_tcp ? &ndpi_mod->tcpRoot : &ndpi_mod->udpRoot, __FUNCTION__,__LINE__);
       else
 	removeDefaultPort(&range, def, is_tcp ? &ndpi_mod->tcpRoot : &ndpi_mod->udpRoot);
     } else if(is_ip) {
@@ -4358,19 +4378,20 @@ int ndpi_enable_loaded_categories(struct ndpi_detection_module_struct *ndpi_str)
 /* ********************************************************************************* */
 
 int ndpi_fill_ip_protocol_category(struct ndpi_detection_module_struct *ndpi_struct,
-				 const struct ndpi_iphdr *iph,
+				 u_int32_t saddr,
+				 u_int32_t daddr,
 				 ndpi_protocol *ret) {
   if(ndpi_struct->custom_categories.categories_loaded) {
       prefix_t prefix;
       patricia_node_t *node;
-      
+
       /* Make sure all in network byte order otherwise compares wont work */
-      fill_prefix_v4(&prefix, (struct in_addr *)&iph->saddr,
+      fill_prefix_v4(&prefix, (struct in_addr *)&saddr,
 		     32, ((patricia_tree_t*)ndpi_struct->protocols_ptree)->maxbits);
       node = ndpi_patricia_search_best(ndpi_struct->custom_categories.ipAddresses, &prefix);
 
       if(!node) {
-	fill_prefix_v4(&prefix, (struct in_addr *)&iph->daddr,
+	fill_prefix_v4(&prefix, (struct in_addr *)&daddr,
 		       32, ((patricia_tree_t*)ndpi_struct->protocols_ptree)->maxbits);
 	node = ndpi_patricia_search_best(ndpi_struct->custom_categories.ipAddresses, &prefix);
       }
@@ -4385,12 +4406,14 @@ int ndpi_fill_ip_protocol_category(struct ndpi_detection_module_struct *ndpi_str
   return 0;
 }
 
+/* ********************************************************************************* */
+
 void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_struct,
 				 struct ndpi_flow_struct *flow,
 				 ndpi_protocol *ret) {
   if(ndpi_struct->custom_categories.categories_loaded) {
     if(flow->packet.iph) {
-      if(ndpi_fill_ip_protocol_category(ndpi_struct, flow->packet.iph, ret)) {
+      if(ndpi_fill_ip_protocol_category(ndpi_struct, flow->packet.iph->saddr, flow->packet.iph->daddr, ret)) {
         flow->category = ret->category;
         return;
       }
@@ -4435,7 +4458,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
 
   if(ndpi_struct->ndpi_log_level >= NDPI_LOG_TRACE)
   	NDPI_LOG(flow ? flow->detected_protocol_stack[0]:NDPI_PROTOCOL_UNKNOWN,
-		  ndpi_struct, NDPI_LOG_TRACE, "START packet processing\n");
+		 ndpi_struct, NDPI_LOG_TRACE, "START packet processing\n");
   if(flow == NULL)
     return(ret);
author	Luca Deri <deri@ntop.org>	2019-03-08 15:59:26 +0000
committer	Luca Deri <deri@ntop.org>	2019-03-08 15:59:26 +0000
commit	aaa686b9fe4887196d6295f746e9c67465907912 (patch)
tree	77d78d1c131b9610e0738037a72fb33ea8a65060 /src/lib/ndpi_main.c
parent	03b0aa7185261f34dc60f1ac72ff142c5758f20d (diff)
parent	59f683858b2b8f28e88b9348b75fef5164665964 (diff)