aboutsummaryrefslogtreecommitdiff
path: root/src/lib/ndpi_main.c
diff options
context:
space:
mode:
authorLuca Deri <deri@ntop.org>2019-03-08 15:59:26 +0000
committerLuca Deri <deri@ntop.org>2019-03-08 15:59:26 +0000
commitaaa686b9fe4887196d6295f746e9c67465907912 (patch)
tree77d78d1c131b9610e0738037a72fb33ea8a65060 /src/lib/ndpi_main.c
parent03b0aa7185261f34dc60f1ac72ff142c5758f20d (diff)
parent59f683858b2b8f28e88b9348b75fef5164665964 (diff)
Merge branch 'dev' of https://github.com/ntop/nDPI into dev
Diffstat (limited to 'src/lib/ndpi_main.c')
-rw-r--r--src/lib/ndpi_main.c69
1 files changed, 46 insertions, 23 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 01b25a1b8..936f47dac 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1198,14 +1198,9 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
no_master, "SkypeCall", NDPI_PROTOCOL_CATEGORY_VOIP,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
- ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_FREE_49,
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TIKTOK,
0 /* can_have_a_subprotocol */, no_master,
- no_master, "Free_49", NDPI_PROTOCOL_CATEGORY_VOIP,
- ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
- ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
- ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_FREE_49,
- 0 /* can_have_a_subprotocol */, no_master,
- no_master, "SkypeCall", NDPI_PROTOCOL_CATEGORY_VOIP,
+ no_master, "TikTok", NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TEREDO,
@@ -1991,21 +1986,42 @@ static int ac_match_handler(AC_MATCH_t *m, AC_TEXT_t *txt, AC_REP_t *match) {
m->match_num, m->patterns->astring);
#endif
+ {
+ char *whatfound = strstr(buf, m->patterns->astring);
+
+#ifdef MATCH_DEBUG
+ printf("[NDPI] %s() [searching=%s][pattern=%s][%s][%c]\n",
+ __FUNCTION__, buf, m->patterns->astring,
+ whatfound ? whatfound : "<NULL>",
+ whatfound[-1]);
+#endif
+
+ /*
+ The patch below allows in case of pattern ws.amazon.com
+ to avoid matching aws.amazon.com whereas a.ws.amazon.com
+ has to match
+ */
+ if(whatfound && (whatfound != buf)
+ && (m->patterns->astring[0] != '.') /* The searched patter does not start with . */
+ && strchr(m->patterns->astring, '.') /* The matched pattern has a . (e.g. numeric or sym IPs) */
+ && (whatfound[-1] != '.')
+ )
+ return(0);
+ }
+
/*
Return 1 for stopping to the first match.
We might consider searching for the more
specific match, paying more cpu cycles.
*/
-
memcpy(match, &m->patterns[0].rep, sizeof(AC_REP_t));
if(((buf_len >= min_len) && (strncmp(&buf[buf_len-min_len], m->patterns->astring, min_len) == 0))
|| (strncmp(buf, m->patterns->astring, min_len) == 0) /* begins with */
- )
- {
+ ) {
#ifdef MATCH_DEBUG
printf("Found match [%s][%s] [len: %u][proto_id: %u]\n",
- buf, m->patterns->astring, min_len, *matching_protocol_id);
+ buf, m->patterns->astring, min_len , *matching_protocol_id);
#endif
return(1); /* If the pattern found matches the string at the beginning we stop here */
} else
@@ -2301,8 +2317,8 @@ int ndpi_match_string(void *_automa, char *string_to_match) {
int ndpi_match_string_id(void *_automa, char *string_to_match, unsigned long *id) {
AC_TEXT_t ac_input_text;
AC_AUTOMATA_t *automa = (AC_AUTOMATA_t*)_automa;
- AC_REP_t match = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NDPI_PROTOCOL_UNRATED };
-
+ AC_REP_t match = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NDPI_PROTOCOL_UNRATED };
+
*id = -1;
if((automa == NULL)
|| (string_to_match == NULL)
@@ -2338,11 +2354,14 @@ static int hyperscanCustomEventHandler(unsigned int id,
/* *********************************************** */
-static int ndpi_match_custom_category(struct ndpi_detection_module_struct *ndpi_struct,
+int ndpi_match_custom_category(struct ndpi_detection_module_struct *ndpi_struct,
char *name, unsigned long *id) {
- /* printf("[NDPI] %s(%s)\n", __FUNCTION__, name); */
+#ifdef DEBUG
+ printf("[NDPI] %s(%s) [enable_category_substring_match: %u]\n",
+ __FUNCTION__, name, ndpi_struct->enable_category_substring_match);
+#endif
- if(!ndpi_struct->enable_category_substring_match) {
+ if(ndpi_struct->enable_category_substring_match == 0) {
if(ndpi_struct->custom_categories.hostnames_hash == NULL)
return(-1);
else {
@@ -2731,7 +2750,8 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_mod,
if(sscanf(value, "%u-%u", (u_int32_t *)&range.port_low, (u_int32_t *)&range.port_high) != 2)
range.port_low = range.port_high = atoi(&elem[4]);
if(do_add)
- addDefaultPort(ndpi_mod, &range, def, 1 /* Custom user proto */, is_tcp ? &ndpi_mod->tcpRoot : &ndpi_mod->udpRoot, __FUNCTION__,__LINE__);
+ addDefaultPort(ndpi_mod, &range, def, 1 /* Custom user proto */,
+ is_tcp ? &ndpi_mod->tcpRoot : &ndpi_mod->udpRoot, __FUNCTION__,__LINE__);
else
removeDefaultPort(&range, def, is_tcp ? &ndpi_mod->tcpRoot : &ndpi_mod->udpRoot);
} else if(is_ip) {
@@ -4358,19 +4378,20 @@ int ndpi_enable_loaded_categories(struct ndpi_detection_module_struct *ndpi_str)
/* ********************************************************************************* */
int ndpi_fill_ip_protocol_category(struct ndpi_detection_module_struct *ndpi_struct,
- const struct ndpi_iphdr *iph,
+ u_int32_t saddr,
+ u_int32_t daddr,
ndpi_protocol *ret) {
if(ndpi_struct->custom_categories.categories_loaded) {
prefix_t prefix;
patricia_node_t *node;
-
+
/* Make sure all in network byte order otherwise compares wont work */
- fill_prefix_v4(&prefix, (struct in_addr *)&iph->saddr,
+ fill_prefix_v4(&prefix, (struct in_addr *)&saddr,
32, ((patricia_tree_t*)ndpi_struct->protocols_ptree)->maxbits);
node = ndpi_patricia_search_best(ndpi_struct->custom_categories.ipAddresses, &prefix);
if(!node) {
- fill_prefix_v4(&prefix, (struct in_addr *)&iph->daddr,
+ fill_prefix_v4(&prefix, (struct in_addr *)&daddr,
32, ((patricia_tree_t*)ndpi_struct->protocols_ptree)->maxbits);
node = ndpi_patricia_search_best(ndpi_struct->custom_categories.ipAddresses, &prefix);
}
@@ -4385,12 +4406,14 @@ int ndpi_fill_ip_protocol_category(struct ndpi_detection_module_struct *ndpi_str
return 0;
}
+/* ********************************************************************************* */
+
void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
ndpi_protocol *ret) {
if(ndpi_struct->custom_categories.categories_loaded) {
if(flow->packet.iph) {
- if(ndpi_fill_ip_protocol_category(ndpi_struct, flow->packet.iph, ret)) {
+ if(ndpi_fill_ip_protocol_category(ndpi_struct, flow->packet.iph->saddr, flow->packet.iph->daddr, ret)) {
flow->category = ret->category;
return;
}
@@ -4435,7 +4458,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
if(ndpi_struct->ndpi_log_level >= NDPI_LOG_TRACE)
NDPI_LOG(flow ? flow->detected_protocol_stack[0]:NDPI_PROTOCOL_UNKNOWN,
- ndpi_struct, NDPI_LOG_TRACE, "START packet processing\n");
+ ndpi_struct, NDPI_LOG_TRACE, "START packet processing\n");
if(flow == NULL)
return(ret);