author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2023-03-30 17:13:51 +0200 |
committer | GitHub <noreply@github.com> | 2023-03-30 17:13:51 +0200 |
commit | 4d11941d322b95728048446bb9d0a2d5fbb552f9 (patch) | |
tree | 3ae81f2a5e4dea35f21ee73191fceda280b0c704 /src/lib/ndpi_main.c | |
parent | 3e06bcce8dc558239c4a7e33e936adde8c05791f (diff) |
Ookla: rework detection (#1922)
The logic of the LRU cache has been changed: once we know an ip has
connected to an Ookla server, all the following (unknown) flows (for
a short time interval) from the same ip to the port 8080 are treated
as Ookla ones.
Most of the changes in this commit are about introducing the concept of
"aggressive detection". In some cases, to properly detect a
protocol we might use some statistical/behavioral logic that, on one
hand, lets us identify the protocol more often but, on the other
hand, might lead to some false positives.
To allow the user/application to easily detect when such logic has been
triggered, the new confidence value `NDPI_CONFIDENCE_DPI_AGGRESSIVE` has been
added.
It is always possible to disable/configure this kind of logic via the
API.
Detection of Ookla flows using plain TLS over port 8080 is the first
example of aggressive detection in nDPI.
Tested with:
* Android 9.0 with app 4.8.3
* Ubuntu 20.04 with Firefox 110
* Win 10 with app 1.15 and 1.16
* Win 10 with Chrome 108, Edge 108 and Firefox 106
Diffstat (limited to 'src/lib/ndpi_main.c')
-rw-r--r-- | src/lib/ndpi_main.c | 56 |
1 files changed, 55 insertions, 1 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index f4266d87d..dc5834549 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -198,6 +198,10 @@ extern void ndpi_unset_risk(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, ndpi_risk_enum r);
 extern u_int32_t make_mining_key(struct ndpi_flow_struct *flow);
 extern int stun_search_into_zoom_cache(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
+extern void ookla_add_to_cache(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow);
+extern int ookla_search_into_cache(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow);
 /* Forward */
 static int addDefaultPort(struct ndpi_detection_module_struct *ndpi_str,
@@ -2932,7 +2936,7 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs
 ndpi_str->msteams_cache_num_entries = 1024;
 ndpi_str->stun_zoom_cache_num_entries = 1024;
- ndpi_str->ookla_cache_ttl = 0;
+ ndpi_str->ookla_cache_ttl = 120; /* sec */
 ndpi_str->bittorrent_cache_ttl = 0;
 ndpi_str->zoom_cache_ttl = 0;
 ndpi_str->stun_cache_ttl = 0;
@@ -2946,6 +2950,8 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs
 ndpi_str->opportunistic_tls_pop_enabled = 1;
 ndpi_str->opportunistic_tls_ftp_enabled = 1;
+ ndpi_str->aggressiveness_ookla = NDPI_AGGRESSIVENESS_OOKLA_TLS;
+
 for(i = 0; i < NUM_CUSTOM_CATEGORIES; i++) ndpi_snprintf(ndpi_str->custom_category_labels[i], CUSTOM_CATEGORY_LABEL_LEN, "User custom category %u", (unsigned int) (i + 1));
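Review bot: The new default `ndpi_str->ookla_cache_ttl = 120; /* sec */` is a bare magic number whose meaning is only given by the commit message, yet it is the only thing bounding how long a client IP that once reached an Ookla server keeps getting its still-unknown port-8080 flows labelled Ookla by the cache lookup elsewhere in this commit. A reader of ndpi_init_detection_module() cannot see that trade-off from the assignment, and "0" on the removed line presumably meant something different (no expiry or disabled; confirm against the cache code). I would replace the comment with `/* sec; bounds the window in which unknown :8080 flows from a known Ookla client are still tagged as Ookla */` and consider hoisting 120 into a named default next to the other cache sizes. ndpi_init_detection_module() starts and ends outside the hunk.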
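Review bot: `ndpi_str->aggressiveness_ookla = NDPI_AGGRESSIVENESS_OOKLA_TLS;` enables the heuristic by default, while the commit message itself says this class of logic can produce false positives; an opt-out default that trades precision for recall deserves a note at the point it is set so integrators know there is a knob. I would add `/* Aggressive (behaviour-based) Ookla detection is on by default; see ndpi_set_protocol_aggressiveness() to disable it */` above the assignment. The enclosing ndpi_init_detection_module() continues outside the hunk.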
@@ -6254,6 +6260,13 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
 ret.app_protocol = flow->detected_protocol_stack[0];
 }
+ /* Does it looks like Ookla? */
+ if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN &&
+ ntohs(flow->s_port) == 8080 && ookla_search_into_cache(ndpi_str, flow)) {
+ ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL_CACHE);
+ ret.app_protocol = flow->detected_protocol_stack[0];
+ }
+
 /* Classification by-port is the last resort */
 if(enable_guess && ret.app_protocol == NDPI_PROTOCOL_UNKNOWN) {
@@ -8052,6 +8065,9 @@ const char *ndpi_confidence_get_name(ndpi_confidence_t confidence)
 case NDPI_CONFIDENCE_MATCH_BY_IP:
 return "Match by IP";
+ case NDPI_CONFIDENCE_DPI_AGGRESSIVE:
+ return "DPI (aggressive)";
+
 default:
 return NULL;
 }
@@ -8572,6 +8588,11 @@ int ndpi_match_hostname_protocol(struct ndpi_detection_module_struct *ndpi_struc
 ndpi_set_detected_protocol(ndpi_struct, flow, subproto, master_protocol, NDPI_CONFIDENCE_DPI);
 if(!category_depends_on_master(master_protocol)) ndpi_int_change_category(ndpi_struct, flow, ret_match.protocol_category);
+
+ if(subproto == NDPI_PROTOCOL_OOKLA) {
+ ookla_add_to_cache(ndpi_struct, flow);
+ }
+
 return(1);
 } else return(0);
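Review bot: The block added to ndpi_detection_giveup() labels any still-unknown flow to port 8080 as Ookla on a cache hit, but nothing in the hunk consults `ndpi_str->aggressiveness_ookla`, so unless ookla_search_into_cache() (not in this diff) checks it, the API knob this commit adds does not switch this path off; since one Ookla hostname match taints the whole client IP for the cache TTL, an unrelated service on :8080 reached by that client in the same window is mis-filed as Ookla with a confidence above a port guess. I would gate it here, `ntohs(flow->s_port) == 8080 && ndpi_str->aggressiveness_ookla != 0 && ookla_search_into_cache(ndpi_str, flow)` (assuming 0 is the "disabled" value), and consider reporting `NDPI_CONFIDENCE_DPI_AGGRESSIVE` instead of `NDPI_CONFIDENCE_DPI_PARTIAL_CACHE`, because a per-IP/port inference is exactly the behaviour-based logic that confidence was introduced to flag. The comment also reads `/* Does it looks like Ookla? */`; it should be `/* Does it look like Ookla? */`. ndpi_detection_giveup() starts and ends outside the hunk.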
@@ -9643,3 +9664,36 @@ int ndpi_get_opportunistic_tls(struct ndpi_detection_module_struct *ndpi_struct,
 return -1;
 }
 }
+
+/* ******************************************************************** */
+
+int ndpi_set_protocol_aggressiveness(struct ndpi_detection_module_struct *ndpi_struct,
+ u_int16_t proto, u_int32_t value)
+{
+ if(!ndpi_struct)
+ return -1;
+
+ switch(proto) {
+ case NDPI_PROTOCOL_OOKLA:
+ ndpi_struct->aggressiveness_ookla = value;
+ return 0;
+ default:
+ return -1;
+ }
+}
+
+/* ******************************************************************** */
+
+u_int32_t ndpi_get_protocol_aggressiveness(struct ndpi_detection_module_struct *ndpi_struct,
+ u_int16_t proto)
+{
+ if(!ndpi_struct)
+ return -1;
+
+ switch(proto) {
+ case NDPI_PROTOCOL_OOKLA:
+ return ndpi_struct->aggressiveness_ookla;
+ default:
+ return -1;
+ }
+}
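Review bot: `ndpi_get_protocol_aggressiveness()` returns `u_int32_t` yet signals errors with `return -1;`, which becomes 0xFFFFFFFF and is indistinguishable from a value the setter will happily store, because `ndpi_set_protocol_aggressiveness()` accepts any `value` without checking it against the known flags; a caller cannot tell "NULL module or unknown proto" from "all bits set". Two small changes close the gap: reject unknown bits in the setter, `if(value & ~(u_int32_t)NDPI_AGGRESSIVENESS_OOKLA_TLS) return -1;` (assuming, as the `_TLS` suffix suggests, the values are a bitmask of independent heuristics; confirm in the header), and document the convention on both public functions, e.g. `/* Returns 0 on success, -1 if ndpi_struct is NULL or proto has no aggressiveness setting */` on the setter and `/* Returns the current flags, or (u_int32_t)-1 if ndpi_struct is NULL or proto has no aggressiveness setting */` on the getter. Both functions are complete within the hunk.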