diff options
| author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2021-11-24 10:46:48 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-11-24 10:46:48 +0100 |
| commit | a8ffcd8bb0273d59600c6310a80b81206096c113 (patch) | |
| tree | 2a62911824363509ea5e7c69afa189e98556e495 /src/lib/protocols/http.c | |
| parent | fd02e1b3043eecc5711eb8254aadaa3f43ca7503 (diff) | |
Rework how hostname/SNI info is saved (#1330)
Looking at `struct ndpi_flow_struct` the two bigger fields are
`host_server_name[240]` (mainly for HTTP hostnames and DNS domains) and
`protos.tls_quic.client_requested_server_name[256]`
(for TLS/QUIC SNIs).
This commit aims to reduce `struct ndpi_flow_struct` size, according to
two simple observations:
1) maximum one of these two fields is used for each flow. So it seems safe
to merge them;
2) even if hostnames/SNIs might be very long, in practice they are rarely
longer than a fews tens of bytes. So, using a (single) large buffer is a
waste of memory for all kinds of flows. If we need to truncate the name,
we keep the *last* characters, easing domain matching.
Analyzing some real traffic, it seems safe to assume that the vast
majority of hostnames/SNIs is shorter than 80 bytes.
Hostnames/SNIs are always converted to lowercase.
Attention was given so as to be sure that unit-tests outputs are not
affected by this change.
Because of a bug, TLS/QUIC SNI were always truncated to 64 bytes (the
*first* 64 ones): as a consequence, there were some "Suspicious DGA
domain name" and "TLS Certificate Mismatch" false positives.
Diffstat (limited to 'src/lib/protocols/http.c')
| -rw-r--r-- | src/lib/protocols/http.c | 10 |
1 files changed, 4 insertions, 6 deletions
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index cef8b3cfc..bc0ca1fc2 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -371,8 +371,8 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp if(double_col) double_col[0] = '\0'; if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, - (char *)flow->host_server_name, - strlen((const char *)flow->host_server_name)) == 0) { + flow->host_server_name, + strlen(flow->host_server_name)) == 0) { if(flow->http.url && ((strstr(flow->http.url, ":8080/downloading?n=0.") != NULL) || (strstr(flow->http.url, ":8080/upload?n=0.") != NULL))) { @@ -566,12 +566,10 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ packet->host_line.len, packet->host_line.ptr); /* Copy result for nDPI apps */ - len = ndpi_min(packet->host_line.len, sizeof(flow->host_server_name)-1); - strncpy((char*)flow->host_server_name, (char*)packet->host_line.ptr, len); - flow->host_server_name[len] = '\0'; + ndpi_hostname_sni_set(flow, packet->host_line.ptr, packet->host_line.len); flow->extra_packets_func = NULL; /* We're good now */ - if(len > 0) ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name, 1); + if(strlen(flow->host_server_name) > 0) ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1); if(packet->forwarded_line.ptr) { len = ndpi_min(packet->forwarded_line.len, sizeof(flow->http.nat_ip)-1); |