diff options
| author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2022-01-11 15:23:39 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-01-11 15:23:39 +0100 |
| commit | 3a087e951d96f509c75344ad6791591e10e4f1cd (patch) | |
| tree | e1c83179768f1445610bf060917700f17fce908f /src/lib/protocols/http.c | |
| parent | a2916d2e4c19aff56979b1dafa7edd0c7d3c17fe (diff) | |
Add a "confidence" field about the reliability of the classification. (#1395)
As a general rule, the higher the confidence value, the higher the
"reliability/precision" of the classification.
In other words, this new field provides an hint about "how" the flow
classification has been obtained.
For example, the application may want to ignore classification "by-port"
(they are not real DPI classifications, after all) or give a second
glance at flows classified via LRU caches (because of false positives).
Setting only one value for the confidence field is a bit tricky: more
work is probably needed in the next future to tweak/fix/improve the logic.
Diffstat (limited to 'src/lib/protocols/http.c')
| -rw-r--r-- | src/lib/protocols/http.c | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 99a49ab2d..a33cd6f00 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -341,9 +341,9 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd // ndpi_int_reset_protocol(flow); ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id, (flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN) ? - flow->detected_protocol_stack[1] : NDPI_PROTOCOL_HTTP - ); - + flow->detected_protocol_stack[1] : NDPI_PROTOCOL_HTTP, + NDPI_CONFIDENCE_DPI); + /* This is necessary to inform the core to call this dissector again */ flow->check_extra_packets = 1; flow->max_extra_packets_to_check = 8; @@ -410,7 +410,7 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp ((strstr(flow->http.url, ":8080/downloading?n=0.") != NULL) || (strstr(flow->http.url, ":8080/upload?n=0.") != NULL))) { /* This looks like Ookla speedtest */ - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_HTTP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI); } } } @@ -614,7 +614,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ if(packet->server_line.ptr != NULL && (packet->server_line.len > 7)) { if(strncmp((const char *)packet->server_line.ptr, "ntopng ", 7) == 0) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NTOP, NDPI_PROTOCOL_HTTP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NTOP, NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI); NDPI_CLR_BIT(flow->risk, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT); } } @@ -759,7 +759,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ */ if(strncmp((const char *)packet->content_line.ptr, "application/ocsp-", 17) == 0) { NDPI_LOG_DBG2(ndpi_struct, "Found OCSP\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OCSP, NDPI_PROTOCOL_HTTP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OCSP, NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI); } } } @@ -1123,14 +1123,15 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct if((packet->http_url_name.len > 7) && (!strncasecmp((const char*) packet->http_url_name.ptr, "http://", 7))) { NDPI_LOG_INFO(ndpi_struct, "found HTTP_PROXY\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_PROXY, flow->detected_protocol_stack[0]); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_PROXY, flow->detected_protocol_stack[0], NDPI_CONFIDENCE_DPI); check_content_type_and_change_protocol(ndpi_struct, flow); } if(filename_start == 8 && (strncasecmp((const char *)packet->payload, "CONNECT ", 8) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found HTTP_CONNECT\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_CONNECT, - (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_HTTP) ? flow->detected_protocol_stack[0] : NDPI_PROTOCOL_UNKNOWN); + (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_HTTP) ? flow->detected_protocol_stack[0] : NDPI_PROTOCOL_UNKNOWN, + NDPI_CONFIDENCE_DPI); check_content_type_and_change_protocol(ndpi_struct, flow); } |