author | Toni <matzeton@googlemail.com> | 2021-07-31 23:31:49 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-07-31 23:31:49 +0200 |
commit | ad57af9f79b3c69e2312fda109b83ce132448fd7 (patch) | |
tree | 4bab48b9376e324f369a2c6e3b4b9048a6818587 /src/lib/protocols/http.c | |
parent | ce597b4806dd96d9b8d7d1e43560b9c85e71f80c (diff) |
Improved RTSP detection and fixed HTTP false-positive. Fixes #1229. (#1266)
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'src/lib/protocols/http.c')
-rw-r--r-- | src/lib/protocols/http.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 647bd6c2b..a2dd25f3c 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -963,8 +963,17 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
 NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 http_bitmask_exclude_other(flow);
 return;
- } else
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_CATEGORY_WEB);
+ } else {
+ /* This check is required as RTSP is pretty similiar to HTTP (prevent false-positives). */
+ if (strncmp((const char *)packet->payload + filename_start,
+ "rtsp://", ndpi_min(7, packet->payload_packet_len - filename_start)) == 0)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ } else {
+ ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_CATEGORY_WEB);
+ }
+ }
 NDPI_LOG_DBG2(ndpi_struct, "Filename HTTP found: %d, we look for line info..\n", filename_start); |
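Review bot: The new `strncmp` in the else branch shortens its length to `ndpi_min(7, packet->payload_packet_len - filename_start)`, so when fewer than seven bytes follow `filename_start` a partial prefix of `rtsp://` (or nothing at all, if zero bytes are left) compares equal and the flow is excluded from HTTP. Requiring the full scheme closes that gap: `if (packet->payload_packet_len >= filename_start + 7 && memcmp(packet->payload + filename_start, "rtsp://", 7) == 0)`. If `filename_start` can ever exceed the payload length, the subtraction presumably goes negative and is converted to a very large `size_t`. The declarations are not visible here, so this needs checking against the rest of `ndpi_check_http_tcp`, whose body starts and ends outside this hunk. The comparison is also case-sensitive, so a request using an upper-case scheme would still be classified as HTTP.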