author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2022-01-11 15:23:39 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-01-11 15:23:39 +0100 |
commit | 3a087e951d96f509c75344ad6791591e10e4f1cd (patch) | |
tree | e1c83179768f1445610bf060917700f17fce908f /src/lib/protocols/irc.c | |
parent | a2916d2e4c19aff56979b1dafa7edd0c7d3c17fe (diff) |
Add a "confidence" field about the reliability of the classification. (#1395)
As a general rule, the higher the confidence value, the higher the
"reliability/precision" of the classification.
In other words, this new field provides a hint about "how" the flow
classification has been obtained.
For example, the application may want to ignore classifications "by-port"
(they are not real DPI classifications, after all) or give a second
glance at flows classified via LRU caches (because of false positives).
Setting only one value for the confidence field is a bit tricky: more
work is probably needed in the near future to tweak/fix/improve the logic.
Diffstat (limited to 'src/lib/protocols/irc.c')
-rw-r--r-- | src/lib/protocols/irc.c | 40 |
1 files changed, 20 insertions, 20 deletions
diff --git a/src/lib/protocols/irc.c b/src/lib/protocols/irc.c index 7bf7399f7..6ff3af836 100644 --- a/src/lib/protocols/irc.c +++ b/src/lib/protocols/irc.c @@ -36,9 +36,9 @@ timestamp = time_err[t1]; \ less = t1;}}} -static void ndpi_int_irc_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) +static void ndpi_int_irc_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, ndpi_confidence_t confidence) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_IRC, NDPI_PROTOCOL_UNKNOWN); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_IRC, NDPI_PROTOCOL_UNKNOWN, confidence); } @@ -180,7 +180,7 @@ u_int8_t ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast(struct ndpi_det || ntohs(get_u_int16_t(packet->payload, 2)) == 0x2000)) { NDPI_LOG_INFO(ndpi_struct, "found IRC SSL: ->1460,1460,1176,<-4096||8192"); - ndpi_int_irc_add_connection(ndpi_struct, flow); + ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); return 1; } /* case 2: len 1448, len 1448, len 1200 several times in one direction, than len = 4, 4096, 8192 in the other direction */ @@ -211,7 +211,7 @@ u_int8_t ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast(struct ndpi_det || ntohs(get_u_int16_t(packet->payload, 2)) == 0x2000)) { NDPI_LOG_INFO(ndpi_struct, "found IRC SSL: ->1448,1448,1200,<-4096||8192"); - ndpi_int_irc_add_connection(ndpi_struct, flow); + ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); return 1; } /* case 3: several packets with len 1380, 1200, 1024, 1448, 1248, 
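Review bot: The new `confidence` parameter of `ndpi_int_irc_add_connection()` is forwarded to `ndpi_set_detected_protocol()` with no comment saying which value a call site is expected to choose. The later hunks pass `NDPI_CONFIDENCE_DPI` for matches made on the current flow's packets and `NDPI_CONFIDENCE_DPI_SRC_DST_ID` for the two DCC-port matches, so the rule is only implicit in the call sites. A one-line comment above the helper would record it, for example `/* confidence: how the match was obtained; forwarded unchanged to ndpi_set_detected_protocol() */`.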
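Review bot: The length-pattern matches in `ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast()` are tagged `NDPI_CONFIDENCE_DPI`, the same value the cleartext `NICK `/`USER ` keyword matches receive in `ndpi_search_irc_tcp()`. Judging from the log strings and the visible conditions, these branches key on sequences of packet lengths plus one 16-bit value at payload offset 2, and the function name itself advertises roughly ninety percent accuracy, so a consumer filtering on confidence cannot separate heuristic hits from keyword hits. This applies to every call in the hunks at old lines 180, 211, 228, 243, 258, 273, 288, 311, 344 and 357. If no lower value fits, a comment at the first call would at least record it: `/* length-pattern heuristic on encrypted traffic, not a payload signature: DPI confidence is optimistic here */`. The function body starts and ends outside these hunks.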
@@ -228,7 +228,7 @@ u_int8_t ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast(struct ndpi_det || ntohs(get_u_int16_t(packet->payload, 2)) == 2760)) { NDPI_LOG_INFO(ndpi_struct, "found IRC SSL: ->1380,<-1380||2760"); - ndpi_int_irc_add_connection(ndpi_struct, flow); + ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); return 1; } if (packet->payload_packet_len == 1200 && ((flow->l4.tcp.irc_stage2 == 0 && flow->l4.tcp.irc_direction == 0) @@ -243,7 +243,7 @@ u_int8_t ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast(struct ndpi_det || ntohs(get_u_int16_t(packet->payload, 2)) == 2400)) { NDPI_LOG_INFO(ndpi_struct, "found IRC SSL: ->1200,<-1200||2400"); - ndpi_int_irc_add_connection(ndpi_struct, flow); + ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); return 1; } if (packet->payload_packet_len == 1024 && ((flow->l4.tcp.irc_stage2 == 0 && flow->l4.tcp.irc_direction == 0) @@ -258,7 +258,7 @@ u_int8_t ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast(struct ndpi_det || ntohs(get_u_int16_t(packet->payload, 2)) == 2048)) { NDPI_LOG_INFO(ndpi_struct, "found IRC SSL: ->1024,<-1024||2048"); - ndpi_int_irc_add_connection(ndpi_struct, flow); + ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); return 1; } if (packet->payload_packet_len == 1248 && ((flow->l4.tcp.irc_stage2 == 0 && flow->l4.tcp.irc_direction == 0) @@ -273,7 +273,7 @@ u_int8_t ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast(struct ndpi_det || ntohs(get_u_int16_t(packet->payload, 2)) == 2496)) { NDPI_LOG_INFO(ndpi_struct, "found IRC SSL: ->1248,<-1248||2496"); - ndpi_int_irc_add_connection(ndpi_struct, flow); + ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); return 1; } if (packet->payload_packet_len == 1448 
@@ -288,7 +288,7 @@ u_int8_t ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast(struct ndpi_det || ntohs(get_u_int16_t(packet->payload, 2)) == 2896)) { NDPI_LOG_INFO(ndpi_struct, "found IRC SSL: ->1448,<-1448||2896"); - ndpi_int_irc_add_connection(ndpi_struct, flow); + ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); return 1; } /* case 4 : five packets with len = 1448, one with len 952, than one packet from other direction len = 8192 */ @@ -311,7 +311,7 @@ u_int8_t ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast(struct ndpi_det && flow->l4.tcp.irc_stage2 == 14 && flow->l4.tcp.irc_direction == 2 - packet->packet_direction && ntohs(get_u_int16_t(packet->payload, 2)) == 8192) { NDPI_LOG_INFO(ndpi_struct, "found IRC SSL: ->1448,1448,1448,1448,1448,952,<-8192"); - ndpi_int_irc_add_connection(ndpi_struct, flow); + ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); return 1; } /* case 5: len 1024, len 1448, len 1448, len 1200, len 1448, len 600 */ @@ -344,7 +344,7 @@ u_int8_t ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast(struct ndpi_det && flow->l4.tcp.irc_stage2 == 19 && flow->l4.tcp.irc_direction == 2 - packet->packet_direction && ntohs(get_u_int16_t(packet->payload, 2)) == 7168) { NDPI_LOG_INFO(ndpi_struct, "found IRC SSL: ->1024,1448,1448,1200,1448,600,<-7168"); - ndpi_int_irc_add_connection(ndpi_struct, flow); + ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); return 1; } /* -> 1024, 1380, -> 2404 */ @@ -357,7 +357,7 @@ u_int8_t ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast(struct ndpi_det && flow->l4.tcp.irc_stage2 == 20 && flow->l4.tcp.irc_direction == 2 - packet->packet_direction && ntohs(get_u_int16_t(packet->payload, 2)) == 2404) { NDPI_LOG_INFO(ndpi_struct, "found IRC SSL: ->1024,1380 <-2404"); - ndpi_int_irc_add_connection(ndpi_struct, flow); + ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); return 1; } 
@@ -421,7 +421,7 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc if (dst->irc_port[counter] == sport || dst->irc_port[counter] == dport) { dst->last_time_port_used[counter] = packet->current_time_ms; NDPI_LOG_INFO(ndpi_struct, "found IRC: dest port matched with the DCC port"); - ndpi_int_irc_add_connection(ndpi_struct, flow); + ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI_SRC_DST_ID); return; } } @@ -431,7 +431,7 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc if (src->irc_port[counter] == sport || src->irc_port[counter] == dport) { src->last_time_port_used[counter] = packet->current_time_ms; NDPI_LOG_INFO(ndpi_struct, "found IRC: Source port matched with the DCC port"); - ndpi_int_irc_add_connection(ndpi_struct, flow); + ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI_SRC_DST_ID); return; } } @@ -462,14 +462,14 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc flow->l4.tcp.irc_3a_counter++; if (flow->l4.tcp.irc_3a_counter == 7) { /* ':' == 0x3a */ NDPI_LOG_INFO(ndpi_struct, "found irc. 0x3a. seven times."); - ndpi_int_irc_add_connection(ndpi_struct, flow); + ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); goto detected_irc; } } } if (flow->l4.tcp.irc_3a_counter == 7) { /* ':' == 0x3a */ NDPI_LOG_INFO(ndpi_struct, "found irc. 0x3a. seven times."); - ndpi_int_irc_add_connection(ndpi_struct, flow); + ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); goto detected_irc; } } @@ -488,7 +488,7 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc "USER, NICK, PASS, NOTICE, PRIVMSG one time"); if (flow->l4.tcp.irc_stage == 2) { NDPI_LOG_INFO(ndpi_struct, "found irc"); - ndpi_int_irc_add_connection(ndpi_struct, flow); + ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); flow->l4.tcp.irc_stage = 3; } if (flow->l4.tcp.irc_stage == 1) { 
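Review bot: The two DCC-port branches are the only call sites that pass `NDPI_CONFIDENCE_DPI_SRC_DST_ID`, and nothing at either site says why. In the visible lines the match compares `sport`/`dport` with `irc_port[counter]` held in the `dst` and `src` structures, which is state kept outside this packet's payload, so as far as the hunk shows a flow is classified as IRC on the port comparison alone. A short comment at the first branch, repeated in the hunk at old line 431, would make that explicit: `/* matched on a port remembered in src/dst state, not on this flow's payload */`. The surrounding loops begin outside the hunks.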
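Review bot: The `irc_3a_counter == 7` branch appears twice in the hunk at old line 462, at two nesting levels, with identical log text and now an identical `NDPI_CONFIDENCE_DPI` argument, so the two copies have to be kept in step by hand. The signal is a count of seven `0x3a` bytes, which is weaker evidence than the command keywords matched further down, yet it carries the same confidence. A comment on the first copy would note both points: `/* heuristic: seven ':' bytes seen; keep in sync with the identical check below */`. The enclosing block starts outside the hunk.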
@@ -509,7 +509,7 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc if (packet->line[c].len > 4 && (memcmp(packet->line[c].ptr, "NICK ", 5) == 0 || memcmp(packet->line[c].ptr, "USER ", 5) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found IRC: two icq signal words in the same packet"); - ndpi_int_irc_add_connection(ndpi_struct, flow); + ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); flow->l4.tcp.irc_stage = 3; return; } @@ -525,7 +525,7 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc || memcmp(packet->line[c].ptr, "USER ", 5) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found IRC: two icq signal words in the same packet"); - ndpi_int_irc_add_connection(ndpi_struct, flow); + ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); flow->l4.tcp.irc_stage = 3; return; } @@ -576,7 +576,7 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc && (memcmp(packet->payload + http_content_ptr_len, "item=", 5) == 0) && (ndpi_check_for_cmd(ndpi_struct, flow) != 0))) { NDPI_LOG_INFO(ndpi_struct, "found IRC: Nickname, cmd, one time"); - ndpi_int_irc_add_connection(ndpi_struct, flow); + ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); return; } } |