author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2022-07-03 19:25:00 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-07-03 19:25:00 +0200 |
commit | 422d0025421565f56be4e75d1217fb96fcf41dc8 (patch) | |
tree | 8d73feb343a66ebc08ff4957697f88dc0b348070 /src/lib/protocols/skinny.c | |
parent | eed47acfc8532486a830404268def82cb0794f77 (diff) |
Skinny: rework and improve classification (#1625)
Diffstat (limited to 'src/lib/protocols/skinny.c')
-rw-r--r-- | src/lib/protocols/skinny.c | 64 |
1 files changed, 46 insertions, 18 deletions
diff --git a/src/lib/protocols/skinny.c b/src/lib/protocols/skinny.c index 9a0d23d21..c9b4ebe45 100644 --- a/src/lib/protocols/skinny.c +++ b/src/lib/protocols/skinny.c @@ -23,6 +23,7 @@ #include "ndpi_api.h" +/* Reference: Wiresahrk: epan/dissectors/packet-skinny.c */ static void ndpi_int_skinny_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 
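Review bot: The reference comment added above ndpi_int_skinny_add_connection misspells the project name as "Wiresahrk", so a search for the dissector this code is modelled on will miss it. The version and opcode tables introduced later in this commit are copied from that dissector and will drift as it changes, so it would help to record which release they were checked against, e.g. `/* Reference: Wireshark, epan/dissectors/packet-skinny.c (as of <release>) */`.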
@@ -30,35 +31,62 @@ static void ndpi_int_skinny_add_connection(struct ndpi_detection_module_struct ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKINNY, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); } +static int is_valid_version(u_int32_t version) +{ + if(version == 0x00 || /* Basic msg type */ + version == 0x0A || /* V10 */ + version == 0x0B || /* V11 */ + version == 0x0F || /* V15 */ + version == 0x10 || /* V16 */ + version == 0x11 || /* V17 */ + version == 0x12 || /* V18 */ + version == 0x13 || /* V19 */ + version == 0x14 || /* V20 */ + version == 0x15 || /* V21 */ + version == 0x16) /* V22 */ + return 1; + return 0; +} + +static int is_valid_opcode(u_int32_t opcode) +{ + /* A loose check */ + if(opcode <= 0x009F || + (opcode >= 0x0100 && opcode <= 0x0160) || + (opcode == 0x8000) || + (opcode >= 0x8100 && opcode <= 0x8101)) + return 1; + return 0; +} + void ndpi_search_skinny(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - u_int16_t dport = 0, sport = 0; - const char pattern_9_bytes[9] = { 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; - const char pattern_8_bytes[8] = { 0x38, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; - const char keypadmsg_8_bytes[8] = { 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; - const char selectmsg_8_bytes[8] = { 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; + u_int16_t dport, sport; NDPI_LOG_DBG(ndpi_struct, "search for SKINNY\n"); if(packet->tcp != NULL) { sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest); NDPI_LOG_DBG2(ndpi_struct, "calculating SKINNY over tcp\n"); - if (dport == 2000 && ((packet->payload_packet_len == 24 && - memcmp(&packet->payload[0], keypadmsg_8_bytes, 8) == 0) - || ((packet->payload_packet_len == 64) && memcmp(&packet->payload[0], pattern_8_bytes, 8) == 0))) { - NDPI_LOG_INFO(ndpi_struct, "found skinny\n"); - ndpi_int_skinny_add_connection(ndpi_struct, flow); - } else 
if (sport == 2000 && ((packet->payload_packet_len == 28 && - memcmp(&packet->payload[0], selectmsg_8_bytes, 8) == 0 ) || - (packet->payload_packet_len == 44 && - memcmp(&packet->payload[0], pattern_9_bytes, 9) == 0))) { - NDPI_LOG_INFO(ndpi_struct, "found skinny\n"); - ndpi_int_skinny_add_connection(ndpi_struct, flow); + if((dport == 2000 || sport == 2000) && + (packet->payload_packet_len >= 12)) { + u_int32_t data_length, version, opcode; + + data_length = le32toh(get_u_int32_t(packet->payload, 0)); + version = le32toh(get_u_int32_t(packet->payload, 4)); + opcode = le32toh(get_u_int32_t(packet->payload, 8)); + + if(data_length + 8 == packet->payload_packet_len && + is_valid_version(version) && + is_valid_opcode(opcode)) { + NDPI_LOG_INFO(ndpi_struct, "found skinny\n"); + ndpi_int_skinny_add_connection(ndpi_struct, flow); + return; + } } - } else { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } |
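Review bot: In ndpi_search_skinny the test `data_length + 8 == packet->payload_packet_len` only matches when exactly one Skinny message fills the TCP segment, and the now-unconditional `NDPI_EXCLUDE_PROTO` at the end rules the protocol out on the first packet that fails it. A segment carrying two coalesced messages, or only part of one, would therefore leave a port-2000 Skinny flow unclassified, which matters wherever the label drives policy or alerting. If the dissector is called again for later packets of the flow (not visible here), consider deferring the exclusion, for example `if(flow->packet_counter > 3) NDPI_EXCLUDE_PROTO(ndpi_struct, flow);`, and otherwise state the one-message-per-segment assumption in a comment. The sum is also safe only implicitly: with 32-bit unsigned arithmetic a wrapped `data_length + 8` is below 8 and cannot equal a length already checked to be at least 12, so a comment such as `/* data_length is untrusted: a wrapped sum is < 8 and can never match len >= 12 */` would protect that property if the length guard is later relaxed.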