author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-01-02 11:22:43 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-01-02 11:22:43 +0100 |
commit | d886a6107fd05a9e41de8ec3414cb4b353bda10e (patch) | |
tree | 4d5e186b4976ee9cd0b99b3f72081646f4437f04 /src/lib/protocols/teamviewer.c | |
parent | 2796bc9b4712e98f69091784b25f236d2a7a415c (diff) |
Teamviewer: varius fixes (#2228)
We already have a generic (and up to date) logic to handle ip addresses:
remove that stale list.
Teamviewer uses both TCP and UDP, so we can't access `flow->l4.udp`.
According to a comment, we set the flow risk
`NDPI_DESKTOP_OR_FILE_SHARING_SESSION` only for the UDP flows.
Diffstat (limited to 'src/lib/protocols/teamviewer.c')
-rw-r--r-- | src/lib/protocols/teamviewer.c | 35 |
1 files changed, 7 insertions, 28 deletions
diff --git a/src/lib/protocols/teamviewer.c b/src/lib/protocols/teamviewer.c
index 4c0df2e61..4ed7f1269 100644
--- a/src/lib/protocols/teamviewer.c
+++ b/src/lib/protocols/teamviewer.c
@@ -43,32 +43,12 @@ static void ndpi_search_teamview(struct ndpi_detection_module_struct *ndpi_struc
 struct ndpi_packet_struct *packet = &ndpi_struct->packet;
 NDPI_LOG_DBG(ndpi_struct, "search teamwiewer\n");
- /*
- TeamViewer
- 178.77.120.0/25
-
- http://myip.ms/view/ip_owners/144885/Teamviewer_Gmbh.html
- */
- if(packet->iph) {
- u_int32_t src = ntohl(packet->iph->saddr);
- u_int32_t dst = ntohl(packet->iph->daddr);
-
- /* 95.211.37.195 - 95.211.37.203 */
- if(((src >= 1607673283) && (src <= 1607673291))
- || ((dst >= 1607673283) && (dst <= 1607673291))
- || ((src & 0xFFFFFF80 /* 255.255.255.128 */) == 0xB24D7800 /* 178.77.120.0 */)
- || ((dst & 0xFFFFFF80 /* 255.255.255.128 */) == 0xB24D7800 /* 178.77.120.0 */)
- ) {
- ndpi_int_teamview_add_connection(ndpi_struct, flow);
- return;
- }
- }
 if (packet->udp != NULL) {
 if (packet->payload_packet_len > 13) {
 if (packet->payload[0] == 0x00 && packet->payload[11] == 0x17 && packet->payload[12] == 0x24) { /* byte 0 is a counter/seq number, and at the start is 0 */
- flow->l4.udp.teamviewer_stage++;
- if (flow->l4.udp.teamviewer_stage == 4 ||
+ flow->teamviewer_stage++;
+ if (flow->teamviewer_stage == 4 ||
 packet->udp->dest == ntohs(5938) || packet->udp->source == ntohs(5938)) {
 ndpi_int_teamview_add_connection(ndpi_struct, flow);
 ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found TeamViewer"); /* Remote assistance (UDP only) */
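Review bot: The port comparison kept right after the renamed counter uses `ntohs(5938)` against `packet->udp->dest` and `packet->udp->source`, which are presumably raw header fields in network byte order, so the conversion meant here is host-to-network. Both calls produce the same value, but `packet->udp->dest == htons(5938) || packet->udp->source == htons(5938)) {` states the intent; the TCP comparison in the second hunk has the same wording. Since this condition lets a single datagram on that port both classify the flow and raise the risk, a short comment saying the port match deliberately bypasses the four-packet stage count would help the next reader. The function starts before and continues past this hunk.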
@@ -80,19 +60,18 @@ static void ndpi_search_teamview(struct ndpi_detection_module_struct *ndpi_struc
 else if(packet->tcp != NULL) {
 if (packet->payload_packet_len > 2) {
 if (packet->payload[0] == 0x17 && packet->payload[1] == 0x24) {
- flow->l4.udp.teamviewer_stage++;
- if (flow->l4.udp.teamviewer_stage == 4 ||
+ flow->teamviewer_stage++;
+ if (flow->teamviewer_stage == 4 ||
 packet->tcp->dest == ntohs(5938) || packet->tcp->source == ntohs(5938)) {
 ndpi_int_teamview_add_connection(ndpi_struct, flow);
 }
 return;
 }
- else if (flow->l4.udp.teamviewer_stage) {
+ else if (flow->teamviewer_stage) {
 if (packet->payload[0] == 0x11 && packet->payload[1] == 0x30) {
- flow->l4.udp.teamviewer_stage++;
- if (flow->l4.udp.teamviewer_stage == 4) {
+ flow->teamviewer_stage++;
+ if (flow->teamviewer_stage == 4) {
 ndpi_int_teamview_add_connection(ndpi_struct, flow);
- ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found TeamViewer"); /* Remote assistance (UDP only) */
 }
 }
 return; |
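Review bot: With the `ndpi_set_risk` call dropped from the `0x11 0x30` branch, neither TCP branch visible in this hunk raises `NDPI_DESKTOP_OR_FILE_SHARING_SESSION`, so a TeamViewer session observed only over TCP is classified but carries no risk flag. The commit message justifies this by an existing "UDP only" comment, and that comment is removed together with the call, so the TCP branch no longer records the decision. A comment at the TCP classification, for example `/* TCP: classify only; NDPI_DESKTOP_OR_FILE_SHARING_SESSION is raised on the UDP path */`, would keep the call from being re-added by mistake. Anyone alerting on flow risk for remote-access monitoring should know about this gap, and a capture-based test with a TCP-only session would pin the behaviour. The function continues outside the hunk.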