authorLuca Deri <deri@ntop.org>2019-09-26 21:52:42 +0200
committerLuca Deri <deri@ntop.org>2019-09-26 21:52:42 +0200
commit0e9918464bb4e734cec0ef370ffc927926e2f810 (patch)
treec302fb790bf013c12fb49b2cdea9f70fa37ad080 /src/lib/protocols
parentce40155377fe7211da546c76de42d3c8024032b9 (diff)
Added Zoom protocol support removing invalid STUN/Skype detections
Diffstat (limited to 'src/lib/protocols')
-rw-r--r--src/lib/protocols/ps_vue.c92
-rw-r--r--src/lib/protocols/skype.c15
-rw-r--r--src/lib/protocols/stun.c23
-rw-r--r--src/lib/protocols/zoom.c130
4 files changed, 19 insertions, 241 deletions
diff --git a/src/lib/protocols/ps_vue.c b/src/lib/protocols/ps_vue.c
deleted file mode 100644
index a608c96c6..000000000
--- a/src/lib/protocols/ps_vue.c
+++ /dev/null
@@ -1,92 +0,0 @@
-/*
- * ps_vue.c
- *
- * Copyright (C) 2018 by ntop.org
- *
- * This file is part of nDPI, an open source deep packet inspection
- * library based on the OpenDPI and PACE technology by ipoque GmbH
- *
- * nDPI is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * nDPI is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-#include "ndpi_protocol_ids.h"
-
-#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_PS_VUE
-
-#include "ndpi_api.h"
-
-static u_int8_t ps_vue_ptree_match(struct ndpi_detection_module_struct *ndpi_struct, struct in_addr *pin) {
- return((ndpi_network_ptree_match(ndpi_struct, pin) == NDPI_PROTOCOL_PS_VUE) ? 1 : 0);
-}
-
-/* ******************************************* */
-
-static u_int8_t is_ps_vue_flow(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow) {
- struct ndpi_packet_struct *packet = &flow->packet;
-
- if(packet->iph) {
- struct in_addr saddr, daddr;
-
- saddr.s_addr = packet->iph->saddr;
- daddr.s_addr = packet->iph->daddr;
-
- if(ps_vue_ptree_match(ndpi_struct, &saddr) ||
- ps_vue_ptree_match(ndpi_struct, &daddr)) {
- return(1);
- }
- }
-
- return(0);
-}
-
-static void ndpi_check_ps_vue(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow) {
-
- NDPI_LOG_DBG(ndpi_struct, "search ps_vue video \n");
-
- if (is_ps_vue_flow(ndpi_struct, flow)){
- NDPI_LOG_INFO(ndpi_struct, "found ps_vue\n");
-
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PS_VUE,
- NDPI_PROTOCOL_UNKNOWN);
- return;
- } else {
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- }
-}
-
-void ndpi_search_ps_vue(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
- struct ndpi_packet_struct *packet = &flow->packet;
-
- NDPI_LOG_DBG(ndpi_struct, "search ps_vue\n");
-
- /* skip marked packets */
- if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_PS_VUE)
- ndpi_check_ps_vue(ndpi_struct, flow);
-}
-
-
-void init_ps_vue_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
-{
- ndpi_set_bitmask_protocol_detection("PS_VUE", ndpi_struct, detection_bitmask, *id,
- NDPI_PROTOCOL_PS_VUE,
- ndpi_search_ps_vue,
- NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP_WITH_PAYLOAD,
- SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
- *id += 1;
-}
diff --git a/src/lib/protocols/skype.c b/src/lib/protocols/skype.c
index 2f3aac2f6..8ada5d997 100644
--- a/src/lib/protocols/skype.c
+++ b/src/lib/protocols/skype.c
@@ -23,13 +23,6 @@
#include "ndpi_api.h"
-static void ndpi_skype_report_protocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
- /* printf("-> payload_len=%u\n", flow->packet.payload_packet_len); */
-
- NDPI_LOG_INFO(ndpi_struct, "found skype\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE);
-}
-
static int is_port(u_int16_t a, u_int16_t b, u_int16_t c) {
return(((a == c) || (b == c)) ? 1 : 0);
}
@@ -60,7 +53,11 @@ static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, s
((payload_len >= 16)
&& (packet->payload[0] != 0x30) /* Avoid invalid SNMP detection */
&& (packet->payload[2] == 0x02))) {
- ndpi_skype_report_protocol(ndpi_struct, flow);
+
+ if(is_port(sport, dport, 8801))
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZOOM, NDPI_PROTOCOL_UNKNOWN);
+ else
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE);
}
}
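Review bot: The new `is_port(sport, dport, 8801)` branch picks Zoom over Skype on a port number alone, on top of the same loose payload test (`payload[2] == 0x02`, length >= 16) that the Skype label uses. Any flow that passes that test on port 8801 is reported as Zoom, and the same traffic on another port is still reported as Skype. The zoom.c deleted in this commit listed 8801–8810 among its UDP ports and also required a Zoom address match, so the replacement covers fewer ports and rests on weaker evidence; anything that drives policy or alerting from this label should treat it as a port-derived hint. I would name the port and say so in a comment, e.g. `#define ZOOM_PORT 8801 /* port-only hint, no payload signature */`, and restore the `NDPI_LOG_INFO` call that disappeared together with `ndpi_skype_report_protocol`. `ndpi_check_skype` starts and ends outside this hunk.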
@@ -90,7 +87,7 @@ static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, s
/* printf("[SKYPE] %u/%u\n", ntohs(packet->tcp->source), ntohs(packet->tcp->dest)); */
NDPI_LOG_INFO(ndpi_struct, "found skype\n");
- ndpi_skype_report_protocol(ndpi_struct, flow);
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE);
} else {
// printf("NO [SKYPE] payload_len=%u\n", payload_len);
}
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index 9475192da..cef2a1b31 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -144,7 +144,8 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
const u_int16_t payload_length) {
u_int16_t msg_type, msg_len;
struct stun_packet_header *h = (struct stun_packet_header*)payload;
-
+ int rc;
+
/* STUN over TCP does not look good */
if (flow->packet.tcp)
return(NDPI_IS_NOT_STUN);
@@ -319,6 +320,11 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
#endif
switch(attribute) {
+ case 0x0103:
+ flow->guessed_host_protocol_id = NDPI_PROTOCOL_ZOOM;
+ return NDPI_IS_STUN;
+ break;
+
case 0x4000:
case 0x4001:
case 0x4002:
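Review bot: The `break;` after `return NDPI_IS_STUN;` in the new `case 0x0103:` is unreachable, and the early return leaves the attribute walk at the first occurrence of that type, so any checks applied to the remaining attributes are skipped. The attribute value comes straight from the packet payload, which means a single 16-bit field is enough to set `guessed_host_protocol_id` to Zoom. If that is intended, a comment should record what the value is and why it is sufficient, e.g. `/* 0x0103: <attribute name and where it was observed> */`, and the `break;` should be dropped either way. The loop around this switch and its bounds checks lie outside the hunk.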
@@ -457,15 +463,12 @@ udp_stun_found:
printf("==>> NDPI_PROTOCOL_WHATSAPP_CALL\n");
#endif
- if ((ntohs(packet->udp->source) == 3478) || (ntohs(packet->udp->dest) == 3478)) {
- flow->guessed_host_protocol_id = (is_messenger_ip_address(ntohl(packet->iph->saddr)) ||
- is_messenger_ip_address(ntohl(packet->iph->daddr))) ? NDPI_PROTOCOL_MESSENGER :
- NDPI_PROTOCOL_WHATSAPP_CALL;
- } else
- flow->guessed_host_protocol_id = (is_google_ip_address(ntohl(packet->iph->saddr)) ||
- is_google_ip_address(ntohl(packet->iph->daddr))) ? NDPI_PROTOCOL_HANGOUT_DUO : NDPI_PROTOCOL_WHATSAPP_CALL;
-
- int rc = (flow->protos.stun_ssl.stun.num_udp_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN;
+ if(is_messenger_ip_address(ntohl(packet->iph->saddr)) || is_messenger_ip_address(ntohl(packet->iph->daddr)))
+ flow->guessed_host_protocol_id = NDPI_PROTOCOL_MESSENGER;
+ else if(is_google_ip_address(ntohl(packet->iph->saddr)) || is_google_ip_address(ntohl(packet->iph->daddr)))
+ flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO;
+
+ rc = (flow->protos.stun_ssl.stun.num_udp_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN;
return rc;
}
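Review bot: Both address lookups in the rewritten block read `packet->iph->saddr` and `packet->iph->daddr` without testing `packet->iph`, whereas the ps_vue.c and zoom.c removed in this same commit guarded the same access with `if(packet->iph)`. If this path can be reached for a flow without an IPv4 header, that is a NULL dereference triggered by network input; wrapping the chain in `if(packet->iph) { ... }` would be enough. Separately, when neither lookup matches, the guess now keeps its previous value, yet the debug `printf` above still announces `NDPI_PROTOCOL_WHATSAPP_CALL`; a short comment such as `/* no match: keep the earlier guess */` and an updated debug string would make the intent clear. The enclosing branch begins outside the hunk.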
diff --git a/src/lib/protocols/zoom.c b/src/lib/protocols/zoom.c
deleted file mode 100644
index 341fb1c0f..000000000
--- a/src/lib/protocols/zoom.c
+++ /dev/null
@@ -1,130 +0,0 @@
-/*
- * zoom.c
- *
- * Copyright (C) 2018 by ntop.org
- *
- * This file is part of nDPI, an open source deep packet inspection
- * library based on the OpenDPI and PACE technology by ipoque GmbH
- *
- * nDPI is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * nDPI is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-#include "ndpi_protocol_ids.h"
-
-#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_ZOOM
-
-#include "ndpi_api.h"
-
-static u_int8_t is_zoom_tcp_port(struct ndpi_flow_struct *flow) {
-
- struct ndpi_packet_struct *packet = &flow->packet;
- u_int16_t dport = ntohs(packet->tcp->dest);
-
- if((dport == 8801) || (dport == 8802) || (dport == 5090) || (dport == 5091)){
- return 1;
- }
- return 0;
-}
-
-static u_int8_t is_zoom_udp_port(struct ndpi_flow_struct *flow) {
-
- struct ndpi_packet_struct *packet = &flow->packet;
- u_int16_t dport = ntohs(packet->tcp->dest);
-
- if((dport == 3478) || (dport == 3479) || (dport == 5090) ||
- (dport >= 8801 && dport <= 8810) || (dport >= 20000 && dport <= 64000)){
- return 1;
- }
- return 0;
-}
-
-static u_int8_t zoom_ptree_match(struct ndpi_detection_module_struct *ndpi_struct, struct in_addr *pin) {
- return((ndpi_network_ptree_match(ndpi_struct, pin) == NDPI_PROTOCOL_ZOOM) ? 1 : 0);
-}
-
-/* ******************************************* */
-
-static u_int8_t is_zoom_flow(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow) {
- struct ndpi_packet_struct *packet = &flow->packet;
-
- if(packet->iph) {
- struct in_addr daddr;
-
- daddr.s_addr = packet->iph->daddr;
-
- if(zoom_ptree_match(ndpi_struct, &daddr)) {
- return(1);
- }
- }
-
- return(0);
-}
-
-static void ndpi_check_zoom(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow) {
-
- struct ndpi_packet_struct *packet = &flow->packet;
-
- NDPI_LOG_DBG(ndpi_struct, "search Zoom video \n");
-
- if(packet->tcp != NULL)
- {
- if (is_zoom_flow(ndpi_struct, flow) && is_zoom_tcp_port(flow)){
- NDPI_LOG_INFO(ndpi_struct, "found zoom on tcp\n");
-
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZOOM,
- NDPI_PROTOCOL_UNKNOWN);
- return;
- }
- }
- else if(packet->udp != NULL)
- {
- if (is_zoom_flow(ndpi_struct, flow) && is_zoom_udp_port(flow)){
- NDPI_LOG_INFO(ndpi_struct, "found zoom on udp\n");
-
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZOOM,
- NDPI_PROTOCOL_UNKNOWN);
- return;
- }
- }
- else
- {
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- }
-}
-
-void ndpi_search_zoom(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
- struct ndpi_packet_struct *packet = &flow->packet;
-
- NDPI_LOG_DBG(ndpi_struct, "search zoom\n");
-
- /* skip marked packets */
- if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_ZOOM)
- ndpi_check_zoom(ndpi_struct, flow);
-}
-
-
-void init_zoom_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
-{
- ndpi_set_bitmask_protocol_detection("Zoom", ndpi_struct, detection_bitmask, *id,
- NDPI_PROTOCOL_ZOOM,
- ndpi_search_zoom,
- NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP_WITH_PAYLOAD,
- SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
- *id += 1;
-}