False positive fixes

2 files changed, 12 insertions, 3 deletions

diff --git a/src/lib/protocols/h323.c b/src/lib/protocols/h323.c
index 70e5a33c0..21ab1c472 100644
--- a/src/lib/protocols/h323.c
+++ b/src/lib/protocols/h323.c
@@ -25,7 +25,11 @@ void ndpi_search_h323(struct ndpi_detection_module_struct *ndpi_struct, struct n
 
   NDPI_LOG_DBG(ndpi_struct, "search H323\n");
 
-  if(packet->tcp != NULL) {
+  /*
+    The TPKT protocol is used by ISO 8072 (on port 102)
+    and H.323. So this check below is to avoid ambiguities
+  */
+  if((packet->tcp != NULL) && (packet->tcp->dest != ntohs(102))) {
     NDPI_LOG_DBG2(ndpi_struct, "calculated dport over tcp\n");
 
     /* H323  */
@@ -62,7 +66,7 @@ void ndpi_search_h323(struct ndpi_detection_module_struct *ndpi_struct, struct n
 	  NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 	  return;
 	}
-      }    
+      }
   } else if(packet->udp != NULL) {
     sport = ntohs(packet->udp->source), dport = ntohs(packet->udp->dest);
     NDPI_LOG_DBG2(ndpi_struct, "calculated dport over udp\n");
diff --git a/src/lib/protocols/mssql_tds.c b/src/lib/protocols/mssql_tds.c
index 8e6b40c5b..06da37515 100644
--- a/src/lib/protocols/mssql_tds.c
+++ b/src/lib/protocols/mssql_tds.c
@@ -51,7 +51,12 @@ void ndpi_search_mssql_tds(struct ndpi_detection_module_struct *ndpi_struct, str
 
   NDPI_LOG_DBG(ndpi_struct, "search mssql_tds\n");
 
-  if(packet->payload_packet_len < sizeof(struct tds_packet_header)) {
+  if((packet->payload_packet_len < sizeof(struct tds_packet_header))
+     /*
+       The TPKT protocol used by ISO 8072 (on port 102) is similar
+       to this potocol and it can cause false positives 
+     */
+     || (packet->tcp->dest == ntohs(102))) {
     NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
     return;
   }