authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2023-05-10 12:50:24 +0200
committerGitHub <noreply@github.com>2023-05-10 12:50:24 +0200
commit31d23aee5662c8a0b69770cf96960c1db68e647c (patch)
tree5c0a9fb22a109174452817ee8bcee93a1a85ac25 /src/lib/protocols
parent99d7066ea07d21bc282593c09fb6c306c67e09e3 (diff)
All protocols should be excluded sooner or later (#1969)
For a lot of protocols, reduce the number of packets after which the protocol dissector gives up. The values are quite arbitrary, chosen so as not to impact classification.
Diffstat (limited to 'src/lib/protocols')
-rw-r--r--src/lib/protocols/afp.c2
-rw-r--r--src/lib/protocols/amqp.c2
-rw-r--r--src/lib/protocols/checkmk.c8
-rw-r--r--src/lib/protocols/corba.c3
-rw-r--r--src/lib/protocols/csgo.c2
-rw-r--r--src/lib/protocols/dhcp.c3
-rw-r--r--src/lib/protocols/edonkey.c4
-rw-r--r--src/lib/protocols/ftp_control.c1
-rw-r--r--src/lib/protocols/nats.c5
-rw-r--r--src/lib/protocols/oracle.c4
-rw-r--r--src/lib/protocols/radius.c7
-rw-r--r--src/lib/protocols/redis_net.c4
-rw-r--r--src/lib/protocols/rsync.c7
-rw-r--r--src/lib/protocols/rtcp.c3
-rw-r--r--src/lib/protocols/rtmp.c9
-rw-r--r--src/lib/protocols/sip.c2
-rw-r--r--src/lib/protocols/socks45.c8
-rw-r--r--src/lib/protocols/someip.c2
-rw-r--r--src/lib/protocols/stun.c3
-rw-r--r--src/lib/protocols/ubntac2.c1
-rw-r--r--src/lib/protocols/viber.c3
-rw-r--r--src/lib/protocols/xbox.c2
-rw-r--r--src/lib/protocols/zeromq.c4
23 files changed, 62 insertions, 27 deletions
diff --git a/src/lib/protocols/afp.c b/src/lib/protocols/afp.c
index b55c4d4c7..685c8a103 100644
--- a/src/lib/protocols/afp.c
+++ b/src/lib/protocols/afp.c
@@ -56,6 +56,8 @@ static void ndpi_search_afp(struct ndpi_detection_module_struct *ndpi_struct, st
the initial connection, we need to discard these packets
as they are not an indication that this flow is not AFP
*/
+ if(flow->packet_counter > 5)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}
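Review bot: The comment directly above the new lines still says these packets are not an indication that the flow is not AFP, but the new check excludes AFP as soon as `flow->packet_counter > 5`, so the comment should state the new rule, e.g. `/* ... so tolerate a few of them, but give up after 5 packets */`. The literal 5 is repeated without explanation in amqp.c, corba.c, csgo.c, oracle.c and rsync.c in this commit; a named per-dissector constant would document the intent the description itself calls arbitrary. ndpi_search_afp starts above the hunk.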
diff --git a/src/lib/protocols/amqp.c b/src/lib/protocols/amqp.c
index 42afb122a..2998cb357 100644
--- a/src/lib/protocols/amqp.c
+++ b/src/lib/protocols/amqp.c
@@ -69,6 +69,8 @@ static void ndpi_search_amqp(struct ndpi_detection_module_struct *ndpi_struct, s
}
}
}
+ if(flow->packet_counter > 5)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
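Review bot: The exclusion is appended at the end of ndpi_search_amqp without the `return;` that corba.c, oracle.c and rsync.c add after their add_connection calls in this same commit; if the detection path above the hunk (not visible here) falls through instead of returning, a packet that classifies the flow with `packet_counter > 5` would also mark AMQP excluded. Worth confirming that every match path returns before this line, or adding `return;` there as the sibling dissectors do.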
diff --git a/src/lib/protocols/checkmk.c b/src/lib/protocols/checkmk.c
index c0b857430..60aeefb43 100644
--- a/src/lib/protocols/checkmk.c
+++ b/src/lib/protocols/checkmk.c
@@ -40,6 +40,8 @@ static void ndpi_search_checkmk(struct ndpi_detection_module_struct *ndpi_struct
{
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
+ NDPI_LOG_DBG(ndpi_struct, "search Checkmk\n");
+
if (packet->payload_packet_len >= 15) {
if(packet->payload_packet_len > 128) {
@@ -48,6 +50,8 @@ static void ndpi_search_checkmk(struct ndpi_detection_module_struct *ndpi_struct
the initial connection, we need to discard these packets
as they are not an indication that this flow is not AFP
*/
+ if(flow->packet_counter > 6)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}
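Review bot: The context comment above the new check says the discarded packets are not an indication that the flow is not AFP, which is copied from afp.c and wrong in checkmk.c; since the commit now adds an exclusion right under it, rewrite it as `/* large packets may be unrelated setup traffic; tolerate a few before giving up on Check_MK */`. The threshold 6 here also differs from the 5 used by the sibling dissectors without a stated reason. ndpi_search_checkmk's body continues in the following hunks.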
@@ -58,13 +62,13 @@ static void ndpi_search_checkmk(struct ndpi_detection_module_struct *ndpi_struct
if (packet->payload_packet_len >= 15 && packet->payload_packet_len < 100
&& memcmp(packet->payload, "<<<check_mk>>>", 14) == 0) {
- NDPI_LOG(NDPI_PROTOCOL_CHECKMK, ndpi_struct, NDPI_LOG_DEBUG, "Check_MK: Flow detected.\n");
+ NDPI_LOG_DBG(ndpi_struct, "Check_MK: Flow detected.\n");
ndpi_int_checkmk_add_connection(ndpi_struct, flow);
return;
}
}
- NDPI_LOG(NDPI_PROTOCOL_CHECKMK, ndpi_struct, NDPI_LOG_DEBUG, "Check_MK excluded.\n");
+ NDPI_LOG_DBG(ndpi_struct, "Check_MK excluded.\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_CHECKMK);
}
diff --git a/src/lib/protocols/corba.c b/src/lib/protocols/corba.c
index b8c453acc..f22905ea4 100644
--- a/src/lib/protocols/corba.c
+++ b/src/lib/protocols/corba.c
@@ -41,8 +41,11 @@ static void ndpi_search_corba(struct ndpi_detection_module_struct *ndpi_struct,
memcmp(packet->payload, "GIOP", 4) == 0) {
NDPI_LOG_INFO(ndpi_struct, "found corba\n");
ndpi_int_corba_add_connection(ndpi_struct, flow);
+ return;
}
}
+ if(flow->packet_counter > 5)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
diff --git a/src/lib/protocols/csgo.c b/src/lib/protocols/csgo.c
index fc298e781..80002fc0a 100644
--- a/src/lib/protocols/csgo.c
+++ b/src/lib/protocols/csgo.c
@@ -32,6 +32,8 @@ static void ndpi_search_csgo(struct ndpi_detection_module_struct* ndpi_struct, s
if(packet->udp != NULL) {
if(packet->payload_packet_len < sizeof(uint32_t)) {
NDPI_LOG_DBG2(ndpi_struct, "Short csgo packet\n");
+ if(flow->packet_counter > 5)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}
diff --git a/src/lib/protocols/dhcp.c b/src/lib/protocols/dhcp.c
index 12f8c5746..a3971a521 100644
--- a/src/lib/protocols/dhcp.c
+++ b/src/lib/protocols/dhcp.c
@@ -185,7 +185,8 @@ static void ndpi_search_dhcp_udp(struct ndpi_detection_module_struct *ndpi_struc
i += len + 2;
}
}
- }
+ } else
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
}
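Review bot: The new `else` hangs off a braced `if` whose condition is above the hunk, and its single-statement body is left unbraced; unless NDPI_EXCLUDE_PROTO is known to expand to a single statement, write `} else {` / `NDPI_EXCLUDE_PROTO(ndpi_struct, flow);` / `}` to match the surrounding brace style. Whether this else branch covers only malformed DHCP options or every non-matching packet on the port cannot be confirmed from the hunk.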
diff --git a/src/lib/protocols/edonkey.c b/src/lib/protocols/edonkey.c
index be1fae412..4dcc85ec9 100644
--- a/src/lib/protocols/edonkey.c
+++ b/src/lib/protocols/edonkey.c
@@ -159,8 +159,8 @@ static void ndpi_check_edonkey(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
u_int32_t payload_len = packet->payload_packet_len;
- /* Break after 20 packets. */
- if(flow->packet_counter > 20) {
+ /* Break after 10 packets. */
+ if(flow->packet_counter > 10) {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}
diff --git a/src/lib/protocols/ftp_control.c b/src/lib/protocols/ftp_control.c
index 944c0aecb..34c37ddf0 100644
--- a/src/lib/protocols/ftp_control.c
+++ b/src/lib/protocols/ftp_control.c
@@ -37,6 +37,7 @@ extern void switch_extra_dissection_to_tls(struct ndpi_detection_module_struct *
static void ndpi_int_ftp_control_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
+ NDPI_LOG_INFO(ndpi_struct, "found FTP_CONTROL\n");
flow->host_server_name[0] = '\0'; /* Remove any data set by other dissectors (eg. SMTP) */
ndpi_set_detected_protocol(ndpi_struct, flow,
NDPI_PROTOCOL_FTP_CONTROL, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
diff --git a/src/lib/protocols/nats.c b/src/lib/protocols/nats.c
index 5bcaa52ce..da44e5d87 100644
--- a/src/lib/protocols/nats.c
+++ b/src/lib/protocols/nats.c
@@ -44,9 +44,12 @@ static void ndpi_search_nats_tcp(struct ndpi_detection_module_struct *ndpi_struc
/* Check connection over TCP */
NDPI_LOG_DBG(ndpi_struct, "search NATS\n");
- if(packet->tcp && (packet->payload_packet_len > 4)) {
+ if(packet->tcp) {
int i;
+ if(packet->payload_packet_len <= 4)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+
for(i=0; commands[i] != NULL; i++) {
int len = ndpi_min(strlen(commands[i]), packet->payload_packet_len);
int rc = strncmp((const char *)packet->payload, commands[i], len);
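Review bot: After `NDPI_EXCLUDE_PROTO` the function falls straight into the command loop with a payload of at most 4 bytes, which the old condition `payload_packet_len > 4` kept out entirely; `ndpi_min(strlen(commands[i]), packet->payload_packet_len)` then truncates the comparison, and for an empty payload `strncmp` with length 0 returns 0 for every command. Whatever the loop does with `rc == 0` (below the hunk) now runs on data the dissector has just declared not NATS. Brace the exclusion and leave: `if(packet->payload_packet_len <= 4) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; }`. ndpi_search_nats_tcp continues beyond the hunk.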
diff --git a/src/lib/protocols/oracle.c b/src/lib/protocols/oracle.c
index b9be7102d..96012b31c 100644
--- a/src/lib/protocols/oracle.c
+++ b/src/lib/protocols/oracle.c
@@ -50,13 +50,17 @@ static void ndpi_search_oracle(struct ndpi_detection_module_struct *ndpi_struct,
&& (packet->payload[3] == 0x00)))) {
NDPI_LOG_INFO(ndpi_struct, "found oracle\n");
ndpi_int_oracle_add_connection(ndpi_struct, flow);
+ return;
} else if (packet->payload_packet_len == 213 && packet->payload[0] == 0x00 &&
packet->payload[1] == 0xd5 && packet->payload[2] == 0x00 &&
packet->payload[3] == 0x00 ) {
NDPI_LOG_INFO(ndpi_struct, "found oracle\n");
ndpi_int_oracle_add_connection(ndpi_struct, flow);
+ return;
}
}
+ if(flow->packet_counter > 5)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
diff --git a/src/lib/protocols/radius.c b/src/lib/protocols/radius.c
index fe32812b8..77e84e731 100644
--- a/src/lib/protocols/radius.c
+++ b/src/lib/protocols/radius.c
@@ -57,13 +57,12 @@ static void ndpi_check_radius(struct ndpi_detection_module_struct *ndpi_struct,
&& (ntohs(h->len) == payload_len)) {
NDPI_LOG_INFO(ndpi_struct, "Found radius\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RADIUS, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
-
return;
}
-
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- return;
}
+ if(flow->packet_counter > 3)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
}
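Review bot: The `return;` added as the last statement of the void function is redundant and can be dropped. Moving the exclusion out of the size-matched branch also means a packet whose `h->len` does not equal the payload length no longer excludes RADIUS on the spot, which appears to be the intended relaxation; a one-line comment such as `/* tolerate a few non-RADIUS packets before giving up */` above the check would keep that intent visible. ndpi_check_radius starts above the hunk.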
static void ndpi_search_radius(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
diff --git a/src/lib/protocols/redis_net.c b/src/lib/protocols/redis_net.c
index c9bceb050..1891d86d9 100644
--- a/src/lib/protocols/redis_net.c
+++ b/src/lib/protocols/redis_net.c
@@ -33,8 +33,8 @@ static void ndpi_int_redis_add_connection(struct ndpi_detection_module_struct *n
static void ndpi_check_redis(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
- /* Break after 20 packets. */
- if(flow->packet_counter > 20) {
+ /* Break after 10 packets. */
+ if(flow->packet_counter > 10) {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}
diff --git a/src/lib/protocols/rsync.c b/src/lib/protocols/rsync.c
index 580276e9c..0daf25510 100644
--- a/src/lib/protocols/rsync.c
+++ b/src/lib/protocols/rsync.c
@@ -40,17 +40,20 @@ static void ndpi_search_rsync(struct ndpi_detection_module_struct *ndpi_struct,
if(packet->tcp) {
NDPI_LOG_DBG2(ndpi_struct, "calculating RSYNC over tcp\n");
/*
- * Should match: memcmp(packet->payload, "@RSYNCD: 28", 14) == 0)
+ * Should match: memcmp(packet->payload, "@RSYNCD:", 8) == 0)
*/
- if (packet->payload_packet_len == 12 && packet->payload[0] == 0x40 &&
+ if (packet->payload_packet_len >= 8 && packet->payload[0] == 0x40 &&
packet->payload[1] == 0x52 && packet->payload[2] == 0x53 &&
packet->payload[3] == 0x59 && packet->payload[4] == 0x4e &&
packet->payload[5] == 0x43 && packet->payload[6] == 0x44 &&
packet->payload[7] == 0x3a ) {
NDPI_LOG_INFO(ndpi_struct, "found rsync\n");
ndpi_int_rsync_add_connection(ndpi_struct, flow);
+ return;
}
}
+ if(flow->packet_counter > 5)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
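Review bot: The eight byte-by-byte comparisons now implement exactly the `memcmp(packet->payload, "@RSYNCD:", 8) == 0` that the comment above describes, so the condition can be written as `if (packet->payload_packet_len >= 8 && memcmp(packet->payload, "@RSYNCD:", 8) == 0) {`. Relaxing the length from `== 12` to `>= 8` widens the match to any payload starting with the greeting, and the version that follows the banner is no longer checked; a note in the comment that this is deliberate would help the next reader. ndpi_search_rsync starts above the hunk.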
diff --git a/src/lib/protocols/rtcp.c b/src/lib/protocols/rtcp.c
index e79738fd4..daa6c986f 100644
--- a/src/lib/protocols/rtcp.c
+++ b/src/lib/protocols/rtcp.c
@@ -37,6 +37,9 @@ static void ndpi_search_rtcp(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_LOG_INFO(ndpi_struct, "found rtcp\n");
ndpi_int_rtcp_add_connection(ndpi_struct, flow);
}
+
+ if(flow->packet_counter > 3)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
} else if(packet->udp != NULL) {
/* Let's check first the RTCP packet length */
u_int16_t len, offset = 0, rtcp_section_len;
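Review bot: The match branch at the top of the hunk does not `return;` after `ndpi_int_rtcp_add_connection`, so on a matching packet with `packet_counter > 3` the new check excludes RTCP on the very packet that classified it; corba.c, oracle.c and rsync.c in this commit add `return;` after their add_connection calls, and the same line is needed here. The TCP branch this sits in begins above the hunk.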
diff --git a/src/lib/protocols/rtmp.c b/src/lib/protocols/rtmp.c
index d20ec3747..db0c7bcaf 100644
--- a/src/lib/protocols/rtmp.c
+++ b/src/lib/protocols/rtmp.c
@@ -40,8 +40,8 @@ static void ndpi_check_rtmp(struct ndpi_detection_module_struct *ndpi_struct, st
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
u_int32_t payload_len = packet->payload_packet_len;
- /* Break after 20 packets. */
- if (flow->packet_counter > 20) {
+ /* Break after 13 packets. */
+ if (flow->packet_counter > 13) {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}
@@ -50,7 +50,10 @@ static void ndpi_check_rtmp(struct ndpi_detection_module_struct *ndpi_struct, st
if(flow->rtmp_stage == 0) {
NDPI_LOG_DBG2(ndpi_struct, "RTMP stage 0: \n");
- if ((payload_len >= 4) && ((packet->payload[0] == 0x03) || (packet->payload[0] == 0x06))) {
+ if ((payload_len >= 9) &&
+ ((packet->payload[0] == 0x03) || (packet->payload[0] == 0x06)) &&
+ /* https://en.wikipedia.org/w/index.php?title=Real-Time_Messaging_Protocol&section=12#Handshake */
+ get_u_int32_t(packet->payload, 5) == 0) {
NDPI_LOG_DBG2(ndpi_struct, "Possible RTMP request detected, we will look further for the response\n");
/* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
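Review bot: `get_u_int32_t(packet->payload, 5)` reads four bytes at an odd offset; whether that is an unaligned access depends on how get_u_int32_t is defined (not visible here), so if it is a plain pointer cast the read should go through memcpy or be assembled from the four bytes. The threshold `13` in the first hunk is unexplained and differs from the 10 used in edonkey.c, redis_net.c, socks45.c and zeromq.c; a comment giving the reason would help. ndpi_check_rtmp continues outside both hunks.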
diff --git a/src/lib/protocols/sip.c b/src/lib/protocols/sip.c
index df70fdfca..0b06c2dac 100644
--- a/src/lib/protocols/sip.c
+++ b/src/lib/protocols/sip.c
@@ -180,7 +180,7 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct
/* add bitmask for tcp only, some stupid udp programs
* send a very few (< 10 ) packets before invite (mostly a 0x0a0x0d, but just search the first 3 payload_packets here */
- if(packet->udp != NULL && flow->packet_counter < 20) {
+ if(packet->udp != NULL && flow->packet_counter < 10) {
NDPI_LOG_DBG2(ndpi_struct, "need next packet\n");
return;
}
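Review bot: The comment above the changed line still says the dissector searches only the first 3 payload packets, while the condition now waits for up to 10 UDP packets; update it to `/* ... just search the first 10 payload packets here */`. ndpi_search_sip_handshake continues outside the hunk.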
diff --git a/src/lib/protocols/socks45.c b/src/lib/protocols/socks45.c
index 3d7d43799..7bc73af2e 100644
--- a/src/lib/protocols/socks45.c
+++ b/src/lib/protocols/socks45.c
@@ -39,8 +39,8 @@ static void ndpi_check_socks4(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
u_int32_t payload_len = packet->payload_packet_len;
- /* Break after 20 packets. */
- if(flow->packet_counter > 20) {
+ /* Break after 10 packets. */
+ if(flow->packet_counter > 10) {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}
@@ -80,8 +80,8 @@ static void ndpi_check_socks5(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
u_int32_t payload_len = packet->payload_packet_len;
- /* Break after 20 packets. */
- if(flow->packet_counter > 20) {
+ /* Break after 10 packets. */
+ if(flow->packet_counter > 10) {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}
diff --git a/src/lib/protocols/someip.c b/src/lib/protocols/someip.c
index be8391821..a256c82fb 100644
--- a/src/lib/protocols/someip.c
+++ b/src/lib/protocols/someip.c
@@ -98,7 +98,7 @@ static void ndpi_search_someip(struct ndpi_detection_module_struct *ndpi_struct,
const struct ndpi_packet_struct *packet = &ndpi_struct->packet;
if (packet->payload_packet_len < 16) {
- NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG,
+ NDPI_LOG_DBG(ndpi_struct,
"Excluding SOME/IP .. mandatory header not found (not enough data for all fields)\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP);
return;
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index 97ba37b4d..8eeb28260 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -491,7 +491,8 @@ static void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, s
return;
}
- if(flow->stun.num_pkts >= MAX_NUM_STUN_PKTS)
+ if(flow->stun.num_pkts >= MAX_NUM_STUN_PKTS ||
+ flow->packet_counter > 10)
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
if(flow->packet_counter > 0) {
diff --git a/src/lib/protocols/ubntac2.c b/src/lib/protocols/ubntac2.c
index 1c42f3e21..48674ee5b 100644
--- a/src/lib/protocols/ubntac2.c
+++ b/src/lib/protocols/ubntac2.c
@@ -74,7 +74,6 @@ static void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct
ndpi_int_ubntac2_add_connection(ndpi_struct, flow);
}
- return;
}
}
diff --git a/src/lib/protocols/viber.c b/src/lib/protocols/viber.c
index 702da205b..08d42426b 100644
--- a/src/lib/protocols/viber.c
+++ b/src/lib/protocols/viber.c
@@ -83,6 +83,9 @@ static void ndpi_search_viber(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}
+
+ if(flow->packet_counter > 3)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
diff --git a/src/lib/protocols/xbox.c b/src/lib/protocols/xbox.c
index 015bf52e6..c701b0edb 100644
--- a/src/lib/protocols/xbox.c
+++ b/src/lib/protocols/xbox.c
@@ -91,6 +91,8 @@ static void ndpi_search_xbox(struct ndpi_detection_module_struct *ndpi_struct, s
}
#endif
}
+ if(flow->packet_counter >= 5)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
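Review bot: The check uses `>= 5` whereas every other threshold this commit adds uses `>`, so Xbox gives up one packet earlier than the sibling dissectors; if that is deliberate add a comment, otherwise change it to `if(flow->packet_counter > 5)`. ndpi_search_xbox starts above the hunk.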
diff --git a/src/lib/protocols/zeromq.c b/src/lib/protocols/zeromq.c
index 8667d1994..6f86b856c 100644
--- a/src/lib/protocols/zeromq.c
+++ b/src/lib/protocols/zeromq.c
@@ -37,8 +37,8 @@ static void ndpi_check_zmq(struct ndpi_detection_module_struct *ndpi_struct, str
u_char p1[] = { 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x7f };
u_char p2[] = { 0x28, 0x66, 0x6c, 0x6f, 0x77, 0x00 };
- /* Break after 17 packets. */
- if(flow->packet_counter > 17) {
+ /* Break after 10 packets. */
+ if(flow->packet_counter > 10) {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}