diff options
| author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2022-03-09 22:37:35 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-03-09 22:37:35 +0100 |
| commit | 7aee856aa063f7861be7e7fe2970ba014391d9bf (patch) | |
| tree | b02873c5d63cb1ade981a437bbf4c1cfdf19a66f /src/lib | |
| parent | f646a4bce036edfd26215b5875fe81473dbb175d (diff) | |
Extend tests coverage (#1476)
Now there is at least one flow under `tests/pcap` for 249 protocols out
of the 284 ones supported by nDPI.
The 35 protocols without any tests are:
* P2P/sharing protocols: DIRECT_DOWNLOAD_LINK, OPENFT, FASTTRACK,
EDONKEY, SOPCAST, THUNDER, APPLEJUICE, DIRECTCONNECT, STEALTHNET
* games: CSGO, HALFLIFE2, ARMAGETRON, CROSSFIRE, DOFUS, FIESTA,
FLORENSIA, GUILDWARS, MAPLESTORY, WORLD_OF_KUNG_FU
* voip/streaming: VHUA, ICECAST, SHOUTCAST, TVUPLAYER, TRUPHONE
* other: AYIYA, SOAP, TARGUS_GETDATA, RPC, ZMQ, REDIS, VMWARE, NOE,
LOTUS_NOTES, EGP, SAP
Most of these protocols (expecially the P2P and games ones) have been
inherited by OpenDPI and have not been updated since then: even if they
are still used, the detection rules might be outdated.
However code coverage (of `lib/protocols`) only increases from 65.6% to
68.9%.
Improve Citrix, Corba, Fix, Aimini, Megaco, PPStream, SNMP and Some/IP
dissection.
Treat IPP as a HTTP sub protocol.
Fix Cassandra false positives.
Remove `NDPI_PROTOCOL_QQLIVE` and `NDPI_PROTOCOL_REMOTE_SCAN`:
these protocol ids are defined but they are never used.
Remove Collectd support: its code has never been called. If someone is
really interested in this protocol, we can re-add it later, updating the
dissector.
Add decoding of PPI (Per-Packet Information) data link type.
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/ndpi_content_match.c.inc | 16 | ||||
| -rw-r--r-- | src/lib/ndpi_main.c | 19 | ||||
| -rw-r--r-- | src/lib/protocols/aimini.c | 4 | ||||
| -rw-r--r-- | src/lib/protocols/cassandra.c | 7 | ||||
| -rw-r--r-- | src/lib/protocols/citrix.c | 50 | ||||
| -rw-r--r-- | src/lib/protocols/collectd.c | 54 | ||||
| -rw-r--r-- | src/lib/protocols/corba.c | 4 | ||||
| -rw-r--r-- | src/lib/protocols/fix.c | 7 | ||||
| -rw-r--r-- | src/lib/protocols/ipp.c | 81 | ||||
| -rw-r--r-- | src/lib/protocols/lisp.c | 40 | ||||
| -rw-r--r-- | src/lib/protocols/megaco.c | 3 | ||||
| -rw-r--r-- | src/lib/protocols/snmp_proto.c | 136 | ||||
| -rw-r--r-- | src/lib/protocols/someip.c | 25 | ||||
| -rw-r--r-- | src/lib/protocols/xdmcp.c | 2 |
14 files changed, 188 insertions, 260 deletions
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index 323d7116e..34ca02ac1 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc @@ -1297,7 +1297,7 @@ static ndpi_protocol_match host_match[] = { ".m.me", "Messenger", NDPI_PROTOCOL_MESSENGER, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL }, /* Pandora */ - { ".pandora.com", "Pandora", NDPI_PROTOCOL_PANDORA, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL }, + { "pandora.com", "Pandora", NDPI_PROTOCOL_PANDORA, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL }, { ".torproject.org", "Tor", NDPI_PROTOCOL_TOR, NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, NDPI_PROTOCOL_DEFAULT_LEVEL }, @@ -1334,7 +1334,7 @@ static ndpi_protocol_match host_match[] = { ".waze.com", "Waze", NDPI_PROTOCOL_WAZE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL }, { "wazespeechactiviation-pa.googleapis.com", "Waze", NDPI_PROTOCOL_WAZE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL }, - { ".deezer.com", "Deezer", NDPI_PROTOCOL_DEEZER, NDPI_PROTOCOL_CATEGORY_MUSIC, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL }, + { "deezer.com", "Deezer", NDPI_PROTOCOL_DEEZER, NDPI_PROTOCOL_CATEGORY_MUSIC, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL }, /* Microsoft + Azure */ { ".wpc.v0cdn.net", "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL }, @@ -1523,7 +1523,7 @@ static ndpi_protocol_match host_match[] = { ".licdn.com", "LinkedIn", NDPI_PROTOCOL_LINKEDIN, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL }, { ".sndcdn.com", "SoundCloud", NDPI_PROTOCOL_SOUNDCLOUD, NDPI_PROTOCOL_CATEGORY_MUSIC, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL }, - { ".soundcloud.com", "SoundCloud", NDPI_PROTOCOL_SOUNDCLOUD, NDPI_PROTOCOL_CATEGORY_MUSIC, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL }, + { "soundcloud.com", "SoundCloud", NDPI_PROTOCOL_SOUNDCLOUD, NDPI_PROTOCOL_CATEGORY_MUSIC, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL }, { "getrockerbox.com", "SoundCloud", NDPI_PROTOCOL_SOUNDCLOUD, NDPI_PROTOCOL_CATEGORY_MUSIC, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL }, { "web.telegram.org", "Telegram", NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL }, @@ -1733,6 +1733,13 @@ static ndpi_protocol_match host_match[] = { "sonicwall.com", "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL }, { ".rsa.com", "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL }, + { "iqiyi.com", "PPStream", NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL }, + { "iqiyipic.com", "PPStream", NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL }, + { "iq.com", "PPStream", NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL }, + { "qy.net", "PPStream", NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL }, + { "qiyipic.com", "PPStream", NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL }, + { "ppstream.com", "PPStream", NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL }, + { NULL, NULL, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL } }; @@ -1771,10 +1778,7 @@ static ndpi_category_match category_match[] = { { "baidu.com", NDPI_PROTOCOL_CATEGORY_WEB }, { "icq.com", NDPI_PROTOCOL_CATEGORY_CHAT }, { "quickplay.com", NDPI_PROTOCOL_CATEGORY_STREAMING }, - { ".iqiyi.com", NDPI_PROTOCOL_CATEGORY_STREAMING }, - { ".qiyi.com", NDPI_PROTOCOL_CATEGORY_STREAMING }, { ".71.am", NDPI_PROTOCOL_CATEGORY_STREAMING }, - { ".qiyipic.com", NDPI_PROTOCOL_CATEGORY_STREAMING }, { ".1kxun.", NDPI_PROTOCOL_CATEGORY_STREAMING }, { "tcad.wedolook.com", NDPI_PROTOCOL_CATEGORY_STREAMING }, { ".rapidvideo.com", NDPI_PROTOCOL_CATEGORY_STREAMING }, diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 14eb06062..7b7d592af 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -961,6 +961,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp NDPI_PROTOCOL_BITTORRENT, NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK, NDPI_PROTOCOL_GNUTELLA, NDPI_PROTOCOL_MAPLESTORY, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_WORLDOFWARCRAFT, NDPI_PROTOCOL_THUNDER, NDPI_PROTOCOL_IRC, + NDPI_PROTOCOL_IPP, NDPI_PROTOCOL_MATCHED_BY_CONTENT, NDPI_PROTOCOL_NO_MORE_SUBPROTOCOLS); /* NDPI_PROTOCOL_HTTP can have (content-matched) subprotocols */ ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MDNS, @@ -1186,8 +1187,8 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp "TVUplayer", NDPI_PROTOCOL_CATEGORY_VIDEO, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); - ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_QQLIVE, - "QQLive", NDPI_PROTOCOL_CATEGORY_VIDEO, + ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_FREE_61, + "FREE61", NDPI_PROTOCOL_CATEGORY_VIDEO, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_THUNDER, @@ -1558,10 +1559,10 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp "LLMNR", NDPI_PROTOCOL_CATEGORY_NETWORK, ndpi_build_default_ports(ports_a, 5355, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 5355, 0, 0, 0, 0) /* UDP */); /* Missing dissector: port based only */ - ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, NDPI_PROTOCOL_REMOTE_SCAN, - "RemoteScan", NDPI_PROTOCOL_CATEGORY_NETWORK, - ndpi_build_default_ports(ports_a, 6077, 0, 0, 0, 0) /* TCP */, - ndpi_build_default_ports(ports_b, 6078, 0, 0, 0, 0) /* UDP */); /* Missing dissector: port based only */ + ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, NDPI_PROTOCOL_FREE_155, + "FREE155", NDPI_PROTOCOL_CATEGORY_NETWORK, + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_H323, "H323", NDPI_PROTOCOL_CATEGORY_VOIP, ndpi_build_default_ports(ports_a, 1719, 1720, 0, 0, 0) /* TCP */, @@ -1614,10 +1615,10 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp "Whois-DAS", NDPI_PROTOCOL_CATEGORY_NETWORK, ndpi_build_default_ports(ports_a, 43, 4343, 0, 0, 0), /* TCP */ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ - ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_COLLECTD, - "Collectd", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS, + ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_FREE_171, + "FREE171", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ - ndpi_build_default_ports(ports_b, 25826, 0, 0, 0, 0)); /* UDP */ + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SOCKS, "SOCKS", NDPI_PROTOCOL_CATEGORY_WEB, ndpi_build_default_ports(ports_a, 1080, 0, 0, 0, 0), /* TCP */ diff --git a/src/lib/protocols/aimini.c b/src/lib/protocols/aimini.c index 61158dda3..c0d8327a9 100644 --- a/src/lib/protocols/aimini.c +++ b/src/lib/protocols/aimini.c @@ -227,8 +227,10 @@ void ndpi_search_aimini(struct ndpi_detection_module_struct *ndpi_struct, struct { if ((LINE_STARTS(packet->http_url_name, "/download/") == 1 || LINE_STARTS(packet->http_url_name, "/player/") == 1 || + LINE_STARTS(packet->http_url_name, "/webcounter/") == 1 || LINE_STARTS(packet->http_url_name, "/play/") == 1 || - LINE_STARTS(packet->http_url_name, "/member/") == 1) && + LINE_STARTS(packet->http_url_name, "/search/") == 1 || + LINE_STARTS(packet->http_url_name, "/member/") == 1) && (LINE_ENDS(packet->host_line, ".aimini.net") == 1 || LINE_ENDS(packet->host_line, ".aimini.com") == 1)) { diff --git a/src/lib/protocols/cassandra.c b/src/lib/protocols/cassandra.c index 15b3b0015..058590ba9 100644 --- a/src/lib/protocols/cassandra.c +++ b/src/lib/protocols/cassandra.c @@ -110,13 +110,18 @@ void ndpi_search_cassandra(struct ndpi_detection_module_struct *ndpi_struct, { struct ndpi_packet_struct *packet = &ndpi_struct->packet; + NDPI_LOG_DBG(ndpi_struct, "search Cassandra\n"); + if (packet->tcp) { if (packet->payload_packet_len >= CASSANDRA_HEADER_LEN && ndpi_check_valid_cassandra_version(get_u_int8_t(packet->payload, 0)) && ndpi_check_valid_cassandra_flags(get_u_int8_t(packet->payload, 1)) && ndpi_check_valid_cassandra_opcode(get_u_int8_t(packet->payload, 4)) && le32toh(get_u_int32_t(packet->payload, 5)) <= CASSANDRA_MAX_BODY_SIZE && - le32toh(get_u_int32_t(packet->payload, 5)) >= (uint32_t) (packet->payload_packet_len - CASSANDRA_HEADER_LEN)) { + le32toh(get_u_int32_t(packet->payload, 5)) >= (uint32_t) (packet->payload_packet_len - CASSANDRA_HEADER_LEN) && + flow->l4.tcp.h323_valid_packets == 0 /* To avoid clashing with H323 */ && + flow->socks4_stage == 0 /* To avoid clashing with SOCKS */) { + NDPI_LOG_INFO(ndpi_struct, "found Cassandra\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CASSANDRA, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); return; } diff --git a/src/lib/protocols/citrix.c b/src/lib/protocols/citrix.c index 6a9aa25b9..740dfca8b 100644 --- a/src/lib/protocols/citrix.c +++ b/src/lib/protocols/citrix.c @@ -35,40 +35,26 @@ static void ndpi_check_citrix(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int32_t payload_len = packet->payload_packet_len; - if(packet->tcp != NULL) { - flow->l4.tcp.citrix_packet_id++; - - if((flow->l4.tcp.citrix_packet_id == 3) - /* We have seen the 3-way handshake */ - && flow->l4.tcp.seen_syn - && flow->l4.tcp.seen_syn_ack - && flow->l4.tcp.seen_ack) { - if(payload_len == 6) { - char citrix_header[] = { 0x07, 0x07, 0x49, 0x43, 0x41, 0x00 }; - - if(memcmp(packet->payload, citrix_header, sizeof(citrix_header)) == 0) { - NDPI_LOG_INFO(ndpi_struct, "found citrix\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CITRIX, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - } - return; - } else if(payload_len > 22) { - char citrix_header[] = { 0x1a, 0x43, 0x47, 0x50, 0x2f, 0x30, 0x31 }; - - if((memcmp(packet->payload, citrix_header, sizeof(citrix_header)) == 0) - || (ndpi_strnstr((const char *)packet->payload, "Citrix.TcpProxyService", payload_len) != NULL)) { - NDPI_LOG_INFO(ndpi_struct, "found citrix\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CITRIX, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - } - return; - } - - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - } else if(flow->l4.tcp.citrix_packet_id > 3) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + if(payload_len == 6) { + char citrix_header[] = { 0x7F, 0x7F, 0x49, 0x43, 0x41, 0x00 }; + + if(memcmp(packet->payload, citrix_header, sizeof(citrix_header)) == 0) { + NDPI_LOG_INFO(ndpi_struct, "found citrix\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CITRIX, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); + return; + } + } else if(payload_len > 22) { + char citrix_header[] = { 0x1a, 0x43, 0x47, 0x50, 0x2f, 0x30, 0x31 }; + + if((memcmp(packet->payload, citrix_header, sizeof(citrix_header)) == 0) + || (ndpi_strnstr((const char *)packet->payload, "Citrix.TcpProxyService", payload_len) != NULL)) { + NDPI_LOG_INFO(ndpi_struct, "found citrix\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CITRIX, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); + return; } - - return; } + + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } void ndpi_search_citrix(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/collectd.c b/src/lib/protocols/collectd.c deleted file mode 100644 index f9535ab91..000000000 --- a/src/lib/protocols/collectd.c +++ /dev/null @@ -1,54 +0,0 @@ -/* - * collectd.c - * - * Copyright (C) 2014-22 - ntop.org - * - * nDPI is free software: you can redistribute it and/or modify - * it under the terms of the GNU Lesser General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * nDPI is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with nDPI. If not, see <http://www.gnu.org/licenses/>. - * - */ - - -#include "ndpi_protocol_ids.h" - -#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_COLLECTD - -#include "ndpi_api.h" - - -void ndpi_search_collectd(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ - struct ndpi_packet_struct *packet = &ndpi_struct->packet; - u_int len = 0; - - NDPI_LOG_DBG(ndpi_struct, "search collectd\n"); - - if (packet->udp == NULL) return; - - - while(len < packet->payload_packet_len) { - // u_int16_t elem_type = ntohs(*((u_int16_t*)&packet->payload[len])); - u_int16_t elem_len = ntohs(*((u_int16_t*)&packet->payload[len+2])); - - if (elem_len == 0) break; - - len += elem_len; - } - - if(len == packet->payload_packet_len) { - NDPI_LOG_INFO(ndpi_struct, "found COLLECTD\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_COLLECTD, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - } else { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - } -} diff --git a/src/lib/protocols/corba.c b/src/lib/protocols/corba.c index c994b756c..bcd8ab0ba 100644 --- a/src/lib/protocols/corba.c +++ b/src/lib/protocols/corba.c @@ -37,8 +37,8 @@ void ndpi_search_corba(struct ndpi_detection_module_struct *ndpi_struct, struct if(packet->tcp != NULL) { NDPI_LOG_DBG2(ndpi_struct, "calculating CORBA over tcp\n"); /* Corba General Inter-ORB Protocol -> GIOP */ - if ((packet->payload_packet_len >= 24 && packet->payload_packet_len <= 144) && - memcmp(packet->payload, "GIOP", 4) == 0) { + if(packet->payload_packet_len >= 24 && + memcmp(packet->payload, "GIOP", 4) == 0) { NDPI_LOG_INFO(ndpi_struct, "found corba\n"); ndpi_int_corba_add_connection(ndpi_struct, flow); } diff --git a/src/lib/protocols/fix.c b/src/lib/protocols/fix.c index dcfce6065..dc477341a 100644 --- a/src/lib/protocols/fix.c +++ b/src/lib/protocols/fix.c @@ -36,11 +36,10 @@ void ndpi_search_fix(struct ndpi_detection_module_struct *ndpi_struct, struct nd if(packet->tcp && packet->payload_packet_len > 5) { // 8= if(packet->payload[0] == 0x38 && packet->payload[1] == 0x3d) { - // FIX. + // FIX if(packet->payload[2] == 0x46 && packet->payload[3] == 0x49 && - packet->payload[4] == 0x58 && - packet->payload[5] == 0x2e) { + packet->payload[4] == 0x58) { NDPI_LOG_INFO(ndpi_struct, "found FIX\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_FIX, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); @@ -68,7 +67,7 @@ void init_fix_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3 ndpi_set_bitmask_protocol_detection("FIX", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_FIX, ndpi_search_fix, - NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD, + NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, SAVE_DETECTION_BITMASK_AS_UNKNOWN, ADD_TO_DETECTION_BITMASK); *id += 1; diff --git a/src/lib/protocols/ipp.c b/src/lib/protocols/ipp.c index 57edee6ad..546bfaea3 100644 --- a/src/lib/protocols/ipp.c +++ b/src/lib/protocols/ipp.c @@ -30,83 +30,28 @@ static void ndpi_int_ipp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow/* , ndpi_protocol_type_t protocol_type */) + struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_IPP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_IPP, NDPI_CONFIDENCE_DPI); } void ndpi_search_ipp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &ndpi_struct->packet; - u_int8_t i; + struct ndpi_packet_struct *packet = &ndpi_struct->packet; - NDPI_LOG_DBG(ndpi_struct, "search ipp\n"); + NDPI_LOG_DBG(ndpi_struct, "search ipp\n"); - if (packet->payload_packet_len > 20) { + /* Treat IPP as a HTTP sub-protocol */ - NDPI_LOG_DBG2(ndpi_struct, - "searching for a payload with a pattern like 'number(1to8)blanknumber(1to3)ipp://.\n"); - /* this pattern means that there is a printer saying that his state is idle, - * means that he is not printing anything at the moment */ - i = 0; + if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP && + flow->http.method == NDPI_HTTP_METHOD_POST && + LINE_STARTS(packet->http_url_name, "/ipp/") == 1) { + NDPI_LOG_INFO(ndpi_struct, "found ipp\n"); + ndpi_int_ipp_add_connection(ndpi_struct, flow); + return; + } - if (packet->payload[i] < '0' || packet->payload[i] > '9') { - NDPI_LOG_DBG2(ndpi_struct, "payload does not begin with a number\n"); - goto search_for_next_pattern; - } - - for (;;) { - i++; - if (!((packet->payload[i] >= '0' && packet->payload[i] <= '9') || - (packet->payload[i] >= 'a' && packet->payload[i] <= 'f') || - (packet->payload[i] >= 'A' && packet->payload[i] <= 'F')) || i > 8) { - NDPI_LOG_DBG2(ndpi_struct, - "read symbols while the symbol is a number.\n"); - break; - } - } - - if (packet->payload[i++] != ' ') { - NDPI_LOG_DBG2(ndpi_struct, "there is no blank following the number\n"); - goto search_for_next_pattern; - } - - if (packet->payload[i] < '0' || packet->payload[i] > '9') { - NDPI_LOG_DBG2(ndpi_struct, "no number following the blank\n"); - goto search_for_next_pattern; - } - - for (;;) { - i++; - if (packet->payload[i] < '0' || packet->payload[i] > '9' || i > 12) { - NDPI_LOG_DBG2(ndpi_struct, - "read symbols while the symbol is a number.\n"); - break; - } - } - - if (memcmp(&packet->payload[i], " ipp://", 7) != 0) { - NDPI_LOG_DBG2(ndpi_struct, "the string ' ipp://' does not follow\n"); - goto search_for_next_pattern; - } - - NDPI_LOG_INFO(ndpi_struct, "found ipp\n"); - ndpi_int_ipp_add_connection(ndpi_struct, flow); - return; - } - - search_for_next_pattern: - - if (packet->payload_packet_len > 3 && memcmp(packet->payload, "POST", 4) == 0) { - ndpi_parse_packet_line_info(ndpi_struct, flow); - if (packet->content_line.ptr != NULL && packet->content_line.len > 14 - && memcmp(packet->content_line.ptr, "application/ipp", 15) == 0) { - NDPI_LOG_INFO(ndpi_struct, "found ipp via POST ... application/ipp\n"); - ndpi_int_ipp_add_connection(ndpi_struct, flow); - return; - } - } - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/lisp.c b/src/lib/protocols/lisp.c index 403355772..a1a2dafbb 100644 --- a/src/lib/protocols/lisp.c +++ b/src/lib/protocols/lisp.c @@ -24,8 +24,8 @@ #include "ndpi_api.h" -#define LISP_PORT 4341 -#define LISP_PORT1 4342 +#define LISP_PORT 4341 /* Only UDP */ +#define LISP_PORT1 4342 /* TCP and UDP */ static void ndpi_int_lisp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, @@ -39,23 +39,35 @@ static void ndpi_check_lisp(struct ndpi_detection_module_struct *ndpi_struct, st { struct ndpi_packet_struct *packet = &ndpi_struct->packet; + u_int16_t lisp_port1 = htons(LISP_PORT1); + u_int16_t lisp_port = htons(LISP_PORT); if(packet->udp != NULL) { - - u_int16_t lisp_port = htons(LISP_PORT); - u_int16_t lisp_port1 = htons(LISP_PORT1); - - if(((packet->udp->source == lisp_port) - && (packet->udp->dest == lisp_port)) || - ((packet->udp->source == lisp_port1) - && (packet->udp->dest == lisp_port1)) ) { - + if((packet->udp->source == lisp_port && packet->udp->dest == lisp_port) || + (packet->udp->source == lisp_port1 && packet->udp->dest == lisp_port1)) { + NDPI_LOG_INFO(ndpi_struct, "found lisp\n"); + ndpi_int_lisp_add_connection(ndpi_struct, flow, 0); + return; + } + } else { + /* See draft-kouvelas-lisp-map-server-reliable-transport-07 */ + if(packet->tcp->source == lisp_port1 || + packet->tcp->dest == lisp_port1) { + if(packet->payload_packet_len >= 8) { + u_int16_t msg_len = ntohs(*(u_int16_t *)&packet->payload[2]); + if(msg_len >= packet->payload_packet_len && + /* End marker: we don't handle fragmented messages */ + packet->payload[packet->payload_packet_len - 1] == 0xE9 && + packet->payload[packet->payload_packet_len - 2] == 0xAD && + packet->payload[packet->payload_packet_len - 3] == 0xAC && + packet->payload[packet->payload_packet_len - 4] == 0x9F) { NDPI_LOG_INFO(ndpi_struct, "found lisp\n"); ndpi_int_lisp_add_connection(ndpi_struct, flow, 0); - return; - + return; + } } } + } NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } @@ -78,7 +90,7 @@ void init_lisp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int ndpi_set_bitmask_protocol_detection("LISP", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_LISP, ndpi_search_lisp, - NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, + NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, SAVE_DETECTION_BITMASK_AS_UNKNOWN, ADD_TO_DETECTION_BITMASK); *id += 1; diff --git a/src/lib/protocols/megaco.c b/src/lib/protocols/megaco.c index 8c6f0a347..e9430b377 100644 --- a/src/lib/protocols/megaco.c +++ b/src/lib/protocols/megaco.c @@ -34,7 +34,8 @@ void ndpi_search_megaco(struct ndpi_detection_module_struct *ndpi_struct, if(packet->udp != NULL) { if((packet->payload_packet_len > 4 && packet->payload[0] == '!' && packet->payload[1] == '/' && - packet->payload[2] == '1' && packet->payload[3] == ' ' && packet->payload[4] == '[') + packet->payload[2] == '1' && packet->payload[3] == ' ' && + (packet->payload[4] == '[' || packet->payload[4] == '<')) || (packet->payload_packet_len > 9 && packet->payload[0] == 'M' && packet->payload[1] == 'E' && packet->payload[2] == 'G' && packet->payload[3] == 'A' && packet->payload[4] == 'C' && packet->payload[5] == 'O' && packet->payload[6] == '/' && diff --git a/src/lib/protocols/snmp_proto.c b/src/lib/protocols/snmp_proto.c index 59b97e596..c4c2b95b9 100644 --- a/src/lib/protocols/snmp_proto.c +++ b/src/lib/protocols/snmp_proto.c @@ -24,6 +24,8 @@ #include "ndpi_api.h" +/* #define SNMP_DEBUG */ + static void ndpi_search_snmp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); @@ -31,6 +33,7 @@ static void ndpi_search_snmp(struct ndpi_detection_module_struct *ndpi_struct, static void ndpi_int_snmp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { + NDPI_LOG_INFO(ndpi_struct, "found SNMP\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SNMP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); } @@ -51,65 +54,110 @@ static int ndpi_search_snmp_again(struct ndpi_detection_module_struct *ndpi_stru /* *************************************************************** */ +static int get_int(const unsigned char *payload, int payload_len, u_int16_t *value_len) +{ + int value = -1; + + if(payload_len <=0) + return value; + + if(payload[0] <= 0x80) { + *value_len = 1; + value = payload[0]; + } else if(payload[0] == 0x81 && payload_len >=2) { + *value_len = 2; + value = payload[1]; + } else if(payload[0] == 0x82 && payload_len >=3) { + *value_len = 3; + value = payload[1] << 8 | payload[2]; + } + return value; +} + + + +/* *************************************************************** */ + void ndpi_search_snmp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int16_t snmp_port = htons(161), trap_port = htons(162); - u_int8_t version; - - if((packet->payload_packet_len <= 32) - ||(packet->payload[0] != 0x30) - || (((version = packet->payload[4]) != 0 /* SNMPv1 */) - && ((version = packet->payload[4]) != 1 /* SNMPv2c */) - && ((version = packet->payload[4]) != 3 /* SNMPv3 */)) - || ((packet->udp->source != snmp_port) - && (packet->udp->dest != snmp_port) - && (packet->udp->dest != trap_port)) - /* version */ - || ((packet->payload[1] + 2) != packet->payload_packet_len)) { + + if((packet->udp->source != snmp_port) && + (packet->udp->dest != snmp_port) && + (packet->udp->source != trap_port) && + (packet->udp->dest != trap_port)) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - } else { - if((version == 0) || (version == 1)) { - u_int8_t community_len = packet->payload[6]; - u_int8_t snmp_primitive_offset = 7 + community_len; + return; + } - if(snmp_primitive_offset < packet->payload_packet_len) { - u_int8_t snmp_primitive = packet->payload[snmp_primitive_offset] & 0xF; + if(packet->payload_packet_len > 16 && packet->payload[0] == 0x30) { + u_int16_t len_length = 0, offset; + int len; - if(snmp_primitive == 2 /* Get Response */) { - u_int8_t error_status_offset = 17 + community_len; - - if(error_status_offset < packet->payload_packet_len) { - u_int8_t error_status = packet->payload[error_status_offset]; + len = get_int(&packet->payload[1], packet->payload_packet_len - 1, &len_length); -#ifdef SNMP_DEBUG - printf("-> %u [offset: %u][primitive: %u]\n", - error_status, error_status_offset, snmp_primitive); -#endif - - flow->extra_packets_func = NULL; /* We're good now */ + if(len > 2 && + 1 + len_length + len == packet->payload_packet_len && + (packet->payload[1 + len_length + 2] == 0 /* SNMPv1 */ || + packet->payload[1 + len_length + 2] == 1 /* SNMPv2c */ || + packet->payload[1 + len_length + 2] == 3 /* SNMPv3 */)) { - if(error_status != 0) - ndpi_set_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED); - } - } + if(flow->extra_packets_func == NULL) { + ndpi_int_snmp_add_connection(ndpi_struct, flow); } - } - ndpi_int_snmp_add_connection(ndpi_struct, flow); + offset = 1 + len_length + 2; + if((packet->payload[offset] == 0 /* SNMPv1 */ || + packet->payload[offset] == 1 /* SNMPv2c */) && + (offset + 2 < packet->payload_packet_len)) { + + if(flow->extra_packets_func == NULL) { + /* This is necessary to inform the core to call this dissector again */ + flow->check_extra_packets = 1; + flow->max_extra_packets_to_check = 8; + flow->extra_packets_func = ndpi_search_snmp_again; + } - if(flow->extra_packets_func == NULL) { - /* This is necessary to inform the core to call this dissector again */ - flow->check_extra_packets = 1; - flow->max_extra_packets_to_check = 8; - flow->extra_packets_func = ndpi_search_snmp_again; + u_int8_t community_len = packet->payload[offset + 2]; + u_int8_t snmp_primitive_offset = offset + 2 + 1 + community_len; + + if(snmp_primitive_offset < packet->payload_packet_len) { + u_int8_t snmp_primitive = packet->payload[snmp_primitive_offset] & 0xF; + + if(snmp_primitive == 2 /* Get Response */ && + snmp_primitive_offset + 1 < packet->payload_packet_len) { + offset = snmp_primitive_offset + 1; + get_int(&packet->payload[offset], packet->payload_packet_len - offset, &len_length); + offset += len_length + 1; + if(offset < packet->payload_packet_len) { + len = get_int(&packet->payload[offset], packet->payload_packet_len - offset, &len_length); + + u_int8_t error_status_offset = offset + len_length + len + 2; + + if(error_status_offset < packet->payload_packet_len) { + u_int8_t error_status = packet->payload[error_status_offset]; + +#ifdef SNMP_DEBUG + printf("-> %u [offset: %u][primitive: %u]\n", + error_status, error_status_offset, snmp_primitive); +#endif + + flow->extra_packets_func = NULL; /* We're good now */ + + if(error_status != 0) + ndpi_set_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED); + } + } + } + } + } + return; } - - return; } -} -/* *************************************************************** */ + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); +} void init_snmp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) { diff --git a/src/lib/protocols/someip.c b/src/lib/protocols/someip.c index 50a823ec0..c99e8d27c 100644 --- a/src/lib/protocols/someip.c +++ b/src/lib/protocols/someip.c @@ -71,12 +71,6 @@ enum MAGIC_COOKIE_CONSTANTS{ MC_INTERFACE_VERSION = 0x01 }; -enum DEFAULT_PROTOCOL_PORTS{ - PORT_DEFAULT_CLIENT = 30491, - PORT_DEFAULT_SERVER = 30501, - PORT_DEFAULT_SD = 30490 -}; - /** * Entry point when protocol is identified. */ @@ -151,6 +145,7 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, u_int8_t interface_version = (packet->payload[13]); u_int8_t message_type = (u_int8_t) (packet->payload[14]); + message_type &= (~0x20); /* Clear TP bit */ NDPI_LOG_DBG2(ndpi_struct,"====>>>> SOME/IP message type: [%d]\n",message_type); if ((message_type != SOMEIP_REQUEST) && (message_type != SOMEIP_REQUEST_NO_RETURN) && (message_type != SOMEIP_NOTIFICATION) && (message_type != SOMEIP_REQUEST_ACK) && @@ -201,23 +196,7 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, NDPI_LOG_DBG2(ndpi_struct, "SOME/IP-SD currently not supported [%d]\n", message_type); } - //Filtering by port. - //This check is NOT a 100% thing - these ports are mentioned in the documentation but the documentation also states they haven't been approved by IANA yet, and that the user is free to use different ports. - //This is is PURELY for demo purposes and the rest of the check must be filled in later on! - if (flow->l4_proto == IPPROTO_UDP){ - if ((packet->udp->dest == ntohs(PORT_DEFAULT_CLIENT)) || (packet->udp->dest == ntohs(PORT_DEFAULT_SERVER)) || (packet->udp->dest == ntohs(PORT_DEFAULT_SD))) { - ndpi_int_someip_add_connection(ndpi_struct, flow); - return; - } - } - if (flow->l4_proto == IPPROTO_TCP){ - if ((packet->tcp->dest == ntohs(PORT_DEFAULT_CLIENT)) || (packet->tcp->dest == ntohs(PORT_DEFAULT_SERVER))) { - ndpi_int_someip_add_connection(ndpi_struct, flow); - return; - } - } - - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + ndpi_int_someip_add_connection(ndpi_struct, flow); } /** * Entry point for the ndpi library diff --git a/src/lib/protocols/xdmcp.c b/src/lib/protocols/xdmcp.c index f8cbed095..c3c908ce4 100644 --- a/src/lib/protocols/xdmcp.c +++ b/src/lib/protocols/xdmcp.c @@ -69,7 +69,7 @@ void init_xdmcp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_in ndpi_set_bitmask_protocol_detection("XDMCP", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_XDMCP, ndpi_search_xdmcp, - NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD, + NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, SAVE_DETECTION_BITMASK_AS_UNKNOWN, ADD_TO_DETECTION_BITMASK); |