author | Luca Deri <deri@ntop.org> | 2024-08-07 11:35:17 +0200 |
committer | Luca Deri <deri@ntop.org> | 2024-08-07 11:38:41 +0200 |
commit | fc4fb4d409c43af8b9bdbd9d0cf8d9b742408f26 (patch) | |
tree | c13a9e82256804cd9fad2d9fb5816e1c0f549081 /src/lib | |
parent | 653175e72421822aeb7a60af14c07004dc6368e4 (diff) |
Fixed probing attempt risk that was creating false positives
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/ndpi_main.c | 31 |
1 files changed, 11 insertions, 20 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index c82fdb10b..b64b928a1 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -7694,11 +7694,17 @@ static void ndpi_check_tcp_flags(struct ndpi_flow_struct *flow) {
 
 /* ******************************************************************** */
 
 static void ndpi_check_probing_attempt(struct ndpi_flow_struct *flow) {
- if(flow->l4_proto == IPPROTO_TCP) {
+ /* TODO: check UDP traffic too */
+
+ if((flow->l4_proto == IPPROTO_TCP)
+ && (flow->l4.tcp.cli2srv_tcp_flags & TH_PUSH)
+ && (flow->l4.tcp.srv2cli_tcp_flags & TH_PUSH)) {
 if(flow->packet_direction_with_payload_observed[0] && flow->packet_direction_with_payload_observed[1]) {
 /* Both directions observed */
-
+ /* Nothing to do */
+ } else {
+ /* Skipping rules where an early match might be confused with a probing attempt */
 if(flow->confidence == NDPI_CONFIDENCE_DPI) {
 switch(flow->detected_protocol_stack[0]) {
 case NDPI_PROTOCOL_SSH:
@@ -7707,31 +7713,16 @@ static void ndpi_check_probing_attempt(struct ndpi_flow_struct *flow) {
 break;
 
 case NDPI_PROTOCOL_TLS:
- case NDPI_PROTOCOL_QUIC:
+ /* case NDPI_PROTOCOL_QUIC: */
 case NDPI_PROTOCOL_MAIL_SMTPS:
 case NDPI_PROTOCOL_MAIL_POPS:
 case NDPI_PROTOCOL_MAIL_IMAPS:
 case NDPI_PROTOCOL_DTLS:
 if(flow->host_server_name[0] == '\0')
- ndpi_set_risk(flow, NDPI_PROBING_ATTEMPT, "TLS/QUIC Probing");
+ ndpi_set_risk(flow, NDPI_PROBING_ATTEMPT, "TLS Probing");
 break;
 }
- }
- } else {
- switch(flow->confidence) {
- case NDPI_CONFIDENCE_MATCH_BY_PORT:
- case NDPI_CONFIDENCE_NBPF:
- case NDPI_CONFIDENCE_DPI_PARTIAL_CACHE:
- case NDPI_CONFIDENCE_DPI_CACHE:
- case NDPI_CONFIDENCE_MATCH_BY_IP:
- case NDPI_CONFIDENCE_CUSTOM_RULE:
- /* Skipping rules where an early match might be confused with a probing attempt */
- break;
-
- default:
- ndpi_set_risk(flow, NDPI_PROBING_ATTEMPT,
- "TCP connection with unidirectional traffic");
- }
+ }
 }
 }
 }
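Review bot: The new PSH gate on the outer `if` makes the `else` branch hard to reason about: PSH is normally set only on segments that carry data, so a flow with `TH_PUSH` seen in both `cli2srv_tcp_flags` and `srv2cli_tcp_flags` but `packet_direction_with_payload_observed` not set for both directions looks contradictory, and a reader cannot tell whether that combination is the intended probing signature (presumably the flags are accumulated over segments whose payload nDPI did not inspect) or an unreachable path. A one-line comment above the condition stating the scenario being targeted would settle this, e.g. `/* Candidate probe: both peers pushed data, yet payload was not seen in both directions (see packet_direction_with_payload_observed) */`, adjusted to the actual intent. The `&&` short-circuit correctly keeps `flow->l4.tcp` from being read on non-TCP flows. The body of ndpi_check_probing_attempt continues past the end of this hunk.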
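Review bot: `/* case NDPI_PROTOCOL_QUIC: */` leaves commented-out code in the switch; since the outer condition in the preceding hunk now admits only `IPPROTO_TCP` flows, a QUIC label would be unreachable here anyway, so the line should be deleted outright (the `TODO: check UDP traffic too` already records the intent to revisit UDP). By the same reasoning `case NDPI_PROTOCOL_DTLS:` appears unreachable under the TCP-only gate, as DTLS runs over UDP; either drop it as well or keep it with a comment such as `/* DTLS kept for the future UDP path; unreachable while the outer check is TCP-only */` so the next reader does not mistake it for a live check. The risk string `"TLS Probing"` is now also emitted for the SMTPS/POPS/IMAPS cases, which is acceptable but worth a note if the label is consumed downstream. The opening of ndpi_check_probing_attempt lies in the previous hunk.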