Fixed syslog false negatives.improved/syslog-false-negatives

 - RSH vs Syslog may still happen for midstream traffic

Signed-off-by: lns <matzeton@googlemail.com>

2 files changed, 3 insertions, 2 deletions

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 88730350a..9be024642 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1032,7 +1032,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
 			  ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
   ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SYSLOG,
 			  "Syslog", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS,
-			  ndpi_build_default_ports(ports_a, 514, 0, 0, 0, 0) /* TCP */,
+			  ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
 			  ndpi_build_default_ports(ports_b, 514, 0, 0, 0, 0) /* UDP */);
   ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DHCP,
 			  "DHCP", NDPI_PROTOCOL_CATEGORY_NETWORK,
diff --git a/src/lib/protocols/syslog.c b/src/lib/protocols/syslog.c
index 866e0a0c0..1b072de07 100644
--- a/src/lib/protocols/syslog.c
+++ b/src/lib/protocols/syslog.c
@@ -73,7 +73,8 @@ void ndpi_search_syslog(struct ndpi_detection_module_struct
         if (ndpi_isalnum(packet->payload[i]) == 0)
         {
             if (packet->payload[i] == ' ' || packet->payload[i] == ':' ||
-                packet->payload[i] == '=')
+                packet->payload[i] == '=' || packet->payload[i] == '[' ||
+                packet->payload[i] == '-')
             {
                 break;
             }