Improved tor detection to limit false positives

author: Luca Deri <deri@ntop.org> 2018-07-17 18:21:06 +0200
committer: Luca Deri <deri@ntop.org> 2018-07-17 18:21:06 +0200
commit: 34dfe7d375e4fb3bf987f250f260b5b1a7cd15bb (patch)
tree: 4618db88a5d501ee8d1e46f0bf01deb07142f27b /src/lib
parent: 06789406ad322933284a6118040c41e2ed116f0b (diff)
1 files changed, 3 insertions, 4 deletions
diff --git a/src/lib/protocols/tor.c b/src/lib/protocols/tor.c
index 462833db0..134f191c3 100644
--- a/src/lib/protocols/tor.c
+++ b/src/lib/protocols/tor.c
@@ -22,7 +22,7 @@ static void ndpi_int_tor_add_connection(struct ndpi_detection_module_struct
 
 int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct,
 		    struct ndpi_flow_struct *flow, char *certificate) {  
-  int prev_num = 0, numbers_found = 0, num_found = 0, i, len;
+  int prev_num = 0, numbers_found = 0, num_found = 0, i, len, num_impossible = 0;
   char dummy[48], *dot, *name;
 
   if(certificate == NULL)
@@ -73,12 +73,11 @@ int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct,
       if(ndpi_match_bigram(ndpi_struct, &ndpi_struct->bigrams_automa, &name[i])) {
 	num_found++;
       } else if(ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, &name[i])) {
-	ndpi_int_tor_add_connection(ndpi_struct, flow);
-	return(1);
+	num_impossible++;
       }
     }
 
-    if(num_found == 0) {
+    if((num_found == 0) || (num_impossible > 1)) {
       ndpi_int_tor_add_connection(ndpi_struct, flow);
       return(1);
     } else {
author	Luca Deri <deri@ntop.org>	2018-07-17 18:21:06 +0200
committer	Luca Deri <deri@ntop.org>	2018-07-17 18:21:06 +0200
commit	34dfe7d375e4fb3bf987f250f260b5b1a7cd15bb (patch)
tree	4618db88a5d501ee8d1e46f0bf01deb07142f27b /src/lib
parent	06789406ad322933284a6118040c41e2ed116f0b (diff)