signal: improve detection of chats and calls (#2637)

author: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> 2024-12-04 16:14:27 +0100
committer: GitHub <noreply@github.com> 2024-12-04 16:14:27 +0100
commit: 83ce341796197822e2cde8576a8290c8f87a726a (patch)
tree: 648aeb98727ddea2f58d95c7ce2091462e995a24 /src/lib
parent: d31b35d012f239784ffe854a93a46d8d97a6b6c5 (diff)
2 files changed, 14 insertions, 1 deletions
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 39b063adc..8f76f3291 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -1067,7 +1067,12 @@ static ndpi_protocol_match host_match[] =
    { "ubuntu.com",                            "UbuntuONE",        NDPI_PROTOCOL_UBUNTUONE, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
 
    { "signal.org",                            "Signal",           NDPI_PROTOCOL_SIGNAL, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
-   { "whispersystems.org",            "Signal",           NDPI_PROTOCOL_SIGNAL, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+   { "whispersystems.org",                    "Signal",           NDPI_PROTOCOL_SIGNAL, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+   { "signal.art",                            "Signal",           NDPI_PROTOCOL_SIGNAL, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+   { "signal.group",                          "Signal",           NDPI_PROTOCOL_SIGNAL, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+   { "signal.link",                           "Signal",           NDPI_PROTOCOL_SIGNAL, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+   { "signal.me",                             "Signal",           NDPI_PROTOCOL_SIGNAL, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+   { "signal.tube",                           "Signal",           NDPI_PROTOCOL_SIGNAL, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
 
    { "musical.ly",                            "TikTok",           NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
    { "byteoversea.com",                       "TikTok",           NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index 3747d76d0..0ead2a0ea 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -485,6 +485,14 @@ int is_stun(struct ndpi_detection_module_struct *ndpi_struct,
     break;
   }
 
+  /* See https://support.signal.org/hc/en-us/articles/360007320291-Firewall-and-Internet-settings.
+     Since the check is quite weak, give time to other applications to kick in */
+  if(flow->packet_counter > 4 && !flow->stun.is_turn &&
+     !is_subclassification_real(flow) &&
+     (ntohs(flow->c_port) == 10000 || ntohs(flow->s_port) == 10000)) {
+     *app_proto = NDPI_PROTOCOL_SIGNAL_VOIP;
+  }
+
   off = STUN_HDR_LEN;
   while(off + 4 < payload_length) {
     u_int16_t attribute = ntohs(*((u_int16_t *)&payload[off]));
author	Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>	2024-12-04 16:14:27 +0100
committer	GitHub <noreply@github.com>	2024-12-04 16:14:27 +0100
commit	83ce341796197822e2cde8576a8290c8f87a726a (patch)
tree	648aeb98727ddea2f58d95c7ce2091462e995a24 /src/lib
parent	d31b35d012f239784ffe854a93a46d8d97a6b6c5 (diff)