author | Luca <deri@ntop.org> | 2015-07-11 16:04:58 +0200 |
---|---|---|
committer | Luca <deri@ntop.org> | 2015-07-11 16:04:58 +0200 |
commit | 2f347a33d8564ebb9f2bf42d344398912f682898 (patch) | |
tree | 40bec29c9066ab267c8794fa239a73f8a16bffa0 /src | |
parent | 436af982fdbb9e71237d9e6c6a045db9df96e166 (diff) |
Fixes for issues #40 -> #52
Implemented sub-protocol detection for SSL/HTTP/HTTPS
Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_api.h | 8 | ||||
-rw-r--r-- | src/include/ndpi_protocol_ids.h | 16 | ||||
-rw-r--r-- | src/lib/ndpi_content_match.c.inc | 19 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 26 | ||||
-rw-r--r-- | src/lib/protocols/dns.c | 7 | ||||
-rw-r--r-- | src/lib/protocols/http.c | 76 | ||||
-rw-r--r-- | src/lib/protocols/ssl.c | 4 |
7 files changed, 103 insertions, 53 deletions
diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h index d3fff5cfd..30948706b 100644 --- a/src/include/ndpi_api.h +++ b/src/include/ndpi_api.h @@ -173,11 +173,13 @@ extern "C" { u_int8_t proto, u_int32_t shost, u_int16_t sport, u_int32_t dhost, u_int16_t dport); ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct *ndpi_struct, u_int8_t proto, u_int32_t shost, u_int16_t sport, u_int32_t dhost, u_int16_t dport); - int ndpi_match_string_subprotocol(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, char *string_to_match, u_int string_to_match_len); + int ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, char *string_to_match, u_int string_to_match_len, + u_int16_t master_protocol_id); int ndpi_match_content_subprotocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, - char *string_to_match, u_int string_to_match_len); + char *string_to_match, u_int string_to_match_len, + u_int16_t master_protocol_id); int ndpi_match_bigram(struct ndpi_detection_module_struct *ndpi_struct, ndpi_automa *automa, char *bigram_to_match); char* ndpi_protocol2name(struct ndpi_detection_module_struct *ndpi_mod, ndpi_protocol proto, char *buf, u_int buf_len); diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index 67b6189b7..bd31f50b6 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h @@ -220,7 +220,7 @@ #define NDPI_SERVICE_GOOGLE 126 #define NDPI_SERVICE_NETFLIX 133 #define NDPI_SERVICE_LASTFM 134 -#define NDPI_SERVICE_GROOVESHARK 135 +#define NDPI_SERVICE_WAZE 135 #define NDPI_SERVICE_APPLE 140 #define NDPI_SERVICE_WHATSAPP 142 #define NDPI_SERVICE_APPLE_ICLOUD 143 
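Review bot: The new `master_protocol_id` parameter on `ndpi_match_host_subprotocol()` and `ndpi_match_content_subprotocol()` is undocumented in this public header, so a caller cannot tell from the prototype what value to pass. The ndpi_main.c part of this commit writes it to `detected_protocol_stack[1]` when a match is found, so I would add above both prototypes: `/* master_protocol_id: protocol the string was taken from (e.g. NDPI_PROTOCOL_HTTP); stored as the master protocol when a sub-protocol matches */`. The rename also drops `ndpi_match_string_subprotocol()` with no compatibility wrapper, so applications built against the old header stop compiling; if that is intended it deserves a line in the release notes.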
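Review bot: `NDPI_SERVICE_WAZE` reuses numeric id 135, which was `NDPI_SERVICE_GROOVESHARK` until this commit, so anything that stored or exported the id (flow records, per-protocol counters, policy rules keyed on 135) will report old Grooveshark data as Waze without any error. If the id has to be recycled, say so on the line, e.g. `#define NDPI_SERVICE_WAZE 135 /* id formerly NDPI_SERVICE_GROOVESHARK */`. Otherwise a fresh id after the current last one avoids the ambiguity.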
@@ -237,7 +237,7 @@ #define NDPI_SERVICE_YAHOO NDPI_PROTOCOL_YAHOO /* Tomasz Bujlow <tomasz@skatnet.dk> */ #define NDPI_SERVICE_PANDORA 187 #define NDPI_PROTOCOL_EAQ 190 -#define NDPI_SERVICE_MEU 191 +#define NDPI_SERVICE_TIMMEU 191 #define NDPI_SERVICE_TORCEDOR 192 #define NDPI_SERVICE_KAKAOTALK 193 /* KakaoTalk Chat (no voice call) */ #define NDPI_SERVICE_KAKAOTALK_VOICE 194 /* KakaoTalk Voice */ @@ -246,9 +246,19 @@ #define NDPI_SERVICE_TIM 197 /* Traffic for tim.com.br and tim.it */ #define NDPI_PROTOCOL_MPEGTS 198 #define NDPI_SERVICE_SNAPCHAT 199 +#define NDPI_SERVICE_SIMET 200 +#define NDPI_SERVICE_OPENSIGNAL 201 +#define NDPI_SERVICE_99TAXI 202 +#define NDPI_SERVICE_EASYTAXI 203 +#define NDPI_SERVICE_GLOBOTV 204 +#define NDPI_SERVICE_TIMSOMDECHAMADA 205 +#define NDPI_SERVICE_TIMMENU 206 +#define NDPI_SERVICE_TIMPORTASABERTAS 207 +#define NDPI_SERVICE_TIMRECARGA 208 +#define NDPI_SERVICE_TIMBETA 209 /* UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE */ -#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_SERVICE_SNAPCHAT +#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_SERVICE_TIMBETA #define NDPI_MAX_SUPPORTED_PROTOCOLS (NDPI_LAST_IMPLEMENTED_PROTOCOL + 1) #define NDPI_MAX_NUM_CUSTOM_PROTOCOLS (NDPI_NUM_BITS-NDPI_LAST_IMPLEMENTED_PROTOCOL) diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index af29a9e50..496797b7e 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc @@ -7282,6 +7282,9 @@ static ndpi_network host_protocol_list[] = { { 0xC709F98C, 32, NDPI_SERVICE_TWITCH }, { 0xC709F9C5, 32, NDPI_SERVICE_TWITCH }, +/* Simet - 200.160.4.0/24 */ +{ 0xC8A00400, 24, NDPI_SERVICE_SIMET }, + { 0x0, 0, 0 } }; 
@@ -7330,7 +7333,6 @@ ndpi_protocol_match host_match[] = { { "maps.gstatic.com", "GoogleMaps", NDPI_SERVICE_GOOGLE_MAPS, NDPI_PROTOCOL_ACCEPTABLE }, { ".gmail.", "GMail", NDPI_SERVICE_GMAIL, NDPI_PROTOCOL_SAFE }, { "mail.google.", "GMail", NDPI_SERVICE_GMAIL, NDPI_PROTOCOL_SAFE }, - { ".grooveshark.com", "GrooveShark", NDPI_SERVICE_GROOVESHARK, NDPI_PROTOCOL_FUN }, { ".last.fm", "LastFM", NDPI_SERVICE_LASTFM, NDPI_PROTOCOL_FUN }, { "msn.com", "MSN", NDPI_SERVICE_MSN, NDPI_PROTOCOL_FUN }, { "netflix.com", "NetFlix", NDPI_SERVICE_NETFLIX, NDPI_PROTOCOL_FUN }, @@ -7363,7 +7365,7 @@ ndpi_protocol_match host_match[] = { { ".spotify.", "Spotify", NDPI_PROTOCOL_SPOTIFY, NDPI_PROTOCOL_FUN }, { ".pandora.com", "Pandora", NDPI_SERVICE_PANDORA, NDPI_PROTOCOL_FUN }, { ".torproject.org", "Tor", NDPI_PROTOCOL_TOR, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS }, - { "appmeutim.tim.com.br", "Meu", NDPI_SERVICE_MEU, NDPI_PROTOCOL_ACCEPTABLE }, + { "appmeutim.tim.com.br", "TIM_Meu", NDPI_SERVICE_TIMMEU, NDPI_PROTOCOL_ACCEPTABLE }, { ".timtorcedor.com.br", "Torcedor", NDPI_SERVICE_TORCEDOR, NDPI_PROTOCOL_ACCEPTABLE }, { ".kakao.com", "KakaoTalk", NDPI_SERVICE_KAKAOTALK, NDPI_PROTOCOL_FUN }, { "ttvnw.net", "Twitch", NDPI_SERVICE_TWITCH, NDPI_PROTOCOL_FUN }, 
@@ -7378,6 +7380,19 @@ ndpi_protocol_match host_match[] = { { "feelinsonice-hrd.appspot.com", "Snapchat", NDPI_SERVICE_SNAPCHAT, NDPI_PROTOCOL_FUN }, { "feelinsonice.com", "Snapchat", NDPI_SERVICE_SNAPCHAT, NDPI_PROTOCOL_FUN }, + { ".waze.com", "Waze", NDPI_SERVICE_WAZE, NDPI_PROTOCOL_ACCEPTABLE }, + { "simet-", "Simet", NDPI_SERVICE_SIMET, NDPI_PROTOCOL_ACCEPTABLE }, + { "opensignal.com", "OpenSignal", NDPI_SERVICE_OPENSIGNAL, NDPI_PROTOCOL_ACCEPTABLE }, + { "99taxis.com", "99Taxi", NDPI_SERVICE_99TAXI, NDPI_PROTOCOL_ACCEPTABLE }, + { "easytaxis.com", "EasyTaxi", NDPI_SERVICE_EASYTAXI, NDPI_PROTOCOL_ACCEPTABLE }, + { ".globo.com", "GloboTV", NDPI_SERVICE_GLOBOTV, NDPI_PROTOCOL_ACCEPTABLE }, + { ".glbimg.com", "GloboTV", NDPI_SERVICE_GLOBOTV, NDPI_PROTOCOL_ACCEPTABLE }, + { "timsomdechamada.com.br", "SomDeChamada", NDPI_SERVICE_TIMSOMDECHAMADA, NDPI_PROTOCOL_ACCEPTABLE }, + { ".tim.acotelbr.com.br", "TIM_Menu", NDPI_SERVICE_TIMMENU, NDPI_PROTOCOL_ACCEPTABLE }, + { ".timbeta.com.br", "TIM_Beta", NDPI_SERVICE_TIMBETA, NDPI_PROTOCOL_ACCEPTABLE }, + { "tim-geoportal.geoportal3d.com.br", "TIM_PortasAbertas", NDPI_SERVICE_TIMPORTASABERTAS, NDPI_PROTOCOL_ACCEPTABLE }, + { ".m4u.com.br", "TIM_Recarga", NDPI_SERVICE_TIMRECARGA, NDPI_PROTOCOL_ACCEPTABLE }, + { NULL, 0 } }; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index cad78df5c..ec2e320e5 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -4156,7 +4156,8 @@ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct if((proto == IPPROTO_TCP) || (proto == IPPROTO_UDP)) { rc = ndpi_search_tcp_or_udp_raw(ndpi_struct, proto, shost, dhost, sport, dport); if(rc != NDPI_PROTOCOL_UNKNOWN) { - ret.protocol = rc; + ret.protocol = rc, + ret.master_protocol = ndpi_guess_protocol_id(ndpi_struct, proto, sport, dport); return(ret); } 
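Review bot: Several of the added `host_match` patterns carry no leading dot or other anchor (`"simet-"`, `"opensignal.com"`, `"99taxis.com"`, `"easytaxis.com"`, `"timsomdechamada.com.br"`), so if the host automaton matches a pattern anywhere inside the name, as the `AC_TEXT_t` input in ndpi_main.c suggests, any hostname that merely contains one of these strings is labelled as that service. Elsewhere in this commit the matched strings are the HTTP Host header, the DNS query name and the SSL certificate name, all of which the remote side chooses, so the resulting label is a hint and not proof of who the peer is. I would state that in a comment above the new entries, for example `/* substring patterns on peer-supplied names: do not use the result alone for access or accounting decisions */`, and prefer the dotted form used by neighbouring entries wherever a bare-domain match is not needed.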
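Review bot: `ret.protocol = rc,` ends in a comma, so the two assignments are joined by the comma operator instead of being two statements; the result is the same today, but it reads like a typo for `;` and is easy to break in a later edit. Write them separately: `ret.protocol = rc;` then `ret.master_protocol = ndpi_guess_protocol_id(ndpi_struct, proto, sport, dport);`. The same comma-for-semicolon pattern is added to the `detected_protocol_stack` assignments in `ndpi_automa_match_string_subprotocol()` and in both `parseHttpSubprotocol()` hunks in http.c. The body of `ndpi_guess_undetected_protocol()` continues outside this hunk.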
@@ -4306,7 +4307,8 @@ char* ndpi_strnstr(const char *s, const char *find, size_t slen) { static int ndpi_automa_match_string_subprotocol(struct ndpi_detection_module_struct *ndpi_struct, ndpi_automa *automa, struct ndpi_flow_struct *flow, - char *string_to_match, u_int string_to_match_len) { + char *string_to_match, u_int string_to_match_len, + u_int16_t master_protocol_id) { int matching_protocol_id; struct ndpi_packet_struct *packet = &flow->packet; AC_TEXT_t ac_input_text; @@ -4333,14 +4335,14 @@ static int ndpi_automa_match_string_subprotocol(struct ndpi_detection_module_str strncpy(m, string_to_match, len); m[len] = '\0'; - printf("[NDPI] ndpi_match_string_subprotocol(%s): %s\n", m, ndpi_struct->proto_defaults[matching_protocol_id].protoName); + printf("[NDPI] ndpi_match_host_subprotocol(%s): %s\n", m, ndpi_struct->proto_defaults[matching_protocol_id].protoName); } #endif if(matching_protocol_id != NDPI_PROTOCOL_UNKNOWN) { /* Move the protocol on slot 0 down one position */ - packet->detected_protocol_stack[1] = packet->detected_protocol_stack[0]; - packet->detected_protocol_stack[0] = matching_protocol_id; + packet->detected_protocol_stack[1] = master_protocol_id, + packet->detected_protocol_stack[0] = matching_protocol_id; flow->detected_protocol_stack[0] = packet->detected_protocol_stack[0], flow->detected_protocol_stack[1] = packet->detected_protocol_stack[1]; 
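Review bot: The comment `/* Move the protocol on slot 0 down one position */` is stale after this change: slot 1 now receives `master_protocol_id`, and the previous content of slot 0 is overwritten rather than moved down. Replace it with something like `/* slot 0 = matched sub-protocol, slot 1 = master protocol passed by the caller */`. The function starts and ends outside this hunk, so whether any caller relied on the old slot-0 value being preserved cannot be seen from here.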
@@ -4358,20 +4360,24 @@ static int ndpi_automa_match_string_subprotocol(struct ndpi_detection_module_str /* ****************************************************** */ -int ndpi_match_string_subprotocol(struct ndpi_detection_module_struct *ndpi_struct, +int ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, - char *string_to_match, u_int string_to_match_len) { + char *string_to_match, u_int string_to_match_len, + u_int16_t master_protocol_id) { return(ndpi_automa_match_string_subprotocol(ndpi_struct, &ndpi_struct->host_automa, - flow, string_to_match, string_to_match_len)); + flow, string_to_match, string_to_match_len, + master_protocol_id)); } /* ****************************************************** */ int ndpi_match_content_subprotocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, - char *string_to_match, u_int string_to_match_len) { + char *string_to_match, u_int string_to_match_len, + u_int16_t master_protocol_id) { return(ndpi_automa_match_string_subprotocol(ndpi_struct, &ndpi_struct->content_automa, - flow, string_to_match, string_to_match_len)); + flow, string_to_match, string_to_match_len, + master_protocol_id)); } /* ****************************************************** */ diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 089ea913d..787f9f4d7 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -265,9 +265,10 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd #endif if(ndpi_struct->match_dns_host_names) - ndpi_match_string_subprotocol(ndpi_struct, flow, + ndpi_match_host_subprotocol(ndpi_struct, flow, (char *)flow->host_server_name, - strlen((const char*)flow->host_server_name)); + strlen((const char*)flow->host_server_name), + NDPI_PROTOCOL_DNS); } i++; 
@@ -284,7 +285,7 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { /* - Do not set the protocol with DNS if ndpi_match_string_subprotocol() has + Do not set the protocol with DNS if ndpi_match_host_subprotocol() has matched a subprotocol */ NDPI_LOG(NDPI_PROTOCOL_DNS, ndpi_struct, NDPI_LOG_DEBUG, "found DNS.\n"); diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 92c3404b7..aea36a634 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -177,7 +177,8 @@ static void parseHttpSubprotocol(struct ndpi_detection_module_struct *ndpi_struc */ if(((ntohl(packet->iph->saddr) & 0xFFFFFC00 /* 255.255.252.0 */) == 0xC73B9400 /* 199.59.148.0 */) || ((ntohl(packet->iph->daddr) & 0xFFFFFC00 /* 255.255.252.0 */) == 0xC73B9400 /* 199.59.148.0 */)) { - packet->detected_protocol_stack[0] = NDPI_SERVICE_TWITTER; + packet->detected_protocol_stack[0] = NDPI_SERVICE_TWITTER, + packet->detected_protocol_stack[1] = NDPI_PROTOCOL_HTTP; return; } @@ -188,7 +189,8 @@ static void parseHttpSubprotocol(struct ndpi_detection_module_struct *ndpi_struc */ if(((ntohl(packet->iph->saddr) & 0xFFFFE000 /* 255.255.224.0 */) == 0x4535E000 /* 69.53.224.0 */) || ((ntohl(packet->iph->daddr) & 0xFFFFE000 /* 255.255.224.0 */) == 0x4535E000 /* 69.53.224.0 */)) { - packet->detected_protocol_stack[0] = NDPI_SERVICE_NETFLIX; + packet->detected_protocol_stack[0] = NDPI_SERVICE_NETFLIX, + packet->detected_protocol_stack[1] = NDPI_PROTOCOL_HTTP; return; } } 
@@ -196,7 +198,7 @@ static void parseHttpSubprotocol(struct ndpi_detection_module_struct *ndpi_struc if((flow->l4.tcp.http_stage == 0) || (flow->http.url && flow->http_detected)) { /* Try matching subprotocols */ - // ndpi_match_string_subprotocol(ndpi_struct, flow, (char*)packet->host_line.ptr, packet->host_line.len); + // ndpi_match_host_subprotocol(ndpi_struct, flow, (char*)packet->host_line.ptr, packet->host_line.len); /* NOTE @@ -207,9 +209,13 @@ static void parseHttpSubprotocol(struct ndpi_detection_module_struct *ndpi_struc if(!ndpi_struct->http_dont_dissect_response) { if(flow->http.url && flow->http_detected) - ndpi_match_string_subprotocol(ndpi_struct, flow, (char *)&flow->http.url[7], strlen((const char *)&flow->http.url[7])); + ndpi_match_host_subprotocol(ndpi_struct, flow, (char *)&flow->http.url[7], + strlen((const char *)&flow->http.url[7]), + NDPI_PROTOCOL_HTTP); } else - ndpi_match_string_subprotocol(ndpi_struct, flow, (char *)flow->host_server_name, strlen((const char *)flow->host_server_name)); + ndpi_match_host_subprotocol(ndpi_struct, flow, (char *)flow->host_server_name, + strlen((const char *)flow->host_server_name), + NDPI_PROTOCOL_HTTP); } } @@ -344,10 +350,13 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "User Agent Type Line found %.*s\n", packet->user_agent_line.len, packet->user_agent_line.ptr); +#if 0 if((ndpi_struct->http_dont_dissect_response) || flow->http_detected) ndpi_match_content_subprotocol(ndpi_struct, flow, (char*)packet->user_agent_line.ptr, - packet->user_agent_line.len); + packet->user_agent_line.len, + NDPI_PROTOCOL_HTTP); +#endif } /* check for host line */ 
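Review bot: `&flow->http.url[7]` skips a fixed seven bytes on the assumption that the stored URL always starts with `http://`; nothing in this hunk checks that, and the URL is built from request data supplied by the remote peer. If the string can ever be shorter than seven characters, both the pointer and the `strlen()` call read past its end. The code that fills `flow->http.url` is outside the hunk and may already guarantee the prefix; if it does not, make the condition `if(flow->http.url && flow->http_detected && strncmp((const char *)flow->http.url, "http://", 7) == 0)`. The text handed to the host matcher here also appears to be host plus path, so a path component could trigger a host pattern.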
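Review bot: The User-Agent call to `ndpi_match_content_subprotocol()` is compiled out with `#if 0`, and nothing says why or whether it is meant to come back, while the new `master_protocol_id` argument is still added inside the dead block. Either delete the block or put the reason on the directive, e.g. `#if 0 /* User-Agent sub-protocol matching disabled: <reason> */`, so a later reader does not re-enable it by accident. The enclosing `check_content_type_and_change_protocol()` extends beyond the hunk.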
@@ -358,10 +367,11 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ packet->host_line.len, packet->host_line.ptr); if((ndpi_struct->http_dont_dissect_response) || flow->http_detected) - ndpi_match_content_subprotocol(ndpi_struct, flow, - (char*)packet->host_line.ptr, - packet->host_line.len); - + ndpi_match_host_subprotocol(ndpi_struct, flow, + (char*)packet->host_line.ptr, + packet->host_line.len, + NDPI_PROTOCOL_HTTP); + /* Copy result for nDPI apps */ len = ndpi_min(packet->host_line.len, sizeof(flow->host_server_name)-1); strncpy((char*)flow->host_server_name, (char*)packet->host_line.ptr, len); @@ -376,16 +386,18 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ if((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) && ((ndpi_struct->http_dont_dissect_response) || flow->http_detected)) - ndpi_match_string_subprotocol(ndpi_struct, flow, + ndpi_match_host_subprotocol(ndpi_struct, flow, (char *)flow->host_server_name, - strlen((const char *)flow->host_server_name)); + strlen((const char *)flow->host_server_name), + NDPI_PROTOCOL_HTTP); if((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) && ((ndpi_struct->http_dont_dissect_response) || flow->http_detected) && (packet->http_origin.len > 0)) - ndpi_match_string_subprotocol(ndpi_struct, flow, + ndpi_match_host_subprotocol(ndpi_struct, flow, (char *)packet->http_origin.ptr, - packet->http_origin.len); + packet->http_origin.len, + NDPI_PROTOCOL_HTTP); if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_HTTP) { 
@@ -427,7 +439,9 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ packet->content_line.len, packet->content_line.ptr); if((ndpi_struct->http_dont_dissect_response) || flow->http_detected) - ndpi_match_content_subprotocol(ndpi_struct, flow, (char*)packet->content_line.ptr, packet->content_line.len); + ndpi_match_content_subprotocol(ndpi_struct, flow, + (char*)packet->content_line.ptr, packet->content_line.len, + NDPI_PROTOCOL_HTTP); } /* check user agent here too */ @@ -761,7 +775,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct u_int16_t filename_start; /* Check if we so far detected the protocol in the request or not. */ - if (flow->l4.tcp.http_stage == 0) { + if(flow->l4.tcp.http_stage == 0) { flow->http_detected = 0; NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP stage %d: \n", @@ -770,10 +784,10 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct filename_start = http_request_url_offset(ndpi_struct, flow); - if (filename_start == 0) { + if(filename_start == 0) { NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "Filename HTTP not found, we look for possible truncate flow...\n"); - if (packet->payload_packet_len >= 7 && memcmp(packet->payload, "HTTP/1.", 7) == 0) { + if(packet->payload_packet_len >= 7 && memcmp(packet->payload, "HTTP/1.", 7) == 0) { NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP response found (truncated flow ?)\n"); ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); @@ -791,7 +805,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct ndpi_parse_packet_line_info(ndpi_struct, flow); - if (packet->parsed_lines <= 1) { + if(packet->parsed_lines <= 1) { NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "Found just one line, we will look further for the next packet...\n"); 
@@ -832,8 +846,6 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP START Found, we will look for sub-protocols (content and host)...\n"); - check_content_type_and_change_protocol(ndpi_struct, flow); - if(packet->host_line.ptr != NULL) { /* nDPI is pretty scrupoulous about HTTP so it waits until the @@ -852,21 +864,23 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct flow->l4.tcp.http_stage = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2 } + check_content_type_and_change_protocol(ndpi_struct, flow); + return; } } NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP: REQUEST NOT HTTP CONFORM\n"); http_bitmask_exclude(flow); - } else if ((flow->l4.tcp.http_stage == 1) || (flow->l4.tcp.http_stage == 2)) { + } else if((flow->l4.tcp.http_stage == 1) || (flow->l4.tcp.http_stage == 2)) { NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP stage %u: \n", flow->l4.tcp.http_stage); /* At first check, if this is for sure a response packet (in another direction. If not, if http is detected do nothing now and return, * otherwise check the second packet for the http request . */ - if ((flow->l4.tcp.http_stage - packet->packet_direction) == 1) { + if((flow->l4.tcp.http_stage - packet->packet_direction) == 1) { - if (flow->http_detected) + if(flow->http_detected) return; NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, 
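Review bot: `check_content_type_and_change_protocol()` is moved from before the `host_line` block to just before the `return`, so it now runs after `flow->l4.tcp.http_stage` has been assigned, and nothing in the code records why that order is required. `parseHttpSubprotocol()` tests `flow->l4.tcp.http_stage == 0` as its first condition; if it is reached from the moved call, that test can no longer hold on this path and only the `flow->http.url && flow->http_detected` branch remains, which may or may not be intended. A comment above the moved call, such as `/* run sub-protocol matching only after the HTTP state above has been updated */`, would document the dependency. `ndpi_check_http_tcp()` starts and ends outside these two hunks.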
@@ -874,9 +888,9 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct ndpi_parse_packet_line_info(ndpi_struct, flow); - if (packet->parsed_lines <= 1) { + if(packet->parsed_lines <= 1) { /* wait some packets in case request is split over more than 2 packets */ - if (flow->packet_counter < 5) { + if(flow->packet_counter < 5) { NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "line still not finished, search next packet\n"); return; @@ -889,7 +903,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct } } // http://www.slideshare.net/DSPIP/rtsp-analysis-wireshark - if (packet->line[0].len >= 9 + if(packet->line[0].len >= 9 && memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) { NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "Found HTTP.\n"); @@ -906,7 +920,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct /* This is a packet in another direction. Check if we find the proper response. */ /* We have received a response for a previously identified partial HTTP request */ - if ((packet->parsed_lines == 1) && (packet->packet_direction == 1 /* server -> client */)) { + if((packet->parsed_lines == 1) && (packet->packet_direction == 1 /* server -> client */)) { /* In apache if you do "GET /\n\n" the response comes without any header so we can assume that this can be the case 
@@ -918,14 +932,14 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct } /* If we already detected the http request, we can add the connection and then check for the sub-protocol*/ - if (flow->http_detected) + if(flow->http_detected) ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); /* Parse packet line and we look for the subprotocols */ ndpi_parse_packet_line_info(ndpi_struct, flow); check_content_type_and_change_protocol(ndpi_struct, flow); - if (packet->empty_line_position_set != 0 || flow->l4.tcp.http_empty_line_seen == 1) { + if(packet->empty_line_position_set != 0 || flow->l4.tcp.http_empty_line_seen == 1) { NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "empty line. check_http_payload.\n"); check_http_payload(ndpi_struct, flow); } @@ -941,7 +955,7 @@ void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_packet_struct *packet = &flow->packet; /* Break after 20 packets. */ - if (flow->packet_counter > 20) { + if(flow->packet_counter > 20) { NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "Exclude HTTP.\n"); http_bitmask_exclude(flow); return; diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/ssl.c index 12a198498..b113bf197 100644 --- a/src/lib/protocols/ssl.c +++ b/src/lib/protocols/ssl.c @@ -307,7 +307,9 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s printf("***** [SSL] %s\n", certificate); #endif - if(ndpi_match_string_subprotocol(ndpi_struct, flow, certificate, strlen(certificate)) != NDPI_PROTOCOL_UNKNOWN) + if(ndpi_match_host_subprotocol(ndpi_struct, flow, certificate, + strlen(certificate), + NDPI_PROTOCOL_SSL) != NDPI_PROTOCOL_UNKNOWN) return(rc); /* Fix courtesy of Gianluca Costa <g.costa@xplico.org> */ #ifdef NDPI_PROTOCOL_TOR |