eDonkey: improve/update classification (#2410)

eDonkey is definitely not as used as >10 years ago, but it seems it is
still active.

While having a basic TCP support seems easy, identification over UDP doesn't
work and it is hard to do it rightly (packets might be only 2 bytes long):
remove it.

Credits to V.G <v.gavrilov@securitycode.ru>

2 files changed, 15 insertions, 166 deletions

diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index f5e6ac803..9b5e294da 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1469,9 +1469,6 @@ struct ndpi_flow_struct {
   /* NDPI_PROTOCOL_SOCKS */
   u_int8_t socks5_stage:2, socks4_stage:2;      // 0 - 3
 
-  /* NDPI_PROTOCOL_EDONKEY */
-  u_int8_t edonkey_stage:2;	                // 0 - 3
-
   /* NDPI_PROTOCOL_FTP_CONTROL */
   u_int8_t ftp_control_stage:2;
 
diff --git a/src/lib/protocols/edonkey.c b/src/lib/protocols/edonkey.c
index 389ca587d..96561a95b 100644
--- a/src/lib/protocols/edonkey.c
+++ b/src/lib/protocols/edonkey.c
@@ -1,9 +1,7 @@
 /*
  * edonkey.c
  *
- * Copyright (C) 2014 Tomasz Bujlow <tomasz@skatnet.dk>
- *
- * The signature is based on the Libprotoident library.
+ * Copyright (C) 2024 - ntop.org and contributors
  *
  * This file is part of nDPI, an open source deep packet inspection
  * library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -30,179 +28,33 @@
 #include "ndpi_api.h"
 #include "ndpi_private.h"
 
-
 static void ndpi_int_edonkey_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
+  NDPI_LOG_INFO(ndpi_struct, "found EDONKEY\n");
   ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_EDONKEY, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
 }
 
-static int ndpi_edonkey_payload_check(const u_int8_t *data, u_int32_t len) {
-  if((len >= 4) && (data[0] == 0xe3) && (data[2] == 0x00) && (data[3] == 0x00))
-    return 1;
-  
-  if((len >= 4) && (data[0] == 0xc5) && (data[2] == 0x00) && (data[3] == 0x00))
-    return 1;  
-  
-  if((len >= 2) && (data[0] == 0xe5) && (data[1] == 0x43))
-    return 1;
-  
-  if((len >= 4) && (data[0] == 0xe5) && (data[1] == 0x08) && (data[2] == 0x78) && (data[3] == 0xda))
-    return 1;
-
-  if((len >= 4) && (data[0] == 0xe5) && (data[1] == 0x28) && (data[2] == 0x78) && (data[3] == 0xda))
-    return 1;
-
-  if((len >= 2) && (data[0] == 0xc5) && (data[1] == 0x90))
-    return 1;
-
-  if((len >= 2) && (data[0] == 0xc5) && (data[1] == 0x91))
-    return 1;
-
-  if((len == 2) && (data[0] == 0xc5) && (data[1] == 0x92))
-    return 1;
-
-  if((len == 2) && (data[0] == 0xc5) && (data[1] == 0x93))
-    return 1;
-
-  if((len >= 38 && len <= 70) && (data[0] == 0xc5) && (data[1] == 0x94))
-    return 1;
-
-  if((len >= 2) && (data[0] == 0xe3) && (data[1] == 0x9a))
-    return 1;
-
-  if((len >= 2) && (data[0] == 0xe3) && (data[1] == 0x9b))
-    return 1;
-
-  if((len == 6) && (data[0] == 0xe3) && (data[1] == 0x96))
-    return 1;
-
-  if((len <= 34 && ((len - 2) % 4 == 0)) && (data[0] == 0xe3) && (data[1] == 0x97))
-    return 1;
-
-  if((len >= 2) && (data[0] == 0xe3) && (data[1] == 0x92))
-    return 1;
-
-  if((len >= 2) && (data[0] == 0xe3) && (data[1] == 0x94))
-    return 1;
-
-  if((len >= 2) && (data[0] == 0xe3) && (data[1] == 0x98))
-    return 1;
-
-  if((len >= 2) && (data[0] == 0xe3) && (data[1] == 0x99))
-    return 1;
-
-  if((len == 6) && (data[0] == 0xe3) && (data[1] == 0xa2))
-    return 1;
-
-  if((len >= 2) && (data[0] == 0xe3) && (data[1] == 0xa3))
-    return 1;
-
-  if((len == 27) && (data[0] == 0xe4) && (data[1] == 0x00))
-    return 1;
-
-  if((len == 529) && (data[0] == 0xe4) && (data[1] == 0x08))
-    return 1;
-
-  if((len == 18) && (data[0] == 0xe4) && (data[1] == 0x01) && (data[2] == 0x00) && (data[3] == 0x00))
-    return 1;
-
-  if((len == 523) && (data[0] == 0xe4) && (data[1] == 0x09))
-    return 1;
-
-  if((len == 35) && (data[0] == 0xe4) && (data[1] == 0x21))
-    return 1;
-
-  if((len == 19) && (data[0] == 0xe4) && (data[1] == 0x4b))
-    return 1;
-
-  if((len >= 2) && (data[0] == 0xe4) && (data[1] == 0x11))
-    return 1;
-
-  if((len == 22 || len == 38 || len == 28) && (data[0] == 0xe4) && (data[1] == 0x19))
-    return 1;
-
-  if((len == 35) && (data[0] == 0xe4) && (data[1] == 0x20))
-    return 1;
-
-  if((len == 27) && (data[0] == 0xe4) && (data[1] == 0x18))
-    return 1;
-
-  if((len == 27) && (data[0] == 0xe4) && (data[1] == 0x10))
-    return 1;
-
-  if((len == 6) && (data[0] == 0xe4) && (data[1] == 0x58))
-    return 1;
-
-  if((len == 4) && (data[0] == 0xe4) && (data[1] == 0x50))
-    return 1;
-
-  if((len == 36) && (data[0] == 0xe4) && (data[1] == 0x52))
-    return 1;
-
-  if((len == 48) && (data[0] == 0xe4) && (data[1] == 0x40))
-    return 1;
-
-  if((len == 225) && (data[0] == 0xe4) && (data[1] == 0x43))
-    return 1;
-
-  if((len == 19) && (data[0] == 0xe4) && (data[1] == 0x48))
-    return 1;
-
-  if((len == 119 || len == 69 || len == 294) && (data[0] == 0xe4) && (data[1] == 0x29))
-    return 1;
-
-  if((len == 119 || len == 69 || len == 294 || len == 44 || len == 269) && (data[0] == 0xe4) && (data[1] == 0x28))
-    return 1;
-
-  return 0;
-}
-
-static void ndpi_check_edonkey(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
+static void ndpi_search_edonkey(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
   struct ndpi_packet_struct *packet = &ndpi_struct->packet;
-  u_int32_t payload_len = packet->payload_packet_len;
- 
-  /* Break after 10 packets. */
-  if(flow->packet_counter > 10) {
-    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
-    return;
-  }
-
-  /* Check if we so far detected the protocol in the request or not. */
-  if(flow->edonkey_stage == 0) {
-    NDPI_LOG_DBG2(ndpi_struct, "EDONKEY stage 0: \n");
+  u_int8_t protocol;
+  u_int32_t message_length;
 
-    if(ndpi_edonkey_payload_check(packet->payload, payload_len)) {
-      NDPI_LOG_DBG2(ndpi_struct, "Possible EDONKEY request detected, we will look further for the response\n");
+  NDPI_LOG_DBG(ndpi_struct, "search EDONKEY\n");
 
-      /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
-      flow->edonkey_stage = packet->packet_direction + 1;
-    } else
+  if(packet->payload_packet_len > 5) {
+    protocol = packet->payload[0];
+    /* 0xE3: Edonkey, 0xC5: eMule extensions, 0xD4: eMule compressed */
+    if(protocol != 0xE3 && protocol != 0xC5 && protocol != 0xD4) {
       NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
-  } else {
-    NDPI_LOG_DBG2(ndpi_struct, "EDONKEY stage %u: \n", flow->edonkey_stage);
-
-    /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */
-    if((flow->edonkey_stage - packet->packet_direction) == 1) {
       return;
     }
-
-    /* This is a packet in another direction. Check if we find the proper response. */
-    if(ndpi_edonkey_payload_check(packet->payload, payload_len)) {
-      NDPI_LOG_INFO(ndpi_struct, "found EDONKEY\n");
+    message_length = packet->payload_packet_len - 5;
+    if(message_length == le32toh(get_u_int32_t(packet->payload, 1))) {
       ndpi_int_edonkey_add_connection(ndpi_struct, flow);
-    } else {
-      NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to EDONKEY, resetting the stage to 0\n");
-      flow->edonkey_stage = 0;
+      return;
     }
   }
 
-  if(flow->packet_counter > 5)
-    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);    
-}
-
-static void ndpi_search_edonkey(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
-  NDPI_LOG_DBG(ndpi_struct, "search EDONKEY\n");
-
-  ndpi_check_edonkey(ndpi_struct, flow);
+  NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 }
 
 
@@ -211,7 +63,7 @@ void init_edonkey_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_
   ndpi_set_bitmask_protocol_detection("eDonkey", ndpi_struct, *id,
 				      NDPI_PROTOCOL_EDONKEY,
 				      ndpi_search_edonkey,
-				      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
+				      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
 				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
 				      ADD_TO_DETECTION_BITMASK);