authorLuca Deri <deri@ntop.org>2015-08-13 12:44:47 +0200
committerLuca Deri <deri@ntop.org>2015-08-13 12:44:47 +0200
commita0bef995b68d1825c6e9a19fcbf604ef76580c51 (patch)
tree24e84130b10915d9c42c34a6e9ff3e792efb9977 /src
parentd6b5d8e2c2da5481ccfbd084bcc21a5ccb8da3f6 (diff)
Initial work for supporting HotspotShield VPN detection
Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_protocol_ids.h3
-rw-r--r--src/lib/ndpi_content_match.c.inc8
-rw-r--r--src/lib/ndpi_main.c21
3 files changed, 31 insertions, 1 deletions
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index 891354745..cfb5897ba 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -260,9 +260,10 @@
#define NDPI_SERVICE_DEEZER 210
#define NDPI_SERVICE_INSTAGRAM 211 /* Andrea Buscarinu <andrea.buscarinu@gmail.com> */
#define NDPI_SERVICE_MICROSOFT 212
+#define NDPI_SERVICE_HOTSPOT_SHIELD 215
/* UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE */
-#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_PROTOCOL_TEREDO
+#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_SERVICE_HOTSPOT_SHIELD
#define NDPI_MAX_SUPPORTED_PROTOCOLS (NDPI_LAST_IMPLEMENTED_PROTOCOL + 1)
#define NDPI_MAX_NUM_CUSTOM_PROTOCOLS (NDPI_NUM_BITS-NDPI_LAST_IMPLEMENTED_PROTOCOL)
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index fe7b39b52..5e0210d71 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -7289,6 +7289,12 @@ static ndpi_network host_protocol_list[] = {
/* Simet - 200.160.4.0/24 */
{ 0xC8A00400, 24, NDPI_SERVICE_SIMET },
+ /*
+ AnchorFree (Hotspot Shield)
+ AnchorFree Inc. AFNETWORK-1 (NET-74-115-0-0-1) 74.115.0.0 - 74.115.7.255
+ */
+ { 0x4A730000, 21, NDPI_SERVICE_HOTSPOT_SHIELD },
+
{ 0x0, 0, 0 }
};
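Review bot: The new entry's comment gives the registry range but not when it was looked up, and a hard-coded prefix goes stale when the allocation is transferred or extended. The value itself checks out: 0x4A730000 is 74.115.0.0 and 74.115.0.0 - 74.115.7.255 is exactly a /21. Because the lookup added to ndpi_main.c in this commit labels a flow from the address alone, anything else hosted in that block would be reported as HotspotShield. I would extend the comment along the lines of `74.115.0.0/21, ARIN NET-74-115-0-0-1, checked <lookup date>; re-verify before relying on this for policy`.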
@@ -7409,6 +7415,8 @@ ndpi_protocol_match host_match[] = {
{ "update.microsoft.com", "WindowsUpdate", NDPI_SERVICE_WINDOWS_UPDATE, NDPI_PROTOCOL_ACCEPTABLE },
{ ".windowsupdate.com", "WindowsUpdate", NDPI_SERVICE_WINDOWS_UPDATE, NDPI_PROTOCOL_ACCEPTABLE },
{ "worldofwarcraft.com", "WorldOfWarcraft", NDPI_PROTOCOL_WORLDOFWARCRAFT, NDPI_PROTOCOL_FUN },
+ { ".anchorfree.", "HotspotShield", NDPI_SERVICE_HOTSPOT_SHIELD, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS },
+ { "hotspotshield.com", "HotspotShield", NDPI_SERVICE_HOTSPOT_SHIELD, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS },
{ NULL, 0 }
};
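Review bot: The two added patterns are looser than the domains they name, which matters for a label of `NDPI_PROTOCOL_POTENTIALLY_DANGEROUS`. If host_match strings are matched as substrings of the hostname (the matcher is not visible in this hunk, but the leading-dot style of neighbouring entries suggests it), `".anchorfree."` fires on any name with an `anchorfree` label in any position, for example a constructed `cdn.anchorfree.example.net`. Likewise `"hotspotshield.com"` without a leading separator also fires on a constructed `nothotspotshield.com`. I would list the vendor's registered domains explicitly instead of leaving the TLD open. If the open TLD is deliberate, a comment above the entries should say so, e.g. `/* TLD left open on purpose: vendor uses several; expect false positives */`.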
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index f88651443..9514a5943 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1164,6 +1164,11 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
no_master, "WorldOfWarcraft",
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_SERVICE_HOTSPOT_SHIELD,
+ no_master,
+ no_master, "HotspotShield",
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_UNSAFE, NDPI_PROTOCOL_TELNET,
no_master,
no_master, "Telnet",
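Review bot: HotspotShield is registered here with breed `NDPI_PROTOCOL_FUN`, while the host_match entries this same commit adds in ndpi_content_match.c.inc tag it `NDPI_PROTOCOL_POTENTIALLY_DANGEROUS`. Anything that filters or alerts on breed would see a different risk class depending on which table it reads; how each table is consumed is not visible on this page. If the VPN is meant to be flagged, the first added line should read `ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, NDPI_SERVICE_HOTSPOT_SHIELD,`. ndpi_init_protocol_defaults starts and ends outside the hunk.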
@@ -3411,6 +3416,22 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
} else
ret.protocol = flow->detected_protocol_stack[0];
+
+ if((ret.master_protocol == NDPI_PROTOCOL_UNKNOWN) && flow->packet.iph) {
+ struct ndpi_packet_struct *packet = &flow->packet;
+
+ if((ret.master_protocol = ndpi_network_ptree_match(ndpi_struct, (struct in_addr *)&packet->iph->saddr)) == NDPI_PROTOCOL_UNKNOWN)
+ ret.master_protocol = ndpi_network_ptree_match(ndpi_struct, (struct in_addr *)&packet->iph->daddr);
+
+ /* Swap proocols in case of success */
+ if(ret.master_protocol != NDPI_PROTOCOL_UNKNOWN) {
+ u_int8_t t = ret.master_protocol;
+
+ ret.master_protocol = ret.protocol;
+ ret.protocol = t;
+ }
+ }
+
return(ret);
}
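Review bot: The swap temporary `u_int8_t t` will truncate the id returned by ndpi_network_ptree_match() if `ret.master_protocol` is wider than 8 bits. The field's declaration is outside this hunk, so that needs confirming, but the built-in ids already reach 215 and custom protocols are numbered above NDPI_LAST_IMPLEMENTED_PROTOCOL. Declaring the temporary with the field's own type avoids the narrowing, e.g. `u_int16_t t = ret.master_protocol;` if the field is 16-bit. The block also replaces `ret.protocol` on an IPv4 address match alone, with no payload evidence, and that deserves a comment such as `/* No master protocol: fall back to the IPv4 network list; the DPI result becomes the master */`. The existing comment has a typo ("proocols"). ndpi_detection_process_packet begins outside the hunk.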