author | Liam Wilson <37528501+liwilson1@users.noreply.github.com> | 2024-09-27 19:23:22 +1200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-09-27 09:23:22 +0200 |
commit | cdda369e92d7581242c0c436d76569faf9860056 (patch) | |
tree | 6708accaf79ae8954945eed01238d1328cadfef3 /src | |
parent | 288c1f5c22789660b272ed95fcfada43f7d9e35c (diff) |
Add enable/disable guessing using client IP/port (#2569)
Add configurable options for whether to include client port or client IP
in the flow's protocol guesses. This defaults to include both client
port/IP if the protocol is not guessed with the server IP/port.
This is intended for when flow direction detection is enabled, so we
know that sport = client port, dport = server port.
Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_private.h | 2 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 11 |
2 files changed, 10 insertions, 3 deletions
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
index 0bb3af0f1..3aa17ed3c 100644
--- a/src/include/ndpi_private.h
+++ b/src/include/ndpi_private.h
@@ -201,6 +201,8 @@ struct ndpi_detection_module_config_struct {
 int compute_entropy;
 int fpc_enabled;
 int guess_ip_before_port;
+ int use_client_ip_in_guess;
+ int use_client_port_in_guess;
 char filename_config[CFG_MAX_LEN];
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index e70fb87ec..3e16ca5c1 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -4394,6 +4394,8 @@ void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_str) {
 static default_ports_tree_node_t *ndpi_get_guessed_protocol_id(struct ndpi_detection_module_struct *ndpi_str, u_int8_t proto, u_int16_t sport, u_int16_t dport) {
 default_ports_tree_node_t node;
+ /* Set use_sport to config value if direction detection is enabled */
+ int use_sport = ndpi_str->cfg.direction_detect_enabled ? ndpi_str->cfg.use_client_port_in_guess : 1;
 if(sport && dport) {
 const void *ret;
@@ -4402,7 +4404,7 @@ static default_ports_tree_node_t *ndpi_get_guessed_protocol_id(struct ndpi_detec
 ret = ndpi_tfind(&node, (proto == IPPROTO_TCP) ? (void *) &ndpi_str->tcpRoot : (void *) &ndpi_str->udpRoot, default_ports_tree_node_t_cmp);
- if(ret == NULL) {
+ if(ret == NULL && use_sport) {
 node.default_port = sport;
 ret = ndpi_tfind(&node, (proto == IPPROTO_TCP) ? (void *) &ndpi_str->tcpRoot : (void *) &ndpi_str->udpRoot, default_ports_tree_node_t_cmp);
@@ -7425,6 +7427,7 @@ u_int16_t ndpi_guess_host_protocol_id(struct ndpi_detection_module_struct *ndpi_
 struct ndpi_flow_struct *flow) {
 struct ndpi_packet_struct *packet = &ndpi_str->packet;
 u_int16_t ret = NDPI_PROTOCOL_UNKNOWN;
+ int use_client = ndpi_str->cfg.use_client_ip_in_guess;
 if(packet->iph) {
 struct in_addr addr;
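Review bot: The comment on `use_sport` in ndpi_get_guessed_protocol_id restates the ternary and leaves out why the option is ignored when direction detection is off. Going by the commit description, sport is only known to be the client port with direction detection enabled, so a comment such as `/* sport is only known to be the client port when direction detection is on; otherwise keep trying it */` would carry the reason. Whether callers actually pass the ports in client/server order is not visible here and is worth confirming. The flag is consumed in the following hunk at `if(ret == NULL && use_sport)`, and the function body continues outside both hunks.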
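Review bot: `use_client` in ndpi_guess_host_protocol_id is read straight from `cfg.use_client_ip_in_guess`, while `use_sport` in ndpi_get_guessed_protocol_id is forced to 1 whenever `direction_detect_enabled` is off, so the two options behave differently under the same setting. If `flow->c_address` and `flow->s_address` are only reliable as client and server with direction detection (not visible in this diff), disabling the IP option without it could skip the lookup on what is in fact the server address and leave the flow unguessed. Either gate it the same way, `int use_client = ndpi_str->cfg.direction_detect_enabled ? ndpi_str->cfg.use_client_ip_in_guess : 1;`, or add a comment saying why the IP case does not need the gate. The flag is applied in the two following hunks, at the IPv4 and IPv6 `if(ret == NDPI_PROTOCOL_UNKNOWN && use_client)` checks.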
@@ -7433,7 +7436,7 @@ u_int16_t ndpi_guess_host_protocol_id(struct ndpi_detection_module_struct *ndpi_
 addr.s_addr = flow->s_address.v4;
 ret = ndpi_network_port_ptree_match(ndpi_str, &addr, flow->s_port);
- if(ret == NDPI_PROTOCOL_UNKNOWN) {
+ if(ret == NDPI_PROTOCOL_UNKNOWN && use_client) {
 addr.s_addr = flow->c_address.v4;
 ret = ndpi_network_port_ptree_match(ndpi_str, &addr, flow->c_port);
 }
@@ -7444,7 +7447,7 @@ u_int16_t ndpi_guess_host_protocol_id(struct ndpi_detection_module_struct *ndpi_
 addr = *(struct in6_addr *)&flow->s_address.v6;
 ret = ndpi_network_port_ptree6_match(ndpi_str, &addr, flow->s_port);
- if(ret == NDPI_PROTOCOL_UNKNOWN) {
+ if(ret == NDPI_PROTOCOL_UNKNOWN && use_client) {
 addr = *(struct in6_addr *)&flow->c_address.v6;
 ret = ndpi_network_port_ptree6_match(ndpi_str, &addr, flow->c_port);
 }
@@ -11510,6 +11513,8 @@ static const struct cfg_param {
 { NULL, "packets_limit_per_flow", "32", "0", "255", CFG_PARAM_INT, __OFF(max_packets_to_process), NULL },
 { NULL, "flow.direction_detection", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(direction_detect_enabled), NULL },
 { NULL, "flow.track_payload", "disable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(track_payload_enabled), NULL },
+ { NULL, "flow.use_client_ip_in_guess", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(use_client_ip_in_guess), NULL},
+ { NULL, "flow.use_client_port_in_guess", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(use_client_port_in_guess), NULL},
 { NULL, "tcp_ack_payload_heuristic", "disable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tcp_ack_paylod_heuristic), NULL },
 { NULL, "fully_encrypted_heuristic", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(fully_encrypted_heuristic), NULL },
 { NULL, "libgcrypt.init", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(libgcrypt_init), NULL }, |
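Review bot: Nothing in the two new cfg_param entries tells an operator that `flow.use_client_port_in_guess` only takes effect while `flow.direction_detection` is enabled, whereas `flow.use_client_ip_in_guess` is read unconditionally. A comment above them such as `/* use_client_port_in_guess is honoured only with flow.direction_detection enabled */`, mirrored in the user-facing parameter documentation (outside this src-limited diff), would avoid a setting that silently does nothing. Both default to "enable", so existing classification is unchanged and the client-chosen port or address still feeds the guess until an operator turns them off. The new rows also close with `NULL}` where the neighbouring rows use `NULL },`.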