author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2023-04-06 09:32:57 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-04-06 09:32:57 +0200 |
commit | 5c28dbbae24718aecd8ca36363059db81199b31b (patch) | |
tree | 50b6ff636b74e6612a4c5e08ff162ea6ba89a0c6 /src | |
parent | 25c111191189f64c4077f9d0609b0fdbdc12c4ad (diff) |
H323: fix false positives (#1916)
Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_typedefs.h | 6 | ||||
-rw-r--r-- | src/lib/protocols/cassandra.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/h323.c | 13 |
3 files changed, 12 insertions, 9 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 6fa9d5581..d3ccd208c 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -728,9 +728,6 @@ struct ndpi_flow_tcp_struct {
 /* NDPI_PROTOCOL_IRC */
 u_int8_t irc_stage;
- /* NDPI_PROTOCOL_H323 */
- u_int8_t h323_valid_packets;
-
 /* NDPI_PROTOCOL_GNUTELLA */
 u_int8_t gnutella_msg_id[3];
@@ -1576,6 +1573,9 @@ struct ndpi_flow_struct {
 u_int16_t all_packets_counter;
 u_int16_t packet_direction_complete_counter[2]; // can be 0 - 65000
+ /* NDPI_PROTOCOL_H323 */
+ u_int8_t h323_valid_packets;
+
 /* NDPI_PROTOCOL_BITTORRENT */
 u_int8_t bittorrent_stage; // can be 0 - 255
 u_int8_t bt_check_performed : 1;
diff --git a/src/lib/protocols/cassandra.c b/src/lib/protocols/cassandra.c
index 25180ac31..56c536bb1 100644
--- a/src/lib/protocols/cassandra.c
+++ b/src/lib/protocols/cassandra.c
@@ -119,7 +119,7 @@ static void ndpi_search_cassandra(struct ndpi_detection_module_struct *ndpi_stru
 ndpi_check_valid_cassandra_opcode(get_u_int8_t(packet->payload, 4)) &&
 ntohl(get_u_int32_t(packet->payload, 5)) <= CASSANDRA_MAX_BODY_SIZE &&
 ntohl(get_u_int32_t(packet->payload, 5)) >= (uint32_t) (packet->payload_packet_len - CASSANDRA_HEADER_LEN) &&
- flow->l4.tcp.h323_valid_packets == 0 /* To avoid clashing with H323 */ &&
+ flow->h323_valid_packets == 0 /* To avoid clashing with H323 */ &&
 flow->socks4_stage == 0 /* To avoid clashing with SOCKS */) {
 if (flow->packet_counter > 3) {
diff --git a/src/lib/protocols/h323.c b/src/lib/protocols/h323.c
index bb088b239..d0e4e8a20 100644
--- a/src/lib/protocols/h323.c
+++ b/src/lib/protocols/h323.c
@@ -68,9 +68,9 @@ static void ndpi_search_h323(struct ndpi_detection_module_struct *ndpi_struct, s
 }
 }
- flow->l4.tcp.h323_valid_packets++;
+ flow->h323_valid_packets++;
- if(flow->l4.tcp.h323_valid_packets >= 2) {
+ if(flow->h323_valid_packets >= 2) {
 NDPI_LOG_INFO(ndpi_struct, "found H323 broadcast\n");
 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
 }
@@ -103,9 +103,12 @@ static void ndpi_search_h323(struct ndpi_detection_module_struct *ndpi_struct, s
 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
 return;
 } else if(packet->payload_packet_len >= 20 && packet->payload_packet_len <= 117) {
- NDPI_LOG_INFO(ndpi_struct, "found H323 broadcast\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
- return;
+ /* This check is quite generic: let's check another packet...*/
+ flow->h323_valid_packets++;
+ if(flow->h323_valid_packets >= 2) {
+ NDPI_LOG_INFO(ndpi_struct, "found H323 broadcast\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ }
 } else {
 NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 return; |
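Review bot: The `else if(packet->payload_packet_len >= 20 && packet->payload_packet_len <= 117)` branch still decides on payload length alone, so after this change any flow that reaches this dissector with two payloads in that range is tagged H323 at NDPI_CONFIDENCE_DPI without a single payload byte being inspected; the second packet narrows the window but the verdict is still a guess, and the added comment should say so, e.g. `/* Length-only heuristic, no payload bytes are checked: require two in-range packets before committing; false positives remain possible */`. If a check on actual payload bytes is feasible it belongs in this branch rather than a second length test, and if a lower confidence level than DPI is available for heuristic matches it should be used here. Note also that the counter is now shared with cassandra.c, which refuses to classify while `flow->h323_valid_packets` is non-zero: a flow whose first packet lands in this branch (incremented to 1, neither detected nor excluded) would be blocked from the Cassandra dissector if both dissectors can run on the same flow, which depends on the transport if/else that begins above the hunk. The enclosing function starts and ends outside the hunk.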