author | Luca Deri <deri@ntop.org> | 2020-05-20 23:14:09 +0200 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2020-05-20 23:14:09 +0200 |
commit | 329eff069ee93ea6b2f032899dae0b33f551f3ae (patch) | |
tree | e7fb8cbb99c3552f02749437ebbd6b49021640c8 /src | |
parent | b7e666e465f138ae48ab81976726e67deed12701 (diff) |
Removed bittorrent false positive detection
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/protocols/bittorrent.c | 24 |
1 files changed, 8 insertions, 16 deletions
diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c
index f1c62d431..9f7620558 100644
--- a/src/lib/protocols/bittorrent.c
+++ b/src/lib/protocols/bittorrent.c
@@ -43,7 +43,7 @@ struct ndpi_utp_hdr {
 u_int16_t sequence_nr, ack_nr;
 };
 
-static u_int8_t is_utp_pkt(const u_int8_t *payload, u_int payload_len) {
+static u_int8_t is_utpv1_pkt(const u_int8_t *payload, u_int payload_len) {
 struct ndpi_utp_hdr *h = (struct ndpi_utp_hdr*)payload;
 
 if(payload_len < sizeof(struct ndpi_utp_hdr)) return(0);
@@ -52,6 +52,9 @@ static u_int8_t is_utp_pkt(const u_int8_t *payload, u_int payload_len) {
 if(h->next_extension > 2) return(0);
 if(ntohl(h->window_size) > 65565) return(0);
 
+ if((h->window_size == 0) && (payload_len != sizeof(struct ndpi_utp_hdr)))
+ return(0);
+
 return(1);
 }
 
@@ -433,14 +436,10 @@ void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, st
 u_int8_t v0_extension = packet->payload[17];
 u_int8_t v0_flags = packet->payload[18];
 
- /* Check if this is protocol v1 */
- u_int8_t v1_version = packet->payload[0];
- u_int8_t v1_extension = packet->payload[1];
- u_int32_t v1_window_size = *((u_int32_t*)&packet->payload[12]);
-
- if(is_utp_pkt(packet->payload, packet->payload_packet_len))
+ if(is_utpv1_pkt(packet->payload, packet->payload_packet_len)) {
+ bt_proto = ndpi_strnstr((const char *)&packet->payload[20], "BitTorrent protocol", packet->payload_packet_len-20);
 goto bittorrent_found;
- else if((packet->payload[0]== 0x60)
+ } else if((packet->payload[0]== 0x60)
 && (packet->payload[1]== 0x0)
 && (packet->payload[2]== 0x0)
 && (packet->payload[3]== 0x0)
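Review bot: The zero-window check added to `is_utpv1_pkt` has no comment explaining why a packet with `window_size == 0` must be exactly header-sized, and it looks stricter than the rest of the function implies. The line above still accepts `next_extension` up to 2, and a header followed by extension bytes is longer than `sizeof(struct ndpi_utp_hdr)`, so such packets would presumably stop matching. If that trade-off is intended to cut false positives, state it, e.g. `/* zero window: accept only a bare header, anything longer is treated as non-uTP */`, and brace the two-line `if`. The neighbouring bound `65565` may be meant as 65535 and is worth confirming while here; the function begins above this hunk.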
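Review bot: The `ndpi_strnstr` call added to the `is_utpv1_pkt` branch hard-codes offset 20 and length `packet->payload_packet_len-20`, while the only bound visible for this branch is `payload_len >= sizeof(struct ndpi_utp_hdr)` inside `is_utpv1_pkt`. The two agree only if the header struct is exactly 20 bytes, which the page does not show in full; if they ever diverge, the length can go negative and the search would run past the packet buffer on attacker-controlled input. Deriving both from the struct keeps the bound tied to the check: `bt_proto = ndpi_strnstr((const char *)&packet->payload[sizeof(struct ndpi_utp_hdr)], "BitTorrent protocol", packet->payload_packet_len - sizeof(struct ndpi_utp_hdr));`. Any outer length guard in `ndpi_search_bittorrent` lies outside the hunk.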
@@ -448,14 +447,7 @@ void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, st
 /* Heuristic */
 bt_proto = ndpi_strnstr((const char *)&packet->payload[20], "BitTorrent protocol", packet->payload_packet_len-20);
 goto bittorrent_found;
- /* CSGO/DOTA conflict */
- } else if(flow->packet_counter > 8 && ((v1_version & 0x0f) == 1)
- && ((v1_version >> 4) < 5 /* ST_NUM_STATES */)
- && (v1_extension < 3 /* EXT_NUM_EXT */)
- && (v1_window_size < 32768 /* 32k */)
- ) {
- bt_proto = ndpi_strnstr((const char *)&packet->payload[20], "BitTorrent protocol", packet->payload_packet_len-20);
- goto bittorrent_found;
+ /* CSGO/DOTA conflict */
 } else if((v0_flags < 6 /* ST_NUM_STATES */) && (v0_extension < 3 /* EXT_NUM_EXT */)) {
 u_int32_t ts = ntohl(*((u_int32_t*)&(packet->payload[4])));
 u_int32_t now; |
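Review bot: The re-added `/* CSGO/DOTA conflict */` comment is now ambiguous: in the removed code it sat directly before the v1 `flow->packet_counter > 8` branch, and with that branch gone it sits between `goto bittorrent_found;` and the v0 `v0_flags`/`v0_extension` check. A reader can no longer tell which heuristic collides with that traffic. Either drop it or say what it refers to, for example `/* v1 packet-count heuristic removed here: it conflicted with CSGO/DOTA traffic */`, if that is indeed the reason. The enclosing function starts and ends outside the hunk.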