authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2024-09-17 18:03:46 +0200
committerGitHub <noreply@github.com>2024-09-17 18:03:46 +0200
commit85485ea28c25492b4b847074a198e608e4a29b5d (patch)
tree0ab6bb342a340c317c2dc0612fc6f58c1c830d3c /src
parent9d07cf28114eaa6232e93248b2346710ae635bf3 (diff)
OpenVPN: heuristic: add a simple check to avoid false positives (#2560)
We should not see such big packets during the initial handshake
Diffstat (limited to 'src')
-rw-r--r--src/lib/protocols/openvpn.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/lib/protocols/openvpn.c b/src/lib/protocols/openvpn.c
index 1c63f5ecd..bf34bf3a9 100644
--- a/src/lib/protocols/openvpn.c
+++ b/src/lib/protocols/openvpn.c
@@ -417,6 +417,10 @@ static int search_heur_opcode(struct ndpi_detection_module_struct* ndpi_struct,
iter, offset, pdu_len);
if(pdu_len < 14)
return 1; /* Exclude */
+ if(pdu_len > 4 * 1500) { /* 4 full size packets: simple threshold to avoid false positives */
+ NDPI_LOG_DBG2(ndpi_struct, "Heur-opcode: pdu_len %d too big. Exclude\n", pdu_len);
+ return 1; /* Exclude */
+ }
rc = search_heur_opcode_common(ndpi_struct, flow, *(ovpn_payload + offset + 2));
NDPI_LOG_DBG2(ndpi_struct, "Heur-opcode: TCP, rc %d\n", rc);
if(rc > 0) /* Exclude || Found --> stop */
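Review bot: The new upper bound on the added line is a bare magic number, `4 * 1500`, and the comment explains it only as a "simple threshold", so the next reader cannot tell whether the value is an OpenVPN protocol limit or a tuning knob; name it next to the existing `14` lower bound so the two form one visible sanity range, e.g. `#define OPENVPN_HEUR_MAX_PDU_LEN (4 * 1500) /* ~4 full-size frames; handshake PDUs should never get this large */` and `if(pdu_len > OPENVPN_HEUR_MAX_PDU_LEN) {`. It is also worth stating in that comment that the check is on the length field the PDU declares, not on bytes actually captured, so it filters obviously bogus length values rather than guaranteeing anything about the payload that follows. The log line prints pdu_len with `%d`; if pdu_len is an unsigned type in this function (its declaration is outside the hunk), the format should be `%u` to match. The enclosing search_heur_opcode starts before the hunk, so the loop that advances `offset` across PDUs is not visible here.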