authorLuca <deri@ntop.org>2023-05-10 16:28:34 +0200
committerLuca <deri@ntop.org>2023-05-10 16:28:34 +0200
commit98f029a091c01f36f5c3d004b58e1b8942edfee6 (patch)
tree2f1c594e73af66da21f3c134bcc5425927c30690 /src
parent7d5e4d0f7e82fbcffeef0dc9b695d3f7f701d5aa (diff)
Enhanced MS teams STUN/Azure detection
Diffstat (limited to 'src')
-rw-r--r--src/lib/ndpi_content_match.c.inc6
-rw-r--r--src/lib/ndpi_main.c29
2 files changed, 32 insertions, 3 deletions
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 44a86a5dd..01ef91998 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -660,10 +660,11 @@ static ndpi_protocol_match host_match[] =
{ "e4593.dspg.akamaiedge.net", "Skype_Teams", NDPI_PROTOCOL_SKYPE_TEAMS, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "e4593.g.akamaiedge.net", "Skype_Teams", NDPI_PROTOCOL_SKYPE_TEAMS, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "*.gateway.messenger.live.com", "Skype_Teams", NDPI_PROTOCOL_SKYPE_TEAMS, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
- { "teams.live.com", "Skype_Teams", NDPI_PROTOCOL_SKYPE_TEAMS, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "skype-calling-missedcallsregistrar-", "Skype_Teams", NDPI_PROTOCOL_SKYPE_TEAMS, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "teams.cloudapp.net", "Skype_Teams", NDPI_PROTOCOL_SKYPE_TEAMS, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+
+
{ ".tuenti.com", "Tuenti", NDPI_PROTOCOL_TUENTI, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ ".twttr.com", "Twitter", NDPI_PROTOCOL_TWITTER, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
@@ -918,7 +919,8 @@ static ndpi_protocol_match host_match[] =
{ ".onenote.", "Microsoft365", NDPI_PROTOCOL_MICROSOFT_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ ".cloud.microsoft", "Microsoft365", NDPI_PROTOCOL_MICROSOFT_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "whiteboard.microsoft.com", "Microsoft365", NDPI_PROTOCOL_MICROSOFT_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
-
+ { "events.data.microsoft.com", "Microsoft365", NDPI_PROTOCOL_MICROSOFT_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+
{ "cloudflare.com", "Cloudflare", NDPI_PROTOCOL_CLOUDFLARE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "d295hzzivaok4k.cloudfront.net","OpenDNS", NDPI_PROTOCOL_OPENDNS, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
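Review bot: The new `events.data.microsoft.com` entry carries no comment explaining why it is labelled Microsoft365. As far as I know this hostname is a general Microsoft telemetry collection endpoint used by several Microsoft clients, not something specific to Microsoft 365. Policies or reports keyed on the Microsoft365 / COLLABORATIVE label may therefore also count unrelated telemetry traffic. If the label is intentional, a short comment above the entry would record that, e.g. `/* Microsoft telemetry endpoint; not exclusive to Microsoft 365 */` (wording to be adjusted to what was actually observed in the traces).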
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 4f481a747..576abee7c 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -5974,6 +5974,24 @@ static u_int32_t make_msteams_key(struct ndpi_flow_struct *flow) {
/* ********************************************************************************* */
+static void ndpi_reconcile_msteams(struct ndpi_detection_module_struct *ndpi_str,
+ struct ndpi_flow_struct *flow) {
+ if((flow->l4_proto == IPPROTO_UDP) && (ndpi_str->packet.udp != NULL)) {
+ u_int16_t sport = ntohs(ndpi_str->packet.udp->source);
+ u_int16_t dport = ntohs(ndpi_str->packet.udp->dest);
+
+ if(
+ ((sport >= 3478) && (sport <= 3481))
+ || ((dport >= 3478) && (dport <= 3481))) {
+ ndpi_int_change_protocol(ndpi_str, flow,
+ NDPI_PROTOCOL_SKYPE_TEAMS, flow->detected_protocol_stack[1],
+ NDPI_CONFIDENCE_DPI_PARTIAL);
+ }
+ }
+}
+
+/* ********************************************************************************* */
+
static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_str,
struct ndpi_flow_struct *flow,
ndpi_protocol *ret) {
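Review bot: The port test in ndpi_reconcile_msteams relabels any UDP flow with `sport` or `dport` in 3478-3481 as NDPI_PROTOCOL_SKYPE_TEAMS, and 3478 is the standard STUN/TURN port, so when the caller's only other evidence is an Azure address, other STUN/TURN services hosted in Azure would be reported as Teams. The result is stored with NDPI_CONFIDENCE_DPI_PARTIAL although the decision in this function rests on port numbers alone, which matters to consumers that trust DPI-level confidence more than a guess. I would name the range and document the heuristic, e.g. `#define MSTEAMS_STUN_PORT_MIN 3478` and `#define MSTEAMS_STUN_PORT_MAX 3481`, plus a comment above the function such as `/* Heuristic: UDP on ports 3478-3481 to/from an Azure address is treated as Teams; may mislabel other STUN/TURN services hosted in Azure */`. Matching on `sport` as well as `dport` also lets a client's ephemeral source port trigger the relabel; if these ports are only expected on the relay side, the test could be tightened.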
@@ -5993,12 +6011,16 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s
// printf("====>> %u.%u [%u]\n", ret->master_protocol, ret->app_protocol, flow->detected_protocol_stack[0]);
switch(ret->app_protocol) {
+ case NDPI_PROTOCOL_MICROSOFT_AZURE:
+ ndpi_reconcile_msteams(ndpi_str, flow);
+ break;
+
/*
Skype for a host doing MS Teams means MS Teams
(MS Teams uses Skype as transport protocol for voice/video)
*/
case NDPI_PROTOCOL_MSTEAMS:
- if(flow->l4_proto == IPPROTO_TCP) {
+ if(flow && (flow->l4_proto == IPPROTO_TCP)) {
// printf("====>> NDPI_PROTOCOL_MSTEAMS\n");
if(ndpi_str->msteams_cache)
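Review bot: The new NDPI_PROTOCOL_MICROSOFT_AZURE case calls `ndpi_reconcile_msteams(ndpi_str, flow)` with no `flow` check, while this same hunk adds `flow &&` to the MSTEAMS case directly below and the helper dereferences `flow->l4_proto` in its first statement. If `flow` can be NULL at this point, the Azure path is a NULL dereference; if it cannot, the added guards are dead code and imply a contract the function does not have. Making the helper defensive keeps every call site consistent: `if(flow == NULL) return;` as its first statement. ndpi_reconcile_protocols begins and continues outside this hunk, so whether `flow` is already dereferenced earlier in the function cannot be confirmed from here.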
@@ -6009,6 +6031,11 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s
}
break;
+ case NDPI_PROTOCOL_STUN:
+ if(flow && (flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_MICROSOFT_AZURE))
+ ndpi_reconcile_msteams(ndpi_str, flow);
+ break;
+
case NDPI_PROTOCOL_NETFLOW:
case NDPI_PROTOCOL_SFLOW:
case NDPI_PROTOCOL_RTP:
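Review bot: In the STUN case the helper rewrites the flow's protocol through ndpi_int_change_protocol but is never given `ret`, which is the value this switch dispatches on (`ret->app_protocol`). Unless the caller re-reads `flow->detected_protocol_stack` after ndpi_reconcile_protocols returns, the result handed back for this packet may still be STUN or Azure while the flow itself is recorded as Skype_Teams; the same would apply to the Azure case added earlier in this commit. This is worth confirming against the caller, and if needed the result can be refreshed after the call, e.g. `ret->app_protocol = flow->detected_protocol_stack[0];` with `master_protocol` handled the same way. The enclosing function extends beyond the hunk on both sides.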