author | Luca Deri <deri@ntop.org> | 2023-01-25 22:18:50 +0100 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2023-01-25 22:18:50 +0100 |
commit | eea99564308fffca675918506a6e12f7a4f71a6f (patch) | |
tree | e299e04fd5adbfc16f525e7df02e0422c0eb86e5 /src | |
parent | b2a8b48386cfdb166568d3cb9943ddd1aad88d49 (diff) |
Improved connection refused detection
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/ndpi_main.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 4160a6e0e..2f53d9e48 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -6069,9 +6069,14 @@ static void ndpi_check_tcp_flags(struct ndpi_detection_module_struct *ndpi_str,
 if((flow->l4.tcp.cli2srv_tcp_flags & TH_SYN)
 && (flow->l4.tcp.srv2cli_tcp_flags & TH_RST)
- && (flow->all_packets_counter < 5 /* Ignore connections terminated by RST but that exchanged data */)
+ && (flow->all_packets_counter < 5 /* Ignore connections terminated by RST but that exchanged data (3WH + RST) */)
 )
- ndpi_set_risk(ndpi_str, flow, NDPI_TCP_ISSUES, "Connection refused");
+ ndpi_set_risk(ndpi_str, flow, NDPI_TCP_ISSUES, "Connection refused (server)");
+ else if((flow->l4.tcp.cli2srv_tcp_flags & TH_SYN)
+ && (flow->l4.tcp.cli2srv_tcp_flags & TH_RST)
+ && (flow->all_packets_counter < 5 /* Ignore connections terminated by RST but that exchanged data (3WH + RST) */)
+ )
+ ndpi_set_risk(ndpi_str, flow, NDPI_TCP_ISSUES, "Connection refused (client)");
 else if((flow->l4.tcp.srv2cli_tcp_flags & TH_RST) && (flow->packet_direction_counter[1 /* server -> client */] == 1))
 ndpi_set_risk(ndpi_str, flow, NDPI_TCP_ISSUES, "TCP probing attempt");
 } |
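Review bot: The new `else if` reports a client that sent SYN and then RST within fewer than 5 packets as "Connection refused (client)", but a client cannot refuse a connection it opened itself. This is a client-side abort, and when the server had already answered with SYN/ACK it is also the pattern a half-open port scan leaves, so anyone triaging on the risk string would read it as a benign refusal. I would reword the message, e.g. `"Connection aborted (client RST)"`, and add a comment such as `/* SYN then RST from the client: abort after SYN, also seen with half-open scans */`. The `TH_SYN` and `all_packets_counter < 5` tests and their comment are now duplicated in both branches and could be hoisted into one outer `if`. The body of ndpi_check_tcp_flags starts outside the hunk, so how the per-direction flag fields are accumulated, and whether packet order can be told apart, is not visible here.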