authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2024-09-03 12:35:45 +0200
committerGitHub <noreply@github.com>2024-09-03 12:35:45 +0200
commit338eedd05b034991f1960898ca7680e65d7901f6 (patch)
tree3f09e5d966c97382803c707abcf94f221e05aa24 /src
parent2d040247a77c96a8411477e8ad38c0e07a5e1b54 (diff)
HTTP, QUIC, TLS: allow to disable sub-classification (#2533)
Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_private.h4
-rw-r--r--src/lib/ndpi_main.c4
-rw-r--r--src/lib/protocols/http.c5
-rw-r--r--src/lib/protocols/tls.c23
4 files changed, 29 insertions, 7 deletions
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
index 4001e9bbc..3688061ca 100644
--- a/src/include/ndpi_private.h
+++ b/src/include/ndpi_private.h
@@ -236,6 +236,9 @@ struct ndpi_detection_module_config_struct {
int tls_ja3c_fingerprint_enabled;
int tls_ja3s_fingerprint_enabled;
int tls_ja4c_fingerprint_enabled;
+ int tls_subclassification_enabled;
+
+ int quic_subclassification_enabled;
int smtp_opportunistic_tls_enabled;
@@ -257,6 +260,7 @@ struct ndpi_detection_module_config_struct {
int dns_parse_response_enabled;
int http_parse_response_enabled;
+ int http_subclassification_enabled;
int ookla_aggressiveness;
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 18e941fab..d74afa61a 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -11386,6 +11386,9 @@ static const struct cfg_param {
{ "tls", "metadata.ja3c_fingerprint", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_ja3c_fingerprint_enabled), NULL },
{ "tls", "metadata.ja3s_fingerprint", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_ja3s_fingerprint_enabled), NULL },
{ "tls", "metadata.ja4c_fingerprint", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_ja4c_fingerprint_enabled), NULL },
+ { "tls", "subclassification", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_subclassification_enabled), NULL },
+
+ { "quic", "subclassification", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(quic_subclassification_enabled), NULL },
{ "smtp", "tls_dissection", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(smtp_opportunistic_tls_enabled), NULL },
@@ -11407,6 +11410,7 @@ static const struct cfg_param {
{ "dns", "process_response", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(dns_parse_response_enabled), NULL },
{ "http", "process_response", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(http_parse_response_enabled), NULL },
+ { "http", "subclassification", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(http_subclassification_enabled), NULL },
{ "ookla", "dpi.aggressiveness", "0x01", "0", "1", CFG_PARAM_INT, __OFF(ookla_aggressiveness), NULL },
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index bf365c46f..bf26467da 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -466,6 +466,11 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp
u_int16_t master_protocol;
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
+ if(!ndpi_struct->cfg.http_subclassification_enabled) {
+ NDPI_LOG_DBG2(ndpi_struct, "Skip sub-protocol check because subclassification is disabled\n");
+ return;
+ }
+
master_protocol = NDPI_PROTOCOL_HTTP;
if(flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN)
master_protocol = flow->detected_protocol_stack[1];
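Review bot: The early return at the top of ndpi_http_parse_subprotocol skips the whole function when `http_subclassification_enabled` is off, not only the hostname match, and the rest of the body lies outside this hunk. If any later step there adjusts risks or flow metadata rather than the protocol stack, it stops running too, so the flag would change more than classification. I would either move the guard down to the specific match calls, as tls.c does, or state the scope in a comment above the check, e.g. `/* Disables everything below, including any risk/metadata update done while sub-classifying */`.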
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 88f92d0d5..0bdcf216b 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -337,7 +337,8 @@ static void checkTLSSubprotocol(struct ndpi_detection_module_struct *ndpi_struct
int is_from_client) {
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
- if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) {
+ if(ndpi_struct->cfg.tls_subclassification_enabled &&
+ flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) {
/* Subprotocol not yet set */
if(ndpi_struct->tls_cert_cache) {
@@ -689,11 +690,13 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct
}
}
- if(!flow->protos.tls_quic.subprotocol_detected)
+ if(ndpi_struct->cfg.tls_subclassification_enabled &&
+ !flow->protos.tls_quic.subprotocol_detected) {
if(ndpi_match_hostname_protocol(ndpi_struct, flow, __get_master(ndpi_struct, flow), dNSName, dNSName_len)) {
flow->protos.tls_quic.subprotocol_detected = 1;
ndpi_unset_risk(flow, NDPI_NUMERIC_IP_HOST);
}
+ }
i += len;
} else {
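Review bot: With `tls_subclassification_enabled` off, the `ndpi_unset_risk(flow, NDPI_NUMERIC_IP_HOST)` call inside this block no longer runs, so a certificate dNSName match that used to clear that risk now leaves it set. Risk output therefore depends on a classification knob, which can surprise anyone who alerts on that risk and disables sub-classification for other reasons. The SNI hunk in processClientServerHello has the same shape: the short-circuit means `ndpi_match_hostname_protocol` is not called at all, so any side effect it has beyond setting the sub-protocol (not visible here) is lost as well. Either keep the risk handling outside the gate or record the coupling next to the check, e.g. `/* NOTE: with subclassification disabled NDPI_NUMERIC_IP_HOST is not cleared here */`, and in the parameter's documentation.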
@@ -726,7 +729,8 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct
if(rdn_len && (flow->protos.tls_quic.subjectDN == NULL)) {
flow->protos.tls_quic.subjectDN = ndpi_strdup(rdnSeqBuf);
- if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) {
+ if(ndpi_struct->cfg.tls_subclassification_enabled &&
+ flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) {
/* No idea what is happening behind the scenes: let's check the certificate */
u_int32_t val;
int rc = ndpi_match_string_value(ndpi_struct->tls_cert_subject_automa.ac_automa,
@@ -2325,10 +2329,12 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
}
if(!is_quic) {
- if(ndpi_match_hostname_protocol(ndpi_struct, flow, __get_master(ndpi_struct, flow), sni, sni_len))
+ if(ndpi_struct->cfg.tls_subclassification_enabled &&
+ ndpi_match_hostname_protocol(ndpi_struct, flow, __get_master(ndpi_struct, flow), sni, sni_len))
flow->protos.tls_quic.subprotocol_detected = 1;
} else {
- if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUIC, sni, sni_len))
+ if(ndpi_struct->cfg.quic_subclassification_enabled &&
+ ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUIC, sni, sni_len))
flow->protos.tls_quic.subprotocol_detected = 1;
}
@@ -2614,8 +2620,11 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
/* Without SNI matching we can try to sub-classify the flow via ALPN.
Note that this happens only on very rare cases, not the common ones
("h2", "http/1.1", ...). Usefull for asymmetric traffic */
- if(!flow->protos.tls_quic.subprotocol_detected)
- tls_subclassify_by_alpn(ndpi_struct, flow);
+ if(!flow->protos.tls_quic.subprotocol_detected) {
+ if((is_quic && ndpi_struct->cfg.quic_subclassification_enabled) ||
+ (!is_quic && ndpi_struct->cfg.tls_subclassification_enabled))
+ tls_subclassify_by_alpn(ndpi_struct, flow);
+ }
}
}
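Review bot: The choice between the QUIC and the TLS flag is now written out twice in processClientServerHello, once in the SNI branch of the earlier hunk and again here as a two-armed `||` expression, so a future transport or flag has to be added in both places. A single local computed once would keep them in step: `int subclass_enabled = is_quic ? ndpi_struct->cfg.quic_subclassification_enabled : ndpi_struct->cfg.tls_subclassification_enabled;`, followed here by `if(subclass_enabled && !flow->protos.tls_quic.subprotocol_detected) tls_subclassify_by_alpn(ndpi_struct, flow);`. The function starts outside this hunk, so where to declare the local has to be checked against the full body.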