authorNardi Ivan <nardi.ivan@gmail.com>2024-02-23 22:30:54 +0100
committerIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2024-02-26 09:26:21 +0100
commited5ba179f6461fff2a586e3f1a95e5e392c5b540 (patch)
tree7993934773c14eba187d0e185e25114c5e620e94 /src
parentc95e8c184e7e28915bf37aa623e4886fd720aba0 (diff)
Telegram: improve identification
Follow up of 31c706c3dbbf0afc4c8e0a6d0bb6f20796296549 and 75485e177ccc4fafcc62dd46c6917d5b735cf7d2. Allow fast classification by IP, but give other dissectors time to kick in (for example, the TLS code for the Telegram Web flows). Even if we no longer classify it at the very first packet (i.e. SYN), we fully classify Telegram traffic at the first packet with payload, as with *any* other protocol. This way, we always have the proper category, the proper confidence for the UDP flows, and we don't overwrite previous classifications (TLS or ICMP). Remove old and stale identification logic for TCP flows.
Diffstat (limited to 'src')
-rw-r--r--src/lib/ndpi_content_match.c.inc2
-rw-r--r--src/lib/ndpi_main.c8
-rw-r--r--src/lib/protocols/telegram.c28
3 files changed, 15 insertions, 23 deletions
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 064b50311..69e542884 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -995,6 +995,8 @@ static ndpi_protocol_match host_match[] =
{ "web.telegram.org", "Telegram", NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "tdesktop.com", "Telegram", NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "tupdate.com", "Telegram", NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "t.me", "Telegram", NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "telegram.me", "Telegram", NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ ".pastebin.com", "Pastebin", NDPI_PROTOCOL_PASTEBIN, NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "pastebin.com", "Pastebin", NDPI_PROTOCOL_PASTEBIN, NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, NDPI_PROTOCOL_DEFAULT_LEVEL },
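Review bot: `t.me` is a very short suffix compared with every other entry in host_match, and the added line carries nothing that says how it is expected to match. If the host automa matches only on a label boundary (the coexistence of `.pastebin.com` and `pastebin.com` entries suggests the matcher does distinguish boundaries), the entry is fine; if it were plain substring matching, an unrelated host such as a hypothetical `chat.me` would be tagged Telegram, which is worth confirming against the matcher before relying on it. A short comment beside the entry, `/* official short-link domain; relies on label-boundary host matching */`, would record that assumption for the next reader. The same applies to `telegram.me` to a lesser degree.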
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index b16f26016..ba7157031 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -8454,14 +8454,6 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio
/* Zoom cache */
if((ret.app_protocol == NDPI_PROTOCOL_ZOOM) && (flow->l4_proto == IPPROTO_TCP))
ndpi_add_connection_as_zoom(ndpi_str, flow);
-
- /*
- Telegram
- With MTProto 2.0 telegram is no longr TLS-based (altoug based on TCP/443) so
- we need to detect it with Telegram IPs
- */
- if(ret.protocol_by_ip == NDPI_PROTOCOL_TELEGRAM)
- ret.app_protocol = NDPI_PROTOCOL_TELEGRAM, flow->confidence = NDPI_CONFIDENCE_MATCH_BY_IP;
if(ndpi_str->cfg.fully_encrypted_heuristic &&
ret.app_protocol == NDPI_PROTOCOL_UNKNOWN && /* Only for unknown traffic */
diff --git a/src/lib/protocols/telegram.c b/src/lib/protocols/telegram.c
index 8c9d18866..23f7cca51 100644
--- a/src/lib/protocols/telegram.c
+++ b/src/lib/protocols/telegram.c
@@ -31,8 +31,9 @@
#include "ndpi_private.h"
static void ndpi_int_telegram_add_connection(struct ndpi_detection_module_struct
- *ndpi_struct, struct ndpi_flow_struct *flow) {
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ *ndpi_struct, struct ndpi_flow_struct *flow,
+ ndpi_confidence_t confidence) {
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_UNKNOWN, confidence);
NDPI_LOG_INFO(ndpi_struct, "found telegram\n");
}
@@ -51,18 +52,15 @@ static void ndpi_search_telegram(struct ndpi_detection_module_struct *ndpi_struc
NDPI_LOG_DBG(ndpi_struct, "search telegram\n");
if(packet->tcp != NULL) {
- if(packet->payload_packet_len > 56) {
- u_int16_t dport = ntohs(packet->tcp->dest);
- /* u_int16_t sport = ntohs(packet->tcp->source); */
-
- if(packet->payload[0] == 0xef && (dport == 443 || dport == 80 || dport == 25)) {
- if(packet->payload[1] == 0x7f) {
- ndpi_int_telegram_add_connection(ndpi_struct, flow);
- } else if(packet->payload[1]*4 <= packet->payload_packet_len - 1) {
- ndpi_int_telegram_add_connection(ndpi_struct, flow);
- }
- return;
- }
+ /* With MTProto 2.0 telegram via app is no longer TLS-based (althought based on TCP/443) so
+ we need to detect it with Telegram IPs.
+ Basically, we want a fast classification by ip. Note that, real Telegram traffic over
+ TLS (i.e. Telegram Web) is correctly classified as TLS/Telegram because TLS dissector
+ already kicked in.
+ Let's check every port for the time being */
+ if(flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_TELEGRAM) {
+ ndpi_int_telegram_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_MATCH_BY_IP);
+ return;
}
} else if(packet->udp != NULL) {
/*
@@ -94,7 +92,7 @@ static void ndpi_search_telegram(struct ndpi_detection_module_struct *ndpi_struc
}
if(found == 12) {
- ndpi_int_telegram_add_connection(ndpi_struct, flow);
+ ndpi_int_telegram_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI);
return;
}
}
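Review bot: The new comment in the TCP branch (second hunk) misspells "althought" and reads like a changelog rather than describing the check below it; I would replace it with `/* MTProto 2.0 app traffic is not TLS (even on TCP/443), so TCP flows are matched purely by Telegram IP ranges, on any port. Real TLS flows (Telegram Web) were already classified by the TLS dissector before this runs. */`. The same file's first hunk adds a `confidence` parameter to `ndpi_int_telegram_add_connection` without a comment noting that the TCP path passes `NDPI_CONFIDENCE_MATCH_BY_IP` while the UDP path passes `NDPI_CONFIDENCE_DPI`; one line on the helper, `/* confidence: MATCH_BY_IP for the TCP/IP-range path, DPI for the UDP payload path */`, would make that split visible. When `guessed_protocol_id_by_ip` is not Telegram the TCP branch now falls through silently, and whether the flow ends up excluding this protocol depends on code after the hunk, since `ndpi_search_telegram` continues outside it.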