author | Luca Deri <deri@ntop.org> | 2020-05-30 19:33:13 +0200 |
committer | Luca Deri <deri@ntop.org> | 2020-05-30 19:33:13 +0200 |
commit | b6eef17e54999586b6aef8f545c87de4d3ec0ab3 (patch) | |
tree | 4f652ed73067a74a0e2f28aacb20cc36b900d140 /src | |
parent | 374a24a1fb373617be23d7cbb397b47d23a5ffda (diff) |
Added a check to avoid producing alerts for a known protocol on an unknown port when using TLS
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/ndpi_main.c | 33 |
1 files changed, 30 insertions, 3 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index a062cdc8c..65600b74f 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -4356,9 +4356,34 @@ static void ndpi_reset_packet_line_info(struct ndpi_packet_struct *packet) {
 /* ********************************************************************************* */
+static int ndpi_check_protocol_port_mismatch_exceptions(struct ndpi_detection_module_struct *ndpi_str,
+ struct ndpi_flow_struct *flow,
+ ndpi_default_ports_tree_node_t *expected_proto,
+ ndpi_protocol *returned_proto) {
+ /*
+ For TLS (and other protocols) it is not simple to guess the exact protocol so before
+ triggering an alert we need to make sure what we have exhausted all the possible
+ options available
+ */
+
+ if(returned_proto->master_protocol == NDPI_PROTOCOL_TLS) {
+ switch(expected_proto->proto->protoId) {
+ case NDPI_PROTOCOL_MAIL_IMAPS:
+ case NDPI_PROTOCOL_MAIL_POPS:
+ case NDPI_PROTOCOL_MAIL_SMTPS:
+ return(1); /* This is a reasonable exception */
+ break;
+ }
+ }
+
+ return(0);
+}
+
+/* ********************************************************************************* */
+
 static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_str,
- struct ndpi_flow_struct *flow,
- ndpi_protocol *ret) {
+ struct ndpi_flow_struct *flow,
+ ndpi_protocol *ret) {
 /* Skype for a host doing MS Teams means MS Teams (MS Teams uses Skype as transport protocol for voice/video)
@@ -4661,7 +4686,9 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
 && (found->proto->protoId != NDPI_PROTOCOL_UNKNOWN)
 && (found->proto->protoId != ret.master_protocol)) {
 // printf("******** %u / %u\n", found->proto->protoId, ret.master_protocol);
- NDPI_SET_BIT(flow->risk, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT);
+
+ if(!ndpi_check_protocol_port_mismatch_exceptions(ndpi_str, flow, found, &ret))
+ NDPI_SET_BIT(flow->risk, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT);
 } else if(default_ports && (default_ports[0] != 0)) {
 u_int8_t found = 0, i;
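Review bot: The call added before NDPI_SET_BIT passes `ndpi_str` and `flow` to ndpi_check_protocol_port_mismatch_exceptions, but the helper body in the first hunk reads only `returned_proto->master_protocol` and `expected_proto->proto->protoId`, so both extra arguments are dead; either drop them from the signature and this call, or mark them `(void)ndpi_str; (void)flow;` in the helper with a comment saying they are reserved for further exceptions. The single-statement `if` body should be braced to match the surrounding `} else if(...) {` style, i.e. `if(!ndpi_check_protocol_port_mismatch_exceptions(ndpi_str, flow, found, &ret)) {` / `NDPI_SET_BIT(flow->risk, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT);` / `}`. A one-line comment above the call would help a reader of the risk logic, e.g. `/* TLS on the IMAPS/POPS/SMTPS default ports is not a mismatch: the port table names the mail protocol while detection reports TLS as master */`. In the helper itself, the `break;` after `return(1);` is unreachable and the `switch` has no `default:`, which is worth tidying since the helper's own comment speaks of "other protocols" that the code does not yet handle. The enclosing function ndpi_detection_process_packet starts and ends outside this hunk.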