author | Toni <matzeton@googlemail.com> | 2024-04-03 14:10:21 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-04-03 14:10:21 +0200 |
commit | 41eef9246c6a3055e3876e3dd7aeaadecb4b76c0 (patch) | |
tree | 275c7300abf2233e8d89896a3a888ada01fef4bb /src | |
parent | b5e8bc22147d37011621ae62b680742c8fa105dc (diff) |
Disable `-Wno-unused-parameter -Wno-unused-function`. (#2358)
* unused parameters and functions pollute the code and decrease readability
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'src')
54 files changed, 520 insertions, 537 deletions
diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h index 2fcc9f14f..38fac3add 100644 --- a/src/include/ndpi_api.h +++ b/src/include/ndpi_api.h @@ -359,49 +359,41 @@ extern "C" { * Get the main protocol of the passed flows for the detected module * * - * @par ndpi_struct = the detection module * @par flow = the flow given for the detection module * @return the ID of the master protocol detected * */ - u_int16_t ndpi_get_flow_masterprotocol(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow); + u_int16_t ndpi_get_flow_masterprotocol(struct ndpi_flow_struct *flow); /** * Get the app protocol of the passed flows for the detected module * * - * @par ndpi_struct = the detection module * @par flow = the flow given for the detection module * @return the ID of the app protocol detected * */ - u_int16_t ndpi_get_flow_appprotocol(struct ndpi_detection_module_struct *ndpi_str, - struct ndpi_flow_struct *flow); + u_int16_t ndpi_get_flow_appprotocol(struct ndpi_flow_struct *flow); /** * Get the category of the passed flows for the detected module * * - * @par ndpi_struct = the detection module * @par flow = the flow given for the detection module * @return the ID of the category * */ - ndpi_protocol_category_t ndpi_get_flow_category(struct ndpi_detection_module_struct *ndpi_str, - struct ndpi_flow_struct *flow); + ndpi_protocol_category_t ndpi_get_flow_category(struct ndpi_flow_struct *flow); /** * Get the ndpi protocol data of the passed flows for the detected module * * - * @par ndpi_struct = the detection module * @par flow = the flow given for the detection module * @par ndpi_proto = the output struct where to store the requested information * */ - void ndpi_get_flow_ndpi_proto(struct ndpi_detection_module_struct *ndpi_str, - struct ndpi_flow_struct *flow, + void ndpi_get_flow_ndpi_proto(struct ndpi_flow_struct *flow, struct ndpi_proto * ndpi_proto); /** 
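Review bot: Dropping the detection-module argument from the exported getters (`ndpi_get_flow_masterprotocol`, `ndpi_get_flow_appprotocol`, `ndpi_get_flow_category`, `ndpi_get_flow_ndpi_proto`) changes the library's public ABI, and nothing in the header marks it. A program compiled against the old prototypes and loaded with the new library would pass the module pointer in the slot now read as `flow`, so the mismatch shows up as memory corruption at run time, not as a link error. The later ndpi_api.h hunks have the same effect (`ndpi_protocol2id`, `ndpi_is_subprotocol_informative`, `ndpi_get_proto_breed_name`, the three HTTP getters, `ndpi_has_human_readeable_string`, `ndpi_is_protocol_detected`). Whether the library version or soname is bumped is not visible in this diff; if it is not, that belongs with this change, and each doc block could carry a line such as `* @note the detection-module argument was removed from this call`.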
@@ -551,15 +543,13 @@ extern "C" { * Same as ndpi_protocol2name() with the difference that the numeric protocol * name is returned * - * @par ndpi_mod = the detection module * @par proto = the struct ndpi_protocol contain the protocols name * @par buf = the buffer to write the name of the protocols * @par buf_len = the length of the buffer * @return the buffer contains the master_protocol and protocol name * */ - char* ndpi_protocol2id(struct ndpi_detection_module_struct *ndpi_mod, - ndpi_protocol proto, char *buf, u_int buf_len); + char* ndpi_protocol2id(ndpi_protocol proto, char *buf, u_int buf_len); /** * Find out if a given category is custom/user-defined @@ -596,13 +586,11 @@ extern "C" { * Check if subprotocols of the specified master protocol are just * informative (and not real) * - * @par mod = the detection module * @par protoId = the (master) protocol identifier to query * @return 1 = the subprotocol is informative, 0 otherwise. * */ - u_int8_t ndpi_is_subprotocol_informative(struct ndpi_detection_module_struct *ndpi_mod, - u_int16_t protoId); + u_int8_t ndpi_is_subprotocol_informative(u_int16_t protoId); /** * Set hostname-based protocol @@ -690,8 +678,7 @@ extern "C" { * @return the string name of the breed ID * */ - char* ndpi_get_proto_breed_name(struct ndpi_detection_module_struct *ndpi_struct, - ndpi_protocol_breed_t breed_id); + char* ndpi_get_proto_breed_name(ndpi_protocol_breed_t breed_id); /** * Return the ID of the protocol 
@@ -880,35 +867,29 @@ extern "C" { /** * Retrieve information for HTTP flows * - * @par ndpi_mod = the detection module * @par flow = the detected flow * @return the HTTP method information about the flow * */ - ndpi_http_method ndpi_get_http_method(struct ndpi_detection_module_struct *ndpi_mod, - struct ndpi_flow_struct *flow); + ndpi_http_method ndpi_get_http_method(struct ndpi_flow_struct *flow); /** * Get the HTTP url * - * @par ndpi_mod = the detection module * @par flow = the detected flow * @return the HTTP method information about the flow * */ - char* ndpi_get_http_url(struct ndpi_detection_module_struct *ndpi_mod, - struct ndpi_flow_struct *flow); + char* ndpi_get_http_url(struct ndpi_flow_struct *flow); /** * Get the HTTP content-type * - * @par ndpi_mod = the detection module * @par flow = the detected flow * @return the HTTP method information about the flow * */ - char* ndpi_get_http_content_type(struct ndpi_detection_module_struct *ndpi_mod, - struct ndpi_flow_struct *flow); + char* ndpi_get_http_content_type(struct ndpi_flow_struct *flow); /* NDPI_PROTOCOL_TOR */ /** 
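Review bot: The `@return` lines kept for `ndpi_get_http_url` and `ndpi_get_http_content_type` still read "the HTTP method information about the flow", copied from `ndpi_get_http_method`. Since these comment blocks are edited here anyway, they should become `@return the HTTP URL of the flow` and `@return the HTTP content-type of the flow`. The comments also do not say what a caller gets when the flow carries no HTTP data; whether that is NULL is not visible in this hunk, so it is worth stating for callers that print or copy the result.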
@@ -1102,15 +1083,14 @@ extern "C" { int ndpi_flowv6_flow_hash(u_int8_t l4_proto, struct ndpi_in6_addr *src_ip, struct ndpi_in6_addr *dst_ip, u_int16_t src_port, u_int16_t dst_port, u_int8_t icmp_type, u_int8_t icmp_code, u_char *hash_buf, u_int8_t hash_buf_len); - u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow); + u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndpi_str, + struct ndpi_flow_struct *flow); u_int8_t ndpi_is_safe_ssl_cipher(u_int32_t cipher); const char* ndpi_cipher2str(u_int32_t cipher, char unknown_cipher[8]); const char* ndpi_tunnel2str(ndpi_packet_tunnel tt); u_int16_t ndpi_guess_host_protocol_id(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); - int ndpi_has_human_readeable_string(struct ndpi_detection_module_struct *ndpi_struct, - char *buffer, u_int buffer_size, + int ndpi_has_human_readeable_string(char *buffer, u_int buffer_size, u_int8_t min_string_match_len, /* Will return 0 if no string > min_string_match_len have been found */ char *outbuf, u_int outbuf_len); /* Return a flow info string (summarized). Does only work for DNS/HTTP/TLS/QUIC. */ @@ -1788,8 +1768,7 @@ extern "C" { ndpi_risk_enum ndpi_validate_url(char *url); - u_int8_t ndpi_is_protocol_detected(struct ndpi_detection_module_struct *ndpi_str, - ndpi_protocol proto); + u_int8_t ndpi_is_protocol_detected(ndpi_protocol proto); void ndpi_serialize_risk(ndpi_serializer *serializer, ndpi_risk risk); void ndpi_serialize_risk_score(ndpi_serializer *serializer, ndpi_risk_enum risk); void ndpi_serialize_confidence(ndpi_serializer *serializer, ndpi_confidence_t confidence); diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h index d262a5108..7012fd8ec 100644 --- a/src/include/ndpi_main.h +++ b/src/include/ndpi_main.h 
@@ -106,13 +106,10 @@ extern "C" { ndpi_protocol_category_t protoCategory, ndpi_port_range *tcpDefPorts, ndpi_port_range *udpDefPorts); - void ndpi_set_risk(struct ndpi_detection_module_struct *ndpi_str, - struct ndpi_flow_struct *flow, ndpi_risk_enum r, + void ndpi_set_risk(struct ndpi_flow_struct *flow, ndpi_risk_enum r, char *risk_message); - void ndpi_unset_risk(struct ndpi_detection_module_struct *ndpi_str, - struct ndpi_flow_struct *flow, ndpi_risk_enum r); - int ndpi_isset_risk(struct ndpi_detection_module_struct *ndpi_str, - struct ndpi_flow_struct *flow, ndpi_risk_enum r); + void ndpi_unset_risk(struct ndpi_flow_struct *flow, ndpi_risk_enum r); + int ndpi_isset_risk(struct ndpi_flow_struct *flow, ndpi_risk_enum r); int ndpi_is_printable_buffer(u_int8_t const * const buf, size_t len); int ndpi_normalize_printable_string(char * const str, size_t len); int ndpi_is_valid_hostname(char * const str, size_t len); diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h index 38b2fbf25..b26803a3c 100644 --- a/src/include/ndpi_private.h +++ b/src/include/ndpi_private.h 
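Review bot: `ndpi_set_risk` keeps `char *risk_message` with no comment on whether the string is copied or the pointer is stored in the flow. Later in this commit `guess_protocol_id` passes a stack buffer (`char str[32]`) as the message, which is only safe if the function copies it; the implementation is outside these hunks. I would document the contract on the prototype, for example `/* risk_message may be NULL; the string is copied, the caller keeps ownership */` if that matches the code, and consider `const char *risk_message` so callers can pass literals without a cast.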
@@ -469,21 +469,21 @@ struct ndpi_detection_module_struct {
 #else /* not defined NDPI_ENABLE_DEBUG_MESSAGES */
 # ifdef WIN32
-# define NDPI_LOG(...) {}
-# define NDPI_LOG_ERR(...) {}
-# define NDPI_LOG_INFO(...) {}
-# define NDPI_LOG_DBG(...) {}
-# define NDPI_LOG_DBG2(...) {}
+# define NDPI_LOG(mod, ...) { (void)mod; }
+# define NDPI_LOG_ERR(mod, ...) { (void)mod; }
+# define NDPI_LOG_INFO(mod, ...) { (void)mod; }
+# define NDPI_LOG_DBG(mod, ...) { (void)mod; }
+# define NDPI_LOG_DBG2(mod, ...) { (void)mod; }
 # else
 # define NDPI_LOG(proto, mod, log_level, args...) { /* printf(args); */ }
 # ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-# define NDPI_LOG_ERR(mod, args...) { printf(args); }
+# define NDPI_LOG_ERR(mod, args...) { (void)mod; printf(args); }
 # else
-# define NDPI_LOG_ERR(mod, args...) { /* printf(args); */ }
+# define NDPI_LOG_ERR(mod, args...) { (void)mod; /* printf(args); */ }
 # endif
-# define NDPI_LOG_INFO(mod, args...) { /* printf(args); */ }
-# define NDPI_LOG_DBG(mod, args...) { /* printf(args); */ }
-# define NDPI_LOG_DBG2(mod, args...) { /* printf(args); */ }
+# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ }
+# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ }
+# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ }
 # endif
 #endif /* NDPI_ENABLE_DEBUG_MESSAGES */
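Review bot: The new no-op bodies expand `mod` unparenthesized and inside a bare `{ ... }` block, in every `NDPI_LOG*` variant this hunk touches. `(void)mod` casts only the first operand when the argument is an expression, and a brace block followed by the caller's `;` breaks an unbraced `if (...) NDPI_LOG_ERR(...); else ...`. The argument is also now evaluated in non-debug builds, which it was not before, so any call site whose `mod` expression has side effects or dereferences a pointer changes behaviour. I would write `# define NDPI_LOG_DBG(mod, args...) do { (void)(mod); } while(0)` and use the same shape for the others. The non-WIN32 `NDPI_LOG(proto, mod, log_level, args...)` is left without the cast and should match.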
@@ -558,16 +558,14 @@ void ndpi_set_detected_protocol(struct ndpi_detection_module_struct *ndpi_struct u_int16_t lower_detected_protocol, ndpi_confidence_t confidence); -void reset_detected_protocol(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow); +void reset_detected_protocol(struct ndpi_flow_struct *flow); void ndpi_set_detected_protocol_keeping_master(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, u_int16_t detected_protocol, ndpi_confidence_t confidence); -void change_category(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, +void change_category(struct ndpi_flow_struct *flow, ndpi_protocol_category_t protocol_category); @@ -576,8 +574,7 @@ char *ndpi_user_agent_set(struct ndpi_flow_struct *flow, const u_int8_t *value, void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_parse_packet_line_info_any(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow); +void ndpi_parse_packet_line_info_any(struct ndpi_detection_module_struct *ndpi_struct); void load_common_alpns(struct ndpi_detection_module_struct *ndpi_str); u_int8_t is_a_common_alpn(struct ndpi_detection_module_struct *ndpi_str, @@ -593,7 +590,6 @@ u_int8_t ends_with(struct ndpi_detection_module_struct *ndpi_struct, u_int ndpi_search_tcp_or_udp_raw(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, - u_int8_t protocol, u_int32_t saddr, u_int32_t daddr); u_int32_t ip_port_hash_funct(u_int32_t ip, u_int16_t port); 
@@ -655,8 +651,7 @@ const uint8_t *get_crypto_data(struct ndpi_detection_module_struct *ndpi_struct, /* RTP */ int is_valid_rtp_payload_type(uint8_t type); -int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow); +int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct); u_int8_t rtp_get_stream_type(u_int8_t payloadType, ndpi_multimedia_flow_type *s_type); /* Bittorrent */ diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in index 34ee039fe..fbc630683 100644 --- a/src/lib/Makefile.in +++ b/src/lib/Makefile.in @@ -18,6 +18,9 @@ ifneq ($(OS),Windows_NT) CFLAGS += -fPIC -DPIC endif CFLAGS += -I. -I../include -Ithird_party/include -DNDPI_LIB_COMPILATION @NDPI_CFLAGS@ @GPROF_CFLAGS@ @CUSTOM_NDPI@ @ADDITIONAL_INCS@ +CFLAGS_third_party/src/gcrypt_light.c := -Wno-unused-parameter +CFLAGS_third_party/src/ahocorasick.c := -Wno-unused-function -Wno-unused-parameter +CFLAGS_third_party/src/roaring.c := -Wno-unused-function -Wno-attributes LDFLAGS += @NDPI_LDFLAGS@ LIBS = @ADDITIONAL_LIBS@ @LIBS@ @GPROF_LIBS@ @@ -66,7 +69,7 @@ $(NDPI_LIB_SHARED): $(OBJECTS) ln -fs $(NDPI_LIB_SHARED) $(NDPI_LIB_SHARED_BASE).$(NDPI_VERSION_MAJOR) %.o: %.c $(HEADERS) Makefile - $(CC) $(CPPFLAGS) $(CFLAGS) -c $< -o $@ + $(CC) $(CPPFLAGS) $(CFLAGS) $(CFLAGS_$<) -c $< -o $@ clean: /bin/rm -f $(NDPI_LIB_STATIC) $(OBJECTS) *.o *.so *.lo libndpi.so* diff --git a/src/lib/ndpi_geoip.c b/src/lib/ndpi_geoip.c index 599eaf6e0..3b7d09d5d 100644 --- a/src/lib/ndpi_geoip.c +++ b/src/lib/ndpi_geoip.c @@ -60,6 +60,9 @@ int ndpi_load_geoip(struct ndpi_detection_module_struct *ndpi_str, return(0); #else + (void)ndpi_str; + (void)ip_city_data; + (void)ip_as_data; return(-3); #endif } @@ -73,6 +76,8 @@ void ndpi_free_geoip(struct ndpi_detection_module_struct *ndpi_str) { ndpi_free(ndpi_str->mmdb_city); ndpi_free(ndpi_str->mmdb_as); +#else + (void)ndpi_str; #endif } 
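Review bot: `$(CFLAGS_$<)` looks the variable up by the exact text of the prerequisite, so the three `CFLAGS_third_party/src/...` entries take effect only when make spells the source path exactly that way; any other spelling expands to nothing without a diagnostic. How `OBJECTS` is listed is outside the hunk, so this is worth confirming once with a verbose build. `-Wno-attributes` on roaring.c is also broader than the unused-parameter/unused-function warnings the commit message is about, since it hides ignored-attribute diagnostics for the whole file. A comment above the three lines would record the intent, e.g. `# vendored code: per-file warning opt-outs; the key must equal $< in the %.o rule`.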
@@ -103,6 +108,10 @@ int ndpi_get_geoip_asn(struct ndpi_detection_module_struct *ndpi_str, char *ip, return(0); } +#else + (void)ndpi_str; + (void)ip; + (void)asn; #endif return(-2); @@ -158,6 +167,13 @@ int ndpi_get_geoip_country_continent(struct ndpi_detection_module_struct *ndpi_s return(0); } +#else + (void)ndpi_str; + (void)ip; + (void)country_code; + (void)country_code_len; + (void)continent; + (void)continent_len; #endif return(-2); diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index a3af95174..517df9800 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -216,7 +216,7 @@ static int addDefaultPort(struct ndpi_detection_module_struct *ndpi_str, const char *_func, int _line); static void ndpi_reset_packet_line_info(struct ndpi_packet_struct *packet); -static void ndpi_int_change_protocol(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, +static void ndpi_int_change_protocol(struct ndpi_flow_struct *flow, u_int16_t upper_detected_protocol, u_int16_t lower_detected_protocol, ndpi_confidence_t confidence); @@ -448,7 +448,7 @@ void ndpi_set_proto_category(struct ndpi_detection_module_struct *ndpi_str, u_in - HTTP/SSL are NOT informative as SSL.Facebook (likely) means that this is SSL (HTTPS) traffic containg Facebook traffic. */ -u_int8_t ndpi_is_subprotocol_informative(struct ndpi_detection_module_struct *ndpi_str, u_int16_t protoId) { +u_int8_t ndpi_is_subprotocol_informative(u_int16_t protoId) { if(!ndpi_is_valid_protoId(protoId)) return(0); @@ -471,6 +471,11 @@ void ndpi_exclude_protocol(struct ndpi_detection_module_struct *ndpi_str, struct (*(ndpi_str->ndpi_debug_printf))(protocol_id, ndpi_str, NDPI_LOG_DEBUG, _file, _func, _line, "exclude %s\n", ndpi_get_proto_name(ndpi_str, protocol_id)); } +#else + (void)ndpi_str; + (void)_file; + (void)_func; + (void)_line; #endif NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, protocol_id); } 
@@ -625,6 +630,9 @@ static int addDefaultPort(struct ndpi_detection_module_struct *ndpi_str, default_ports_tree_node_t **root, const char *_func, int _line) { + (void)_func; + (void)_line; + u_int32_t port; for(port = range->port_low; port <= range->port_high; port++) { @@ -2779,8 +2787,7 @@ int ndpi_load_ipv4_ptree(struct ndpi_detection_module_struct *ndpi_str, /* ******************************************* */ -static void ndpi_init_ptree_ipv4(struct ndpi_detection_module_struct *ndpi_str, - void *ptree, ndpi_network host_list[]) { +static void ndpi_init_ptree_ipv4(void *ptree, ndpi_network host_list[]) { int i; for(i = 0; host_list[i].network != 0x0; i++) { @@ -3016,6 +3023,10 @@ void ndpi_debug_printf(unsigned int proto, struct ndpi_detection_module_struct * } else { printf("Proto: %u, %s", proto, str); } +#else + (void)file_name; + (void)func_name; + (void)line_number; #endif } @@ -3027,6 +3038,9 @@ void set_ndpi_debug_function(struct ndpi_detection_module_struct *ndpi_str, ndpi #ifdef NDPI_ENABLE_DEBUG_MESSAGES if(ndpi_str) ndpi_str->ndpi_debug_printf = ndpi_debug_printf; +#else + (void)ndpi_str; + (void)ndpi_debug_printf; #endif } @@ -3246,7 +3260,7 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(struct ndpi_glob ndpi_exit_detection_module(ndpi_str); return NULL; } - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, host_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, host_protocol_list); ndpi_str->ip_risk_mask_ptree = ndpi_patricia_new(32 /* IPv4 */); 
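Review bot: In `addDefaultPort` the casts `(void)_func; (void)_line;` are placed ahead of `u_int32_t port;`, so the function now mixes statements and declarations, unlike the other functions in this commit where the casts follow existing code under `#else`. Moving them below the declaration keeps the declarations-first layout: `u_int32_t port;` followed by `(void)_func; (void)_line;`. The casts are also unconditional here; if `_func` and `_line` are used in a debug-only path further down (the body continues outside the hunk), a short comment such as `/* only used when NDPI_ENABLE_DEBUG_MESSAGES is defined */` would explain why they exist.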
@@ -3454,199 +3468,199 @@ int ndpi_finalize_initialization(struct ndpi_detection_module_struct *ndpi_str) } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_AMAZON_AWS)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_amazon_aws_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_amazon_aws_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_amazon_aws_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_MICROSOFT_AZURE)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_microsoft_azure_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_microsoft_azure_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_microsoft_azure_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_CACHEFLY)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_cachefly_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_cachefly_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_cachefly_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_CLOUDFLARE)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_cloudflare_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_cloudflare_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_cloudflare_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_GOOGLE)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_google_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_google_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_google_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_GOOGLE_CLOUD)) { - ndpi_init_ptree_ipv4(ndpi_str, 
ndpi_str->protocols_ptree, ndpi_protocol_google_cloud_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_google_cloud_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_google_cloud_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_MICROSOFT_365)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_microsoft_365_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_microsoft_365_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_microsoft_365_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_MS_ONE_DRIVE)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_ms_one_drive_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_ms_one_drive_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_ms_one_drive_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_MS_OUTLOOK)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_ms_outlook_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_ms_outlook_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_ms_outlook_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_SKYPE_TEAMS)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_skype_teams_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_skype_teams_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_skype_teams_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_PROTONVPN)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_protonvpn_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_protonvpn_protocol_list); 
ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_protonvpn_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_TOR)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_tor_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_tor_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_tor_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_WHATSAPP)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_whatsapp_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_whatsapp_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_whatsapp_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_ETHEREUM)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_ethereum_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_ethereum_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_ethereum_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_ZOOM)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_zoom_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_zoom_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_zoom_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_MULLVAD)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_mullvad_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_mullvad_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_mullvad_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_TELEGRAM)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_telegram_protocol_list); + 
ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_telegram_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_telegram_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_APPLE)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_apple_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_apple_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_apple_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_TWITTER)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_twitter_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_twitter_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_twitter_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_NETFLIX)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_netflix_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_netflix_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_netflix_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_WEBEX)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_webex_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_webex_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_webex_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_TEAMVIEWER)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_teamviewer_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_teamviewer_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_teamviewer_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_FACEBOOK)) { - 
ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_facebook_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_facebook_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_facebook_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_TENCENT)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_tencent_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_tencent_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_tencent_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_OPENDNS)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_opendns_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_opendns_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_opendns_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_DROPBOX)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_dropbox_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_dropbox_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_dropbox_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_STARCRAFT)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_starcraft_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_starcraft_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_starcraft_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_UBUNTUONE)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_ubuntuone_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_ubuntuone_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, 
ndpi_protocol_ubuntuone_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_TWITCH)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_twitch_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_twitch_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_twitch_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_HOTSPOT_SHIELD)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_hotspot_shield_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_hotspot_shield_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_hotspot_shield_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_GITHUB)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_github_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_github_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_github_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_STEAM)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_steam_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_steam_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_steam_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_BLOOMBERG)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_bloomberg_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_bloomberg_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_bloomberg_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_EDGECAST)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_edgecast_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, 
ndpi_protocol_edgecast_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_edgecast_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_GOTO)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_goto_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_goto_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_goto_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_RIOTGAMES)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_riotgames_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_riotgames_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_riotgames_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_THREEMA)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_threema_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_threema_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_threema_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_ALIBABA)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_alibaba_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_alibaba_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_alibaba_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_AVAST)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_avast_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_avast_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_avast_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_DISCORD)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, 
ndpi_protocol_discord_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_discord_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_discord_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_LINE)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_line_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_line_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_line_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_VK)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_vk_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_vk_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_vk_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_YANDEX)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_yandex_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_yandex_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_yandex_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_YANDEX_CLOUD)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_yandex_cloud_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_yandex_cloud_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_yandex_cloud_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_DISNEYPLUS)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_disneyplus_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_disneyplus_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_disneyplus_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, 
NDPI_PROTOCOL_HULU)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_hulu_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_hulu_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_hulu_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_EPICGAMES)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_epicgames_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_epicgames_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_epicgames_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_NVIDIA)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_nvidia_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_nvidia_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_nvidia_protocol_list_6); } if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_ROBLOX)) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_roblox_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->protocols_ptree, ndpi_protocol_roblox_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols_ptree6, ndpi_protocol_roblox_protocol_list_6); } 
@@ -3658,15 +3672,15 @@ int ndpi_finalize_initialization(struct ndpi_detection_module_struct *ndpi_str) } if(ndpi_str->cfg.risk_anonymous_subscriber_list_icloudprivaterelay_enabled) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->ip_risk_ptree, ndpi_anonymous_subscriber_icloud_private_relay_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->ip_risk_ptree, ndpi_anonymous_subscriber_icloud_private_relay_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->ip_risk_ptree6, ndpi_anonymous_subscriber_icloud_private_relay_protocol_list_6); } if(ndpi_str->cfg.risk_anonymous_subscriber_list_protonvpn_enabled) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->ip_risk_ptree, ndpi_anonymous_subscriber_protonvpn_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->ip_risk_ptree, ndpi_anonymous_subscriber_protonvpn_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->ip_risk_ptree6, ndpi_anonymous_subscriber_protonvpn_protocol_list_6); } if(ndpi_str->cfg.risk_crawler_bot_list_enabled) { - ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->ip_risk_ptree, ndpi_http_crawler_bot_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str->ip_risk_ptree, ndpi_http_crawler_bot_protocol_list); ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->ip_risk_ptree6, ndpi_http_crawler_bot_protocol_list_6); } } @@ -4326,7 +4340,7 @@ static u_int16_t guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str /* Run some basic consistency tests */ if(packet->payload_packet_len < sizeof(struct ndpi_icmphdr)) { - ndpi_set_risk(ndpi_str, flow, NDPI_MALFORMED_PACKET, NULL); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, NULL); } else { u_int8_t icmp_type = (u_int8_t)packet->payload[0]; u_int8_t icmp_code = (u_int8_t)packet->payload[1]; 
@@ -4334,7 +4348,7 @@ static u_int16_t guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str /* https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml */ if(((icmp_type >= 44) && (icmp_type <= 252)) || (icmp_code > 15)) - ndpi_set_risk(ndpi_str, flow, NDPI_MALFORMED_PACKET, NULL); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, NULL); if(packet->payload_packet_len > sizeof(struct ndpi_icmphdr)) { flow->entropy = ndpi_entropy(packet->payload + sizeof(struct ndpi_icmphdr), @@ -4344,12 +4358,12 @@ static u_int16_t guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str char str[32]; snprintf(str, sizeof(str), "Entropy %.2f", flow->entropy); - ndpi_set_risk(ndpi_str, flow, NDPI_SUSPICIOUS_ENTROPY, str); + ndpi_set_risk(flow, NDPI_SUSPICIOUS_ENTROPY, str); } u_int16_t chksm = icmp4_checksum(packet->payload, packet->payload_packet_len); if(chksm) { - ndpi_set_risk(ndpi_str, flow, NDPI_MALFORMED_PACKET, NULL); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, NULL); } } } @@ -4370,7 +4384,7 @@ static u_int16_t guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str /* Run some basic consistency tests */ if(packet->payload_packet_len < sizeof(struct ndpi_icmp6hdr)) - ndpi_set_risk(ndpi_str, flow, NDPI_MALFORMED_PACKET, NULL); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, NULL); else { u_int8_t icmp6_type = (u_int8_t)packet->payload[0]; u_int8_t icmp6_code = (u_int8_t)packet->payload[1]; @@ -4378,7 +4392,7 @@ static u_int16_t guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str /* https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol_for_IPv6 */ if(((icmp6_type >= 5) && (icmp6_type <= 127)) || ((icmp6_code >= 156) && (icmp6_type != 255))) - ndpi_set_risk(ndpi_str, flow, NDPI_MALFORMED_PACKET, NULL); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, NULL); } } return(NDPI_PROTOCOL_IP_ICMPV6); 
@@ -4928,6 +4942,8 @@ int load_category_file_fd(struct ndpi_detection_module_struct *ndpi_str, unsigned int failed_lines = 0; unsigned int lines_read = 0; + (void)lines_read; + if(!ndpi_str || !fd || !ndpi_str->protocols_ptree) return(0); @@ -5386,6 +5402,7 @@ void ndpi_set_bitmask_protocol_detection(char *label, struct ndpi_detection_modu struct ndpi_flow_struct *flow), const NDPI_SELECTION_BITMASK_PROTOCOL_SIZE ndpi_selection_bitmask, u_int8_t b_save_bitmask_unknow, u_int8_t b_add_detection_bitmask) { + (void)label; /* Compare specify protocol bitmask with main detection bitmask */ @@ -6406,7 +6423,7 @@ static u_int8_t ndpi_detection_get_l4_internal(struct ndpi_detection_module_stru const struct ndpi_ipv6hdr *iph_v6 = NULL; u_int16_t l4len = 0; const u_int8_t *l4ptr = NULL; - u_int8_t l4protocol = 0; + u_int8_t l4protocol = 0; if(l3 == NULL || l3_len < sizeof(struct ndpi_iphdr)) return(1); @@ -6882,9 +6899,9 @@ static void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_s u_int8_t flags = ((u_int8_t*)tcph)[13]; if(flags == 0) - ndpi_set_risk(ndpi_str, flow, NDPI_TCP_ISSUES, "TCP NULL scan"); + ndpi_set_risk(flow, NDPI_TCP_ISSUES, "TCP NULL scan"); else if(flags == (TH_FIN | TH_PUSH | TH_URG)) - ndpi_set_risk(ndpi_str, flow, NDPI_TCP_ISSUES, "TCP XMAS scan"); + ndpi_set_risk(flow, NDPI_TCP_ISSUES, "TCP XMAS scan"); if(ndpi_str->cfg.direction_detect_enabled && (tcph->source != tcph->dest)) @@ -6892,7 +6909,7 @@ static void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_s if(packet->packet_direction == 0 /* cli -> srv */) { if(flags == TH_FIN) - ndpi_set_risk(ndpi_str, flow, NDPI_TCP_ISSUES, "TCP FIN scan"); + ndpi_set_risk(flow, NDPI_TCP_ISSUES, "TCP FIN scan"); flow->l4.tcp.cli2srv_tcp_flags |= flags; } else 
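Review bot: In `load_category_file_fd` the added `(void)lines_read;` silences the warning for a local that is still declared and initialised, so a set-but-unused counter stays in the function instead of being removed. If the counter is only read by logging that can be compiled out (not visible in this hunk), declaring it under the same guard as that logging would keep the warning meaningful. The `(void)label;` added to `ndpi_set_bitmask_protocol_detection` in the next hunk follows the same pattern, and a short comment such as `/* label is only read when debug logging is compiled in */` would tell the reader why the parameter stays, if that is the reason. Both function bodies continue outside their hunks.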
@@ -7062,11 +7079,11 @@ static void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_s ; /* multicast or broadcast */ else { if(flow->packet_direction_complete_counter[flow->client_packet_direction] == 0) - ndpi_set_risk(ndpi_str, flow, NDPI_UNIDIRECTIONAL_TRAFFIC, "No client to server traffic"); /* Should never happen */ + ndpi_set_risk(flow, NDPI_UNIDIRECTIONAL_TRAFFIC, "No client to server traffic"); /* Should never happen */ else if(flow->packet_direction_complete_counter[!flow->client_packet_direction] == 0) - ndpi_set_risk(ndpi_str, flow, NDPI_UNIDIRECTIONAL_TRAFFIC, "No server to client traffic"); + ndpi_set_risk(flow, NDPI_UNIDIRECTIONAL_TRAFFIC, "No server to client traffic"); else { - ndpi_unset_risk(ndpi_str, flow, NDPI_UNIDIRECTIONAL_TRAFFIC); /* Clear bit */ + ndpi_unset_risk(flow, NDPI_UNIDIRECTIONAL_TRAFFIC); /* Clear bit */ } } } @@ -7301,7 +7318,7 @@ static void ndpi_reconcile_msteams_udp(struct ndpi_detection_module_struct *ndpi u_int8_t d_match = ((dport >= 3478) && (dport <= 3481)) ? 1 : 0; if(s_match || d_match) { - ndpi_int_change_protocol(ndpi_str, flow, + ndpi_int_change_protocol(flow, NDPI_PROTOCOL_SKYPE_TEAMS, master, /* Keep the same confidence */ flow->confidence); @@ -7319,8 +7336,7 @@ static void ndpi_reconcile_msteams_udp(struct ndpi_detection_module_struct *ndpi /* ********************************************************************************* */ -static int ndpi_reconcile_msteams_call_udp_port(struct ndpi_detection_module_struct *ndpi_str, - struct ndpi_flow_struct *flow, +static int ndpi_reconcile_msteams_call_udp_port(struct ndpi_flow_struct *flow, u_int16_t sport, u_int16_t dport) { /* 
@@ -7347,15 +7363,14 @@ static int ndpi_reconcile_msteams_call_udp_port(struct ndpi_detection_module_str /* ********************************************************************************* */ -static void ndpi_reconcile_msteams_call_udp(struct ndpi_detection_module_struct *ndpi_str, - struct ndpi_flow_struct *flow) { +static void ndpi_reconcile_msteams_call_udp(struct ndpi_flow_struct *flow) { if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_SKYPE_TEAMS_CALL) { if(flow->l4_proto == IPPROTO_UDP) { u_int16_t sport = ntohs(flow->c_port); u_int16_t dport = ntohs(flow->s_port); - if(ndpi_reconcile_msteams_call_udp_port(ndpi_str, flow, sport, dport) == 0) - ndpi_reconcile_msteams_call_udp_port(ndpi_str, flow, dport, sport); + if(ndpi_reconcile_msteams_call_udp_port(flow, sport, dport) == 0) + ndpi_reconcile_msteams_call_udp_port(flow, dport, sport); } } } @@ -7408,13 +7423,13 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s case NDPI_PROTOCOL_RTP: case NDPI_PROTOCOL_COLLECTD: /* Remove NDPI_UNIDIRECTIONAL_TRAFFIC from unidirectional protocols */ - ndpi_unset_risk(ndpi_str, flow, NDPI_UNIDIRECTIONAL_TRAFFIC); + ndpi_unset_risk(flow, NDPI_UNIDIRECTIONAL_TRAFFIC); break; case NDPI_PROTOCOL_SYSLOG: case NDPI_PROTOCOL_MDNS: if(flow->l4_proto == IPPROTO_UDP) - ndpi_unset_risk(ndpi_str, flow, NDPI_UNIDIRECTIONAL_TRAFFIC); + ndpi_unset_risk(flow, NDPI_UNIDIRECTIONAL_TRAFFIC); break; case NDPI_PROTOCOL_TLS: 
@@ -7432,12 +7447,12 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s make_msteams_key(flow, 1 /* client */), &dummy, 0 /* Don't remove it as it can be used for other connections */, ndpi_get_current_time(flow))) { - ndpi_int_change_protocol(ndpi_str, flow, + ndpi_int_change_protocol(flow, NDPI_PROTOCOL_SKYPE_TEAMS, NDPI_PROTOCOL_TLS, NDPI_CONFIDENCE_DPI_PARTIAL); } } else if(flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_TELEGRAM) { - ndpi_int_change_protocol(ndpi_str, flow, + ndpi_int_change_protocol(flow, flow->guessed_protocol_id_by_ip, flow->detected_protocol_stack[0], NDPI_CONFIDENCE_DPI_PARTIAL); } @@ -7461,16 +7476,16 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s } } - ndpi_reconcile_msteams_call_udp(ndpi_str, flow); + ndpi_reconcile_msteams_call_udp(flow); break; case NDPI_PROTOCOL_RDP: - ndpi_set_risk(ndpi_str, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found RDP"); /* Remote assistance */ + ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found RDP"); /* Remote assistance */ break; case NDPI_PROTOCOL_ANYDESK: if(flow->l4_proto == IPPROTO_TCP) /* TCP only */ - ndpi_set_risk(ndpi_str, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found AnyDesk"); /* Remote assistance */ + ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found AnyDesk"); /* Remote assistance */ break; /* Generic container for microsoft subprotocols */ @@ -7480,7 +7495,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s case NDPI_PROTOCOL_MS_ONE_DRIVE: case NDPI_PROTOCOL_MS_OUTLOOK: case NDPI_PROTOCOL_SKYPE_TEAMS: - ndpi_int_change_protocol(ndpi_str, flow, + ndpi_int_change_protocol(flow, flow->guessed_protocol_id_by_ip, flow->detected_protocol_stack[1], NDPI_CONFIDENCE_DPI_PARTIAL); break; 
@@ -7491,7 +7506,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s case NDPI_PROTOCOL_GOOGLE: switch(flow->guessed_protocol_id_by_ip) { case NDPI_PROTOCOL_GOOGLE_CLOUD: - ndpi_int_change_protocol(ndpi_str, flow, + ndpi_int_change_protocol(flow, flow->guessed_protocol_id_by_ip, flow->detected_protocol_stack[1], NDPI_CONFIDENCE_DPI_PARTIAL); @@ -7510,7 +7525,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s case NDPI_PROTOCOL_UNSAFE: case NDPI_PROTOCOL_POTENTIALLY_DANGEROUS: case NDPI_PROTOCOL_DANGEROUS: - ndpi_set_risk(ndpi_str, flow, NDPI_UNSAFE_PROTOCOL, NULL); + ndpi_set_risk(flow, NDPI_UNSAFE_PROTOCOL, NULL); break; default: /* Nothing to do */ 
@@ -7635,22 +7650,21 @@ static void ndpi_add_connection_as_zoom(struct ndpi_detection_module_struct *ndp As these conditions won't happen with nDPI protocol-detected protocols it is not necessary to call this function elsewhere */ -static void ndpi_check_tcp_flags(struct ndpi_detection_module_struct *ndpi_str, - struct ndpi_flow_struct *flow) { +static void ndpi_check_tcp_flags(struct ndpi_flow_struct *flow) { // printf("[TOTAL] %u / %u [tot: %u]\n", flow->packet_direction_complete_counter[0], flow->packet_direction_complete_counter[1], flow->all_packets_counter); if((flow->l4.tcp.cli2srv_tcp_flags & TH_SYN) && (flow->l4.tcp.srv2cli_tcp_flags & TH_RST) && (flow->packet_counter == 0 /* Ignore connections terminated by RST but that exchanged data (3WH + RST) */) ) - ndpi_set_risk(ndpi_str, flow, NDPI_TCP_ISSUES, "Connection refused (server)"); + ndpi_set_risk(flow, NDPI_TCP_ISSUES, "Connection refused (server)"); else if((flow->l4.tcp.cli2srv_tcp_flags & TH_SYN) && (flow->l4.tcp.cli2srv_tcp_flags & TH_RST) && (flow->packet_counter == 0 /* Ignore connections terminated by RST but that exchanged data (3WH + RST) */) ) - ndpi_set_risk(ndpi_str, flow, NDPI_TCP_ISSUES, "Connection refused (client)"); + ndpi_set_risk(flow, NDPI_TCP_ISSUES, "Connection refused (client)"); else if((flow->l4.tcp.srv2cli_tcp_flags & TH_RST) && (flow->packet_direction_complete_counter[1 /* server -> client */] == 1)) - ndpi_set_risk(ndpi_str, flow, NDPI_TCP_ISSUES, "TCP probing attempt"); + ndpi_set_risk(flow, NDPI_TCP_ISSUES, "TCP probing attempt"); } /* ********************************************************************************* */ @@ -7668,7 +7682,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st return(ret); if(flow->l4_proto == IPPROTO_TCP) - ndpi_check_tcp_flags(ndpi_str, flow); + ndpi_check_tcp_flags(flow); /* Init defaults */ ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0]; 
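Review bot: The last branch of `ndpi_check_tcp_flags` indexes `packet_direction_complete_counter[1 /* server -> client */]` with a fixed 1, while `ndpi_connection_tracking` earlier in this file selects the server side as `[!flow->client_packet_direction]`. If the client direction can be 1 for a flow, the "TCP probing attempt" risk would be evaluated against the client's packet count and NDPI_TCP_ISSUES could be missed or raised spuriously. Consider `flow->packet_direction_complete_counter[!flow->client_packet_direction] == 1` here, or a comment stating why direction 1 is always the server at this point.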
@@ -7723,7 +7737,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st /* TODO: not sure about the best "order" among fully encrypted logic, classification by-port and classification by-ip...*/ if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN && flow->first_pkt_fully_encrypted == 1) { - ndpi_set_risk(ndpi_str, flow, NDPI_FULLY_ENCRYPTED, NULL); + ndpi_set_risk(flow, NDPI_FULLY_ENCRYPTED, NULL); } /* Classification by-port */ @@ -8031,7 +8045,7 @@ int ndpi_fill_ip_protocol_category(struct ndpi_detection_module_struct *ndpi_str ret->custom_category_userdata = node->custom_user_data; if((ret->category == CUSTOM_CATEGORY_MALWARE) && (match_client == false)) { - ndpi_set_risk(ndpi_str, flow, NDPI_MALWARE_HOST_CONTACTED, "Client contacted malware host"); + ndpi_set_risk(flow, NDPI_MALWARE_HOST_CONTACTED, "Client contacted malware host"); } return(1); @@ -8077,7 +8091,7 @@ int ndpi_fill_ip6_protocol_category(struct ndpi_detection_module_struct *ndpi_st ret->custom_category_userdata = node->custom_user_data; if((ret->category == CUSTOM_CATEGORY_MALWARE) && (match_client == false)) { - ndpi_set_risk(ndpi_str, flow, NDPI_MALWARE_HOST_CONTACTED, "Client contacted malware host"); + ndpi_set_risk(flow, NDPI_MALWARE_HOST_CONTACTED, "Client contacted malware host"); } return(1); @@ -8145,9 +8159,7 @@ static int ndpi_is_ntop_protocol(ndpi_protocol *ret) { /* ********************************************************************************* */ -static int ndpi_check_protocol_port_mismatch_exceptions(struct ndpi_detection_module_struct *ndpi_str, - struct ndpi_flow_struct *flow, - default_ports_tree_node_t *expected_proto, +static int ndpi_check_protocol_port_mismatch_exceptions(default_ports_tree_node_t *expected_proto, ndpi_protocol *returned_proto) { /* For TLS (and other protocols) it is not simple to guess the exact protocol so before 
@@ -8416,7 +8428,7 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio ) { // printf("******** %u / %u\n", found->proto->protoId, ret.master_protocol); - if(!ndpi_check_protocol_port_mismatch_exceptions(ndpi_str, flow, found, &ret)) { + if(!ndpi_check_protocol_port_mismatch_exceptions(found, &ret)) { /* Before triggering the alert we need to make some extra checks - the protocol found is not running on the port we have found @@ -8454,7 +8466,7 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio } str[offset] = '\0'; - ndpi_set_risk(ndpi_str, flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT, str); + ndpi_set_risk(flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT, str); } } } @@ -8486,7 +8498,7 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio if((r == NULL) || ((r->proto->protoId != ret.app_protocol) && (r->proto->protoId != ret.master_protocol))) - ndpi_set_risk(ndpi_str, flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT,NULL); + ndpi_set_risk(flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT,NULL); } } @@ -8516,7 +8528,7 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio } if(net_risk != NDPI_NO_RISK) - ndpi_set_risk(ndpi_str, flow, net_risk, NULL); + ndpi_set_risk(flow, net_risk, NULL); flow->tree_risk_checked = 1; } @@ -8715,7 +8727,7 @@ struct header_line { struct ndpi_int_one_line_struct *line; }; -static void parse_single_packet_line(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow) +static void parse_single_packet_line(struct ndpi_detection_module_struct *ndpi_str) { struct ndpi_packet_struct *packet = &ndpi_str->packet; struct ndpi_int_one_line_struct *line; 
@@ -8886,7 +8898,7 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str, packet->line[packet->parsed_lines].len = (u_int16_t)(((size_t) &packet->payload[a]) - ((size_t) packet->line[packet->parsed_lines].ptr)); - parse_single_packet_line(ndpi_str, flow); + parse_single_packet_line(ndpi_str); if(packet->line[packet->parsed_lines].len == 0) { packet->empty_line_position = a; @@ -8909,14 +8921,14 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str, (u_int16_t)(((size_t) &packet->payload[packet->payload_packet_len]) - ((size_t) packet->line[packet->parsed_lines].ptr)); - parse_single_packet_line(ndpi_str, flow); + parse_single_packet_line(ndpi_str); packet->parsed_lines++; } } /* ********************************************************************************* */ -void ndpi_parse_packet_line_info_any(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow) { +void ndpi_parse_packet_line_info_any(struct ndpi_detection_module_struct *ndpi_str) { struct ndpi_packet_struct *packet = &ndpi_str->packet; u_int32_t a; u_int16_t end = packet->payload_packet_len; 
@@ -8986,14 +8998,14 @@ void ndpi_set_detected_protocol(struct ndpi_detection_module_struct *ndpi_str, s ndpi_confidence_t confidence) { ndpi_protocol ret; - ndpi_int_change_protocol(ndpi_str, flow, upper_detected_protocol, lower_detected_protocol, confidence); + ndpi_int_change_protocol(flow, upper_detected_protocol, lower_detected_protocol, confidence); ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0]; ndpi_reconcile_protocols(ndpi_str, flow, &ret); } /* ********************************************************************************* */ -void reset_detected_protocol(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow) { +void reset_detected_protocol(struct ndpi_flow_struct *flow) { flow->detected_protocol_stack[1] = NDPI_PROTOCOL_UNKNOWN; flow->detected_protocol_stack[0] = NDPI_PROTOCOL_UNKNOWN; flow->confidence = NDPI_CONFIDENCE_UNKNOWN; 
@@ -9001,36 +9013,36 @@ void reset_detected_protocol(struct ndpi_detection_module_struct *ndpi_str, stru /* ********************************************************************************* */ -u_int16_t ndpi_get_flow_masterprotocol(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow) { +u_int16_t ndpi_get_flow_masterprotocol(struct ndpi_flow_struct *flow) { return(flow->detected_protocol_stack[1]); } /* ********************************************************************************* */ -u_int16_t ndpi_get_flow_appprotocol(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow) { +u_int16_t ndpi_get_flow_appprotocol(struct ndpi_flow_struct *flow) { return(flow->detected_protocol_stack[0]); } /* ********************************************************************************* */ -ndpi_protocol_category_t ndpi_get_flow_category(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow) +ndpi_protocol_category_t ndpi_get_flow_category(struct ndpi_flow_struct *flow) { return(flow->category); } /* ********************************************************************************* */ -void ndpi_get_flow_ndpi_proto(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, +void ndpi_get_flow_ndpi_proto(struct ndpi_flow_struct *flow, struct ndpi_proto * ndpi_proto) { - ndpi_proto->master_protocol = ndpi_get_flow_masterprotocol(ndpi_str, flow); - ndpi_proto->app_protocol = ndpi_get_flow_appprotocol(ndpi_str, flow); - ndpi_proto->category = ndpi_get_flow_category(ndpi_str, flow); + ndpi_proto->master_protocol = ndpi_get_flow_masterprotocol(flow); + ndpi_proto->app_protocol = ndpi_get_flow_appprotocol(flow); + ndpi_proto->category = ndpi_get_flow_category(flow); } /* ********************************************************************************* */ -static void ndpi_int_change_flow_protocol(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, +static void 
ndpi_int_change_flow_protocol(struct ndpi_flow_struct *flow, u_int16_t upper_detected_protocol, u_int16_t lower_detected_protocol, ndpi_confidence_t confidence) { flow->detected_protocol_stack[0] = upper_detected_protocol, @@ -9045,7 +9057,7 @@ static void ndpi_int_change_flow_protocol(struct ndpi_detection_module_struct *n * what it does is: * 1.update the flow protocol stack with the new protocol */ -static void ndpi_int_change_protocol(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, +static void ndpi_int_change_protocol(struct ndpi_flow_struct *flow, u_int16_t upper_detected_protocol, u_int16_t lower_detected_protocol, ndpi_confidence_t confidence) { if((upper_detected_protocol == NDPI_PROTOCOL_UNKNOWN) && (lower_detected_protocol != NDPI_PROTOCOL_UNKNOWN)) @@ -9054,12 +9066,12 @@ static void ndpi_int_change_protocol(struct ndpi_detection_module_struct *ndpi_s if(upper_detected_protocol == lower_detected_protocol) lower_detected_protocol = NDPI_PROTOCOL_UNKNOWN; - ndpi_int_change_flow_protocol(ndpi_str, flow, upper_detected_protocol, lower_detected_protocol, confidence); + ndpi_int_change_flow_protocol(flow, upper_detected_protocol, lower_detected_protocol, confidence); } /* ********************************************************************************* */ -void change_category(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, +void change_category(struct ndpi_flow_struct *flow, ndpi_protocol_category_t protocol_category) { flow->category = protocol_category; } @@ -9195,7 +9207,7 @@ ndpi_protocol ndpi_guess_undetected_protocol_v4(struct ndpi_detection_module_str if((proto == IPPROTO_TCP) || (proto == IPPROTO_UDP)) { if(shost && dhost) - rc = ndpi_search_tcp_or_udp_raw(ndpi_str, flow, proto, shost, dhost); + rc = ndpi_search_tcp_or_udp_raw(ndpi_str, flow, shost, dhost); else rc = NDPI_PROTOCOL_UNKNOWN; 
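Review bot: The accessors `ndpi_get_flow_masterprotocol`, `ndpi_get_flow_appprotocol`, `ndpi_get_flow_category` and `ndpi_get_flow_ndpi_proto` are declared in ndpi_api.h and lose their first argument here, so anything that binds them by symbol name (language bindings, a binary built against the old header) would now pass the detection-module pointer where `flow` is expected. The functions then read `flow->detected_protocol_stack[...]` or `flow->category` from that pointer with no check, which is a silent type confusion, not a link error. The change should be accompanied by a bump of the library's API/ABI version and a changelog entry; that is not visible in this chunk. A cheap guard such as `if(!flow) return(NDPI_PROTOCOL_UNKNOWN);` in the two protocol getters would also make the new single-argument contract explicit.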
@@ -9233,8 +9245,7 @@ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct /* ****************************************************** */ -char *ndpi_protocol2id(struct ndpi_detection_module_struct *ndpi_str, - ndpi_protocol proto, char *buf, u_int buf_len) { +char *ndpi_protocol2id(ndpi_protocol proto, char *buf, u_int buf_len) { if((proto.master_protocol != NDPI_PROTOCOL_UNKNOWN) && (proto.master_protocol != proto.app_protocol)) { if(proto.app_protocol != NDPI_PROTOCOL_UNKNOWN) ndpi_snprintf(buf, buf_len, "%u.%u", proto.master_protocol, proto.app_protocol); @@ -9464,8 +9475,7 @@ ndpi_protocol_breed_t ndpi_get_proto_breed(struct ndpi_detection_module_struct * /* ****************************************************** */ -char *ndpi_get_proto_breed_name(struct ndpi_detection_module_struct *ndpi_str, - ndpi_protocol_breed_t breed_id) { +char *ndpi_get_proto_breed_name(ndpi_protocol_breed_t breed_id) { switch(breed_id) { case NDPI_PROTOCOL_SAFE: return("Safe"); @@ -9533,7 +9543,7 @@ void ndpi_dump_protocols(struct ndpi_detection_module_struct *ndpi_str, FILE *du ndpi_str->proto_defaults[i].protoName, ndpi_get_l4_proto_name(ndpi_get_l4_proto_info(ndpi_str, i)), ndpi_str->proto_defaults[i].isAppProtocol ? "" : "X", - ndpi_get_proto_breed_name(ndpi_str, ndpi_str->proto_defaults[i].protoBreed), + ndpi_get_proto_breed_name(ndpi_str->proto_defaults[i].protoBreed), ndpi_category_get_name(ndpi_str, ndpi_str->proto_defaults[i].protoCategory)); } @@ -9790,7 +9800,7 @@ void ndpi_check_subprotocol_risk(struct ndpi_detection_module_struct *ndpi_str, switch(subprotocol_id) { case NDPI_PROTOCOL_ANYDESK: - ndpi_set_risk(ndpi_str, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found AnyDesk"); /* Remote assistance */ + ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found AnyDesk"); /* Remote assistance */ break; } } 
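Review bot: `ndpi_get_proto_breed_name` returns `char *`, but the visible branch returns a string literal (`return("Safe");`), so a caller that writes through the result has undefined behaviour. Since this commit already breaks the function's signature, the return type could become const in the same step: `const char *ndpi_get_proto_breed_name(ndpi_protocol_breed_t breed_id) {`. The remaining switch cases are outside the hunk, so this assumes they return literals as well.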
@@ -9831,7 +9841,7 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_ char str[64] = { '\0' }; strncpy(str, string_to_match, ndpi_min(string_to_match_len, sizeof(str)-1)); - ndpi_set_risk(ndpi_str, flow, NDPI_RISKY_DOMAIN, str); + ndpi_set_risk(flow, NDPI_RISKY_DOMAIN, str); } } @@ -9840,7 +9850,7 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_ char str[64] = { '\0' }; strncpy(str, string_to_match, ndpi_min(string_to_match_len, sizeof(str)-1)); - ndpi_set_risk(ndpi_str, flow, NDPI_PUNYCODE_IDN, str); + ndpi_set_risk(flow, NDPI_PUNYCODE_IDN, str); } return(rc); @@ -9868,7 +9878,7 @@ int ndpi_match_hostname_protocol(struct ndpi_detection_module_struct *ndpi_struc if(subproto != NDPI_PROTOCOL_UNKNOWN) { ndpi_set_detected_protocol(ndpi_struct, flow, subproto, master_protocol, NDPI_CONFIDENCE_DPI); if(!category_depends_on_master(master_protocol)) - change_category(ndpi_struct, flow, ret_match.protocol_category); + change_category(flow, ret_match.protocol_category); if(subproto == NDPI_PROTOCOL_OOKLA) { ookla_add_to_cache(ndpi_struct, flow); @@ -10031,6 +10041,8 @@ static void __lru_cache_lock(struct ndpi_lru_cache *c) if(c->shared) { pthread_mutex_lock(&c->mutex); } +#else + (void)c; #endif } @@ -10040,6 +10052,8 @@ static void __lru_cache_unlock(struct ndpi_lru_cache *c) if(c->shared) { pthread_mutex_unlock(&c->mutex); } +#else + (void)c; #endif } @@ -10153,7 +10167,7 @@ int ndpi_get_lru_cache_stats(struct ndpi_global_context *g_ctx, 1 - Additional dissection is possible */ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndpi_str, - struct ndpi_flow_struct *flow) { + struct ndpi_flow_struct *flow) { NDPI_LOG_DBG2(ndpi_str, "Protos (%u.%u): %d\n", flow->detected_protocol_stack[0], flow->detected_protocol_stack[1], 
@@ -10346,7 +10360,6 @@ u_int8_t ends_with(struct ndpi_detection_module_struct *ndpi_struct, u_int8_t ends_len = strlen(ends); u_int8_t rc; - if(str_len < ends_len) return(0); rc = (strncmp(&str[str_len-ends_len], ends, ends_len) != 0) ? 0 : 1; @@ -10398,7 +10411,7 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, if(rc) { if(flow) - ndpi_set_risk(ndpi_str, flow, NDPI_SUSPICIOUS_DGA_DOMAIN, name); + ndpi_set_risk(flow, NDPI_SUSPICIOUS_DGA_DOMAIN, name); } return(rc); @@ -10545,7 +10558,7 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, || ((max_domain_element_len >= 19 /* word too long. Example bbcbedxhgjmdobdprmen.com */) && ((num_char_repetitions > 1) || (num_digits > 1))) ) { if(flow) { - ndpi_set_risk(ndpi_str, flow, NDPI_SUSPICIOUS_DGA_DOMAIN, name); + ndpi_set_risk(flow, NDPI_SUSPICIOUS_DGA_DOMAIN, name); } NDPI_LOG_DBG2(ndpi_str, "[DGA] Found!"); @@ -10699,7 +10712,7 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, NDPI_LOG_DBG2(ndpi_str, "[DGA] Result: %u\n", rc); if(rc && flow) - ndpi_set_risk(ndpi_str, flow, NDPI_SUSPICIOUS_DGA_DOMAIN, name); + ndpi_set_risk(flow, NDPI_SUSPICIOUS_DGA_DOMAIN, name); return(rc); } @@ -10852,6 +10865,11 @@ static ndpi_cfg_error _set_param_enable_disable(struct ndpi_detection_module_str const char *proto) { int *variable = (int *)_variable; + (void)ndpi_str; + (void)min_value; + (void)max_value; + (void)proto; + if(strcmp(value, "1") == 0 || strcmp(value, "enable") == 0) { *variable = 1; @@ -10877,6 +10895,9 @@ static ndpi_cfg_error _set_param_int(struct ndpi_detection_module_struct *ndpi_s const char *errstrp; long val; + (void)ndpi_str; + (void)proto; + val = ndpi_strtonum(value, LONG_MIN, LONG_MAX, &errstrp, 0); if(errstrp) { return NDPI_CFG_INVALID_PARAM; 
@@ -10898,6 +10919,8 @@ static ndpi_cfg_error _set_param_int(struct ndpi_detection_module_struct *ndpi_s static char *_get_param_int(void *_variable, const char *proto, char *buf, int buf_len) { int *variable = (int *)_variable; + (void)proto; + snprintf(buf, buf_len, "%d", *variable); buf[buf_len - 1] = '\0'; return buf; @@ -10908,6 +10931,8 @@ static char *_get_param_int(void *_variable, const char *proto, char *buf, int b static char *_get_param_string(void *_variable, const char *proto, char *buf, int buf_len) { char *variable = (char *)_variable; + (void)proto; + snprintf(buf, buf_len, "%s", variable); buf[buf_len - 1] = '\0'; return buf; @@ -10921,6 +10946,11 @@ static ndpi_cfg_error _set_param_filename(struct ndpi_detection_module_struct *n const char *proto) { char *variable = (char *)_variable; + (void)ndpi_str; + (void)min_value; + (void)max_value; + (void)proto; + if(value == NULL) { /* Valid value */ variable[0] = '\0'; return NDPI_CFG_OK; @@ -10985,6 +11015,10 @@ static ndpi_cfg_error _set_param_protocol_enable_disable(struct ndpi_detection_m NDPI_PROTOCOL_BITMASK *bitmask = (NDPI_PROTOCOL_BITMASK *)_variable; u_int16_t proto_id; + (void)ndpi_str; + (void)min_value; + (void)max_value; + if(strcmp(proto, "any") == 0 || strcmp(proto, "all") == 0 || strcmp(proto, "$PROTO_NAME_OR_ID") == 0) { @@ -11023,6 +11057,9 @@ static int clbk_only_with_global_ctx(struct ndpi_detection_module_struct *ndpi_s { int *variable = (int *)_variable; + (void)proto; + (void)param; + /* Integer set > 0 only if there is a global context */ if(*variable > 0 && !ndpi_str->g_ctx) { *variable = 0; diff --git a/src/lib/ndpi_serializer.c b/src/lib/ndpi_serializer.c index 639703f7e..137d18c2f 100644 --- a/src/lib/ndpi_serializer.c +++ b/src/lib/ndpi_serializer.c 
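Review bot: `_get_param_int` stores `buf[buf_len - 1] = '\0';` after `snprintf(buf, buf_len, ...)` with `buf_len` typed as `int`, so a zero or negative length would index before the buffer and would also convert to a huge size for snprintf. snprintf already terminates its output for any positive size, so the extra store adds only the hazard. A guard at the top, `if(buf == NULL || buf_len <= 0) return NULL;`, would make the contract explicit, provided callers tolerate a NULL result. `_get_param_string` in the next hunk has the same two lines. Whether any caller can pass such a length is not visible here.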
@@ -505,11 +505,13 @@ static inline void ndpi_serialize_single_float(ndpi_private_serializer *serializ /* ********************************** */ /* TODO: fix portability across platforms */ +#if 0 static inline void ndpi_serialize_single_double(ndpi_private_serializer *serializer, double s) { memcpy(&serializer->buffer.data[serializer->status.buffer.size_used], &s, sizeof(s)); serializer->status.buffer.size_used += sizeof(double); } +#endif /* ********************************** */ diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index fec1c7568..048f1572a 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -718,8 +718,7 @@ static inline int ndpi_is_valid_char(char c) { /* ******************************************************************** */ -static int ndpi_find_non_eng_bigrams(struct ndpi_detection_module_struct *ndpi_struct, - char *str) { +static int ndpi_find_non_eng_bigrams(char *str) { char s[3]; if((ndpi_isdigit(str[0]) && ndpi_isdigit(str[1])) @@ -737,8 +736,7 @@ static int ndpi_find_non_eng_bigrams(struct ndpi_detection_module_struct *ndpi_s /* #define PRINT_STRINGS 1 */ -int ndpi_has_human_readeable_string(struct ndpi_detection_module_struct *ndpi_struct, - char *buffer, u_int buffer_size, +int ndpi_has_human_readeable_string(char *buffer, u_int buffer_size, u_int8_t min_string_match_len, char *outbuf, u_int outbuf_len) { u_int ret = 0, i, do_cr = 0, len = 0, o_idx = 0, being_o_idx = 0; @@ -752,7 +750,7 @@ int ndpi_has_human_readeable_string(struct ndpi_detection_module_struct *ndpi_st for(i=0; i<buffer_size-2; i++) { if(ndpi_is_valid_char(buffer[i]) && ndpi_is_valid_char(buffer[i+1]) - && ndpi_find_non_eng_bigrams(ndpi_struct, &buffer[i])) { + && ndpi_find_non_eng_bigrams(&buffer[i])) { #ifdef PRINT_STRINGS printf("%c%c", buffer[i], buffer[i+1]); #endif 
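Review bot: `ndpi_serialize_single_double` is fenced with `#if 0` instead of being deleted, which leaves code that is never compiled or type-checked and will drift from the rest of the serializer. Its body copies `sizeof(s)` bytes to `buffer.data[size_used]` with no capacity check of its own, so anyone re-enabling it must be sure the caller reserved room first. Either remove the function or state that next to the existing TODO, e.g. `/* disabled: unused; caller must reserve sizeof(double) bytes before calling */`.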
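Review bot: In `ndpi_has_human_readeable_string` the context line `for(i=0; i<buffer_size-2; i++)` subtracts from an unsigned `u_int`, so a `buffer_size` of 0 or 1 wraps to a very large bound and the loop would read far past `buffer`. The lines between this hunk and the previous one are not shown, so a guard may already exist. If it does not, writing the condition as `i + 2 < buffer_size` removes the wrap without changing behaviour for valid sizes. The function body starts and ends outside the hunk.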
@@ -1130,7 +1128,7 @@ void ndpi_serialize_proto(struct ndpi_detection_module_struct *ndpi_struct, ndpi_serialize_risk(serializer, risk); ndpi_serialize_confidence(serializer, confidence); ndpi_serialize_string_string(serializer, "proto", ndpi_protocol2name(ndpi_struct, l7_protocol, buf, sizeof(buf))); - ndpi_serialize_string_string(serializer, "proto_id", ndpi_protocol2id(ndpi_struct, l7_protocol, buf, sizeof(buf))); + ndpi_serialize_string_string(serializer, "proto_id", ndpi_protocol2id(l7_protocol, buf, sizeof(buf))); ndpi_serialize_string_string(serializer, "proto_by_ip", ndpi_get_proto_name(ndpi_struct, l7_protocol.protocol_by_ip)); ndpi_serialize_string_uint32(serializer, "proto_by_ip_id", l7_protocol.protocol_by_ip); @@ -1138,7 +1136,7 @@ void ndpi_serialize_proto(struct ndpi_detection_module_struct *ndpi_struct, ndpi_protocol_breed_t breed = ndpi_get_proto_breed(ndpi_struct, (l7_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN ? l7_protocol.app_protocol : l7_protocol.master_protocol)); - ndpi_serialize_string_string(serializer, "breed", ndpi_get_proto_breed_name(ndpi_struct, breed)); + ndpi_serialize_string_string(serializer, "breed", ndpi_get_proto_breed_name(breed)); if(l7_protocol.category != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED) { ndpi_serialize_string_uint32(serializer, "category_id", l7_protocol.category); @@ -1883,8 +1881,7 @@ ndpi_risk_enum ndpi_validate_url(char *url) { /* ******************************************************************** */ -u_int8_t ndpi_is_protocol_detected(struct ndpi_detection_module_struct *ndpi_str, - ndpi_protocol proto) { +u_int8_t ndpi_is_protocol_detected(ndpi_protocol proto) { if((proto.master_protocol != NDPI_PROTOCOL_UNKNOWN) || (proto.app_protocol != NDPI_PROTOCOL_UNKNOWN) || (proto.category != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED)) 
@@ -2500,13 +2497,12 @@ void ndpi_handle_risk_exceptions(struct ndpi_detection_module_struct *ndpi_str, /* ******************************************************************** */ -void ndpi_set_risk(struct ndpi_detection_module_struct *ndpi_str, - struct ndpi_flow_struct *flow, ndpi_risk_enum r, +void ndpi_set_risk(struct ndpi_flow_struct *flow, ndpi_risk_enum r, char *risk_message) { if(!flow) return; /* Check if the risk is not yet set */ - if(!ndpi_isset_risk(ndpi_str, flow, r)) { + if(!ndpi_isset_risk(flow, r)) { ndpi_risk v = 1ull << r; /* In case there is an exception set, take it into account */ @@ -2557,9 +2553,8 @@ void ndpi_set_risk(struct ndpi_detection_module_struct *ndpi_str, /* ******************************************************************** */ -void ndpi_unset_risk(struct ndpi_detection_module_struct *ndpi_str, - struct ndpi_flow_struct *flow, ndpi_risk_enum r) { - if(ndpi_isset_risk(ndpi_str, flow, r)) { +void ndpi_unset_risk(struct ndpi_flow_struct *flow, ndpi_risk_enum r) { + if(ndpi_isset_risk(flow, r)) { u_int8_t i, j; ndpi_risk v = 1ull << r; @@ -2584,8 +2579,7 @@ void ndpi_unset_risk(struct ndpi_detection_module_struct *ndpi_str, /* ******************************************************************** */ -int ndpi_isset_risk(struct ndpi_detection_module_struct *ndpi_str, - struct ndpi_flow_struct *flow, ndpi_risk_enum r) { +int ndpi_isset_risk(struct ndpi_flow_struct *flow, ndpi_risk_enum r) { ndpi_risk v = 1ull << r; return(((flow->risk & v) == v) ? 1 : 0); diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c index d1c9dd323..f80bb0d36 100644 --- a/src/lib/protocols/bittorrent.c +++ b/src/lib/protocols/bittorrent.c 
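Review bot: ndpi_isset_risk() dereferences `flow->risk` without a NULL check, and ndpi_unset_risk() calls it as its first statement, while ndpi_set_risk() in the same file opens with `if(!flow) return;`. With the module pointer removed, `flow` is the only handle these public functions receive, so the three should agree: adding `if(!flow) return(0);` at the top of ndpi_isset_risk() also covers the call in ndpi_unset_risk(). Separately, `1ull << r` is undefined for `r >= 64`; whether ndpi_risk_enum can reach that value is not visible here, so a range check on `r` would be worth adding.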
@@ -509,8 +509,7 @@ static u_int8_t is_port(u_int16_t a, u_int16_t b, u_int16_t what) { /* ************************************* */ static void ndpi_skip_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - struct ndpi_packet_struct *packet) { + struct ndpi_flow_struct *flow) { if(search_into_bittorrent_cache(ndpi_struct, flow)) ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 0, NDPI_CONFIDENCE_DPI_CACHE); else @@ -553,7 +552,7 @@ static void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_str if((ntohs(packet->udp->source) < 1024) || (ntohs(packet->udp->dest) < 1024) /* High ports only */) { - ndpi_skip_bittorrent(ndpi_struct, flow, packet); + ndpi_skip_bittorrent(ndpi_struct, flow); return; } @@ -639,12 +638,12 @@ static void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_str return; } - ndpi_skip_bittorrent(ndpi_struct, flow, packet); + ndpi_skip_bittorrent(ndpi_struct, flow); } } if(flow->packet_counter > 8) { - ndpi_skip_bittorrent(ndpi_struct, flow, packet); + ndpi_skip_bittorrent(ndpi_struct, flow); } } diff --git a/src/lib/protocols/bjnp.c b/src/lib/protocols/bjnp.c index bf7e24b75..91277ecda 100644 --- a/src/lib/protocols/bjnp.c +++ b/src/lib/protocols/bjnp.c @@ -6,8 +6,7 @@ #include "ndpi_private.h" static void ndpi_int_bjnp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - u_int8_t due_to_correlation) { + struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BJNP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); } @@ -25,7 +24,7 @@ static void ndpi_check_bjnp(struct ndpi_detection_module_struct *ndpi_struct, st || (memcmp((const char *)packet->payload, "MFNP", 4) == 0) ) { NDPI_LOG_INFO(ndpi_struct, "found bjnp\n"); - ndpi_int_bjnp_add_connection(ndpi_struct, flow, 0); + ndpi_int_bjnp_add_connection(ndpi_struct, flow); return; } } 
diff --git a/src/lib/protocols/btlib.c b/src/lib/protocols/btlib.c index 7223167e8..ae3c1e365 100644 --- a/src/lib/protocols/btlib.c +++ b/src/lib/protocols/btlib.c @@ -154,7 +154,7 @@ static void print_safe_str(char *msg,bt_parse_data_cb_t *cbd) { #define STREQ(a,b) !strcmp(a,b) -void cb_data(bt_parse_data_cb_t *cbd,int *ret) { +void cb_data(bt_parse_data_cb_t *cbd) { struct bt_parse_protocol *p = &(cbd->p); const u_int8_t *s; const char *ss; @@ -432,7 +432,7 @@ const u_int8_t *bt_decode(const u_int8_t *b, size_t *l, int *ret, bt_parse_data_ do { b = bt_decode(b,l,ret,cbd); if(*ret < 0 || *l == 0) goto bad_data; - cb_data(cbd,ret); + cb_data(cbd); if(*ret < 0) goto bad_data; cbd->t = 0; } while (*b != 'e' && *l != 0); @@ -455,7 +455,7 @@ const u_int8_t *bt_decode(const u_int8_t *b, size_t *l, int *ret, bt_parse_data_ } b = bt_decode(b,l,ret,cbd); if(*ret < 0 || *l == 0) goto bad_data; - cb_data(cbd,ret); + cb_data(cbd); if(*ret < 0) goto bad_data; cbd->t = 0; *ls = 0; diff --git a/src/lib/protocols/can.c b/src/lib/protocols/can.c index fc12866a8..0f1e1e243 100644 --- a/src/lib/protocols/can.c +++ b/src/lib/protocols/can.c @@ -67,7 +67,7 @@ static void ndpi_search_can(struct ndpi_detection_module_struct *ndpi_struct, ndpi_int_can_add_connection(ndpi_struct, flow); if (can_header->version != 0x01) { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid CAN Header"); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid CAN Header"); } } diff --git a/src/lib/protocols/collectd.c b/src/lib/protocols/collectd.c index f9ec9a783..4e37a0768 100644 --- a/src/lib/protocols/collectd.c +++ b/src/lib/protocols/collectd.c 
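Review bot: After the `ret` argument is dropped, the `if(*ret < 0) goto bad_data;` that follows each `cb_data(cbd);` call in bt_decode() (the @@ -432 and @@ -455 hunks) can no longer observe anything cb_data() did: `*ret` was tested on the line before, and cb_data() has no way to write it unless `cbd` holds an alias that is not visible in these hunks. Either remove the stale check, or, if cb_data() is meant to reject malformed fields, give it a return value and test that with `if(cb_data(cbd) < 0) goto bad_data;`. As it stands the code reads as if callback errors stop the decode when they cannot. bt_decode()'s body continues outside both hunks.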
@@ -103,14 +103,13 @@ static int ndpi_int_collectd_check_type(u_int16_t block_type) static int ndpi_int_collectd_dissect_hostname(struct ndpi_flow_struct * const flow, struct ndpi_packet_struct const * const packet, - u_int16_t block_offset, u_int16_t block_length) + u_int16_t block_length) { return (ndpi_hostname_sni_set(flow, &packet->payload[4], block_length, NDPI_HOSTNAME_NORM_ALL) == NULL); } static int ndpi_int_collectd_dissect_username(struct ndpi_flow_struct * const flow, - struct ndpi_packet_struct const * const packet, - u_int16_t block_offset) + struct ndpi_packet_struct const * const packet) { u_int16_t username_length = ntohs(get_u_int16_t(packet->payload, 4)); @@ -134,7 +133,7 @@ static void ndpi_search_collectd(struct ndpi_detection_module_struct *ndpi_struc struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; u_int16_t num_blocks; u_int16_t block_offset = 0, block_type, block_length; - u_int16_t hostname_offset, hostname_length = 0; + u_int16_t hostname_length = 0; NDPI_LOG_DBG(ndpi_struct, "search collectd\n"); @@ -158,7 +157,6 @@ static void ndpi_search_collectd(struct ndpi_detection_module_struct *ndpi_struc * Dissect the hostname later, when we are sure that it is * the collectd protocol. */ - hostname_offset = block_offset; if(block_length > 4) hostname_length = block_length - 4; /* Ignore type and length fields */ } else if (block_type == COLELCTD_TYPE_ENCR_AES256) { @@ -169,7 +167,7 @@ static void ndpi_search_collectd(struct ndpi_detection_module_struct *ndpi_struc */ if (block_length != packet->payload_packet_len || block_length < COLLECTD_ENCR_AES256_MIN_BLOCK_SIZE || - ndpi_int_collectd_dissect_username(flow, packet, block_offset) != 0) + ndpi_int_collectd_dissect_username(flow, packet) != 0) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } else { 
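Review bot: ndpi_int_collectd_dissect_hostname() reads the name from the fixed position `&packet->payload[4]`, and removing `block_offset` makes that assumption permanent. ndpi_search_collectd() walks the packet with a running `block_offset`, so a hostname block that is not the first block would be dissected from the wrong bytes. The unused parameter looks like a missing use rather than a spare argument: consider keeping it and reading `&packet->payload[block_offset + 4]`, after checking that the offset plus the length passed in stays within `packet->payload_packet_len` (no such check is visible in these hunks). If the hostname block is guaranteed to come first, a comment saying so would document the hard-coded 4.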
@@ -187,10 +185,9 @@ static void ndpi_search_collectd(struct ndpi_detection_module_struct *ndpi_struc } if (hostname_length > 0 && - ndpi_int_collectd_dissect_hostname(flow, packet, hostname_offset, - hostname_length) != 0) + ndpi_int_collectd_dissect_hostname(flow, packet, hostname_length) != 0) { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid collectd Header"); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid collectd Header"); } ndpi_int_collectd_add_connection(ndpi_struct, flow); diff --git a/src/lib/protocols/dcerpc.c b/src/lib/protocols/dcerpc.c index edf8125f6..838d5f292 100644 --- a/src/lib/protocols/dcerpc.c +++ b/src/lib/protocols/dcerpc.c @@ -35,7 +35,7 @@ static void ndpi_int_dcerpc_add_connection(struct ndpi_detection_module_struct ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DCERPC, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); } -static bool is_connection_oriented_dcerpc(struct ndpi_packet_struct *packet, struct ndpi_flow_struct *flow) +static bool is_connection_oriented_dcerpc(struct ndpi_packet_struct *packet) { if((packet->tcp != NULL) && (packet->payload_packet_len >= 64) @@ -48,7 +48,7 @@ static bool is_connection_oriented_dcerpc(struct ndpi_packet_struct *packet, str return false; } -static bool is_connectionless_dcerpc(struct ndpi_packet_struct *packet, struct ndpi_flow_struct *flow) +static bool is_connectionless_dcerpc(struct ndpi_packet_struct *packet) { u_int16_t fragment_len; @@ -83,7 +83,7 @@ static void ndpi_search_dcerpc(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_packet_struct *packet = &ndpi_struct->packet; NDPI_LOG_DBG(ndpi_struct, "search DCERPC\n"); - if (is_connection_oriented_dcerpc(packet, flow) || is_connectionless_dcerpc(packet, flow)) { + if (is_connection_oriented_dcerpc(packet) || is_connectionless_dcerpc(packet)) { NDPI_LOG_INFO(ndpi_struct, "found DCERPC\n"); ndpi_int_dcerpc_add_connection(ndpi_struct, flow); return; 
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 95f3626c9..70b8cd451 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -44,8 +44,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, /* *********************************************** */ -static void ndpi_check_dns_type(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, +static void ndpi_check_dns_type(struct ndpi_flow_struct *flow, u_int16_t dns_type) { /* https://en.wikipedia.org/wiki/List_of_DNS_record_types */ @@ -93,7 +92,7 @@ static void ndpi_check_dns_type(struct ndpi_detection_module_struct *ndpi_struct case 106: case 107: case 259: - ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_SUSPICIOUS_TRAFFIC, "Obsolete DNS record type"); + ndpi_set_risk(flow, NDPI_DNS_SUSPICIOUS_TRAFFIC, "Obsolete DNS record type"); break; } } @@ -321,7 +320,7 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, x++; } } else { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid DNS Header"); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid DNS Header"); return(1 /* invalid */); } } else { @@ -351,10 +350,10 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, snprintf(str, sizeof(str), "DNS Error Code %s", dns_error_code2string(flow->protos.dns.reply_code, buf, sizeof(buf))); - ndpi_set_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED, str); + ndpi_set_risk(flow, NDPI_ERROR_CODE_DETECTED, str); } else { - if(ndpi_isset_risk(ndpi_struct, flow, NDPI_SUSPICIOUS_DGA_DOMAIN)) { - ndpi_set_risk(ndpi_struct, flow, NDPI_RISKY_DOMAIN, "DGA Name Query with no Error Code"); + if(ndpi_isset_risk(flow, NDPI_SUSPICIOUS_DGA_DOMAIN)) { + ndpi_set_risk(flow, NDPI_RISKY_DOMAIN, "DGA Name Query with no Error Code"); } } 
@@ -431,7 +430,7 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, rsp_ttl = ntohl(*((u_int32_t*)&packet->payload[x+2])); if(rsp_ttl == 0) - ndpi_set_risk(ndpi_struct, flow, NDPI_MINOR_ISSUES, "DNS Record with zero TTL"); + ndpi_set_risk(flow, NDPI_MINOR_ISSUES, "DNS Record with zero TTL"); #ifdef DNS_DEBUG printf("[DNS] TTL = %u\n", rsp_ttl); @@ -439,7 +438,7 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, #endif if(found == 0) { - ndpi_check_dns_type(ndpi_struct, flow, rsp_type); + ndpi_check_dns_type(flow, rsp_type); flow->protos.dns.rsp_type = rsp_type; } @@ -755,7 +754,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st #ifdef DNS_DEBUG printf("[DNS] Invalid query len [%u >= %u]\n", i+4, packet->payload_packet_len); #endif - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid DNS Query Lenght"); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid DNS Query Lenght"); break; } else { idx = i+5, num_queries++; @@ -767,7 +766,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st ndpi_hostname_sni_set(flow, (const u_int8_t *)_hostname, len, is_mdns ? NDPI_HOSTNAME_NORM_LC : NDPI_HOSTNAME_NORM_ALL); if (hostname_is_valid == 0) - ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, NULL); + ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, NULL); dot = strchr(_hostname, '.'); if(dot) { @@ -779,7 +778,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st and this might be an issue or indicate an exfiltration */ - ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_SUSPICIOUS_TRAFFIC, "Long DNS host name"); + ndpi_set_risk(flow, NDPI_DNS_SUSPICIOUS_TRAFFIC, "Long DNS host name"); } } 
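Review bot: In the @@ -431 hunk, `rsp_ttl = ntohl(*((u_int32_t*)&packet->payload[x+2]));` reads a 32-bit value through a cast of a byte pointer at an offset that follows a variable-length name, so the address is not guaranteed to be aligned and the access also breaks strict aliasing. Copying the bytes first avoids both problems: `memcpy(&rsp_ttl, &packet->payload[x+2], sizeof(rsp_ttl)); rsp_ttl = ntohl(rsp_ttl);`. The bounds check that must ensure `x+6` does not exceed the payload length is not visible in this hunk, and search_valid_dns() starts and ends outside it.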
@@ -867,7 +866,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st char str[48]; snprintf(str, sizeof(str), "%u Bytes DNS Packet", packet->payload_packet_len); - ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_LARGE_PACKET, str); + ndpi_set_risk(flow, NDPI_DNS_LARGE_PACKET, str); } if(packet->iph != NULL) { @@ -877,14 +876,14 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st /* 0: fragmented; 1: not fragmented */ if((flags & 0x20) || (iph_is_valid_and_not_fragmented(packet->iph, packet->l3_packet_len) == 0)) { - ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_FRAGMENTED, NULL); + ndpi_set_risk(flow, NDPI_DNS_FRAGMENTED, NULL); } } else if(packet->iphv6 != NULL) { /* IPv6 */ const struct ndpi_ip6_hdrctl *ip6_hdr = &packet->iphv6->ip6_hdr; if(ip6_hdr->ip6_un1_nxt == 0x2C /* Next Header: Fragment Header for IPv6 (44) */) { - ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_FRAGMENTED, NULL); + ndpi_set_risk(flow, NDPI_DNS_FRAGMENTED, NULL); } } } diff --git a/src/lib/protocols/dropbox.c b/src/lib/protocols/dropbox.c index eed06d4d5..2ac2f7d8a 100644 --- a/src/lib/protocols/dropbox.c +++ b/src/lib/protocols/dropbox.c @@ -32,8 +32,7 @@ #define DB_LSP_PORT 17500 static void ndpi_int_dropbox_add_connection(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - u_int8_t due_to_correlation) { + struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DROPBOX, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); } @@ -49,7 +48,7 @@ static void ndpi_check_dropbox(struct ndpi_detection_module_struct *ndpi_struct, if(payload_len > 10) { if(ndpi_strnstr((const char *)packet->payload, "\"host_int\"", payload_len) != NULL) { NDPI_LOG_INFO(ndpi_struct, "found dropbox\n"); - ndpi_int_dropbox_add_connection(ndpi_struct, flow, 0); + ndpi_int_dropbox_add_connection(ndpi_struct, flow); return; } } 
@@ -57,7 +56,7 @@ static void ndpi_check_dropbox(struct ndpi_detection_module_struct *ndpi_struct, if(payload_len > 10) { if(ndpi_strnstr((const char *)packet->payload, "Bus17Cmd", payload_len) != NULL) { NDPI_LOG_INFO(ndpi_struct, "found dropbox\n"); - ndpi_int_dropbox_add_connection(ndpi_struct, flow, 0); + ndpi_int_dropbox_add_connection(ndpi_struct, flow); return; } } diff --git a/src/lib/protocols/fastcgi.c b/src/lib/protocols/fastcgi.c index 6a1baa758..a9f9113d3 100644 --- a/src/lib/protocols/fastcgi.c +++ b/src/lib/protocols/fastcgi.c @@ -204,7 +204,7 @@ static void ndpi_search_fastcgi(struct ndpi_detection_module_struct *ndpi_struct if (fcgi_parse_params(flow, packet) != 0) { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid FastCGI PARAMS header"); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid FastCGI PARAMS header"); ndpi_int_fastcgi_add_connection(ndpi_struct, flow, NULL); } else { ndpi_match_host_subprotocol(ndpi_struct, flow, @@ -218,10 +218,10 @@ static void ndpi_search_fastcgi(struct ndpi_detection_module_struct *ndpi_struct char str[128]; snprintf(str, sizeof(str), "Invalid host %s", flow->host_server_name); - ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, str); + ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, str); /* This looks like an attack */ - ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, NULL); + ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, NULL); } ndpi_int_fastcgi_add_connection(ndpi_struct, flow, &ret_match); } diff --git a/src/lib/protocols/ftp_control.c b/src/lib/protocols/ftp_control.c index ce7903397..7118ff295 100644 --- a/src/lib/protocols/ftp_control.c +++ b/src/lib/protocols/ftp_control.c 
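Review bot: In the @@ -218 hunk of fastcgi.c, the host name that has just been flagged as invalid is copied verbatim into the risk message by `snprintf(str, sizeof(str), "Invalid host %s", flow->host_server_name);`. That text comes from the peer and presumably contains characters outside the accepted set, so it can carry control or quote characters into whatever consumes the risk string (logs, JSON output, a terminal); whether ndpi_set_risk() or the serializers escape it is not visible here. Consider replacing non-printable bytes before formatting, or reporting only the length and the first offending byte in hex. The same pattern appears in http.c in the @@ -963 hunk and in the `"UA %s"` messages of ndpi_check_user_agent().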
@@ -42,8 +42,7 @@ static void ndpi_int_ftp_control_add_connection(struct ndpi_detection_module_str /* *************************************************************** */ -static int ndpi_ftp_control_check_request(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, +static int ndpi_ftp_control_check_request(struct ndpi_flow_struct *flow, const u_int8_t *payload, size_t payload_len) { #ifdef FTP_DEBUG @@ -59,7 +58,7 @@ static int ndpi_ftp_control_check_request(struct ndpi_detection_module_struct *n snprintf(buf, sizeof(buf), "Found FTP username (%s)", flow->l4.tcp.ftp_imap_pop_smtp.username); - ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); + ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); return 1; } @@ -555,8 +554,7 @@ static int ndpi_ftp_control_check_request(struct ndpi_detection_module_struct *n /* *************************************************************** */ static int ndpi_ftp_control_check_response(struct ndpi_flow_struct *flow, - const u_int8_t *payload, - size_t payload_len) { + const u_int8_t *payload) { #ifdef FTP_DEBUG printf("%s() [%.*s]\n", __FUNCTION__, (int)payload_len, payload); #endif @@ -604,8 +602,8 @@ static void ndpi_check_ftp_control(struct ndpi_detection_module_struct *ndpi_str if(flow->ftp_control_stage == 0) { NDPI_LOG_DBG2(ndpi_struct, "FTP_CONTROL stage 0: \n"); - if((payload_len > 0) && ndpi_ftp_control_check_request(ndpi_struct, - flow, packet->payload, payload_len)) { + if((payload_len > 0) && ndpi_ftp_control_check_request(flow, + packet->payload, payload_len)) { NDPI_LOG_DBG2(ndpi_struct, "Possible FTP_CONTROL request detected, we will look further for the response..\n"); 
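Review bot: The debug line under `#ifdef FTP_DEBUG` in ndpi_ftp_control_check_response() still formats with `(int)payload_len`, but the @@ -555 hunk removes the `payload_len` parameter, so a build with FTP_DEBUG defined no longer compiles. Either keep the parameter and silence the warning with `(void)payload_len;` in the non-debug path, or change the debug print so it does not need the length, for example `printf("%s() [%c]\n", __FUNCTION__, payload[0]);`. Keeping the length is the safer choice for a function that parses packet bytes, because the callee then has what it needs to bound its own reads; the rest of the body is outside the hunk.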
@@ -627,7 +625,7 @@ static void ndpi_check_ftp_control(struct ndpi_detection_module_struct *ndpi_str } /* This is a packet in another direction. Check if we find the proper response. */ - if((payload_len > 0) && ndpi_ftp_control_check_response(flow, packet->payload, payload_len)) { + if((payload_len > 0) && ndpi_ftp_control_check_response(flow, packet->payload)) { NDPI_LOG_INFO(ndpi_struct, "found FTP_CONTROL\n"); #ifdef FTP_DEBUG diff --git a/src/lib/protocols/ftp_data.c b/src/lib/protocols/ftp_data.c index 567669e3d..048097156 100644 --- a/src/lib/protocols/ftp_data.c +++ b/src/lib/protocols/ftp_data.c @@ -34,7 +34,7 @@ static void ndpi_int_ftp_data_add_connection(struct ndpi_detection_module_struct ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_FTP_DATA, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); } -static int ndpi_match_ftp_data_port(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { +static int ndpi_match_ftp_data_port(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; /* Check connection over TCP */ @@ -46,7 +46,7 @@ static int ndpi_match_ftp_data_port(struct ndpi_detection_module_struct *ndpi_st return 0; } -static int ndpi_match_ftp_data_directory(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { +static int ndpi_match_ftp_data_directory(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int32_t payload_len = packet->payload_packet_len; @@ -70,7 +70,7 @@ static int ndpi_match_ftp_data_directory(struct ndpi_detection_module_struct *nd return 0; } -static int ndpi_match_file_header(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { +static int ndpi_match_file_header(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int32_t payload_len = packet->payload_packet_len; 
@@ -235,9 +235,9 @@ static void ndpi_check_ftp_data(struct ndpi_detection_module_struct *ndpi_struct */ if(ndpi_seen_flow_beginning(flow)) { if((packet->payload_packet_len > 0) - && (ndpi_match_file_header(ndpi_struct, flow) - || ndpi_match_ftp_data_directory(ndpi_struct, flow) - || ndpi_match_ftp_data_port(ndpi_struct, flow) + && (ndpi_match_file_header(ndpi_struct) + || ndpi_match_ftp_data_directory(ndpi_struct) + || ndpi_match_ftp_data_port(ndpi_struct) ) ) { NDPI_LOG_INFO(ndpi_struct, "found FTP_DATA request\n"); diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 8e4c60a5f..8c3da111c 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -68,7 +68,7 @@ static void ndpi_set_binary_application_transfer(struct ndpi_detection_module_st ) ; else - ndpi_set_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER, msg); + ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER, msg); } /* *********************************************** */ @@ -160,7 +160,7 @@ static void ndpi_http_check_human_redeable_content(struct ndpi_detection_module_ snprintf(str, sizeof(str), "Susp content %02X%02X%02X%02X", content[0], content[1], content[2], content[3]); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_CONTENT, str); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_CONTENT, str); } } } @@ -198,7 +198,7 @@ static void ndpi_validate_http_content(struct ndpi_detection_module_struct *ndpi /* Final checks */ - if(ndpi_isset_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER) + if(ndpi_isset_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER) && flow->http.user_agent && flow->http.content_type) { if(((strncmp((const char *)flow->http.user_agent, "Java/", 5) == 0)) && 
@@ -209,7 +209,7 @@ static void ndpi_validate_http_content(struct ndpi_detection_module_struct *ndpi https://corelight.com/blog/detecting-log4j-exploits-via-zeek-when-java-downloads-java */ - ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "Suspicious Log4J"); + ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, "Suspicious Log4J"); } } @@ -217,7 +217,7 @@ static void ndpi_validate_http_content(struct ndpi_detection_module_struct *ndpi } if((flow->http.user_agent == NULL) || (flow->http.user_agent[0] == '\0')) - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, "Empty or missing User-Agent"); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, "Empty or missing User-Agent"); } /* *********************************************** */ @@ -391,8 +391,7 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd /* ************************************************************* */ -static void setHttpUserAgent(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, char *ua) { +static void setHttpUserAgent(struct ndpi_flow_struct *flow, char *ua) { if( !strcmp(ua, "Windows NT 5.0")) ua = "Windows 2000"; else if(!strcmp(ua, "Windows NT 5.1")) ua = "Windows XP"; else if(!strcmp(ua, "Windows NT 5.2")) ua = "Windows Server 2003"; @@ -427,7 +426,7 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp if(packet->server_line.len > 7 && strncmp((const char *)packet->server_line.ptr, "ntopng ", 7) == 0) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NTOP, NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI); - ndpi_unset_risk(ndpi_struct, flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT); + ndpi_unset_risk(flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT); } /* Matching on Content-Type. 
@@ -529,7 +528,7 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp (strstr(flow->http.url, "delivery.mp.microsoft.com/") || strstr(flow->http.url, "download.windowsupdate.com/")) && strstr(flow->http.user_agent, "Microsoft-Delivery-Optimization/") && - ndpi_isset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST)) { + ndpi_isset_risk(flow, NDPI_NUMERIC_IP_HOST)) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WINDOWS_UPDATE, master_protocol, NDPI_CONFIDENCE_DPI); } @@ -560,8 +559,7 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp /* ************************************************************* */ -static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, +static void ndpi_check_user_agent(struct ndpi_flow_struct *flow, char const *ua, size_t ua_len) { char *double_slash; @@ -595,7 +593,7 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru char str[64]; snprintf(str, sizeof(str), "UA %s", ua); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, str); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, str); } } } @@ -606,7 +604,7 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru char str[64]; snprintf(str, sizeof(str), "UA %s", ua); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, str); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, str); } if((double_slash = strstr(ua, "://")) != NULL) { 
@@ -616,14 +614,14 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru char str[64]; snprintf(str, sizeof(str), "UA %s", ua); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, str); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, str); } } } /* no else */ if(!strncmp(ua, "jndi:ldap://", 12)) /* Log4J */ { - ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "Suspicious Log4J"); + ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, "Suspicious Log4J"); } else if( (ua_len < 4) /* Too short */ || (ua_len > 256) /* Too long */ @@ -631,7 +629,7 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru || strchr(ua, '{') || strchr(ua, '}') ) { - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, "Suspicious Log4J"); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, "Suspicious Log4J"); } /* @@ -648,7 +646,7 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru snprintf(str, sizeof(str), "UA %s", ua); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_CRAWLER_BOT, str); + ndpi_set_risk(flow, NDPI_HTTP_CRAWLER_BOT, str); } } @@ -710,15 +708,15 @@ void http_process_user_agent(struct ndpi_detection_module_struct *ndpi_struct, } if(token) - setHttpUserAgent(ndpi_struct, flow, token); + setHttpUserAgent(flow, token); } } } } if(ndpi_user_agent_set(flow, ua_ptr, ua_ptr_len) != NULL) { - ndpi_unset_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT); - ndpi_check_user_agent(ndpi_struct, flow, flow->http.user_agent, ua_ptr_len); + ndpi_unset_risk(flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT); + ndpi_check_user_agent(flow, flow->http.user_agent, ua_ptr_len); } else { NDPI_LOG_DBG2(ndpi_struct, "Could not set HTTP user agent (already set?)\n"); } 
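Review bot: In the @@ -631 hunk, the branch that fires for a User-Agent that is too short, too long, or contains `{` or `}` sets NDPI_HTTP_SUSPICIOUS_USER_AGENT with the message `"Suspicious Log4J"`, the same text the `jndi:ldap://` branch uses for NDPI_POSSIBLE_EXPLOIT. Someone triaging the risk string cannot tell a three-byte User-Agent from an actual JNDI lookup string. A message that names the real trigger would be clearer, for example `ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, "Suspicious User-Agent length or characters");`. ndpi_check_user_agent() starts and ends outside this hunk.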
@@ -729,8 +727,7 @@ void http_process_user_agent(struct ndpi_detection_module_struct *ndpi_struct, /* ************************************************************* */ -static void ndpi_check_numeric_ip(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, +static void ndpi_check_numeric_ip(struct ndpi_flow_struct *flow, char *ip, u_int ip_len) { char buf[22], *double_dot; struct in_addr ip_addr; @@ -746,21 +743,20 @@ static void ndpi_check_numeric_ip(struct ndpi_detection_module_struct *ndpi_stru char str[64]; snprintf(str, sizeof(str), "Found host %s", buf); - ndpi_set_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST, str); + ndpi_set_risk(flow, NDPI_NUMERIC_IP_HOST, str); } } /* ************************************************************* */ -static void ndpi_check_http_url(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, +static void ndpi_check_http_url(struct ndpi_flow_struct *flow, char *url) { if(strstr(url, "<php>") != NULL /* PHP code in the URL */) - ndpi_set_risk(ndpi_struct, flow, NDPI_URL_POSSIBLE_RCE_INJECTION, "PHP code in URL"); + ndpi_set_risk(flow, NDPI_URL_POSSIBLE_RCE_INJECTION, "PHP code in URL"); else if(strncmp(url, "/shell?", 7) == 0) - ndpi_set_risk(ndpi_struct, flow, NDPI_URL_POSSIBLE_RCE_INJECTION, "Possible WebShell detected"); + ndpi_set_risk(flow, NDPI_URL_POSSIBLE_RCE_INJECTION, "Possible WebShell detected"); else if(strncmp(url, "/.", 2) == 0) - ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "URL starting with dot"); + ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, "URL starting with dot"); } /* ************************************************************* */ 
@@ -768,8 +764,7 @@ static void ndpi_check_http_url(struct ndpi_detection_module_struct *ndpi_struct #define MIN_APACHE_VERSION 2004000 /* 2.4.X [https://endoflife.date/apache] */ #define MIN_NGINX_VERSION 1022000 /* 1.22.0 [https://endoflife.date/nginx] */ -static void ndpi_check_http_server(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, +static void ndpi_check_http_server(struct ndpi_flow_struct *flow, const char *server, u_int server_len) { if(server[0] != '\0') { if(server_len > 7) { @@ -790,10 +785,10 @@ static void ndpi_check_http_server(struct ndpi_detection_module_struct *ndpi_str if((off == 7) && (version < MIN_APACHE_VERSION)) { snprintf(msg, sizeof(msg), "Obsolete Apache server %s", buf); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_OBSOLETE_SERVER, msg); + ndpi_set_risk(flow, NDPI_HTTP_OBSOLETE_SERVER, msg); } else if((off == 6) && (version < MIN_NGINX_VERSION)) { snprintf(msg, sizeof(msg), "Obsolete nginx server %s", buf); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_OBSOLETE_SERVER, msg); + ndpi_set_risk(flow, NDPI_HTTP_OBSOLETE_SERVER, msg); } } } @@ -801,7 +796,7 @@ static void ndpi_check_http_server(struct ndpi_detection_module_struct *ndpi_str /* Check server content */ for(i=0; i<server_len; i++) { if(!ndpi_isprint(server[i])) { - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, "Suspicious Agent"); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, "Suspicious Agent"); break; } } @@ -828,7 +823,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ if(ndpi_isdigit(packet->host_line.ptr[0]) && (packet->host_line.len < 21)) - ndpi_check_numeric_ip(ndpi_struct, flow, (char*)packet->host_line.ptr, packet->host_line.len); + ndpi_check_numeric_ip(flow, (char*)packet->host_line.ptr, packet->host_line.len); flow->http.url = ndpi_malloc(len); if(flow->http.url) { 
@@ -859,7 +854,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ flow->http.url[offset] = '\0'; } - ndpi_check_http_url(ndpi_struct, flow, &flow->http.url[host_end]); + ndpi_check_http_url(flow, &flow->http.url[host_end]); } } @@ -868,7 +863,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ (u_int16_t)packet->http_method.len); if(packet->server_line.ptr != NULL) - ndpi_check_http_server(ndpi_struct, flow, (const char *)packet->server_line.ptr, packet->server_line.len); + ndpi_check_http_server(flow, (const char *)packet->server_line.ptr, packet->server_line.len); if(packet->user_agent_line.ptr != NULL) { http_process_user_agent(ndpi_struct, flow, packet->user_agent_line.ptr, packet->user_agent_line.len); @@ -905,7 +900,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ "Basic", packet->authorization_line.len) || ndpi_strncasestr((const char*)packet->authorization_line.ptr, "Digest", packet->authorization_line.len)) { - ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, + ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found credentials in HTTP Auth Line"); } } @@ -963,10 +958,10 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ char str[128]; snprintf(str, sizeof(str), "Invalid host %s", flow->host_server_name); - ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, str); + ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, str); /* This looks like an attack */ - ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, NULL); + ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, NULL); } double_col = strchr((char*)flow->host_server_name, ':'); 
@@ -980,7 +975,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ snprintf(msg, sizeof(msg), "Expected %s, found %s", ndpi_intoav4(ntohl(ndpi_struct->packet.iph->daddr), buf, sizeof(buf)), flow->host_server_name); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, msg); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, msg); } } } @@ -1038,7 +1033,7 @@ static struct l_string { }; static const char *http_fs = "CDGHOPR"; -static u_int16_t http_request_url_offset(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) +static u_int16_t http_request_url_offset(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; unsigned int i; @@ -1117,7 +1112,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str char str[64]; snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); return; } break; @@ -1126,7 +1121,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str char str[64]; snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); return; } break; @@ -1135,7 +1130,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str char str[64]; snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); return; } break; 
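Review bot: The block that builds `"Found %.*s"` into `char str[64]` and raises NDPI_HTTP_SUSPICIOUS_HEADER is repeated nine times in ndpi_check_http_header (hunks -1117 through -1189), and this commit had to touch every copy by hand. One static helper would leave a single place to change the message, the buffer size or any escaping of the header text, which matters because the text comes from the packet. The parameter types below are taken from how `packet->line[a].ptr` and `.len` are passed to get_credentials_auth_plain in mail_smtp.c and should be confirmed against the struct definition. The switch that contains these blocks lies outside the hunks.

```c
/* Report one suspicious header line; snprintf truncates it to fit str. */
static void ndpi_set_suspicious_header_risk(struct ndpi_flow_struct *flow,
                                            const u_int8_t *line, u_int16_t line_len) {
  char str[64];

  snprintf(str, sizeof(str), "Found %.*s", line_len, line);
  ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str);
}

/* … unchanged: header-name matching in ndpi_check_http_header … */
	  ndpi_set_suspicious_header_risk(flow, packet->line[i].ptr, packet->line[i].len);
	  return;
```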
@@ -1144,7 +1139,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str char str[64]; snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); return; } break; @@ -1153,7 +1148,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str char str[64]; snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); return; } break; @@ -1162,7 +1157,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str char str[64]; snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); return; } break; @@ -1171,7 +1166,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str char str[64]; snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); return; } break; @@ -1180,7 +1175,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str char str[64]; snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); return; } break; 
@@ -1189,7 +1184,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str char str[64]; snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); return; } @@ -1219,7 +1214,7 @@ static void parse_response_code(struct ndpi_detection_module_struct *ndpi_struct if(flow->http.response_status_code >= 400) { snprintf(ec, sizeof(ec), "HTTP Error Code %u", flow->http.response_status_code); - ndpi_set_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED, ec); + ndpi_set_risk(flow, NDPI_ERROR_CODE_DETECTED, ec); if(flow->http.url != NULL) { /* Let's check for Wordpress */ @@ -1230,19 +1225,18 @@ static void parse_response_code(struct ndpi_detection_module_struct *ndpi_struct || ((flow->http.method == NDPI_HTTP_METHOD_GET) && (strncmp(slash, "/wp-content/uploads/", 20) == 0)) )) { /* Example of popular exploits https://www.wordfence.com/blog/2022/05/millions-of-attacks-target-tatsu-builder-plugin/ */ - ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "Possible Wordpress Exploit"); + ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, "Possible Wordpress Exploit"); } } } } } -static int is_request(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { +static int is_request(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int16_t filename_start; - filename_start = http_request_url_offset(ndpi_struct, flow); + filename_start = http_request_url_offset(ndpi_struct); /* This check is required as RTSP is pretty similiar to HTTP */ if(filename_start > 0 && strncasecmp((const char *)packet->payload + filename_start, 
@@ -1251,8 +1245,7 @@ static int is_request(struct ndpi_detection_module_struct *ndpi_struct, return filename_start; } -static int is_response(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { +static int is_response(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; if(packet->payload_packet_len >= 7 && strncasecmp((const char *)packet->payload, "HTTP/1.", 7) == 0) @@ -1309,7 +1302,7 @@ static void process_request(struct ndpi_detection_module_struct *ndpi_struct, if(flow->http.user_agent == NULL || flow->http.user_agent[0] == '\0') { - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, "Empty or missing User-Agent"); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, "Empty or missing User-Agent"); } } @@ -1324,7 +1317,7 @@ static void process_response(struct ndpi_detection_module_struct *ndpi_struct, } static void reset(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { + struct ndpi_flow_struct *flow) { NDPI_LOG_DBG2(ndpi_struct, "Reset status and risks\n"); 
@@ -1371,19 +1364,19 @@ static void reset(struct ndpi_detection_module_struct *ndpi_struct, /* Reset flow risks. We should reset only those risks triggered by the previous HTTP response... */ /* TODO */ - ndpi_unset_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER); - ndpi_unset_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_CONTENT); - ndpi_unset_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT); - ndpi_unset_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT); - ndpi_unset_risk(ndpi_struct, flow, NDPI_HTTP_CRAWLER_BOT); - ndpi_unset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST); - ndpi_unset_risk(ndpi_struct, flow, NDPI_URL_POSSIBLE_RCE_INJECTION); - ndpi_unset_risk(ndpi_struct, flow, NDPI_HTTP_OBSOLETE_SERVER); - ndpi_unset_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS); - ndpi_unset_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS); - ndpi_unset_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER); - ndpi_unset_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED); - ndpi_unset_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET); + ndpi_unset_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER); + ndpi_unset_risk(flow, NDPI_HTTP_SUSPICIOUS_CONTENT); + ndpi_unset_risk(flow, NDPI_POSSIBLE_EXPLOIT); + ndpi_unset_risk(flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT); + ndpi_unset_risk(flow, NDPI_HTTP_CRAWLER_BOT); + ndpi_unset_risk(flow, NDPI_NUMERIC_IP_HOST); + ndpi_unset_risk(flow, NDPI_URL_POSSIBLE_RCE_INJECTION); + ndpi_unset_risk(flow, NDPI_HTTP_OBSOLETE_SERVER); + ndpi_unset_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS); + ndpi_unset_risk(flow, NDPI_INVALID_CHARACTERS); + ndpi_unset_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER); + ndpi_unset_risk(flow, NDPI_ERROR_CODE_DETECTED); + ndpi_unset_risk(flow, NDPI_MALFORMED_PACKET); } static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct, 
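Review bot: reset() clears thirteen risks unconditionally, including NDPI_POSSIBLE_EXPLOIT and NDPI_CLEAR_TEXT_CREDENTIALS, and the TODO above the calls already concedes that this is broader than intended. For a consumer that reads the risk set only when the flow ends, findings raised by an earlier request on the same connection are no longer there. When reset() runs is outside this hunk, so the impact depends on the caller. Until the TODO is resolved I would spell the consequence out next to it, e.g. `/* NOTE: risks raised by earlier requests on this flow are lost here; export them before reset() if they must be kept */`.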
@@ -1393,13 +1386,13 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct NDPI_LOG_DBG(ndpi_struct, "http_stage %d dir %d req/res %d/%d\n", flow->l4.tcp.http_stage, packet->packet_direction, - is_request(ndpi_struct, flow), is_response(ndpi_struct, flow)); + is_request(ndpi_struct), is_response(ndpi_struct)); if(flow->l4.tcp.http_stage == 0) { /* Start: waiting for (the beginning of) a request */ - filename_start = is_request(ndpi_struct, flow); + filename_start = is_request(ndpi_struct); if(filename_start == 0) { /* Flow starting with a response? */ - if(is_response(ndpi_struct, flow)) { + if(is_response(ndpi_struct)) { NDPI_LOG_DBG2(ndpi_struct, "Response where a request were expected\n"); /* This is tricky. Two opposing goals: 1) We want to correctly match request with response!! -> Skip this response @@ -1436,7 +1429,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct /* Another pkt from the same direction (probably another fragment of the request) Keep lookng for the response */ NDPI_LOG_DBG2(ndpi_struct, "Another piece of request\n"); - filename_start = is_request(ndpi_struct, flow); + filename_start = is_request(ndpi_struct); if(filename_start > 0) { /* Probably a new, separated request (asymmetric flow or missing pkts?). What should we do? We definitely don't want to mix data from different @@ -1452,7 +1445,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct ndpi_parse_packet_line_info(ndpi_struct, flow); check_content_type_and_change_protocol(ndpi_struct, flow); return; - } else if(is_response(ndpi_struct, flow)) { + } else if(is_response(ndpi_struct)) { NDPI_LOG_DBG2(ndpi_struct, "Response where expected\n"); process_response(ndpi_struct, flow); 
@@ -1469,7 +1462,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct /* Another pkt from the same direction (probably another fragment of the response) Keep lookng for the request */ NDPI_LOG_DBG2(ndpi_struct, "Another piece of response\n"); - if(is_response(ndpi_struct, flow)) { + if(is_response(ndpi_struct)) { /* See the comment above about how we handle consecutive requests/responses */ if(flow->l4.tcp.http_asymmetric_stage < 2) flow->l4.tcp.http_asymmetric_stage++; @@ -1525,8 +1518,7 @@ static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struc /* ********************************* */ -ndpi_http_method ndpi_get_http_method(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { +ndpi_http_method ndpi_get_http_method(struct ndpi_flow_struct *flow) { if(!flow) { return(NDPI_HTTP_METHOD_UNKNOWN); } else @@ -1535,8 +1527,7 @@ ndpi_http_method ndpi_get_http_method(struct ndpi_detection_module_struct *ndpi_ /* ********************************* */ -char* ndpi_get_http_url(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { +char* ndpi_get_http_url(struct ndpi_flow_struct *flow) { if((!flow) || (!flow->http.url)) return(""); else @@ -1545,8 +1536,7 @@ char* ndpi_get_http_url(struct ndpi_detection_module_struct *ndpi_struct, /* ********************************* */ -char* ndpi_get_http_content_type(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { +char* ndpi_get_http_content_type(struct ndpi_flow_struct *flow) { if((!flow) || (!flow->http.content_type)) return(""); else diff --git a/src/lib/protocols/icecast.c b/src/lib/protocols/icecast.c index b910e2628..38967a781 100644 --- a/src/lib/protocols/icecast.c +++ b/src/lib/protocols/icecast.c 
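Review bot: Removing the first parameter from the exported getters ndpi_get_http_method, ndpi_get_http_url and ndpi_get_http_content_type (hunks -1525, -1535, -1545) changes their calling convention, and nothing in these hunks marks that for users of the library. C code built against the updated header simply fails to compile, which is the safe outcome. A binding or pre-built caller that still passes the detection module first would have that pointer read as a `struct ndpi_flow_struct *`. If the project tracks an API version it should be bumped together with this change, and the declarations should carry a note such as `/* API change: the ndpi_struct argument was removed, pass only the flow */`.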
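Review bot: ndpi_get_http_url (hunk -1535) returns the literal `""` through a non-const `char*` when the flow or its URL is missing, so a caller that writes through the result would modify a string literal, which is undefined behaviour. Since the signature is being changed anyway, `const char* ndpi_get_http_url(struct ndpi_flow_struct *flow) {` would let the compiler reject such writes. ndpi_get_http_content_type in the next hunk has the same shape and would take the same change. The else branches of both functions lie outside the hunks.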
@@ -44,7 +44,7 @@ static void ndpi_search_icecast_tcp(struct ndpi_detection_module_struct *ndpi_st if((packet->payload_packet_len < 500 && packet->payload_packet_len >= 7 && memcmp(packet->payload, "SOURCE ", 7) == 0) || flow->l4.tcp.icecast_stage) { - ndpi_parse_packet_line_info_any(ndpi_struct, flow); + ndpi_parse_packet_line_info_any(ndpi_struct); NDPI_LOG_DBG2(ndpi_struct, "Icecast lines=%d\n", packet->parsed_lines); for (i = 0; i < packet->parsed_lines; i++) { if(packet->line[i].ptr != NULL && packet->line[i].len > 4 diff --git a/src/lib/protocols/ipsec.c b/src/lib/protocols/ipsec.c index fdd08cb6f..9a3e519df 100644 --- a/src/lib/protocols/ipsec.c +++ b/src/lib/protocols/ipsec.c @@ -43,7 +43,7 @@ static void ndpi_int_ipsec_add_connection(struct ndpi_detection_module_struct * return; case ISAKMP_MALFORMED: NDPI_LOG_INFO(ndpi_struct, "found malformed ISAKMP (UDP)\n"); - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid IPSec/ISAKMP Header"); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid IPSec/ISAKMP Header"); break; case ISAKMP_V1: NDPI_LOG_INFO(ndpi_struct, "found ISAKMPv1 (UDP)\n"); diff --git a/src/lib/protocols/irc.c b/src/lib/protocols/irc.c index 354e27fd1..c316a557c 100644 --- a/src/lib/protocols/irc.c +++ b/src/lib/protocols/irc.c @@ -35,7 +35,7 @@ static void ndpi_int_irc_add_connection(struct ndpi_detection_module_struct *ndp ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_IRC, NDPI_PROTOCOL_UNKNOWN, confidence); } -static u_int8_t ndpi_check_for_NOTICE_or_PRIVMSG(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) +static u_int8_t ndpi_check_for_NOTICE_or_PRIVMSG(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; 
@@ -60,7 +60,7 @@ static u_int8_t ndpi_check_for_NOTICE_or_PRIVMSG(struct ndpi_detection_module_st } -static u_int8_t ndpi_check_for_Nickname(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) +static u_int8_t ndpi_check_for_Nickname(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int16_t i, packetl = packet->payload_packet_len; @@ -82,7 +82,7 @@ static u_int8_t ndpi_check_for_Nickname(struct ndpi_detection_module_struct *ndp return 0; } -static u_int8_t ndpi_check_for_cmd(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) +static u_int8_t ndpi_check_for_cmd(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int16_t i; @@ -369,7 +369,7 @@ static void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct if (memcmp(packet->payload, ":", 1) == 0) { if (packet->payload[packet->payload_packet_len - 2] != 0x0d && packet->payload[packet->payload_packet_len - 1] == 0x0a) { - ndpi_parse_packet_line_info_any(ndpi_struct, flow); + ndpi_parse_packet_line_info_any(ndpi_struct); } else if (packet->payload[packet->payload_packet_len - 2] == 0x0d) { ndpi_parse_packet_line_info(ndpi_struct, flow); } else { @@ -396,7 +396,7 @@ static void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct if ((memcmp(packet->payload, "USER ", 5) == 0) || (memcmp(packet->payload, "NICK ", 5) == 0) || (memcmp(packet->payload, "PASS ", 5) == 0) - || (memcmp(packet->payload, ":", 1) == 0 && ndpi_check_for_NOTICE_or_PRIVMSG(ndpi_struct, flow) != 0) + || (memcmp(packet->payload, ":", 1) == 0 && ndpi_check_for_NOTICE_or_PRIVMSG(ndpi_struct) != 0) || (memcmp(packet->payload, "PONG ", 5) == 0) || (memcmp(packet->payload, "PING ", 5) == 0) || (memcmp(packet->payload, "JOIN ", 5) == 0) 
@@ -414,7 +414,7 @@ static void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct sp[0] = '\0'; snprintf(msg, sizeof(msg), "Found IRC username (%s)", buf); - ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, msg); + ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, msg); } NDPI_LOG_DBG2(ndpi_struct, @@ -450,7 +450,7 @@ static void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct } } else if (packet->payload[packet->payload_packet_len - 1] == 0x0a) { - ndpi_parse_packet_line_info_any(ndpi_struct, flow); + ndpi_parse_packet_line_info_any(ndpi_struct); if (packet->parsed_lines > 1) { NDPI_LOG_DBG2(ndpi_struct, "packet contains more than one line"); for (c = 1; c < packet->parsed_lines; c++) { @@ -504,10 +504,10 @@ static void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct if ((flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC) && (flow->l4.tcp.irc_stage == 1)) { if ((((packet->payload_packet_len - http_content_ptr_len) > 10) && (memcmp(packet->payload + http_content_ptr_len, "interface=", 10) == 0) - && (ndpi_check_for_Nickname(ndpi_struct, flow) != 0)) + && (ndpi_check_for_Nickname(ndpi_struct) != 0)) || (((packet->payload_packet_len - http_content_ptr_len) > 5) && (memcmp(packet->payload + http_content_ptr_len, "item=", 5) == 0) - && (ndpi_check_for_cmd(ndpi_struct, flow) != 0))) { + && (ndpi_check_for_cmd(ndpi_struct) != 0))) { NDPI_LOG_INFO(ndpi_struct, "found IRC: Nickname, cmd, one time"); ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); return; 
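Review bot: The message `"Found IRC username (%s)"` in hunk -414 puts a user name taken from the clear-text payload into the risk string, so the identifier is duplicated into every sink that stores risk info. The IMAP, POP and SMTP hunks (mail_imap.c -186, mail_pop.c -88, mail_smtp.c -101 and -261) do the same, while the password cases report only `"Found password"`. Whether exporters redact or escape this field is not visible here. A comment next to the snprintf, `/* msg carries a user name from the wire: treat it as sensitive and untrusted */`, would make the expectation explicit for anyone wiring risk info into logs.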
@@ -523,7 +523,7 @@ static void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct if (packet->payload[packet->payload_packet_len - 2] != 0x0d && packet->payload[packet->payload_packet_len - 1] == 0x0a) { NDPI_LOG_DBG2(ndpi_struct, "ndpi_parse_packet_line_info_any(ndpi_struct, flow);"); - ndpi_parse_packet_line_info_any(ndpi_struct, flow); + ndpi_parse_packet_line_info_any(ndpi_struct); } else if (packet->payload[packet->payload_packet_len - 2] == 0x0d) { ndpi_parse_packet_line_info(ndpi_struct, flow); } else { diff --git a/src/lib/protocols/lisp.c b/src/lib/protocols/lisp.c index a124d6aee..b66a2e52d 100644 --- a/src/lib/protocols/lisp.c +++ b/src/lib/protocols/lisp.c @@ -29,8 +29,7 @@ #define LISP_PORT1 4342 /* TCP and UDP */ static void ndpi_int_lisp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - u_int8_t due_to_correlation) + struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_LISP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); @@ -47,7 +46,7 @@ static void ndpi_check_lisp(struct ndpi_detection_module_struct *ndpi_struct, st if((packet->udp->source == lisp_port && packet->udp->dest == lisp_port) || (packet->udp->source == lisp_port1 && packet->udp->dest == lisp_port1)) { NDPI_LOG_INFO(ndpi_struct, "found lisp\n"); - ndpi_int_lisp_add_connection(ndpi_struct, flow, 0); + ndpi_int_lisp_add_connection(ndpi_struct, flow); return; } } else { @@ -63,7 +62,7 @@ static void ndpi_check_lisp(struct ndpi_detection_module_struct *ndpi_struct, st packet->payload[packet->payload_packet_len - 3] == 0xAC && packet->payload[packet->payload_packet_len - 4] == 0x9F) { NDPI_LOG_INFO(ndpi_struct, "found lisp\n"); - ndpi_int_lisp_add_connection(ndpi_struct, flow, 0); + ndpi_int_lisp_add_connection(ndpi_struct, flow); return; } } diff --git a/src/lib/protocols/mail_imap.c b/src/lib/protocols/mail_imap.c index 1b8b31287..dd47704ea 100644 --- a/src/lib/protocols/mail_imap.c 
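Review bot: The debug string just above the updated call in hunk -523 still reads `"ndpi_parse_packet_line_info_any(ndpi_struct, flow);"`, which no longer matches the call after this commit. I would change it to `NDPI_LOG_DBG2(ndpi_struct, "ndpi_parse_packet_line_info_any(ndpi_struct);");`, or better, to a message that describes the branch rather than echoing source text that has to be kept in sync. The enclosing ndpi_search_irc_tcp starts outside the hunk.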
+++ b/src/lib/protocols/mail_imap.c @@ -186,7 +186,7 @@ static void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_ snprintf(buf, sizeof(buf), "Found IMAP username (%s)", flow->l4.tcp.ftp_imap_pop_smtp.username); - ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); + ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); pwd = strtok_r(NULL, " \"\r\n", &saveptr); if(pwd) { diff --git a/src/lib/protocols/mail_pop.c b/src/lib/protocols/mail_pop.c index 5741eba0e..0cb4512d7 100644 --- a/src/lib/protocols/mail_pop.c +++ b/src/lib/protocols/mail_pop.c @@ -88,7 +88,7 @@ static int ndpi_int_mail_pop_check_for_client_commands(struct ndpi_detection_mod snprintf(buf, sizeof(buf), "Found username (%s)", flow->l4.tcp.ftp_imap_pop_smtp.username); - ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); + ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); flow->l4.tcp.pop_command_bitmask |= POP_BIT_USER; return 1; @@ -100,7 +100,7 @@ static int ndpi_int_mail_pop_check_for_client_commands(struct ndpi_detection_mod sizeof(flow->l4.tcp.ftp_imap_pop_smtp.password), 5, packet->payload, packet->payload_packet_len); - ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found password"); + ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found password"); flow->l4.tcp.pop_command_bitmask |= POP_BIT_PASS; return 1; } else if((packet->payload[0] == 'C' || packet->payload[0] == 'c') diff --git a/src/lib/protocols/mail_smtp.c b/src/lib/protocols/mail_smtp.c index 66f40c6ee..f27e43ffe 100644 --- a/src/lib/protocols/mail_smtp.c +++ b/src/lib/protocols/mail_smtp.c 
@@ -66,8 +66,7 @@ static void smtpInitExtraPacketProcessing(struct ndpi_flow_struct *flow); /* **************************************** */ -static void get_credentials_auth_plain(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, +static void get_credentials_auth_plain(struct ndpi_flow_struct *flow, const u_int8_t *line, u_int16_t line_len) { u_int8_t buf[255]; @@ -102,7 +101,7 @@ static void get_credentials_auth_plain(struct ndpi_detection_module_struct *ndpi snprintf(buf, sizeof(buf), "Found username (%s)", flow->l4.tcp.ftp_imap_pop_smtp.username); - ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); + ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); if(1 + user_len + 1 < out_len) { unsigned int pwd_len; @@ -222,7 +221,7 @@ static void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_ } else if(packet->line[a].ptr[5] == 'P' || packet->line[a].ptr[5] == 'p') { flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_AUTH_PLAIN; /* AUTH PLAIN: username and pwd here */ - get_credentials_auth_plain(ndpi_struct, flow, + get_credentials_auth_plain(flow, packet->line[a].ptr, packet->line[a].len); flow->l4.tcp.ftp_imap_pop_smtp.auth_done = 1; } @@ -262,7 +261,7 @@ static void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_ snprintf(msg, sizeof(msg), "Found SMTP username (%s)", flow->l4.tcp.ftp_imap_pop_smtp.username); - ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, msg); + ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, msg); } else if(flow->l4.tcp.ftp_imap_pop_smtp.password[0] == '\0') { /* Password */ u_int8_t buf[48]; @@ -287,7 +286,7 @@ static void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_ ndpi_free(out); } - ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found password"); + ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found password"); flow->l4.tcp.ftp_imap_pop_smtp.auth_done = 1; } else { 
diff --git a/src/lib/protocols/munin.c b/src/lib/protocols/munin.c index 06e50d3a6..6ca9ca9c3 100644 --- a/src/lib/protocols/munin.c +++ b/src/lib/protocols/munin.c @@ -64,7 +64,7 @@ static void ndpi_search_munin(struct ndpi_detection_module_struct *ndpi_struct, if (packet->payload[packet->payload_packet_len - 1] != '\n') { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Missing Munin Hostname"); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Missing Munin Hostname"); return; } @@ -73,7 +73,7 @@ static void ndpi_search_munin(struct ndpi_detection_module_struct *ndpi_struct, { ndpi_hostname_sni_set(flow, packet->payload + NDPI_STATICSTRING_LEN(munin_prefix), host_len, NDPI_HOSTNAME_NORM_ALL); } else { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Missing Munin Hostname"); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Missing Munin Hostname"); } } diff --git a/src/lib/protocols/natpmp.c b/src/lib/protocols/natpmp.c index 4c259c91c..ccb025c89 100644 --- a/src/lib/protocols/natpmp.c +++ b/src/lib/protocols/natpmp.c @@ -122,7 +122,7 @@ static int ndpi_search_natpmp_extra(struct ndpi_detection_module_struct *ndpi_st if (natpmp_is_valid(packet, &natpmp_type) == 0) { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid NATPMP Header"); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid NATPMP Header"); return 0; } @@ -136,7 +136,7 @@ static int ndpi_search_natpmp_extra(struct ndpi_detection_module_struct *ndpi_st flow->protos.natpmp.external_port = ntohs(get_u_int16_t(packet->payload, 6)); if (flow->protos.natpmp.internal_port == 0) { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Request Port Mapping: Internal port must not 0"); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Request Port Mapping: Internal port must not 0"); } break; case NATPMP_RESPONSE_ADDRESS: 
@@ -144,7 +144,7 @@ static int ndpi_search_natpmp_extra(struct ndpi_detection_module_struct *ndpi_st flow->protos.natpmp.external_address.ipv4 = get_u_int32_t(packet->payload, 8); if (flow->protos.natpmp.result_code != 0 && flow->protos.natpmp.external_address.ipv4 != 0) { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Address Response: Result code indicates an error, but External IPv4 Address is set"); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Address Response: Result code indicates an error, but External IPv4 Address is set"); } break; case NATPMP_RESPONSE_UDP_MAPPING: @@ -154,7 +154,7 @@ static int ndpi_search_natpmp_extra(struct ndpi_detection_module_struct *ndpi_st flow->protos.natpmp.external_port = ntohs(get_u_int16_t(packet->payload, 10)); if (flow->protos.natpmp.internal_port == 0 || flow->protos.natpmp.external_port == 0) { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Port Mapping Response: Internal/External port must not 0"); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Port Mapping Response: Internal/External port must not 0"); } break; } diff --git a/src/lib/protocols/nintendo.c b/src/lib/protocols/nintendo.c index 29cf1bbbf..7c46439ff 100644 --- a/src/lib/protocols/nintendo.c +++ b/src/lib/protocols/nintendo.c @@ -29,8 +29,7 @@ #include "ndpi_private.h" static void ndpi_int_nintendo_add_connection(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - u_int8_t due_to_correlation) { + struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NINTENDO, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); } @@ -46,7 +45,7 @@ static void ndpi_search_nintendo(struct ndpi_detection_module_struct *ndpi_struc if(memcmp(payload, nintendo_pattern, 5) == 0) { NDPI_LOG_INFO(ndpi_struct, "found nintendo\n"); - ndpi_int_nintendo_add_connection(ndpi_struct, flow, 0); + ndpi_int_nintendo_add_connection(ndpi_struct, flow); return; } } 
diff --git a/src/lib/protocols/nomachine.c b/src/lib/protocols/nomachine.c index 33cf71dc9..21319a2aa 100644 --- a/src/lib/protocols/nomachine.c +++ b/src/lib/protocols/nomachine.c @@ -35,7 +35,7 @@ static void ndpi_int_nomachine_add_connection(struct ndpi_detection_module_struc NDPI_LOG_INFO(ndpi_struct, "found NoMachine\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NOMACHINE, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found NoMachine"); + ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found NoMachine"); } static void ndpi_search_nomachine(struct ndpi_detection_module_struct *ndpi_struct, diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c index 89a6730e7..4734433e0 100644 --- a/src/lib/protocols/quic.c +++ b/src/lib/protocols/quic.c @@ -643,7 +643,8 @@ static int quic_get_pn_cipher_algo(int cipher_algo, int *hp_cipher_mode) * algorithm output. */ static int quic_hp_cipher_prepare(struct ndpi_detection_module_struct *ndpi_struct, - quic_hp_cipher *hp_cipher, int hash_algo, int cipher_algo, uint8_t *secret, u_int32_t version) + quic_hp_cipher *hp_cipher, int hash_algo, int cipher_algo, + uint8_t *secret, u_int32_t version) { #if 0 /* Clear previous state (if any). */ @@ -674,7 +675,8 @@ static int quic_hp_cipher_prepare(struct ndpi_detection_module_struct *ndpi_stru return 1; } static int quic_pp_cipher_prepare(struct ndpi_detection_module_struct *ndpi_struct, - quic_pp_cipher *pp_cipher, int hash_algo, int cipher_algo, int cipher_mode, uint8_t *secret, u_int32_t version) + quic_pp_cipher *pp_cipher, int hash_algo, int cipher_algo, + int cipher_mode, uint8_t *secret, u_int32_t version) { #if 0 /* Clear previous state (if any). */ 
@@ -699,7 +701,8 @@ static int quic_pp_cipher_prepare(struct ndpi_detection_module_struct *ndpi_stru return 1; } static int quic_ciphers_prepare(struct ndpi_detection_module_struct *ndpi_struct, - quic_ciphers *ciphers, int hash_algo, int cipher_algo, int cipher_mode, uint8_t *secret, u_int32_t version) + quic_ciphers *ciphers, int hash_algo, int cipher_algo, + int cipher_mode, uint8_t *secret, u_int32_t version) { int ret; @@ -981,7 +984,7 @@ static int quic_derive_initial_secrets(struct ndpi_detection_module_struct *ndpi static uint8_t *decrypt_initial_packet(struct ndpi_detection_module_struct *ndpi_struct, const uint8_t *orig_dest_conn_id, uint8_t orig_dest_conn_id_len, - const uint8_t *dest_conn_id, uint8_t dest_conn_id_len, + uint8_t dest_conn_id_len, uint8_t source_conn_id_len, uint32_t version, uint32_t *clear_payload_len) { @@ -1049,8 +1052,7 @@ static uint8_t *decrypt_initial_packet(struct ndpi_detection_module_struct *ndpi quic_ciphers_reset(&ciphers); return NULL; } - quic_decrypt_message(ndpi_struct, - &ciphers.pp_cipher, &packet->payload[0], pn_offset + payload_length, + quic_decrypt_message(ndpi_struct, &ciphers.pp_cipher, &packet->payload[0], pn_offset + payload_length, offset, first_byte, pkn_len, packet_number, &decryption); quic_ciphers_reset(&ciphers); @@ -1370,7 +1372,7 @@ static uint8_t *get_clear_payload(struct ndpi_detection_module_struct *ndpi_stru clear_payload = decrypt_initial_packet(ndpi_struct, flow->l4.udp.quic_orig_dest_conn_id, flow->l4.udp.quic_orig_dest_conn_id_len, - dest_conn_id, dest_conn_id_len, + dest_conn_id_len, source_conn_id_len, version, clear_payload_len); } 
@@ -1470,10 +1472,10 @@ void process_chlo(struct ndpi_detection_module_struct *ndpi_struct, char str[128]; snprintf(str, sizeof(str), "Invalid host %s", flow->host_server_name); - ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, str); + ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, str); /* This looks like an attack */ - ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, NULL); + ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, NULL); } sni_found = 1; @@ -1501,12 +1503,11 @@ void process_chlo(struct ndpi_detection_module_struct *ndpi_struct, /* Add check for missing SNI */ if(flow->host_server_name[0] == '\0') { /* This is a bit suspicious */ - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_MISSING_SNI, NULL); + ndpi_set_risk(flow, NDPI_TLS_MISSING_SNI, NULL); } } -static int may_be_gquic_rej(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) +static int may_be_gquic_rej(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; void *ptr; @@ -1527,7 +1528,7 @@ static int may_be_gquic_rej(struct ndpi_detection_module_struct *ndpi_struct, } static int may_be_0rtt(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, uint32_t *version) + uint32_t *version) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int8_t first_byte; @@ -1683,7 +1684,7 @@ static int may_be_initial_pkt(struct ndpi_detection_module_struct *ndpi_struct, /* ***************************************************************** */ static int eval_extra_processing(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) + struct ndpi_flow_struct *flow) { u_int32_t version = flow->protos.tls_quic.quic_version; 
@@ -1783,8 +1784,7 @@ static int ndpi_search_quic_extra(struct ndpi_detection_module_struct *ndpi_stru return 0; } -static int is_vn(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) +static int is_vn(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int32_t version; @@ -1845,7 +1845,7 @@ static int ndpi_search_quic_extra_vn(struct ndpi_detection_module_struct *ndpi_s return 1; /* Keep going */ if(flow->l4.udp.quic_vn_pair == 0) { - if(is_vn(ndpi_struct, flow)) { + if(is_vn(ndpi_struct)) { NDPI_LOG_DBG(ndpi_struct, "Valid VN\n"); flow->l4.udp.quic_vn_pair = 1; return 1; @@ -1892,7 +1892,7 @@ static void ndpi_search_quic(struct ndpi_detection_module_struct *ndpi_struct, is_initial_quic = may_be_initial_pkt(ndpi_struct, &version); if(!is_initial_quic) { if(!is_ch_reassembler_pending(flow)) { /* Better safe than sorry */ - ret = may_be_0rtt(ndpi_struct, flow, &version); + ret = may_be_0rtt(ndpi_struct, &version); if(ret == 1) { NDPI_LOG_DBG(ndpi_struct, "Found 0-RTT, keep looking for Initial\n"); flow->l4.udp.quic_0rtt_found = 1; @@ -1910,7 +1910,7 @@ static void ndpi_search_quic(struct ndpi_detection_module_struct *ndpi_struct, flow->protos.tls_quic.quic_version = 0; /* unknown */ return; } - ret = may_be_gquic_rej(ndpi_struct, flow); + ret = may_be_gquic_rej(ndpi_struct); if(ret == 1) { NDPI_LOG_INFO(ndpi_struct, "GQUIC REJ\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUIC, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); diff --git a/src/lib/protocols/radmin.c b/src/lib/protocols/radmin.c index 174c8e3f7..6554b0074 100644 --- a/src/lib/protocols/radmin.c +++ b/src/lib/protocols/radmin.c 
@@ -36,7 +36,7 @@ static void ndpi_int_radmin_add_connection(struct ndpi_detection_module_struct * ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RADMIN, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found Radmin"); + ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found Radmin"); } static void ndpi_search_radmin(struct ndpi_detection_module_struct *ndpi_struct, diff --git a/src/lib/protocols/raknet.c b/src/lib/protocols/raknet.c index c7b52ad38..8aeaddc2d 100644 --- a/src/lib/protocols/raknet.c +++ b/src/lib/protocols/raknet.c @@ -47,8 +47,7 @@ static size_t raknet_dissect_ip(struct ndpi_packet_struct * const packet, size_t return (packet->payload[offset] == 0x04 ? 4 : 16); } -static int is_custom_version(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) +static int is_custom_version(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; unsigned char magic[] = { 0x00, 0xFF, 0xFF, 0x00, 0xFE, 0xFE, 0xFE, 0xFE, @@ -104,7 +103,7 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct, */ if (flow->packet_counter == 1) { - flow->l4.udp.raknet_custom = is_custom_version(ndpi_struct, flow); + flow->l4.udp.raknet_custom = is_custom_version(ndpi_struct); } if (packet->payload_packet_len < 7) diff --git a/src/lib/protocols/rdp.c b/src/lib/protocols/rdp.c index f641f7690..9c42f0055 100644 --- a/src/lib/protocols/rdp.c +++ b/src/lib/protocols/rdp.c 
@@ -36,7 +36,7 @@ static void ndpi_int_rdp_add_connection(struct ndpi_detection_module_struct *ndp struct ndpi_flow_struct *flow) { NDPI_LOG_INFO(ndpi_struct, "found RDP\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RDP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found RDP"); /* Remote assistance */ + ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found RDP"); /* Remote assistance */ } static void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct, diff --git a/src/lib/protocols/rsh.c b/src/lib/protocols/rsh.c index 6addb7404..6048e2f54 100644 --- a/src/lib/protocols/rsh.c +++ b/src/lib/protocols/rsh.c @@ -139,7 +139,7 @@ static void ndpi_search_rsh(struct ndpi_detection_module_struct * ndpi_struct, flow->protos.rsh.command) < 0) str[0] = '\0'; - ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, str); + ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, str); } return; diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c index b88c6afcd..afa5e2bf2 100644 --- a/src/lib/protocols/rtp.c +++ b/src/lib/protocols/rtp.c @@ -84,8 +84,7 @@ static int is_valid_rtcp_payload_type(uint8_t type) return (type >= 192 && type <= 213); } -int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) +int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int8_t padding, csrc_count, ext_header; @@ -170,7 +169,7 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, return; } - is_rtp = is_rtp_or_rtcp(ndpi_struct, flow); + is_rtp = is_rtp_or_rtcp(ndpi_struct); if(is_rtp == IS_RTP) { if(flow->l4.udp.rtp_stage == 2) { if(flow->l4.udp.line_pkts[0] >= 2 && flow->l4.udp.line_pkts[1] >= 2) { diff --git a/src/lib/protocols/sip.c b/src/lib/protocols/sip.c index dd6b2a346..b6963584c 100644 
--- a/src/lib/protocols/sip.c +++ b/src/lib/protocols/sip.c @@ -30,8 +30,7 @@ #include "ndpi_private.h" static void ndpi_int_sip_add_connection(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - u_int8_t due_to_correlation) { + struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SIP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); } @@ -65,7 +64,7 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct && (memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found sip NOTIFY\n"); - ndpi_int_sip_add_connection(ndpi_struct, flow, 0); + ndpi_int_sip_add_connection(ndpi_struct, flow); return; } @@ -73,14 +72,14 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct && (memcmp(&packet_payload[9], "SIP:", 4) == 0 || memcmp(&packet_payload[9], "sip:", 4) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found sip REGISTER\n"); - ndpi_int_sip_add_connection(ndpi_struct, flow, 0); + ndpi_int_sip_add_connection(ndpi_struct, flow); return; } if((memcmp(packet_payload, "INVITE ", 7) == 0 || memcmp(packet_payload, "invite ", 7) == 0) && (memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found sip INVITE\n"); - ndpi_int_sip_add_connection(ndpi_struct, flow, 0); + ndpi_int_sip_add_connection(ndpi_struct, flow); return; } 
@@ -92,20 +91,20 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct /* if(memcmp(packet_payload, "SIP/2.0 200 OK", 14) == 0 || memcmp(packet_payload, "sip/2.0 200 OK", 14) == 0) { NDPI_LOG_INFO(ndpi_struct, "found sip SIP/2.0 0K\n"); - ndpi_int_sip_add_connection(ndpi_struct, flow, 0); + ndpi_int_sip_add_connection(ndpi_struct, flow); return; } */ if(memcmp(packet_payload, "SIP/2.0 ", 8) == 0 || memcmp(packet_payload, "sip/2.0 ", 8) == 0) { NDPI_LOG_INFO(ndpi_struct, "found sip SIP/2.0 *\n"); - ndpi_int_sip_add_connection(ndpi_struct, flow, 0); + ndpi_int_sip_add_connection(ndpi_struct, flow); return; } if((memcmp(packet_payload, "BYE ", 4) == 0 || memcmp(packet_payload, "bye ", 4) == 0) && (memcmp(&packet_payload[4], "SIP:", 4) == 0 || memcmp(&packet_payload[4], "sip:", 4) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found sip BYE\n"); - ndpi_int_sip_add_connection(ndpi_struct, flow, 0); + ndpi_int_sip_add_connection(ndpi_struct, flow); return; } @@ -113,7 +112,7 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct && ((memcmp(&packet_payload[4], "SIP:", 4) == 0 || memcmp(&packet_payload[4], "sip:", 4) == 0) || (memcmp(&packet_payload[4], "TEL:", 4) == 0 || memcmp(&packet_payload[4], "tel:", 4) == 0))) { NDPI_LOG_INFO(ndpi_struct, "found sip ACK\n"); - ndpi_int_sip_add_connection(ndpi_struct, flow, 0); + ndpi_int_sip_add_connection(ndpi_struct, flow); return; } 
@@ -121,21 +120,21 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct && ((memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0) || (memcmp(&packet_payload[7], "TEL:", 4) == 0 || memcmp(&packet_payload[7], "tel:", 4) == 0))) { NDPI_LOG_INFO(ndpi_struct, "found sip CANCEL\n"); - ndpi_int_sip_add_connection(ndpi_struct, flow, 0); + ndpi_int_sip_add_connection(ndpi_struct, flow); return; } if((memcmp(packet_payload, "PUBLISH ", 8) == 0 || memcmp(packet_payload, "publish ", 8) == 0) && (memcmp(&packet_payload[8], "SIP:", 4) == 0 || memcmp(&packet_payload[8], "sip:", 4) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found sip PUBLISH\n"); - ndpi_int_sip_add_connection(ndpi_struct, flow, 0); + ndpi_int_sip_add_connection(ndpi_struct, flow); return; } if((memcmp(packet_payload, "SUBSCRIBE ", 10) == 0 || memcmp(packet_payload, "subscribe ", 10) == 0) && (memcmp(&packet_payload[10], "SIP:", 4) == 0 || memcmp(&packet_payload[10], "sip:", 4) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found sip SUBSCRIBE\n"); - ndpi_int_sip_add_connection(ndpi_struct, flow, 0); + ndpi_int_sip_add_connection(ndpi_struct, flow); return; } @@ -143,7 +142,7 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct if((memcmp(packet_payload, "MESSAGE ", 8) == 0 || memcmp(packet_payload, "message ", 8) == 0) && (memcmp(&packet_payload[8], "SIP:", 4) == 0 || memcmp(&packet_payload[8], "sip:", 4) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found sip MESSAGE\n"); - ndpi_int_sip_add_connection(ndpi_struct, flow, 0); + ndpi_int_sip_add_connection(ndpi_struct, flow); return; } 
@@ -153,28 +152,28 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct && ((memcmp(&packet_payload[8], "SIP:", 4) == 0 || memcmp(&packet_payload[8], "sip:", 4) == 0) || (memcmp(&packet_payload[8], "TEL:", 4) == 0 || memcmp(&packet_payload[8], "tel:", 4) == 0))) { NDPI_LOG_INFO(ndpi_struct, "found sip OPTIONS\n"); - ndpi_int_sip_add_connection(ndpi_struct, flow, 0); + ndpi_int_sip_add_connection(ndpi_struct, flow); return; } if((memcmp(packet_payload, "REFER ", 6) == 0 || memcmp(packet_payload, "refer ", 6) == 0) && (memcmp(&packet_payload[6], "SIP:", 4) == 0 || memcmp(&packet_payload[6], "sip:", 4) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found sip REFER\n"); - ndpi_int_sip_add_connection(ndpi_struct, flow, 0); + ndpi_int_sip_add_connection(ndpi_struct, flow); return; } if((memcmp(packet_payload, "PRACK ", 6) == 0 || memcmp(packet_payload, "prack ", 6) == 0) && (memcmp(&packet_payload[6], "SIP:", 4) == 0 || memcmp(&packet_payload[6], "sip:", 4) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found sip PRACK\n"); - ndpi_int_sip_add_connection(ndpi_struct, flow, 0); + ndpi_int_sip_add_connection(ndpi_struct, flow); return; } if((memcmp(packet_payload, "INFO ", 5) == 0 || memcmp(packet_payload, "info ", 5) == 0) && (memcmp(&packet_payload[5], "SIP:", 4) == 0 || memcmp(&packet_payload[5], "sip:", 4) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found sip INFO\n"); - ndpi_int_sip_add_connection(ndpi_struct, flow, 0); + ndpi_int_sip_add_connection(ndpi_struct, flow); return; } } diff --git a/src/lib/protocols/slp.c b/src/lib/protocols/slp.c index 81c1cabd9..e7fd6b105 100644 --- a/src/lib/protocols/slp.c +++ b/src/lib/protocols/slp.c 
@@ -285,7 +285,7 @@ static void ndpi_dissect_slp_v2(struct ndpi_detection_module_struct *ndpi_struct } } else if (url_entry_count_offset > 0 && packet->payload_packet_len > sizeof(*hdr) + url_entry_count_offset + 2) { if (slp_dissect_url_entries(ndpi_struct, flow, sizeof(*hdr) + url_entry_count_offset) != 0) { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid URL entries"); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid URL entries"); } } else if (packet->payload_packet_len > sizeof(*hdr) + url_offset + 2) { url_length_or_count = ntohs(*(uint16_t *)&packet->payload[sizeof(*hdr) + url_offset]); // FID_SrvReg or FID_SrvDeReg diff --git a/src/lib/protocols/smb.c b/src/lib/protocols/smb.c index ead48f0a0..b0255cb63 100644 --- a/src/lib/protocols/smb.c +++ b/src/lib/protocols/smb.c @@ -52,7 +52,7 @@ static void ndpi_search_smb_tcp(struct ndpi_detection_module_struct *ndpi_struct if(packet->payload[8] != 0x72) /* Skip Negotiate request */ { NDPI_LOG_INFO(ndpi_struct, "found SMBv1\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV1, NDPI_PROTOCOL_NETBIOS, NDPI_CONFIDENCE_DPI); - ndpi_set_risk(ndpi_struct, flow, NDPI_SMB_INSECURE_VERSION, "Found SMBv1"); + ndpi_set_risk(flow, NDPI_SMB_INSECURE_VERSION, "Found SMBv1"); } return; } else if(memcmp(&packet->payload[4], smbv2, sizeof(smbv2)) == 0) { diff --git a/src/lib/protocols/snmp_proto.c b/src/lib/protocols/snmp_proto.c index 75e829126..632365bb9 100644 --- a/src/lib/protocols/snmp_proto.c +++ b/src/lib/protocols/snmp_proto.c @@ -129,7 +129,7 @@ static void ndpi_search_snmp(struct ndpi_detection_module_struct *ndpi_struct, char str[64]; snprintf(str, sizeof(str), "SNMP Error %d", error_status); - ndpi_set_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED, str); + ndpi_set_risk(flow, NDPI_ERROR_CODE_DETECTED, str); } } } diff --git a/src/lib/protocols/spotify.c b/src/lib/protocols/spotify.c index 4bb9ce452..7f40ca6dc 100644 --- a/src/lib/protocols/spotify.c 
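Review bot: In the last branch of this slp.c hunk, `ntohs(*(uint16_t *)&packet->payload[sizeof(*hdr) + url_offset])` reads a 16-bit value through a cast of the byte payload pointer, which is a misaligned access on strict-alignment targets and formally undefined behaviour, performed on packet data. Copying the bytes first avoids it: `uint16_t v; memcpy(&v, &packet->payload[sizeof(*hdr) + url_offset], sizeof(v)); url_length_or_count = ntohs(v);`. The same pattern appears in the tls.c hunk at `alert_len = ntohs(*(u_int16_t const *)&message->buffer[3])`, which reads at byte offset 3 of the reassembly buffer. ndpi_dissect_slp_v2 starts and continues outside the hunk.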
+++ b/src/lib/protocols/spotify.c @@ -30,8 +30,7 @@ static void ndpi_int_spotify_add_connection(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - u_int8_t due_to_correlation) + struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SPOTIFY, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); } @@ -50,7 +49,7 @@ static void ndpi_check_spotify(struct ndpi_detection_module_struct *ndpi_struct, if(payload_len >= 7) { if(memcmp(packet->payload, "SpotUdp", 7) == 0) { NDPI_LOG_INFO(ndpi_struct, "found spotify udp dissector\n"); - ndpi_int_spotify_add_connection(ndpi_struct, flow, 0); + ndpi_int_spotify_add_connection(ndpi_struct, flow); return; } } @@ -62,7 +61,7 @@ static void ndpi_check_spotify(struct ndpi_detection_module_struct *ndpi_struct, packet->payload[6] == 0x52 && (packet->payload[7] == 0x0e || packet->payload[7] == 0x0f) && packet->payload[8] == 0x50 ) { NDPI_LOG_INFO(ndpi_struct, "found spotify tcp dissector\n"); - ndpi_int_spotify_add_connection(ndpi_struct, flow, 0); + ndpi_int_spotify_add_connection(ndpi_struct, flow); } } diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c index d950ede95..fb5e200b8 100644 --- a/src/lib/protocols/ssh.c +++ b/src/lib/protocols/ssh.c @@ -68,8 +68,7 @@ typedef struct { /* ************************************************************************ */ -static void ssh_analyze_signature_version(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, +static void ssh_analyze_signature_version(struct ndpi_flow_struct *flow, char *str_to_check, u_int8_t is_client_signature) { 
@@ -122,8 +121,7 @@ static void ssh_analyze_signature_version(struct ndpi_detection_module_struct *n /* ************************************************************************ */ -static void ssh_analyse_cipher(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, +static void ssh_analyse_cipher(struct ndpi_flow_struct *flow, char *ciphers, u_int cipher_len, u_int8_t is_client_signature) { @@ -179,7 +177,7 @@ static void ssh_analyse_cipher(struct ndpi_detection_module_struct *ndpi_struct, char str[64]; snprintf(str, sizeof(str), "Found cipher %s", obsolete_ciphers[found_obsolete_cipher]); - ndpi_set_risk(ndpi_struct, flow, + ndpi_set_risk(flow, (is_client_signature ? NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER : NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER), str); } @@ -218,8 +216,7 @@ static void ndpi_int_ssh_add_connection(struct ndpi_detection_module_struct /* ************************************************************************ */ -static u_int16_t concat_hash_string(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, +static u_int16_t concat_hash_string(struct ndpi_flow_struct *flow, struct ndpi_packet_struct *packet, char *buf, u_int8_t client_hash) { u_int32_t offset = 22, len, buf_out_len = 0, max_payload_len = packet->payload_packet_len-sizeof(u_int32_t); @@ -262,7 +259,7 @@ static u_int16_t concat_hash_string(struct ndpi_detection_module_struct *ndpi_st goto invalid_payload; strncpy(&buf[buf_out_len], (const char *)&packet->payload[offset], len); - ssh_analyse_cipher(ndpi_struct, flow, (char*)&packet->payload[offset], len, 1 /* client */); + ssh_analyse_cipher(flow, (char*)&packet->payload[offset], len, 1 /* client */); buf_out_len += len; buf[buf_out_len++] = ';'; } 
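Review bot: In concat_hash_string, `max_payload_len = packet->payload_packet_len-sizeof(u_int32_t)` wraps to a very large value when the payload is shorter than four bytes, because the subtraction is unsigned and the result is stored in a u_int32_t. Any later comparison of `offset` or `len` against max_payload_len would then pass, including whatever guards the `strncpy(&buf[buf_out_len], ...)` copies shown in the following ssh.c hunks. The callers' length checks are outside these hunks, so this may already be excluded; a guard right after the declarations, `if(packet->payload_packet_len < sizeof(u_int32_t)) goto invalid_payload;`, would make the function safe on its own. The hunks also do not show `buf_out_len + len` being compared with the size of `buf`, which is worth confirming since `len` appears to be taken from the packet.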
@@ -283,7 +280,7 @@ static u_int16_t concat_hash_string(struct ndpi_detection_module_struct *ndpi_st goto invalid_payload; strncpy(&buf[buf_out_len], (const char *)&packet->payload[offset], len); - ssh_analyse_cipher(ndpi_struct, flow, (char*)&packet->payload[offset], len, 0 /* server */); + ssh_analyse_cipher(flow, (char*)&packet->payload[offset], len, 0 /* server */); buf_out_len += len; buf[buf_out_len++] = ';'; } @@ -417,7 +414,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct flow->protos.ssh.client_signature[len] = '\0'; ndpi_ssh_zap_cr(flow->protos.ssh.client_signature, len); - ssh_analyze_signature_version(ndpi_struct, flow, flow->protos.ssh.client_signature, 1); + ssh_analyze_signature_version(flow, flow->protos.ssh.client_signature, 1); #ifdef SSH_DEBUG printf("[SSH] [client_signature: %s]\n", flow->protos.ssh.client_signature); @@ -437,7 +434,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct flow->protos.ssh.server_signature[len] = '\0'; ndpi_ssh_zap_cr(flow->protos.ssh.server_signature, len); - ssh_analyze_signature_version(ndpi_struct, flow, flow->protos.ssh.server_signature, 0); + ssh_analyze_signature_version(flow, flow->protos.ssh.server_signature, 0); #ifdef SSH_DEBUG printf("[SSH] [server_signature: %s]\n", flow->protos.ssh.server_signature); @@ -469,7 +466,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct if(packet->packet_direction == 0 /* client */) { u_char fingerprint_client[16]; - len = concat_hash_string(ndpi_struct, flow, packet, hassh_buf, 1 /* client */); + len = concat_hash_string(flow, packet, hassh_buf, 1 /* client */); ndpi_MD5Init(&ctx); ndpi_MD5Update(&ctx, (const unsigned char *)hassh_buf, len); 
@@ -491,7 +488,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct } else { u_char fingerprint_server[16]; - len = concat_hash_string(ndpi_struct, flow, packet, hassh_buf, 0 /* server */); + len = concat_hash_string(flow, packet, hassh_buf, 0 /* server */); ndpi_MD5Init(&ctx); ndpi_MD5Update(&ctx, (const unsigned char *)hassh_buf, len); diff --git a/src/lib/protocols/starcraft.c b/src/lib/protocols/starcraft.c index d04f2a381..a4d130e8e 100644 --- a/src/lib/protocols/starcraft.c +++ b/src/lib/protocols/starcraft.c @@ -48,7 +48,7 @@ static u_int8_t sc2_match_logon_ip(struct ndpi_packet_struct* packet) transfer generated by the user interaction with the client, e.g. chatting or looking at someone's match history. The current way to detect this is plain dumb packet matching. */ -static u_int8_t ndpi_check_starcraft_tcp(struct ndpi_detection_module_struct* ndpi_struct, struct ndpi_flow_struct* flow) +static u_int8_t ndpi_check_starcraft_tcp(struct ndpi_detection_module_struct* ndpi_struct) { struct ndpi_packet_struct* packet = &ndpi_struct->packet; @@ -132,7 +132,7 @@ static void ndpi_search_starcraft(struct ndpi_detection_module_struct* ndpi_stru } } else if (packet->tcp != NULL) { - result = ndpi_check_starcraft_tcp(ndpi_struct, flow); + result = ndpi_check_starcraft_tcp(ndpi_struct); if (result == 1) { NDPI_LOG_INFO(ndpi_struct, "Found Starcraft 2 [Client, TCP]\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_STARCRAFT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c index 305feabf1..4f25420a7 100644 --- a/src/lib/protocols/stun.c +++ b/src/lib/protocols/stun.c 
@@ -417,8 +417,7 @@ int is_stun(struct ndpi_detection_module_struct *ndpi_struct, return 1; } -static int keep_extra_dissection(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) +static int keep_extra_dissection(struct ndpi_flow_struct *flow) { if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN /* No subclassification */) return 1; @@ -518,10 +517,10 @@ static int stun_search_again(struct ndpi_detection_module_struct *ndpi_struct, old_proto_stack[1] = flow->detected_protocol_stack[1]; /* TODO: right way? It is a bit scary... do we need to reset something else too? */ - reset_detected_protocol(ndpi_struct, flow); + reset_detected_protocol(flow); /* We keep the category related to STUN traffic */ /* STUN often triggers this risk; clear it. TODO: clear other risks? */ - ndpi_unset_risk(ndpi_struct, flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT); + ndpi_unset_risk(flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT); /* Give room for DTLS handshake, where we might have retransmissions and fragments */ @@ -589,7 +588,7 @@ static int stun_search_again(struct ndpi_detection_module_struct *ndpi_struct, NDPI_LOG_DBG(ndpi_struct, "QUIC range. Unexpected\n"); } else if(first_byte <= 191) { - rtp_rtcp = is_rtp_or_rtcp(ndpi_struct, flow); + rtp_rtcp = is_rtp_or_rtcp(ndpi_struct); if(rtp_rtcp == IS_RTP) { NDPI_LOG_DBG(ndpi_struct, "RTP (dir %d)\n", packet->packet_direction); NDPI_LOG_INFO(ndpi_struct, "Found RTP over STUN\n"); @@ -621,7 +620,7 @@ static int stun_search_again(struct ndpi_detection_module_struct *ndpi_struct, } else { NDPI_LOG_DBG(ndpi_struct, "QUIC range. Unexpected\n"); } - return keep_extra_dissection(ndpi_struct, flow); + return keep_extra_dissection(flow); } /* ************************************************************ */ diff --git a/src/lib/protocols/tcp_udp.c b/src/lib/protocols/tcp_udp.c index 2f3e37f72..59d137b50 100644 --- a/src/lib/protocols/tcp_udp.c +++ b/src/lib/protocols/tcp_udp.c 
@@ -25,7 +25,6 @@ u_int ndpi_search_tcp_or_udp_raw(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, - u_int8_t protocol, u_int32_t saddr, u_int32_t daddr) /* host endianess */ { u_int16_t rc; @@ -56,7 +55,6 @@ void ndpi_search_tcp_or_udp(struct ndpi_detection_module_struct *ndpi_struct, st if(packet->iph /* IPv4 Only: we need to support packet->iphv6 at some point */) { proto = ndpi_search_tcp_or_udp_raw(ndpi_struct, flow, - flow->l4_proto, ntohl(packet->iph->saddr), ntohl(packet->iph->daddr)); diff --git a/src/lib/protocols/teamviewer.c b/src/lib/protocols/teamviewer.c index 4ed7f1269..49b7a5862 100644 --- a/src/lib/protocols/teamviewer.c +++ b/src/lib/protocols/teamviewer.c @@ -51,7 +51,7 @@ static void ndpi_search_teamview(struct ndpi_detection_module_struct *ndpi_struc if (flow->teamviewer_stage == 4 || packet->udp->dest == ntohs(5938) || packet->udp->source == ntohs(5938)) { ndpi_int_teamview_add_connection(ndpi_struct, flow); - ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found TeamViewer"); /* Remote assistance (UDP only) */ + ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found TeamViewer"); /* Remote assistance (UDP only) */ } return; } diff --git a/src/lib/protocols/telnet.c b/src/lib/protocols/telnet.c index d543c6efa..035bcc862 100644 --- a/src/lib/protocols/telnet.c +++ b/src/lib/protocols/telnet.c @@ -65,7 +65,7 @@ static int search_telnet_again(struct ndpi_detection_module_struct *ndpi_struct, return(1); flow->protos.telnet.password_detected = 1; - ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found password"); + ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found password"); flow->protos.telnet.password[flow->protos.telnet.character_id] = '\0'; return(0); } 
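Review bot: The port test in ndpi_search_teamview compares the network-order fields `packet->udp->dest` and `packet->udp->source` with `ntohs(5938)`, which is the conversion for the opposite direction. The result is the same because both functions perform the same byte swap, but `htons(5938)` states the intent for a host constant: `packet->udp->dest == htons(5938) || packet->udp->source == htons(5938)`. The enclosing function starts outside the hunk.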
@@ -99,7 +99,7 @@ static int search_telnet_again(struct ndpi_detection_module_struct *ndpi_struct, snprintf(buf, sizeof(buf), "Found Telnet username (%s)", flow->protos.telnet.username); - ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); + ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); return(1); } @@ -146,8 +146,7 @@ __mingw_forceinline static #else __forceinline static #endif -u_int8_t search_iac(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { +u_int8_t search_iac(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int16_t a; @@ -189,7 +188,7 @@ static void ndpi_search_telnet_tcp(struct ndpi_detection_module_struct *ndpi_str struct ndpi_flow_struct *flow) { NDPI_LOG_DBG(ndpi_struct, "search telnet\n"); - if(search_iac(ndpi_struct, flow) == 1) { + if(search_iac(ndpi_struct) == 1) { if(flow->l4.tcp.telnet_stage == 2) { NDPI_LOG_INFO(ndpi_struct, "found telnet\n"); ndpi_int_telnet_add_connection(ndpi_struct, flow); diff --git a/src/lib/protocols/thrift.c b/src/lib/protocols/thrift.c index 1e1749b9f..d9be27ca5 100644 --- a/src/lib/protocols/thrift.c +++ b/src/lib/protocols/thrift.c 
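Review bot: The risk text built in search_telnet_again embeds the captured login name, `"Found Telnet username (%s)"`, so credential material from the monitored session travels with the risk record to whatever consumes it. The hunk does not show the username being filtered for non-printable bytes before it is formatted, which matters if risk strings reach logs or exporters unescaped. If the name is not needed downstream, `ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found Telnet username");` keeps the signal without the value; otherwise a comment stating that the message carries captured data would help consumers. The function body starts and continues outside the hunk.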
@@ -113,29 +113,27 @@ static int thrift_validate_type(uint8_t message_type) return message_type < TMT_TYPE_MAX; } -static void thrift_set_method(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, +static void thrift_set_method(struct ndpi_flow_struct *flow, char const * const method, size_t method_length) { if (thrift_validate_method(method, method_length) == 0) { - ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, "Invalid method name"); + ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, "Invalid method name"); flow->protos.thrift.method[0] = '\0'; } else { strncpy(flow->protos.thrift.method, method, ndpi_min(sizeof(flow->protos.thrift.method), method_length)); } } -static void thrift_set_type(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, +static void thrift_set_type(struct ndpi_flow_struct *flow, uint8_t message_type) { if (message_type == TMT_INVALID_TMESSAGE_TYPE) { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid message type"); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid message type"); } flow->protos.thrift.message_type = message_type; if (message_type == TMT_EXCEPTION) { - ndpi_set_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED, "Apache Thrift Exception"); + ndpi_set_risk(flow, NDPI_ERROR_CODE_DETECTED, "Apache Thrift Exception"); } } @@ -168,8 +166,8 @@ static void ndpi_dissect_strict_hdr(struct ndpi_detection_module_struct *ndpi_st ndpi_int_thrift_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); - thrift_set_method(ndpi_struct, flow, strict_hdr->method, method_length); - thrift_set_type(ndpi_struct, flow, strict_hdr->message_type); + thrift_set_method(flow, strict_hdr->method, method_length); + thrift_set_type(flow, strict_hdr->message_type); } static void ndpi_dissect_compact_hdr(struct ndpi_detection_module_struct *ndpi_struct, 
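Review bot: thrift_set_method can leave `flow->protos.thrift.method` without a terminating NUL: when `method_length` is at least `sizeof(flow->protos.thrift.method)`, the `strncpy` fills the whole array and writes no terminator, so any later `%s` or `strlen` on the field reads past it. The method name and its length come from the dissected header, and whether thrift_validate_method caps the length is not visible here. Bounding the copy to one byte less and terminating explicitly closes it: `size_t n = ndpi_min(sizeof(flow->protos.thrift.method) - 1, method_length);` `strncpy(flow->protos.thrift.method, method, n);` `flow->protos.thrift.method[n] = '\0';`.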
@@ -200,8 +198,8 @@ static void ndpi_dissect_compact_hdr(struct ndpi_detection_module_struct *ndpi_s ndpi_int_thrift_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); - thrift_set_method(ndpi_struct, flow, compact_hdr->method, compact_hdr->method_length); - thrift_set_type(ndpi_struct, flow, compact_hdr->message_type); + thrift_set_method(flow, compact_hdr->method, compact_hdr->method_length); + thrift_set_type(flow, compact_hdr->message_type); } static void ndpi_search_thrift_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct, diff --git a/src/lib/protocols/tivoconnect.c b/src/lib/protocols/tivoconnect.c index 4bfd041e9..208e3f8ae 100644 --- a/src/lib/protocols/tivoconnect.c +++ b/src/lib/protocols/tivoconnect.c @@ -55,7 +55,7 @@ static void dissect_tivoconnect_data(struct ndpi_detection_module_struct *ndpi_s if (value == NULL) { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Missing value type in TiViConnect beacon"); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Missing value type in TiViConnect beacon"); continue; } value++; @@ -108,7 +108,7 @@ static void dissect_tivoconnect_data(struct ndpi_detection_module_struct *ndpi_s if ((size_t)(key - payload) != payload_len) { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "TiViConnect beacon malformed packet"); } } diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 7e9552004..882f463fb 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -149,9 +149,7 @@ static u_int32_t __get_master(struct ndpi_detection_module_struct *ndpi_struct, /* **************************************** */ -static int ndpi_search_tls_memory(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - const u_int8_t *payload, +static int ndpi_search_tls_memory(const u_int8_t *payload, u_int16_t payload_len, u_int32_t seq, message_t *message) { 
@@ -354,7 +352,7 @@ static void checkTLSSubprotocol(struct ndpi_detection_module_struct *ndpi_struct ndpi_set_detected_protocol(ndpi_struct, flow, cached_proto, __get_master(ndpi_struct, flow), NDPI_CONFIDENCE_DPI_CACHE); flow->category = ndpi_get_proto_category(ndpi_struct, ret); ndpi_check_subprotocol_risk(ndpi_struct, flow, cached_proto); - ndpi_unset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST); + ndpi_unset_risk(flow, NDPI_NUMERIC_IP_HOST); } } } @@ -450,7 +448,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct char str[64]; snprintf(str, sizeof(str), "Invalid issuerDN %s", flow->protos.tls_quic.issuerDN); - ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, str); + ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, str); } } @@ -528,7 +526,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct snprintf(str, sizeof(str), "TLS Cert lasts %u days", (flow->protos.tls_quic.notAfter-flow->protos.tls_quic.notBefore) / 86400); - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERT_VALIDITY_TOO_LONG, str); /* Certificate validity longer than 13 months */ + ndpi_set_risk(flow, NDPI_TLS_CERT_VALIDITY_TOO_LONG, str); /* Certificate validity longer than 13 months */ } if((time_sec < flow->protos.tls_quic.notBefore) || (time_sec > flow->protos.tls_quic.notAfter)) { @@ -543,7 +541,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct strftime(e, sizeof(e), "%d/%b/%Y %H:%M:%S", ndpi_gmtime_r(&theTime, &result)); snprintf(str, sizeof(str), "%s - %s", b, e); - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_EXPIRED, str); /* Certificate expired */ + ndpi_set_risk(flow, NDPI_TLS_CERTIFICATE_EXPIRED, str); /* Certificate expired */ } else if((time_sec > flow->protos.tls_quic.notBefore) && (time_sec > (flow->protos.tls_quic.notAfter - (ndpi_struct->cfg.tls_certificate_expire_in_x_days * 86400)))) { char str[96], b[32], e[32]; 
@@ -557,7 +555,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct strftime(e, sizeof(e), "%d/%b/%Y %H:%M:%S", ndpi_gmtime_r(&theTime, &result)); snprintf(str, sizeof(str), "%s - %s", b, e); - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE, str); /* Certificate almost expired */ + ndpi_set_risk(flow, NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE, str); /* Certificate almost expired */ } } } @@ -642,10 +640,10 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct here that will create false positives */ if(ndpi_normalize_printable_string(dNSName, dNSName_len) == 0) { - ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, dNSName); + ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, dNSName); /* This looks like an attack */ - ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, NULL); + ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, NULL); } if(matched_name == 0) { @@ -692,7 +690,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct if(!flow->protos.tls_quic.subprotocol_detected) if(ndpi_match_hostname_protocol(ndpi_struct, flow, __get_master(ndpi_struct, flow), dNSName, dNSName_len)) { flow->protos.tls_quic.subprotocol_detected = 1; - ndpi_unset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST); + ndpi_unset_risk(flow, NDPI_NUMERIC_IP_HOST); } i += len; @@ -700,7 +698,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct #if DEBUG_TLS printf("[TLS] Leftover %u bytes", packet->payload_packet_len - i); #endif - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION, NULL); + ndpi_set_risk(flow, NDPI_TLS_SUSPICIOUS_EXTENSION, NULL); break; } } else { 
@@ -712,7 +710,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct char str[128]; snprintf(str, sizeof(str), "%s vs %s", flow->host_server_name, flow->protos.tls_quic.server_names); - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_MISMATCH, str); /* Certificate mismatch */ + ndpi_set_risk(flow, NDPI_TLS_CERTIFICATE_MISMATCH, str); /* Certificate mismatch */ } } } @@ -737,7 +735,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct ndpi_set_detected_protocol(ndpi_struct, flow, proto_id, __get_master(ndpi_struct, flow), NDPI_CONFIDENCE_DPI); flow->category = ndpi_get_proto_category(ndpi_struct, ret); ndpi_check_subprotocol_risk(ndpi_struct, flow, proto_id); - ndpi_unset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST); + ndpi_unset_risk(flow, NDPI_NUMERIC_IP_HOST); if(ndpi_struct->tls_cert_cache) { u_int64_t key = make_tls_cert_key(packet, 0 /* from the server */); @@ -754,7 +752,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct if(ndpi_check_issuerdn_risk_exception(ndpi_struct, flow->protos.tls_quic.issuerDN)) return; /* This is a trusted DN */ - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SELFSIGNED_CERTIFICATE, flow->protos.tls_quic.subjectDN); + ndpi_set_risk(flow, NDPI_TLS_SELFSIGNED_CERTIFICATE, flow->protos.tls_quic.subjectDN); } #if DEBUG_TLS @@ -783,7 +781,7 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, if((packet->payload_packet_len != (length + 4 + (is_dtls ? 8 : 0))) || (packet->payload[1] != 0x0) || certificates_offset >= packet->payload_packet_len) { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, NULL); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, NULL); return(-1); /* Invalid length */ } 
@@ -792,7 +790,7 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, packet->payload[certificates_offset - 1]; if((packet->payload[certificates_offset - 3] != 0x0) || ((certificates_length+3) != length)) { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, NULL); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, NULL); return(-2); /* Invalid length */ } @@ -869,7 +867,7 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t rc1 = ndpi_hash_find_entry(ndpi_struct->malicious_sha1_hashmap, sha1_str, sha1_siz * 2, NULL); if(rc1 == 0) - ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_SHA1_CERTIFICATE, sha1_str); + ndpi_set_risk(flow, NDPI_MALICIOUS_SHA1_CERTIFICATE, sha1_str); } } @@ -987,7 +985,7 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, } message = &flow->tls_quic.message[packet->packet_direction]; - if(ndpi_search_tls_memory(ndpi_struct, flow, packet->payload, + if(ndpi_search_tls_memory(packet->payload, packet->payload_packet_len, ntohl(packet->tcp->seq), message) == -1) return 0; /* Error -> stop */ @@ -1058,7 +1056,7 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, u_int8_t alert_level = message->buffer[5]; if(alert_level == 2 /* Warning (1), Fatal (2) */) - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_FATAL_ALERT, NULL); + ndpi_set_risk(flow, NDPI_TLS_FATAL_ALERT, NULL); } u_int16_t const alert_len = ntohs(*(u_int16_t const *)&message->buffer[3]); 
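Review bot: In the `@@ -1058,7 +1056,7 @@` hunk, the context line `ntohs(*(u_int16_t const *)&message->buffer[3])` after the fatal-alert check reads a 16-bit field through a cast pointer at an odd offset. Assuming `buffer` is a byte array holding reassembled wire data, that is a misaligned, type-punned load, which is undefined behaviour in C and can fault on strict-alignment targets. Building the value from bytes avoids both problems: `u_int16_t const alert_len = (u_int16_t)((message->buffer[3] << 8) | message->buffer[4]);`. The check that `message->buffer` holds at least six bytes is not visible in the hunk and should be confirmed in the surrounding code of ndpi_search_tls_tcp.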
@@ -1176,7 +1174,7 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, suited than NDPI_CONFIDENCE_DPI_CACHE */ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_TLS, NDPI_CONFIDENCE_DPI_AGGRESSIVE); /* TLS over port 8080 usually triggers that risk; clear it */ - ndpi_unset_risk(ndpi_struct, flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT); + ndpi_unset_risk(flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT); flow->extra_packets_func = NULL; return(0); /* That's all */ } else { @@ -1286,11 +1284,11 @@ static int ndpi_search_tls_udp(struct ndpi_detection_module_struct *ndpi_struct, } if(handshake_frag_off == 0) { - rc = ndpi_search_tls_memory(ndpi_struct, flow, &block[13], + rc = ndpi_search_tls_memory(&block[13], handshake_frag_len + 12, handshake_frag_off, message); } else { - rc = ndpi_search_tls_memory(ndpi_struct, flow, &block[13 + 12], + rc = ndpi_search_tls_memory(&block[13 + 12], handshake_frag_len, handshake_frag_off + 12, message); } @@ -1472,7 +1470,7 @@ static void tlsCheckUncommonALPN(struct ndpi_detection_module_struct *ndpi_struc str[str_len - 1] = '\0'; } - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_UNCOMMON_ALPN, str); + ndpi_set_risk(flow, NDPI_TLS_UNCOMMON_ALPN, str); break; } @@ -1518,7 +1516,7 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct, printf("[TLS] extension length exceeds remaining packet length: %u > %u.\n", extension_len, packet->payload_packet_len - extension_payload_offset); #endif - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION, NULL); + ndpi_set_risk(flow, NDPI_TLS_SUSPICIOUS_EXTENSION, NULL); return; } @@ -1560,7 +1558,7 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct, #ifdef DEBUG_TLS printf("[TLS] suspicious extension id: %u\n", extension_id); #endif - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION, str); + ndpi_set_risk(flow, NDPI_TLS_SUSPICIOUS_EXTENSION, str); return; } } 
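Review bot: The offsets `13` and `12` in the two `ndpi_search_tls_memory()` calls of the `@@ -1286,11 +1284,11 @@` hunk are bare magic numbers. They appear to be the DTLS record-header and handshake-header sizes, but nothing in the hunk says so. Since both call sites are rewritten here, I would add a comment above the `if(handshake_frag_off == 0)` such as `/* 13 = DTLS record header, 12 = DTLS handshake header; the first fragment keeps the handshake header */`, or introduce named constants. The bounds check that `block` really holds `13 + 12 + handshake_frag_len` bytes lies outside the hunk and is worth confirming against these same numbers.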
@@ -1577,7 +1575,7 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct, #ifdef DEBUG_TLS printf("[TLS] suspicious DTLS-only extension id: %u\n", extension_id); #endif - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION, str); + ndpi_set_risk(flow, NDPI_TLS_SUSPICIOUS_EXTENSION, str); return; } } @@ -1601,8 +1599,7 @@ static int u_int16_t_cmpfunc(const void * a, const void * b) { return(*(u_int16_ /* **************************************** */ -static void ndpi_compute_ja4(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, +static void ndpi_compute_ja4(struct ndpi_flow_struct *flow, u_int32_t quic_version, union ja_info *ja) { u_int8_t tmp_str[JA_STR_LEN]; @@ -1680,7 +1677,7 @@ static void ndpi_compute_ja4(struct ndpi_detection_module_struct *ndpi_struct, break; } - ja_str[3] = ndpi_isset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST) ? 'i' : 'd', ja_str_len = 4; + ja_str[3] = ndpi_isset_risk(flow, NDPI_NUMERIC_IP_HOST) ? 'i' : 'd', ja_str_len = 4; /* JA4_a */ rc = ndpi_snprintf(&ja_str[ja_str_len], ja_max_len - ja_str_len, "%02u%02u%c%c_", @@ -1827,7 +1824,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, char unknown_cipher[8]; snprintf(str, sizeof(str), "Cipher %s", ndpi_cipher2str(ja.server.cipher[0], unknown_cipher)); - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_WEAK_CIPHER, str); + ndpi_set_risk(flow, NDPI_TLS_WEAK_CIPHER, str); } flow->protos.tls_quic.server_cipher = ja.server.cipher[0]; 
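Review bot: The rewritten line in the `@@ -1680,7 +1677,7 @@` hunk still joins two unrelated assignments with the comma operator, `ja_str[3] = ndpi_isset_risk(...) ? 'i' : 'd', ja_str_len = 4;`. That hides the length update from anyone scanning for where `ja_str_len` changes. Two statements read better: `ja_str[3] = ndpi_isset_risk(flow, NDPI_NUMERIC_IP_HOST) ? 'i' : 'd';` followed by `ja_str_len = 4;`. The same pattern, plus a stray double semicolon, is in the context of the `@@ -1916,12 +1913,12 @@` hunk (`s_offset += alpn_len, alpn_str_len += alpn_len;;`) and could be cleaned up the same way.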
@@ -1916,12 +1913,12 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, s_offset += alpn_len, alpn_str_len += alpn_len;; } else { alpn_str[alpn_str_len] = '\0'; - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_UNCOMMON_ALPN, alpn_str); + ndpi_set_risk(flow, NDPI_TLS_UNCOMMON_ALPN, alpn_str); break; } } else { alpn_str[alpn_str_len] = '\0'; - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_UNCOMMON_ALPN, alpn_str); + ndpi_set_risk(flow, NDPI_TLS_UNCOMMON_ALPN, alpn_str); break; } } /* while */ @@ -1932,7 +1929,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, printf("Server TLS [ALPN: %s][len: %u]\n", alpn_str, alpn_str_len); #endif if(ndpi_normalize_printable_string(alpn_str, alpn_str_len) == 0) - ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, alpn_str); + ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, alpn_str); if(flow->protos.tls_quic.negotiated_alpn == NULL) flow->protos.tls_quic.negotiated_alpn = ndpi_strdup(alpn_str); @@ -2055,7 +2052,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, snprintf(str, sizeof(str), "%s", ndpi_ssl_version2str(buf, sizeof(buf), flow->protos.tls_quic.ssl_version, &unknown_tls_version)); - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_OBSOLETE_VERSION, str); + ndpi_set_risk(flow, NDPI_TLS_OBSOLETE_VERSION, str); } if((session_id_len+base_offset+3) > packet->payload_packet_len) @@ -2264,10 +2261,10 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, printf("[TLS] SNI: [%s]\n", sni); #endif if(ndpi_is_valid_hostname((char *)&packet->payload[offset+extension_offset+5], len) == 0) { - ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, sni); + ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, sni); /* This looks like an attack */ - ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, NULL); + ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, NULL); } if(!is_quic) { 
@@ -2280,7 +2277,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, if((flow->protos.tls_quic.subprotocol_detected == 0) && (check_sni_is_numeric_ip(sni) == 1)) { - ndpi_set_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST, sni); + ndpi_set_risk(flow, NDPI_NUMERIC_IP_HOST, sni); } if(ndpi_check_dga_name(ndpi_struct, flow, sni, 1, 0)) { @@ -2733,8 +2730,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, #ifdef DEBUG_TLS printf("UA [%.*s]\n", (int)param_len, &packet->payload[s_offset]); #endif - http_process_user_agent(ndpi_struct, flow, - &packet->payload[s_offset], param_len); + http_process_user_agent(ndpi_struct, flow, &packet->payload[s_offset], param_len); break; } s_offset += param_len; @@ -2820,12 +2816,12 @@ compute_ja3c: NULL); if(rc1 == 0) - ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_JA3, flow->protos.tls_quic.ja3_client); + ndpi_set_risk(flow, NDPI_MALICIOUS_JA3, flow->protos.tls_quic.ja3_client); } } if(ndpi_struct->cfg.tls_ja4c_fingerprint_enabled) { - ndpi_compute_ja4(ndpi_struct, flow, quic_version, &ja); + ndpi_compute_ja4(flow, quic_version, &ja); } /* End JA3/JA4 */ } @@ -2834,14 +2830,14 @@ compute_ja3c: if((flow->protos.tls_quic.ssl_version >= 0x0303) /* >= TLSv1.2 */ && !(flow->stun.maybe_dtls == 1 && is_dtls && use_srtp) /* Webrtc traffic */ && (flow->protos.tls_quic.advertised_alpns == NULL) /* No ALPN */) { - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_NOT_CARRYING_HTTPS, "No ALPN"); + ndpi_set_risk(flow, NDPI_TLS_NOT_CARRYING_HTTPS, "No ALPN"); } /* Suspicious Domain Fronting: https://github.com/SixGenInc/Noctilucent/blob/master/docs/ */ if(flow->protos.tls_quic.encrypted_sni.esni && flow->host_server_name[0] != '\0') { - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_ESNI_USAGE, "Found ESNI w/o SNI"); + ndpi_set_risk(flow, NDPI_TLS_SUSPICIOUS_ESNI_USAGE, "Found ESNI w/o SNI"); } /* Add check for missing SNI */ 
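Review bot: In the `@@ -2834,14 +2830,14 @@` hunk the risk text "Found ESNI w/o SNI" contradicts the condition that guards it. `flow->host_server_name[0] != '\0'` is true when a server name is present, so the risk fires for ESNI together with a name, not without one. Assuming `host_server_name` holds the cleartext SNI at this point and the intent is the domain-fronting case named in the comment, the message should match the test, e.g. `ndpi_set_risk(flow, NDPI_TLS_SUSPICIOUS_ESNI_USAGE, "Found ESNI with SNI");`. If the message is the intended one, then the comparison should be `== '\0'`. As written, an analyst triaging from the string alone gets the opposite picture of the flow.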
@@ -2851,7 +2847,7 @@ compute_ja3c: && (flow->protos.tls_quic.encrypted_sni.esni == NULL) /* No ESNI */ ) { /* This is a bit suspicious */ - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_MISSING_SNI, NULL); + ndpi_set_risk(flow, NDPI_TLS_MISSING_SNI, NULL); if(flow->protos.tls_quic.advertised_alpns != NULL) { char buf[256], *tmp, *item; @@ -2863,7 +2859,7 @@ compute_ja3c: while(item != NULL) { if(item[0] == 'h') { /* Example 'h2' */ - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_ALPN_SNI_MISMATCH, NULL); + ndpi_set_risk(flow, NDPI_TLS_ALPN_SNI_MISMATCH, NULL); break; } else item = strtok_r(NULL, ",", &tmp); diff --git a/src/lib/protocols/vnc.c b/src/lib/protocols/vnc.c index 52c644224..33010046e 100644 --- a/src/lib/protocols/vnc.c +++ b/src/lib/protocols/vnc.c @@ -52,7 +52,7 @@ static void ndpi_search_vnc_tcp(struct ndpi_detection_module_struct *ndpi_struct ((memcmp(packet->payload, "RFB 004.", 7) == 0) && (packet->payload[11] == 0x0a)))) { NDPI_LOG_INFO(ndpi_struct, "found vnc\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VNC, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found VNC"); /* Remote assistance */ + ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found VNC"); /* Remote assistance */ return; } } diff --git a/src/lib/protocols/z3950.c b/src/lib/protocols/z3950.c index 1d1028f4e..96ae80560 100644 --- a/src/lib/protocols/z3950.c +++ b/src/lib/protocols/z3950.c @@ -35,7 +35,6 @@ static void ndpi_int_z3950_add_connection(struct ndpi_detection_module_struct *n /* ***************************************************************** */ static int z3950_parse_sequences(struct ndpi_packet_struct const * const packet, - struct ndpi_flow_struct *flow, int max_sequences) { size_t payload_offset = 2; int cur_sequences = 0; 
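Review bot: In the vnc.c hunk, `memcmp(packet->payload, "RFB 004.", 7)` compares only seven bytes of an eight-character literal, so the trailing `.` is never checked. Any byte in that position is accepted as part of the banner. If the dot belongs to the signature, the length should be 8: `((memcmp(packet->payload, "RFB 004.", 8) == 0) && (packet->payload[11] == 0x0a))`. The sibling banner comparisons and the payload-length guard of ndpi_search_vnc_tcp sit above the hunk, so they should be checked for the same mismatch.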
@@ -92,7 +91,7 @@ static void ndpi_search_z3950(struct ndpi_detection_module_struct *ndpi_struct, if(packet->tcp != NULL && packet->payload_packet_len >= 6 && flow->packet_counter >= 1 && flow->packet_counter <= 8) { - int ret = z3950_parse_sequences(packet, flow, minimum_expected_sequences); + int ret = z3950_parse_sequences(packet, minimum_expected_sequences); if(ret < 0) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); diff --git a/src/lib/protocols/zattoo.c b/src/lib/protocols/zattoo.c index 66743aeec..aba720243 100644 --- a/src/lib/protocols/zattoo.c +++ b/src/lib/protocols/zattoo.c @@ -34,7 +34,7 @@ __mingw_forceinline static #else __forceinline static #endif -u_int8_t ndpi_int_zattoo_user_agent_set(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) +u_int8_t ndpi_int_zattoo_user_agent_set(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; @@ -90,7 +90,7 @@ static void ndpi_search_zattoo(struct ndpi_detection_module_struct *ndpi_struct, * that might be changed later */ ndpi_parse_packet_line_info(ndpi_struct, flow); - if(ndpi_int_zattoo_user_agent_set(ndpi_struct, flow)) { + if(ndpi_int_zattoo_user_agent_set(ndpi_struct)) { NDPI_LOG_INFO(ndpi_struct, "found zattoo. add connection over tcp with pattern GET / or POST /\n"); ZATTOO_DETECTED; |