-rw-r--r--example/protos.txt6
-rw-r--r--src/include/ndpi_typedefs.h2
-rw-r--r--src/lib/ndpi_utils.c31
3 files changed, 22 insertions, 17 deletions
diff --git a/example/protos.txt b/example/protos.txt
index b80e4cf57..560baf296 100644
--- a/example/protos.txt
+++ b/example/protos.txt
@@ -49,8 +49,8 @@ ip:54.80.47.130@AmazonPrime
#
# For IPs, the flow risk is put in AND (source IP mask OR destination IP mask)
# For Flows with a hostname (e.g. TLS) the risk is also put in AND with the host_risk_mask
-ip_risk_mask:192.168.1.6=0
-ip_risk_mask:10.196.157.228=0
-host_risk_mask:"api-global.netflix.com"=0
+#ip_risk_mask:192.168.1.0/24=0
+#ip_risk_mask:10.196.157.228=0
+#host_risk_mask:".local"=0
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index a8bc466f6..486af76ed 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1301,7 +1301,7 @@ struct ndpi_flow_struct {
/* HTTP host or DNS query */
u_char host_server_name[240];
u_int8_t initial_binary_bytes[8], initial_binary_bytes_len;
- u_int8_t risk_checked:1, ip_risk_mask_evaluated:1, _notused:6;
+ u_int8_t risk_checked:1, ip_risk_mask_evaluated:1, host_risk_mask_evaluated:1, _notused:7;
ndpi_risk host_risk_mask; /* Stores the flow risk mask for flow peers */
ndpi_risk risk; /* Issues found with this flow [bitmask of ndpi_risk] */
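Review bot: The bit-field widths on the changed line now add up to 10 bits (`1 + 1 + 1 + 7`) although the declared unit is `u_int8_t`, so the padding field should have shrunk rather than grown: `u_int8_t risk_checked:1, ip_risk_mask_evaluated:1, host_risk_mask_evaluated:1, _notused:5;`. As written, `_notused:7` no longer fits in the same byte as the three flags, so the compiler has to place it in a further storage unit, which can change the size or member offsets of `struct ndpi_flow_struct` for code built against the previous header. The struct starts and ends outside this hunk, so whether existing alignment padding absorbs the extra byte cannot be judged from here.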
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 2a5d1864b..80342b32d 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -2056,20 +2056,25 @@ static void ndpi_handle_risk_exceptions(struct ndpi_detection_module_struct *ndp
if(flow->risk == 0) return; /* Nothing to do */
host = ndpi_get_flow_name(flow);
-
- if(host && (host[0] != '\0')) {
- /* Check host exception */
- ndpi_automa *automa = &ndpi_str->host_risk_mask_automa;
-
- if(automa->ac_automa) {
- AC_TEXT_t ac_input_text;
- AC_REP_t match;
-
- ac_input_text.astring = host, ac_input_text.length = strlen(host);
- ac_input_text.option = 0;
+
+ if(!flow->host_risk_mask_evaluated) {
+ if(host && (host[0] != '\0')) {
+ /* Check host exception */
+ ndpi_automa *automa = &ndpi_str->host_risk_mask_automa;
- if(ac_automata_search(automa->ac_automa, &ac_input_text, &match) > 0)
- flow->risk &= match.number64;
+ if(automa->ac_automa) {
+ AC_TEXT_t ac_input_text;
+ AC_REP_t match;
+
+ ac_input_text.astring = host, ac_input_text.length = strlen(host);
+ ac_input_text.option = 0;
+
+ if(ac_automata_search(automa->ac_automa, &ac_input_text, &match) > 0)
+ flow->risk &= match.number64;
+ }
+
+ /* Used to avoid double checks (e.g. in DNS req/rsp) */
+ flow->host_risk_mask_evaluated = 1;
}
}
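Review bot: Once `host_risk_mask_evaluated` is set, the host exception block is skipped for the rest of the flow, so the matched mask is applied only to the risk bits present in `flow->risk` at that first call. If the function is invoked again after further risk bits are raised (the caller is outside this hunk, so this is inferred), those later bits are not filtered by `host_risk_mask_automa`, and a host configured with a `=0` mask would still report them. One way to keep the one-time automaton search while staying consistent is to store `match.number64` in the flow on the first match and re-apply the stored value to `flow->risk` on each call. The comment `/* Used to avoid double checks (e.g. in DNS req/rsp) */` should also say that the flag is deliberately left unset while the hostname is still empty. The function body begins and ends outside the hunk.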