-rw-r--r--src/lib/protocols/tls.c34
-rw-r--r--tests/cfgs/default/pcap/false_positives.pcapngbin23892 -> 25048 bytes
-rw-r--r--tests/cfgs/default/result/false_positives.pcapng.out17
3 files changed, 29 insertions, 22 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index c8f880d49..44736a3a2 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -441,7 +441,10 @@ void switch_extra_dissection_to_tls_obfuscated_heur(struct ndpi_detection_module
{
NDPI_LOG_DBG(ndpi_struct, "Switching to TLS Obfuscated heuristic\n");
- flow->tls_quic.obfuscated_heur_state = ndpi_calloc(1, sizeof(struct tls_obfuscated_heuristic_state));
+ if(flow->tls_quic.obfuscated_heur_state == NULL)
+ flow->tls_quic.obfuscated_heur_state = ndpi_calloc(1, sizeof(struct tls_obfuscated_heuristic_state));
+ else /* If state has been already allocated (because of NDPI_HEURISTICS_TLS_OBFUSCATED_PLAIN) reset it */
+ memset(flow->tls_quic.obfuscated_heur_state, '\0', sizeof(struct tls_obfuscated_heuristic_state));
/* "* 2" to take into account ACKs. The "real" check is performend against
"tls_heuristics_max_packets" in tls_obfuscated_heur_search, as expected */
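Review bot: The ndpi_calloc result on the new if-branch is not checked, and the body of switch_extra_dissection_to_tls_obfuscated_heur continues past this hunk; judging by the "* 2" comment it presumably writes a packet budget into the freshly allocated state, which on allocation failure would be a NULL dereference (the else-branch needs no such check because its memset only runs on an existing pointer). Since the function returns void, a guard after the if/else such as `if(flow->tls_quic.obfuscated_heur_state == NULL) return;` would let an out-of-memory condition degrade to "no obfuscated heuristic" instead of crashing the dissector. As a style point, the memset passes `'\0'` where `0` is conventional, and both sizes could be written `sizeof(*flow->tls_quic.obfuscated_heur_state)` so they cannot drift from the pointer's type.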
@@ -3377,23 +3380,24 @@ static void ndpi_search_tls_wrapper(struct ndpi_detection_module_struct *ndpi_st
else
rc = ndpi_search_tls_tcp(ndpi_struct, flow);
- if(rc == 0)
+ /* We should check for this TLS heuristic if:
+ * the feature is enabled
+ * this flow doesn't seem a real TLS/DTLS one
+ * we are not here from STUN code or from opportunistic tls path (mails/ftp)
+ * with TCP, we got the 3WHS (so that we can process the beginning of the flow)
+ */
+ if(rc == 0 &&
+ (ndpi_struct->cfg.tls_heuristics & NDPI_HEURISTICS_TLS_OBFUSCATED_PLAIN) &&
+ flow->stun.maybe_dtls == 0 &&
+ flow->tls_quic.from_opportunistic_tls == 0 &&
+ ((flow->l4_proto == IPPROTO_TCP && ndpi_seen_flow_beginning(flow)) ||
+ flow->l4_proto == IPPROTO_UDP) &&
+ !is_flow_addr_informative(flow) /* The proxy server is likely hosted on some cloud providers */ ) {
flow->tls_quic.obfuscated_heur_state = ndpi_calloc(1, sizeof(struct tls_obfuscated_heuristic_state));
+ }
}
- /* We should check for this TLS heuristic if:
- * the feature is enabled
- * this flow doesn't seem a real TLS/DTLS one
- * we are not here from STUN code or from opportunistic tls path (mails/ftp)
- * with TCP, we got the 3WHS (so that we can process the beginning of the flow)
- */
- if(flow->tls_quic.obfuscated_heur_state &&
- (ndpi_struct->cfg.tls_heuristics & NDPI_HEURISTICS_TLS_OBFUSCATED_PLAIN) &&
- flow->stun.maybe_dtls == 0 &&
- flow->tls_quic.from_opportunistic_tls == 0 &&
- ((flow->l4_proto == IPPROTO_TCP && ndpi_seen_flow_beginning(flow)) ||
- flow->l4_proto == IPPROTO_UDP) &&
- !is_flow_addr_informative(flow) /* The proxy server is likely hosted on some cloud providers */ ) {
+ if(flow->tls_quic.obfuscated_heur_state) {
tls_obfuscated_heur_search_again(ndpi_struct, flow);
} else if(rc == 0) {
if(packet->udp != NULL || flow->stun.maybe_dtls)
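Review bot: The ndpi_calloc on the line following the new condition is still unchecked, and because the pointer is now the sole trigger for `tls_obfuscated_heur_search_again`, an allocation failure silently degrades to the plain `else if(rc == 0)` path with nothing logged; that is an acceptable fallback but deserves a comment such as `/* On allocation failure the flow simply skips the obfuscated-TLS heuristic */`. Whether this allocation can repeat for the same flow depends on the enclosing block, which starts before this hunk: if it is not already guarded by `obfuscated_heur_state == NULL`, a later packet with `rc == 0` and the same conditions would overwrite a live pointer and leak the earlier state, the same hazard the first hunk fixes in switch_extra_dissection_to_tls_obfuscated_heur. Note also that the gating predicates (`ndpi_seen_flow_beginning`, `is_flow_addr_informative`) now appear to be evaluated only when the state is allocated rather than on every packet, a behaviour change worth a sentence in the commit description.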
diff --git a/tests/cfgs/default/pcap/false_positives.pcapng b/tests/cfgs/default/pcap/false_positives.pcapng
index 9d8720ebf..788a2cfdb 100644
--- a/tests/cfgs/default/pcap/false_positives.pcapng
+++ b/tests/cfgs/default/pcap/false_positives.pcapng
Binary files differ
diff --git a/tests/cfgs/default/result/false_positives.pcapng.out b/tests/cfgs/default/result/false_positives.pcapng.out
index 9014ecd93..ed9bef576 100644
--- a/tests/cfgs/default/result/false_positives.pcapng.out
+++ b/tests/cfgs/default/result/false_positives.pcapng.out
@@ -1,16 +1,17 @@
+DPI Packets (TCP): 4 (4.00 pkts/flow)
DPI Packets (UDP): 18 (3.60 pkts/flow)
Confidence Unknown : 1 (flows)
-Confidence DPI : 4 (flows)
-Num dissector calls: 838 (167.60 diss/flow)
+Confidence DPI : 5 (flows)
+Num dissector calls: 854 (142.33 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/3/0 (insert/search/found)
LRU cache stun: 0/0/0 (insert/search/found)
LRU cache tls_cert: 0/0/0 (insert/search/found)
LRU cache mining: 0/1/0 (insert/search/found)
LRU cache msteams: 0/0/0 (insert/search/found)
-LRU cache fpc_dns: 0/5/0 (insert/search/found)
-Automa host: 0/0 (search/found)
-Automa domain: 0/0 (search/found)
+LRU cache fpc_dns: 0/6/0 (insert/search/found)
+Automa host: 1/0 (search/found)
+Automa domain: 1/0 (search/found)
Automa tls cert: 0/0 (search/found)
Automa risk mask: 0/0 (search/found)
Automa common alpns: 0/0 (search/found)
@@ -18,19 +19,21 @@ Patricia risk mask: 6/0 (search/found)
Patricia risk mask IPv6: 0/0 (search/found)
Patricia risk: 0/0 (search/found)
Patricia risk IPv6: 0/0 (search/found)
-Patricia protocols: 10/0 (search/found)
+Patricia protocols: 12/0 (search/found)
Patricia protocols IPv6: 0/0 (search/found)
Unknown 6 460 1
+HTTP 4 973 1
RTP 110 19309 4
-Acceptable 110 19309 4
+Acceptable 114 20282 5
Unrated 6 460 1
1 UDP 10.192.92.81:52070 <-> 10.136.43.69:21048 [VLAN: 20][proto: 87/RTP][IP: 0/Unknown][Stream Content: Audio][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 3][cat: Media/1][15 pkts/3330 bytes <-> 15 pkts/3330 bytes][Goodput ratio: 77/77][0.30 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 19/19 19/19 20/20 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 222/222 222/222 222/222 0/0][PLAIN TEXT (UUUUUUUUUUUUU)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
2 UDP 10.126.70.67:23784 <-> 10.236.7.225:50160 [VLAN: 107][proto: 87/RTP][IP: 0/Unknown][Stream Content: Audio][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 3][cat: Media/1][18 pkts/3924 bytes <-> 12 pkts/2616 bytes][Goodput ratio: 79/79][0.34 sec][bytes ratio: 0.200 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/19 20/20 20/20 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 218/218 218/218 218/218 0/0][PLAIN TEXT (UUUUUUUUU)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
3 UDP 10.102.45.249:31046 <-> 10.133.48.100:21176 [VLAN: 10][proto: GTP:87/RTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 3][cat: Media/1][22 pkts/2860 bytes <-> 8 pkts/989 bytes][Goodput ratio: 34/30][0.44 sec][bytes ratio: 0.486 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/19 22/19 44/20 15/0][Pkt Len c2s/s2c min/avg/max/stddev: 130/113 130/124 130/130 0/8][Plen Bins: 10,90,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
4 UDP 10.133.32.101:36408 -> 10.110.31.25:1272 [VLAN: 10][proto: GTP:87/RTP][IP: 0/Unknown][Stream Content: Audio][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 3][cat: Media/1][20 pkts/2260 bytes -> 0 pkts/0 bytes][Goodput ratio: 24/0][0.38 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 19/0 20/0 21/0 1/0][Pkt Len c2s/s2c min/avg/max/stddev: 113/0 113/0 113/0 0/0][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 5 TCP 10.140.231.26:61202 <-> 159.65.12.169:443 [VLAN: 113][proto: GTP:7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 4][cat: Web/5][2 pkts/557 bytes <-> 2 pkts/416 bytes][Goodput ratio: 58/45][0.20 sec][Hostname/SNI: wludo.superkinglabs.com][URL: wludo.superkinglabs.com:443/ws][StatusCode: 101][Server: nginx/1.12.2][Risk: ** Known Proto on Non Std Port **** HTTP Susp User-Agent **** HTTP Obsolete Server **][Risk Score: 200][Risk Info: Empty or missing User-Agent / Expected on port 80 / Obsolete nginx server 1.12.2][PLAIN TEXT (GET /ws HTTP/1.1)][Plen Bins: 0,0,0,0,0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
Undetected flows: