-rw-r--r-- | src/lib/ndpi_main.c | 33 | ||||
-rw-r--r-- | tests/pcap/imaps.pcap | bin | 0 -> 5540 bytes | |||
-rw-r--r-- | tests/result/imaps.pcap.out | 8 |
3 files changed, 38 insertions, 3 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index a062cdc8c..65600b74f 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -4356,9 +4356,34 @@ static void ndpi_reset_packet_line_info(struct ndpi_packet_struct *packet) {
 /* ********************************************************************************* */
+static int ndpi_check_protocol_port_mismatch_exceptions(struct ndpi_detection_module_struct *ndpi_str,
+ struct ndpi_flow_struct *flow,
+ ndpi_default_ports_tree_node_t *expected_proto,
+ ndpi_protocol *returned_proto) {
+ /*
+ For TLS (and other protocols) it is not simple to guess the exact protocol so before
+ triggering an alert we need to make sure what we have exhausted all the possible
+ options available
+ */
+
+ if(returned_proto->master_protocol == NDPI_PROTOCOL_TLS) {
+ switch(expected_proto->proto->protoId) {
+ case NDPI_PROTOCOL_MAIL_IMAPS:
+ case NDPI_PROTOCOL_MAIL_POPS:
+ case NDPI_PROTOCOL_MAIL_SMTPS:
+ return(1); /* This is a reasonable exception */
+ break;
+ }
+ }
+
+ return(0);
+}
+
+/* ********************************************************************************* */
+
 static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_str,
- struct ndpi_flow_struct *flow,
- ndpi_protocol *ret) {
+ struct ndpi_flow_struct *flow,
+ ndpi_protocol *ret) {
 /*
 Skype for a host doing MS Teams means MS Teams (MS Teams uses Skype as transport protocol for voice/video)
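Review bot: The exception in ndpi_check_protocol_port_mismatch_exceptions is keyed only on `returned_proto->master_protocol == NDPI_PROTOCOL_TLS` plus the port-derived protocol, so any TLS session on 993/995/465 — even one whose SNI names a non-mail host — now suppresses NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT with no check that the session is actually mail; that is a defensible trade-off, but the comment should say so, e.g. `/* TLS on a mail-over-TLS port: IMAPS/POPS/SMTPS cannot be told apart from other TLS here, so assume mail and do not raise the risk */` instead of "This is a reasonable exception". `ndpi_str` and `flow` are never read in the helper and will trip -Wunused-parameter; either drop them from the signature or add `(void)ndpi_str; (void)flow;`. The `switch` has no `default:` and the `break;` after `return(1);` is unreachable; a `default: break;` in its place keeps -Wswitch quiet if protoId is an enum. In the header comment, "make sure what we have exhausted" should read "make sure that we have exhausted". ndpi_reconcile_protocols, whose parameter lines are re-indented at the end of the hunk, continues outside it.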
@@ -4661,7 +4686,9 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
 && (found->proto->protoId != NDPI_PROTOCOL_UNKNOWN)
 && (found->proto->protoId != ret.master_protocol)) {
 // printf("******** %u / %u\n", found->proto->protoId, ret.master_protocol);
- NDPI_SET_BIT(flow->risk, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT);
+
+ if(!ndpi_check_protocol_port_mismatch_exceptions(ndpi_str, flow, found, &ret))
+ NDPI_SET_BIT(flow->risk, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT);
 } else if(default_ports && (default_ports[0] != 0)) {
 u_int8_t found = 0, i;
diff --git a/tests/pcap/imaps.pcap b/tests/pcap/imaps.pcap
Binary files differ
new file mode 100644
index 000000000..c038b57e2
--- /dev/null
+++ b/tests/pcap/imaps.pcap
diff --git a/tests/result/imaps.pcap.out b/tests/result/imaps.pcap.out
new file mode 100644
index 000000000..85fa9f3ec
--- /dev/null
+++ b/tests/result/imaps.pcap.out
@@ -0,0 +1,8 @@
+ntop 20 5196 1
+
+JA3 Host Stats:
+ IP Address # JA3C
+ 1 192.168.1.8 1
+
+
+ 1 TCP 192.168.1.8:50506 <-> 167.99.215.164:993 [proto: 91.26/TLS.ntop][cat: Network/14][10 pkts/1220 bytes <-> 10 pkts/3976 bytes][Goodput ratio: 45/83][0.33 sec][bytes ratio: -0.530 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 33/22 77/43 26/19][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 122/398 293/1506 78/557][TLSv1.2][Client: mail.ntop.org][JA3C: 4923a265be4d81c68ecda45bb89cdf6a][ServerNames: mail.ntop.org][JA3S: b653c251b0ee54c3088fe7bb997cf59d][Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3][Subject: CN=mail.ntop.org][Certificate SHA-1: F1:9A:35:30:96:57:5E:56:81:28:2C:D9:45:A5:83:21:9E:E8:C5:DF][Validity: 2020-04-18 00:15:22 - 2020-07-17 00:15:22][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384] |
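Review bot: The exception is only consulted on the path where `ret.master_protocol` already differs from the port-derived protocol, and the helper it calls matches on `returned_proto->master_protocol == NDPI_PROTOCOL_TLS`; if a TLS flow can reach this branch with TLS recorded in `app_protocol` and the master still NDPI_PROTOCOL_UNKNOWN, the guard is entered but the exception never fires and the risk is raised anyway. I cannot see from this hunk how `ret` is populated earlier in ndpi_detection_process_packet, so if that combination is possible the check should also accept `returned_proto->app_protocol == NDPI_PROTOCOL_TLS`. The new imaps.pcap regression only exercises port 993, while the exception also whitelists POPS and SMTPS, which have no pcap here and so remain unverified. The enclosing ndpi_detection_process_packet starts and ends outside the hunk.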