-rw-r--r-- | src/lib/protocols/blizzard.c | 38 | ||||
-rw-r--r-- | tests/cfgs/default/pcap/blizzard.pcap | bin | 33392 -> 86128 bytes | |||
-rw-r--r-- | tests/cfgs/default/result/blizzard.pcap.out | 31 |
3 files changed, 52 insertions, 17 deletions
diff --git a/src/lib/protocols/blizzard.c b/src/lib/protocols/blizzard.c
index 62d434360..6c566a4a6 100644
--- a/src/lib/protocols/blizzard.c
+++ b/src/lib/protocols/blizzard.c
@@ -31,6 +31,8 @@ static void search_blizzard_tcp(struct ndpi_detection_module_struct* ndpi_struct
 {
 struct ndpi_packet_struct* packet = &ndpi_struct->packet;
 char wow_string[] = "WORLD OF WARCRAFT CONNECTION";
+ char overwatch2_string_c[] = "HELLO PRO CLIENT\0";
+ char overwatch2_string_s[] = "HELLO PRO SERVER\0";
 NDPI_LOG_DBG(ndpi_struct, "search Blizzard\n");
@@ -53,7 +55,7 @@ static void search_blizzard_tcp(struct ndpi_detection_module_struct* ndpi_struct
 /* Pattern found on Hearthstone */
 if(packet->payload_packet_len >= 8 && le32toh(*(uint32_t *)&packet->payload[4]) == (u_int32_t)(packet->payload_packet_len - 8)) {
- NDPI_LOG_INFO(ndpi_struct, "Found Blizzard\n");
+ NDPI_LOG_INFO(ndpi_struct, "Found Blizzard (Hearthstone)\n");
 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BLIZZARD, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
 return;
 }
@@ -68,6 +70,18 @@ static void search_blizzard_tcp(struct ndpi_detection_module_struct* ndpi_struct
 return;
 }
+ /* Pattern found on Overwatch2 */
+ if((packet->payload_packet_len == NDPI_STATICSTRING_LEN(overwatch2_string_c) && memcmp(packet->payload, overwatch2_string_c, NDPI_STATICSTRING_LEN(overwatch2_string_c)) == 0) || (packet->payload_packet_len == NDPI_STATICSTRING_LEN(overwatch2_string_s) && memcmp(packet->payload, overwatch2_string_s, NDPI_STATICSTRING_LEN(overwatch2_string_s)) == 0)) {
+ NDPI_LOG_INFO(ndpi_struct, "Found Blizzard (overwatch2)\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BLIZZARD, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ return;
+ }
+
+ /* TODO: other patterns */
+
 NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 }
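Review bot: The `\0` written inside `"HELLO PRO CLIENT\0"` and `"HELLO PRO SERVER\0"` is load-bearing but reads like a typo: if `NDPI_STATICSTRING_LEN` is `sizeof(x) - 1`, as its name suggests, the compare length becomes 17 and the memcmp in the third hunk deliberately requires the trailing NUL on the wire, which the exact `payload_packet_len ==` guard then also enforces. A maintainer who "cleans up" the literal would silently shorten the match to 16 bytes and stop requiring the terminator, widening what this dissector accepts as a handshake. Please state the intent at the declaration, e.g. `/* Trailing \0 is intentional: the wire handshake is NUL-terminated and the compare length must include it */`. Since both arrays are never written, `static const char` would also avoid copying them onto the stack on every call. The enclosing function search_blizzard_tcp starts before this hunk.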
@@ -86,14 +100,32 @@ static void search_blizzard_udp(struct ndpi_detection_module_struct* ndpi_struct
 /* First pkt send by the server */
 (packet->payload_packet_len == 15 && packet->payload[14] == 1)) {
- NDPI_LOG_INFO(ndpi_struct, "Found Blizzard\n");
+ NDPI_LOG_INFO(ndpi_struct, "Found Blizzard (Warcraft Ramble; pattern 1)\n");
 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BLIZZARD, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
 return;
 }
 /* First pkt send by the client */
 if(packet->payload_packet_len == 23 && ndpi_match_strprefix(packet->payload, packet->payload_packet_len, "\xff\xff\xff\xff\xa3\x1f\xb6\x1e\x00\x00\x40\x01\x00\x00\x00\x00\x00\x00\x00\x04\x03\x02\x01")) {
- NDPI_LOG_INFO(ndpi_struct, "Found Blizzard\n");
+ NDPI_LOG_INFO(ndpi_struct, "Found Blizzard (Warcraft Ramble; pattern 2)\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BLIZZARD, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ return;
+ }
+
+ /* Patterns found on Overwatch2 */
+ /* Some kind of ping */
+ if(flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_BLIZZARD && packet->payload_packet_len == 40 && *(uint32_t *)&packet->payload[17] == 0 /* Seq number starting from 0 */) {
+ NDPI_LOG_INFO(ndpi_struct, "Found Blizzard (overwatch2; pattern 1)\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BLIZZARD, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ return;
+ }
+ if(flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_BLIZZARD && packet->payload_packet_len == 50 && ((*(uint64_t *)&packet->payload[32] == 0 && *(uint64_t *)&packet->payload[40] == 0) /* First pkt from client */ || (*(uint64_t *)&packet->payload[0] == 0 && *(uint64_t *)&packet->payload[8] == 0)) /* First pkt from server */) {
+ NDPI_LOG_INFO(ndpi_struct, "Found Blizzard (overwatch2; pattern 2)\n");
 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BLIZZARD, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
 return;
 }
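Review bot: `*(uint32_t *)&packet->payload[17]` in the first Overwatch2 check reads a 32-bit word at an odd offset, and the `*(uint64_t *)&packet->payload[32]`, `[40]`, `[0]` and `[8]` reads in the second are not guaranteed 8-byte aligned either, because payload is a byte pointer into the captured packet; on strict-alignment targets that is a SIGBUS, `-fsanitize=alignment` reports it, and it is formally a strict-aliasing violation everywhere. The `== 40` and `== 50` length guards do keep every read in bounds, so this is undefined behaviour rather than an overread. Read the fields via a local instead, e.g. `uint32_t seq; memcpy(&seq, &packet->payload[17], sizeof(seq));` and test `seq == 0` (or the get_u_int32_t/get_u_int64_t accessors other nDPI dissectors use, if they are in scope here); the pre-existing `le32toh(*(uint32_t *)&packet->payload[4])` in the TCP path has the same problem outside this hunk. Separately, both UDP heuristics key on a fixed length plus a zero sequence/ID field and are only made safe by the `guessed_protocol_id_by_ip` gate, so a comment such as `/* Weak pattern: only trusted because the peer is in a known Blizzard range */` would tell the next reader why `NDPI_CONFIDENCE_DPI` is acceptable here. search_blizzard_udp begins and ends outside this hunk.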
diff --git a/tests/cfgs/default/pcap/blizzard.pcap b/tests/cfgs/default/pcap/blizzard.pcap Binary files differindex dfdd34b25..30e54db09 100644 --- a/tests/cfgs/default/pcap/blizzard.pcap +++ b/tests/cfgs/default/pcap/blizzard.pcap diff --git a/tests/cfgs/default/result/blizzard.pcap.out b/tests/cfgs/default/result/blizzard.pcap.out index b924e3cf0..6a70df956 100644 --- a/tests/cfgs/default/result/blizzard.pcap.out +++ b/tests/cfgs/default/result/blizzard.pcap.out @@ -1,14 +1,14 @@ -DPI Packets (TCP): 18 (4.50 pkts/flow) -DPI Packets (UDP): 2 (1.00 pkts/flow) -Confidence DPI : 6 (flows) -Num dissector calls: 165 (27.50 diss/flow) +DPI Packets (TCP): 22 (4.40 pkts/flow) +DPI Packets (UDP): 4 (1.00 pkts/flow) +Confidence DPI : 9 (flows) +Num dissector calls: 169 (18.78 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) LRU cache tls_cert: 0/0/0 (insert/search/found) LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) -LRU cache fpc_dns: 0/4/0 (insert/search/found) +LRU cache fpc_dns: 0/5/0 (insert/search/found) Automa host: 0/0 (search/found) Automa domain: 0/0 (search/found) Automa tls cert: 0/0 (search/found) 
@@ -18,17 +18,20 @@ Patricia risk mask: 0/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) -Patricia protocols: 6/6 (search/found) +Patricia protocols: 9/9 (search/found) Patricia protocols IPv6: 0/0 (search/found) WorldOfWarcraft 31 12551 1 -Blizzard 109 15770 5 +Blizzard 175 66112 8 -Fun 140 28321 6 +Fun 206 78663 9 - 1 TCP 192.168.1.117:50015 <-> 66.40.180.215:3724 [proto: 76/WorldOfWarcraft][IP: 213/Blizzard][ClearText][Confidence: DPI][FPC: 213/Blizzard, Confidence: IP address][DPI packets: 4][cat: Game/8][13 pkts/1799 bytes <-> 18 pkts/10752 bytes][Goodput ratio: 60/90][5.71 sec][bytes ratio: -0.713 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 590/152 3386/1606 1107/407][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 138/597 982/5894 244/1339][TCP Fingerprint: 2_128_65535_6bb88f5575fd/Windows][PLAIN TEXT (WORLD OF WARCRAFT CONNECTION )][Plen Bins: 31,12,12,6,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,6,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,6] - 2 UDP 192.168.12.67:44282 <-> 34.22.163.26:7521 [proto: 213/Blizzard][IP: 284/GoogleCloud][ClearText][Confidence: DPI][FPC: 213/Blizzard, Confidence: DPI][DPI packets: 1][cat: Game/8][8 pkts/3237 bytes <-> 10 pkts/2057 bytes][Goodput ratio: 90/80][0.47 sec][bytes ratio: 0.223 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 46/55 293/316 101/107][Pkt Len c2s/s2c min/avg/max/stddev: 61/61 405/206 542/542 202/220][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic / Expected on port 1119][PLAIN TEXT (yTIdpE)][Plen Bins: 50,0,0,0,0,0,0,0,0,0,0,5,0,0,0,44,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 3 TCP 192.168.12.67:42710 <-> 137.221.107.220:3724 [proto: 213/Blizzard][IP: 213/Blizzard][ClearText][Confidence: DPI][FPC: 213/Blizzard, Confidence: IP address][DPI packets: 4][cat: Game/8][11 pkts/845 bytes <-> 10 pkts/3590 bytes][Goodput ratio: 13/81][1.95 sec][bytes ratio: 
-0.619 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 180/168 330/335 110/95][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 77/359 161/1514 27/563][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: Expected on port 1119][TCP Fingerprint: 2_64_65535_685ad951a756/Android][PLAIN TEXT (OPbMAN)][Plen Bins: 66,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,11,0,0] - 4 TCP 192.168.1.205:50082 <-> 37.244.28.101:1119 [proto: 213/Blizzard][IP: 213/Blizzard][ClearText][Confidence: DPI][FPC: 213/Blizzard, Confidence: IP address][DPI packets: 6][cat: Game/8][17 pkts/1264 bytes <-> 8 pkts/1183 bytes][Goodput ratio: 26/61][1.45 sec][bytes ratio: 0.033 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 43/205 281/800 74/282][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 74/148 163/669 26/199][TCP Fingerprint: 2_128_32768_5a9ef1c58d0b/Windows][PLAIN TEXT (X@GMAIL.COM)][Plen Bins: 75,6,6,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 5 TCP 192.168.1.205:50056 <-> 137.221.106.59:1119 [proto: 213/Blizzard][IP: 213/Blizzard][ClearText][Confidence: DPI][FPC: 213/Blizzard, Confidence: IP address][DPI packets: 4][cat: Game/8][11 pkts/802 bytes <-> 8 pkts/1271 bytes][Goodput ratio: 24/64][2.25 sec][bytes ratio: -0.226 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/0 143/274 218/910 80/307][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 73/159 163/669 32/201][TCP Fingerprint: 2_128_32768_5a9ef1c58d0b/Windows][PLAIN TEXT (X@GMAIL.COM)][Plen Bins: 55,11,0,11,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 6 UDP 192.168.12.67:1120 <-> 34.171.17.90:50000 [proto: 213/Blizzard][IP: 284/GoogleCloud][ClearText][Confidence: DPI][FPC: 213/Blizzard, Confidence: DPI][DPI packets: 1][cat: Game/8][13 pkts/780 bytes <-> 13 pkts/741 bytes][Goodput ratio: 30/26][55.32 sec][bytes ratio: 0.026 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2001/2000 4765/4765 12385/12384 
3769/3769][Pkt Len c2s/s2c min/avg/max/stddev: 60/57 60/57 60/57 0/0][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic / Expected on port 1119][PLAIN TEXT (bdXMtY2)][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 TCP 192.168.1.117:60378 <-> 66.40.191.253:3724 [proto: 213/Blizzard][IP: 213/Blizzard][ClearText][Confidence: DPI][FPC: 213/Blizzard, Confidence: IP address][DPI packets: 4][cat: Game/8][11 pkts/1863 bytes <-> 20 pkts/43947 bytes][Goodput ratio: 67/97][0.49 sec][bytes ratio: -0.919 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 40/22 104/81 31/27][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 169/2197 785/29254 227/6289][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: Expected on port 1119][TCP Fingerprint: 2_128_65535_6bb88f5575fd/Windows][PLAIN TEXT (XLBcTjPRO SERVER)][Plen Bins: 20,15,5,0,0,0,0,0,0,0,5,0,0,10,5,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0,0,0,0,0,0,0,0,0,20] + 2 TCP 192.168.1.117:50015 <-> 66.40.180.215:3724 [proto: 76/WorldOfWarcraft][IP: 213/Blizzard][ClearText][Confidence: DPI][FPC: 213/Blizzard, Confidence: IP address][DPI packets: 4][cat: Game/8][13 pkts/1799 bytes <-> 18 pkts/10752 bytes][Goodput ratio: 60/90][5.71 sec][bytes ratio: -0.713 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 590/152 3386/1606 1107/407][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 138/597 982/5894 244/1339][TCP Fingerprint: 2_128_65535_6bb88f5575fd/Windows][PLAIN TEXT (WORLD OF WARCRAFT CONNECTION )][Plen Bins: 31,12,12,6,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,6,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,6] + 3 UDP 192.168.12.67:44282 <-> 34.22.163.26:7521 [proto: 213/Blizzard][IP: 284/GoogleCloud][ClearText][Confidence: DPI][FPC: 213/Blizzard, Confidence: DPI][DPI packets: 1][cat: Game/8][8 pkts/3237 bytes <-> 10 pkts/2057 bytes][Goodput ratio: 90/80][0.47 sec][bytes ratio: 0.223 (Upload)][IAT c2s/s2c 
min/avg/max/stddev: 0/0 46/55 293/316 101/107][Pkt Len c2s/s2c min/avg/max/stddev: 61/61 405/206 542/542 202/220][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic / Expected on port 1119][PLAIN TEXT (yTIdpE)][Plen Bins: 50,0,0,0,0,0,0,0,0,0,0,5,0,0,0,44,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 TCP 192.168.12.67:42710 <-> 137.221.107.220:3724 [proto: 213/Blizzard][IP: 213/Blizzard][ClearText][Confidence: DPI][FPC: 213/Blizzard, Confidence: IP address][DPI packets: 4][cat: Game/8][11 pkts/845 bytes <-> 10 pkts/3590 bytes][Goodput ratio: 13/81][1.95 sec][bytes ratio: -0.619 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 180/168 330/335 110/95][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 77/359 161/1514 27/563][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: Expected on port 1119][TCP Fingerprint: 2_64_65535_685ad951a756/Android][PLAIN TEXT (OPbMAN)][Plen Bins: 66,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,11,0,0] + 5 UDP 192.168.1.117:58787 <-> 137.221.82.101:29503 [proto: 213/Blizzard][IP: 213/Blizzard][ClearText][Confidence: DPI][FPC: 213/Blizzard, Confidence: DPI][DPI packets: 1][cat: Game/8][7 pkts/762 bytes <-> 9 pkts/2212 bytes][Goodput ratio: 61/83][1.20 sec][bytes ratio: -0.488 (Download)][IAT c2s/s2c min/avg/max/stddev: 62/0 195/107 311/285 81/128][Pkt Len c2s/s2c min/avg/max/stddev: 92/92 109/246 123/1287 15/369][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic / Expected on port 1119][Plen Bins: 0,50,25,18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0] + 6 TCP 192.168.1.205:50082 <-> 37.244.28.101:1119 [proto: 213/Blizzard][IP: 213/Blizzard][ClearText][Confidence: DPI][FPC: 213/Blizzard, Confidence: IP address][DPI packets: 6][cat: Game/8][17 pkts/1264 bytes <-> 8 pkts/1183 bytes][Goodput ratio: 26/61][1.45 sec][bytes ratio: 0.033 
(Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 43/205 281/800 74/282][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 74/148 163/669 26/199][TCP Fingerprint: 2_128_32768_5a9ef1c58d0b/Windows][PLAIN TEXT (X@GMAIL.COM)][Plen Bins: 75,6,6,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 7 TCP 192.168.1.205:50056 <-> 137.221.106.59:1119 [proto: 213/Blizzard][IP: 213/Blizzard][ClearText][Confidence: DPI][FPC: 213/Blizzard, Confidence: IP address][DPI packets: 4][cat: Game/8][11 pkts/802 bytes <-> 8 pkts/1271 bytes][Goodput ratio: 24/64][2.25 sec][bytes ratio: -0.226 (Download)][IAT c2s/s2c min/avg/max/stddev: 2/0 143/274 218/910 80/307][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 73/159 163/669 32/201][TCP Fingerprint: 2_128_32768_5a9ef1c58d0b/Windows][PLAIN TEXT (X@GMAIL.COM)][Plen Bins: 55,11,0,11,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 8 UDP 192.168.1.117:63711 <-> 137.221.72.99:29523 [proto: 213/Blizzard][IP: 213/Blizzard][ClearText][Confidence: DPI][FPC: 213/Blizzard, Confidence: DPI][DPI packets: 1][cat: Game/8][10 pkts/820 bytes <-> 9 pkts/738 bytes][Goodput ratio: 49/49][2.47 sec][bytes ratio: 0.053 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 249/248 274/272 293/295 18/18][Pkt Len c2s/s2c min/avg/max/stddev: 82/82 82/82 82/82 0/0][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic / Expected on port 1119][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 9 UDP 192.168.12.67:1120 <-> 34.171.17.90:50000 [proto: 213/Blizzard][IP: 284/GoogleCloud][ClearText][Confidence: DPI][FPC: 213/Blizzard, Confidence: DPI][DPI packets: 1][cat: Game/8][13 pkts/780 bytes <-> 13 pkts/741 bytes][Goodput ratio: 30/26][55.32 sec][bytes ratio: 0.026 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2001/2000 4765/4765 12385/12384 3769/3769][Pkt Len c2s/s2c min/avg/max/stddev: 60/57 60/57 60/57 0/0][Risk: ** 
Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic / Expected on port 1119][PLAIN TEXT (bdXMtY2)][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |