-rw-r--r-- | src/lib/protocols/crossfire.c | 55 | ||||
-rw-r--r-- | tests/cfgs/default/pcap/crossfire.pcapng | bin | 0 -> 32972 bytes | |||
-rw-r--r-- | tests/cfgs/default/result/crossfire.pcapng.out | 30 |
3 files changed, 53 insertions, 32 deletions
diff --git a/src/lib/protocols/crossfire.c b/src/lib/protocols/crossfire.c
index 78fd3358e..cf27477e2 100644
--- a/src/lib/protocols/crossfire.c
+++ b/src/lib/protocols/crossfire.c
@@ -30,50 +30,41 @@ static void ndpi_int_crossfire_add_connection(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) + struct ndpi_flow_struct *flow) { - + NDPI_LOG_INFO(ndpi_struct, "found CrossFire\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CROSSFIRE, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); } static void ndpi_search_crossfire_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &ndpi_struct->packet; + struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; + + NDPI_LOG_DBG(ndpi_struct, "search CrossFire\n"); - NDPI_LOG_DBG(ndpi_struct, "search crossfire\n"); - if (packet->udp != 0) { - if (packet->payload_packet_len == 25 - && get_u_int32_t(packet->payload, 0) == ntohl(0xc7d91999) - && get_u_int16_t(packet->payload, 4) == ntohs(0x0200) - && get_u_int16_t(packet->payload, 22) == ntohs(0x7d00)) { - NDPI_LOG_INFO(ndpi_struct, "found Crossfire: udp packet\n"); - ndpi_int_crossfire_add_connection(ndpi_struct, flow); - return; - } + if (packet->udp != NULL && packet->payload_packet_len >= 8 && + get_u_int32_t(packet->payload, 0) == ntohl(0xc7d91999)) + { + ndpi_int_crossfire_add_connection(ndpi_struct, flow); + return; + } - } else if (packet->tcp != 0) { - if (packet->payload_packet_len > 4 && memcmp(packet->payload, "GET /", 5) == 0) { - ndpi_parse_packet_line_info(ndpi_struct, flow); - if (packet->parsed_lines == 8 - && (packet->line[0].ptr != NULL && packet->line[0].len >= 30 - && (memcmp(&packet->payload[5], "notice/login_big", 16) == 0 - || memcmp(&packet->payload[5], "notice/login_small", 18) == 0)) - && memcmp(&packet->payload[packet->line[0].len - 19], "/index.asp HTTP/1.", 18) == 0 - && (packet->host_line.ptr != NULL && packet->host_line.len >= 13 - && (memcmp(packet->host_line.ptr, "crossfire", 9) == 0 - || memcmp(packet->host_line.ptr, "www.crossfire", 13) == 0)) - ) { - NDPI_LOG_DBG(ndpi_struct, "found 
Crossfire: HTTP request\n"); - ndpi_int_crossfire_add_connection(ndpi_struct, flow); - return; - } - } + if (packet->tcp != NULL && packet->payload_packet_len > 100 && + (packet->payload[0] == 0xF1 && packet->payload[packet->payload_packet_len-1] == 0xF2)) + { + /* Login packet */ + if (ntohl(get_u_int32_t(packet->payload, 2)) == 0x01000000) + { + ndpi_int_crossfire_add_connection(ndpi_struct, flow); + return; + } - } + /* TODO: add more CrossFire TCP signatures*/ + } - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/tests/cfgs/default/pcap/crossfire.pcapng b/tests/cfgs/default/pcap/crossfire.pcapng Binary files differnew file mode 100644 index 000000000..508003b3a --- /dev/null +++ b/tests/cfgs/default/pcap/crossfire.pcapng diff --git a/tests/cfgs/default/result/crossfire.pcapng.out b/tests/cfgs/default/result/crossfire.pcapng.out new file mode 100644 index 000000000..9d039657b --- /dev/null +++ b/tests/cfgs/default/result/crossfire.pcapng.out 
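Review bot: In the UDP branch the guard `packet->payload_packet_len >= 8` reserves eight bytes but the match only reads the four at offset 0, so the signature has shrunk from an exact-length, three-field check to a single 32-bit magic and the extra four bytes of the guard verify nothing. Either read what the guard reserves (a second field after the magic that the new pcap confirms) or lower the guard to `>= 4` and add `/* the 32-bit magic alone is the UDP signature */` so a later reader does not assume more is checked. In the TCP branch a 0xF1…0xF2-framed packet whose bytes 2..5 are not `01 00 00 00` falls straight through to `NDPI_EXCLUDE_PROTO`, so signatures added at the `TODO` will presumably only ever be tried against the first payload packet of a flow; if that is not intended, `return;` after the framing match instead of excluding. The `ntohl(get_u_int32_t(packet->payload, 2)) == 0x01000000` comparison also reads differently from the UDP branch's `get_u_int32_t(...) == ntohl(...)`; using one form in both places makes it clearer that both constants are network-order.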
@@ -0,0 +1,30 @@ +DPI Packets (TCP): 4 (4.00 pkts/flow) +DPI Packets (UDP): 2 (1.00 pkts/flow) +Confidence DPI : 3 (flows) +Num dissector calls: 112 (37.33 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache fpc_dns: 0/1/0 (insert/search/found) +Automa host: 0/0 (search/found) +Automa domain: 0/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 0/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 6/0 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +Crossfire 32 31378 3 + +Fun 32 31378 3 + + 1 TCP 192.168.1.15:49797 <-> 67.210.208.31:13008 [proto: 105/Crossfire][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 4][cat: RPC/16][12 pkts/2025 bytes <-> 11 pkts/28669 bytes][Goodput ratio: 67/98][56.82 sec][bytes ratio: -0.868 (Download)][IAT c2s/s2c min/avg/max/stddev: 187/0 6273/3070 32954/14745 10456/5219][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 169/2606 499/8694 191/3734][TCP Fingerprint: 2_128_65535_6bb88f5575fd/Windows][PLAIN TEXT (test12345)][Plen Bins: 15,0,0,0,0,0,7,0,0,0,0,23,0,23,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23] + 2 UDP 192.168.1.15:58790 <-> 67.210.208.40:14037 [proto: 105/Crossfire][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 105/Crossfire, Confidence: DPI][DPI packets: 1][cat: RPC/16][2 pkts/154 bytes <-> 1 pkts/215 bytes][Goodput ratio: 45/80][< 1 sec][Plen Bins: 0,66,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 UDP 192.168.1.15:51836 <-> 
67.210.208.38:12007 [proto: 105/Crossfire][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 105/Crossfire, Confidence: DPI][DPI packets: 1][cat: RPC/16][5 pkts/255 bytes <-> 1 pkts/60 bytes][Goodput ratio: 18/13][< 1 sec][bytes ratio: 0.619 (Upload)][IAT c2s/s2c min/avg/max/stddev: 4/0 1/0 4/0 2/0][Pkt Len c2s/s2c min/avg/max/stddev: 51/60 51/60 51/60 0/0][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |