-rw-r--r--src/lib/protocols/quic.c26
-rw-r--r--tests/pcap/snapchat_call_v1.pcapngbin0 -> 381748 bytes
-rw-r--r--tests/result/snapchat_call_v1.pcapng.out30
3 files changed, 51 insertions, 5 deletions
diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
index b9b10b9c1..72e400c01 100644
--- a/src/lib/protocols/quic.c
+++ b/src/lib/protocols/quic.c
@@ -1610,17 +1610,33 @@ static int eval_extra_processing(struct ndpi_detection_module_struct *ndpi_struc
{
/* For the time being we need extra processing in two cases only:
1) to detect Snapchat calls, i.e. RTP/RTCP multiplxed with QUIC.
- We noticed that Snapchat uses Q046, without any SNI.
+ Two cases:
+ a) [old] Q046, without any SNI
+ b) v1 with SNI *.addlive.io
2) to reassemble CH fragments on multiple UDP packets.
These two cases are mutually exclusive
*/
- if((version == V_Q046 &&
- flow->host_server_name[0] == '\0') ||
- is_ch_reassembler_pending(flow)) {
- NDPI_LOG_DBG2(ndpi_struct, "We have further work to do\n");
+ if(version == V_Q046 && flow->host_server_name[0] == '\0') {
+ NDPI_LOG_DBG2(ndpi_struct, "We have further work to do (old snapchat call?)\n");
return 1;
}
+
+ if(version == V_1 &&
+ flow->detected_protocol_stack[0] == NDPI_PROTOCOL_SNAPCHAT) {
+ size_t sni_len = strlen(flow->host_server_name);
+ if(sni_len > 11 &&
+ strcmp(flow->host_server_name + sni_len - 11, ".addlive.io") == 0) {
+ NDPI_LOG_DBG2(ndpi_struct, "We have further work to do (new snapchat call?)\n");
+ return 1;
+ }
+ }
+
+ if(is_ch_reassembler_pending(flow)) {
+ NDPI_LOG_DBG2(ndpi_struct, "We have further work to do (reasm)\n");
+ return 1;
+ }
+
return 0;
}
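Review bot: The suffix match on the new lines `size_t sni_len = strlen(...)` through the `strcmp` hard-codes the length of ".addlive.io" twice as the magic number 11, so editing the literal alone would silently break the check; derive it from the string instead: `static const char suffix[] = ".addlive.io";` / `const size_t suffix_len = sizeof(suffix) - 1;` / `if(sni_len > suffix_len && strcmp(flow->host_server_name + sni_len - suffix_len, suffix) == 0)`. strcmp also makes the match case-sensitive; unless host_server_name is guaranteed to be lowercased before it reaches this point (not visible in the hunk), a mixed-case SNI would skip the extra processing, so strcasecmp may be the safer choice — worth confirming against the code that fills host_server_name. The new branch additionally requires `flow->detected_protocol_stack[0] == NDPI_PROTOCOL_SNAPCHAT`, which the updated comment ("b) v1 with SNI *.addlive.io") does not mention; appending "(only once the flow is already classified as Snapchat)" would keep the comment in step with the condition. The function's signature line lies outside the hunk, in its header context only.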
diff --git a/tests/pcap/snapchat_call_v1.pcapng b/tests/pcap/snapchat_call_v1.pcapng
new file mode 100644
index 000000000..cdb469642
--- /dev/null
+++ b/tests/pcap/snapchat_call_v1.pcapng
Binary files differ
diff --git a/tests/result/snapchat_call_v1.pcapng.out b/tests/result/snapchat_call_v1.pcapng.out
new file mode 100644
index 000000000..db82bfd83
--- /dev/null
+++ b/tests/result/snapchat_call_v1.pcapng.out
@@ -0,0 +1,30 @@
+Guessed flow protos: 0
+
+DPI Packets (UDP): 20 (20.00 pkts/flow)
+Confidence DPI : 1 (flows)
+Num dissector calls: 1 (1.00 diss/flow)
+LRU cache ookla: 0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache zoom: 0/0/0 (insert/search/found)
+LRU cache stun: 0/0/0 (insert/search/found)
+LRU cache tls_cert: 0/0/0 (insert/search/found)
+LRU cache mining: 0/0/0 (insert/search/found)
+LRU cache msteams: 0/0/0 (insert/search/found)
+LRU cache stun_zoom: 0/0/0 (insert/search/found)
+Automa host: 1/1 (search/found)
+Automa domain: 1/0 (search/found)
+Automa tls cert: 0/0 (search/found)
+Automa risk mask: 0/0 (search/found)
+Automa common alpns: 1/1 (search/found)
+Patricia risk mask: 2/0 (search/found)
+Patricia risk: 0/0 (search/found)
+Patricia protocols: 1/1 (search/found)
+
+SnapchatCall 477 365314 1
+
+JA3 Host Stats:
+ IP Address # JA3C
+ 1 192.168.12.169 1
+
+
+ 1 UDP 192.168.12.169:47520 <-> 34.246.231.140:443 [proto: 188.255/QUIC.SnapchatCall][IP: 265/AmazonAWS][Encrypted][Confidence: DPI][cat: VoIP/10][386 pkts/353569 bytes <-> 91 pkts/11745 bytes][Goodput ratio: 95/67][9.53 sec][Hostname/SNI: str1-euwest1-34-246-231-140.addlive.io][(Advertised) ALPNs: h3][TLS Supported Versions: TLSv1.3][bytes ratio: 0.936 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 24/89 284/262 25/53][Pkt Len c2s/s2c min/avg/max/stddev: 70/67 916/129 1301/1242 282/178][TLSv1.3][JA3C: f4545fa40dda0c87b1bd81d9a55985a2][PLAIN TEXT (ktmbPg)][Plen Bins: 1,23,2,0,0,0,0,0,0,0,0,0,1,0,0,3,0,0,1,1,0,4,1,2,1,1,1,3,6,3,3,4,4,7,4,7,1,1,3,1,0,0,0,0,0,0,0,0]