-rw-r--r-- | src/lib/ndpi_main.c | 11 | ||||
-rw-r--r-- | src/lib/protocols/dns.c | 12 | ||||
-rw-r--r-- | tests/cfgs/default/result/anyconnect-vpn.pcap.out | 2 | ||||
-rw-r--r-- | tests/cfgs/default/result/malware.pcap.out | 2 | ||||
-rw-r--r-- | tests/cfgs/dns_subclassification_and_process_response_disable/result/dns.pcap.out | 2 | ||||
-rw-r--r-- | tests/cfgs/fpc_disabled/result/teams.pcap.out | 2 | ||||
-rw-r--r-- | tests/cfgs/subclassification_disable/result/anydesk.pcapng.out | 2 | ||||
-rw-r--r-- | tests/cfgs/subclassification_disable/result/dns.pcap.out | 2 |
8 files changed, 22 insertions, 13 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index df1a62cc8..fd79a63e1 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -10281,7 +10281,8 @@ static u_int16_t ndpi_automa_match_string_subprotocol(struct ndpi_detection_modu } #endif - if((matching_protocol_id != NDPI_PROTOCOL_UNKNOWN) && + if(flow && + (matching_protocol_id != NDPI_PROTOCOL_UNKNOWN) && (!ndpi_is_more_generic_protocol(flow->detected_protocol_stack[0], matching_protocol_id))) { /* Move the protocol on slot 0 down one position */ flow->detected_protocol_stack[1] = master_protocol_id, @@ -10348,12 +10349,14 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_ if(ndpi_get_custom_category_match(ndpi_str, string_to_match, string_to_match_len, &id) != -1) { /* if(id != -1) */ { - flow->category = ret_match->protocol_category = id; + ret_match->protocol_category = id; + if(flow) + flow->category = id; rc = master_protocol_id; } } - if(ndpi_str->risky_domain_automa.ac_automa != NULL) { + if(flow && ndpi_str->risky_domain_automa.ac_automa != NULL) { u_int32_t proto_id; u_int16_t rc1 = ndpi_match_string_common(ndpi_str->risky_domain_automa.ac_automa, string_to_match, string_to_match_len, @@ -10367,7 +10370,7 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_ } /* Add punycode check */ - if(ndpi_check_punycode_string(string_to_match, string_to_match_len)) { + if(flow && ndpi_check_punycode_string(string_to_match, string_to_match_len)) { char str[64] = { '\0' }; strncpy(str, string_to_match, ndpi_min(string_to_match_len, sizeof(str)-1)); diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index ce991735d..bd55f19e7 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c 
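Review bot: With `flow == NULL` the new `if(flow && ...)` guard in `ndpi_automa_match_string_subprotocol` skips the whole match block, so if the successful `return` sits inside that block (it continues outside the hunk) a lookup-only caller gets `NDPI_PROTOCOL_UNKNOWN` even when the automaton matched. The updated expected outputs look consistent with that: with subclassification disabled `Automa host` rises to `4/4` while the `fpc_dns` insert count stays at 0. Consider guarding only the writes, e.g. `if((matching_protocol_id != NDPI_PROTOCOL_UNKNOWN) && (!flow || !ndpi_is_more_generic_protocol(flow->detected_protocol_stack[0], matching_protocol_id)))`, with the `flow->` assignments under `if(flow)`. A test that expects an FPC DNS cache insert while `dns_subclassification_enabled` is off would confirm the intended behaviour.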
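Review bot: `ndpi_match_host_subprotocol` is a non-static entry point that now treats a NULL `flow` as "look up only", but the visible code does not document that contract, either here or at the punycode guard in the next hunk. With NULL the risky-domain and punycode checks are skipped, so no risk is recorded for the hostname, while a custom-category match still returns `master_protocol_id`. `ret_match->protocol_category` is written unconditionally, so `ret_match` must stay non-NULL. I would add above the function (its start is outside the hunk) a comment such as `/* flow may be NULL: match only; no classification, category or flow risk is written. ret_match must be valid. */`.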
@@ -819,16 +819,19 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st } if(len > 0) { - if(ndpi_struct->cfg.dns_subclassification_enabled) { + if(ndpi_struct->cfg.dns_subclassification_enabled || ndpi_struct->cfg.fpc_enabled) { ndpi_protocol_match_result ret_match; - ret.proto.app_protocol = ndpi_match_host_subprotocol(ndpi_struct, flow, + /* Avoid writing on flow (i.e. updating classification) if subclassification is disabled */ + ret.proto.app_protocol = ndpi_match_host_subprotocol(ndpi_struct, ndpi_struct->cfg.dns_subclassification_enabled ? flow : NULL, flow->host_server_name, strlen(flow->host_server_name), &ret_match, NDPI_PROTOCOL_DNS); /* Add to FPC DNS cache */ - if(ret.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN && + if(ndpi_struct->cfg.fpc_enabled && + ret.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN && + ret.proto.app_protocol != NDPI_PROTOCOL_DNS && (flow->protos.dns.rsp_type == 0x1 || flow->protos.dns.rsp_type == 0x1c) && /* A, AAAA */ ndpi_struct->fpc_dns_cache) { ndpi_lru_add_to_cache(ndpi_struct->fpc_dns_cache, @@ -836,6 +839,9 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st ndpi_get_current_time(flow)); } + if(!ndpi_struct->cfg.dns_subclassification_enabled) + ret.proto.app_protocol = NDPI_PROTOCOL_UNKNOWN; + if(ret.proto.app_protocol == NDPI_PROTOCOL_UNKNOWN) ret.proto.master_protocol = checkDNSSubprotocol(s_port, d_port); else diff --git a/tests/cfgs/default/result/anyconnect-vpn.pcap.out b/tests/cfgs/default/result/anyconnect-vpn.pcap.out index a1931bcbe..614549742 100644 --- a/tests/cfgs/default/result/anyconnect-vpn.pcap.out +++ b/tests/cfgs/default/result/anyconnect-vpn.pcap.out 
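Review bot: The added `ret.proto.app_protocol != NDPI_PROTOCOL_DNS` test in the FPC cache condition depends on `ndpi_match_host_subprotocol` returning the master id for a custom-category-only match, which is not obvious at this call site. A comment on that line would help, for example `/* a category-only match returns the master (DNS) id: nothing to cache */`. The ternary inside the call also makes the argument list hard to read; a local such as `struct ndpi_flow_struct *match_flow = ndpi_struct->cfg.dns_subclassification_enabled ? flow : NULL;` before the call would keep the existing comment next to the decision. `ndpi_search_dns` starts and ends outside the hunk.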
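Review bot: The reset `if(!ndpi_struct->cfg.dns_subclassification_enabled) ret.proto.app_protocol = NDPI_PROTOCOL_UNKNOWN;` is needed only because `ret.proto.app_protocol` doubles as scratch for the FPC lookup in the previous hunk. Holding the lookup result in a local (`u_int16_t matched = ndpi_match_host_subprotocol(...);`) and copying it into `ret.proto.app_protocol` only when subclassification is enabled would remove the window in which `ret` carries a classification the configuration forbids. That assumes `ret` starts out as unknown, which is not visible here. If the reset stays, brace it and add a one-line comment saying why it is there; the function continues outside the hunk.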
@@ -13,7 +13,7 @@ LRU cache stun: 0/0/0 (insert/search/found)
 LRU cache tls_cert: 0/11/0 (insert/search/found)
 LRU cache mining: 0/8/0 (insert/search/found)
 LRU cache msteams: 0/0/0 (insert/search/found)
-LRU cache fpc_dns: 8/18/1 (insert/search/found)
+LRU cache fpc_dns: 7/18/1 (insert/search/found)
 Automa host: 69/19 (search/found)
 Automa domain: 69/0 (search/found)
 Automa tls cert: 4/0 (search/found)
diff --git a/tests/cfgs/default/result/malware.pcap.out b/tests/cfgs/default/result/malware.pcap.out
index 9deafa998..9e5394e7c 100644
--- a/tests/cfgs/default/result/malware.pcap.out
+++ b/tests/cfgs/default/result/malware.pcap.out
@@ -12,7 +12,7 @@ LRU cache stun: 0/0/0 (insert/search/found)
 LRU cache tls_cert: 0/4/0 (insert/search/found)
 LRU cache mining: 0/1/0 (insert/search/found)
 LRU cache msteams: 0/0/0 (insert/search/found)
-LRU cache fpc_dns: 1/3/0 (insert/search/found)
+LRU cache fpc_dns: 0/3/0 (insert/search/found)
 Automa host: 5/0 (search/found)
 Automa domain: 5/0 (search/found)
 Automa tls cert: 2/0 (search/found)
diff --git a/tests/cfgs/dns_subclassification_and_process_response_disable/result/dns.pcap.out b/tests/cfgs/dns_subclassification_and_process_response_disable/result/dns.pcap.out
index f957f4d47..a9f20999b 100644
--- a/tests/cfgs/dns_subclassification_and_process_response_disable/result/dns.pcap.out
+++ b/tests/cfgs/dns_subclassification_and_process_response_disable/result/dns.pcap.out
@@ -8,7 +8,7 @@ LRU cache tls_cert: 0/0/0 (insert/search/found)
 LRU cache mining: 0/0/0 (insert/search/found)
 LRU cache msteams: 0/0/0 (insert/search/found)
 LRU cache fpc_dns: 0/0/0 (insert/search/found)
-Automa host: 0/0 (search/found)
+Automa host: 2/2 (search/found)
 Automa domain: 0/0 (search/found)
 Automa tls cert: 0/0 (search/found)
 Automa risk mask: 2/0 (search/found)
diff --git a/tests/cfgs/fpc_disabled/result/teams.pcap.out b/tests/cfgs/fpc_disabled/result/teams.pcap.out
index 58a7a7953..8638e1e15 100644
--- a/tests/cfgs/fpc_disabled/result/teams.pcap.out
+++ b/tests/cfgs/fpc_disabled/result/teams.pcap.out
@@ -14,7 +14,7 @@ LRU cache stun: 30/0/0 (insert/search/found)
 LRU cache tls_cert: 0/0/0 (insert/search/found)
 LRU cache mining: 0/3/0 (insert/search/found)
 LRU cache msteams: 20/6/6 (insert/search/found)
-LRU cache fpc_dns: 15/0/0 (insert/search/found)
+LRU cache fpc_dns: 0/0/0 (insert/search/found)
 Automa host: 85/71 (search/found)
 Automa domain: 85/0 (search/found)
 Automa tls cert: 0/0 (search/found)
diff --git a/tests/cfgs/subclassification_disable/result/anydesk.pcapng.out b/tests/cfgs/subclassification_disable/result/anydesk.pcapng.out
index 0efd5d286..9dd0e66d4 100644
--- a/tests/cfgs/subclassification_disable/result/anydesk.pcapng.out
+++ b/tests/cfgs/subclassification_disable/result/anydesk.pcapng.out
@@ -9,7 +9,7 @@ LRU cache tls_cert: 0/0/0 (insert/search/found)
 LRU cache mining: 0/0/0 (insert/search/found)
 LRU cache msteams: 0/0/0 (insert/search/found)
 LRU cache fpc_dns: 0/4/0 (insert/search/found)
-Automa host: 0/0 (search/found)
+Automa host: 4/4 (search/found)
 Automa domain: 0/0 (search/found)
 Automa tls cert: 0/0 (search/found)
 Automa risk mask: 2/0 (search/found)
diff --git a/tests/cfgs/subclassification_disable/result/dns.pcap.out b/tests/cfgs/subclassification_disable/result/dns.pcap.out
index b57589a1b..f72b6eab8 100644
--- a/tests/cfgs/subclassification_disable/result/dns.pcap.out
+++ b/tests/cfgs/subclassification_disable/result/dns.pcap.out
@@ -8,7 +8,7 @@ LRU cache tls_cert: 0/0/0 (insert/search/found)
 LRU cache mining: 0/0/0 (insert/search/found)
 LRU cache msteams: 0/0/0 (insert/search/found)
 LRU cache fpc_dns: 0/0/0 (insert/search/found)
-Automa host: 0/0 (search/found)
+Automa host: 3/3 (search/found)
 Automa domain: 0/0 (search/found)
 Automa tls cert: 0/0 (search/found)
 Automa risk mask: 2/0 (search/found) |