Diffstat (limited to 'src/lib/protocols')
-rw-r--r--src/lib/protocols/bittorrent.c5
-rw-r--r--src/lib/protocols/cassandra.c3
-rw-r--r--src/lib/protocols/ciscovpn.c29
-rw-r--r--src/lib/protocols/dnscrypt.c6
-rw-r--r--src/lib/protocols/imo.c2
-rw-r--r--src/lib/protocols/irc.c5
-rw-r--r--src/lib/protocols/rtp.c10
-rw-r--r--src/lib/protocols/sip.c34
-rw-r--r--src/lib/protocols/socks45.c17
-rw-r--r--src/lib/protocols/stun.c24
-rw-r--r--src/lib/protocols/xbox.c1
11 files changed, 70 insertions, 66 deletions
diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c
index f80bb0d36..1522a14e9 100644
--- a/src/lib/protocols/bittorrent.c
+++ b/src/lib/protocols/bittorrent.c
@@ -642,9 +642,8 @@ static void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_str
}
}
- if(flow->packet_counter > 8) {
- ndpi_skip_bittorrent(ndpi_struct, flow);
- }
+ if(flow->packet_counter > 5)
+ ndpi_skip_bittorrent(ndpi_struct, flow);
}
/* ************************************* */
diff --git a/src/lib/protocols/cassandra.c b/src/lib/protocols/cassandra.c
index de5b21f87..7e52dab14 100644
--- a/src/lib/protocols/cassandra.c
+++ b/src/lib/protocols/cassandra.c
@@ -66,7 +66,8 @@ static void ndpi_search_cassandra(struct ndpi_detection_module_struct *ndpi_stru
return;
}
- if (packet->payload_packet_len < 9 ||
+ if ((packet->payload_packet_len < 9) ||
+ (flow->packet_counter >= 8) ||
(!ndpi_validate_cassandra_response(packet->payload[0]) ||
!ndpi_validate_cassandra_request(packet->payload[0])))
{
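Review bot: The two validator calls on the context lines are joined as `!response(...) || !request(...)`, so the branch is taken unless `payload[0]` passes both checks. If the two validators accept different opcode ranges (their bodies are not in this hunk), the branch is always taken and the added `(flow->packet_counter >= 8)` term never changes the outcome. It is worth confirming whether `&&` was intended: `(!ndpi_validate_cassandra_response(packet->payload[0]) && !ndpi_validate_cassandra_request(packet->payload[0]))`. The body of the branch lies outside the hunk.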
diff --git a/src/lib/protocols/ciscovpn.c b/src/lib/protocols/ciscovpn.c
index e5bfd6a22..792d060b1 100644
--- a/src/lib/protocols/ciscovpn.c
+++ b/src/lib/protocols/ciscovpn.c
@@ -48,26 +48,23 @@ static void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struc
NDPI_LOG_DBG2(ndpi_struct, "calculated CISCOVPN over udp ports\n");
}
- if(
- (
- (usport == 10000 && udport == 10000)
- &&
- (packet->payload_packet_len >= 4) &&
- (packet->payload[0] == 0xfe &&
- packet->payload[1] == 0x57 &&
- packet->payload[2] == 0x7e &&
- packet->payload[3] == 0x2b)
- )
- )
- {
+ if((usport == 10000 && udport == 10000)) {
+ if((packet->payload_packet_len >= 4) &&
+ (packet->payload[0] == 0xfe &&
+ packet->payload[1] == 0x57 &&
+ packet->payload[2] == 0x7e &&
+ packet->payload[3] == 0x2b)
+ ) {
/* This is a good query fe577e2b */
NDPI_LOG_INFO(ndpi_struct, "found CISCOVPN\n");
ndpi_int_ciscovpn_add_connection(ndpi_struct, flow);
return;
- }
-
- if(flow->num_processed_pkts > 5)
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ }
+
+ if(flow->num_processed_pkts > 5)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ } else
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
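Review bot: The give-up test inside the port-10000 branch uses `flow->num_processed_pkts > 5`, while the other dissectors touched in this commit bound on `flow->packet_counter`. If the two counters can diverge, a short comment saying why this dissector uses a different one would help; otherwise align them. The new `} else` arm is unbraced next to a braced `if` arm; `} else { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); }` is safer to extend later. The doubled parentheses in `if((usport == 10000 && udport == 10000))` can also be dropped.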
diff --git a/src/lib/protocols/dnscrypt.c b/src/lib/protocols/dnscrypt.c
index c4e28323d..a77bade98 100644
--- a/src/lib/protocols/dnscrypt.c
+++ b/src/lib/protocols/dnscrypt.c
@@ -46,6 +46,7 @@ static void ndpi_search_dnscrypt(struct ndpi_detection_module_struct *ndpi_struc
ndpi_int_dnscrypt_add_connection(ndpi_struct, flow);
return;
}
+
/* dnscrypt protocol version 1 and 2: resolver ping */
if (packet->payload_packet_len > 13 + strlen(dnscrypt_initial) &&
strncasecmp((char*)packet->payload + 13, dnscrypt_initial, strlen(dnscrypt_initial)) == 0)
@@ -56,10 +57,9 @@ static void ndpi_search_dnscrypt(struct ndpi_detection_module_struct *ndpi_struc
if ((flow->packet_direction_counter[packet->packet_direction] >= 1 &&
flow->packet_direction_counter[1 - packet->packet_direction] >= 1) ||
- flow->packet_counter >= 10)
- {
+ flow->packet_counter >= 8) {
/*
- * Wait for at least one packet per direction, but not more then 10 packets.
+ * Wait for at least one packet per direction, up to a max
* Required as we need to wait for the server response which contains the ASCII pattern below.
*/
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
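Review bot: The rewritten comment says "up to a max" but no longer states the value, while the condition hard-codes `flow->packet_counter >= 8`. A reader now has to find the limit in the code, and the limits differ between dissectors in this commit (5, 8, 10). Suggest keeping the number in the comment, `* Wait for at least one packet per direction, but no more than 8 packets.`, or replacing the literal with a named constant. The enclosing function continues outside the hunk.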
diff --git a/src/lib/protocols/imo.c b/src/lib/protocols/imo.c
index 68cb9fb1b..3807e5010 100644
--- a/src/lib/protocols/imo.c
+++ b/src/lib/protocols/imo.c
@@ -1,7 +1,7 @@
/*
* imo.c
*
- * Copyright (C) 2019 - ntop.org
+ * Copyright (C) 2019-24 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/irc.c b/src/lib/protocols/irc.c
index a7f02d848..02b105a0f 100644
--- a/src/lib/protocols/irc.c
+++ b/src/lib/protocols/irc.c
@@ -97,8 +97,9 @@ static void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct
u_int16_t http_content_ptr_len = 0;
NDPI_LOG_DBG(ndpi_struct, "search irc\n");
- if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC && (flow->packet_counter > 10)) {
- NDPI_LOG_DBG(ndpi_struct, "exclude irc, packet_counter > 70\n");
+ if((flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC && (flow->packet_counter > 10))
+ || (flow->packet_counter >= 10)) {
+ NDPI_LOG_DBG(ndpi_struct, "exclude irc, packet_counter too high0\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_IRC);
return;
}
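Review bot: The added `|| (flow->packet_counter >= 10)` makes the first operand redundant, because any flow with `packet_counter > 10` already satisfies `>= 10`. The whole condition therefore reduces to `flow->packet_counter >= 10`, and the `detected_protocol_stack[0] != NDPI_PROTOCOL_IRC` guard no longer keeps flows already classified as IRC out of the excluded bitmask. If the guard is still wanted, write `if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC && flow->packet_counter >= 10) {`; if not, write the plain counter test. The new log string also has a stray `0`; it should read `"exclude irc, packet_counter too high\n"`.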
diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c
index 97e392f02..b8f0a3978 100644
--- a/src/lib/protocols/rtp.c
+++ b/src/lib/protocols/rtp.c
@@ -79,8 +79,7 @@ u_int8_t rtp_get_stream_type(u_int8_t payloadType, ndpi_multimedia_flow_type *s_
}
}
-static int is_valid_rtcp_payload_type(uint8_t type)
-{
+static int is_valid_rtcp_payload_type(uint8_t type) {
return (type >= 192 && type <= 213);
}
@@ -172,8 +171,8 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
}
is_rtp = is_rtp_or_rtcp(ndpi_struct, &seq);
- if(is_rtp == IS_RTP) {
+ if(is_rtp == IS_RTP) {
if(flow->l4.udp.rtp_stage == 2) {
if(flow->l4.udp.line_pkts[0] >= 2 && flow->l4.udp.line_pkts[1] >= 2) {
/* It seems that it is a LINE stuff; let its dissector to evaluate */
@@ -228,7 +227,10 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
NDPI_EXCLUDE_PROTO_EXT(ndpi_struct, flow, NDPI_PROTOCOL_RTCP);
}
- }
+ } else if(flow->packet_counter > 3) {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ NDPI_EXCLUDE_PROTO_EXT(ndpi_struct, flow, NDPI_PROTOCOL_RTCP);
+ }
}
}
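Review bot: The new `else if(flow->packet_counter > 3)` arm excludes both RTP and RTCP at the lowest cutoff in this commit, with no comment explaining the value. The hunk does not show which `if` this `else` pairs with, so the exact reach of the branch should be confirmed. If media can begin after more than three non-RTP datagrams on the same flow, this dissector would exclude it before the first RTP packet is seen; a check against captures would settle that. Please add a why-comment such as `/* nothing RTP-like in the first packets: stop trying */`, or use a named constant for the limit.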
diff --git a/src/lib/protocols/sip.c b/src/lib/protocols/sip.c
index b6963584c..23a88ebf8 100644
--- a/src/lib/protocols/sip.c
+++ b/src/lib/protocols/sip.c
@@ -34,6 +34,8 @@ static void ndpi_int_sip_add_connection(struct ndpi_detection_module_struct *ndp
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SIP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
}
+/* ********************************************************** */
+
#if !defined(WIN32)
static inline
#elif defined(MINGW_GCC)
@@ -41,13 +43,16 @@ __mingw_forceinline static
#else
__forceinline static
#endif
-void ndpi_search_sip_handshake(struct ndpi_detection_module_struct
- *ndpi_struct, struct ndpi_flow_struct *flow)
-{
+void ndpi_search_sip(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
const u_int8_t *packet_payload = packet->payload;
u_int32_t payload_len = packet->payload_packet_len;
+ if(flow->packet_counter >= 8) {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+
if(payload_len > 4) {
/* search for STUN Turn ChannelData Prefix */
u_int16_t message_len = ntohs(get_u_int16_t(packet->payload, 2));
@@ -57,9 +62,14 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct
payload_len -= 4;
packet_payload += 4;
}
+
+ if(!isprint(packet_payload[0])) {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
}
- if(payload_len >= 14) {
+ if(payload_len >= 14) {
if((memcmp(packet_payload, "NOTIFY ", 7) == 0 || memcmp(packet_payload, "notify ", 7) == 0)
&& (memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0)) {
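Review bot: The `!isprint(packet_payload[0])` gate excludes SIP on any packet longer than 4 bytes whose first byte is not printable, which includes a message preceded by CR/LF. RFC 3261 has stream receivers ignore CRLF before the start-line, and a comment later in this function mentions UDP senders emitting `0x0a0x0d` before the INVITE. Such flows would be excluded permanently rather than retried, which is a detection gap for anything that relies on the SIP label. Consider tolerating leading CR/LF, for example `if(packet_payload[0] != '\r' && packet_payload[0] != '\n' && !isprint(packet_payload[0])) {`. `isprint` is also locale-dependent and needs `<ctype.h>`, whose include is not visible in this diff.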
@@ -180,28 +190,20 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct
/* add bitmask for tcp only, some stupid udp programs
* send a very few (< 10 ) packets before invite (mostly a 0x0a0x0d, but just search the first 3 payload_packets here */
- if(packet->udp != NULL && flow->packet_counter < 10) {
+ if(packet->udp != NULL) {
NDPI_LOG_DBG2(ndpi_struct, "need next packet\n");
return;
}
if(payload_len == 4 && get_u_int32_t(packet_payload, 0) == 0) {
- NDPI_LOG_DBG2(ndpi_struct, "maybe sip. need next packet\n");
+ NDPI_LOG_DBG2(ndpi_struct, "maybe sip. need next packet\n");
return;
}
-
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
-static void ndpi_search_sip(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
- NDPI_LOG_DBG(ndpi_struct, "search sip\n");
-
- ndpi_search_sip_handshake(ndpi_struct, flow);
-}
+/* ********************************************************** */
-void init_sip_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id)
-{
+void init_sip_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id) {
ndpi_set_bitmask_protocol_detection("SIP", ndpi_struct, *id,
NDPI_PROTOCOL_SIP,
ndpi_search_sip,
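Review bot: With the trailing `NDPI_EXCLUDE_PROTO` removed, the two remaining `if` blocks at the end of `ndpi_search_sip` only log and `return` immediately before the function ends, so they no longer affect the result. Every non-matching flow, TCP included, is now held until the `packet_counter >= 8` check at the top of the function. If that is intended, the comment above them is stale (it still speaks of "tcp only" and "< 10" packets) and could become `/* no match yet: the packet_counter limit at the top of the function ends the search */`. The function passed to `ndpi_set_bitmask_protocol_detection` also now carries the `static inline` / `__forceinline` qualifiers, which do nothing for a call through a pointer. The body of `ndpi_search_sip` starts outside this hunk.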
diff --git a/src/lib/protocols/socks45.c b/src/lib/protocols/socks45.c
index 742e0a6e6..78a744087 100644
--- a/src/lib/protocols/socks45.c
+++ b/src/lib/protocols/socks45.c
@@ -40,12 +40,6 @@ static void ndpi_check_socks4(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
u_int32_t payload_len = packet->payload_packet_len;
- /* Break after 10 packets. */
- if(flow->packet_counter > 10) {
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- return;
- }
-
/* Check if we so far detected the protocol in the request or not. */
if(flow->socks4_stage == 0) {
NDPI_LOG_DBG2(ndpi_struct, "SOCKS4 stage 0: \n");
@@ -81,12 +75,6 @@ static void ndpi_check_socks5(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
u_int32_t payload_len = packet->payload_packet_len;
- /* Break after 10 packets. */
- if(flow->packet_counter > 10) {
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- return;
- }
-
/* Check if we so far detected the protocol in the request or not. */
if(flow->socks5_stage == 0) {
NDPI_LOG_DBG2(ndpi_struct, "SOCKS5 stage 0: \n");
@@ -123,6 +111,11 @@ static void ndpi_search_socks(struct ndpi_detection_module_struct *ndpi_struct,
{
NDPI_LOG_DBG(ndpi_struct, "search SOCKS\n");
+ if(flow->packet_counter >= 10) {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+
ndpi_check_socks4(ndpi_struct, flow);
if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_SOCKS)
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index d6e7090d3..4d4fec6db 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -311,6 +311,9 @@ static void parse_xor_ip_port_attribute(struct ndpi_detection_module_struct *ndp
}
}
}
+
+/* ***************************************************** */
+
int is_stun(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
u_int16_t *app_proto)
@@ -325,9 +328,8 @@ int is_stun(struct ndpi_detection_module_struct *ndpi_struct,
u_int32_t magic_cookie;
u_int32_t transaction_id[3];
- if(payload_length < STUN_HDR_LEN) {
- return 0;
- }
+ if(payload_length < STUN_HDR_LEN)
+ return(-1);
/* Some really old/legacy stuff */
if(strncmp((const char *)payload, "RSP/", 4) == 0 &&
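Review bot: `is_stun` now returns -1 as well as 0 and 1, but its definition has no `static`, so any caller outside this diff that still tests `if(is_stun(...))` would treat the new -1 as a match. Only `ndpi_search_stun` is updated here (`rc == 1`); the other call sites should be checked and changed to an explicit comparison so that non-STUN traffic is not labelled STUN. Please document the contract above the function, e.g. `/* returns 1: STUN, 0: cannot decide yet, -1: not STUN, caller may exclude */`. The next hunk adds the same -1 for the invalid `msg_type` and length cases, and the two hunks spell it differently (`return(-1);` here, `return -1;` there). The function body extends beyond this hunk.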
@@ -365,20 +367,21 @@ int is_stun(struct ndpi_detection_module_struct *ndpi_struct,
if(packet->tcp) {
if(msg_len + STUN_HDR_LEN > payload_length)
return 0;
+
payload_length = msg_len + STUN_HDR_LEN;
}
if(msg_type == 0 || (msg_len + STUN_HDR_LEN != payload_length)) {
NDPI_LOG_DBG(ndpi_struct, "Invalid msg_type = %04X or len %d %d\n",
msg_type, msg_len, payload_length);
- return 0;
+ return -1;
}
/* https://www.iana.org/assignments/stun-parameters/stun-parameters.xhtml */
if(((msg_type & 0x3EEF) > 0x000B) &&
msg_type != 0x0800 && msg_type != 0x0801 && msg_type != 0x0802) {
NDPI_LOG_DBG(ndpi_struct, "Invalid msg_type = %04X\n", msg_type);
- return 0;
+ return -1;
}
if(magic_cookie != 0x2112A442) {
@@ -582,6 +585,8 @@ int is_stun(struct ndpi_detection_module_struct *ndpi_struct,
return 1;
}
+/* ***************************************************** */
+
static int keep_extra_dissection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow)
{
@@ -965,7 +970,8 @@ static void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, s
{
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
u_int16_t app_proto;
-
+ int rc;
+
NDPI_LOG_DBG(ndpi_struct, "search stun\n");
app_proto = NDPI_PROTOCOL_UNKNOWN;
@@ -977,13 +983,15 @@ static void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, s
return;
}
- if(is_stun(ndpi_struct, flow, &app_proto)) {
+ rc = is_stun(ndpi_struct, flow, &app_proto);
+
+ if(rc == 1) {
ndpi_int_stun_add_connection(ndpi_struct, flow, app_proto, __get_master(flow));
return;
}
/* TODO: can we stop earlier? */
- if(flow->packet_counter > 10)
+ if((rc == -1) || (flow->packet_counter > 8))
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
diff --git a/src/lib/protocols/xbox.c b/src/lib/protocols/xbox.c
index e88cf39db..f1f334316 100644
--- a/src/lib/protocols/xbox.c
+++ b/src/lib/protocols/xbox.c
@@ -92,6 +92,7 @@ static void ndpi_search_xbox(struct ndpi_detection_module_struct *ndpi_struct, s
}
#endif
}
+
if(flow->packet_counter >= 5)
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}