Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/Makefile.am1
-rw-r--r--src/lib/ndpi_content_match.c.inc16
-rw-r--r--src/lib/ndpi_main.c182
-rw-r--r--src/lib/protocols/attic/ftp.c7
-rwxr-xr-xsrc/lib/protocols/checkmk.c83
-rw-r--r--src/lib/protocols/dns.c6
-rw-r--r--src/lib/protocols/http.c57
-rw-r--r--src/lib/protocols/irc.c3
-rw-r--r--src/lib/protocols/qq.c6
-rw-r--r--src/lib/protocols/rtp.c6
-rw-r--r--src/lib/protocols/sip.c2
-rw-r--r--src/lib/protocols/sopcast.c2
-rw-r--r--src/lib/protocols/ssl.c2
-rw-r--r--src/lib/protocols/stun.c23
-rw-r--r--src/lib/protocols/telnet.c2
-rw-r--r--src/lib/protocols/thunder.c6
-rw-r--r--src/lib/protocols/tor.c28
-rw-r--r--src/lib/protocols/world_of_warcraft.c2
-rw-r--r--src/lib/protocols/yahoo.c4
-rw-r--r--src/lib/protocols/zattoo.c4
20 files changed, 277 insertions, 165 deletions
diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am
index c2b4e4b13..7db19f818 100644
--- a/src/lib/Makefile.am
+++ b/src/lib/Makefile.am
@@ -26,6 +26,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \
protocols/bgp.c \
protocols/bittorrent.c \
protocols/bjnp.c \
+ protocols/checkmk.c \
protocols/ciscovpn.c \
protocols/citrix.c \
protocols/coap.c \
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 4a9ec63cf..2682b2e71 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -8044,6 +8044,7 @@ ndpi_protocol_match host_match[] = {
{ "swscan.apple.com", "AppleStore", NDPI_PROTOCOL_APPLESTORE, NDPI_PROTOCOL_CATEGORY_SW_UPDATE, NDPI_PROTOCOL_SAFE },
{ "itunes-apple.com", "AppleStore", NDPI_PROTOCOL_APPLESTORE, NDPI_PROTOCOL_CATEGORY_SW_UPDATE, NDPI_PROTOCOL_SAFE },
{ "itunes.apple.com", "AppleiTunes", NDPI_PROTOCOL_APPLE_ITUNES, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_FUN },
+ { "aaplimg.com", "Apple", NDPI_PROTOCOL_APPLE, NDPI_PROTOCOL_CATEGORY_SW_UPDATE, NDPI_PROTOCOL_SAFE },
{ ".cnn.c", "CNN", NDPI_PROTOCOL_CNN, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
{ ".cnn.net", "CNN", NDPI_PROTOCOL_CNN, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
@@ -8138,6 +8139,8 @@ ndpi_protocol_match host_match[] = {
{ ".yimg.com", "Yahoo", NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
{ "yahooapis.", "Yahoo", NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
+ { "upload.youtube.com", "YouTubeUpload", NDPI_PROTOCOL_YOUTUBE_UPLOAD, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
+ { "upload.video.google.com", "YouTubeUpload", NDPI_PROTOCOL_YOUTUBE_UPLOAD, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
{ "youtube.", "YouTube", NDPI_PROTOCOL_YOUTUBE, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
{ "youtu.be.", "YouTube", NDPI_PROTOCOL_YOUTUBE, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
{ "yt3.ggpht.com", "YouTube", NDPI_PROTOCOL_YOUTUBE, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
@@ -8308,7 +8311,12 @@ ndpi_protocol_match host_match[] = {
{ ".soundcloud.com", "SoundCloud", NDPI_PROTOCOL_SOUNDCLOUD, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
{ "getrockerbox.com", "SoundCloud", NDPI_PROTOCOL_SOUNDCLOUD, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "web.telegram.org", "Telegram", NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE },
+ { "web.telegram.org", "Telegram", NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE },
+ { "tdesktop.com", "Telegram", NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE },
+ { "tupdate.com", "Telegram", NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE },
+
+ { ".icq.", "ICQ", NDPI_PROTOCOL_ICQ, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE },
+ { "icq.", "ICQ", NDPI_PROTOCOL_ICQ, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE },
{ NULL, 0 }
};
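Review bot: The bare `"icq."` pattern added next to `".icq."` makes the dotted entry redundant, and it is broad enough to label unrelated hosts as ICQ if `host_match` entries are compared as substrings, which neighbouring entries such as `"youtube."` suggest but this hunk does not show. A host like `magicq.example` (constructed) contains `icq.`. Because this table feeds the protocol and category verdict that policy acts on, I would keep `".icq."` plus an explicit apex entry such as `"icq.com"`, or add a comment explaining why the unanchored form is needed.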
@@ -8434,13 +8442,13 @@ static const char *ndpi_en_bigrams[] = {
"lz", "nz", "oz", "pz", "rz", "tz", "uz", "zz", NULL };
static const char *ndpi_en_impossible_bigrams[] = {
- "bk", "bq", "bx", "cb", "cf", "cg", "cj", "cp", "cv", "cw", "cx", "dx", "fk", "fq", "fv", "fx", "ee",
+ "bk", "bq", "bx", "cb", "cf", "cg", "cj", "cp", "cv", "cw", "cx", "dx", "fk", "fq", "fv", "fx", /* "ee", removed it can be found in 'meeting' */
"fz", "gq", "gv", "gx", "hh", "hk", "hv", "hx", "hz", "iy", "jb", "jc", "jd", "jf", "jg", "jh", "jk",
"jl", "jm", "jn", "jp", "jq", "jr", /* "js", */ "jt", "jv", "jw", "jx", "jy", "jz", "kg", "kq", "kv", "kx",
"kz", "lq", "lx", "mg", "mj", "mq", "mx", "mz", "pq", "pv", "px", "qb", "qc", "qd", "qe", "qf", "ii",
"qg", "qh", "qj", "qk", "ql", "qm", "qn", "qo", "qp", "qr", "qs", "qt", "qv", "qw", "qx", "qy", "uu",
- "qz", "sx", "sz", "tq", "tx", "vb", "vc", "vd", "vf", "vg", "vh", "vj", "vk", "vm", "vn", "vp", "bw",
+ "qz", "sx", "sz", "tq", "tx", "vb", "vc", "vd", "vf", "vg", "vh", "vj", "vm", "vn", "vp", "bw", /* "vk", "zr" Removed for kavkazr */
"vq", "vt", "vw", "vx", "vz", "wq", "wv", "wx", "wz", "xb", "xg", "xj", "xk", "xv", "xz", "xw", "yd", /*"yp", Removed for paypal */
- "yj", "yq", "yv", "yz", "yw", "zb", "zc", "zg", "zh", "zj", "zn", "zq", "zr", "zs", "zx", "wh", "wk",
+ "yj", "yq", "yv", "yz", "yw", "zb", "zc", "zg", "zh", "zj", "zn", "zq", "zs", "zx", "wh", "wk",
"wb", "zk", "kp", "zk", "xy",
NULL };
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 1e01489e7..25d8de602 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1169,7 +1169,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
custom_master[0] = NDPI_PROTOCOL_SIP, custom_master[1] = NDPI_PROTOCOL_H323;
- ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, NDPI_PROTOCOL_STUN,
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_STUN,
no_master,
custom_master, "STUN", NDPI_PROTOCOL_CATEGORY_NETWORK,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
@@ -1271,6 +1271,11 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
no_master, "AFP", NDPI_PROTOCOL_CATEGORY_DATA_TRANSFER,
ndpi_build_default_ports(ports_a, 548, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 548, 0, 0, 0, 0) /* UDP */);
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_CHECKMK,
+ no_master,
+ no_master, "CHECKMK", NDPI_PROTOCOL_CATEGORY_DATA_TRANSFER,
+ ndpi_build_default_ports(ports_a, 6556, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, NDPI_PROTOCOL_STEALTHNET,
no_master,
no_master, "Stealthnet", NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT,
@@ -1401,21 +1406,6 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
no_master, "Citrix", NDPI_PROTOCOL_CATEGORY_NETWORK,
ndpi_build_default_ports(ports_a, 1494, 2598, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
- ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SKYFILE_PREPAID,
- no_master,
- no_master, "SkyFile_PrePaid", NDPI_PROTOCOL_CATEGORY_MAIL,
- ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
- ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
- ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SKYFILE_RUDICS,
- no_master,
- no_master, "SkyFile_Rudics", NDPI_PROTOCOL_CATEGORY_MAIL,
- ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
- ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
- ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SKYFILE_POSTPAID,
- no_master,
- no_master, "SkyFile_PostPaid", NDPI_PROTOCOL_CATEGORY_MAIL,
- ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
- ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_CITRIX_ONLINE,
no_master,
no_master, "Citrix_Online", NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS,
@@ -2654,6 +2644,9 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n
/* AFP */
init_afp_dissector(ndpi_struct, &a, detection_bitmask);
+ /* check_mk */
+ init_checkmk_dissector(ndpi_struct, &a, detection_bitmask);
+
/* AIMINI */
init_aimini_dissector(ndpi_struct, &a, detection_bitmask);
@@ -3207,7 +3200,8 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_struct,
packet->packet_direction = 1;
#ifdef NDPI_DETECTION_SUPPORT_IPV6
- if(iphv6 != NULL && NDPI_COMPARE_IPV6_ADDRESS_STRUCTS(&iphv6->ip6_src, &iphv6->ip6_dst) != 0)
+ if(iphv6 != NULL && NDPI_COMPARE_IPV6_ADDRESS_STRUCTS(&iphv6->ip6_src,
+ &iphv6->ip6_dst) != 0)
packet->packet_direction = 1;
#endif
}
@@ -4553,25 +4547,6 @@ u_int16_t ntohs_ndpi_bytestream_to_number(const u_int8_t * str, u_int16_t max_ch
/* ****************************************************** */
-ndpi_protocol ndpi_find_port_based_protocol(struct ndpi_detection_module_struct *ndpi_struct /* NOTUSED */,
- /* u_int8_t proto, */
- u_int32_t shost, u_int16_t sport,
- u_int32_t dhost, u_int16_t dport) {
- ndpi_protocol proto = NDPI_PROTOCOL_NULL;
-
- /* Skyfile (host 193.252.234.246 or host 10.10.102.80) */
- if((shost == 0xC1FCEAF6) || (dhost == 0xC1FCEAF6)
- || (shost == 0x0A0A6650) || (dhost == 0x0A0A6650)) {
- if((sport == 4708) || (dport == 4708)) proto.app_protocol = NDPI_PROTOCOL_SKYFILE_PREPAID;
- else if((sport == 4709) || (dport == 4709)) proto.app_protocol = NDPI_PROTOCOL_SKYFILE_RUDICS;
- else if((sport == 4710) || (dport == 4710)) proto.app_protocol = NDPI_PROTOCOL_SKYFILE_POSTPAID;
- }
-
- return(proto);
-}
-
-/* ****************************************************** */
-
u_int8_t ndpi_is_proto(ndpi_protocol proto, u_int16_t p) {
return(((proto.app_protocol == p) || (proto.master_protocol == p)) ? 1 : 0);
}
@@ -4617,10 +4592,6 @@ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct
return(ret);
}
- ret = ndpi_find_port_based_protocol(ndpi_struct/* , proto */, shost, sport, dhost, dport);
- if(ret.app_protocol != NDPI_PROTOCOL_UNKNOWN)
- return(ret);
-
check_guessed_skype:
addr.s_addr = htonl(shost);
if(ndpi_network_ptree_match(ndpi_struct, &addr) == NDPI_PROTOCOL_SKYPE) {
@@ -4705,93 +4676,58 @@ void ndpi_category_set_name(struct ndpi_detection_module_struct *ndpi_mod,
/* ****************************************************** */
+static const char* categories[] = {
+ "Unspecified",
+ "Media",
+ "VPN",
+ "Email",
+ "DataTransfer",
+ "Web",
+ "SocialNetwork",
+ "Download-FileTransfer-FileSharing",
+ "Game",
+ "Chat",
+ "VoIP",
+ "Database",
+ "RemoteAccess",
+ "Cloud",
+ "Network",
+ "Collaborative",
+ "RPC",
+ "NetworkTool",
+ "System",
+ "SoftwareUpdate",
+ "",
+ "",
+ "",
+ "",
+ ""
+};
+
const char* ndpi_category_get_name(struct ndpi_detection_module_struct *ndpi_mod,
ndpi_protocol_category_t category) {
-
if(!ndpi_mod) return(NULL);
-
- switch(category) {
- case NDPI_PROTOCOL_CATEGORY_MEDIA:
- return("Media");
- break;
- case NDPI_PROTOCOL_CATEGORY_VPN:
- return("VPN");
- break;
- case NDPI_PROTOCOL_CATEGORY_DATA_TRANSFER:
- return("DataTransfer");
- break;
- case NDPI_PROTOCOL_CATEGORY_MAIL:
- return("Email");
- break;
- case NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT:
- return("Download-FileTransfer-FileSharing");
- break;
- case NDPI_PROTOCOL_CATEGORY_WEB:
- return("Web");
- break;
- case NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK:
- return("SocialNetwork");
- break;
- case NDPI_PROTOCOL_CATEGORY_GAME:
- return("Game");
- break;
- case NDPI_PROTOCOL_CATEGORY_CHAT:
- return("Chat");
- break;
- case NDPI_PROTOCOL_CATEGORY_VOIP:
- return("VoIP");
- break;
- case NDPI_PROTOCOL_CATEGORY_DATABASE:
- return("Database");
- break;
- case NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS:
- return("RemoteAccess");
- break;
- case NDPI_PROTOCOL_CATEGORY_CLOUD:
- return("Cloud");
- break;
- case NDPI_PROTOCOL_CATEGORY_NETWORK:
- return("Network");
- break;
- case NDPI_PROTOCOL_CATEGORY_COLLABORATIVE:
- return("Collaborative");
- break;
- case NDPI_PROTOCOL_CATEGORY_RPC:
- return("RPC");
- break;
- case NDPI_PROTOCOL_CATEGORY_NETWORK_TOOL:
- return("NetworkTool");
- break;
- case NDPI_PROTOCOL_CATEGORY_SYSTEM_OS:
- return("System");
- break;
- case NDPI_PROTOCOL_CATEGORY_UNSPECIFIED:
- return("Unspecified");
- break;
- case NDPI_PROTOCOL_CATEGORY_SW_UPDATE:
- return("SoftwareUpdate");
- break;
- case NDPI_PROTOCOL_CATEGORY_CUSTOM_1:
- return(ndpi_mod->custom_category_labels[0]);
- break;
- case NDPI_PROTOCOL_CATEGORY_CUSTOM_2:
- return(ndpi_mod->custom_category_labels[1]);
- break;
- case NDPI_PROTOCOL_CATEGORY_CUSTOM_3:
- return(ndpi_mod->custom_category_labels[2]);
- break;
- case NDPI_PROTOCOL_CATEGORY_CUSTOM_4:
- return(ndpi_mod->custom_category_labels[3]);
- break;
- case NDPI_PROTOCOL_CATEGORY_CUSTOM_5:
- return(ndpi_mod->custom_category_labels[4]);
- break;
- case NDPI_PROTOCOL_NUM_CATEGORIES:
- return("Code should not use this internal constant");
- break;
- }
- return("Unspecified");
+ if(category < NDPI_PROTOCOL_CATEGORY_CUSTOM_1)
+ return(categories[category]);
+ else {
+ switch(category) {
+ case NDPI_PROTOCOL_CATEGORY_CUSTOM_1:
+ return(ndpi_mod->custom_category_labels[0]);
+ case NDPI_PROTOCOL_CATEGORY_CUSTOM_2:
+ return(ndpi_mod->custom_category_labels[1]);
+ case NDPI_PROTOCOL_CATEGORY_CUSTOM_3:
+ return(ndpi_mod->custom_category_labels[2]);
+ case NDPI_PROTOCOL_CATEGORY_CUSTOM_4:
+ return(ndpi_mod->custom_category_labels[3]);
+ case NDPI_PROTOCOL_CATEGORY_CUSTOM_5:
+ return(ndpi_mod->custom_category_labels[4]);
+ case NDPI_PROTOCOL_NUM_CATEGORIES:
+ return("Code should not use this internal constant");
+ default:
+ return("Unspecified");
+ }
+ }
}
/* ****************************************************** */
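Review bot: `categories[category]` is indexed with only an upper guard, and nothing ties the order or length of the new `categories[]` table to `ndpi_protocol_category_t`. If the enum is compiled as a signed type, a negative value passes `category < NDPI_PROTOCOL_CATEGORY_CUSTOM_1` and reads before the array, and a reordered or extended enum would silently return the wrong label. I would guard with `if((unsigned)category < NDPI_PROTOCOL_CATEGORY_CUSTOM_1)` and put a comment above the table such as `/* Order must match ndpi_protocol_category_t */`. The five trailing `""` entries appear unreachable through this function if `NDPI_PROTOCOL_CATEGORY_CUSTOM_1` directly follows the software-update category, so they should be dropped or explained.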
diff --git a/src/lib/protocols/attic/ftp.c b/src/lib/protocols/attic/ftp.c
index 29cf55d15..2e06aec9a 100644
--- a/src/lib/protocols/attic/ftp.c
+++ b/src/lib/protocols/attic/ftp.c
@@ -43,6 +43,8 @@ static void ndpi_int_ftp_add_connection(struct ndpi_detection_module_struct *ndp
*/
#if !defined(WIN32)
static inline
+#elif defined(MINGW_GCC)
+__mingw_forceinline static
#else
__forceinline static
#endif
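Review bot: The same `#if !defined(WIN32)` / `#elif defined(MINGW_GCC)` / `#else` ladder is pasted before every inline helper here and again in the irc.c, qq.c, rtp.c, sip.c, sopcast.c, telnet.c, thunder.c, world_of_warcraft.c, yahoo.c and zattoo.c hunks. A single macro in a shared header, for example `NDPI_STATIC_INLINE` (the name is only a suggestion), would keep the compiler selection in one place. `MINGW_GCC` is not defined anywhere in this diff, so it presumably comes from the build system; a comment saying where it is set would help, because without it a MinGW build falls through to `__forceinline static`. The functions these qualifiers apply to start outside the hunks.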
@@ -78,8 +80,11 @@ u_int8_t ndpi_int_check_possible_ftp_command(const struct ndpi_packet_struct *pa
/**
* ftp replies are are 3-digit number followed by space or hyphen
*/
+
#if !defined(WIN32)
static inline
+#elif defined(MINGW_GCC)
+__mingw_forceinline static
#else
__forceinline static
#endif
@@ -108,6 +113,8 @@ u_int8_t ndpi_int_check_possible_ftp_reply(const struct ndpi_packet_struct *pack
*/
#if !defined(WIN32)
static inline
+#elif defined(MINGW_GCC)
+__mingw_forceinline static
#else
__forceinline static
#endif
diff --git a/src/lib/protocols/checkmk.c b/src/lib/protocols/checkmk.c
new file mode 100755
index 000000000..50a92c8d5
--- /dev/null
+++ b/src/lib/protocols/checkmk.c
@@ -0,0 +1,83 @@
+/*
+ * checkmk.c
+ *
+ * Copyright (C) 2011-17 - ntop.org
+ *
+ * This file is part of nDPI, an open source deep packet inspection
+ * library based on the OpenDPI and PACE technology by ipoque GmbH
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+ */
+
+#include "ndpi_protocols.h"
+
+#ifdef NDPI_PROTOCOL_CHECKMK
+
+static void ndpi_int_checkmk_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow)
+{
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CHECKMK, NDPI_PROTOCOL_UNKNOWN);
+}
+
+
+void ndpi_search_checkmk(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow)
+{
+ struct ndpi_packet_struct *packet = &flow->packet;
+
+ if (packet->payload_packet_len >= 15) {
+
+ if(packet->payload_packet_len > 128) {
+ /*
+ When we transfer a large data chunk, unless we have observed
+ the initial connection, we need to discard these packets
+ as they are not an indication that this flow is not AFP
+ */
+ return;
+ }
+
+ /*
+ * this will detect the OpenSession command of the Data Stream Interface (DSI) protocol
+ * which is exclusively used by the Apple Filing Protocol (AFP) on TCP/IP networks
+ */
+ if (packet->payload_packet_len >= 15 && packet->payload_packet_len < 100
+ && memcmp(packet->payload, "<<<check_mk>>>", 14) == 0) {
+
+ NDPI_LOG(NDPI_PROTOCOL_CHECKMK, ndpi_struct, NDPI_LOG_DEBUG, "Check_MK: Flow detected.\n");
+ ndpi_int_checkmk_add_connection(ndpi_struct, flow);
+ return;
+ }
+ }
+
+ NDPI_LOG(NDPI_PROTOCOL_CHECKMK, ndpi_struct, NDPI_LOG_DEBUG, "Check_MK excluded.\n");
+ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_CHECKMK);
+}
+
+
+void init_checkmk_dissector(struct ndpi_detection_module_struct *ndpi_struct,
+ u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
+{
+ ndpi_set_bitmask_protocol_detection("CHECKMK", ndpi_struct, detection_bitmask, *id,
+ NDPI_PROTOCOL_CHECKMK,
+ ndpi_search_checkmk,
+ NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
+ SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+ ADD_TO_DETECTION_BITMASK);
+ *id += 1;
+}
+
+
+#endif
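Review bot: Both block comments in `ndpi_search_checkmk` were carried over from the AFP dissector and describe DSI/AFP rather than Check_MK, which will mislead anyone auditing this signature. I would replace them with something like `/* Large payloads are skipped without excluding the protocol */` and `/* Check_MK agent output starts with the "<<<check_mk>>>" section header */`. The inner `payload_packet_len >= 15` test repeats the outer one, and the `< 100` bound means payloads of 100 to 128 bytes are excluded while larger ones return undecided, which looks unintended. The 14-byte `memcmp` stays within bounds given the `>= 15` guard. The file is also added with mode 100755, which a C source does not need.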
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index bf4f9d9b6..7b56c3c02 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -201,6 +201,9 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
off++;
}
+ if(is_query && ndpi_struct->dns_dissect_response)
+ return; /* The response will set the verdict */
+
flow->host_server_name[j] = '\0';
flow->protos.dns.num_queries = (u_int8_t)dns_header.num_queries,
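Review bot: Moving the early `return` above `flow->host_server_name[j] = '\0';` means a query on a flow with `dns_dissect_response` set now leaves without terminating the name. The loop that fills the buffer is outside this hunk, so this is inferred from the `off++; }` context: if it writes into `flow->host_server_name`, later readers may see an unterminated string unless the flow was zeroed beforehand. The return is also no longer limited to flows whose `detected_protocol_stack[0]` is still unknown, as it was in the lines the second hunk removes. Placing the new `if` directly after the terminator line keeps the buffer well formed.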
@@ -220,9 +223,6 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
#endif
if(flow->packet.detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {
- if(is_query && ndpi_struct->dns_dissect_response)
- return; /* The response will set the verdict */
-
/**
Do not set the protocol with DNS if ndpi_match_host_subprotocol() has
matched a subprotocol
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 1d12ea2e9..50eef99ed 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -552,15 +552,15 @@ static void http_bitmask_exclude_other(struct ndpi_flow_struct *flow)
/*************************************************************************************************/
static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow) {
-
+ struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
u_int16_t filename_start; /* the filename in the request method line, e.g., "GET filename_start..."*/
packet->packet_lines_parsed_complete = 0;
/* Check if we so far detected the protocol in the request or not. */
- if(flow->l4.tcp.http_stage == 0) { /* Expected a request */
+ if(flow->l4.tcp.http_stage == 0) {
+ /* Expected a request */
flow->http_detected = 0;
NDPI_LOG_DBG2(ndpi_struct, "HTTP stage %d: \n", flow->l4.tcp.http_stage);
@@ -578,11 +578,29 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
}
if((packet->payload_packet_len == 3) && memcmp(packet->payload, "HI\n", 3) == 0) {
- /* This looks like Ookla: we don't give up with HTTP yet */
- flow->l4.tcp.http_stage = 1;
- return;
+ /* This looks like Ookla: we don't give up with HTTP yet */
+ flow->l4.tcp.http_stage = 1;
+ return;
}
-
+
+ if((packet->payload_packet_len == 40) && (flow->l4.tcp.http_stage == 0)) {
+ /*
+ -> QR O06L0072-6L91-4O43-857J-K8OO172L6L51
+ <- QNUUX 2.5 2017-08-15.1314.4jn12m5
+ -> MXFWUXJM 31625365
+ */
+
+ if((packet->payload[2] == ' ')
+ && (packet->payload[11] == '-')
+ && (packet->payload[16] == '-')
+ && (packet->payload[21] == '-')
+ && (packet->payload[26] == '-')
+ && (packet->payload[39] == 0x0A)
+ )
+ flow->l4.tcp.http_stage = 1;
+ return;
+ }
+
if((packet->payload_packet_len == 23) && (memcmp(packet->payload, "<policy-file-request/>", 23) == 0)) {
/*
<policy-file-request/>
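Review bot: In the new 40-byte block the `return;` is not governed by the inner `if`, because that `if` has no braces and only `flow->l4.tcp.http_stage = 1;` belongs to it. Every 40-byte payload seen at stage 0 therefore returns before the HTTP request parsing that follows, whether or not the byte pattern matched, so such a packet is neither classified nor excluded. Bracing the body fixes it: `if(...) { flow->l4.tcp.http_stage = 1; return; }`. The outer `http_stage == 0` test also appears redundant inside the stage-0 branch. `ndpi_check_http_tcp` starts and ends outside this hunk.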
@@ -757,17 +775,21 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
} else if((flow->l4.tcp.http_stage == 1) || (flow->l4.tcp.http_stage == 2)) {
NDPI_LOG_DBG2(ndpi_struct, "HTTP stage %u: \n", flow->l4.tcp.http_stage);
-
-
- if(flow->l4.tcp.http_stage == 1) {
- if((packet->payload_packet_len > 6) && memcmp(packet->payload, "HELLO ", 6) == 0) {
- /* This looks like Ookla */
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_UNKNOWN);
- return;
- } else
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_OOKLA);
+
+ if((packet->payload_packet_len == 34) && (flow->l4.tcp.http_stage == 1)) {
+ if((packet->payload[5] == ' ') && (packet->payload[9] == ' ')) {
+ ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA);
+ return;
+ }
}
-
+
+ if((packet->payload_packet_len > 6) && memcmp(packet->payload, "HELLO ", 6) == 0) {
+ /* This looks like Ookla */
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_UNKNOWN);
+ return;
+ } else
+ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_OOKLA);
+
/**
At first check, if this is for sure a response packet (in another direction. If not, if HTTP is detected do nothing now and return,
otherwise check the second packet for the HTTP request
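Review bot: The 34-byte test accepts any payload with spaces at offsets 5 and 9, which is a very loose signature on which to issue an Ookla verdict through `ndpi_int_http_add_connection`. Together with the 40-byte stage-0 pattern it allows unrelated traffic of the right shape to be labelled Ookla; checking the leading token as well would tighten it, though the expected bytes are not shown here beyond the sample in the earlier comment. The `HELLO ` test and its `else` exclusion of `NDPI_PROTOCOL_OOKLA` now also run at stage 2, where the removed lines limited them to `http_stage == 1`; if that is intended, a comment should say so.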
@@ -852,7 +874,6 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
flow->l4.tcp.http_stage = 0;
return;
}
-
}
void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct,
diff --git a/src/lib/protocols/irc.c b/src/lib/protocols/irc.c
index 2cadf0a32..7bdd543c3 100644
--- a/src/lib/protocols/irc.c
+++ b/src/lib/protocols/irc.c
@@ -44,8 +44,11 @@ static void ndpi_int_irc_add_connection(struct ndpi_detection_module_struct *ndp
}
+
#if !defined(WIN32)
static inline
+#elif defined(MINGW_GCC)
+__mingw_forceinline static
#else
__forceinline static
#endif
diff --git a/src/lib/protocols/qq.c b/src/lib/protocols/qq.c
index 7eae869ac..f3b713132 100644
--- a/src/lib/protocols/qq.c
+++ b/src/lib/protocols/qq.c
@@ -85,6 +85,8 @@ static const u_int16_t ndpi_valid_qq_versions[] = {
#if !defined(WIN32)
static inline
+#elif defined(MINGW_GCC)
+__mingw_forceinline static
#else
__forceinline static
#endif
@@ -176,6 +178,8 @@ u_int8_t ndpi_is_valid_qq_packet(const struct ndpi_packet_struct *packet)
#if !defined(WIN32)
static inline
+#elif defined(MINGW_GCC)
+__mingw_forceinline static
#else
__forceinline static
#endif
@@ -429,6 +433,8 @@ static void ndpi_search_qq_udp(struct ndpi_detection_module_struct *ndpi_struct,
#if !defined(WIN32)
static inline
+#elif defined(MINGW_GCC)
+__mingw_forceinline static
#else
__forceinline static
#endif
diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c
index 3acf71b61..a61e732d2 100644
--- a/src/lib/protocols/rtp.c
+++ b/src/lib/protocols/rtp.c
@@ -119,6 +119,8 @@ void ndpi_search_rtp(struct ndpi_detection_module_struct *ndpi_struct, struct nd
{
struct ndpi_packet_struct *packet = &flow->packet;
+ /* printf("*** %s(pkt=%d)\n", __FUNCTION__, flow->packet_counter); */
+
if((packet->udp != NULL)
&& (ntohs(packet->udp->source) > 1023)
&& (ntohs(packet->udp->dest) > 1023))
@@ -154,6 +156,8 @@ static void ndpi_int_rtp_add_connection(struct ndpi_detection_module_struct
#if !defined(WIN32)
static inline
+#elif defined(MINGW_GCC)
+__mingw_forceinline static
#else
__forceinline static
#endif
@@ -168,6 +172,8 @@ void init_seq(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow
#if !defined(WIN32)
static inline
+#elif defined(MINGW_GCC)
+__mingw_forceinline static
#else
__forceinline static
#endif
diff --git a/src/lib/protocols/sip.c b/src/lib/protocols/sip.c
index 4b3790208..5edd377c6 100644
--- a/src/lib/protocols/sip.c
+++ b/src/lib/protocols/sip.c
@@ -38,6 +38,8 @@ static void ndpi_int_sip_add_connection(struct ndpi_detection_module_struct *ndp
#if !defined(WIN32)
static inline
+#elif defined(MINGW_GCC)
+__mingw_forceinline static
#else
__forceinline static
#endif
diff --git a/src/lib/protocols/sopcast.c b/src/lib/protocols/sopcast.c
index db507ecc7..3e8009454 100644
--- a/src/lib/protocols/sopcast.c
+++ b/src/lib/protocols/sopcast.c
@@ -46,6 +46,8 @@ static void ndpi_int_sopcast_add_connection(struct ndpi_detection_module_struct
#if !defined(WIN32)
static inline
+#elif defined(MINGW_GCC)
+__mingw_forceinline static
#else
__forceinline static
#endif
diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/ssl.c
index e57e891e5..adb0e9cf4 100644
--- a/src/lib/protocols/ssl.c
+++ b/src/lib/protocols/ssl.c
@@ -637,7 +637,7 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
return;
} else if((packet->payload_packet_len == 4)
&& (packet->payload[0] == 'W')
- && (packet->payload[1] == 'A')){
+ && (packet->payload[1] == 'A')) {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN);
return;
} else {
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index 53f39c4d6..eef6e024e 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -247,10 +247,19 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
return NDPI_IS_NOT_STUN;
udp_stun_found:
- if(can_this_be_whatsapp_voice)
+ if(can_this_be_whatsapp_voice) {
flow->num_stun_udp_pkts++;
- return((flow->num_stun_udp_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN);
+ return((flow->num_stun_udp_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN);
+ } else {
+ /*
+ We cannot immediately say that this is STUN as there are other protocols
+ like GoogleHangout that might be candidates, thus we set the
+ guessed protocol to STUN
+ */
+ flow->guessed_protocol_id = NDPI_PROTOCOL_STUN;
+ return(NDPI_IS_NOT_STUN);
+ }
}
void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
@@ -293,17 +302,23 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n
ndpi_int_stun_add_connection(ndpi_struct,
is_whatsapp ? NDPI_PROTOCOL_WHATSAPP_VOICE : NDPI_PROTOCOL_STUN, flow);
}
+
return;
}
if(flow->num_stun_udp_pkts >= MAX_NUM_STUN_PKTS) {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
+
+ if(flow->packet_counter > 0) {
+ /* This might be a RTP stream: let's make sure we check it */
+ NDPI_CLR(&flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RTP);
+ }
}
-void init_stun_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
-{
+void init_stun_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id,
+ NDPI_PROTOCOL_BITMASK *detection_bitmask) {
ndpi_set_bitmask_protocol_detection("STUN", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_STUN,
ndpi_search_stun,
diff --git a/src/lib/protocols/telnet.c b/src/lib/protocols/telnet.c
index 17618f795..264e83aa1 100644
--- a/src/lib/protocols/telnet.c
+++ b/src/lib/protocols/telnet.c
@@ -41,6 +41,8 @@ static void ndpi_int_telnet_add_connection(struct ndpi_detection_module_struct
#if !defined(WIN32)
static inline
+#elif defined(MINGW_GCC)
+__mingw_forceinline static
#else
__forceinline static
#endif
diff --git a/src/lib/protocols/thunder.c b/src/lib/protocols/thunder.c
index 2818d873d..384436f13 100644
--- a/src/lib/protocols/thunder.c
+++ b/src/lib/protocols/thunder.c
@@ -52,6 +52,8 @@ static void ndpi_int_thunder_add_connection(struct ndpi_detection_module_struct
#if !defined(WIN32)
static inline
+#elif defined(MINGW_GCC)
+__mingw_forceinline static
#else
__forceinline static
#endif
@@ -81,6 +83,8 @@ void ndpi_int_search_thunder_udp(struct ndpi_detection_module_struct
#if !defined(WIN32)
static inline
+#elif defined(MINGW_GCC)
+__mingw_forceinline static
#else
__forceinline static
#endif
@@ -134,6 +138,8 @@ void ndpi_int_search_thunder_tcp(struct ndpi_detection_module_struct
#if !defined(WIN32)
static inline
+#elif defined(MINGW_GCC)
+__mingw_forceinline static
#else
__forceinline static
#endif
diff --git a/src/lib/protocols/tor.c b/src/lib/protocols/tor.c
index 93c4fecca..21fc0cf52 100644
--- a/src/lib/protocols/tor.c
+++ b/src/lib/protocols/tor.c
@@ -21,14 +21,23 @@ static void ndpi_int_tor_add_connection(struct ndpi_detection_module_struct
int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow, char *certificate) {
-
+ struct ndpi_flow_struct *flow, char *certificate) {
int prev_num = 0, numbers_found = 0, num_found = 0, i, len;
char dummy[48], *dot, *name;
- if((certificate == NULL)
- || (strlen(certificate) < 6)
- || (strncmp(certificate, "www.", 4)))
+ if(certificate == NULL)
+ return(0);
+ else
+ len = strlen(certificate);
+
+ /* Check if it ends in .com or .net */
+ if(strcmp(&certificate[len-4], ".com") && strcmp(&certificate[len-4], ".net"))
+ return(0);
+
+ if((len < 6)
+ || (!strncmp(certificate, "*.", 2)) /* Wildcard certificate */
+ || (strncmp(certificate, "www.", 4)) /* Not starting with www.... */
+ )
return(0);
// printf("***** [SSL] %s(): %s\n", __FUNCTION__, certificate);
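Review bot: `&certificate[len-4]` is evaluated before the `len < 6` check, so a certificate name shorter than four characters indexes before the start of the string. The name comes from the peer's certificate, which makes this an out-of-bounds read on untrusted input. Move the length test ahead of the suffix comparison, e.g. `if(len < 6) return(0);` directly after `len = strlen(certificate);`. `len` is an `int` receiving a `size_t`, and the body of `ndpi_is_ssl_tor` continues outside the hunk.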
@@ -60,13 +69,12 @@ int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct,
} else
prev_num = 0;
- if(ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, &name[i])) {
- ndpi_int_tor_add_connection(ndpi_struct, flow);
- return(1);
- }
-
+
if(ndpi_match_bigram(ndpi_struct, &ndpi_struct->bigrams_automa, &name[i])) {
num_found++;
+ } else if(ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, &name[i])) {
+ ndpi_int_tor_add_connection(ndpi_struct, flow);
+ return(1);
}
}
diff --git a/src/lib/protocols/world_of_warcraft.c b/src/lib/protocols/world_of_warcraft.c
index 307f41070..bfcf3f4e1 100644
--- a/src/lib/protocols/world_of_warcraft.c
+++ b/src/lib/protocols/world_of_warcraft.c
@@ -39,6 +39,8 @@ static void ndpi_int_worldofwarcraft_add_connection(struct ndpi_detection_module
#if !defined(WIN32)
static inline
+#elif defined(MINGW_GCC)
+__mingw_forceinline static
#else
__forceinline static
#endif
diff --git a/src/lib/protocols/yahoo.c b/src/lib/protocols/yahoo.c
index 3c073482f..1144fb4ef 100644
--- a/src/lib/protocols/yahoo.c
+++ b/src/lib/protocols/yahoo.c
@@ -55,8 +55,10 @@ static u_int8_t ndpi_check_for_YmsgCommand(u_int16_t len, const u_int8_t * ptr)
}
-#ifndef WIN32
+#if !defined(WIN32)
static inline
+#elif defined(MINGW_GCC)
+__mingw_forceinline static
#else
__forceinline static
#endif
diff --git a/src/lib/protocols/zattoo.c b/src/lib/protocols/zattoo.c
index 9c212ddde..c3e514dda 100644
--- a/src/lib/protocols/zattoo.c
+++ b/src/lib/protocols/zattoo.c
@@ -28,8 +28,10 @@
#include "ndpi_api.h"
-#ifndef WIN32
+#if !defined(WIN32)
static inline
+#elif defined(MINGW_GCC)
+__mingw_forceinline static
#else
__forceinline static
#endif