Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_protocol_ids.h9
-rw-r--r--src/lib/ndpi_content_match.c.inc103
-rw-r--r--src/lib/ndpi_main.c41
-rw-r--r--src/lib/protocols/cassandra.c6
-rw-r--r--src/lib/protocols/dns.c3
-rw-r--r--src/lib/protocols/gtp.c15
-rw-r--r--src/lib/protocols/radius.c9
-rw-r--r--src/lib/protocols/sip.c14
-rw-r--r--src/lib/protocols/stun.c20
-rw-r--r--src/lib/protocols/syslog.c64
-rw-r--r--src/lib/protocols/tls.c3
11 files changed, 213 insertions, 74 deletions
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index 963744006..aeaeab18b 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -295,6 +295,15 @@ typedef enum {
NDPI_PROTOCOL_CASSANDRA = 264, /* Lucas Santos <lfneiva.santos@gmail.com> */
NDPI_PROTOCOL_AMAZON_AWS = 265,
NDPI_PROTOCOL_SALESFORCE = 266,
+ NDPI_PROTOCOL_VIMEO = 267,
+ NDPI_PROTOCOL_FACEBOOK_VOIP = 268,
+ NDPI_PROTOCOL_SIGNAL_VOIP = 269,
+ NDPI_PROTOCOL_FUZE = 270,
+ NDPI_PROTOCOL_GTP_U = 271,
+ NDPI_PROTOCOL_GTP_C = 272,
+ NDPI_PROTOCOL_GTP_PRIME = 273,
+ NDPI_PROTOCOL_ALIBABA = 274,
+ NDPI_PROTOCOL_CRASHLYSTICS = 275,
#ifdef CUSTOM_NDPI_PROTOCOLS
#include "../../../nDPI-custom/custom_ndpi_protocol_ids.h"
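Review bot: `NDPI_PROTOCOL_CRASHLYSTICS` misspells Crashlytics, and because this enum lives in a public header the typo becomes a name every caller has to repeat; it is already used that way in the `.crashlytics.com` row added to `host_match` in this commit. Rename it to `NDPI_PROTOCOL_CRASHLYTICS = 275,` now, or keep the misspelt form only as a deprecated alias. The enum starts and ends outside this hunk.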
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 519f337d0..459d76a22 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -9563,13 +9563,13 @@ static ndpi_protocol_match host_match[] =
*/
/* Google Advertisements */
- { ".googlesyndication.com", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_TRACKER_ADS, NDPI_PROTOCOL_DEFAULT_LEVEL },
- { "googleads.", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_TRACKER_ADS, NDPI_PROTOCOL_DEFAULT_LEVEL },
- { ".doubleclick.net", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_TRACKER_ADS, NDPI_PROTOCOL_DEFAULT_LEVEL },
- { "googleadservices.", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_TRACKER_ADS, NDPI_PROTOCOL_DEFAULT_LEVEL },
- { ".2mdn.net", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_TRACKER_ADS, NDPI_PROTOCOL_DEFAULT_LEVEL },
- { ".dmtry.com", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_TRACKER_ADS, NDPI_PROTOCOL_DEFAULT_LEVEL },
- { "google-analytics.", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_TRACKER_ADS, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".googlesyndication.com", "Google", NDPI_PROTOCOL_GOOGLE, CUSTOM_CATEGORY_ADVERTISEMENT, NDPI_PROTOCOL_TRACKER_ADS, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "googleads.", "Google", NDPI_PROTOCOL_GOOGLE, CUSTOM_CATEGORY_ADVERTISEMENT, NDPI_PROTOCOL_TRACKER_ADS, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".doubleclick.net", "Google", NDPI_PROTOCOL_GOOGLE, CUSTOM_CATEGORY_ADVERTISEMENT, NDPI_PROTOCOL_TRACKER_ADS, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "googleadservices.", "Google", NDPI_PROTOCOL_GOOGLE, CUSTOM_CATEGORY_ADVERTISEMENT, NDPI_PROTOCOL_TRACKER_ADS, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".2mdn.net", "Google", NDPI_PROTOCOL_GOOGLE, CUSTOM_CATEGORY_ADVERTISEMENT, NDPI_PROTOCOL_TRACKER_ADS, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".dmtry.com", "Google", NDPI_PROTOCOL_GOOGLE, CUSTOM_CATEGORY_ADVERTISEMENT, NDPI_PROTOCOL_TRACKER_ADS, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "google-analytics.", "Google", NDPI_PROTOCOL_GOOGLE, CUSTOM_CATEGORY_ADVERTISEMENT, NDPI_PROTOCOL_TRACKER_ADS, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ ".gvt1.com", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ ".gvt2.com", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "telephony.goog", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
@@ -9593,6 +9593,7 @@ static ndpi_protocol_match host_match[] =
{ "maps.gstatic.com", "GoogleMaps", NDPI_PROTOCOL_GOOGLE_MAPS, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ ".gmail.", "GMail", NDPI_PROTOCOL_GMAIL, NDPI_PROTOCOL_CATEGORY_MAIL, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "inbox.google.com", "GMail", NDPI_PROTOCOL_GMAIL, NDPI_PROTOCOL_CATEGORY_MAIL, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "mail.google.", "GMail", NDPI_PROTOCOL_GMAIL, NDPI_PROTOCOL_CATEGORY_MAIL, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "google.com", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
@@ -9644,6 +9645,7 @@ static ndpi_protocol_match host_match[] =
{ "mmg-fna.whatsapp.net", "WhatsAppFiles", NDPI_PROTOCOL_WHATSAPP_FILES, NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ ".fna.whatsapp.net", "WhatsAppFiles", NDPI_PROTOCOL_WHATSAPP_FILES, NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ ".cdn.whatsapp.net", "WhatsAppFiles", NDPI_PROTOCOL_WHATSAPP_FILES, NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "mms.whatsapp.net", "WhatsAppFiles", NDPI_PROTOCOL_WHATSAPP_FILES, NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ ".whatsapp.", "WhatsApp", NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "g.whatsapp.net", "WhatsApp", NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "v.whatsapp.net", "WhatsApp", NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
@@ -9738,6 +9740,8 @@ static ndpi_protocol_match host_match[] =
{ ".dynamics.com", "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "msftncsi.com", "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ ".azure.com", "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".azureedge.us", "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".azurefd.us", "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ ".windows.net", "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ ".windows.com", "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ ".microsoft.com", "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
@@ -9770,7 +9774,10 @@ static ndpi_protocol_match host_match[] =
{ "..msn-com.", "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ ".-s-msn-com.", "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ ".s-msn.com", "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
-
+ { ".img-s-msn-com.", "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "img-s-msn-com.", "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".location.live.net", "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".virtualearth.net", "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "teams.microsoft.com", "Teams", NDPI_PROTOCOL_MSTEAMS, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "teams.microsoft.us", "Teams", NDPI_PROTOCOL_MSTEAMS, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
@@ -9942,12 +9949,15 @@ static ndpi_protocol_match host_match[] =
{ "p16-tiktok-sign-va-h2.ibyteimg.com", "TikTok", NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "p16-tiktok-sg.ibyteimg.com", "TikTok", NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "p16-tiktok-va.ibyteimg.com", "TikTok", NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "p16-musical-va.ibyteimg.com", "TikTok", NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "p16-musical-sg.ibyteimg.com", "TikTok", NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "p16-va-tiktok.ibyteimg.com", "TikTok", NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "p16-ad-sg.ibyteimg.com", "TikTok", NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "p21-ad-sg.ibyteimg.com", "TikTok", NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "tiktokcdn.com", "TikTok", NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "p16-tiktok-va-h2.ibyteimg.com", "TikTok", NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "p16-tiktokcdn-com.akamaized.net", "TikTok", NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "p16-va-default.akamaized.net", "TikTok", NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "tiktokcdn.liveplay.myqcloud.com", "TikTok", NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "musemuse.cn", "TikTok", NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "tiktokv.com", "TikTok", NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
@@ -10028,24 +10038,46 @@ static ndpi_protocol_match host_match[] =
{ "disneyplus.net", "DisneyPlus", NDPI_PROTOCOL_DISNEYPLUS, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "dssott.com", "DisneyPlus", NDPI_PROTOCOL_DISNEYPLUS, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "disneyplus.com.ssl.sc.omtrdc.net", "DisneyPlus", NDPI_PROTOCOL_DISNEYPLUS, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
- { "search-api-disney.bamgrid.com", "DisneyPlus", NDPI_PROTOCOL_DISNEYPLUS, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".bamgrid.com", "DisneyPlus", NDPI_PROTOCOL_DISNEYPLUS, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".registerdisney.go.com", "DisneyPlus", NDPI_PROTOCOL_DISNEYPLUS, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
/*
Likee app
*/
{ ".like.video", "Likee", NDPI_PROTOCOL_LIKEE, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ ".likee.video", "Likee", NDPI_PROTOCOL_LIKEE, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".likee.com", "Likee", NDPI_PROTOCOL_LIKEE, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ ".likeevideo.com", "Likee", NDPI_PROTOCOL_LIKEE, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ ".like-video.com", "Likee", NDPI_PROTOCOL_LIKEE, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ ".likeimo.tech", "Likee", NDPI_PROTOCOL_LIKEE, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ ".liketech.tech", "Likee", NDPI_PROTOCOL_LIKEE, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "bstream.hzmklvdieo.com", "Likee", NDPI_PROTOCOL_LIKEE, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "bstream.kzhi.tech", "Likee", NDPI_PROTOCOL_LIKEE, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
/*
Activision
*/
{ "activision.", "Activision", NDPI_PROTOCOL_ACTIVISION, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ ".activision.com", "Activision", NDPI_PROTOCOL_ACTIVISION, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
+
+ /* Vimeo */
+ { "vimeo.com", "Vimeo", NDPI_PROTOCOL_VIMEO, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".vimeo.com", "Vimeo", NDPI_PROTOCOL_VIMEO, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".vimeocdn.com", "Vimeo", NDPI_PROTOCOL_VIMEO, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
+
+ { ".crashlytics.com", "Crashlytics", NDPI_PROTOCOL_CRASHLYSTICS, NDPI_PROTOCOL_CATEGORY_DATA_TRANSFER, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+
+ { ".fuze.com", "Fuze", NDPI_PROTOCOL_FUZE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".fuzemeeting.com", "Fuze", NDPI_PROTOCOL_FUZE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".thinkingphones.com", "Fuze", NDPI_PROTOCOL_FUZE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+
+ { "alibaba.com", "Alibaba", NDPI_PROTOCOL_ALIBABA, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".alibaba.com", "Alibaba", NDPI_PROTOCOL_ALIBABA, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".aliapp.org", "Alibaba", NDPI_PROTOCOL_ALIBABA, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".alicdn.com", "Alibaba", NDPI_PROTOCOL_ALIBABA, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".aliyuncs.com", "Alibaba", NDPI_PROTOCOL_ALIBABA, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { ".mmstat.com", "Alibaba", NDPI_PROTOCOL_ALIBABA, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+
{ NULL, NULL, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL }
};
@@ -10109,6 +10141,7 @@ static ndpi_category_match category_match[] = {
{ "detectportal.firefox.com", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK },
{ "connectivitycheck.android.com", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK },
{ "connectivitycheck.gstatic.com", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK },
+ { "connectivitycheck.platform.hicloud.com", NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK },
/* Hulu Streaming services AS23286 */
{ "8.28.124.0/24", NDPI_PROTOCOL_CATEGORY_STREAMING },
@@ -10141,6 +10174,58 @@ static ndpi_category_match category_match[] = {
{ "139.104.216.0/24", NDPI_PROTOCOL_CATEGORY_STREAMING },
{ "139.104.217.0/24", NDPI_PROTOCOL_CATEGORY_STREAMING },
+ /*
+ ADS and tracking
+ */
+ /* Smaato is a digital ad tech platform and ad server */
+ { ".smaato.net", CUSTOM_CATEGORY_ADVERTISEMENT },
+ { ".smaato.com", CUSTOM_CATEGORY_ADVERTISEMENT },
+ /* MoPub, a Twitter company, provides monetization solutions */
+ { ".mopub.com", CUSTOM_CATEGORY_ADVERTISEMENT },
+ /* AppsFlyer is a SaaS mobile marketing analytics and attribution platform */
+ { ".appsflyer.com", CUSTOM_CATEGORY_ADVERTISEMENT },
+ /* Adjust is the mobile marketing platform for marketers around the world */
+ { ".adjust.com", CUSTOM_CATEGORY_ADVERTISEMENT },
+ /* Helpshift enables brands to deliver superior digital customer service digital channels*/
+ { ".helpshift.com", CUSTOM_CATEGORY_ADVERTISEMENT },
+ /* AppLovin is a mobile marketing platform */
+ { ".applovin.com", CUSTOM_CATEGORY_ADVERTISEMENT },
+ /* AdRight is an innovative online advertising network */
+ { ".adright.com", CUSTOM_CATEGORY_ADVERTISEMENT },
+ /* MGID: Native Visitors Acquisition for Advertisers */
+ { ".mgid.com", CUSTOM_CATEGORY_ADVERTISEMENT },
+ /* InMobi is the world's leading mobile marketing and advertising platform provider */
+ { ".inmobi.com", CUSTOM_CATEGORY_ADVERTISEMENT },
+ /* AdColony - Elevating mobile advertising */
+ { ".adcolony.com", CUSTOM_CATEGORY_ADVERTISEMENT },
+ /* Supersonicads: App monetization done right */
+ { ".supersonicads.com", CUSTOM_CATEGORY_ADVERTISEMENT },
+ /* Criteo is an advertising company that provides online display advertisements */
+ { ".criteo.net", CUSTOM_CATEGORY_ADVERTISEMENT },
+ { ".criteo.com", CUSTOM_CATEGORY_ADVERTISEMENT },
+ /* Flurry is an American mobile analytics, monetization, and advertising company */
+ { ".flurry.com", CUSTOM_CATEGORY_ADVERTISEMENT },
+ /* Taboola is the world's leading discovery & native advertising platform */
+ { ".taboola.com", CUSTOM_CATEGORY_ADVERTISEMENT },
+ /* Market research community, a leading global market research effort that studies and reports on Internet trends and behavior. */
+ { ".scorecardresearch.com", CUSTOM_CATEGORY_ADVERTISEMENT },
+ /* Magnite Inc. (formerly Rubicon Project) is an American online advertising technology firm */
+ { ".rubiconproject.com", CUSTOM_CATEGORY_ADVERTISEMENT },
+ /* Adnxs.com is run by AppNexus, a company that provides technology, data and analytics to help companies buy and sell online display advertising */
+ { ".adnxs.com", CUSTOM_CATEGORY_ADVERTISEMENT },
+ /* PubMatic, Inc. is a company that develops and implements online advertising software */
+ { ".pubmatic.com", CUSTOM_CATEGORY_ADVERTISEMENT },
+ /* “OpenX’s unified monetization platform */
+ { ".openx.net", CUSTOM_CATEGORY_ADVERTISEMENT },
+ /* AddThis share buttons, targeting tools and content recommendations help you get more likes, shares and followers */
+ { ".addthis.com", CUSTOM_CATEGORY_ADVERTISEMENT },
+ { ".addthisedge.com", CUSTOM_CATEGORY_ADVERTISEMENT },
+ /* NEXAGE offers a mobile advertising platform that provides private and public exchanges */
+ { ".nexage.com", CUSTOM_CATEGORY_ADVERTISEMENT },
+ /* RadiumOne (formerly GWallet) is a digital advertising company */
+ { ".gwallet.com", CUSTOM_CATEGORY_ADVERTISEMENT },
+
+
{ NULL, 0 }
};
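Review bot: The comment on `.helpshift.com` describes a customer-service product, yet the row is filed under `CUSTOM_CATEGORY_ADVERTISEMENT`; either the category or the comment should state why it belongs under "ADS and tracking", since this table drives how flows are labelled. The OpenX comment also opens a typographic quote that is never closed and puts non-ASCII bytes into the source; `/* OpenX: unified monetization platform */` would do. The `category_match` table starts outside this hunk.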
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index ed47ef5ea..50483cf7e 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1022,6 +1022,10 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
"Skype_Teams", NDPI_PROTOCOL_CATEGORY_VOIP,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+ ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_GOOGLE,
+ "Google", NDPI_PROTOCOL_CATEGORY_WEB,
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SKYPE_CALL,
"SkypeCall", NDPI_PROTOCOL_CATEGORY_VOIP,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
@@ -1426,6 +1430,18 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
"GTP", NDPI_PROTOCOL_CATEGORY_NETWORK,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 2152, 2123, 0, 0, 0) /* UDP */);
+ ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_GTP_C,
+ "GTP_C", NDPI_PROTOCOL_CATEGORY_NETWORK,
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+ ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_GTP_U,
+ "GTP_U", NDPI_PROTOCOL_CATEGORY_NETWORK,
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+ ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_GTP_PRIME,
+ "GTP_PRIME", NDPI_PROTOCOL_CATEGORY_NETWORK,
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_WSD,
"WSD", NDPI_PROTOCOL_CATEGORY_NETWORK,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
@@ -1458,7 +1474,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MESSENGER,
- "Messenger", NDPI_PROTOCOL_CATEGORY_VOIP,
+ "Messenger", NDPI_PROTOCOL_CATEGORY_CHAT,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_LISP,
@@ -1750,6 +1766,14 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
"Cassandra", NDPI_PROTOCOL_CATEGORY_DATABASE,
ndpi_build_default_ports(ports_a, 9042, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+ ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_FACEBOOK_VOIP,
+ "FacebookVoip", NDPI_PROTOCOL_CATEGORY_VOIP,
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+ ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SIGNAL_VOIP,
+ "SignalVoip", NDPI_PROTOCOL_CATEGORY_VOIP,
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
#ifdef CUSTOM_NDPI_PROTOCOLS
#include "../../../nDPI-custom/custom_ndpi_main.c"
@@ -2889,8 +2913,7 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str,
/* https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol_for_IPv6 */
if(((icmp6_type >= 5) && (icmp6_type <= 127))
- || (icmp6_type >= 156)
- || ((icmp6_code > 7) && (icmp6_type != 255)))
+ || ((icmp6_code >= 156) && (icmp6_type != 255)))
ndpi_set_risk(ndpi_str, flow, NDPI_MALFORMED_PACKET);
}
}
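Review bot: The rewritten clause compares `icmp6_code` with 156, but 156 was the threshold for `icmp6_type` in the removed line, so it looks as if the two fields were mixed up when the clauses were merged. As written, ICMPv6 types of 156 and above no longer set `NDPI_MALFORMED_PACKET`, and only codes of 156 or more do, which weakens the malformed-packet risk signal. If dropping the `icmp6_code > 7` test was the intent, the remaining clause probably should read `|| ((icmp6_type >= 156) && (icmp6_type != 255)))`. The enclosing function starts outside the hunk, so the intent cannot be confirmed from here.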
@@ -4955,7 +4978,8 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
if(flow->guessed_protocol_id == NDPI_PROTOCOL_STUN)
goto check_stun_export;
else if((flow->guessed_protocol_id == NDPI_PROTOCOL_HANGOUT_DUO) ||
- (flow->guessed_protocol_id == NDPI_PROTOCOL_MESSENGER) ||
+ (flow->guessed_protocol_id == NDPI_PROTOCOL_FACEBOOK_VOIP) ||
+ (flow->guessed_protocol_id == NDPI_PROTOCOL_SIGNAL_VOIP) ||
(flow->guessed_protocol_id == NDPI_PROTOCOL_WHATSAPP_CALL)) {
*protocol_was_guessed = 1;
ndpi_set_detected_protocol(ndpi_str, flow, flow->guessed_protocol_id, NDPI_PROTOCOL_UNKNOWN);
@@ -5039,7 +5063,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
if(ret.master_protocol == NDPI_PROTOCOL_STUN) {
if(ret.app_protocol == NDPI_PROTOCOL_FACEBOOK)
- ret.app_protocol = NDPI_PROTOCOL_MESSENGER;
+ ret.app_protocol = NDPI_PROTOCOL_FACEBOOK_VOIP;
else if(ret.app_protocol == NDPI_PROTOCOL_GOOGLE) {
/*
As Google has recently introduced Duo,
@@ -6913,6 +6937,11 @@ static u_int8_t ndpi_is_more_generic_protocol(u_int16_t previous_proto, u_int16_
case NDPI_PROTOCOL_WHATSAPP_FILES:
if(new_proto == NDPI_PROTOCOL_WHATSAPP)
return(1);
+ break;
+ case NDPI_PROTOCOL_FACEBOOK_VOIP:
+ if(new_proto == NDPI_PROTOCOL_FACEBOOK)
+ return(1);
+ break;
}
return(0);
@@ -7769,7 +7798,7 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str,
}
if(num_bigram_checks
- && (num_dots > 0)
+ /* We already checked num_dots > 0 */
&& ((num_found == 0) || ((num_digits > 5) && (num_words <= 3))
|| enough(num_found, num_impossible)
|| ((num_trigram_checked > 2)
diff --git a/src/lib/protocols/cassandra.c b/src/lib/protocols/cassandra.c
index f7bbccfbc..33ac1f72a 100644
--- a/src/lib/protocols/cassandra.c
+++ b/src/lib/protocols/cassandra.c
@@ -100,6 +100,11 @@ static bool ndpi_check_valid_cassandra_opcode(uint8_t opcode)
return false;
}
+static bool ndpi_check_valid_cassandra_flags(uint8_t flags)
+{
+ return (flags & 0xF0) == 0;
+}
+
void ndpi_search_cassandra(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow)
{
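Review bot: `ndpi_check_valid_cassandra_flags` has no comment explaining the `0xF0` mask, so a reader cannot tell which bits of the flags byte are treated as reserved. Add a line such as `/* the upper nibble of the flags byte must be zero; only the four low flag bits are accepted */` above the function, and consider naming the mask instead of using the bare literal. If `ndpi_check_valid_cassandra_version` accepts a protocol version that defines a flag in the upper nibble, those frames would now be rejected; that helper is outside this hunk, so please confirm.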
@@ -108,6 +113,7 @@ void ndpi_search_cassandra(struct ndpi_detection_module_struct *ndpi_struct,
if (packet->tcp) {
if (packet->payload_packet_len >= CASSANDRA_HEADER_LEN &&
ndpi_check_valid_cassandra_version(get_u_int8_t(packet->payload, 0)) &&
+ ndpi_check_valid_cassandra_flags(get_u_int8_t(packet->payload, 1)) &&
ndpi_check_valid_cassandra_opcode(get_u_int8_t(packet->payload, 4)) &&
get_u_int32_t(packet->payload, 5) <= CASSANDRA_MAX_BODY_SIZE &&
get_u_int32_t(packet->payload, 5) >= (uint32_t) (packet->payload_packet_len - CASSANDRA_HEADER_LEN)) {
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index f32143320..c57d30ec0 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -206,10 +206,11 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct,
if(*is_query) {
/* DNS Request */
- if((dns_header->num_queries > 0) && (dns_header->num_queries <= NDPI_MAX_DNS_REQUESTS)
+ if((dns_header->num_queries <= NDPI_MAX_DNS_REQUESTS)
// && (dns_header->num_answers == 0)
&& (((dns_header->flags & 0x2800) == 0x2800 /* Dynamic DNS Update */)
|| ((dns_header->flags & 0xFCF0) == 0x00) /* Standard Query */
+ || ((dns_header->flags & 0xFCFF) == 0x0800) /* Inverse query */
|| ((dns_header->num_answers == 0) && (dns_header->authority_rrs == 0)))) {
/* This is a good query */
while(x+2 < packet->payload_packet_len) {
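Review bot: Dropping `num_queries > 0` relaxes every query branch, not just the new inverse-query one, so a packet with zero questions that carries standard-query flags or empty answer/authority counts is now accepted as a valid DNS request. If the goal is only to admit inverse queries, keep the lower bound for the other cases, for example `if(((dns_header->num_queries > 0) || ((dns_header->flags & 0xFCFF) == 0x0800))` ahead of the upper-bound test. The `0xFCFF`/`0x0800` pair would also benefit from a comment naming the header bits it selects. `search_valid_dns` starts and continues outside the hunk.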
diff --git a/src/lib/protocols/gtp.c b/src/lib/protocols/gtp.c
index 956ebe355..f94138baf 100644
--- a/src/lib/protocols/gtp.c
+++ b/src/lib/protocols/gtp.c
@@ -82,28 +82,33 @@ static void ndpi_check_gtp(struct ndpi_detection_module_struct *ndpi_struct, str
(payload_len >= HEADER_LEN_GTP_U) &&
(message_len <= (payload_len - HEADER_LEN_GTP_U))) {
NDPI_LOG_INFO(ndpi_struct, "found gtp-u\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GTP, NDPI_PROTOCOL_UNKNOWN);
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GTP_U, NDPI_PROTOCOL_GTP);
return;
}
}
if((packet->udp->source == gtp_c) || (packet->udp->dest == gtp_c)) {
if(((version == 1) &&
(payload_len >= HEADER_LEN_GTP_C_V1) &&
- (message_len == (payload_len - HEADER_LEN_GTP_C_V1))) ||
+ (message_len == (payload_len - HEADER_LEN_GTP_C_V1)) &&
+ (message_len >= 4 * (!!(gtp->flags & 0x07))) &&
+ (gtp->message_type > 0 && gtp->message_type <= 129)) || /* Loose check based on TS 29.060 7.1 */
((version == 2) &&
/* payload_len is always valid, because HEADER_LEN_GTP_C_V2 == sizeof(struct gtp_header_generic) */
(message_len <= (payload_len - HEADER_LEN_GTP_C_V2)))) {
NDPI_LOG_INFO(ndpi_struct, "found gtp-c\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GTP, NDPI_PROTOCOL_UNKNOWN);
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GTP_C, NDPI_PROTOCOL_GTP);
return;
}
}
if((packet->udp->source == gtp_prime) || (packet->udp->dest == gtp_prime)) {
if((pt == 0) &&
+ ((gtp->flags & 0x0E) >> 1 == 0x7) && /* Spare bits */
(payload_len >= HEADER_LEN_GTP_PRIME) &&
- (message_len <= (payload_len - HEADER_LEN_GTP_PRIME))) {
+ (message_len <= (payload_len - HEADER_LEN_GTP_PRIME)) &&
+ ((gtp->message_type > 0 && gtp->message_type <= 7) || /* Check based on TS 32.295 6.2.1 */
+ gtp->message_type == 240 || gtp->message_type == 241)) {
NDPI_LOG_INFO(ndpi_struct, "found gtp-prime\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GTP, NDPI_PROTOCOL_UNKNOWN);
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GTP_PRIME, NDPI_PROTOCOL_GTP);
return;
}
}
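Review bot: `((gtp->flags & 0x0E) >> 1 == 0x7)` relies on `>>` binding tighter than `==`; it evaluates as intended, but `(((gtp->flags & 0x0E) >> 1) == 0x7)` makes the grouping explicit for the next reader. The message-type bounds (129, 7, 240, 241) and the `4 * (!!(gtp->flags & 0x07))` term are bare literals, so the cited TS sections cannot be checked against the code without re-deriving them. Named constants, or a one-line comment such as `/* at least four more bytes are required when any of the three low flag bits is set */`, would fix that. `ndpi_check_gtp` starts outside the hunk.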
diff --git a/src/lib/protocols/radius.c b/src/lib/protocols/radius.c
index 97806c68e..6829047e7 100644
--- a/src/lib/protocols/radius.c
+++ b/src/lib/protocols/radius.c
@@ -24,6 +24,10 @@
#include "ndpi_api.h"
+#define RADIUS_PORT 1812
+#define RADIUS_PORT_ACC 1813
+#define RADIUS_PORT_ACC_ALTERNATIVE 18013
+
struct radius_header {
u_int8_t code;
@@ -37,7 +41,10 @@ static void ndpi_check_radius(struct ndpi_detection_module_struct *ndpi_struct,
// const u_int8_t *packet_payload = packet->payload;
u_int32_t payload_len = packet->payload_packet_len;
- if(packet->udp != NULL) {
+ if(packet->udp != NULL &&
+ (packet->udp->dest == htons(RADIUS_PORT) || packet->udp->source == htons(RADIUS_PORT) ||
+ packet->udp->dest == htons(RADIUS_PORT_ACC) || packet->udp->source == htons(RADIUS_PORT_ACC) ||
+ packet->udp->dest == htons(RADIUS_PORT_ACC_ALTERNATIVE) || packet->udp->source == htons(RADIUS_PORT_ACC_ALTERNATIVE))) {
struct radius_header *h = (struct radius_header*)packet->payload;
/* RFC2865: The minimum length is 20 and maximum length is 4096. */
if((payload_len < 20) || (payload_len > 4096)) {
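Review bot: Gating the dissector on three fixed UDP ports means RADIUS on any other port is never inspected here, including the 1645/1646 pair that RFC 2865 and RFC 2866 mention for early deployments; if that loss of coverage is deliberate it deserves a comment next to the condition. `RADIUS_PORT_ACC_ALTERNATIVE` is defined as 18013 in the preceding hunk with no source given, so a short comment saying where that port comes from would rule out a slip for 1813. The six `htons()` comparisons would also read better as a small `static` helper taking the port in network order. `ndpi_check_radius` continues outside the hunk.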
diff --git a/src/lib/protocols/sip.c b/src/lib/protocols/sip.c
index 6c159afdd..bd9fb03d2 100644
--- a/src/lib/protocols/sip.c
+++ b/src/lib/protocols/sip.c
@@ -153,6 +153,20 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct
ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
return;
}
+
+ if((memcmp(packet_payload, "REFER ", 6) == 0 || memcmp(packet_payload, "refer ", 6) == 0)
+ && (memcmp(&packet_payload[6], "SIP:", 4) == 0 || memcmp(&packet_payload[6], "sip:", 4) == 0)) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip REFER\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+
+ if((memcmp(packet_payload, "PRACK ", 6) == 0 || memcmp(packet_payload, "prack ", 6) == 0)
+ && (memcmp(&packet_payload[6], "SIP:", 4) == 0 || memcmp(&packet_payload[6], "sip:", 4) == 0)) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip REFER\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
}
/* add bitmask for tcp only, some stupid udp programs
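Review bot: The PRACK branch logs `"found sip REFER\n"`, copied from the block above it, so debug output misreports which method matched; change it to `NDPI_LOG_INFO(ndpi_struct, "found sip PRACK\n");`. Both new branches read ten bytes of `packet_payload` through `memcmp`. Any length guard is outside this hunk, so please confirm that `payload_len` is at least 10 on every path that reaches them.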
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index eb1bc4292..8a387d8d2 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -264,6 +264,8 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
if(!msg_len && flow->guessed_host_protocol_id == NDPI_PROTOCOL_GOOGLE)
flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO;
+ else if(flow->guessed_host_protocol_id == NDPI_PROTOCOL_FACEBOOK)
+ flow->guessed_host_protocol_id = NDPI_PROTOCOL_FACEBOOK_VOIP;
else
flow->guessed_protocol_id = NDPI_PROTOCOL_STUN;
@@ -272,6 +274,10 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
return(NDPI_IS_NOT_STUN); /* This to keep analyzing STUN instead of giving up */
}
}
+ if(msg_type == 0x03 /* Allocate Request */) {
+ if(flow->guessed_host_protocol_id == NDPI_PROTOCOL_FACEBOOK)
+ flow->guessed_host_protocol_id = NDPI_PROTOCOL_FACEBOOK_VOIP;
+ }
if(!msg_len && flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN) {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
@@ -294,7 +300,8 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
else {
switch(flow->guessed_protocol_id) {
case NDPI_PROTOCOL_HANGOUT_DUO:
- case NDPI_PROTOCOL_MESSENGER:
+ case NDPI_PROTOCOL_FACEBOOK_VOIP:
+ case NDPI_PROTOCOL_SIGNAL_VOIP:
case NDPI_PROTOCOL_WHATSAPP_CALL:
/* Don't overwrite the protocol with sub-STUN protocols */
break;
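Review bot: This switch reads `flow->guessed_protocol_id`, but every assignment of `NDPI_PROTOCOL_FACEBOOK_VOIP` and `NDPI_PROTOCOL_SIGNAL_VOIP` visible in this diff writes `flow->guessed_host_protocol_id`. Unless code outside the hunks copies one field into the other, the two new case labels would never match and the "don't overwrite" protection would not apply to these flows. It is worth checking which field is meant here, or adding a comment such as `/* guessed_protocol_id is set from guessed_host_protocol_id in <caller> */` with the real location filled in.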
@@ -360,11 +367,12 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
if(strstr(flow->host_server_name, "google.com") != NULL) {
flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO;
return(NDPI_IS_STUN);
- } else if(strstr(flow->host_server_name, "whispersystems.org") != NULL) {
- flow->guessed_host_protocol_id = NDPI_PROTOCOL_SIGNAL;
+ } else if(strstr(flow->host_server_name, "whispersystems.org") != NULL ||
+ (strstr(flow->host_server_name, "signal.org") != NULL)) {
+ flow->guessed_host_protocol_id = NDPI_PROTOCOL_SIGNAL_VOIP;
return(NDPI_IS_STUN);
} else if(strstr(flow->host_server_name, "facebook") != NULL) {
- flow->guessed_host_protocol_id = NDPI_PROTOCOL_MESSENGER;
+ flow->guessed_host_protocol_id = NDPI_PROTOCOL_FACEBOOK_VOIP;
return(NDPI_IS_STUN);
}
}
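Review bot: `strstr(flow->host_server_name, "signal.org")` matches the text anywhere in the name, so a host such as `signal.org.example.net` (constructed example) would be labelled `NDPI_PROTOCOL_SIGNAL_VOIP`. The neighbouring `"whispersystems.org"`, `"google.com"` and `"facebook"` tests behave the same way. If `host_server_name` is filled from packet contents, which this hunk does not show, then the peer chooses the label, and it should not drive policy decisions on its own. Comparing the end of the name against `.signal.org` on a label boundary would be tighter. At minimum, a comment such as `/* substring match: also hits names that merely contain the domain */` would warn the next reader. The function body continues outside the hunk.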
@@ -374,7 +382,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
case 0xC057: /* Messeger */
if(msg_type == 0x0001) {
if((msg_len == 100) || (msg_len == 104)) {
- flow->guessed_host_protocol_id = NDPI_PROTOCOL_MESSENGER;
+ flow->guessed_host_protocol_id = NDPI_PROTOCOL_FACEBOOK_VOIP;
return(NDPI_IS_STUN);
} else if(msg_len == 76) {
#if 0
@@ -473,7 +481,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
if(packet->iph) { /* TODO: ipv6 */
if(is_messenger_ip_address(ntohl(packet->iph->saddr)) || is_messenger_ip_address(ntohl(packet->iph->daddr)))
- flow->guessed_host_protocol_id = NDPI_PROTOCOL_MESSENGER;
+ flow->guessed_host_protocol_id = NDPI_PROTOCOL_FACEBOOK_VOIP;
else if(is_google_ip_address(ntohl(packet->iph->saddr)) || is_google_ip_address(ntohl(packet->iph->daddr)))
flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO;
}
diff --git a/src/lib/protocols/syslog.c b/src/lib/protocols/syslog.c
index 45b005030..a98476a11 100644
--- a/src/lib/protocols/syslog.c
+++ b/src/lib/protocols/syslog.c
@@ -42,7 +42,9 @@ void ndpi_search_syslog(struct ndpi_detection_module_struct
NDPI_LOG_DBG(ndpi_struct, "search syslog\n");
- if (packet->payload_packet_len > 20 && packet->payload_packet_len <= 1024 && packet->payload[0] == '<') {
+ if (packet->payload_packet_len > 20 && packet->payload[0] == '<') {
+ int j;
+
NDPI_LOG_DBG2(ndpi_struct, "checked len>20 and <1024 and first symbol=<\n");
for (i = 1; i <= 3; i++) {
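Review bot: The debug message on the context line below the new `int j;` still says `checked len>20 and <1024`, but this hunk removes the `<= 1024` upper bound, so the trace now describes a check that is not performed. It should read `NDPI_LOG_DBG2(ndpi_struct, "checked len>20 and first symbol=<\n");`. With the cap gone, the printable-character loop added later in this file runs over the full payload length.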
@@ -55,7 +57,7 @@ void ndpi_search_syslog(struct ndpi_detection_module_struct
if (packet->payload[i++] != '>') {
NDPI_LOG_DBG(ndpi_struct, "excluded, there is no > following the number\n");
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SYSLOG);
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
} else {
NDPI_LOG_DBG2(ndpi_struct, "a > following the number\n");
@@ -68,51 +70,23 @@ void ndpi_search_syslog(struct ndpi_detection_module_struct
NDPI_LOG_DBG2(ndpi_struct, "no blank following the >: do nothing\n");
}
- /* check for "last message repeated" */
- if (i + sizeof("last message") - 1 <= packet->payload_packet_len &&
- memcmp(packet->payload + i, "last message", sizeof("last message") - 1) == 0) {
-
- NDPI_LOG_INFO(ndpi_struct, "found syslog by 'last message' string\n");
-
- ndpi_int_syslog_add_connection(ndpi_struct, flow);
-
- return;
- } else if (i + sizeof("snort: ") - 1 <= packet->payload_packet_len &&
- memcmp(packet->payload + i, "snort: ", sizeof("snort: ") - 1) == 0) {
-
- /* snort events */
-
- NDPI_LOG_INFO(ndpi_struct, "found syslog by 'snort: ' string\n");
-
- ndpi_int_syslog_add_connection(ndpi_struct, flow);
-
- return;
+ /* Even if there are 2 RFCs (3164, 5424), syslog format after "<NUMBER>" is
+ not standard. The only common pattern seems to be that the entire
+ payload is made by printable characters */
+ /* TODO: check only the first N bytes to avoid touching the entire payload? */
+ for (j = 0; j < packet->payload_packet_len - i; j++) {
+ if (!(ndpi_isprint(packet->payload[i + j]) ||
+ ndpi_isspace(packet->payload[i + j]))) {
+ NDPI_LOG_DBG2(ndpi_struct, "no printable char 0x%x [i/j %d/%d]\n",
+ packet->payload[i + j], i, j);
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
}
- if (memcmp(&packet->payload[i], "Jan", 3) != 0
- && memcmp(&packet->payload[i], "Feb", 3) != 0
- && memcmp(&packet->payload[i], "Mar", 3) != 0
- && memcmp(&packet->payload[i], "Apr", 3) != 0
- && memcmp(&packet->payload[i], "May", 3) != 0
- && memcmp(&packet->payload[i], "Jun", 3) != 0
- && memcmp(&packet->payload[i], "Jul", 3) != 0
- && memcmp(&packet->payload[i], "Aug", 3) != 0
- && memcmp(&packet->payload[i], "Sep", 3) != 0
- && memcmp(&packet->payload[i], "Oct", 3) != 0
- && memcmp(&packet->payload[i], "Nov", 3) != 0 && memcmp(&packet->payload[i], "Dec", 3) != 0) {
-
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
-
- return;
-
- } else {
-
- NDPI_LOG_INFO(ndpi_struct, "found syslog\n");
-
- ndpi_int_syslog_add_connection(ndpi_struct, flow);
-
- return;
- }
+ NDPI_LOG_INFO(ndpi_struct, "found syslog\n");
+ ndpi_int_syslog_add_connection(ndpi_struct, flow);
+ return;
}
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
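Review bot: After this change, any payload that starts with `<`, a short number and `>` and is otherwise printable is classified as syslog, because the `last message`, `snort: ` and month-name checks are removed. Any unrelated text protocol or crafted payload of that shape would therefore get the syslog label, which matters if the label is used for filtering or alerting. The number is parsed outside this hunk, but if it is not already range-checked, rejecting PRI values above 191 (the RFC 5424 maximum) would cut false positives cheaply. The new loop also walks `packet->payload_packet_len - i` bytes on every candidate packet, now that the 1024-byte limit is gone. The TODO could be resolved by bounding it, e.g. `for (j = 0; j < scan_len; j++)` with `scan_len` set to the smaller of the remaining length and a fixed cap.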
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 34af15378..87553de87 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -2115,7 +2115,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
flow->protos.tls_quic.encrypted_sni.esni = (char*)ndpi_malloc(e_sni_len*2+1);
if(flow->protos.tls_quic.encrypted_sni.esni) {
- u_int16_t i, off;
+ u_int16_t off;
+ int i;
for(i=e_offset, off=0; i<(e_offset+e_sni_len); i++) {
int rc = sprintf(&flow->protos.tls_quic.encrypted_sni.esni[off], "%02X", packet->payload[i] & 0XFF);