Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_typedefs.h3
-rw-r--r--src/lib/ndpi_main.c25
-rw-r--r--src/lib/protocols/stun.c44
3 files changed, 72 insertions, 0 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 1e75e5ee4..9b030a320 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -631,6 +631,7 @@ typedef enum {
NDPI_LRUCACHE_TLS_CERT,
NDPI_LRUCACHE_MINING,
NDPI_LRUCACHE_MSTEAMS,
+ NDPI_LRUCACHE_STUN_ZOOM,
NDPI_LRUCACHE_MAX /* Last one! */
} lru_cache_type;
@@ -1208,6 +1209,8 @@ struct ndpi_detection_module_struct {
/* NDPI_PROTOCOL_STUN and subprotocols */
struct ndpi_lru_cache *stun_cache;
u_int32_t stun_cache_num_entries;
+ struct ndpi_lru_cache *stun_zoom_cache;
+ u_int32_t stun_zoom_cache_num_entries;
/* NDPI_PROTOCOL_TLS and subprotocols */
struct ndpi_lru_cache *tls_cert_cache;
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index a3c017930..df6f29308 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -176,6 +176,7 @@ static ndpi_risk_info ndpi_known_risks[] = {
extern void ndpi_unset_risk(struct ndpi_detection_module_struct *ndpi_str,
struct ndpi_flow_struct *flow, ndpi_risk_enum r);
extern u_int32_t make_mining_key(struct ndpi_flow_struct *flow);
+extern int stun_search_into_zoom_cache(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
/* Forward */
static void addDefaultPort(struct ndpi_detection_module_struct *ndpi_str,
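Review bot: The prototype for `stun_search_into_zoom_cache` is hand-copied into ndpi_main.c as an `extern`, so a later signature change in stun.c would not be caught by the compiler at this call site. It follows the existing `make_mining_key` line above it, but a declaration in a shared internal header included by both files would keep definition and use in sync. If it stays here, add a one-line comment such as `/* defined in protocols/stun.c */`.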
@@ -2787,6 +2788,7 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs
ndpi_str->tls_cert_cache_num_entries = 1024;
ndpi_str->mining_cache_num_entries = 1024;
ndpi_str->msteams_cache_num_entries = 1024;
+ ndpi_str->stun_zoom_cache_num_entries = 1024;
ndpi_str->opportunistic_tls_smtp_enabled = 1;
ndpi_str->opportunistic_tls_imap_enabled = 1;
@@ -2909,6 +2911,13 @@ void ndpi_finalize_initialization(struct ndpi_detection_module_struct *ndpi_str)
ndpi_str->msteams_cache_num_entries);
}
}
+ if(ndpi_str->stun_zoom_cache_num_entries > 0) {
+ ndpi_str->stun_zoom_cache = ndpi_lru_cache_init(ndpi_str->stun_zoom_cache_num_entries);
+ if(!ndpi_str->stun_zoom_cache) {
+ NDPI_LOG_ERR(ndpi_str, "Error allocating lru cache (num_entries %u)\n",
+ ndpi_str->stun_zoom_cache_num_entries);
+ }
+ }
if(ndpi_str->ac_automa_finalized) return;
@@ -3183,6 +3192,9 @@ void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_str) {
if(ndpi_str->stun_cache)
ndpi_lru_free_cache(ndpi_str->stun_cache);
+ if(ndpi_str->stun_zoom_cache)
+ ndpi_lru_free_cache(ndpi_str->stun_zoom_cache);
+
if(ndpi_str->tls_cert_cache)
ndpi_lru_free_cache(ndpi_str->tls_cert_cache);
@@ -6020,6 +6032,10 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
/* This looks like Zoom */
ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_ZOOM, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL_CACHE);
ret.app_protocol = NDPI_PROTOCOL_ZOOM;
+ } else if(stun_search_into_zoom_cache(ndpi_str, flow)) {
+ /* This looks like Zoom */
+ ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_ZOOM, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL_CACHE);
+ ret.app_protocol = flow->detected_protocol_stack[0];
}
}
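Review bot: The new `else if` branch duplicates the body of the branch above it but assigns `ret.app_protocol = flow->detected_protocol_stack[0];` where the sibling assigns `NDPI_PROTOCOL_ZOOM` directly. The two should use the same form so they cannot diverge. The condition of the preceding branch is outside this hunk, so whether the two can be merged with `||` cannot be confirmed from here. The comment `/* This looks like Zoom */` would be more useful as `/* No payload match: a recent Zoom STUN flow was seen for the same cache key */`, since this path classifies on a cache hit alone.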
@@ -8437,6 +8453,9 @@ int ndpi_get_lru_cache_stats(struct ndpi_detection_module_struct *ndpi_struct,
case NDPI_LRUCACHE_MSTEAMS:
ndpi_lru_get_stats(ndpi_struct->msteams_cache, stats);
return 0;
+ case NDPI_LRUCACHE_STUN_ZOOM:
+ ndpi_lru_get_stats(ndpi_struct->stun_zoom_cache, stats);
+ return 0;
default:
return -1;
}
@@ -8468,6 +8487,9 @@ int ndpi_set_lru_cache_size(struct ndpi_detection_module_struct *ndpi_struct,
case NDPI_LRUCACHE_MSTEAMS:
ndpi_struct->msteams_cache_num_entries = num_entries;
return 0;
+ case NDPI_LRUCACHE_STUN_ZOOM:
+ ndpi_struct->stun_zoom_cache_num_entries = num_entries;
+ return 0;
default:
return -1;
}
@@ -8499,6 +8521,9 @@ int ndpi_get_lru_cache_size(struct ndpi_detection_module_struct *ndpi_struct,
case NDPI_LRUCACHE_MSTEAMS:
*num_entries = ndpi_struct->msteams_cache_num_entries;
return 0;
+ case NDPI_LRUCACHE_STUN_ZOOM:
+ *num_entries = ndpi_struct->stun_zoom_cache_num_entries;
+ return 0;
default:
return -1;
}
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index a06612b28..28f740180 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -31,6 +31,7 @@
// #define DEBUG_STUN 1
// #define DEBUG_LRU 1
+// #define DEBUG_ZOOM_LRU 1
#define STUN_HDR_LEN 20 /* STUN message header length, Classic-STUN (RFC 3489) and STUN (RFC 8489) both */
@@ -52,6 +53,36 @@ u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow, u_int8_t rev) {
/* ************************************************************ */
+int stun_search_into_zoom_cache(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow)
+{
+ u_int16_t when;
+ u_int32_t key;
+
+ if(ndpi_struct->stun_zoom_cache &&
+ flow->l4_proto == IPPROTO_UDP) {
+ key = get_stun_lru_key(flow, 0); /* Src */
+#ifdef DEBUG_ZOOM_LRU
+ printf("[LRU ZOOM] Search %u [src_port %u]\n", key, ntohs(flow->c_port));
+#endif
+
+ if(ndpi_lru_find_cache(ndpi_struct->stun_zoom_cache, key,
+ &when, 0 /* Don't remove it as it can be used for other connections */)) {
+ u_int16_t tdiff = ((flow->last_packet_time_ms /1000) & 0xFFFF) - when;
+
+#ifdef DEBUG_ZOOM_LRU
+ printf("[LRU ZOOM] Found, diff %d\n", tdiff);
+#endif
+
+ if(tdiff < 60 /* sec */)
+ return 1;
+ }
+ }
+ return 0;
+}
+
+/* ************************************************************ */
+
static void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
u_int app_proto) {
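Review bot: The freshness test in `stun_search_into_zoom_cache` works on seconds truncated to 16 bits, so `tdiff` aliases every 65536 s (about 18 hours). An entry that has survived that long in the LRU can again satisfy `tdiff < 60` and label an unrelated flow as Zoom. That limit should be stated next to the subtraction, for example `/* 16-bit seconds: wraps every 65536 s, so a stale entry that was never evicted can look recent */`. The function also has no header comment; it should say that it returns 1 when the flow's source key was inserted less than 60 seconds ago and 0 otherwise, and that it requires UDP. The bare `60` would read better as a named constant shared with any future tuning.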
@@ -107,6 +138,18 @@ static void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *nd
}
}
+ /* TODO: extend to other protocols? */
+ if(ndpi_struct->stun_zoom_cache &&
+ app_proto == NDPI_PROTOCOL_ZOOM &&
+ flow->l4_proto == IPPROTO_UDP) {
+ u_int32_t key = get_stun_lru_key(flow, 0); /* Src */
+#ifdef DEBUG_ZOOM_LRU
+ printf("[LRU ZOOM] ADDING %u [src_port %u]\n", key, ntohs(flow->c_port));
+#endif
+ ndpi_lru_add_to_cache(ndpi_struct->stun_zoom_cache, key,
+ (flow->last_packet_time_ms / 1000) & 0xFFFF /* 16 bit */);
+ }
+
ndpi_set_detected_protocol(ndpi_struct, flow, app_proto, NDPI_PROTOCOL_STUN, confidence);
}
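Review bot: The insert into `stun_zoom_cache` uses only the source-side key (`get_stun_lru_key(flow, 0)`, whose body is outside this hunk), so one flow tagged as Zoom makes every otherwise unclassified UDP flow with the same key eligible for the Zoom label at giveup for the next 60 seconds. Anyone who enforces policy or raises alerts on that label should know it carries no payload evidence and can be caused by a single STUN message from that source. I would replace the TODO with a comment that states this, e.g. `/* Keyed on source only: later UDP flows from the same key are labelled Zoom by cache hit, without payload inspection */`. Since the key is 32 bits, it is also worth confirming how it is derived for IPv6 flows, as collisions between hosts would spread the label further.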
@@ -278,6 +321,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
#endif
switch(attribute) {
+ case 0x0101:
case 0x0103:
*app_proto = NDPI_PROTOCOL_ZOOM;
return(NDPI_IS_STUN);
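Review bot: The added `case 0x0101:` is an undocumented magic value that widens what is classified as Zoom, and through the new cache it now also influences later flows from the same source. Please add a comment naming the attribute and where it was observed, e.g. `case 0x0101: /* Zoom-specific STUN attribute, seen in <capture/reference> */`, so a reviewer can judge the false-positive risk if another STUN implementation uses the same type. The `switch` continues outside this hunk, so other cases may already follow that convention.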