Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_api.h.in | 3 | ||||
-rw-r--r-- | src/lib/Makefile.in | 2 | ||||
-rw-r--r-- | src/lib/ndpi_analyze.c | 96 | ||||
-rw-r--r-- | src/lib/ndpi_content_match.c.inc | 2 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 30 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 3 |
6 files changed, 118 insertions, 18 deletions
diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in index 9640d3d8b..ed94c5bf3 100644 --- a/src/include/ndpi_api.h.in +++ b/src/include/ndpi_api.h.in @@ -1071,7 +1071,10 @@ extern "C" { void ndpi_free_bin(struct ndpi_bin *b); void ndpi_inc_bin(struct ndpi_bin *b, u_int8_t slot_id); void ndpi_normalize_bin(struct ndpi_bin *b); + char* ndpi_print_bin(struct ndpi_bin *b, u_int8_t normalize_first, char *out_buf, u_int out_buf_len); + float ndpi_bin_similarity(struct ndpi_bin *b1, struct ndpi_bin *b2, u_int8_t normalize_first); + #ifdef __cplusplus } #endif diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in index f69c81946..874cee20c 100644 --- a/src/lib/Makefile.in +++ b/src/lib/Makefile.in @@ -54,7 +54,7 @@ $(NDPI_LIB_SHARED): $(OBJECTS) $(CC) $(CFLAGS) -c $< -o $@ $(LDFLAGS) clean: - /bin/rm -f $(NDPI_LIB_STATIC) $(OBJECTS) *.o *.so *.lo $(NDPI_LIB_SHARED) + /bin/rm -f $(NDPI_LIB_STATIC) $(OBJECTS) *.o *.so *.lo libndpi.so* distclean: clean /bin/rm -f Makefile diff --git a/src/lib/ndpi_analyze.c b/src/lib/ndpi_analyze.c index e1f37cc8d..4ca3ac25a 100644 --- a/src/lib/ndpi_analyze.c +++ b/src/lib/ndpi_analyze.c @@ -125,6 +125,12 @@ float ndpi_data_variance(struct ndpi_analyze_struct *s) { /* ********************************************************************************* */ +/* + See the link below for "Population and sample standard deviation review" + https://www.khanacademy.org/math/statistics-probability/summarizing-quantitative-data/variance-standard-deviation-sample/a/population-and-sample-standard-deviation-review + + In nDPI we use an approximate stddev calculation to avoid storing all data in memory +*/ /* Compute the standard deviation on all values */ float ndpi_data_stddev(struct ndpi_analyze_struct *s) { return(sqrt(ndpi_data_variance(s))); 
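Review bot: The two new declarations, ndpi_print_bin and ndpi_bin_similarity, carry no comment, and their contracts are not obvious from the names. Per the implementations added later in this commit, a non-zero `normalize_first` calls ndpi_normalize_bin() on the caller's bins, so printing or comparing rewrites the stored counters in place. I would document that at the declarations, e.g. `/* Writes the bin values as a comma-separated list into out_buf and returns out_buf; normalize_first != 0 normalizes b in place first */` and `/* Cosine similarity: 0 = very different, 1 = alike; returns 0 for empty or incompatible bins; normalize_first != 0 normalizes b1 and b2 in place */`.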
@@ -260,6 +266,8 @@ int ndpi_init_bin(struct ndpi_bin *b, enum ndpi_bin_family f, u_int8_t num_bins) return(0); } +/* ********************************************************************************* */ + void ndpi_free_bin(struct ndpi_bin *b) { switch(b->family) { case ndpi_bin_family8: @@ -274,6 +282,8 @@ void ndpi_free_bin(struct ndpi_bin *b) { } } +/* ********************************************************************************* */ + void ndpi_inc_bin(struct ndpi_bin *b, u_int8_t slot_id) { if(slot_id >= b->num_bins) slot_id = 0; @@ -292,6 +302,8 @@ void ndpi_inc_bin(struct ndpi_bin *b, u_int8_t slot_id) { } } +/* ********************************************************************************* */ + /* Each bin slot is transformed in a % with respect to the value total */ 
@@ -316,3 +328,87 @@ void ndpi_normalize_bin(struct ndpi_bin *b) { } } +/* ********************************************************************************* */ + +char* ndpi_print_bin(struct ndpi_bin *b, u_int8_t normalize_first, char *out_buf, u_int out_buf_len) { + u_int8_t i; + u_int len = 0; + + if(!out_buf) return(out_buf); else out_buf[0] = '\0'; + + if(normalize_first) + ndpi_normalize_bin(b); + + switch(b->family) { + case ndpi_bin_family8: + for(i=0; i<b->num_bins; i++) { + int rc = snprintf(&out_buf[len], out_buf_len-len, "%s%u", (i > 0) ? "," : "", b->u.bins8[i]); + + if(rc < 0) break; + len += rc; + } + break; + + case ndpi_bin_family16: + for(i=0; i<b->num_bins; i++) { + int rc = snprintf(&out_buf[len], out_buf_len-len, "%s%u", (i > 0) ? "," : "", b->u.bins16[i]); + + if(rc < 0) break; + len += rc; + } + break; + + case ndpi_bin_family32: + for(i=0; i<b->num_bins; i++) { + int rc = snprintf(&out_buf[len], out_buf_len-len, "%s%u", (i > 0) ? "," : "", b->u.bins32[i]); + + if(rc < 0) break; + len += rc; + } + break; + } + + return(out_buf); +} + +/* ********************************************************************************* */ + +/* + Determines how similar are two bins + + 0 = Very differet + ... 
(gray zone) + 1 = Alike + + See https://en.wikipedia.org/wiki/Cosine_similarity for more details +*/ +float ndpi_bin_similarity(struct ndpi_bin *b1, struct ndpi_bin *b2, u_int8_t normalize_first) { + u_int8_t i; + u_int32_t sumxx = 0, sumxy = 0, sumyy = 0; + + if((b1->num_incs == 0) || (b2->num_incs == 0) + || (b1->family != b2->family) || (b1->num_bins != b2->num_bins)) + return(0); + + if(normalize_first) + ndpi_normalize_bin(b1), ndpi_normalize_bin(b2); + + switch(b1->family) { + case ndpi_bin_family8: + for(i=0; i<b1->num_bins; i++) + sumxx += b1->u.bins8[i] * b1->u.bins8[i], sumyy += b2->u.bins8[i] * b2->u.bins8[i], sumxy += b1->u.bins8[i] * b2->u.bins8[i]; + break; + case ndpi_bin_family16: + for(i=0; i<b1->num_bins; i++) + sumxx += b1->u.bins16[i] * b1->u.bins16[i], sumyy += b2->u.bins16[i] * b2->u.bins16[i], sumxy += b1->u.bins16[i] * b2->u.bins16[i]; + break; + case ndpi_bin_family32: + for(i=0; i<b1->num_bins; i++) + sumxx += b1->u.bins32[i] * b1->u.bins32[i], sumyy += b2->u.bins32[i] * b2->u.bins32[i], sumxy += b1->u.bins32[i] * b2->u.bins32[i]; + break; + } + + return((float)sumxy / sqrt((float)(sumxx * sumyy))); +} + +/* ********************************************************************************* */ diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index 82a77183a..4ad5c5598 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc @@ -909,7 +909,7 @@ static ndpi_network host_protocol_list[] = { /* Teamviewer 159.122.189.32-63 */ - { 0x9F7ABD30 /* 159.122.189.32 */, 21, NDPI_PROTOCOL_TEAMVIEWER }, + { 0x9F7ABD20 /* 159.122.189.32 */, 27, NDPI_PROTOCOL_TEAMVIEWER }, #if 0 /* diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 957e3b763..7715f0460 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c 
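Review bot: In ndpi_print_bin only `rc < 0` is tested before `len += rc`, but snprintf returns the length it would have written, so after one truncated write `len` can exceed `out_buf_len`, `out_buf_len-len` wraps as an unsigned value, and the next `&out_buf[len]` write falls outside the caller's buffer. Each of the three loops should stop on truncation with `if(rc < 0 || (u_int)rc >= out_buf_len - len) break;`, and the function should return before `out_buf[0] = '\0'` when `out_buf_len` is 0. In ndpi_bin_similarity the `u_int32_t` sums and the 32-bit product `sumxx * sumyy` can wrap on ordinary counter values, and a zero product makes the final division return NaN or infinity. Accumulating in `double` and returning 0 for an all-zero bin, as sketched below, avoids both.

```c
  double sumxx = 0, sumxy = 0, sumyy = 0;

  /* … unchanged: compatibility checks, optional normalization, switch header … */

  case ndpi_bin_family32:
    for(i=0; i<b1->num_bins; i++) {
      double x = b1->u.bins32[i], y = b2->u.bins32[i];

      sumxx += x * x, sumyy += y * y, sumxy += x * y;
    }
    break;
  /* … ndpi_bin_family8 and ndpi_bin_family16 loops rewritten the same way … */
  }

  /* An all-zero bin has no direction to compare: report "very different" */
  if((sumxx == 0) || (sumyy == 0))
    return(0);

  return((float)(sumxy / sqrt(sumxx * sumyy)));
```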
@@ -275,7 +275,7 @@ u_int8_t ndpi_is_subprotocol_informative(struct ndpi_detection_module_struct *nd if(protoId >= NDPI_MAX_SUPPORTED_PROTOCOLS + NDPI_MAX_NUM_CUSTOM_PROTOCOLS) return(0); - switch (protoId) { + switch(protoId) { /* All dissectors that have calls to ndpi_match_host_subprotocol() */ case NDPI_PROTOCOL_DNS: return(1); @@ -588,7 +588,7 @@ static void init_string_based_protocols(struct ndpi_detection_module_struct *ndp int ndpi_set_detection_preferences(struct ndpi_detection_module_struct *ndpi_str, ndpi_detection_preference pref, int value) { - switch (pref) { + switch(pref) { case ndpi_pref_direction_detect_disable: ndpi_str->direction_detect_disable = (u_int8_t) value; break; @@ -2028,7 +2028,7 @@ void ndpi_finalize_initalization(struct ndpi_detection_module_struct *ndpi_str) for (i = 0; i < 4; i++) { ndpi_automa *automa; - switch (i) { + switch(i) { case 0: automa = &ndpi_str->host_automa; break; @@ -2376,7 +2376,7 @@ static ndpi_default_ports_tree_node_t *ndpi_get_guessed_protocol_id(struct ndpi_ as they have been excluded */ u_int8_t is_udp_guessable_protocol(u_int16_t l7_guessed_proto) { - switch (l7_guessed_proto) { + switch(l7_guessed_proto) { case NDPI_PROTOCOL_QUIC: case NDPI_PROTOCOL_SNMP: case NDPI_PROTOCOL_NETFLOW: @@ -2412,7 +2412,7 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str, } else { /* No TCP/UDP */ - switch (proto) { + switch(proto) { case NDPI_IPSEC_PROTOCOL_ESP: case NDPI_IPSEC_PROTOCOL_AH: return(NDPI_PROTOCOL_IP_IPSEC); @@ -2421,7 +2421,7 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str, return(NDPI_PROTOCOL_IP_GRE); break; case NDPI_ICMP_PROTOCOL_TYPE: - { + if(flow) { /* Run some basic consistency tests */ if(flow->packet.payload_packet_len < sizeof(struct ndpi_icmphdr)) 
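Review bot: The new `if(flow)` guard in the NDPI_ICMP_PROTOCOL_TYPE case has no comment explaining that `flow` can be NULL here, and the identical guard in the NDPI_ICMPV6_PROTOCOL_TYPE case in the next hunk has the same gap. With a NULL flow the basic consistency tests are skipped silently, which a reader auditing the malformed-packet handling would want to know. A one-line comment such as `/* flow can be NULL here; the consistency tests below need it and are skipped otherwise */` above each guard would make that explicit. ndpi_guess_protocol_id continues outside the hunk, so what the case returns when the guard is false cannot be confirmed from here.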
@@ -2454,7 +2454,7 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str, return(NDPI_PROTOCOL_IP_IP_IN_IP); break; case NDPI_ICMPV6_PROTOCOL_TYPE: - { + if(flow) { /* Run some basic consistency tests */ if(flow->packet.payload_packet_len < sizeof(struct ndpi_icmphdr)) @@ -2518,7 +2518,7 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_str, char *rule, at[0] = 0, proto = &at[1]; for (i = 0; proto[i] != '\0'; i++) { - switch (proto[i]) { + switch(proto[i]) { case '/': case '&': case '^': @@ -5711,7 +5711,7 @@ char *ndpi_protocol2name(struct ndpi_detection_module_struct *ndpi_str, /* ****************************************************** */ int ndpi_is_custom_category(ndpi_protocol_category_t category) { - switch (category) { + switch(category) { case NDPI_PROTOCOL_CATEGORY_CUSTOM_1: case NDPI_PROTOCOL_CATEGORY_CUSTOM_2: case NDPI_PROTOCOL_CATEGORY_CUSTOM_3: @@ -5734,7 +5734,7 @@ void ndpi_category_set_name(struct ndpi_detection_module_struct *ndpi_str, if(!name) return; - switch (category) { + switch(category) { case NDPI_PROTOCOL_CATEGORY_CUSTOM_1: snprintf(ndpi_str->custom_category_labels[0], CUSTOM_CATEGORY_LABEL_LEN, "%s", name); break; @@ -5775,7 +5775,7 @@ const char *ndpi_category_get_name(struct ndpi_detection_module_struct *ndpi_str } if((category >= NDPI_PROTOCOL_CATEGORY_CUSTOM_1) && (category <= NDPI_PROTOCOL_CATEGORY_CUSTOM_5)) { - switch (category) { + switch(category) { case NDPI_PROTOCOL_CATEGORY_CUSTOM_1: return(ndpi_str->custom_category_labels[0]); case NDPI_PROTOCOL_CATEGORY_CUSTOM_2: @@ -5841,7 +5841,7 @@ ndpi_protocol_breed_t ndpi_get_proto_breed(struct ndpi_detection_module_struct * char *ndpi_get_proto_breed_name(struct ndpi_detection_module_struct *ndpi_str, ndpi_protocol_breed_t breed_id) { - switch (breed_id) { + switch(breed_id) { case NDPI_PROTOCOL_SAFE: return("Safe"); break; 
@@ -6009,7 +6009,7 @@ static u_int8_t ndpi_is_more_generic_protocol(u_int16_t previous_proto, u_int16_ if((previous_proto == NDPI_PROTOCOL_UNKNOWN) || (previous_proto == new_proto)) return(0); - switch (previous_proto) { + switch(previous_proto) { case NDPI_PROTOCOL_WHATSAPP_CALL: case NDPI_PROTOCOL_WHATSAPP_FILES: if(new_proto == NDPI_PROTOCOL_WHATSAPP) @@ -6353,7 +6353,7 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp proto); #endif - switch (proto) { + switch(proto) { case NDPI_PROTOCOL_TLS: if(!flow->l4.tcp.tls.certificate_processed) return(1); /* TODO: add check for TLS 1.3 */ @@ -6394,7 +6394,7 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp /* ******************************************************************** */ const char *ndpi_get_l4_proto_name(ndpi_l4_proto_info proto) { - switch (proto) { + switch(proto) { case ndpi_l4_proto_unknown: return(""); break; diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 007931e19..830232554 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -1298,7 +1298,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, e_sni_len = ntohs(*((u_int16_t*)&packet->payload[e_offset])); e_offset += 2; - if((e_offset+e_sni_len-extension_len-initial_offset) >= 0) { + if((e_offset+e_sni_len-extension_len-initial_offset) >= 0 && + e_offset+e_sni_len < packet->payload_packet_len) { #ifdef DEBUG_ENCRYPTED_SNI printf("Client SSL [Encrypted Server Name len: %u]\n", e_sni_len); #endif |
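Review bot: The added bound `e_offset+e_sni_len < packet->payload_packet_len` is evaluated only after `e_sni_len` has already been read with a two-byte load at `packet->payload[e_offset]`, and nothing in the hunk shows that `e_offset + 2` lies inside the payload at that point. Unless an earlier check outside the hunk covers it, that load can itself read past the captured data, so I would guard it first, e.g. by wrapping the read in `if(e_offset + 2 <= packet->payload_packet_len)`. The first condition, `(e_offset+e_sni_len-extension_len-initial_offset) >= 0`, is only meaningful if the operands promote to a signed type; their declarations are not visible here, and if any is a 32-bit unsigned the test is always true. processClientServerHello continues outside the hunk, so the reads that follow inside this block could not be checked against the new bound.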