Diffstat (limited to 'src')
-rw-r--r-- | src/lib/ndpi_content_match.c.inc | 2 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 8 | ||||
-rw-r--r-- | src/lib/protocols/telegram.c | 28 |
3 files changed, 15 insertions, 23 deletions
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 064b50311..69e542884 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -995,6 +995,8 @@ static ndpi_protocol_match host_match[] =
 { "web.telegram.org", "Telegram", NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
 { "tdesktop.com", "Telegram", NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
 { "tupdate.com", "Telegram", NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "t.me", "Telegram", NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "telegram.me", "Telegram", NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
 { ".pastebin.com", "Pastebin", NDPI_PROTOCOL_PASTEBIN, NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, NDPI_PROTOCOL_DEFAULT_LEVEL },
 { "pastebin.com", "Pastebin", NDPI_PROTOCOL_PASTEBIN, NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, NDPI_PROTOCOL_DEFAULT_LEVEL },
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index b16f26016..ba7157031 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
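Review bot: The added `t.me` pattern is only four characters, so unless the host matcher anchors non-dot-prefixed entries at a label boundary it will also hit unrelated names that merely end in `t.me` (a constructed example: `secret.me`) and label them Telegram; the matching code is outside this hunk, so this is worth confirming before the entry ships. The `.pastebin.com`/`pastebin.com` pair a few lines below suggests a leading dot has its own semantics in this table, so if subdomains of `t.me` or `telegram.me` are meant to match too, companion `.t.me`/`.telegram.me` entries may be needed. A short comment on the `t.me` line stating which hostnames it is intended to cover would make that intent checkable.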
@@ -8454,14 +8454,6 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio
 /* Zoom cache */
 if((ret.app_protocol == NDPI_PROTOCOL_ZOOM) && (flow->l4_proto == IPPROTO_TCP))
 ndpi_add_connection_as_zoom(ndpi_str, flow);
-
- /*
- Telegram
- With MTProto 2.0 telegram is no longr TLS-based (altoug based on TCP/443) so
- we need to detect it with Telegram IPs
- */
- if(ret.protocol_by_ip == NDPI_PROTOCOL_TELEGRAM)
- ret.app_protocol = NDPI_PROTOCOL_TELEGRAM, flow->confidence = NDPI_CONFIDENCE_MATCH_BY_IP;
 if(ndpi_str->cfg.fully_encrypted_heuristic &&
 ret.app_protocol == NDPI_PROTOCOL_UNKNOWN && /* Only for unknown traffic */
diff --git a/src/lib/protocols/telegram.c b/src/lib/protocols/telegram.c
index 8c9d18866..23f7cca51 100644
--- a/src/lib/protocols/telegram.c
+++ b/src/lib/protocols/telegram.c
@@ -31,8 +31,9 @@
 #include "ndpi_private.h"
 static void ndpi_int_telegram_add_connection(struct ndpi_detection_module_struct
- *ndpi_struct, struct ndpi_flow_struct *flow) {
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ *ndpi_struct, struct ndpi_flow_struct *flow,
+ ndpi_confidence_t confidence) {
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_UNKNOWN, confidence);
 NDPI_LOG_INFO(ndpi_struct, "found telegram\n");
 }
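Review bot: `ndpi_int_telegram_add_connection` in telegram.c now takes a `confidence` argument, but the `NDPI_LOG_INFO` line still prints the same `found telegram` for both the IP-based and the payload-based path, so the log no longer tells which evidence triggered the classification. Assuming `NDPI_LOG_INFO` accepts printf-style arguments and `ndpi_confidence_t` is an integer enum, `NDPI_LOG_INFO(ndpi_struct, "found telegram (confidence %d)\n", (int)confidence);` would keep that visible. A one-line comment above the function, `/* Mark the flow as Telegram; confidence records whether the match came from the IP table or from payload inspection */`, would also help now that the two call sites pass different values.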
@@ -51,18 +52,15 @@ static void ndpi_search_telegram(struct ndpi_detection_module_struct *ndpi_struc
 NDPI_LOG_DBG(ndpi_struct, "search telegram\n");
 if(packet->tcp != NULL) {
- if(packet->payload_packet_len > 56) {
- u_int16_t dport = ntohs(packet->tcp->dest);
- /* u_int16_t sport = ntohs(packet->tcp->source); */
-
- if(packet->payload[0] == 0xef && (dport == 443 || dport == 80 || dport == 25)) {
- if(packet->payload[1] == 0x7f) {
- ndpi_int_telegram_add_connection(ndpi_struct, flow);
- } else if(packet->payload[1]*4 <= packet->payload_packet_len - 1) {
- ndpi_int_telegram_add_connection(ndpi_struct, flow);
- }
- return;
- }
+ /* With MTProto 2.0 telegram via app is no longer TLS-based (althought based on TCP/443) so
+ we need to detect it with Telegram IPs.
+ Basically, we want a fast classification by ip. Note that, real Telegram traffic over
+ TLS (i.e. Telegram Web) is correctly classified as TLS/Telegram because TLS dissector
+ already kicked in.
+ Let's check every port for the time being */
+ if(flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_TELEGRAM) {
+ ndpi_int_telegram_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_MATCH_BY_IP);
+ return;
 }
 } else if(packet->udp != NULL) {
 /*
@@ -94,7 +92,7 @@ static void ndpi_search_telegram(struct ndpi_detection_module_struct *ndpi_struc
 }
 if(found == 12) {
- ndpi_int_telegram_add_connection(ndpi_struct, flow);
+ ndpi_int_telegram_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI);
 return;
 }
 }
|
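Review bot: The new TCP branch labels any TCP flow whose `guessed_protocol_id_by_ip` is Telegram, on any port, as Telegram with `NDPI_CONFIDENCE_MATCH_BY_IP` and returns, so the dissector can no longer produce a DPI-confidence result for MTProto over TCP; the removed `0xef` abridged-header check was the only payload evidence, while the UDP branch (which continues below, outside this hunk) still reaches `NDPI_CONFIDENCE_DPI`. If dropping the payload check is deliberate because the first bytes are not reliable under MTProto 2.0, the added comment should say so explicitly, since consumers keying on confidence will now see a by-IP match for every TCP flow to those addresses, including any non-Telegram traffic that happens to share them. The `for the time being` wording reads as a temporary measure, so a `TODO` stating what should eventually replace the check-every-port rule would help the next maintainer. The added comment also misspells `althought`, which should be `although`. `ndpi_search_telegram` starts before this hunk and ends after it.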