Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_api.h | 4 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 14 | ||||
-rw-r--r-- | src/lib/protocols/dns.c | 59 | ||||
-rw-r--r-- | src/lib/protocols/fastcgi.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/http.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/quic.c | 2 |
6 files changed, 40 insertions, 43 deletions
diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h index 72dfe82a9..3d95f6007 100644 --- a/src/include/ndpi_api.h +++ b/src/include/ndpi_api.h @@ -488,6 +488,7 @@ extern "C" { * @par string_to_match_len = the length of the string * @par ret_match = completed returned match information * @par master_protocol_id = value of the ID associated to the master protocol detected + * @par update_flow_classification = update or not protocol (sub)classification * @return the ID of the matched subprotocol * */ @@ -496,7 +497,8 @@ extern "C" { char *string_to_match, u_int string_to_match_len, ndpi_protocol_match_result *ret_match, - u_int16_t master_protocol_id); + u_int16_t master_protocol_id, + int update_flow_classification); /** * Check if the string content passed match with a protocol diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 39c924874..801a9d38f 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -10413,7 +10413,8 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_ struct ndpi_flow_struct *flow, char *string_to_match, u_int string_to_match_len, ndpi_protocol_match_result *ret_match, - u_int16_t master_protocol_id) { + u_int16_t master_protocol_id, + int update_flow_classification) { u_int16_t rc; ndpi_protocol_category_t id; @@ -10421,7 +10422,7 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_ memset(ret_match, 0, sizeof(*ret_match)); - rc = ndpi_automa_match_string_subprotocol(ndpi_str, flow, + rc = ndpi_automa_match_string_subprotocol(ndpi_str, update_flow_classification ? flow : NULL, string_to_match, string_to_match_len, master_protocol_id, ret_match); id = ret_match->protocol_category; 
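Review bot: The new `@par update_flow_classification` line in ndpi_api.h does not say what a zero value still does, or that `flow` must be valid either way. In the ndpi_main.c hunks of this commit the flag only selects whether `flow` or NULL is handed to ndpi_automa_match_string_subprotocol(), while the later `if(flow)` and `flow &&` guards are removed, so the function appears to need a non-NULL `flow` regardless of the flag. I would spell that out, for example `@par update_flow_classification = if 0, the match is only returned and not applied to the flow's protocol classification; flow must still be non-NULL`. Because this prototype is exported, the added parameter also breaks out-of-tree callers at compile time, which is worth a line in the API change notes.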
@@ -10430,13 +10431,12 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_ string_to_match_len, &id) != -1) { /* if(id != -1) */ { ret_match->protocol_category = id; - if(flow) - flow->category = id; + flow->category = id; rc = master_protocol_id; } } - if(flow && ndpi_str->risky_domain_automa.ac_automa != NULL) { + if(ndpi_str->risky_domain_automa.ac_automa != NULL) { u_int32_t proto_id; u_int16_t rc1 = ndpi_match_string_common(ndpi_str->risky_domain_automa.ac_automa, string_to_match, string_to_match_len, @@ -10450,7 +10450,7 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_ } /* Add punycode check */ - if(flow && ndpi_check_punycode_string(string_to_match, string_to_match_len)) { + if(ndpi_check_punycode_string(string_to_match, string_to_match_len)) { char str[64] = { '\0' }; strncpy(str, string_to_match, ndpi_min(string_to_match_len, sizeof(str)-1)); @@ -10477,7 +10477,7 @@ int ndpi_match_hostname_protocol(struct ndpi_detection_module_struct *ndpi_struc what = name, what_len = name_len; subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, what, what_len, - &ret_match, master_protocol); + &ret_match, master_protocol, 1); if(subproto != NDPI_PROTOCOL_UNKNOWN) { ndpi_set_detected_protocol(ndpi_struct, flow, subproto, master_protocol, NDPI_CONFIDENCE_DPI); diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 70e1b81f5..19215e79b 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c 
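Review bot: `flow->category = id;` in the @@ -10430 hunk now dereferences `flow` unconditionally, and the same commit drops the `flow &&` test from the risky-domain block in this hunk and from the punycode block in the @@ -10450 hunk. ndpi_match_host_subprotocol() is declared in ndpi_api.h and dns.c itself passed NULL before this commit, so any remaining caller that relies on the old NULL-tolerant behaviour would hit a NULL dereference while processing hostnames taken from network traffic. Keeping the cheap guard, `if(flow) flow->category = id;` and `if(flow && ...)` on the two blocks, preserves the old contract at no cost. If a non-NULL `flow` is now required, say so in the header comment instead. The category write also still happens when update_flow_classification is 0; if that is intended, a comment such as `/* category and risks are set even when update_flow_classification == 0 */` would make it explicit. The function body continues outside these hunks.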
@@ -801,44 +801,39 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st } } - if(len > 0) { - if(ndpi_struct->cfg.dns_subclassification_enabled || ndpi_struct->cfg.fpc_enabled) { - ndpi_protocol_match_result ret_match; - - /* Avoid writing on flow (i.e. updating classification) if subclassification is disabled */ - ret.proto.app_protocol = ndpi_match_host_subprotocol(ndpi_struct, ndpi_struct->cfg.dns_subclassification_enabled ? flow : NULL, - flow->host_server_name, - strlen(flow->host_server_name), - &ret_match, - NDPI_PROTOCOL_DNS); - /* Add to FPC DNS cache */ - if(ndpi_struct->cfg.fpc_enabled && - ret.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN && - ret.proto.app_protocol != NDPI_PROTOCOL_DNS && - (flow->protos.dns.rsp_type == 0x1 || flow->protos.dns.rsp_type == 0x1c) && /* A, AAAA */ - ndpi_struct->fpc_dns_cache) { - ndpi_lru_add_to_cache(ndpi_struct->fpc_dns_cache, - fpc_dns_cache_key_from_dns_info(flow), ret.proto.app_protocol, - ndpi_get_current_time(flow)); - } + if(strlen(flow->host_server_name) > 0) { + ndpi_protocol_match_result ret_match; + + /* Avoid updating classification if subclassification is disabled */ + ret.proto.app_protocol = ndpi_match_host_subprotocol(ndpi_struct, flow, + flow->host_server_name, + strlen(flow->host_server_name), + &ret_match, + NDPI_PROTOCOL_DNS, + ndpi_struct->cfg.dns_subclassification_enabled ? 
1 : 0); + /* Add to FPC DNS cache */ + if(ndpi_struct->cfg.fpc_enabled && + ret.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN && + ret.proto.app_protocol != NDPI_PROTOCOL_DNS && + (flow->protos.dns.rsp_type == 0x1 || flow->protos.dns.rsp_type == 0x1c) && /* A, AAAA */ + ndpi_struct->fpc_dns_cache) { + ndpi_lru_add_to_cache(ndpi_struct->fpc_dns_cache, + fpc_dns_cache_key_from_dns_info(flow), ret.proto.app_protocol, + ndpi_get_current_time(flow)); + } - if(!ndpi_struct->cfg.dns_subclassification_enabled) - ret.proto.app_protocol = NDPI_PROTOCOL_UNKNOWN; + if(!ndpi_struct->cfg.dns_subclassification_enabled) + ret.proto.app_protocol = NDPI_PROTOCOL_UNKNOWN; - if(ret.proto.app_protocol == NDPI_PROTOCOL_UNKNOWN) - ret.proto.master_protocol = checkDNSSubprotocol(s_port, d_port); - else - ret.proto.master_protocol = NDPI_PROTOCOL_DNS; + if(ret.proto.app_protocol == NDPI_PROTOCOL_UNKNOWN) + ret.proto.master_protocol = checkDNSSubprotocol(s_port, d_port); + else + ret.proto.master_protocol = NDPI_PROTOCOL_DNS; - ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1, 0); - } else { - ret.proto.master_protocol = checkDNSSubprotocol(s_port, d_port); - ret.proto.app_protocol = NDPI_PROTOCOL_UNKNOWN; - } + ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1, 0); /* Category is always NDPI_PROTOCOL_CATEGORY_NETWORK, regardless of the subprotocol */ flow->category = NDPI_PROTOCOL_CATEGORY_NETWORK; - } /* Report if this is a DNS query or reply */ diff --git a/src/lib/protocols/fastcgi.c b/src/lib/protocols/fastcgi.c index 52518b0c9..484d98ed6 100644 --- a/src/lib/protocols/fastcgi.c +++ b/src/lib/protocols/fastcgi.c 
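Review bot: The comment `/* Avoid updating classification if subclassification is disabled */` is misleading above a call that now always receives `flow`. Judging by the ndpi_main.c hunks of this commit, the callee still writes `flow->category` and runs its risky-domain and punycode checks when the last argument is 0. I would reword it to something like `/* With subclassification disabled the host match does not change the flow's protocol; risk checks on the hostname still run */`. As a smaller style point, `strlen(flow->host_server_name)` is evaluated in the `if` and again in the argument list; testing `flow->host_server_name[0] != '\0'` in the condition, or computing the length once into a local, avoids the double scan. ndpi_search_dns() starts and ends outside this hunk, so whether the removed `len` is still needed elsewhere cannot be checked from here.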
@@ -210,7 +210,7 @@ static void ndpi_search_fastcgi(struct ndpi_detection_module_struct *ndpi_struct ndpi_match_host_subprotocol(ndpi_struct, flow, flow->host_server_name, strlen(flow->host_server_name), - &ret_match, NDPI_PROTOCOL_FASTCGI); + &ret_match, NDPI_PROTOCOL_FASTCGI, 1); ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1, 0); if(ndpi_is_valid_hostname((char *)packet->host_line.ptr, diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index f69d36f7c..cb3376e8e 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -571,7 +571,7 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp origin_hostname, origin_hostname_len, &ret_match, - master_protocol); + master_protocol, 1); } } } diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c index e7b217862..0ddc1a830 100644 --- a/src/lib/protocols/quic.c +++ b/src/lib/protocols/quic.c @@ -1460,7 +1460,7 @@ void process_chlo(struct ndpi_detection_module_struct *ndpi_struct, ndpi_match_host_subprotocol(ndpi_struct, flow, flow->host_server_name, strlen(flow->host_server_name), - &ret_match, NDPI_PROTOCOL_QUIC); + &ret_match, NDPI_PROTOCOL_QUIC, 1); flow->protos.tls_quic.client_hello_processed = 1; /* Allow matching of custom categories */ ndpi_check_dga_name(ndpi_struct, flow, |