6 files changed, 39 insertions, 104 deletions

diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
index 858639ef0..1e9f8684f 100644
--- a/src/include/ndpi_private.h
+++ b/src/include/ndpi_private.h
@@ -782,7 +782,6 @@ void init_gtp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
 void init_hsrp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
 void init_guildwars_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
 void init_h323_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
-void init_halflife2_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
 void init_hots_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
 void init_http_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
 void init_iax_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index 85b2c0867..c62e9b4f3 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -103,7 +103,7 @@ typedef enum {
   NDPI_PROTOCOL_HART_IP               = 72,
   NDPI_PROTOCOL_IP_VRRP               = 73,
   NDPI_PROTOCOL_STEAM                 = 74,
-  NDPI_PROTOCOL_HALFLIFE2             = 75,
+  NDPI_PROTOCOL_FREE_75               = 75,
   NDPI_PROTOCOL_WORLDOFWARCRAFT       = 76,
   NDPI_PROTOCOL_TELNET                = 77,
   NDPI_PROTOCOL_STUN                  = 78,
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index c53ef12dd..639ba0360 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -919,9 +919,6 @@ struct ndpi_flow_tcp_struct {
 /* ************************************************** */
 
 struct ndpi_flow_udp_struct {
-  /* NDPI_PROTOCOL_HALFLIFE2 */
-  u_int32_t halflife2_stage:2;		  // 0 - 2
-
   /* NDPI_PROTOCOL_TFTP */
   u_int32_t tftp_stage:2;
 
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 8e7a86a92..fedf8b45d 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1372,8 +1372,8 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
 			  "Steam", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING,
 			  ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
 			  ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
-  ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_HALFLIFE2,
-			  "HalfLife2", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING,
+  ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_FREE_75,
+			  "Free75", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING,
 			  ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
 			  ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
   ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_WORLDOFWARCRAFT,
@@ -5879,9 +5879,6 @@ static int ndpi_callback_init(struct ndpi_detection_module_struct *ndpi_str) {
   /* STEAM */
   init_steam_dissector(ndpi_str, &a);
 
-  /* HALFLIFE2 */
-  init_halflife2_dissector(ndpi_str, &a);
-
   /* XBOX */
   init_xbox_dissector(ndpi_str, &a);
 
diff --git a/src/lib/protocols/halflife2_and_mods.c b/src/lib/protocols/halflife2_and_mods.c
deleted file mode 100644
index bb924804f..000000000
--- a/src/lib/protocols/halflife2_and_mods.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * halflife2_and_mods.c
- *
- * Copyright (C) 2009-11 - ipoque GmbH
- * Copyright (C) 2011-25 - ntop.org
- *
- * This file is part of nDPI, an open source deep packet inspection
- * library based on the OpenDPI and PACE technology by ipoque GmbH
- *
- * nDPI is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * nDPI is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-
-#include "ndpi_protocol_ids.h"
-
-#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_HALFLIFE2
-
-#include "ndpi_api.h"
-#include "ndpi_private.h"
-
-
-static void ndpi_int_halflife2_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
-  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HALFLIFE2, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
-}
-
-static void ndpi_search_halflife2(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
-	struct ndpi_packet_struct *packet = &ndpi_struct->packet;
-	
-	NDPI_LOG_DBG(ndpi_struct, "search halflife2\n");
-
-	if (flow->l4.udp.halflife2_stage == 0) {
-		if (packet->payload_packet_len >= 20
-			&& get_u_int32_t(packet->payload, 0) == 0xFFFFFFFF
-			&& get_u_int32_t(packet->payload, packet->payload_packet_len - 4) == htonl(0x30303000)) {
-			flow->l4.udp.halflife2_stage = 1 + packet->packet_direction;
-			NDPI_LOG_DBG2(ndpi_struct,
-					"halflife2 client req detected, waiting for server reply\n");
-			return;
-		}
-	} else if (flow->l4.udp.halflife2_stage == 2 - packet->packet_direction) {
-		if (packet->payload_packet_len >= 20
-			&& get_u_int32_t(packet->payload, 0) == 0xFFFFFFFF
-			&& get_u_int32_t(packet->payload, packet->payload_packet_len - 4) == htonl(0x30303000)) {
-			ndpi_int_halflife2_add_connection(ndpi_struct, flow);
-			NDPI_LOG_INFO(ndpi_struct, "found halflife2\n");
-			return;
-		}
-	}
-
-	NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
-}
-
-
-void init_halflife2_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id)
-{
-  ndpi_set_bitmask_protocol_detection("HalfLife2", ndpi_struct, *id,
-				      NDPI_PROTOCOL_HALFLIFE2,
-				      ndpi_search_halflife2,
-				      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
-				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
-				      ADD_TO_DETECTION_BITMASK);
-
-  *id += 1;
-}
diff --git a/src/lib/protocols/source_engine.c b/src/lib/protocols/source_engine.c
index 8d92f537e..d49ed266d 100644
--- a/src/lib/protocols/source_engine.c
+++ b/src/lib/protocols/source_engine.c
@@ -1,7 +1,7 @@
 /*
  * source_engine.c
  *
- * Source Engine Protocol
+ * Source Engine Protocol (Valve’s A2S protocol)
  *
  * Copyright (C) 2023 - ntop.org
  *
@@ -45,31 +45,51 @@ static void ndpi_search_source_engine(struct ndpi_detection_module_struct *ndpi_
                                       struct ndpi_flow_struct *flow)
 {
   struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
-  char const source_engine_query[] = "Source Engine Query";
-  size_t const source_engine_query_len = strlen(source_engine_query);
 
   NDPI_LOG_DBG(ndpi_struct, "search Source Engine\n");
 
-  if (packet->payload_packet_len < source_engine_query_len + 1 /* '\0' */)
-  {
-    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
-    return;
-  }
+  /* https://developer.valvesoftware.com/wiki/Server_queries */
 
-  if (packet->payload[packet->payload_packet_len - 1] != '\0')
+  /* A2S request */
+  if (current_pkt_from_client_to_server(ndpi_struct, flow) &&
+      (packet->payload_packet_len > 8 && packet->payload_packet_len < 30) &&
+      get_u_int32_t(packet->payload, 0) == 0xFFFFFFFF)
   {
-    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
-    return;
+    if (packet->payload[4] == 'T' || /* A2S_INFO */
+        packet->payload[4] == 'U' || /* A2S_PLAYER */
+        packet->payload[4] == 'V')   /* A2S_RULES */
+    {
+      ndpi_int_source_engine_add_connection(ndpi_struct, flow);
+      return;
+    }
   }
 
-  if (strncmp((char const *)&packet->payload[packet->payload_packet_len - source_engine_query_len - 1],
-              source_engine_query, source_engine_query_len) != 0)
+  /* A2S response */
+  if (current_pkt_from_server_to_client(ndpi_struct, flow))
   {
-    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
-    return;
+    /* Challenge response */
+    if (packet->payload_packet_len == 9 && 
+        get_u_int32_t(packet->payload, 0) == 0xFFFFFFFF &&
+        packet->payload[4] == 'A')
+    {
+      ndpi_int_source_engine_add_connection(ndpi_struct, flow);
+      return;
+    }
+
+    if (packet->payload_packet_len > 30 && /* A reasonable length for euristics */
+        get_u_int32_t(packet->payload, 0) == 0xFFFFFFFF)
+    {
+      if (packet->payload[4] == 'I' || /* A2S_INFO */
+          packet->payload[4] == 'D' || /* A2S_PLAYER */
+          packet->payload[4] == 'E')   /* A2S_RULES */
+      {
+        ndpi_int_source_engine_add_connection(ndpi_struct, flow);
+        return;
+      }
+    }
   }
 
-  ndpi_int_source_engine_add_connection(ndpi_struct, flow);
+  NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 }
 
 /* ***************************************************** */