| Commit message (Collapse) | Author | Age | |
|---|---|---|---|
| * | Fix `ndpi_do_guess()` (#1731) | Ivan Nardi | 2022-09-12 |
| | | | | | | Avoid a double call of `ndpi_guess_host_protocol_id()`. Some code paths work for ipv4/6 both Remove some never used code. | ||
| * | Avoid useless host automa lookup (#1724) | Ivan Nardi | 2022-09-05 |
| | | | | | | | | | | | | | | | | | | | | The host automa is used for two tasks: * protocol sub-classification (obviously); * DGA evaluation: the idea is that if a domain is present in this automa, it can't be a DGA, regardless of its format/name. In most dissectors both checks are executed, i.e. the code is something like: ``` ndpi_match_host_subprotocol(..., flow->host_server_name, ...); ndpi_check_dga_name(..., flow->host_server_name,...); ``` In that common case, we can perform only one automa lookup: if we check the sub-classification before the DGA, we can avoid the second lookup in the DGA function itself. | ||
| * | HTTP: fix classification (#1692) | Ivan Nardi | 2022-07-30 |
| If we have a valid HTTP sessions, we should ignore `flow->guessed_protocol_id` field (i.e. classification "by-port") altogheter. The attached trace was classified as "SIP/HTTP" only because the *client* port was 5060... As a general rule, having a classification such as "XXXX/HTTP" is *extremely* suspicious. | |||