From 1b3de449a1192a2d834f43901f4dd8b45edbf011 Mon Sep 17 00:00:00 2001
From: Nardi Ivan
Date: Tue, 6 Sep 2022 12:02:23 +0200
Subject: HTTP: correctly set the classification protocols
Classification should always be set via `ndpi_set_detected_protocol()` to be sure to set a correct `confidence` value, too. Having a "known" protocol stack with `NDPI_CONFIDENCE_UNKNOWN` as confidence, is not valid. This code in HTTP dissector likely needs some more thoughts (the classification itself of the attached example doesn't make a lot of sense), but the goal of this commit is only to always have a valid `confidence` value.
---
 src/lib/protocols/http.c | 3 +--
 tests/pcap/http_guessed_host_and_guessed.pcapng | Bin 0 -> 268 bytes
 .../http_guessed_host_and_guessed.pcapng.out | 24 +++++++++++++++++++++
 3 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 tests/pcap/http_guessed_host_and_guessed.pcapng
 create mode 100644 tests/result/http_guessed_host_and_guessed.pcapng.out
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index f9d6abd90..5a088c7c8 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -762,8 +762,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
 if(ndpi_struct->proto_defaults[flow->guessed_protocol_id].subprotocol_count == 0) {
 if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN &&
 flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) {
- flow->detected_protocol_stack[0] = flow->guessed_host_protocol_id;
- flow->detected_protocol_stack[1] = flow->guessed_protocol_id;
+ ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id, flow->guessed_protocol_id, NDPI_CONFIDENCE_DPI);
 }
 }
 }
diff --git a/tests/pcap/http_guessed_host_and_guessed.pcapng b/tests/pcap/http_guessed_host_and_guessed.pcapng
new file mode 100644
index 000000000..ec293a101
Binary files /dev/null and b/tests/pcap/http_guessed_host_and_guessed.pcapng differ
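Review bot: The new `ndpi_set_detected_protocol()` call stamps `NDPI_CONFIDENCE_DPI` on a classification built entirely from `flow->guessed_host_protocol_id` and `flow->guessed_protocol_id`, although nothing in this hunk inspects payload, and the added expected output already counts that flow under `Confidence DPI : 1 (flows)`, so a guess now reads as a definitive DPI verdict to any consumer that gates decisions on confidence. A guess-derived value such as `NDPI_CONFIDENCE_MATCH_BY_PORT` or `NDPI_CONFIDENCE_MATCH_BY_IP` (whichever matches how those two fields are filled, which is not visible here) would describe the result more honestly; if DPI is kept deliberately to satisfy the "never UNKNOWN" rule from the commit message, record that in place with `/* ids come from guessing, not payload inspection; DPI only keeps confidence valid, see commit message */`. The enclosing check_content_type_and_change_protocol() starts outside the hunk, so whether a later step refines this confidence cannot be checked from the diff.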
diff --git a/tests/result/http_guessed_host_and_guessed.pcapng.out b/tests/result/http_guessed_host_and_guessed.pcapng.out
new file mode 100644
index 000000000..ca0436e21
--- /dev/null
+++ b/tests/result/http_guessed_host_and_guessed.pcapng.out
@@ -0,0 +1,24 @@
+Guessed flow protos: 1
+
+DPI Packets (TCP): 1 (1.00 pkts/flow)
+Confidence DPI : 1 (flows)
+Num dissector calls: 2 (2.00 diss/flow)
+LRU cache ookla: 0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache zoom: 0/0/0 (insert/search/found)
+LRU cache stun: 0/0/0 (insert/search/found)
+LRU cache tls_cert: 0/0/0 (insert/search/found)
+LRU cache mining: 0/0/0 (insert/search/found)
+LRU cache msteams: 0/0/0 (insert/search/found)
+Automa host: 1/0 (search/found)
+Automa domain: 1/0 (search/found)
+Automa tls cert: 0/0 (search/found)
+Automa risk mask: 0/0 (search/found)
+Automa common alpns: 0/0 (search/found)
+Patricia risk mask: 2/0 (search/found)
+Patricia risk: 0/0 (search/found)
+Patricia protocols: 2/2 (search/found)
+
+Alibaba 1 123 1
+
+ 1 TCP 170.33.13.5:110 -> 192.168.0.1:179 [proto: 2.274/POP3.Alibaba][ClearText][Confidence: DPI][cat: Email/3][1 pkts/123 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][< 1 sec][Hostname/SNI: pornhub.com][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][PLAIN TEXT (6 HTTP/1.1)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-- cgit v1.2.3