From 948a9060378a2a33f5701947386492ff10cb2de6 Mon Sep 17 00:00:00 2001
From: Luca Deri
Date: Mon, 26 Oct 2020 21:40:59 +0100
Subject: Added -D flag for detecting DoH in the wild

Removed heuristic from CiscoVPN as it leads to false positives
---
 example/reader_util.c | 28 +++++++++++++---------------
 1 file changed, 13 insertions(+), 15 deletions(-)

(limited to 'example/reader_util.c')

diff --git a/example/reader_util.c b/example/reader_util.c
index 9b31f0e3f..3a8faed03 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -38,6 +38,8 @@
 #include
 #endif
 
+#include "reader_util.h"
+
 #ifndef ETH_P_IP
 #define ETH_P_IP 0x0800 /* IPv4 */
 #endif
@@ -77,11 +79,6 @@
 #define DLT_LINUX_SLL 113
 #endif
 
-#define PLEN_MAX 1504
-#define PLEN_BIN_LEN 32
-#define PLEN_NUM_BINS 48 /* 47*32 = 1504 */
-#define MAX_NUM_BIN_PKTS 256
-
 #include "ndpi_main.h"
 #include "reader_util.h"
 #include "ndpi_classify.h"
@@ -89,6 +86,7 @@
 extern u_int8_t enable_protocol_guess, enable_joy_stats, enable_payload_analyzer;
 extern u_int8_t verbose, human_readeable_string_len;
 extern u_int8_t max_num_udp_dissected_pkts /* 8 */, max_num_tcp_dissected_pkts /* 10 */;
+extern u_int8_t enable_doh_dot_detection;
 static u_int32_t flow_id = 0;
 
 /* ****************************************************** */
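Review bot: `reader_util.h` ends up included twice after this change — once by the new `#include "reader_util.h"` in the first hunk and again by the unchanged `#include "reader_util.h"` that the second hunk shows as context a few lines below. The early include appears intended to bring in the `PLEN_MAX`/`PLEN_BIN_LEN`/`PLEN_NUM_BINS`/`MAX_NUM_BIN_PKTS` constants that the second hunk removes from this file; that move is inferred, the header itself is not in the patch. Harmless if the header has an include guard, but one of the two includes should go so the dependency is stated once. The third hunk's new `extern u_int8_t enable_doh_dot_detection;` would also read better with a one-line comment such as `/* set by -D: bin TLS flows by TLS record length */`, matching the commented externs above it.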
@@ -1213,17 +1211,17 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
                   flow->ndpi_flow->protos.stun_ssl.ssl.alpn);
       }
 
-#ifdef USE_TLS_LEN
-      /* For TLS we use TLS block lenght instead of payload lenght */
-      ndpi_reset_bin(&flow->payload_len_bin);
-
-      for(i=0; indpi_flow->l4.tcp.tls.num_tls_blocks; i++) {
-        u_int16_t len = abs(flow->ndpi_flow->l4.tcp.tls.tls_application_blocks_len[i]);
-
-        /* printf("[TLS_LEN] %u\n", len); */
-        ndpi_inc_bin(&flow->payload_len_bin, plen2slot(len), 1);
+      if(enable_doh_dot_detection) {
+        /* For TLS we use TLS block lenght instead of payload lenght */
+        ndpi_reset_bin(&flow->payload_len_bin);
+
+        for(i=0; indpi_flow->l4.tcp.tls.num_tls_blocks; i++) {
+          u_int16_t len = abs(flow->ndpi_flow->l4.tcp.tls.tls_application_blocks_len[i]);
+
+          /* printf("[TLS_LEN] %u\n", len); */
+          ndpi_inc_bin(&flow->payload_len_bin, plen2slot(len), 1);
+        }
       }
-#endif
     }
 
     if(flow->detection_completed && (!flow->check_extra_packets)) {
-- 
cgit v1.2.3
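Review bot: The new `if(enable_doh_dot_detection)` block carries over the dead debug line and the misspelled comment from the `#ifdef USE_TLS_LEN` version it replaces; since these lines are rewritten anyway, drop `/* printf("[TLS_LEN] %u\n", len); */` and replace the comment with `/* -D: for TLS flows, rebuild payload_len_bin from TLS record lengths instead of per-packet payload lengths */`. That comment should also say that `ndpi_reset_bin` discards whatever the histogram already held for the flow, because the choice is now a runtime flag rather than a build-time define, so two runs of the same binary can produce differently-defined bins for the same capture. The loop trusts `num_tls_blocks` to stay within the bounds of `tls_application_blocks_len`; that bound is presumably enforced where the dissector fills the array, which is not visible here, and the `abs()` on each element suggests the sign encodes direction and is deliberately dropped. The enclosing `process_ndpi_collected_info` starts and ends outside the hunk, as does the declaration of `i`.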