From 1dccaf37b075ebfb726d407b9c4d95fcf2983135 Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Tue, 11 Feb 2025 15:48:53 +0100
Subject: DNS: fix check for DGA domain (#2716)

If we have a (potential) valid sub-classification, we shoudn't check for DGA, even if the subclassification itself is disabled!
---
 src/lib/ndpi_main.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'src/lib/ndpi_main.c')

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 0d82cfb4c..0150d12bf 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -10830,7 +10830,8 @@ static int ndpi_is_vowel(char c) {
 
 int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str,
                         struct ndpi_flow_struct *flow,
-                        char *name, u_int8_t is_hostname, u_int8_t check_subproto) {
+                        char *name, u_int8_t is_hostname, u_int8_t check_subproto,
+                        u_int8_t flow_fully_classified) {
   /* Get domain name if ndpi_load_domain_suffixes(..) has been called */
   name = (char*)ndpi_get_host_domain(ndpi_str, name);
 
@@ -10863,7 +10864,7 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str,
      )
     return(0);
 
-  if(flow && (flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN))
+  if(flow && (flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN || flow_fully_classified))
     return(0); /* Ignore DGA check for protocols already fully detected */
 
   if(check_subproto &&
-- 
cgit v1.2.3
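Review bot: The new `u_int8_t flow_fully_classified` parameter added to the `ndpi_check_dga_name` signature is not documented, and its relation to the existing `check_subproto` flag and to `flow->detected_protocol_stack[1]` is only explained in the commit message, not in the code. A short comment above the definition would help the next maintainer, e.g. `/* flow_fully_classified: non-zero when the caller already holds a (possibly disabled) sub-classification for the flow; skips the DGA heuristic like a detected sub-protocol does */`. Since this page is limited to src/lib/ndpi_main.c, whether the public prototype and every caller were updated for the extra argument cannot be confirmed here. The body of `ndpi_check_dga_name` continues past the end of this hunk.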
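Review bot: The added `|| flow_fully_classified` is evaluated only inside the `flow && (...)` guard, so a caller that passes a NULL `flow` together with a non-zero `flow_fully_classified` still runs the DGA heuristic, which looks contrary to the flag's intent of suppressing the check. If the flag is meant to stand on its own, the condition should be `if(flow_fully_classified || (flow && flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN))`; whether any caller actually passes a NULL flow with the flag set is not visible on this page. The trailing comment `/* Ignore DGA check for protocols already fully detected */` now also covers the "potential sub-classification" case and could mention it. The enclosing function begins before this hunk and continues after it.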