From 5e57c2ca2f299ad53dd8e01d3aec88a624d15851 Mon Sep 17 00:00:00 2001
From: Toni Uhlig
Date: Tue, 23 Aug 2022 21:56:33 +0200
Subject: Add FastCGI protocol detection.
* CQL: fixed byte order conversion (BigEndian not LittleEndian)
* CQL: increased required successful dissected packets to prevent false-positives
Signed-off-by: Toni Uhlig
---
 src/lib/protocols/cassandra.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
(limited to 'src/lib/protocols/cassandra.c')
diff --git a/src/lib/protocols/cassandra.c b/src/lib/protocols/cassandra.c
index 154882f81..07231ac65 100644
--- a/src/lib/protocols/cassandra.c
+++ b/src/lib/protocols/cassandra.c
@@ -117,12 +117,15 @@ void ndpi_search_cassandra(struct ndpi_detection_module_struct *ndpi_struct,
 ndpi_check_valid_cassandra_version(get_u_int8_t(packet->payload, 0)) &&
 ndpi_check_valid_cassandra_flags(get_u_int8_t(packet->payload, 1)) &&
 ndpi_check_valid_cassandra_opcode(get_u_int8_t(packet->payload, 4)) &&
- le32toh(get_u_int32_t(packet->payload, 5)) <= CASSANDRA_MAX_BODY_SIZE &&
- le32toh(get_u_int32_t(packet->payload, 5)) >= (uint32_t) (packet->payload_packet_len - CASSANDRA_HEADER_LEN) &&
+ ntohl(get_u_int32_t(packet->payload, 5)) <= CASSANDRA_MAX_BODY_SIZE &&
+ ntohl(get_u_int32_t(packet->payload, 5)) >= (uint32_t) (packet->payload_packet_len - CASSANDRA_HEADER_LEN) &&
 flow->l4.tcp.h323_valid_packets == 0 /* To avoid clashing with H323 */ &&
 flow->socks4_stage == 0 /* To avoid clashing with SOCKS */) {
- NDPI_LOG_INFO(ndpi_struct, "found Cassandra\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CASSANDRA, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ if (flow->packet_counter > 3)
+ {
+ NDPI_LOG_INFO(ndpi_struct, "found Cassandra\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CASSANDRA, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ }
 return;
 }
 }
--
cgit v1.2.3
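Review bot: The new guard `if (flow->packet_counter > 3)` keys on the flow-wide packet counter, while the commit message describes the threshold as a number of successfully dissected packets; the two only coincide if every earlier packet of the flow went through these same header checks and a failing one excluded the protocol, which happens outside this hunk and should be confirmed. If that holds, say so in a comment above the guard, e.g. `/* earlier packets already passed the header checks, otherwise the protocol would have been excluded */`, and give the threshold a name (for example `#define CASSANDRA_MIN_PACKETS 3`, a proposed name) so the false-positive trade-off is visible to whoever tunes detection later. Flows that end within three packets will no longer be classified as Cassandra, which is worth stating in the same comment. The opening brace on its own line also differs from the `) {` style of the enclosing `if`. ndpi_search_cassandra starts and ends outside the hunk.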