From acac47ded3403f205b4c44733be81cd716921927 Mon Sep 17 00:00:00 2001
From: Toni Uhlig
Date: Fri, 30 Jul 2021 14:11:46 +0200
Subject: Improved RTSP detection and fixed HTTP false-positive. Fixes #1229.
Signed-off-by: Toni Uhlig
---
 src/lib/protocols/http.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
(limited to 'src/lib/protocols/http.c')
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 647bd6c2b..a2dd25f3c 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -963,8 +963,17 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
 NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 http_bitmask_exclude_other(flow);
 return;
- } else
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_CATEGORY_WEB);
+ } else {
+ /* This check is required as RTSP is pretty similiar to HTTP (prevent false-positives). */
+ if (strncmp((const char *)packet->payload + filename_start,
+ "rtsp://", ndpi_min(7, packet->payload_packet_len - filename_start)) == 0)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ } else {
+ ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_CATEGORY_WEB);
+ }
+ }
 NDPI_LOG_DBG2(ndpi_struct, "Filename HTTP found: %d, we look for line info..\n", filename_start);
-- 
cgit v1.2.3
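Review bot: The length passed to `strncmp` in the new `rtsp://` check is `ndpi_min(7, packet->payload_packet_len - filename_start)`, so when fewer than 7 bytes remain after `filename_start` only that shorter prefix is compared, and with zero bytes remaining the call returns 0 for any payload and the flow is excluded from HTTP. If that difference can ever be negative (both operands are declared outside this hunk, so this is unconfirmed), the converted length would no longer bound the read to the payload. Requiring the full prefix avoids both cases: `if (packet->payload_packet_len >= filename_start + 7 && memcmp(packet->payload + filename_start, "rtsp://", 7) == 0)`. The comparison is also case-sensitive, so an upper-case scheme would still be classified as HTTP; it is worth confirming whether that is intended. The body of `ndpi_check_http_tcp` starts and ends outside the hunk.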