From c0732eda45884de91e0c221e9dd23eeec364bf68 Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Fri, 5 Aug 2022 14:14:38 +0200
Subject: HTTP: improve sub-classification (#1696)

Content-matched sub-protocols (DASH, IPP, MPEGDASH...) shouldn't ovewrite the previous master protocol (if any; usually HTTP). Furthermore. the HTTP dissector shouldn't update the classification (in the extra-dissection code path) if a content-matched sub-protocols has already been found. This commit should address the first part of the changes described in #1687.
---
 src/lib/protocols/http.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
(limited to 'src/lib/protocols/http.c')
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 48a80dd9a..a403118f2 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -344,9 +344,6 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd
 if(flow->extra_packets_func && (flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN)) return; /* Nothing new to add */
- /* This is HTTP and it is not a sub protocol (e.g. skype or dropbox) */
- ndpi_search_tcp_or_udp(ndpi_struct, flow);
-
 /* If no custom protocol has been detected */ if((flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN) || ((http_protocol != NDPI_PROTOCOL_HTTP) &&
@@ -363,9 +360,14 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd
 flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP_PROXY) master_protocol = flow->detected_protocol_stack[0];
- ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id,
- master_protocol,
- NDPI_CONFIDENCE_DPI);
+ /* Update the classification only if we don't already have master + app;
+ for example don't change the protocols if we have already detected a
+ sub-protocol via the (content-matched) subprotocols logic (i.e.
+ MPEGDASH, SOAP, ....) */
+ if(flow->detected_protocol_stack[1] == 0)
+ ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id,
+ master_protocol,
+ NDPI_CONFIDENCE_DPI);
 /* This is necessary to inform the core to call this dissector again */ flow->check_extra_packets = 1;
-- 
cgit v1.2.3
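Review bot: The new guard `if(flow->detected_protocol_stack[1] == 0)` tests against a bare `0`, while the other checks visible in ndpi_int_http_add_connection compare with `NDPI_PROTOCOL_UNKNOWN`; `if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN)` states the intent and does not rely on the constant's numeric value. With the guard in place, the call that applies `flow->guessed_host_protocol_id` is skipped once both stack slots are filled, so whichever classification completes the stack first is kept for the rest of the flow. In the content-matched case that result presumably derives from peer-supplied HTTP content, so where the label feeds filtering or alerting it would help to say in the comment that this precedence over the host-based match is intended, and to cover it with a regression capture. The function body starts and ends outside the hunk, so the earlier assignments to `master_protocol` and the stack are not visible here.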