From 3a087e951d96f509c75344ad6791591e10e4f1cd Mon Sep 17 00:00:00 2001 From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> Date: Tue, 11 Jan 2022 15:23:39 +0100 Subject: Add a "confidence" field about the reliability of the classification. (#1395) As a general rule, the higher the confidence value, the higher the "reliability/precision" of the classification. In other words, this new field provides an hint about "how" the flow classification has been obtained. For example, the application may want to ignore classification "by-port" (they are not real DPI classifications, after all) or give a second glance at flows classified via LRU caches (because of false positives). Setting only one value for the confidence field is a bit tricky: more work is probably needed in the next future to tweak/fix/improve the logic. --- src/lib/protocols/tls.c | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) (limited to 'src/lib/protocols/tls.c') diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 925efa7e3..622fa678f 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -301,11 +301,9 @@ static void checkTLSSubprotocol(struct ndpi_detection_module_struct *ndpi_struct if(ndpi_lru_find_cache(ndpi_struct->tls_cert_cache, key, &cached_proto, 0 /* Don't remove it as it can be used for other connections */)) { - ndpi_protocol ret = { NDPI_PROTOCOL_TLS, cached_proto, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED }; - - flow->detected_protocol_stack[0] = cached_proto, - flow->detected_protocol_stack[1] = NDPI_PROTOCOL_TLS; + ndpi_protocol ret = { NDPI_PROTOCOL_TLS, cached_proto, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED}; + ndpi_set_detected_protocol(ndpi_struct, flow, cached_proto, NDPI_PROTOCOL_TLS, NDPI_CONFIDENCE_DPI_CACHE); flow->category = ndpi_get_proto_category(ndpi_struct, ret); ndpi_check_subprotocol_risk(ndpi_struct, flow, cached_proto); } @@ -637,9 +635,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi u_int16_t proto_id = (u_int16_t)val; ndpi_protocol ret = { NDPI_PROTOCOL_TLS, proto_id, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED}; - flow->detected_protocol_stack[0] = proto_id, - flow->detected_protocol_stack[1] = NDPI_PROTOCOL_TLS; - + ndpi_set_detected_protocol(ndpi_struct, flow, proto_id, NDPI_PROTOCOL_TLS, NDPI_CONFIDENCE_DPI); flow->category = ndpi_get_proto_category(ndpi_struct, ret); ndpi_check_subprotocol_risk(ndpi_struct, flow, proto_id); @@ -848,7 +844,7 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct, static void ndpi_looks_like_tls(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - // ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, NDPI_PROTOCOL_UNKNOWN); + // ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) flow->guessed_protocol_id = NDPI_PROTOCOL_TLS; @@ -1179,7 +1175,7 @@ static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndp else protocol = ndpi_tls_refine_master_protocol(ndpi_struct, flow, protocol); - ndpi_set_detected_protocol(ndpi_struct, flow, protocol, protocol); + ndpi_set_detected_protocol(ndpi_struct, flow, protocol, protocol, NDPI_CONFIDENCE_DPI); tlsInitExtraPacketProcessing(ndpi_struct, flow); } @@ -1775,7 +1771,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, /* Check if it ends in .com or .net */ && ((strcmp(&sni[sni_len-4], ".com") == 0) || (strcmp(&sni[sni_len-4], ".net") == 0)) && (strncmp(sni, "www.", 4) == 0)) /* Not starting with www.... */ - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR, NDPI_PROTOCOL_TLS); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR, NDPI_PROTOCOL_TLS, NDPI_CONFIDENCE_DPI); } else { #ifdef DEBUG_TLS printf("[TLS] SNI: (NO DGA) [%s]\n", sni); -- cgit v1.2.3