From 2a596c79e6df7f78dea6ee3b581b4ed99d48bd7b Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Sat, 30 Jul 2022 22:57:20 +0200
Subject: HTTP: fix classification (#1692)

If we have a valid HTTP sessions, we should ignore `flow->guessed_protocol_id` field (i.e. classification "by-port") altogheter. The attached trace was classified as "SIP/HTTP" only because the *client* port was 5060... As a general rule, having a classification such as "XXXX/HTTP" is *extremely* suspicious.
---
 src/lib/protocols/http.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'src/lib/protocols')

diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 6e2cf924b..48a80dd9a 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -759,9 +759,10 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
 if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) {
 /* Avoid putting as subprotocol a "core" protocol such as SSL or DNS */
 if(ndpi_struct->proto_defaults[flow->guessed_protocol_id].subprotocol_count == 0) {
- flow->detected_protocol_stack[1] = flow->guessed_protocol_id;
- if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN)
+ if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {
 flow->detected_protocol_stack[0] = flow->guessed_host_protocol_id;
+ flow->detected_protocol_stack[1] = flow->guessed_protocol_id;
+ }
 }
 } else {
-- 
cgit v1.2.3
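Review bot: The comment `/* Avoid putting as subprotocol a "core" protocol such as SSL or DNS */` kept above the inner `if` no longer explains the new control flow, where the by-port guess is consulted only while `flow->detected_protocol_stack[0]` is still `NDPI_PROTOCOL_UNKNOWN`; the security rationale from the commit message belongs in the code, since a port number is chosen by the endpoints and must never be allowed to relabel a payload-derived HTTP classification. I would replace it with `/* A port-based guess is endpoint-controlled: use it only when nothing has been detected from the payload, and never to set a "core" protocol (SSL, DNS) as subprotocol */`. Also, in the remaining branch `detected_protocol_stack[0]` is filled from `guessed_host_protocol_id` while `detected_protocol_stack[1]` is filled from `guessed_protocol_id`; if the former is UNKNOWN while the latter is not, the flow ends up with an unknown application protocol on top of a port-guessed master, and it is not visible in this hunk whether callers rule that combination out, so it is worth confirming or guarding with `if(flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN)`. The body of `check_content_type_and_change_protocol` begins before the hunk and continues after it.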