From 94c134318bc2e2b36f44cdb9e20efedf9ad99060 Mon Sep 17 00:00:00 2001 From: Campus Date: Mon, 17 Oct 2016 18:43:47 +0200 Subject: fix msn dissector - add pcap for test --- src/lib/protocols/msn.c | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) (limited to 'src/lib/protocols') diff --git a/src/lib/protocols/msn.c b/src/lib/protocols/msn.c index 204e2bfe6..2f5b6c468 100644 --- a/src/lib/protocols/msn.c +++ b/src/lib/protocols/msn.c @@ -448,22 +448,20 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct } NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_DEBUG, "msn 7.\n"); - if (flow->packet_counter <= MAX_PACKETS_FOR_MSN) { - if (packet->tcp->source == htons(443) || packet->tcp->dest == htons(443)) { - if (packet->payload_packet_len > 300) { - - if (memcmp(&packet->payload[40], "INVITE MSNMSGR", 14) == 0 - || memcmp(&packet->payload[56], "INVITE MSNMSGR", 14) == 0 - || memcmp(&packet->payload[172], "INVITE MSNMSGR", 14) == 0) { - ndpi_int_msn_add_connection(ndpi_struct, flow); - - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "MSN File Transfer detected 3\n"); - return; - } - } + if (flow->packet_counter <= MAX_PACKETS_FOR_MSN) { + if (memcmp(&packet->payload[0], "MSG ", 4) == 0 + || memcmp(&packet->payload[0], "PNG", 3) == 0 + || memcmp(&packet->payload[0], "QNG ", 4) == 0 + || memcmp(&packet->payload[0], "OUT", 3) == 0 + || memcmp(&packet->payload[0], "RNG ", 4) == 0 + || memcmp(&packet->payload[0], "NLN ", 4) == 0 + || memcmp(&packet->payload[0], "UBX ", 4) == 0 + || memcmp(&packet->payload[0], "XFR ", 4) == 0) { + ndpi_int_msn_add_connection(ndpi_struct, flow); + + NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "MSN detected\n"); return; } - /* For non port 443 flows exclude flow bitmask after first packet itself */ } NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "MSN tcp excluded.\n"); ndpi_msn_exclude: -- cgit v1.2.3 
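Review bot: The added prefix checks read up to four bytes at `packet->payload[0]` with no length test visible in the hunk, whereas the removed code was gated by `packet->payload_packet_len > 300`. ndpi_search_msn_tcp begins outside this hunk, so an earlier guard may exist; if it does not, a payload shorter than four bytes is over-read, and the block should be gated as `if (flow->packet_counter <= MAX_PACKETS_FOR_MSN && packet->payload_packet_len >= 4) {`. The match also no longer depends on port 443, and the three-byte `"PNG"` and `"OUT"` prefixes carry no trailing delimiter, so unrelated TCP payloads starting with those bytes would be labelled MSN. Either test the byte after the command or add a comment such as `/* PNG/OUT are sent without arguments, so no trailing space is required */` if that is the intent.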
From 93f01e614f578255ccecb4268b2a99e02530b72a Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Sun, 23 Oct 2016 13:00:41 +0200 Subject: Added new functions defined in #279 for exporiting them in shared libs Disabked some search dissectors from Office365 Fixed warning --- libndpi.sym | 4 +++- src/lib/ndpi_content_match.c.inc | 5 ++++- src/lib/protocols/vnc.c | 21 ++++++++++----------- 3 files changed, 17 insertions(+), 13 deletions(-) (limited to 'src/lib/protocols') diff --git a/libndpi.sym b/libndpi.sym index da21e64fd..d7dc633fc 100644 --- a/libndpi.sym +++ b/libndpi.sym @@ -46,4 +46,6 @@ ndpi_finalize_automa ndpi_match_string set_ndpi_malloc set_ndpi_free -set_ndpi_debug_function \ No newline at end of file +set_ndpi_debug_function +ndpi_category_str +ndpi_get_proto_category diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index 56928f7e3..fd0fef0e2 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc @@ -7417,6 +7417,9 @@ ndpi_protocol_match host_match[] = { { "evsecure-aia.verisign.com", "Office365", NDPI_SERVICE_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, { "evsecure-crl.verisign.com", "Office365", NDPI_SERVICE_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, { ".omniroot.com", "Office365", NDPI_SERVICE_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, + +#if 0 + /* The lines below are not just for Office 365 so they cannot be used for this purpose */ { ".verisign.com", "Office365", NDPI_SERVICE_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, { ".symcb.com", "Office365", NDPI_SERVICE_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, { ".symcd.com", "Office365", NDPI_SERVICE_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, 
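Review bot: The three entries left active just above the new `#if 0` in `host_match[]` (`evsecure-aia.verisign.com`, `evsecure-crl.verisign.com`, `.omniroot.com`) look like certificate-authority AIA/CRL hosts as well. If so, the reason given in the added comment applies to them too, and they would keep labelling unrelated certificate-validation traffic as Office365; please confirm they are specific to that service. The matching `#endif` is in the following hunk (`@@ -7424,7 +7427,7 @@`). Deleting the rows outright would avoid leaving disabled table entries that someone later re-enables; if they stay, a more explicit comment would help, e.g. `/* Shared CA hosts, not Office 365 specific: disabled to avoid misclassification */`.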
@@ -7424,7 +7427,7 @@ ndpi_protocol_match host_match[] = { { ".geotrust.com", "Office365", NDPI_SERVICE_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, { ".entrust.net", "Office365", NDPI_SERVICE_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, { ".public-trust.com", "Office365", NDPI_SERVICE_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, - +#endif /* http://www.urlquery.net/report.php?id=1453233646161 */ { "lifedom.top", "Cloudflare", NDPI_SERVICE_CLOUDFLARE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { "coby.ns.cloudflare.com", "Cloudflare", NDPI_SERVICE_CLOUDFLARE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, diff --git a/src/lib/protocols/vnc.c b/src/lib/protocols/vnc.c index 6315a2aa5..ff0f6c6fa 100644 --- a/src/lib/protocols/vnc.c +++ b/src/lib/protocols/vnc.c 
@@ -34,23 +34,22 @@ void ndpi_search_vnc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc if(flow->l4.tcp.vnc_stage == 0) { - if(packet->payload_packet_len == 12 && - (memcmp(packet->payload, "RFB 003.003", 11) == 0 && packet->payload[11] == 0x0a) || - (memcmp(packet->payload, "RFB 003.007", 11) == 0 && packet->payload[11] == 0x0a) || - (memcmp(packet->payload, "RFB 003.008", 11) == 0 && packet->payload[11] == 0x0a) || - (memcmp(packet->payload, "RFB 004.001", 11) == 0 && packet->payload[11] == 0x0a)) { - + if((packet->payload_packet_len == 12) && + ((memcmp(packet->payload, "RFB 003.003", 11) == 0 && packet->payload[11] == 0x0a) || + (memcmp(packet->payload, "RFB 003.007", 11) == 0 && packet->payload[11] == 0x0a) || + (memcmp(packet->payload, "RFB 003.008", 11) == 0 && packet->payload[11] == 0x0a) || + (memcmp(packet->payload, "RFB 004.001", 11) == 0 && packet->payload[11] == 0x0a))) { NDPI_LOG(NDPI_PROTOCOL_VNC, ndpi_struct, NDPI_LOG_DEBUG, "reached vnc stage one\n"); flow->l4.tcp.vnc_stage = 1 + packet->packet_direction; return; } } else if(flow->l4.tcp.vnc_stage == 2 - packet->packet_direction) { - if(packet->payload_packet_len == 12 && - (memcmp(packet->payload, "RFB 003.003", 11) == 0 && packet->payload[11] == 0x0a) || - (memcmp(packet->payload, "RFB 003.007", 11) == 0 && packet->payload[11] == 0x0a) || - (memcmp(packet->payload, "RFB 003.008", 11) == 0 && packet->payload[11] == 0x0a) || - (memcmp(packet->payload, "RFB 004.001", 11) == 0 && packet->payload[11] == 0x0a)) { + if((packet->payload_packet_len == 12) && + ((memcmp(packet->payload, "RFB 003.003", 11) == 0 && packet->payload[11] == 0x0a) || + (memcmp(packet->payload, "RFB 003.007", 11) == 0 && packet->payload[11] == 0x0a) || + (memcmp(packet->payload, "RFB 003.008", 11) == 0 && packet->payload[11] == 0x0a) || + (memcmp(packet->payload, "RFB 004.001", 11) == 0 && packet->payload[11] == 0x0a))) { NDPI_LOG(NDPI_PROTOCOL_VNC, ndpi_struct, NDPI_LOG_DEBUG, "found vnc\n"); 
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VNC, NDPI_PROTOCOL_UNKNOWN); -- cgit v1.2.3
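Review bot: The same five-line RFB banner test is still written out twice, once in the `vnc_stage == 0` branch and once in the `vnc_stage == 2 - packet->packet_direction` branch. That duplication is how the missing parentheses ended up in both places, where the last three `memcmp` alternatives ran without the `payload_packet_len == 12` guard. Moving the test into one static helper keeps the length check in a single place and lets the `payload[11] == 0x0a` byte be tested once instead of four times. ndpi_search_vnc_tcp starts and continues outside the hunk, so the helper below is a sketch to be placed above it.

```c
/* Returns 1 when the payload is exactly one 12-byte RFB version banner ("RFB xxx.yyy\n"). */
static int vnc_is_rfb_banner(const u_int8_t *payload, u_int16_t len)
{
  static const char *const versions[] = {
    "RFB 003.003", "RFB 003.007", "RFB 003.008", "RFB 004.001"
  };
  size_t i;

  /* Length is checked first so neither payload[11] nor memcmp can read past the packet */
  if(len != 12 || payload[11] != 0x0a)
    return 0;

  for(i = 0; i < sizeof(versions) / sizeof(versions[0]); i++) {
    if(memcmp(payload, versions[i], 11) == 0)
      return 1;
  }
  return 0;
}

/* in ndpi_search_vnc_tcp(), used by both stage branches: */
if(vnc_is_rfb_banner(packet->payload, packet->payload_packet_len)) {
  /* … unchanged: stage bookkeeping / ndpi_set_detected_protocol call … */
```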