From ab3a678ad423fcd431037093220a145925f64148 Mon Sep 17 00:00:00 2001 From: Toni Date: Mon, 25 Jul 2022 18:07:44 +0200 Subject: Add AVAST dissector. (#1674) Signed-off-by: lns --- src/lib/inc_generated/ndpi_asn_avast.c.inc | 64 ++++++++++++++++++++++++++++ src/lib/ndpi_main.c | 9 ++++ src/lib/protocols/avast.c | 67 ++++++++++++++++++++++++++++++ src/lib/protocols/avast_securedns.c | 4 +- 4 files changed, 142 insertions(+), 2 deletions(-) create mode 100644 src/lib/inc_generated/ndpi_asn_avast.c.inc create mode 100644 src/lib/protocols/avast.c (limited to 'src/lib') diff --git a/src/lib/inc_generated/ndpi_asn_avast.c.inc b/src/lib/inc_generated/ndpi_asn_avast.c.inc new file mode 100644 index 000000000..c1e645d34 --- /dev/null +++ b/src/lib/inc_generated/ndpi_asn_avast.c.inc 
@@ -0,0 +1,64 @@ +/* + * + * This file is generated automatically and part of nDPI + * + * nDPI is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * nDPI is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with nDPI. If not, see . + * + */ + +/* ****************************************************** */ + + +static ndpi_network ndpi_protocol_avast_protocol_list[] = { + { 0x052D3800 /* 5.45.56.0/21 */, 21, NDPI_PROTOCOL_AVAST }, + { 0x053E1000 /* 5.62.16.0/23 */, 23, NDPI_PROTOCOL_AVAST }, + { 0x053E1400 /* 5.62.20.0/24 */, 24, NDPI_PROTOCOL_AVAST }, + { 0x053E1800 /* 5.62.24.0/23 */, 23, NDPI_PROTOCOL_AVAST }, + { 0x053E2000 /* 5.62.32.0/24 */, 24, NDPI_PROTOCOL_AVAST }, + { 0x053E2400 /* 5.62.36.0/22 */, 22, NDPI_PROTOCOL_AVAST }, + { 0x053E2800 /* 5.62.40.0/21 */, 21, NDPI_PROTOCOL_AVAST }, + { 0x053E3000 /* 5.62.48.0/23 */, 23, NDPI_PROTOCOL_AVAST }, + { 0x053E3200 /* 5.62.50.0/24 */, 24, NDPI_PROTOCOL_AVAST }, + { 0x053E3400 /* 5.62.52.0/22 */, 22, NDPI_PROTOCOL_AVAST }, + { 0x053E3800 /* 5.62.56.0/21 */, 21, NDPI_PROTOCOL_AVAST }, + { 0x259CB800 /* 37.156.184.0/23 */, 23, NDPI_PROTOCOL_AVAST }, + { 0x259CBB00 /* 37.156.187.0/24 */, 24, NDPI_PROTOCOL_AVAST }, + { 0x455E4000 /* 69.94.64.0/24 */, 24, NDPI_PROTOCOL_AVAST }, + { 0x455E4300 /* 69.94.67.0/24 */, 24, NDPI_PROTOCOL_AVAST }, + { 0x455E4400 /* 69.94.68.0/23 */, 23, NDPI_PROTOCOL_AVAST }, + { 0x455E4600 /* 69.94.70.0/24 */, 24, NDPI_PROTOCOL_AVAST }, + { 0x455E4800 /* 69.94.72.0/21 */, 21, NDPI_PROTOCOL_AVAST }, + { 0x4DEA2800 /* 
77.234.40.0/22 */, 22, NDPI_PROTOCOL_AVAST }, + { 0x4DEA2C00 /* 77.234.44.0/23 */, 23, NDPI_PROTOCOL_AVAST }, + { 0x4DEA2E00 /* 77.234.46.0/24 */, 24, NDPI_PROTOCOL_AVAST }, + { 0x5BD58F00 /* 91.213.143.0/24 */, 24, NDPI_PROTOCOL_AVAST }, + { 0x5F8E7000 /* 95.142.112.0/24 */, 24, NDPI_PROTOCOL_AVAST }, + { 0x5F8E7300 /* 95.142.115.0/24 */, 24, NDPI_PROTOCOL_AVAST }, + { 0x5F8E7600 /* 95.142.118.0/24 */, 24, NDPI_PROTOCOL_AVAST }, + { 0x5F8E7900 /* 95.142.121.0/24 */, 24, NDPI_PROTOCOL_AVAST }, + { 0x5F8E7C00 /* 95.142.124.0/24 */, 24, NDPI_PROTOCOL_AVAST }, + { 0x5F8E7F00 /* 95.142.127.0/24 */, 24, NDPI_PROTOCOL_AVAST }, + { 0x9FF2E300 /* 159.242.227.0/24 */, 24, NDPI_PROTOCOL_AVAST }, + { 0x9FF2EA00 /* 159.242.234.0/24 */, 24, NDPI_PROTOCOL_AVAST }, + { 0x9FF2EF00 /* 159.242.239.0/24 */, 24, NDPI_PROTOCOL_AVAST }, + { 0xB933E400 /* 185.51.228.0/23 */, 23, NDPI_PROTOCOL_AVAST }, + { 0xB933E600 /* 185.51.230.0/24 */, 24, NDPI_PROTOCOL_AVAST }, + { 0xB936E600 /* 185.54.230.0/24 */, 24, NDPI_PROTOCOL_AVAST }, + { 0xB9A74000 /* 185.167.64.0/24 */, 24, NDPI_PROTOCOL_AVAST }, + { 0xB9BD5C00 /* 185.189.92.0/22 */, 22, NDPI_PROTOCOL_AVAST }, + { 0xC2631C00 /* 194.99.28.0/22 */, 22, NDPI_PROTOCOL_AVAST }, + { 0xC34A4C00 /* 195.74.76.0/24 */, 24, NDPI_PROTOCOL_AVAST }, + /* End */ + { 0x0, 0, 0 } +}; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 53f2dad3a..5f6ff9aa5 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -87,6 +87,7 @@ #include "inc_generated/ndpi_asn_riotgames.c.inc" #include "inc_generated/ndpi_asn_threema.c.inc" #include "inc_generated/ndpi_asn_alibaba.c.inc" +#include "inc_generated/ndpi_asn_avast.c.inc" /* Third party libraries */ #include "third_party/include/ndpi_patricia.h" 
@@ -1954,6 +1955,10 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp "AliCloud", NDPI_PROTOCOL_CATEGORY_CLOUD, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); + ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 0 /* nw proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_AVAST, + "AVAST", NDPI_PROTOCOL_CATEGORY_NETWORK, + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); #ifdef CUSTOM_NDPI_PROTOCOLS #include "../../../nDPI-custom/custom_ndpi_main.c" @@ -2612,6 +2617,7 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_riotgames_protocol_list); ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_threema_protocol_list); ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_alibaba_protocol_list); + ndpi_init_ptree_ipv4(ndpi_str, ndpi_str->protocols_ptree, ndpi_protocol_avast_protocol_list); } } @@ -4456,6 +4462,9 @@ static int ndpi_callback_init(struct ndpi_detection_module_struct *ndpi_str) { /* AliCloud */ init_alicloud_dissector(ndpi_str, &a, detection_bitmask); + /* AVAST */ + init_avast_dissector(ndpi_str, &a, detection_bitmask); + #ifdef CUSTOM_NDPI_PROTOCOLS #include "../../../nDPI-custom/custom_ndpi_main_init.c" #endif diff --git a/src/lib/protocols/avast.c b/src/lib/protocols/avast.c new file mode 100644 index 000000000..b94c5ad62 --- /dev/null +++ b/src/lib/protocols/avast.c 
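Review bot: `NDPI_PROTOCOL_SAFE` in the new `ndpi_set_proto_defaults` call is a strong breed for a protocol that this commit identifies only by a destination address range or a short cleartext marker, both of which the remote side influences. A consumer that relaxes inspection or policy for SAFE flows would inherit that trust. Consider `NDPI_PROTOCOL_ACCEPTABLE`, or at least add a comment next to the call such as `/* breed is advisory: match is IP-range or 6-byte signature only */`. The call sits inside ndpi_init_protocol_defaults, whose body starts and ends outside the hunk.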
@@ -0,0 +1,67 @@
+/*
+ * avast.c
+ *
+ * Copyright (C) 2012-22 - ntop.org
+ *
+ * This module is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This module is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License.
+ * If not, see .
+ *
+ */
+
+#include "ndpi_protocol_ids.h"
+
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_AVAST
+
+#include
+#include "ndpi_api.h"
+
+static void ndpi_int_avast_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow)
+{
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_AVAST, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+}
+
+static void ndpi_search_avast(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow)
+{
+ struct ndpi_packet_struct * packet = &ndpi_struct->packet;
+
+ if (packet->payload_packet_len < 6)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+
+ if (strncmp((char *)&packet->payload[0], "NOSA", NDPI_STATICSTRING_LEN("NOSA")) == 0 &&
+ ntohs(*(uint16_t *)&packet->payload[4]) == packet->payload_packet_len)
+ {
+ ndpi_int_avast_add_connection(ndpi_struct, flow);
+ return;
+ }
+
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+}
+
+void init_avast_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id,
+ NDPI_PROTOCOL_BITMASK *detection_bitmask)
+{
+ ndpi_set_bitmask_protocol_detection("AVAST",
+ ndpi_struct, detection_bitmask, *id,
+ NDPI_PROTOCOL_AVAST,
+ ndpi_search_avast,
+ NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
+ SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+ ADD_TO_DETECTION_BITMASK);
+
+ *id += 1;
+}
diff --git a/src/lib/protocols/avast_securedns.c b/src/lib/protocols/avast_securedns.c
index 5edd1e689..a640d6815 100644
--- a/src/lib/protocols/avast_securedns.c
+++ b/src/lib/protocols/avast_securedns.c
@@ -1,5 +1,5 @@
 /*
- * avast.c
+ * avast_securedns.c
 *
 * Copyright (C) 2012-22 - ntop.org
 *
@@ -44,7 +44,7 @@ static void ndpi_search_avast_securedns(struct ndpi_detection_module_struct *ndp return; } - if (strncasecmp((char *)&packet->payload[15], "securedns", strlen("securedns")) == 0) + if (strncasecmp((char *)&packet->payload[15], "securedns", NDPI_STATICSTRING_LEN("securedns")) == 0) { ndpi_int_avast_securedns_add_connection(ndpi_struct, flow); return; -- cgit v1.2.3
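Review bot: The length comparison in ndpi_search_avast reads `*(uint16_t *)&packet->payload[4]`, a cast that assumes the payload is 2-byte aligned at offset 4 and bypasses the aliasing rules; an unaligned load in a packet parser can fault on strict-alignment targets. The 6-byte guard above keeps the read in bounds, so only the access form needs to change, e.g. `u_int16_t msg_len = (packet->payload[4] << 8) | packet->payload[5];` compared against `packet->payload_packet_len`. Because the payload is not a C string, `memcmp(packet->payload, "NOSA", 4) == 0` states the intent more directly than `strncmp`. A short comment on the matched layout would also help (apparently a 4-byte `NOSA` tag followed by a 16-bit network-order total length), together with a note that the flow is excluded when the first payload segment does not carry the whole announced length.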