From e4453938d5329daaa0ea682bba55d354759c077e Mon Sep 17 00:00:00 2001
From: Toni
Date: Tue, 13 Jul 2021 15:10:18 +0200
Subject: Improved dnscrypt midstream detection. (#1241)

* fixed skype false-positive detection of dnscrypt traffic

Signed-off-by: Toni Uhlig
---
 src/lib/protocols/dnscrypt.c | 2 +-
 src/lib/protocols/skype.c | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
(limited to 'src/lib')

diff --git a/src/lib/protocols/dnscrypt.c b/src/lib/protocols/dnscrypt.c
index 6c89466f1..af147614a 100644
--- a/src/lib/protocols/dnscrypt.c
+++ b/src/lib/protocols/dnscrypt.c
@@ -38,7 +38,7 @@ void ndpi_search_dnscrypt(struct ndpi_detection_module_struct *ndpi_struct,
   NDPI_LOG_DBG(ndpi_struct, "search dnscrypt\n");
-  if (flow->packet_counter > 2)
+  if (flow->packet_counter > 3)
   {
     NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
   }
diff --git a/src/lib/protocols/skype.c b/src/lib/protocols/skype.c
index 0c2c0f675..9e17f32a1 100644
--- a/src/lib/protocols/skype.c
+++ b/src/lib/protocols/skype.c
@@ -35,6 +35,15 @@ static int ndpi_check_skype_udp_again(struct ndpi_detection_module_struct *ndpi_
   const uint8_t crc_len = sizeof(flow->l4.udp.skype_crc);
   const uint8_t crc_offset = id_flags_iv_crc_len - crc_len;
+  if (flow->packet_counter > 2)
+  {
+    /*
+     * Process only one packet after the initial packet received.
+     * This is required to prevent fals-positives with other protocols e.g. dnscrypt.
+     */
+    return 0;
+  }
+
   if ((payload_len >= id_flags_iv_crc_len) && (packet->payload[2] == 0x02 /* Payload flag */ )) {
     u_int8_t detected = 1;
-- 
cgit v1.2.3
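Review bot: The new threshold `flow->packet_counter > 3` in ndpi_search_dnscrypt is a bare constant whose relation to the `> 2` guard added to skype.c in the same commit is recorded nowhere in the code, so the next person tuning either dissector can silently break the other. If the intent is that DNSCrypt keeps probing one packet longer than the Skype UDP re-check, say so next to the condition, e.g. `/* Keep probing one packet longer than the Skype UDP re-check (skype.c, packet_counter > 2) so a flow it mis-probed can still be classified here. */`; if the intent is different, the comment should state the actual reason for 3. A named constant shared by both files would be better still, but that is beyond this hunk. ndpi_search_dnscrypt starts and ends outside the hunk.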
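Review bot: The added comment in ndpi_check_skype_udp_again does not match the condition it explains: `packet_counter > 2` lets two packets through before the early return, while the text says "only one packet after the initial packet", and it misspells false-positives; suggest `* Only re-check the first two packets; later packets return early so that flows of other protocols (e.g. DNSCrypt) are not mis-classified as Skype.` (whether packet_counter starts at 1 for the first packet is not visible here, so confirm the count before wording it). The early return sits after the `crc_len`/`crc_offset` computations, which are still valid but unused on that path; moving the guard above them would make it clearer that nothing about the flow is touched before bailing out. ndpi_check_skype_udp_again starts and ends outside the hunk.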