From 0b6e261523f6d8ff66ae711922fc266bb6baa07c Mon Sep 17 00:00:00 2001
From: Vladimir Gavrilov <105977161+0xA50C1A1@users.noreply.github.com>
Date: Mon, 27 Nov 2023 15:10:50 +0300
Subject: Improve CORBA detection (#2167)
* Improve CORBA detection
* Remove dummy flow from ziop.pcap
* Merge ziop.pcap and miop.pcap into corba.pcap
---
 src/lib/protocols/corba.c | 35 ++++++++++++++++++++++-------------
 1 file changed, 22 insertions(+), 13 deletions(-)
 (limited to 'src')
diff --git a/src/lib/protocols/corba.c b/src/lib/protocols/corba.c
index aaf3563e6..8aa98babe 100644
--- a/src/lib/protocols/corba.c
+++ b/src/lib/protocols/corba.c
@@ -26,27 +26,36 @@
 #include "ndpi_private.h"
 static void ndpi_int_corba_add_connection(struct ndpi_detection_module_struct
- *ndpi_struct, struct ndpi_flow_struct *flow)
+ *ndpi_struct, struct ndpi_flow_struct *flow)
 {
+ NDPI_LOG_INFO(ndpi_struct, "found Corba\n");
 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CORBA, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
 }
 static void ndpi_search_corba(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
 {
- struct ndpi_packet_struct *packet = &ndpi_struct->packet;
-
- NDPI_LOG_DBG(ndpi_struct, "search for CORBA\n");
- if(packet->tcp != NULL) {
- NDPI_LOG_DBG2(ndpi_struct, "calculating CORBA over tcp\n");
- /* Corba General Inter-ORB Protocol -> GIOP */
- if(packet->payload_packet_len >= 24 &&
- memcmp(packet->payload, "GIOP", 4) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found corba\n");
+ struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
+
+ NDPI_LOG_DBG(ndpi_struct, "search for Corba\n");
+
+ if (packet->tcp != NULL && packet->payload_packet_len >= 24) {
+ /* General Inter-ORB Protocol -> GIOP
+ * Zipped Inter-ORB Protocol -> ZIOP */
+ if ((memcmp(packet->payload, "GIOP", 4) == 0) ||
+ (memcmp(packet->payload, "ZIOP", 4) == 0))
+ {
+ ndpi_int_corba_add_connection(ndpi_struct, flow);
+ return;
+ }
+ }
+ else if (packet->udp != NULL && packet->payload_packet_len > 32) {
+ /* Unreliable Multicast Inter-ORB Protocol -> MIOP */
+ if (memcmp(packet->payload, "MIOP", 4) == 0) {
 ndpi_int_corba_add_connection(ndpi_struct, flow);
 return;
 }
 }
- if(flow->packet_counter > 5)
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 }
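Review bot: Four magic bytes are the only evidence `ndpi_search_corba` requires before it reports the flow with `NDPI_CONFIDENCE_DPI` (`GIOP`/`ZIOP` on TCP, `MIOP` on UDP), so any payload that happens to begin with those bytes is labelled CORBA even though the length guards (`>= 24`, `> 32`) already make more of the header readable. GIOP carries its major version in the byte after the magic, so the TCP branch could also require `packet->payload[4] == 1`; this assumes ZIOP keeps the same header layout, which should be confirmed against the merged corba.pcap. Separately, `NDPI_EXCLUDE_PROTO` now runs on the first non-matching packet rather than after `flow->packet_counter > 5`, so a flow whose first payload segment is shorter than 24 bytes or does not start on a message boundary is excluded at once. If that is intended, a comment above the call such as `/* magic must appear in the first payload packet; no retry */` would record the decision.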
@@ -55,7 +64,7 @@ void init_corba_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_in
 ndpi_set_bitmask_protocol_detection("Corba", ndpi_struct, *id,
 NDPI_PROTOCOL_CORBA,
 ndpi_search_corba,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
+ NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
 SAVE_DETECTION_BITMASK_AS_UNKNOWN,
 ADD_TO_DETECTION_BITMASK);
 *id += 1;
--
cgit v1.2.3