From a1602dd0a5f243da2aa550669c0c01c1c89cae52 Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Mon, 16 Sep 2024 22:21:14 +0200
Subject: dns: add a check before setting `NDPI_MALFORMED_PACKET` risk (#2558)

"Invalid DNS Header"-risk should be set only if the flow has been already classified as DNS. Otherwise, almost any non-DNS flows on port 53 will end up having the `NDPI_MALFORMED_PACKET` risk set, which is a little bit confusing for non DNS traffic
---
 src/lib/protocols/dns.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 94367d318..4e3b09d5b 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -320,7 +320,8 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct,
 x++;
 }
 } else {
- ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid DNS Header");
+ if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN)
+ ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid DNS Header");
 return(1 /* invalid */);
 }
 } else {
-- 
cgit v1.2.3
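Review bot: The guard added before `ndpi_set_risk()` tests `flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN`, which is true for any classified flow, while the commit message says the risk should be raised only for flows already classified as DNS. If this branch can be reached for a flow that already carries another protocol id, the risk is still set on non-DNS traffic; comparing against the DNS id, e.g. `if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_DNS || flow->detected_protocol_stack[1] == NDPI_PROTOCOL_DNS)`, would match the stated intent. The branch also deserves a comment such as `/* Not classified yet: a bad header on port 53 is most likely non-DNS traffic, so no risk is raised */`, because a malformed first packet of a genuine DNS flow now goes unflagged and anyone building detections on `NDPI_MALFORMED_PACKET` needs to know that. Braces around the new `if` body would keep the following `return` visibly outside it. The body of search_valid_dns starts and ends outside the hunk.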