From 46affea055a19b81d63a4015315cb1f120a6d4ab Mon Sep 17 00:00:00 2001
From: Andrew Karelin <36686667+AndrewKarelin@users.noreply.github.com>
Date: Wed, 23 Oct 2019 18:47:51 +0500
Subject: Added some public DNSoverHTTPS servers

List of servers taken from https://github.com/curl/curl/wiki/DNS-over-HTTPS
---
 src/lib/ndpi_content_match.c.inc | 44 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

(limited to 'src')

diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 0eed29d26..257fdf3cc 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -8491,6 +8491,50 @@ static ndpi_protocol_match host_match[] = {
   { "dns.google", NULL, "dns\\.google" TLD, "DNSoverHTTPS",     NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
   // { "mozilla.cloudflare-dns.com", NULL, "mozilla\\.cloudflare-dns\\.com" TLD, "DNSoverHTTPS",     NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, /* Firefox */
   { "cloudflare-dns.com", NULL, "cloudflare-dns\\.com" TLD, "DNSoverHTTPS",     NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "commons.host", NULL, "commons\\.host" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "doh.li", NULL, "doh\\.li" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "dns9.quad9.net", NULL, "dns9\\.quad9\\.net" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "doh.opendns.com", NULL, "doh\\.opendns\\.com" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "doh.dns.sb", NULL, "doh\\.dns\\.sb" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "doh.netweaver.uk", NULL, "doh\\.netweaver\\.uk" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "dns.dns-over-https.com", NULL, "dns\\.dns-over-https\\.com" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "jp.tiarap.org", NULL, "jp\\.tiarap\\.org" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "dns.dnsoverhttps.net", NULL, "dns\\.dnsoverhttps\\.net" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "doh.powerdns.org", NULL, "doh\\.powerdns\\.org" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "adblock.mydns.network", NULL, "adblock\\.mydns\\.network" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "jp.tiar.app", NULL, "jp\\.tiar\\.app" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "doh.crypto.sx", NULL, "doh\\.crypto\\.sx" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "dns.quad9.net", NULL, "dns\\.quad9\\.net" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "dns.containerpi.com", NULL, "dns\\.containerpi\\.com" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "ibksturm.synology.me", NULL, "ibksturm\\.synology\\.me" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "doh.captnemo.in", NULL, "doh\\.captnemo\\.in" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "dns.rubyfish.cn", NULL, "dns\\.rubyfish\\.cn" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "doh.42l.fr", NULL, "doh\\.42l\\.fr" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "dns-family.adguard.com", NULL, "dns-family\\.adguard\\.com" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "appliedprivacy.net", NULL, "appliedprivacy\\.net" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "doh.cleanbrowsing.org", NULL, "doh\\.cleanbrowsing\\.org" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "dns10.quad9.net", NULL, "dns10\\.quad9\\.net" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "doh-ch.blahdns.com", NULL, "doh-ch\\.blahdns\\.com" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "doh.seby.io", NULL, "doh\\.seby\\.io" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "dns.adguard.com", NULL, "dns\\.adguard\\.com" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "ibuki.cgnat.net", NULL, "ibuki\\.cgnat\\.net" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "jcdns.fun", NULL, "jcdns\\.fun" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "doh-2.seby.io", NULL, "doh-2\\.seby\\.io" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "doh.tiar.app", NULL, "doh\\.tiar\\.app" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "doh.dnswarden.com", NULL, "doh\\.dnswarden\\.com" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "doh-de.blahdns.com", NULL, "doh-de\\.blahdns\\.com" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "doh-jp.blahdns.com", NULL, "doh-jp\\.blahdns\\.com" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "doh.appliedprivacy.net", NULL, "doh\\.appliedprivacy\\.net" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "doh.tiarap.org", NULL, "doh\\.tiarap\\.org" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "doh.armadillodns.net", NULL, "doh\\.armadillodns\\.net" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "dns-nyc.aaflalo.me", NULL, "dns-nyc\\.aaflalo\\.me" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "dns.aa.net.uk", NULL, "dns\\.aa\\.net\\.uk" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "dns.aaflalo.me", NULL, "dns\\.aaflalo\\.me" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "dns11.quad9.net", NULL, "dns11\\.quad9\\.net" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "dns.nextdns.io", NULL, "dns\\.nextdns\\.io" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "doh.securedns.eu", NULL, "doh\\.securedns\\.eu" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "rdns.faelix.net", NULL, "rdns\\.faelix\\.net" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { "captnemo.in", NULL, "captnemo\\.in" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
 
 
   /*
-- 
cgit v1.2.3


From 53e1ee347563f9c585bada705a03d2985f8f0a94 Mon Sep 17 00:00:00 2001
From: Renan de Souza <renan.souza@setinet.com.br>
Date: Thu, 24 Oct 2019 14:43:10 -0300
Subject: Changed Breeds descriptions in ndpi_get_proto_breed_name: Dangerous
 to Potentially Dangerous, added Dangerous (SMBv1)

---
 src/lib/ndpi_main.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 8e3f704e4..8cd661243 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -5969,9 +5969,11 @@ char* ndpi_get_proto_breed_name(struct ndpi_detection_module_struct *ndpi_str,
     return("Unsafe");
     break;
   case NDPI_PROTOCOL_POTENTIALLY_DANGEROUS:
+    return("Potentially Dangerous");
+    break;
+  case NDPI_PROTOCOL_DANGEROUS:
     return("Dangerous");
     break;
-
   case NDPI_PROTOCOL_UNRATED:
   default:
     return("Unrated");
-- 
cgit v1.2.3


From 653c2092536466cf8d62bc73e73f12ecf97ed9fc Mon Sep 17 00:00:00 2001
From: Renan de Souza <renan.souza@setinet.com.br>
Date: Thu, 24 Oct 2019 14:50:54 -0300
Subject: Added 52.84.0.0/14 range as Amazon

---
 src/lib/ndpi_content_match.c.inc | 1 +
 1 file changed, 1 insertion(+)

(limited to 'src')

diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 0eed29d26..ca8b757c5 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -488,6 +488,7 @@ static ndpi_network host_protocol_list[] = {
   { 0x344E0000 /* 52.78.0.0/16 */, 16, NDPI_PROTOCOL_AMAZON },
   { 0x344F0000 /* 52.79.0.0/16 */, 16, NDPI_PROTOCOL_AMAZON },
   { 0x34520000 /* 52.82.0.0/14 */, 14, NDPI_PROTOCOL_AMAZON },
+  { 0x34540000 /* 52.84.0.0/14 */, 14, NDPI_PROTOCOL_AMAZON },
   { 0x34580000 /* 52.88.0.0/13 */, 13, NDPI_PROTOCOL_AMAZON },
   { 0x345A0000 /* 52.90.0.0/15 */, 15, NDPI_PROTOCOL_AMAZON },
   { 0x345EE000 /* 52.94.224.0/19 */, 19, NDPI_PROTOCOL_AMAZON },
-- 
cgit v1.2.3


From d0623866565df25ebbb2a6af5094069932e8046c Mon Sep 17 00:00:00 2001
From: Renan de Souza <renan.souza@setinet.com.br>
Date: Tue, 29 Oct 2019 09:54:42 -0300
Subject: Added ^pastebin.com to host_match[]

---
 src/lib/ndpi_content_match.c.inc | 1 +
 1 file changed, 1 insertion(+)

(limited to 'src')

diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 54ce263e6..233d310cf 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -8777,6 +8777,7 @@ static ndpi_protocol_match host_match[] = {
   { "tupdate.com", NULL, "tupdate" TLD,                                "Telegram",         NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE },
 
   { ".pastebin.com", NULL, "\\.pastebin" TLD,                          "Pastebin",         NDPI_PROTOCOL_PASTEBIN, NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS },
+  { "pastebin.com", NULL, "^pastebin" TLD,                             "Pastebin",         NDPI_PROTOCOL_PASTEBIN, NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS },
 
   { ".ppstream.com", NULL, "\\.ppstream" TLD,                          "PPStream",         NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN },
   { ".pps.tv", NULL, "\\.pps\\.tv$",                                   "PPStream",         NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN },
-- 
cgit v1.2.3


From fbea243e563abe0799307afa939514af56e1bff0 Mon Sep 17 00:00:00 2001
From: Renan de Souza <renan.souza@setinet.com.br>
Date: Tue, 29 Oct 2019 11:48:23 -0300
Subject: Added brasilbandalarga.com.br and .eaqbr.com.br as EAQ on
 host_match[]

---
 src/lib/ndpi_content_match.c.inc | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'src')

diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 233d310cf..801dcac1f 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -8798,6 +8798,9 @@ static ndpi_protocol_match host_match[] = {
   { "musical.ly", NULL, "musical\\.ly" TLD,                            "TikTok",           NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
   { "muscdn.com", NULL, "muscndl\\.com" TLD,                           "TikTok",           NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
 
+  { "brasilbandalarga.com.br", NULL, "brasilbandalarga\\.com" TLD,     "EAQ",              NDPI_PROTOCOL_EAQ, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+  { ".eaqbr.com.br", NULL, "\\.eaqbr\\.com" TLD,                       "EAQ",              NDPI_PROTOCOL_EAQ, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+
   { NULL, NULL, NULL, 0 }
 };
 
-- 
cgit v1.2.3


From 9400a3b9ef1f784cd25b2f6b5f3ba1a9e83cca83 Mon Sep 17 00:00:00 2001
From: Renan de Souza <renan.souza@setinet.com.br>
Date: Tue, 29 Oct 2019 15:28:08 -0300
Subject: Added ranges 20.180.0.0/14, 20.184.0.0/13 to Skype

---
 src/lib/ndpi_content_match.c.inc | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'src')

diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 10058f8c0..8f8472738 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -979,6 +979,8 @@ static ndpi_network host_protocol_list[] = {
   { 0x4237DF00 /* 65.55.223.0 */, 26, NDPI_PROTOCOL_SKYPE },
   { 0x17600000 /* 23.96.0.0 */, 13, NDPI_PROTOCOL_SKYPE },
   { 0x34724A05 /* 52.114.74.5 */, 32, NDPI_PROTOCOL_SKYPE },
+  { 0x14B40000 /* 20.180.0.0 */, 14, NDPI_PROTOCOL_SKYPE },
+  { 0x14B80000 /* 20.184.0.0 */, 13, NDPI_PROTOCOL_SKYPE },
 
   /*
     Blizzard Entertainment, Inc
-- 
cgit v1.2.3


From 124545e1ed70e5c3e8a0e6d582f1f52c003b84a4 Mon Sep 17 00:00:00 2001
From: Renan de Souza <renan.souza@setinet.com.br>
Date: Tue, 29 Oct 2019 16:26:17 -0300
Subject: Added twitch.tv website

---
 src/lib/ndpi_content_match.c.inc | 1 +
 1 file changed, 1 insertion(+)

(limited to 'src')

diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 8f8472738..628664a65 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -8853,6 +8853,7 @@ static ndpi_protocol_match host_match[] = {
   { "ttvnw.net", NULL, "ttvnw" TLD,                                    "Twitch",           NDPI_PROTOCOL_TWITCH, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
   { "static-cdn.jtvnw.net", NULL, "static-cdn\\.jtvnw" TLD,            "Twitch",           NDPI_PROTOCOL_TWITCH, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
   { "www-cdn.jtvnw.net", NULL, "www-cdn\\.jtvnw" TLD,                  "Twitch",           NDPI_PROTOCOL_TWITCH, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
+  { "twitch.tv", NULL, "twitch\\.tv$",                  "Twitch",           NDPI_PROTOCOL_TWITCH, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
 
   { ".qq.com", NULL, "\\.qq" TLD,                                      "QQ",               NDPI_PROTOCOL_QQ, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN },
   { ".gtimg.com", NULL, "\\.gtimg" TLD,                                "QQ",               NDPI_PROTOCOL_QQ, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN },
-- 
cgit v1.2.3


From a3a85106a1eb59bc87cafa06796ea404f450eda9 Mon Sep 17 00:00:00 2001
From: Luca Deri <deri@ntop.org>
Date: Fri, 1 Nov 2019 23:05:11 +0100
Subject: Implemented SQL Injection and XSS attack detection

---
 example/ndpiReader.c            |  23 +++++-
 src/include/ndpi_api.h          |   2 +
 src/include/ndpi_typedefs.h     |   6 ++
 src/lib/ndpi_utils.c            | 163 +++++++++++++++++++++++++++++++++++++---
 tests/pcap/WebattackSQLinj.pcap | Bin 0 -> 31536 bytes
 tests/pcap/WebattackXSS.pcap    | Bin 0 -> 4871156 bytes
 6 files changed, 182 insertions(+), 12 deletions(-)
 create mode 100644 tests/pcap/WebattackSQLinj.pcap
 create mode 100644 tests/pcap/WebattackXSS.pcap

(limited to 'src')

diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 268fea160..f70ebd785 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -998,6 +998,23 @@ static char* is_unsafe_cipher(ndpi_cipher_weakness c) {
 
 /* ********************************** */
 
+char* printUrlRisk(ndpi_url_risk risk) {
+  switch(risk) {
+    case ndpi_url_no_problem:
+      return("");
+      break;
+    case ndpi_url_possible_xss:
+      return(" ** XSS **");
+      break;
+    case ndpi_url_possible_sql_injection:
+      return(" ** SQL Injection **");
+      break;
+  }
+
+  return("");
+}
+/* ********************************** */
+
 /**
  * @brief Print the flow
  */
@@ -1143,8 +1160,10 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa
     }
 
     if(flow->http.url[0] != '\0')
-      fprintf(out, "[URL: %s][StatusCode: %u][ContentType: %s][UserAgent: %s]",
-	      flow->http.url, flow->http.response_status_code,
+      fprintf(out, "[URL: %s%s][StatusCode: %u][ContentType: %s][UserAgent: %s]",
+	      flow->http.url,
+	      printUrlRisk(ndpi_validate_url(flow->http.url)),
+	      flow->http.response_status_code,
 	      flow->http.content_type, flow->http.user_agent);
     
     if(flow->ssh_tls.ssl_version != 0) fprintf(out, "[%s]", ndpi_ssl_version2str(flow->ssh_tls.ssl_version, &known_tls));
diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h
index a1c33b36e..6228a6123 100644
--- a/src/include/ndpi_api.h
+++ b/src/include/ndpi_api.h
@@ -940,6 +940,8 @@ extern "C" {
   const char* ndpi_data_ratio2str(float ratio);
   
   void ndpi_data_print_window_values(struct ndpi_analyze_struct *s); /* debug */
+
+  ndpi_url_risk ndpi_validate_url(char *url);
 #ifdef __cplusplus
 }
 #endif
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 04e439221..057fa2527 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -42,6 +42,12 @@ typedef enum {
 	      ndpi_l4_proto_tcp_and_udp,
 } ndpi_l4_proto_info;
 
+typedef enum {
+   ndpi_url_no_problem = 0,
+   ndpi_url_possible_xss,
+   ndpi_url_possible_sql_injection
+  } ndpi_url_risk;
+
 /* NDPI_VISIT */
 typedef enum {
 	      ndpi_preorder,
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index f11f074cd..a8c73e67e 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -759,11 +759,11 @@ void ndpi_user_pwd_payload_copy(u_int8_t *dest, u_int dest_len,
 				u_int offset,
 				const u_int8_t *src, u_int src_len) {
   u_int i, j=0, k = dest_len-1;
-  
+
   for(i=offset; (i<src_len) && (j<=k); i++) {
     if((j == k) || (src[i] < ' '))
       break;
-    
+
     dest[j++] = src[i];
   }
 
@@ -857,7 +857,7 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct,
 		   u_int32_t src_v4, u_int32_t dst_v4,
 		   struct ndpi_in6_addr *src_v6, struct ndpi_in6_addr *dst_v6,
 		   u_int16_t src_port, u_int16_t dst_port,
-		   ndpi_protocol l7_protocol,		   
+		   ndpi_protocol l7_protocol,
 		   ndpi_serializer *serializer) {
   char buf[64], src_name[32], dst_name[32];
 
@@ -976,7 +976,7 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct,
     ndpi_serialize_start_of_block(serializer, "http");
     if(flow->host_server_name[0] != '\0')
       ndpi_serialize_string_string(serializer, "hostname", (const char*)flow->host_server_name);
-    ndpi_serialize_string_string(serializer,   "url", flow->http.url);    
+    ndpi_serialize_string_string(serializer,   "url", flow->http.url);
     ndpi_serialize_string_uint32(serializer,   "code", flow->http.response_status_code);
     ndpi_serialize_string_string(serializer,   "content_type", flow->http.content_type);
     ndpi_serialize_string_string(serializer,   "user_agent", flow->http.user_agent);
@@ -989,28 +989,28 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct,
     ndpi_serialize_string_string(serializer,  "password", flow->protos.ftp_imap_pop_smtp.password);
     ndpi_serialize_end_of_block(serializer);
     break;
-      
+
   case NDPI_PROTOCOL_MAIL_POP:
     ndpi_serialize_start_of_block(serializer, "pop");
     ndpi_serialize_string_string(serializer,  "user", flow->protos.ftp_imap_pop_smtp.username);
     ndpi_serialize_string_string(serializer,  "password", flow->protos.ftp_imap_pop_smtp.password);
     ndpi_serialize_end_of_block(serializer);
     break;
-      
+
   case NDPI_PROTOCOL_MAIL_SMTP:
     ndpi_serialize_start_of_block(serializer, "smtp");
     ndpi_serialize_string_string(serializer,  "user", flow->protos.ftp_imap_pop_smtp.username);
     ndpi_serialize_string_string(serializer,  "password", flow->protos.ftp_imap_pop_smtp.password);
     ndpi_serialize_end_of_block(serializer);
     break;
-      
+
   case NDPI_PROTOCOL_FTP_CONTROL:
     ndpi_serialize_start_of_block(serializer, "ftp");
     ndpi_serialize_string_string(serializer,  "user", flow->protos.ftp_imap_pop_smtp.username);
     ndpi_serialize_string_string(serializer,  "password", flow->protos.ftp_imap_pop_smtp.password);
     ndpi_serialize_end_of_block(serializer);
     break;
-      
+
   case NDPI_PROTOCOL_SSH:
     ndpi_serialize_start_of_block(serializer, "ssh");
     ndpi_serialize_string_string(serializer,  "client_signature", flow->protos.ssh.client_signature);
@@ -1041,7 +1041,7 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct,
 	ndpi_serialize_string_string(serializer, "issuer", flow->protos.stun_ssl.ssl.server_organization);
 
 	if(before) {
-          strftime(notBefore, sizeof(notBefore), "%F %T", before); 
+          strftime(notBefore, sizeof(notBefore), "%F %T", before);
           ndpi_serialize_string_string(serializer, "notbefore", notBefore);
         }
 
@@ -1061,7 +1061,7 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct,
 
 	  ndpi_serialize_string_string(serializer, "fingerprint", buf);
 	}
-      
+
 	ndpi_serialize_end_of_block(serializer);
       }
     }
@@ -1072,3 +1072,146 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct,
 }
 
 /* ********************************** */
+
+/*
+  /dv/vulnerabilities/xss_r/?name=%3Cscript%3Econsole.log%28%27JUL2D3WXHEGWRAFJE2PI7OS71Z4Z8RFUHXGNFLUFYVP6M3OL55%27%29%3Bconsole.log%28document.cookie%29%3B%3C%2Fscript%3E
+  /dv/vulnerabilities/sqli/?id=1%27+and+1%3D1+union+select+null%2C+table_name+from+information_schema.tables%23&Submit=Submit
+*/
+
+/* https://www.rosettacode.org/wiki/URL_decoding#C */
+static int ishex(int x) {
+  return(x >= '0' && x <= '9') || (x >= 'a' && x <= 'f') || (x >= 'A' && x <= 'F');
+}
+
+/* ********************************** */
+
+static int ndpi_url_decode(const char *s, char *out) {
+  char *o;
+  const char *end = s + strlen(s);
+  int c;
+
+  for(o = out; s <= end; o++) {
+    c = *s++;
+    if(c == '+') c = ' ';
+    else if(c == '%' && (!ishex(*s++)||
+			  !ishex(*s++)||
+			  !sscanf(s - 2, "%2x", &c)))
+      return(-1);
+
+    if(out) *o = c;
+  }
+
+  return(o - out);
+}
+
+/* ********************************** */
+
+/* #define URL_CHECK_DEBUG 1 */
+
+static int find_occurrency(char *str, char *what) {
+  char *found = strstr(str, what);
+  u_int len;
+
+#ifdef URL_CHECK_DEBUG
+  printf("%s() [%s][%s]\n", __FUNCTION__, str, what);
+#endif
+
+  if(!found) return(0);
+
+  len = strlen(what);
+
+  if((found[len] != '\0') && (found[len] != ' ')
+     && ((found == str) || (found[-1] == ' ')))
+    return(1);
+  else
+    return(find_occurrency(&found[len], what));
+}
+
+/* ********************************** */
+
+static int ndpi_check_tokens(char* query, char* keywords[]) {
+#ifdef URL_CHECK_DEBUG
+  printf("%s() [%s]\n", __FUNCTION__, query);
+#endif
+  
+  for(int i=0; keywords[i] != NULL; i++) {
+    if(find_occurrency(query, keywords[i]) > 0)
+      return(1);
+  }
+
+  return(0);
+}
+
+/* ********************************** */
+
+static int ndpi_is_sql_injection(char* query) {
+  char* sql_keywords[]  = { "select", "from", "where", "any", "all", "join", "inner", "left", "right", "full",
+			    "table", "alter", "create", "delete", "union", "update", "drop", "group", "order",
+			    "limit", "primary", "column", NULL };
+  return(ndpi_check_tokens(query, sql_keywords));
+}
+
+/* ********************************** */
+
+static int ndpi_is_xss_injection(char* query) {
+  char* js_keywords[]  = { "<script>", "console.", "log.", NULL };
+  return(ndpi_check_tokens(query, js_keywords));
+}
+
+/* ********************************** */
+
+ndpi_url_risk ndpi_validate_url(char *url) {
+  char *orig_str = NULL, *str = NULL, *question_mark = strchr(url, '?');
+  ndpi_url_risk rc = ndpi_url_no_problem;
+
+  if(question_mark) {
+    char *tmp;
+
+    orig_str = str = ndpi_strdup(&question_mark[1]); /* Skip ? */
+
+    if(!str) goto validate_rc;
+
+    str = strtok_r(str, "&", &tmp);
+
+    while(str != NULL) {
+      char *value = strchr(str, '=');
+      char *decoded;
+
+      if(!value)
+	break;
+      else
+	value = &value[1];
+
+      if(value[0] != '\0') {
+	if(!(decoded = (char*)ndpi_malloc(strlen(value)+1)))
+	  break;
+
+	if(ndpi_url_decode(value, decoded) < 0) {
+	  /* Invalid string */
+	} else if(decoded[0] != '\0') {
+	  /* Valid string */
+
+	  if(ndpi_is_xss_injection(decoded))
+	    rc = ndpi_url_possible_xss;
+	  else if(ndpi_is_sql_injection(decoded))
+	    rc = ndpi_url_possible_sql_injection;
+
+#ifdef URL_CHECK_DEBUG
+	  printf("=>> [rc: %u] %s\n", rc, decoded);
+#endif
+	}
+
+	ndpi_free(decoded);
+
+	if(rc != ndpi_url_no_problem)
+	  break;
+      }
+      
+      str = strtok_r(NULL, "&", &tmp);
+    }
+  }
+
+ validate_rc:
+  if(orig_str) ndpi_free(orig_str);
+  return(rc);
+}
diff --git a/tests/pcap/WebattackSQLinj.pcap b/tests/pcap/WebattackSQLinj.pcap
new file mode 100644
index 000000000..f63da5f80
Binary files /dev/null and b/tests/pcap/WebattackSQLinj.pcap differ
diff --git a/tests/pcap/WebattackXSS.pcap b/tests/pcap/WebattackXSS.pcap
new file mode 100644
index 000000000..8fc8a89e8
Binary files /dev/null and b/tests/pcap/WebattackXSS.pcap differ
-- 
cgit v1.2.3


From 953571e3d8e612baf33ef0ec9e5a37a38ad702c0 Mon Sep 17 00:00:00 2001
From: Luca Deri <deri@ntop.org>
Date: Sun, 3 Nov 2019 17:15:40 +0100
Subject: Added comment

---
 src/lib/ndpi_content_match.c.inc | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

(limited to 'src')

diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 5345a3c46..ebf0fbc1b 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -1120,10 +1120,10 @@ static ndpi_network host_protocol_list[] = {
     Tor
     http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv
     From 09.09.2019
-    
+
     Use utils/toripaddr2list.py to convert them
   */
-  
+
   { 0x0122a339 /* 1.34.163.57/32 */, 32, NDPI_PROTOCOL_TOR },
   { 0x01EA0B8E /* 1.234.11.142/32 */, 32, NDPI_PROTOCOL_TOR },
   { 0x01F4E33D /* 1.244.227.61/32 */, 32, NDPI_PROTOCOL_TOR },
@@ -8220,7 +8220,7 @@ static ndpi_network host_protocol_list[] = {
   { 0xD04EA400 /* 208.78.164.0/22 */, 22, NDPI_PROTOCOL_STEAM },
 
   /* Line */
-  { 0x7DD1FC00 /* 125.209.252.0/24 */, 24, NDPI_PROTOCOL_LINE },	
+  { 0x7DD1FC00 /* 125.209.252.0/24 */, 24, NDPI_PROTOCOL_LINE },
 
   /* Zoom video conference app. */
   { 0x03501480 /* 3.80.20.128/25 */, 25, NDPI_PROTOCOL_ZOOM },
@@ -8629,7 +8629,7 @@ static ndpi_protocol_match host_match[] = {
 
   { ".bloombergvault.com", NULL, "\\.bloombergvault.\\com" TLD,                          "Bloomberg",        NDPI_PROTOCOL_BLOOMBERG, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE },
   { ".bloomberg.com", NULL, "\\.bloomberg.\\com" TLD,                                    "Bloomberg",        NDPI_PROTOCOL_BLOOMBERG, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE },
-  
+
   { ".push.apple.com", NULL, "\\.push\\.apple" TLD,                   "ApplePush",        NDPI_PROTOCOL_APPLE_PUSH, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE },
   { ".apple-dns.net", NULL, "\\.apple-dns" TLD,                       "Apple",            NDPI_PROTOCOL_APPLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
   { ".mzstatic.com", NULL, "\\.mzstatic" TLD,                         "Apple",            NDPI_PROTOCOL_APPLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
@@ -8708,8 +8708,10 @@ static ndpi_protocol_match host_match[] = {
 
     This traffic will bypass checks and blocks as it will include all the communications from/to
     the browser instead of using the standard communication mechanisms SSL/HTTP(S)/DNS
-  */
-  { ".googlezip.net", NULL, ".googlezip\\.net" TLD,                       "DataSaver",     NDPI_PROTOCOL_DATASAVER, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },	 
+
+    https://github.com/curl/curl/wiki/DNS-over-HTTPS
+*/
+  { ".googlezip.net", NULL, ".googlezip\\.net" TLD,                       "DataSaver",     NDPI_PROTOCOL_DATASAVER, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
   { "datasaver.googleapis.com", NULL, "datasaver\\.googleapis\\.com" TLD, "DataSaver",     NDPI_PROTOCOL_DATASAVER, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
 
   /* http://check.googlezip.net/connect [check browser connectivity] */
@@ -8841,7 +8843,7 @@ static ndpi_protocol_match host_match[] = {
   { "e4593.dspg.akamaiedge.net", NULL, "e4593\\.dspg\\.akamaiedge" TLD,"Skype",            NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE },
   { "e4593.g.akamaiedge.net", NULL, "e4593\\.g\\.akamaiedge" TLD,      "Skype",            NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE },
   { "*.gateway.messenger.live.com", NULL, "\\*\\.gateway\\.messenger\\.live" TLD, "Skype",            NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE },
-  
+
   { ".tuenti.com", NULL, "\\.tuenti" TLD,                              "Tuenti",           NDPI_PROTOCOL_TUENTI, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE },
 
   { ".twttr.com", NULL, "\\.twttr" TLD,                                "Twitter",          NDPI_PROTOCOL_TWITTER, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
@@ -9043,7 +9045,7 @@ static ndpi_protocol_match host_match[] = {
   { ".pps.tv", NULL, "\\.pps\\.tv$",                                   "PPStream",         NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN },
 
   { ".hulu.com", NULL, "\\.hulu",                                       "Hulu",            NDPI_PROTOCOL_HULU, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN },
-  
+
   /*
     VidTO streaming service
   */
@@ -9062,7 +9064,7 @@ static ndpi_protocol_match host_match[] = {
 };
 
 /* ******************************************************************** */
-   
+
 static ndpi_category_match category_match[] = {
    { ".edgecastcdn.net", "egdecastcdn" TLD,                       NDPI_PROTOCOL_CATEGORY_MEDIA },
    { ".hwcdn.net", "hwcdn" TLD,                                   NDPI_PROTOCOL_CATEGORY_MEDIA },
@@ -9196,5 +9198,3 @@ static const char *ndpi_en_impossible_bigrams[] = {
   "yj", "yq", "yv", "yz", "yw", "zb", "zc", "zg", "zh", "zj", "zn", "zq", "zs", "zx", "wh", "wk",
   "wb", "zk", "kp", "zk", "xy",
   NULL };
-
-
-- 
cgit v1.2.3


From 5b2c0f68fe0c9d805f14f49388ea864f2032a64e Mon Sep 17 00:00:00 2001
From: Luca Deri <deri@ntop.org>
Date: Mon, 4 Nov 2019 22:06:02 +0100
Subject: Telnet fix

---
 example/ndpiReader.c       |  2 +-
 src/lib/protocols/telnet.c | 27 +++++++++++++++++++++------
 2 files changed, 22 insertions(+), 7 deletions(-)

(limited to 'src')

diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index d7c5630ef..41e33f949 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -89,7 +89,7 @@ static u_int8_t stats_flag = 0, bpf_filter_flag = 0;
 static u_int8_t file_first_time = 1;
 #endif
 u_int8_t human_readeable_string_len = 5;
-u_int8_t max_num_udp_dissected_pkts = 16 /* 8 is enough for most protocols, Signal requires more */, max_num_tcp_dissected_pkts = 32 /* due to telnet */;
+u_int8_t max_num_udp_dissected_pkts = 16 /* 8 is enough for most protocols, Signal requires more */, max_num_tcp_dissected_pkts = 80 /* due to telnet */;
 static u_int32_t pcap_analysis_duration = (u_int32_t)-1;
 static u_int16_t decode_tunnels = 0;
 static u_int16_t num_loops = 1;
diff --git a/src/lib/protocols/telnet.c b/src/lib/protocols/telnet.c
index 59b1e4978..0fd00e6d4 100644
--- a/src/lib/protocols/telnet.c
+++ b/src/lib/protocols/telnet.c
@@ -29,14 +29,18 @@
 
 #include "ndpi_api.h"
 
+/* #define TELNET_DEBUG 1 */
+
 /* ************************************************************************ */
 
 static int search_telnet_again(struct ndpi_detection_module_struct *ndpi_struct,
 			       struct ndpi_flow_struct *flow) {
   struct ndpi_packet_struct *packet = &flow->packet;
 
-  // printf("==> %s()\n", __FUNCTION__);
-
+#ifdef TELNET_DEBUG
+  printf("==> %s() [%s]\n", __FUNCTION__, packet->payload);
+#endif
+  
   if(packet->payload[0] == 0xFF)
     return(1);
 
@@ -81,7 +85,7 @@ static void ndpi_int_telnet_add_connection(struct ndpi_detection_module_struct
 
   /* This is necessary to inform the core to call this dissector again */
   flow->check_extra_packets = 1;
-  flow->max_extra_packets_to_check = 32;
+  flow->max_extra_packets_to_check = 64;
   flow->extra_packets_func = search_telnet_again;
 
   ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TELNET, NDPI_PROTOCOL_UNKNOWN);
@@ -102,6 +106,10 @@ u_int8_t search_iac(struct ndpi_detection_module_struct *ndpi_struct,
 
   u_int16_t a;
 
+#ifdef TELNET_DEBUG
+  printf("==> %s()\n", __FUNCTION__);
+#endif
+
   if(packet->payload_packet_len < 3)
     return(0);
 
@@ -147,11 +155,18 @@ void ndpi_search_telnet_tcp(struct ndpi_detection_module_struct *ndpi_struct,
     return;
   }
 
-  if(((flow->packet_counter < 12) && (flow->l4.tcp.telnet_stage > 0)) || (flow->packet_counter < 6))
+  if(((flow->packet_counter < 12) && (flow->l4.tcp.telnet_stage > 0)) || (flow->packet_counter < 6)) {
+#ifdef TELNET_DEBUG
+    printf("==> [%s:%u] %s()\n", __FILE__, __LINE__, __FUNCTION__);
+#endif
     return;
-  else
+  } else {
+#ifdef TELNET_DEBUG
+    printf("==> [%s:%u] %s()\n", __FILE__, __LINE__, __FUNCTION__);
+#endif
     NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
-
+  }
+  
   return;
 }
 
-- 
cgit v1.2.3