Added OperaVPN detection

ntop · Sep 9, 2023 · 6397745 · 6397745
1 parent 076edea
commit 6397745
Show file tree

Hide file tree

Showing 6 changed files with 128 additions and 9 deletions.
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
@@ -367,7 +367,7 @@ typedef enum {
   NDPI_PROTOCOL_HOTS                  = 336, /* Heroes of the Storm */
   NDPI_PROTOCOL_FACEBOOK_REEL_STORY   = 337,
   NDPI_PROTOCOL_SRTP                  = 338,
-  NDPI_PROTOCOL_FREE                  = 339, /* Formerly used by gambling now a category. It can be reused in the future */
+  NDPI_PROTOCOL_OPERA_VPN             = 339,
   NDPI_PROTOCOL_EPICGAMES             = 340,
   NDPI_PROTOCOL_GEFORCENOW            = 341,
   NDPI_PROTOCOL_NVIDIA                = 342,

diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
@@ -890,6 +890,8 @@ static ndpi_protocol_match host_match[] =
    { "hotspotshield.com",                    "HotspotShield",    NDPI_PROTOCOL_HOTSPOT_SHIELD, NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, NDPI_PROTOCOL_DEFAULT_LEVEL },
    { ".northghost.com",                      "HotspotShield",    NDPI_PROTOCOL_HOTSPOT_SHIELD, NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, NDPI_PROTOCOL_DEFAULT_LEVEL },
 
+   { ".sec-tunnel.com",                      "OperaVPN",    NDPI_PROTOCOL_OPERA_VPN, NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+
    { ".webex.com",                              "Webex",           NDPI_PROTOCOL_WEBEX, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
    { ".webexcontent.com",                       "Webex",           NDPI_PROTOCOL_WEBEX, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
 

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
@@ -896,11 +896,11 @@ int ndpi_init_app_protocol(struct ndpi_detection_module_struct *ndpi_str,
 
 void ndpi_init_protocol_match(struct ndpi_detection_module_struct *ndpi_str,
                               ndpi_protocol_match const * const match) {
-	if (ndpi_init_app_protocol(ndpi_str, match) == 0) {
-		ndpi_add_host_url_subprotocol(ndpi_str, match->string_to_match,
-				match->protocol_id, match->protocol_category,
-				match->protocol_breed, match->level);
-	}
+  if (ndpi_init_app_protocol(ndpi_str, match) == 0) {
+    ndpi_add_host_url_subprotocol(ndpi_str, match->string_to_match,
+				  match->protocol_id, match->protocol_category,
+				  match->protocol_breed, match->level);
+  }
 }
 
 /* ******************************************************************** */
@@ -2144,9 +2144,8 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
 			  "Mullvad", NDPI_PROTOCOL_CATEGORY_VPN,
 			  ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
 			  ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
-
-  ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_FREE,
-			  "Free", NDPI_PROTOCOL_CATEGORY_WEB,
+  ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_OPERA_VPN,
+			  "OperaVPN", NDPI_PROTOCOL_CATEGORY_VPN,
 			  ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
 			  ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
 

diff --git a/tests/cfgs/default/pcap/opera-vpn.pcapng b/tests/cfgs/default/pcap/opera-vpn.pcapng
diff --git a/tests/cfgs/default/result/dns-exf.pcap.out b/tests/cfgs/default/result/dns-exf.pcap.out
@@ -0,0 +1,25 @@
+Guessed flow protos:	0
+
+DPI Packets (UDP):	2	(2.00 pkts/flow)
+Confidence DPI              : 1 (flows)
+Num dissector calls: 1 (1.00 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache zoom:       0/0/0 (insert/search/found)
+LRU cache stun:       0/0/0 (insert/search/found)
+LRU cache tls_cert:   0/0/0 (insert/search/found)
+LRU cache mining:     0/0/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+LRU cache stun_zoom:  0/0/0 (insert/search/found)
+Automa host:          2/0 (search/found)
+Automa domain:        2/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     1/0 (search/found)
+Automa common alpns:  0/0 (search/found)
+Patricia risk mask:   2/0 (search/found)
+Patricia risk:        0/0 (search/found)
+Patricia protocols:   2/0 (search/found)
+
+DNS	2	342	1
+
+	1	UDP 192.168.2.225:45290 <-> 192.168.2.134:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/163 bytes <-> 1 pkts/179 bytes][Goodput ratio: 74/76][0.00 sec][Hostname/SNI: 4sicn03_2qaa3rlc3qudhh0aavjycxwakjehelu5klueow0zjxulgage-.4s2fgaaaa__-.test.txt][::][Risk: ** Susp DNS Traffic **** Non-Printable/Invalid Chars Detected **** Minor Issues **][Risk Score: 210][Risk Info: DNS Record with zero TTL][PLAIN TEXT (sICN03)][Plen Bins: 0,0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]