H323: fix false positives #1916

Merged
merged 1 commit into from
Apr 6, 2023
Merged
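--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -684,9 +684,6 @@ struct ndpi_flow_tcp_struct {
 /* NDPI_PROTOCOL_IRC */
 u_int8_t irc_stage;
 
-/* NDPI_PROTOCOL_H323 */
-u_int8_t h323_valid_packets;
-
 /* NDPI_PROTOCOL_GNUTELLA */
 u_int8_t gnutella_msg_id[3];
 
@@ -1529,6 +1526,9 @@ struct ndpi_flow_struct {
 u_int16_t all_packets_counter;
 u_int16_t packet_direction_complete_counter[2]; // can be 0 - 65000
 
+/* NDPI_PROTOCOL_H323 */
+u_int8_t h323_valid_packets;
+
 /* NDPI_PROTOCOL_BITTORRENT */
 u_int8_t bittorrent_stage; // can be 0 - 255
 u_int8_t bt_check_performed : 1;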
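Review bot: The relocated `h323_valid_packets` carries only the bare `/* NDPI_PROTOCOL_H323 */` label, while its new neighbours `packet_direction_complete_counter` and `bittorrent_stage` document their value range; it would be worth matching that and recording why the field left the `l4.tcp` union, e.g. `u_int8_t h323_valid_packets; // can be 0 - 255; bumped on TCP and UDP flows, so it must not live in l4.tcp`. The reason is presumably that the counter is now incremented for UDP flows as well (the h323.c hunks and the UDP flow in tests/result/h323.pcap.out going from 1 to 2 DPI packets point that way), which in the old layout meant writing a TCP-only union member from the UDP path; without a comment the field is liable to be moved back into the per-transport section by a later cleanup. Both struct definitions extend beyond the hunks shown here.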
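--- a/src/lib/protocols/cassandra.c
+++ b/src/lib/protocols/cassandra.c
@@ -119,7 +119,7 @@ static void ndpi_search_cassandra(struct ndpi_detection_module_struct *ndpi_stru
 ndpi_check_valid_cassandra_opcode(get_u_int8_t(packet->payload, 4)) &&
 ntohl(get_u_int32_t(packet->payload, 5)) <= CASSANDRA_MAX_BODY_SIZE &&
 ntohl(get_u_int32_t(packet->payload, 5)) >= (uint32_t) (packet->payload_packet_len - CASSANDRA_HEADER_LEN) &&
-flow->l4.tcp.h323_valid_packets == 0 /* To avoid clashing with H323 */ &&
+flow->h323_valid_packets == 0 /* To avoid clashing with H323 */ &&
 flow->socks4_stage == 0 /* To avoid clashing with SOCKS */) {
 if (flow->packet_counter > 3)
 {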
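--- a/src/lib/protocols/h323.c
+++ b/src/lib/protocols/h323.c
@@ -68,9 +68,9 @@ static void ndpi_search_h323(struct ndpi_detection_module_struct *ndpi_struct, s
 }
 }
 
-flow->l4.tcp.h323_valid_packets++;
+flow->h323_valid_packets++;
 
-if(flow->l4.tcp.h323_valid_packets >= 2) {
+if(flow->h323_valid_packets >= 2) {
 NDPI_LOG_INFO(ndpi_struct, "found H323 broadcast\n");
 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
 }
@@ -103,9 +103,12 @@ static void ndpi_search_h323(struct ndpi_detection_module_struct *ndpi_struct, s
 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
 return;
 } else if(packet->payload_packet_len >= 20 && packet->payload_packet_len <= 117) {
-NDPI_LOG_INFO(ndpi_struct, "found H323 broadcast\n");
-ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
-return;
+/* This check is quite generic: let's check another packet...*/
+flow->h323_valid_packets++;
+if(flow->h323_valid_packets >= 2) {
+NDPI_LOG_INFO(ndpi_struct, "found H323 broadcast\n");
+ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+}
 } else {
 NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 return;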
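Review bot: In the second hunk the generic-length branch no longer returns while `flow->h323_valid_packets` is still below 2, so control now falls out of the if/else-if chain into whatever follows it outside the hunk; if that tail is anything other than the end of the function, a first generic-length packet will now also execute it, which should be checked against the full body. The threshold 2 and the `"found H323 broadcast"` detection block are now duplicated across the two hunks; a single named constant, say `#define H323_MIN_VALID_PACKETS 2` (name constructed), or a small static helper would keep the two checks from drifting apart. The counter is a u_int8_t that is only ever incremented here, so a short comment on the increment noting that it is never reset and presumably relies on the flow being detected or excluded long before it could wrap would help the next reader. ndpi_search_h323 starts before the first hunk and continues past the last.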
Binary file added tests/pcap/h323_false_positive.pcap
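--- a/tests/result/h323.pcap.out
+++ b/tests/result/h323.pcap.out
@@ -1,9 +1,9 @@
 Guessed flow protos: 0
 
 DPI Packets (TCP): 2 (2.00 pkts/flow)
-DPI Packets (UDP): 1 (1.00 pkts/flow)
+DPI Packets (UDP): 2 (2.00 pkts/flow)
 Confidence DPI : 2 (flows)
-Num dissector calls: 118 (59.00 diss/flow)
+Num dissector calls: 224 (112.00 diss/flow)
 LRU cache ookla: 0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom: 0/0/0 (insert/search/found)
@@ -23,5 +23,5 @@ Patricia protocols: 2/2 (search/found)
 
 H323 12 1825 2
 
-1 UDP 17.2.0.124:2034 <-> 17.2.0.161:1719 [proto: 158/H323][IP: 140/Apple][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][3 pkts/665 bytes <-> 7 pkts/853 bytes][Goodput ratio: 81/65][80.21 sec][bytes ratio: -0.124 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 247/336 288/13362 330/70142 42/25418][Pkt Len c2s/s2c min/avg/max/stddev: 80/67 222/122 411/176 139/48][PLAIN TEXT (@333333330)][Plen Bins: 20,20,10,10,30,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+1 UDP 17.2.0.124:2034 <-> 17.2.0.161:1719 [proto: 158/H323][IP: 140/Apple][ClearText][Confidence: DPI][DPI packets: 2][cat: VoIP/10][3 pkts/665 bytes <-> 7 pkts/853 bytes][Goodput ratio: 81/65][80.21 sec][bytes ratio: -0.124 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 247/336 288/13362 330/70142 42/25418][Pkt Len c2s/s2c min/avg/max/stddev: 80/67 222/122 411/176 139/48][PLAIN TEXT (@333333330)][Plen Bins: 20,20,10,10,30,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 2 TCP 17.2.0.124:3032 <-> 17.2.0.122:1720 [proto: 158/H323][IP: 140/Apple][ClearText][Confidence: DPI][DPI packets: 2][cat: VoIP/10][1 pkts/207 bytes <-> 1 pkts/100 bytes][Goodput ratio: 74/46][0.06 sec][PLAIN TEXT (5295672)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]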
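--- /dev/null
+++ b/tests/result/h323_false_positive.pcap.out
@@ -0,0 +1,25 @@
+Guessed flow protos: 0
+
+DPI Packets (UDP): 4 (4.00 pkts/flow)
+Confidence DPI : 1 (flows)
+Num dissector calls: 76 (76.00 diss/flow)
+LRU cache ookla: 0/0/0 (insert/search/found)
+LRU cache bittorrent: 5/0/0 (insert/search/found)
+LRU cache zoom: 0/0/0 (insert/search/found)
+LRU cache stun: 0/0/0 (insert/search/found)
+LRU cache tls_cert: 0/0/0 (insert/search/found)
+LRU cache mining: 0/0/0 (insert/search/found)
+LRU cache msteams: 0/0/0 (insert/search/found)
+LRU cache stun_zoom: 0/0/0 (insert/search/found)
+Automa host: 0/0 (search/found)
+Automa domain: 0/0 (search/found)
+Automa tls cert: 0/0 (search/found)
+Automa risk mask: 0/0 (search/found)
+Automa common alpns: 0/0 (search/found)
+Patricia risk mask: 2/0 (search/found)
+Patricia risk: 0/0 (search/found)
+Patricia protocols: 2/0 (search/found)
+
+BitTorrent 4 645 1
+
+1 UDP 10.0.2.15:23994 <-> 112.51.146.106:1719 [proto: 37/BitTorrent][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Download/7][2 pkts/231 bytes <-> 2 pkts/414 bytes][Goodput ratio: 63/80][16.92 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: Expected on port 6771,51413][PLAIN TEXT (target20)][Plen Bins: 0,50,0,25,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]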