STUN: fix Skype/MsTeams detection and monitoring logic #2028

Merged
merged 1 commit into from
Jul 3, 2023
Merged
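--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -6055,7 +6055,8 @@ static u_int32_t make_msteams_key(struct ndpi_flow_struct *flow, u_int8_t use_cl
 /* ********************************************************************************* */
 
 static void ndpi_reconcile_msteams_udp(struct ndpi_detection_module_struct *ndpi_str,
-struct ndpi_flow_struct *flow) {
+struct ndpi_flow_struct *flow,
+u_int16_t master) {
 
 /* This function can NOT access &ndpi_str->packet since it is called also from ndpi_detection_giveup(), via ndpi_reconcile_protocols() */
 
@@ -6067,8 +6068,10 @@ static void ndpi_reconcile_msteams_udp(struct ndpi_detection_module_struct *ndpi
 
 if(s_match || d_match) {
 ndpi_int_change_protocol(ndpi_str, flow,
-NDPI_PROTOCOL_SKYPE_TEAMS, flow->detected_protocol_stack[1],
-NDPI_CONFIDENCE_DPI_PARTIAL);
+NDPI_PROTOCOL_SKYPE_TEAMS, master,
+/* Keep the same confidence */
+flow->confidence);
+
 
 if(ndpi_str->msteams_cache)
 ndpi_lru_add_to_cache(ndpi_str->msteams_cache,
@@ -6136,7 +6139,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s
 
 switch(ret->app_protocol) {
 case NDPI_PROTOCOL_MICROSOFT_AZURE:
-ndpi_reconcile_msteams_udp(ndpi_str, flow);
+ndpi_reconcile_msteams_udp(ndpi_str, flow, flow->detected_protocol_stack[1]);
 break;
 
 /*
@@ -6157,7 +6160,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s
 
 case NDPI_PROTOCOL_STUN:
 if(flow && (flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_MICROSOFT_AZURE))
-ndpi_reconcile_msteams_udp(ndpi_str, flow);
+ndpi_reconcile_msteams_udp(ndpi_str, flow, NDPI_PROTOCOL_STUN);
 break;
 
 case NDPI_PROTOCOL_NETFLOW: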
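Review bot: The Azure branch in ndpi_reconcile_protocols now dereferences flow at the call site, `ndpi_reconcile_msteams_udp(ndpi_str, flow, flow->detected_protocol_stack[1]);`, with no NULL guard, while the STUN branch a few lines below still wraps the same call in `if(flow && ...)`; the two branches should agree on whether flow can be NULL here. If it can, the Azure call needs the same guard (`if(flow) ndpi_reconcile_msteams_udp(ndpi_str, flow, flow->detected_protocol_stack[1]);`); if it cannot, the `flow &&` test on the STUN branch is dead and misleading. The new `master` parameter also deserves a one-line comment on the signature, e.g. `/* master: protocol to keep as detected_protocol_stack[1] when the app protocol is switched to Skype/Teams */`, since one caller passes the flow's current master and the other the constant NDPI_PROTOCOL_STUN. The hunk at 6068 additionally introduces a second consecutive blank line after the ndpi_int_change_protocol() call that can be dropped. Both ndpi_reconcile_msteams_udp and ndpi_reconcile_protocols continue outside these hunks.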
9 changes: 7 additions & 2 deletions src/lib/protocols/stun.c
Expand Up @@ -51,7 +51,8 @@ static int stun_monitoring(struct ndpi_detection_module_struct *ndpi_struct,
u_int8_t first_byte;

#ifdef DEBUG_MONITORING
printf("[STUN-MON] Packet counter %d\n", flow->packet_counter);
printf("[STUN-MON] Packet counter %d protos %d/%d\n", flow->packet_counter,
flow->detected_protocol_stack[0], flow->detected_protocol_stack[1]);
#endif

if(packet->payload_packet_len == 0)
Expand Down Expand Up @@ -261,14 +262,18 @@ static void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *nd
0 /* dummy */, ndpi_get_current_time(flow));
}


#ifdef DEBUG_STUN
printf("[STUN] Setting %d\n", app_proto);
#endif
ndpi_set_detected_protocol(ndpi_struct, flow, app_proto, NDPI_PROTOCOL_STUN, confidence);

if(ndpi_struct->monitoring_stun_pkts_to_process > 0 &&
flow->l4_proto == IPPROTO_UDP /* TODO: support TCP. We need to pay some attention because:
* multiple msg in the same TCP segment
* same msg split across multiple segments */) {
if((ndpi_struct->monitoring_stun_flags & NDPI_MONITORING_STUN_SUBCLASSIFIED) ||
app_proto == NDPI_PROTOCOL_UNKNOWN /* No-subclassification */) {
flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN /* No-subclassification */) {
flow->max_extra_packets_to_check = ndpi_struct->monitoring_stun_pkts_to_process;
flow->extra_packets_func = stun_monitoring;
}
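Review bot: The rewritten monitoring condition `flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN /* No-subclassification */` inspects what ndpi_set_detected_protocol() just stored on the flow instead of the `app_proto` argument, so the check is only meaningful if it stays after that call, and nothing in the hunk records why the stack is preferred over app_proto. A short comment above the `if(ndpi_struct->monitoring_stun_pkts_to_process > 0 &&` line, such as `/* Must stay after ndpi_set_detected_protocol(): test the sub-protocol actually stored on the flow, not the requested app_proto */`, would keep a later edit from reordering the two statements. The `[STUN-MON]` debug print in the first hunk is fine, but the stack entries are presumably 16-bit values, so `%u` would match their promoted type more closely than `%d`; this is a style point only. ndpi_int_stun_add_connection and stun_monitoring both start outside their hunks.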
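--- /dev/null
+++ b/tests/cfgs/default/result/stun_msteams_unidir.pcapng.out
@@ -0,0 +1,25 @@
+Guessed flow protos: 0
+
+DPI Packets (UDP): 7 (7.00 pkts/flow)
+Confidence DPI : 1 (flows)
+Num dissector calls: 190 (190.00 diss/flow)
+LRU cache ookla: 0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/3/0 (insert/search/found)
+LRU cache zoom: 0/0/0 (insert/search/found)
+LRU cache stun: 0/6/0 (insert/search/found)
+LRU cache tls_cert: 0/0/0 (insert/search/found)
+LRU cache mining: 0/0/0 (insert/search/found)
+LRU cache msteams: 1/0/0 (insert/search/found)
+LRU cache stun_zoom: 0/0/0 (insert/search/found)
+Automa host: 0/0 (search/found)
+Automa domain: 0/0 (search/found)
+Automa tls cert: 0/0 (search/found)
+Automa risk mask: 0/0 (search/found)
+Automa common alpns: 0/0 (search/found)
+Patricia risk mask: 2/0 (search/found)
+Patricia risk: 0/0 (search/found)
+Patricia protocols: 2/1 (search/found)
+
+Skype_Teams 12 5944 1
+
+1 UDP 52.115.136.55:3479 -> 10.0.0.1:50006 [proto: 78.125/STUN.Skype_Teams][IP: 276/Azure][ClearText][Confidence: DPI][DPI packets: 7][cat: VoIP/10][12 pkts/5944 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][4.53 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 453/0 1210/0 379/0][Pkt Len c2s/s2c min/avg/max/stddev: 81/0 495/0 1257/0 539/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][Plen Bins: 0,16,33,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0]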