Allow IP guess before port in ndpi_detection_giveup (ntop#2562)

Add dpi.guess_ip_before_port which when enabled uses classification by-ip before classification by-port.
1253818934 · Sep 20, 2024 · 80971e4 · 80971e4
1 parent 191694f
commit 80971e4
Show file tree

Hide file tree

Showing 7 changed files with 284 additions and 3 deletions.
diff --git a/doc/configuration_parameters.md b/doc/configuration_parameters.md
@@ -14,6 +14,7 @@ TODO
 | NULL         | "dpi.compute_entropy"                     | 1             | NULL      | NULL      | Enable/disable computation of flow entropy |
 | NULL         | "fpc"                                     | enable        | NULL      | NULL      | Enable/disable First Packet Classification |
 | NULL         | "dpi.guess_on_giveup"                     | 0x03          | 0x00      | 0x03      | Tell the library to guess flow classification, if any DPI algorithms/logics fail.  The value is a bitmask. Values: 0x0 = disabled; 0x01 = enable guessing by port; 0x02 = enable guessing by ip |
+| NULL         | "dpi.guess_ip_before_port"                | disable       | NULL      | NULL      | Enable/disable guessing by IP first when guessing flow classifcation. Disabled = guess by port first. |
 | NULL         | "flow_risk_lists.load"                    | 1             | NULL      | NULL      | Enable/disable loading of every IP addresses lists used to check any flow risks |
 | NULL         | "flow_risk.anonymous_subscriber.list.icloudprivaterelay.load" | 1             | NULL      | NULL      | Enable/disable loading of internal iCouldPrivateRealy IP address list used to check `NDPI_ANONYMOUS_SUBSCRIBER` flow risk |
 | NULL         | "flow_risk.anonymous_subscriber.list.protonvpn.load"          | 1             | NULL      | NULL      | Enable/disable loading of internal IP address list of ProtonVPN exit nodes used to check `NDPI_ANONYMOUS_SUBSCRIBER` flow risk  |

diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp
@@ -321,6 +321,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     snprintf(cfg_value, sizeof(cfg_value), "%d", value);
     ndpi_set_config(ndpi_info_mod, NULL, "dpi.guess_on_giveup", cfg_value);
   }
+  if(fuzzed_data.ConsumeBool()) {
+    value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
+    snprintf(cfg_value, sizeof(cfg_value), "%d", value);
+    ndpi_set_config(ndpi_info_mod, NULL, "dpi.guess_ip_before_port", cfg_value);
+  }
   if(fuzzed_data.ConsumeBool()) {
     value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
     snprintf(cfg_value, sizeof(cfg_value), "%d", value);

diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
@@ -199,6 +199,7 @@ struct ndpi_detection_module_config_struct {
   int guess_on_giveup;
   int compute_entropy;
   int fpc_enabled;
+  int guess_ip_before_port;
 
   char filename_config[CFG_MAX_LEN];
 

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
@@ -7896,6 +7896,20 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
     ndpi_set_risk(flow, NDPI_FULLY_ENCRYPTED, NULL);
   }
 
+  /* If guess_ip_before_port is enabled, classify by-ip first */
+  if((ndpi_str->cfg.guess_ip_before_port))
+  {
+    if((ndpi_str->cfg.guess_on_giveup & NDPI_GIVEUP_GUESS_BY_IP) &&
+    ret.proto.app_protocol == NDPI_PROTOCOL_UNKNOWN &&
+    flow->guessed_protocol_id_by_ip != NDPI_PROTOCOL_UNKNOWN) {
+
+    ndpi_set_detected_protocol(ndpi_str, flow,
+			       flow->guessed_protocol_id_by_ip,
+			       ret.proto.master_protocol,
+			       NDPI_CONFIDENCE_MATCH_BY_IP);
+    ret.proto.app_protocol = flow->detected_protocol_stack[0];
+    }
+  }
   /* Classification by-port */
   if((ndpi_str->cfg.guess_on_giveup & NDPI_GIVEUP_GUESS_BY_PORT) &&
      ret.proto.app_protocol == NDPI_PROTOCOL_UNKNOWN) {
@@ -7912,9 +7926,9 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
       ret.proto.app_protocol = flow->detected_protocol_stack[0];
     }
   }
-
-  /* Classification by-ip, as last effort */
-  if((ndpi_str->cfg.guess_on_giveup & NDPI_GIVEUP_GUESS_BY_IP) &&
+  /* Classification by-ip, as last effort if guess_ip_before_port is disabled*/
+  if(!(ndpi_str->cfg.guess_ip_before_port) &&
+     (ndpi_str->cfg.guess_on_giveup & NDPI_GIVEUP_GUESS_BY_IP) &&
      ret.proto.app_protocol == NDPI_PROTOCOL_UNKNOWN &&
      flow->guessed_protocol_id_by_ip != NDPI_PROTOCOL_UNKNOWN) {
 
@@ -11493,6 +11507,7 @@ static const struct cfg_param {
   { NULL,            "fully_encrypted_heuristic",               "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(fully_encrypted_heuristic), NULL },
   { NULL,            "libgcrypt.init",                          "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(libgcrypt_init), NULL },
   { NULL,            "dpi.guess_on_giveup",                     "0x3", "0", "3", CFG_PARAM_INT, __OFF(guess_on_giveup), NULL },
+  { NULL,            "dpi.guess_ip_before_port",                "disable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(guess_ip_before_port), NULL},
   { NULL,            "dpi.compute_entropy",                     "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(compute_entropy), NULL },
   { NULL,            "fpc",                                     "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(fpc_enabled), NULL },
 

diff --git a/tests/cfgs/guess_ip_before_port_enabled/config.txt b/tests/cfgs/guess_ip_before_port_enabled/config.txt
@@ -0,0 +1 @@
+--cfg=dpi.guess_ip_before_port,1
diff --git a/tests/cfgs/guess_ip_before_port_enabled/pcap/1kxun.pcap b/tests/cfgs/guess_ip_before_port_enabled/pcap/1kxun.pcap
@@ -0,0 +1 @@
+../../default/pcap/1kxun.pcap