Added support for Snapchat

Reworked code to better handle host-based protocols
ntop · Jul 5, 2015 · f5d6cd5 · f5d6cd5
1 parent 09c137b
commit f5d6cd5
Show file tree

Hide file tree

Showing 6 changed files with 49 additions and 15 deletions.
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
@@ -245,9 +245,10 @@
 #define NDPI_SERVICE_QUICKPLAY                          196 /* Streaming service used by various services such as hooq.tv  */
 #define NDPI_SERVICE_TIM                                197 /* Traffic for tim.com.br and tim.it */
 #define NDPI_PROTOCOL_MPEGTS        			198
+#define NDPI_SERVICE_SNAPCHAT                           199
 
 /* UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE */
-#define NDPI_LAST_IMPLEMENTED_PROTOCOL			NDPI_PROTOCOL_MPEGTS
+#define NDPI_LAST_IMPLEMENTED_PROTOCOL			NDPI_SERVICE_SNAPCHAT
 
 #define NDPI_MAX_SUPPORTED_PROTOCOLS (NDPI_LAST_IMPLEMENTED_PROTOCOL + 1)
 #define NDPI_MAX_NUM_CUSTOM_PROTOCOLS                   (NDPI_NUM_BITS-NDPI_LAST_IMPLEMENTED_PROTOCOL)

diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
@@ -7372,6 +7372,12 @@ ndpi_protocol_match host_match[] = {
   { "quickplay.com",                    "QuickPlay",            NDPI_SERVICE_QUICKPLAY, NDPI_PROTOCOL_FUN },
   { "tim.com.br",                       "TIM",                  NDPI_SERVICE_TIM, NDPI_PROTOCOL_ACCEPTABLE },
   { "tim.it",                           "TIM",                  NDPI_SERVICE_TIM, NDPI_PROTOCOL_ACCEPTABLE },
+
+  /* https://support.cipafilter.com/index.php?/Knowledgebase/Article/View/117/0/snapchat---how-to-block */
+  { "feelinsonice.appspot.com",         "Snapchat",             NDPI_SERVICE_SNAPCHAT, NDPI_PROTOCOL_FUN },
+  { "feelinsonice-hrd.appspot.com",     "Snapchat",             NDPI_SERVICE_SNAPCHAT, NDPI_PROTOCOL_FUN },
+  { "feelinsonice.com",                 "Snapchat",             NDPI_SERVICE_SNAPCHAT, NDPI_PROTOCOL_FUN },
+
   { NULL, 0 }
 };
 

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
@@ -530,15 +530,25 @@ void ndpi_set_proto_defaults(struct ndpi_detection_module_struct *ndpi_mod,
 			     u_int16_t tcp_master_protoId[2], u_int16_t udp_master_protoId[2],
 			     char *protoName,
 			     ndpi_port_range *tcpDefPorts, ndpi_port_range *udpDefPorts) {
-  char *name = ndpi_strdup(protoName);
+  char *name;
   int j;
 
   if(protoId >= NDPI_MAX_SUPPORTED_PROTOCOLS+NDPI_MAX_NUM_CUSTOM_PROTOCOLS) {
-    printf("[NDPI] %s(protoId=%d): INTERNAL ERROR\n", __FUNCTION__, protoId);
-    ndpi_free(name);
+#ifdef DEBUG
+    printf("[NDPI] %s(%s/protoId=%d): INTERNAL ERROR\n", __FUNCTION__, protoName, protoId);
+#endif
+    return;
+  }
+
+  if(ndpi_mod->proto_defaults[protoId].protoName != NULL) {
+#ifdef DEBUG
+    printf("[NDPI] %s(%s/protoId=%d): already initialized. Ignoring it\n", __FUNCTION__, protoName, protoId);
+#endif
     return;
   }
 
+  name = ndpi_strdup(protoName);
+
   ndpi_mod->proto_defaults[protoId].protoName = name,
     ndpi_mod->proto_defaults[protoId].protoId = protoId,
     ndpi_mod->proto_defaults[protoId].protoBreed = breed;
@@ -672,6 +682,10 @@ static int ndpi_string_to_automa(struct ndpi_detection_module_struct *ndpi_struc
 static int ndpi_add_host_url_subprotocol(struct ndpi_detection_module_struct *ndpi_struct,
 					 char *value, int protocol_id,
 					 ndpi_protocol_breed_t breed) {
+#ifdef DEBUG
+  printf("[NDPI] Adding [%s][%d]\n", value, protocol_id);
+#endif
+
   return(ndpi_string_to_automa(ndpi_struct, &ndpi_struct->host_automa,
 			       value, protocol_id, breed));
 }
@@ -681,7 +695,8 @@ static int ndpi_add_host_url_subprotocol(struct ndpi_detection_module_struct *nd
 int ndpi_add_content_subprotocol(struct ndpi_detection_module_struct *ndpi_struct,
 				 char *value, int protocol_id,
 				 ndpi_protocol_breed_t breed) {
-  return(ndpi_string_to_automa(ndpi_struct, &ndpi_struct->content_automa, value, protocol_id, breed));
+  return(ndpi_string_to_automa(ndpi_struct, &ndpi_struct->content_automa, 
+			       value, protocol_id, breed));
 }
 
 /* ****************************************************** */
@@ -705,6 +720,9 @@ static void init_string_based_protocols(struct ndpi_detection_module_struct *ndp
   int i;
 
   for(i=0; host_match[i].string_to_match != NULL; i++) {
+    u_int16_t no_master[2] = { NDPI_PROTOCOL_NO_MASTER_PROTO, NDPI_PROTOCOL_NO_MASTER_PROTO };
+    ndpi_port_range ports_a[MAX_DEFAULT_PORTS], ports_b[MAX_DEFAULT_PORTS];
+
     ndpi_add_host_url_subprotocol(ndpi_mod, host_match[i].string_to_match,
 				  host_match[i].protocol_id, host_match[i].protocol_breed);
 
@@ -713,8 +731,20 @@ static void init_string_based_protocols(struct ndpi_detection_module_struct *ndp
       ndpi_mod->proto_defaults[host_match[i].protocol_id].protoId = host_match[i].protocol_id;
       ndpi_mod->proto_defaults[host_match[i].protocol_id].protoBreed = host_match[i].protocol_breed;
     }
+
+    ndpi_set_proto_defaults(ndpi_mod, 
+			    ndpi_mod->proto_defaults[host_match[i].protocol_id].protoBreed,
+			    ndpi_mod->proto_defaults[host_match[i].protocol_id].protoId,
+			    no_master, no_master,
+			    ndpi_mod->proto_defaults[host_match[i].protocol_id].protoName,
+			    ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+			    ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
   }
 
+#ifdef DEBUG
+  ac_automata_display(ndpi_mod->host_automa.ac_automa, 'n');
+#endif
+
   for(i=0; content_match[i].string_to_match != NULL; i++)
     ndpi_add_content_subprotocol(ndpi_mod, content_match[i].string_to_match,
 				 content_match[i].protocol_id,
@@ -5280,7 +5310,7 @@ static int ndpi_automa_match_string_subprotocol(struct ndpi_detection_module_str
   struct ndpi_packet_struct *packet = &flow->packet;
   AC_TEXT_t ac_input_text;
 
-  if((automa->ac_automa == NULL) || (string_to_match_len== 0)) return(NDPI_PROTOCOL_UNKNOWN);
+  if((automa->ac_automa == NULL) || (string_to_match_len == 0)) return(NDPI_PROTOCOL_UNKNOWN);
 
   if(!automa->ac_automa_finalized) {
     ac_automata_finalize((AC_AUTOMATA_t*)automa->ac_automa);

diff --git a/src/lib/protocols/skype.c b/src/lib/protocols/skype.c
@@ -119,15 +119,6 @@ void ndpi_search_skype(struct ndpi_detection_module_struct *ndpi_struct, struct
 }
 
 void init_skype_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) {
-  ndpi_port_range ports_a[MAX_DEFAULT_PORTS], ports_b[MAX_DEFAULT_PORTS];
-  u_int16_t no_master[2] = { NDPI_PROTOCOL_NO_MASTER_PROTO, NDPI_PROTOCOL_NO_MASTER_PROTO };
-
-  ndpi_set_proto_defaults(ndpi_struct, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SKYPE,
-			  no_master,
-			  no_master, "Skype",
-			  ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
-			  ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
-
   ndpi_set_bitmask_protocol_detection("Skype", ndpi_struct, detection_bitmask, *id,
 				      NDPI_PROTOCOL_SKYPE,
 				      ndpi_search_skype,

diff --git a/tests/pcap/snapchat.pcap b/tests/pcap/snapchat.pcap
diff --git a/tests/result/snapchat.pcap.out b/tests/result/snapchat.pcap.out
@@ -0,0 +1,6 @@
+SSL_No_Cert	22	2879	1
+Snapchat	34	7320	2
+
+	1	TCP 10.8.0.1:56193 <-> 74.125.136.141:443 [proto: 199/Snapchat][17 pkts/3943 bytes][SSL client: feelinsonice-hrd.appspot.com]
+	2	TCP 10.8.0.1:44536 <-> 74.125.136.141:443 [proto: 199/Snapchat][17 pkts/3377 bytes][SSL client: feelinsonice-hrd.appspot.com]
+	3	TCP 10.8.0.1:33233 <-> 74.125.136.141:443 [proto: 64/SSL_No_Cert][22 pkts/2879 bytes]