IRC: simplify detection

The long term goal is to simplify how we handle packet lines

Author: IvanNardi

src/include/ndpi_private.h

@@ -693,7 +693,6 @@ char *ndpi_user_agent_set(struct ndpi_flow_struct *flow, const u_int8_t *value,
 
 void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_struct,
 					  struct ndpi_flow_struct *flow);
-void ndpi_parse_packet_line_info_any(struct ndpi_detection_module_struct *ndpi_struct);
 
 void load_common_alpns(struct ndpi_detection_module_struct *ndpi_str);
 u_int8_t is_a_common_alpn(struct ndpi_detection_module_struct *ndpi_str,

src/include/ndpi_typedefs.h

@@ -906,9 +906,6 @@ struct ndpi_flow_tcp_struct {
   /* NDPI_PROTOCOL_WHATSAPP */
   u_int8_t wa_matched_so_far;
 
-  /* NDPI_PROTOCOL_IRC */
-  u_int8_t irc_stage;
-
   /* NDPI_PROTOCOL_NEST_LOG_SINK */
   u_int8_t nest_log_sink_matches;
 
@@ -919,7 +916,7 @@ struct ndpi_flow_tcp_struct {
   u_int64_t seen_syn:1, seen_syn_ack:1, seen_ack:1;
 
   /* NDPI_PROTOCOL_IRC */
-  u_int64_t irc_3a_counter:3;
+  u_int64_t irc_stage:2;
 
   /* NDPI_PROTOCOL_USENET */
   u_int64_t usenet_stage:2;
@@ -970,7 +967,7 @@ struct ndpi_flow_tcp_struct {
   u_int64_t rdp_protocol_detected:1;
 
   /* Reserved for future use */
-  u_int64_t reserved:20;
+  u_int64_t reserved:21;
 };
 
 /* ************************************************** */

src/lib/ndpi_main.c

@@ -11120,47 +11120,6 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str,
 
 /* ********************************************************************************* */
 
-void ndpi_parse_packet_line_info_any(struct ndpi_detection_module_struct *ndpi_str) {
-  struct ndpi_packet_struct *packet = &ndpi_str->packet;
-  u_int32_t a;
-  u_int16_t end = packet->payload_packet_len;
-
-  if(packet->packet_lines_parsed_complete != 0)
-    return;
-
-  packet->packet_lines_parsed_complete = 1;
-  packet->parsed_lines = 0;
-
-  if(packet->payload_packet_len == 0)
-    return;
-
-  packet->line[packet->parsed_lines].ptr = packet->payload;
-  packet->line[packet->parsed_lines].len = 0;
-
-  for(a = 0; a < end; a++) {
-    if(packet->payload[a] == 0x0a) {
-      packet->line[packet->parsed_lines].len = (u_int16_t)(((size_t) &packet->payload[a]) - ((size_t) packet->line[packet->parsed_lines].ptr));
-
-      if(a > 0 && packet->payload[a - 1] == 0x0d)
-	packet->line[packet->parsed_lines].len--;
-
-      if(packet->parsed_lines >= (NDPI_MAX_PARSE_LINES_PER_PACKET - 1))
-	break;
-
-      packet->parsed_lines++;
-      packet->line[packet->parsed_lines].ptr = &packet->payload[a + 1];
-      packet->line[packet->parsed_lines].len = 0;
-
-      if((a + 1) >= packet->payload_packet_len)
-	break;
-
-      //a++;
-    }
-  }
-}
-
-/* ********************************************************************************* */
-
 u_int8_t ndpi_detection_get_l4(const u_int8_t *l3, u_int16_t l3_len, const u_int8_t **l4_return,
 			       u_int16_t *l4_len_return, u_int8_t *l4_protocol_return, u_int32_t flags) {
   return(ndpi_detection_get_l4_internal(NULL, l3, l3_len, l4_return, l4_len_return, l4_protocol_return, flags));

src/lib/protocols/irc.c

@@ -32,6 +32,7 @@
 
 static void ndpi_int_irc_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, ndpi_confidence_t confidence)
 {
+  NDPI_LOG_INFO(ndpi_struct, "Found IRC\n");
   ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_IRC, NDPI_PROTOCOL_UNKNOWN, confidence);
 }
 
@@ -50,122 +51,49 @@ static void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct
 {
   struct ndpi_packet_struct *packet = &ndpi_struct->packet;
 
-  u_int16_t c = 0;
-  u_int16_t i = 0;
-
   NDPI_LOG_DBG(ndpi_struct, "search irc\n");
-  if((flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC && (flow->packet_counter > 10))
-     || (flow->packet_counter >= 10)) {
-    NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
-    return;
-  }
-
-  if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC && flow->packet_counter < 20
-      && packet->payload_packet_len >= 8) {
-    if (get_u_int8_t(packet->payload, packet->payload_packet_len - 1) == 0x0a
-	|| (ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0a00)) {
-      if (memcmp(packet->payload, ":", 1) == 0) {
-	if (packet->payload[packet->payload_packet_len - 2] != 0x0d
-	    && packet->payload[packet->payload_packet_len - 1] == 0x0a) {
-	  ndpi_parse_packet_line_info_any(ndpi_struct);
-	} else if (packet->payload[packet->payload_packet_len - 2] == 0x0d) {
-	  ndpi_parse_packet_line_info(ndpi_struct, flow);
-	} else {
-	  flow->l4.tcp.irc_3a_counter++;
-	  packet->parsed_lines = 0;
-	}
-	for (i = 0; i < packet->parsed_lines; i++) {
-	  if ((packet->line[i].len > 0) && packet->line[i].ptr[0] == ':') {
-	    flow->l4.tcp.irc_3a_counter++;
-	    if (flow->l4.tcp.irc_3a_counter == 7) {	/* ':' == 0x3a */
-	      NDPI_LOG_INFO(ndpi_struct, "found irc. 0x3a. seven times.");
-	      ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI);
-	      return;
-	    }
-	  }
-	}
-	if (flow->l4.tcp.irc_3a_counter == 7) {	/* ':' == 0x3a */
-	  NDPI_LOG_INFO(ndpi_struct, "found irc. 0x3a. seven times.");
-	  ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI);
-	  return;
-	}
-      }
 
-      if ((memcmp(packet->payload, "USER ", 5) == 0)
-	  || (memcmp(packet->payload, "NICK ", 5) == 0)
-	  || (memcmp(packet->payload, "PASS ", 5) == 0)
-	  || (memcmp(packet->payload, ":", 1) == 0 && ndpi_check_for_NOTICE_or_PRIVMSG(ndpi_struct) != 0)
-	  || (memcmp(packet->payload, "PONG ", 5) == 0)
-	  || (memcmp(packet->payload, "PING ", 5) == 0)
-	  || (memcmp(packet->payload, "JOIN ", 5) == 0)
-	  || (memcmp(packet->payload, "MODE ", 5) == 0)
-	  || (memcmp(packet->payload, "NOTICE ", 7) == 0)
-	  || (memcmp(packet->payload, "PRIVMSG ", 8) == 0)
-	  || (memcmp(packet->payload, "VERSION ", 8) == 0)) {
-	char *user = ndpi_strnstr((char*)packet->payload, "USER ", packet->payload_packet_len);
-
-	if(user) {
-	  char buf[32], msg[64], *sp;
-
-	  snprintf(buf, sizeof(buf), "%.*s", (int)(packet->payload_packet_len - (user + 5 - (char *)packet->payload)), user + 5);
-	  sp = buf;
-	  strsep(&sp, " \r\n");
+  /* Simple detection, expecially from the beginning of the flow */
+
+  if(packet->payload_packet_len >= 8 &&
+     (get_u_int8_t(packet->payload, packet->payload_packet_len - 1) == 0x0a ||
+      ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0a00)) {
+
+    if (memcmp(packet->payload, "USER ", 5) == 0 ||
+	memcmp(packet->payload, "NICK ", 5) == 0 ||
+	memcmp(packet->payload, "PASS ", 5) == 0 ||
+	(memcmp(packet->payload, ":", 1) == 0 && ndpi_check_for_NOTICE_or_PRIVMSG(ndpi_struct) != 0) ||
+	memcmp(packet->payload, "PONG ", 5) == 0 ||
+	memcmp(packet->payload, "HELLO ", 6) == 0 ||
+	memcmp(packet->payload, "YOURIP ", 7) == 0 ||
+	memcmp(packet->payload, "PING ", 5) == 0 ||
+	memcmp(packet->payload, "JOIN ", 5) == 0 ||
+	memcmp(packet->payload, "MODE ", 5) == 0 ||
+	memcmp(packet->payload, "NOTICE ", 7) == 0 ||
+	memcmp(packet->payload, "PRIVMSG ", 8) == 0 ||
+	memcmp(packet->payload, "VERSION ", 8) == 0) {
+      char *user = ndpi_strnstr((char*)packet->payload, "USER ", packet->payload_packet_len);
+
+      if(user) {
+        char buf[32], msg[64], *sp;
+
+        snprintf(buf, sizeof(buf), "%.*s", (int)(packet->payload_packet_len - (user + 5 - (char *)packet->payload)), user + 5);
+	sp = buf;
+	strsep(&sp, " \r\n");
 
-	  snprintf(msg, sizeof(msg), "Found IRC username (%s)", buf);
-	  ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, msg);
-	}
-	
-	NDPI_LOG_DBG2(ndpi_struct,
-		      "USER, NICK, PASS, NOTICE, PRIVMSG one time");
-	if (flow->l4.tcp.irc_stage == 2) {
-	  NDPI_LOG_INFO(ndpi_struct, "found irc");
-	  ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI);
-	  flow->l4.tcp.irc_stage = 3;
-	}
-	if (flow->l4.tcp.irc_stage == 1) {
-	  NDPI_LOG_DBG2(ndpi_struct, "second time, stage=2");
-	  flow->l4.tcp.irc_stage = 2;
-	}
-	if (flow->l4.tcp.irc_stage == 0) {
-	  NDPI_LOG_DBG2(ndpi_struct, "first time, stage=1");
-	  flow->l4.tcp.irc_stage = 1;
-	}
-	/* irc packets can have either windows line breaks (0d0a) or unix line breaks (0a) */
-	if (packet->payload[packet->payload_packet_len - 2] == 0x0d
-	    && packet->payload[packet->payload_packet_len - 1] == 0x0a) {
-	  ndpi_parse_packet_line_info(ndpi_struct, flow);
-	  if (packet->parsed_lines > 1) {
-	    NDPI_LOG_DBG2(ndpi_struct, "packet contains more than one line");
-	    for (c = 1; c < packet->parsed_lines; c++) {
-	      if (packet->line[c].len > 4 && (memcmp(packet->line[c].ptr, "NICK ", 5) == 0
-					      || memcmp(packet->line[c].ptr, "USER ", 5) == 0)) {
-		NDPI_LOG_INFO(ndpi_struct, "found IRC: two icq signal words in the same packet");
-		ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI);
-		flow->l4.tcp.irc_stage = 3;
-		return;
-	      }
-	    }
-	  }
-
-	} else if (packet->payload[packet->payload_packet_len - 1] == 0x0a) {
-	  ndpi_parse_packet_line_info_any(ndpi_struct);
-	  if (packet->parsed_lines > 1) {
-	    NDPI_LOG_DBG2(ndpi_struct, "packet contains more than one line");
-	    for (c = 1; c < packet->parsed_lines; c++) {
-	      if (packet->line[c].len > 4 && (memcmp(packet->line[c].ptr, "NICK ", 5) == 0
-					      || memcmp(packet->line[c].ptr, "USER ",
-							5) == 0)) {
-		NDPI_LOG_INFO(ndpi_struct, "found IRC: two icq signal words in the same packet");
-		ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI);
-		flow->l4.tcp.irc_stage = 3;
-		return;
-	      }
-	    }
-	  }
-	}
+        snprintf(msg, sizeof(msg), "Found IRC username (%s)", buf);
+        ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, msg);
       }
+
+      NDPI_LOG_DBG2(ndpi_struct, "IRC stage: %d\n", flow->l4.tcp.irc_stage);
+      flow->l4.tcp.irc_stage++;
+      /* 3 consecutive valid packets */
+      if(flow->l4.tcp.irc_stage == 3)
+        ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI);
+      return;
     }
   }
+  NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
 }
 
 void init_irc_dissector(struct ndpi_detection_module_struct *ndpi_struct)

tests/cfgs/caches_cfg/result/ookla.pcap.out

@@ -3,7 +3,7 @@ Guessed flow protos:	1
 DPI Packets (TCP):	40	(6.67 pkts/flow)
 Confidence Match by port    : 1 (flows)
 Confidence DPI              : 5 (flows)
-Num dissector calls: 572 (95.33 diss/flow)
+Num dissector calls: 566 (94.33 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

tests/cfgs/caches_cfg/result/teams.pcap.out

@@ -6,7 +6,7 @@ DPI Packets (other):	1	(1.00 pkts/flow)
 Confidence Unknown          : 1 (flows)
 Confidence Match by port    : 2 (flows)
 Confidence DPI              : 80 (flows)
-Num dissector calls: 524 (6.31 diss/flow)
+Num dissector calls: 523 (6.30 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/9/0 (insert/search/found)
 LRU cache stun:       30/0/0 (insert/search/found)

tests/cfgs/caches_global/result/ookla.pcap.out

@@ -4,7 +4,7 @@ DPI Packets (TCP):	40	(6.67 pkts/flow)
 Confidence DPI (partial cache): 1 (flows)
 Confidence DPI              : 4 (flows)
 Confidence DPI (aggressive) : 1 (flows)
-Num dissector calls: 572 (95.33 diss/flow)
+Num dissector calls: 566 (94.33 diss/flow)
 LRU cache ookla:      4/2/2 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

tests/cfgs/caches_global/result/teams.pcap.out

@@ -7,7 +7,7 @@ Confidence Unknown          : 1 (flows)
 Confidence Match by port    : 2 (flows)
 Confidence DPI (partial)    : 4 (flows)
 Confidence DPI              : 76 (flows)
-Num dissector calls: 524 (6.31 diss/flow)
+Num dissector calls: 523 (6.30 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/9/0 (insert/search/found)
 LRU cache stun:       30/0/0 (insert/search/found)

tests/cfgs/classification_only/result/bittorrent_tcp_miss.pcapng.out

@@ -1,6 +1,6 @@
 DPI Packets (TCP):	10	(10.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 227 (227.00 diss/flow)
+Num dissector calls: 223 (223.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 5/0/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

tests/cfgs/classification_only/result/ookla.pcap.out

@@ -4,7 +4,7 @@ DPI Packets (TCP):	38	(6.33 pkts/flow)
 Confidence DPI (partial cache): 1 (flows)
 Confidence DPI              : 4 (flows)
 Confidence DPI (aggressive) : 1 (flows)
-Num dissector calls: 572 (95.33 diss/flow)
+Num dissector calls: 566 (94.33 diss/flow)
 LRU cache ookla:      4/2/2 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)