Fix classification when non tcp/udp protocols are disabled (#2824)

Author: IvanNardi

src/lib/ndpi_main.c

@@ -4584,32 +4584,58 @@ static u_int16_t guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str
   } else {
     /* No TCP/UDP */
 
+    /* All these calls to `is_proto_enabled()` are needed to avoid classification by-port
+       if the protocol is disabled */
     switch(proto) {
     case NDPI_IPSEC_PROTOCOL_ESP:
     case NDPI_IPSEC_PROTOCOL_AH:
-      return(NDPI_PROTOCOL_IPSEC);
+      if(is_proto_enabled(ndpi_str, NDPI_PROTOCOL_IPSEC))
+        return(NDPI_PROTOCOL_IPSEC);
+      break;
     case NDPI_GRE_PROTOCOL_TYPE:
-      return(NDPI_PROTOCOL_IP_GRE);
+      if(is_proto_enabled(ndpi_str, NDPI_PROTOCOL_IPSEC))
+        return(NDPI_PROTOCOL_IP_GRE);
+      break;
     case NDPI_PGM_PROTOCOL_TYPE:
-      return(NDPI_PROTOCOL_IP_PGM);
+      if(is_proto_enabled(ndpi_str, NDPI_PROTOCOL_IP_PGM))
+        return(NDPI_PROTOCOL_IP_PGM);
+      break;
     case NDPI_PIM_PROTOCOL_TYPE:
-      return(NDPI_PROTOCOL_IP_PIM);
+      if(is_proto_enabled(ndpi_str, NDPI_PROTOCOL_IP_PIM))
+        return(NDPI_PROTOCOL_IP_PIM);
+      break;
     case NDPI_ICMP_PROTOCOL_TYPE:
-      return(NDPI_PROTOCOL_IP_ICMP);
+      if(is_proto_enabled(ndpi_str, NDPI_PROTOCOL_IP_ICMP))
+        return(NDPI_PROTOCOL_IP_ICMP);
+      break;
     case NDPI_IGMP_PROTOCOL_TYPE:
-      return(NDPI_PROTOCOL_IP_IGMP);
+      if(is_proto_enabled(ndpi_str, NDPI_PROTOCOL_IP_IGMP))
+        return(NDPI_PROTOCOL_IP_IGMP);
+      break;
     case NDPI_EGP_PROTOCOL_TYPE:
-      return(NDPI_PROTOCOL_IP_EGP);
+      if(is_proto_enabled(ndpi_str, NDPI_PROTOCOL_IP_EGP))
+        return(NDPI_PROTOCOL_IP_EGP);
+      break;
     case NDPI_SCTP_PROTOCOL_TYPE:
-      return(NDPI_PROTOCOL_IP_SCTP);
+      if(is_proto_enabled(ndpi_str, NDPI_PROTOCOL_IP_SCTP))
+        return(NDPI_PROTOCOL_IP_SCTP);
+      break;
     case NDPI_OSPF_PROTOCOL_TYPE:
-      return(NDPI_PROTOCOL_IP_OSPF);
+      if(is_proto_enabled(ndpi_str, NDPI_PROTOCOL_IP_OSPF))
+        return(NDPI_PROTOCOL_IP_OSPF);
+      break;
     case NDPI_IPIP_PROTOCOL_TYPE:
-      return(NDPI_PROTOCOL_IP_IP_IN_IP);
+      if(is_proto_enabled(ndpi_str, NDPI_PROTOCOL_IP_IP_IN_IP))
+        return(NDPI_PROTOCOL_IP_IP_IN_IP);
+      break;
     case NDPI_ICMPV6_PROTOCOL_TYPE:
-      return(NDPI_PROTOCOL_IP_ICMPV6);
+      if(is_proto_enabled(ndpi_str, NDPI_PROTOCOL_IP_ICMPV6))
+        return(NDPI_PROTOCOL_IP_ICMPV6);
+      break;
     case NDPI_VRRP_PROTOCOL_TYPE:
-      return(NDPI_PROTOCOL_IP_VRRP);
+      if(is_proto_enabled(ndpi_str, NDPI_PROTOCOL_IP_VRRP))
+        return(NDPI_PROTOCOL_IP_VRRP);
+      break;
     }
   }
 

tests/cfgs/disable_protocols/config.txt

@@ -1 +1 @@
--B soap,dns,pluralsight,quic
+-B soap,dns,pluralsight,quic,ipsec,ospf

tests/cfgs/disable_protocols/pcap/esp.pcapng

@@ -0,0 +1 @@
+../../default/pcap/esp.pcapng

tests/cfgs/disable_protocols/pcap/ospfv2_add_new_prefix.pcap

@@ -0,0 +1 @@
+../../default/pcap/ospfv2_add_new_prefix.pcap

tests/cfgs/disable_protocols/pcap/sctp.cap

@@ -0,0 +1 @@
+../../default/pcap/sctp.cap

tests/cfgs/disable_protocols/result/dns_long_domainname.pcap.out

@@ -2,7 +2,7 @@ Guessed flow protos:	1
 
 DPI Packets (UDP):	2	(2.00 pkts/flow)
 Confidence Match by IP      : 1 (flows)
-Num dissector calls: 155 (155.00 diss/flow)
+Num dissector calls: 154 (154.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

tests/cfgs/disable_protocols/result/esp.pcapng.out

@@ -0,0 +1,32 @@
+DPI Packets (UDP):	4	(4.00 pkts/flow)
+DPI Packets (other):	1	(1.00 pkts/flow)
+Confidence Unknown          : 2 (flows)
+Num dissector calls: 168 (84.00 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/6/0 (insert/search/found)
+LRU cache stun:       0/0/0 (insert/search/found)
+LRU cache tls_cert:   0/0/0 (insert/search/found)
+LRU cache mining:     0/2/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+LRU cache fpc_dns:    0/2/0 (insert/search/found)
+Automa host:          0/0 (search/found)
+Automa domain:        0/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     0/0 (search/found)
+Automa common alpns:  0/0 (search/found)
+Patricia risk mask:   0/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk:        0/0 (search/found)
+Patricia risk IPv6:   0/0 (search/found)
+Patricia protocols:   4/0 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+Unknown	6	1856	2
+
+Unrated                          6 1856          2            
+
+
+
+Undetected flows:
+	1	UDP 10.2.3.2:500 <-> 10.3.4.4:500 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 4][2 pkts/786 bytes <-> 2 pkts/738 bytes][Goodput ratio: 89/88][0.02 sec][Risk: ** Susp Entropy **][Risk Score: 10][Risk Info: Entropy: 6.387 (Executable?)][PLAIN TEXT (DELETE)][Plen Bins: 0,0,0,0,0,0,0,0,0,25,25,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	2	ESP 10.2.3.2:0 <-> 10.3.4.4:0 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 1][1 pkts/166 bytes <-> 1 pkts/166 bytes][Goodput ratio: 0/0][0.00 sec][Risk: ** Susp Entropy **][Risk Score: 10][Risk Info: No server to client traffic / Entropy: 6.639 (Executable?)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

tests/cfgs/disable_protocols/result/ospfv2_add_new_prefix.pcap.out

@@ -0,0 +1,30 @@
+DPI Packets (other):	1	(1.00 pkts/flow)
+Confidence Unknown          : 1 (flows)
+Num dissector calls: 0 (0.00 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/3/0 (insert/search/found)
+LRU cache stun:       0/0/0 (insert/search/found)
+LRU cache tls_cert:   0/0/0 (insert/search/found)
+LRU cache mining:     0/1/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+LRU cache fpc_dns:    0/1/0 (insert/search/found)
+Automa host:          0/0 (search/found)
+Automa domain:        0/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     0/0 (search/found)
+Automa common alpns:  0/0 (search/found)
+Patricia risk mask:   0/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk:        0/0 (search/found)
+Patricia risk IPv6:   0/0 (search/found)
+Patricia protocols:   2/0 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+Unknown	2	200	1
+
+Unrated                          2 200           1            
+
+
+
+Undetected flows:
+	1	OSPF 10.1.10.10:0 <-> 10.1.10.1:0 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 1][1 pkts/122 bytes <-> 1 pkts/78 bytes][Goodput ratio: 0/0][2.51 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

tests/cfgs/disable_protocols/result/quic-mvfst-27.pcapng.out

@@ -2,7 +2,7 @@ Guessed flow protos:	1
 
 DPI Packets (UDP):	7	(7.00 pkts/flow)
 Confidence Match by IP      : 1 (flows)
-Num dissector calls: 176 (176.00 diss/flow)
+Num dissector calls: 175 (175.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)

tests/cfgs/disable_protocols/result/sctp.cap.out

@@ -0,0 +1,30 @@
+Guessed flow protos:	2
+
+DPI Packets (other):	2	(1.00 pkts/flow)
+Confidence Match by port    : 2 (flows)
+Num dissector calls: 0 (0.00 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/6/0 (insert/search/found)
+LRU cache stun:       0/0/0 (insert/search/found)
+LRU cache tls_cert:   0/0/0 (insert/search/found)
+LRU cache mining:     0/2/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+LRU cache fpc_dns:    0/2/0 (insert/search/found)
+Automa host:          0/0 (search/found)
+Automa domain:        0/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     0/0 (search/found)
+Automa common alpns:  0/0 (search/found)
+Patricia risk mask:   2/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk:        0/0 (search/found)
+Patricia risk IPv6:   0/0 (search/found)
+Patricia protocols:   4/0 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+SCTP	4	340	2
+
+Acceptable                       4 340           2            
+
+	1	SCTP 10.28.6.43:0 <-> 10.28.6.44:0 [proto: 84/SCTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 1][cat: Network/14][1 pkts/138 bytes <-> 1 pkts/62 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Susp Entropy **][Risk Score: 10][Risk Info: No server to client traffic / Entropy: 5.478 (Executable?)][PLAIN TEXT (MEGACO/2 )][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	2	SCTP 10.28.6.42:0 <-> 10.28.6.44:0 [proto: 84/SCTP][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 1][cat: Network/14][1 pkts/70 bytes <-> 1 pkts/70 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]