STUN: add a parameter to configure how long the extra dissection lasts (

#2336) Tradeoff: performance (i.e. number of packets) vs sub-classification
ntop · Mar 7, 2024 · 6152d59 · 6152d59
1 parent 56ce228
commit 6152d59
Show file tree

Hide file tree

Showing 11 changed files with 109 additions and 26 deletions.
diff --git a/doc/configuration_parameters.md b/doc/configuration_parameters.md
@@ -31,6 +31,7 @@ TODO
 | "imap"       | "tls_dissection"                          | enable        | NULL      | NULL      | Enable/disable dissection of TLS packets in cleartext IMAP flows (because of opportunistic TLS, via STARTTLS msg) |
 | "pop"        | "tls_dissection"                          | enable        | NULL      | NULL      | Enable/disable dissection of TLS packets in cleartext POP flows (because of opportunistic TLS, via STARTTLS msg) |
 | "ftp"        | "tls_dissection"                          | enable        | NULL      | NULL      | Enable/disable dissection of TLS packets in cleartext FTP flows (because of opportunistic TLS, via AUTH TLS msg) |
+| "stun"       | "max_packets_extra_dissection"            | 4             | 0         | 255       | After a flow has been classified has STUN, nDPI might analyse more packets to look for a sub-classification or for metadata. This parameter set the upper limit on the number of these packets  |
 | "stun"       | "tls_dissection"                          | enable        | NULL      | NULL      | Enable/disable dissection of TLS packets multiplexed into STUN flows |
 | "dns"        | "subclassification"                       | enable        | NULL      | NULL      | Enable/disable sub-classification of DNS flows (via query/response domain name). If disabled, some flow risks are not checked |
 | "dns"        | "process_response"                        | enable        | NULL      | NULL      | Enable/disable processing of DNS responses. By default, DNS flows are fully classified after the first request/response pair (or after the first response, if the request is missing). If this parameter is disabled, the flows are fully classified after the first packet, i.e. usually after the first request; in that case, some flow risks are not checked and some metadata are not exported |

diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp
@@ -133,6 +133,21 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     sprintf(cfg_value, "%d", value);
     ndpi_set_config(ndpi_info_mod, "tls", "metadata.sha1_fingerprint", cfg_value);
   }
+  if(fuzzed_data.ConsumeBool()) {
+    value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
+    sprintf(cfg_value, "%d", value);
+    ndpi_set_config(ndpi_info_mod, "tls", "metadata.ja3c_fingerprint", cfg_value);
+  }
+  if(fuzzed_data.ConsumeBool()) {
+    value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
+    sprintf(cfg_value, "%d", value);
+    ndpi_set_config(ndpi_info_mod, "tls", "metadata.ja3s_fingerprint", cfg_value);
+  }
+  if(fuzzed_data.ConsumeBool()) {
+    value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
+    sprintf(cfg_value, "%d", value);
+    ndpi_set_config(ndpi_info_mod, "tls", "metadata.ja4c_fingerprint", cfg_value);
+  }
   if(fuzzed_data.ConsumeBool()) {
     value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
     sprintf(cfg_value, "%d", value);
@@ -158,6 +173,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     sprintf(cfg_value, "%d", value);
     ndpi_set_config(ndpi_info_mod, "stun", "tls_dissection", cfg_value);
   }
+  if(fuzzed_data.ConsumeBool()) {
+    value = fuzzed_data.ConsumeIntegralInRange(0, 255 + 1);
+    sprintf(cfg_value, "%d", value);
+    ndpi_set_config(ndpi_info_mod, "stun", "max_packets_extra_dissection", cfg_value);
+  }
   if(fuzzed_data.ConsumeBool()) {
     value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
     sprintf(cfg_value, "%d", value);

diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
@@ -248,6 +248,7 @@ struct ndpi_detection_module_config_struct {
   int ftp_opportunistic_tls_enabled;
 
   int stun_opportunistic_tls_enabled;
+  int stun_max_packets_extra_dissection;
 
   int dns_subclassification_enabled;
   int dns_parse_response_enabled;

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
@@ -11065,6 +11065,7 @@ static const struct cfg_param {
   { "ftp",           "tls_dissection",                          "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(ftp_opportunistic_tls_enabled), NULL },
 
   { "stun",          "tls_dissection",                          "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(stun_opportunistic_tls_enabled), NULL },
+  { "stun",          "max_packets_extra_dissection",            "4", "0", "255", CFG_PARAM_INT, __OFF(stun_max_packets_extra_dissection), NULL },
 
   { "dns",           "subclassification",                       "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(dns_subclassification_enabled), NULL },
   { "dns",           "process_response",                        "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(dns_parse_response_enabled), NULL },

diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
@@ -440,7 +440,7 @@ static int stun_search_again(struct ndpi_detection_module_struct *ndpi_struct,
 
             /* Give room for DTLS handshake, where we might have
                retransmissions and fragments */
-            flow->max_extra_packets_to_check += 10;
+            flow->max_extra_packets_to_check = ndpi_min(255, (int)flow->max_extra_packets_to_check + 10);
             flow->stun.maybe_dtls = 1;
 	  }
           NDPI_LOG_DBG(ndpi_struct, "Switch to TLS (%d/%d)\n",
@@ -626,19 +626,8 @@ static void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *nd
     if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN /* No-subclassification */ ||
        flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TELEGRAM_VOIP /* Metadata. TODO: other protocols? */) {
       NDPI_LOG_DBG(ndpi_struct, "Enabling extra dissection\n");
-
-      if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TELEGRAM_VOIP) {
-        flow->max_extra_packets_to_check = 10; /* Looking for metadata. There are no really RTP packets
-						  in Telegram flows, so no need to enable monitoring for them */
-      } else {
-        flow->max_extra_packets_to_check = 4;
-        flow->extra_packets_func = stun_search_again;
-      }
-    }
-  } else {
-    /* Already in extra dissection, but we just sub-classied */
-    if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TELEGRAM_VOIP) {
-      flow->max_extra_packets_to_check = 10;
+      flow->max_extra_packets_to_check = ndpi_struct->cfg.stun_max_packets_extra_dissection;
+      flow->extra_packets_func = stun_search_again;
     }
   }
 }