DNS: fix relationship between FPC and subclassification (#2702)

Allow optimal FPC even if DNS subclassification is disabled
ntop · Jan 30, 2025 · c669bb3 · c669bb3
1 parent aacade6
commit c669bb3
Show file tree

Hide file tree

Showing 8 changed files with 22 additions and 13 deletions.
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
@@ -10281,7 +10281,8 @@ static u_int16_t ndpi_automa_match_string_subprotocol(struct ndpi_detection_modu
   }
 #endif
 
-  if((matching_protocol_id != NDPI_PROTOCOL_UNKNOWN) &&
+  if(flow &&
+     (matching_protocol_id != NDPI_PROTOCOL_UNKNOWN) &&
      (!ndpi_is_more_generic_protocol(flow->detected_protocol_stack[0], matching_protocol_id))) {
     /* Move the protocol on slot 0 down one position */
     flow->detected_protocol_stack[1] = master_protocol_id,
@@ -10348,12 +10349,14 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_
   if(ndpi_get_custom_category_match(ndpi_str, string_to_match,
 				    string_to_match_len, &id) != -1) {
     /* if(id != -1) */ {
-      flow->category = ret_match->protocol_category = id;
+      ret_match->protocol_category = id;
+      if(flow)
+        flow->category = id;
       rc = master_protocol_id;
     }
   }
 
-  if(ndpi_str->risky_domain_automa.ac_automa != NULL) {
+  if(flow && ndpi_str->risky_domain_automa.ac_automa != NULL) {
     u_int32_t proto_id;
     u_int16_t rc1 = ndpi_match_string_common(ndpi_str->risky_domain_automa.ac_automa,
 					     string_to_match, string_to_match_len,
@@ -10367,7 +10370,7 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_
   }
 
   /* Add punycode check */
-  if(ndpi_check_punycode_string(string_to_match, string_to_match_len)) {
+  if(flow && ndpi_check_punycode_string(string_to_match, string_to_match_len)) {
     char str[64] = { '\0' };
 
     strncpy(str, string_to_match, ndpi_min(string_to_match_len, sizeof(str)-1));

diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
@@ -819,23 +819,29 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st
     }
 
     if(len > 0) {
-      if(ndpi_struct->cfg.dns_subclassification_enabled) {
+      if(ndpi_struct->cfg.dns_subclassification_enabled || ndpi_struct->cfg.fpc_enabled) {
         ndpi_protocol_match_result ret_match;
 
-        ret.proto.app_protocol = ndpi_match_host_subprotocol(ndpi_struct, flow,
+        /* Avoid writing on flow (i.e. updating classification) if subclassification is disabled */
+        ret.proto.app_protocol = ndpi_match_host_subprotocol(ndpi_struct, ndpi_struct->cfg.dns_subclassification_enabled ? flow : NULL,
 						       flow->host_server_name,
 						       strlen(flow->host_server_name),
 						       &ret_match,
 						       NDPI_PROTOCOL_DNS);
         /* Add to FPC DNS cache */
-        if(ret.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN &&
+        if(ndpi_struct->cfg.fpc_enabled &&
+           ret.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN &&
+           ret.proto.app_protocol != NDPI_PROTOCOL_DNS &&
            (flow->protos.dns.rsp_type == 0x1 || flow->protos.dns.rsp_type == 0x1c) && /* A, AAAA */
            ndpi_struct->fpc_dns_cache) {
             ndpi_lru_add_to_cache(ndpi_struct->fpc_dns_cache,
                                   fpc_dns_cache_key_from_dns_info(flow), ret.proto.app_protocol,
                                   ndpi_get_current_time(flow));
         }
 
+        if(!ndpi_struct->cfg.dns_subclassification_enabled)
+          ret.proto.app_protocol = NDPI_PROTOCOL_UNKNOWN;
+
         if(ret.proto.app_protocol == NDPI_PROTOCOL_UNKNOWN)
 	  ret.proto.master_protocol = checkDNSSubprotocol(s_port, d_port);
         else

diff --git a/tests/cfgs/default/result/anyconnect-vpn.pcap.out b/tests/cfgs/default/result/anyconnect-vpn.pcap.out
@@ -13,7 +13,7 @@ LRU cache stun:       0/0/0 (insert/search/found)
 LRU cache tls_cert:   0/11/0 (insert/search/found)
 LRU cache mining:     0/8/0 (insert/search/found)
 LRU cache msteams:    0/0/0 (insert/search/found)
-LRU cache fpc_dns:    8/18/1 (insert/search/found)
+LRU cache fpc_dns:    7/18/1 (insert/search/found)
 Automa host:          69/19 (search/found)
 Automa domain:        69/0 (search/found)
 Automa tls cert:      4/0 (search/found)

diff --git a/tests/cfgs/default/result/malware.pcap.out b/tests/cfgs/default/result/malware.pcap.out
@@ -12,7 +12,7 @@ LRU cache stun:       0/0/0 (insert/search/found)
 LRU cache tls_cert:   0/4/0 (insert/search/found)
 LRU cache mining:     0/1/0 (insert/search/found)
 LRU cache msteams:    0/0/0 (insert/search/found)
-LRU cache fpc_dns:    1/3/0 (insert/search/found)
+LRU cache fpc_dns:    0/3/0 (insert/search/found)
 Automa host:          5/0 (search/found)
 Automa domain:        5/0 (search/found)
 Automa tls cert:      2/0 (search/found)

diff --git a/tests/cfgs/dns_subclassification_and_process_response_disable/result/dns.pcap.out b/tests/cfgs/dns_subclassification_and_process_response_disable/result/dns.pcap.out
@@ -8,7 +8,7 @@ LRU cache tls_cert:   0/0/0 (insert/search/found)
 LRU cache mining:     0/0/0 (insert/search/found)
 LRU cache msteams:    0/0/0 (insert/search/found)
 LRU cache fpc_dns:    0/0/0 (insert/search/found)
-Automa host:          0/0 (search/found)
+Automa host:          2/2 (search/found)
 Automa domain:        0/0 (search/found)
 Automa tls cert:      0/0 (search/found)
 Automa risk mask:     2/0 (search/found)

diff --git a/tests/cfgs/fpc_disabled/result/teams.pcap.out b/tests/cfgs/fpc_disabled/result/teams.pcap.out
@@ -14,7 +14,7 @@ LRU cache stun:       30/0/0 (insert/search/found)
 LRU cache tls_cert:   0/0/0 (insert/search/found)
 LRU cache mining:     0/3/0 (insert/search/found)
 LRU cache msteams:    20/6/6 (insert/search/found)
-LRU cache fpc_dns:    15/0/0 (insert/search/found)
+LRU cache fpc_dns:    0/0/0 (insert/search/found)
 Automa host:          85/71 (search/found)
 Automa domain:        85/0 (search/found)
 Automa tls cert:      0/0 (search/found)

diff --git a/tests/cfgs/subclassification_disable/result/anydesk.pcapng.out b/tests/cfgs/subclassification_disable/result/anydesk.pcapng.out
@@ -9,7 +9,7 @@ LRU cache tls_cert:   0/0/0 (insert/search/found)
 LRU cache mining:     0/0/0 (insert/search/found)
 LRU cache msteams:    0/0/0 (insert/search/found)
 LRU cache fpc_dns:    0/4/0 (insert/search/found)
-Automa host:          0/0 (search/found)
+Automa host:          4/4 (search/found)
 Automa domain:        0/0 (search/found)
 Automa tls cert:      0/0 (search/found)
 Automa risk mask:     2/0 (search/found)

diff --git a/tests/cfgs/subclassification_disable/result/dns.pcap.out b/tests/cfgs/subclassification_disable/result/dns.pcap.out
@@ -8,7 +8,7 @@ LRU cache tls_cert:   0/0/0 (insert/search/found)
 LRU cache mining:     0/0/0 (insert/search/found)
 LRU cache msteams:    0/0/0 (insert/search/found)
 LRU cache fpc_dns:    0/0/0 (insert/search/found)
-Automa host:          0/0 (search/found)
+Automa host:          3/3 (search/found)
 Automa domain:        0/0 (search/found)
 Automa tls cert:      0/0 (search/found)
 Automa risk mask:     2/0 (search/found)