Added support for Snapchat

Reworked code to better handle host-based protocols
2026-05-22 03:03:07 +00:00 · 2015-07-05 19:21:12 +02:00 · 2015-07-05 19:21:12 +02:00 · f5d6cd511e
commit f5d6cd511e
parent 09c137b27a
6 changed files with 49 additions and 15 deletions
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@ -245,9 +245,10 @@
 #define NDPI_SERVICE_QUICKPLAY                          196 /* Streaming service used by various services such as hooq.tv  */
 #define NDPI_SERVICE_TIM                                197 /* Traffic for tim.com.br and tim.it */
 #define NDPI_PROTOCOL_MPEGTS        			198
+#define NDPI_SERVICE_SNAPCHAT                           199

 /* UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE */
-#define NDPI_LAST_IMPLEMENTED_PROTOCOL			NDPI_PROTOCOL_MPEGTS
+#define NDPI_LAST_IMPLEMENTED_PROTOCOL			NDPI_SERVICE_SNAPCHAT

 #define NDPI_MAX_SUPPORTED_PROTOCOLS (NDPI_LAST_IMPLEMENTED_PROTOCOL + 1)
 #define NDPI_MAX_NUM_CUSTOM_PROTOCOLS                   (NDPI_NUM_BITS-NDPI_LAST_IMPLEMENTED_PROTOCOL)
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@ -7372,6 +7372,12 @@ ndpi_protocol_match host_match[] = {
  { "quickplay.com",                    "QuickPlay",            NDPI_SERVICE_QUICKPLAY, NDPI_PROTOCOL_FUN },
  { "tim.com.br",                       "TIM",                  NDPI_SERVICE_TIM, NDPI_PROTOCOL_ACCEPTABLE },
  { "tim.it",                           "TIM",                  NDPI_SERVICE_TIM, NDPI_PROTOCOL_ACCEPTABLE },
+
+  /* https://support.cipafilter.com/index.php?/Knowledgebase/Article/View/117/0/snapchat---how-to-block */
+  { "feelinsonice.appspot.com",         "Snapchat",             NDPI_SERVICE_SNAPCHAT, NDPI_PROTOCOL_FUN },
+  { "feelinsonice-hrd.appspot.com",     "Snapchat",             NDPI_SERVICE_SNAPCHAT, NDPI_PROTOCOL_FUN },
+  { "feelinsonice.com",                 "Snapchat",             NDPI_SERVICE_SNAPCHAT, NDPI_PROTOCOL_FUN },
+
  { NULL, 0 }
 };

--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@ -530,15 +530,25 @@ void ndpi_set_proto_defaults(struct ndpi_detection_module_struct *ndpi_mod,
 			     u_int16_t tcp_master_protoId[2], u_int16_t udp_master_protoId[2],
 			     char *protoName,
 			     ndpi_port_range *tcpDefPorts, ndpi_port_range *udpDefPorts) {
-  char *name = ndpi_strdup(protoName);
+  char *name;
  int j;

  if(protoId >= NDPI_MAX_SUPPORTED_PROTOCOLS+NDPI_MAX_NUM_CUSTOM_PROTOCOLS) {
-    printf("[NDPI] %s(protoId=%d): INTERNAL ERROR\n", __FUNCTION__, protoId);
-    ndpi_free(name);
+#ifdef DEBUG
+    printf("[NDPI] %s(%s/protoId=%d): INTERNAL ERROR\n", __FUNCTION__, protoName, protoId);
+#endif
    return;
  }

+  if(ndpi_mod->proto_defaults[protoId].protoName != NULL) {
+#ifdef DEBUG
+    printf("[NDPI] %s(%s/protoId=%d): already initialized. Ignoring it\n", __FUNCTION__, protoName, protoId);
+#endif
+    return;
+  }
+
+  name = ndpi_strdup(protoName);
+
  ndpi_mod->proto_defaults[protoId].protoName = name,
    ndpi_mod->proto_defaults[protoId].protoId = protoId,
    ndpi_mod->proto_defaults[protoId].protoBreed = breed;
@ -672,6 +682,10 @@ static int ndpi_string_to_automa(struct ndpi_detection_module_struct *ndpi_struc
 static int ndpi_add_host_url_subprotocol(struct ndpi_detection_module_struct *ndpi_struct,
 					 char *value, int protocol_id,
 					 ndpi_protocol_breed_t breed) {
+#ifdef DEBUG
+  printf("[NDPI] Adding [%s][%d]\n", value, protocol_id);
+#endif
+
  return(ndpi_string_to_automa(ndpi_struct, &ndpi_struct->host_automa,
 			       value, protocol_id, breed));
 }
@ -681,7 +695,8 @@ static int ndpi_add_host_url_subprotocol(struct ndpi_detection_module_struct *nd
 int ndpi_add_content_subprotocol(struct ndpi_detection_module_struct *ndpi_struct,
 				 char *value, int protocol_id,
 				 ndpi_protocol_breed_t breed) {
-  return(ndpi_string_to_automa(ndpi_struct, &ndpi_struct->content_automa, value, protocol_id, breed));
+  return(ndpi_string_to_automa(ndpi_struct, &ndpi_struct->content_automa, 
+			       value, protocol_id, breed));
 }

 /* ****************************************************** */
@ -705,6 +720,9 @@ static void init_string_based_protocols(struct ndpi_detection_module_struct *ndp
  int i;

  for(i=0; host_match[i].string_to_match != NULL; i++) {
+    u_int16_t no_master[2] = { NDPI_PROTOCOL_NO_MASTER_PROTO, NDPI_PROTOCOL_NO_MASTER_PROTO };
+    ndpi_port_range ports_a[MAX_DEFAULT_PORTS], ports_b[MAX_DEFAULT_PORTS];
+
    ndpi_add_host_url_subprotocol(ndpi_mod, host_match[i].string_to_match,
 				  host_match[i].protocol_id, host_match[i].protocol_breed);

@ -713,8 +731,20 @@ static void init_string_based_protocols(struct ndpi_detection_module_struct *ndp
      ndpi_mod->proto_defaults[host_match[i].protocol_id].protoId = host_match[i].protocol_id;
      ndpi_mod->proto_defaults[host_match[i].protocol_id].protoBreed = host_match[i].protocol_breed;
    }
+
+    ndpi_set_proto_defaults(ndpi_mod, 
+			    ndpi_mod->proto_defaults[host_match[i].protocol_id].protoBreed,
+			    ndpi_mod->proto_defaults[host_match[i].protocol_id].protoId,
+			    no_master, no_master,
+			    ndpi_mod->proto_defaults[host_match[i].protocol_id].protoName,
+			    ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+			    ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
  }

+#ifdef DEBUG
+  ac_automata_display(ndpi_mod->host_automa.ac_automa, 'n');
+#endif
+
  for(i=0; content_match[i].string_to_match != NULL; i++)
    ndpi_add_content_subprotocol(ndpi_mod, content_match[i].string_to_match,
 				 content_match[i].protocol_id,
@ -5280,7 +5310,7 @@ static int ndpi_automa_match_string_subprotocol(struct ndpi_detection_module_str
  struct ndpi_packet_struct *packet = &flow->packet;
  AC_TEXT_t ac_input_text;

-  if((automa->ac_automa == NULL) || (string_to_match_len== 0)) return(NDPI_PROTOCOL_UNKNOWN);
+  if((automa->ac_automa == NULL) || (string_to_match_len == 0)) return(NDPI_PROTOCOL_UNKNOWN);

  if(!automa->ac_automa_finalized) {
    ac_automata_finalize((AC_AUTOMATA_t*)automa->ac_automa);
--- a/src/lib/protocols/skype.c
+++ b/src/lib/protocols/skype.c
@ -119,15 +119,6 @@ void ndpi_search_skype(struct ndpi_detection_module_struct *ndpi_struct, struct
 }

 void init_skype_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) {
-  ndpi_port_range ports_a[MAX_DEFAULT_PORTS], ports_b[MAX_DEFAULT_PORTS];
-  u_int16_t no_master[2] = { NDPI_PROTOCOL_NO_MASTER_PROTO, NDPI_PROTOCOL_NO_MASTER_PROTO };
-
-  ndpi_set_proto_defaults(ndpi_struct, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SKYPE,
-			  no_master,
-			  no_master, "Skype",
-			  ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
-			  ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
-  
  ndpi_set_bitmask_protocol_detection("Skype", ndpi_struct, detection_bitmask, *id,
 				      NDPI_PROTOCOL_SKYPE,
 				      ndpi_search_skype,
--- a/tests/pcap/snapchat.pcap
+++ b/tests/pcap/snapchat.pcap
--- a/tests/result/snapchat.pcap.out
+++ b/tests/result/snapchat.pcap.out
@ -0,0 +1,6 @@
+SSL_No_Cert	22	2879	1
+Snapchat	34	7320	2
+
+	1	TCP 10.8.0.1:56193 <-> 74.125.136.141:443 [proto: 199/Snapchat][17 pkts/3943 bytes][SSL client: feelinsonice-hrd.appspot.com]
+	2	TCP 10.8.0.1:44536 <-> 74.125.136.141:443 [proto: 199/Snapchat][17 pkts/3377 bytes][SSL client: feelinsonice-hrd.appspot.com]
+	3	TCP 10.8.0.1:33233 <-> 74.125.136.141:443 [proto: 64/SSL_No_Cert][22 pkts/2879 bytes]