STUN: rework extra dissection (#2202)

Keep looking for RTP packets but remove the monitoring concept.
We will re-introduce a more general concept of "flow in monitoring
state" later.
The function was disabled by default.
Some configuration knobs will be provided when/if #2190 is merged.

example/ndpiReader.c

@@ -94,8 +94,6 @@ static u_int8_t ignore_vlanid = 0;
 /** User preferences **/
 u_int8_t enable_protocol_guess = 1, enable_payload_analyzer = 0, num_bin_clusters = 0, extcap_exit = 0;
 u_int8_t verbose = 0, enable_flow_stats = 0;
-int stun_monitoring_pkts_to_process = -1; /* Default */
-int stun_monitoring_flags = -1; /* Default */
 int nDPI_LogLevel = 0;
 char *_debug_protocols = NULL;
 char *_disabled_protocols = NULL;
@@ -591,8 +589,6 @@ static void help(u_int long_help) {
          "  -Z proto:value            | Set this value of aggressiveness for this protocol (0 to disable it). This flag can be used multiple times\n"
          "  --lru-cache-size=NAME:size       | Specify the size for this LRU cache (0 to disable it). This flag can be used multiple times\n"
          "  --lru-cache-ttl=NAME:size        | Specify the TTL [in seconds] for this LRU cache (0 to disable it). This flag can be used multiple times\n"
-         "  --stun-monitoring=<pkts>:<flags> | Configure STUN monitoring: keep monitoring STUN session for <pkts> more pkts looking for RTP\n"
-         "                                   | (0:0 to disable the feature); set the specified features in <flags>\n"
          ,
          human_readeable_string_len,
          min_pattern_len, max_pattern_len, max_num_packets_per_flow, max_packet_payload_dissection,
@@ -646,8 +642,6 @@ static void help(u_int long_help) {
 #define OPTLONG_VALUE_LRU_CACHE_SIZE	1000
 #define OPTLONG_VALUE_LRU_CACHE_TTL	1001
 
-#define OPTLONG_VALUE_STUN_MONITORING	2000
-
 static struct option longopts[] = {
   /* mandatory extcap options */
   { "extcap-interfaces", no_argument, NULL, '0'},
@@ -691,7 +685,6 @@ static struct option longopts[] = {
 
   { "lru-cache-size", required_argument, NULL, OPTLONG_VALUE_LRU_CACHE_SIZE},
   { "lru-cache-ttl", required_argument, NULL, OPTLONG_VALUE_LRU_CACHE_TTL},
-  { "stun-monitoring", required_argument, NULL, OPTLONG_VALUE_STUN_MONITORING},
 
   {0, 0, 0, 0}
 };
@@ -966,7 +959,6 @@ static void parseOptions(int argc, char **argv) {
 #endif
 #endif
   int cache_idx, cache_size, cache_ttl;
-  u_int32_t num_pkts, flags;
 
 #ifdef USE_DPDK
   {
@@ -1302,15 +1294,6 @@ static void parseOptions(int argc, char **argv) {
       lru_cache_ttls[cache_idx] = cache_ttl;
       break;
 
-    case OPTLONG_VALUE_STUN_MONITORING:
-      if(parse_two_unsigned_integer(optarg, &num_pkts, &flags) == -1) {
-        printf("Invalid parameter [%s]\n", optarg);
-        exit(1);
-      }
-      stun_monitoring_pkts_to_process = num_pkts;
-      stun_monitoring_flags = flags;
-      break;
-
     default:
 #ifdef DEBUG_TRACE
       if(trace) fprintf(trace, " #### Unknown option -%c: skipping it #### \n", opt);
@@ -2752,11 +2735,6 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) {
       ndpi_set_protocol_aggressiveness(ndpi_thread_info[thread_id].workflow->ndpi_struct, i, aggressiveness[i]);
   }
 
-  if(stun_monitoring_pkts_to_process != -1 &&
-     stun_monitoring_flags != -1)
-    ndpi_set_monitoring_state(ndpi_thread_info[thread_id].workflow->ndpi_struct, NDPI_PROTOCOL_STUN,
-                              stun_monitoring_pkts_to_process, stun_monitoring_flags);
-
   ndpi_finalize_initialization(ndpi_thread_info[thread_id].workflow->ndpi_struct);
 
   if(enable_doh_dot_detection)

fuzz/fuzz_config.cpp

@@ -13,7 +13,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   struct ndpi_detection_module_struct *ndpi_info_mod;
   struct ndpi_flow_struct flow;
   u_int8_t protocol_was_guessed;
-  u_int32_t i, num, num2;
+  u_int32_t i, num;
   u_int16_t random_proto, bool_value;
   int random_value;
   NDPI_PROTOCOL_BITMASK enabled_bitmask;
@@ -36,7 +36,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 				     6 + /* files */
 				     ((NDPI_LRUCACHE_MAX + 1) * 5) + /* LRU caches */
 				     2 + 1 + 4 + /* ndpi_set_detection_preferences() */
-				     1 + 3 + 1 + 3 + /* Monitoring */
 				     7 + /* Opportunistic tls */
 				     2 + /* Pid */
 				     2 + /* Category */
@@ -108,18 +107,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 
   ndpi_set_detection_preferences(ndpi_info_mod, static_cast<ndpi_detection_preference>(0xFF), 0xFF); /* Invalid preference */
 
-  if(fuzzed_data.ConsumeBool()) {
-    ndpi_set_monitoring_state(ndpi_info_mod, NDPI_PROTOCOL_STUN,
-                              fuzzed_data.ConsumeIntegralInRange(0, (1 << 16)),
-                              fuzzed_data.ConsumeIntegralInRange(0, 7));
-    ndpi_get_monitoring_state(ndpi_info_mod, NDPI_PROTOCOL_STUN, &num, &num2);
-  }
-
-  random_proto = fuzzed_data.ConsumeIntegralInRange(0, (1 << 16) - 1);
-  random_value = fuzzed_data.ConsumeIntegralInRange(0,2);
-  ndpi_set_monitoring_state(ndpi_info_mod, random_proto, random_value, random_value);
-  ndpi_get_monitoring_state(ndpi_info_mod, random_proto, &num, &num2);
-
   ndpi_set_opportunistic_tls(ndpi_info_mod, NDPI_PROTOCOL_MAIL_SMTP, fuzzed_data.ConsumeBool());
   ndpi_get_opportunistic_tls(ndpi_info_mod, NDPI_PROTOCOL_MAIL_SMTP);
   ndpi_set_opportunistic_tls(ndpi_info_mod, NDPI_PROTOCOL_MAIL_IMAP, fuzzed_data.ConsumeBool());

fuzz/fuzz_ndpi_reader.c

@@ -74,9 +74,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 
     ndpi_set_detection_preferences(workflow->ndpi_struct, ndpi_pref_enable_tls_block_dissection, 0 /* unused */);
 
-    ndpi_set_monitoring_state(workflow->ndpi_struct, NDPI_PROTOCOL_STUN,
-                              10, NDPI_MONITORING_STUN_SUBCLASSIFIED);
-
     memset(workflow->stats.protocol_counter, 0,
 	   sizeof(workflow->stats.protocol_counter));
     memset(workflow->stats.protocol_counter_bytes, 0,

src/include/ndpi_api.h

@@ -1099,12 +1099,6 @@ extern "C" {
   u_int32_t ndpi_get_protocol_aggressiveness(struct ndpi_detection_module_struct *ndpi_struct,
                                              u_int16_t proto);
 
-  int ndpi_set_monitoring_state(struct ndpi_detection_module_struct *ndpi_struct,
-                                u_int16_t proto, u_int32_t num_pkts, u_int32_t flags);
-  int ndpi_get_monitoring_state(struct ndpi_detection_module_struct *ndpi_struct,
-                                u_int16_t proto, u_int32_t *num_pkts, u_int32_t *flags);
-
-
   /**
    * Find a protocol id associated with a string automata
    *

src/include/ndpi_typedefs.h

@@ -753,12 +753,6 @@ struct ndpi_lru_cache {
 /* Ookla */
 #define NDPI_AGGRESSIVENESS_OOKLA_TLS			0x01 /* Enable detection over TLS (using ookla cache) */
 
-
-/* Monitoring flags */
-
-/* Stun */
-#define NDPI_MONITORING_STUN_SUBCLASSIFIED		0x01 /* Monitor STUN flows even if we have a valid sub-protocol */
-
 /* ************************************************** */
 
 struct ndpi_flow_tcp_struct {

src/lib/ndpi_main.c

@@ -3387,9 +3387,6 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs
   ndpi_str->opportunistic_tls_ftp_enabled = 1;
   ndpi_str->opportunistic_tls_stun_enabled = 1;
 
-  ndpi_str->monitoring_stun_pkts_to_process = 4;
-  ndpi_str->monitoring_stun_flags = 0;
-
   ndpi_str->aggressiveness_ookla = NDPI_AGGRESSIVENESS_OOKLA_TLS;
 
   if(prefs & ndpi_enable_tcp_ack_payload_heuristic)
@@ -10430,42 +10427,6 @@ int ndpi_seen_flow_beginning(const struct ndpi_flow_struct *flow)
 
 /* ******************************************************************** */
 
-int ndpi_set_monitoring_state(struct ndpi_detection_module_struct *ndpi_struct,
-			      u_int16_t proto, u_int32_t num_pkts, u_int32_t flags)
-{
-  if(!ndpi_struct || num_pkts > 0xFFFF)
-    return -1;
-
-  switch(proto) {
-  case NDPI_PROTOCOL_STUN:
-    ndpi_struct->monitoring_stun_pkts_to_process = num_pkts;
-    ndpi_struct->monitoring_stun_flags = flags;
-    return 0;
-  default:
-    return -1;
-  }
-}
-
-/* ******************************************************************** */
-
-int ndpi_get_monitoring_state(struct ndpi_detection_module_struct *ndpi_struct,
-			      u_int16_t proto, u_int32_t *num_pkts, u_int32_t *flags)
-{
-  if(!ndpi_struct || !num_pkts || !flags)
-    return -1;
-
-  switch(proto) {
-  case NDPI_PROTOCOL_STUN:
-    *num_pkts = ndpi_struct->monitoring_stun_pkts_to_process;
-    *flags = ndpi_struct->monitoring_stun_flags;
-    return 0;
-  default:
-    return -1;
-  }
-}
-
-/* ******************************************************************** */
-
 int ndpi_set_opportunistic_tls(struct ndpi_detection_module_struct *ndpi_struct,
 			       u_int16_t proto, int value)
 {

src/lib/ndpi_private.h

@@ -253,9 +253,6 @@ struct ndpi_detection_module_struct {
   int opportunistic_tls_ftp_enabled;
   int opportunistic_tls_stun_enabled;
 
-  u_int32_t monitoring_stun_pkts_to_process;
-  u_int32_t monitoring_stun_flags;
-
   u_int32_t aggressiveness_ookla;
 
   int tcp_ack_paylod_heuristic;

src/lib/protocols/stun.c

@@ -345,9 +345,8 @@ static int keep_extra_dissection(struct ndpi_detection_module_struct *ndpi_struc
 
   /* We have a sub-classification */
 
-  if((ndpi_struct->monitoring_stun_flags & NDPI_MONITORING_STUN_SUBCLASSIFIED) &&
-     flow->detected_protocol_stack[0] != NDPI_PROTOCOL_RTP)
-    return 1;
+  if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_RTP)
+    return 0;
 
   /* Looking for XOR-PEER-ADDRESS metadata; TODO: other protocols? */
   if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TELEGRAM_VOIP)
@@ -614,25 +613,22 @@ static void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *nd
     ndpi_set_detected_protocol(ndpi_struct, flow, app_proto, __get_master(flow), confidence);
   }
 
-  /* This is quite complex. We want extra dissection for:
+  /* We want extra dissection for:
      * sub-classification
-     * metadata extraction in general
-       * Telegram: we need more packets to find all XOR-PEER-ADDRESS attributes
-     * monitoring, i.e. looking for RTP
-     And all these cases might overlap...
+     * metadata extraction or looking for RTP
+     The latter is enabled only without sub-classification or for Telegram
+     (to find all XOR-PEER-ADDRESS attributes)
   */
   if(!flow->extra_packets_func) {
     if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN /* No-subclassification */ ||
-       flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TELEGRAM_VOIP /* Metadata. TODO: other protocols? */ ||
-       (ndpi_struct->monitoring_stun_pkts_to_process > 0 &&
-        (ndpi_struct->monitoring_stun_flags & NDPI_MONITORING_STUN_SUBCLASSIFIED))) {
+       flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TELEGRAM_VOIP /* Metadata. TODO: other protocols? */) {
       NDPI_LOG_DBG(ndpi_struct, "Enabling extra dissection\n");
 
       if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TELEGRAM_VOIP) {
         flow->max_extra_packets_to_check = 10; /* Looking for metadata. There are no really RTP packets
 						  in Telegram flows, so no need to enable monitoring for them */
       } else {
-        flow->max_extra_packets_to_check = ndpi_max(4, ndpi_struct->monitoring_stun_pkts_to_process);
+        flow->max_extra_packets_to_check = 4;
         flow->extra_packets_func = stun_search_again;
       }
     }