Merge pull request #152 from CESNET/ovpn_enhacment

cejkato2 · web-flow · commit 1445d7f4349f · 2023-05-19T15:31:05.000+02:00
Better detection of OVPN protocol
diff --git a/process/ovpn.cpp b/process/ovpn.cpp
@@ -151,7 +151,9 @@ void OVPNPlugin::update_record(RecordExtOVPN* vpn_data, const Packet &pkt)
             vpn_data->status = status_data;
             vpn_data->invalid_pkt_cnt = -1;
          }
-         vpn_data->data_pkt_cnt++;
+         if (pkt.payload_len_wire > c_min_data_packet_size) {
+            vpn_data->data_pkt_cnt++;
+         }
          break;
 
          //no opcode
@@ -189,6 +191,14 @@ int OVPNPlugin::pre_update(Flow &rec, Packet &pkt)
 void OVPNPlugin::pre_export(Flow &rec)
 {
    RecordExtOVPN *vpn_data = (RecordExtOVPN *) rec.get_extension(RecordExtOVPN::REGISTERED_ID);
+
+   //do not export ovpn for short flows, usually port scans
+   uint32_t packets = rec.src_packets + rec.dst_packets;
+   if (packets <= min_pckt_export_treshold) { 
+      rec.remove_extension(RecordExtOVPN::REGISTERED_ID);
+      return;
+   }
+
    if (vpn_data->pkt_cnt > min_pckt_treshold && vpn_data->status == status_data) {
       vpn_data->possible_vpn = 100;
    } else if (vpn_data->pkt_cnt > min_pckt_treshold && ((double) vpn_data->data_pkt_cnt / (double) vpn_data->pkt_cnt) >= data_pckt_treshold) {
diff --git a/process/ovpn.hpp b/process/ovpn.hpp
@@ -137,9 +137,11 @@ class OVPNPlugin : public ProcessPlugin
       udp = 17
    } e_ip_proto_nbr;
 
+   static const uint32_t c_min_data_packet_size = 500;
    static const uint32_t c_udp_opcode_index = 0;
    static const uint32_t c_tcp_opcode_index = 2;
    static const uint32_t min_pckt_treshold = 20;
+   static const uint32_t min_pckt_export_treshold = 5;
    static constexpr float data_pckt_treshold = 0.6f;
    static const int32_t invalid_pckt_treshold = 4;
    static const uint32_t min_opcode = 1;
diff --git a/tests/functional/reference/ovpn b/tests/functional/reference/ovpn
@@ -1,4 +1,3 @@
 192.168.43.91,90.178.247.107,1380,0,0,2019-10-05T15:25:12.103104,2019-10-05T15:25:54.374882,3c:6a:a7:fc:00:67,20:39:56:43:58:45,6,0,60753,10102,0,0,17,0,0
-192.168.43.91,90.178.247.107,204,0,0,2019-10-05T15:25:20.027044,2019-10-05T15:25:40.347067,3c:6a:a7:fc:00:67,20:39:56:43:58:45,3,0,62158,10100,0,0,17,0,0
 90.178.247.107,192.168.43.91,49004,64203,0,2019-10-05T15:25:16.735147,2019-10-05T15:25:54.118079,20:39:56:43:58:45,3c:6a:a7:fc:00:67,164,166,10103,54113,0,100,6,30,26
 ipaddr DST_IP,ipaddr SRC_IP,uint64 BYTES,uint64 BYTES_REV,uint64 LINK_BIT_FIELD,time TIME_FIRST,time TIME_LAST,macaddr DST_MAC,macaddr SRC_MAC,uint32 PACKETS,uint32 PACKETS_REV,uint16 DST_PORT,uint16 SRC_PORT,uint8 DIR_BIT_FIELD,uint8 OVPN_CONF_LEVEL,uint8 PROTOCOL,uint8 TCP_FLAGS,uint8 TCP_FLAGS_REV
