Merge pull request #149 from CESNET/ssadetector_plugin

hynekkar · web-flow · commit 2a131ff8be8c · 2023-05-16T21:51:25.000+02:00
SSADetector: Bugfix, improved memory consumption
diff --git a/README.md b/README.md
@@ -590,6 +590,15 @@ List of fields exported together with basic flow fields on interface by quic plu
 |:------------------:|:------:|:-------------------------------:|
 | QUIC_SNI           | string | Decrypted server name           |
 
+### SSADetector
+
+List of fields exported together with basic flow fields on interface by ssadetector plugin.
+The detector search for the SYN SYN-ACK ACK pattern in packet lengths. Multiple occurrences of this pattern suggest a tunneled connection.
+
+| Output field       | Type   | Description                             |
+|:------------------:|:------:|:---------------------------------------:|
+| SSA_CONF_LEVEL     | uint8  | 1 if SSA sequence detected, 0 otherwise |
+
 ## Simplified function diagram
 Diagram below shows how `ipfixprobe` works.
 
diff --git a/process/ssadetector.cpp b/process/ssadetector.cpp
@@ -133,19 +133,20 @@ void SSADetectorPlugin::update_record(RecordExtSSADetector* record, const Packet
    transition_from_init(record, len, ts, dir);
 }
 
-int SSADetectorPlugin::post_create(Flow& rec, const Packet& pkt)
-{
-   RecordExtSSADetector* record = new RecordExtSSADetector();
-   rec.add_extension(record);
-
-   update_record(record, pkt);
-   return 0;
-}
 
 int SSADetectorPlugin::post_update(Flow& rec, const Packet& pkt)
 {
-   RecordExtSSADetector* record
-       = (RecordExtSSADetector*) rec.get_extension(RecordExtSSADetector::REGISTERED_ID);
+   RecordExtSSADetector *record = nullptr;
+   if (rec.src_packets + rec.dst_packets < MIN_PKT_IN_FLOW) {
+      return 0;
+   }
+
+   record = (RecordExtSSADetector *) rec.get_extension(RecordExtSSADetector::REGISTERED_ID);
+   if (record == nullptr) {
+      record = new RecordExtSSADetector();
+      rec.add_extension(record);   
+   }
+   
    update_record(record, pkt);
    return 0;
 }
diff --git a/process/ssadetector.hpp b/process/ssadetector.hpp
@@ -189,7 +189,6 @@ class SSADetectorPlugin : public ProcessPlugin {
    RecordExt* get_ext() const { return new RecordExtSSADetector(); }
    ProcessPlugin* copy();
 
-   int post_create(Flow& rec, const Packet& pkt);
    int post_update(Flow& rec, const Packet& pkt);
    void pre_export(Flow& rec);
    void update_record(RecordExtSSADetector* record, const Packet& pkt);
