Merge branch 'develop'

README

@@ -1,4 +1,4 @@
-libprotoident 2.0.13
+libprotoident 2.0.14
 
 ---------------------------------------------------------------------------
 Copyright (c) 2011-2019 The University of Waikato, Hamilton, New Zealand.
@@ -27,6 +27,7 @@ With contributions from:
     Jeroen Roovers
     Jiri Havranek
     Romain Fontugne
+    Jacob van Walraven
 
 Introduction
 ============
@@ -65,7 +66,7 @@ The libprotoident tools are built by default - this can be changed by using the
 Protocols Supported
 ===================
 A full list of supported protocols can be found at 
-http://wand.net.nz/trac/libprotoident/wiki/SupportedProtocols
+https://github.com/wanduow/libprotoident/wiki/SupportedProtocols
 
 Libprotoident also currently has rules for several "mystery" protocols. These
 are patterns that commonly occur in our trace sets that we cannot tie to an
@@ -93,6 +94,9 @@ There are three tools included with libprotoident.
 	lpi_protoident <input trace URI>
 
 	The input trace must be a valid libtrace URI.
+        See https://github.com/LibtraceTeam/libtrace/wiki/Supported-Trace-Formats
+        to learn more about libtrace URIs. Note that a URI may be a live
+        source, such as a network interface.
 
    Output:
    	For each flow in the input trace, a single line is printed to stdout
@@ -132,6 +136,9 @@ There are three tools included with libprotoident.
 	lpi_find_unknown <input trace URI>
 
 	The input trace must be a valid libtrace URI.
+        See https://github.com/LibtraceTeam/libtrace/wiki/Supported-Trace-Formats
+        to learn more about libtrace URIs. Note that a URI may be a live
+        source, such as a network interface.
 
    Output:
    	For each unknown flow in the input trace, a single line is printed to 
@@ -167,6 +174,9 @@ There are three tools included with libprotoident.
         lpi_arff <input trace URI>
 
 	The input trace must be a valid libtrace URI.
+        See https://github.com/LibtraceTeam/libtrace/wiki/Supported-Trace-Formats
+        to learn more about libtrace URIs. Note that a URI may be a live
+        source, such as a network interface.
 
    Output:
         The output begins with a series of lines describing each feature that

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT(libprotoident, 2.0.13, [email protected])
+AC_INIT(libprotoident, 2.0.14, [email protected])
 
 AM_INIT_AUTOMAKE
 AC_CONFIG_SRCDIR(lib/libprotoident.cc)

debian/changelog

@@ -1,5 +1,20 @@
+libprotoident (2.0.14-1) unstable; urgency=low
+
+  * New upstream release.
+  * Added new API method: lpi_get_protocol_by_name().
+  * Fixed bug where lpi_print_category() would fail for the message
+    queuing category.
+  * Renamed "Roblox" to "Raknet" to better reflect the real underlying
+    protocol.
+  * Added new protocol category for educational applications.
+  * Added 17 new application protocols.
+  * Improved rules for a further 17 application protocols.
+
+ -- Shane Alcock <[email protected]>  Wed, 20 Nov 2019 14:11:21 +1300
+
 libprotoident (2.0.13) unstable; urgency=low
 
+  * New upstream release
   * Fixed bug where RST payload was used for classification purposes.
   * Fixed errors in 4D, Heroes of the Storm and The Division rules.
   * Added new protocol category for message queuing applications.

lib/Makefile.am

@@ -10,5 +10,5 @@ libprotoident_la_SOURCES=libprotoident.h libprotoident.cc \
 INCLUDES=@ADD_INCLS@
 libprotoident_la_LIBADD = @ADD_LIBS@ tcp/libprotoident_tcp.la \
 	udp/libprotoident_udp.la
-libprotoident_la_LDFLAGS = @ADD_LDFLAGS@ -version-info 2:13:0
+libprotoident_la_LDFLAGS = @ADD_LDFLAGS@ -version-info 3:0:1
 libprotoident_la_CPPFLAGS = -Werror

lib/libprotoident.cc

@@ -50,6 +50,7 @@ lpi_module_t *lpi_unknown_tcp = NULL;
 lpi_module_t *lpi_unknown_udp = NULL;
 
 static LPINameMap lpi_names;
+static LPIProtocolMap lpi_protocols;
 
 static int seq_cmp (uint32_t seq_a, uint32_t seq_b) {
 
@@ -78,10 +79,10 @@ int lpi_init_library() {
 	if (register_udp_protocols(&UDP_protocols) == -1) 
 		return -1;
 
-	init_other_protocols(&lpi_names);
+	init_other_protocols(&lpi_names, &lpi_protocols);
 
-	register_names(&TCP_protocols, &lpi_names);
-	register_names(&UDP_protocols, &lpi_names);
+	register_names(&TCP_protocols, &lpi_names, &lpi_protocols);
+	register_names(&UDP_protocols, &lpi_names, &lpi_protocols);
 
 	init_called = true;
 
@@ -439,6 +440,10 @@ const char *lpi_print_category(lpi_category_t category) {
 			return "Mobile App";
 		case LPI_CATEGORY_IPCAMERAS:
 			return "IP Cameras";
+		case LPI_CATEGORY_EDUCATIONAL:
+			return "Educational";
+                case LPI_CATEGORY_MESSAGE_QUEUE:
+                        return "Message_Queuing";
 		case LPI_CATEGORY_ICMP:
 			return "ICMP";
 		case LPI_CATEGORY_MIXED:
@@ -472,6 +477,21 @@ const char *lpi_print(lpi_protocol_t proto) {
 
 }
 
+lpi_protocol_t lpi_get_protocol_by_name(char *name) {
+
+	LPIProtocolMap::iterator it;
+
+	it = lpi_protocols.find(name);
+
+	if (it == lpi_protocols.end()) {
+		return LPI_PROTO_LAST;
+	}
+
+	return (it->second);
+}
+
+
+
 bool lpi_is_protocol_inactive(lpi_protocol_t proto) {
 
 	LPINameMap::iterator it;

lib/libprotoident.h

@@ -107,6 +107,8 @@ typedef enum {
     LPI_CATEGORY_ICS,           /* Industrial control system protocols */
         LPI_CATEGORY_IPCAMERAS,         /* IP Surveillance Camera protocols */
         LPI_CATEGORY_MESSAGE_QUEUE,     /* Message queuing protocols */
+        LPI_CATEGORY_EDUCATIONAL,     /* Educational applications, e.g. virtual
+                                         classrooms */
 	LPI_CATEGORY_ICMP,		/* ICMP */
 	LPI_CATEGORY_MIXED,		/* Different protos in each direction */
 	LPI_CATEGORY_NOPAYLOAD,		/* No payload observed */
@@ -390,6 +392,14 @@ typedef enum {
         LPI_PROTO_300_HEROES,
         LPI_PROTO_FILENORI,
         LPI_PROTO_IPFS,
+        LPI_PROTO_REMOTE_MANIPULATOR,
+        LPI_PROTO_WEBEX_STUN,
+        LPI_PROTO_RRTV,
+        LPI_PROTO_RABBITMQ,
+        LPI_PROTO_ICEP,
+        LPI_PROTO_BEAM,
+        LPI_PROTO_VHDP2P,
+        LPI_PROTO_CLASSIN,
 
         /* UDP Protocols */
         LPI_PROTO_UDP,
@@ -511,7 +521,7 @@ typedef enum {
 	LPI_PROTO_UDP_SPOTIFY_BROADCAST,
 	LPI_PROTO_UDP_MDNS,	/* Multicast DNS */
 	LPI_PROTO_UDP_FASP,
-	LPI_PROTO_UDP_ROBLOX,
+	LPI_PROTO_UDP_RAKNET,
 	LPI_PROTO_UDP_OPENVPN,
 	LPI_PROTO_UDP_NOE,	/* Alcatel's New Office Environment */
 	LPI_PROTO_UDP_VIBER,
@@ -622,6 +632,15 @@ typedef enum {
         LPI_PROTO_UDP_HEROES_EVOLVED,
         LPI_PROTO_UDP_RULES_OF_SURVIVAL,
         LPI_PROTO_UDP_CONTRACT_WARS,
+        LPI_PROTO_UDP_ARD,
+        LPI_PROTO_UDP_QVOD,
+        LPI_PROTO_UDP_YUANFUDAO,
+        LPI_PROTO_UDP_ROCKET_LEAGUE,
+        LPI_PROTO_UDP_CLOUDFLARE_WARP,
+        LPI_PROTO_UDP_WIREGUARD,
+        LPI_PROTO_UDP_COD_MOBILE,
+        LPI_PROTO_UDP_NVIDIA_GAMESTREAM,
+        LPI_PROTO_UDP_CLASSIN,
 
 	/* Patterns that we can match, but do not know the protocol */
 	LPI_PROTO_REJECTION,	/* All responses are 0x02 */
@@ -769,6 +788,14 @@ const char *lpi_print_category(lpi_category_t category);
  */
 lpi_module_t *lpi_guess_protocol(lpi_data_t *data);
 
+/** Given the protocol name, returns the lpi protcol it matches.
+ *
+ * @param name The protocol name
+ *
+ * @returns The LPI protocol for the supplied name.
+ */
+lpi_protocol_t lpi_get_protocol_by_name(char *name);
+
 /** Determines whether the protocol matching a given protocol number is no
  *  longer supported by libprotoident.
  *

lib/proto_common.cc

@@ -327,6 +327,10 @@ bool match_file_header(uint32_t payload) {
         if (MATCH(payload, 't', 't', 'c', 'f'))
                 return true;
 
+        /* RIR delegation files... */
+        if (MATCH(payload, '2', '.', '3', '|'))
+                return true;
+
         /* REBASE -- restriction enzyme database
          * A bit niche, but might be fairly common at universities? */
         if (MATCH(payload, 0x20, 0x0a, 'R', 'E'))