ntop/nDPI

Mining dissector gives false positives on any JSON-RPC over TCP traffic

0xA50C1A1 opened this issue · 2 comments

Describe the bug

Well, this is totally screwed up... With such a check, this dissector will trigger on any JSON-RPC over TCP traffic, even non-mining-related.

    if(ndpi_strnstr((const char *)packet->payload, "{", packet->payload_packet_len)
       && (ndpi_strnstr((const char *)packet->payload, "\"method\":", packet->payload_packet_len)
           || ndpi_strnstr((const char *)packet->payload, "\"blob\":", packet->payload_packet_len)
           /* || ndpi_strnstr((const char *)packet->payload, "\"id\":", packet->payload_packet_len) - Removed as too generic */
          )
      )

Here's the JSON-RPC spec to prove my words.

Expected behavior

This dissector is worth either deleting or reworking.

Obtained behavior

Mining dissector gives false positives on common JSON-RPC over TCP traffic.

nDPI Environment (please complete the following information):

  • OS name: Ubuntu
  • OS version: 23.04
  • Architecture: amd64
  • nDPI version or commit hash: from the dev branch
  • nDPI compilation flags used: --with-pcre2 --with-nbpf-path=/home/vladimir/PF_RING/userland/nbpf/
    config.log

How to reproduce the reported bug

Reproducible using ndpiReader?

  • The reported bug is reproducible using ndpiReader.

If applicable, the used ndpiReader options:

ndpiReader -v 2 -V 3 -i jsonrpc.pcap

If your bug is reproducible using a pcap, please attach a pcap file (or a valid link to download it)

jsonrpc.zip

Steps to reproduce the behavior:

  1. Run 'ndpiReader -v 2 -V 3 -i jsonrpc.pcap'
  2. See error

@utoni @IvanNardi what do you think about it?

P.S. Sorry if my bug report seems rude to you, guys.

Not rude. I agree with you. IMHO I would like to either get rid of those too generic detection patterns in mining.c or de-serialize the JSON message the proper way.
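The following is an added example, not code from nDPI or from either participant in this thread. It puts the substring heuristic quoted in the report next to the alternative suggested in the reply, deserializing the JSON-RPC message far enough to read the `method` value, and runs both over constructed payloads. `buf_find()` is a stand-in for `ndpi_strnstr()`; the rule that a mining message must carry a Stratum v1 `mining.*` method is this example's choice (the `"blob"` branch of the original check, used by other mining protocols, is not modelled here). Sample payloads are constructed, not captured traffic.

```c
/* Added example (not nDPI's own code): the substring heuristic from the
 * issue versus a check that parses the JSON-RPC "method" value.
 * buf_find() stands in for ndpi_strnstr() (assumption). */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Bounded substring search over a payload that need not be NUL terminated. */
static const char *buf_find(const char *buf, size_t len, const char *needle) {
  size_t nlen = strlen(needle);
  if (nlen == 0 || nlen > len) return NULL;
  for (size_t i = 0; i + nlen <= len; i++)
    if (memcmp(buf + i, needle, nlen) == 0) return buf + i;
  return NULL;
}

/* The heuristic quoted in the issue, as it behaves today: any JSON object
 * carrying a "method" or "blob" key is classified as mining. */
int naive_mining_match(const char *payload, size_t len) {
  return buf_find(payload, len, "{") != NULL
      && (buf_find(payload, len, "\"method\":") != NULL
          || buf_find(payload, len, "\"blob\":") != NULL);
}

/* Extract the string value of the "method" key into out (NUL terminated).
 * Returns 1 on success, 0 when there is no "method" key with a string value.
 * Constructed for this example: handles only backslash escapes, not a full
 * JSON grammar. */
int jsonrpc_method(const char *payload, size_t len, char *out, size_t outlen) {
  const char *p = buf_find(payload, len, "\"method\"");
  const char *end = payload + len;
  if (p == NULL) return 0;
  p += strlen("\"method\"");
  while (p < end && isspace((unsigned char)*p)) p++;
  if (p >= end || *p != ':') return 0;
  p++;
  while (p < end && isspace((unsigned char)*p)) p++;
  if (p >= end || *p != '"') return 0;        /* value must be a JSON string */
  p++;
  size_t n = 0;
  while (p < end && *p != '"') {
    if (*p == '\\' && p + 1 < end) p++;        /* keep the escaped character */
    if (n + 1 >= outlen) return 0;
    out[n++] = *p++;
  }
  if (p >= end) return 0;                      /* unterminated string */
  out[n] = '\0';
  return 1;
}

/* Stricter check: the payload must start a JSON object and its method must
 * live in the Stratum v1 "mining." namespace. The namespace rule is this
 * example's choice, not nDPI's dissector logic. */
int stratum_mining_match(const char *payload, size_t len) {
  const char *p = payload;
  char method[64];
  while (p < payload + len && isspace((unsigned char)*p)) p++;
  if (p >= payload + len || *p != '{') return 0;
  if (!jsonrpc_method(payload, len, method, sizeof(method))) return 0;
  return strncmp(method, "mining.", 7) == 0;
}

/* Constructed sample payloads (not captured traffic). */
static const char GENERIC_RPC[] =
  "{\"jsonrpc\":\"2.0\",\"method\":\"subtract\",\"params\":[42,23],\"id\":1}";
static const char STRATUM_SUBSCRIBE[] =
  "{\"id\":1,\"method\":\"mining.subscribe\",\"params\":[\"cpuminer/2.5.0\"]}\n";
static const char NOT_JSON[] = "GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n";

int main(void) {
  const char *samples[] = { GENERIC_RPC, STRATUM_SUBSCRIBE, NOT_JSON };
  for (size_t i = 0; i < 3; i++) {
    size_t len = strlen(samples[i]);
    printf("naive=%d strict=%d  %.40s\n",
           naive_mining_match(samples[i], len),
           stratum_mining_match(samples[i], len), samples[i]);
  }
  return 0;
}
```

The generic JSON-RPC 2.0 request is flagged by the substring heuristic but not by the parsed check, which is the false positive the report describes; the Stratum subscribe message passes both, and the non-JSON payload passes neither. A real dissector would need the full set of method names for each mining protocol rather than the single prefix used here, but once the method value is actually read the decision no longer rests on a key name that every JSON-RPC message shares.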