Mining dissector gives false positives on any JSON-RPC over TCP traffic
0xA50C1A1 opened this issue · 2 comments
0xA50C1A1 commented
Describe the bug
Well, this is totally screwed up... With such a check, this dissector will trigger on any JSON-RPC over TCP traffic, even non-mining related.
if(ndpi_strnstr((const char *)packet->payload, "{", packet->payload_packet_len)
   && (ndpi_strnstr((const char *)packet->payload, "\"method\":", packet->payload_packet_len)
       || ndpi_strnstr((const char *)packet->payload, "\"blob\":", packet->payload_packet_len)
       /* || ndpi_strnstr((const char *)packet->payload, "\"id\":", packet->payload_packet_len) - Removed as too generic */
      )
  )
Here's the JSON-RPC spec to prove my words.
Expected behavior
This dissector is worth either deleting or reworking.
Obtained behavior
Mining dissector gives false positives on common JSON-RPC over TCP traffic.
nDPI Environment (please complete the following information):
- OS name: Ubuntu
- OS version: 23.04
- Architecture: amd64
- nDPI version or commit hash: from the dev branch
- nDPI compilation flags used: --with-pcre2 --with-nbpf-path=/home/vladimir/PF_RING/userland/nbpf/
config.log
How to reproduce the reported bug
Reproducible using ndpiReader?
- The reported bug is reproducible using ndpiReader.
If applicable, the used ndpiReader options:
ndpiReader -v 2 -V 3 -i jsonrpc.pcap
If your bug is reproducible using a pcap, please attach a pcap file (or a valid link to download it)
Steps to reproduce the behavior:
- Run 'ndpiReader -v 2 -V 3 -i jsonrpc.pcap'
- See error
0xA50C1A1 commented
@utoni @IvanNardi what do you think about it?
P.S. Sorry if my bug report seems rude to you, guys.
utoni commented
Not rude. I agree with you. IMHO I would like to either get rid of those too generic detection patterns in mining.c or de-serialize the JSON message the proper way.
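Added example, not nDPI code: a Python sketch contrasting the substring condition quoted in the report with a check that deserializes the message and matches only mining-specific shapes. The Stratum v1 `mining.*` method namespace and the Monero-style `result.job.blob` layout are assumptions not stated in the issue, and all sample payloads are constructed.

```python
import json

# Constructed sample payloads (not taken from the issue's pcap).
GENERIC_JSONRPC = b'{"jsonrpc": "2.0", "method": "subtract", "params": [42, 23], "id": 1}'
STRATUM_SUBSCRIBE = b'{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.0"]}'
STRATUM_NOTIFY = b'{"id": null, "method": "mining.notify", "params": ["job1", "0000"]}'
XMR_LOGIN_RESULT = (b'{"id": 1, "jsonrpc": "2.0", "result": {"id": "w1", '
                    b'"job": {"blob": "0707deadbeef", "job_id": "j1", "target": "b88d0600"}, '
                    b'"status": "OK"}}')
NOT_JSON = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

# Assumption: Stratum v1 methods are namespaced "mining.*" (not stated in the issue).
STRATUM_METHOD_PREFIX = "mining."


def naive_mining_match(payload: bytes) -> bool:
    """Python port of the substring condition quoted in the issue. It fires on
    every JSON-RPC request, because every request carries a "method" member."""
    return b"{" in payload and (b'"method":' in payload or b'"blob":' in payload)


def strict_mining_match(payload: bytes) -> bool:
    """Deserialize the message and require a mining-specific shape rather than
    generic JSON-RPC keys: a "mining.*" method, or a result carrying a job blob
    (assumed Monero-style pool layout result.job.blob)."""
    try:
        msg = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False  # not JSON at all, so not JSON-RPC of any kind
    if not isinstance(msg, dict):
        return False
    method = msg.get("method")
    if isinstance(method, str) and method.startswith(STRATUM_METHOD_PREFIX):
        return True
    result = msg.get("result")
    if isinstance(result, dict):
        job = result.get("job")
        if isinstance(job, dict) and isinstance(job.get("blob"), str):
            return True
    return False


def compare(payloads):
    """Return (naive, strict) verdicts per payload so false positives stand out."""
    return [(naive_mining_match(p), strict_mining_match(p)) for p in payloads]


if __name__ == "__main__":
    samples = [GENERIC_JSONRPC, STRATUM_SUBSCRIBE, STRATUM_NOTIFY, XMR_LOGIN_RESULT, NOT_JSON]
    for p, (naive, strict) in zip(samples, compare(samples)):
        print(f"naive={naive!s:5} strict={strict!s:5} {p[:40]!r}")
```

The generic `subtract` request is the false positive from the report: the naive port flags it, the deserializing check does not, while both Stratum messages and the Monero-style job result are still matched.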