ntop/nDPI

Potential incorrect detection as Telegram (TLS)

ckcr4lyf opened this issue · 4 comments

Describe the bug

I operate a tor bridge, and expose an obfs4 proxy on port 443 for it. Usually ntopng will show these as TLS (Guess) or TLS (DPI).
However, I noticed one of them showing up as TLS.Telegram, w/ confidence DPI.

Since it's just a tor bridge, there's no way top-layer Telegram traffic would be exposed, so I am guessing this is an incorrect detection.

Expected behavior

Just be TLS?

Obtained behavior

Seems like it thinks it's Telegram

nDPI Environment (please complete the following information):

Sorry I am not sure, but my ntopng is:
ntopng Community v.6.0.240216 (Ubuntu 22.04.3 LTS)

How to reproduce the reported bug

Unsure

Reproducible using ndpiReader?

Unsure

Additional context

One guess I have is it randomly matched some bytes in the obfs4 proxy to what Telegram looks like?

[image]

I do have a 1 min pcap of this connection, though I don't want to share it publicly if possible. Also a pcap of current traffic, I am not sure it'll be helpful (vs. it probably "guessed" Telegram from way earlier on).

Sorry if this is kinda expected behavior - but I'd have thought DPI-level confidence would not be triggered by something opaquely random like obfs4.

Telegram detection (over TCP) was fixed last week in nDPI.
Could you try to update your ntopng and check, please?
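One way to do that check offline against the saved pcap, as an added example that is not part of this thread or of nDPI's own code: run ndpiReader on the capture before and after the upgrade and count flows per (protocol, confidence), flagging any flow to the bridge port that was classified as a TLS sub-protocol such as TLS.Telegram with DPI confidence. It assumes `ndpiReader -i <pcap> -v 2` prints one line per flow carrying `[proto: ID/NAME]` and `[Confidence: LEVEL]` tags; the sample lines below are constructed to mimic that layout, not captured output, so check the regex against your build's output.

```python
"""Summarise nDPI flow classifications for a pcap so a suspected false
positive (TLS.Telegram on an obfs4 bridge port) can be triaged.

Added example, not nDPI's own code.  Assumption: `ndpiReader -i <pcap> -v 2`
prints one line per flow containing `[proto: ID/NAME]` and
`[Confidence: LEVEL]` tags.  SAMPLE is constructed to mimic that layout.
"""
import re
import subprocess
from collections import Counter

# One flow line: "<n> TCP a.b.c.d:port <-> e.f.g.h:port [proto: 91.185/TLS.Telegram]...[Confidence: DPI]"
FLOW_RE = re.compile(
    r"(?P<l4>TCP|UDP)\s+(?P<src>\S+)\s+<->\s+(?P<dst>\S+)"
    r".*?\[proto:\s*[\d.]+/(?P<proto>[^\]]+)\]"
    r".*?\[Confidence:\s*(?P<confidence>[^\]]+)\]"
)


def parse_flows(text):
    """Return a list of (l4, src, dst, proto, confidence) for each flow line."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            flows.append((m["l4"], m["src"], m["dst"],
                          m["proto"].strip(), m["confidence"].strip()))
    return flows


def summarise(flows):
    """Count flows per (protocol, confidence) pair, e.g. ('TLS.Telegram', 'DPI')."""
    return Counter((proto, conf) for _, _, _, proto, conf in flows)


def _port(endpoint):
    """Extract the numeric port from 'host:port'."""
    return int(endpoint.rsplit(":", 1)[1])


def suspicious(flows, service_port, base="TLS"):
    """Flows touching service_port whose detection is a sub-protocol of `base`
    (TLS.Something) rather than plain `base`.  On a port that only ever carries
    an obfuscated transport, such refinements deserve a second look."""
    hits = []
    for _, src, dst, proto, conf in flows:
        on_port = service_port in (_port(src), _port(dst))
        refined = proto != base and proto.startswith(base + ".")
        if on_port and refined:
            hits.append((src, dst, proto, conf))
    return hits


def run_ndpi(pcap):
    """Run ndpiReader on a pcap and parse its flow lines (needs ndpiReader installed)."""
    result = subprocess.run(["ndpiReader", "-i", pcap, "-v", "2"],
                            capture_output=True, text=True, check=True)
    return parse_flows(result.stdout)


# Constructed sample output (documentation-range addresses), not real ndpiReader output.
SAMPLE = """\
\t1\tTCP 203.0.113.10:51234 <-> 198.51.100.5:443 [proto: 91/TLS][Encrypted][Confidence: DPI]
\t2\tTCP 203.0.113.11:40022 <-> 198.51.100.5:443 [proto: 91.185/TLS.Telegram][Encrypted][Confidence: DPI]
\t3\tTCP 203.0.113.12:55001 <-> 198.51.100.5:443 [proto: 91/TLS][Encrypted][Confidence: Match by port]
"""

if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    for (proto, conf), n in sorted(summarise(flows).items()):
        print(f"{n:4d}  {proto:<20} {conf}")
    for src, dst, proto, conf in suspicious(flows, 443):
        print(f"check: {src} <-> {dst} classified {proto} ({conf})")
```

Run `run_ndpi("bridge.pcap")` instead of `parse_flows(SAMPLE)` once ndpiReader is on the path; comparing the `summarise` counters from the old and the upgraded build shows directly whether the TLS.Telegram / DPI bucket disappears.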

I will try and do that, thanks.

I've updated it yesterday, and in ~24 hours TLS.Telegram has not cropped up again.

Thanks for the suggestion, closing.

@ckcr4lyf, thanks for the feedback; appreciated.