From 160bbfac8a7b40a4af2c3d0031c8aaad0d5dd8ff Mon Sep 17 00:00:00 2001 From: Nardi Ivan Date: Wed, 1 Nov 2023 20:11:17 +0100 Subject: [PATCH] fuzz: improve coverage and remove dead code We are not able to remove custom rules: remove the empty stubs (which originate from the original OpenDPI code). `ndpi_guess_protocol_id()` is only called on the first packet of the flow, so the bitmask `flow->excluded_protocol_bitmask` is always empty, since we didn't call any dissectors yet. Move another hash function to the dedicated source file. --- fuzz/fuzz_alg_crc32_md5.c | 3 + fuzz/fuzz_ds_hash.cpp | 5 +- fuzz/fuzz_gcrypt_cipher.cpp | 42 ++++++------ fuzz/fuzz_gcrypt_gcm.cpp | 9 ++- src/lib/ndpi_hash.c | 27 ++++++++ src/lib/ndpi_main.c | 82 +++--------------------- src/lib/ndpi_utils.c | 34 +--------- tests/cfgs/default/pcap/stun.pcap | Bin 29574 -> 34424 bytes tests/cfgs/default/result/stun.pcap.out | 18 ++++-- 9 files changed, 85 insertions(+), 135 deletions(-) diff --git a/fuzz/fuzz_alg_crc32_md5.c b/fuzz/fuzz_alg_crc32_md5.c index 1f45e476e093..def56566c83c 100644 --- a/fuzz/fuzz_alg_crc32_md5.c +++ b/fuzz/fuzz_alg_crc32_md5.c @@ -15,6 +15,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ndpi_murmur_hash((const char *)data, size); ndpi_quick_hash(data, size); + if(size >= 16) + ndpi_quick_16_byte_hash(data); + str = ndpi_malloc(size + 1); if(str) { memcpy(str, data, size); diff --git a/fuzz/fuzz_ds_hash.cpp b/fuzz/fuzz_ds_hash.cpp index 5b26d684b08a..4bcd4a48556d 100644 --- a/fuzz/fuzz_ds_hash.cpp +++ b/fuzz/fuzz_ds_hash.cpp @@ -57,7 +57,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ndpi_hash_find_entry(h, value_added.data(), value_added.size(), &value); } - ndpi_hash_free(&h, cleanup_func); + if (fuzzed_data.ConsumeBool()) + ndpi_hash_free(&h, cleanup_func); + else + ndpi_hash_free(NULL, cleanup_func); return 0; } 
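Review bot: In fuzz/fuzz_ds_hash.cpp the new `else` branch calls `ndpi_hash_free(NULL, cleanup_func)` and never releases `h`, so any input that takes that branch after building a table ends the run with the table still allocated, unless it is freed somewhere outside this hunk. A leak-checking fuzz build would then stop on the harness itself rather than on a library bug. The NULL-argument path can be covered without skipping the real cleanup: call `ndpi_hash_free(NULL, cleanup_func);` and then, unconditionally, `ndpi_hash_free(&h, cleanup_func);`. The body of LLVMFuzzerTestOneInput starts outside the hunk.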
diff --git a/fuzz/fuzz_gcrypt_cipher.cpp b/fuzz/fuzz_gcrypt_cipher.cpp
index 7eaffcdc201c..270c583ea2ed 100644
--- a/fuzz/fuzz_gcrypt_cipher.cpp
+++ b/fuzz/fuzz_gcrypt_cipher.cpp
@@ -67,28 +67,34 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { rc_e = mbedtls_cipher_setkey(ctx_e, key.data(), key.size() * 8, MBEDTLS_ENCRYPT); rc_d = mbedtls_cipher_setkey(ctx_d, key.data(), key.size() * 8, MBEDTLS_DECRYPT); if(rc_e == 0 && rc_d == 0) { - rc_e = mbedtls_cipher_set_iv(ctx_e, iv.data(), iv.size()); - rc_d = mbedtls_cipher_set_iv(ctx_d, iv.data(), iv.size()); - if(rc_e == 0 && rc_d == 0) { - mbedtls_cipher_reset(ctx_e); - mbedtls_cipher_reset(ctx_d); - - rc_e = mbedtls_cipher_update(ctx_e, input.data(), input.size(), output, &output_size); - if(rc_e == 0) { - rc_e = mbedtls_cipher_finish(ctx_e, NULL, &output_size2); + + if(fuzzed_data.ConsumeBool()) { + rc_e = mbedtls_cipher_crypt(ctx_e, iv.data(), iv.size(), + input.data(), input.size(), output, &output_size); + } else { + rc_e = mbedtls_cipher_set_iv(ctx_e, iv.data(), iv.size()); + rc_d = mbedtls_cipher_set_iv(ctx_d, iv.data(), iv.size()); + if(rc_e == 0 && rc_d == 0) { + mbedtls_cipher_reset(ctx_e); + mbedtls_cipher_reset(ctx_d); + + rc_e = mbedtls_cipher_update(ctx_e, input.data(), input.size(), output, &output_size); if(rc_e == 0) { + rc_e = mbedtls_cipher_finish(ctx_e, NULL, &output_size2); + if(rc_e == 0) { - rc_d = mbedtls_cipher_update(ctx_d, output, output_size, decrypted, &decrypted_size); - if(rc_d == 0) { - rc_d = mbedtls_cipher_finish(ctx_d, NULL, &output_size2); - /* TODO: decryption doesn't work with no-aesni data path! - Note that with MASAN, aesni is always disabled */ + rc_d = mbedtls_cipher_update(ctx_d, output, output_size, decrypted, &decrypted_size); + if(rc_d == 0) { + rc_d = mbedtls_cipher_finish(ctx_d, NULL, &output_size2); + /* TODO: decryption doesn't work with no-aesni data path! 
+ Note that with MASAN, aesni is always disabled */ #if 0 - if(rc_d == 0) { - assert(input.size() == decrypted_size); - assert(memcmp(input.data(), decrypted, decrypted_size) == 0); - } + if(rc_d == 0) { + assert(input.size() == decrypted_size); + assert(memcmp(input.data(), decrypted, decrypted_size) == 0); + } #endif + } } } } diff --git a/fuzz/fuzz_gcrypt_gcm.cpp b/fuzz/fuzz_gcrypt_gcm.cpp index debead9b46ce..f77a6583be4d 100644 --- a/fuzz/fuzz_gcrypt_gcm.cpp +++ b/fuzz/fuzz_gcrypt_gcm.cpp @@ -20,7 +20,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { int key_len, rc_e, rc_d; mbedtls_cipher_id_t cipher; unsigned char *tag; - int iv_len, tag_len, input_length, force_auth_tag_error; + int iv_len, tag_len, ad_len, input_length, force_auth_tag_error; /* No real memory allocations involved */ @@ -50,6 +50,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { tag_len = fuzzed_data.ConsumeIntegralInRange(0, 17); tag = (unsigned char *)malloc(tag_len); + ad_len = fuzzed_data.ConsumeIntegralInRange(0, 17); + std::vectorad = fuzzed_data.ConsumeBytes(ad_len); + input_length = fuzzed_data.ConsumeIntegralInRange(16, 64); std::vectorinput = fuzzed_data.ConsumeBytes(input_length); output = (unsigned char *)malloc(input_length); @@ -71,7 +74,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { rc_e = mbedtls_gcm_crypt_and_tag(gcm_e_ctx, MBEDTLS_GCM_ENCRYPT, input.size(), iv.data(), iv.size(), - NULL, 0, /* TODO */ + ad.data(), ad.size(), input.data(), output, tag_len, tag); @@ -85,7 +88,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { rc_d = mbedtls_gcm_auth_decrypt(gcm_d_ctx, input.size(), iv.data(), iv.size(), - NULL, 0, /* TODO */ + ad.data(), ad.size(), tag, tag_len, output, decrypted); diff --git a/src/lib/ndpi_hash.c b/src/lib/ndpi_hash.c index 567e1d67cc9a..0a3507d7659b 100644 --- a/src/lib/ndpi_hash.c +++ b/src/lib/ndpi_hash.c 
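Review bot: Neither the capacity of `output` nor the return code is checked around the new one-shot `mbedtls_cipher_crypt(...)` call in fuzz/fuzz_gcrypt_cipher.cpp. The allocation of `output` is outside the hunk; if it is sized to exactly `input.size()`, confirm that the bundled cipher never writes more than the input length, since upstream mbedTLS asks for input length plus one block for this call. This branch exercises only `ctx_e`, and the round-trip asserts further down are still under `#if 0`, so a comment such as `/* one-shot API: only memory safety is checked here, no decrypt round trip */` would make the limited oracle explicit.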
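Review bot: The harness in fuzz/fuzz_gcrypt_gcm.cpp never presents a mismatching AD: the new `ad` vector (hunk at -50) is passed unchanged to both `mbedtls_gcm_crypt_and_tag` and `mbedtls_gcm_auth_decrypt` (hunks at -71 and -85). Authenticating the associated data is the property that matters for GCM, so it would be worth altering one byte of a copy of `ad` on a fuzzer-chosen branch and expecting the decrypt to fail, much as `force_auth_tag_error` presumably does for the tag (its use is outside these hunks). A short comment next to the new lines would also help, e.g. `/* ad may be shorter than ad_len (or empty) when the input runs out; ad.size() is what is passed on */`.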
@@ -125,4 +125,31 @@ u_int32_t ndpi_hash_string_len(const char *str, u_int len) { return(hash); } +/* ******************************************************************** */ + +#define ROR64(x,r) (((x)>>(r))|((x)<<(64-(r)))) + +/* + 'in_16_bytes_long` points to some 16 byte memory data to be hashed; + two independent 64-bit linear congruential generators are applied + results are mixed, scrambled and cast to 32-bit +*/ +u_int32_t ndpi_quick_16_byte_hash(u_int8_t *in_16_bytes_long) { + u_int64_t a = *(u_int64_t*)(in_16_bytes_long + 0); + u_int64_t c = *(u_int64_t*)(in_16_bytes_long + 8); + // multipliers are taken from sprng.org, addends are prime + a = a * 0x2c6fe96ee78b6955 + 0x9af64480a3486659; + c = c * 0x369dea0f31a53f85 + 0xd0c6225445b76b5b; + + // mix results + a += c; + + // final scramble + a ^= ROR64(a, 13) ^ ROR64(a, 7); + + // down-casting, also taking advantage of upper half + a ^= a >> 32; + + return((u_int32_t)a); +} diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index a6eceee28220..c07d95c1f9ec 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -224,8 +224,6 @@ static int addDefaultPort(struct ndpi_detection_module_struct *ndpi_str, ndpi_port_range *range, ndpi_proto_defaults_t *def, u_int8_t customUserProto, ndpi_default_ports_tree_node_t **root, const char *_func, int _line); -static int removeDefaultPort(ndpi_port_range *range, ndpi_proto_defaults_t *def, - ndpi_default_ports_tree_node_t **root); static void ndpi_reset_packet_line_info(struct ndpi_packet_struct *packet); static void ndpi_int_change_protocol(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, @@ -474,7 +472,6 @@ u_int8_t ndpi_is_subprotocol_informative(struct ndpi_detection_module_struct *nd /* All dissectors that have calls to ndpi_match_host_subprotocol() */ case NDPI_PROTOCOL_DNS: return(1); - break; default: return(0); 
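Review bot: `ndpi_quick_16_byte_hash()` as added to src/lib/ndpi_hash.c loads both halves with `*(u_int64_t*)(in_16_bytes_long + 0)` and `*(u_int64_t*)(in_16_bytes_long + 8)`, which is undefined for a byte pointer that is not 8-byte aligned and also breaks strict aliasing. Now that fuzz/fuzz_alg_crc32_md5.c calls it on arbitrary `data`, an alignment-checking sanitizer build can flag it. Copying the bytes is equivalent and safe: `u_int64_t a, c; memcpy(&a, in_16_bytes_long, 8); memcpy(&c, in_16_bytes_long + 8, 8);` (needs `<string.h>` if the file does not already include it). The parameter should also be `const u_int8_t *`, because the function only reads and the fuzzer passes a `const uint8_t *`. The header comment could add that the caller must supply at least 16 readable bytes and that the result depends on host byte order.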
@@ -682,37 +679,6 @@ static int addDefaultPort(struct ndpi_detection_module_struct *ndpi_str, /* ****************************************************** */ -/* - NOTE - - This function must be called with a semaphore set, this in order to avoid - changing the datastructures while using them -*/ -static int removeDefaultPort(ndpi_port_range *range, ndpi_proto_defaults_t *def, - ndpi_default_ports_tree_node_t **root) { - ndpi_default_ports_tree_node_t node; - u_int16_t port; - - for(port = range->port_low; port <= range->port_high; port++) { - ndpi_default_ports_tree_node_t *ret; - - node.proto = def, node.default_port = port; - - ret = (ndpi_default_ports_tree_node_t *) - ndpi_tdelete(&node, (void *) root, - ndpi_default_ports_tree_node_t_cmp); /* Add it to the tree */ - - if(ret != NULL) { - ndpi_free((ndpi_default_ports_tree_node_t *) ret); - return(0); - } - } - - return(-1); -} - -/* ****************************************************** */ - /* This is a function used to see if we need to add a trailer $ in case the string is complete @@ -833,19 +799,6 @@ static int ndpi_add_host_url_subprotocol(struct ndpi_detection_module_struct *nd } -/* ****************************************************** */ - -/* - NOTE - - This function must be called with a semaphore set, this in order to avoid - changing the datastructures while using them -*/ -static int ndpi_remove_host_url_subprotocol(struct ndpi_detection_module_struct *ndpi_str, char *value, int protocol_id) { - NDPI_LOG_ERR(ndpi_str, "[NDPI] Missing implementation for proto %s/%d\n", value, protocol_id); - return(-1); -} - /* ******************************************************************** */ int ndpi_init_empty_app_protocol(ndpi_protocol_match const * const hostname_list, 
@@ -4014,15 +3967,8 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str, if(found != NULL) { u_int16_t guessed_proto = found->proto->protoId; - /* We need to check if the guessed protocol isn't excluded by nDPI */ - if(flow && (proto == IPPROTO_UDP) && - NDPI_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, guessed_proto) && - is_udp_not_guessable_protocol(guessed_proto)) - return(NDPI_PROTOCOL_UNKNOWN); - else { - *user_defined_proto = found->customUserProto; - return(guessed_proto); - } + *user_defined_proto = found->customUserProto; + return(guessed_proto); } } else { /* No TCP/UDP */ @@ -4264,8 +4210,8 @@ int ndpi_add_trusted_issuer_dn(struct ndpi_detection_module_struct *ndpi_str, ch } /* ******************************************************************** */ -int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_str, - char *rule, u_int8_t do_add) { +static int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_str, + char *rule) { char *at, *proto, *elem; ndpi_proto_defaults_t *def; u_int subprotocol_id, i; @@ -4330,11 +4276,6 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_str, def = NULL; if(def == NULL) { - if(!do_add) { - /* We need to remove a rule */ - NDPI_LOG_ERR(ndpi_str, "Unable to find protocol '%s': skipping rule '%s'\n", proto, rule); - return(-3); - } else { ndpi_port_range ports_a[MAX_DEFAULT_PORTS], ports_b[MAX_DEFAULT_PORTS]; char *equal = strchr(proto, '='); u_int16_t user_proto_id = ndpi_str->ndpi_num_supported_protocols; @@ -4371,7 +4312,6 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_str, def = &ndpi_str->proto_defaults[ndpi_str->ndpi_num_supported_protocols]; subprotocol_id = ndpi_str->ndpi_num_supported_protocols; ndpi_str->ndpi_num_supported_protocols++, ndpi_str->ndpi_num_custom_protocols++; - } } while((elem = strsep(&rule, ",")) != NULL) { 
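Review bot: Nothing in `ndpi_guess_protocol_id()` states or checks the first-packet-only assumption that the simplified `if(found != NULL)` branch now depends on; the reasoning lives only in the commit message. A comment at that branch would keep a later caller from reusing the function mid-flow, e.g. `/* Only called on the first packet of a flow: flow->excluded_protocol_bitmask is still empty, so no exclusion check is needed */`. If `is_udp_not_guessable_protocol()` has no other caller it is now dead code and, if static, will raise an unused-function warning; its definition is outside the hunk. The function body starts and ends outside the hunk.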
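Review bot: No header is touched in this commit although `ndpi_handle_rule()` becomes `static` and loses its `do_add` parameter (hunk at -4264). If a prototype with the old signature is still declared in an installed header, or any binding or application calls the symbol, it will stop building or linking, so this is worth confirming and recording in the changelog. The now-private function would also benefit from a short header comment saying that it only adds entries, that it modifies `rule` in place through `strsep()`, and that a non-zero return means the caller treats the rule as discarded. The function body continues outside the hunk.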
@@ -4445,11 +4385,8 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_str, else range.port_low = range.port_high = atoi(&elem[4]); - if(do_add) - rc = addDefaultPort(ndpi_str, &range, def, 1 /* Custom user proto */, + rc = addDefaultPort(ndpi_str, &range, def, 1 /* Custom user proto */, is_tcp ? &ndpi_str->tcpRoot : &ndpi_str->udpRoot, __FUNCTION__, __LINE__); - else - rc = removeDefaultPort(&range, def, is_tcp ? &ndpi_str->tcpRoot : &ndpi_str->udpRoot); if(rc != 0) ret = rc; } else if(is_ip) { @@ -4458,11 +4395,8 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_str, if(rc != 0) return(rc); } else { - if(do_add) - ndpi_add_host_url_subprotocol(ndpi_str, value, subprotocol_id, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, - NDPI_PROTOCOL_ACCEPTABLE, 0); - else - ndpi_remove_host_url_subprotocol(ndpi_str, value, subprotocol_id); + ndpi_add_host_url_subprotocol(ndpi_str, value, subprotocol_id, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, + NDPI_PROTOCOL_ACCEPTABLE, 0); } } @@ -4971,7 +4905,7 @@ int ndpi_load_protocols_file_fd(struct ndpi_detection_module_struct *ndpi_str, F /* printf("Processing: \"%s\"\n", buffer); */ - if(ndpi_handle_rule(ndpi_str, buffer, 1) != 0) + if(ndpi_handle_rule(ndpi_str, buffer) != 0) NDPI_LOG_INFO(ndpi_str, "Discraded rule '%s'\n", buffer); } diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index 68c07fa6c927..b41ec6706dd6 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -2051,11 +2051,10 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) { case NDPI_TLS_ALPN_SNI_MISMATCH: return("ALPN/SNI Mismatch"); - + case NDPI_MALWARE_HOST_CONTACTED: return("Client contacted a malware host"); - break; - + default: ndpi_snprintf(buf, sizeof(buf), "%d", (int)risk); return(buf); 
@@ -2201,35 +2200,6 @@ ndpi_http_method ndpi_http_str2method(const char* method, u_int16_t method_len) /* ******************************************************************** */ -#define ROR64(x,r) (((x)>>(r))|((x)<<(64-(r)))) - -/* - 'in_16_bytes_long` points to some 16 byte memory data to be hashed; - two independent 64-bit linear congruential generators are applied - results are mixed, scrambled and cast to 32-bit -*/ -u_int32_t ndpi_quick_16_byte_hash(u_int8_t *in_16_bytes_long) { - u_int64_t a = *(u_int64_t*)(in_16_bytes_long + 0); - u_int64_t c = *(u_int64_t*)(in_16_bytes_long + 8); - - // multipliers are taken from sprng.org, addends are prime - a = a * 0x2c6fe96ee78b6955 + 0x9af64480a3486659; - c = c * 0x369dea0f31a53f85 + 0xd0c6225445b76b5b; - - // mix results - a += c; - - // final scramble - a ^= ROR64(a, 13) ^ ROR64(a, 7); - - // down-casting, also taking advantage of upper half - a ^= a >> 32; - - return((u_int32_t)a); -} - -/* ******************************************************************** */ - int ndpi_hash_init(ndpi_str_hash **h) { if (h == NULL) 
diff --git a/tests/cfgs/default/pcap/stun.pcap b/tests/cfgs/default/pcap/stun.pcap index aceefec22d1b6b9a417369c80961e18ebe643634..c7e645eea168eb9afd1df6e54f90eb61bbf5dc68 100644 GIT binary patch delta 7866 zcmb_hYgkm(8eYRi!9)cShZ!!T*%=jq0R=}v#keR4q=E{D%Ah!0h7q|aDZ!YRqlG@= zGBmvP95pe`R4_fHh?truLrP2YLX?-|i8Ql99dGCR_IBWt*iV02&oeT6z3+Oz_j}jc z8)jVgU)h5atKu#W4qetV#$tlK6f*ev?D?=}y;*d+F~2|+;NutIqw&^iz4fWa)SUF0 z%!b9WnA9A7>P%g>s{fSqoYdSjT~6iz)es+zPoS#*nDji=Jn?? zzoOKFY`>!Xlzd}ezJIaCM+3~F>};Li04UEGnn5GZ&wnx~XL&!K%vrJSY`&pDqfJTG z&D5m$4Gm0X_OQ|(I9-|ix%nZYc|SkDR`-CTPA7P!v2O4$j3aAoSO2%m|#KwxW|>$pkgS=zi(j`OJB0lvExJWLkft^B!;H(7b|IIE>{ z1aLJaL>v$Z+giahWVHa6SXaq$5?502`lj1;yu{j*>uug`B~WA4DRi#4{9h@nsjMzDpO6g!d!)v3}0c8sFv+7UKBmt=fvN zJEPvbZ>q3!C}VCt^vLhywC&Znv6*QR+Bvi4>))6x3ZY;g5#05W%aVz3JrM8vvT$zm{EPZCnI>#r@FyTV*9%a**zi<~;t>yD5Kp)^Sk{vT|EU9exE+~|3~ousy!;%akHJSjXO7;G>N9gr z7D%#QOrE7n3!L*>o?&ocbi|OX`QtRY`I8byj~F4EKr^@CW$D!ZzT1{%Ct>0w=2?8m z_ZQ65-10)6+lpn7=W=ut85&xk8=aduH7Y*Ok|%6>-_WQxVu#GrM}+HjUSo1ICyn#h zBxcRhMH`|fq(nxBX1qE9YW$_^Ngdd>W6sUf>-%r&o{}--i^$vmk?-4esjBMXi<^io zVQcH*Wod1}xaNP(gX?)h&S_6$gq&}^kaPUk88U08{ZnTyxQVNZyn1YNW)7G+D`0eE z!PNY-KI`w|hiYxBVWL{dc(=ww$oSj~8LxlT z40Q_8NrrAgdZ2&o>`7q(^PgA8?*68XBRkIcZl|?L*Ye^j92#0K#0K4X`uqOP+r>7p z9TREin=I%0>2N(=$aTC79{IB!!@^(4HF&`VnGI7(b_4m@4R0`xIyLKYV-EXvVD5)s z3>dWY3$YLuq&Lj+d!x<^Hw?_%)$D$$x3T>D1atEhI~HDB%nbLBGZrGtsjf*zi;oN5HaMG2n>P43gduMW1j;sPPda_ z`_3H`6$-mZDQvm}lp6am-q^)QLgnO-GkORaaB^6}1fr3_JyHTsuhxgb)PJ+tk z-K2apr2qw026mTHnX>N$s!WyG-B->4j0&B4NGXI&nbA}5Vd^2}!#xKmn|ny*v3<$| zQ6b4uN}(tRDBYaH`B6u2i8J!Agi>e0ht^3-Wo<4{u$yuxsc!Dw8rX|BI7#KP+uEy_ zpfInel){o{pY;-a-0dmlL$5f|3%ZfYV})wEi=c4ESxUh_2q@TzPcJDS2R^tjs#Nrn zQmHxy6jbTrBBgSF*XrIp#6>EPbteHvg`1KJp8E&Lg>I62OZm8S1}H_nrShoWUneRA z%cT@HdwVN8qnqzDOAWcZB7GMU}u3dFh=r zW?rK#2NYp+XL^I zxzR((kGpRL3PSBEC8q>R4OFtghlTZ`!qCs(F_*)2IsVe+F`g?x2J!YX-M<5wMo%f3 zbvLNY5fzmwAmtXyO3XaA&vdAQ(^!SZ@_}iknb*Fe7ehWbbAylE=g#Qeb*gguL z_ez*VN579+i*~C?H?+w3_;<}b$xF#M{eu=k%Q$e4x9tUrO8p7xget5%1aPCej98>` 
z9jE~q6J6I|DlTn)nHX2%02&u9GHW4FFpJ&;sZCnwjY6Pcp#uYHA*ym+yAGSBR%xT# z!vR*Q72J8yMu}!mAqC?)H;DScgN*~@(u@NN?(AG|shzzM4HWEVs1H@4JG(3sD7drd zedx|oyNbs^QTft+q412Baz!J;Rcqj%B@xtUq>jmpK`(lZ857 z!(Wplib4(W!hzB6I=){FZsTwo95qsll#rk{BYVZ=!ur+9N-@=sgJ`Ps-s%(r6uh@$ zg6X|QZ=8xWpx_QWjgZ>m_f`T0@AHBY)F}1R?d#`WhK^hap&*3qnuy&!wpApQb0a$r zrRmxM@f?JYqUV6-W~%!{q*#Yg3bpgY)Pv$tsSPP4c2*NR#*~BPEKD0s&jLMC@+^>2 zX_fry=wdi7mSaV$1?)H^Rx5gyR-?_UgQ`jM%FvFR->t6}gDwfBK~vj}NYRANBPW+y zd6)(8o-nB=_FLYciqYxAX>|0+9Xbw_kYNhmFT%g|{8Pe;izh@vfdt_XyU#_!8A6~Y zZzi1<^HPnWdC@k%S$>-A&XF;6cg~YtTz(X!lHC+Mc<%7@!gTL0XB62|1Z4-VI>cU z8b>HsfQkbZf|meA6RqT1qjrE9gs{k6#9<&sTi#--hxhe-UnH0rcLbymM;?_5N;9KW zorKI@qnXI`jG;1?=LD8Z8v4k@OX8ILw;1}I_#LX@K+3a;K-nC735?)08d-v0u)#n$ zIqs3E()3z}3~-!B{FZ=<_^z$6+&D$a9VS!)1tFx+3JGU~3QB%$!ckI%QtJJmpa~^E zF_BVeE8SK-#a8Iwy@!Yox$QGk8C;ifVVC2VLUM?snXaUt!@&Cq=6(`*j+4FvM~JuY z%S-?4d0&$&LCVq>E%`w)E&0Rbr66S~Nh4aUW{V)AdI_1(TWnFA^Jxjxxux9MOSY^_ z*;Td3!w)>xiL_h=bc6$WTYkB!=BpD|K{=ep#;zj<17TnDRW*E{#*PcW!$wWr?;*fQ zJB%C{NShnls4j>1r45d^Y9bA)^t8cR;=tXnNzM1^cepZ~#TpF+J*ovXIqjfp>xUcKVAEtk zvBBZ#xnw)2jr}W|)Ehu>18>T3=Jn}syS9GnvwWF`+fffRo}7{E+WP&X<*AD3MMN)W z%=c*htA(yD+0mrVgc6y;R>C*?9<3tplUCmQwn<$K*Tn+uPNvb7A&ebc9;aCAq1$ye zUue|uwT6Cj%X5^LyO|7xT0?GI725Bmb+<|E@mVx>8r_G@w=p^ef0mU;&IWZdCgwME z67OztK{vlB{DHaF)^wdy!k zX60*)1rms+YDW`EFw_tw4aQ`0k(y2?H4Vn4rcG+AF;gd|txfv8@3&0gzu)t`m+yPe zd(QIR0iV5Jnxg-B@wFFyG>i7*pG7kPtZy}~E?g6=$ski+FhND&1DX?tQ;u4~g4h5PD0Ke!VNhUbq0*qx}00k}>r2<}9K z;X>dzm}Lj-4Bf^~S-cnCp`0%$EX)uDu|Kebev@=D4551nXLV097@DsExZh-5T!s74 zQ5@Vo*vCxs*720YXfNdQw;{!^s(tj=^_7l-&i(0q!K5Oqt_gp=y{O$D9F%&=9)G9J_3MsGEg|TM#^R z?XpnsWTBO|oDLJ0sH!_7Ab1iFv+Mf^ZF*8U!`XubC>EEjiiI4-a`!rH^4sKkj#&FW z1gd@_MO82H!-9Jf?Q%zI9Y@p#(fXstjJc}DcS960x1Zf`l%|K*GU3u zq~)j@w}&YO=lC)wSGUCXyK zgx>{JEVawb6^$&+(=i;+io*;uhA;;_u*E<~Dy41op%Gnr+B3)iMp9Y99hJq>QT&_hM z#>NfHn3edDt-8R;Z`!d&5r$ow%T91uQmhykcCG9Jt0Oms){o?V8DoUW%d3CQ$&G&a zu6io*H7I|J1rLP2rpGs#m}Zy2uBpPSw5E@RtBu}xYo&_M`y2iZ@KpYpd$cVH8rS32 
z6RO9Nb6Bm@YhU1yg>M9DH*t)ce2m@eKIO8fY*>_4#~u~jr*onQGuDt=aaH@?8|_(A%?X|c(cO)eI`ehxy&<`07@G?HiZ?(t5RA>=e-^r(ne3**)Ckpj+m#SA&f@z<3sn&Y{eWkV4DmJ?g zvl-dZ%B@0r{KvIAv~xeJ*M|MIZXBRnzU>N=xzDt*+W3jTb_VJhb*x?LDm`~mj;`|g zF4cP5Y>c|P?ie4ejbNl9NtV`UaFHVrwxY;ZE`7PaoYkDA0orD$o7G2Zx53FPT}ZyN zdmqCa12p@FB8KDi>oC&rbZ`sCW&CUWxSAXH3sMs@F#$T);wBdh@15iVN%DTvwBS}m z43?Xgkpmo04!;lH$M?R)XV*SeDV$=@oz?qy$r d)+>Hq%jPGw0FM_E&j4!nDCZUIaQj}@{{daZ;AsE= diff --git a/tests/cfgs/default/result/stun.pcap.out b/tests/cfgs/default/result/stun.pcap.out index a396239ff270..4c421c21e6da 100644 --- a/tests/cfgs/default/result/stun.pcap.out +++ b/tests/cfgs/default/result/stun.pcap.out @@ -1,13 +1,14 @@ Guessed flow protos: 0 DPI Packets (TCP): 9 (4.50 pkts/flow) -DPI Packets (UDP): 8 (2.67 pkts/flow) -Confidence DPI : 5 (flows) -Num dissector calls: 20 (4.00 diss/flow) +DPI Packets (UDP): 12 (3.00 pkts/flow) +DPI Packets (other): 1 (1.00 pkts/flow) +Confidence DPI : 7 (flows) +Num dissector calls: 22 (3.14 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) -LRU cache stun: 6/22/0 (insert/search/found) +LRU cache stun: 8/28/0 (insert/search/found) LRU cache tls_cert: 0/0/0 (insert/search/found) LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) 
@@ -17,16 +18,17 @@ Automa domain: 0/0 (search/found) Automa tls cert: 0/0 (search/found) Automa risk mask: 1/0 (search/found) Automa common alpns: 0/0 (search/found) -Patricia risk mask: 4/0 (search/found) +Patricia risk mask: 8/0 (search/found) Patricia risk mask IPv6: 2/0 (search/found) Patricia risk: 1/0 (search/found) Patricia risk IPv6: 1/0 (search/found) -Patricia protocols: 6/2 (search/found) +Patricia protocols: 8/4 (search/found) Patricia protocols IPv6: 2/0 (search/found) Skype_TeamsCall 15 2124 1 STUN 62 7620 2 -GoogleHangoutDuo 33 6292 1 +ICMP 1 122 1 +GoogleHangoutDuo 41 7228 2 FacebookVoip 75 10554 1 1 UDP 192.168.12.169:38123 <-> 31.13.86.54:40003 [proto: 78.268/STUN.FacebookVoip][IP: 119/Facebook][ClearText][Confidence: DPI][DPI packets: 2][cat: VoIP/10][40 pkts/6134 bytes <-> 35 pkts/4420 bytes][Goodput ratio: 73/67][10.09 sec][Hostname/SNI: turner.facebook][bytes ratio: 0.162 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 260/331 6004/5997 1040/1126][Pkt Len c2s/s2c min/avg/max/stddev: 70/68 153/126 190/174 31/39][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (unauthorized)][Plen Bins: 8,14,9,28,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 
@@ -34,3 +36,5 @@ FacebookVoip 75 10554 1 3 UDP [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603]:56880 <-> [2a38:e156:8167:a333:face:b00c::24d9]:3478 [proto: 78/STUN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 5][cat: Network/14][21 pkts/1722 bytes <-> 21 pkts/2226 bytes][Goodput ratio: 24/41][191.49 sec][bytes ratio: -0.128 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/2 9451/9451 10358/10358 2441/2441][Pkt Len c2s/s2c min/avg/max/stddev: 82/106 82/106 82/106 0/0][PLAIN TEXT (WOBTrOXR)][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 TCP 87.47.100.17:3478 <-> 54.1.57.155:37257 [proto: 78/STUN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Network/14][9 pkts/1494 bytes <-> 11 pkts/2178 bytes][Goodput ratio: 60/67][0.95 sec][Hostname/SNI: apps-host.com][bytes ratio: -0.186 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 104/96 267/252 102/93][Pkt Len c2s/s2c min/avg/max/stddev: 74/94 166/198 234/354 41/65][PLAIN TEXT (Unauthorized)][Plen Bins: 10,0,15,21,42,5,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 5 TCP 10.77.110.51:41588 <-> 10.206.50.239:42000 [VLAN: 1611][proto: 78.38/STUN.Skype_TeamsCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 3][cat: VoIP/10][7 pkts/1006 bytes <-> 8 pkts/1118 bytes][Goodput ratio: 58/57][1.05 sec][bytes ratio: -0.053 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 189/134 369/399 144/153][Pkt Len c2s/s2c min/avg/max/stddev: 70/64 144/140 164/172 31/43][Plen Bins: 0,0,25,75,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 UDP 192.168.12.169:43016 <-> 74.125.247.128:3478 [proto: 78.201/STUN.GoogleHangoutDuo][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 4][cat: VoIP/10][4 pkts/528 bytes <-> 4 pkts/408 bytes][Goodput ratio: 68/59][1.25 sec][Hostname/SNI: turn.l.google.com][bytes ratio: 0.128 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 9/23 342/409 974/1177 
447/543][Pkt Len c2s/s2c min/avg/max/stddev: 62/74 132/102 198/122 61/19][PLAIN TEXT (BSnLfRxS6)][Plen Bins: 12,37,25,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 7 ICMP 192.168.12.169:0 -> 74.125.247.128:0 [proto: 81/ICMP][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/122 bytes -> 0 pkts/0 bytes][Goodput ratio: 65/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (62NfUD5)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]