Detection

Earlier, I provided an OpenSSL command that spoofs the SNI value when connecting to my server. To see whether the resulting flow would be misclassified as Twitter, I ran it through nDPI, an open source DPI engine maintained by the folks at ntop.

Using the linked packet capture taken from that OpenSSL command, we can see that nDPI misclassified the flow:

A partial snippet of the signature source shows how this match is defined:

# vi src/lib/ndpi_content_match.c.inc
...
7967 /* ****************************************************** */
7968 
7969 /*
7970   Host-based match
7971 
7972   HTTP:  Server: field
7973   HTTPS: Server certificate name
7974 */
7975 
7976 ndpi_protocol_match host_match[] = {
...
8073   { "twitter.",                         "Twitter",              NDPI_PROTOCOL_TWITTER, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
...

Line 8073 shows that the signature fires whenever the substring "twitter." appears in the Host field of an HTTP flow or the SNI field of a TLS flow. Both values are supplied by the client and sent in cleartext before the server has proven anything about itself, so a client is free to present a Twitter hostname to a server that is not Twitter.

Looking at the packet capture in Wireshark shows that the SNI field is set to api.twitter.com, so the substring "twitter." is present and the match occurs: