Add OICQAnalyzer #42

Open
wants to merge 4 commits into
base: master
@HynoR HynoR commented Jan 31, 2024

Add OICQ Analyzer (For QQ):

usage:

- name: all oicq traffic
  action: block
  expr: oicq != nil

- name: oicq and QQ number is 114514
  action: block
  expr: oicq != nil && oicq.number == 114514

result:
When applying the rule "oicq and QQ number is 114514", the user with the number 114514 cannot log in to QQ, or successfully send messages to the QQ server, even if he is already logged in.

@haruue
Collaborator

haruue commented Jan 31, 2024

Thanks for your contribution.

What version of QQ can I use to test this analyzer?
I've tried with iOS QQ v9.0.x (latest) and PC QQ 9.5.x (2022), but it seems that no connection is detected as OICQ by this analyzer.

@HynoR
Author

HynoR commented Feb 1, 2024

> Thanks for your contribution.
>
> What version of QQ can I use to test this analyzer? I've tried with iOS QQ v9.0.x (latest) and PC QQ 9.5.x (2022), but it seems that no connection is detected as OICQ by this analyzer.

I tested it on the latest version of TIM.
Maybe some versions are not concerned; I will look into it.

@HynoR HynoR changed the title Add OICQAnalyzer WIP:Add OICQAnalyzer Feb 1, 2024
@HynoR
Author

HynoR commented Feb 1, 2024

Blocking QQ Traffic solely by blocking OICQ appears outdated. The latest version of QQ defaults to using port 443 and a new protocol. The OICQ analyzer might not be effective on it.

Some QQ IM software still uses OICQ to connect to the Tencent Server, with an unfixed version parameter. I've modified the code to enable analysis of the OICQ protocol. The module's value is still under consideration.

@HynoR HynoR marked this pull request as draft February 1, 2024 02:16
@HynoR
Author

HynoR commented Feb 1, 2024

rule:

- name: oicq
  action: block
  expr: oicq != nil && oicq.number == 109xxxxxxx

log result:
[images]

@HynoR HynoR marked this pull request as ready for review February 1, 2024 02:55
@HynoR HynoR changed the title WIP:Add OICQAnalyzer Add OICQAnalyzer Feb 2, 2024
@HynoR
Author

HynoR commented Feb 2, 2024

QQ selects the optimal communication method based on the network environment. On Windows devices, it works on the latest version of QQ when it is using the OICQ protocol. (I've implemented some tricks to prioritize OICQ.)

@haruue
Collaborator

haruue commented Feb 2, 2024

Still unable to confirm it works for PC QQ 9.7.22.29298 (Legacy latest) and PC QQ 9.9.7.21357 (QQNT latest).

How to "implement some tricks to prioritize OICQ"?
