diff options
| author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2022-09-13 20:55:11 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-09-13 20:55:11 +0200 |
| commit | b4f52437169b8b3c92811566af3965719b4e0c2c (patch) | |
| tree | f5da375b968f8f8fb0407a58667053d5571c0d52 | |
| parent | eea3c448de75bcb63f505957fbcbf4e36a3b8d88 (diff) | |
Anydesk: improve detection (#1735)
| -rw-r--r-- | src/lib/ndpi_content_match.c.inc | 3 | ||||
| -rw-r--r-- | tests/pcap/anydesk-2.pcap | bin | 2232732 -> 0 bytes | |||
| -rw-r--r-- | tests/pcap/anydesk.pcap | bin | 2906892 -> 0 bytes | |||
| -rw-r--r-- | tests/pcap/anydesk.pcapng | bin | 0 -> 5279360 bytes | |||
| -rw-r--r-- | tests/result/anydesk-2.pcap.out | 34 | ||||
| -rw-r--r-- | tests/result/anydesk.pcap.out | 30 | ||||
| -rw-r--r-- | tests/result/anydesk.pcapng.out | 39 |
7 files changed, 42 insertions, 64 deletions
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index 217192fcd..b8392fd82 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc @@ -716,6 +716,8 @@ static ndpi_network host_protocol_list[] = { { 0x3353EED0 /* 51.83.238.208/29 */, 29, NDPI_PROTOCOL_ANYDESK }, { 0x3353EED8 /* 51.83.238.216/30 */, 30, NDPI_PROTOCOL_ANYDESK }, { 0x3353EEDC /* 51.83.238.220/31 */, 31, NDPI_PROTOCOL_ANYDESK }, + /* From support.anydesk.com/knowledge/firewall */ + { 0xEFFF6612 /* 239.255.102.18/32 */, 32, NDPI_PROTOCOL_ANYDESK }, /* * Edgecast CDN @@ -1713,6 +1715,7 @@ static ndpi_protocol_match host_match[] = static ndpi_tls_cert_name_match tls_certificate_match [] = { { "CN=AnyDesk Client", NDPI_PROTOCOL_ANYDESK }, + { "O=philandro Software GmbH", NDPI_PROTOCOL_ANYDESK }, { "O=Kakao", NDPI_PROTOCOL_KAKAOTALK }, { "O=ntop.org", NDPI_PROTOCOL_NTOP }, { "O=Netflix", NDPI_PROTOCOL_NETFLIX }, diff --git a/tests/pcap/anydesk-2.pcap b/tests/pcap/anydesk-2.pcap Binary files differdeleted file mode 100644 index 20749115b..000000000 --- a/tests/pcap/anydesk-2.pcap +++ /dev/null diff --git a/tests/pcap/anydesk.pcap b/tests/pcap/anydesk.pcap Binary files differdeleted file mode 100644 index 8b9c70352..000000000 --- a/tests/pcap/anydesk.pcap +++ /dev/null diff --git a/tests/pcap/anydesk.pcapng b/tests/pcap/anydesk.pcapng Binary files differnew file mode 100644 index 000000000..9d273d0d4 --- /dev/null +++ b/tests/pcap/anydesk.pcapng diff --git a/tests/result/anydesk-2.pcap.out b/tests/result/anydesk-2.pcap.out deleted file mode 100644 index 3307b08c0..000000000 --- a/tests/result/anydesk-2.pcap.out +++ /dev/null @@ -1,34 +0,0 @@ -Guessed flow protos: 0 - -DPI Packets (TCP): 13 (6.50 pkts/flow) -DPI Packets (UDP): 4 (2.00 pkts/flow) -Confidence DPI : 4 (flows) -Num dissector calls: 8 (2.00 diss/flow) -LRU cache ookla: 0/0/0 (insert/search/found) -LRU cache bittorrent: 0/0/0 (insert/search/found) -LRU cache zoom: 0/0/0 (insert/search/found) -LRU cache stun: 0/0/0 (insert/search/found) -LRU cache tls_cert: 2/2/0 (insert/search/found) -LRU cache mining: 0/0/0 (insert/search/found) -LRU cache msteams: 0/0/0 (insert/search/found) -Automa host: 4/4 (search/found) -Automa domain: 4/0 (search/found) -Automa tls cert: 2/2 (search/found) -Automa risk mask: 0/0 (search/found) -Automa common alpns: 0/0 (search/found) -Patricia risk mask: 8/0 (search/found) -Patricia risk: 0/0 (search/found) -Patricia protocols: 8/0 (search/found) - -AnyDesk 2083 346113 4 - -JA3 Host Stats: - IP Address # JA3C - 1 192.168.1.178 1 - 2 192.168.1.187 1 - - - 1 TCP 192.168.1.187:54164 <-> 192.168.1.178:7070 [proto: 91.252/TLS.AnyDesk][Encrypted][Confidence: DPI][cat: RemoteAccess/12][509 pkts/226247 bytes <-> 1555 pkts/115282 bytes][Goodput ratio: 88/22][22.84 sec][bytes ratio: 0.325 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 48/14 2966/3021 229/106][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 444/74 1511/1514 475/47][Risk: ** Known Proto on Non Std Port **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** Desktop/File Sharing **][Risk Score: 120][Risk Info: No ALPN / Found AnyDesk][TLSv1.2][JA3C: 3f2fba0262b1a22b739126dfb2fe7a7d][JA3S: ee644a8a34c434abca4b737ec1d9efad][Subject: CN=AnyDesk Client, CN=AnyDesk Client][Certificate SHA-1: F8:4E:27:4E:F9:33:35:2F:1A:69:71:D5:02:6B:B8:72:EF:B7:BA:B0][Firefox][Cipher: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,64,6,1,3,1,1,1,0,1,1,0,0,1,1,0,3,0,0,0,0,0,3,1,0,1,1,0,1,0,0,0,0,1,0,0,1,0,0,0,1,0,0,1,0,1,0,0] - 2 TCP 192.168.1.178:52039 <-> 192.168.1.187:7070 [proto: 91.252/TLS.AnyDesk][Encrypted][Confidence: DPI][cat: RemoteAccess/12][8 pkts/2035 bytes <-> 7 pkts/2157 bytes][Goodput ratio: 76/82][0.56 sec][bytes ratio: -0.029 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 92/40 406/85 150/33][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 254/308 1340/968 419/387][Risk: ** Known Proto on Non Std Port **** Weak TLS Cipher **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** Desktop/File Sharing **][Risk Score: 220][Risk Info: No ALPN / Cipher TLS_RSA_WITH_AES_256_GCM_SHA384 / Found AnyDesk][TLSv1.2][JA3C: 201999283915cc31cee6b15472ef3332][JA3S: 4b505adfb4a921c5a3a39d293b0811e1 (WEAK)][Subject: CN=AnyDesk Client, CN=AnyDesk Client][Certificate SHA-1: 86:4F:2A:9F:24:71:FD:0D:6A:35:56:AC:D8:7B:3A:19:E8:03:CA:2E][Firefox][Cipher: TLS_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,20,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,20,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0] - 3 UDP 192.168.1.187:55376 <-> 192.168.1.1:53 [proto: 5.252/DNS.AnyDesk][ClearText][Confidence: DPI][cat: RemoteAccess/12][1 pkts/90 bytes <-> 1 pkts/106 bytes][Goodput ratio: 53/60][0.01 sec][Hostname/SNI: relay-9b6827f2.net.anydesk.com][138.199.36.115][PLAIN TEXT (anydesk)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 4 UDP 192.168.1.187:59511 <-> 192.168.1.1:53 [proto: 5.252/DNS.AnyDesk][ClearText][Confidence: DPI][cat: RemoteAccess/12][1 pkts/90 bytes <-> 1 pkts/106 bytes][Goodput ratio: 53/60][0.01 sec][Hostname/SNI: relay-3185a847.net.anydesk.com][37.61.223.15][PLAIN TEXT (anydesk)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/anydesk.pcap.out b/tests/result/anydesk.pcap.out deleted file mode 100644 index b67595028..000000000 --- a/tests/result/anydesk.pcap.out +++ /dev/null @@ -1,30 +0,0 @@ -Guessed flow protos: 0 - -DPI Packets (TCP): 13 (6.50 pkts/flow) -Confidence DPI : 2 (flows) -Num dissector calls: 6 (3.00 diss/flow) -LRU cache ookla: 0/0/0 (insert/search/found) -LRU cache bittorrent: 0/0/0 (insert/search/found) -LRU cache zoom: 0/0/0 (insert/search/found) -LRU cache stun: 0/0/0 (insert/search/found) -LRU cache tls_cert: 0/0/0 (insert/search/found) -LRU cache mining: 0/0/0 (insert/search/found) -LRU cache msteams: 0/0/0 (insert/search/found) -Automa host: 0/0 (search/found) -Automa domain: 0/0 (search/found) -Automa tls cert: 0/0 (search/found) -Automa risk mask: 0/0 (search/found) -Automa common alpns: 0/0 (search/found) -Patricia risk mask: 4/0 (search/found) -Patricia risk: 0/0 (search/found) -Patricia protocols: 2/2 (search/found) - -AnyDesk 6963 2795460 2 - -JA3 Host Stats: - IP Address # JA3C - 1 192.168.149.129 1 - - - 1 TCP 192.168.149.129:43535 <-> 51.83.238.219:80 [proto: 91.252/TLS.AnyDesk][Encrypted][Confidence: DPI][cat: RemoteAccess/12][2942 pkts/175103 bytes <-> 4001 pkts/2618640 bytes][Goodput ratio: 9/92][55.97 sec][bytes ratio: -0.875 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 19/14 7028/7028 153/126][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 60/654 1514/1514 50/618][Risk: ** Known Proto on Non Std Port **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** Desktop/File Sharing **][Risk Score: 120][Risk Info: No ALPN / Expected on port 443 / Found AnyDesk][TLSv1.2][JA3C: 201999283915cc31cee6b15472ef3332][JA3S: 107030a763c7224285717ff1569a17f3][Issuer: CN=AnyNet Root CA, O=philandro Software GmbH, C=DE][Subject: C=DE, O=philandro Software GmbH, CN=AnyNet Relay][Certificate SHA-1: 9E:08:D2:58:A9:02:CD:4F:E2:4A:26:B8:48:5C:43:0B:81:29:99:E3][Firefox][Validity: 2018-11-18 02:14:23 - 2028-11-15 02:14:23][Cipher: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,7,17,2,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,3,0,0,33,0,0,0,0,29,0,0] - 2 TCP 192.168.149.129:36351 <-> 51.83.239.144:80 [proto: 91.252/TLS.AnyDesk][Encrypted][Confidence: DPI][cat: RemoteAccess/12][10 pkts/792 bytes <-> 10 pkts/925 bytes][Goodput ratio: 32/38][45.83 sec][bytes ratio: -0.077 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 32/31 5700/5700 15000/15001 7162/7162][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 79/92 105/213 25/45][Risk: ** Known Proto on Non Std Port **** Desktop/File Sharing **][Risk Score: 60][Risk Info: Expected on port 443 / Found AnyDesk][Plen Bins: 0,90,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/anydesk.pcapng.out b/tests/result/anydesk.pcapng.out new file mode 100644 index 000000000..4a596281a --- /dev/null +++ b/tests/result/anydesk.pcapng.out @@ -0,0 +1,39 @@ +Guessed flow protos: 0 + +DPI Packets (TCP): 34 (6.80 pkts/flow) +DPI Packets (UDP): 4 (2.00 pkts/flow) +Confidence DPI : 7 (flows) +Num dissector calls: 15 (2.14 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache zoom: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 3/4/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +Automa host: 4/4 (search/found) +Automa domain: 4/0 (search/found) +Automa tls cert: 3/3 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 14/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia protocols: 12/2 (search/found) + +AnyDesk 9100 3154119 7 + +JA3 Host Stats: + IP Address # JA3C + 1 192.168.1.178 1 + 2 192.168.1.187 1 + 3 192.168.1.128 1 + 4 192.168.149.129 1 + + + 1 TCP 192.168.149.129:43535 <-> 51.83.238.219:80 [proto: 91.252/TLS.AnyDesk][Encrypted][Confidence: DPI][cat: RemoteAccess/12][2942 pkts/175103 bytes <-> 4001 pkts/2618640 bytes][Goodput ratio: 9/92][55.97 sec][bytes ratio: -0.875 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 19/14 7028/7028 153/126][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 60/654 1514/1514 50/618][Risk: ** Known Proto on Non Std Port **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** Desktop/File Sharing **][Risk Score: 120][Risk Info: No ALPN / Expected on port 443 / Found AnyDesk][TLSv1.2][JA3C: 201999283915cc31cee6b15472ef3332][JA3S: 107030a763c7224285717ff1569a17f3][Issuer: CN=AnyNet Root CA, O=philandro Software GmbH, C=DE][Subject: C=DE, O=philandro Software GmbH, CN=AnyNet Relay][Certificate SHA-1: 9E:08:D2:58:A9:02:CD:4F:E2:4A:26:B8:48:5C:43:0B:81:29:99:E3][Firefox][Validity: 2018-11-18 02:14:23 - 2028-11-15 02:14:23][Cipher: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,7,17,2,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,3,0,0,33,0,0,0,0,29,0,0] + 2 TCP 192.168.1.187:54164 <-> 192.168.1.178:7070 [proto: 91.252/TLS.AnyDesk][Encrypted][Confidence: DPI][cat: RemoteAccess/12][509 pkts/226247 bytes <-> 1555 pkts/115282 bytes][Goodput ratio: 88/22][22.84 sec][bytes ratio: 0.325 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 48/14 2966/3021 229/106][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 444/74 1511/1514 475/47][Risk: ** Known Proto on Non Std Port **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** Desktop/File Sharing **][Risk Score: 120][Risk Info: No ALPN / Found AnyDesk][TLSv1.2][JA3C: 3f2fba0262b1a22b739126dfb2fe7a7d][JA3S: ee644a8a34c434abca4b737ec1d9efad][Subject: CN=AnyDesk Client, CN=AnyDesk Client][Certificate SHA-1: F8:4E:27:4E:F9:33:35:2F:1A:69:71:D5:02:6B:B8:72:EF:B7:BA:B0][Firefox][Cipher: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,64,6,1,3,1,1,1,0,1,1,0,0,1,1,0,3,0,0,0,0,0,3,1,0,1,1,0,1,0,0,0,0,1,0,0,1,0,0,0,1,0,0,1,0,1,0,0] + 3 TCP 192.168.1.128:48260 <-> 195.181.174.176:443 [proto: 91.252/TLS.AnyDesk][Encrypted][Confidence: DPI][cat: RemoteAccess/12][27 pkts/7693 bytes <-> 27 pkts/4853 bytes][Goodput ratio: 77/63][58.81 sec][ALPN: anydesk/6.2.0/linux][bytes ratio: 0.226 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 2284/1898 10210/10228 4074/3857][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 285/180 1514/1514 460/331][Risk: ** Missing SNI TLS Extn **** Desktop/File Sharing **][Risk Score: 60][Risk Info: Found AnyDesk][TLSv1.2][JA3C: 29b5a018fa5992fe23560c16af0dc9fc][JA3S: e58f0b3c1e9eefb8ee4f92aeceee5858][Issuer: CN=AnyNet Root CA, O=philandro Software GmbH, C=DE][Subject: C=DE, O=philandro Software GmbH, CN=AnyNet Relay][Certificate SHA-1: 9E:08:D2:58:A9:02:CD:4F:E2:4A:26:B8:48:5C:43:0B:81:29:99:E3][Firefox][Validity: 2018-11-18 02:14:23 - 2028-11-15 02:14:23][Cipher: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,35,20,0,10,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,5,0,0,0,5,0,0,0,0,0,0,15,0,0] + 4 TCP 192.168.1.178:52039 <-> 192.168.1.187:7070 [proto: 91.252/TLS.AnyDesk][Encrypted][Confidence: DPI][cat: RemoteAccess/12][8 pkts/2035 bytes <-> 7 pkts/2157 bytes][Goodput ratio: 76/82][0.56 sec][bytes ratio: -0.029 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 92/40 406/85 150/33][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 254/308 1340/968 419/387][Risk: ** Known Proto on Non Std Port **** Weak TLS Cipher **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** Desktop/File Sharing **][Risk Score: 220][Risk Info: No ALPN / Cipher TLS_RSA_WITH_AES_256_GCM_SHA384 / Found AnyDesk][TLSv1.2][JA3C: 201999283915cc31cee6b15472ef3332][JA3S: 4b505adfb4a921c5a3a39d293b0811e1 (WEAK)][Subject: CN=AnyDesk Client, CN=AnyDesk Client][Certificate SHA-1: 86:4F:2A:9F:24:71:FD:0D:6A:35:56:AC:D8:7B:3A:19:E8:03:CA:2E][Firefox][Cipher: TLS_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,20,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,20,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0] + 5 TCP 192.168.149.129:36351 <-> 51.83.239.144:80 [proto: 91.252/TLS.AnyDesk][Encrypted][Confidence: DPI][cat: RemoteAccess/12][10 pkts/792 bytes <-> 10 pkts/925 bytes][Goodput ratio: 32/38][45.83 sec][bytes ratio: -0.077 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 32/31 5700/5700 15000/15001 7162/7162][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 79/92 105/213 25/45][Risk: ** Known Proto on Non Std Port **** Desktop/File Sharing **][Risk Score: 60][Risk Info: Expected on port 443 / Found AnyDesk][Plen Bins: 0,90,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 UDP 192.168.1.187:55376 <-> 192.168.1.1:53 [proto: 5.252/DNS.AnyDesk][ClearText][Confidence: DPI][cat: RemoteAccess/12][1 pkts/90 bytes <-> 1 pkts/106 bytes][Goodput ratio: 53/60][0.01 sec][Hostname/SNI: relay-9b6827f2.net.anydesk.com][138.199.36.115][PLAIN TEXT (anydesk)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 7 UDP 192.168.1.187:59511 <-> 192.168.1.1:53 [proto: 5.252/DNS.AnyDesk][ClearText][Confidence: DPI][cat: RemoteAccess/12][1 pkts/90 bytes <-> 1 pkts/106 bytes][Goodput ratio: 53/60][0.01 sec][Hostname/SNI: relay-3185a847.net.anydesk.com][37.61.223.15][PLAIN TEXT (anydesk)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |