author | Luca Deri <deri@ntop.org> | 2021-02-10 12:20:48 +0100 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2021-02-10 15:22:20 +0100 |
commit | e2f6569adb62488b497d3bd6901308286fe8451d (patch) | |
tree | 60e304d0a2ed1548b465084d8078724990f8bb24 | |
parent | 0de3d4c37a06b800b740166b83a8ed108fbf76a4 (diff) |
Fixed CPHA missing protocol initialization
Improved IEC104 and IRC detection
-rw-r--r-- | example/reader_util.h | 2 | ||||
-rw-r--r-- | src/include/ndpi_protocols.h | 1 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 3 | ||||
-rw-r--r-- | src/lib/protocols/iec60870-5-104.c | 14 | ||||
-rw-r--r-- | src/lib/protocols/irc.c | 49 | ||||
-rw-r--r-- | tests/pcap/IEC104.pcap | bin | 0 -> 1695 bytes | |||
-rw-r--r-- | tests/result/IEC104.pcap.out | 4 |
7 files changed, 28 insertions, 45 deletions
diff --git a/example/reader_util.h b/example/reader_util.h
index b7ab1bc41..e317b4aa8 100644
--- a/example/reader_util.h
+++ b/example/reader_util.h
@@ -195,7 +195,7 @@ typedef struct ndpi_flow_info {
 struct ndpi_analyze_struct *iat_c_to_s, *iat_s_to_c, *iat_flow, *pktlen_c_to_s, *pktlen_s_to_c;
- char info[160];
+ char info[255];
 char flow_extra_info[16];
 char host_server_name[240];
 char bittorent_hash[41];
diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h
index 3bff4bcbc..7a12c1ffd 100644
--- a/src/include/ndpi_protocols.h
+++ b/src/include/ndpi_protocols.h
@@ -192,6 +192,7 @@ void init_fix_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
 void init_nintendo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_csgo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_checkmk_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
+void init_cpha_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_apple_push_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_amazon_video_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_whatsapp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 385b869e5..58b48d2c2 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
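Review bot: The new `char info[255];` keeps the array length as a bare literal, and 255 (rather than the usual power of two) is exactly the kind of value that ends up paired with a hard-coded 256 or the old 160 in a writer elsewhere; the writers are not in this diff, so I cannot tell whether every one of them bounds its copy with `sizeof(flow->info)`. Naming the size, e.g. `#define NDPI_FLOW_INFO_LEN 255` and `char info[NDPI_FLOW_INFO_LEN];`, gives the `snprintf` callers a single bound to reference and makes the next resize a one-line change that cannot drift from its users. The `ndpi_flow_info` struct definition begins and ends outside the hunk.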
@@ -3116,6 +3116,9 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n
 /* check_mk */
 init_checkmk_dissector(ndpi_str, &a, detection_bitmask);
+ /* cpha */
+ init_cpha_dissector(ndpi_str, &a, detection_bitmask);
+
 /* AIMINI */
 init_aimini_dissector(ndpi_str, &a, detection_bitmask);
diff --git a/src/lib/protocols/iec60870-5-104.c b/src/lib/protocols/iec60870-5-104.c
index 93f724543..b2da8c34c 100644
--- a/src/lib/protocols/iec60870-5-104.c
+++ b/src/lib/protocols/iec60870-5-104.c
@@ -34,7 +34,7 @@ void ndpi_search_iec60870_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 /* Check connection over TCP */
 NDPI_LOG_DBG(ndpi_struct, "search IEC60870\n");
-
+
 if(packet->tcp) {
 u_int16_t offset = 0, found = 0;
@@ -45,8 +45,16 @@ void ndpi_search_iec60870_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 if(len == 0) break;
- else
- offset += len + 2, found = 1;
+ else {
+ u_int8_t len = packet->payload[offset+1];
+
+ if((len + offset + 2) == packet->payload_packet_len) {
+ found = 1;
+ break;
+ }
+
+ offset += len + 2;
+ }
 } else
 break;
 }
diff --git a/src/lib/protocols/irc.c b/src/lib/protocols/irc.c
index 71d739025..8eb51aae4 100644
--- a/src/lib/protocols/irc.c
+++ b/src/lib/protocols/irc.c
@@ -373,7 +373,6 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
 struct ndpi_id_struct *dst = flow->dst;
 int less;
 u_int16_t c = 0;
- u_int16_t c1 = 0;
 u_int16_t port = 0;
 u_int16_t sport = 0;
 u_int16_t dport = 0;
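Review bot: The `u_int8_t len` declared inside the new `else` branch shadows the `len` tested by `if(len == 0)` immediately above it, so from that line on the two names denote different objects and `-Wshadow` will flag it; the outer `len` is declared above the hunk, so I cannot tell whether it already holds `packet->payload[offset+1]`, in which case the inner declaration should simply be dropped, and otherwise it should be renamed, `u_int8_t apdu_len = packet->payload[offset+1];`, with the comparison and the `offset +=` using that name. The exact-end test `(len + offset + 2) == packet->payload_packet_len` is now the only thing that sets `found`, so a segment whose last APDU is truncated or followed by trailing bytes is no longer reported even when every start byte validated; if that tightening is deliberate, a one-line comment such as `/* match only when the final APDU ends exactly at the end of the payload */` would keep the next reader from loosening it back. The read of `packet->payload[offset+1]` depends on the enclosing condition, which starts before the hunk, having already bounded `offset+1` against `payload_packet_len`; that guard is not visible here. The surrounding loop and `ndpi_search_iec60870_tcp` itself begin and end outside the hunk.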
@@ -439,38 +438,6 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc } } -#if 0 - if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC - && flow->packet_counter == 2 && (packet->payload_packet_len > 400 && packet->payload_packet_len < 1381)) { - for (c1 = 50; c1 < packet->payload_packet_len - 23; c1++) { - if (packet->payload[c1] == 'i' || packet->payload[c1] == 'd') { - if ((memcmp(&packet->payload[c1], "irc.hackthissite.org0", 21) - == 0) - || (memcmp(&packet->payload[c1], "irc.gamepad.ca1", 15) == 0) - || (memcmp(&packet->payload[c1], "dungeon.axenet.org0", 19) - == 0) - || (memcmp(&packet->payload[c1], "dazed.nuggethaus.net", 20) - == 0) - || (memcmp(&packet->payload[c1], "irc.indymedia.org", 17) - == 0) - || (memcmp(&packet->payload[c1], "irc.cccp-project.net", 20) - == 0) - || (memcmp(&packet->payload[c1], "dirc.followell.net0", 19) - == 0) - || (memcmp(&packet->payload[c1], "irc.discostars.de1", 18) - == 0) - || (memcmp(&packet->payload[c1], "irc.rizon.net", 13) == 0)) { - NDPI_LOG_INFO(ndpi_struct, - "found IRC SSL: - irc.hackthissite.org0 | irc.gamepad.ca1 | dungeon.axenet.org0 " - "| dazed.nuggethaus.net | irc.indymedia.org | irc.discostars.de1 "); - ndpi_int_irc_add_connection(ndpi_struct, flow); - break; - } - } - } - } -#endif - if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC && ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast(ndpi_struct, flow) != 0) { return; @@ -518,7 +485,7 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc || (memcmp(packet->payload, "PRIVMSG ", 8) == 0) || (memcmp(packet->payload, "VERSION ", 8) == 0)) { NDPI_LOG_DBG2(ndpi_struct, - "USER, NICK, PASS, NOTICE, PRIVMSG one time"); + "USER, NICK, PASS, NOTICE, PRIVMSG one time"); if (flow->l4.tcp.irc_stage == 2) { NDPI_LOG_INFO(ndpi_struct, "found irc"); ndpi_int_irc_add_connection(ndpi_struct, flow); 
@@ -555,8 +522,8 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc NDPI_LOG_DBG2(ndpi_struct, "packet contains more than one line"); for (c = 1; c < packet->parsed_lines; c++) { if (packet->line[c].len > 4 && (memcmp(packet->line[c].ptr, "NICK ", 5) == 0 - || memcmp(packet->line[c].ptr, "USER ", - 5) == 0)) { + || memcmp(packet->line[c].ptr, "USER ", + 5) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found IRC: two icq signal words in the same packet"); ndpi_int_irc_add_connection(ndpi_struct, flow); flow->l4.tcp.irc_stage = 3; @@ -580,7 +547,7 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc if (memcmp(packet->payload, "POST ", 5) == 0) { ndpi_parse_packet_line_info(ndpi_struct, flow); if (packet->parsed_lines) { - u_int16_t http_header_len = (u_int16_t)((packet->line[packet->parsed_lines - 1].ptr - packet->payload) + 2); + u_int16_t http_header_len = (u_int16_t)((packet->line[packet->parsed_lines - 1].ptr - packet->payload) + 2); if (packet->payload_packet_len > http_header_len) { http_content_ptr_len = packet->payload_packet_len - http_header_len; } @@ -590,7 +557,7 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc || ((packet->referer_line.ptr) && (ndpi_check_for_IRC_traces(packet->referer_line.ptr, packet->referer_line.len)))) { NDPI_LOG_DBG2(ndpi_struct, - "IRC detected from the Http URL/ Referer header "); + "IRC detected from the Http URL/ Referer header "); flow->l4.tcp.irc_stage = 1; // HTTP POST Request body is not in the same packet. if (!http_content_ptr_len) { @@ -637,7 +604,7 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc if (memcmp(&packet->line[i].ptr[j + 1], "DCC SEND ", 9) == 0 || memcmp(&packet->line[i].ptr[j + 1], "DCC CHAT ", 9) == 0) { NDPI_LOG_INFO(ndpi_struct, - "found NOTICE and DCC CHAT or DCC SEND."); + "found NOTICE and DCC CHAT or DCC SEND."); } } } 
@@ -700,7 +667,7 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc ntohs_ndpi_bytestream_to_number (&packet->line[i].ptr[j], packet->payload_packet_len - j, &j); NDPI_LOG_DBG2(ndpi_struct, "port %u.", - port); + port); j = k; // hier jetzt überlegen, wie die ports abgespeichert werden sollen if (src->irc_number_of_port < NDPI_PROTOCOL_IRC_MAXPORT) @@ -711,7 +678,7 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc = port; src->irc_number_of_port++; NDPI_LOG_DBG2(ndpi_struct, "found port=%d jjeeeeeeeeeeeeeeeeeeeeeeeee", - ntohs(get_u_int16_t(src->irc_port, 0))); + ntohs(get_u_int16_t(src->irc_port, 0))); } src->irc_ts = packet->current_time_ms; } else if (port != 0 && src->irc_number_of_port == NDPI_PROTOCOL_IRC_MAXPORT) { diff --git a/tests/pcap/IEC104.pcap b/tests/pcap/IEC104.pcap Binary files differnew file mode 100644 index 000000000..23f09b4be --- /dev/null +++ b/tests/pcap/IEC104.pcap diff --git a/tests/result/IEC104.pcap.out b/tests/result/IEC104.pcap.out new file mode 100644 index 000000000..8673f82d1 --- /dev/null +++ b/tests/result/IEC104.pcap.out @@ -0,0 +1,4 @@ +IEC60870 15 1431 2 + + 1 TCP 10.175.211.1:2404 <-> 10.119.105.26:54768 [proto: 245/IEC60870][cat: IoT-Scada/31][7 pkts/987 bytes <-> 5 pkts/270 bytes][Goodput ratio: 61/0][2.00 sec][bytes ratio: 0.570 (Upload)][IAT c2s/s2c min/avg/max/stddev: 36/199 360/521 935/935 313/307][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 141/54 306/54 90/0][Plen Bins: 51,0,0,16,0,16,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 TCP 10.175.211.3:2404 <-> 10.119.105.26:54769 [proto: 245/IEC60870][cat: IoT-Scada/31][2 pkts/120 bytes <-> 1 pkts/54 bytes][Goodput ratio: 5/0][0.22 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |