author | Luca Deri <deri@ntop.org> | 2022-03-31 11:29:30 +0200 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2022-03-31 11:29:30 +0200 |
commit | 98a548c642c87acf67365e06e514afaf110fdabf (patch) | |
tree | 5c5a08812ac6f85b32b4c1cc2cfb8c87d9027692 | |
parent | 46dc8b5bda05f6d7fee62586abd8881284f71a4f (diff) |
Improved DGA detection
-rw-r--r-- | example/ndpiReader.c | 1 | ||||
-rw-r--r-- | src/lib/ndpi_dga_match.c.inc | 2 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 9 |
3 files changed, 10 insertions, 2 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 60601b4fe..0019fa4fd 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -3652,6 +3652,7 @@ static void dgaUnitTest() {
   const char *non_dga[] = {
     "100x100design.com",
+    "vcsa.vmware.com",
     "mz.gov.pl",
     "zoomam104zc.zoom.us",
     "5CI_DOMBIN",
diff --git a/src/lib/ndpi_dga_match.c.inc b/src/lib/ndpi_dga_match.c.inc
index edf68ebe8..0f434672a 100644
--- a/src/lib/ndpi_dga_match.c.inc
+++ b/src/lib/ndpi_dga_match.c.inc
@@ -107,7 +107,7 @@ static const char *ndpi_en_impossible_bigrams[] = {
   "jl", "jm", "jn", "jp", "jq", /* "jr",*/ /* "js", */ "jt", "jv", "jw", "jx", "jy", "jz", /* "kg", */ "kq", "kv", "kx", "kz", "lq", "lx", /* "mg" tamgrt.com , */ "mj", /* "mq", mqtt */ "mx", "mz", "pq", "pv", "px", "qb", "qc", "qd", "qe", "qf", "ii", "qg", "qh", "qj", "qk", "ql", "qm", "qn", "qo", "qp", "qr", "qs", "qt", "qv", "qw", "qx", "qy", "uu",
-  "qz", "sx", "sz", "tq", "tx", "vb", "vc", "vd", "vf", "vg", "vh", "vj", "vm", "vn", /* "vp", Removed for vpbank.com */ "bw", /* "vk", "zr" Removed for kavkazr */
+  "qz", "sx", "sz", "tq", "tx", "vb", "vc", "vd", "vf", "vg", "vh", "vj", /* "vm" Used in VMs */ "vn", /* "vp", Removed for vpbank.com */ "bw", /* "vk", "zr" Removed for kavkazr */
   "vq", /* "vt", gvt1.com, gvt2.com */ "vw", "vx", "vz", "wq", "wv", "wx", "wz", /* "xb", foxbusiness.com */ "xg", "xj", "xk", "xv", "xz", "xw", /* "yd", Removed for anywayanyday.com */ /*"yp", Removed for paypal */ "yj", "yq", "yv", "yz", "yw", "zb", "zc", "zg", "zh", "zj", "zn", "zq", "zs", "zx", /* "wh", e.g. why */ "wk",
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 7410b53e6..89b39d205 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
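Review bot: The new comment on the changed line of the bigram table, `/* "vm" Used in VMs */`, does not follow the convention of the neighbouring entries, which record the concrete false positive that motivated dropping a bigram (`/* "vp", Removed for vpbank.com */`, `/* "vk", "zr" Removed for kavkazr */`). Since the commit adds `vcsa.vmware.com` to the non-DGA unit test for exactly this reason, the entry should say so, e.g. `/* "vm", Removed for vcsa.vmware.com */`, so a later maintainer can re-check the case before re-enabling the bigram. Every bigram removed from this table narrows what the heuristic can flag, so keeping the motivating sample next to it is the only record of that trade-off.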
@@ -2589,6 +2589,9 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs
 static void ndpi_add_domain_risk_exceptions(struct ndpi_detection_module_struct *ndpi_str) {
   const char *domains[] = {
     ".local",
+    ".work",
+    /* DGA's are used for caching */
+    "akamaihd.net",
     NULL /* End */
   };
   const ndpi_risk risks_to_mask[] = {
@@ -8198,7 +8201,10 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str,
       num_words++;
-      if(strlen(word) < 3) continue;
+      if(num_words > 2)
+        break; /* Stop after the 2nd word of the domain name */
+
+      if(strlen(word) < 5) continue;
       if(ndpi_verbose_dga_detection)
         printf("-> word(%s) [%s][len: %u]\n", word, name, (unsigned int)strlen(word));
@@ -8236,6 +8242,7 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str,
       continue;
       break;
     }
+    num_bigram_checks++;
     if(ndpi_verbose_dga_detection) |
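Review bot: `"akamaihd.net"` is added to `domains[]` without the leading dot that `.local` and `.work` carry, so if the exception list is applied as a plain suffix match (the matching code is outside this hunk) the entry also covers any longer label that merely ends in those characters, not just the akamaihd.net zone; writing it as `".akamaihd.net"` would keep the entries consistent and anchor the exception at a label boundary, unless the matcher is known to handle bare apex names. Exempting the whole `.work` TLD from the masked risks is a broad exception and the commit message does not say which false positives drove it; a comment naming them would let the exception be revisited. The added comment `/* DGA's are used for caching */` is also unclear as written; something like `/* CDN cache hostnames are random-looking but legitimate */` states the actual rationale. The `risks_to_mask[]` array that says which risks are masked continues outside the hunk.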
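Review bot: The new `if(num_words > 2) break;` and the threshold change from `strlen(word) < 3` to `strlen(word) < 5` in `ndpi_check_dga_name` are hard-coded tuning constants with no recorded rationale, and the second one means 3- and 4-character labels are now never scored at all, which is a deliberate reduction in coverage that should be documented where the limit lives. Naming them, e.g. `#define NDPI_DGA_MAX_WORDS 2` and `#define NDPI_DGA_MIN_WORD_LEN 5` next to the other DGA constants, or at least a comment such as `/* Labels shorter than 5 chars yield too few bigrams to score reliably */`, would make the trade-off visible. The same point applies to the `num_bigram_checks++` counter added in the following hunk, whose purpose is not stated at the increment. The enclosing loop and the function body start and end outside this hunk.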