authorLuca Deri <deri@ntop.org>2023-10-23 17:49:50 +0200
committerLuca Deri <deri@ntop.org>2023-10-23 17:49:50 +0200
commit71d768d0364307f1c841a8f241db3781fe1e62be (patch)
tree96d2e89d658064dbf080f963493be6dcaeaa9331
parenta443bba0dd8cb295d95e50ea763d1956003ac8d9 (diff)
Improved detection as non DGA for hostnames belnging to a CDN (#2068)
-rw-r--r--src/lib/ndpi_main.c26
1 files changed, 14 insertions, 12 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 5eb9f38d6..be6820375 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -9803,10 +9803,9 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str,
u_int i, j, max_tmp_len = sizeof(tmp)-1;
len = ndpi_snprintf(tmp, max_tmp_len, "%s", name);
+
if(len < 0) {
-
- NDPI_LOG_DBG2(ndpi_str, "[DGA] too short");
-
+ NDPI_LOG_DBG2(ndpi_str, "[DGA] too short");
return(0);
} else
tmp[(u_int)len < max_tmp_len ? (u_int)len : max_tmp_len] = '\0';
@@ -9913,8 +9912,8 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str,
u_int max_num_consecutive_digits_first_word = 0, num_word = 0;
for(word = strtok_r(tmp, ".", &tok_tmp); ; word = strtok_r(NULL, ".", &tok_tmp)) {
- u_int num_consecutive_digits = 0;
-
+ u_int num_consecutive_digits = 0, word_len;
+
if(!word) break; else num_word++;
num_words++;
@@ -9922,8 +9921,11 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str,
if(num_words > 2)
break; /* Stop after the 2nd word of the domain name */
- if(strlen(word) < 5) continue;
+ if((word_len = strlen(word)) < 5) continue;
+ if((word_len < 10) && (ndpi_ends_with(ndpi_str, word, "cdn") /* Content Delivery Network ? */))
+ continue; /* Ignore names (not too long) that end with cdn [ ssl.p.jwpcdn.com or www.awxcdn.com ] */
+
NDPI_LOG_DBG2(ndpi_str, "[DGA] word(%s) [%s][len: %u]\n", word, name, (unsigned int)strlen(word));
trigram_char_skip = 0;
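Review bot: The CDN exemption added after `if((word_len = strlen(word)) < 5) continue;` is purely lexical: any label of 5–9 characters whose last three characters are "cdn" is dropped from the DGA scoring whether or not it belongs to a content-delivery network, so the heuristic's coverage shrinks for every such label, not only the two examples in the comment. If the intent is to whitelist known CDN hostnames, testing only the registered second-level label (or a small list) would be narrower than a suffix test applied to each of the first two words; at minimum the comment should record the trade-off, e.g. `/* Heuristic: short labels ending in "cdn" are skipped to reduce CDN false positives; this also skips any non-CDN label with that suffix */`. Separately, `word_len` is declared `u_int` in the previous hunk while `strlen` returns `size_t`, so the assignment narrows implicitly; `size_t word_len;` keeps the comparison with 5 and 10 unchanged and avoids a -Wconversion warning. ndpi_check_dga_name begins and ends outside this hunk.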
@@ -10007,11 +10009,11 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str,
max_num_consecutive_digits_first_word = num_consecutive_digits;
} /* for */
- NDPI_LOG_DBG2(ndpi_str, "[DGA] max_num_consecutive_digits_first_word=%u\n", max_num_consecutive_digits_first_word);
+ NDPI_LOG_DBG2(ndpi_str, "[DGA] max_num_consecutive_digits_first_word=%u\n", max_num_consecutive_digits_first_word);
- NDPI_LOG_DBG2(ndpi_str, "[DGA] [%s][num_found: %u][num_impossible: %u][num_digits: %u][num_bigram_checks: %u][num_vowels: %u/%u][num_trigram_vowels: %u][num_trigram_found: %u/%u][vowels: %u][rc: %u]\n",
- name, num_found, num_impossible, num_digits, num_bigram_checks, num_vowels, len, num_trigram_vowels,
- num_trigram_checked, num_trigram_found, num_vowels, rc);
+ NDPI_LOG_DBG2(ndpi_str, "[DGA] [%s][num_found: %u][num_impossible: %u][num_digits: %u][num_bigram_checks: %u][num_vowels: %u/%u][num_trigram_vowels: %u][num_trigram_found: %u/%u][vowels: %u][rc: %u]\n",
+ name, num_found, num_impossible, num_digits, num_bigram_checks, num_vowels, len, num_trigram_vowels,
+ num_trigram_checked, num_trigram_found, num_vowels, rc);
if((len > 16) && (num_dots < 3) && ((num_vowels*4) < (len-num_dots))) {
if((num_trigram_checked > 2) && (num_trigram_vowels >= (num_trigram_found-1)))
@@ -10043,8 +10045,8 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str,
rc = 0;
if(rc)
- NDPI_LOG_DBG2(ndpi_str, "[DGA] %s [num_found: %u][num_impossible: %u]\n",
- name, num_found, num_impossible);
+ NDPI_LOG_DBG2(ndpi_str, "[DGA] %s [num_found: %u][num_impossible: %u]\n",
+ name, num_found, num_impossible);
}
NDPI_LOG_DBG2(ndpi_str, "[DGA] Result: %u\n", rc);