author | Luca Deri <deri@ntop.org> | 2020-06-11 18:51:53 +0200 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2020-06-11 18:51:53 +0200 |
commit | 55364ef0b4ef629630a663dc7b05d83c1b662067 (patch) | |
tree | 46d9c5ecd55e7af6a2487b0bd9f6bf4eacebc765 | |
parent | 60aaa80570b48b15c14c2a5133d9b73f7578b21a (diff) |
Added DGA risk for names that look like a DGA
-rw-r--r-- | example/ndpiReader.c | 65 | ||||
-rw-r--r-- | src/include/ndpi_api.h.in | 5 | ||||
-rw-r--r-- | src/include/ndpi_protocols.h | 1 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 1 | ||||
-rw-r--r-- | src/lib/ndpi_content_match.c.inc | 4 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 101 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 3 | ||||
-rw-r--r-- | src/lib/protocols/dns.c | 4 | ||||
-rw-r--r-- | src/lib/protocols/http.c | 6 | ||||
-rw-r--r-- | src/lib/protocols/netbios.c | 55 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 46 | ||||
-rw-r--r-- | src/lib/protocols/tor.c | 43 | ||||
-rw-r--r-- | tests/result/1kxun.pcap.out | 12 | ||||
-rw-r--r-- | tests/result/wechat.pcap.out | 6 | ||||
-rw-r--r-- | tests/result/weibo.pcap.out | 2 |
15 files changed, 239 insertions, 115 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c index fd55c3290..8ce4c6263 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -417,6 +417,7 @@ static void help(u_int long_help) { ndpi_dump_protocols(ndpi_info_mod); } + exit(!long_help); } @@ -3048,6 +3049,59 @@ void test_lib() { /* *********************************************** */ +static void dgaUnitTest() { + const char *s[] = { + "zoomam104zc.zoom.us", + "5CI_DOMBIN", + "ALICEGATE", + "BOWIE", + "D002465", + "DESKTOP-RB5T12G", + "ECI_DOM", + "ECI_DOMA", + "ECI_DOMAIN", + "ENDIAN-PC", + "GFILE", + "GIOVANNI-PC", + "GUNNAR", + "ISATAP", + "LAB111", + "LP-RKERUR-OSX", + "LUCAS-IMAC", + "LUCASMACBOOKPRO", + "MACBOOKAIR-E1D0", + "MDJR98", + "NASFILE", + "SANJI-LIFEBOOK-", + "SC.ARRANCAR.ORG", + "WORKG", + "WORKGROUP", + "XSTREAM_HY", + "__MSBROWSE__", + "mqtt.facebook.com", + NULL + }; + int i; + NDPI_PROTOCOL_BITMASK all; + struct ndpi_detection_module_struct *ndpi_str = ndpi_init_detection_module(ndpi_no_prefs); + + assert(ndpi_str != NULL); + + ndpi_set_protocol_detection_bitmask2(ndpi_str, &all); + + ndpi_finalize_initalization(ndpi_str); + + assert(ndpi_str != NULL); + + for(i=0; s[i] != NULL; i++) { + assert(ndpi_check_dga_name(ndpi_str, NULL, (char*)s[i]) == 0); + } + + ndpi_exit_detection_module(ndpi_str); +} + +/* *********************************************** */ + static void hllUnitTest() { struct ndpi_hll h; u_int8_t bits = 8; /* >= 4, <= 16 */ @@ -3357,7 +3411,13 @@ int orginal_main(int argc, char **argv) { return(-1); } + gettimeofday(&startup_time, NULL); + ndpi_info_mod = ndpi_init_detection_module(ndpi_no_prefs); + + if(ndpi_info_mod == NULL) return -1; + /* Internal checks */ + dgaUnitTest(); hllUnitTest(); bitmapUnitTest(); automataUnitTest(); 
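Review bot: In dgaUnitTest `NDPI_PROTOCOL_BITMASK all` is handed to ndpi_set_protocol_detection_bitmask2 without ever being initialized, so the detection bitmask is built from whatever is on the stack; add `NDPI_BITMASK_SET_ALL(all);` before that call. The second `assert(ndpi_str != NULL)` after ndpi_finalize_initalization repeats the first and can be dropped. The test asserts only negatives (`== 0`); one name expected to return 1 would keep the new heuristic from silently degrading into a no-op.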
@@ -3365,11 +3425,6 @@ int orginal_main(int argc, char **argv) { analyzeUnitTest(); ndpi_self_check_host_match(); - gettimeofday(&startup_time, NULL); - ndpi_info_mod = ndpi_init_detection_module(ndpi_no_prefs); - - if(ndpi_info_mod == NULL) return -1; - memset(ndpi_thread_info, 0, sizeof(ndpi_thread_info)); parseOptions(argc, argv); diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in index 87429c6de..8f6738920 100644 --- a/src/include/ndpi_api.h.in +++ b/src/include/ndpi_api.h.in @@ -926,6 +926,11 @@ extern "C" { int ndpi_ptree_match_addr(ndpi_ptree_t *tree, const ndpi_ip_addr_t *addr, uint *user_data); void ndpi_ptree_destroy(ndpi_ptree_t *tree); + /* DGA */ + int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, + struct ndpi_flow_struct *flow, + char *name); + /* Serializer */ int ndpi_init_serializer_ll(ndpi_serializer *serializer, ndpi_serialization_format fmt, u_int32_t buffer_size); diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h index 3ef3cbf28..417c6fb8d 100644 --- a/src/include/ndpi_protocols.h +++ b/src/include/ndpi_protocols.h @@ -213,4 +213,5 @@ void init_dnp3_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int void init_104_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_s7comm_dissector(struct ndpi_detection_module_struct *ndpi_struct,u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_websocket_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); + #endif /* __NDPI_PROTOCOLS_H__ */ diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 29c9ed364..79288e5bc 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h 
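Review bot: The new prototype declares `char *name`, which forces every caller to cast away const (`(char*)flow->host_server_name` in dns.c, http.c and netbios.c) even though ndpi_check_dga_name only reads `name` into a local copy; declare it `const char *name` here and in the ndpi_main.c definition. The declaration also carries no description of its contract; suggest `/* Returns 1 if name looks machine-generated (DGA), 0 otherwise; when flow is non-NULL also sets NDPI_SUSPICIOUS_DGA_DOMAIN in flow->risk */` above it.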
@@ -72,6 +72,7 @@ typedef enum { NDPI_HTTP_SUSPICIOUS_URL, NDPI_HTTP_SUSPICIOUS_HEADER, NDPI_TLS_NOT_CARRYING_HTTPS, + NDPI_SUSPICIOUS_DGA_DOMAIN, /* Leave this as last member */ NDPI_MAX_RISK diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index 32a6e840c..148ee9443 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc @@ -9266,8 +9266,8 @@ static const char *ndpi_en_bigrams[] = { static const char *ndpi_en_impossible_bigrams[] = { "bk", "bq", "bx", "cb", "cf", "cg", "cj", "cp", "cv", "cw", "cx", "dx", "fk", "fq", "fv", "fx", /* "ee", removed it can be found in 'meeting' */ "fz", "gq", "gv", "gx", "hh", "hk", "hv", "hx", "hz", "iy", "jb", /* "jc", jcrew.com */ "jd", "jf", "jg", "jh", "jk", - "jl", "jm", "jn", "jp", "jq", "jr", /* "js", */ "jt", "jv", "jw", "jx", "jy", "jz", "kg", "kq", "kv", "kx", - "kz", "lq", "lx", /* "mg" tamgrt.com , */ "mj", "mq", "mx", "mz", "pq", "pv", "px", "qb", "qc", "qd", "qe", "qf", "ii", + "jl", "jm", "jn", "jp", "jq", /* "jr",*/ /* "js", */ "jt", "jv", "jw", "jx", "jy", "jz", "kg", "kq", "kv", "kx", + "kz", "lq", "lx", /* "mg" tamgrt.com , */ "mj", /* "mq", mqtt */ "mx", "mz", "pq", "pv", "px", "qb", "qc", "qd", "qe", "qf", "ii", "qg", "qh", "qj", "qk", "ql", "qm", "qn", "qo", "qp", "qr", "qs", "qt", "qv", "qw", "qx", "qy", "uu", "qz", "sx", "sz", "tq", "tx", "vb", "vc", "vd", "vf", "vg", "vh", "vj", "vm", "vn", /* "vp", Removed for vpbank.com */ "bw", /* "vk", "zr" Removed for kavkazr */ "vq", "vt", "vw", "vx", "vz", "wq", "wv", "wx", "wz", /* "xb", foxbusiness.com */ diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 9c444ce2b..6bbda45f6 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c 
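Review bot: The `/* "jr",*/` exclusion in ndpi_en_impossible_bigrams gives no reason, unlike its neighbours (`/* "jc", jcrew.com */`, `/* "mq", mqtt */`); since each removal widens what the DGA heuristic accepts, record the name that motivated it, e.g. `/* "jr", <domain that triggered it> */`, so the next tuning pass can re-check it.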
@@ -4354,12 +4354,12 @@ static int ndpi_check_protocol_port_mismatch_exceptions(struct ndpi_detection_mo break; } } - + return(0); } /* ********************************************************************************* */ - + static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, ndpi_protocol *ret) { @@ -4818,28 +4818,28 @@ u_int32_t ndpi_bytestream_to_ipv4(const u_int8_t *str, u_int16_t max_chars_to_re c = ndpi_bytestream_to_number(str, max_chars_to_read, &read); if(c > 255 || oldread == read || max_chars_to_read == read || str[read] != '.') return(0); - + read++; val = c << 24; oldread = read; c = ndpi_bytestream_to_number(&str[read], max_chars_to_read - read, &read); if(c > 255 || oldread == read || max_chars_to_read == read || str[read] != '.') return(0); - + read++; val = val + (c << 16); oldread = read; c = ndpi_bytestream_to_number(&str[read], max_chars_to_read - read, &read); if(c > 255 || oldread == read || max_chars_to_read == read || str[read] != '.') return(0); - + read++; val = val + (c << 8); oldread = read; c = ndpi_bytestream_to_number(&str[read], max_chars_to_read - read, &read); if(c > 255 || oldread == read || max_chars_to_read == read) return(0); - + val = val + c; *bytes_read = *bytes_read + read; @@ -4853,7 +4853,7 @@ u_int32_t ndpi_bytestream_to_ipv4(const u_int8_t *str, u_int16_t max_chars_to_re void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow) { u_int32_t a; struct ndpi_packet_struct *packet = &flow->packet; - + if((packet->payload_packet_len < 3) || (packet->payload == NULL)) return; @@ -4876,7 +4876,7 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str, /* \r\n\r\n */ int diff; /* No unsigned ! */ u_int32_t a1 = a + 4; - + diff = packet->payload_packet_len - a1; if(diff > 0) { 
@@ -5889,10 +5889,10 @@ const char * ndpi_strncasestr(const char *str1, const char *str2, size_t len) { for(i = 0; i < (str1_len - str2_len + 1); i++){ if(str1[0] == '\0') - return NULL; + return NULL; else if(strncasecmp(str1, str2, str2_len) == 0) return(str1); - + str1++; } 
@@ -6473,3 +6473,84 @@ void ndpi_md5(const u_char *data, size_t data_len, u_char hash[16]) { ndpi_MD5Update(&ctx, data, data_len); ndpi_MD5Final(hash, &ctx); } + +/* ******************************************************************** */ + +static int enough(int a, int b) { + u_int8_t percentage = 20; + + if(b == 0) return(0); + if(a == 0) return(1); + + if(b > ((a*percentage)/100)) return(1); + + return(0); +} + +/* ******************************************************************** */ + +int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, + struct ndpi_flow_struct *flow, + char *name) { + int len = strlen(name), rc = 0; + + if(len >= 5) { + int i, j, num_found = 0, num_impossible = 0, num_bigram_checks = 0; + char tmp[128]; + + len = snprintf(tmp, sizeof(tmp)-1, "%s", name); + if(len < 0) return(0); + + for(i=0, j=0; (i<len) && (j<(sizeof(tmp)-1)); i++) { + if(isdigit(name[i])) + continue; + else + tmp[j++] = tolower(tmp[i]); + } + + len = j; + + for(i = 0; tmp[i+1] != '\0'; i++) { + if(isdigit(tmp[i])) continue; + + switch(tmp[i]) { + case '-': + case ':': + case '.': + continue; + break; + } + + if(isdigit(tmp[i+1])) continue; + + num_bigram_checks++; + + if(ndpi_match_bigram(ndpi_str, &ndpi_str->bigrams_automa, &tmp[i])) { + num_found++; + } else if(ndpi_match_bigram(ndpi_str, + &ndpi_str->impossible_bigrams_automa, + &tmp[i])) { +#ifdef DGA_DEBUG + printf("IMPOSSIBLE %s\n", &tmp[i]); +#endif + num_impossible++; + } + } + + if(num_bigram_checks + && ((num_found == 0) + || (enough(num_found, num_impossible)))) + rc = 1; + + if(rc && flow) + NDPI_SET_BIT(flow->risk, NDPI_SUSPICIOUS_DGA_DOMAIN); + +#ifdef DGA_DEBUG + if(rc) + printf("DGA %s [%s][num_found: %u][num_impossible: %u]\n", + tmp, name, num_found, num_impossible); +#endif + } + + return(rc); +} diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index e2571f64b..335b9dd87 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c 
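Review bot: In ndpi_check_dga_name the digit-stripping loop never terminates `tmp` at `j`, and its bound `i < len` uses the `snprintf` return value, which is strlen(name) rather than the number of bytes copied: for a name longer than `tmp` with enough digits, `i` can run past the end of `tmp` while `j` is still below its limit (out-of-bounds read), and for ordinary names the stale tail of the copy is fed to the bigram scan (`ab1cd` is scanned as `abcdd`). Both `isdigit`/`tolower` calls in that loop and the `isdigit(tmp[i])`/`isdigit(tmp[i+1])` checks in the bigram loop pass a plain `char`, which is undefined for bytes above 0x7F in names lifted straight from packets; cast to `(unsigned char)`. The rewrite below copies from `name` directly, bounds the loop by the destination, and terminates `tmp`. Separately, the `20` in enough() deserves a name such as `enum { DGA_IMPOSSIBLE_PERCENTAGE = 20 };`, and the DGA_DEBUG printf formats `int` counters with `%u`.
```c
int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str,
                        struct ndpi_flow_struct *flow,
                        char *name) {
  int len = strlen(name), rc = 0;

  if(len >= 5) {
    int i, j, num_found = 0, num_impossible = 0, num_bigram_checks = 0;
    char tmp[128];

    /* Lower-case copy with digits dropped; bounded by the destination, not by strlen(name) */
    for(i = 0, j = 0; (name[i] != '\0') && (j < (int)sizeof(tmp) - 1); i++) {
      if(isdigit((unsigned char)name[i]))
        continue;

      tmp[j++] = tolower((unsigned char)name[i]);
    }

    tmp[j] = '\0'; /* the bigram loop below stops on the terminator */
    len = j;

    for(i = 0; tmp[i+1] != '\0'; i++) {
      if(isdigit((unsigned char)tmp[i])) continue;
      /* … unchanged: '-', ':', '.' skip; isdigit(tmp[i+1]) with the same cast; bigram counting … */
    }

    /* … unchanged: rc decision, risk bit, DGA_DEBUG output … */
```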
@@ -1497,6 +1497,9 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) { case NDPI_TLS_NOT_CARRYING_HTTPS: return("TLS (probably) not carrying HTTPS"); + + case NDPI_SUSPICIOUS_DGA_DOMAIN: + return("Suspicious DGA domain name"); default: snprintf(buf, sizeof(buf), "%d", (int)risk); diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 460117c96..099f343e4 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -292,8 +292,10 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st cl--; } } - flow->host_server_name[j] = '\0'; + flow->host_server_name[j] = '\0'; + ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name); + if(j > 0) { ndpi_protocol_match_result ret_match; diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 7b83b91e7..a896c6214 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -284,9 +284,8 @@ static void ndpi_check_numeric_ip(struct ndpi_detection_module_struct *ndpi_stru buf[ip_len] = '\0'; ip_addr.s_addr = inet_addr(buf); - if(strcmp(inet_ntoa(ip_addr), buf) == 0) { + if(strcmp(inet_ntoa(ip_addr), buf) == 0) NDPI_SET_BIT(flow->risk, NDPI_HTTP_NUMERIC_IP_HOST); - } } /* ************************************************************* */ @@ -294,7 +293,7 @@ static void ndpi_check_numeric_ip(struct ndpi_detection_module_struct *ndpi_stru static void ndpi_check_http_url(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, char *url) { - + /* Nothing to do */ } /* ************************************************************* */ @@ -451,6 +450,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ flow->host_server_name[len] = '\0'; flow->extra_packets_func = NULL; /* We're good now */ + ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name); flow->server_id = flow->dst; if(packet->forwarded_line.ptr) { 
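Review bot: The new ndpi_check_dga_name call on host_server_name runs for every name this dissector extracts, and the checker treats any character other than digits, `-`, `:` and `.` as a bigram position, so a label made of underscores or non-letter bytes yields zero known bigrams and is flagged. The updated tests/result/1kxun.pcap.out shows this: the `____________` LLMNR hosts now carry `Suspicious DGA domain name`, which reads as a false positive if, as those lines suggest, this dissector also serves LLMNR. Consider restricting the call to names containing a `.`, or having the scan skip positions where either byte is not a letter, `if(!isalpha((unsigned char)tmp[i]) || !isalpha((unsigned char)tmp[i+1])) continue;`. The enclosing ndpi_search_dns continues outside the hunk.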
diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c index 7e4c98265..c396a392b 100644 --- a/src/lib/protocols/netbios.c +++ b/src/lib/protocols/netbios.c @@ -19,7 +19,7 @@ * * You should have received a copy of the GNU Lesser General Public License * along with nDPI. If not, see <http://www.gnu.org/licenses/>. - * + * */ @@ -41,14 +41,14 @@ struct netbios_header { int ndpi_netbios_name_interpret(char *in, size_t inlen, char *out, u_int out_len) { int ret = 0, len; char *b; - + len = (*in++)/2; b = out; *out = 0; if(len > (out_len-1) || len < 1 || 2*len > inlen) - return(-1); - + return(-1); + while (len--) { if(in[0] < 'A' || in[0] > 'P' || in[1] < 'A' || in[1] > 'P') { *out = 0; @@ -56,7 +56,7 @@ int ndpi_netbios_name_interpret(char *in, size_t inlen, char *out, u_int out_len } *out = ((in[0]-'A')<<4) + (in[1]-'A'); - + in += 2; if(isprint(*out)) @@ -76,13 +76,16 @@ int ndpi_netbios_name_interpret(char *in, size_t inlen, char *out, u_int out_len static void ndpi_int_netbios_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, - u_int16_t sub_protocol) { + u_int16_t sub_protocol) { char name[64]; u_int off = flow->packet.payload[12] == 0x20 ? 12 : 14; if((off < flow->packet.payload_packet_len) && - ndpi_netbios_name_interpret((char*)&flow->packet.payload[off], flow->packet.payload_packet_len - off, name, sizeof(name)) > 0) - snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name); + ndpi_netbios_name_interpret((char*)&flow->packet.payload[off], flow->packet.payload_packet_len - off, name, sizeof(name)) > 0) { + snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name); + + ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name); + } if(sub_protocol == NDPI_PROTOCOL_UNKNOWN) ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NETBIOS, NDPI_PROTOCOL_UNKNOWN); 
@@ -96,9 +99,9 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; u_int16_t dport; - + NDPI_LOG_DBG(ndpi_struct, "search netbios\n"); - + if(packet->udp != NULL) { dport = ntohs(packet->udp->dest); @@ -110,7 +113,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, h.transaction_id = ntohs(h.transaction_id), h.flags = ntohs(h.flags), h.questions = ntohs(h.questions), h.answer_rrs = ntohs(h.answer_rrs), h.authority_rrs = ntohs(h.authority_rrs), h.additional_rrs = ntohs(h.additional_rrs); - + NDPI_LOG_DBG(ndpi_struct, "found netbios port 137 and payload_packet_len 50\n"); if(h.flags == 0 && @@ -123,18 +126,18 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); return; } - + if(((h.flags & 0x8710) == 0x10) && h.questions == 1 && h.answer_rrs == 0 && h.authority_rrs == 0) { NDPI_LOG_INFO(ndpi_struct, "found netbios with questions = 1 and answers = 0, authority = 0 and broadcast \n"); - + ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); return; } - + if(packet->payload[2] == 0x80 && h.questions == 1 && h.answer_rrs == 0 && @@ -145,7 +148,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); return; } - + if(h.flags == 0x4000 && h.questions == 1 && h.answer_rrs == 0 && @@ -156,7 +159,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); return; } - + if(h.flags == 0x8400 && h.questions == 0 && h.answer_rrs == 1 && 
@@ -168,7 +171,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); return; } - + if(h.flags == 0x8500 && h.questions == 0 && h.answer_rrs == 1 && @@ -180,7 +183,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); return; } - + if(((h.flags == 0x2900) || (h.flags == 0x2910)) && h.questions == 1 && h.answer_rrs == 0 && @@ -192,7 +195,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); return; } - + if(h.flags == 0xAD86 && h.questions == 0 && h.answer_rrs == 1 && @@ -204,7 +207,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); return; } - + if(h.flags == 0x0110 && h.questions == 1 && h.answer_rrs == 0 && 
@@ -333,25 +336,25 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, } /* TODO: extend according to rfc1002 */ } - + /* check standard NETBIOS over udp to port 138 */ /* netbios header token from http://www.protocolbase.net/protocols/protocol_NBDGM.php */ if((dport == 138) && (packet->payload_packet_len >= 14)) { u_int16_t netbios_len = ntohs(get_u_int16_t(packet->payload, 10)); - - if(netbios_len == packet->payload_packet_len - 14) { + + if(netbios_len == packet->payload_packet_len - 14) { NDPI_LOG_DBG2(ndpi_struct, "found netbios port 138 and payload length >= 112 \n"); - + if(packet->payload[0] >= 0x10 && packet->payload[0] <= 0x16) { u_int32_t source_ip = ntohl(get_u_int32_t(packet->payload, 4)); - + NDPI_LOG_DBG2(ndpi_struct, "found netbios with MSG-type 0x10,0x11,0x12,0x13,0x14,0x15 or 0x16\n"); if(source_ip == ntohl(packet->iph->saddr)) { int16_t leftover = netbios_len - 82; /* NetBIOS len */ - + NDPI_LOG_INFO(ndpi_struct, "found netbios with checked ip-address\n"); ndpi_int_netbios_add_connection(ndpi_struct, flow, (leftover > 0) ? NDPI_PROTOCOL_SMBV1 : NDPI_PROTOCOL_UNKNOWN); diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 7d9e99171..816b23a50 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -223,7 +223,7 @@ static int extractRDNSequence(struct ndpi_packet_struct *packet, if(rc > 0) (*rdnSeqBuf_offset) += rc; } - + return(is_printable); } @@ -244,7 +244,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi /* Check after handshake protocol header (5 bytes) and message header (4 bytes) */ for(i = p_offset; i < certificate_len; i++) { - /* + /* See https://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.sec.doc/q009860_.htm for X.509 certificate labels */ 
@@ -252,7 +252,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi /* Common Name */ int rc = extractRDNSequence(packet, i, buffer, sizeof(buffer), rdnSeqBuf, &rdn_len, sizeof(rdnSeqBuf), "CN"); if(rc == -1) break; - + #ifdef DEBUG_TLS printf("[TLS] %s() [%s][%s: %s]\n", __FUNCTION__, (num_found == 0) ? "Subject" : "Issuer", "Common Name", buffer); #endif @@ -260,7 +260,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi /* Country */ int rc = extractRDNSequence(packet, i, buffer, sizeof(buffer), rdnSeqBuf, &rdn_len, sizeof(rdnSeqBuf), "C"); if(rc == -1) break; - + #ifdef DEBUG_TLS printf("[TLS] %s() [%s][%s: %s]\n", __FUNCTION__, (num_found == 0) ? "Subject" : "Issuer", "Country", buffer); #endif @@ -315,10 +315,10 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi if((offset+len) < packet->payload_packet_len) { char utcDate[32]; - + #ifdef DEBUG_TLS u_int j; - + printf("[CERTIFICATE] notBefore [len: %u][", len); for(j=0; j<len; j++) printf("%c", packet->payload[i+4+j]); printf("]\n"); @@ -352,7 +352,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi u_int32_t time_sec = flow->packet.current_time_ms / 1000; #ifdef DEBUG_TLS u_int j; - + printf("[CERTIFICATE] notAfter [len: %u][", len); for(j=0; j<len; j++) printf("%c", packet->payload[offset+j]); printf("]\n"); @@ -375,7 +375,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi } } - + if((time_sec < flow->protos.stun_ssl.ssl.notBefore) || (time_sec > flow->protos.stun_ssl.ssl.notAfter)) NDPI_SET_BIT(flow->risk, NDPI_TLS_CERTIFICATE_EXPIRED); /* Certificate expired */ 
@@ -385,7 +385,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi } else if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x1d) && (packet->payload[i+2] == 0x11)) { /* Organization OID: 2.5.29.17 (subjectAltName) */ u_int8_t matched_name = 0; - + #ifdef DEBUG_TLS printf("******* [TLS] Found subjectAltName\n"); #endif @@ -428,7 +428,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi else if(strcmp(flow->protos.stun_ssl.ssl.client_requested_server_name, dNSName) == 0) matched_name = 1; } - + if(flow->protos.stun_ssl.ssl.server_names == NULL) flow->protos.stun_ssl.ssl.server_names = ndpi_strdup(dNSName), flow->protos.stun_ssl.ssl.server_names_len = strlen(dNSName); @@ -477,7 +477,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi if(flow->protos.stun_ssl.ssl.subjectDN && flow->protos.stun_ssl.ssl.issuerDN && (!strcmp(flow->protos.stun_ssl.ssl.subjectDN, flow->protos.stun_ssl.ssl.issuerDN))) NDPI_SET_BIT(flow->risk, NDPI_TLS_SELFSIGNED_CERTIFICATE); - + #if DEBUG_TLS printf("[TLS] %s() SubjectDN [%s]\n", __FUNCTION__, rdnSeqBuf); #endif @@ -864,7 +864,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, flow->protos.stun_ssl.ssl.ssl_version = ja3.tls_handshake_version = tls_version; if(flow->protos.stun_ssl.ssl.ssl_version < 0x0302) /* TLSv1.1 */ NDPI_SET_BIT(flow->risk, NDPI_TLS_OBSOLETE_VERSION); - + if(handshake_type == 0x02 /* Server Hello */) { int i, rc; @@ -889,7 +889,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, ja3.num_cipher = 1, ja3.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset])); if((flow->protos.stun_ssl.ssl.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.cipher[0])) == 1) NDPI_SET_BIT(flow->risk, NDPI_TLS_WEAK_CIPHER); - + flow->protos.stun_ssl.ssl.server_cipher = ja3.cipher[0]; #ifdef DEBUG_TLS 
@@ -1108,6 +1108,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, buffer, strlen(buffer))) flow->l4.tcp.tls.subprotocol_detected = 1; + + ndpi_check_dga_name(ndpi_struct, flow, flow->protos.stun_ssl.ssl.client_requested_server_name); } else { #ifdef DEBUG_TLS printf("[TLS] Extensions server len too short: %u vs %u\n", @@ -1261,8 +1263,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, flow->protos.stun_ssl.ssl.tls_supported_versions = ndpi_strdup(version_str); } } else if(extension_id == 65486 /* encrypted server name */) { - /* - - https://tools.ietf.org/html/draft-ietf-tls-esni-06 + /* + - https://tools.ietf.org/html/draft-ietf-tls-esni-06 - https://blog.cloudflare.com/encrypted-sni/ */ u_int16_t e_offset = offset+extension_offset; @@ -1270,9 +1272,9 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t e_sni_len, cipher_suite = ntohs(*((u_int16_t*)&packet->payload[e_offset])); flow->protos.stun_ssl.ssl.encrypted_sni.cipher_suite = cipher_suite; - + e_offset += 2; /* Cipher suite len */ - + /* Key Share Entry */ e_offset += 2; /* Group */ e_offset += ntohs(*((u_int16_t*)&packet->payload[e_offset])) + 2; /* Lenght */ @@ -1280,11 +1282,11 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, if((e_offset+4) < packet->payload_packet_len) { /* Record Digest */ e_offset += ntohs(*((u_int16_t*)&packet->payload[e_offset])) + 2; /* Lenght */ - + if((e_offset+4) < packet->payload_packet_len) { e_sni_len = ntohs(*((u_int16_t*)&packet->payload[e_offset])); e_offset += 2; - + if((e_offset+e_sni_len-extension_len-initial_offset) >= 0) { #ifdef DEBUG_ENCRYPTED_SNI printf("Client SSL [Encrypted Server Name len: %u]\n", e_sni_len); 
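Review bot: The DGA check on `client_requested_server_name` is issued unconditionally, immediately after the same name may have matched a known protocol through ndpi_match_hostname_protocol; a hostname that resolves to a known service is strong evidence it is not machine-generated, and this commit already had to relax the impossible-bigram list (`/* "mq", mqtt */`) to keep `mqtt.facebook.com` out of the positives. Suggest gating it on the flag set two lines above: `if(!flow->l4.tcp.tls.subprotocol_detected) ndpi_check_dga_name(ndpi_struct, flow, flow->protos.stun_ssl.ssl.client_requested_server_name);`. processClientServerHello continues well beyond this hunk.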
@@ -1292,13 +1294,13 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, if(flow->protos.stun_ssl.ssl.encrypted_sni.esni == NULL) { flow->protos.stun_ssl.ssl.encrypted_sni.esni = (char*)ndpi_malloc(e_sni_len*2+1); - + if(flow->protos.stun_ssl.ssl.encrypted_sni.esni) { u_int16_t i, off; - + for(i=e_offset, off=0; i<(e_offset+e_sni_len); i++) { int rc = sprintf(&flow->protos.stun_ssl.ssl.encrypted_sni.esni[off], "%02X", packet->payload[i] & 0XFF); - + if(rc <= 0) { flow->protos.stun_ssl.ssl.encrypted_sni.esni[off] = '\0'; break; diff --git a/src/lib/protocols/tor.c b/src/lib/protocols/tor.c index 9dd14046e..7318685e7 100644 --- a/src/lib/protocols/tor.c +++ b/src/lib/protocols/tor.c 
@@ -48,45 +48,16 @@ int ndpi_is_tls_tor(struct ndpi_detection_module_struct *ndpi_struct, if((dot = strrchr(dummy, '.')) == NULL) return(0); name = &dot[1]; - len = strlen(name); - - if(len >= 5) { - int i, prev_num = 0, numbers_found = 0, num_found = 0, num_impossible = 0; - - for(i = 0; name[i+1] != '\0'; i++) { - // printf("***** [SSL] %s(): [%d][%c]", __FUNCTION__, i, name[i]); - - if((name[i] >= '0') && (name[i] <= '9')) { - if(prev_num != 1) { - numbers_found++; - - if(numbers_found == 2) { - ndpi_int_tor_add_connection(ndpi_struct, flow); - return(1); - } - prev_num = 1; - } - } else - prev_num = 0; - - if(ndpi_match_bigram(ndpi_struct, &ndpi_struct->bigrams_automa, &name[i])) { - num_found++; - } else if(ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, &name[i])) { - num_impossible++; - } - } - - if((num_found == 0) || (num_impossible > 1)) { + if(ndpi_check_dga_name(ndpi_struct, flow, name)) { + ndpi_int_tor_add_connection(ndpi_struct, flow); + return(1); + } else { +#ifdef PEDANTIC_TOR_CHECK + if(gethostbyname(certificate) == NULL) { ndpi_int_tor_add_connection(ndpi_struct, flow); return(1); - } else { -#ifdef PEDANTIC_TOR_CHECK - if(gethostbyname(certificate) == NULL) { - ndpi_int_tor_add_connection(ndpi_struct, flow); - return(1); - } -#endif } +#endif } return(0); diff --git a/tests/result/1kxun.pcap.out b/tests/result/1kxun.pcap.out index 8c4ae196e..ab0282e92 100644 --- a/tests/result/1kxun.pcap.out +++ b/tests/result/1kxun.pcap.out 
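Review bot: ndpi_check_dga_name is called with the real `flow`, so it sets NDPI_SUSPICIOUS_DGA_DOMAIN on the flow as a side effect before ndpi_int_tor_add_connection runs; every Tor classification made here now also carries the DGA risk, which may be intended but differs from the removed inline scan, which set no risk. The removed code also treated two separate digit runs in the label as a Tor indicator, while the new checker strips digits before scanning, so that signal is gone. If `len` is still declared earlier in ndpi_is_tls_tor (outside this hunk) it is now never assigned and unused. Passing `NULL` keeps the old no-risk semantics: `if(ndpi_check_dga_name(ndpi_struct, NULL, name)) {`.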
@@ -82,9 +82,9 @@ JA3 Host Stats: 60 UDP [fe80::9bd:81dd:2fdc:5750]:61548 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/190 bytes -> 0 pkts/0 bytes][Goodput ratio: 35/0][0.41 sec][Host: caesar-thinkpad][PLAIN TEXT (caesar)] 61 UDP [fe80::9bd:81dd:2fdc:5750]:64568 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/190 bytes -> 0 pkts/0 bytes][Goodput ratio: 35/0][0.41 sec][Host: caesar-thinkpad][PLAIN TEXT (caesar)] 62 UDP 192.168.5.45:137 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][2 pkts/184 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][1.02 sec][Host: nasfile][PLAIN TEXT ( EOEBFDEGEJEMEFCACACACACACACACA)] - 63 UDP [fe80::e98f:bae2:19f7:6b0f]:51451 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/184 bytes -> 0 pkts/0 bytes][Goodput ratio: 32/0][0.41 sec][Host: ____________] - 64 UDP [fe80::e98f:bae2:19f7:6b0f]:54888 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/184 bytes -> 0 pkts/0 bytes][Goodput ratio: 32/0][0.10 sec][Host: ____________] - 65 UDP [fe80::e98f:bae2:19f7:6b0f]:58779 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/184 bytes -> 0 pkts/0 bytes][Goodput ratio: 32/0][0.41 sec][Host: ____________] + 63 UDP [fe80::e98f:bae2:19f7:6b0f]:51451 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/184 bytes -> 0 pkts/0 bytes][Goodput ratio: 32/0][0.41 sec][Host: ____________][Risk: ** Suspicious DGA domain name **] + 64 UDP [fe80::e98f:bae2:19f7:6b0f]:54888 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/184 bytes -> 0 pkts/0 bytes][Goodput ratio: 32/0][0.10 sec][Host: ____________][Risk: ** Suspicious DGA domain name **] + 65 UDP [fe80::e98f:bae2:19f7:6b0f]:58779 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/184 bytes -> 0 pkts/0 bytes][Goodput ratio: 32/0][0.41 sec][Host: ____________][Risk: ** Suspicious DGA domain name **] 66 UDP [fe80::e034:7be:d8f9:6197]:49766 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 
pkts/182 bytes -> 0 pkts/0 bytes][Goodput ratio: 32/0][0.41 sec][Host: charming-pc][PLAIN TEXT (charming)] 67 UDP [fe80::5d92:62a8:ebde:1319]:49735 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/178 bytes -> 0 pkts/0 bytes][Goodput ratio: 30/0][0.10 sec][Host: wangs-ltw] 68 UDP [fe80::5d92:62a8:ebde:1319]:58468 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/178 bytes -> 0 pkts/0 bytes][Goodput ratio: 30/0][0.10 sec][Host: wangs-ltw] 
@@ -98,9 +98,9 @@ JA3 Host Stats: 76 UDP [fe80::edf5:240a:c8c0:8312]:61603 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Goodput ratio: 28/0][0.41 sec][Host: ro_x1c] 77 UDP 192.168.5.49:61548 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/150 bytes -> 0 pkts/0 bytes][Goodput ratio: 44/0][0.41 sec][Host: caesar-thinkpad][PLAIN TEXT (caesar)] 78 UDP 192.168.5.49:64568 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/150 bytes -> 0 pkts/0 bytes][Goodput ratio: 44/0][0.41 sec][Host: caesar-thinkpad][PLAIN TEXT (caesar)] - 79 UDP 192.168.3.95:51451 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Goodput ratio: 41/0][0.41 sec][Host: ____________] - 80 UDP 192.168.3.95:54888 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Goodput ratio: 41/0][0.10 sec][Host: ____________] - 81 UDP 192.168.3.95:58779 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Goodput ratio: 41/0][0.41 sec][Host: ____________] + 79 UDP 192.168.3.95:51451 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Goodput ratio: 41/0][0.41 sec][Host: ____________][Risk: ** Suspicious DGA domain name **] + 80 UDP 192.168.3.95:54888 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Goodput ratio: 41/0][0.10 sec][Host: ____________][Risk: ** Suspicious DGA domain name **] + 81 UDP 192.168.3.95:58779 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Goodput ratio: 41/0][0.41 sec][Host: ____________][Risk: ** Suspicious DGA domain name **] 82 UDP 192.168.5.50:57143 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/142 bytes -> 0 pkts/0 bytes][Goodput ratio: 41/0][0.41 sec][Host: charming-pc][PLAIN TEXT (charming)] 83 UDP 192.168.5.50:62756 -> 224.0.0.252:5355 [proto: 
154/LLMNR][cat: Network/14][2 pkts/142 bytes -> 0 pkts/0 bytes][Goodput ratio: 41/0][0.41 sec][Host: charming-pc][PLAIN TEXT (charming)] 84 UDP 192.168.5.48:59797 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/140 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][0.41 sec][Host: kasper-mac][PLAIN TEXT (Kasper)] diff --git a/tests/result/wechat.pcap.out b/tests/result/wechat.pcap.out index 8d58440d7..d8e84d7b2 100644 --- a/tests/result/wechat.pcap.out +++ b/tests/result/wechat.pcap.out 
@@ -60,7 +60,7 @@ JA3 Host Stats: 39 TCP 192.168.1.103:58039 <-> 203.205.147.171:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][13 pkts/866 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][140.92 sec][bytes ratio: 0.511 (Upload)][IAT c2s/s2c min/avg/max/stddev: 272/45308 12755/45308 45020/45308 13611/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 67/70 74/74 2/4] 40 TCP 192.168.1.103:58143 -> 216.58.205.131:443 [proto: 91.126/TLS.Google][cat: Web/5][3 pkts/1078 bytes -> 0 pkts/0 bytes][Goodput ratio: 82/0][92.69 sec] 41 TCP 203.205.151.162:443 <-> 192.168.1.103:54084 [proto: 91.197/TLS.WeChat][cat: Chat/9][3 pkts/802 bytes <-> 3 pkts/198 bytes][Goodput ratio: 75/0][16.21 sec][bytes ratio: 0.604 (Upload)][IAT c2s/s2c min/avg/max/stddev: 6562/9679 8102/9679 9642/9679 1540/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 267/66 670/66 285/0] - 42 UDP 192.168.1.100:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][cat: System/18][9 pkts/828 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][1.44 sec][Host: lbjamwptxz][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 179/0 816/0 313/0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 92/0 92/0 0/0][PLAIN TEXT ( EMECEKEBENFHFAFEFIFKCACACACACA)] + 42 UDP 192.168.1.100:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][cat: System/18][9 pkts/828 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][1.44 sec][Host: lbjamwptxz][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 179/0 816/0 313/0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 92/0 92/0 0/0][Risk: ** Suspicious DGA domain name **][PLAIN TEXT ( EMECEKEBENFHFAFEFIFKCACACACACA)] 43 IGMP 192.168.1.100:0 -> 224.0.0.22:0 [proto: 82/IGMP][cat: Network/14][15 pkts/810 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][3769.99 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 409/0 289920/0 3384346/0 895904/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/0 54/0 54/0 0/0] 44 UDP 192.168.1.100:138 -> 192.168.1.255:138 [proto: 10.16/NetBIOS.SMBv1][cat: System/18][3 pkts/751 bytes -> 0 
pkts/0 bytes][Goodput ratio: 83/0][3600.00 sec][Host: giovanni-pc][PLAIN TEXT ( EHEJEPFGEBEOEOEJ)] 45 TCP 192.168.1.103:54112 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][5 pkts/338 bytes <-> 4 pkts/280 bytes][Goodput ratio: 0/0][22.72 sec][bytes ratio: 0.094 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 351/910 5597/910 20327/910 8509/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/70 74/74 3/4] @@ -93,7 +93,7 @@ JA3 Host Stats: 72 TCP 192.168.1.103:40741 <-> 203.205.151.211:443 [proto: 91/TLS][cat: Web/5][2 pkts/108 bytes <-> 2 pkts/108 bytes][Goodput ratio: 0/0][0.36 sec] 73 IGMP 192.168.1.254:0 -> 224.0.0.1:0 [proto: 82/IGMP][cat: Network/14][4 pkts/200 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][3763.44 sec] 74 TCP 192.168.1.103:54085 <-> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][2 pkts/132 bytes <-> 1 pkts/66 bytes][Goodput ratio: 0/0][0.33 sec] - 75 UDP [fe80::91f9:3df3:7436:6cd6]:50440 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/180 bytes -> 0 pkts/0 bytes][Goodput ratio: 31/0][0.01 sec][Host: lbjamwptxz][PLAIN TEXT (lbjamwptx)] + 75 UDP [fe80::91f9:3df3:7436:6cd6]:50440 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/180 bytes -> 0 pkts/0 bytes][Goodput ratio: 31/0][0.01 sec][Host: lbjamwptxz][Risk: ** Suspicious DGA domain name **][PLAIN TEXT (lbjamwptx)] 76 UDP [fe80::91f9:3df3:7436:6cd6]:49195 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/176 bytes -> 0 pkts/0 bytes][Goodput ratio: 29/0][0.01 sec][Host: cansaqcq][PLAIN TEXT (cansaqcq)] 77 UDP [fe80::91f9:3df3:7436:6cd6]:50577 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/176 bytes -> 0 pkts/0 bytes][Goodput ratio: 29/0][0.01 sec][Host: mcztmpkc][PLAIN TEXT (mcztmpkc)] 78 UDP 192.168.1.103:43705 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][cat: Chat/9][2 pkts/172 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][5.01 sec][Host: webpush.web.wechat.com.lan][::][PLAIN TEXT (webpush)] 
@@ -103,7 +103,7 @@ JA3 Host Stats: 82 UDP 192.168.1.103:41759 -> 192.168.1.254:53 [proto: 5/DNS][cat: Network/14][2 pkts/162 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][< 1 sec][Host: 2.debian.pool.ntp.org][::][PLAIN TEXT (debian)] 83 UDP 192.168.1.103:44063 -> 192.168.1.254:53 [proto: 5/DNS][cat: Network/14][2 pkts/162 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][< 1 sec][Host: 1.debian.pool.ntp.org][::][PLAIN TEXT (debian)] 84 UDP 192.168.1.103:42074 -> 192.168.1.254:53 [proto: 5.126/DNS.Google][cat: Web/5][2 pkts/158 bytes -> 0 pkts/0 bytes][Goodput ratio: 47/0][5.01 sec][Host: ssl.gstatic.com.lan][::][PLAIN TEXT (gstatic)] - 85 UDP 192.168.1.100:54124 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/140 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][0.01 sec][Host: lbjamwptxz][PLAIN TEXT (lbjamwptx)] + 85 UDP 192.168.1.100:54124 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/140 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][0.01 sec][Host: lbjamwptxz][Risk: ** Suspicious DGA domain name **][PLAIN TEXT (lbjamwptx)] 86 UDP 192.168.1.100:49832 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Goodput ratio: 38/0][0.01 sec][Host: cansaqcq][PLAIN TEXT (cansaqcq)] 87 UDP 192.168.1.100:57401 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Goodput ratio: 38/0][0.01 sec][Host: mcztmpkc][PLAIN TEXT (mcztmpkc)] 88 TCP 192.168.1.103:54106 -> 203.205.151.162:443 [proto: 91.197/TLS.WeChat][cat: Chat/9][2 pkts/132 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][35.46 sec] diff --git a/tests/result/weibo.pcap.out b/tests/result/weibo.pcap.out index f90ce31de..e11aa8ed3 100644 --- a/tests/result/weibo.pcap.out +++ b/tests/result/weibo.pcap.out 
@@ -28,7 +28,7 @@ JA3 Host Stats: 16 UDP 192.168.1.105:51440 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/72 bytes <-> 1 pkts/171 bytes][Goodput ratio: 41/75][0.19 sec][Host: g.alicdn.com][47.89.65.229][PLAIN TEXT (alicdn)] 17 UDP 192.168.1.105:33822 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/76 bytes <-> 1 pkts/166 bytes][Goodput ratio: 44/74][0.47 sec][Host: login.taobao.com][140.205.170.63][PLAIN TEXT (taobao)] 18 UDP 192.168.1.105:18035 <-> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][cat: SocialNetwork/6][1 pkts/81 bytes <-> 1 pkts/159 bytes][Goodput ratio: 48/73][0.11 sec][Host: u1.img.mobile.sina.cn][222.73.28.96][PLAIN TEXT (mobile)] - 19 UDP 192.168.1.105:50640 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/77 bytes <-> 1 pkts/157 bytes][Goodput ratio: 45/73][0.47 sec][Host: acjstb.aliyun.com][42.156.184.19][PLAIN TEXT (alibabadns)] + 19 UDP 192.168.1.105:50640 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/77 bytes <-> 1 pkts/157 bytes][Goodput ratio: 45/73][0.47 sec][Host: acjstb.aliyun.com][42.156.184.19][Risk: ** Suspicious DGA domain name **][PLAIN TEXT (alibabadns)] 20 UDP 192.168.1.105:7148 <-> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][cat: SocialNetwork/6][1 pkts/73 bytes <-> 1 pkts/142 bytes][Goodput ratio: 42/70][0.06 sec][Host: www.weibo.com][93.188.134.137] 21 TCP 192.168.1.105:35808 <-> 93.188.134.246:80 [proto: 7/HTTP][cat: Web/5][2 pkts/140 bytes <-> 1 pkts/74 bytes][Goodput ratio: 0/0][0.06 sec] 22 TCP 192.168.1.105:50831 <-> 47.89.65.229:443 [proto: 91/TLS][cat: Web/5][2 pkts/128 bytes <-> 1 pkts/66 bytes][Goodput ratio: 0/0][0.22 sec] |