author | Luca Deri <deri@ntop.org> | 2021-03-20 17:56:24 +0100 |
committer | Luca Deri <deri@ntop.org> | 2021-03-20 17:56:24 +0100 |
commit | 627299e4ddd7d39fcc7ce8cd703be0ed8f92da4a (patch) | |
tree | 1cc856b772fb5f56a84df4fb631b468237dd81e1 | |
parent | 6333bb1702619d29e7f6ce2acf9091c0ccc436c9 (diff) |
Better DGA detection (slightly decreased accuracy)
-rw-r--r-- | example/ndpiReader.c | 61 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 8 | ||||
-rwxr-xr-x | tests/do-dga.sh | 4 | ||||
-rw-r--r-- | tests/result/teams.pcap.out | 2 |
5 files changed, 38 insertions, 39 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 15cf52af8..641c19091 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -3540,36 +3540,37 @@ static void dgaUnitTest() {
 };
 const char *non_dga[] = {
- "mz.gov.pl",
- "zoomam104zc.zoom.us",
- "5CI_DOMBIN",
- "ALICEGATE",
- "BOWIE",
- "D002465",
- "DESKTOP-RB5T12G",
- "ECI_DOM",
- "ECI_DOMA",
- "ECI_DOMAIN",
- "ENDIAN-PC",
- "GFILE",
- "GIOVANNI-PC",
- "GUNNAR",
- "ISATAP",
- "LAB111",
- "LP-RKERUR-OSX",
- "LUCAS-IMAC",
- "LUCASMACBOOKPRO",
- "MACBOOKAIR-E1D0",
- //"MDJR98",
- "NASFILE",
- "SANJI-LIFEBOOK-",
- "SC.ARRANCAR.ORG",
- "WORKG",
- "WORKGROUP",
- "XSTREAM_HY",
- "__MSBROWSE__",
- "mqtt.facebook.com",
- NULL
+ "www.confindustriabrescia.it",
+ "mz.gov.pl",
+ "zoomam104zc.zoom.us",
+ "5CI_DOMBIN",
+ "ALICEGATE",
+ "BOWIE",
+ "D002465",
+ "DESKTOP-RB5T12G",
+ "ECI_DOM",
+ "ECI_DOMA",
+ "ECI_DOMAIN",
+ "ENDIAN-PC",
+ "GFILE",
+ "GIOVANNI-PC",
+ "GUNNAR",
+ "ISATAP",
+ "LAB111",
+ "LP-RKERUR-OSX",
+ "LUCAS-IMAC",
+ "LUCASMACBOOKPRO",
+ "MACBOOKAIR-E1D0",
+ //"MDJR98",
+ "NASFILE",
+ "SANJI-LIFEBOOK-",
+ "SC.ARRANCAR.ORG",
+ "WORKG",
+ "WORKGROUP",
+ "XSTREAM_HY",
+ "__MSBROWSE__",
+ "mqtt.facebook.com",
+ NULL
 };
 int i;
 NDPI_PROTOCOL_BITMASK all;
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 50fccbefa..f4b949b2b 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -7464,7 +7464,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
 - https://www.akamai.com/uk/en/multimedia/documents/state-of-the-internet/ddos-reflection-netbios-name-server-rpc-portmap-sentinel-udp-threat-advisory.pdf
 - http://ubiqx.org/cifs/NetBIOS.html */
- || (max_domain_element_len >= 19 /* word too long. Example bbcbedxhgjmdobdprmen.com */)
+ || ((max_domain_element_len >= 19 /* word too long. Example bbcbedxhgjmdobdprmen.com */) && ((num_char_repetitions > 1) || (num_digits > 1)))
 ) {
 if(flow) ndpi_set_risk(flow, NDPI_SUSPICIOUS_DGA_DOMAIN);
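Review bot: The single functional line of this hunk, the new `"www.confindustriabrescia.it"` entry at the top of `non_dga`, is buried under a re-indentation of all thirty existing entries, which makes the diff hard to review and to blame later; the whitespace change would be better kept out of a behaviour-changing commit. The new entry also deserves a one-line comment saying what it guards against: its second-level label is 20 characters with no digits, so it presumably exercises the relaxed long-label rule in ndpi_main.c, e.g. `"www.confindustriabrescia.it", /* long legitimate label: must not trip the DGA length rule */`. dgaUnitTest() starts before and continues after the hunk.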
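Review bot: The comment `/* word too long. Example bbcbedxhgjmdobdprmen.com */` carried over onto the added line no longer describes the condition: length alone no longer flags a label, it must also satisfy `num_char_repetitions > 1` or `num_digits > 1`, and the cited example contains no digits, so whether it still fires depends on how repetitions are counted in the part of the function that lies outside the hunk. Either confirm the example still trips the rule and keep it, or reword to `/* long label (>= 19 chars) that also looks noisy: repeated chars or several digits. Example bbcbedxhgjmdobdprmen.com */`. The thresholds 19 and 1 remain magic numbers; naming them alongside the other DGA limits would make this trade-off visible, and a short note that the tightening is deliberate (the lowered BASE_RECALL in tests/do-dga.sh reflects it) would stop a future reader from "fixing" the rule back. The enclosing `if` starts outside the hunk.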
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index fdd59cb67..d7116ee6e 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1444,11 +1444,9 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 #endif
 if((len >= 4)
- && strcmp(&sni[len-4], ".com") /* Check if it ends in .com or .net */
- && strcmp(&sni[len-4], ".net")
- && strncmp(sni, "www.", 4)) /* Not starting with www.... */
- ;
- else
+ /* Check if it ends in .com or .net */
+ && ((strcmp(&sni[len-4], ".com") == 0) || (strcmp(&sni[len-4], ".net") == 0))
+ && (strncmp(sni, "www.", 4) == 0)) /* Not starting with www.... */
 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR, NDPI_PROTOCOL_TLS);
 } else {
 #ifdef DEBUG_TLS
diff --git a/tests/do-dga.sh b/tests/do-dga.sh
index d53cc1bd9..93408a012 100755
--- a/tests/do-dga.sh
+++ b/tests/do-dga.sh
@@ -4,9 +4,9 @@ cd "$(dirname "${0}")"
 # Baseline performances ------------------------------------------------------------------------------------------------
 # Important notes: BASE values must be integers examples and represents percentage (e.g. 79%, 98%).
-BASE_ACCURACY=71
+BASE_ACCURACY=69
 BASE_PRECISION=89
-BASE_RECALL=49
+BASE_RECALL=41
 # ----------------------------------------------------------------------------------------------------------------------
 DGA_EVALUATE="./dga/dga_evaluate"
diff --git a/tests/result/teams.pcap.out b/tests/result/teams.pcap.out
index 02a161319..219343e23 100644
--- a/tests/result/teams.pcap.out
+++ b/tests/result/teams.pcap.out
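Review bot: The trailing comment `/* Not starting with www.... */` on the last added line contradicts the test it annotates: `strncmp(sni, "www.", 4) == 0` is true exactly when the SNI does start with `www.`, so the rewritten condition now labels a flow as Tor only for `www.<label>.com` / `www.<label>.net` names, which is the shape of the self-generated SNI Tor uses in its link handshake. Reword it to `/* ... and starts with www. (Tor-style www.<random>.com/.net SNI) */`, and consider folding the leftover `/* Check if it ends in .com or .net */` into one comment above the `if` that states the whole heuristic. Whatever gate selects this branch sits before the `#endif` and outside the hunk, so I cannot judge how narrow the Tor match really is; a comment naming that precondition next to the `ndpi_set_detected_protocol` call would help the next reader. processClientServerHello starts before and continues after the hunk.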
@@ -73,7 +73,7 @@ JA3 Host Stats:
 53 UDP 192.168.1.6:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][cat: Cloud/13][1 pkts/527 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][< 1 sec][PLAIN TEXT (version)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 54 UDP 192.168.1.6:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][cat: Cloud/13][1 pkts/527 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][< 1 sec][PLAIN TEXT (version)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 55 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][1 pkts/397 bytes -> 0 pkts/0 bytes][Goodput ratio: 89/0][< 1 sec][PLAIN TEXT (6.10.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 56 UDP 192.168.1.6:63930 <-> 192.168.1.1:53 [proto: 5.212/DNS.Microsoft][cat: Cloud/13][1 pkts/96 bytes <-> 1 pkts/301 bytes][Goodput ratio: 56/86][0.04 sec][Host: dc.applicationinsights.microsoft.com][40.79.138.41][Risk: ** Suspicious DGA domain name **][PLAIN TEXT (applicationinsights)][Plen Bins: 0,50,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 56 UDP 192.168.1.6:63930 <-> 192.168.1.1:53 [proto: 5.212/DNS.Microsoft][cat: Cloud/13][1 pkts/96 bytes <-> 1 pkts/301 bytes][Goodput ratio: 56/86][0.04 sec][Host: dc.applicationinsights.microsoft.com][40.79.138.41][PLAIN TEXT (applicationinsights)][Plen Bins: 0,50,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 57 UDP 192.168.1.6:54069 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/83 bytes <-> 1 pkts/264 bytes][Goodput ratio: 49/84][0.06 sec][Host: api.microsoftstream.com][104.40.187.151][PLAIN TEXT (microsoftstream)][Plen Bins: 0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 58 UDP 192.168.1.6:62735 <-> 192.168.1.1:53 [proto: 5/DNS][cat: Network/14][1 pkts/90 bytes <-> 1 pkts/225 bytes][Goodput ratio: 53/81][0.01 sec][Host: euno-1.api.microsoftstream.com][52.169.186.119][PLAIN TEXT (microsoftstream)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 59 UDP 192.168.1.6:57504 <-> 192.168.1.1:53 [proto: 5.250/DNS.Teams][cat: Collaborative/15][1 pkts/92 bytes <-> 1 pkts/222 bytes][Goodput ratio: 54/81][0.04 sec][Host: chatsvcagg.svcs.teams.office.com][52.114.88.59][PLAIN TEXT (chatsvcagg)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |