author | Nardi Ivan <nardi.ivan@gmail.com> | 2024-06-14 20:27:27 +0200 |
---|---|---|
committer | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-06-17 10:19:55 +0200 |
commit | bbe52da5cfaaab9d67c189fbf56970bdcb0de389 (patch) | |
tree | 08b4ade8974c724cbd43a99cccca6f808e2e4af9 | |
parent | 526cf6f2919398e1c9c5698b1b5783f18ed41fff (diff) |
Zoom: harden RTP/RTCP detection
-rw-r--r-- | src/lib/protocols/zoom.c | 45 | ||||
-rw-r--r-- | tests/cfgs/default/result/jrmi.pcap.out | 1 | ||||
-rw-r--r-- | tests/cfgs/default/result/zoom2.pcap.out | 2 | ||||
-rw-r--r-- | tests/cfgs/zoom_extra_dissection/result/zoom2.pcap.out | 8 |
4 files changed, 34 insertions, 22 deletions
diff --git a/src/lib/protocols/zoom.c b/src/lib/protocols/zoom.c index bb677d4de..f24d53b94 100644 --- a/src/lib/protocols/zoom.c +++ b/src/lib/protocols/zoom.c @@ -47,6 +47,7 @@ PACK_ON struct zoom_media_enc { /* Zoom media encapsulation */ static int zoom_search_again(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); +static int keep_extra_dissection(struct ndpi_flow_struct *flow); static void ndpi_int_zoom_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, @@ -54,11 +55,13 @@ static void ndpi_int_zoom_add_connection(struct ndpi_detection_module_struct *nd NDPI_LOG_INFO(ndpi_struct, "found Zoom\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZOOM, master, NDPI_CONFIDENCE_DPI); - /* Keep looking for RTP. It is similar to the STUN logic... */ - if(master == NDPI_PROTOCOL_UNKNOWN && - ndpi_struct->cfg.zoom_max_packets_extra_dissection > 0) { - flow->max_extra_packets_to_check = ndpi_struct->cfg.zoom_max_packets_extra_dissection; - flow->extra_packets_func = zoom_search_again; + if(!flow->extra_packets_func) { + if(keep_extra_dissection(flow) && + ndpi_struct->cfg.zoom_max_packets_extra_dissection > 0) { + NDPI_LOG_DBG(ndpi_struct, "Enabling extra dissection\n"); + flow->max_extra_packets_to_check = ndpi_struct->cfg.zoom_max_packets_extra_dissection; + flow->extra_packets_func = zoom_search_again; + } } } @@ -71,7 +74,8 @@ static int is_zoom_port(struct ndpi_flow_struct *flow) return 0; } -static int is_zme(struct ndpi_flow_struct *flow, +static int is_zme(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, const u_char *payload, u_int16_t payload_len) { if(payload_len > sizeof(struct zoom_media_enc)) { 
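Review bot: The rewritten arming block in ndpi_int_zoom_add_connection (hunk @@ -54,11 +55,13) drops the old `/* Keep looking for RTP... */` comment, so the new `if(!flow->extra_packets_func)` guard combined with `keep_extra_dissection(flow)` reads as opaque: nothing states that the callback is installed at most once, that a callback some other dissector already set is deliberately left in place, and that arming happens only while the flow carries no sub-classification. Suggest a comment above the guard such as `/* Arm extra dissection once, and only while the flow has no sub-classification (stack[1] == UNKNOWN), so RTP/RTCP can still be recognised in later packets; never replace a callback that was already installed */`. The enclosing function starts before the hunk.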
@@ -80,21 +84,24 @@ static int is_zme(struct ndpi_flow_struct *flow, switch(enc->enc_type) { case 13: /* Screen Share */ case 30: /* Screen Share */ - if(payload_len >= 27) { + if(payload_len > 27 && + is_rtp_or_rtcp(ndpi_struct, payload + 27, payload_len - 27, NULL) == IS_RTP) { flow->flow_multimedia_type = ndpi_multimedia_screen_sharing_flow; return 1; } break; case 15: /* RTP Audio */ - if(payload_len >= 27) { + if(payload_len > 19 && + is_rtp_or_rtcp(ndpi_struct, payload + 19, payload_len - 19, NULL) == IS_RTP) { flow->flow_multimedia_type = ndpi_multimedia_audio_flow; return 1; } break; case 16: /* RTP Video */ - if(payload_len >= 32) { + if(payload_len > 24 && + is_rtp_or_rtcp(ndpi_struct, payload + 24, payload_len - 24, NULL) == IS_RTP) { flow->flow_multimedia_type = ndpi_multimedia_video_flow; return 1; } @@ -103,7 +110,8 @@ static int is_zme(struct ndpi_flow_struct *flow, case 33: /* RTCP */ case 34: /* RTCP */ case 35: /* RTCP */ - if(payload_len >= 36) { + if(payload_len > 16 && + is_rtp_or_rtcp(ndpi_struct, payload + 16, payload_len - 16, NULL) == IS_RTCP) { return 1; } break; 
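Review bot: The new offsets 27, 19 and 24 in is_zme (and 16 in the RTCP hunk at @@ -103,7 +110,8) are bare magic numbers that replace the previous length thresholds, and nothing says what bytes they skip even though the classification now hinges on them; name them, e.g. `enum { ZME_SS_HDR_LEN = 27, ZME_AUDIO_HDR_LEN = 19, ZME_VIDEO_HDR_LEN = 24, ZME_RTCP_HDR_LEN = 16 };`, with a comment stating that each is the length of the Zoom media header preceding the embedded RTP/RTCP packet for that enc_type, which is what the `payload + N` / `payload_len - N` arithmetic suggests. The `payload_len > N` checks only guarantee that is_rtp_or_rtcp receives at least one byte; whether it enforces the RTP/RTCP minimum header length itself is not visible here, so that assumption deserves a one-line comment next to the first call. The body of is_zme starts and ends outside these hunks.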
@@ -124,27 +132,32 @@ static int is_sfu_5(struct ndpi_detection_module_struct *ndpi_struct, if(packet->payload[0] == 0x05 && packet->payload_packet_len > sizeof(struct zoom_sfu_enc) + sizeof(struct zoom_media_enc)) { - return is_zme(flow, &packet->payload[sizeof(struct zoom_sfu_enc)], + return is_zme(ndpi_struct, flow, &packet->payload[sizeof(struct zoom_sfu_enc)], packet->payload_packet_len - sizeof(struct zoom_sfu_enc)); } return 0; } +static int keep_extra_dissection(struct ndpi_flow_struct *flow) +{ + return flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN; /* No sub-classification */ +} + static int zoom_search_again(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - if(is_sfu_5(ndpi_struct, flow)) { + if(!flow->l4.udp.zoom_p2p && + is_sfu_5(ndpi_struct, flow)) { ndpi_int_zoom_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SRTP); - return 0; /* Stop */ } if(flow->l4.udp.zoom_p2p && - is_zme(flow, packet->payload, packet->payload_packet_len)) { + is_zme(ndpi_struct, flow, packet->payload, packet->payload_packet_len)) { ndpi_int_zoom_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SRTP); - return 0; /* Stop */ } - return 1; /* Keep looking */ + + return keep_extra_dissection(flow); } static void ndpi_search_zoom(struct ndpi_detection_module_struct *ndpi_struct, diff --git a/tests/cfgs/default/result/jrmi.pcap.out b/tests/cfgs/default/result/jrmi.pcap.out index de2c9eaa0..4e16b79f2 100644 --- a/tests/cfgs/default/result/jrmi.pcap.out +++ b/tests/cfgs/default/result/jrmi.pcap.out @@ -7,7 +7,6 @@ LRU cache stun: 0/0/0 (insert/search/found) LRU cache tls_cert: 0/0/0 (insert/search/found) LRU cache mining: 0/0/0 (insert/search/found) LRU cache msteams: 0/0/0 (insert/search/found) -LRU cache stun_zoom: 0/0/0 (insert/search/found) Automa host: 0/0 (search/found) Automa domain: 0/0 (search/found) Automa tls cert: 0/0 (search/found) 
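Review bot: keep_extra_dissection carries only the trailing `/* No sub-classification */` remark, yet it is used both as the predicate that arms extra dissection in ndpi_int_zoom_add_connection and as the return value of zoom_search_again, where 1 means "keep calling me"; document that contract, e.g. `/* 1 while the flow still lacks a sub-classification (stack[1] == UNKNOWN), i.e. extra dissection should be armed / should keep running; 0 once a lower protocol such as SRTP is set */`. Removing the two `return 0; /* Stop */` lines means is_sfu_5 or is_zme, each now calling is_rtp_or_rtcp, runs on every packet up to zoom_max_packets_extra_dissection for any Zoom flow that never carries RTP, which the updated zoom_extra_dissection result appears to reflect (DPI packets 10 to 73 and 87); if that per-flow cost is intended, a short comment at the `return keep_extra_dissection(flow);` line saying so would save the next reader from reading it as an oversight. ndpi_search_zoom, whose signature closes the hunk, continues outside it.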
diff --git a/tests/cfgs/default/result/zoom2.pcap.out b/tests/cfgs/default/result/zoom2.pcap.out
index 71ddfcf90..3a607826e 100644
--- a/tests/cfgs/default/result/zoom2.pcap.out
+++ b/tests/cfgs/default/result/zoom2.pcap.out
@@ -31,5 +31,5 @@ JA3 Host Stats: 1 UDP 192.168.1.178:60653 <-> 144.195.73.154:8801 [proto: 189/Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][7 pkts/2996 bytes <-> 66 pkts/64200 bytes][Goodput ratio: 90/96][0.82 sec][bytes ratio: -0.911 (Download)][IAT c2s/s2c min/avg/max/stddev: 12/0 72/10 101/100 36/15][Pkt Len c2s/s2c min/avg/max/stddev: 165/60 428/973 1078/1078 411/306][PLAIN TEXT (replace)][Plen Bins: 2,6,0,2,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,85,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 2 UDP 192.168.1.178:58117 <-> 144.195.73.154:8801 [proto: 189/Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][64 pkts/9307 bytes <-> 98 pkts/17843 bytes][Goodput ratio: 71/77][4.02 sec][bytes ratio: -0.314 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 58/36 141/131 42/37][Pkt Len c2s/s2c min/avg/max/stddev: 106/60 145/182 209/368 23/79][PLAIN TEXT (replace)][Plen Bins: 1,3,44,26,10,1,0,5,6,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 3 UDP 192.168.1.178:57953 <-> 144.195.73.154:8801 [proto: 338.189/SRTP.Zoom][IP: 189/Zoom][Stream Content: Screen Sharing][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][43 pkts/5229 bytes <-> 44 pkts/4520 bytes][Goodput ratio: 65/59][39.68 sec][bytes ratio: 0.073 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 941/849 3580/3749 1440/1522][Pkt Len c2s/s2c min/avg/max/stddev: 69/60 122/103 185/133 41/28][PLAIN TEXT (replace)][Plen Bins: 35,2,43,13,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 UDP 192.168.1.178:57953 <-> 144.195.73.154:8801 [proto: 189/Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][43 pkts/5229 bytes <-> 44 pkts/4520 bytes][Goodput ratio: 65/59][39.68 sec][bytes ratio: 0.073 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 941/849 3580/3749 1440/1522][Pkt Len c2s/s2c min/avg/max/stddev: 69/60 122/103 185/133 41/28][PLAIN TEXT 
(replace)][Plen Bins: 35,2,43,13,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 TCP 192.168.1.178:50076 <-> 144.195.73.154:443 [proto: 91.189/TLS.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 8][cat: Video/26][12 pkts/3043 bytes <-> 8 pkts/5520 bytes][Goodput ratio: 74/90][0.73 sec][Hostname/SNI: zoomsjccv154mmr.sjc.zoom.us][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.289 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 72/58 175/174 83/82][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 254/690 1506/1506 404/622][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 832952db10f1453442636675bed2702b][JA4: t13d141200_ad449869e501_b11171733d3d][ServerNames: *.sjc.zoom.us][JA3S: 8aca82d60194883e764ab2743e60c380][Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1][Subject: C=US, ST=California, L=San Jose, O=Zoom Video Communications, Inc., CN=*.sjc.zoom.us][Certificate SHA-1: 43:42:0A:34:FD:F6:7A:FC:E9:C1:95:D8:E0:79:7E:17:B9:65:B0:A7][Firefox][Validity: 2021-04-13 00:00:00 - 2022-04-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,10,10,10,10,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,30,0,0] diff --git a/tests/cfgs/zoom_extra_dissection/result/zoom2.pcap.out b/tests/cfgs/zoom_extra_dissection/result/zoom2.pcap.out index 68428c85a..69ab67c25 100644 --- a/tests/cfgs/zoom_extra_dissection/result/zoom2.pcap.out +++ b/tests/cfgs/zoom_extra_dissection/result/zoom2.pcap.out @@ -1,5 +1,5 @@ DPI Packets (TCP): 8 (8.00 pkts/flow) -DPI Packets (UDP): 25 (8.33 pkts/flow) +DPI Packets (UDP): 172 (57.33 pkts/flow) Confidence DPI : 4 (flows) Num dissector calls: 373 (93.25 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) 
@@ -29,7 +29,7 @@ JA3 Host Stats: 1 192.168.1.178 1 - 1 UDP 192.168.1.178:60653 <-> 144.195.73.154:8801 [proto: 338.189/SRTP.Zoom][IP: 189/Zoom][Stream Content: Screen Sharing][Encrypted][Confidence: DPI][DPI packets: 10][cat: Video/26][7 pkts/2996 bytes <-> 66 pkts/64200 bytes][Goodput ratio: 90/96][0.82 sec][bytes ratio: -0.911 (Download)][IAT c2s/s2c min/avg/max/stddev: 12/0 72/10 101/100 36/15][Pkt Len c2s/s2c min/avg/max/stddev: 165/60 428/973 1078/1078 411/306][PLAIN TEXT (replace)][Plen Bins: 2,6,0,2,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,85,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 UDP 192.168.1.178:58117 <-> 144.195.73.154:8801 [proto: 338.189/SRTP.Zoom][IP: 189/Zoom][Stream Content: Screen Sharing][Encrypted][Confidence: DPI][DPI packets: 10][cat: Video/26][64 pkts/9307 bytes <-> 98 pkts/17843 bytes][Goodput ratio: 71/77][4.02 sec][bytes ratio: -0.314 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 58/36 141/131 42/37][Pkt Len c2s/s2c min/avg/max/stddev: 106/60 145/182 209/368 23/79][PLAIN TEXT (replace)][Plen Bins: 1,3,44,26,10,1,0,5,6,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 3 UDP 192.168.1.178:57953 <-> 144.195.73.154:8801 [proto: 338.189/SRTP.Zoom][IP: 189/Zoom][Stream Content: Screen Sharing][Encrypted][Confidence: DPI][DPI packets: 5][cat: Video/26][43 pkts/5229 bytes <-> 44 pkts/4520 bytes][Goodput ratio: 65/59][39.68 sec][bytes ratio: 0.073 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 941/849 3580/3749 1440/1522][Pkt Len c2s/s2c min/avg/max/stddev: 69/60 122/103 185/133 41/28][PLAIN TEXT (replace)][Plen Bins: 35,2,43,13,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP 192.168.1.178:60653 <-> 144.195.73.154:8801 [proto: 189/Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 73][cat: Video/26][7 pkts/2996 bytes <-> 66 pkts/64200 bytes][Goodput ratio: 90/96][0.82 sec][bytes ratio: -0.911 (Download)][IAT c2s/s2c min/avg/max/stddev: 12/0 72/10 
101/100 36/15][Pkt Len c2s/s2c min/avg/max/stddev: 165/60 428/973 1078/1078 411/306][PLAIN TEXT (replace)][Plen Bins: 2,6,0,2,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,85,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP 192.168.1.178:58117 <-> 144.195.73.154:8801 [proto: 338.189/SRTP.Zoom][IP: 189/Zoom][Stream Content: Audio][Encrypted][Confidence: DPI][DPI packets: 12][cat: Video/26][64 pkts/9307 bytes <-> 98 pkts/17843 bytes][Goodput ratio: 71/77][4.02 sec][bytes ratio: -0.314 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 58/36 141/131 42/37][Pkt Len c2s/s2c min/avg/max/stddev: 106/60 145/182 209/368 23/79][PLAIN TEXT (replace)][Plen Bins: 1,3,44,26,10,1,0,5,6,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 UDP 192.168.1.178:57953 <-> 144.195.73.154:8801 [proto: 189/Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 87][cat: Video/26][43 pkts/5229 bytes <-> 44 pkts/4520 bytes][Goodput ratio: 65/59][39.68 sec][bytes ratio: 0.073 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 941/849 3580/3749 1440/1522][Pkt Len c2s/s2c min/avg/max/stddev: 69/60 122/103 185/133 41/28][PLAIN TEXT (replace)][Plen Bins: 35,2,43,13,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 TCP 192.168.1.178:50076 <-> 144.195.73.154:443 [proto: 91.189/TLS.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][DPI packets: 8][cat: Video/26][12 pkts/3043 bytes <-> 8 pkts/5520 bytes][Goodput ratio: 74/90][0.73 sec][Hostname/SNI: zoomsjccv154mmr.sjc.zoom.us][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.289 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 72/58 175/174 83/82][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 254/690 1506/1506 404/622][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 832952db10f1453442636675bed2702b][JA4: t13d141200_ad449869e501_b11171733d3d][ServerNames: *.sjc.zoom.us][JA3S: 8aca82d60194883e764ab2743e60c380][Issuer: 
C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1][Subject: C=US, ST=California, L=San Jose, O=Zoom Video Communications, Inc., CN=*.sjc.zoom.us][Certificate SHA-1: 43:42:0A:34:FD:F6:7A:FC:E9:C1:95:D8:E0:79:7E:17:B9:65:B0:A7][Firefox][Validity: 2021-04-13 00:00:00 - 2022-04-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,10,10,10,10,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,30,0,0] |