authorLuca Deri <deri@ntop.org>2019-05-28 23:35:49 +0200
committerLuca Deri <deri@ntop.org>2019-05-28 23:35:49 +0200
commit5da363cbde633138ccb97e3d209ede9c6c333a54 (patch)
tree20488464309951b0ef382f372f170ce4f4f9d6ab
parent53119e71f410ce467634a6ce65e047a37b76ff1d (diff)
Fixed MySQL dissector
SSL dissector now reports the protocol version. Fixed bug in ndpiReader that invalidates in some cases the protocol dissection and used to slow down the dissection.
-rw-r--r--example/ndpiReader.c20
-rw-r--r--example/ndpi_util.c75
-rw-r--r--example/ndpi_util.h1
-rw-r--r--src/include/ndpi_typedefs.h1
-rw-r--r--src/lib/protocols/dropbox.c10
-rw-r--r--src/lib/protocols/mysql.c51
-rw-r--r--src/lib/protocols/ssl.c5
7 files changed, 79 insertions, 84 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index a7aa79e17..1a5dbbfd0 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -763,6 +763,24 @@ static char* print_cipher(ndpi_cipher_weakness c) {
return("");
}
}
+
+/* ********************************** */
+
+static char* ssl_version2str(u_int16_t version) {
+ static char v[8];
+
+ switch(version) {
+ case 0x300: return("SSLv3");
+ case 0x301: return("TLSv1");
+ case 0x302: return("TLSv1.1");
+ case 0x303: return("TLSv1.2");
+ case 0x304: return("TLSv1.3");
+ }
+
+ snprintf(v, sizeof(v), "%04X", version);
+ return(v);
+}
+
/* ********************************** */
/**
@@ -819,7 +837,7 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa
if(flow->info[0] != '\0') fprintf(out, "[%s]", flow->info);
-
+ if(flow->ssh_ssl.ssl_version != 0) fprintf(out, "[%s]", ssl_version2str(flow->ssh_ssl.ssl_version));
if(flow->ssh_ssl.ja3_client[0] != '\0') fprintf(out, "[JA3C: %s%s]", flow->ssh_ssl.ja3_client,
print_cipher(flow->ssh_ssl.client_unsafe_cipher));
if(flow->ssh_ssl.server_info[0] != '\0') fprintf(out, "[server: %s]", flow->ssh_ssl.server_info);
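Review bot: `ssl_version2str` formats unknown versions into a function-local `static char v[8]` and hands that buffer back, so the value is overwritten by the next call; `printFlow` takes a `thread_id`, and if flows are printed from more than one thread the fallback string can change under the caller's `fprintf`. The known-version branches also return string literals through a non-const `char *`. A reentrant shape is `static const char *ssl_version2str(char *buf, size_t buf_len, u_int16_t version)` with the fallback as `snprintf(buf, buf_len, "%04X", version); return buf;`, the call site in `printFlow` passing a local `char ver[8]`. The `%04X` fallback is worth a one-line comment saying it prints the raw wire value for versions not in the table.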
diff --git a/example/ndpi_util.c b/example/ndpi_util.c
index 2c05ddcd1..4b8ffb894 100644
--- a/example/ndpi_util.c
+++ b/example/ndpi_util.c
@@ -562,6 +562,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
/* SSL */
else if((flow->detected_protocol.app_protocol == NDPI_PROTOCOL_SSL)
|| (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSL)) {
+ flow->ssh_ssl.ssl_version = flow->ndpi_flow->protos.stun_ssl.ssl.ssl_version;
snprintf(flow->ssh_ssl.client_info, sizeof(flow->ssh_ssl.client_info), "%s",
flow->ndpi_flow->protos.stun_ssl.ssl.client_certificate);
snprintf(flow->ssh_ssl.server_info, sizeof(flow->ssh_ssl.server_info), "%s",
@@ -576,7 +577,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
}
}
- if(flow->detection_completed && !flow->check_extra_packets) {
+ if(flow->detection_completed && (!flow->check_extra_packets)) {
if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN) {
if(workflow->__flow_giveup_callback != NULL)
workflow->__flow_giveup_callback(workflow, flow, workflow->__flow_giveup_udata);
@@ -646,63 +647,37 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
return(nproto);
}
- /* The lines below are no longer necessary as this hsould be called automatically by ndpi_detection_process_packet */
-#if 0
- /* Protocol already detected */
- if(flow->detection_completed) {
- if(flow->check_extra_packets && ndpi_flow != NULL && ndpi_flow->check_extra_packets) {
- if(ndpi_flow->num_extra_packets_checked == 0 && ndpi_flow->max_extra_packets_to_check == 0) {
- /* Protocols can set this, but we set it here in case they didn't */
- ndpi_flow->max_extra_packets_to_check = MAX_EXTRA_PACKETS_TO_CHECK;
- }
- if(ndpi_flow->num_extra_packets_checked < ndpi_flow->max_extra_packets_to_check) {
- ndpi_process_extra_packet(workflow->ndpi_struct, ndpi_flow,
- iph ? (uint8_t *)iph : (uint8_t *)iph6,
- ipsize, time, src, dst);
- if(ndpi_flow->check_extra_packets == 0) {
- flow->check_extra_packets = 0;
- process_ndpi_collected_info(workflow, flow);
- }
- }
- } else if(ndpi_flow != NULL) {
- /* If this wasn't NULL we should do the half free */
- /* TODO: When half_free is deprecated, get rid of this */
- ndpi_free_flow_info_half(flow);
- }
-
- return(flow->detected_protocol);
- }
-#endif
+ if(!flow->detection_completed) {
+ flow->detected_protocol = ndpi_detection_process_packet(workflow->ndpi_struct, ndpi_flow,
+ iph ? (uint8_t *)iph : (uint8_t *)iph6,
+ ipsize, time, src, dst);
- flow->detected_protocol =
- ndpi_detection_process_packet(workflow->ndpi_struct, ndpi_flow,
- iph ? (uint8_t *)iph : (uint8_t *)iph6,
- ipsize, time, src, dst);
-
- if((flow->detected_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN)
- || ((proto == IPPROTO_UDP) && ((flow->src2dst_packets + flow->dst2src_packets) > 8))
- || ((proto == IPPROTO_TCP) && ((flow->src2dst_packets + flow->dst2src_packets) > 10))) {
- /* New protocol detected or give up */
- flow->detection_completed = 1;
- /* Check if we should keep checking extra packets */
- if(ndpi_flow && ndpi_flow->check_extra_packets)
- flow->check_extra_packets = 1;
-
- if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN)
- flow->detected_protocol = ndpi_detection_giveup(workflow->ndpi_struct, flow->ndpi_flow,
- enable_protocol_guess);
+ if((flow->detected_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN)
+ || ((proto == IPPROTO_UDP) && ((flow->src2dst_packets + flow->dst2src_packets) > 8))
+ || ((proto == IPPROTO_TCP) && ((flow->src2dst_packets + flow->dst2src_packets) > 10))) {
+ /* New protocol detected or give up */
+ flow->detection_completed = 1;
- process_ndpi_collected_info(workflow, flow);
- }
+ /* Check if we should keep checking extra packets */
+ if(ndpi_flow && ndpi_flow->check_extra_packets)
+ flow->check_extra_packets = 1;
+ if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN)
+ flow->detected_protocol = ndpi_detection_giveup(workflow->ndpi_struct, flow->ndpi_flow,
+ enable_protocol_guess);
+
+ process_ndpi_collected_info(workflow, flow);
+ }
+ }
+
return(flow->detected_protocol);
}
/* ****************************************************** */
-struct ndpi_proto ndpi_workflow_process_packet (struct ndpi_workflow * workflow,
- const struct pcap_pkthdr *header,
- const u_char *packet) {
+struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow,
+ const struct pcap_pkthdr *header,
+ const u_char *packet) {
/*
* Declare pointers to packet headers
*/
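Review bot: With the new `if(!flow->detection_completed)` guard, `ndpi_detection_process_packet` is never reached again once a flow is marked complete, yet `flow->check_extra_packets = 1` is still set a few lines later and nothing left in this hunk consumes it now that the `#if 0` block (which called `ndpi_process_extra_packet` and then `process_ndpi_collected_info`) is gone. Unless the extra-packet pass now runs somewhere outside this function, data that only arrives in later packets — for example the SSL server certificate and JA3S that `printFlow` reports — may never be collected for flows that completed early. If the intent is that `ndpi_detection_process_packet` handles those packets itself, the guard should admit them, e.g. `if(!flow->detection_completed || flow->check_extra_packets) {`, and a comment should name where `check_extra_packets` is cleared. The removed block's `ndpi_free_flow_info_half(flow)` for completed flows also has no replacement, so dissector state now stays allocated for the life of the flow; if that is deliberate it deserves a comment. `packet_processing` starts before this hunk.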
diff --git a/example/ndpi_util.h b/example/ndpi_util.h
index a1b61454d..538753834 100644
--- a/example/ndpi_util.h
+++ b/example/ndpi_util.h
@@ -97,6 +97,7 @@ typedef struct ndpi_flow_info {
char bittorent_hash[41];
struct {
+ u_int16_t ssl_version;
char client_info[64], server_info[64], server_organization[64],
ja3_client[33], ja3_server[33];
ndpi_cipher_weakness client_unsafe_cipher, server_unsafe_cipher;
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 69970a3e1..21e2199e5 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1097,6 +1097,7 @@ struct ndpi_flow_struct {
struct {
struct {
+ u_int16_t ssl_version;
char client_certificate[64], server_certificate[64], server_organization[64];
char ja3_client[33], ja3_server[33];
u_int16_t server_cipher;
diff --git a/src/lib/protocols/dropbox.c b/src/lib/protocols/dropbox.c
index 39bb96ff2..895bb0164 100644
--- a/src/lib/protocols/dropbox.c
+++ b/src/lib/protocols/dropbox.c
@@ -30,11 +30,9 @@
#define DB_LSP_PORT 17500
-
static void ndpi_int_dropbox_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
- u_int8_t due_to_correlation)
-{
+ u_int8_t due_to_correlation) {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DROPBOX, NDPI_PROTOCOL_UNKNOWN);
}
@@ -51,8 +49,7 @@ static void ndpi_check_dropbox(struct ndpi_detection_module_struct *ndpi_struct,
if(packet->udp->dest == dropbox_port) {
if(packet->udp->source == dropbox_port) {
if(payload_len > 10) {
- if(ndpi_strnstr((const char *)packet->payload, "\"host_int\"", payload_len) != NULL) {
-
+ if(ndpi_strnstr((const char *)packet->payload, "\"host_int\"", payload_len) != NULL) {
NDPI_LOG_INFO(ndpi_struct, "found dropbox\n");
ndpi_int_dropbox_add_connection(ndpi_struct, flow, 0);
return;
@@ -60,8 +57,7 @@ static void ndpi_check_dropbox(struct ndpi_detection_module_struct *ndpi_struct,
}
} else {
if(payload_len > 10) {
- if(ndpi_strnstr((const char *)packet->payload, "Bus17Cmd", payload_len) != NULL) {
-
+ if(ndpi_strnstr((const char *)packet->payload, "Bus17Cmd", payload_len) != NULL) {
NDPI_LOG_INFO(ndpi_struct, "found dropbox\n");
ndpi_int_dropbox_add_connection(ndpi_struct, flow, 0);
return;
diff --git a/src/lib/protocols/mysql.c b/src/lib/protocols/mysql.c
index d1602a2fe..83a5bf8ed 100644
--- a/src/lib/protocols/mysql.c
+++ b/src/lib/protocols/mysql.c
@@ -29,42 +29,45 @@
#include "ndpi_api.h"
-
-static void ndpi_int_mysql_add_connection(struct ndpi_detection_module_struct
- *ndpi_struct, struct ndpi_flow_struct *flow)
-{
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MYSQL, NDPI_PROTOCOL_UNKNOWN);
-}
-
-void ndpi_search_mysql_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
+void ndpi_search_mysql_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
NDPI_LOG_DBG(ndpi_struct, "search MySQL\n");
if(packet->tcp) {
- if (packet->payload_packet_len > 38 //min length
- && get_u_int16_t(packet->payload, 0) == packet->payload_packet_len - 4 //first 3 bytes are length
- && get_u_int8_t(packet->payload, 2) == 0x00 //3rd byte of packet length
- && get_u_int8_t(packet->payload, 3) == 0x00 //packet sequence number is 0 for startup packet
- && get_u_int8_t(packet->payload, 5) > 0x30 //server version > 0
- && get_u_int8_t(packet->payload, 5) < 0x37 //server version < 7
- && get_u_int8_t(packet->payload, 6) == 0x2e //dot
- ) {
+ if(packet->payload_packet_len > 38 //min length
+ && get_u_int16_t(packet->payload, 0) == packet->payload_packet_len - 4 //first 3 bytes are length
+ && get_u_int8_t(packet->payload, 2) == 0x00 //3rd byte of packet length
+ && get_u_int8_t(packet->payload, 3) == 0x00 //packet sequence number is 0 for startup packet
+ && get_u_int8_t(packet->payload, 5) > 0x30 //server version > 0
+ && get_u_int8_t(packet->payload, 5) < 0x37 //server version < 7
+ && get_u_int8_t(packet->payload, 6) == 0x2e //dot
+ ) {
+#if 0
+ /* Old code */
u_int32_t a;
- for (a = 7; a + 31 < packet->payload_packet_len; a++) {
- if (packet->payload[a] == 0x00) {
- if (get_u_int8_t(packet->payload, a + 13) == 0x00 //filler byte
- && get_u_int64_t(packet->payload, a + 19) == 0x0ULL //13 more
- && get_u_int32_t(packet->payload, a + 27) == 0x0 //filler bytes
- && get_u_int8_t(packet->payload, a + 31) == 0x0) {
+
+ for(a = 7; a + 31 < packet->payload_packet_len; a++) {
+ if(packet->payload[a] == 0x00) {
+ if(get_u_int8_t(packet->payload, a + 13) == 0x00 // filler byte
+ && get_u_int64_t(packet->payload, a + 19) == 0x0ULL // 13 more
+ && get_u_int32_t(packet->payload, a + 27) == 0x0 // filler bytes
+ && get_u_int8_t(packet->payload, a + 31) == 0x0) {
NDPI_LOG_INFO(ndpi_struct, "found MySQL\n");
- ndpi_int_mysql_add_connection(ndpi_struct, flow);
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MYSQL, NDPI_PROTOCOL_UNKNOWN);
return;
}
+
break;
}
}
+#else
+ if(strncmp(&packet->payload[packet->payload_packet_len-22], "mysql_", 6) == 0) {
+ NDPI_LOG_INFO(ndpi_struct, "found MySQL\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MYSQL, NDPI_PROTOCOL_UNKNOWN);
+ return;
+ }
+#endif
}
}
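Review bot: The new `#else` matcher passes `&packet->payload[packet->payload_packet_len-22]` to `strncmp`, which, if `payload` is the `u_int8_t` pointer the `(const char *)` casts in dropbox.c suggest, is a pointer-sign mismatch, and it applies a C-string function to a payload that is not NUL-terminated; since the enclosing `payload_packet_len > 38` check keeps the 6-byte window inside the buffer, `memcmp` is the right tool: `if(memcmp(&packet->payload[packet->payload_packet_len-22], "mysql_", 6) == 0) {`. The fixed offset presumably assumes the server greeting ends with the 22-byte `mysql_native_password\0` auth-plugin name, so servers advertising a different default plugin will fall through undetected; a comment stating that assumption would help the next reader. Keeping the previous matcher under `#if 0` is dead code and should be dropped rather than preserved if it is no longer trusted.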
diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/ssl.c
index 1f51ab4b6..eee31e94b 100644
--- a/src/lib/protocols/ssl.c
+++ b/src/lib/protocols/ssl.c
@@ -356,7 +356,6 @@ struct ja3_info {
/* **************************************** */
-
/* code fixes courtesy of Alexsandro Brahm <alex@digistar.com.br> */
int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
@@ -369,11 +368,13 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
MD5_CTX ctx;
u_char md5_hash[16];
+ flow->protos.stun_ssl.ssl.ssl_version = ssl_version;
+
memset(&ja3, 0, sizeof(ja3));
#ifdef CERTIFICATE_DEBUG
{
- u_int16_t ssl_len = (packet->payload[3] << 8) + packet->payload[4];
+ u_int16_t ssl_len = (packet->payload[3] << 8) + packet->payload[4];
printf("SSL Record [version: %u][len: %u]\n", ssl_version, ssl_len);
}
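Review bot: `flow->protos.stun_ssl.ssl.ssl_version = ssl_version;` is stored at the top of `getSSLcertificate` before any check visible here on the record being parsed, so a malformed or non-handshake record still overwrites the reported value. If `ssl_version` is the record/handshake version read from the packet header (the debug block right below reads the record length from `payload[3..4]`, which suggests it), TLS 1.3 keeps 0x0303 in those legacy fields and negotiates its real version in the `supported_versions` extension, so such flows will be reported as TLSv1.2 and the `0x304` case in ndpiReader's `ssl_version2str` would never be reached. A comment such as `/* legacy record/hello version; TLS 1.3 still shows 0x0303 here, real version is in supported_versions */` would at least document the limitation until the extension is parsed. `getSSLcertificate` starts before this hunk and continues after it.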