Added new risk for clear text credentials

author: Luca Deri <deri@ntop.org> 2021-09-10 22:00:04 +0200
committer: Luca Deri <deri@ntop.org> 2021-09-10 22:00:04 +0200
commit: 00857abf2c008b77f3e1d9eba9505b1b22239543 (patch)
tree: ce6adc2088f29a1e10bccc98363e190982d77bc2
parent: 1fadf4754a1741e6fd690dbb65ae778fd1dc0313 (diff)
15 files changed, 56 insertions, 7 deletions
diff --git a/python/ndpi.py b/python/ndpi.py
index 8746e4f71..fb5c8af2c 100644
--- a/python/ndpi.py
+++ b/python/ndpi.py
@@ -327,6 +327,7 @@ typedef enum {
   NDPI_TLS_SUSPICIOUS_EXTENSION,
   NDPI_TLS_FATAL_ALERT,
   NDPI_SUSPICIOUS_ENTROPY,
+  NDPI_CLEAR_TEXT_CREDENTIALS,
 
   /* Leave this as last member */
   NDPI_MAX_RISK
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 8cb47b776..d11451ad1 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -105,6 +105,7 @@ typedef enum {
   NDPI_TLS_SUSPICIOUS_EXTENSION,
   NDPI_TLS_FATAL_ALERT,
   NDPI_SUSPICIOUS_ENTROPY,
+  NDPI_CLEAR_TEXT_CREDENTIALS,
   
   /* Leave this as last member */
   NDPI_MAX_RISK /* must be <= 63 due to (**) */
@@ -898,6 +899,7 @@ struct ndpi_packet_struct {
   struct ndpi_int_one_line_struct content_line;
   struct ndpi_int_one_line_struct content_disposition_line;
   struct ndpi_int_one_line_struct accept_line;
+  struct ndpi_int_one_line_struct authorization_line;
   struct ndpi_int_one_line_struct user_agent_line;
   struct ndpi_int_one_line_struct http_url_name;
   struct ndpi_int_one_line_struct http_encoding;
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index d5a169eac..138d1777d 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -106,6 +106,7 @@ static ndpi_risk_info ndpi_known_risks[] = {
   { NDPI_TLS_SUSPICIOUS_EXTENSION,              NDPI_RISK_HIGH,   CLIENT_HIGH_RISK_PERCENTAGE },
   { NDPI_TLS_FATAL_ALERT,                       NDPI_RISK_LOW,    CLIENT_FAIR_RISK_PERCENTAGE },
   { NDPI_SUSPICIOUS_ENTROPY,                    NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
+  { NDPI_CLEAR_TEXT_CREDENTIALS,                NDPI_RISK_HIGH,   CLIENT_HIGH_RISK_PERCENTAGE },
 
   /* Leave this as last member */
   { NDPI_MAX_RISK,                              NDPI_RISK_LOW,    CLIENT_FAIR_RISK_PERCENTAGE }
@@ -5166,6 +5167,7 @@ void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_str,
 static void ndpi_reset_packet_line_info(struct ndpi_packet_struct *packet) {
   packet->parsed_lines = 0, packet->empty_line_position_set = 0, packet->host_line.ptr = NULL,
     packet->host_line.len = 0, packet->referer_line.ptr = NULL, packet->referer_line.len = 0,
+    packet->authorization_line.len = 0,
     packet->content_line.ptr = NULL, packet->content_line.len = 0, packet->accept_line.ptr = NULL,
     packet->accept_line.len = 0, packet->user_agent_line.ptr = NULL, packet->user_agent_line.len = 0,
     packet->http_url_name.ptr = NULL, packet->http_url_name.len = 0, packet->http_encoding.ptr = NULL,
@@ -5894,6 +5896,19 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str,
 	}
 	packet->http_num_headers++;
       }
+
+      /* "Authorization:" header line in HTTP. */
+      if(packet->line[packet->parsed_lines].len > 15 &&
+	 (strncasecmp((const char *) packet->line[packet->parsed_lines].ptr, "Authorization: ", 15) == 0)) {
+	packet->authorization_line.ptr = &packet->line[packet->parsed_lines].ptr[15];
+	packet->authorization_line.len = packet->line[packet->parsed_lines].len - 15;
+
+	while((packet->authorization_line.len > 0) && (packet->authorization_line.ptr[0] == ' '))
+	  packet->authorization_line.len--, packet->authorization_line.ptr++;
+
+	packet->http_num_headers++;
+      }
+      
       /* "Content-Type:" header line in HTTP. */
       if(packet->line[packet->parsed_lines].len > 14 &&
 	 (strncasecmp((const char *) packet->line[packet->parsed_lines].ptr, "Content-Type: ", 14) == 0 ||
@@ -5906,6 +5921,7 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str,
 
 	packet->http_num_headers++;
       }
+
       /* "Content-Type:" header line in HTTP AGAIN. Probably a bogus response without space after ":" */
       if((packet->content_line.len == 0) && (packet->line[packet->parsed_lines].len > 13) &&
 	 (strncasecmp((const char *) packet->line[packet->parsed_lines].ptr, "Content-type:", 13) == 0)) {
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index b1d1fcdb0..ed5ffd228 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1783,6 +1783,9 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
   case NDPI_SUSPICIOUS_ENTROPY:
     return("Suspicious entropy");
 
+  case NDPI_CLEAR_TEXT_CREDENTIALS:
+    return("Clear-text credentials");
+
   default:
     snprintf(buf, sizeof(buf), "%d", (int)risk);
     return(buf);
diff --git a/src/lib/protocols/ftp_control.c b/src/lib/protocols/ftp_control.c
index 7bf35e719..55ea192b0 100644
--- a/src/lib/protocols/ftp_control.c
+++ b/src/lib/protocols/ftp_control.c
@@ -41,7 +41,8 @@ static void ndpi_int_ftp_control_add_connection(struct ndpi_detection_module_str
 
 /* *************************************************************** */
 
-static int ndpi_ftp_control_check_request(struct ndpi_flow_struct *flow,
+static int ndpi_ftp_control_check_request(struct ndpi_detection_module_struct *ndpi_struct,
+					  struct ndpi_flow_struct *flow,
 					  const u_int8_t *payload,
 					  size_t payload_len) {
 #ifdef FTP_DEBUG
@@ -52,6 +53,7 @@ static int ndpi_ftp_control_check_request(struct ndpi_flow_struct *flow,
     ndpi_user_pwd_payload_copy((u_int8_t*)flow->protos.ftp_imap_pop_smtp.username,
 			       sizeof(flow->protos.ftp_imap_pop_smtp.username), 5,
 			       payload, payload_len);
+    ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
     return 1;
   }
 
@@ -602,7 +604,8 @@ static void ndpi_check_ftp_control(struct ndpi_detection_module_struct *ndpi_str
     if(flow->ftp_control_stage == 0) {
       NDPI_LOG_DBG2(ndpi_struct, "FTP_CONTROL stage 0: \n");
 
-      if((payload_len > 0) && ndpi_ftp_control_check_request(flow, packet->payload, payload_len)) {
+      if((payload_len > 0) && ndpi_ftp_control_check_request(ndpi_struct,
+							     flow, packet->payload, payload_len)) {
 	NDPI_LOG_DBG2(ndpi_struct,
 		      "Possible FTP_CONTROL request detected, we will look further for the response..\n");
 
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 1a3e2e357..0da3a16e7 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -625,6 +625,13 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
     }
   }
 
+  /* check for authorization line */
+  if(packet->authorization_line.ptr != NULL) {
+    NDPI_LOG_DBG2(ndpi_struct, "Authorization line found %.*s\n",
+		  packet->authorization_line.len, packet->authorization_line.ptr);
+    ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
+  }
+
   if(packet->content_line.ptr != NULL && packet->content_line.len != 0) {
     NDPI_LOG_DBG2(ndpi_struct, "Content Type line found %.*s\n",
 		  packet->content_line.len, packet->content_line.ptr);
diff --git a/src/lib/protocols/mail_imap.c b/src/lib/protocols/mail_imap.c
index 7fc50c4b7..5810ec219 100644
--- a/src/lib/protocols/mail_imap.c
+++ b/src/lib/protocols/mail_imap.c
@@ -162,6 +162,8 @@ void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 	  /* xxxx LOGIN "username" "password" */
 	  char str[256], *item;
 	  u_int len = packet->payload_packet_len >= sizeof(str) ? sizeof(str)-1 : packet->payload_packet_len;
+
+	  ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
 	  
 	  strncpy(str, (const char*)packet->payload, len);
 	  str[len] = '\0';
diff --git a/src/lib/protocols/mail_pop.c b/src/lib/protocols/mail_pop.c
index feb2757a2..e522fc187 100644
--- a/src/lib/protocols/mail_pop.c
+++ b/src/lib/protocols/mail_pop.c
@@ -80,7 +80,8 @@ static int ndpi_int_mail_pop_check_for_client_commands(struct ndpi_detection_mod
       ndpi_user_pwd_payload_copy((u_int8_t*)flow->protos.ftp_imap_pop_smtp.username,
 				 sizeof(flow->protos.ftp_imap_pop_smtp.username), 5,
 				 packet->payload, packet->payload_packet_len);
-      
+
+      ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
       flow->l4.tcp.pop_command_bitmask |= POP_BIT_USER;
       return 1;
     } else if((packet->payload[0] == 'P' || packet->payload[0] == 'p')
@@ -90,7 +91,8 @@ static int ndpi_int_mail_pop_check_for_client_commands(struct ndpi_detection_mod
       ndpi_user_pwd_payload_copy((u_int8_t*)flow->protos.ftp_imap_pop_smtp.password,
 				 sizeof(flow->protos.ftp_imap_pop_smtp.password), 5,
 				 packet->payload, packet->payload_packet_len);
-      
+
+      ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
       flow->l4.tcp.pop_command_bitmask |= POP_BIT_PASS;
       return 1;
     } else if((packet->payload[0] == 'C' || packet->payload[0] == 'c')
diff --git a/src/lib/protocols/mail_smtp.c b/src/lib/protocols/mail_smtp.c
index 66e4cc0f0..256026c25 100644
--- a/src/lib/protocols/mail_smtp.c
+++ b/src/lib/protocols/mail_smtp.c
@@ -187,6 +187,8 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 
 		  ndpi_free(out);
 		}
+		
+		ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
 	      } else if(flow->protos.ftp_imap_pop_smtp.password[0] == '\0') {
 		/* Password */
 		u_int8_t buf[48];
@@ -210,6 +212,8 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 
 		  ndpi_free(out);
 		}
+
+		ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
 	      } else {
 		flow->host_server_name[0] = '\0';
 		NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
diff --git a/tests/pcap/http_auth.pcap b/tests/pcap/http_auth.pcap
new file mode 100644
index 000000000..44dc8cd2a
--- /dev/null
+++ b/tests/pcap/http_auth.pcap
diff --git a/tests/result/ftp.pcap.out b/tests/result/ftp.pcap.out
index a6dc5da4c..fd2971f57 100644
--- a/tests/result/ftp.pcap.out
+++ b/tests/result/ftp.pcap.out
@@ -6,7 +6,7 @@ Unknown	1115	1122198	1
 FTP_CONTROL	68	5571	1
 FTP_DATA	9	1819	1
 
-	1	TCP 192.168.1.212:50694 <-> 90.130.70.73:21 [proto: 1/FTP_CONTROL][ClearText][cat: Download/7][41 pkts/2892 bytes <-> 27 pkts/2679 bytes][Goodput ratio: 6/33][8.48 sec][User: anonymous][Pwd: NcFTP@][bytes ratio: 0.038 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 236/108 4743/1377 849/305][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 71/99 96/307 7/45][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (vsFTPd 3.0.3)][Plen Bins: 74,18,5,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	1	TCP 192.168.1.212:50694 <-> 90.130.70.73:21 [proto: 1/FTP_CONTROL][ClearText][cat: Download/7][41 pkts/2892 bytes <-> 27 pkts/2679 bytes][Goodput ratio: 6/33][8.48 sec][User: anonymous][Pwd: NcFTP@][bytes ratio: 0.038 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 236/108 4743/1377 849/305][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 71/99 96/307 7/45][Risk: ** Unsafe Protocol **** Clear-text credentials **][Risk Score: 110][PLAIN TEXT (vsFTPd 3.0.3)][Plen Bins: 74,18,5,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	2	TCP 192.168.1.212:50695 <-> 90.130.70.73:25685 [proto: 175/FTP_DATA][ClearText][cat: Download/7][5 pkts/342 bytes <-> 4 pkts/1477 bytes][Goodput ratio: 0/82][0.09 sec][bytes ratio: -0.624 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/28 14/28 29/29 14/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/369 78/1271 5/521][Risk: ** Known protocol on non standard port **][Risk Score: 10][PLAIN TEXT (    1 0        0        1073741)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0]
 
 
diff --git a/tests/result/fuzz-2006-09-29-28586.pcap.out b/tests/result/fuzz-2006-09-29-28586.pcap.out
index 98aae9104..3d6b5b03f 100644
--- a/tests/result/fuzz-2006-09-29-28586.pcap.out
+++ b/tests/result/fuzz-2006-09-29-28586.pcap.out
@@ -10,7 +10,7 @@ Cloudflare	1	854	1
 	1	TCP 172.20.3.5:2601 <-> 172.20.3.13:80 [proto: 7/HTTP][ClearText][cat: Web/5][9 pkts/6343 bytes <-> 4 pkts/409 bytes][Goodput ratio: 92/46][11.25 sec][bytes ratio: 0.879 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/104 67/128 469/152 164/24][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 705/102 1514/243 721/81][PLAIN TEXT (POST /servlets/mms HTTP/1.1)][Plen Bins: 16,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,67,0,0]
 	2	TCP 172.20.3.5:2606 <-> 172.20.3.13:80 [proto: 7/HTTP][ClearText][cat: Web/5][8 pkts/2287 bytes <-> 5 pkts/2963 bytes][Goodput ratio: 80/91][11.18 sec][Host: 172.20.3.13][bytes ratio: -0.129 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 58/58 177/172 83/81][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 286/593 1514/1514 478/662][URL: 172.20.3.13/servlets/mms?message-id=189301][StatusCode: 0][Risk: ** HTTP Numeric IP Address **][Risk Score: 10][PLAIN TEXT (GET /servlets/mms)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,50,0,0]
 	3	TCP 172.20.3.5:2604 <-> 172.20.3.13:80 [proto: 7/HTTP][ClearText][cat: Web/5][5 pkts/1754 bytes <-> 4 pkts/583 bytes][Goodput ratio: 83/62][11.17 sec][Host: 172.20.3.13][bytes ratio: 0.501 (Upload)][IAT c2s/s2c min/avg/max/stddev: 307/81 2793/3724 10864/10997 4662/5143][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 351/146 1514/417 582/157][URL: 172.20.3.13/servlets/mms?message-id=189001][StatusCode: 200][User-Agent: SonyEricssonT68/R201A][Risk: ** HTTP Numeric IP Address **][Risk Score: 10][PLAIN TEXT (GET /servlets/mms)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0]
-	4	TCP 172.20.3.13:53132 <-> 172.20.3.5:80 [proto: 7/HTTP][ClearText][cat: Web/5][9 pkts/1650 bytes <-> 4 pkts/240 bytes][Goodput ratio: 70/0][5.14 sec][Host: %s][bytes ratio: 0.746 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 734/1 4911/1 1706/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 183/60 894/60 270/0][URL: %s][StatusCode: 0][Req Content-Type: multipart/related][User-Agent: MMS-Relay-DeliveryInitiator][PLAIN TEXT (POST /ppgctrl/ppgcontrollogic.d)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	4	TCP 172.20.3.13:53132 <-> 172.20.3.5:80 [proto: 7/HTTP][ClearText][cat: Web/5][9 pkts/1650 bytes <-> 4 pkts/240 bytes][Goodput ratio: 70/0][5.14 sec][Host: %s][bytes ratio: 0.746 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 734/1 4911/1 1706/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 183/60 894/60 270/0][URL: %s][StatusCode: 0][Req Content-Type: multipart/related][User-Agent: MMS-Relay-DeliveryInitiator][Risk: ** Clear-text credentials **][Risk Score: 100][PLAIN TEXT (POST /ppgctrl/ppgcontrollogic.d)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	5	TCP 172.20.3.5:2602 <-> 172.20.3.13:80 [proto: 7/HTTP][ClearText][cat: Web/5][4 pkts/942 bytes <-> 4 pkts/703 bytes][Goodput ratio: 75/69][11.10 sec][Host: 172.20.3.13][bytes ratio: 0.145 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/106 3699/5548 10844/10989 5054/5442][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 236/176 762/541 304/211][URL: 172.20.3.13.servlets/mms][StatusCode: 200][Req Content-Type: application/xml][Content-Type: application/xml][Risk: ** HTTP Numeric IP Address **][Risk Score: 10][PLAIN TEXT (POST .servlets/mms HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	6	TCP 172.20.3.13:53136 <-> 172.20.3.5:80 [proto: 7/HTTP][ClearText][cat: Web/5][5 pkts/586 bytes <-> 6 pkts/999 bytes][Goodput ratio: 54/66][5.21 sec][bytes ratio: -0.261 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/96 1737/1302 4910/5010 2247/2141][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 117/166 370/481 126/150][PLAIN TEXT (POST /ppgctrl/ppgcon)][Plen Bins: 0,0,25,0,25,0,0,0,0,25,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	7	TCP 172.20.3.5:9587 -> 172.20.3.13:80 [proto: 7/HTTP][ClearText][cat: Web/5][1 pkts/1514 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][< 1 sec][PLAIN TEXT (POST /servlets/mms HTTP/)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0]
diff --git a/tests/result/http_auth.pcap.out b/tests/result/http_auth.pcap.out
new file mode 100644
index 000000000..8284b1582
--- /dev/null
+++ b/tests/result/http_auth.pcap.out
@@ -0,0 +1,7 @@
+Guessed flow protos:	0
+
+DPI Packets (TCP):	6	(6.00 pkts/flow)
+
+HTTP	33	20574	1
+
+	1	TCP 192.168.0.4:54337 <-> 192.254.189.169:80 [proto: 7/HTTP][ClearText][cat: Web/5][14 pkts/1675 bytes <-> 19 pkts/18899 bytes][Goodput ratio: 44/93][7.10 sec][Host: browserspy.dk][bytes ratio: -0.837 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 204/31 1269/206 376/69][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 120/995 805/1514 190/642][URL: browserspy.dk/password-ok.php][StatusCode: 401][Content-Type: text/html][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Clear-text credentials **][Risk Score: 100][PLAIN TEXT (GET /password)][Plen Bins: 0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,6,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,0,0]
diff --git a/tests/result/irc.pcap.out b/tests/result/irc.pcap.out
index a28b819b1..503f63ef8 100644
--- a/tests/result/irc.pcap.out
+++ b/tests/result/irc.pcap.out
@@ -4,4 +4,4 @@ DPI Packets (TCP):	7	(7.00 pkts/flow)
 
 IRC	29	8945	1
 
-	1	TCP 10.180.156.249:45921 <-> 38.229.70.20:8000 [proto: 65/IRC][ClearText][cat: Chat/9][14 pkts/1046 bytes <-> 15 pkts/7899 bytes][Goodput ratio: 11/87][14.57 sec][bytes ratio: -0.766 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1314/1206 8864/8864 2852/2736][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 75/527 107/1514 14/611][Risk: ** Known protocol on non standard port **** Unsafe Protocol **][Risk Score: 20][PLAIN TEXT (USER xx)][Plen Bins: 13,41,6,0,0,0,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26,0,0]
+	1	TCP 10.180.156.249:45921 <-> 38.229.70.20:8000 [proto: 65/IRC][ClearText][cat: Chat/9][14 pkts/1046 bytes <-> 15 pkts/7899 bytes][Goodput ratio: 11/87][14.57 sec][bytes ratio: -0.766 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1314/1206 8864/8864 2852/2736][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 75/527 107/1514 14/611][Risk: ** Known protocol on non standard port **** Unsafe Protocol **** Clear-text credentials **][Risk Score: 120][PLAIN TEXT (USER xx)][Plen Bins: 13,41,6,0,0,0,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26,0,0]
diff --git a/wireshark/ndpi.lua b/wireshark/ndpi.lua
index 12347dff0..d2737ac71 100644
--- a/wireshark/ndpi.lua
+++ b/wireshark/ndpi.lua
@@ -74,6 +74,8 @@ flow_risks[32] = ProtoField.bool("ndpi.flow_risk.cert_validity_too_long", "TLS c
 flow_risks[33] = ProtoField.bool("ndpi.flow_risk.suspicious_extension", "TLS suspicious extension", num_bits_flow_risks, nil, bit(1), "nDPI Flow Risk: TLS suspicious extension")
 flow_risks[34] = ProtoField.bool("ndpi.flow_risk.fatal_alert", "TLS fatal alert detected", num_bits_flow_risks, nil, bit(2), "nDPI Flow Risk: TLS fatal alert")
 flow_risks[35] = ProtoField.bool("ndpi.flow_risk.suspicious_entropy", "Suspicious entropy", num_bits_flow_risks, nil, bit(3), "nDPI Flow Risk: suspicious entropy")
+flow_risks[36] = ProtoField.bool("ndpi.flow_risk.clear_text_credentials", "Cleat-Text credentials", num_bits_flow_risks, nil, bit(3), "nDPI Flow Risk: cleat-text credentials")
+
 -- Last one: keep in sync the bitmask when adding new risks!!
 flow_risks[64] = ProtoField.new("Unused", "ndpi.flow_risk.unused", ftypes.UINT32, nil, base.HEX, bit(32) - bit(4))
author	Luca Deri <deri@ntop.org>	2021-09-10 22:00:04 +0200
committer	Luca Deri <deri@ntop.org>	2021-09-10 22:00:04 +0200
commit	00857abf2c008b77f3e1d9eba9505b1b22239543 (patch)
tree	ce6adc2088f29a1e10bccc98363e190982d77bc2
parent	1fadf4754a1741e6fd690dbb65ae778fd1dc0313 (diff)