diff options
| author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2022-03-08 00:21:51 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-03-08 00:21:51 +0100 |
| commit | 269be6c7ef038d2de377546813fbb2bacf80e510 (patch) | |
| tree | 33119a500bca58ce4694c6223481506587aec648 | |
| parent | f91218360b8bce56dd96fac888c83a6a1c6bdc32 (diff) | |
Some small fixes (#1481)
FTP: if the authentication fails, stop analyzing the flow
WSD: call the initialization routine; the dissector code has never been
triggered
MINING: fix dissection
| -rw-r--r-- | src/lib/ndpi_main.c | 3 | ||||
| -rw-r--r-- | src/lib/protocols/ftp_control.c | 2 | ||||
| -rw-r--r-- | src/lib/protocols/mining.c | 3 | ||||
| -rw-r--r-- | tests/result/bitcoin.pcap.out | 18 | ||||
| -rw-r--r-- | tests/result/ftp_failed.pcap.out | 8 | ||||
| -rw-r--r-- | tests/result/upnp.pcap.out | 10 |
6 files changed, 25 insertions, 19 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index c1fb6fc1d..187081c1d 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -4280,6 +4280,9 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* EthernetIP */ init_ethernet_ip_dissector(ndpi_str, &a, detection_bitmask); + /* WSD */ + init_wsd_dissector(ndpi_str, &a, detection_bitmask); + #ifdef CUSTOM_NDPI_PROTOCOLS #include "../../../nDPI-custom/custom_ndpi_main_init.c" #endif diff --git a/src/lib/protocols/ftp_control.c b/src/lib/protocols/ftp_control.c index 04a5d2e96..6cc5c612a 100644 --- a/src/lib/protocols/ftp_control.c +++ b/src/lib/protocols/ftp_control.c @@ -570,6 +570,7 @@ static int ndpi_ftp_control_check_response(struct ndpi_flow_struct *flow, case '4': case '5': flow->l4.tcp.ftp_imap_pop_smtp.auth_failed = 1; + flow->l4.tcp.ftp_imap_pop_smtp.auth_done = 1; return(1); break; } @@ -636,6 +637,7 @@ static void ndpi_check_ftp_control(struct ndpi_detection_module_struct *ndpi_str #endif if(flow->l4.tcp.ftp_imap_pop_smtp.password[0] == '\0' && + flow->l4.tcp.ftp_imap_pop_smtp.auth_done == 0 && flow->l4.tcp.ftp_imap_pop_smtp.auth_tls == 0) /* TODO: any values on dissecting TLS handshake? */ flow->ftp_control_stage = 0; else diff --git a/src/lib/protocols/mining.c b/src/lib/protocols/mining.c index 7d1f32e67..f9e260689 100644 --- a/src/lib/protocols/mining.c +++ b/src/lib/protocols/mining.c @@ -87,7 +87,8 @@ void ndpi_search_mining_tcp(struct ndpi_detection_module_struct *ndpi_struct, /* Check connection over TCP */ if(packet->tcp && (packet->payload_packet_len > 10)) { - if(packet->tcp->source == htons(8333)) { + if(packet->tcp->source == htons(8333) || + packet->tcp->dest == htons(8333)) { /* Bitcoin diff --git a/tests/result/bitcoin.pcap.out b/tests/result/bitcoin.pcap.out index a210dc898..56a67e60a 100644 --- a/tests/result/bitcoin.pcap.out +++ b/tests/result/bitcoin.pcap.out @@ -1,13 +1,13 @@ -Guessed flow protos: 6 +Guessed flow protos: 0 -DPI Packets (TCP): 370 (61.67 pkts/flow) -Confidence Match by port : 6 (flows) +DPI Packets (TCP): 6 (1.00 pkts/flow) +Confidence DPI : 6 (flows) Mining 637 581074 6 - 1 TCP 192.168.1.142:55328 <-> 69.118.54.122:8333 [proto: 42/Mining][ClearText][Confidence: Match by port][cat: Mining/99][2 pkts/281 bytes <-> 137 pkts/191029 bytes][Goodput ratio: 53/95][330.56 sec][bytes ratio: -0.997 (Download)][IAT c2s/s2c min/avg/max/stddev: 141657/0 141657/2644 141657/76010 0/11325][Pkt Len c2s/s2c min/avg/max/stddev: 110/86 140/1394 171/1514 30/378][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (version)][Plen Bins: 0,6,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,92,0,0] - 2 TCP 192.168.1.142:55348 <-> 74.89.181.229:8333 [proto: 42/Mining][ClearText][Confidence: Match by port][cat: Mining/99][55 pkts/28663 bytes <-> 117 pkts/134830 bytes][Goodput ratio: 87/94][1491.26 sec][bytes ratio: -0.649 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 21789/4882 100110/64236 26995/11546][Pkt Len c2s/s2c min/avg/max/stddev: 110/86 521/1152 1514/1514 578/589][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (version)][Plen Bins: 0,32,0,4,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,59,0,0] - 3 TCP 192.168.1.142:55383 <-> 66.68.83.22:8333 [proto: 42/Mining][ClearText][Confidence: Match by port][cat: Mining/99][65 pkts/45271 bytes <-> 96 pkts/70339 bytes][Goodput ratio: 91/91][1337.01 sec][bytes ratio: -0.217 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 18993/12001 134322/105866 27575/21527][Pkt Len c2s/s2c min/avg/max/stddev: 110/86 696/733 1514/1514 637/653][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (version)][Plen Bins: 0,47,0,4,0,0,0,0,5,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,40,0,0] - 4 TCP 192.168.1.142:55400 <-> 195.218.16.178:8333 [proto: 42/Mining][ClearText][Confidence: Match by port][cat: Mining/99][47 pkts/26824 bytes <-> 72 pkts/55927 bytes][Goodput ratio: 88/92][1107.93 sec][bytes ratio: -0.352 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 22661/13162 91604/95856 25520/24264][Pkt Len c2s/s2c min/avg/max/stddev: 110/86 571/777 1514/1514 606/673][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (version)][Plen Bins: 0,53,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,39,0,0] - 5 TCP 192.168.1.142:55317 <-> 188.165.213.169:8333 [proto: 42/Mining][ClearText][Confidence: Match by port][cat: Mining/99][16 pkts/21673 bytes <-> 3 pkts/1771 bytes][Goodput ratio: 95/89][1.27 sec][bytes ratio: 0.849 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/136 90/212 655/289 169/76][Pkt Len c2s/s2c min/avg/max/stddev: 171/86 1355/590 1514/1514 369/654][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (version)][Plen Bins: 5,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,74,0,0] - 6 TCP 192.168.1.142:55487 <-> 184.58.165.119:8333 [proto: 42/Mining][ClearText][Confidence: Match by port][cat: Mining/99][24 pkts/3082 bytes <-> 3 pkts/1384 bytes][Goodput ratio: 49/86][506.07 sec][bytes ratio: 0.380 (Upload)][IAT c2s/s2c min/avg/max/stddev: 238/256 21944/256 75340/256 19965/0][Pkt Len c2s/s2c min/avg/max/stddev: 121/86 128/461 171/1127 12/472][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (version)][Plen Bins: 3,82,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 TCP 192.168.1.142:55328 <-> 69.118.54.122:8333 [proto: 42/Mining][ClearText][Confidence: DPI][cat: Mining/99][2 pkts/281 bytes <-> 137 pkts/191029 bytes][Goodput ratio: 53/95][330.56 sec][ETH][bytes ratio: -0.997 (Download)][IAT c2s/s2c min/avg/max/stddev: 141657/0 141657/2644 141657/76010 0/11325][Pkt Len c2s/s2c min/avg/max/stddev: 110/86 140/1394 171/1514 30/378][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (version)][Plen Bins: 0,6,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,92,0,0] + 2 TCP 192.168.1.142:55348 <-> 74.89.181.229:8333 [proto: 42/Mining][ClearText][Confidence: DPI][cat: Mining/99][55 pkts/28663 bytes <-> 117 pkts/134830 bytes][Goodput ratio: 87/94][1491.26 sec][ETH][bytes ratio: -0.649 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 21789/4882 100110/64236 26995/11546][Pkt Len c2s/s2c min/avg/max/stddev: 110/86 521/1152 1514/1514 578/589][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (version)][Plen Bins: 0,32,0,4,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,59,0,0] + 3 TCP 192.168.1.142:55383 <-> 66.68.83.22:8333 [proto: 42/Mining][ClearText][Confidence: DPI][cat: Mining/99][65 pkts/45271 bytes <-> 96 pkts/70339 bytes][Goodput ratio: 91/91][1337.01 sec][ETH][bytes ratio: -0.217 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 18993/12001 134322/105866 27575/21527][Pkt Len c2s/s2c min/avg/max/stddev: 110/86 696/733 1514/1514 637/653][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (version)][Plen Bins: 0,47,0,4,0,0,0,0,5,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,40,0,0] + 4 TCP 192.168.1.142:55400 <-> 195.218.16.178:8333 [proto: 42/Mining][ClearText][Confidence: DPI][cat: Mining/99][47 pkts/26824 bytes <-> 72 pkts/55927 bytes][Goodput ratio: 88/92][1107.93 sec][ETH][bytes ratio: -0.352 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 22661/13162 91604/95856 25520/24264][Pkt Len c2s/s2c min/avg/max/stddev: 110/86 571/777 1514/1514 606/673][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (version)][Plen Bins: 0,53,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,39,0,0] + 5 TCP 192.168.1.142:55317 <-> 188.165.213.169:8333 [proto: 42/Mining][ClearText][Confidence: DPI][cat: Mining/99][16 pkts/21673 bytes <-> 3 pkts/1771 bytes][Goodput ratio: 95/89][1.27 sec][ETH][bytes ratio: 0.849 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/136 90/212 655/289 169/76][Pkt Len c2s/s2c min/avg/max/stddev: 171/86 1355/590 1514/1514 369/654][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (version)][Plen Bins: 5,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,74,0,0] + 6 TCP 192.168.1.142:55487 <-> 184.58.165.119:8333 [proto: 42/Mining][ClearText][Confidence: DPI][cat: Mining/99][24 pkts/3082 bytes <-> 3 pkts/1384 bytes][Goodput ratio: 49/86][506.07 sec][ETH][bytes ratio: 0.380 (Upload)][IAT c2s/s2c min/avg/max/stddev: 238/256 21944/256 75340/256 19965/0][Pkt Len c2s/s2c min/avg/max/stddev: 121/86 128/461 171/1127 12/472][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (version)][Plen Bins: 3,82,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/ftp_failed.pcap.out b/tests/result/ftp_failed.pcap.out index 7bbd594d1..5ec13b393 100644 --- a/tests/result/ftp_failed.pcap.out +++ b/tests/result/ftp_failed.pcap.out @@ -1,8 +1,8 @@ -Guessed flow protos: 1 +Guessed flow protos: 0 -DPI Packets (TCP): 18 (18.00 pkts/flow) -Confidence Match by port : 1 (flows) +DPI Packets (TCP): 8 (8.00 pkts/flow) +Confidence DPI : 1 (flows) FTP_CONTROL 18 1700 1 - 1 TCP [2a00:d40:1:3:192:12:193:11]:44724 <-> [2a00:800:1010::1]:21 [proto: 1/FTP_CONTROL][ClearText][Confidence: Match by port][cat: Download/7][10 pkts/892 bytes <-> 8 pkts/808 bytes][Goodput ratio: 3/14][7.24 sec][User: hello][Pwd: ][Auth Failed][bytes ratio: 0.049 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 896/1442 5304/5318 1757/2052][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 89/101 98/126 4/15][Risk: ** Unsafe Protocol **** Clear-Text Credentials **][Risk Score: 110][PLAIN TEXT (vsFTPd 3.0.3)][Plen Bins: 71,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 TCP [2a00:d40:1:3:192:12:193:11]:44724 <-> [2a00:800:1010::1]:21 [proto: 1/FTP_CONTROL][ClearText][Confidence: DPI][cat: Download/7][10 pkts/892 bytes <-> 8 pkts/808 bytes][Goodput ratio: 3/14][7.24 sec][User: hello][Pwd: ][Auth Failed][bytes ratio: 0.049 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 896/1442 5304/5318 1757/2052][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 89/101 98/126 4/15][Risk: ** Unsafe Protocol **** Clear-Text Credentials **][Risk Score: 110][PLAIN TEXT (vsFTPd 3.0.3)][Plen Bins: 71,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/upnp.pcap.out b/tests/result/upnp.pcap.out index f320f01e4..1d9a7be8b 100644 --- a/tests/result/upnp.pcap.out +++ b/tests/result/upnp.pcap.out @@ -1,9 +1,9 @@ -Guessed flow protos: 2 +Guessed flow protos: 0 -DPI Packets (UDP): 14 (7.00 pkts/flow) -Confidence Match by port : 2 (flows) +DPI Packets (UDP): 2 (1.00 pkts/flow) +Confidence DPI : 2 (flows) WSD 14 9912 2 - 1 UDP [fe80::3441:3d24:6d30:a807]:58932 -> [ff02::c]:3702 [proto: 153/WSD][ClearText][Confidence: Match by port][cat: Network/14][7 pkts/5026 bytes -> 0 pkts/0 bytes][Goodput ratio: 91/0][5.63 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 118/0 938/0 2000/0 752/0][Pkt Len c2s/s2c min/avg/max/stddev: 718/0 718/0 718/0 0/0][PLAIN TEXT (xml version)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 UDP 192.168.61.66:58931 -> 239.255.255.250:3702 [proto: 153/WSD][ClearText][Confidence: Match by port][cat: Network/14][7 pkts/4886 bytes -> 0 pkts/0 bytes][Goodput ratio: 94/0][6.64 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 179/0 1107/0 2004/0 740/0][Pkt Len c2s/s2c min/avg/max/stddev: 698/0 698/0 698/0 0/0][PLAIN TEXT (xml version)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP [fe80::3441:3d24:6d30:a807]:58932 -> [ff02::c]:3702 [proto: 153/WSD][ClearText][Confidence: DPI][cat: Network/14][7 pkts/5026 bytes -> 0 pkts/0 bytes][Goodput ratio: 91/0][5.63 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 118/0 938/0 2000/0 752/0][Pkt Len c2s/s2c min/avg/max/stddev: 718/0 718/0 718/0 0/0][PLAIN TEXT (xml version)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP 192.168.61.66:58931 -> 239.255.255.250:3702 [proto: 153/WSD][ClearText][Confidence: DPI][cat: Network/14][7 pkts/4886 bytes -> 0 pkts/0 bytes][Goodput ratio: 94/0][6.64 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 179/0 1107/0 2004/0 740/0][Pkt Len c2s/s2c min/avg/max/stddev: 698/0 698/0 698/0 0/0][PLAIN TEXT (xml version)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |