author | Luca Deri <deri@ntop.org> | 2020-07-22 15:58:46 +0200 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2020-07-22 15:58:46 +0200 |
commit | 3cd1ec5c9a165c8c53e49568b2da820222252986 (patch) | |
tree | 741a39a121e6d6222a6c3847f4506bbe7edec625 | |
parent | 36af97a14cec89af777b3b87ea2c18cc966b7fa4 (diff) |
Added changes for handling SSH cipher detection
-rw-r--r-- | example/ndpiReader.c | 7 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 2 | ||||
-rw-r--r-- | src/lib/protocols/ssh.c | 31 |
3 files changed, 35 insertions, 5 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index b8695f5c2..4f1767846 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -2513,7 +2513,12 @@ static void printFlowsStats() {
                 ntohs(all_flows[i].flow->dst_port));
         print_bin(out, NULL, &bins[i]);
-        printf("][score: %f]\n", ndpi_bin_similarity(¢roids[j], &bins[i], 0));
+        printf("][score: %f]", ndpi_bin_similarity(¢roids[j], &bins[i], 0));
+
+        if(all_flows[i].flow->ssh_tls.client_requested_server_name[0] != '\0')
+          fprintf(out, "[%s]", all_flows[i].flow->ssh_tls.client_requested_server_name);
+
+        printf("\n");
         num_printed++;
       }
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 5f980b506..824e2585f 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1172,7 +1172,7 @@ struct ndpi_flow_struct {
   u_char host_server_name[240];
   u_int8_t initial_binary_bytes[8], initial_binary_bytes_len;
   u_int8_t risk_checked;
-  u_int32_t risk; /* Issues found with this flow [bitmask of ndpi_risk] */
+  ndpi_risk risk; /* Issues found with this flow [bitmask of ndpi_risk] */
   /* This structure below will not not stay inside the protos
diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c
index 7679a2337..5aca9b350 100644
--- a/src/lib/protocols/ssh.c
+++ b/src/lib/protocols/ssh.c
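Review bot: The added server-name output goes to `out` via `fprintf` while the score before it and the `printf("\n")` after it go to stdout, so whenever `out` is not stdout the `[name]` fragment lands in a different stream from the rest of the record and the record's newline never reaches `out`; the context line `print_bin(out, NULL, &bins[i]);` shows `out` is the intended stream. Change the two stdout calls to `fprintf(out, "][score: %f]", ndpi_bin_similarity(&centroids[j], &bins[i], 0));` and `fprintf(out, "\n");`. `client_requested_server_name` is filled from the wire, so it is presumably attacker-controlled: `%s` is bounds-safe only if the dissector always NUL-terminates the array, and non-printable bytes reach the terminal unfiltered — worth either a short sanitising loop or a comment such as `/* name is NUL-terminated by the dissector; printed raw, may contain non-printables */` so the assumption is visible. printFlowsStats begins and ends outside the hunk.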
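Review bot: Widening `risk` from `u_int32_t` to `ndpi_risk` only takes effect if every bit operation on the field is widened with it; `NDPI_SET_BIT(flow->risk, ...)` in ssh.c is the consumer visible in this commit, and if that macro (not shown here) still forms its mask from an `int` literal, bit positions at or above 32 are undefined behaviour and the extra width is unreachable. Confirm the macro builds its mask as `((ndpi_risk)1) << (bit)` or equivalent before relying on the new type. If `ndpi_risk` is a typedef over a wider integer rather than the enum of bit indices, the field comment should say which, e.g. `/* Issues found with this flow: bitmask, one bit per ndpi_risk value */`. struct ndpi_flow_struct continues outside the hunk.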
@@ -70,7 +70,28 @@ static void ssh_analyse_signature_version(struct ndpi_detection_module_struct *n
   if(obsolete_ssh_version) NDPI_SET_BIT(flow->risk, is_client_signature ? NDPI_SSH_OBSOLETE_CLIENT_SIGNATURE : NDPI_SSH_OBSOLETE_SERVER_SIGNATURE);
   */
+}
+
+/* ************************************************************************ */
+
+static void ssh_analyse_cipher(struct ndpi_detection_module_struct *ndpi_struct,
+                               struct ndpi_flow_struct *flow,
+                               char *cipher, u_int cipher_len,
+                               u_int8_t is_client_signature) {
+  /*
+    List of obsolete ciphers can be found at
+    https://www.linuxminion.com/deprecated-ssh-cryptographic-settings/
+  */
+#ifdef SSH_DEBUG
+  u_int i;
+  printf("[%s] ", is_client_signature ? "CLIENT" : "SERVER");
+
+  for(i=0; i<cipher_len; i++)
+    printf("%c", cipher[i]);
+
+  printf("\n");
+#endif
 }
 /* ************************************************************************ */
@@ -108,7 +129,9 @@ static void ndpi_int_ssh_add_connection(struct ndpi_detection_module_struct
 /* ************************************************************************ */
-static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
+static u_int16_t concat_hash_string(struct ndpi_detection_module_struct *ndpi_struct,
+                                    struct ndpi_flow_struct *flow,
+                                    struct ndpi_packet_struct *packet,
                                     char *buf, u_int8_t client_hash) {
   u_int32_t offset = 22, len, buf_out_len = 0, max_payload_len = packet->payload_packet_len-sizeof(u_int32_t);
   const u_int32_t len_max = 65565;
@@ -150,6 +173,7 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
       goto invalid_payload;
     strncpy(&buf[buf_out_len], (const char *)&packet->payload[offset], len);
+    ssh_analyse_cipher(ndpi_struct, flow, (char*)&packet->payload[offset], len, 1 /* client */);
     buf_out_len += len;
     buf[buf_out_len++] = ';';
   }
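Review bot: `ssh_analyse_cipher` never reads `cipher` or touches `flow->risk` outside `#ifdef SSH_DEBUG`, so in a normal build the "cipher detection" this commit announces is a no-op and `ndpi_struct`, `flow`, `cipher`, `cipher_len` and `is_client_signature` are all unused parameters (noisy under -Wunused-parameter). The debug path additionally echoes every byte of the name-list to stdout with `%c` unfiltered; this is wire data, so control and escape bytes from a peer reach the operator's terminal. I would mark the stub as such in the comment, silence the unused parameters, mask non-printables in the dump (needs `<ctype.h>` if ssh.c does not already include it), and make `cipher` a `const char *` since it is never written. The comment above the function currently reads as if the listed ciphers were being checked, so it should state that the check is not implemented yet. `ssh_analyse_signature_version`, whose closing brace this hunk adds, starts outside the hunk.
```c
static void ssh_analyse_cipher(struct ndpi_detection_module_struct *ndpi_struct,
                               struct ndpi_flow_struct *flow,
                               const char *cipher, u_int cipher_len,
                               u_int8_t is_client_signature) {
  /*
    TODO: obsolete-cipher checks are not implemented yet; only the debug dump below exists.
    List of obsolete ciphers can be found at
    https://www.linuxminion.com/deprecated-ssh-cryptographic-settings/
  */
  (void)ndpi_struct;
  (void)flow;
#ifdef SSH_DEBUG
  u_int i;
  printf("[%s] ", is_client_signature ? "CLIENT" : "SERVER");

  for(i=0; i<cipher_len; i++)
    putchar(isprint((unsigned char)cipher[i]) ? cipher[i] : '.'); /* wire data: mask non-printables */

  printf("\n");
#else
  (void)cipher;
  (void)cipher_len;
  (void)is_client_signature;
#endif
}
```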
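Review bot: The new call is placed after the `goto invalid_payload` guard and beside the `strncpy`, so `offset`/`len` have been bounds-checked before the payload is handed over, which is right; but the closing brace and the `';'` separator suggest this is the body of a loop over every KEXINIT name-list (kex, host-key, encryption, MAC, compression, languages), not only the cipher lists — if so, `ssh_analyse_cipher` is fed non-cipher fields and any future obsolete-cipher match cannot tell which field it is looking at. Consider passing the loop index (or calling only for the encryption name-lists) and stating that contract in the callee's comment, e.g. `/* called once per KEXINIT name-list field; field index says which */`. The loop and the guard begin outside the hunk.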
@@ -170,6 +194,7 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
       goto invalid_payload;
     strncpy(&buf[buf_out_len], (const char *)&packet->payload[offset], len);
+    ssh_analyse_cipher(ndpi_struct, flow, (char*)&packet->payload[offset], len, 0 /* server */);
     buf_out_len += len;
     buf[buf_out_len++] = ';';
   }
@@ -355,7 +380,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct
     if(packet->packet_direction == 0 /* client */) {
       u_char fingerprint_client[16];
-      len = concat_hash_string(packet, hassh_buf, 1 /* client */);
+      len = concat_hash_string(ndpi_struct, flow, packet, hassh_buf, 1 /* client */);
       ndpi_MD5Init(&ctx);
       ndpi_MD5Update(&ctx, (const unsigned char *)hassh_buf, len);
@@ -373,7 +398,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct
     } else {
       u_char fingerprint_server[16];
-      len = concat_hash_string(packet, hassh_buf, 0 /* server */);
+      len = concat_hash_string(ndpi_struct, flow, packet, hassh_buf, 0 /* server */);
       ndpi_MD5Init(&ctx);
       ndpi_MD5Update(&ctx, (const unsigned char *)hassh_buf, len); |
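Review bot: This server-side call hard-codes the direction as `0 /* server */` while `concat_hash_string` already receives `client_hash` from its callers (the -355/-373 hunks pass `1` and `0` respectively); if the two loops are selected by `client_hash` — not visible here — passing the parameter instead of a literal keeps the flag from drifting if either loop is reorganised: `ssh_analyse_cipher(ndpi_struct, flow, (char*)&packet->payload[offset], len, client_hash);`, and likewise in the client loop. The enclosing loop starts outside the hunk.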