authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2025-03-25 21:35:01 +0100
committerGitHub <noreply@github.com>2025-03-25 21:35:01 +0100
commit29eb89a88ff4ab3a5b19f102bf81461ed026a387 (patch)
tree2fe71d07117d1525f4e526a4960a3e4591c0395d
parentc9ae313bd82e655f805043ced2547771fa1b093e (diff)
Improved configuration to enable/disable export of flow risk info (#2780)
Follow-up of f56831336334dddcff00eaf2132e5e0f226f0e32: the configuration is now per flow risk rather than global
-rw-r--r--doc/configuration_parameters.md2
-rw-r--r--example/obfuscation.conf3
-rw-r--r--fuzz/fuzz_config.cpp11
-rw-r--r--src/include/ndpi_private.h3
-rw-r--r--src/lib/ndpi_main.c28
-rw-r--r--src/lib/ndpi_utils.c15
-rw-r--r--src/lib/protocols/dns.c4
-rw-r--r--src/lib/protocols/http.c38
-rw-r--r--src/lib/protocols/quic.c2
-rw-r--r--src/lib/protocols/tls.c20
-rw-r--r--tests/cfgs/flow_risk_infos_disabled/config.txt2
-rw-r--r--tests/cfgs/ndpireader_conf_file/result/openvpn_obfuscated.pcapng.out6
-rw-r--r--tests/cfgs/ndpireader_conf_file/result/signal_videocall.pcapng.out2
13 files changed, 81 insertions, 55 deletions
diff --git a/doc/configuration_parameters.md b/doc/configuration_parameters.md
index c2a643f25..d11a11868 100644
--- a/doc/configuration_parameters.md
+++ b/doc/configuration_parameters.md
@@ -19,8 +19,8 @@ List of the supported configuration options:
| NULL | "dpi.guess_on_giveup" | 0x03 | 0x00 | 0x03 | Tell the library to guess flow classification, if any DPI algorithms/logics fail. The value is a bitmask. Values: 0x0 = disabled; 0x01 = enable guessing by port; 0x02 = enable guessing by ip |
| NULL | "dpi.guess_ip_before_port" | disable | NULL | NULL | Enable/disable guessing by IP first when guessing flow classifcation. Disabled = guess by port first. |
| NULL | "flow_risk.$FLOWRISK_NAME_OR_ID" | enable | NULL | NULL | Enable/disable the specific flow risk. Use "any" as flow risk name if you want to easily enable/disable all flow risks. The names of the flow risks are available at `src/include/ndpi_typedefs.h`: look for `ndpi_risk_shortnames` |
+| NULL | "flow_risk.$FLOWRISK_NAME_OR_ID.info" | enable | NULL | NULL | Enable/disable the export of flow risk information, i.e. some strings clarifing some details about the specific flow risk set. Use "any" as flow risk name if you want to easily enable/disable flow info for all flow risks. The names of the flow risks are available at `src/include/ndpi_typedefs.h`: look for `ndpi_risk_shortnames` |
| NULL | "flow_risk_lists.load" | 1 | NULL | NULL | Enable/disable loading of every IP addresses lists used to check any flow risks |
-| NULL | "flow_risk_infos" | enable | NULL | NULL | Enable/disable the export of flow risk information, i.e. some strings clarifing some details about the specific flow risk set |
| NULL | "flow_risk.anonymous_subscriber.list.icloudprivaterelay.load" | 1 | NULL | NULL | Enable/disable loading of internal iCouldPrivateRealy IP address list used to check `NDPI_ANONYMOUS_SUBSCRIBER` flow risk |
| NULL | "flow_risk.anonymous_subscriber.list.protonvpn.load" | 1 | NULL | NULL | Enable/disable loading of internal IP address list of ProtonVPN exit nodes used to check `NDPI_ANONYMOUS_SUBSCRIBER` flow risk |
| NULL | "flow_risk.anonymous_subscriber.list.tor.load" | 1 | NULL | NULL | Enable/disable loading of internal IP address list of TOR exit nodes used to check `NDPI_ANONYMOUS_SUBSCRIBER` flow risk |
diff --git a/example/obfuscation.conf b/example/obfuscation.conf
index 56a87e732..0a453c5d7 100644
--- a/example/obfuscation.conf
+++ b/example/obfuscation.conf
@@ -1,5 +1,8 @@
#Useful ndpiReader configuration to analyse VPN and/or obfuscated traffic
+#Flow risk info: only about obfuscation
+--cfg=flow_risk.all.info,0 --cfg=flow_risk.obfuscated.info,1
+
#Generic limits
--cfg=packets_limit_per_flow,255 -U 0 -T 0
#Fully encrypted protocols
diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp
index 97b748a32..6c70bf411 100644
--- a/fuzz/fuzz_config.cpp
+++ b/fuzz/fuzz_config.cpp
@@ -482,6 +482,12 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
snprintf(cfg_param, sizeof(cfg_param), "flow_risk.%d", pid);
ndpi_set_config(ndpi_info_mod, NULL, cfg_param, cfg_value);
ndpi_get_config(ndpi_info_mod, NULL, cfg_param, cfg_value, sizeof(cfg_value));
+
+ if(fuzzed_data.ConsumeBool() && pid < NDPI_MAX_RISK)
+ snprintf(cfg_param, sizeof(cfg_param), "flow_risk.%s.info", ndpi_risk_shortnames[pid]);
+ else
+ snprintf(cfg_param, sizeof(cfg_param), "flow_risk.%d.info", pid);
+ ndpi_set_config(ndpi_info_mod, NULL, cfg_param, cfg_value);
}
if(fuzzed_data.ConsumeBool()) {
value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
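Review bot: The new `.info` branch only exercises the setter: unlike the `flow_risk.%d` case three lines above, the matching `ndpi_get_config` is never called, so the getter path for the new parameter (the `.info` handling in `_get_param_flowrisk_enable_disable`, whose body is outside this diff) receives no fuzz coverage. Add `ndpi_get_config(ndpi_info_mod, NULL, cfg_param, cfg_value, sizeof(cfg_value));` directly after the new `ndpi_set_config` call. The enclosing LLVMFuzzerTestOneInput continues beyond the hunk.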
@@ -491,11 +497,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
if(fuzzed_data.ConsumeBool()) {
value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
snprintf(cfg_value, sizeof(cfg_value), "%d", value);
- ndpi_set_config(ndpi_info_mod, NULL, "flow_risk_infos", cfg_value);
- }
- if(fuzzed_data.ConsumeBool()) {
- value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
- snprintf(cfg_value, sizeof(cfg_value), "%d", value);
ndpi_set_config(ndpi_info_mod, NULL, "flow_risk.anonymous_subscriber.list.icloudprivaterelay.load", cfg_value);
}
if(fuzzed_data.ConsumeBool()) {
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
index f5da3ed46..9ed27b15e 100644
--- a/src/include/ndpi_private.h
+++ b/src/include/ndpi_private.h
@@ -329,9 +329,9 @@ struct ndpi_detection_module_config_struct {
NDPI_PROTOCOL_BITMASK monitoring;
NDPI_PROTOCOL_BITMASK flowrisk_bitmask;
+ NDPI_PROTOCOL_BITMASK flowrisk_info_bitmask;
int flow_risk_lists_enabled;
- int flow_risk_infos_enabled;
int risk_anonymous_subscriber_list_icloudprivaterelay_enabled;
int risk_anonymous_subscriber_list_protonvpn_enabled;
int risk_anonymous_subscriber_list_tor_exit_nodes_enabled;
@@ -682,6 +682,7 @@ bool ndpi_cache_address(struct ndpi_detection_module_struct *ndpi_struct,
u_int32_t epoch_now, u_int32_t ttl);
int is_monitoring_enabled(struct ndpi_detection_module_struct *ndpi_str, int protoId);
+int is_flowrisk_info_enabled(struct ndpi_detection_module_struct *ndpi_str, ndpi_risk_enum flowrisk_id);
/* TLS */
int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index f1b06f8b8..42cc33c1b 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -10654,7 +10654,7 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_
string_to_match, string_to_match_len,
&proto_id, NULL, NULL);
if(rc1 > 0) {
- if(ndpi_str->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_str, NDPI_RISKY_DOMAIN)) {
char str[64] = { '\0' };
strncpy(str, string_to_match, ndpi_min(string_to_match_len, sizeof(str)-1));
@@ -10667,7 +10667,7 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_
/* Add punycode check */
if(ndpi_check_punycode_string(string_to_match, string_to_match_len)) {
- if(ndpi_str->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_str, NDPI_PUNYCODE_IDN)) {
char str[64] = { '\0' };
strncpy(str, string_to_match, ndpi_min(string_to_match_len, sizeof(str)-1));
@@ -11753,20 +11753,27 @@ static char *_get_param_flowrisk_enable_disable(void *_variable, const char *pro
static ndpi_cfg_error _set_param_flowrisk_enable_disable(struct ndpi_detection_module_struct *ndpi_str,
void *_variable, const char *value,
const char *min_value, const char *max_value,
- const char *proto, const char *param)
+ const char *proto, const char *_param)
{
NDPI_PROTOCOL_BITMASK *bitmask = (NDPI_PROTOCOL_BITMASK *)_variable;
ndpi_risk_enum flowrisk_id;
+ char param[128] = {0};
(void)ndpi_str;
(void)min_value;
(void)max_value;
(void)proto;
- if(strncmp(param, "flow_risk.", 10) != 0)
+ if(strncmp(_param, "flow_risk.", 10) != 0)
return NDPI_CFG_INVALID_PARAM;
- param += 10; /* Strip initial "flow_risk." */
+ _param += 10; /* Strip initial "flow_risk." */
+
+ if(strlen(_param) > 5 &&
+ strncmp(_param + (strlen(_param) - 5), ".info", 5) == 0)
+ memcpy(param, _param, ndpi_min(strlen(_param) - 5, sizeof(param))); /* Strip trailing ".info" */
+ else
+ strncpy(param, _param, sizeof(param));
if(strcmp(param, "any") == 0 ||
strcmp(param, "all") == 0 ||
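Review bot: Both new copies into `param` can leave it without a NUL terminator: `memcpy(param, _param, ndpi_min(strlen(_param) - 5, sizeof(param)))` may copy all 128 bytes, and `strncpy(param, _param, sizeof(param))` does not terminate when the input is 128 bytes or longer, so the `strcmp(param, ...)` calls that follow read past the buffer. The parameter string comes from `ndpi_set_config` callers (config files, the fuzz harness), so the length should be checked once and overlong names rejected rather than silently truncated; `strlen(_param)` is also evaluated three times for the same string. The rewrite below keeps the zero-initialised buffer, so a bounded `memcpy` is always terminated; `_set_param_flowrisk_enable_disable` continues past the hunk.
```c
  char param[128] = {0};
  size_t len;
  /* … unchanged: (void) casts and the "flow_risk." prefix check … */
  _param += 10; /* Strip initial "flow_risk." */

  len = strlen(_param);
  if(len > 5 && strcmp(_param + len - 5, ".info") == 0)
    len -= 5; /* Strip trailing ".info" */
  if(len >= sizeof(param))
    return NDPI_CFG_INVALID_PARAM; /* No room for the NUL terminator: not a valid risk name */
  memcpy(param, _param, len); /* param is zero-filled, so it stays NUL-terminated */
```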
@@ -11953,9 +11960,9 @@ static const struct cfg_param {
{ NULL, "metadata.tcp_fingerprint", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tcp_fingerprint_enabled), NULL },
{ NULL, "flow_risk_lists.load", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(flow_risk_lists_enabled), NULL },
- { NULL, "flow_risk_infos", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(flow_risk_infos_enabled), NULL },
{ NULL, "flow_risk.$FLOWRISK_NAME_OR_ID", "enable", NULL, NULL, CFG_PARAM_FLOWRISK_ENABLE_DISABLE, __OFF(flowrisk_bitmask), NULL },
+ { NULL, "flow_risk.$FLOWRISK_NAME_OR_ID.info", "enable", NULL, NULL, CFG_PARAM_FLOWRISK_ENABLE_DISABLE, __OFF(flowrisk_info_bitmask), NULL },
{ NULL, "flow_risk.anonymous_subscriber.list.icloudprivaterelay.load", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(risk_anonymous_subscriber_list_icloudprivaterelay_enabled), NULL },
{ NULL, "flow_risk.anonymous_subscriber.list.protonvpn.load", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(risk_anonymous_subscriber_list_protonvpn_enabled), NULL },
@@ -12033,8 +12040,13 @@ ndpi_cfg_error ndpi_set_config(struct ndpi_detection_module_struct *ndpi_str,
strcmp(c->proto, "$PROTO_NAME_OR_ID") == 0 &&
strcmp(param, c->param) == 0) ||
(proto == NULL && c->proto == NULL &&
- strncmp(c->param, "flow_risk.", 10) == 0 &&
- strncmp(param, "flow_risk.", 10) == 0)) {
+ strncmp(c->param, "flow_risk.$FLOWRISK_NAME_OR_ID", 30) == 0 &&
+ strncmp(param, "flow_risk.", 10) == 0 &&
+ !ndpi_str_endswith(param, ".info")) ||
+ (proto == NULL && c->proto == NULL &&
+ strncmp(c->param, "flow_risk.$FLOWRISK_NAME_OR_ID.info", 35) == 0 &&
+ strncmp(param, "flow_risk.", 10) == 0 &&
+ ndpi_str_endswith(param, ".info"))) {
rc = cfg_ops[c->type].fn_set(ndpi_str, (void *)((char *)&ndpi_str->cfg + c->offset),
value, c->min_value, c->max_value, proto, param);
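Review bot: `strncmp(c->param, "flow_risk.$FLOWRISK_NAME_OR_ID", 30) == 0` is a prefix test with a hand-counted length, and the new `.info` table row begins with exactly those 30 characters, so for a plain `flow_risk.<name>` parameter the first clause also matches the `.info` row (whose offset is `flowrisk_info_bitmask`); whether that ever executes depends on the loop stopping at the first match, which is outside the hunk. Since both literals are meant to be matched in full, use exact comparisons and drop the magic lengths: `strcmp(c->param, "flow_risk.$FLOWRISK_NAME_OR_ID") == 0` and `strcmp(c->param, "flow_risk.$FLOWRISK_NAME_OR_ID.info") == 0`. Note also that `flow_risk.anonymous_subscriber.list.*.load` parameters still satisfy the `strncmp(param, "flow_risk.", 10)` prefix clause, as they did before this change; if the exact-match clause above the hunk does not run first, those land in `_set_param_flowrisk_enable_disable` and are rejected there. The enclosing ndpi_set_config loop starts and ends outside the hunk.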
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 9e18da9ab..3fce19746 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -3023,6 +3023,15 @@ static int is_flowrisk_enabled(struct ndpi_detection_module_struct *ndpi_str, nd
/* ********************************************************************************* */
+int is_flowrisk_info_enabled(struct ndpi_detection_module_struct *ndpi_str, ndpi_risk_enum flowrisk_id)
+{
+ if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_str->cfg.flowrisk_info_bitmask, flowrisk_id) == 0)
+ return 0;
+ return 1;
+}
+
+/* ********************************************************************************* */
+
void ndpi_handle_risk_exceptions(struct ndpi_detection_module_struct *ndpi_str,
struct ndpi_flow_struct *flow) {
if(flow->risk == 0) return; /* Nothing to do */
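Review bot: `is_flowrisk_info_enabled` is a new exported function (declared in ndpi_private.h in this same commit) with no comment on what it answers; add `/* Returns 1 when the textual "risk info" for flowrisk_id may be attached to a flow (configured via "flow_risk.<name>.info"), 0 otherwise */` above it, and collapse the if/return pair into `return NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_str->cfg.flowrisk_info_bitmask, flowrisk_id) != 0;`. The function tests the bitmask without checking `flowrisk_id` against NDPI_MAX_RISK; callers in this diff pass enum constants or the `r` already accepted by ndpi_set_risk, so this is presumably safe, but it would be worth confirming that the sibling `is_flowrisk_enabled` just above (outside the hunk) follows the same convention so the two helpers stay consistent.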
@@ -3100,7 +3109,7 @@ void ndpi_set_risk(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_fl
// ndpi_handle_risk_exceptions(ndpi_str, flow);
if(flow->risk != 0 /* check if it has been masked */) {
- if(ndpi_str->cfg.flow_risk_infos_enabled &&
+ if(is_flowrisk_info_enabled(ndpi_str, r) &&
risk_message != NULL) {
if(flow->num_risk_infos < MAX_NUM_RISK_INFOS) {
char *s = ndpi_strdup(risk_message);
@@ -3113,7 +3122,7 @@ void ndpi_set_risk(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_fl
}
}
}
- } else if(ndpi_str->cfg.flow_risk_infos_enabled && risk_message) {
+ } else if(is_flowrisk_info_enabled(ndpi_str, r) && risk_message) {
u_int8_t i;
for(i = 0; i < flow->num_risk_infos; i++)
@@ -3146,7 +3155,7 @@ void ndpi_unset_risk(struct ndpi_detection_module_struct *ndpi_str,
flow->risk &= ~v;
- if(!ndpi_str->cfg.flow_risk_infos_enabled)
+ if(!is_flowrisk_info_enabled(ndpi_str, r))
return;
for(i = 0; i < flow->num_risk_infos; i++) {
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index de0a74d8b..9acc49216 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -828,7 +828,7 @@ static void search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct
flow->protos.dns.num_answers = dns_header.num_answers + dns_header.authority_rrs + dns_header.additional_rrs;
if(flow->protos.dns.reply_code != 0) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_ERROR_CODE_DETECTED)) {
char str[32], buf[16];
snprintf(str, sizeof(str), "DNS Error Code %s",
@@ -870,7 +870,7 @@ static void search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct
packet->udp &&
packet->payload_packet_len > PKT_LEN_ALERT &&
packet->payload_packet_len > flow->protos.dns.edns0_udp_payload_size) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_DNS_LARGE_PACKET)) {
char str[48];
snprintf(str, sizeof(str), "%u Bytes DNS Packet", packet->payload_packet_len);
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 25d78b1cf..61d75cc8d 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -199,7 +199,7 @@ static void ndpi_http_check_human_redeable_content(struct ndpi_detection_module_
&& (content[3] == 0x00)) {
/* Looks like compressed data */
} else {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_CONTENT)) {
char str[32];
snprintf(str, sizeof(str), "Susp content %02X%02X%02X%02X",
@@ -718,7 +718,7 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru
float upper_case_ratio = (float)upper_case_count / (float)ua_len;
if (upper_case_ratio >= 0.2f) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_USER_AGENT)) {
char str[64];
snprintf(str, sizeof(str), "UA %s", ua);
@@ -733,7 +733,7 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru
if((!strncmp(ua, "<?", 2))
|| strchr(ua, '$')
) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_USER_AGENT)) {
char str[64];
snprintf(str, sizeof(str), "UA %s", ua);
@@ -747,7 +747,7 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru
if(double_slash != ua) /* We're not at the beginning of the user agent */{
if((double_slash[-1] != 'p') /* http:// */
&& (double_slash[-1] != 's') /* https:// */) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_USER_AGENT)) {
char str[64];
snprintf(str, sizeof(str), "UA %s", ua);
@@ -782,7 +782,7 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru
|| ndpi_strncasestr(ua, "Crawler", ua_len)
|| ndpi_strncasestr(ua, "Bot", ua_len) /* bot/robot */
) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_CRAWLER_BOT)) {
char str[64];
snprintf(str, sizeof(str), "UA %s", ua);
@@ -885,7 +885,7 @@ static void ndpi_check_numeric_ip(struct ndpi_detection_module_struct *ndpi_stru
ip_addr.s_addr = inet_addr(buf);
if(strcmp(inet_ntoa(ip_addr), buf) == 0) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_NUMERIC_IP_HOST)) {
char str[64];
snprintf(str, sizeof(str), "Found host %s", buf);
@@ -935,14 +935,14 @@ static void ndpi_check_http_server(struct ndpi_detection_module_struct *ndpi_str
char msg[64];
if((off == 7) && (version < MIN_APACHE_VERSION)) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_OBSOLETE_SERVER)) {
snprintf(msg, sizeof(msg), "Obsolete Apache server %s", buf);
ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_OBSOLETE_SERVER, msg);
} else {
ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_OBSOLETE_SERVER, NULL);
}
} else if((off == 6) && (version < MIN_NGINX_VERSION)) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_OBSOLETE_SERVER)) {
snprintf(msg, sizeof(msg), "Obsolete nginx server %s", buf);
ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_OBSOLETE_SERVER, msg);
} else {
@@ -1161,7 +1161,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
if(ndpi_is_valid_hostname((char *)packet->host_line.ptr,
packet->host_line.len) == 0) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_INVALID_CHARACTERS)) {
char str[128];
snprintf(str, sizeof(str), "Invalid host %s", flow->host_server_name);
@@ -1181,7 +1181,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
/* IPv4 */
if(ndpi_struct->packet.iph->daddr != inet_addr(flow->host_server_name)) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_HEADER)) {
char buf[64], msg[128];
snprintf(msg, sizeof(msg), "Expected %s, found %s",
@@ -1326,7 +1326,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str
switch(packet->line[i].ptr[0]) {
case 'A':
if(is_a_suspicious_header(suspicious_http_header_keys_A, packet->line[i])) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_HEADER)) {
char str[64];
snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr);
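Review bot: `is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_HEADER)` is now repeated verbatim in the A, C, M, O, R, S, T, U and X cases (the hunks at 1339 through 1430), each time inside the per-header loop, although it only reads configuration that does not change while a packet is processed. Compute it once before the switch, e.g. `int info_enabled = is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_HEADER);`, and test `if(info_enabled)` in each case; the same applies to the three NDPI_HTTP_SUSPICIOUS_USER_AGENT sites in ndpi_check_user_agent (hunks at 718, 733 and 747). The switch and its enclosing loop in ndpi_check_http_header start and end outside the hunk.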
@@ -1339,7 +1339,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str
break;
case 'C':
if(is_a_suspicious_header(suspicious_http_header_keys_C, packet->line[i])) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_HEADER)) {
char str[64];
snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr);
@@ -1352,7 +1352,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str
break;
case 'M':
if(is_a_suspicious_header(suspicious_http_header_keys_M, packet->line[i])) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_HEADER)) {
char str[64];
snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr);
@@ -1365,7 +1365,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str
break;
case 'O':
if(is_a_suspicious_header(suspicious_http_header_keys_O, packet->line[i])) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_HEADER)) {
char str[64];
snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr);
@@ -1378,7 +1378,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str
break;
case 'R':
if(is_a_suspicious_header(suspicious_http_header_keys_R, packet->line[i])) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_HEADER)) {
char str[64];
snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr);
@@ -1391,7 +1391,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str
break;
case 'S':
if(is_a_suspicious_header(suspicious_http_header_keys_S, packet->line[i])) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_HEADER)) {
char str[64];
snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr);
@@ -1404,7 +1404,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str
break;
case 'T':
if(is_a_suspicious_header(suspicious_http_header_keys_T, packet->line[i])) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_HEADER)) {
char str[64];
snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr);
@@ -1417,7 +1417,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str
break;
case 'U':
if(is_a_suspicious_header(suspicious_http_header_keys_U, packet->line[i])) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_HEADER)) {
char str[64];
snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr);
@@ -1430,7 +1430,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str
break;
case 'X':
if(is_a_suspicious_header(suspicious_http_header_keys_X, packet->line[i])) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_HEADER)) {
char str[64];
snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr);
diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
index e19e1b27a..b63df5d87 100644
--- a/src/lib/protocols/quic.c
+++ b/src/lib/protocols/quic.c
@@ -1468,7 +1468,7 @@ void process_chlo(struct ndpi_detection_module_struct *ndpi_struct,
if(ndpi_is_valid_hostname((char *)&crypto_data[tag_offset_start + prev_offset],
len) == 0) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_INVALID_CHARACTERS)) {
char str[128];
snprintf(str, sizeof(str), "Invalid host %s", flow->host_server_name);
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 6e010ef62..b61387a3c 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -828,7 +828,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct
ndpi_struct->cfg.tls_cert_issuer_enabled) {
flow->protos.tls_quic.issuerDN = ndpi_strdup(rdnSeqBuf);
if(ndpi_normalize_printable_string(rdnSeqBuf, rdn_len) == 0) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_INVALID_CHARACTERS)) {
char str[64];
snprintf(str, sizeof(str), "Invalid issuerDN %s", flow->protos.tls_quic.issuerDN);
ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, str);
@@ -908,7 +908,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct
if(flow->protos.tls_quic.notBefore > TLS_LIMIT_DATE)
if((flow->protos.tls_quic.notAfter-flow->protos.tls_quic.notBefore) > TLS_THRESHOLD) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_TLS_CERT_VALIDITY_TOO_LONG)) {
char str[64];
snprintf(str, sizeof(str), "TLS Cert lasts %u days",
@@ -921,7 +921,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct
}
if((time_sec < flow->protos.tls_quic.notBefore) || (time_sec > flow->protos.tls_quic.notAfter)) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_TLS_CERTIFICATE_EXPIRED)) {
char str[96], b[32], e[32];
struct tm result;
time_t theTime;
@@ -939,7 +939,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct
}
} else if((time_sec > flow->protos.tls_quic.notBefore)
&& (time_sec > (flow->protos.tls_quic.notAfter - (ndpi_struct->cfg.tls_certificate_expire_in_x_days * 86400)))) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE)) {
char str[96], b[32], e[32];
struct tm result;
time_t theTime;
@@ -1112,7 +1112,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct
} /* while */
if(!matched_name) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_TLS_CERTIFICATE_MISMATCH)) {
char str[128];
snprintf(str, sizeof(str), "%s vs %s", flow->host_server_name, flow->protos.tls_quic.server_names);
@@ -1929,7 +1929,7 @@ static void tlsCheckUncommonALPN(struct ndpi_detection_module_struct *ndpi_struc
alpn_len = comma_or_nul - alpn_start;
if(!is_a_common_alpn(ndpi_struct, alpn_start, alpn_len)) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_TLS_UNCOMMON_ALPN)) {
char str[64];
size_t str_len;
@@ -2043,7 +2043,7 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct,
printf("[TLS] suspicious extension id: %u\n", extension_id);
#endif
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_TLS_SUSPICIOUS_EXTENSION)) {
char str[64];
snprintf(str, sizeof(str), "Extn id %u", extension_id);
@@ -2064,7 +2064,7 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct,
printf("[TLS] suspicious DTLS-only extension id: %u\n", extension_id);
#endif
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_TLS_SUSPICIOUS_EXTENSION)) {
char str[64];
snprintf(str, sizeof(str), "Extn id %u", extension_id);
@@ -2395,7 +2395,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
if(ndpi_struct->cfg.tls_cipher_enabled) {
if((flow->protos.tls_quic.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja.server.cipher[0])) != NDPI_CIPHER_SAFE) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_TLS_WEAK_CIPHER)) {
char str[64];
char unknown_cipher[8];
@@ -2627,7 +2627,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
flow->protos.tls_quic.ssl_version = ja.client.tls_handshake_version = tls_version;
if(flow->protos.tls_quic.ssl_version < 0x0303) /* < TLSv1.2 */ {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_TLS_OBSOLETE_VERSION)) {
char str[32], buf[32];
u_int8_t unknown_tls_version;
diff --git a/tests/cfgs/flow_risk_infos_disabled/config.txt b/tests/cfgs/flow_risk_infos_disabled/config.txt
index a081f2099..3aaa83b6b 100644
--- a/tests/cfgs/flow_risk_infos_disabled/config.txt
+++ b/tests/cfgs/flow_risk_infos_disabled/config.txt
@@ -1 +1 @@
---cfg=flow_risk_infos,0
+--cfg=flow_risk.all.info,0
diff --git a/tests/cfgs/ndpireader_conf_file/result/openvpn_obfuscated.pcapng.out b/tests/cfgs/ndpireader_conf_file/result/openvpn_obfuscated.pcapng.out
index 2c2bf0877..b35f8e47a 100644
--- a/tests/cfgs/ndpireader_conf_file/result/openvpn_obfuscated.pcapng.out
+++ b/tests/cfgs/ndpireader_conf_file/result/openvpn_obfuscated.pcapng.out
@@ -28,6 +28,6 @@ NordVPN 30 10598 1
Safe 60 17222 1
Acceptable 117 36067 2
- 1 TCP 107.161.86.131:443 <-> 192.168.12.156:48072 [proto: 159/OpenVPN][IP: 0/Unknown][Encrypted][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 40][cat: VPN/2][40 pkts/9272 bytes <-> 47 pkts/16197 bytes][Goodput ratio: 70/81][3.15 sec][bytes ratio: -0.272 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 57/52 212/303 66/79][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 232/345 1514/1090 370/406][Risk: ** Known Proto on Non Std Port **** Obfuscated Traffic **][Risk Score: 150][Risk Info: Obfuscated OpenVPN / Expected on port 1194][PLAIN TEXT (MhLYoT)][Plen Bins: 35,3,3,15,1,1,0,0,1,3,5,1,0,1,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,18,0,0,0,0,0,0,0,0,0,1,0,0,3,0,0]
- 2 TCP 192.168.12.156:37976 <-> 185.128.25.99:465 [proto: 91/TLS][IP: 426/NordVPN][Encrypted][Confidence: DPI (aggressive)][FPC: 426/NordVPN, Confidence: IP address][DPI packets: 19][cat: Web/5][29 pkts/7410 bytes <-> 31 pkts/9812 bytes][Goodput ratio: 74/79][1.73 sec][bytes ratio: -0.139 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 66/26 1019/153 204/31][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 256/317 1090/1514 256/424][Risk: ** Known Proto on Non Std Port **** Obfuscated Traffic **][Risk Score: 150][Risk Info: Obfuscated TLS traffic / Expected on port 443][TCP Fingerprint: 2_64_65535_685ad951a756/Android][Plen Bins: 0,0,14,30,14,2,0,2,5,0,5,5,2,0,0,2,0,0,0,0,0,2,0,2,0,2,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0]
- 3 UDP 192.168.12.156:47128 <-> 149.102.238.108:1214 [proto: 159.426/OpenVPN.NordVPN][IP: 426/NordVPN][Encrypted][Confidence: DPI (aggressive)][FPC: 426/NordVPN, Confidence: IP address][DPI packets: 10][cat: VPN/2][19 pkts/3629 bytes <-> 11 pkts/6969 bytes][Goodput ratio: 78/93][1.26 sec][bytes ratio: -0.315 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 78/132 1156/1023 278/337][Pkt Len c2s/s2c min/avg/max/stddev: 115/136 191/634 782/1158 153/438][Risk: ** Known Proto on Non Std Port **** Susp Entropy **** Obfuscated Traffic **][Risk Score: 160][Risk Info: Obfuscated OpenVPN / Entropy: 6.051 (Executable?) / Expected on port 1194][PLAIN TEXT (SFhAFI)][Plen Bins: 0,0,23,41,3,0,0,0,3,0,3,6,0,0,0,0,0,0,0,0,0,0,0,3,0,3,0,0,0,0,0,0,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 1 TCP 107.161.86.131:443 <-> 192.168.12.156:48072 [proto: 159/OpenVPN][IP: 0/Unknown][Encrypted][Confidence: DPI (aggressive)][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 40][cat: VPN/2][40 pkts/9272 bytes <-> 47 pkts/16197 bytes][Goodput ratio: 70/81][3.15 sec][bytes ratio: -0.272 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 57/52 212/303 66/79][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 232/345 1514/1090 370/406][Risk: ** Known Proto on Non Std Port **** Obfuscated Traffic **][Risk Score: 150][Risk Info: Obfuscated OpenVPN][PLAIN TEXT (MhLYoT)][Plen Bins: 35,3,3,15,1,1,0,0,1,3,5,1,0,1,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,18,0,0,0,0,0,0,0,0,0,1,0,0,3,0,0]
+ 2 TCP 192.168.12.156:37976 <-> 185.128.25.99:465 [proto: 91/TLS][IP: 426/NordVPN][Encrypted][Confidence: DPI (aggressive)][FPC: 426/NordVPN, Confidence: IP address][DPI packets: 19][cat: Web/5][29 pkts/7410 bytes <-> 31 pkts/9812 bytes][Goodput ratio: 74/79][1.73 sec][bytes ratio: -0.139 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 66/26 1019/153 204/31][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 256/317 1090/1514 256/424][Risk: ** Known Proto on Non Std Port **** Obfuscated Traffic **][Risk Score: 150][Risk Info: Obfuscated TLS traffic][TCP Fingerprint: 2_64_65535_685ad951a756/Android][Plen Bins: 0,0,14,30,14,2,0,2,5,0,5,5,2,0,0,2,0,0,0,0,0,2,0,2,0,2,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0]
+ 3 UDP 192.168.12.156:47128 <-> 149.102.238.108:1214 [proto: 159.426/OpenVPN.NordVPN][IP: 426/NordVPN][Encrypted][Confidence: DPI (aggressive)][FPC: 426/NordVPN, Confidence: IP address][DPI packets: 10][cat: VPN/2][19 pkts/3629 bytes <-> 11 pkts/6969 bytes][Goodput ratio: 78/93][1.26 sec][bytes ratio: -0.315 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 78/132 1156/1023 278/337][Pkt Len c2s/s2c min/avg/max/stddev: 115/136 191/634 782/1158 153/438][Risk: ** Known Proto on Non Std Port **** Susp Entropy **** Obfuscated Traffic **][Risk Score: 160][Risk Info: Obfuscated OpenVPN][PLAIN TEXT (SFhAFI)][Plen Bins: 0,0,23,41,3,0,0,0,3,0,3,6,0,0,0,0,0,0,0,0,0,0,0,3,0,3,0,0,0,0,0,0,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/ndpireader_conf_file/result/signal_videocall.pcapng.out b/tests/cfgs/ndpireader_conf_file/result/signal_videocall.pcapng.out
index 0f428c771..0ef342f82 100644
--- a/tests/cfgs/ndpireader_conf_file/result/signal_videocall.pcapng.out
+++ b/tests/cfgs/ndpireader_conf_file/result/signal_videocall.pcapng.out
@@ -25,6 +25,6 @@ SignalVoip 334 123259 3
Acceptable 334 123259 3
- 1 UDP 192.168.12.67:47926 <-> 35.219.252.146:56377 [proto: 338.269/SRTP.SignalVoip][IP: 284/GoogleCloud][Stream Content: Audio, Video][Encrypted][Confidence: DPI][FPC: 78.269/STUN.SignalVoip, Confidence: DPI][DPI packets: 298][DPI packets before monitoring: 201][cat: VoIP/10][167 pkts/87565 bytes <-> 131 pkts/31930 bytes][Goodput ratio: 92/83][10.75 sec][bytes ratio: 0.466 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 64/82 2304/2449 291/279][Pkt Len c2s/s2c min/avg/max/stddev: 70/70 524/244 1223/900 385/198][Mapped IP/Port: 93.35.168.30:45266, 35.219.252.146:56377][RTP packets: 68/124][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: Expected on port 3478][PLAIN TEXT (17uAgN)][Plen Bins: 3,28,9,7,0,0,0,0,16,8,1,0,0,1,1,0,1,1,0,1,0,0,0,0,7,3,0,1,0,0,1,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 1 UDP 192.168.12.67:47926 <-> 35.219.252.146:56377 [proto: 338.269/SRTP.SignalVoip][IP: 284/GoogleCloud][Stream Content: Audio, Video][Encrypted][Confidence: DPI][FPC: 78.269/STUN.SignalVoip, Confidence: DPI][DPI packets: 298][DPI packets before monitoring: 201][cat: VoIP/10][167 pkts/87565 bytes <-> 131 pkts/31930 bytes][Goodput ratio: 92/83][10.75 sec][bytes ratio: 0.466 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 64/82 2304/2449 291/279][Pkt Len c2s/s2c min/avg/max/stddev: 70/70 524/244 1223/900 385/198][Mapped IP/Port: 93.35.168.30:45266, 35.219.252.146:56377][RTP packets: 68/124][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (17uAgN)][Plen Bins: 3,28,9,7,0,0,0,0,16,8,1,0,0,1,1,0,1,1,0,1,0,0,0,0,7,3,0,1,0,0,1,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
2 UDP 192.168.12.67:47926 <-> 35.219.252.146:3478 [proto: 78.269/STUN.SignalVoip][IP: 284/GoogleCloud][ClearText][Confidence: DPI][FPC: 78/STUN, Confidence: DPI][DPI packets: 26][cat: VoIP/10][13 pkts/1258 bytes <-> 13 pkts/1454 bytes][Goodput ratio: 57/62][10.01 sec][Hostname/SNI: signal.org][bytes ratio: -0.072 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 6/6 804/804 4015/4015 1248/1248][Pkt Len c2s/s2c min/avg/max/stddev: 62/94 97/112 162/126 43/14][Mapped IP/Port: 93.35.168.30:45265][Peer IP/Port: 35.219.252.146:56377, 35.219.252.146:34099, 35.219.252.146:37175][Relayed IP/Port: 35.219.252.146:40378][PLAIN TEXT (BFODsIPgWuCIX)][Plen Bins: 34,19,30,15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
3 UDP 192.168.12.67:47926 <-> 35.216.234.234:3478 [proto: 78.269/STUN.SignalVoip][IP: 284/GoogleCloud][ClearText][Confidence: DPI (cache)][FPC: 78/STUN, Confidence: DPI][DPI packets: 10][cat: VoIP/10][5 pkts/510 bytes <-> 5 pkts/542 bytes][Goodput ratio: 59/61][10.02 sec][Hostname/SNI: signal.org][bytes ratio: -0.030 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 5/4 2503/2503 9988/9988 4321/4321][Pkt Len c2s/s2c min/avg/max/stddev: 62/94 102/108 158/126 46/15][Mapped IP/Port: 93.35.168.30:45265][Relayed IP/Port: 35.216.234.234:29688][PLAIN TEXT (42oPBlgi)][Plen Bins: 30,30,20,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]