Silenced

NDPI_SUSPICIOUS_DGA_DOMAIN, NDPI_BINARY_APPLICATION_TRANSFER, NDPI_HTTP_NUMERIC_IP_HOST, NDPI_MALICIOUS_JA3, for predefined connectivity check and cybersec categories
author: Luca Deri <deri@ntop.org> 2022-02-14 23:38:21 +0100
committer: Luca Deri <deri@ntop.org> 2022-02-14 23:38:21 +0100
commit: 8a2a47e62a0d7b1bc8815dc4f09c35b73393454e (patch)
tree: 23dca6dbaa8168b0b1ee63c95a715b17a8af1d76
parent: 92da30f01750a2d10a1db697cefe33e6efed1fd7 (diff)
4 files changed, 22 insertions, 14 deletions
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index cb59883ce..2c4781e82 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -1911,6 +1911,7 @@ static ndpi_protocol_match host_match[] =
    { "malwarebytes.com",                 "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
    { "trendmicro.com",                   "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
    { ".eset.com",                        "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+   { ".e5.sk",                           "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
    { "bullguard.com",                    "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
    { "paloaltonetworks.com",             "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
    { "crowdstrike.com",                  "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 87a9bff87..7c0e8f3b1 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -2519,13 +2519,6 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs
 static void ndpi_add_domain_risk_exceptions(struct ndpi_detection_module_struct *ndpi_str) {
   const char *domains[] = {
     ".local",
-    ".msftconnecttest.com",
-    "amupdatedl.microsoft.com",
-    "update.microsoft.com.akadns.net",
-    ".windowsupdate.com",
-    ".ras.microsoft.com",
-    "e5.sk",
-    "sophosxl.net",
     NULL /* End */
   };
   const ndpi_risk risks_to_mask[] = {
@@ -2543,6 +2536,19 @@ static void ndpi_add_domain_risk_exceptions(struct ndpi_detection_module_struct
 
   for(i=0; domains[i] != NULL; i++)
     ndpi_add_host_risk_mask(ndpi_str, (char*)domains[i], mask);
+  
+  for(i=0; host_match[i].string_to_match != NULL; i++) {
+    switch(host_match[i].protocol_category) {
+    case NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK:
+    case NDPI_PROTOCOL_CATEGORY_CYBERSECURITY:
+      ndpi_add_host_risk_mask(ndpi_str, (char*)host_match[i].string_to_match, mask); 
+      break;
+
+    default:
+      /* Nothing to do */
+      break;
+    }
+  }
 }
 
 /* *********************************************** */
diff --git a/tests/result/skype.pcap.out b/tests/result/skype.pcap.out
index c8bacda64..27d99fa62 100644
--- a/tests/result/skype.pcap.out
+++ b/tests/result/skype.pcap.out
@@ -18,10 +18,11 @@ ICMP	8	656	1
 IGMP	5	258	4
 TLS	443	45600	30
 Dropbox	38	17948	5
-Skype_Teams	627	223508	33
+Skype_Teams	613	222206	31
 Apple	3	168	1
 AppleiCloud	88	20520	2
 Spotify	5	430	1
+Microsoft	14	1302	2
 ApplePush	12	1877	1
 
 JA3 Host Stats: 
@@ -74,8 +75,8 @@ JA3 Host Stats:
 	43	UDP [fe80::c62c:3ff:fe06:49fe]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][ClearText][Confidence: DPI][cat: Network/14][4 pkts/908 bytes -> 0 pkts/0 bytes][Goodput ratio: 73/0][13.03 sec][Hostname/SNI: _afpovertcp._tcp.local][_afpovertcp._tcp.local][PLAIN TEXT (afpovertc)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	44	UDP 192.168.1.92:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][ClearText][Confidence: DPI][cat: Network/14][4 pkts/828 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][13.03 sec][Hostname/SNI: _afpovertcp._tcp.local][_afpovertcp._tcp.local][PLAIN TEXT (afpovertc)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	45	ICMP 192.168.1.1:0 -> 192.168.1.34:0 [proto: 81/ICMP][ClearText][Confidence: DPI][cat: Network/14][8 pkts/656 bytes -> 0 pkts/0 bytes][Goodput ratio: 49/0][34.64 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 253/0 4948/0 31039/0 10656/0][Pkt Len c2s/s2c min/avg/max/stddev: 82/0 82/0 82/0 0/0][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	46	UDP 192.168.1.34:55159 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype_Teams][ClearText][Confidence: DPI][cat: VoIP/10][7 pkts/651 bytes -> 0 pkts/0 bytes][Goodput ratio: 55/0][26.45 sec][Hostname/SNI: a.config.skype.trafficmanager.net][::][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1091/0 4409/0 9094/0 3390/0][Pkt Len c2s/s2c min/avg/max/stddev: 93/0 93/0 93/0 0/0][PLAIN TEXT (config)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	47	UDP 192.168.1.34:63108 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype_Teams][ClearText][Confidence: DPI][cat: VoIP/10][7 pkts/651 bytes -> 0 pkts/0 bytes][Goodput ratio: 55/0][26.45 sec][Hostname/SNI: a.config.skype.trafficmanager.net][::][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1091/0 4409/0 9094/0 3391/0][Pkt Len c2s/s2c min/avg/max/stddev: 93/0 93/0 93/0 0/0][PLAIN TEXT (config)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	46	UDP 192.168.1.34:55159 -> 192.168.1.1:53 [proto: 5.212/DNS.Microsoft][ClearText][Confidence: DPI][cat: Web/5][7 pkts/651 bytes -> 0 pkts/0 bytes][Goodput ratio: 55/0][26.45 sec][Hostname/SNI: a.config.skype.trafficmanager.net][::][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1091/0 4409/0 9094/0 3390/0][Pkt Len c2s/s2c min/avg/max/stddev: 93/0 93/0 93/0 0/0][PLAIN TEXT (config)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	47	UDP 192.168.1.34:63108 -> 192.168.1.1:53 [proto: 5.212/DNS.Microsoft][ClearText][Confidence: DPI][cat: Web/5][7 pkts/651 bytes -> 0 pkts/0 bytes][Goodput ratio: 55/0][26.45 sec][Hostname/SNI: a.config.skype.trafficmanager.net][::][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1091/0 4409/0 9094/0 3391/0][Pkt Len c2s/s2c min/avg/max/stddev: 93/0 93/0 93/0 0/0][PLAIN TEXT (config)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	48	UDP 192.168.1.34:49903 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype_Teams][ClearText][Confidence: DPI][cat: VoIP/10][9 pkts/648 bytes -> 0 pkts/0 bytes][Goodput ratio: 42/0][80.52 sec][Hostname/SNI: ui.skype.com][::][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1001/0 10065/0 27100/0 10269/0][Pkt Len c2s/s2c min/avg/max/stddev: 72/0 72/0 72/0 0/0][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	49	UDP 192.168.1.34:52850 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype_Teams][ClearText][Confidence: DPI][cat: VoIP/10][8 pkts/648 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][53.50 sec][Hostname/SNI: conn.skype.akadns.net][::][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1098/0 7643/0 27099/0 8538/0][Pkt Len c2s/s2c min/avg/max/stddev: 81/0 81/0 81/0 0/0][PLAIN TEXT (akadns)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	50	UDP 192.168.1.34:55711 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype_Teams][ClearText][Confidence: DPI][cat: VoIP/10][8 pkts/648 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][53.50 sec][Hostname/SNI: conn.skype.akadns.net][::][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1098/0 7643/0 27099/0 8538/0][Pkt Len c2s/s2c min/avg/max/stddev: 81/0 81/0 81/0 0/0][PLAIN TEXT (akadns)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/teams.pcap.out b/tests/result/teams.pcap.out
index c7c5a1f7b..8bf7ccdf3 100644
--- a/tests/result/teams.pcap.out
+++ b/tests/result/teams.pcap.out
@@ -9,7 +9,7 @@ Confidence Match by IP      : 2 (flows)
 Confidence DPI              : 79 (flows)
 
 Unknown	4	456	1
-DNS	14	1902	7
+DNS	10	1357	5
 DHCP	7	2323	2
 ntop	40	9816	3
 SkypeCall	49	10800	4
@@ -19,7 +19,7 @@ Dropbox	18	11162	3
 Skype_Teams	44	21248	3
 Spotify	1	82	1
 Telegram	3	186	1
-Microsoft	401	283503	10
+Microsoft	405	284048	12
 Microsoft365	136	52120	6
 Teams	1916	1034899	34
 Azure	136	57684	6
@@ -98,11 +98,11 @@ JA3 Host Stats:
 	67	UDP 192.168.1.6:55765 <-> 192.168.1.1:53 [proto: 5.276/DNS.Azure][ClearText][Confidence: DPI][cat: Cloud/13][1 pkts/109 bytes <-> 1 pkts/185 bytes][Goodput ratio: 61/77][0.01 sec][Hostname/SNI: b-tr-teams-euno-05.northeurope.cloudapp.azure.com][::][PLAIN TEXT (northeurope)][Plen Bins: 0,0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	68	UDP 192.168.1.6:59403 <-> 192.168.1.1:53 [proto: 5.219/DNS.Microsoft365][ClearText][Confidence: DPI][cat: Collaborative/15][1 pkts/80 bytes <-> 1 pkts/214 bytes][Goodput ratio: 47/80][0.01 sec][Hostname/SNI: substrate.office.com][13.107.18.11][PLAIN TEXT (substrate)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	69	UDP 192.168.1.6:49514 <-> 192.168.1.1:53 [proto: 5.250/DNS.Teams][ClearText][Confidence: DPI][cat: Collaborative/15][1 pkts/86 bytes <-> 1 pkts/204 bytes][Goodput ratio: 51/79][0.01 sec][Hostname/SNI: config.teams.microsoft.com][52.113.194.132][PLAIN TEXT (config)][Plen Bins: 0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	70	UDP 192.168.1.6:57530 <-> 192.168.1.1:53 [proto: 5/DNS][ClearText][Confidence: DPI][cat: Network/14][1 pkts/100 bytes <-> 1 pkts/181 bytes][Goodput ratio: 57/76][0.03 sec][Hostname/SNI: presence.services.sfb.trafficmanager.net][52.114.77.58][PLAIN TEXT (presence)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	70	UDP 192.168.1.6:57530 <-> 192.168.1.1:53 [proto: 5.212/DNS.Microsoft][ClearText][Confidence: DPI][cat: Web/5][1 pkts/100 bytes <-> 1 pkts/181 bytes][Goodput ratio: 57/76][0.03 sec][Hostname/SNI: presence.services.sfb.trafficmanager.net][52.114.77.58][PLAIN TEXT (presence)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	71	UDP 192.168.1.6:53678 <-> 192.168.1.1:53 [proto: 5.250/DNS.Teams][ClearText][Confidence: DPI][cat: Collaborative/15][1 pkts/103 bytes <-> 1 pkts/173 bytes][Goodput ratio: 59/75][0.01 sec][Hostname/SNI: trouter2-asse-a.trouter.teams.microsoft.com][2a01:111:f100:7000::6fdd:54a1][PLAIN TEXT (trouter)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	72	UDP 192.168.1.6:60837 <-> 192.168.1.1:53 [proto: 5.250/DNS.Teams][ClearText][Confidence: DPI][cat: Collaborative/15][1 pkts/100 bytes <-> 1 pkts/176 bytes][Goodput ratio: 57/76][0.01 sec][Hostname/SNI: c-flightproxy-euno-01-teams.cloudapp.net][::][PLAIN TEXT (flightproxy)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	73	UDP 192.168.1.6:65230 <-> 192.168.1.1:53 [proto: 5.250/DNS.Teams][ClearText][Confidence: DPI][cat: Collaborative/15][1 pkts/103 bytes <-> 1 pkts/161 bytes][Goodput ratio: 59/73][0.01 sec][Hostname/SNI: trouter2-asse-a.trouter.teams.microsoft.com][52.114.15.45][PLAIN TEXT (trouter)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	74	UDP 192.168.1.6:65387 <-> 192.168.1.1:53 [proto: 5/DNS][ClearText][Confidence: DPI][cat: Network/14][1 pkts/93 bytes <-> 1 pkts/171 bytes][Goodput ratio: 54/75][0.01 sec][Hostname/SNI: northeuropecns.trafficmanager.net][52.114.76.48][PLAIN TEXT (northeuropecns)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	74	UDP 192.168.1.6:65387 <-> 192.168.1.1:53 [proto: 5.212/DNS.Microsoft][ClearText][Confidence: DPI][cat: Web/5][1 pkts/93 bytes <-> 1 pkts/171 bytes][Goodput ratio: 54/75][0.01 sec][Hostname/SNI: northeuropecns.trafficmanager.net][52.114.76.48][PLAIN TEXT (northeuropecns)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	75	UDP 192.168.1.6:51033 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype_Teams][ClearText][Confidence: DPI][cat: VoIP/10][1 pkts/80 bytes <-> 1 pkts/182 bytes][Goodput ratio: 47/77][0.04 sec][Hostname/SNI: eu-api.asm.skype.com][52.114.75.69][PLAIN TEXT (trafficmanager)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	76	UDP 192.168.1.6:51309 <-> 192.168.1.1:53 [proto: 5/DNS][ClearText][Confidence: DPI][cat: Network/14][1 pkts/93 bytes <-> 1 pkts/169 bytes][Goodput ratio: 54/75][0.01 sec][Hostname/SNI: skypedataprdcolneu04.cloudapp.net][::][PLAIN TEXT (skypedataprdcolneu04)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	77	UDP 192.168.1.6:62863 <-> 192.168.1.1:53 [proto: 5.250/DNS.Teams][ClearText][Confidence: DPI][cat: Collaborative/15][1 pkts/103 bytes <-> 1 pkts/158 bytes][Goodput ratio: 59/73][0.07 sec][Hostname/SNI: emea.ng.msg.teams-msgapi.trafficmanager.net][52.114.108.8][PLAIN TEXT (msgapi)][Plen Bins: 0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
author	Luca Deri <deri@ntop.org>	2022-02-14 23:38:21 +0100
committer	Luca Deri <deri@ntop.org>	2022-02-14 23:38:21 +0100
commit	8a2a47e62a0d7b1bc8815dc4f09c35b73393454e (patch)
tree	23dca6dbaa8168b0b1ee63c95a715b17a8af1d76
parent	92da30f01750a2d10a1db697cefe33e6efed1fd7 (diff)