aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2025-02-15 15:13:01 +0100
committerGitHub <noreply@github.com>2025-02-15 15:13:01 +0100
commit9bf513b342f252547a0a6839df4eee94df2cacae (patch)
tree1e6a3778769dd1492a17bf54f123eb0ce1338497
parent091e1423e246263cc294c12c0f8ab0cdda845b94 (diff)
DNS: fix dissection (#2726)
Diffstat
-rw-r--r--src/include/ndpi_define.h.in3
-rw-r--r--src/lib/protocols/dns.c4
-rw-r--r--tests/cfgs/default/pcap/dns_lots_of_answers.pcapngbin0 -> 3096 bytes
-rw-r--r--tests/cfgs/default/result/dns_fragmented.pcap.out4
-rw-r--r--tests/cfgs/default/result/dns_lots_of_answers.pcapng.out29
-rw-r--r--tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out6
-rw-r--r--windows/src/ndpi_define.h3
7 files changed, 37 insertions, 12 deletions
diff --git a/src/include/ndpi_define.h.in b/src/include/ndpi_define.h.in
index f5468e822..9cd6f221d 100644
--- a/src/include/ndpi_define.h.in
+++ b/src/include/ndpi_define.h.in
@@ -218,9 +218,6 @@ static inline uint64_t get_u_int64_t(const uint8_t* X, int O)
#endif /* WIN32 */
-#define NDPI_MAX_DNS_REQUESTS 16
-#define NDPI_MIN_NUM_STUN_DETECTION 8
-
#define NDPI_MAJOR @NDPI_MAJOR@
#define NDPI_MINOR @NDPI_MINOR@
#define NDPI_PATCH @NDPI_PATCH@
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 205777024..dab225a56 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -38,6 +38,8 @@
#define PKT_LEN_ALERT 512
+#define NDPI_MAX_DNS_REQUESTS 48
+
static void search_dns(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow);
@@ -161,7 +163,7 @@ static u_int getNameLength(u_int i, const u_int8_t *payload, u_int payloadLen) {
return(0);
else if(payload[i] == 0x00)
return(1);
- else if(payload[i] == 0xC0)
+ else if((payload[i] & 0xC0)== 0xC0)
return(2);
else {
u_int8_t len = payload[i];
diff --git a/tests/cfgs/default/pcap/dns_lots_of_answers.pcapng b/tests/cfgs/default/pcap/dns_lots_of_answers.pcapng
new file mode 100644
index 000000000..e462e8659
--- /dev/null
+++ b/tests/cfgs/default/pcap/dns_lots_of_answers.pcapng
Binary files differ
diff --git a/tests/cfgs/default/result/dns_fragmented.pcap.out b/tests/cfgs/default/result/dns_fragmented.pcap.out
index a4f3c747a..6ced5553f 100644
--- a/tests/cfgs/default/result/dns_fragmented.pcap.out
+++ b/tests/cfgs/default/result/dns_fragmented.pcap.out
@@ -34,8 +34,8 @@ Acceptable 59 21695 21
7 UDP 194.247.5.6:51791 <-> 193.24.227.238:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/94 bytes <-> 1 pkts/1514 bytes][Goodput ratio: 55/97][0.01 sec][Hostname/SNI: weberlab.de][0.0.0.0][DNS Id: 0x89ce][Risk: ** Large DNS Packet (512+ bytes) **** Fragmented DNS Message **][Risk Score: 100][Risk Info: 1472 Bytes DNS Packet][PLAIN TEXT (weberlab)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0]
8 UDP 74.125.47.136:59330 <-> 193.24.227.238:53 [proto: 5/DNS][IP: 126/Google][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/82 bytes <-> 1 pkts/1514 bytes][Goodput ratio: 48/97][0.00 sec][Hostname/SNI: weberlab.de][0.0.0.0][DNS Id: 0x15a8][Risk: ** Large DNS Packet (512+ bytes) **** Fragmented DNS Message **][Risk Score: 100][Risk Info: 1472 Bytes DNS Packet][PLAIN TEXT (weberlab)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0]
9 UDP 172.217.40.76:56680 <-> 193.24.227.238:53 [proto: 5/DNS][IP: 126/Google][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/82 bytes <-> 1 pkts/1514 bytes][Goodput ratio: 48/97][< 1 sec][Hostname/SNI: weberlab.de][0.0.0.0][DNS Id: 0xd43f][Risk: ** Large DNS Packet (512+ bytes) **** Fragmented DNS Message **][Risk Score: 100][Risk Info: 1472 Bytes DNS Packet][PLAIN TEXT (weberlab)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0]
- 10 UDP [2a00:1450:400c:c00::106]:54430 <-> [2001:470:765b::a25:53]:53 [proto: 5/DNS][IP: 126/Google][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/121 bytes <-> 1 pkts/886 bytes][Goodput ratio: 48/93][0.00 sec][Hostname/SNI: fg2.weberlab.de][0.0.0.0][DNS Id: 0xa438][Risk: ** Large DNS Packet (512+ bytes) **][Risk Score: 50][Risk Info: 824 Bytes DNS Packet][PLAIN TEXT (weberlab)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 11 UDP [2a00:1450:4013:c05::10e]:34944 <-> [2001:470:765b::a25:53]:53 [proto: 5/DNS][IP: 126/Google][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/121 bytes <-> 1 pkts/886 bytes][Goodput ratio: 48/93][< 1 sec][Hostname/SNI: fg2.weberlab.de][0.0.0.0][DNS Id: 0x9e06][Risk: ** Large DNS Packet (512+ bytes) **][Risk Score: 50][Risk Info: 824 Bytes DNS Packet][PLAIN TEXT (weberlab)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 10 UDP [2a00:1450:400c:c00::106]:54430 <-> [2001:470:765b::a25:53]:53 [proto: 5/DNS][IP: 126/Google][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/121 bytes <-> 1 pkts/886 bytes][Goodput ratio: 48/93][0.00 sec][Hostname/SNI: fg2.weberlab.de][0.0.0.0][DNS Id: 0xa438][PLAIN TEXT (weberlab)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 11 UDP [2a00:1450:4013:c05::10e]:34944 <-> [2001:470:765b::a25:53]:53 [proto: 5/DNS][IP: 126/Google][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/121 bytes <-> 1 pkts/886 bytes][Goodput ratio: 48/93][< 1 sec][Hostname/SNI: fg2.weberlab.de][0.0.0.0][DNS Id: 0x9e06][PLAIN TEXT (weberlab)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
12 UDP [2001:470:1f0b:16b0:20c:29ff:fe7c:a4cb]:33592 <-> [2001:470:765b::a25:53]:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/123 bytes <-> 1 pkts/300 bytes][Goodput ratio: 49/79][0.01 sec][Hostname/SNI: fg2-mgmt.weberlab.de][2001:470:1f0b:16b0::1][DNS Id: 0xbda9][PLAIN TEXT (weberlab)][Plen Bins: 0,50,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
13 UDP [2001:470:1f0b:16b0:20c:29ff:fe7c:a4cb]:46316 <-> [2001:470:765b::a25:53]:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/123 bytes <-> 1 pkts/300 bytes][Goodput ratio: 49/79][0.01 sec][Hostname/SNI: fg2-mgmt.weberlab.de][2001:470:1f0b:16b0::1][DNS Id: 0xdd84][PLAIN TEXT (weberlab)][Plen Bins: 0,50,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
14 UDP [2001:470:1f0b:16b0:20c:29ff:fe7c:a4cb]:46440 <-> [2001:470:765b::a25:53]:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/123 bytes <-> 1 pkts/300 bytes][Goodput ratio: 49/79][0.01 sec][Hostname/SNI: fg2-mgmt.weberlab.de][2001:470:1f0b:16b0::1][DNS Id: 0xea02][PLAIN TEXT (weberlab)][Plen Bins: 0,50,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/default/result/dns_lots_of_answers.pcapng.out b/tests/cfgs/default/result/dns_lots_of_answers.pcapng.out
new file mode 100644
index 000000000..ac78a68b0
--- /dev/null
+++ b/tests/cfgs/default/result/dns_lots_of_answers.pcapng.out
@@ -0,0 +1,29 @@
+DPI Packets (TCP): 9 (9.00 pkts/flow)
+DPI Packets (UDP): 2 (2.00 pkts/flow)
+Confidence DPI : 2 (flows)
+Num dissector calls: 2 (1.00 diss/flow)
+LRU cache ookla: 0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache stun: 0/0/0 (insert/search/found)
+LRU cache tls_cert: 0/0/0 (insert/search/found)
+LRU cache mining: 0/0/0 (insert/search/found)
+LRU cache msteams: 0/0/0 (insert/search/found)
+LRU cache fpc_dns: 2/1/0 (insert/search/found)
+Automa host: 4/4 (search/found)
+Automa domain: 4/0 (search/found)
+Automa tls cert: 0/0 (search/found)
+Automa risk mask: 1/0 (search/found)
+Automa common alpns: 0/0 (search/found)
+Patricia risk mask: 2/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk: 0/0 (search/found)
+Patricia risk IPv6: 0/0 (search/found)
+Patricia protocols: 4/0 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+DNS 16 2200 2
+
+Acceptable 16 2200 2
+
+ 1 TCP 192.168.12.169:4026 <-> 192.168.12.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: Network/14][8 pkts/586 bytes <-> 6 pkts/1118 bytes][Goodput ratio: 7/62][3.17 sec][Hostname/SNI: bstream.hzmklvdieo.com][169.197.119.239][DNS Id: 0x474c][bytes ratio: -0.312 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/2 443/359 1056/716 375/357][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 73/186 108/764 14/258][TCP Fingerprint: 2_64_65535_685ad951a756/Android][PLAIN TEXT (bstream)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 2 UDP 192.168.12.156:54660 <-> 192.168.12.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/91 bytes <-> 1 pkts/405 bytes][Goodput ratio: 53/89][0.32 sec][Hostname/SNI: dinamicx.alibabausercontent.com][163.181.50.229][DNS Id: 0x0c54][PLAIN TEXT (dinamic)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out b/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out
index f9e4ac6b7..e3ac9625a 100644
--- a/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out
+++ b/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out
@@ -14,8 +14,8 @@ LRU cache tls_cert: 0/0/0 (insert/search/found)
LRU cache mining: 0/66/0 (insert/search/found)
LRU cache msteams: 0/0/0 (insert/search/found)
LRU cache fpc_dns: 0/66/0 (insert/search/found)
-Automa host: 237/0 (search/found)
-Automa domain: 230/0 (search/found)
+Automa host: 238/0 (search/found)
+Automa domain: 231/0 (search/found)
Automa tls cert: 0/0 (search/found)
Automa risk mask: 125/0 (search/found)
Automa common alpns: 0/0 (search/found)
@@ -110,7 +110,7 @@ Unrated 33 4066 33
67 UDP 192.168.1.2:2739 <-> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/82 bytes <-> 1 pkts/105 bytes][Goodput ratio: 48/59][0.00 sec][Hostname/SNI: 1.0.0.127.in-addr.arpa][0.0.0.0][DNS Id: 0x6ade][DNS Ptr: localhost][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
68 UDP 192.168.1.2:2743 <-> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/82 bytes <-> 1 pkts/105 bytes][Goodput ratio: 48/59][0.00 sec][Hostname/SNI: 1.0.0.127.in-addr.arpa][0.0.0.0][DNS Id: 0x7cc2][DNS Ptr: local_ost][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
69 UDP 192.168.1.2:2753 <-> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/82 bytes <-> 1 pkts/105 bytes][Goodput ratio: 48/59][0.00 sec][Hostname/SNI: 1.0.0.527.in-addr.arpa][0.0.0.0][DNS Id: 0x48ce][DNS Ptr: locathost][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
- 70 UDP 192.168.1.2:2755 <-> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/82 bytes <-> 1 pkts/105 bytes][Goodput ratio: 48/59][0.00 sec][0.0.0.0][DNS Id: 0x55f0][Risk: ** Malformed Packet **][Risk Score: 10][Risk Info: Invalid DNS Header][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 70 UDP 192.168.1.2:2755 <-> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/82 bytes <-> 1 pkts/105 bytes][Goodput ratio: 48/59][0.00 sec][Hostname/SNI: 1.0.0.127.in-addr.arpa][0.0.0.0][DNS Id: 0x55f0][DNS Ptr: localhost][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
71 UDP 192.168.1.2:2757 <-> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/82 bytes <-> 1 pkts/105 bytes][Goodput ratio: 48/59][0.00 sec][0.0.0.0][DNS Id: 0xdff0][Risk: ** Malformed Packet **** Non-Printable/Invalid Chars Detected **][Risk Score: 110][Risk Info: Invalid DNS Query Lenght / Invalid chars detected in domain name][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
72 UDP 192.168.1.2:2761 <-> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 2][cat: Network/14][1 pkts/82 bytes <-> 1 pkts/105 bytes][Goodput ratio: 11/59][0.00 sec][0.0.0.0][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
73 UDP 192.168.1.2:2767 <-> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/82 bytes <-> 1 pkts/105 bytes][Goodput ratio: 48/59][0.00 sec][Hostname/SNI: 1.0.0.127.in-addr.arpa][0.0.0.0][DNS Id: 0x78fd][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/windows/src/ndpi_define.h b/windows/src/ndpi_define.h
index f03f41cb5..6792df9a5 100644
--- a/windows/src/ndpi_define.h
+++ b/windows/src/ndpi_define.h
@@ -215,9 +215,6 @@ static inline u_int64_t get_u_int64_t(const u_int8_t* X, int O)
#endif /* WIN32 */
-#define NDPI_MAX_DNS_REQUESTS 16
-#define NDPI_MIN_NUM_STUN_DETECTION 8
-
/*
* Not supported for Visual Studio.
*/
Powered by cgit, Themed by Ted Yin.