authorLuca Deri <deri@ntop.org>2021-04-11 14:42:27 +0200
committerLuca Deri <deri@ntop.org>2021-04-11 14:42:27 +0200
commitbf318e0b86ecfe88db3c15ed7ae285b43e51c304 (patch)
treed78a0f58151855e15cf6c0cc23f09b53df04f718
parentceb98a3f9c7987820da3998f6c80a5bf9bd65743 (diff)
Added NDPI_DESKTOP_OR_FILE_SHARING_SESSION flow risk
-rw-r--r--python/ndpi.py6
-rw-r--r--src/include/ndpi_typedefs.h4
-rw-r--r--src/lib/ndpi_utils.c5
-rw-r--r--src/lib/protocols/teamviewer.c5
-rw-r--r--src/lib/protocols/tls.c2
5 files changed, 17 insertions, 5 deletions
diff --git a/python/ndpi.py b/python/ndpi.py
index f8b2c0a6a..54e12b82b 100644
--- a/python/ndpi.py
+++ b/python/ndpi.py
@@ -317,6 +317,12 @@ typedef enum {
NDPI_DNS_SUSPICIOUS_TRAFFIC,
NDPI_TLS_MISSING_SNI,
NDPI_HTTP_SUSPICIOUS_CONTENT,
+ NDPI_RISKY_ASN,
+ NDPI_RISKY_DOMAIN,
+ NDPI_MALICIOUS_JA3,
+ NDPI_MALICIOUS_SHA1_CERTIFICATE,
+ NDPI_DESKTOP_OR_FILE_SHARING_SESSION,
+
/* Leave this as last member */
NDPI_MAX_RISK
} ndpi_risk_enum;
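Review bot: The enum in this hunk is a hand-maintained mirror of ndpi_risk_enum, and the fact that this commit has to add NDPI_RISKY_ASN, NDPI_RISKY_DOMAIN and NDPI_MALICIOUS_JA3 here — members that already appear as unchanged context in the ndpi_typedefs.h hunk — shows the binding had drifted and was mapping those risk values to the wrong names. Nothing in the hunk warns the next contributor that order is significant, and the header's note that NDPI_MAX_RISK must be ≤ 31 suggests these values double as bit positions, so a misordered entry would silently relabel risks rather than fail. I would put a comment directly above the `typedef enum` cdef: `# Must mirror ndpi_risk_enum in src/include/ndpi_typedefs.h exactly: position defines the numeric value, append new members before NDPI_MAX_RISK only.` The enclosing cdef string starts outside the hunk.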
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 802d650f4..7434758bf 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -95,8 +95,8 @@ typedef enum {
NDPI_RISKY_ASN,
NDPI_RISKY_DOMAIN,
NDPI_MALICIOUS_JA3,
- NDPI_MALICIOUS_SHA1,
-
+ NDPI_MALICIOUS_SHA1_CERTIFICATE,
+ NDPI_DESKTOP_OR_FILE_SHARING_SESSION,
/* Leave this as last member */
NDPI_MAX_RISK /* must be <= 31 due to (**) */
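Review bot: Renaming NDPI_MALICIOUS_SHA1 to NDPI_MALICIOUS_SHA1_CERTIFICATE in a public header with no compatibility alias breaks any out-of-tree consumer that references the old name, and the in-tree users (ndpi_utils.c, tls.c) are updated in this same commit so the break would only surface downstream. If the old name is to be retired, a transitional alias after the enum's closing brace keeps existing builds working: `#define NDPI_MALICIOUS_SHA1 NDPI_MALICIOUS_SHA1_CERTIFICATE /* deprecated, use the _CERTIFICATE name */`. Separately, appending NDPI_DESKTOP_OR_FILE_SHARING_SESSION moves NDPI_MAX_RISK up by one against the `must be <= 31` note on the last line; I cannot see the whole enum to confirm the margin, so a compile-time check after the typedef, `_Static_assert(NDPI_MAX_RISK <= 31, "ndpi_risk_enum exceeds 32 risk bits");`, would make the next addition fail loudly instead of silently overflowing the bit set. The enum's closing line is outside the hunk.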
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 8c2af79da..9ff1af500 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1767,9 +1767,12 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
case NDPI_MALICIOUS_JA3:
return("Possibly Malicious JA3 Fingerprint");
- case NDPI_MALICIOUS_SHA1:
+ case NDPI_MALICIOUS_SHA1_CERTIFICATE:
return("Possibly Malicious SSL Certificate SHA1 Fingerprint");
+ case NDPI_DESKTOP_OR_FILE_SHARING_SESSION:
+ return("Desktop/File Sharing Session");
+
default:
snprintf(buf, sizeof(buf), "%d", (int)risk);
return(buf);
diff --git a/src/lib/protocols/teamviewer.c b/src/lib/protocols/teamviewer.c
index 5c221fada..97a8b3c1e 100644
--- a/src/lib/protocols/teamviewer.c
+++ b/src/lib/protocols/teamviewer.c
@@ -72,6 +72,7 @@ void ndpi_search_teamview(struct ndpi_detection_module_struct *ndpi_struct, stru
if (flow->l4.udp.teamviewer_stage == 4 ||
packet->udp->dest == ntohs(5938) || packet->udp->source == ntohs(5938)) {
ndpi_int_teamview_add_connection(ndpi_struct, flow);
+ ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance (UDP only) */
}
return;
}
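Review bot: The port-only branch on the hunk's second line — `packet->udp->dest == ntohs(5938) || packet->udp->source == ntohs(5938)` — now raises NDPI_DESKTOP_OR_FILE_SHARING_SESSION on any UDP flow that merely touches port 5938, without the 0x11 0x30 payload confirmation that the stage-4 path requires. For a flag that is meant to drive alerting this is a weak signal: unrelated traffic on that port is flagged, while a TeamViewer session moved to a non-default port is not, so the risk cannot be treated as a control on its own. I would raise the risk only on the payload-confirmed path, `if(flow->l4.udp.teamviewer_stage == 4) ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION);`, or at least extend the comment to say the port-only match is lower confidence. The enclosing branch and ndpi_search_teamview begin outside the hunk.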
@@ -90,8 +91,10 @@ void ndpi_search_teamview(struct ndpi_detection_module_struct *ndpi_struct, stru
else if (flow->l4.udp.teamviewer_stage) {
if (packet->payload[0] == 0x11 && packet->payload[1] == 0x30) {
flow->l4.udp.teamviewer_stage++;
- if (flow->l4.udp.teamviewer_stage == 4)
+ if (flow->l4.udp.teamviewer_stage == 4) {
ndpi_int_teamview_add_connection(ndpi_struct, flow);
+ ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance (UDP only) */
+ }
}
return;
}
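Review bot: The test `packet->payload[0] == 0x11 && packet->payload[1] == 0x30` reads two payload bytes and no length check is visible in this hunk; if the function's entry guard (outside the hunk) does not already require at least two bytes, a zero- or one-byte UDP datagram on an in-progress flow reads past the payload. Guarding locally costs nothing and documents the assumption: `if (packet->payload_packet_len >= 2 && packet->payload[0] == 0x11 && packet->payload[1] == 0x30) {`. As a point of style, the `ndpi_int_teamview_add_connection` plus `ndpi_set_risk` pair now appears twice in this file with the same "(UDP only)" comment; a small static helper such as `teamview_add_udp_connection(ndpi_struct, flow)` would keep the two paths from drifting. The enclosing branch and function begin outside the hunk.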
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 985b5ee1e..ffb3740c8 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -674,7 +674,7 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct,
u_int16_t rc1 = ndpi_match_string(ndpi_struct->malicious_sha1_automa.ac_automa, sha1_str);
if(rc1 > 0)
- ndpi_set_risk(flow, NDPI_MALICIOUS_SHA1);
+ ndpi_set_risk(flow, NDPI_MALICIOUS_SHA1_CERTIFICATE);
}
processCertificateElements(ndpi_struct, flow, certificates_offset, certificate_len);