diff options
| author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2025-01-06 16:53:29 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-01-06 16:53:29 +0100 |
| commit | bf830b4236132b1100fb9c4863a737fb53eb669f (patch) | |
| tree | 553dcba7218a50c247baa182d8c294fbc297e198 | |
| parent | c3d19be26f8a437fbfc3fbae14d13c260cbe77d7 (diff) | |
Add the ability to enable/disable every specific flow risks (#2653)
40 files changed, 437 insertions, 218 deletions
diff --git a/doc/configuration_parameters.md b/doc/configuration_parameters.md index 3beb7124b..1f455c3f3 100644 --- a/doc/configuration_parameters.md +++ b/doc/configuration_parameters.md @@ -18,6 +18,7 @@ TODO | NULL | "metadata.tcp_fingerprint" | enable | NULL | NULL | Enable/disable computation and export of TCP fingerprint for all TCP flows | NULL | "dpi.guess_on_giveup" | 0x03 | 0x00 | 0x03 | Tell the library to guess flow classification, if any DPI algorithms/logics fail. The value is a bitmask. Values: 0x0 = disabled; 0x01 = enable guessing by port; 0x02 = enable guessing by ip | | NULL | "dpi.guess_ip_before_port" | disable | NULL | NULL | Enable/disable guessing by IP first when guessing flow classifcation. Disabled = guess by port first. | +| NULL | "flow_risk.$FLOWRISK_NAME_OR_ID" | enable | NULL | NULL | Enable/disable the specific flow risk. Use "any" as flow risk name if you want to easily enable/disable all flow risks. The names of the flow risks are available at `src/include/ndpi_typedefs.h`: look for `ndpi_risk_shortnames` | | NULL | "flow_risk_lists.load" | 1 | NULL | NULL | Enable/disable loading of every IP addresses lists used to check any flow risks | | NULL | "flow_risk.anonymous_subscriber.list.icloudprivaterelay.load" | 1 | NULL | NULL | Enable/disable loading of internal iCouldPrivateRealy IP address list used to check `NDPI_ANONYMOUS_SUBSCRIBER` flow risk | | NULL | "flow_risk.anonymous_subscriber.list.protonvpn.load" | 1 | NULL | NULL | Enable/disable loading of internal IP address list of ProtonVPN exit nodes used to check `NDPI_ANONYMOUS_SUBSCRIBER` flow risk | diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp index c8d8d7a65..8ced9381b 100644 --- a/fuzz/fuzz_config.cpp +++ b/fuzz/fuzz_config.cpp @@ -398,6 +398,17 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ndpi_set_config(ndpi_info_mod, NULL, "metadata.tcp_fingerprint", cfg_value); } if(fuzzed_data.ConsumeBool()) { + pid = fuzzed_data.ConsumeIntegralInRange<u_int16_t>(0, NDPI_MAX_RISK + 1); /* + 1 to trigger invalid pid */ + value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1); + snprintf(cfg_value, sizeof(cfg_value), "%d", value); + if(fuzzed_data.ConsumeBool() && pid < NDPI_MAX_RISK) + snprintf(cfg_param, sizeof(cfg_param), "flow_risk.%s", ndpi_risk_shortnames[pid]); + else + snprintf(cfg_param, sizeof(cfg_param), "flow_risk.%d", pid); + ndpi_set_config(ndpi_info_mod, NULL, cfg_param, cfg_value); + ndpi_get_config(ndpi_info_mod, NULL, cfg_param, cfg_value, sizeof(cfg_value)); + } + if(fuzzed_data.ConsumeBool()) { value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1); snprintf(cfg_value, sizeof(cfg_value), "%d", value); ndpi_set_config(ndpi_info_mod, NULL, "flow_risk_lists.load", cfg_value); diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h index e96d96b91..6bbeb320c 100644 --- a/src/include/ndpi_main.h +++ b/src/include/ndpi_main.h @@ -93,8 +93,8 @@ extern "C" { ndpi_protocol_category_t protoCategory, ndpi_port_range *tcpDefPorts, ndpi_port_range *udpDefPorts); - void ndpi_set_risk(struct ndpi_flow_struct *flow, ndpi_risk_enum r, - char *risk_message); + void ndpi_set_risk(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, + ndpi_risk_enum r, char *risk_message); void ndpi_unset_risk(struct ndpi_flow_struct *flow, ndpi_risk_enum r); int ndpi_isset_risk(struct ndpi_flow_struct *flow, ndpi_risk_enum r); int ndpi_is_printable_buffer(u_int8_t const * const buf, size_t len); @@ -108,7 +108,7 @@ extern "C" { #define NDPI_ENTROPY_ENCRYPTED_OR_RANDOM(entropy) (entropy >= 7.312f) float ndpi_entropy(u_int8_t const * const buf, size_t len); char *ndpi_entropy2str(float entropy, char *buf, size_t len); - void ndpi_entropy2risk(struct ndpi_flow_struct *flow); + void ndpi_entropy2risk(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); #ifdef __cplusplus } diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h index 43ffe5fc8..3491efcf8 100644 --- a/src/include/ndpi_private.h +++ b/src/include/ndpi_private.h @@ -292,6 +292,8 @@ struct ndpi_detection_module_config_struct { NDPI_PROTOCOL_BITMASK ip_list_bitmask; NDPI_PROTOCOL_BITMASK monitoring; + NDPI_PROTOCOL_BITMASK flowrisk_bitmask; + int flow_risk_lists_enabled; int risk_anonymous_subscriber_list_icloudprivaterelay_enabled; int risk_anonymous_subscriber_list_protonvpn_enabled; diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 9800f26e4..9e4f61296 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -97,7 +97,7 @@ typedef enum { NOTE When the typedef below is modified don't forget to update - nDPI/wireshark/ndpi.lua - - ndpi_risk2str, ndpi_risk2code, ndpi_code2risk (in ndpi_utils.c) + - ndpi_risk2str, ndpi_risk2code, ndpi_code2risk, ndpi_risk_shortnames (in ndpi_utils.c) - doc/flow_risks.rst - ndpi_known_risks (ndpi_main.c) @@ -175,6 +175,9 @@ typedef enum { typedef u_int64_t ndpi_risk; /* (**) */ +/*Used mainly by configuration */ +extern const char *ndpi_risk_shortnames[NDPI_MAX_RISK]; + typedef enum { NDPI_PARAM_HOSTNAME /* char* */, NDPI_PARAM_ISSUER_DN /* char* */, diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 6b3435f16..ce7277017 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -4466,7 +4466,7 @@ static u_int16_t guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str snprintf(buf, sizeof(buf), "Packet too short (%d vs %u)", packet->payload_packet_len, (unsigned int)sizeof(struct ndpi_icmphdr)); - ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, buf); + ndpi_set_risk(ndpi_str, flow, NDPI_MALFORMED_PACKET, buf); } else { u_int8_t icmp_type = (u_int8_t)packet->payload[0]; u_int8_t icmp_code = (u_int8_t)packet->payload[1]; @@ -4479,20 +4479,20 @@ static u_int16_t guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str snprintf(buf, sizeof(buf), "Invalid type (%u)/code(%u)", icmp_type, icmp_code); - ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, buf); + ndpi_set_risk(ndpi_str, flow, NDPI_MALFORMED_PACKET, buf); } if(packet->payload_packet_len > sizeof(struct ndpi_icmphdr)) { if(ndpi_str->cfg.compute_entropy && (flow->skip_entropy_check == 0)) { flow->entropy = ndpi_entropy(packet->payload + sizeof(struct ndpi_icmphdr), packet->payload_packet_len - sizeof(struct ndpi_icmphdr)); - ndpi_entropy2risk(flow); + ndpi_entropy2risk(ndpi_str, flow); } u_int16_t chksm = icmp4_checksum(packet->payload, packet->payload_packet_len); if(chksm) { - ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid ICMP checksum"); + ndpi_set_risk(ndpi_str, flow, NDPI_MALFORMED_PACKET, "Invalid ICMP checksum"); } } } @@ -4518,7 +4518,7 @@ static u_int16_t guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str snprintf(buf, sizeof(buf), "Packet too short (%d vs %u)", packet->payload_packet_len, (unsigned int)sizeof(struct ndpi_icmp6hdr)); - ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, buf); + ndpi_set_risk(ndpi_str, flow, NDPI_MALFORMED_PACKET, buf); } else { u_int8_t icmp6_type = (u_int8_t)packet->payload[0]; u_int8_t icmp6_code = (u_int8_t)packet->payload[1]; @@ -4531,7 +4531,7 @@ static u_int16_t guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str snprintf(buf, sizeof(buf), "Invalid type (%u)/code(%u)", icmp6_type, icmp6_code); - ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, buf); + ndpi_set_risk(ndpi_str, flow, NDPI_MALFORMED_PACKET, buf); } } } @@ -7196,9 +7196,9 @@ static void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_s u_int8_t flags = ((u_int8_t*)tcph)[13]; if(flags == 0) - ndpi_set_risk(flow, NDPI_TCP_ISSUES, "TCP NULL scan"); + ndpi_set_risk(ndpi_str, flow, NDPI_TCP_ISSUES, "TCP NULL scan"); else if(flags == (TH_FIN | TH_PUSH | TH_URG)) - ndpi_set_risk(flow, NDPI_TCP_ISSUES, "TCP XMAS scan"); + ndpi_set_risk(ndpi_str, flow, NDPI_TCP_ISSUES, "TCP XMAS scan"); if(ndpi_str->cfg.direction_detect_enabled && (tcph->source != tcph->dest)) @@ -7206,7 +7206,7 @@ static void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_s if(packet->packet_direction == 0 /* cli -> srv */) { if(flags == TH_FIN) - ndpi_set_risk(flow, NDPI_TCP_ISSUES, "TCP FIN scan"); + ndpi_set_risk(ndpi_str, flow, NDPI_TCP_ISSUES, "TCP FIN scan"); flow->l4.tcp.cli2srv_tcp_flags |= flags; } else @@ -7380,9 +7380,9 @@ static void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_s /* ! (multicast or broadcast) */ if(flow->packet_direction_complete_counter[flow->client_packet_direction] == 0) - ndpi_set_risk(flow, NDPI_UNIDIRECTIONAL_TRAFFIC, "No client to server traffic"); /* Should never happen */ + ndpi_set_risk(ndpi_str, flow, NDPI_UNIDIRECTIONAL_TRAFFIC, "No client to server traffic"); /* Should never happen */ else if(flow->packet_direction_complete_counter[!flow->client_packet_direction] == 0) - ndpi_set_risk(flow, NDPI_UNIDIRECTIONAL_TRAFFIC, "No server to client traffic"); + ndpi_set_risk(ndpi_str, flow, NDPI_UNIDIRECTIONAL_TRAFFIC, "No server to client traffic"); else { ndpi_unset_risk(flow, NDPI_UNIDIRECTIONAL_TRAFFIC); /* Clear bit */ } @@ -7814,12 +7814,12 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s break; case NDPI_PROTOCOL_RDP: - ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found RDP"); /* Remote assistance */ + ndpi_set_risk(ndpi_str, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found RDP"); /* Remote assistance */ break; case NDPI_PROTOCOL_ANYDESK: if(flow->l4_proto == IPPROTO_TCP) /* TCP only */ - ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found AnyDesk"); /* Remote assistance */ + ndpi_set_risk(ndpi_str, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found AnyDesk"); /* Remote assistance */ break; /* Generic container for microsoft subprotocols */ @@ -7877,7 +7877,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s } if(!skip_risk) - ndpi_set_risk(flow, NDPI_UNSAFE_PROTOCOL, NULL); + ndpi_set_risk(ndpi_str, flow, NDPI_UNSAFE_PROTOCOL, NULL); break; default: @@ -7942,28 +7942,29 @@ int search_into_bittorrent_cache(struct ndpi_detection_module_struct *ndpi_struc As these conditions won't happen with nDPI protocol-detected protocols it is not necessary to call this function elsewhere */ -static void ndpi_check_tcp_flags(struct ndpi_flow_struct *flow) { +static void ndpi_check_tcp_flags(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { // printf("[TOTAL] %u / %u [tot: %u]\n", flow->packet_direction_complete_counter[0], flow->packet_direction_complete_counter[1], flow->all_packets_counter); bool is_probing = false; if((flow->l4.tcp.cli2srv_tcp_flags & TH_SYN) && (flow->l4.tcp.srv2cli_tcp_flags & TH_RST) && (flow->packet_counter == 0 /* Ignore connections terminated by RST but that exchanged data (3WH + RST) */)) - ndpi_set_risk(flow, NDPI_TCP_ISSUES, "Connection refused (server)"), is_probing = true; + ndpi_set_risk(ndpi_struct, flow, NDPI_TCP_ISSUES, "Connection refused (server)"), is_probing = true; else if((flow->l4.tcp.cli2srv_tcp_flags & TH_SYN) && (flow->l4.tcp.cli2srv_tcp_flags & TH_RST) && (flow->packet_counter == 0 /* Ignore connections terminated by RST but that exchanged data (3WH + RST) */)) - ndpi_set_risk(flow, NDPI_TCP_ISSUES, "Connection refused (client)"), is_probing = true; + ndpi_set_risk(ndpi_struct, flow, NDPI_TCP_ISSUES, "Connection refused (client)"), is_probing = true; else if((flow->l4.tcp.srv2cli_tcp_flags & TH_RST) && (flow->packet_direction_complete_counter[1 /* server -> client */] == 1)) - ndpi_set_risk(flow, NDPI_TCP_ISSUES, "Connection refused"), is_probing = true; + ndpi_set_risk(ndpi_struct, flow, NDPI_TCP_ISSUES, "Connection refused"), is_probing = true; if(is_probing) - ndpi_set_risk(flow, NDPI_PROBING_ATTEMPT, "TCP probing attempt"); + ndpi_set_risk(ndpi_struct, flow, NDPI_PROBING_ATTEMPT, "TCP probing attempt"); } /* ******************************************************************** */ -static void ndpi_check_probing_attempt(struct ndpi_flow_struct *flow) { +static void ndpi_check_probing_attempt(struct ndpi_detection_module_struct *ndpi_str, + struct ndpi_flow_struct *flow) { /* TODO: check UDP traffic too */ if((flow->l4_proto == IPPROTO_TCP) @@ -7979,7 +7980,7 @@ static void ndpi_check_probing_attempt(struct ndpi_flow_struct *flow) { switch(flow->detected_protocol_stack[0]) { case NDPI_PROTOCOL_SSH: if(flow->protos.ssh.hassh_server[0] == '\0') - ndpi_set_risk(flow, NDPI_PROBING_ATTEMPT, "SSH Probing"); + ndpi_set_risk(ndpi_str, flow, NDPI_PROBING_ATTEMPT, "SSH Probing"); break; case NDPI_PROTOCOL_TLS: @@ -7988,12 +7989,12 @@ static void ndpi_check_probing_attempt(struct ndpi_flow_struct *flow) { case NDPI_PROTOCOL_MAIL_IMAPS: case NDPI_PROTOCOL_DTLS: if(flow->host_server_name[0] == '\0') - ndpi_set_risk(flow, NDPI_PROBING_ATTEMPT, "TLS Probing"); + ndpi_set_risk(ndpi_str, flow, NDPI_PROBING_ATTEMPT, "TLS Probing"); break; case NDPI_PROTOCOL_QUIC: if(flow->host_server_name[0] == '\0') - ndpi_set_risk(flow, NDPI_PROBING_ATTEMPT, "QUIC Probing"); + ndpi_set_risk(ndpi_str, flow, NDPI_PROBING_ATTEMPT, "QUIC Probing"); break; } } @@ -8016,8 +8017,8 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st return(ret); if(flow->l4_proto == IPPROTO_TCP) { - ndpi_check_tcp_flags(flow); - ndpi_check_probing_attempt(flow); + ndpi_check_tcp_flags(ndpi_str, flow); + ndpi_check_probing_attempt(ndpi_str, flow); } /* Init defaults */ @@ -8058,7 +8059,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st /* TODO: not sure about the best "order" among fully encrypted logic, classification by-port and classification by-ip...*/ if(ret.proto.app_protocol == NDPI_PROTOCOL_UNKNOWN && flow->first_pkt_fully_encrypted == 1) { - ndpi_set_risk(flow, NDPI_FULLY_ENCRYPTED, NULL); + ndpi_set_risk(ndpi_str, flow, NDPI_FULLY_ENCRYPTED, NULL); } /* If guess_ip_before_port is enabled, classify by-ip first */ @@ -8350,7 +8351,7 @@ int ndpi_fill_ip_protocol_category(struct ndpi_detection_module_struct *ndpi_str ret->custom_category_userdata = node->custom_user_data; if((ret->category == CUSTOM_CATEGORY_MALWARE) && (match_client == false)) { - ndpi_set_risk(flow, NDPI_MALWARE_HOST_CONTACTED, "Client contacted malware host"); + ndpi_set_risk(ndpi_str, flow, NDPI_MALWARE_HOST_CONTACTED, "Client contacted malware host"); } return(1); @@ -8396,7 +8397,7 @@ int ndpi_fill_ipv6_protocol_category(struct ndpi_detection_module_struct *ndpi_s ret->custom_category_userdata = node->custom_user_data; if((ret->category == CUSTOM_CATEGORY_MALWARE) && (match_client == false)) { - ndpi_set_risk(flow, NDPI_MALWARE_HOST_CONTACTED, "Client contacted malware host"); + ndpi_set_risk(ndpi_str, flow, NDPI_MALWARE_HOST_CONTACTED, "Client contacted malware host"); } return(1); @@ -8481,7 +8482,7 @@ static void ndpi_search_shellscript(struct ndpi_detection_module_struct *ndpi_st return; NDPI_LOG_INFO(ndpi_struct, "found Shellscript\n"); - ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, "Shellscript found"); + ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "Shellscript found"); } /* ********************************************************************************* */ @@ -8506,7 +8507,7 @@ static void ndpi_search_elf(struct ndpi_detection_module_struct *ndpi_struct, return; NDPI_LOG_INFO(ndpi_struct, "found ELF file\n"); - ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER, "ELF found"); + ndpi_set_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER, "ELF found"); } /* ********************************************************************************* */ @@ -8532,7 +8533,7 @@ static void ndpi_search_portable_executable(struct ndpi_detection_module_struct return; NDPI_LOG_INFO(ndpi_struct, "found Portable Executable (PE) file\n"); - ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER, "Portable Executable (PE32/PE32+) found"); + ndpi_set_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER, "Portable Executable (PE32/PE32+) found"); } /* ********************************************************************************* */ @@ -8920,7 +8921,7 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio if(default_ports && (default_ports[0] != 0)) { char str[64]; - ndpi_set_risk(flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT, + ndpi_set_risk(ndpi_str, flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT, ndpi_expected_ports_str(default_ports, str, sizeof(str))); } } @@ -8967,7 +8968,7 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio if(default_ports && (default_ports[0] != 0)) { char str[64]; - ndpi_set_risk(flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT, + ndpi_set_risk(ndpi_str, flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT, ndpi_expected_ports_str(default_ports, str, sizeof(str))); } } @@ -9001,7 +9002,7 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio } if(net_risk != NDPI_NO_RISK) - ndpi_set_risk(flow, net_risk, NULL); + ndpi_set_risk(ndpi_str, flow, net_risk, NULL); flow->tree_risk_checked = 1; } @@ -9040,7 +9041,7 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio flow->entropy = ndpi_entropy(packet->payload, packet->payload_packet_len); } - ndpi_entropy2risk(flow); + ndpi_entropy2risk(ndpi_str, flow); } /* First Packet Classification */ @@ -10338,7 +10339,7 @@ void ndpi_check_subprotocol_risk(struct ndpi_detection_module_struct *ndpi_str, switch(subprotocol_id) { case NDPI_PROTOCOL_ANYDESK: - ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found AnyDesk"); /* Remote assistance */ + ndpi_set_risk(ndpi_str, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found AnyDesk"); /* Remote assistance */ break; } } @@ -10379,7 +10380,7 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_ char str[64] = { '\0' }; strncpy(str, string_to_match, ndpi_min(string_to_match_len, sizeof(str)-1)); - ndpi_set_risk(flow, NDPI_RISKY_DOMAIN, str); + ndpi_set_risk(ndpi_str, flow, NDPI_RISKY_DOMAIN, str); } } @@ -10388,7 +10389,7 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_ char str[64] = { '\0' }; strncpy(str, string_to_match, ndpi_min(string_to_match_len, sizeof(str)-1)); - ndpi_set_risk(flow, NDPI_PUNYCODE_IDN, str); + ndpi_set_risk(ndpi_str, flow, NDPI_PUNYCODE_IDN, str); } return(rc); @@ -10532,7 +10533,7 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp !!flow->extra_packets_func); if(!flow->extra_packets_func) { - ndpi_check_probing_attempt(flow); + ndpi_check_probing_attempt(ndpi_str, flow); return(0); } @@ -10775,7 +10776,7 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, if(rc) { if(flow) - ndpi_set_risk(flow, NDPI_SUSPICIOUS_DGA_DOMAIN, name); + ndpi_set_risk(ndpi_str, flow, NDPI_SUSPICIOUS_DGA_DOMAIN, name); } return(rc); @@ -10922,7 +10923,7 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, || ((max_domain_element_len >= 19 /* word too long. Example bbcbedxhgjmdobdprmen.com */) && ((num_char_repetitions > 1) || (num_digits > 1))) ) { if(flow) { - ndpi_set_risk(flow, NDPI_SUSPICIOUS_DGA_DOMAIN, name); + ndpi_set_risk(ndpi_str, flow, NDPI_SUSPICIOUS_DGA_DOMAIN, name); } NDPI_LOG_DBG2(ndpi_str, "[DGA] Found!"); @@ -11076,7 +11077,7 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, NDPI_LOG_DBG2(ndpi_str, "[DGA] Result: %u\n", rc); if(rc && flow) - ndpi_set_risk(flow, NDPI_SUSPICIOUS_DGA_DOMAIN, name); + ndpi_set_risk(ndpi_str, flow, NDPI_SUSPICIOUS_DGA_DOMAIN, name); return(rc); } @@ -11223,16 +11224,45 @@ static u_int16_t __get_proto_id(const char *proto_name_or_id) /* ******************************************************************** */ +static ndpi_risk_enum __get_flowrisk_id(const char *flowrisk_name_or_id) +{ + char *endptr; + long val; + int i; + + /* Let try to decode the string as numerical flow risk id */ + /* We can't easily use ndpi_strtonum because we want to be sure that there are no + others characters after the number */ + errno = 0; /* To distinguish success/failure after call */ + val = strtol(flowrisk_name_or_id, &endptr, 10); + if(errno == 0 && *endptr == '\0' && + (val >= 0 && val < NDPI_MAX_RISK)) { + return val; + + } + + /* Try to decode the string as flow risk name */ + for(i = 0; i < NDPI_MAX_RISK; i++) { + if(strcmp(ndpi_risk_shortnames[i], flowrisk_name_or_id) == 0) + return i; + } + + return NDPI_NO_RISK; +} + +/* ******************************************************************** */ + static ndpi_cfg_error _set_param_enable_disable(struct ndpi_detection_module_struct *ndpi_str, void *_variable, const char *value, const char *min_value, const char *max_value, - const char *proto) { + const char *proto, const char *param) { int *variable = (int *)_variable; (void)ndpi_str; (void)min_value; (void)max_value; (void)proto; + (void)param; if(strcmp(value, "1") == 0 || strcmp(value, "enable") == 0) { @@ -11254,13 +11284,14 @@ static ndpi_cfg_error _set_param_enable_disable(struct ndpi_detection_module_str static ndpi_cfg_error _set_param_int(struct ndpi_detection_module_struct *ndpi_str, void *_variable, const char *value, const char *min_value, const char *max_value, - const char *proto) { + const char *proto, const char *param) { int *variable = (int *)_variable; const char *errstrp; long val; (void)ndpi_str; (void)proto; + (void)param; val = ndpi_strtonum(value, LONG_MIN, LONG_MAX, &errstrp, 0); if(errstrp) { @@ -11307,13 +11338,14 @@ static char *_get_param_string(void *_variable, const char *proto, char *buf, in static ndpi_cfg_error _set_param_filename(struct ndpi_detection_module_struct *ndpi_str, void *_variable, const char *value, const char *min_value, const char *max_value, - const char *proto) { + const char *proto, const char *param) { char *variable = (char *)_variable; (void)ndpi_str; (void)min_value; (void)max_value; (void)proto; + (void)param; if(value == NULL) { /* Valid value */ variable[0] = '\0'; @@ -11331,11 +11363,11 @@ static ndpi_cfg_error _set_param_filename(struct ndpi_detection_module_struct *n static ndpi_cfg_error _set_param_filename_config(struct ndpi_detection_module_struct *ndpi_str, void *_variable, const char *value, const char *min_value, const char *max_value, - const char *proto) { + const char *proto, const char *param) { int rc; FILE *fd; - rc = _set_param_filename(ndpi_str, _variable, value, min_value, max_value, proto); + rc = _set_param_filename(ndpi_str, _variable, value, min_value, max_value, proto, param); if(rc != 0 || value == NULL || ndpi_str == NULL) return rc; @@ -11374,7 +11406,7 @@ static char *_get_param_protocol_enable_disable(void *_variable, const char *pro static ndpi_cfg_error _set_param_protocol_enable_disable(struct ndpi_detection_module_struct *ndpi_str, void *_variable, const char *value, const char *min_value, const char *max_value, - const char *proto) + const char *proto, const char *param) { NDPI_PROTOCOL_BITMASK *bitmask = (NDPI_PROTOCOL_BITMASK *)_variable; u_int16_t proto_id; @@ -11382,6 +11414,7 @@ static ndpi_cfg_error _set_param_protocol_enable_disable(struct ndpi_detection_m (void)ndpi_str; (void)min_value; (void)max_value; + (void)param; if(strcmp(proto, "any") == 0 || strcmp(proto, "all") == 0 || @@ -11415,6 +11448,71 @@ static ndpi_cfg_error _set_param_protocol_enable_disable(struct ndpi_detection_m return NDPI_CFG_INVALID_PARAM; } +static char *_get_param_flowrisk_enable_disable(void *_variable, const char *proto, + char *buf, int buf_len) +{ + NDPI_PROTOCOL_BITMASK *bitmask = (NDPI_PROTOCOL_BITMASK *)_variable; + ndpi_risk_enum flowrisk_id; + + flowrisk_id = __get_flowrisk_id(proto); + if(flowrisk_id == NDPI_NO_RISK) + return NULL; + + snprintf(buf, buf_len, "%d", !!NDPI_ISSET(bitmask, flowrisk_id)); + buf[buf_len - 1] = '\0'; + return buf; +} + +static ndpi_cfg_error _set_param_flowrisk_enable_disable(struct ndpi_detection_module_struct *ndpi_str, + void *_variable, const char *value, + const char *min_value, const char *max_value, + const char *proto, const char *param) +{ + NDPI_PROTOCOL_BITMASK *bitmask = (NDPI_PROTOCOL_BITMASK *)_variable; + ndpi_risk_enum flowrisk_id; + + (void)ndpi_str; + (void)min_value; + (void)max_value; + (void)proto; + + if(strncmp(param, "flow_risk.", 10) != 0) + return NDPI_CFG_INVALID_PARAM; + + param += 10; /* Strip initial "flow_risk." */ + + if(strcmp(param, "any") == 0 || + strcmp(param, "all") == 0 || + strcmp(param, "$FLOWRISK_NAME_OR_ID") == 0) { + if(strcmp(value, "1") == 0 || + strcmp(value, "enable") == 0) { + NDPI_BITMASK_SET_ALL(*bitmask); + return NDPI_CFG_OK; + } + if(strcmp(value, "0") == 0 || + strcmp(value, "disable") == 0) { + NDPI_BITMASK_RESET(*bitmask); + return NDPI_CFG_OK; + } + } + + flowrisk_id = __get_flowrisk_id(param); + if(flowrisk_id == NDPI_NO_RISK) + return NDPI_CFG_INVALID_PARAM; + + if(strcmp(value, "1") == 0 || + strcmp(value, "enable") == 0) { + NDPI_BITMASK_ADD(*bitmask, flowrisk_id); + return NDPI_CFG_OK; + } + if(strcmp(value, "0") == 0 || + strcmp(value, "disable") == 0) { + NDPI_BITMASK_DEL(*bitmask, flowrisk_id); + return NDPI_CFG_OK; + } + return NDPI_CFG_INVALID_PARAM; +} + static int clbk_only_with_global_ctx(struct ndpi_detection_module_struct *ndpi_str, void *_variable, const char *proto, const char *param) @@ -11438,12 +11536,13 @@ enum cfg_param_type { CFG_PARAM_INT, CFG_PARAM_PROTOCOL_ENABLE_DISABLE, CFG_PARAM_FILENAME_CONFIG, /* We call ndpi_set_config() immediately for each row in it */ + CFG_PARAM_FLOWRISK_ENABLE_DISABLE, }; typedef ndpi_cfg_error (*cfg_set)(struct ndpi_detection_module_struct *ndpi_str, void *_variable, const char *value, const char *min_value, const char *max_value, - const char *proto); + const char *proto, const char *param); typedef char *(*cfg_get)(void *_variable, const char *proto, char *buf, int buf_len); typedef int (*cfg_calback)(struct ndpi_detection_module_struct *ndpi_str, void *_variable, const char *proto, const char *param); @@ -11456,6 +11555,7 @@ static const struct cfg_op { { CFG_PARAM_INT, _set_param_int, _get_param_int }, { CFG_PARAM_PROTOCOL_ENABLE_DISABLE, _set_param_protocol_enable_disable, _get_param_protocol_enable_disable }, { CFG_PARAM_FILENAME_CONFIG, _set_param_filename_config, _get_param_string }, + { CFG_PARAM_FLOWRISK_ENABLE_DISABLE, _set_param_flowrisk_enable_disable, _get_param_flowrisk_enable_disable }, }; #define __OFF(a) offsetof(struct ndpi_detection_module_config_struct, a) @@ -11548,6 +11648,8 @@ static const struct cfg_param { { NULL, "flow_risk_lists.load", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(flow_risk_lists_enabled), NULL }, + { NULL, "flow_risk.$FLOWRISK_NAME_OR_ID", "enable", NULL, NULL, CFG_PARAM_FLOWRISK_ENABLE_DISABLE, __OFF(flowrisk_bitmask), NULL }, + { NULL, "flow_risk.anonymous_subscriber.list.icloudprivaterelay.load", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(risk_anonymous_subscriber_list_icloudprivaterelay_enabled), NULL }, { NULL, "flow_risk.anonymous_subscriber.list.protonvpn.load", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(risk_anonymous_subscriber_list_protonvpn_enabled), NULL }, { NULL, "flow_risk.crawler_bot.list.load", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(risk_crawler_bot_list_enabled), NULL }, @@ -11597,7 +11699,7 @@ static void set_default_config(struct ndpi_detection_module_config_struct *cfg) for(c = &cfg_params[0]; c && c->param; c++) { cfg_ops[c->type].fn_set(NULL, (void *)((char *)cfg + c->offset), - c->default_value, c->min_value, c->max_value, c->proto); + c->default_value, c->min_value, c->max_value, c->proto, c->param); } } @@ -11621,10 +11723,13 @@ ndpi_cfg_error ndpi_set_config(struct ndpi_detection_module_struct *ndpi_str, strcmp(param, c->param) == 0) || (proto && c->proto && strcmp(c->proto, "$PROTO_NAME_OR_ID") == 0 && - strcmp(param, c->param) == 0)) { + strcmp(param, c->param) == 0) || + (proto == NULL && c->proto == NULL && + strncmp(c->param, "flow_risk.", 10) == 0 && + strncmp(param, "flow_risk.", 10) == 0)) { rc = cfg_ops[c->type].fn_set(ndpi_str, (void *)((char *)&ndpi_str->cfg + c->offset), - value, c->min_value, c->max_value, proto); + value, c->min_value, c->max_value, proto, param); if(rc == NDPI_CFG_OK && c->fn_callback) { ret = c->fn_callback(ndpi_str, (void *)((char *)&ndpi_str->cfg + c->offset), proto, param); @@ -11670,6 +11775,9 @@ char *ndpi_get_config(struct ndpi_detection_module_struct *ndpi_str, strcmp(param, c->param) == 0) || (proto && c->proto && strcmp(c->proto, "$PROTO_NAME_OR_ID") == 0 && + strcmp(param, c->param) == 0) || + (proto == NULL && c->proto == NULL && + strcmp(c->param, "flow_risk.$FLOWRISK_NAME_OR_ID") == 0 && strcmp(param, c->param) == 0)) { return cfg_ops[c->type].fn_get((void *)((char *)&ndpi_str->cfg + c->offset), proto, buf, buf_len); @@ -11720,6 +11828,15 @@ char *ndpi_dump_config(struct ndpi_detection_module_struct *ndpi_str, c->default_value); fprintf(fd, "\n"); break; + /* TODO */ + case CFG_PARAM_FLOWRISK_ENABLE_DISABLE: + fprintf(fd, " *) %s %s: %s [all %s]", + c->proto ? c->proto : "NULL", + c->param, + /* TODO */ _get_param_flowrisk_enable_disable((void *)((char *)&ndpi_str->cfg + c->offset), "any", buf, sizeof(buf)), + c->default_value); + fprintf(fd, "\n"); + break; } } return NULL; diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index 5df42a13c..ddc20b196 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -2573,6 +2573,66 @@ u_int16_t ndpi_risk2score(ndpi_risk risk, return(score); } +const char *ndpi_risk_shortnames[NDPI_MAX_RISK] = { + "unknown", /* NDPI_NO_RISK */ + "xss", + "sql", + "rce", + "binary_transfer", + "non_standard_port", + "tls_selfsigned_cert", + "tls_obsolete_ver", + "tls_weak_cipher", + "tls_cert_expired", + "tls_cert_mismatch", /* NDPI_TLS_CERTIFICATE_MISMATCH */ + "http_susp_ua", + "numeric_ip_host", + "http_susp_url", + "http_susp_header", + "tls_not_https", + "dga", + "malformed_pkt", + "ssh_obsolete_client", + "ssh_obsolete_server", + "smb_insecure_ver", /* NDPI_SMB_INSECURE_VERSION */ + "tls_esni", + "unsafe_proto", + "dns_susp", + "tls_no_sni", + "http_susp_content", + "risky_asn", + "risky_domain", + "malicious_fingerprint", + "malicious_cert", + "desktop_sharing", /* NDPI_DESKTOP_OR_FILE_SHARING_SESSION */ + "uls_uncommon_alpn", + "tls_cert_too_long", + "tls_susp_ext", + "tls_fatal_err", + "susp_entropy", + "clear_credential", + "dns_large_pkt", + "dns_fragmented", + "invalid_characters", + "exploit", /* NDPI_POSSIBLE_EXPLOIT */ + "tls_cert_about_to_expire", + "punycode", + "error_code", + "crawler_bot", + "anonymous_subscriber", + "unidirectional", + "http_obsolete_server", + "periodic_flow", + "minor_issues", + "tcp_issues", /* NDPI_TCP_ISSUES */ + "fully_encrypted", + "tls_alpn_mismatch", + "malware_host", + "binary_data_transfer", + "probing", + "obfuscated", +}; + /* ******************************************************************** */ const char* ndpi_http_method2str(ndpi_http_method m) { @@ -2876,6 +2936,15 @@ static u_int8_t ndpi_check_ipv6_exception(struct ndpi_detection_module_struct *n /* ********************************************************************************* */ +static int is_flowrisk_enabled(struct ndpi_detection_module_struct *ndpi_str, ndpi_risk_enum flowrisk_id) +{ + if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_str->cfg.flowrisk_bitmask, flowrisk_id) == 0) + return 0; + return 1; +} + +/* ********************************************************************************* */ + void ndpi_handle_risk_exceptions(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow) { if(flow->risk == 0) return; /* Nothing to do */ @@ -2931,10 +3000,13 @@ void ndpi_handle_risk_exceptions(struct ndpi_detection_module_struct *ndpi_str, /* ******************************************************************** */ -void ndpi_set_risk(struct ndpi_flow_struct *flow, ndpi_risk_enum r, - char *risk_message) { +void ndpi_set_risk(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, + ndpi_risk_enum r, char *risk_message) { if(!flow) return; + if(!is_flowrisk_enabled(ndpi_str, r)) + return; + /* Check if the risk is not yet set */ if(!ndpi_isset_risk(flow, r)) { ndpi_risk v = 1ull << r; @@ -3124,7 +3196,8 @@ char *ndpi_entropy2str(float entropy, char *buf, size_t len) { /* ******************************************************************** */ -void ndpi_entropy2risk(struct ndpi_flow_struct *flow) { +void ndpi_entropy2risk(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { char str[64]; if (NDPI_ENTROPY_PLAINTEXT(flow->entropy)) @@ -3142,7 +3215,7 @@ void ndpi_entropy2risk(struct ndpi_flow_struct *flow) { if (flow->confidence != NDPI_CONFIDENCE_DPI && flow->confidence != NDPI_CONFIDENCE_DPI_CACHE) { - ndpi_set_risk(flow, NDPI_SUSPICIOUS_ENTROPY, + ndpi_set_risk(ndpi_struct, flow, NDPI_SUSPICIOUS_ENTROPY, ndpi_entropy2str(flow->entropy, str, sizeof(str))); return; } @@ -3161,7 +3234,7 @@ void ndpi_entropy2risk(struct ndpi_flow_struct *flow) { flow->category == NDPI_PROTOCOL_CATEGORY_UNSPECIFIED || flow->category == NDPI_PROTOCOL_CATEGORY_WEB) { - ndpi_set_risk(flow, NDPI_SUSPICIOUS_ENTROPY, + ndpi_set_risk(ndpi_struct, flow, NDPI_SUSPICIOUS_ENTROPY, ndpi_entropy2str(flow->entropy, str, sizeof(str))); return; } diff --git a/src/lib/protocols/can.c b/src/lib/protocols/can.c index 0f1e1e243..fc12866a8 100644 --- a/src/lib/protocols/can.c +++ b/src/lib/protocols/can.c @@ -67,7 +67,7 @@ static void ndpi_search_can(struct ndpi_detection_module_struct *ndpi_struct, ndpi_int_can_add_connection(ndpi_struct, flow); if (can_header->version != 0x01) { - ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid CAN Header"); + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid CAN Header"); } } diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 927e09af2..ce991735d 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -44,7 +44,8 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, /* *********************************************** */ -static void ndpi_check_dns_type(struct ndpi_flow_struct *flow, +static void ndpi_check_dns_type(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, u_int16_t dns_type) { /* https://en.wikipedia.org/wiki/List_of_DNS_record_types */ @@ -92,7 +93,7 @@ static void ndpi_check_dns_type(struct ndpi_flow_struct *flow, case 106: case 107: case 259: - ndpi_set_risk(flow, NDPI_DNS_SUSPICIOUS_TRAFFIC, "Obsolete DNS record type"); + ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_SUSPICIOUS_TRAFFIC, "Obsolete DNS record type"); break; } } @@ -321,7 +322,7 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, } } else { if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) - ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid DNS Header"); + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid DNS Header"); return(1 /* invalid */); } } else { @@ -351,10 +352,10 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, snprintf(str, sizeof(str), "DNS Error Code %s", dns_error_code2string(flow->protos.dns.reply_code, buf, sizeof(buf))); - ndpi_set_risk(flow, NDPI_ERROR_CODE_DETECTED, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED, str); } else { if(ndpi_isset_risk(flow, NDPI_SUSPICIOUS_DGA_DOMAIN)) { - ndpi_set_risk(flow, NDPI_RISKY_DOMAIN, "DGA Name Query with no Error Code"); + ndpi_set_risk(ndpi_struct, flow, NDPI_RISKY_DOMAIN, "DGA Name Query with no Error Code"); } } @@ -431,7 +432,7 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, rsp_ttl = ntohl(*((u_int32_t*)&packet->payload[x+2])); if(rsp_ttl == 0) - ndpi_set_risk(flow, NDPI_MINOR_ISSUES, "DNS Record with zero TTL"); + ndpi_set_risk(ndpi_struct, flow, NDPI_MINOR_ISSUES, "DNS Record with zero TTL"); #ifdef DNS_DEBUG printf("[DNS] TTL = %u\n", rsp_ttl); @@ -439,7 +440,7 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, #endif if(found == 0) { - ndpi_check_dns_type(flow, rsp_type); + ndpi_check_dns_type(ndpi_struct, flow, rsp_type); flow->protos.dns.rsp_type = rsp_type; } @@ -776,7 +777,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st #ifdef DNS_DEBUG printf("[DNS] Invalid query len [%u >= %u]\n", i+4, packet->payload_packet_len); #endif - ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid DNS Query Lenght"); + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid DNS Query Lenght"); break; } else { idx = i+5, num_queries++; @@ -788,7 +789,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st ndpi_hostname_sni_set(flow, (const u_int8_t *)_hostname, len, is_mdns ? NDPI_HOSTNAME_NORM_LC : NDPI_HOSTNAME_NORM_ALL); if (hostname_is_valid == 0) - ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, "Invalid chars detected in domain name"); + ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, "Invalid chars detected in domain name"); /* Ignore reverse DNS queries */ if(strstr(_hostname, ".in-addr.") == NULL) { @@ -812,7 +813,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st ) ; /* Check common domain exceptions [TODO: if the list grows too much use a different datastructure] */ else - ndpi_set_risk(flow, NDPI_DNS_SUSPICIOUS_TRAFFIC, "Long DNS host name"); + ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_SUSPICIOUS_TRAFFIC, "Long DNS host name"); } } } @@ -908,7 +909,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st char str[48]; snprintf(str, sizeof(str), "%u Bytes DNS Packet", packet->payload_packet_len); - ndpi_set_risk(flow, NDPI_DNS_LARGE_PACKET, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_LARGE_PACKET, str); } if(packet->iph != NULL) { @@ -918,14 +919,14 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st /* 0: fragmented; 1: not fragmented */ if((flags & 0x20) || (iph_is_valid_and_not_fragmented(packet->iph, packet->l3_packet_len) == 0)) { - ndpi_set_risk(flow, NDPI_DNS_FRAGMENTED, NULL); + ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_FRAGMENTED, NULL); } } else if(packet->iphv6 != NULL) { /* IPv6 */ const struct ndpi_ip6_hdrctl *ip6_hdr = &packet->iphv6->ip6_hdr; if(ip6_hdr->ip6_un1_nxt == 0x2C /* Next Header: Fragment Header for IPv6 (44) */) { - ndpi_set_risk(flow, NDPI_DNS_FRAGMENTED, NULL); + ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_FRAGMENTED, NULL); } } } diff --git a/src/lib/protocols/fastcgi.c b/src/lib/protocols/fastcgi.c index 10384a13e..52518b0c9 100644 --- a/src/lib/protocols/fastcgi.c +++ b/src/lib/protocols/fastcgi.c @@ -204,7 +204,7 @@ static void ndpi_search_fastcgi(struct ndpi_detection_module_struct *ndpi_struct if (fcgi_parse_params(flow, packet) != 0) { - ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid FastCGI PARAMS header"); + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid FastCGI PARAMS header"); ndpi_int_fastcgi_add_connection(ndpi_struct, flow, NULL); } else { ndpi_match_host_subprotocol(ndpi_struct, flow, @@ -218,10 +218,10 @@ static void ndpi_search_fastcgi(struct ndpi_detection_module_struct *ndpi_struct char str[128]; snprintf(str, sizeof(str), "Invalid host %s", flow->host_server_name); - ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, str); /* This looks like an attack */ - ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, "Suspicious hostname: attack ?"); + ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "Suspicious hostname: attack ?"); } ndpi_int_fastcgi_add_connection(ndpi_struct, flow, &ret_match); } diff --git a/src/lib/protocols/ftp_control.c b/src/lib/protocols/ftp_control.c index 7118ff295..266fc414a 100644 --- a/src/lib/protocols/ftp_control.c +++ b/src/lib/protocols/ftp_control.c @@ -42,7 +42,8 @@ static void ndpi_int_ftp_control_add_connection(struct ndpi_detection_module_str /* *************************************************************** */ -static int ndpi_ftp_control_check_request(struct ndpi_flow_struct *flow, +static int ndpi_ftp_control_check_request(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, const u_int8_t *payload, size_t payload_len) { #ifdef FTP_DEBUG @@ -58,7 +59,7 @@ static int ndpi_ftp_control_check_request(struct ndpi_flow_struct *flow, snprintf(buf, sizeof(buf), "Found FTP username (%s)", flow->l4.tcp.ftp_imap_pop_smtp.username); - ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); + ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); return 1; } @@ -602,7 +603,7 @@ static void ndpi_check_ftp_control(struct ndpi_detection_module_struct *ndpi_str if(flow->ftp_control_stage == 0) { NDPI_LOG_DBG2(ndpi_struct, "FTP_CONTROL stage 0: \n"); - if((payload_len > 0) && ndpi_ftp_control_check_request(flow, + if((payload_len > 0) && ndpi_ftp_control_check_request(ndpi_struct, flow, packet->payload, payload_len)) { NDPI_LOG_DBG2(ndpi_struct, "Possible FTP_CONTROL request detected, we will look further for the response..\n"); diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index fb1cf446b..80ea122fd 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -65,11 +65,11 @@ static char* forge_attempt_msg(struct ndpi_flow_struct *flow, char *msg, char *b /* *********************************************** */ -static void ndpi_set_binary_data_transfer(struct ndpi_flow_struct *flow, +static void ndpi_set_binary_data_transfer(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, char *msg) { char buf[256]; - ndpi_set_risk(flow, NDPI_BINARY_DATA_TRANSFER, + ndpi_set_risk(ndpi_struct, flow, NDPI_BINARY_DATA_TRANSFER, forge_attempt_msg(flow, msg, buf, sizeof(buf))); } @@ -91,7 +91,7 @@ static void ndpi_set_binary_application_transfer(struct ndpi_detection_module_st else { char buf[256]; - ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER, forge_attempt_msg(flow, msg, buf, sizeof(buf))); + ndpi_set_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER, forge_attempt_msg(flow, msg, buf, sizeof(buf))); } } @@ -203,7 +203,7 @@ static void ndpi_http_check_human_redeable_content(struct ndpi_detection_module_ snprintf(str, sizeof(str), "Susp content %02X%02X%02X%02X", content[0], content[1], content[2], content[3]); - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_CONTENT, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_CONTENT, str); } } } @@ -255,7 +255,7 @@ static void ndpi_validate_http_content(struct ndpi_detection_module_struct *ndpi https://corelight.com/blog/detecting-log4j-exploits-via-zeek-when-java-downloads-java */ - ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, "Suspicious Log4J"); + ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "Suspicious Log4J"); } } @@ -263,7 +263,7 @@ static void ndpi_validate_http_content(struct ndpi_detection_module_struct *ndpi } if((flow->http.user_agent == NULL) || (flow->http.user_agent[0] == '\0')) - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, "Empty or missing User-Agent"); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, "Empty or missing User-Agent"); } /* *********************************************** */ @@ -305,7 +305,7 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo NDPI_LOG_INFO(ndpi_struct, "found HTTP file transfer"); snprintf(str, sizeof(str), "Found binary mime %s", cmp_mimes[i]); - ndpi_set_binary_data_transfer(flow, str); + ndpi_set_binary_data_transfer(ndpi_struct, flow, str); found = true; break; } @@ -403,7 +403,7 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo /* No executable but just data transfer */ snprintf(str, sizeof(str), "File download %s", flow->http.filename ? flow->http.filename : ""); - ndpi_set_binary_data_transfer(flow, str); + ndpi_set_binary_data_transfer(ndpi_struct, flow, str); } } } @@ -667,7 +667,7 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp if(!flow->http.username) flow->http.username = ndpi_strdup(value); } else if((strcmp(key, "pwd") == 0) || (strcmp(key, "password") == 0)) { if(!flow->http.password) flow->http.password = ndpi_strdup(value); - ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found password"); + ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found password"); } key = strtok_r(NULL, "=", &tmp); @@ -681,7 +681,8 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp /* ************************************************************* */ -static void ndpi_check_user_agent(struct ndpi_flow_struct *flow, +static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, char const *ua, size_t ua_len) { char *double_slash; @@ -715,7 +716,7 @@ static void ndpi_check_user_agent(struct ndpi_flow_struct *flow, char str[64]; snprintf(str, sizeof(str), "UA %s", ua); - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, str); } } } @@ -726,7 +727,7 @@ static void ndpi_check_user_agent(struct ndpi_flow_struct *flow, char str[64]; snprintf(str, sizeof(str), "UA %s", ua); - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, str); } if((double_slash = strstr(ua, "://")) != NULL) { @@ -736,14 +737,14 @@ static void ndpi_check_user_agent(struct ndpi_flow_struct *flow, char str[64]; snprintf(str, sizeof(str), "UA %s", ua); - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, str); } } } /* no else */ if(!strncmp(ua, "jndi:ldap://", 12)) /* Log4J */ { - ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, "Suspicious Log4J"); + ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "Suspicious Log4J"); } else if( (ua_len < 4) /* Too short */ || (ua_len > 256) /* Too long */ @@ -751,7 +752,7 @@ static void ndpi_check_user_agent(struct ndpi_flow_struct *flow, || strchr(ua, '{') || strchr(ua, '}') ) { - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, "Suspicious Log4J"); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, "Suspicious Log4J"); } /* @@ -768,7 +769,7 @@ static void ndpi_check_user_agent(struct ndpi_flow_struct *flow, snprintf(str, sizeof(str), "UA %s", ua); - ndpi_set_risk(flow, NDPI_HTTP_CRAWLER_BOT, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_CRAWLER_BOT, str); } } @@ -838,7 +839,7 @@ void http_process_user_agent(struct ndpi_detection_module_struct *ndpi_struct, if(ndpi_user_agent_set(flow, ua_ptr, ua_ptr_len) != NULL) { ndpi_unset_risk(flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT); - ndpi_check_user_agent(flow, flow->http.user_agent, ua_ptr_len); + ndpi_check_user_agent(ndpi_struct, flow, flow->http.user_agent, ua_ptr_len); } else { NDPI_LOG_DBG2(ndpi_struct, "Could not set HTTP user agent (already set?)\n"); } @@ -849,7 +850,8 @@ void http_process_user_agent(struct ndpi_detection_module_struct *ndpi_struct, /* ************************************************************* */ -static void ndpi_check_numeric_ip(struct ndpi_flow_struct *flow, +static void ndpi_check_numeric_ip(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, char *ip, u_int ip_len) { char buf[22], *double_dot; struct in_addr ip_addr; @@ -865,20 +867,21 @@ static void ndpi_check_numeric_ip(struct ndpi_flow_struct *flow, char str[64]; snprintf(str, sizeof(str), "Found host %s", buf); - ndpi_set_risk(flow, NDPI_NUMERIC_IP_HOST, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST, str); } } /* ************************************************************* */ -static void ndpi_check_http_url(struct ndpi_flow_struct *flow, +static void ndpi_check_http_url(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, char *url) { if(strstr(url, "<php>") != NULL /* PHP code in the URL */) - ndpi_set_risk(flow, NDPI_URL_POSSIBLE_RCE_INJECTION, "PHP code in URL"); + ndpi_set_risk(ndpi_struct, flow, NDPI_URL_POSSIBLE_RCE_INJECTION, "PHP code in URL"); else if(strncmp(url, "/shell?", 7) == 0) - ndpi_set_risk(flow, NDPI_URL_POSSIBLE_RCE_INJECTION, "Possible WebShell detected"); + ndpi_set_risk(ndpi_struct, flow, NDPI_URL_POSSIBLE_RCE_INJECTION, "Possible WebShell detected"); else if(strncmp(url, "/.", 2) == 0) - ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, "URL starting with dot"); + ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "URL starting with dot"); } /* ************************************************************* */ @@ -886,7 +889,8 @@ static void ndpi_check_http_url(struct ndpi_flow_struct *flow, #define MIN_APACHE_VERSION 2004000 /* 2.4.X [https://endoflife.date/apache] */ #define MIN_NGINX_VERSION 1022000 /* 1.22.0 [https://endoflife.date/nginx] */ -static void ndpi_check_http_server(struct ndpi_flow_struct *flow, +static void ndpi_check_http_server(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, const char *server, u_int server_len) { if(server[0] != '\0') { if(server_len > 7) { @@ -907,10 +911,10 @@ static void ndpi_check_http_server(struct ndpi_flow_struct *flow, if((off == 7) && (version < MIN_APACHE_VERSION)) { snprintf(msg, sizeof(msg), "Obsolete Apache server %s", buf); - ndpi_set_risk(flow, NDPI_HTTP_OBSOLETE_SERVER, msg); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_OBSOLETE_SERVER, msg); } else if((off == 6) && (version < MIN_NGINX_VERSION)) { snprintf(msg, sizeof(msg), "Obsolete nginx server %s", buf); - ndpi_set_risk(flow, NDPI_HTTP_OBSOLETE_SERVER, msg); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_OBSOLETE_SERVER, msg); } } } @@ -918,7 +922,7 @@ static void ndpi_check_http_server(struct ndpi_flow_struct *flow, /* Check server content */ for(i=0; i<server_len; i++) { if(!ndpi_isprint(server[i])) { - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, "Suspicious Agent"); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, "Suspicious Agent"); break; } } @@ -945,7 +949,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ if(ndpi_isdigit(packet->host_line.ptr[0]) && (packet->host_line.len < 21)) - ndpi_check_numeric_ip(flow, (char*)packet->host_line.ptr, packet->host_line.len); + ndpi_check_numeric_ip(ndpi_struct, flow, (char*)packet->host_line.ptr, packet->host_line.len); flow->http.url = ndpi_malloc(len); if(flow->http.url) { @@ -976,7 +980,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ flow->http.url[offset] = '\0'; } - ndpi_check_http_url(flow, &flow->http.url[host_end]); + ndpi_check_http_url(ndpi_struct, flow, &flow->http.url[host_end]); } } @@ -985,7 +989,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ (u_int16_t)packet->http_method.len); if(packet->server_line.ptr != NULL) - ndpi_check_http_server(flow, (const char *)packet->server_line.ptr, packet->server_line.len); + ndpi_check_http_server(ndpi_struct, flow, (const char *)packet->server_line.ptr, packet->server_line.len); if(packet->user_agent_line.ptr != NULL) { http_process_user_agent(ndpi_struct, flow, packet->user_agent_line.ptr, packet->user_agent_line.len); @@ -1051,7 +1055,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ ndpi_free(content); } - ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, + ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found credentials in HTTP Auth Line"); } } @@ -1114,10 +1118,10 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ char str[128]; snprintf(str, sizeof(str), "Invalid host %s", flow->host_server_name); - ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, str); /* This looks like an attack */ - ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, "Suspicious hostname: attack ?"); + ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "Suspicious hostname: attack ?"); } double_col = strchr((char*)flow->host_server_name, ':'); @@ -1131,7 +1135,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ snprintf(msg, sizeof(msg), "Expected %s, found %s", ndpi_intoav4(ntohl(ndpi_struct->packet.iph->daddr), buf, sizeof(buf)), flow->host_server_name); - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, msg); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, msg); } } } @@ -1274,7 +1278,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str char str[64]; snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr); - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); return; } break; @@ -1283,7 +1287,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str char str[64]; snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr); - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); return; } break; @@ -1292,7 +1296,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str char str[64]; snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr); - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); return; } break; @@ -1301,7 +1305,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str char str[64]; snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr); - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); return; } break; @@ -1310,7 +1314,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str char str[64]; snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr); - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); return; } break; @@ -1319,7 +1323,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str char str[64]; snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr); - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); return; } break; @@ -1328,7 +1332,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str char str[64]; snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr); - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); return; } break; @@ -1337,7 +1341,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str char str[64]; snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr); - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); return; } break; @@ -1346,7 +1350,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str char str[64]; snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr); - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); return; } @@ -1376,7 +1380,7 @@ static void parse_response_code(struct ndpi_detection_module_struct *ndpi_struct if(flow->http.response_status_code >= 400) { snprintf(ec, sizeof(ec), "HTTP Error Code %u", flow->http.response_status_code); - ndpi_set_risk(flow, NDPI_ERROR_CODE_DETECTED, ec); + ndpi_set_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED, ec); if(flow->http.url != NULL) { /* Let's check for Wordpress */ @@ -1387,7 +1391,7 @@ static void parse_response_code(struct ndpi_detection_module_struct *ndpi_struct || ((flow->http.method == NDPI_HTTP_METHOD_GET) && (strncmp(slash, "/wp-content/uploads/", 20) == 0)) )) { /* Example of popular exploits https://www.wordfence.com/blog/2022/05/millions-of-attacks-target-tatsu-builder-plugin/ */ - ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, "Possible Wordpress Exploit"); + ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "Possible Wordpress Exploit"); } } } @@ -1464,7 +1468,7 @@ static void process_request(struct ndpi_detection_module_struct *ndpi_struct, if(flow->http.user_agent == NULL || flow->http.user_agent[0] == '\0') { - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, "Empty or missing User-Agent"); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, "Empty or missing User-Agent"); } } diff --git a/src/lib/protocols/ipsec.c b/src/lib/protocols/ipsec.c index 9a3e519df..fdd08cb6f 100644 --- a/src/lib/protocols/ipsec.c +++ b/src/lib/protocols/ipsec.c @@ -43,7 +43,7 @@ static void ndpi_int_ipsec_add_connection(struct ndpi_detection_module_struct * return; case ISAKMP_MALFORMED: NDPI_LOG_INFO(ndpi_struct, "found malformed ISAKMP (UDP)\n"); - ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid IPSec/ISAKMP Header"); + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid IPSec/ISAKMP Header"); break; case ISAKMP_V1: NDPI_LOG_INFO(ndpi_struct, "found ISAKMPv1 (UDP)\n"); diff --git a/src/lib/protocols/irc.c b/src/lib/protocols/irc.c index 02b105a0f..2ef11edb5 100644 --- a/src/lib/protocols/irc.c +++ b/src/lib/protocols/irc.c @@ -156,7 +156,7 @@ static void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct sp[0] = '\0'; snprintf(msg, sizeof(msg), "Found IRC username (%s)", buf); - ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, msg); + ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, msg); } NDPI_LOG_DBG2(ndpi_struct, diff --git a/src/lib/protocols/mail_imap.c b/src/lib/protocols/mail_imap.c index dd47704ea..1b8b31287 100644 --- a/src/lib/protocols/mail_imap.c +++ b/src/lib/protocols/mail_imap.c @@ -186,7 +186,7 @@ static void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_ snprintf(buf, sizeof(buf), "Found IMAP username (%s)", flow->l4.tcp.ftp_imap_pop_smtp.username); - ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); + ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); pwd = strtok_r(NULL, " \"\r\n", &saveptr); if(pwd) { diff --git a/src/lib/protocols/mail_pop.c b/src/lib/protocols/mail_pop.c index 0cb4512d7..5741eba0e 100644 --- a/src/lib/protocols/mail_pop.c +++ b/src/lib/protocols/mail_pop.c @@ -88,7 +88,7 @@ static int ndpi_int_mail_pop_check_for_client_commands(struct ndpi_detection_mod snprintf(buf, sizeof(buf), "Found username (%s)", flow->l4.tcp.ftp_imap_pop_smtp.username); - ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); + ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); flow->l4.tcp.pop_command_bitmask |= POP_BIT_USER; return 1; @@ -100,7 +100,7 @@ static int ndpi_int_mail_pop_check_for_client_commands(struct ndpi_detection_mod sizeof(flow->l4.tcp.ftp_imap_pop_smtp.password), 5, packet->payload, packet->payload_packet_len); - ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found password"); + ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found password"); flow->l4.tcp.pop_command_bitmask |= POP_BIT_PASS; return 1; } else if((packet->payload[0] == 'C' || packet->payload[0] == 'c') diff --git a/src/lib/protocols/mail_smtp.c b/src/lib/protocols/mail_smtp.c index f27e43ffe..6e4629ac9 100644 --- a/src/lib/protocols/mail_smtp.c +++ b/src/lib/protocols/mail_smtp.c @@ -66,7 +66,8 @@ static void smtpInitExtraPacketProcessing(struct ndpi_flow_struct *flow); /* **************************************** */ -static void get_credentials_auth_plain(struct ndpi_flow_struct *flow, +static void get_credentials_auth_plain(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, const u_int8_t *line, u_int16_t line_len) { u_int8_t buf[255]; @@ -101,7 +102,7 @@ static void get_credentials_auth_plain(struct ndpi_flow_struct *flow, snprintf(buf, sizeof(buf), "Found username (%s)", flow->l4.tcp.ftp_imap_pop_smtp.username); - ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); + ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); if(1 + user_len + 1 < out_len) { unsigned int pwd_len; @@ -221,7 +222,7 @@ static void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_ } else if(packet->line[a].ptr[5] == 'P' || packet->line[a].ptr[5] == 'p') { flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_AUTH_PLAIN; /* AUTH PLAIN: username and pwd here */ - get_credentials_auth_plain(flow, + get_credentials_auth_plain(ndpi_struct, flow, packet->line[a].ptr, packet->line[a].len); flow->l4.tcp.ftp_imap_pop_smtp.auth_done = 1; } @@ -261,7 +262,7 @@ static void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_ snprintf(msg, sizeof(msg), "Found SMTP username (%s)", flow->l4.tcp.ftp_imap_pop_smtp.username); - ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, msg); + ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, msg); } else if(flow->l4.tcp.ftp_imap_pop_smtp.password[0] == '\0') { /* Password */ u_int8_t buf[48]; @@ -286,7 +287,7 @@ static void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_ ndpi_free(out); } - ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found password"); + ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found password"); flow->l4.tcp.ftp_imap_pop_smtp.auth_done = 1; } else { diff --git a/src/lib/protocols/munin.c b/src/lib/protocols/munin.c index 6ca9ca9c3..06e50d3a6 100644 --- a/src/lib/protocols/munin.c +++ b/src/lib/protocols/munin.c @@ -64,7 +64,7 @@ static void ndpi_search_munin(struct ndpi_detection_module_struct *ndpi_struct, if (packet->payload[packet->payload_packet_len - 1] != '\n') { - ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Missing Munin Hostname"); + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Missing Munin Hostname"); return; } @@ -73,7 +73,7 @@ static void ndpi_search_munin(struct ndpi_detection_module_struct *ndpi_struct, { ndpi_hostname_sni_set(flow, packet->payload + NDPI_STATICSTRING_LEN(munin_prefix), host_len, NDPI_HOSTNAME_NORM_ALL); } else { - ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Missing Munin Hostname"); + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Missing Munin Hostname"); } } diff --git a/src/lib/protocols/natpmp.c b/src/lib/protocols/natpmp.c index ccb025c89..4c259c91c 100644 --- a/src/lib/protocols/natpmp.c +++ b/src/lib/protocols/natpmp.c @@ -122,7 +122,7 @@ static int ndpi_search_natpmp_extra(struct ndpi_detection_module_struct *ndpi_st if (natpmp_is_valid(packet, &natpmp_type) == 0) { - ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid NATPMP Header"); + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid NATPMP Header"); return 0; } @@ -136,7 +136,7 @@ static int ndpi_search_natpmp_extra(struct ndpi_detection_module_struct *ndpi_st flow->protos.natpmp.external_port = ntohs(get_u_int16_t(packet->payload, 6)); if (flow->protos.natpmp.internal_port == 0) { - ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Request Port Mapping: Internal port must not 0"); + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Request Port Mapping: Internal port must not 0"); } break; case NATPMP_RESPONSE_ADDRESS: @@ -144,7 +144,7 @@ static int ndpi_search_natpmp_extra(struct ndpi_detection_module_struct *ndpi_st flow->protos.natpmp.external_address.ipv4 = get_u_int32_t(packet->payload, 8); if (flow->protos.natpmp.result_code != 0 && flow->protos.natpmp.external_address.ipv4 != 0) { - ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Address Response: Result code indicates an error, but External IPv4 Address is set"); + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Address Response: Result code indicates an error, but External IPv4 Address is set"); } break; case NATPMP_RESPONSE_UDP_MAPPING: @@ -154,7 +154,7 @@ static int ndpi_search_natpmp_extra(struct ndpi_detection_module_struct *ndpi_st flow->protos.natpmp.external_port = ntohs(get_u_int16_t(packet->payload, 10)); if (flow->protos.natpmp.internal_port == 0 || flow->protos.natpmp.external_port == 0) { - ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Port Mapping Response: Internal/External port must not 0"); + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Port Mapping Response: Internal/External port must not 0"); } break; } diff --git a/src/lib/protocols/nomachine.c b/src/lib/protocols/nomachine.c index ce26b30fd..4cf4e1d8d 100644 --- a/src/lib/protocols/nomachine.c +++ b/src/lib/protocols/nomachine.c @@ -35,7 +35,7 @@ static void ndpi_int_nomachine_add_connection(struct ndpi_detection_module_struc NDPI_LOG_INFO(ndpi_struct, "found NoMachine\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NOMACHINE, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found NoMachine"); + ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found NoMachine"); } static void ndpi_search_nomachine(struct ndpi_detection_module_struct *ndpi_struct, diff --git a/src/lib/protocols/openvpn.c b/src/lib/protocols/openvpn.c index bf34bf3a9..dab6a77ab 100644 --- a/src/lib/protocols/openvpn.c +++ b/src/lib/protocols/openvpn.c @@ -481,7 +481,7 @@ static void ndpi_search_openvpn(struct ndpi_detection_module_struct* ndpi_struct ndpi_int_openvpn_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); } else if (flow->ovpn_alg_heur_opcode_state == 2) { ndpi_int_openvpn_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI_AGGRESSIVE); - ndpi_set_risk(flow, NDPI_OBFUSCATED_TRAFFIC, "Obfuscated OpenVPN"); + ndpi_set_risk(ndpi_struct, flow, NDPI_OBFUSCATED_TRAFFIC, "Obfuscated OpenVPN"); } else if(flow->ovpn_alg_standard_state == 1 && flow->ovpn_alg_heur_opcode_state == 1) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c index 498ca9802..7e1a08ac1 100644 --- a/src/lib/protocols/quic.c +++ b/src/lib/protocols/quic.c @@ -1471,10 +1471,10 @@ void process_chlo(struct ndpi_detection_module_struct *ndpi_struct, char str[128]; snprintf(str, sizeof(str), "Invalid host %s", flow->host_server_name); - ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, str); /* This looks like an attack */ - ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, "Suspicious hostname: attack ?"); + ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "Suspicious hostname: attack ?"); } sni_found = 1; @@ -1513,7 +1513,7 @@ void process_chlo(struct ndpi_detection_module_struct *ndpi_struct, /* Add check for missing SNI */ if(flow->host_server_name[0] == '\0') { /* This is a bit suspicious */ - ndpi_set_risk(flow, NDPI_TLS_MISSING_SNI, "SNI should be present all time: attack ?"); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_MISSING_SNI, "SNI should be present all time: attack ?"); } } diff --git a/src/lib/protocols/radmin.c b/src/lib/protocols/radmin.c index 3b08c5084..b9ab63631 100644 --- a/src/lib/protocols/radmin.c +++ b/src/lib/protocols/radmin.c @@ -36,7 +36,7 @@ static void ndpi_int_radmin_add_connection(struct ndpi_detection_module_struct * ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RADMIN, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found Radmin"); + ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found Radmin"); } static void ndpi_search_radmin(struct ndpi_detection_module_struct *ndpi_struct, diff --git a/src/lib/protocols/rdp.c b/src/lib/protocols/rdp.c index bc2994286..e7683d16e 100644 --- a/src/lib/protocols/rdp.c +++ b/src/lib/protocols/rdp.c @@ -41,7 +41,7 @@ static void ndpi_int_rdp_add_connection(struct ndpi_detection_module_struct *ndp struct ndpi_flow_struct *flow) { NDPI_LOG_INFO(ndpi_struct, "found RDP\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RDP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found RDP"); /* Remote assistance */ + ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found RDP"); /* Remote assistance */ } /* **************************************** */ diff --git a/src/lib/protocols/rsh.c b/src/lib/protocols/rsh.c index 6048e2f54..6addb7404 100644 --- a/src/lib/protocols/rsh.c +++ b/src/lib/protocols/rsh.c @@ -139,7 +139,7 @@ static void ndpi_search_rsh(struct ndpi_detection_module_struct * ndpi_struct, flow->protos.rsh.command) < 0) str[0] = '\0'; - ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, str); } return; diff --git a/src/lib/protocols/slp.c b/src/lib/protocols/slp.c index e7fd6b105..81c1cabd9 100644 --- a/src/lib/protocols/slp.c +++ b/src/lib/protocols/slp.c @@ -285,7 +285,7 @@ static void ndpi_dissect_slp_v2(struct ndpi_detection_module_struct *ndpi_struct } } else if (url_entry_count_offset > 0 && packet->payload_packet_len > sizeof(*hdr) + url_entry_count_offset + 2) { if (slp_dissect_url_entries(ndpi_struct, flow, sizeof(*hdr) + url_entry_count_offset) != 0) { - ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid URL entries"); + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid URL entries"); } } else if (packet->payload_packet_len > sizeof(*hdr) + url_offset + 2) { url_length_or_count = ntohs(*(uint16_t *)&packet->payload[sizeof(*hdr) + url_offset]); // FID_SrvReg or FID_SrvDeReg diff --git a/src/lib/protocols/smb.c b/src/lib/protocols/smb.c index 3733b3747..3997c7aac 100644 --- a/src/lib/protocols/smb.c +++ b/src/lib/protocols/smb.c @@ -64,7 +64,7 @@ static void ndpi_search_smb_tcp(struct ndpi_detection_module_struct *ndpi_struct */ if(packet->payload[8] != 0x25) /* Skip SMB command Trans */ - ndpi_set_risk(flow, NDPI_SMB_INSECURE_VERSION, "Found SMBv1"); + ndpi_set_risk(ndpi_struct, flow, NDPI_SMB_INSECURE_VERSION, "Found SMBv1"); } return; } else if(memcmp(&packet->payload[4], smbv2, sizeof(smbv2)) == 0) { diff --git a/src/lib/protocols/snmp_proto.c b/src/lib/protocols/snmp_proto.c index 632365bb9..75e829126 100644 --- a/src/lib/protocols/snmp_proto.c +++ b/src/lib/protocols/snmp_proto.c @@ -129,7 +129,7 @@ static void ndpi_search_snmp(struct ndpi_detection_module_struct *ndpi_struct, char str[64]; snprintf(str, sizeof(str), "SNMP Error %d", error_status); - ndpi_set_risk(flow, NDPI_ERROR_CODE_DETECTED, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED, str); } } } diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c index 06f58fd60..bf2af2aac 100644 --- a/src/lib/protocols/ssh.c +++ b/src/lib/protocols/ssh.c @@ -68,7 +68,8 @@ typedef struct { /* ************************************************************************ */ -static void ssh_analyze_signature_version(struct ndpi_flow_struct *flow, +static void ssh_analyze_signature_version(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, char *str_to_check, u_int8_t is_client_signature) { u_int i; @@ -111,14 +112,15 @@ static void ssh_analyze_signature_version(struct ndpi_flow_struct *flow, } if(obsolete_ssh_version) - ndpi_set_risk(flow, + ndpi_set_risk(ndpi_struct, flow, (is_client_signature ? NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER : NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER), NULL); } /* ************************************************************************ */ -static void ssh_analyse_cipher(struct ndpi_flow_struct *flow, +static void ssh_analyse_cipher(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, char *ciphers, u_int cipher_len, u_int8_t is_client_signature) { @@ -174,7 +176,7 @@ static void ssh_analyse_cipher(struct ndpi_flow_struct *flow, char str[64]; snprintf(str, sizeof(str), "Found cipher %s", obsolete_ciphers[found_obsolete_cipher]); - ndpi_set_risk(flow, + ndpi_set_risk(ndpi_struct, flow, (is_client_signature ? NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER : NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER), str); } @@ -213,7 +215,8 @@ static void ndpi_int_ssh_add_connection(struct ndpi_detection_module_struct /* ************************************************************************ */ -static u_int16_t concat_hash_string(struct ndpi_flow_struct *flow, +static u_int16_t concat_hash_string(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, struct ndpi_packet_struct *packet, char *buf, u_int8_t client_hash) { u_int32_t offset = 22, len, buf_out_len = 0, max_payload_len = packet->payload_packet_len-sizeof(u_int32_t); @@ -256,7 +259,7 @@ static u_int16_t concat_hash_string(struct ndpi_flow_struct *flow, goto invalid_payload; strncpy(&buf[buf_out_len], (const char *)&packet->payload[offset], len); - ssh_analyse_cipher(flow, (char*)&packet->payload[offset], len, 1 /* client */); + ssh_analyse_cipher(ndpi_struct, flow, (char*)&packet->payload[offset], len, 1 /* client */); buf_out_len += len; buf[buf_out_len++] = ';'; } @@ -277,7 +280,7 @@ static u_int16_t concat_hash_string(struct ndpi_flow_struct *flow, goto invalid_payload; strncpy(&buf[buf_out_len], (const char *)&packet->payload[offset], len); - ssh_analyse_cipher(flow, (char*)&packet->payload[offset], len, 0 /* server */); + ssh_analyse_cipher(ndpi_struct, flow, (char*)&packet->payload[offset], len, 0 /* server */); buf_out_len += len; buf[buf_out_len++] = ';'; } @@ -411,7 +414,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct flow->protos.ssh.client_signature[len] = '\0'; ndpi_ssh_zap_cr(flow->protos.ssh.client_signature, len); - ssh_analyze_signature_version(flow, flow->protos.ssh.client_signature, 1); + ssh_analyze_signature_version(ndpi_struct, flow, flow->protos.ssh.client_signature, 1); #ifdef SSH_DEBUG printf("[SSH] [client_signature: %s]\n", flow->protos.ssh.client_signature); @@ -431,7 +434,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct flow->protos.ssh.server_signature[len] = '\0'; ndpi_ssh_zap_cr(flow->protos.ssh.server_signature, len); - ssh_analyze_signature_version(flow, flow->protos.ssh.server_signature, 0); + ssh_analyze_signature_version(ndpi_struct, flow, flow->protos.ssh.server_signature, 0); #ifdef SSH_DEBUG printf("[SSH] [server_signature: %s]\n", flow->protos.ssh.server_signature); @@ -463,7 +466,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct if(packet->packet_direction == 0 /* client */) { u_char fingerprint_client[16]; - len = concat_hash_string(flow, packet, hassh_buf, 1 /* client */); + len = concat_hash_string(ndpi_struct, flow, packet, hassh_buf, 1 /* client */); ndpi_MD5Init(&ctx); ndpi_MD5Update(&ctx, (const unsigned char *)hassh_buf, len); @@ -485,7 +488,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct } else { u_char fingerprint_server[16]; - len = concat_hash_string(flow, packet, hassh_buf, 0 /* server */); + len = concat_hash_string(ndpi_struct, flow, packet, hassh_buf, 0 /* server */); ndpi_MD5Init(&ctx); ndpi_MD5Update(&ctx, (const unsigned char *)hassh_buf, len); diff --git a/src/lib/protocols/teamviewer.c b/src/lib/protocols/teamviewer.c index 49b7a5862..4ed7f1269 100644 --- a/src/lib/protocols/teamviewer.c +++ b/src/lib/protocols/teamviewer.c @@ -51,7 +51,7 @@ static void ndpi_search_teamview(struct ndpi_detection_module_struct *ndpi_struc if (flow->teamviewer_stage == 4 || packet->udp->dest == ntohs(5938) || packet->udp->source == ntohs(5938)) { ndpi_int_teamview_add_connection(ndpi_struct, flow); - ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found TeamViewer"); /* Remote assistance (UDP only) */ + ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found TeamViewer"); /* Remote assistance (UDP only) */ } return; } diff --git a/src/lib/protocols/telnet.c b/src/lib/protocols/telnet.c index 035bcc862..42b7624b5 100644 --- a/src/lib/protocols/telnet.c +++ b/src/lib/protocols/telnet.c @@ -65,7 +65,7 @@ static int search_telnet_again(struct ndpi_detection_module_struct *ndpi_struct, return(1); flow->protos.telnet.password_detected = 1; - ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found password"); + ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found password"); flow->protos.telnet.password[flow->protos.telnet.character_id] = '\0'; return(0); } @@ -99,7 +99,7 @@ static int search_telnet_again(struct ndpi_detection_module_struct *ndpi_struct, snprintf(buf, sizeof(buf), "Found Telnet username (%s)", flow->protos.telnet.username); - ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); + ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); return(1); } diff --git a/src/lib/protocols/thrift.c b/src/lib/protocols/thrift.c index 79ee6ebb5..c6afe0570 100644 --- a/src/lib/protocols/thrift.c +++ b/src/lib/protocols/thrift.c @@ -110,27 +110,29 @@ static int thrift_validate_type(uint8_t message_type) return message_type < TMT_TYPE_MAX; } -static void thrift_set_method(struct ndpi_flow_struct *flow, +static void thrift_set_method(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, char const * const method, size_t method_length) { if (thrift_validate_method(method, method_length) == 0) { - ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, "Invalid method name"); + ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, "Invalid method name"); flow->protos.thrift.method[0] = '\0'; } else { strncpy(flow->protos.thrift.method, method, ndpi_min(sizeof(flow->protos.thrift.method), method_length)); } } -static void thrift_set_type(struct ndpi_flow_struct *flow, +static void thrift_set_type(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, uint8_t message_type) { if (message_type == TMT_INVALID_TMESSAGE_TYPE) { - ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid message type"); + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid message type"); } flow->protos.thrift.message_type = message_type; if (message_type == TMT_EXCEPTION) { - ndpi_set_risk(flow, NDPI_ERROR_CODE_DETECTED, "Apache Thrift Exception"); + ndpi_set_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED, "Apache Thrift Exception"); } } @@ -163,8 +165,8 @@ static void ndpi_dissect_strict_hdr(struct ndpi_detection_module_struct *ndpi_st ndpi_int_thrift_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); - thrift_set_method(flow, strict_hdr->method, method_length); - thrift_set_type(flow, strict_hdr->message_type); + thrift_set_method(ndpi_struct, flow, strict_hdr->method, method_length); + thrift_set_type(ndpi_struct, flow, strict_hdr->message_type); } static void ndpi_dissect_compact_hdr(struct ndpi_detection_module_struct *ndpi_struct, @@ -195,8 +197,8 @@ static void ndpi_dissect_compact_hdr(struct ndpi_detection_module_struct *ndpi_s ndpi_int_thrift_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); - thrift_set_method(flow, compact_hdr->method, compact_hdr->method_length); - thrift_set_type(flow, compact_hdr->message_type); + thrift_set_method(ndpi_struct, flow, compact_hdr->method, compact_hdr->method_length); + thrift_set_type(ndpi_struct, flow, compact_hdr->message_type); } static void ndpi_search_thrift_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct, diff --git a/src/lib/protocols/tivoconnect.c b/src/lib/protocols/tivoconnect.c index 208e3f8ae..4bfd041e9 100644 --- a/src/lib/protocols/tivoconnect.c +++ b/src/lib/protocols/tivoconnect.c @@ -55,7 +55,7 @@ static void dissect_tivoconnect_data(struct ndpi_detection_module_struct *ndpi_s if (value == NULL) { - ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Missing value type in TiViConnect beacon"); + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Missing value type in TiViConnect beacon"); continue; } value++; @@ -108,7 +108,7 @@ static void dissect_tivoconnect_data(struct ndpi_detection_module_struct *ndpi_s if ((size_t)(key - payload) != payload_len) { - ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "TiViConnect beacon malformed packet"); } } diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 0fdac846a..db0f2b419 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -435,14 +435,14 @@ static int tls_obfuscated_heur_search_again(struct ndpi_detection_module_struct* if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_AGGRESSIVE); - ndpi_set_risk(flow, NDPI_OBFUSCATED_TRAFFIC, "Obfuscated TLS traffic"); + ndpi_set_risk(ndpi_struct, flow, NDPI_OBFUSCATED_TRAFFIC, "Obfuscated TLS traffic"); } else { flow->confidence = NDPI_CONFIDENCE_DPI_AGGRESSIVE; /* Update the value */ if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS || flow->detected_protocol_stack[1] == NDPI_PROTOCOL_TLS) - ndpi_set_risk(flow, NDPI_OBFUSCATED_TRAFFIC, "Obfuscated TLS-in-TLS traffic"); + ndpi_set_risk(ndpi_struct, flow, NDPI_OBFUSCATED_TRAFFIC, "Obfuscated TLS-in-TLS traffic"); else - ndpi_set_risk(flow, NDPI_OBFUSCATED_TRAFFIC, "Obfuscated TLS-in-HTTP-WebSocket traffic"); + ndpi_set_risk(ndpi_struct, flow, NDPI_OBFUSCATED_TRAFFIC, "Obfuscated TLS-in-HTTP-WebSocket traffic"); } ndpi_protocol ret = { { __get_master(ndpi_struct, flow), NDPI_PROTOCOL_UNKNOWN }, NDPI_PROTOCOL_UNKNOWN /* unused */, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NULL}; @@ -773,7 +773,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct char str[64]; snprintf(str, sizeof(str), "Invalid issuerDN %s", flow->protos.tls_quic.issuerDN); - ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, str); } } @@ -851,7 +851,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct snprintf(str, sizeof(str), "TLS Cert lasts %u days", (flow->protos.tls_quic.notAfter-flow->protos.tls_quic.notBefore) / 86400); - ndpi_set_risk(flow, NDPI_TLS_CERT_VALIDITY_TOO_LONG, str); /* Certificate validity longer than 13 months */ + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERT_VALIDITY_TOO_LONG, str); /* Certificate validity longer than 13 months */ } if((time_sec < flow->protos.tls_quic.notBefore) || (time_sec > flow->protos.tls_quic.notAfter)) { @@ -866,7 +866,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct strftime(e, sizeof(e), "%d/%b/%Y %H:%M:%S", ndpi_gmtime_r(&theTime, &result)); snprintf(str, sizeof(str), "%s - %s", b, e); - ndpi_set_risk(flow, NDPI_TLS_CERTIFICATE_EXPIRED, str); /* Certificate expired */ + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_EXPIRED, str); /* Certificate expired */ } else if((time_sec > flow->protos.tls_quic.notBefore) && (time_sec > (flow->protos.tls_quic.notAfter - (ndpi_struct->cfg.tls_certificate_expire_in_x_days * 86400)))) { char str[96], b[32], e[32]; @@ -880,7 +880,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct strftime(e, sizeof(e), "%d/%b/%Y %H:%M:%S", ndpi_gmtime_r(&theTime, &result)); snprintf(str, sizeof(str), "%s - %s", b, e); - ndpi_set_risk(flow, NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE, str); /* Certificate almost expired */ + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE, str); /* Certificate almost expired */ } } } @@ -965,10 +965,10 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct here that will create false positives */ if(ndpi_normalize_printable_string(dNSName, dNSName_len) == 0) { - ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, dNSName); + ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, dNSName); /* This looks like an attack */ - ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, "Invalid dNSName name"); + ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "Invalid dNSName name"); } if(matched_name == 0) { @@ -1026,7 +1026,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct #if DEBUG_TLS printf("[TLS] Leftover %u bytes", packet->payload_packet_len - i); #endif - ndpi_set_risk(flow, NDPI_TLS_SUSPICIOUS_EXTENSION, buf); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION, buf); break; } } else { @@ -1038,7 +1038,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct char str[128]; snprintf(str, sizeof(str), "%s vs %s", flow->host_server_name, flow->protos.tls_quic.server_names); - ndpi_set_risk(flow, NDPI_TLS_CERTIFICATE_MISMATCH, str); /* Certificate mismatch */ + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_MISMATCH, str); /* Certificate mismatch */ } } } @@ -1082,7 +1082,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct return; /* This is a trusted DN */ if(!flow->protos.tls_quic.webrtc) - ndpi_set_risk(flow, NDPI_TLS_SELFSIGNED_CERTIFICATE, flow->protos.tls_quic.subjectDN); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SELFSIGNED_CERTIFICATE, flow->protos.tls_quic.subjectDN); } #if DEBUG_TLS @@ -1111,7 +1111,7 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, if((packet->payload_packet_len != (length + 4 + (is_dtls ? 8 : 0))) || (packet->payload[1] != 0x0) || certificates_offset >= packet->payload_packet_len) { - ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Unvalid lenght"); + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Unvalid lenght"); return(-1); /* Invalid length */ } @@ -1120,7 +1120,7 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, packet->payload[certificates_offset - 1]; if((packet->payload[certificates_offset - 3] != 0x0) || ((certificates_length+3) != length)) { - ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid certificate offset"); + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid certificate offset"); return(-2); /* Invalid length */ } @@ -1197,7 +1197,7 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t rc1 = ndpi_hash_find_entry(ndpi_struct->malicious_sha1_hashmap, sha1_str, sha1_siz * 2, NULL); if(rc1 == 0) - ndpi_set_risk(flow, NDPI_MALICIOUS_SHA1_CERTIFICATE, sha1_str); + ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_SHA1_CERTIFICATE, sha1_str); } } @@ -1412,7 +1412,7 @@ int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, u_int8_t alert_level = message->buffer[5]; if(alert_level == 2 /* Warning (1), Fatal (2) */) - ndpi_set_risk(flow, NDPI_TLS_FATAL_ALERT, "Found fatal TLS alert"); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_FATAL_ALERT, "Found fatal TLS alert"); } u_int16_t const alert_len = ntohs(*(u_int16_t const *)&message->buffer[3]); @@ -1713,7 +1713,7 @@ static int ndpi_search_tls_udp(struct ndpi_detection_module_struct *ndpi_struct, u_int8_t alert_level = block[13]; if(alert_level == 2 /* Warning (1), Fatal (2) */) - ndpi_set_risk(flow, NDPI_TLS_FATAL_ALERT, "Found fatal TLS alert"); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_FATAL_ALERT, "Found fatal TLS alert"); } } else { #ifdef DEBUG_TLS @@ -1863,7 +1863,7 @@ static void tlsCheckUncommonALPN(struct ndpi_detection_module_struct *ndpi_struc str[str_len - 1] = '\0'; } - ndpi_set_risk(flow, NDPI_TLS_UNCOMMON_ALPN, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_UNCOMMON_ALPN, str); break; } @@ -1917,7 +1917,7 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct, printf("[TLS] extension length exceeds remaining packet length: %u > %u.\n", extension_len, packet->payload_packet_len - extension_payload_offset); #endif - ndpi_set_risk(flow, NDPI_TLS_SUSPICIOUS_EXTENSION, "Invalid extension len"); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION, "Invalid extension len"); return; } @@ -1959,7 +1959,7 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct, #ifdef DEBUG_TLS printf("[TLS] suspicious extension id: %u\n", extension_id); #endif - ndpi_set_risk(flow, NDPI_TLS_SUSPICIOUS_EXTENSION, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION, str); return; } } @@ -1976,7 +1976,7 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct, #ifdef DEBUG_TLS printf("[TLS] suspicious DTLS-only extension id: %u\n", extension_id); #endif - ndpi_set_risk(flow, NDPI_TLS_SUSPICIOUS_EXTENSION, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION, str); return; } } @@ -2307,7 +2307,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, char unknown_cipher[8]; snprintf(str, sizeof(str), "Cipher %s", ndpi_cipher2str(ja.server.cipher[0], unknown_cipher)); - ndpi_set_risk(flow, NDPI_TLS_WEAK_CIPHER, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_WEAK_CIPHER, str); } flow->protos.tls_quic.server_cipher = ja.server.cipher[0]; @@ -2396,12 +2396,12 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, s_offset += alpn_len, alpn_str_len += alpn_len;; } else { alpn_str[alpn_str_len] = '\0'; - ndpi_set_risk(flow, NDPI_TLS_UNCOMMON_ALPN, alpn_str); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_UNCOMMON_ALPN, alpn_str); break; } } else { alpn_str[alpn_str_len] = '\0'; - ndpi_set_risk(flow, NDPI_TLS_UNCOMMON_ALPN, alpn_str); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_UNCOMMON_ALPN, alpn_str); break; } } /* while */ @@ -2412,7 +2412,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, printf("Server TLS [ALPN: %s][len: %u]\n", alpn_str, alpn_str_len); #endif if(ndpi_normalize_printable_string(alpn_str, alpn_str_len) == 0) - ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, alpn_str); + ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, alpn_str); if(flow->protos.tls_quic.negotiated_alpn == NULL) flow->protos.tls_quic.negotiated_alpn = ndpi_strdup(alpn_str); @@ -2535,7 +2535,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, snprintf(str, sizeof(str), "%s", ndpi_ssl_version2str(buf, sizeof(buf), flow->protos.tls_quic.ssl_version, &unknown_tls_version)); - ndpi_set_risk(flow, NDPI_TLS_OBSOLETE_VERSION, str); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_OBSOLETE_VERSION, str); } if((session_id_len+base_offset+3) > packet->payload_packet_len) @@ -2744,10 +2744,10 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, printf("[TLS] SNI: [%s]\n", sni); #endif if(ndpi_is_valid_hostname((char *)&packet->payload[offset+extension_offset+5], len) == 0) { - ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, sni); + ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, sni); /* This looks like an attack */ - ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, "Invalid chars found in SNI: exploit or misconfiguration?"); + ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "Invalid chars found in SNI: exploit or misconfiguration?"); } if(!is_quic) { @@ -2762,7 +2762,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, if((flow->protos.tls_quic.subprotocol_detected == 0) && (check_sni_is_numeric_ip(sni) == 1)) { - ndpi_set_risk(flow, NDPI_NUMERIC_IP_HOST, sni); + ndpi_set_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST, sni); } if(ndpi_check_dga_name(ndpi_struct, flow, sni, 1, 0)) { @@ -3110,7 +3110,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, } } else if(extension_id == 65486 /* encrypted server name */) { /* ESNI has been superseded by ECH */ - ndpi_set_risk(flow, NDPI_TLS_SUSPICIOUS_ESNI_USAGE, NULL); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_ESNI_USAGE, NULL); } else if(extension_id == 65037 /* ECH: latest drafts */) { #ifdef DEBUG_TLS printf("Client TLS: ECH version 0x%x\n", extension_id); @@ -3196,7 +3196,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, #ifdef DEBUG_TLS printf("Padding length: %d\n", extension_len); #endif - ndpi_set_risk(flow, NDPI_OBFUSCATED_TRAFFIC, "Abnormal Client Hello/Padding length"); + ndpi_set_risk(ndpi_struct, flow, NDPI_OBFUSCATED_TRAFFIC, "Abnormal Client Hello/Padding length"); } } @@ -3279,7 +3279,7 @@ compute_ja3c: NULL); if(rc1 == 0) - ndpi_set_risk(flow, NDPI_MALICIOUS_FINGERPRINT, flow->protos.tls_quic.ja3_client); + ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_FINGERPRINT, flow->protos.tls_quic.ja3_client); } } @@ -3293,7 +3293,7 @@ compute_ja3c: if((flow->protos.tls_quic.ssl_version >= 0x0303) /* >= TLSv1.2 */ && !flow->protos.tls_quic.webrtc && (flow->protos.tls_quic.advertised_alpns == NULL) /* No ALPN */) { - ndpi_set_risk(flow, NDPI_TLS_NOT_CARRYING_HTTPS, "No ALPN"); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_NOT_CARRYING_HTTPS, "No ALPN"); } /* Add check for missing SNI */ @@ -3302,7 +3302,7 @@ compute_ja3c: && !flow->protos.tls_quic.webrtc ) { /* This is a bit suspicious */ - ndpi_set_risk(flow, NDPI_TLS_MISSING_SNI, "SNI should always be present"); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_MISSING_SNI, "SNI should always be present"); if(flow->protos.tls_quic.advertised_alpns != NULL) { char buf[256], *tmp, *item; @@ -3314,7 +3314,7 @@ compute_ja3c: while(item != NULL) { if(item[0] == 'h') { /* Example 'h2' */ - ndpi_set_risk(flow, NDPI_TLS_ALPN_SNI_MISMATCH, item); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_ALPN_SNI_MISMATCH, item); break; } else item = strtok_r(NULL, ",", &tmp); diff --git a/src/lib/protocols/vnc.c b/src/lib/protocols/vnc.c index 33010046e..52c644224 100644 --- a/src/lib/protocols/vnc.c +++ b/src/lib/protocols/vnc.c @@ -52,7 +52,7 @@ static void ndpi_search_vnc_tcp(struct ndpi_detection_module_struct *ndpi_struct ((memcmp(packet->payload, "RFB 004.", 7) == 0) && (packet->payload[11] == 0x0a)))) { NDPI_LOG_INFO(ndpi_struct, "found vnc\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VNC, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found VNC"); /* Remote assistance */ + ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found VNC"); /* Remote assistance */ return; } } diff --git a/tests/cfgs/disable_metadata/config.txt b/tests/cfgs/disable_metadata_and_flowrisks/config.txt index 2be9374b6..7dae53d2f 100644 --- a/tests/cfgs/disable_metadata/config.txt +++ b/tests/cfgs/disable_metadata_and_flowrisks/config.txt @@ -1 +1 @@ ---cfg=tls,metadata.sha1_fingerprint,0 --cfg=tls,metadata.ja3c_fingerprint,0 --cfg=tls,metadata.ja3s_fingerprint,0 --cfg=tls,metadata.ja4c_fingerprint,0 --cfg=metadata.tcp_fingerprint,0 --cfg=sip,metadata.attribute.from,0 --cfg=sip,metadata.attribute.to,0 +--cfg=tls,metadata.sha1_fingerprint,0 --cfg=tls,metadata.ja3c_fingerprint,0 --cfg=tls,metadata.ja3s_fingerprint,0 --cfg=tls,metadata.ja4c_fingerprint,0 --cfg=metadata.tcp_fingerprint,0 --cfg=sip,metadata.attribute.from,0 --cfg=sip,metadata.attribute.to,0 --cfg=flow_risk.all,0 diff --git a/tests/cfgs/disable_metadata/pcap/sip.pcap b/tests/cfgs/disable_metadata_and_flowrisks/pcap/sip.pcap index 471ca4bd0..471ca4bd0 120000 --- a/tests/cfgs/disable_metadata/pcap/sip.pcap +++ b/tests/cfgs/disable_metadata_and_flowrisks/pcap/sip.pcap diff --git a/tests/cfgs/disable_metadata/pcap/tls_verylong_certificate.pcap b/tests/cfgs/disable_metadata_and_flowrisks/pcap/tls_verylong_certificate.pcap index 2f722f28e..2f722f28e 120000 --- a/tests/cfgs/disable_metadata/pcap/tls_verylong_certificate.pcap +++ b/tests/cfgs/disable_metadata_and_flowrisks/pcap/tls_verylong_certificate.pcap diff --git a/tests/cfgs/disable_metadata/result/sip.pcap.out b/tests/cfgs/disable_metadata_and_flowrisks/result/sip.pcap.out index c4812fb6a..4ce3fd591 100644 --- a/tests/cfgs/disable_metadata/result/sip.pcap.out +++ b/tests/cfgs/disable_metadata_and_flowrisks/result/sip.pcap.out @@ -14,7 +14,7 @@ Automa domain: 0/0 (search/found) Automa tls cert: 0/0 (search/found) Automa risk mask: 0/0 (search/found) Automa common alpns: 0/0 (search/found) -Patricia risk mask: 6/0 (search/found) +Patricia risk mask: 0/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) @@ -34,4 +34,4 @@ Unrated 1 146 1 Undetected flows: - 1 UDP 192.168.1.2:30001 -> 212.242.33.36:40393 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 1][1 pkts/146 bytes -> 0 pkts/0 bytes][Goodput ratio: 71/0][< 1 sec][Risk: ** Susp Entropy **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic / Entropy: 5.220 (Executable?)][PLAIN TEXT (11894297)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP 192.168.1.2:30001 -> 212.242.33.36:40393 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 1][1 pkts/146 bytes -> 0 pkts/0 bytes][Goodput ratio: 71/0][< 1 sec][PLAIN TEXT (11894297)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/disable_metadata/result/tls_verylong_certificate.pcap.out b/tests/cfgs/disable_metadata_and_flowrisks/result/tls_verylong_certificate.pcap.out index b224f0cd9..b224f0cd9 100644 --- a/tests/cfgs/disable_metadata/result/tls_verylong_certificate.pcap.out +++ b/tests/cfgs/disable_metadata_and_flowrisks/result/tls_verylong_certificate.pcap.out |