author | Luca Deri <deri@ntop.org> | 2020-05-15 22:49:55 +0200 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2020-05-15 22:49:55 +0200 |
commit | c375782b96faf30558b3f91a7fe05eae62fc79c2 (patch) | |
tree | 21e9a729a848140d42649cc79ecdc9fd13a0627a | |
parent | 8e7b1ea7a136cc4e4aa9880072ec2d69900a825e (diff) |
Added check for binary scripts
Added NDPI_HTTP_NUMERIC_IP_HOST risk
ndpi_risk moved to 32 bit
-rw-r--r-- | example/ndpiReader.c | 12 | ||||
-rw-r--r-- | src/include/ndpi_define.h.in | 13 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 3 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 4 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 3 | ||||
-rw-r--r-- | src/lib/protocols/http.c | 40 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 10 |
7 files changed, 57 insertions, 28 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 30a6f9589..83144b46e 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -1220,7 +1220,7 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa
 fprintf(out, "[Risk: ");
 for(i=0; i<NDPI_MAX_RISK; i++)
- if(NDPI_ISSET_BIT_16(flow->risk, i))
+ if(NDPI_ISSET_BIT(flow->risk, i))
 fprintf(out, "** %s **", ndpi_risk2str(i));
 fprintf(out, "]");
@@ -3044,17 +3044,17 @@ void test_lib() {
 /* *********************************************** */
 static void bitmapUnitTest() {
- u_int16_t val, i, j;
+ u_int32_t val, i, j;
 for(i=0; i<16; i++) {
- NDPI_ZERO_16(val);
- NDPI_SET_BIT_16(val, i);
+ val = 0;
+ NDPI_SET_BIT(val, i);
- assert(NDPI_ISSET_BIT_16(val, i));
+ assert(NDPI_ISSET_BIT(val, i));
 for(j=0; j<16; j++) {
 if(j != i) {
- assert(!NDPI_ISSET_BIT_16(val, j));
+ assert(!NDPI_ISSET_BIT(val, j));
 }
 }
 }
diff --git a/src/include/ndpi_define.h.in b/src/include/ndpi_define.h.in
index f173e6ce7..77e961550 100644
--- a/src/include/ndpi_define.h.in
+++ b/src/include/ndpi_define.h.in
@@ -187,7 +187,7 @@
 (*(mod->ndpi_debug_printf))(proto, mod, log_level, __FILE__, __FUNCTION__, __LINE__, args); \
 }
- /* We must define NDPI_CURRENT_PROTO before include ndpi_main.h !!!
+ /* We must define NDPI_CURRENT_PROTO before include ndpi_main.h !!!
 *
 * #include "ndpi_protocol_ids.h"
 * #define NDPI_CURRENT_PROTO NDPI_PROTOCOL_XXXX
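Review bot: bitmapUnitTest in the second hunk still loops `i<16` and `j<16` although `val` is now `u_int32_t`, so the upper 16 bits that this commit adds are never exercised and a defect in the macros at bit 31 would pass unnoticed; change both bounds to `for(i=0; i<32; i++)` and `for(j=0; j<32; j++)`, or derive the bound from `8 * sizeof(val)`. The printFlow loop in the first hunk already iterates to `NDPI_MAX_RISK`, so the test is the only place with a hard-coded width. bitmapUnitTest's closing brace lies outside the hunk.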
@@ -274,11 +274,10 @@
 #define NDPI_BITMASK_SET_ALL(a) NDPI_ONE(&a)
 #define NDPI_BITMASK_SET(a, b) { memcpy(&a, &b, sizeof(NDPI_PROTOCOL_BITMASK)); }
-#define NDPI_SET_BIT_16(num, n) num |= 1UL << n
-#define NDPI_CLR_BIT_16(num, n) num &= ~(1UL << n)
-#define NDPI_CLR_BIT_16(num, n) num &= ~(1UL << n)
-#define NDPI_ZERO_16(num) num = 0
-#define NDPI_ISSET_BIT_16(num, n) (num & (1 << n))
+#define NDPI_SET_BIT(num, n) num |= 1UL << n
+#define NDPI_CLR_BIT(num, n) num &= ~(1UL << n)
+#define NDPI_CLR_BIT(num, n) num &= ~(1UL << n)
+#define NDPI_ISSET_BIT(num, n) (num & (1 << n))
 /* this is a very very tricky macro *g*,
 * the compiler will remove all shifts here if the protocol is static...
@@ -334,7 +333,7 @@
 #define match_first_bytes(payload,st) (memcmp((payload),(st),(sizeof(st)-1))==0)
 #if defined(WIN32) && !defined(snprintf)
-#define snprintf _snprintf
+#define snprintf _snprintf
 #endif
 #define NDPI_MAX_DNS_REQUESTS 16
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 10d150877..4d8796261 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -63,6 +63,7 @@ typedef enum {
 NDPI_TLS_CERTIFICATE_EXPIRED,
 NDPI_TLS_CERTIFICATE_MISMATCH,
 NDPI_HTTP_SUSPICIOUS_USER_AGENT,
+ NDPI_HTTP_NUMERIC_IP_HOST,
 /* Leave this as last member */
 NDPI_MAX_RISK
@@ -1167,7 +1168,7 @@ struct ndpi_flow_struct {
 u_char host_server_name[240];
 u_int8_t initial_binary_bytes[8], initial_binary_bytes_len;
 u_int8_t risk_checked;
- u_int16_t risk; /* Issues found with this flow [bitmask of ndpi_risk] */
+ u_int32_t risk; /* Issues found with this flow [bitmask of ndpi_risk] */
 /* This structure below will not not stay inside the protos
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 59d4f3491..fc7a5e530 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
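Review bot: `NDPI_CLR_BIT` is defined twice on the new side of the first hunk (the duplicated `NDPI_CLR_BIT_16` line was carried over rather than dropped), and `NDPI_ISSET_BIT` tests with `1 << n` (an `int`) while `NDPI_SET_BIT` sets with `1UL << n`; now that `flow->risk` is 32 bits wide, testing bit 31 through `1 << 31` is signed overflow, i.e. undefined behaviour, and the two macros can disagree. Remove the duplicate line and make the three macros use the same unsigned shift with parenthesised arguments: `#define NDPI_SET_BIT(num, n) ((num) |= (1UL << (n)))`, `#define NDPI_CLR_BIT(num, n) ((num) &= ~(1UL << (n)))`, `#define NDPI_ISSET_BIT(num, n) ((num) & (1UL << (n)))`. The ndpi_typedefs.h hunks on this line turn every `ndpi_risk` enumerator into a bit index of a `u_int32_t`, so a compile-time guard next to the enum such as `_Static_assert(NDPI_MAX_RISK <= 32, "ndpi_risk no longer fits in flow->risk")` would catch the next time the enum outgrows the field, provided the build is C11.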
@@ -4600,7 +4600,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct && (found->proto->protoId != NDPI_PROTOCOL_UNKNOWN) && (found->proto->protoId != ret.master_protocol)) { // printf("******** %u / %u\n", found->proto->protoId, ret.master_protocol); - NDPI_SET_BIT_16(flow->risk, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT); + NDPI_SET_BIT(flow->risk, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT); } else if(default_ports && (default_ports[0] != 0)) { u_int8_t found = 0, i; @@ -4613,7 +4613,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct if(!found) { // printf("******** Invalid default port\n"); - NDPI_SET_BIT_16(flow->risk, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT); + NDPI_SET_BIT(flow->risk, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT); } } diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index f2c2c2bc9..2f4419344 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -1440,6 +1440,9 @@ const char* ndpi_risk2str(ndpi_risk risk) { case NDPI_HTTP_SUSPICIOUS_USER_AGENT: return("HTTP Suspicious User-Agent"); + + case NDPI_HTTP_NUMERIC_IP_HOST: + return("HTTP Numeric IP Address"); default: return(""); diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 1c81f8cfb..b648bf754 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c 
@@ -51,18 +51,23 @@ static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struc
 static void ndpi_analyze_content_signature(struct ndpi_flow_struct *flow) {
 if((flow->initial_binary_bytes_len >= 2) && (flow->initial_binary_bytes[0] == 0x4D) && (flow->initial_binary_bytes[1] == 0x5A))
- NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER); /* Win executable */
+ NDPI_SET_BIT(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER); /* Win executable */
 else if((flow->initial_binary_bytes_len >= 4) && (flow->initial_binary_bytes[0] == 0x7F) && (flow->initial_binary_bytes[1] == 'E') && (flow->initial_binary_bytes[2] == 'L') && (flow->initial_binary_bytes[3] == 'F'))
- NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER); /* Linux executable */
+ NDPI_SET_BIT(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER); /* Linux executable */
 else if((flow->initial_binary_bytes_len >= 4) && (flow->initial_binary_bytes[0] == 0xCF) && (flow->initial_binary_bytes[1] == 0xFA) && (flow->initial_binary_bytes[2] == 0xED) && (flow->initial_binary_bytes[3] == 0xFE))
- NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER); /* Linux executable */
+ NDPI_SET_BIT(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER); /* Linux executable */
+ else if((flow->initial_binary_bytes_len >= 3)
+ && (flow->initial_binary_bytes[0] == '#')
+ && (flow->initial_binary_bytes[1] == '!')
+ && (flow->initial_binary_bytes[2] == '/'))
+ NDPI_SET_BIT(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER); /* Unix script (e.g. #!/bin/sh) */
 else if(flow->initial_binary_bytes_len >= 8) {
 u_int8_t exec_pattern[] = { 0x64, 0x65, 0x78, 0x0A, 0x30, 0x33, 0x35, 0x00 };
 if(memcmp(flow->initial_binary_bytes, exec_pattern, 8) == 0)
- NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER); /* Dalvik Executable (Android) */
+ NDPI_SET_BIT(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER); /* Dalvik Executable (Android) */
 }
 }
@@ -111,7 +116,7 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
 for (int i = 0; binary_file_mimes[i] != NULL; i++) {
 if (ndpi_strncasestr(app, binary_file_mimes[i], app_len_avail) != NULL) {
 flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
- NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER);
+ NDPI_SET_BIT(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER);
 NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer");
 return(flow->category);
 }
@@ -128,7 +133,7 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
 if (ndpi_strncasestr((const char*)&packet->content_disposition_line.ptr[attachment_len], binary_file_ext[i], filename_len)) {
 flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
- NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER);
+ NDPI_SET_BIT(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER);
 NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer");
 return(flow->category);
 }
@@ -246,7 +251,24 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru
 || (!strcmp(ua, "test"))
 || (!strcmp(ua, "<?"))
 || ndpi_match_bigram(ndpi_struct, &ndpi_struct->bigrams_automa, ua)) {
- NDPI_SET_BIT_16(flow->risk, NDPI_HTTP_SUSPICIOUS_USER_AGENT);
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_USER_AGENT);
+ }
+}
+
+/* ************************************************************* */
+
+static void ndpi_check_numeric_ip(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow,
+ char *ip, u_int ip_len) {
+ char buf[22];
+ struct in_addr ip_addr;
+
+ strncpy(buf, ip, ip_len);
+ buf[ip_len] = '\0';
+
+ ip_addr.s_addr = inet_addr(buf);;
+ if(strcmp(inet_ntoa(ip_addr), buf) == 0) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_NUMERIC_IP_HOST);
 }
 }
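Review bot: ndpi_check_numeric_ip in the third hunk copies `ip_len` bytes into `char buf[22]` and then writes `buf[ip_len]` without checking `ip_len` itself, so the only thing standing between a long Host header and a stack overwrite is the caller's `packet->host_line.len < 21` test in the next hunk; the function should enforce its own bound with `if(ip_len >= sizeof(buf)) return;` before the `strncpy`. The line `ip_addr.s_addr = inet_addr(buf);;` carries a stray semicolon, and `inet_ntoa` returns a static buffer, so the check is not reentrant when the library is driven from several threads; `if(inet_pton(AF_INET, buf, &ip_addr) == 1)` accepts only dotted-decimal input and replaces both the `inet_addr` call and the `inet_ntoa`/`strcmp` round trip. A Host value that carries a port (constructed example: `192.0.2.1:8080`) will never compare equal and is therefore not flagged, which deserves a comment if it is intended. `ip` is never written through and can be declared `const char *ip`.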
@@ -270,6 +292,10 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
 && (packet->host_line.len > 0)) {
 int len = packet->http_url_name.len + packet->host_line.len + 1;
+ if(isdigit(packet->host_line.ptr[0])
+ && (packet->host_line.len < 21))
+ ndpi_check_numeric_ip(ndpi_struct, flow, (char*)packet->host_line.ptr, packet->host_line.len);
+
 flow->http.url = ndpi_malloc(len);
 if(flow->http.url) {
 strncpy(flow->http.url, (char*)packet->host_line.ptr, packet->host_line.len);
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 327f7dc15..62b2e3cf8 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -376,7 +376,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
 if((flow->packet.tick_timestamp < flow->protos.stun_ssl.ssl.notBefore) || (flow->packet.tick_timestamp > flow->protos.stun_ssl.ssl.notAfter))
- NDPI_SET_BIT_16(flow->risk, NDPI_TLS_CERTIFICATE_EXPIRED); /* Certificate expired */
+ NDPI_SET_BIT(flow->risk, NDPI_TLS_CERTIFICATE_EXPIRED); /* Certificate expired */
 }
 }
 }
@@ -460,7 +460,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
 } /* while */
 if(!matched_name)
- NDPI_SET_BIT_16(flow->risk, NDPI_TLS_CERTIFICATE_MISMATCH); /* Certificate mismatch */
+ NDPI_SET_BIT(flow->risk, NDPI_TLS_CERTIFICATE_MISMATCH); /* Certificate mismatch */
 }
 }
@@ -468,7 +468,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
 if(flow->protos.stun_ssl.ssl.subjectDN && flow->protos.stun_ssl.ssl.issuerDN && (!strcmp(flow->protos.stun_ssl.ssl.subjectDN, flow->protos.stun_ssl.ssl.issuerDN)))
- NDPI_SET_BIT_16(flow->risk, NDPI_TLS_SELFSIGNED_CERTIFICATE);
+ NDPI_SET_BIT(flow->risk, NDPI_TLS_SELFSIGNED_CERTIFICATE);
 #if DEBUG_TLS
 printf("[TLS] %s() SubjectDN [%s]\n", __FUNCTION__, rdnSeqBuf);
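Review bot: the `packet->host_line.len < 21` guard in the first hunk is the only protection for the fixed `char buf[22]` inside ndpi_check_numeric_ip, and the two numbers are kept in sync by hand in different functions; a comment on the guard, `/* must stay below sizeof(buf) in ndpi_check_numeric_ip */`, or a shared constant would stop the next edit from widening one without the other. `isdigit()` is only defined for values representable as `unsigned char` or EOF, so if `host_line.ptr` is a plain `char *` the call should read `isdigit((unsigned char)packet->host_line.ptr[0])`; the `(char*)` cast two lines below suggests the field is an unsigned byte pointer, in which case this is already fine. The enclosing if-block and function continue outside the hunk.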
@@ -855,7 +855,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, tls_version = ntohs(*((u_int16_t*)&packet->payload[version_offset])); flow->protos.stun_ssl.ssl.ssl_version = ja3.tls_handshake_version = tls_version; if(flow->protos.stun_ssl.ssl.ssl_version < 0x0302) /* TLSv1.1 */ - NDPI_SET_BIT_16(flow->risk, NDPI_TLS_OBSOLETE_VERSION); + NDPI_SET_BIT(flow->risk, NDPI_TLS_OBSOLETE_VERSION); if(handshake_type == 0x02 /* Server Hello */) { int i, rc; @@ -880,7 +880,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, ja3.num_cipher = 1, ja3.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset])); if((flow->protos.stun_ssl.ssl.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.cipher[0])) == 1) - NDPI_SET_BIT_16(flow->risk, NDPI_TLS_WEAK_CIPHER); + NDPI_SET_BIT(flow->risk, NDPI_TLS_WEAK_CIPHER); flow->protos.stun_ssl.ssl.server_cipher = ja3.cipher[0]; |