authorToni <matzeton@googlemail.com>2022-02-07 18:05:23 +0100
committerGitHub <noreply@github.com>2022-02-07 18:05:23 +0100
commitd59f0327a592d6cedfdd29eacb5356abdda9388d (patch)
tree69ff279cc07564e9215cd3ab99355cf1f0e3ab3b
parentff38d4b98008d3b10dbdee0330e9b8c62a99ce9a (diff)
Improved MDNS/LLMNR detection. (#1437)
* Checking for port 5353/5355 is not enough. * Added additional multicast address and header checks. Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
3 files changed, 43 insertions, 0 deletions
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 96b1f5da7..847fc5f24 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -119,6 +119,26 @@ static u_int16_t checkPort(u_int16_t port) {
/* *********************************************** */
+static int isMDNSMulticastAddress(struct ndpi_packet_struct * const packet)
+{
+ return (packet->iph && ntohl(packet->iph->daddr) == 0xE00000FB /* multicast: 224.0.0.251 */) ||
+ (packet->iphv6 && ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[0]) == 0xFF020000 &&
+ ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[1]) == 0x00000000 &&
+ ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[2]) == 0x00000000 &&
+ ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[3]) == 0x000000FB /* multicast: FF02::FB */);
+}
+
+static int isLLMNRMulticastAddress(struct ndpi_packet_struct *const packet)
+{
+ return (packet->iph && ntohl(packet->iph->daddr) == 0xE00000FC /* multicast: 224.0.0.252 */) ||
+ (packet->iphv6 && ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[0]) == 0xFF020000 &&
+ ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[1]) == 0x00000000 &&
+ ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[2]) == 0x00000000 &&
+ ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[3]) == 0x00010003 /* multicast: FF02::1:3 */);
+}
+
+/* *********************************************** */
+
static u_int16_t checkDNSSubprotocol(u_int16_t sport, u_int16_t dport) {
u_int16_t rc = checkPort(sport);
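Review bot: The four-word FF02:: comparison is duplicated verbatim in isMDNSMulticastAddress and isLLMNRMulticastAddress (lines 23-26 and 32-35); only the last word differs, so a shared helper keeps the two definitions from drifting apart if a third multicast group is ever added. Neither function writes through `packet`, so the parameter can be `const struct ndpi_packet_struct * const packet`, and the `ntohl()` calls on words compared against zero are redundant since zero is byte-order invariant. Both functions do test `iph`/`iphv6` for NULL before dereferencing, and the group addresses in the comments (224.0.0.251 / FF02::FB for mDNS, 224.0.0.252 / FF02::1:3 for LLMNR) match the constants. A short RFC reference on each function would save the next reader a lookup.
```c
/* True when the packet's IPv6 destination is the link-local group FF02::<last_word>. */
static int isIPv6LinkLocalMulticast(const struct ndpi_packet_struct * const packet, u_int32_t last_word)
{
  if (packet->iphv6 == NULL)
    return 0;
  return ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[0]) == 0xFF020000 &&
         packet->iphv6->ip6_dst.u6_addr.u6_addr32[1] == 0 &&
         packet->iphv6->ip6_dst.u6_addr.u6_addr32[2] == 0 &&
         ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[3]) == last_word;
}

/* mDNS (RFC 6762) groups: 224.0.0.251 / FF02::FB. */
static int isMDNSMulticastAddress(const struct ndpi_packet_struct * const packet)
{
  return (packet->iph && ntohl(packet->iph->daddr) == 0xE00000FB) ||
         isIPv6LinkLocalMulticast(packet, 0x000000FB);
}

/* LLMNR (RFC 4795) groups: 224.0.0.252 / FF02::1:3. */
static int isLLMNRMulticastAddress(const struct ndpi_packet_struct * const packet)
{
  return (packet->iph && ntohl(packet->iph->daddr) == 0xE00000FC) ||
         isIPv6LinkLocalMulticast(packet, 0x00010003);
}
```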
@@ -354,6 +374,19 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st
s_port = ntohs(packet->udp->source);
d_port = ntohs(packet->udp->dest);
payload_offset = 0;
+
+ /* For MDNS/LLMNR: If the packet is not a response, dest addr needs to be multicast. */
+ if ((d_port == MDNS_PORT && isMDNSMulticastAddress(packet) == 0) ||
+ (d_port == LLMNR_PORT && isLLMNRMulticastAddress(packet) == 0))
+ {
+ if (packet->payload_packet_len > 5 &&
+ ntohs(get_u_int16_t(packet->payload, 2)) != 0 &&
+ ntohs(get_u_int16_t(packet->payload, 4)) != 0)
+ {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+ }
} else if(packet->tcp != NULL) /* pkt size > 512 bytes */ {
s_port = ntohs(packet->tcp->source);
d_port = ntohs(packet->tcp->dest);
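Review bot: The comment on line 47 says the packet is rejected when it is "not a response", but the code never tests the QR bit: it excludes any unicast-destination packet on 5353/5355 whose whole flags word (offset 2) and QDCOUNT (offset 4) are both non-zero. That is a broader heuristic than documented — a plain query with only RD set (`0x0100`) sent unicast to port 5353 is excluded too, whereas a DNSCrypt packet (the new pcap) is caught regardless of which bits of its client magic land in the QR position, which is presumably why the broad form was chosen. If the broad rule is intended, reword the comment to state it, e.g. `/* MDNS/LLMNR to a unicast destination: accept only a flag-less query or a question-less response; anything else (e.g. DNSCrypt reusing the port) is excluded. */`; if the narrow rule is intended, test the bit explicitly with `(ntohs(get_u_int16_t(packet->payload, 2)) & 0x8000) == 0`. The bound `payload_packet_len > 5` correctly covers the two-byte read at offset 4. ndpi_search_dns starts before this hunk and continues after it.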
diff --git a/tests/pcap/dnscrypt-v2.pcap b/tests/pcap/dnscrypt-v2.pcap
new file mode 100644
index 000000000..676ab73a3
--- /dev/null
+++ b/tests/pcap/dnscrypt-v2.pcap
Binary files differ
diff --git a/tests/result/dnscrypt-v2.pcap.out b/tests/result/dnscrypt-v2.pcap.out
new file mode 100644
index 000000000..5b0cd7915
--- /dev/null
+++ b/tests/result/dnscrypt-v2.pcap.out
@@ -0,0 +1,10 @@
+Guessed flow protos: 0
+
+DPI Packets (UDP): 6 (2.00 pkts/flow)
+Confidence DPI : 3 (flows)
+
+DNScrypt 6 4300 3
+
+ 1 UDP 127.0.0.1:50893 <-> 127.0.0.2:5353 [proto: 208/DNScrypt][Encrypted][Confidence: DPI][cat: Network/14][1 pkts/1130 bytes <-> 1 pkts/410 bytes][Goodput ratio: 96/90][0.01 sec][Risk: ** Known Protocol on Non Standard Port **][Risk Score: 50][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 2 UDP 127.0.0.1:38650 <-> 127.0.0.2:5353 [proto: 208/DNScrypt][Encrypted][Confidence: DPI][cat: Network/14][1 pkts/1130 bytes <-> 1 pkts/282 bytes][Goodput ratio: 96/85][0.01 sec][Risk: ** Known Protocol on Non Standard Port **][Risk Score: 50][Plen Bins: 0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 3 UDP 127.0.0.1:42883 <-> 127.0.0.2:5353 [proto: 208/DNScrypt][Encrypted][Confidence: DPI][cat: Network/14][1 pkts/1130 bytes <-> 1 pkts/218 bytes][Goodput ratio: 96/80][0.01 sec][Risk: ** Known Protocol on Non Standard Port **][Risk Score: 50][Plen Bins: 0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0]