author | Toni Uhlig <matzeton@googlemail.com> | 2020-06-16 22:39:23 +0200 |
committer | Toni Uhlig <matzeton@googlemail.com> | 2020-06-17 01:23:03 +0200 |
commit | da37f2444f5b5ab2e583d3686e5124e8e1738b7a (patch) | |
tree | 7a8d721e037b50be1b732930b36c5a331946f12d | |
parent | 0ddc3a0052cfd3ad539ae0540aa4879bcae80ee5 (diff) |
Implemented proprietary AnyDesk protocol
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r-- | src/include/ndpi_protocol_ids.h | 1 | ||||
-rw-r--r-- | src/lib/ndpi_content_match.c.inc | 10 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 5 | ||||
-rw-r--r-- | tests/pcap/anydesk.pcap | bin | 0 -> 2906892 bytes | |||
-rw-r--r-- | tests/result/anydesk.pcap.out | 9 |
5 files changed, 25 insertions, 0 deletions
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index e2951ec22..01f54c0f9 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -281,6 +281,7 @@ typedef enum {
  NDPI_PROTOCOL_S7COMM = 249,
  NDPI_PROTOCOL_MSTEAMS = 250,
  NDPI_PROTOCOL_WEBSOCKET = 251, /* Leonn Paiva <leonn.paiva@gmail.com> */
+ NDPI_PROTOCOL_ANYDESK = 252, /* Toni Uhlig <matzeton@googlemail.com> */
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_protocol_ids.h"
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 148ee9443..facd57544 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -8390,6 +8390,14 @@ static ndpi_network host_protocol_list[] = {
  { 0xD0163900 /* 208.22.57.0/24 */, 24, NDPI_PROTOCOL_BLOOMBERG },
  { 0x45BFC000 /* 69.191.192.0/18 */, 18, NDPI_PROTOCOL_BLOOMBERG },
+ /* AnyDesk */
+ { 0x3353EF8E /* 51.83.239.142/31 */, 31, NDPI_PROTOCOL_ANYDESK },
+ { 0x3353EF90 /* 51.83.239.144/31 */, 31, NDPI_PROTOCOL_ANYDESK },
+ { 0x3353EEC8 /* 51.83.238.200/29 */, 29, NDPI_PROTOCOL_ANYDESK },
+ { 0x3353EED0 /* 51.83.238.208/29 */, 29, NDPI_PROTOCOL_ANYDESK },
+ { 0x3353EED8 /* 51.83.238.216/30 */, 30, NDPI_PROTOCOL_ANYDESK },
+ { 0x3353EEDC /* 51.83.238.220/31 */, 31, NDPI_PROTOCOL_ANYDESK },
+
  /* Microsoft
@@ -9127,6 +9135,8 @@ static ndpi_protocol_match host_match[] = {
  { "brasilbandalarga.com.br", "EAQ", NDPI_PROTOCOL_EAQ, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
  { ".eaqbr.com.br", "EAQ", NDPI_PROTOCOL_EAQ, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { ".net.anydesk.com", "AnyDesk", NDPI_PROTOCOL_ANYDESK, NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, NDPI_PROTOCOL_ACCEPTABLE },
+
  { NULL, NULL, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NDPI_PROTOCOL_SAFE }
 };
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 59780d288..325f33233 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
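Review bot: The six AnyDesk ranges added to host_protocol_list carry no provenance, so a later maintainer cannot tell whether 51.83.238.200/29 and the other prefixes are still AnyDesk relays or have been reassigned, and an address-range match is the classifier that ages fastest and misfires first on shared hosting. Replace the bare `/* AnyDesk */` with a comment that names the source and date, e.g. `/* AnyDesk relay ranges, taken from <SOURCE-OF-RANGES> on <DATE>; re-verify when relays move */`. The prefixes themselves check out against their hex literals (0x3353EED8 is 51.83.238.216, which covers the relay 51.83.238.219 seen in the test output). host_protocol_list starts before and ends after the hunk.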
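Review bot: The `.net.anydesk.com` entry is the only hostname rule for the new protocol and nothing says why it is this narrow; if leaving the vendor web site unmatched is deliberate, state it, e.g. `/* AnyDesk relay/bootstrap hosts only; the public web site is intentionally not matched */`, otherwise a wider suffix should be considered. Note that the test output in this commit shows the relay certificate identifies itself only as `CN=AnyNet Relay`, so this hostname rule cannot be the sole classifier and the IP ranges in the previous hunk remain load-bearing. host_match starts before the hunk.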
@@ -1476,6 +1476,11 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
  no_master, "WebSocket", NDPI_PROTOCOL_CATEGORY_WEB,
  ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
  ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+ ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_ANYDESK,
+ 1 /* no subprotocol */, no_master,
+ no_master, "AnyDesk", NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS,
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_main.c"
diff --git a/tests/pcap/anydesk.pcap b/tests/pcap/anydesk.pcap
Binary files differ
new file mode 100644
index 000000000..8b9c70352
--- /dev/null
+++ b/tests/pcap/anydesk.pcap
diff --git a/tests/result/anydesk.pcap.out b/tests/result/anydesk.pcap.out
new file mode 100644
index 000000000..d973bd9f4
--- /dev/null
+++ b/tests/result/anydesk.pcap.out
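Review bot: The AnyDesk ndpi_set_proto_defaults call registers no default TCP or UDP ports, so classification rests entirely on the host and IP tables and no port hint is available; the test result in this commit shows both relay sessions running over port 80, with the TLS one flagged by the non-standard-port risk. If direct peer-to-peer sessions are in scope, AnyDesk's documented direct-connection port (6568/tcp, to be confirmed against current vendor documentation) would go in `ndpi_build_default_ports(ports_a, 6568, 0, 0, 0, 0) /* TCP */`; if relay-only coverage is intentional, a comment on the call saying so would stop the next reader from "fixing" it. ndpi_init_protocol_defaults starts before and continues after the hunk.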
@@ -0,0 +1,9 @@
+AnyDesk 6963 2795460 2
+
+JA3 Host Stats:
+ IP Address # JA3C
+ 1 192.168.149.129 1
+
+
+ 1 TCP 192.168.149.129:43535 <-> 51.83.238.219:80 [proto: 91.252/TLS.AnyDesk][cat: RemoteAccess/12][2942 pkts/175103 bytes <-> 4001 pkts/2618640 bytes][Goodput ratio: 9/92][55.97 sec][bytes ratio: -0.875 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 19/14 7028/7028 153/126][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 60/654 1514/1514 50/618][Risk: ** Known protocol on non standard port **** TLS (probably) not carrying HTTPS **][TLSv1.2][JA3C: 201999283915cc31cee6b15472ef3332][JA3S: 107030a763c7224285717ff1569a17f3][Issuer: CN=AnyNet Root CA, O=philandro Software GmbH, C=DE][Subject: C=DE, O=philandro Software GmbH, CN=AnyNet Relay][Certificate SHA-1: 9E:08:D2:58:A9:02:CD:4F:E2:4A:26:B8:48:5C:43:0B:81:29:99:E3][Validity: 2018-11-18 02:14:23 - 2028-11-15 02:14:23][Cipher: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384]
+ 2 TCP 192.168.149.129:36351 <-> 51.83.239.144:80 [proto: 7.252/HTTP.AnyDesk][cat: RemoteAccess/12][10 pkts/792 bytes <-> 10 pkts/925 bytes][Goodput ratio: 32/38][45.83 sec][bytes ratio: -0.077 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 32/31 5700/5700 15000/15001 7162/7162][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 79/92 105/213 25/45] |