authorToni <matzeton@googlemail.com>2021-02-26 17:00:05 +0100
committerGitHub <noreply@github.com>2021-02-26 17:00:05 +0100
commit16890a6632b237020848c7210d3cca6c19645f9d (patch)
treecaded29f6ab0db37365b3d182ff065ac304b1fd6 /example/ndpiReader.c
parentfba61adf5eb56ecd40686f11aab2296f56dd4bbe (diff)
Added NDPI_MALICIOUS_SHA1 flow risk. (#1142)
* An external file which contains known malicious SSL certificate SHA-1 hashes can be loaded via ndpi_load_malicious_sha1_file(...) Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'example/ndpiReader.c')
-rw-r--r--example/ndpiReader.c13
1 files changed, 11 insertions, 2 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index abb5ddb3d..e268b0198 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -68,6 +68,7 @@ static char * bpfFilter = NULL; /**< bpf filter */
static char *_protoFilePath = NULL; /**< Protocol file path */
static char *_customCategoryFilePath= NULL; /**< Custom categories file path */
static char *_maliciousJA3Path = NULL; /**< Malicious JA3 signatures */
+static char *_maliciousSHA1Path = NULL; /**< Malicious SSL certificate SHA1 fingerprints */
static char *_riskyDomainFilePath = NULL; /**< Risky domain files */
static u_int8_t live_capture = 0;
static u_int8_t undetected_flows_deleted = 0;
@@ -439,7 +440,7 @@ static void help(u_int long_help) {
"[-f <filter>][-s <duration>][-m <duration>][-b <num bin clusters>]\n"
" [-p <protos>][-l <loops> [-q][-d][-J][-h][-D][-e <len>][-t][-v <level>]\n"
" [-n <threads>][-w <file>][-c <file>][-C <file>][-j <file>][-x <file>]\n"
- " [-r <file>][-j <file>][-T <num>][-U <num>] [-x <domain>]\n\n"
+ " [-r <file>][-j <file>][-S <file>][-T <num>][-U <num>] [-x <domain>]\n\n"
"Usage:\n"
" -i <file.pcap|device> | Specify a pcap file/playlist to read packets from or a\n"
" | device for live capture (comma-separated list)\n"
@@ -471,6 +472,7 @@ static void help(u_int long_help) {
" -C <path> | Write output in CSV format on the specified file\n"
" -r <path> | Load risky domain file\n"
" -j <path> | Load malicious JA3 fingeprints\n"
+ " -S <path> | Load malicious SSL certificate SHA1 fingerprints\n"
" -w <path> | Write test output on the specified file. This is useful for\n"
" | testing purposes in order to compare results across runs\n"
" -h | This help\n"
@@ -765,7 +767,7 @@ static void parseOptions(int argc, char **argv) {
}
#endif
- while((opt = getopt_long(argc, argv, "b:e:c:C:dDf:g:i:Ij:hp:P:l:r:s:tu:v:V:n:Jrp:x:w:q0123:456:7:89:m:T:U:",
+ while((opt = getopt_long(argc, argv, "b:e:c:C:dDf:g:i:Ij:S:hp:P:l:r:s:tu:v:V:n:Jrp:x:w:q0123:456:7:89:m:T:U:",
longopts, &option_idx)) != EOF) {
#ifdef DEBUG_TRACE
if(trace) fprintf(trace, " #### -%c [%s] #### \n", opt, optarg ? optarg : "");
@@ -802,6 +804,10 @@ static void parseOptions(int argc, char **argv) {
_maliciousJA3Path = optarg;
break;
+ case 'S':
+ _maliciousSHA1Path = optarg;
+ break;
+
case 'm':
pcap_analysis_duration = atol(optarg);
break;
@@ -2069,6 +2075,9 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) {
if(_maliciousJA3Path)
ndpi_load_malicious_ja3_file(ndpi_thread_info[thread_id].workflow->ndpi_struct, _maliciousJA3Path);
+ if(_maliciousSHA1Path)
+ ndpi_load_malicious_sha1_file(ndpi_thread_info[thread_id].workflow->ndpi_struct, _maliciousSHA1Path);
+
ndpi_finalize_initialization(ndpi_thread_info[thread_id].workflow->ndpi_struct);
if(enable_doh_dot_detection)
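Review bot: The result of `ndpi_load_malicious_sha1_file()` on the added line is discarded, so an unreadable or malformed `-S` file leaves the detector running with no certificate blocklist while the operator believes NDPI_MALICIOUS_SHA1 is being enforced — a silent failure of a security control. The existing `ndpi_load_malicious_ja3_file()` call just above has the same shape, but the new call is the one under review and need not repeat it. If the loader signals failure through its return value (its signature is outside this file, so confirm), fail loudly: `if(ndpi_load_malicious_sha1_file(ndpi_thread_info[thread_id].workflow->ndpi_struct, _maliciousSHA1Path) != 0) { fprintf(stderr, "Unable to load malicious SHA1 file %s\n", _maliciousSHA1Path); exit(-1); }`, or at minimum print a warning so the gap is visible in the output. Since setupDetection is called per thread_id, the file is presumably parsed once per thread; a parse error would then be reported once per thread, which is acceptable but worth noting in the message. setupDetection's body starts before and continues past this hunk.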