authorToni <matzeton@googlemail.com>2021-02-26 17:00:05 +0100
committerGitHub <noreply@github.com>2021-02-26 17:00:05 +0100
commit16890a6632b237020848c7210d3cca6c19645f9d (patch)
treecaded29f6ab0db37365b3d182ff065ac304b1fd6 /src/include
parentfba61adf5eb56ecd40686f11aab2296f56dd4bbe (diff)
Added NDPI_MALICIOUS_SHA1 flow risk. (#1142)
* An external file which contains known malicious SSL certificate SHA-1 hashes can be loaded via ndpi_load_malicious_sha1_file(...) Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'src/include')
-rw-r--r--src/include/ndpi_api.h.in9
-rw-r--r--src/include/ndpi_typedefs.h3
2 files changed, 11 insertions, 1 deletions
diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in
index 4e63d1d22..0e6a50518 100644
--- a/src/include/ndpi_api.h.in
+++ b/src/include/ndpi_api.h.in
@@ -716,6 +716,15 @@ extern "C" {
int ndpi_load_malicious_ja3_file(struct ndpi_detection_module_struct *ndpi_str, const char *path);
/**
+ * Read a file and load the list of malicious SSL certificate SHA1 fingerprints.
+ * @par ndpi_mod = the detection module
+ * @par path = the path of the file
+ * @return 0 if the file is loaded correctly;
+ * -1 else
+ */
+ int ndpi_load_malicious_sha1_file(struct ndpi_detection_module_struct *ndpi_str, const char *path);
+
+ /**
* Get the total number of the supported protocols
*
* @par ndpi_mod = the detection module
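Review bot: The doc comment added for `ndpi_load_malicious_sha1_file` names the parameter `ndpi_mod` while the prototype calls it `ndpi_str`, and it does not describe the file the function expects. For a certificate blocklist the input contract matters: state the expected line format (one fingerprint per line, hex encoding, whether case and separators such as `:` are normalised) and what happens to malformed or duplicate lines. As written, `0 if the file is loaded correctly; -1 else` leaves open whether a file with some rejected entries still returns 0, which would hide missed detections from the caller. Suggested additions: `@par ndpi_str = the detection module` and a line such as `@note one SHA-1 fingerprint per line; <format details as implemented>`.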
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 973e08670..79ccf9c1c 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -92,6 +92,7 @@ typedef enum {
NDPI_RISKY_ASN,
NDPI_RISKY_DOMAIN,
NDPI_MALICIOUS_JA3,
+ NDPI_MALICIOUS_SHA1,
/* Leave this as last member */
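Review bot: `NDPI_MALICIOUS_SHA1` does not say what the SHA-1 is computed over; next to `NDPI_MALICIOUS_JA3` a reader could take it for a payload or file hash. A trailing comment would settle it, e.g. `NDPI_MALICIOUS_SHA1, /* TLS certificate SHA-1 fingerprint matched the loaded blocklist */`. Because the value is inserted before the last member, any table indexed by this enum (risk names, scores) and any fixed-width risk bitmask defined elsewhere would need a matching entry and enough room; those are outside this diff, so this is worth confirming. The enum continues outside the hunk.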
@@ -1101,7 +1102,7 @@ struct ndpi_detection_module_struct {
subprotocol_automa, /* Used for HTTP subprotocol_detection */
bigrams_automa, impossible_bigrams_automa, /* TOR */
risky_domain_automa, tls_cert_subject_automa,
- malicious_ja3_automa;
+ malicious_ja3_automa, malicious_sha1_automa;
/* IMPORTANT: please update ndpi_finalize_initialization() whenever you add a new automa */
struct {
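Review bot: The comment directly under the new `malicious_sha1_automa` field asks for `ndpi_finalize_initialization()` to be updated for every new automa, and that function is not part of this diff (limited to `src/include`). Confirm the new automaton is finalized there and released on module teardown alongside `malicious_ja3_automa`; if it is left unfinalized, lookups against the loaded fingerprints would presumably never match and the new risk would silently not fire. A short field comment such as `/* TLS certificate SHA-1 blocklist */` would match the annotations on the lines above. The struct continues outside the hunk.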