author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2021-11-24 10:46:48 +0100 |
committer | GitHub <noreply@github.com> | 2021-11-24 10:46:48 +0100 |
commit | a8ffcd8bb0273d59600c6310a80b81206096c113 (patch) | |
tree | 2a62911824363509ea5e7c69afa189e98556e495 /src/include | |
parent | fd02e1b3043eecc5711eb8254aadaa3f43ca7503 (diff) |
Rework how hostname/SNI info is saved (#1330)
Looking at `struct ndpi_flow_struct` the two bigger fields are
`host_server_name[240]` (mainly for HTTP hostnames and DNS domains) and
`protos.tls_quic.client_requested_server_name[256]`
(for TLS/QUIC SNIs).
This commit aims to reduce `struct ndpi_flow_struct` size, according to
two simple observations:
1) maximum one of these two fields is used for each flow. So it seems safe
to merge them;
2) even if hostnames/SNIs might be very long, in practice they are rarely
longer than a few tens of bytes. So, using a (single) large buffer is a
waste of memory for all kinds of flows. If we need to truncate the name,
we keep the *last* characters, easing domain matching.
Analyzing some real traffic, it seems safe to assume that the vast
majority of hostnames/SNIs is shorter than 80 bytes.
Hostnames/SNIs are always converted to lowercase.
Attention was given so as to be sure that unit-tests outputs are not
affected by this change.
Because of a bug, TLS/QUIC SNI were always truncated to 64 bytes (the
*first* 64 ones): as a consequence, there were some "Suspicious DGA
domain name" and "TLS Certificate Mismatch" false positives.
Diffstat (limited to 'src/include')
-rw-r--r-- | src/include/ndpi_main.h | 3 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 11 |
2 files changed, 11 insertions, 3 deletions
diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h
index 66fb5ea1b..190bdc45a 100644
--- a/src/include/ndpi_main.h
+++ b/src/include/ndpi_main.h
@@ -155,6 +155,9 @@ extern "C" {
 void load_common_alpns(struct ndpi_detection_module_struct *ndpi_str);
 u_int8_t is_a_common_alpn(struct ndpi_detection_module_struct *ndpi_str, const char *alpn_to_check, u_int alpn_to_check_len);
+
+ char *ndpi_hostname_sni_set(struct ndpi_flow_struct *flow, const u_int8_t *value, size_t value_len);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 3d6e0dd65..c6e79a951 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1193,8 +1193,14 @@ struct ndpi_flow_struct {
 /* Place textual flow info here */
 char flow_extra_info[16];
- /* HTTP host or DNS query */
- u_char host_server_name[240];
+ /* General purpose field used to save mainly hostname/SNI information.
+ * In details it used for: DNS and NETBIOS name, HTTP and DHCP hostname,
+ * WHOIS request, TLS/QUIC server name and STUN realm.
+ *
+ * Please, think *very* hard before increasing its size!
+ */
+ char host_server_name[80];
+
 u_int8_t initial_binary_bytes[8], initial_binary_bytes_len;
 u_int8_t risk_checked:1, ip_risk_mask_evaluated:1, host_risk_mask_evaluated:1, _notused:5;
 ndpi_risk risk_mask; /* Stores the flow risk mask for flow peers */
@@ -1262,7 +1268,6 @@ struct ndpi_flow_struct {
 struct {
 char ssl_version_str[12];
 u_int16_t ssl_version, server_names_len;
- char client_requested_server_name[256]; /* SNI hostname length: RFC 4366 */
 char *server_names, *alpn, *tls_supported_versions, *issuerDN, *subjectDN;
 u_int32_t notBefore, notAfter;
 char ja3_client[33], ja3_server[33];
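Review bot: The new prototype `ndpi_hostname_sni_set()` in ndpi_main.h is exported without any documentation of its contract, although the commit message describes non-obvious behaviour (lowercasing, and truncation that keeps the *last* bytes of `value` when `value_len` exceeds the field) that the DGA and certificate-mismatch checks depend on. The meaning of the `char *` return value is also not stated in the header; presumably it is a pointer into `flow->host_server_name`, but that cannot be confirmed from this hunk. Suggest a Doxygen comment above the declaration that states the lowercase conversion, the trailing-bytes truncation rule, that the result is NUL-terminated, and what the return value points to, e.g. `/** Copy value[0..value_len) into flow->host_server_name, lowercased; longer names are truncated keeping the trailing bytes. Returns the stored string. */`. The function body lives in a .c file outside this diff, so the NUL-termination guarantee should be verified there before it is written into the comment.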
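Review bot: The new comment on `host_server_name` in ndpi_typedefs.h lists what the field holds but not the invariants readers now rely on: the field shrinks from `u_char[240]` to `char[80]` and also changes signedness, so any caller that copies with a hard-coded 240, formats with a fixed precision, or passes bytes to `<ctype.h>` without an `unsigned char` cast is silently affected, and nothing in the header says the value is lowercase, NUL-terminated, or truncated keeping the tail. Suggest extending the comment with `* Always lowercase and NUL-terminated; names longer than the buffer are truncated keeping the *last* bytes (see ndpi_hostname_sni_set()).` The NUL-termination and truncation claims come from the commit message and the setter is not in this diff, so they should be checked against the implementation before being stated in the header. The callers of the field are outside these hunks; a grep for `host_server_name` and `client_requested_server_name` users that assume the old sizes is worth doing.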