author | Luca Deri <deri@ntop.org> | 2021-03-30 17:50:19 +0200 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2021-03-30 17:50:19 +0200 |
commit | c1d6e3f14591b1203ed502aa3f4d023a9ed97c08 (patch) | |
tree | 2d6d50b6d9a7d904f183183fcf55fdef4f934561 /src/lib/protocols/mining.c | |
parent | 637b2063edff2bcf7d5c35b73cd552b20a276131 (diff) |
Improved mining detection support
Diffstat (limited to 'src/lib/protocols/mining.c')
-rw-r--r-- | src/lib/protocols/mining.c | 38 |
1 files changed, 33 insertions, 5 deletions
diff --git a/src/lib/protocols/mining.c b/src/lib/protocols/mining.c
index bed0cc711..16b82eb7f 100644
--- a/src/lib/protocols/mining.c
+++ b/src/lib/protocols/mining.c
@@ -26,6 +26,16 @@
 /* ************************************************************************** */
+static void cacheMiningHostTwins(struct ndpi_detection_module_struct *ndpi_struct,
+ u_int32_t host_keys /* network byte order */) {
+ if(ndpi_struct->mining_cache == NULL) ndpi_struct->mining_cache = ndpi_lru_cache_init(1024);
+
+ if(ndpi_struct->mining_cache)
+ ndpi_lru_add_to_cache(ndpi_struct->mining_cache, host_keys, NDPI_PROTOCOL_MINING);
+}
+
+/* ************************************************************************** */
+
 void ndpi_search_mining_udp(struct ndpi_detection_module_struct *ndpi_struct,
 struct ndpi_flow_struct *flow) {
 struct ndpi_packet_struct *packet = &flow->packet;
@@ -51,6 +61,7 @@ void ndpi_search_mining_udp(struct ndpi_detection_module_struct *ndpi_struct,
 else {
 snprintf(flow->flow_extra_info, sizeof(flow->flow_extra_info), "%s", "ETH");
 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN);
+ cacheMiningHostTwins(ndpi_struct, flow->packet.iph->saddr + flow->packet.iph->daddr);
 return;
 }
 }
@@ -60,6 +71,12 @@ void ndpi_search_mining_udp(struct ndpi_detection_module_struct *ndpi_struct,
 /* ************************************************************************** */
+static u_int8_t isEthPort(u_int16_t dport) {
+ return(((dport >= 30300) && (dport <= 30305)) ? 1 : 0);
+}
+
+/* ************************************************************************** */
+
 void ndpi_search_mining_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 struct ndpi_flow_struct *flow) {
 struct ndpi_packet_struct *packet = &flow->packet;
@@ -68,7 +85,6 @@ void ndpi_search_mining_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 /* Check connection over TCP */
 if(packet->payload_packet_len > 10) {
- if(packet->tcp->source == htons(8333)) { /* Bitcoin 
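Review bot: cacheMiningHostTwins() takes an opaque `host_keys` with no comment on how the key is built or what an entry means, while every call site this commit adds passes `saddr + daddr`; a reader of the helper alone cannot tell that the key is deliberately direction-independent. A header comment would settle it, e.g. `/* Remember the IPv4 host pair of a detected mining flow so later flows between the same two hosts can be classified from the cache; host_keys is saddr + daddr (network order) so both directions share one entry. */`. The sum is symmetric by design but also collides for unrelated host pairs whose 32-bit sums coincide, so if the lookup side (not in this diff) treats a hit as a final classification it can mislabel unrelated flows — worth stating the accepted false-positive trade-off or mixing the two addresses more strongly. The lazy `ndpi_lru_cache_init(1024)` is simply retried on the next call when it fails, which is fine, but the unguarded check-then-assign on `ndpi_struct->mining_cache` is a race if one detection module is shared between capture threads; please confirm the threading model.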
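Review bot: The added `cacheMiningHostTwins(ndpi_struct, flow->packet.iph->saddr + flow->packet.iph->daddr)` dereferences `flow->packet.iph` unconditionally, and as far as I recall nDPI leaves `iph` NULL for IPv6 packets (the header is in `iphv6`), so an IPv6 ETH discovery flow reaching this branch would crash the detection engine — please check against `ndpi_packet_struct`. The guard is one line at the call site, `if(flow->packet.iph) cacheMiningHostTwins(ndpi_struct, flow->packet.iph->saddr + flow->packet.iph->daddr);`, or, to cover the three other call sites this commit adds in one place, a NULL check inside the helper. Either way IPv6 mining flows are not cached and a comment should say so. The body of ndpi_search_mining_udp starts and ends outside this hunk.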
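Review bot: isEthPort() widens the former exact `htons(30303)` test to the range 30300–30305 without a comment on why these bounds were chosen or which byte order the argument is in, so the magic numbers will be hard to revisit. Suggest documenting both, e.g. `/* dport in host byte order. Ethereum devp2p defaults to 30303; the neighbouring ports are presumably accepted for nodes run with a shifted base port. Widening this range directly raises false positives of the size-based heuristic it gates. */`. The `? 1 : 0` is redundant since the comparison already yields 0 or 1, so `return (dport >= 30300) && (dport <= 30305);` reads cleaner.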
@@ -80,15 +96,23 @@ void ndpi_search_mining_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 if((*to_match == magic) || (*to_match == magic1)) {
 snprintf(flow->flow_extra_info, sizeof(flow->flow_extra_info), "%s", "ETH");
 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN);
+ cacheMiningHostTwins(ndpi_struct, flow->packet.iph->saddr + flow->packet.iph->daddr);
+ return;
 }
 }
- if((packet->payload_packet_len > 450)
+ if((packet->payload_packet_len > 300)
 && (packet->payload_packet_len < 600)
- && (packet->tcp->dest == htons(30303) /* Ethereum port */)
 && (packet->payload[2] == 0x04)) {
- snprintf(flow->flow_extra_info, sizeof(flow->flow_extra_info), "%s", "ETH");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN);
+
+ if(isEthPort(ntohs(packet->tcp->dest)) /* Ethereum port */) {
+ snprintf(flow->flow_extra_info, sizeof(flow->flow_extra_info), "%s", "ETH");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN);
+ cacheMiningHostTwins(ndpi_struct, flow->packet.iph->saddr + flow->packet.iph->daddr);
+ return;
+ } else
+ flow->guessed_protocol_id = NDPI_PROTOCOL_MINING;
+
 } else if(ndpi_strnstr((const char *)packet->payload, "{", packet->payload_packet_len)
 && ( ndpi_strnstr((const char *)packet->payload, "\"eth1.0\"", packet->payload_packet_len) 
@@ -104,6 +128,8 @@ void ndpi_search_mining_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 */
 snprintf(flow->flow_extra_info, sizeof(flow->flow_extra_info), "%s", "ETH");
 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN);
+ cacheMiningHostTwins(ndpi_struct, flow->packet.iph->saddr + flow->packet.iph->daddr);
+ return;
 } else if(ndpi_strnstr((const char *)packet->payload, "{", packet->payload_packet_len)
 && (ndpi_strnstr((const char *)packet->payload, "\"method\":", packet->payload_packet_len)
 || ndpi_strnstr((const char *)packet->payload, "\"blob\":", packet->payload_packet_len)
@@ -125,6 +151,8 @@ void ndpi_search_mining_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 */
 snprintf(flow->flow_extra_info, sizeof(flow->flow_extra_info), "%s", "ZCash/Monero");
 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN);
+ cacheMiningHostTwins(ndpi_struct, flow->packet.iph->saddr + flow->packet.iph->daddr);
+ return;
 }
 } |
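Review bot: Seeding the mining cache from this branch lets a client-controlled payload decide the classification of later traffic between two hosts: the condition that leads here (visible in the previous hunk) is only that `"{"` and `"\"eth1.0\""` appear somewhere in the payload, and the new `cacheMiningHostTwins(ndpi_struct, flow->packet.iph->saddr + flow->packet.iph->daddr)` runs on that alone. If later flows between the same hosts consult the cache before the heuristics run (the lookup side is not in this diff), one crafted packet is enough to have all of them labelled mining — a cheap classification-poisoning vector; consider caching only once a server-side response has been seen, or at least record the caveat with `/* NOTE: cache is seeded from a client-controlled JSON payload; a hit must stay a hint, not a final verdict */`. The added `return;` now skips whatever follows the if/else-if chain, which continues outside this hunk, so I cannot see what is bypassed. The unconditional `flow->packet.iph` dereference raised on the UDP call site applies here as well.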