author | Luca Deri <deri@ntop.org> | 2021-05-10 21:14:55 +0200 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2021-05-10 21:14:55 +0200 |
commit | fff60ec31721c32fa4737aba9e40f4d45bd21eca (patch) | |
tree | 47997003f141f392ce971f590683558612b64d2c /src/lib/protocols/mongodb.c | |
parent | 66ebe444aed368fcb0c272034daa0a189a54aa48 (diff) |
Added check to reduce MongoDB false positive detection
Diffstat (limited to 'src/lib/protocols/mongodb.c')
-rw-r--r-- | src/lib/protocols/mongodb.c | 70 |
1 files changed, 36 insertions, 34 deletions
diff --git a/src/lib/protocols/mongodb.c b/src/lib/protocols/mongodb.c index 69f18ca7f..b212cd92c 100644 --- a/src/lib/protocols/mongodb.c +++ b/src/lib/protocols/mongodb.c @@ -27,7 +27,7 @@ #include "ndpi_api.h" enum mongo_opcodes -{ + { OP_REPLY = 1, OP_UPDATE = 2001, OP_INSERT = 2002, @@ -37,26 +37,26 @@ enum mongo_opcodes OP_DELETE = 2006, OP_KILL_CURSORS = 2007, OP_MSG = 2013 -}; + }; struct mongo_message_header { - uint32_t message_length; - uint32_t request_id; - uint32_t response_to; - enum mongo_opcodes op_code; + uint32_t message_length; + uint32_t request_id; + uint32_t response_to; + enum mongo_opcodes op_code; }; static void set_mongodb_detected(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { + struct ndpi_flow_struct *flow) { if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { ndpi_search_tcp_or_udp(ndpi_struct, flow); /* If no custom protocol has been detected */ /* if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) */ - ndpi_int_reset_protocol(flow); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MONGODB, flow->guessed_host_protocol_id); + ndpi_int_reset_protocol(flow); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MONGODB, flow->guessed_host_protocol_id); } } @@ -64,7 +64,7 @@ static void set_mongodb_detected(struct ndpi_detection_module_struct *ndpi_struc /*************************************************************************************************/ static void ndpi_check_mongodb(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { + struct ndpi_flow_struct *flow) { struct mongo_message_header mongodb_hdr; struct ndpi_packet_struct *packet = &flow->packet; 
@@ -75,35 +75,38 @@ static void ndpi_check_mongodb(struct ndpi_detection_module_struct *ndpi_struct, memcpy(&mongodb_hdr, packet->payload, sizeof(struct mongo_message_header)); - mongodb_hdr.message_length = ntohs(mongodb_hdr.message_length); + /* All MongoDB numbers are in host byte order */ + // mongodb_hdr.message_length = ntohl(mongodb_hdr.message_length); - if (mongodb_hdr.message_length < 4) { + if((mongodb_hdr.message_length < 4) + || (mongodb_hdr.message_length > 1000000) /* Used to avoid false positives */ + ) { NDPI_LOG_DBG(ndpi_struct, "Invalid MONGODB length"); NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } switch(mongodb_hdr.op_code) { - case OP_REPLY: - case OP_UPDATE: - case OP_INSERT: - case RESERVED: - case OP_QUERY: - case OP_GET_MORE: - case OP_DELETE: - case OP_KILL_CURSORS: - case OP_MSG: - set_mongodb_detected(ndpi_struct, flow); - break; - default: - NDPI_LOG_DBG(ndpi_struct, "Invalid MONGODB length"); - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - break; + case OP_REPLY: + case OP_UPDATE: + case OP_INSERT: + case RESERVED: + case OP_QUERY: + case OP_GET_MORE: + case OP_DELETE: + case OP_KILL_CURSORS: + case OP_MSG: + set_mongodb_detected(ndpi_struct, flow); + break; + default: + NDPI_LOG_DBG(ndpi_struct, "Invalid MONGODB length"); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + break; } } void ndpi_search_mongodb(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) + struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; 
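Review bot: The comment added above the length check, `/* All MongoDB numbers are in host byte order */`, is inaccurate: MongoDB wire-protocol integers are little-endian, so the `memcpy`'d `message_length` and `op_code` only hold the wire values on little-endian hosts, and on a big-endian build both the new bounds check and the opcode `switch` would reject genuine traffic. Dropping the old `ntohs()` (a 16-bit swap applied to a 32-bit field) is right, but the replacement should decode the two fields explicitly rather than leave the comment as the only change. The lower bound is also looser than the protocol allows: a MongoDB message is never shorter than its 16-byte header, so `if((mongodb_hdr.message_length < sizeof(struct mongo_message_header))` is a tighter, equally safe check, and the `1000000` upper bound would read better as a named constant with the "false positive" rationale attached to it. The `default:` branch of the switch still logs "Invalid MONGODB length" for an unknown opcode; `NDPI_LOG_DBG(ndpi_struct, "Invalid MONGODB opcode");` would say what actually happened. ndpi_check_mongodb begins before this hunk, so whether `payload_packet_len` is compared with the header size before the `memcpy` cannot be confirmed from here.
```c
  memcpy(&mongodb_hdr, packet->payload, sizeof(struct mongo_message_header));

  /* MongoDB wire-protocol integers are little-endian: decode the two fields
     we inspect explicitly instead of relying on host byte order */
  {
    const unsigned char *p = packet->payload;

    mongodb_hdr.message_length = (uint32_t)p[0] | ((uint32_t)p[1] << 8)
      | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    mongodb_hdr.op_code = (enum mongo_opcodes)((uint32_t)p[12] | ((uint32_t)p[13] << 8)
      | ((uint32_t)p[14] << 16) | ((uint32_t)p[15] << 24));
  }

  /* … unchanged: length bounds check and opcode switch … */
```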
@@ -127,13 +130,12 @@ void ndpi_search_mongodb(struct ndpi_detection_module_struct *ndpi_struct, void init_mongodb_dissector(struct ndpi_detection_module_struct *ndpi_struct, - u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) -{ + u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) { ndpi_set_bitmask_protocol_detection("MongoDB", ndpi_struct, detection_bitmask, - *id, NDPI_PROTOCOL_MONGODB, ndpi_search_mongodb, - NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD, - SAVE_DETECTION_BITMASK_AS_UNKNOWN, - ADD_TO_DETECTION_BITMASK); + *id, NDPI_PROTOCOL_MONGODB, ndpi_search_mongodb, + NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD, + SAVE_DETECTION_BITMASK_AS_UNKNOWN, + ADD_TO_DETECTION_BITMASK); *id += 1; } |