author | Luca Deri <deri@ntop.org> | 2021-03-03 00:41:07 +0100 |
committer | Luca Deri <deri@ntop.org> | 2021-03-03 00:41:07 +0100 |
commit | 56bfb439f85b3e4054bd7c6b849a6e06e5c2ac27 (patch) | |
tree | 6c7e2066917acc1c2a313321c7c7be3043df195f /src/lib/protocols/tor.c | |
parent | 4c00ff89dfa64f1026c2f1d267dc081a86b45243 (diff) |
Improved DGA detection with trigrams. Disadvantage: slower startup time
Reworked Tor dissector embedded in TLS (fixes #1141)
Removed false positive on HTTP User-Agent
Diffstat (limited to 'src/lib/protocols/tor.c')
-rw-r--r-- | src/lib/protocols/tor.c | 106 |
1 files changed, 0 insertions, 106 deletions
diff --git a/src/lib/protocols/tor.c b/src/lib/protocols/tor.c
deleted file mode 100644
index 71172e211..000000000
--- a/src/lib/protocols/tor.c
+++ /dev/null
@@ -1,106 +0,0 @@
-/*
- * tor.c
- *
- * Copyright (C) 2016-18 ntop.org
- * Copyright (C) 2013 Remy Mudingay <mudingay@ill.fr>
- *
- */
-#include "ndpi_protocol_ids.h"
-
-#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TOR
-
-#include "ndpi_api.h"
-
-
-static void ndpi_int_tor_add_connection(struct ndpi_detection_module_struct
- *ndpi_struct, struct ndpi_flow_struct *flow) {
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR, NDPI_PROTOCOL_UNKNOWN);
-}
-
-
-int ndpi_is_tls_tor(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow, char *certificate) {
- int len;
- char dummy[48], *dot, *name;
-
- if((certificate == NULL) || (certificate[0] == '\0'))
- return(0);
- else
- len = strlen(certificate);
-
- /* Check if it ends in .com or .net */
- if(len>=4 && strcmp(&certificate[len-4], ".com") && strcmp(&certificate[len-4], ".net"))
- return(0);
-
- if((len < 6)
- || (!strncmp(certificate, "*.", 2)) /* Wildcard certificate */
- || (strncmp(certificate, "www.", 4)) /* Not starting with www.... */
- )
- return(0);
-
- // printf("***** [SSL] %s(): %s\n", __FUNCTION__, certificate);
-
- snprintf(dummy, sizeof(dummy), "%s", certificate);
-
- if((dot = strrchr(dummy, '.')) == NULL) return(0);
- dot[0] = '\0';
-
- if((dot = strrchr(dummy, '.')) == NULL) return(0);
- name = &dot[1];
-
- if(ndpi_check_dga_name(ndpi_struct, flow, name, 1)) {
- ndpi_int_tor_add_connection(ndpi_struct, flow);
- return(1);
- } else {
-#ifdef PEDANTIC_TOR_CHECK
- if(gethostbyname(certificate) == NULL) {
- ndpi_int_tor_add_connection(ndpi_struct, flow);
- return(1);
- }
-#endif
- }
-
- return(0);
-}
-
-/* ******************************************* */
-
-void ndpi_search_tor(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
- struct ndpi_packet_struct *packet = &flow->packet;
-
- NDPI_LOG_DBG(ndpi_struct, "search for TOR\n");
-
- if((packet->tcp != NULL)
- && (!packet->tls_certificate_detected)) {
- u_int16_t dport, sport;
-
- sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest);
- NDPI_LOG_DBG2(ndpi_struct, "calculating TOR over tcp\n");
-
- if ((((dport == 9001) || (sport == 9001)) || ((dport == 9030) || (sport == 9030)))
- && ((packet->payload[0] == 0x17) || (packet->payload[0] == 0x16))
- && (packet->payload[1] == 0x03)
- && (packet->payload[2] == 0x01)
- && (packet->payload[3] == 0x00)) {
- NDPI_LOG_INFO(ndpi_struct, "found tor\n");
- ndpi_int_tor_add_connection(ndpi_struct, flow);
- }
- } else {
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- }
-}
-
-
-void init_tor_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
-{
- ndpi_set_bitmask_protocol_detection("Tor", ndpi_struct, detection_bitmask, *id,
- NDPI_PROTOCOL_TOR,
- ndpi_search_tor,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
- SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
-
- *id += 1;
-}
-
|