author | Luca Deri <deri@ntop.org> | 2020-09-21 19:57:23 +0200 |
committer | Luca Deri <deri@ntop.org> | 2020-09-21 19:57:23 +0200 |
commit | 60a9f6610d7b15c33ecd8db865cf8f7519ad0ef0 (patch) | |
tree | 9dbe80b23501ba77cd9bfc782d7ae34ec16b3381 /src/lib/protocols | |
parent | 0259ff58e13d94ee497d07072505c94ee8144a42 (diff) |
Added risk checks for:
- invalid DNS traffic (probably carrying exfiltrated data)
- TLS traffic with no SNI extension
Diffstat (limited to 'src/lib/protocols')
-rw-r--r-- | src/lib/protocols/dns.c | 72 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 25 |
2 files changed, 85 insertions, 12 deletions
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 12c6d0338..f8f590a5b 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -35,7 +35,64 @@
 #define LLMNR_PORT 5355
 #define MDNS_PORT 5353
-static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
+static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow);
+
+/* *********************************************** */
+
+static void ndpi_check_dns_type(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow,
+ u_int16_t dns_type) {
+ /* https://en.wikipedia.org/wiki/List_of_DNS_record_types */
+
+ switch(dns_type) {
+ /* Obsolete record types */
+ case 3:
+ case 4:
+ case 254:
+ case 7:
+ case 8:
+ case 9:
+ case 14:
+ case 253:
+ case 11:
+ case 33:
+ case 10:
+ case 38:
+ case 30:
+ case 25:
+ case 24:
+ case 13:
+ case 17:
+ case 19:
+ case 20:
+ case 21:
+ case 22:
+ case 23:
+ case 26:
+ case 31:
+ case 32:
+ case 34:
+ case 42:
+ case 40:
+ case 27:
+ case 100:
+ case 101:
+ case 102:
+ case 103:
+ case 99:
+ case 56:
+ case 57:
+ case 58:
+ case 104:
+ case 105:
+ case 106:
+ case 107:
+ case 259:
+ NDPI_SET_BIT(flow->risk, NDPI_DNS_SUSPICIOUS_TRAFFIC);
+ break;
+ }
+}
 /* *********************************************** */
@@ -153,7 +210,7 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct,
 flow->protos.dns.query_type = get16(&x, flow->packet.payload);
 #ifdef DNS_DEBUG
 NDPI_LOG_DBG2(ndpi_struct, "query_type=%2d\n", flow->protos.dns.query_type);
- printf("[DNS] query_type=%d\n", flow->protos.dns.query_type);
+ printf("[DNS] [request] query_type=%d\n", flow->protos.dns.query_type);
 #endif
 break;
 } else
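Review bot: The `switch` in `ndpi_check_dns_type` has no `default:` label and its 42 `case` labels are in no numeric order, so nobody can audit the set against the cited reference without re-sorting it by hand; sort the labels numerically and close the switch with `default: break;`. The `ndpi_struct` parameter is never read in the body, so either drop it or mark it unused to keep `-Wunused-parameter` builds clean. The commit message is the only place that says why these values matter; a doc comment above the function would carry that contract into the code, e.g. `/* Flag the flow as NDPI_DNS_SUSPICIOUS_TRAFFIC when dns_type is an obsolete RR type (per the reference above); such types are not expected in normal resolution and may indicate tunnelled/exfiltrated data */`. The second hunk on this line (-153) only changes a DNS_DEBUG string.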
@@ -199,7 +256,8 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct,
 break;
 }
- if((data_len = getNameLength(x, flow->packet.payload, flow->packet.payload_packet_len)) == 0) {
+ if((data_len = getNameLength(x, flow->packet.payload,
+ flow->packet.payload_packet_len)) == 0) {
 break;
 } else
 x += data_len;
@@ -207,7 +265,15 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct,
 if((x+2) >= flow->packet.payload_packet_len) {
 break;
 }
+ rsp_type = get16(&x, flow->packet.payload);
+
+#ifdef DNS_DEBUG
+ printf("[DNS] [response] response_type=%d\n", rsp_type);
+#endif
+
+ ndpi_check_dns_type(ndpi_struct, flow, rsp_type);
+ flow->protos.dns.rsp_type = rsp_type;
 /* here x points to the response "class" field */
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 134dfe614..dc54a7964 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -325,7 +325,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
 if(rdn_len && (flow->protos.stun_ssl.ssl.issuerDN == NULL))
 flow->protos.stun_ssl.ssl.issuerDN = ndpi_strdup(rdnSeqBuf);
-
+
 rdn_len = 0; /* Reset buffer */
 }
@@ -607,10 +607,10 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct,
 #ifdef DEBUG_TLS_BLOCKS
 printf("*** [TLS Block] Enough blocks dissected\n");
 #endif
-
- flow->extra_packets_func = NULL; /* We're good now */
+
+ flow->extra_packets_func = NULL; /* We're good now */
 }
-
+
 return(1);
 }
@@ -665,10 +665,10 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 u_int16_t len, p_len;
 const u_int8_t *p;
 u_int8_t content_type;
-
+
 if(flow->l4.tcp.tls.message.buffer_used < 5)
 return(1); /* Keep working */
-
+
 len = (flow->l4.tcp.tls.message.buffer[3] << 8) + flow->l4.tcp.tls.message.buffer[4] + 5;
 if(len > flow->l4.tcp.tls.message.buffer_used) {
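Review bot: In the -207 hunk `ndpi_check_dns_type` is applied only to the response record type, while the request-side `query_type` stored in the earlier hunk (`flow->protos.dns.query_type = get16(&x, flow->packet.payload);`) gets no such check, so a query for an obsolete type is not flagged until an answer is seen and a query that never gets a reply is never flagged at all; if that asymmetry is not intended, add `ndpi_check_dns_type(ndpi_struct, flow, flow->protos.dns.query_type);` right after that assignment. `rsp_type` is assigned here without a declaration in the hunk, so presumably it already exists as a local of `search_valid_dns` — worth confirming its type matches the `u_int16_t dns_type` parameter so no narrowing happens. Consider a comment on the call: `/* Risk check on the answer RR type; class/TTL/rdlength are parsed below */`. search_valid_dns continues outside the hunk; the -199 hunk and the tls.c hunks on this line are line-wrap and whitespace changes only.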
@@ -694,7 +694,7 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 #endif
 content_type = flow->l4.tcp.tls.message.buffer[0];
-
+
 /* Overwriting packet payload */
 p = packet->payload, p_len = packet->payload_packet_len; /* Backup */
@@ -722,7 +722,7 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 }
 processTLSBlock(ndpi_struct, flow);
-
+
 processed += packet->payload_packet_len;
 }
 } else {
@@ -731,7 +731,7 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 if(flow->l4.tcp.tls.num_tls_blocks < ndpi_struct->num_tls_blocks_to_follow)
 flow->l4.tcp.tls.tls_application_blocks_len[flow->l4.tcp.tls.num_tls_blocks++] = (packet->packet_direction == 0) ? (len-5) : -(len-5);
-
+
 #ifdef DEBUG_TLS_BLOCKS
 printf("*** [TLS Block] [len: %u][num_tls_blocks: %u/%u]\n", len-5, flow->l4.tcp.tls.num_tls_blocks, ndpi_struct->num_tls_blocks_to_follow);
@@ -1512,6 +1512,13 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 NDPI_SET_BIT(flow->risk, NDPI_TLS_SUSPICIOUS_ESNI_USAGE);
 }
+ /* Add check for missing SNI */
+ if((flow->protos.stun_ssl.ssl.client_requested_server_name[0] == 0)
+ && (flow->protos.stun_ssl.ssl.ssl_version >= 0x0302) /* TLSv1.1 */) {
+ /* This is a bit suspicious */
+ NDPI_SET_BIT(flow->risk, NDPI_TLS_MISSING_SNI);
+ }
+
 return(2 /* Client Certificate */);
 } else {
 #ifdef DEBUG_TLS |
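Review bot: The missing-SNI check in the -1512 hunk fires whenever `client_requested_server_name` is empty on a TLS >= 1.1 Client Hello, including the ESNI case handled immediately above, where a cleartext SNI is legitimately absent, so one flow can carry both NDPI_TLS_SUSPICIOUS_ESNI_USAGE and NDPI_TLS_MISSING_SNI; either document that stacking as intended or guard the new condition with the ESNI state (the variable the ESNI branch tests is not visible in this hunk). Clients connecting to an IP literal also send no SNI (RFC 6066 does not allow literal addresses in server_name), so this is a weak indicator and the comment `/* This is a bit suspicious */` should say so: `/* No SNI on a TLS >= 1.1 Client Hello: unusual for browsers, normal for IP-literal targets and some custom clients; weak indicator, see also the ESNI branch above */`. NDPI_TLS_MISSING_SNI is not defined anywhere in this diffstat (limited to src/lib/protocols), so it must be introduced by a header change outside this listing. The -694, -722 and -731 hunks are whitespace-only; processClientServerHello continues outside the hunk.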