authorLuca Deri <deri@ntop.org>2020-09-09 23:25:19 +0200
committerLuca Deri <deri@ntop.org>2020-09-09 23:25:19 +0200
commit7086197047f3b342f650b91374c322615693c888 (patch)
tree39d33b7282f260e4e98b193de40bb81a97368bea /src/lib/protocols
parent842c00e68170b67e147d2d9d9eb04030548e9011 (diff)
Added extension to detect nested subdomains as used in Browsertunnel attack tool
https://github.com/veggiedefender/browsertunnel
Diffstat (limited to 'src/lib/protocols')
-rw-r--r--src/lib/protocols/dns.c2
-rw-r--r--src/lib/protocols/http.c7
-rw-r--r--src/lib/protocols/netbios.c2
-rw-r--r--src/lib/protocols/tls.c3
-rw-r--r--src/lib/protocols/tor.c2
5 files changed, 7 insertions, 9 deletions
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 5e6d01d69..03ac7b9d2 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -301,7 +301,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st
if(j > 0) {
ndpi_protocol_match_result ret_match;
- ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name);
+ ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name, 1);
ret.app_protocol = ndpi_match_host_subprotocol(ndpi_struct, flow,
(char *)flow->host_server_name,
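Review bot: The new fourth argument on the `ndpi_check_dga_name` call is a bare `1` whose meaning cannot be read from this call site (the signature change itself lies outside the diffstat shown), and the same bare `1`/`0` is passed in the netbios.c, tls.c and tor.c hunks and in both http.c hunks. From the commit message it presumably selects the nested-subdomain check for hostnames as opposed to plain strings such as a User-Agent, but nothing at the call says so. A trailing comment such as `/* 1 = hostname: also check nested subdomains (confirm against ndpi_check_dga_name) */` at each call, or a named constant next to the function's declaration, would make the contract explicit. ndpi_search_dns continues outside the hunk.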
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 0e3e0d413..acfa55769 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -263,15 +263,12 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru
char *ua) {
if((!ua) || (ua[0] == '\0')) return;
- // printf("***** [%s:%d] ==> '%s'\n", __FILE__, __LINE__, ua);
- // printf("***** %u\n", ndpi_check_dga_name(ndpi_struct, NULL, "uclient-fetch]"));
-
if((strlen(ua) < 4)
|| (!strncmp(ua, "test", 4))
|| (!strncmp(ua, "<?", 2))
|| strchr(ua, '{')
|| strchr(ua, '}')
- || ndpi_check_dga_name(ndpi_struct, NULL, ua)
+ || ndpi_check_dga_name(ndpi_struct, NULL, ua, 0)
// || ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, ua)
) {
NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_USER_AGENT);
@@ -438,7 +435,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
flow->host_server_name[len] = '\0';
flow->extra_packets_func = NULL; /* We're good now */
- if(len > 0) ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name);
+ if(len > 0) ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name, 1);
flow->server_id = flow->dst;
if(packet->forwarded_line.ptr) {
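Review bot: In the first hunk of this file the condition in ndpi_check_user_agent still carries the commented-out `// || ndpi_match_bigram(...)` alternative directly after the updated `ndpi_check_dga_name(ndpi_struct, NULL, ua, 0)` line, even though the commit removes the two debug `printf` comments above it. Commented-out code inside a live condition should either be deleted or replaced by a one-line why-comment stating that the bigram check was intentionally dropped. Both enclosing functions in this file start before their hunks.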
diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c
index 6ca691c7e..1f3850cbd 100644
--- a/src/lib/protocols/netbios.c
+++ b/src/lib/protocols/netbios.c
@@ -85,7 +85,7 @@ static void ndpi_int_netbios_add_connection(struct ndpi_detection_module_struct
flow->packet.payload_packet_len - off, name, sizeof(name)) > 0) {
snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name);
- ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name);
+ ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name, 1);
}
if(sub_protocol == NDPI_PROTOCOL_UNKNOWN)
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index aa3836442..71fb2d5c3 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1161,7 +1161,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
flow->l4.tcp.tls.subprotocol_detected = 1;
}
- ndpi_check_dga_name(ndpi_struct, flow, flow->protos.stun_ssl.ssl.client_requested_server_name);
+ ndpi_check_dga_name(ndpi_struct, flow,
+ flow->protos.stun_ssl.ssl.client_requested_server_name, 1);
} else {
#ifdef DEBUG_TLS
printf("[TLS] Extensions server len too short: %u vs %u\n",
diff --git a/src/lib/protocols/tor.c b/src/lib/protocols/tor.c
index 7318685e7..71172e211 100644
--- a/src/lib/protocols/tor.c
+++ b/src/lib/protocols/tor.c
@@ -48,7 +48,7 @@ int ndpi_is_tls_tor(struct ndpi_detection_module_struct *ndpi_struct,
if((dot = strrchr(dummy, '.')) == NULL) return(0);
name = &dot[1];
- if(ndpi_check_dga_name(ndpi_struct, flow, name)) {
+ if(ndpi_check_dga_name(ndpi_struct, flow, name, 1)) {
ndpi_int_tor_add_connection(ndpi_struct, flow);
return(1);
} else {
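Review bot: `name` is the label after the last '.' of `dummy` (from the `strrchr` two lines up), so passing `1` — which per the commit message presumably enables the nested-subdomain check — to `ndpi_check_dga_name` cannot find any subdomain in a single label; unless `dummy` has already had its trailing labels removed outside the hunk, `0` looks like the intended value, or the choice deserves a comment. A `dummy` that ends in '.' also leaves `name` pointing at an empty string, which the hunk hands to `ndpi_check_dga_name` unguarded; `if(*name == '\0') return(0);` before the call would close that. ndpi_is_tls_tor starts before the hunk.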