author | Luca Deri <deri@ntop.org> | 2020-10-26 21:40:59 +0100 |
committer | Luca Deri <deri@ntop.org> | 2020-10-26 21:40:59 +0100 |
commit | 948a9060378a2a33f5701947386492ff10cb2de6 (patch) | |
tree | 82ad122f24bc6ee7a9f5abea09abf790099091fe /src/lib/protocols | |
parent | 9873972acb2be4682434543b051833feff071f6e (diff) |
Added -D flag for detecting DoH in the wild
Removed heuristic from CiscoVPN as it leads to false positives
Diffstat (limited to 'src/lib/protocols')
-rw-r--r-- | src/lib/protocols/ciscovpn.c | 23 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 14 |
2 files changed, 19 insertions, 18 deletions
diff --git a/src/lib/protocols/ciscovpn.c b/src/lib/protocols/ciscovpn.c
index c97ab25db..b503f1184 100644
--- a/src/lib/protocols/ciscovpn.c
+++ b/src/lib/protocols/ciscovpn.c
@@ -57,7 +57,7 @@ void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struct, stru
     if((tdport == 10000 && tsport == 10000) ||
        ((tsport == 443 || tdport == 443) &&
         (packet->payload_packet_len >= 4) &&
-        (packet->payload[0] == 0x17 &&
+        (packet->payload[0] == 0x17 /* TLS Application Data */ &&
          packet->payload[1] == 0x01 &&
          packet->payload[2] == 0x00 &&
          packet->payload[3] == 0x00)
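Review bot: The new `/* TLS Application Data */` label on the 0x17 byte in this hunk (and the identical one in the -116 hunk) is misleading on its own, because the bytes the same condition requires next are 0x01 0x00 0x00, which is not a TLS version field (the -68 hunk labels 0x03 0x03 as TLS 1.2), so the matched prefix is not a TLS record even though the content-type byte coincides. A maintainer reading only the comment may treat this as a TLS signature and "tighten" it with TLS assumptions; if it is a Cisco-specific framing, which the surrounding code suggests but does not state, the comment should say so, e.g. `/* 0x17 then 0x01 0x00 0x00: not a TLS version, AnyConnect-specific framing (confirm) */`. ndpi_search_ciscovpn's body starts before this hunk and continues after it.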
@@ -68,28 +68,27 @@ void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struct, stru
       ndpi_int_ciscovpn_add_connection(ndpi_struct, flow);
       return;
     }
+#if 0
+    /* Code disabled as it is too generic and it can lead to false positives */
     else if(((tsport == 443 || tdport == 443) ||
              (tsport == 80 || tdport == 80)) &&
             (packet->payload_packet_len >= 5) &&
-            ((packet->payload[0] == 0x17 &&
-              packet->payload[1] == 0x03 &&
-              packet->payload[2] == 0x03 &&
-              packet->payload[3] == 0x00 &&
-              packet->payload[4] == 0x3A)))
+            ((packet->payload[0] == 0x17 /* TLS Application Data */ &&
+              packet->payload[1] == 0x03 && packet->payload[2] == 0x03 && /* TLS 1.2 */
+              packet->payload[3] == 0x00 && packet->payload[4] == 0x3A /* Length */)))
       {
         /* TLS signature of Cisco AnyConnect 0X170303003A */
         NDPI_LOG_INFO(ndpi_struct, "found CISCO Anyconnect VPN\n");
         ndpi_int_ciscovpn_add_connection(ndpi_struct, flow);
         return;
       }
+#endif
     else if(((tsport == 8009 || tdport == 8009) ||
              (tsport == 8008 || tdport == 8008)) &&
             (packet->payload_packet_len >= 5) &&
-            ((packet->payload[0] == 0x17 &&
-              packet->payload[1] == 0x03 &&
-              packet->payload[2] == 0x03 &&
-              packet->payload[3] == 0x00 &&
-              packet->payload[4] == 0x69)))
+            ((packet->payload[0] == 0x17 /* TLS Application Data */ &&
+              packet->payload[1] == 0x03 && packet->payload[2] == 0x03 && /* TLS 1.2 */
+              packet->payload[3] == 0x00 && packet->payload[4] == 0x69 /* Length */)))
       {
         /* TCP signature of Cisco AnyConnect 0X1703030069 */
         NDPI_LOG_INFO(ndpi_struct, "found CISCO Anyconnect VPN\n");
@@ -116,7 +115,7 @@ void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struct, stru
        (usport == 443 || udport == 443) &&
        (packet->payload_packet_len >= 5) &&
-       (packet->payload[0] == 0x17 &&
+       (packet->payload[0] == 0x17 /* TLS Application Data */ &&
         packet->payload[1] == 0x01 &&
         packet->payload[2] == 0x00 &&
         packet->payload[3] == 0x00 &&
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 192625c5c..7f9e8d5c0 100644
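Review bot: The surviving 8009/8008 branch in this hunk matches on exactly the layout the `#if 0` block disables as too generic — content type 0x17, version 0x03 0x03 and a single fixed record length (0x69 instead of 0x3A) — so any TLS 1.2 application-data record of 105 bytes on those ports is classified as Cisco AnyConnect, and the false-positive concern in the new comment applies to it as well, only with less common ports. If the port choice is what makes it acceptable, say so next to the branch, e.g. `/* Same single-record check as the disabled 443/80 branch; kept only because 8008/8009 are unlikely to carry other TLS traffic (verify) */`. Keeping the disabled branch under `#if 0` also leaves dead code in the middle of the `else if` chain; removing it (the rationale survives in the commit message) or tying it to a runtime option would be cleaner. ndpi_search_ciscovpn starts before the hunk and continues after it.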
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -712,12 +712,14 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
     p = packet->payload, p_len = packet->payload_packet_len; /* Backup */
     if(content_type == 0x14 /* Change Cipher Spec */) {
-      /*
-        Ignore Application Data up until change cipher
-        so in this case we reset the number of observed
-        TLS blocks
-      */
-      flow->l4.tcp.tls.num_tls_blocks = 0;
+      if(ndpi_struct->skip_tls_blocks_until_change_cipher) {
+        /*
+          Ignore Application Data up until change cipher
+          so in this case we reset the number of observed
+          TLS blocks
+        */
+        flow->l4.tcp.tls.num_tls_blocks = 0;
+      }
     }
     if((len > 9) |
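Review bot: The reset of `flow->l4.tcp.tls.num_tls_blocks` on Change Cipher Spec is now conditional on `ndpi_struct->skip_tls_blocks_until_change_cipher`, but nothing in this diff (limited to src/lib/protocols) shows where that field is declared or given a default; if the detection module is zero-initialised and the field is not set by default, every existing caller silently moves from "count only post-CCS records" to "count every record", which changes the TLS block fingerprint they rely on. Please confirm the default preserves the previous behaviour, and document the switch at the condition, since the inner comment still reads as if the reset were unconditional, e.g. `/* Reset only when the option is set; otherwise pre-CCS handshake records stay in the count (the commit ties this to DoH detection) */`. ndpi_search_tls_tcp begins before the hunk and continues after it.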