author | Toni <matzeton@googlemail.com> | 2024-04-03 14:10:21 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-04-03 14:10:21 +0200 |
commit | 41eef9246c6a3055e3876e3dd7aeaadecb4b76c0 (patch) | |
tree | 275c7300abf2233e8d89896a3a888ada01fef4bb /src/lib/protocols | |
parent | b5e8bc22147d37011621ae62b680742c8fa105dc (diff) |
Disable `-Wno-unused-parameter -Wno-unused-function`. (#2358)
* unused parameters and functions pollute the code and decrease readability
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'src/lib/protocols')
46 files changed, 284 insertions, 324 deletions
diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c index d1c9dd323..f80bb0d36 100644 --- a/src/lib/protocols/bittorrent.c +++ b/src/lib/protocols/bittorrent.c @@ -509,8 +509,7 @@ static u_int8_t is_port(u_int16_t a, u_int16_t b, u_int16_t what) { /* ************************************* */ static void ndpi_skip_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - struct ndpi_packet_struct *packet) { + struct ndpi_flow_struct *flow) { if(search_into_bittorrent_cache(ndpi_struct, flow)) ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 0, NDPI_CONFIDENCE_DPI_CACHE); else @@ -553,7 +552,7 @@ static void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_str if((ntohs(packet->udp->source) < 1024) || (ntohs(packet->udp->dest) < 1024) /* High ports only */) { - ndpi_skip_bittorrent(ndpi_struct, flow, packet); + ndpi_skip_bittorrent(ndpi_struct, flow); return; } @@ -639,12 +638,12 @@ static void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_str return; } - ndpi_skip_bittorrent(ndpi_struct, flow, packet); + ndpi_skip_bittorrent(ndpi_struct, flow); } } if(flow->packet_counter > 8) { - ndpi_skip_bittorrent(ndpi_struct, flow, packet); + ndpi_skip_bittorrent(ndpi_struct, flow); } } diff --git a/src/lib/protocols/bjnp.c b/src/lib/protocols/bjnp.c index bf7e24b75..91277ecda 100644 --- a/src/lib/protocols/bjnp.c +++ b/src/lib/protocols/bjnp.c @@ -6,8 +6,7 @@ #include "ndpi_private.h" static void ndpi_int_bjnp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - u_int8_t due_to_correlation) { + struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BJNP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); } 
@@ -25,7 +24,7 @@ static void ndpi_check_bjnp(struct ndpi_detection_module_struct *ndpi_struct, st || (memcmp((const char *)packet->payload, "MFNP", 4) == 0) ) { NDPI_LOG_INFO(ndpi_struct, "found bjnp\n"); - ndpi_int_bjnp_add_connection(ndpi_struct, flow, 0); + ndpi_int_bjnp_add_connection(ndpi_struct, flow); return; } } diff --git a/src/lib/protocols/btlib.c b/src/lib/protocols/btlib.c index 7223167e8..ae3c1e365 100644 --- a/src/lib/protocols/btlib.c +++ b/src/lib/protocols/btlib.c @@ -154,7 +154,7 @@ static void print_safe_str(char *msg,bt_parse_data_cb_t *cbd) { #define STREQ(a,b) !strcmp(a,b) -void cb_data(bt_parse_data_cb_t *cbd,int *ret) { +void cb_data(bt_parse_data_cb_t *cbd) { struct bt_parse_protocol *p = &(cbd->p); const u_int8_t *s; const char *ss; @@ -432,7 +432,7 @@ const u_int8_t *bt_decode(const u_int8_t *b, size_t *l, int *ret, bt_parse_data_ do { b = bt_decode(b,l,ret,cbd); if(*ret < 0 || *l == 0) goto bad_data; - cb_data(cbd,ret); + cb_data(cbd); if(*ret < 0) goto bad_data; cbd->t = 0; } while (*b != 'e' && *l != 0); @@ -455,7 +455,7 @@ const u_int8_t *bt_decode(const u_int8_t *b, size_t *l, int *ret, bt_parse_data_ } b = bt_decode(b,l,ret,cbd); if(*ret < 0 || *l == 0) goto bad_data; - cb_data(cbd,ret); + cb_data(cbd); if(*ret < 0) goto bad_data; cbd->t = 0; *ls = 0; diff --git a/src/lib/protocols/can.c b/src/lib/protocols/can.c index fc12866a8..0f1e1e243 100644 --- a/src/lib/protocols/can.c +++ b/src/lib/protocols/can.c @@ -67,7 +67,7 @@ static void ndpi_search_can(struct ndpi_detection_module_struct *ndpi_struct, ndpi_int_can_add_connection(ndpi_struct, flow); if (can_header->version != 0x01) { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid CAN Header"); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid CAN Header"); } } diff --git a/src/lib/protocols/collectd.c b/src/lib/protocols/collectd.c index f9ec9a783..4e37a0768 100644 --- a/src/lib/protocols/collectd.c +++ b/src/lib/protocols/collectd.c 
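Review bot: In `bt_decode`, the `if(*ret < 0) goto bad_data;` that follows each `cb_data(cbd);` call (hunks at -432 and -455) is now visibly dead. `*ret` is tested on the line just before the call and the callback no longer receives `ret`, so nothing between the two tests can change it unless `cb_data` reaches it through `cbd`, which these hunks do not show. Since this code presumably walks bencoded data taken from the wire, I would either delete the second test or give `cb_data` a status return and write `if(cb_data(cbd) < 0) goto bad_data;`, so a reader does not assume the callback can reject bad input when it cannot. Both functions extend beyond the hunks.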
@@ -103,14 +103,13 @@ static int ndpi_int_collectd_check_type(u_int16_t block_type) static int ndpi_int_collectd_dissect_hostname(struct ndpi_flow_struct * const flow, struct ndpi_packet_struct const * const packet, - u_int16_t block_offset, u_int16_t block_length) + u_int16_t block_length) { return (ndpi_hostname_sni_set(flow, &packet->payload[4], block_length, NDPI_HOSTNAME_NORM_ALL) == NULL); } static int ndpi_int_collectd_dissect_username(struct ndpi_flow_struct * const flow, - struct ndpi_packet_struct const * const packet, - u_int16_t block_offset) + struct ndpi_packet_struct const * const packet) { u_int16_t username_length = ntohs(get_u_int16_t(packet->payload, 4)); @@ -134,7 +133,7 @@ static void ndpi_search_collectd(struct ndpi_detection_module_struct *ndpi_struc struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; u_int16_t num_blocks; u_int16_t block_offset = 0, block_type, block_length; - u_int16_t hostname_offset, hostname_length = 0; + u_int16_t hostname_length = 0; NDPI_LOG_DBG(ndpi_struct, "search collectd\n"); @@ -158,7 +157,6 @@ static void ndpi_search_collectd(struct ndpi_detection_module_struct *ndpi_struc * Dissect the hostname later, when we are sure that it is * the collectd protocol. */ - hostname_offset = block_offset; if(block_length > 4) hostname_length = block_length - 4; /* Ignore type and length fields */ } else if (block_type == COLELCTD_TYPE_ENCR_AES256) { @@ -169,7 +167,7 @@ static void ndpi_search_collectd(struct ndpi_detection_module_struct *ndpi_struc */ if (block_length != packet->payload_packet_len || block_length < COLLECTD_ENCR_AES256_MIN_BLOCK_SIZE || - ndpi_int_collectd_dissect_username(flow, packet, block_offset) != 0) + ndpi_int_collectd_dissect_username(flow, packet) != 0) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } else { 
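Review bot: `ndpi_int_collectd_dissect_hostname()` still reads the hostname from the fixed `&packet->payload[4]`, and this change removes `block_offset` from its signature and the `hostname_offset = block_offset;` assignment (hunk at -158) instead of using them. `hostname_length` is taken from the host block found at `block_offset`, so whenever that block is not the first one in the packet, the bytes handed to `ndpi_hostname_sni_set()` belong to a different block. I would keep the offset and read `&packet->payload[block_offset + 4]`, passing `hostname_offset` again at the call in the -187 hunk. This assumes the loop already bounds `block_offset + block_length` by `payload_packet_len`, which lies outside these hunks.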
@@ -187,10 +185,9 @@ static void ndpi_search_collectd(struct ndpi_detection_module_struct *ndpi_struc } if (hostname_length > 0 && - ndpi_int_collectd_dissect_hostname(flow, packet, hostname_offset, - hostname_length) != 0) + ndpi_int_collectd_dissect_hostname(flow, packet, hostname_length) != 0) { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid collectd Header"); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid collectd Header"); } ndpi_int_collectd_add_connection(ndpi_struct, flow); diff --git a/src/lib/protocols/dcerpc.c b/src/lib/protocols/dcerpc.c index edf8125f6..838d5f292 100644 --- a/src/lib/protocols/dcerpc.c +++ b/src/lib/protocols/dcerpc.c @@ -35,7 +35,7 @@ static void ndpi_int_dcerpc_add_connection(struct ndpi_detection_module_struct ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DCERPC, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); } -static bool is_connection_oriented_dcerpc(struct ndpi_packet_struct *packet, struct ndpi_flow_struct *flow) +static bool is_connection_oriented_dcerpc(struct ndpi_packet_struct *packet) { if((packet->tcp != NULL) && (packet->payload_packet_len >= 64) @@ -48,7 +48,7 @@ static bool is_connection_oriented_dcerpc(struct ndpi_packet_struct *packet, str return false; } -static bool is_connectionless_dcerpc(struct ndpi_packet_struct *packet, struct ndpi_flow_struct *flow) +static bool is_connectionless_dcerpc(struct ndpi_packet_struct *packet) { u_int16_t fragment_len; @@ -83,7 +83,7 @@ static void ndpi_search_dcerpc(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_packet_struct *packet = &ndpi_struct->packet; NDPI_LOG_DBG(ndpi_struct, "search DCERPC\n"); - if (is_connection_oriented_dcerpc(packet, flow) || is_connectionless_dcerpc(packet, flow)) { + if (is_connection_oriented_dcerpc(packet) || is_connectionless_dcerpc(packet)) { NDPI_LOG_INFO(ndpi_struct, "found DCERPC\n"); ndpi_int_dcerpc_add_connection(ndpi_struct, flow); return; 
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 95f3626c9..70b8cd451 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -44,8 +44,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, /* *********************************************** */ -static void ndpi_check_dns_type(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, +static void ndpi_check_dns_type(struct ndpi_flow_struct *flow, u_int16_t dns_type) { /* https://en.wikipedia.org/wiki/List_of_DNS_record_types */ @@ -93,7 +92,7 @@ static void ndpi_check_dns_type(struct ndpi_detection_module_struct *ndpi_struct case 106: case 107: case 259: - ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_SUSPICIOUS_TRAFFIC, "Obsolete DNS record type"); + ndpi_set_risk(flow, NDPI_DNS_SUSPICIOUS_TRAFFIC, "Obsolete DNS record type"); break; } } @@ -321,7 +320,7 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, x++; } } else { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid DNS Header"); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid DNS Header"); return(1 /* invalid */); } } else { @@ -351,10 +350,10 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, snprintf(str, sizeof(str), "DNS Error Code %s", dns_error_code2string(flow->protos.dns.reply_code, buf, sizeof(buf))); - ndpi_set_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED, str); + ndpi_set_risk(flow, NDPI_ERROR_CODE_DETECTED, str); } else { - if(ndpi_isset_risk(ndpi_struct, flow, NDPI_SUSPICIOUS_DGA_DOMAIN)) { - ndpi_set_risk(ndpi_struct, flow, NDPI_RISKY_DOMAIN, "DGA Name Query with no Error Code"); + if(ndpi_isset_risk(flow, NDPI_SUSPICIOUS_DGA_DOMAIN)) { + ndpi_set_risk(flow, NDPI_RISKY_DOMAIN, "DGA Name Query with no Error Code"); } } 
@@ -431,7 +430,7 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, rsp_ttl = ntohl(*((u_int32_t*)&packet->payload[x+2])); if(rsp_ttl == 0) - ndpi_set_risk(ndpi_struct, flow, NDPI_MINOR_ISSUES, "DNS Record with zero TTL"); + ndpi_set_risk(flow, NDPI_MINOR_ISSUES, "DNS Record with zero TTL"); #ifdef DNS_DEBUG printf("[DNS] TTL = %u\n", rsp_ttl); @@ -439,7 +438,7 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, #endif if(found == 0) { - ndpi_check_dns_type(ndpi_struct, flow, rsp_type); + ndpi_check_dns_type(flow, rsp_type); flow->protos.dns.rsp_type = rsp_type; } @@ -755,7 +754,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st #ifdef DNS_DEBUG printf("[DNS] Invalid query len [%u >= %u]\n", i+4, packet->payload_packet_len); #endif - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid DNS Query Lenght"); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid DNS Query Lenght"); break; } else { idx = i+5, num_queries++; @@ -767,7 +766,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st ndpi_hostname_sni_set(flow, (const u_int8_t *)_hostname, len, is_mdns ? NDPI_HOSTNAME_NORM_LC : NDPI_HOSTNAME_NORM_ALL); if (hostname_is_valid == 0) - ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, NULL); + ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, NULL); dot = strchr(_hostname, '.'); if(dot) { @@ -779,7 +778,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st and this might be an issue or indicate an exfiltration */ - ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_SUSPICIOUS_TRAFFIC, "Long DNS host name"); + ndpi_set_risk(flow, NDPI_DNS_SUSPICIOUS_TRAFFIC, "Long DNS host name"); } } 
@@ -867,7 +866,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st char str[48]; snprintf(str, sizeof(str), "%u Bytes DNS Packet", packet->payload_packet_len); - ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_LARGE_PACKET, str); + ndpi_set_risk(flow, NDPI_DNS_LARGE_PACKET, str); } if(packet->iph != NULL) { @@ -877,14 +876,14 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st /* 0: fragmented; 1: not fragmented */ if((flags & 0x20) || (iph_is_valid_and_not_fragmented(packet->iph, packet->l3_packet_len) == 0)) { - ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_FRAGMENTED, NULL); + ndpi_set_risk(flow, NDPI_DNS_FRAGMENTED, NULL); } } else if(packet->iphv6 != NULL) { /* IPv6 */ const struct ndpi_ip6_hdrctl *ip6_hdr = &packet->iphv6->ip6_hdr; if(ip6_hdr->ip6_un1_nxt == 0x2C /* Next Header: Fragment Header for IPv6 (44) */) { - ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_FRAGMENTED, NULL); + ndpi_set_risk(flow, NDPI_DNS_FRAGMENTED, NULL); } } } diff --git a/src/lib/protocols/dropbox.c b/src/lib/protocols/dropbox.c index eed06d4d5..2ac2f7d8a 100644 --- a/src/lib/protocols/dropbox.c +++ b/src/lib/protocols/dropbox.c @@ -32,8 +32,7 @@ #define DB_LSP_PORT 17500 static void ndpi_int_dropbox_add_connection(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - u_int8_t due_to_correlation) { + struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DROPBOX, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); } @@ -49,7 +48,7 @@ static void ndpi_check_dropbox(struct ndpi_detection_module_struct *ndpi_struct, if(payload_len > 10) { if(ndpi_strnstr((const char *)packet->payload, "\"host_int\"", payload_len) != NULL) { NDPI_LOG_INFO(ndpi_struct, "found dropbox\n"); - ndpi_int_dropbox_add_connection(ndpi_struct, flow, 0); + ndpi_int_dropbox_add_connection(ndpi_struct, flow); return; } } 
@@ -57,7 +56,7 @@ static void ndpi_check_dropbox(struct ndpi_detection_module_struct *ndpi_struct, if(payload_len > 10) { if(ndpi_strnstr((const char *)packet->payload, "Bus17Cmd", payload_len) != NULL) { NDPI_LOG_INFO(ndpi_struct, "found dropbox\n"); - ndpi_int_dropbox_add_connection(ndpi_struct, flow, 0); + ndpi_int_dropbox_add_connection(ndpi_struct, flow); return; } } diff --git a/src/lib/protocols/fastcgi.c b/src/lib/protocols/fastcgi.c index 6a1baa758..a9f9113d3 100644 --- a/src/lib/protocols/fastcgi.c +++ b/src/lib/protocols/fastcgi.c @@ -204,7 +204,7 @@ static void ndpi_search_fastcgi(struct ndpi_detection_module_struct *ndpi_struct if (fcgi_parse_params(flow, packet) != 0) { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid FastCGI PARAMS header"); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid FastCGI PARAMS header"); ndpi_int_fastcgi_add_connection(ndpi_struct, flow, NULL); } else { ndpi_match_host_subprotocol(ndpi_struct, flow, @@ -218,10 +218,10 @@ static void ndpi_search_fastcgi(struct ndpi_detection_module_struct *ndpi_struct char str[128]; snprintf(str, sizeof(str), "Invalid host %s", flow->host_server_name); - ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, str); + ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, str); /* This looks like an attack */ - ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, NULL); + ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, NULL); } ndpi_int_fastcgi_add_connection(ndpi_struct, flow, &ret_match); } diff --git a/src/lib/protocols/ftp_control.c b/src/lib/protocols/ftp_control.c index ce7903397..7118ff295 100644 --- a/src/lib/protocols/ftp_control.c +++ b/src/lib/protocols/ftp_control.c 
@@ -42,8 +42,7 @@ static void ndpi_int_ftp_control_add_connection(struct ndpi_detection_module_str /* *************************************************************** */ -static int ndpi_ftp_control_check_request(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, +static int ndpi_ftp_control_check_request(struct ndpi_flow_struct *flow, const u_int8_t *payload, size_t payload_len) { #ifdef FTP_DEBUG @@ -59,7 +58,7 @@ static int ndpi_ftp_control_check_request(struct ndpi_detection_module_struct *n snprintf(buf, sizeof(buf), "Found FTP username (%s)", flow->l4.tcp.ftp_imap_pop_smtp.username); - ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); + ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); return 1; } @@ -555,8 +554,7 @@ static int ndpi_ftp_control_check_request(struct ndpi_detection_module_struct *n /* *************************************************************** */ static int ndpi_ftp_control_check_response(struct ndpi_flow_struct *flow, - const u_int8_t *payload, - size_t payload_len) { + const u_int8_t *payload) { #ifdef FTP_DEBUG printf("%s() [%.*s]\n", __FUNCTION__, (int)payload_len, payload); #endif @@ -604,8 +602,8 @@ static void ndpi_check_ftp_control(struct ndpi_detection_module_struct *ndpi_str if(flow->ftp_control_stage == 0) { NDPI_LOG_DBG2(ndpi_struct, "FTP_CONTROL stage 0: \n"); - if((payload_len > 0) && ndpi_ftp_control_check_request(ndpi_struct, - flow, packet->payload, payload_len)) { + if((payload_len > 0) && ndpi_ftp_control_check_request(flow, + packet->payload, payload_len)) { NDPI_LOG_DBG2(ndpi_struct, "Possible FTP_CONTROL request detected, we will look further for the response..\n"); 
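Review bot: `ndpi_ftp_control_check_response()` (hunk at -555) loses `payload_len`, but the `#ifdef FTP_DEBUG` line `printf("%s() [%.*s]\n", __FUNCTION__, (int)payload_len, payload);` directly below the new signature still uses it, so a build with `FTP_DEBUG` defined no longer compiles. Without a length the function also cannot bound any read of `payload` past the first byte, and the caller only checks `payload_len > 0` before the call. The body is outside the hunk, so whether it reads further is not visible. I would keep the parameter and silence the warning with `(void)payload_len;` after the `#endif`.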
@@ -627,7 +625,7 @@ static void ndpi_check_ftp_control(struct ndpi_detection_module_struct *ndpi_str } /* This is a packet in another direction. Check if we find the proper response. */ - if((payload_len > 0) && ndpi_ftp_control_check_response(flow, packet->payload, payload_len)) { + if((payload_len > 0) && ndpi_ftp_control_check_response(flow, packet->payload)) { NDPI_LOG_INFO(ndpi_struct, "found FTP_CONTROL\n"); #ifdef FTP_DEBUG diff --git a/src/lib/protocols/ftp_data.c b/src/lib/protocols/ftp_data.c index 567669e3d..048097156 100644 --- a/src/lib/protocols/ftp_data.c +++ b/src/lib/protocols/ftp_data.c @@ -34,7 +34,7 @@ static void ndpi_int_ftp_data_add_connection(struct ndpi_detection_module_struct ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_FTP_DATA, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); } -static int ndpi_match_ftp_data_port(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { +static int ndpi_match_ftp_data_port(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; /* Check connection over TCP */ @@ -46,7 +46,7 @@ static int ndpi_match_ftp_data_port(struct ndpi_detection_module_struct *ndpi_st return 0; } -static int ndpi_match_ftp_data_directory(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { +static int ndpi_match_ftp_data_directory(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int32_t payload_len = packet->payload_packet_len; @@ -70,7 +70,7 @@ static int ndpi_match_ftp_data_directory(struct ndpi_detection_module_struct *nd return 0; } -static int ndpi_match_file_header(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { +static int ndpi_match_file_header(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int32_t payload_len = packet->payload_packet_len; 
@@ -235,9 +235,9 @@ static void ndpi_check_ftp_data(struct ndpi_detection_module_struct *ndpi_struct */ if(ndpi_seen_flow_beginning(flow)) { if((packet->payload_packet_len > 0) - && (ndpi_match_file_header(ndpi_struct, flow) - || ndpi_match_ftp_data_directory(ndpi_struct, flow) - || ndpi_match_ftp_data_port(ndpi_struct, flow) + && (ndpi_match_file_header(ndpi_struct) + || ndpi_match_ftp_data_directory(ndpi_struct) + || ndpi_match_ftp_data_port(ndpi_struct) ) ) { NDPI_LOG_INFO(ndpi_struct, "found FTP_DATA request\n"); diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 8e4c60a5f..8c3da111c 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -68,7 +68,7 @@ static void ndpi_set_binary_application_transfer(struct ndpi_detection_module_st ) ; else - ndpi_set_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER, msg); + ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER, msg); } /* *********************************************** */ @@ -160,7 +160,7 @@ static void ndpi_http_check_human_redeable_content(struct ndpi_detection_module_ snprintf(str, sizeof(str), "Susp content %02X%02X%02X%02X", content[0], content[1], content[2], content[3]); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_CONTENT, str); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_CONTENT, str); } } } @@ -198,7 +198,7 @@ static void ndpi_validate_http_content(struct ndpi_detection_module_struct *ndpi /* Final checks */ - if(ndpi_isset_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER) + if(ndpi_isset_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER) && flow->http.user_agent && flow->http.content_type) { if(((strncmp((const char *)flow->http.user_agent, "Java/", 5) == 0)) && 
@@ -209,7 +209,7 @@ static void ndpi_validate_http_content(struct ndpi_detection_module_struct *ndpi https://corelight.com/blog/detecting-log4j-exploits-via-zeek-when-java-downloads-java */ - ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "Suspicious Log4J"); + ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, "Suspicious Log4J"); } } @@ -217,7 +217,7 @@ static void ndpi_validate_http_content(struct ndpi_detection_module_struct *ndpi } if((flow->http.user_agent == NULL) || (flow->http.user_agent[0] == '\0')) - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, "Empty or missing User-Agent"); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, "Empty or missing User-Agent"); } /* *********************************************** */ @@ -391,8 +391,7 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd /* ************************************************************* */ -static void setHttpUserAgent(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, char *ua) { +static void setHttpUserAgent(struct ndpi_flow_struct *flow, char *ua) { if( !strcmp(ua, "Windows NT 5.0")) ua = "Windows 2000"; else if(!strcmp(ua, "Windows NT 5.1")) ua = "Windows XP"; else if(!strcmp(ua, "Windows NT 5.2")) ua = "Windows Server 2003"; @@ -427,7 +426,7 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp if(packet->server_line.len > 7 && strncmp((const char *)packet->server_line.ptr, "ntopng ", 7) == 0) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NTOP, NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI); - ndpi_unset_risk(ndpi_struct, flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT); + ndpi_unset_risk(flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT); } /* Matching on Content-Type. 
@@ -529,7 +528,7 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp (strstr(flow->http.url, "delivery.mp.microsoft.com/") || strstr(flow->http.url, "download.windowsupdate.com/")) && strstr(flow->http.user_agent, "Microsoft-Delivery-Optimization/") && - ndpi_isset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST)) { + ndpi_isset_risk(flow, NDPI_NUMERIC_IP_HOST)) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WINDOWS_UPDATE, master_protocol, NDPI_CONFIDENCE_DPI); } @@ -560,8 +559,7 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp /* ************************************************************* */ -static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, +static void ndpi_check_user_agent(struct ndpi_flow_struct *flow, char const *ua, size_t ua_len) { char *double_slash; @@ -595,7 +593,7 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru char str[64]; snprintf(str, sizeof(str), "UA %s", ua); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, str); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, str); } } } @@ -606,7 +604,7 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru char str[64]; snprintf(str, sizeof(str), "UA %s", ua); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, str); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, str); } if((double_slash = strstr(ua, "://")) != NULL) { 
@@ -616,14 +614,14 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru char str[64]; snprintf(str, sizeof(str), "UA %s", ua); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, str); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, str); } } } /* no else */ if(!strncmp(ua, "jndi:ldap://", 12)) /* Log4J */ { - ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "Suspicious Log4J"); + ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, "Suspicious Log4J"); } else if( (ua_len < 4) /* Too short */ || (ua_len > 256) /* Too long */ @@ -631,7 +629,7 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru || strchr(ua, '{') || strchr(ua, '}') ) { - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, "Suspicious Log4J"); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, "Suspicious Log4J"); } /* @@ -648,7 +646,7 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru snprintf(str, sizeof(str), "UA %s", ua); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_CRAWLER_BOT, str); + ndpi_set_risk(flow, NDPI_HTTP_CRAWLER_BOT, str); } } @@ -710,15 +708,15 @@ void http_process_user_agent(struct ndpi_detection_module_struct *ndpi_struct, } if(token) - setHttpUserAgent(ndpi_struct, flow, token); + setHttpUserAgent(flow, token); } } } } if(ndpi_user_agent_set(flow, ua_ptr, ua_ptr_len) != NULL) { - ndpi_unset_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT); - ndpi_check_user_agent(ndpi_struct, flow, flow->http.user_agent, ua_ptr_len); + ndpi_unset_risk(flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT); + ndpi_check_user_agent(flow, flow->http.user_agent, ua_ptr_len); } else { NDPI_LOG_DBG2(ndpi_struct, "Could not set HTTP user agent (already set?)\n"); } 
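Review bot: In `ndpi_check_user_agent()` (hunk at -631) the branch for `ua_len < 4`, `ua_len > 256` or a brace in the string raises `NDPI_HTTP_SUSPICIOUS_USER_AGENT` with the message `"Suspicious Log4J"`, which labels a merely short or long User-Agent as a Log4J indicator for whoever triages the alert. A message naming the actual trigger would be clearer, for example `ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, "Unusual User-Agent length or characters");`. Downstream rules that match on the current text would need the same update. The condition starts above the hunk, so only the tests visible here are taken into account.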
@@ -729,8 +727,7 @@ void http_process_user_agent(struct ndpi_detection_module_struct *ndpi_struct, /* ************************************************************* */ -static void ndpi_check_numeric_ip(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, +static void ndpi_check_numeric_ip(struct ndpi_flow_struct *flow, char *ip, u_int ip_len) { char buf[22], *double_dot; struct in_addr ip_addr; @@ -746,21 +743,20 @@ static void ndpi_check_numeric_ip(struct ndpi_detection_module_struct *ndpi_stru char str[64]; snprintf(str, sizeof(str), "Found host %s", buf); - ndpi_set_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST, str); + ndpi_set_risk(flow, NDPI_NUMERIC_IP_HOST, str); } } /* ************************************************************* */ -static void ndpi_check_http_url(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, +static void ndpi_check_http_url(struct ndpi_flow_struct *flow, char *url) { if(strstr(url, "<php>") != NULL /* PHP code in the URL */) - ndpi_set_risk(ndpi_struct, flow, NDPI_URL_POSSIBLE_RCE_INJECTION, "PHP code in URL"); + ndpi_set_risk(flow, NDPI_URL_POSSIBLE_RCE_INJECTION, "PHP code in URL"); else if(strncmp(url, "/shell?", 7) == 0) - ndpi_set_risk(ndpi_struct, flow, NDPI_URL_POSSIBLE_RCE_INJECTION, "Possible WebShell detected"); + ndpi_set_risk(flow, NDPI_URL_POSSIBLE_RCE_INJECTION, "Possible WebShell detected"); else if(strncmp(url, "/.", 2) == 0) - ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "URL starting with dot"); + ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, "URL starting with dot"); } /* ************************************************************* */ 
@@ -768,8 +764,7 @@ static void ndpi_check_http_url(struct ndpi_detection_module_struct *ndpi_struct #define MIN_APACHE_VERSION 2004000 /* 2.4.X [https://endoflife.date/apache] */ #define MIN_NGINX_VERSION 1022000 /* 1.22.0 [https://endoflife.date/nginx] */ -static void ndpi_check_http_server(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, +static void ndpi_check_http_server(struct ndpi_flow_struct *flow, const char *server, u_int server_len) { if(server[0] != '\0') { if(server_len > 7) { @@ -790,10 +785,10 @@ static void ndpi_check_http_server(struct ndpi_detection_module_struct *ndpi_str if((off == 7) && (version < MIN_APACHE_VERSION)) { snprintf(msg, sizeof(msg), "Obsolete Apache server %s", buf); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_OBSOLETE_SERVER, msg); + ndpi_set_risk(flow, NDPI_HTTP_OBSOLETE_SERVER, msg); } else if((off == 6) && (version < MIN_NGINX_VERSION)) { snprintf(msg, sizeof(msg), "Obsolete nginx server %s", buf); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_OBSOLETE_SERVER, msg); + ndpi_set_risk(flow, NDPI_HTTP_OBSOLETE_SERVER, msg); } } } @@ -801,7 +796,7 @@ static void ndpi_check_http_server(struct ndpi_detection_module_struct *ndpi_str /* Check server content */ for(i=0; i<server_len; i++) { if(!ndpi_isprint(server[i])) { - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, "Suspicious Agent"); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, "Suspicious Agent"); break; } } @@ -828,7 +823,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ if(ndpi_isdigit(packet->host_line.ptr[0]) && (packet->host_line.len < 21)) - ndpi_check_numeric_ip(ndpi_struct, flow, (char*)packet->host_line.ptr, packet->host_line.len); + ndpi_check_numeric_ip(flow, (char*)packet->host_line.ptr, packet->host_line.len); flow->http.url = ndpi_malloc(len); if(flow->http.url) { 
@@ -859,7 +854,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ flow->http.url[offset] = '\0'; } - ndpi_check_http_url(ndpi_struct, flow, &flow->http.url[host_end]); + ndpi_check_http_url(flow, &flow->http.url[host_end]); } } @@ -868,7 +863,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ (u_int16_t)packet->http_method.len); if(packet->server_line.ptr != NULL) - ndpi_check_http_server(ndpi_struct, flow, (const char *)packet->server_line.ptr, packet->server_line.len); + ndpi_check_http_server(flow, (const char *)packet->server_line.ptr, packet->server_line.len); if(packet->user_agent_line.ptr != NULL) { http_process_user_agent(ndpi_struct, flow, packet->user_agent_line.ptr, packet->user_agent_line.len); @@ -905,7 +900,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ "Basic", packet->authorization_line.len) || ndpi_strncasestr((const char*)packet->authorization_line.ptr, "Digest", packet->authorization_line.len)) { - ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, + ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found credentials in HTTP Auth Line"); } } @@ -963,10 +958,10 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ char str[128]; snprintf(str, sizeof(str), "Invalid host %s", flow->host_server_name); - ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, str); + ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, str); /* This looks like an attack */ - ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, NULL); + ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, NULL); } double_col = strchr((char*)flow->host_server_name, ':'); 
@@ -980,7 +975,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ snprintf(msg, sizeof(msg), "Expected %s, found %s", ndpi_intoav4(ntohl(ndpi_struct->packet.iph->daddr), buf, sizeof(buf)), flow->host_server_name); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, msg); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, msg); } } } @@ -1038,7 +1033,7 @@ static struct l_string { }; static const char *http_fs = "CDGHOPR"; -static u_int16_t http_request_url_offset(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) +static u_int16_t http_request_url_offset(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; unsigned int i; @@ -1117,7 +1112,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str char str[64]; snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); return; } break; @@ -1126,7 +1121,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str char str[64]; snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); return; } break; @@ -1135,7 +1130,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str char str[64]; snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); return; } break; 
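Review bot: Each branch of `ndpi_check_http_header()` touched here formats the raw header line into the risk message with `snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr);`, so bytes chosen by the remote peer end up in the text passed to `ndpi_set_risk()`. The length is bounded by `str[64]`, but nothing visible strips control characters, and whether `ndpi_set_risk()` does so is not shown. I would document that above the first branch, e.g. `/* risk message carries unsanitized header bytes: consumers must escape it before logging */`. The same applies to the hunks from -1144 to -1189 and to the `"UA %s"` messages in `ndpi_check_user_agent()`.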
@@ -1144,7 +1139,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str char str[64]; snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); return; } break; @@ -1153,7 +1148,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str char str[64]; snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); return; } break; @@ -1162,7 +1157,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str char str[64]; snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); return; } break; @@ -1171,7 +1166,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str char str[64]; snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); return; } break; @@ -1180,7 +1175,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str char str[64]; snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); return; } break; 
@@ -1189,7 +1184,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str char str[64]; snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr); - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER, str); return; } @@ -1219,7 +1214,7 @@ static void parse_response_code(struct ndpi_detection_module_struct *ndpi_struct if(flow->http.response_status_code >= 400) { snprintf(ec, sizeof(ec), "HTTP Error Code %u", flow->http.response_status_code); - ndpi_set_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED, ec); + ndpi_set_risk(flow, NDPI_ERROR_CODE_DETECTED, ec); if(flow->http.url != NULL) { /* Let's check for Wordpress */ @@ -1230,19 +1225,18 @@ static void parse_response_code(struct ndpi_detection_module_struct *ndpi_struct || ((flow->http.method == NDPI_HTTP_METHOD_GET) && (strncmp(slash, "/wp-content/uploads/", 20) == 0)) )) { /* Example of popular exploits https://www.wordfence.com/blog/2022/05/millions-of-attacks-target-tatsu-builder-plugin/ */ - ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "Possible Wordpress Exploit"); + ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, "Possible Wordpress Exploit"); } } } } } -static int is_request(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { +static int is_request(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int16_t filename_start; - filename_start = http_request_url_offset(ndpi_struct, flow); + filename_start = http_request_url_offset(ndpi_struct); /* This check is required as RTSP is pretty similiar to HTTP */ if(filename_start > 0 && strncasecmp((const char *)packet->payload + filename_start, 
@@ -1251,8 +1245,7 @@ static int is_request(struct ndpi_detection_module_struct *ndpi_struct, return filename_start; } -static int is_response(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { +static int is_response(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; if(packet->payload_packet_len >= 7 && strncasecmp((const char *)packet->payload, "HTTP/1.", 7) == 0) @@ -1309,7 +1302,7 @@ static void process_request(struct ndpi_detection_module_struct *ndpi_struct, if(flow->http.user_agent == NULL || flow->http.user_agent[0] == '\0') { - ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, "Empty or missing User-Agent"); + ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, "Empty or missing User-Agent"); } } @@ -1324,7 +1317,7 @@ static void process_response(struct ndpi_detection_module_struct *ndpi_struct, } static void reset(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { + struct ndpi_flow_struct *flow) { NDPI_LOG_DBG2(ndpi_struct, "Reset status and risks\n"); 
@@ -1371,19 +1364,19 @@ static void reset(struct ndpi_detection_module_struct *ndpi_struct, /* Reset flow risks. We should reset only those risks triggered by the previous HTTP response... */ /* TODO */ - ndpi_unset_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER); - ndpi_unset_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_CONTENT); - ndpi_unset_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT); - ndpi_unset_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT); - ndpi_unset_risk(ndpi_struct, flow, NDPI_HTTP_CRAWLER_BOT); - ndpi_unset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST); - ndpi_unset_risk(ndpi_struct, flow, NDPI_URL_POSSIBLE_RCE_INJECTION); - ndpi_unset_risk(ndpi_struct, flow, NDPI_HTTP_OBSOLETE_SERVER); - ndpi_unset_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS); - ndpi_unset_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS); - ndpi_unset_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER); - ndpi_unset_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED); - ndpi_unset_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET); + ndpi_unset_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER); + ndpi_unset_risk(flow, NDPI_HTTP_SUSPICIOUS_CONTENT); + ndpi_unset_risk(flow, NDPI_POSSIBLE_EXPLOIT); + ndpi_unset_risk(flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT); + ndpi_unset_risk(flow, NDPI_HTTP_CRAWLER_BOT); + ndpi_unset_risk(flow, NDPI_NUMERIC_IP_HOST); + ndpi_unset_risk(flow, NDPI_URL_POSSIBLE_RCE_INJECTION); + ndpi_unset_risk(flow, NDPI_HTTP_OBSOLETE_SERVER); + ndpi_unset_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS); + ndpi_unset_risk(flow, NDPI_INVALID_CHARACTERS); + ndpi_unset_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER); + ndpi_unset_risk(flow, NDPI_ERROR_CODE_DETECTED); + ndpi_unset_risk(flow, NDPI_MALFORMED_PACKET); } static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct, 
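Review bot: The run of `ndpi_unset_risk()` calls at the end of reset() clears thirteen risks for the whole flow, including `NDPI_POSSIBLE_EXPLOIT` and `NDPI_CLEAR_TEXT_CREDENTIALS`, and the comment above it still ends in a bare `/* TODO */`. If reset() runs between transactions on a persistent connection (its callers are outside this hunk), a consumer that reads the risk bitmap only at flow end would not see what earlier requests raised. Until the TODO is resolved I would state that on the block: `/* NOTE: risks raised by earlier transactions on this flow are dropped here; export them before reset() if they must survive */`. reset()'s body starts outside the hunk.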
@@ -1393,13 +1386,13 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct NDPI_LOG_DBG(ndpi_struct, "http_stage %d dir %d req/res %d/%d\n", flow->l4.tcp.http_stage, packet->packet_direction, - is_request(ndpi_struct, flow), is_response(ndpi_struct, flow)); + is_request(ndpi_struct), is_response(ndpi_struct)); if(flow->l4.tcp.http_stage == 0) { /* Start: waiting for (the beginning of) a request */ - filename_start = is_request(ndpi_struct, flow); + filename_start = is_request(ndpi_struct); if(filename_start == 0) { /* Flow starting with a response? */ - if(is_response(ndpi_struct, flow)) { + if(is_response(ndpi_struct)) { NDPI_LOG_DBG2(ndpi_struct, "Response where a request were expected\n"); /* This is tricky. Two opposing goals: 1) We want to correctly match request with response!! -> Skip this response @@ -1436,7 +1429,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct /* Another pkt from the same direction (probably another fragment of the request) Keep lookng for the response */ NDPI_LOG_DBG2(ndpi_struct, "Another piece of request\n"); - filename_start = is_request(ndpi_struct, flow); + filename_start = is_request(ndpi_struct); if(filename_start > 0) { /* Probably a new, separated request (asymmetric flow or missing pkts?). What should we do? We definitely don't want to mix data from different @@ -1452,7 +1445,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct ndpi_parse_packet_line_info(ndpi_struct, flow); check_content_type_and_change_protocol(ndpi_struct, flow); return; - } else if(is_response(ndpi_struct, flow)) { + } else if(is_response(ndpi_struct)) { NDPI_LOG_DBG2(ndpi_struct, "Response where expected\n"); process_response(ndpi_struct, flow); 
@@ -1469,7 +1462,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct /* Another pkt from the same direction (probably another fragment of the response) Keep lookng for the request */ NDPI_LOG_DBG2(ndpi_struct, "Another piece of response\n"); - if(is_response(ndpi_struct, flow)) { + if(is_response(ndpi_struct)) { /* See the comment above about how we handle consecutive requests/responses */ if(flow->l4.tcp.http_asymmetric_stage < 2) flow->l4.tcp.http_asymmetric_stage++; @@ -1525,8 +1518,7 @@ static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struc /* ********************************* */ -ndpi_http_method ndpi_get_http_method(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { +ndpi_http_method ndpi_get_http_method(struct ndpi_flow_struct *flow) { if(!flow) { return(NDPI_HTTP_METHOD_UNKNOWN); } else @@ -1535,8 +1527,7 @@ ndpi_http_method ndpi_get_http_method(struct ndpi_detection_module_struct *ndpi_ /* ********************************* */ -char* ndpi_get_http_url(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { +char* ndpi_get_http_url(struct ndpi_flow_struct *flow) { if((!flow) || (!flow->http.url)) return(""); else @@ -1545,8 +1536,7 @@ char* ndpi_get_http_url(struct ndpi_detection_module_struct *ndpi_struct, /* ********************************* */ -char* ndpi_get_http_content_type(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { +char* ndpi_get_http_content_type(struct ndpi_flow_struct *flow) { if((!flow) || (!flow->http.content_type)) return(""); else diff --git a/src/lib/protocols/icecast.c b/src/lib/protocols/icecast.c index b910e2628..38967a781 100644 --- a/src/lib/protocols/icecast.c +++ b/src/lib/protocols/icecast.c 
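Review bot: `ndpi_get_http_url()` and `ndpi_get_http_content_type()` (hunks `@@ -1535,8 +1527,7 @@` and `@@ -1545,8 +1536,7 @@`) return the string literal `""` through a non-const `char*`, so a caller that writes to the result hits undefined behaviour. These getters have external linkage and this commit already changes their signatures, so it is a good moment to tighten the return type: `const char *ndpi_get_http_url(struct ndpi_flow_struct *flow)`, and likewise for the content-type getter. The header declarations and any language bindings are outside this view and would need the same change, plus a changelog entry for the dropped `ndpi_struct` parameter.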
@@ -44,7 +44,7 @@ static void ndpi_search_icecast_tcp(struct ndpi_detection_module_struct *ndpi_st if((packet->payload_packet_len < 500 && packet->payload_packet_len >= 7 && memcmp(packet->payload, "SOURCE ", 7) == 0) || flow->l4.tcp.icecast_stage) { - ndpi_parse_packet_line_info_any(ndpi_struct, flow); + ndpi_parse_packet_line_info_any(ndpi_struct); NDPI_LOG_DBG2(ndpi_struct, "Icecast lines=%d\n", packet->parsed_lines); for (i = 0; i < packet->parsed_lines; i++) { if(packet->line[i].ptr != NULL && packet->line[i].len > 4 diff --git a/src/lib/protocols/ipsec.c b/src/lib/protocols/ipsec.c index fdd08cb6f..9a3e519df 100644 --- a/src/lib/protocols/ipsec.c +++ b/src/lib/protocols/ipsec.c @@ -43,7 +43,7 @@ static void ndpi_int_ipsec_add_connection(struct ndpi_detection_module_struct * return; case ISAKMP_MALFORMED: NDPI_LOG_INFO(ndpi_struct, "found malformed ISAKMP (UDP)\n"); - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid IPSec/ISAKMP Header"); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid IPSec/ISAKMP Header"); break; case ISAKMP_V1: NDPI_LOG_INFO(ndpi_struct, "found ISAKMPv1 (UDP)\n"); diff --git a/src/lib/protocols/irc.c b/src/lib/protocols/irc.c index 354e27fd1..c316a557c 100644 --- a/src/lib/protocols/irc.c +++ b/src/lib/protocols/irc.c @@ -35,7 +35,7 @@ static void ndpi_int_irc_add_connection(struct ndpi_detection_module_struct *ndp ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_IRC, NDPI_PROTOCOL_UNKNOWN, confidence); } -static u_int8_t ndpi_check_for_NOTICE_or_PRIVMSG(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) +static u_int8_t ndpi_check_for_NOTICE_or_PRIVMSG(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; 
@@ -60,7 +60,7 @@ static u_int8_t ndpi_check_for_NOTICE_or_PRIVMSG(struct ndpi_detection_module_st } -static u_int8_t ndpi_check_for_Nickname(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) +static u_int8_t ndpi_check_for_Nickname(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int16_t i, packetl = packet->payload_packet_len; @@ -82,7 +82,7 @@ static u_int8_t ndpi_check_for_Nickname(struct ndpi_detection_module_struct *ndp return 0; } -static u_int8_t ndpi_check_for_cmd(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) +static u_int8_t ndpi_check_for_cmd(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int16_t i; @@ -369,7 +369,7 @@ static void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct if (memcmp(packet->payload, ":", 1) == 0) { if (packet->payload[packet->payload_packet_len - 2] != 0x0d && packet->payload[packet->payload_packet_len - 1] == 0x0a) { - ndpi_parse_packet_line_info_any(ndpi_struct, flow); + ndpi_parse_packet_line_info_any(ndpi_struct); } else if (packet->payload[packet->payload_packet_len - 2] == 0x0d) { ndpi_parse_packet_line_info(ndpi_struct, flow); } else { @@ -396,7 +396,7 @@ static void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct if ((memcmp(packet->payload, "USER ", 5) == 0) || (memcmp(packet->payload, "NICK ", 5) == 0) || (memcmp(packet->payload, "PASS ", 5) == 0) - || (memcmp(packet->payload, ":", 1) == 0 && ndpi_check_for_NOTICE_or_PRIVMSG(ndpi_struct, flow) != 0) + || (memcmp(packet->payload, ":", 1) == 0 && ndpi_check_for_NOTICE_or_PRIVMSG(ndpi_struct) != 0) || (memcmp(packet->payload, "PONG ", 5) == 0) || (memcmp(packet->payload, "PING ", 5) == 0) || (memcmp(packet->payload, "JOIN ", 5) == 0) 
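Review bot: In the `@@ -369,7 +369,7 @@` hunk, `packet->payload[packet->payload_packet_len - 2]` is read with no length check visible in the hunk; for a one-byte payload the index becomes -1 and the read lands before the buffer. ndpi_search_irc_tcp starts outside the hunk, so a guard may already exist further up; if it does not, add one in front of the test, `if (packet->payload_packet_len >= 2 && packet->payload[packet->payload_packet_len - 2] != 0x0d && ...)`, and cover the `else if` that indexes the same byte. The `@@ -523,7 +523,7 @@` hunk repeats the expression.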
@@ -414,7 +414,7 @@ static void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct sp[0] = '\0'; snprintf(msg, sizeof(msg), "Found IRC username (%s)", buf); - ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, msg); + ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, msg); } NDPI_LOG_DBG2(ndpi_struct, @@ -450,7 +450,7 @@ static void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct } } else if (packet->payload[packet->payload_packet_len - 1] == 0x0a) { - ndpi_parse_packet_line_info_any(ndpi_struct, flow); + ndpi_parse_packet_line_info_any(ndpi_struct); if (packet->parsed_lines > 1) { NDPI_LOG_DBG2(ndpi_struct, "packet contains more than one line"); for (c = 1; c < packet->parsed_lines; c++) { @@ -504,10 +504,10 @@ static void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct if ((flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC) && (flow->l4.tcp.irc_stage == 1)) { if ((((packet->payload_packet_len - http_content_ptr_len) > 10) && (memcmp(packet->payload + http_content_ptr_len, "interface=", 10) == 0) - && (ndpi_check_for_Nickname(ndpi_struct, flow) != 0)) + && (ndpi_check_for_Nickname(ndpi_struct) != 0)) || (((packet->payload_packet_len - http_content_ptr_len) > 5) && (memcmp(packet->payload + http_content_ptr_len, "item=", 5) == 0) - && (ndpi_check_for_cmd(ndpi_struct, flow) != 0))) { + && (ndpi_check_for_cmd(ndpi_struct) != 0))) { NDPI_LOG_INFO(ndpi_struct, "found IRC: Nickname, cmd, one time"); ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); return; 
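Review bot: The `@@ -414,7 +414,7 @@` hunk copies the captured IRC user name into the `NDPI_CLEAR_TEXT_CREDENTIALS` message (`"Found IRC username (%s)"`), so the account name travels with the risk wherever it is logged or exported. That may be intended, but it makes those outputs sensitive and is worth stating in the code: `/* NOTE: risk message contains the user name taken from the wire; treat risk output as sensitive */`. The IMAP, POP and SMTP hunks (`Found IMAP username`, `Found username`, `Found SMTP username`) do the same. ndpi_search_irc_tcp starts outside the hunk.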
@@ -523,7 +523,7 @@ static void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct if (packet->payload[packet->payload_packet_len - 2] != 0x0d && packet->payload[packet->payload_packet_len - 1] == 0x0a) { NDPI_LOG_DBG2(ndpi_struct, "ndpi_parse_packet_line_info_any(ndpi_struct, flow);"); - ndpi_parse_packet_line_info_any(ndpi_struct, flow); + ndpi_parse_packet_line_info_any(ndpi_struct); } else if (packet->payload[packet->payload_packet_len - 2] == 0x0d) { ndpi_parse_packet_line_info(ndpi_struct, flow); } else { diff --git a/src/lib/protocols/lisp.c b/src/lib/protocols/lisp.c index a124d6aee..b66a2e52d 100644 --- a/src/lib/protocols/lisp.c +++ b/src/lib/protocols/lisp.c @@ -29,8 +29,7 @@ #define LISP_PORT1 4342 /* TCP and UDP */ static void ndpi_int_lisp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - u_int8_t due_to_correlation) + struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_LISP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); @@ -47,7 +46,7 @@ static void ndpi_check_lisp(struct ndpi_detection_module_struct *ndpi_struct, st if((packet->udp->source == lisp_port && packet->udp->dest == lisp_port) || (packet->udp->source == lisp_port1 && packet->udp->dest == lisp_port1)) { NDPI_LOG_INFO(ndpi_struct, "found lisp\n"); - ndpi_int_lisp_add_connection(ndpi_struct, flow, 0); + ndpi_int_lisp_add_connection(ndpi_struct, flow); return; } } else { @@ -63,7 +62,7 @@ static void ndpi_check_lisp(struct ndpi_detection_module_struct *ndpi_struct, st packet->payload[packet->payload_packet_len - 3] == 0xAC && packet->payload[packet->payload_packet_len - 4] == 0x9F) { NDPI_LOG_INFO(ndpi_struct, "found lisp\n"); - ndpi_int_lisp_add_connection(ndpi_struct, flow, 0); + ndpi_int_lisp_add_connection(ndpi_struct, flow); return; } } diff --git a/src/lib/protocols/mail_imap.c b/src/lib/protocols/mail_imap.c index 1b8b31287..dd47704ea 100644 --- a/src/lib/protocols/mail_imap.c 
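Review bot: The debug string in the `@@ -523,7 +523,7 @@` hunk of irc.c still reads `"ndpi_parse_packet_line_info_any(ndpi_struct, flow);"` although the call below it now takes only `ndpi_struct`. Update it together with the call, e.g. `NDPI_LOG_DBG2(ndpi_struct, "ndpi_parse_packet_line_info_any(ndpi_struct);");`, or replace it with a message that describes the branch rather than quoting code, so it does not go stale on the next signature change.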
+++ b/src/lib/protocols/mail_imap.c @@ -186,7 +186,7 @@ static void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_ snprintf(buf, sizeof(buf), "Found IMAP username (%s)", flow->l4.tcp.ftp_imap_pop_smtp.username); - ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); + ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); pwd = strtok_r(NULL, " \"\r\n", &saveptr); if(pwd) { diff --git a/src/lib/protocols/mail_pop.c b/src/lib/protocols/mail_pop.c index 5741eba0e..0cb4512d7 100644 --- a/src/lib/protocols/mail_pop.c +++ b/src/lib/protocols/mail_pop.c @@ -88,7 +88,7 @@ static int ndpi_int_mail_pop_check_for_client_commands(struct ndpi_detection_mod snprintf(buf, sizeof(buf), "Found username (%s)", flow->l4.tcp.ftp_imap_pop_smtp.username); - ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); + ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); flow->l4.tcp.pop_command_bitmask |= POP_BIT_USER; return 1; @@ -100,7 +100,7 @@ static int ndpi_int_mail_pop_check_for_client_commands(struct ndpi_detection_mod sizeof(flow->l4.tcp.ftp_imap_pop_smtp.password), 5, packet->payload, packet->payload_packet_len); - ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found password"); + ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found password"); flow->l4.tcp.pop_command_bitmask |= POP_BIT_PASS; return 1; } else if((packet->payload[0] == 'C' || packet->payload[0] == 'c') diff --git a/src/lib/protocols/mail_smtp.c b/src/lib/protocols/mail_smtp.c index 66f40c6ee..f27e43ffe 100644 --- a/src/lib/protocols/mail_smtp.c +++ b/src/lib/protocols/mail_smtp.c 
@@ -66,8 +66,7 @@ static void smtpInitExtraPacketProcessing(struct ndpi_flow_struct *flow); /* **************************************** */ -static void get_credentials_auth_plain(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, +static void get_credentials_auth_plain(struct ndpi_flow_struct *flow, const u_int8_t *line, u_int16_t line_len) { u_int8_t buf[255]; @@ -102,7 +101,7 @@ static void get_credentials_auth_plain(struct ndpi_detection_module_struct *ndpi snprintf(buf, sizeof(buf), "Found username (%s)", flow->l4.tcp.ftp_imap_pop_smtp.username); - ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); + ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); if(1 + user_len + 1 < out_len) { unsigned int pwd_len; @@ -222,7 +221,7 @@ static void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_ } else if(packet->line[a].ptr[5] == 'P' || packet->line[a].ptr[5] == 'p') { flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_AUTH_PLAIN; /* AUTH PLAIN: username and pwd here */ - get_credentials_auth_plain(ndpi_struct, flow, + get_credentials_auth_plain(flow, packet->line[a].ptr, packet->line[a].len); flow->l4.tcp.ftp_imap_pop_smtp.auth_done = 1; } @@ -262,7 +261,7 @@ static void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_ snprintf(msg, sizeof(msg), "Found SMTP username (%s)", flow->l4.tcp.ftp_imap_pop_smtp.username); - ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, msg); + ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, msg); } else if(flow->l4.tcp.ftp_imap_pop_smtp.password[0] == '\0') { /* Password */ u_int8_t buf[48]; @@ -287,7 +286,7 @@ static void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_ ndpi_free(out); } - ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found password"); + ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found password"); flow->l4.tcp.ftp_imap_pop_smtp.auth_done = 1; } else { 
diff --git a/src/lib/protocols/munin.c b/src/lib/protocols/munin.c index 06e50d3a6..6ca9ca9c3 100644 --- a/src/lib/protocols/munin.c +++ b/src/lib/protocols/munin.c @@ -64,7 +64,7 @@ static void ndpi_search_munin(struct ndpi_detection_module_struct *ndpi_struct, if (packet->payload[packet->payload_packet_len - 1] != '\n') { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Missing Munin Hostname"); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Missing Munin Hostname"); return; } @@ -73,7 +73,7 @@ static void ndpi_search_munin(struct ndpi_detection_module_struct *ndpi_struct, { ndpi_hostname_sni_set(flow, packet->payload + NDPI_STATICSTRING_LEN(munin_prefix), host_len, NDPI_HOSTNAME_NORM_ALL); } else { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Missing Munin Hostname"); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Missing Munin Hostname"); } } diff --git a/src/lib/protocols/natpmp.c b/src/lib/protocols/natpmp.c index 4c259c91c..ccb025c89 100644 --- a/src/lib/protocols/natpmp.c +++ b/src/lib/protocols/natpmp.c @@ -122,7 +122,7 @@ static int ndpi_search_natpmp_extra(struct ndpi_detection_module_struct *ndpi_st if (natpmp_is_valid(packet, &natpmp_type) == 0) { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid NATPMP Header"); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid NATPMP Header"); return 0; } @@ -136,7 +136,7 @@ static int ndpi_search_natpmp_extra(struct ndpi_detection_module_struct *ndpi_st flow->protos.natpmp.external_port = ntohs(get_u_int16_t(packet->payload, 6)); if (flow->protos.natpmp.internal_port == 0) { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Request Port Mapping: Internal port must not 0"); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Request Port Mapping: Internal port must not 0"); } break; case NATPMP_RESPONSE_ADDRESS: 
@@ -144,7 +144,7 @@ static int ndpi_search_natpmp_extra(struct ndpi_detection_module_struct *ndpi_st flow->protos.natpmp.external_address.ipv4 = get_u_int32_t(packet->payload, 8); if (flow->protos.natpmp.result_code != 0 && flow->protos.natpmp.external_address.ipv4 != 0) { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Address Response: Result code indicates an error, but External IPv4 Address is set"); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Address Response: Result code indicates an error, but External IPv4 Address is set"); } break; case NATPMP_RESPONSE_UDP_MAPPING: @@ -154,7 +154,7 @@ static int ndpi_search_natpmp_extra(struct ndpi_detection_module_struct *ndpi_st flow->protos.natpmp.external_port = ntohs(get_u_int16_t(packet->payload, 10)); if (flow->protos.natpmp.internal_port == 0 || flow->protos.natpmp.external_port == 0) { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Port Mapping Response: Internal/External port must not 0"); + ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Port Mapping Response: Internal/External port must not 0"); } break; } diff --git a/src/lib/protocols/nintendo.c b/src/lib/protocols/nintendo.c index 29cf1bbbf..7c46439ff 100644 --- a/src/lib/protocols/nintendo.c +++ b/src/lib/protocols/nintendo.c @@ -29,8 +29,7 @@ #include "ndpi_private.h" static void ndpi_int_nintendo_add_connection(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - u_int8_t due_to_correlation) { + struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NINTENDO, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); } @@ -46,7 +45,7 @@ static void ndpi_search_nintendo(struct ndpi_detection_module_struct *ndpi_struc if(memcmp(payload, nintendo_pattern, 5) == 0) { NDPI_LOG_INFO(ndpi_struct, "found nintendo\n"); - ndpi_int_nintendo_add_connection(ndpi_struct, flow, 0); + ndpi_int_nintendo_add_connection(ndpi_struct, flow); return; } } 
diff --git a/src/lib/protocols/nomachine.c b/src/lib/protocols/nomachine.c index 33cf71dc9..21319a2aa 100644 --- a/src/lib/protocols/nomachine.c +++ b/src/lib/protocols/nomachine.c @@ -35,7 +35,7 @@ static void ndpi_int_nomachine_add_connection(struct ndpi_detection_module_struc NDPI_LOG_INFO(ndpi_struct, "found NoMachine\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NOMACHINE, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found NoMachine"); + ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found NoMachine"); } static void ndpi_search_nomachine(struct ndpi_detection_module_struct *ndpi_struct, diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c index 89a6730e7..4734433e0 100644 --- a/src/lib/protocols/quic.c +++ b/src/lib/protocols/quic.c @@ -643,7 +643,8 @@ static int quic_get_pn_cipher_algo(int cipher_algo, int *hp_cipher_mode) * algorithm output. */ static int quic_hp_cipher_prepare(struct ndpi_detection_module_struct *ndpi_struct, - quic_hp_cipher *hp_cipher, int hash_algo, int cipher_algo, uint8_t *secret, u_int32_t version) + quic_hp_cipher *hp_cipher, int hash_algo, int cipher_algo, + uint8_t *secret, u_int32_t version) { #if 0 /* Clear previous state (if any). */ @@ -674,7 +675,8 @@ static int quic_hp_cipher_prepare(struct ndpi_detection_module_struct *ndpi_stru return 1; } static int quic_pp_cipher_prepare(struct ndpi_detection_module_struct *ndpi_struct, - quic_pp_cipher *pp_cipher, int hash_algo, int cipher_algo, int cipher_mode, uint8_t *secret, u_int32_t version) + quic_pp_cipher *pp_cipher, int hash_algo, int cipher_algo, + int cipher_mode, uint8_t *secret, u_int32_t version) { #if 0 /* Clear previous state (if any). */ 
@@ -699,7 +701,8 @@ static int quic_pp_cipher_prepare(struct ndpi_detection_module_struct *ndpi_stru return 1; } static int quic_ciphers_prepare(struct ndpi_detection_module_struct *ndpi_struct, - quic_ciphers *ciphers, int hash_algo, int cipher_algo, int cipher_mode, uint8_t *secret, u_int32_t version) + quic_ciphers *ciphers, int hash_algo, int cipher_algo, + int cipher_mode, uint8_t *secret, u_int32_t version) { int ret; @@ -981,7 +984,7 @@ static int quic_derive_initial_secrets(struct ndpi_detection_module_struct *ndpi static uint8_t *decrypt_initial_packet(struct ndpi_detection_module_struct *ndpi_struct, const uint8_t *orig_dest_conn_id, uint8_t orig_dest_conn_id_len, - const uint8_t *dest_conn_id, uint8_t dest_conn_id_len, + uint8_t dest_conn_id_len, uint8_t source_conn_id_len, uint32_t version, uint32_t *clear_payload_len) { @@ -1049,8 +1052,7 @@ static uint8_t *decrypt_initial_packet(struct ndpi_detection_module_struct *ndpi quic_ciphers_reset(&ciphers); return NULL; } - quic_decrypt_message(ndpi_struct, - &ciphers.pp_cipher, &packet->payload[0], pn_offset + payload_length, + quic_decrypt_message(ndpi_struct, &ciphers.pp_cipher, &packet->payload[0], pn_offset + payload_length, offset, first_byte, pkn_len, packet_number, &decryption); quic_ciphers_reset(&ciphers); @@ -1370,7 +1372,7 @@ static uint8_t *get_clear_payload(struct ndpi_detection_module_struct *ndpi_stru clear_payload = decrypt_initial_packet(ndpi_struct, flow->l4.udp.quic_orig_dest_conn_id, flow->l4.udp.quic_orig_dest_conn_id_len, - dest_conn_id, dest_conn_id_len, + dest_conn_id_len, source_conn_id_len, version, clear_payload_len); } 
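Review bot: After `dest_conn_id` is dropped in the `@@ -981,7 +984,7 @@` hunk, decrypt_initial_packet() takes three consecutive `uint8_t` lengths (`orig_dest_conn_id_len`, `dest_conn_id_len`, `source_conn_id_len`), and swapping two of them at the call site in get_clear_payload compiles without a warning. A short header comment would make the contract explicit; from the parameter list it looks as if the secrets come from `orig_dest_conn_id` while the other two lengths only locate header fields, but the body is outside the hunk, so confirm that before writing it. Suggested wording: `/* orig_dest_conn_id: input to key derivation; dest_conn_id_len/source_conn_id_len: header field lengths only */`.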
@@ -1470,10 +1472,10 @@ void process_chlo(struct ndpi_detection_module_struct *ndpi_struct, char str[128]; snprintf(str, sizeof(str), "Invalid host %s", flow->host_server_name); - ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, str); + ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, str); /* This looks like an attack */ - ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, NULL); + ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, NULL); } sni_found = 1; @@ -1501,12 +1503,11 @@ void process_chlo(struct ndpi_detection_module_struct *ndpi_struct, /* Add check for missing SNI */ if(flow->host_server_name[0] == '\0') { /* This is a bit suspicious */ - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_MISSING_SNI, NULL); + ndpi_set_risk(flow, NDPI_TLS_MISSING_SNI, NULL); } } -static int may_be_gquic_rej(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) +static int may_be_gquic_rej(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; void *ptr; @@ -1527,7 +1528,7 @@ static int may_be_gquic_rej(struct ndpi_detection_module_struct *ndpi_struct, } static int may_be_0rtt(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, uint32_t *version) + uint32_t *version) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int8_t first_byte; @@ -1683,7 +1684,7 @@ static int may_be_initial_pkt(struct ndpi_detection_module_struct *ndpi_struct, /* ***************************************************************** */ static int eval_extra_processing(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) + struct ndpi_flow_struct *flow) { u_int32_t version = flow->protos.tls_quic.quic_version; 
@@ -1783,8 +1784,7 @@ static int ndpi_search_quic_extra(struct ndpi_detection_module_struct *ndpi_stru return 0; } -static int is_vn(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) +static int is_vn(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int32_t version; @@ -1845,7 +1845,7 @@ static int ndpi_search_quic_extra_vn(struct ndpi_detection_module_struct *ndpi_s return 1; /* Keep going */ if(flow->l4.udp.quic_vn_pair == 0) { - if(is_vn(ndpi_struct, flow)) { + if(is_vn(ndpi_struct)) { NDPI_LOG_DBG(ndpi_struct, "Valid VN\n"); flow->l4.udp.quic_vn_pair = 1; return 1; @@ -1892,7 +1892,7 @@ static void ndpi_search_quic(struct ndpi_detection_module_struct *ndpi_struct, is_initial_quic = may_be_initial_pkt(ndpi_struct, &version); if(!is_initial_quic) { if(!is_ch_reassembler_pending(flow)) { /* Better safe than sorry */ - ret = may_be_0rtt(ndpi_struct, flow, &version); + ret = may_be_0rtt(ndpi_struct, &version); if(ret == 1) { NDPI_LOG_DBG(ndpi_struct, "Found 0-RTT, keep looking for Initial\n"); flow->l4.udp.quic_0rtt_found = 1; @@ -1910,7 +1910,7 @@ static void ndpi_search_quic(struct ndpi_detection_module_struct *ndpi_struct, flow->protos.tls_quic.quic_version = 0; /* unknown */ return; } - ret = may_be_gquic_rej(ndpi_struct, flow); + ret = may_be_gquic_rej(ndpi_struct); if(ret == 1) { NDPI_LOG_INFO(ndpi_struct, "GQUIC REJ\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUIC, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); diff --git a/src/lib/protocols/radmin.c b/src/lib/protocols/radmin.c index 174c8e3f7..6554b0074 100644 --- a/src/lib/protocols/radmin.c +++ b/src/lib/protocols/radmin.c 
@@ -36,7 +36,7 @@ static void ndpi_int_radmin_add_connection(struct ndpi_detection_module_struct * ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RADMIN, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found Radmin"); + ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found Radmin"); } static void ndpi_search_radmin(struct ndpi_detection_module_struct *ndpi_struct, diff --git a/src/lib/protocols/raknet.c b/src/lib/protocols/raknet.c index c7b52ad38..8aeaddc2d 100644 --- a/src/lib/protocols/raknet.c +++ b/src/lib/protocols/raknet.c @@ -47,8 +47,7 @@ static size_t raknet_dissect_ip(struct ndpi_packet_struct * const packet, size_t return (packet->payload[offset] == 0x04 ? 4 : 16); } -static int is_custom_version(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) +static int is_custom_version(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; unsigned char magic[] = { 0x00, 0xFF, 0xFF, 0x00, 0xFE, 0xFE, 0xFE, 0xFE, @@ -104,7 +103,7 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct, */ if (flow->packet_counter == 1) { - flow->l4.udp.raknet_custom = is_custom_version(ndpi_struct, flow); + flow->l4.udp.raknet_custom = is_custom_version(ndpi_struct); } if (packet->payload_packet_len < 7) diff --git a/src/lib/protocols/rdp.c b/src/lib/protocols/rdp.c index f641f7690..9c42f0055 100644 --- a/src/lib/protocols/rdp.c +++ b/src/lib/protocols/rdp.c 
@@ -36,7 +36,7 @@ static void ndpi_int_rdp_add_connection(struct ndpi_detection_module_struct *ndp struct ndpi_flow_struct *flow) { NDPI_LOG_INFO(ndpi_struct, "found RDP\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RDP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
- ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found RDP"); /* Remote assistance */
+ ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found RDP"); /* Remote assistance */
 } static void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct,
diff --git a/src/lib/protocols/rsh.c b/src/lib/protocols/rsh.c
index 6addb7404..6048e2f54 100644
--- a/src/lib/protocols/rsh.c
+++ b/src/lib/protocols/rsh.c
@@ -139,7 +139,7 @@ static void ndpi_search_rsh(struct ndpi_detection_module_struct * ndpi_struct, flow->protos.rsh.command) < 0) str[0] = '\0';
- ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, str);
+ ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, str);
 } return;
diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c
index b88c6afcd..afa5e2bf2 100644
--- a/src/lib/protocols/rtp.c
+++ b/src/lib/protocols/rtp.c
@@ -84,8 +84,7 @@ static int is_valid_rtcp_payload_type(uint8_t type) return (type >= 192 && type <= 213); }
-int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow)
+int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct)
 { struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int8_t padding, csrc_count, ext_header;
@@ -170,7 +169,7 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, return; }
- is_rtp = is_rtp_or_rtcp(ndpi_struct, flow);
+ is_rtp = is_rtp_or_rtcp(ndpi_struct);
 if(is_rtp == IS_RTP) { if(flow->l4.udp.rtp_stage == 2) { if(flow->l4.udp.line_pkts[0] >= 2 && flow->l4.udp.line_pkts[1] >= 2) {
diff --git a/src/lib/protocols/sip.c b/src/lib/protocols/sip.c
index dd6b2a346..b6963584c 100644
--- a/src/lib/protocols/sip.c
+++ b/src/lib/protocols/sip.c
@@ -30,8 +30,7 @@ #include "ndpi_private.h" static void ndpi_int_sip_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow,
- u_int8_t due_to_correlation) {
+ struct ndpi_flow_struct *flow) {
 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SIP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); }
@@ -65,7 +64,7 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct && (memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found sip NOTIFY\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ ndpi_int_sip_add_connection(ndpi_struct, flow);
 return; }
@@ -73,14 +72,14 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct && (memcmp(&packet_payload[9], "SIP:", 4) == 0 || memcmp(&packet_payload[9], "sip:", 4) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found sip REGISTER\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ ndpi_int_sip_add_connection(ndpi_struct, flow);
 return; } if((memcmp(packet_payload, "INVITE ", 7) == 0 || memcmp(packet_payload, "invite ", 7) == 0) && (memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found sip INVITE\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ ndpi_int_sip_add_connection(ndpi_struct, flow);
 return; }
@@ -92,20 +91,20 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct /* if(memcmp(packet_payload, "SIP/2.0 200 OK", 14) == 0 || memcmp(packet_payload, "sip/2.0 200 OK", 14) == 0) { NDPI_LOG_INFO(ndpi_struct, "found sip SIP/2.0 0K\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ ndpi_int_sip_add_connection(ndpi_struct, flow);
 return; } */ if(memcmp(packet_payload, "SIP/2.0 ", 8) == 0 || memcmp(packet_payload, "sip/2.0 ", 8) == 0) { NDPI_LOG_INFO(ndpi_struct, "found sip SIP/2.0 *\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ ndpi_int_sip_add_connection(ndpi_struct, flow);
 return; } if((memcmp(packet_payload, "BYE ", 4) == 0 || memcmp(packet_payload, "bye ", 4) == 0) && (memcmp(&packet_payload[4], "SIP:", 4) == 0 || memcmp(&packet_payload[4], "sip:", 4) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found sip BYE\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ ndpi_int_sip_add_connection(ndpi_struct, flow);
 return; }
@@ -113,7 +112,7 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct && ((memcmp(&packet_payload[4], "SIP:", 4) == 0 || memcmp(&packet_payload[4], "sip:", 4) == 0) || (memcmp(&packet_payload[4], "TEL:", 4) == 0 || memcmp(&packet_payload[4], "tel:", 4) == 0))) { NDPI_LOG_INFO(ndpi_struct, "found sip ACK\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ ndpi_int_sip_add_connection(ndpi_struct, flow);
 return; }
@@ -121,21 +120,21 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct && ((memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0) || (memcmp(&packet_payload[7], "TEL:", 4) == 0 || memcmp(&packet_payload[7], "tel:", 4) == 0))) { NDPI_LOG_INFO(ndpi_struct, "found sip CANCEL\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ ndpi_int_sip_add_connection(ndpi_struct, flow);
 return; } if((memcmp(packet_payload, "PUBLISH ", 8) == 0 || memcmp(packet_payload, "publish ", 8) == 0) && (memcmp(&packet_payload[8], "SIP:", 4) == 0 || memcmp(&packet_payload[8], "sip:", 4) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found sip PUBLISH\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ ndpi_int_sip_add_connection(ndpi_struct, flow);
 return; } if((memcmp(packet_payload, "SUBSCRIBE ", 10) == 0 || memcmp(packet_payload, "subscribe ", 10) == 0) && (memcmp(&packet_payload[10], "SIP:", 4) == 0 || memcmp(&packet_payload[10], "sip:", 4) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found sip SUBSCRIBE\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ ndpi_int_sip_add_connection(ndpi_struct, flow);
 return; }
@@ -143,7 +142,7 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct if((memcmp(packet_payload, "MESSAGE ", 8) == 0 || memcmp(packet_payload, "message ", 8) == 0) && (memcmp(&packet_payload[8], "SIP:", 4) == 0 || memcmp(&packet_payload[8], "sip:", 4) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found sip MESSAGE\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ ndpi_int_sip_add_connection(ndpi_struct, flow);
 return; }
@@ -153,28 +152,28 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct && ((memcmp(&packet_payload[8], "SIP:", 4) == 0 || memcmp(&packet_payload[8], "sip:", 4) == 0) || (memcmp(&packet_payload[8], "TEL:", 4) == 0 || memcmp(&packet_payload[8], "tel:", 4) == 0))) { NDPI_LOG_INFO(ndpi_struct, "found sip OPTIONS\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ ndpi_int_sip_add_connection(ndpi_struct, flow);
 return; } if((memcmp(packet_payload, "REFER ", 6) == 0 || memcmp(packet_payload, "refer ", 6) == 0) && (memcmp(&packet_payload[6], "SIP:", 4) == 0 || memcmp(&packet_payload[6], "sip:", 4) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found sip REFER\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ ndpi_int_sip_add_connection(ndpi_struct, flow);
 return; } if((memcmp(packet_payload, "PRACK ", 6) == 0 || memcmp(packet_payload, "prack ", 6) == 0) && (memcmp(&packet_payload[6], "SIP:", 4) == 0 || memcmp(&packet_payload[6], "sip:", 4) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found sip PRACK\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ ndpi_int_sip_add_connection(ndpi_struct, flow);
 return; } if((memcmp(packet_payload, "INFO ", 5) == 0 || memcmp(packet_payload, "info ", 5) == 0) && (memcmp(&packet_payload[5], "SIP:", 4) == 0 || memcmp(&packet_payload[5], "sip:", 4) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found sip INFO\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ ndpi_int_sip_add_connection(ndpi_struct, flow);
 return; } }
diff --git a/src/lib/protocols/slp.c b/src/lib/protocols/slp.c
index 81c1cabd9..e7fd6b105 100644
--- a/src/lib/protocols/slp.c
+++ b/src/lib/protocols/slp.c
@@ -285,7 +285,7 @@ static void ndpi_dissect_slp_v2(struct ndpi_detection_module_struct *ndpi_struct } } else if (url_entry_count_offset > 0 && packet->payload_packet_len > sizeof(*hdr) + url_entry_count_offset + 2) { if (slp_dissect_url_entries(ndpi_struct, flow, sizeof(*hdr) + url_entry_count_offset) != 0) {
- ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid URL entries");
+ ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid URL entries");
 } } else if (packet->payload_packet_len > sizeof(*hdr) + url_offset + 2) { url_length_or_count = ntohs(*(uint16_t *)&packet->payload[sizeof(*hdr) + url_offset]); // FID_SrvReg or FID_SrvDeReg
diff --git a/src/lib/protocols/smb.c b/src/lib/protocols/smb.c
index ead48f0a0..b0255cb63 100644
--- a/src/lib/protocols/smb.c
+++ b/src/lib/protocols/smb.c
@@ -52,7 +52,7 @@ static void ndpi_search_smb_tcp(struct ndpi_detection_module_struct *ndpi_struct if(packet->payload[8] != 0x72) /* Skip Negotiate request */ { NDPI_LOG_INFO(ndpi_struct, "found SMBv1\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV1, NDPI_PROTOCOL_NETBIOS, NDPI_CONFIDENCE_DPI);
- ndpi_set_risk(ndpi_struct, flow, NDPI_SMB_INSECURE_VERSION, "Found SMBv1");
+ ndpi_set_risk(flow, NDPI_SMB_INSECURE_VERSION, "Found SMBv1");
 } return; } else if(memcmp(&packet->payload[4], smbv2, sizeof(smbv2)) == 0) {
diff --git a/src/lib/protocols/snmp_proto.c b/src/lib/protocols/snmp_proto.c
index 75e829126..632365bb9 100644
--- a/src/lib/protocols/snmp_proto.c
+++ b/src/lib/protocols/snmp_proto.c
@@ -129,7 +129,7 @@ static void ndpi_search_snmp(struct ndpi_detection_module_struct *ndpi_struct, char str[64]; snprintf(str, sizeof(str), "SNMP Error %d", error_status);
- ndpi_set_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED, str);
+ ndpi_set_risk(flow, NDPI_ERROR_CODE_DETECTED, str);
 } } }
diff --git a/src/lib/protocols/spotify.c b/src/lib/protocols/spotify.c
index 4bb9ce452..7f40ca6dc 100644
--- a/src/lib/protocols/spotify.c
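Review bot: In src/lib/protocols/slp.c (ndpi_dissect_slp_v2), the context line `ntohs(*(uint16_t *)&packet->payload[sizeof(*hdr) + url_offset])` reads a 16-bit field through a cast pointer into the packet buffer, and nothing visible guarantees that the offset is two-byte aligned, so the access can be misaligned (undefined behaviour, and a trap on strict-alignment targets). The length guard on the preceding line already covers the two bytes, so only the load needs changing: `uint16_t v; memcpy(&v, &packet->payload[sizeof(*hdr) + url_offset], sizeof(v)); url_length_or_count = ntohs(v);`. The same cast pattern appears in tls.c at `ntohs(*(u_int16_t const *)&message->buffer[3])` in ndpi_search_tls_tcp. Both functions start and end outside their hunks.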
+++ b/src/lib/protocols/spotify.c
@@ -30,8 +30,7 @@ static void ndpi_int_spotify_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow,
- u_int8_t due_to_correlation)
+ struct ndpi_flow_struct *flow)
 { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SPOTIFY, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); }
@@ -50,7 +49,7 @@ static void ndpi_check_spotify(struct ndpi_detection_module_struct *ndpi_struct, if(payload_len >= 7) { if(memcmp(packet->payload, "SpotUdp", 7) == 0) { NDPI_LOG_INFO(ndpi_struct, "found spotify udp dissector\n");
- ndpi_int_spotify_add_connection(ndpi_struct, flow, 0);
+ ndpi_int_spotify_add_connection(ndpi_struct, flow);
 return; } }
@@ -62,7 +61,7 @@ static void ndpi_check_spotify(struct ndpi_detection_module_struct *ndpi_struct, packet->payload[6] == 0x52 && (packet->payload[7] == 0x0e || packet->payload[7] == 0x0f) && packet->payload[8] == 0x50 ) { NDPI_LOG_INFO(ndpi_struct, "found spotify tcp dissector\n");
- ndpi_int_spotify_add_connection(ndpi_struct, flow, 0);
+ ndpi_int_spotify_add_connection(ndpi_struct, flow);
 } }
diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c
index d950ede95..fb5e200b8 100644
--- a/src/lib/protocols/ssh.c
+++ b/src/lib/protocols/ssh.c
@@ -68,8 +68,7 @@ typedef struct { /* ************************************************************************ */
-static void ssh_analyze_signature_version(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow,
+static void ssh_analyze_signature_version(struct ndpi_flow_struct *flow,
 char *str_to_check, u_int8_t is_client_signature) {
@@ -122,8 +121,7 @@ static void ssh_analyze_signature_version(struct ndpi_detection_module_struct *n /* ************************************************************************ */
-static void ssh_analyse_cipher(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow,
+static void ssh_analyse_cipher(struct ndpi_flow_struct *flow,
 char *ciphers, u_int cipher_len, u_int8_t is_client_signature) {
@@ -179,7 +177,7 @@ static void ssh_analyse_cipher(struct ndpi_detection_module_struct *ndpi_struct, char str[64]; snprintf(str, sizeof(str), "Found cipher %s", obsolete_ciphers[found_obsolete_cipher]);
- ndpi_set_risk(ndpi_struct, flow,
+ ndpi_set_risk(flow,
 (is_client_signature ? NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER : NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER), str); }
@@ -218,8 +216,7 @@ static void ndpi_int_ssh_add_connection(struct ndpi_detection_module_struct /* ************************************************************************ */
-static u_int16_t concat_hash_string(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow,
+static u_int16_t concat_hash_string(struct ndpi_flow_struct *flow,
 struct ndpi_packet_struct *packet, char *buf, u_int8_t client_hash) { u_int32_t offset = 22, len, buf_out_len = 0, max_payload_len = packet->payload_packet_len-sizeof(u_int32_t);
@@ -262,7 +259,7 @@ static u_int16_t concat_hash_string(struct ndpi_detection_module_struct *ndpi_st goto invalid_payload; strncpy(&buf[buf_out_len], (const char *)&packet->payload[offset], len);
- ssh_analyse_cipher(ndpi_struct, flow, (char*)&packet->payload[offset], len, 1 /* client */);
+ ssh_analyse_cipher(flow, (char*)&packet->payload[offset], len, 1 /* client */);
 buf_out_len += len; buf[buf_out_len++] = ';'; }
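Review bot: In src/lib/protocols/ssh.c, the initialiser `max_payload_len = packet->payload_packet_len-sizeof(u_int32_t)` at the top of concat_hash_string() wraps to a very large value when the payload is shorter than four bytes, because the subtraction is unsigned. Whether the caller guarantees a minimum payload length is not visible in this hunk, and the function body continues past it, so I would guard locally before `max_payload_len` is first used: `if(packet->payload_packet_len < sizeof(u_int32_t)) goto invalid_payload;`. The later hunks in this function copy `len` bytes with `strncpy(&buf[buf_out_len], ...)`; the check that `buf_out_len + len` fits in `buf` is also outside the visible lines, so a comment on the function stating the required size of `buf` would help the next reader.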
@@ -283,7 +280,7 @@ static u_int16_t concat_hash_string(struct ndpi_detection_module_struct *ndpi_st goto invalid_payload; strncpy(&buf[buf_out_len], (const char *)&packet->payload[offset], len);
- ssh_analyse_cipher(ndpi_struct, flow, (char*)&packet->payload[offset], len, 0 /* server */);
+ ssh_analyse_cipher(flow, (char*)&packet->payload[offset], len, 0 /* server */);
 buf_out_len += len; buf[buf_out_len++] = ';'; }
@@ -417,7 +414,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct flow->protos.ssh.client_signature[len] = '\0'; ndpi_ssh_zap_cr(flow->protos.ssh.client_signature, len);
- ssh_analyze_signature_version(ndpi_struct, flow, flow->protos.ssh.client_signature, 1);
+ ssh_analyze_signature_version(flow, flow->protos.ssh.client_signature, 1);
 #ifdef SSH_DEBUG printf("[SSH] [client_signature: %s]\n", flow->protos.ssh.client_signature);
@@ -437,7 +434,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct flow->protos.ssh.server_signature[len] = '\0'; ndpi_ssh_zap_cr(flow->protos.ssh.server_signature, len);
- ssh_analyze_signature_version(ndpi_struct, flow, flow->protos.ssh.server_signature, 0);
+ ssh_analyze_signature_version(flow, flow->protos.ssh.server_signature, 0);
 #ifdef SSH_DEBUG printf("[SSH] [server_signature: %s]\n", flow->protos.ssh.server_signature);
@@ -469,7 +466,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct if(packet->packet_direction == 0 /* client */) { u_char fingerprint_client[16];
- len = concat_hash_string(ndpi_struct, flow, packet, hassh_buf, 1 /* client */);
+ len = concat_hash_string(flow, packet, hassh_buf, 1 /* client */);
 ndpi_MD5Init(&ctx); ndpi_MD5Update(&ctx, (const unsigned char *)hassh_buf, len);
@@ -491,7 +488,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct } else { u_char fingerprint_server[16];
- len = concat_hash_string(ndpi_struct, flow, packet, hassh_buf, 0 /* server */);
+ len = concat_hash_string(flow, packet, hassh_buf, 0 /* server */);
 ndpi_MD5Init(&ctx); ndpi_MD5Update(&ctx, (const unsigned char *)hassh_buf, len);
diff --git a/src/lib/protocols/starcraft.c b/src/lib/protocols/starcraft.c
index d04f2a381..a4d130e8e 100644
--- a/src/lib/protocols/starcraft.c
+++ b/src/lib/protocols/starcraft.c
@@ -48,7 +48,7 @@ static u_int8_t sc2_match_logon_ip(struct ndpi_packet_struct* packet) transfer generated by the user interaction with the client, e.g. chatting or looking at someone's match history. The current way to detect this is plain dumb packet matching. */
-static u_int8_t ndpi_check_starcraft_tcp(struct ndpi_detection_module_struct* ndpi_struct, struct ndpi_flow_struct* flow)
+static u_int8_t ndpi_check_starcraft_tcp(struct ndpi_detection_module_struct* ndpi_struct)
 { struct ndpi_packet_struct* packet = &ndpi_struct->packet;
@@ -132,7 +132,7 @@ static void ndpi_search_starcraft(struct ndpi_detection_module_struct* ndpi_stru } } else if (packet->tcp != NULL) {
- result = ndpi_check_starcraft_tcp(ndpi_struct, flow);
+ result = ndpi_check_starcraft_tcp(ndpi_struct);
 if (result == 1) { NDPI_LOG_INFO(ndpi_struct, "Found Starcraft 2 [Client, TCP]\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_STARCRAFT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index 305feabf1..4f25420a7 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -417,8 +417,7 @@ int is_stun(struct ndpi_detection_module_struct *ndpi_struct, return 1; }
-static int keep_extra_dissection(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow)
+static int keep_extra_dissection(struct ndpi_flow_struct *flow)
 { if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN /* No subclassification */) return 1;
@@ -518,10 +517,10 @@ static int stun_search_again(struct ndpi_detection_module_struct *ndpi_struct, old_proto_stack[1] = flow->detected_protocol_stack[1]; /* TODO: right way? It is a bit scary... do we need to reset something else too? */
- reset_detected_protocol(ndpi_struct, flow);
+ reset_detected_protocol(flow);
 /* We keep the category related to STUN traffic */ /* STUN often triggers this risk; clear it. TODO: clear other risks? */
- ndpi_unset_risk(ndpi_struct, flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT);
+ ndpi_unset_risk(flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT);
 /* Give room for DTLS handshake, where we might have retransmissions and fragments */
@@ -589,7 +588,7 @@ static int stun_search_again(struct ndpi_detection_module_struct *ndpi_struct, NDPI_LOG_DBG(ndpi_struct, "QUIC range. Unexpected\n"); } else if(first_byte <= 191) {
- rtp_rtcp = is_rtp_or_rtcp(ndpi_struct, flow);
+ rtp_rtcp = is_rtp_or_rtcp(ndpi_struct);
 if(rtp_rtcp == IS_RTP) { NDPI_LOG_DBG(ndpi_struct, "RTP (dir %d)\n", packet->packet_direction); NDPI_LOG_INFO(ndpi_struct, "Found RTP over STUN\n");
@@ -621,7 +620,7 @@ static int stun_search_again(struct ndpi_detection_module_struct *ndpi_struct, } else { NDPI_LOG_DBG(ndpi_struct, "QUIC range. Unexpected\n"); }
- return keep_extra_dissection(ndpi_struct, flow);
+ return keep_extra_dissection(flow);
 } /* ************************************************************ */
diff --git a/src/lib/protocols/tcp_udp.c b/src/lib/protocols/tcp_udp.c
index 2f3e37f72..59d137b50 100644
--- a/src/lib/protocols/tcp_udp.c
+++ b/src/lib/protocols/tcp_udp.c
@@ -25,7 +25,6 @@ u_int ndpi_search_tcp_or_udp_raw(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow,
- u_int8_t protocol,
 u_int32_t saddr, u_int32_t daddr) /* host endianess */ { u_int16_t rc;
@@ -56,7 +55,6 @@ void ndpi_search_tcp_or_udp(struct ndpi_detection_module_struct *ndpi_struct, st if(packet->iph /* IPv4 Only: we need to support packet->iphv6 at some point */) { proto = ndpi_search_tcp_or_udp_raw(ndpi_struct, flow,
- flow->l4_proto,
 ntohl(packet->iph->saddr), ntohl(packet->iph->daddr));
diff --git a/src/lib/protocols/teamviewer.c b/src/lib/protocols/teamviewer.c
index 4ed7f1269..49b7a5862 100644
--- a/src/lib/protocols/teamviewer.c
+++ b/src/lib/protocols/teamviewer.c
@@ -51,7 +51,7 @@ static void ndpi_search_teamview(struct ndpi_detection_module_struct *ndpi_struc if (flow->teamviewer_stage == 4 || packet->udp->dest == ntohs(5938) || packet->udp->source == ntohs(5938)) { ndpi_int_teamview_add_connection(ndpi_struct, flow);
- ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found TeamViewer"); /* Remote assistance (UDP only) */
+ ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found TeamViewer"); /* Remote assistance (UDP only) */
 } return; }
diff --git a/src/lib/protocols/telnet.c b/src/lib/protocols/telnet.c
index d543c6efa..035bcc862 100644
--- a/src/lib/protocols/telnet.c
+++ b/src/lib/protocols/telnet.c
@@ -65,7 +65,7 @@ static int search_telnet_again(struct ndpi_detection_module_struct *ndpi_struct, return(1); flow->protos.telnet.password_detected = 1;
- ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found password");
+ ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found password");
 flow->protos.telnet.password[flow->protos.telnet.character_id] = '\0'; return(0); }
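Review bot: In src/lib/protocols/teamviewer.c (ndpi_search_teamview), the context line compares wire-order port fields with `ntohs(5938)`, which converts in the wrong direction for a host-order constant. The two byte swaps are the same operation, so the result is correct, but `packet->udp->dest == htons(5938) || packet->udp->source == htons(5938)` states the intent and matches how a reader checks endianness handling in a dissector. The function starts and ends outside this hunk.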
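Review bot: In src/lib/protocols/telnet.c (search_telnet_again), `flow->protos.telnet.password[flow->protos.telnet.character_id] = '\0';` indexes the stored password with a counter that appears to advance with bytes received from the peer, and the bound on `character_id` is not in this hunk. If it is not already enforced where the counter is incremented, I would wrap the store in `if(flow->protos.telnet.character_id < sizeof(flow->protos.telnet.password))`, assuming `password` is an array member. The next hunk in this function formats `flow->protos.telnet.username` into the risk message; a comment there, such as `/* username is peer-controlled: consumers must escape it before logging or display */`, would make that contract explicit. The function body extends beyond both hunks.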
@@ -99,7 +99,7 @@ static int search_telnet_again(struct ndpi_detection_module_struct *ndpi_struct, snprintf(buf, sizeof(buf), "Found Telnet username (%s)", flow->protos.telnet.username);
- ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf);
+ ndpi_set_risk(flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf);
 return(1); }
@@ -146,8 +146,7 @@ __mingw_forceinline static #else __forceinline static #endif
-u_int8_t search_iac(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow) {
+u_int8_t search_iac(struct ndpi_detection_module_struct *ndpi_struct) {
 struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int16_t a;
@@ -189,7 +188,7 @@ static void ndpi_search_telnet_tcp(struct ndpi_detection_module_struct *ndpi_str struct ndpi_flow_struct *flow) { NDPI_LOG_DBG(ndpi_struct, "search telnet\n");
- if(search_iac(ndpi_struct, flow) == 1) {
+ if(search_iac(ndpi_struct) == 1) {
 if(flow->l4.tcp.telnet_stage == 2) { NDPI_LOG_INFO(ndpi_struct, "found telnet\n"); ndpi_int_telnet_add_connection(ndpi_struct, flow);
diff --git a/src/lib/protocols/thrift.c b/src/lib/protocols/thrift.c
index 1e1749b9f..d9be27ca5 100644
--- a/src/lib/protocols/thrift.c
+++ b/src/lib/protocols/thrift.c
@@ -113,29 +113,27 @@ static int thrift_validate_type(uint8_t message_type) return message_type < TMT_TYPE_MAX; }
-static void thrift_set_method(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow,
+static void thrift_set_method(struct ndpi_flow_struct *flow,
 char const * const method, size_t method_length) { if (thrift_validate_method(method, method_length) == 0) {
- ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, "Invalid method name");
+ ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, "Invalid method name");
 flow->protos.thrift.method[0] = '\0'; } else { strncpy(flow->protos.thrift.method, method, ndpi_min(sizeof(flow->protos.thrift.method), method_length)); } }
-static void thrift_set_type(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow,
+static void thrift_set_type(struct ndpi_flow_struct *flow,
 uint8_t message_type) { if (message_type == TMT_INVALID_TMESSAGE_TYPE) {
- ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid message type");
+ ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid message type");
 } flow->protos.thrift.message_type = message_type; if (message_type == TMT_EXCEPTION) {
- ndpi_set_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED, "Apache Thrift Exception");
+ ndpi_set_risk(flow, NDPI_ERROR_CODE_DETECTED, "Apache Thrift Exception");
 } }
@@ -168,8 +166,8 @@ static void ndpi_dissect_strict_hdr(struct ndpi_detection_module_struct *ndpi_st ndpi_int_thrift_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN);
- thrift_set_method(ndpi_struct, flow, strict_hdr->method, method_length);
- thrift_set_type(ndpi_struct, flow, strict_hdr->message_type);
+ thrift_set_method(flow, strict_hdr->method, method_length);
+ thrift_set_type(flow, strict_hdr->message_type);
 } static void ndpi_dissect_compact_hdr(struct ndpi_detection_module_struct *ndpi_struct,
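Review bot: In src/lib/protocols/thrift.c, thrift_set_method() copies with `strncpy(flow->protos.thrift.method, method, ndpi_min(sizeof(flow->protos.thrift.method), method_length))`, which writes no terminating NUL whenever `method_length` is at least the size of the array, and otherwise relies on the field having been zeroed beforehand. Any later string read of `flow->protos.thrift.method` can then run past the field. I would bound the copy to one byte less and terminate explicitly: `size_t n = ndpi_min(sizeof(flow->protos.thrift.method) - 1, method_length); memcpy(flow->protos.thrift.method, method, n); flow->protos.thrift.method[n] = '\0';`. The callers in ndpi_dissect_strict_hdr and ndpi_dissect_compact_hdr appear to pass lengths taken from the packet header, and no cap against the field size is visible in their hunks.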
@@ -200,8 +198,8 @@ static void ndpi_dissect_compact_hdr(struct ndpi_detection_module_struct *ndpi_s ndpi_int_thrift_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN);
- thrift_set_method(ndpi_struct, flow, compact_hdr->method, compact_hdr->method_length);
- thrift_set_type(ndpi_struct, flow, compact_hdr->message_type);
+ thrift_set_method(flow, compact_hdr->method, compact_hdr->method_length);
+ thrift_set_type(flow, compact_hdr->message_type);
 } static void ndpi_search_thrift_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct,
diff --git a/src/lib/protocols/tivoconnect.c b/src/lib/protocols/tivoconnect.c
index 4bfd041e9..208e3f8ae 100644
--- a/src/lib/protocols/tivoconnect.c
+++ b/src/lib/protocols/tivoconnect.c
@@ -55,7 +55,7 @@ static void dissect_tivoconnect_data(struct ndpi_detection_module_struct *ndpi_s if (value == NULL) {
- ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Missing value type in TiViConnect beacon");
+ ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Missing value type in TiViConnect beacon");
 continue; } value++;
@@ -108,7 +108,7 @@ static void dissect_tivoconnect_data(struct ndpi_detection_module_struct *ndpi_s if ((size_t)(key - payload) != payload_len) {
- ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET,
+ ndpi_set_risk(flow, NDPI_MALFORMED_PACKET,
 "TiViConnect beacon malformed packet"); } }
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 7e9552004..882f463fb 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -149,9 +149,7 @@ static u_int32_t __get_master(struct ndpi_detection_module_struct *ndpi_struct, /* **************************************** */
-static int ndpi_search_tls_memory(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow,
- const u_int8_t *payload,
+static int ndpi_search_tls_memory(const u_int8_t *payload,
 u_int16_t payload_len, u_int32_t seq, message_t *message) {
@@ -354,7 +352,7 @@ static void checkTLSSubprotocol(struct ndpi_detection_module_struct *ndpi_struct ndpi_set_detected_protocol(ndpi_struct, flow, cached_proto, __get_master(ndpi_struct, flow), NDPI_CONFIDENCE_DPI_CACHE); flow->category = ndpi_get_proto_category(ndpi_struct, ret); ndpi_check_subprotocol_risk(ndpi_struct, flow, cached_proto);
- ndpi_unset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST);
+ ndpi_unset_risk(flow, NDPI_NUMERIC_IP_HOST);
 } } }
@@ -450,7 +448,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct char str[64]; snprintf(str, sizeof(str), "Invalid issuerDN %s", flow->protos.tls_quic.issuerDN);
- ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, str);
+ ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, str);
 } }
@@ -528,7 +526,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct snprintf(str, sizeof(str), "TLS Cert lasts %u days", (flow->protos.tls_quic.notAfter-flow->protos.tls_quic.notBefore) / 86400);
- ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERT_VALIDITY_TOO_LONG, str); /* Certificate validity longer than 13 months */
+ ndpi_set_risk(flow, NDPI_TLS_CERT_VALIDITY_TOO_LONG, str); /* Certificate validity longer than 13 months */
 } if((time_sec < flow->protos.tls_quic.notBefore) || (time_sec > flow->protos.tls_quic.notAfter)) {
@@ -543,7 +541,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct strftime(e, sizeof(e), "%d/%b/%Y %H:%M:%S", ndpi_gmtime_r(&theTime, &result)); snprintf(str, sizeof(str), "%s - %s", b, e);
- ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_EXPIRED, str); /* Certificate expired */
+ ndpi_set_risk(flow, NDPI_TLS_CERTIFICATE_EXPIRED, str); /* Certificate expired */
 } else if((time_sec > flow->protos.tls_quic.notBefore) && (time_sec > (flow->protos.tls_quic.notAfter - (ndpi_struct->cfg.tls_certificate_expire_in_x_days * 86400)))) { char str[96], b[32], e[32];
@@ -557,7 +555,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct strftime(e, sizeof(e), "%d/%b/%Y %H:%M:%S", ndpi_gmtime_r(&theTime, &result)); snprintf(str, sizeof(str), "%s - %s", b, e);
- ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE, str); /* Certificate almost expired */
+ ndpi_set_risk(flow, NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE, str); /* Certificate almost expired */
 } } }
@@ -642,10 +640,10 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct here that will create false positives */ if(ndpi_normalize_printable_string(dNSName, dNSName_len) == 0) {
- ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, dNSName);
+ ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, dNSName);
 /* This looks like an attack */
- ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, NULL);
+ ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, NULL);
 } if(matched_name == 0) {
@@ -692,7 +690,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct if(!flow->protos.tls_quic.subprotocol_detected) if(ndpi_match_hostname_protocol(ndpi_struct, flow, __get_master(ndpi_struct, flow), dNSName, dNSName_len)) { flow->protos.tls_quic.subprotocol_detected = 1;
- ndpi_unset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST);
+ ndpi_unset_risk(flow, NDPI_NUMERIC_IP_HOST);
 } i += len;
@@ -700,7 +698,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct #if DEBUG_TLS printf("[TLS] Leftover %u bytes", packet->payload_packet_len - i); #endif
- ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION, NULL);
+ ndpi_set_risk(flow, NDPI_TLS_SUSPICIOUS_EXTENSION, NULL);
 break; } } else {
@@ -712,7 +710,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct char str[128]; snprintf(str, sizeof(str), "%s vs %s", flow->host_server_name, flow->protos.tls_quic.server_names);
- ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_MISMATCH, str); /* Certificate mismatch */
+ ndpi_set_risk(flow, NDPI_TLS_CERTIFICATE_MISMATCH, str); /* Certificate mismatch */
 } } }
@@ -737,7 +735,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct ndpi_set_detected_protocol(ndpi_struct, flow, proto_id, __get_master(ndpi_struct, flow), NDPI_CONFIDENCE_DPI); flow->category = ndpi_get_proto_category(ndpi_struct, ret); ndpi_check_subprotocol_risk(ndpi_struct, flow, proto_id);
- ndpi_unset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST);
+ ndpi_unset_risk(flow, NDPI_NUMERIC_IP_HOST);
 if(ndpi_struct->tls_cert_cache) { u_int64_t key = make_tls_cert_key(packet, 0 /* from the server */);
@@ -754,7 +752,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct if(ndpi_check_issuerdn_risk_exception(ndpi_struct, flow->protos.tls_quic.issuerDN)) return; /* This is a trusted DN */
- ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SELFSIGNED_CERTIFICATE, flow->protos.tls_quic.subjectDN);
+ ndpi_set_risk(flow, NDPI_TLS_SELFSIGNED_CERTIFICATE, flow->protos.tls_quic.subjectDN);
 } #if DEBUG_TLS
@@ -783,7 +781,7 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, if((packet->payload_packet_len != (length + 4 + (is_dtls ? 8 : 0))) || (packet->payload[1] != 0x0) || certificates_offset >= packet->payload_packet_len) {
- ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, NULL);
+ ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, NULL);
 return(-1); /* Invalid length */ }
@@ -792,7 +790,7 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, packet->payload[certificates_offset - 1]; if((packet->payload[certificates_offset - 3] != 0x0) || ((certificates_length+3) != length)) {
- ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, NULL);
+ ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, NULL);
 return(-2); /* Invalid length */ }
@@ -869,7 +867,7 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t rc1 = ndpi_hash_find_entry(ndpi_struct->malicious_sha1_hashmap, sha1_str, sha1_siz * 2, NULL); if(rc1 == 0)
- ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_SHA1_CERTIFICATE, sha1_str);
+ ndpi_set_risk(flow, NDPI_MALICIOUS_SHA1_CERTIFICATE, sha1_str);
 } }
@@ -987,7 +985,7 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, } message = &flow->tls_quic.message[packet->packet_direction];
- if(ndpi_search_tls_memory(ndpi_struct, flow, packet->payload,
+ if(ndpi_search_tls_memory(packet->payload,
 packet->payload_packet_len, ntohl(packet->tcp->seq), message) == -1) return 0; /* Error -> stop */
@@ -1058,7 +1056,7 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, u_int8_t alert_level = message->buffer[5]; if(alert_level == 2 /* Warning (1), Fatal (2) */)
- ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_FATAL_ALERT, NULL);
+ ndpi_set_risk(flow, NDPI_TLS_FATAL_ALERT, NULL);
 } u_int16_t const alert_len = ntohs(*(u_int16_t const *)&message->buffer[3]);
@@ -1176,7 +1174,7 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, suited than NDPI_CONFIDENCE_DPI_CACHE */ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_TLS, NDPI_CONFIDENCE_DPI_AGGRESSIVE); /* TLS over port 8080 usually triggers that risk; clear it */ - ndpi_unset_risk(ndpi_struct, flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT); + ndpi_unset_risk(flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT); flow->extra_packets_func = NULL; return(0); /* That's all */ } else { @@ -1286,11 +1284,11 @@ static int ndpi_search_tls_udp(struct ndpi_detection_module_struct *ndpi_struct, } if(handshake_frag_off == 0) { - rc = ndpi_search_tls_memory(ndpi_struct, flow, &block[13], + rc = ndpi_search_tls_memory(&block[13], handshake_frag_len + 12, handshake_frag_off, message); } else { - rc = ndpi_search_tls_memory(ndpi_struct, flow, &block[13 + 12], + rc = ndpi_search_tls_memory(&block[13 + 12], handshake_frag_len, handshake_frag_off + 12, message); } @@ -1472,7 +1470,7 @@ static void tlsCheckUncommonALPN(struct ndpi_detection_module_struct *ndpi_struc str[str_len - 1] = '\0'; } - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_UNCOMMON_ALPN, str); + ndpi_set_risk(flow, NDPI_TLS_UNCOMMON_ALPN, str); break; } @@ -1518,7 +1516,7 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct, printf("[TLS] extension length exceeds remaining packet length: %u > %u.\n", extension_len, packet->payload_packet_len - extension_payload_offset); #endif - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION, NULL); + ndpi_set_risk(flow, NDPI_TLS_SUSPICIOUS_EXTENSION, NULL); return; } @@ -1560,7 +1558,7 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct, #ifdef DEBUG_TLS printf("[TLS] suspicious extension id: %u\n", extension_id); #endif - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION, str); + ndpi_set_risk(flow, NDPI_TLS_SUSPICIOUS_EXTENSION, str); return; } } 
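Review bot: In ndpi_search_tls_tcp (hunk at -1176), `ndpi_unset_risk(flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT)` clears a risk on the strength of a classification that the same lines record as `NDPI_CONFIDENCE_DPI_AGGRESSIVE`. If that Ookla match is a false positive, the flow loses the non-standard-port signal and nothing records why. The existing comment explains the port but not the confidence; I would extend it to `/* Ookla matched heuristically: TLS over port 8080 usually triggers that risk; clear it (signal is lost if the match is wrong) */`. The condition that leads into this branch is outside the hunk.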
@@ -1577,7 +1575,7 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct, #ifdef DEBUG_TLS printf("[TLS] suspicious DTLS-only extension id: %u\n", extension_id); #endif - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION, str); + ndpi_set_risk(flow, NDPI_TLS_SUSPICIOUS_EXTENSION, str); return; } } @@ -1601,8 +1599,7 @@ static int u_int16_t_cmpfunc(const void * a, const void * b) { return(*(u_int16_ /* **************************************** */ -static void ndpi_compute_ja4(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, +static void ndpi_compute_ja4(struct ndpi_flow_struct *flow, u_int32_t quic_version, union ja_info *ja) { u_int8_t tmp_str[JA_STR_LEN]; @@ -1680,7 +1677,7 @@ static void ndpi_compute_ja4(struct ndpi_detection_module_struct *ndpi_struct, break; } - ja_str[3] = ndpi_isset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST) ? 'i' : 'd', ja_str_len = 4; + ja_str[3] = ndpi_isset_risk(flow, NDPI_NUMERIC_IP_HOST) ? 'i' : 'd', ja_str_len = 4; /* JA4_a */ rc = ndpi_snprintf(&ja_str[ja_str_len], ja_max_len - ja_str_len, "%02u%02u%c%c_", @@ -1827,7 +1824,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, char unknown_cipher[8]; snprintf(str, sizeof(str), "Cipher %s", ndpi_cipher2str(ja.server.cipher[0], unknown_cipher)); - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_WEAK_CIPHER, str); + ndpi_set_risk(flow, NDPI_TLS_WEAK_CIPHER, str); } flow->protos.tls_quic.server_cipher = ja.server.cipher[0]; 
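Review bot: In ndpi_compute_ja4 (hunk at -1680), the fourth JA4 character is taken from the `NDPI_NUMERIC_IP_HOST` risk bit rather than from the ClientHello, so the fingerprint depends on risk state that other code changes: the hunk at -737 unsets that bit, and the hunk at -2280 sets it only when `subprotocol_detected == 0`. A ClientHello with no SNI at all would presumably get `'d'` here, which as far as I know differs from the published JA4 definition (marker based on SNI presence) and would make fingerprints harder to compare with other tools. At minimum the comma expression should be split and the choice documented: `/* SNI marker: derived from the NDPI_NUMERIC_IP_HOST risk, not from SNI presence */`, then `ja_str[3] = ndpi_isset_risk(flow, NDPI_NUMERIC_IP_HOST) ? 'i' : 'd';` and `ja_str_len = 4;`. The function body continues outside the hunk.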
@@ -1916,12 +1913,12 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, s_offset += alpn_len, alpn_str_len += alpn_len;; } else { alpn_str[alpn_str_len] = '\0'; - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_UNCOMMON_ALPN, alpn_str); + ndpi_set_risk(flow, NDPI_TLS_UNCOMMON_ALPN, alpn_str); break; } } else { alpn_str[alpn_str_len] = '\0'; - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_UNCOMMON_ALPN, alpn_str); + ndpi_set_risk(flow, NDPI_TLS_UNCOMMON_ALPN, alpn_str); break; } } /* while */ @@ -1932,7 +1929,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, printf("Server TLS [ALPN: %s][len: %u]\n", alpn_str, alpn_str_len); #endif if(ndpi_normalize_printable_string(alpn_str, alpn_str_len) == 0) - ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, alpn_str); + ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, alpn_str); if(flow->protos.tls_quic.negotiated_alpn == NULL) flow->protos.tls_quic.negotiated_alpn = ndpi_strdup(alpn_str); @@ -2055,7 +2052,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, snprintf(str, sizeof(str), "%s", ndpi_ssl_version2str(buf, sizeof(buf), flow->protos.tls_quic.ssl_version, &unknown_tls_version)); - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_OBSOLETE_VERSION, str); + ndpi_set_risk(flow, NDPI_TLS_OBSOLETE_VERSION, str); } if((session_id_len+base_offset+3) > packet->payload_packet_len) @@ -2264,10 +2261,10 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, printf("[TLS] SNI: [%s]\n", sni); #endif if(ndpi_is_valid_hostname((char *)&packet->payload[offset+extension_offset+5], len) == 0) { - ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, sni); + ndpi_set_risk(flow, NDPI_INVALID_CHARACTERS, sni); /* This looks like an attack */ - ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, NULL); + ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, NULL); } if(!is_quic) { 
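Review bot: In processClientServerHello (hunk at -2264), `NDPI_POSSIBLE_EXPLOIT` is raised with a `NULL` message, so an analyst sees the risk with no hint that it came from an SNI that failed `ndpi_is_valid_hostname()`. Other calls in this diff pass a short reason (`"No ALPN"`, `"Found VNC"`); the equivalent here would be `ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, "Invalid characters in SNI");`. The `sni` string handed to `NDPI_INVALID_CHARACTERS` has just failed validation, so whatever renders risk messages should treat it as untrusted bytes. Whether it is sanitised before this point is not visible in the hunk.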
@@ -2280,7 +2277,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, if((flow->protos.tls_quic.subprotocol_detected == 0) && (check_sni_is_numeric_ip(sni) == 1)) { - ndpi_set_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST, sni); + ndpi_set_risk(flow, NDPI_NUMERIC_IP_HOST, sni); } if(ndpi_check_dga_name(ndpi_struct, flow, sni, 1, 0)) { @@ -2733,8 +2730,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, #ifdef DEBUG_TLS printf("UA [%.*s]\n", (int)param_len, &packet->payload[s_offset]); #endif - http_process_user_agent(ndpi_struct, flow, - &packet->payload[s_offset], param_len); + http_process_user_agent(ndpi_struct, flow, &packet->payload[s_offset], param_len); break; } s_offset += param_len; @@ -2820,12 +2816,12 @@ compute_ja3c: NULL); if(rc1 == 0) - ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_JA3, flow->protos.tls_quic.ja3_client); + ndpi_set_risk(flow, NDPI_MALICIOUS_JA3, flow->protos.tls_quic.ja3_client); } } if(ndpi_struct->cfg.tls_ja4c_fingerprint_enabled) { - ndpi_compute_ja4(ndpi_struct, flow, quic_version, &ja); + ndpi_compute_ja4(flow, quic_version, &ja); } /* End JA3/JA4 */ } @@ -2834,14 +2830,14 @@ compute_ja3c: if((flow->protos.tls_quic.ssl_version >= 0x0303) /* >= TLSv1.2 */ && !(flow->stun.maybe_dtls == 1 && is_dtls && use_srtp) /* Webrtc traffic */ && (flow->protos.tls_quic.advertised_alpns == NULL) /* No ALPN */) { - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_NOT_CARRYING_HTTPS, "No ALPN"); + ndpi_set_risk(flow, NDPI_TLS_NOT_CARRYING_HTTPS, "No ALPN"); } /* Suspicious Domain Fronting: https://github.com/SixGenInc/Noctilucent/blob/master/docs/ */ if(flow->protos.tls_quic.encrypted_sni.esni && flow->host_server_name[0] != '\0') { - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_ESNI_USAGE, "Found ESNI w/o SNI"); + ndpi_set_risk(flow, NDPI_TLS_SUSPICIOUS_ESNI_USAGE, "Found ESNI w/o SNI"); } /* Add check for missing SNI */ 
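Review bot: In the compute_ja3c section (hunk at -2834), the message `"Found ESNI w/o SNI"` contradicts its condition: the risk is set when `encrypted_sni.esni` is present and `flow->host_server_name[0] != '\0'`, i.e. when a host name is also set. If `host_server_name` carries the clear-text SNI here (it is compared with certificate names in the hunk at -712, but where it is filled is not visible), the domain-fronting comment above fits the condition and the string is the part that is wrong. I would change the call to `ndpi_set_risk(flow, NDPI_TLS_SUSPICIOUS_ESNI_USAGE, "Found ESNI together with SNI");` so the alert text matches what was observed.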
@@ -2851,7 +2847,7 @@ compute_ja3c: && (flow->protos.tls_quic.encrypted_sni.esni == NULL) /* No ESNI */ ) { /* This is a bit suspicious */ - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_MISSING_SNI, NULL); + ndpi_set_risk(flow, NDPI_TLS_MISSING_SNI, NULL); if(flow->protos.tls_quic.advertised_alpns != NULL) { char buf[256], *tmp, *item; @@ -2863,7 +2859,7 @@ compute_ja3c: while(item != NULL) { if(item[0] == 'h') { /* Example 'h2' */ - ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_ALPN_SNI_MISMATCH, NULL); + ndpi_set_risk(flow, NDPI_TLS_ALPN_SNI_MISMATCH, NULL); break; } else item = strtok_r(NULL, ",", &tmp); diff --git a/src/lib/protocols/vnc.c b/src/lib/protocols/vnc.c index 52c644224..33010046e 100644 --- a/src/lib/protocols/vnc.c +++ b/src/lib/protocols/vnc.c @@ -52,7 +52,7 @@ static void ndpi_search_vnc_tcp(struct ndpi_detection_module_struct *ndpi_struct ((memcmp(packet->payload, "RFB 004.", 7) == 0) && (packet->payload[11] == 0x0a)))) { NDPI_LOG_INFO(ndpi_struct, "found vnc\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VNC, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found VNC"); /* Remote assistance */ + ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found VNC"); /* Remote assistance */ return; } } diff --git a/src/lib/protocols/z3950.c b/src/lib/protocols/z3950.c index 1d1028f4e..96ae80560 100644 --- a/src/lib/protocols/z3950.c +++ b/src/lib/protocols/z3950.c @@ -35,7 +35,6 @@ static void ndpi_int_z3950_add_connection(struct ndpi_detection_module_struct *n /* ***************************************************************** */ static int z3950_parse_sequences(struct ndpi_packet_struct const * const packet, - struct ndpi_flow_struct *flow, int max_sequences) { size_t payload_offset = 2; int cur_sequences = 0; 
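Review bot: In ndpi_search_vnc_tcp (vnc.c hunk at -52), `memcmp(packet->payload, "RFB 004.", 7)` compares seven bytes against an eight-character literal, so the trailing `.` is never checked. Either drop the dot from the literal or compare all eight bytes, `(memcmp(packet->payload, "RFB 004.", 8) == 0)`, whichever matches the intended banner check. The same condition reads `packet->payload[11]`; the length check that makes that read safe is outside the hunk, as is the start of the function.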
@@ -92,7 +91,7 @@ static void ndpi_search_z3950(struct ndpi_detection_module_struct *ndpi_struct, if(packet->tcp != NULL && packet->payload_packet_len >= 6 && flow->packet_counter >= 1 && flow->packet_counter <= 8) { - int ret = z3950_parse_sequences(packet, flow, minimum_expected_sequences); + int ret = z3950_parse_sequences(packet, minimum_expected_sequences); if(ret < 0) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); diff --git a/src/lib/protocols/zattoo.c b/src/lib/protocols/zattoo.c index 66743aeec..aba720243 100644 --- a/src/lib/protocols/zattoo.c +++ b/src/lib/protocols/zattoo.c @@ -34,7 +34,7 @@ __mingw_forceinline static #else __forceinline static #endif -u_int8_t ndpi_int_zattoo_user_agent_set(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) +u_int8_t ndpi_int_zattoo_user_agent_set(struct ndpi_detection_module_struct *ndpi_struct) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; @@ -90,7 +90,7 @@ static void ndpi_search_zattoo(struct ndpi_detection_module_struct *ndpi_struct, * that might be changed later */ ndpi_parse_packet_line_info(ndpi_struct, flow); - if(ndpi_int_zattoo_user_agent_set(ndpi_struct, flow)) { + if(ndpi_int_zattoo_user_agent_set(ndpi_struct)) { NDPI_LOG_INFO(ndpi_struct, "found zattoo. add connection over tcp with pattern GET / or POST /\n"); ZATTOO_DETECTED; |