authorLuca Deri <deri@ntop.org>2021-03-03 00:41:07 +0100
committerLuca Deri <deri@ntop.org>2021-03-03 00:41:07 +0100
commit56bfb439f85b3e4054bd7c6b849a6e06e5c2ac27 (patch)
tree6c7e2066917acc1c2a313321c7c7be3043df195f /src/lib/protocols
parent4c00ff89dfa64f1026c2f1d267dc081a86b45243 (diff)
Improved DGA detection with trigrams. Disadvantage: slower startup time
Reworked Tor dissector embedded in TLS (fixes #1141). Removed false positive on HTTP User-Agent.
Diffstat (limited to 'src/lib/protocols')
-rw-r--r--src/lib/protocols/dns.c8
-rw-r--r--src/lib/protocols/http.c42
-rw-r--r--src/lib/protocols/quic.c2
-rw-r--r--src/lib/protocols/smb.c2
-rw-r--r--src/lib/protocols/ssh.c2
-rw-r--r--src/lib/protocols/tls.c49
-rw-r--r--src/lib/protocols/tor.c106
7 files changed, 62 insertions, 149 deletions
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index abfc6aae8..27ef7c35f 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -89,7 +89,7 @@ static void ndpi_check_dns_type(struct ndpi_detection_module_struct *ndpi_struct
case 106:
case 107:
case 259:
- NDPI_SET_BIT(flow->risk, NDPI_DNS_SUSPICIOUS_TRAFFIC);
+ ndpi_set_risk(flow, NDPI_DNS_SUSPICIOUS_TRAFFIC);
break;
}
}
@@ -194,7 +194,7 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct,
else if((dns_header->flags & FLAGS_MASK) == 0x8000)
*is_query = 0;
else {
- NDPI_SET_BIT(flow->risk, NDPI_MALFORMED_PACKET);
+ ndpi_set_risk(flow, NDPI_MALFORMED_PACKET);
return(1 /* invalid */);
}
@@ -219,7 +219,7 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct,
x++;
}
} else {
- NDPI_SET_BIT(flow->risk, NDPI_MALFORMED_PACKET);
+ ndpi_set_risk(flow, NDPI_MALFORMED_PACKET);
return(1 /* invalid */);
}
} else {
@@ -408,7 +408,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st
#ifdef DNS_DEBUG
printf("[DNS] Invalid query len [%u >= %u]\n", i+4, flow->packet.payload_packet_len);
#endif
- NDPI_SET_BIT(flow->risk, NDPI_MALFORMED_PACKET);
+ ndpi_set_risk(flow, NDPI_MALFORMED_PACKET);
break;
} else
idx += tot_len+4, num_queries++;
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 07b777863..c941fe145 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -51,23 +51,23 @@ static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struc
static void ndpi_analyze_content_signature(struct ndpi_flow_struct *flow) {
if((flow->initial_binary_bytes_len >= 2) && (flow->initial_binary_bytes[0] == 0x4D) && (flow->initial_binary_bytes[1] == 0x5A))
- NDPI_SET_BIT(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER); /* Win executable */
+ ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER); /* Win executable */
else if((flow->initial_binary_bytes_len >= 4) && (flow->initial_binary_bytes[0] == 0x7F) && (flow->initial_binary_bytes[1] == 'E')
&& (flow->initial_binary_bytes[2] == 'L') && (flow->initial_binary_bytes[3] == 'F'))
- NDPI_SET_BIT(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER); /* Linux executable */
+ ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER); /* Linux executable */
else if((flow->initial_binary_bytes_len >= 4) && (flow->initial_binary_bytes[0] == 0xCF) && (flow->initial_binary_bytes[1] == 0xFA)
&& (flow->initial_binary_bytes[2] == 0xED) && (flow->initial_binary_bytes[3] == 0xFE))
- NDPI_SET_BIT(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER); /* Linux executable */
+ ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER); /* Linux executable */
else if((flow->initial_binary_bytes_len >= 3)
&& (flow->initial_binary_bytes[0] == '#')
&& (flow->initial_binary_bytes[1] == '!')
&& (flow->initial_binary_bytes[2] == '/'))
- NDPI_SET_BIT(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER); /* Unix script (e.g. #!/bin/sh) */
+ ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER); /* Unix script (e.g. #!/bin/sh) */
else if(flow->initial_binary_bytes_len >= 8) {
u_int8_t exec_pattern[] = { 0x64, 0x65, 0x78, 0x0A, 0x30, 0x33, 0x35, 0x00 };
if(memcmp(flow->initial_binary_bytes, exec_pattern, 8) == 0)
- NDPI_SET_BIT(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER); /* Dalvik Executable (Android) */
+ ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER); /* Dalvik Executable (Android) */
}
}
@@ -128,7 +128,7 @@ static void ndpi_http_check_human_redeable_content(struct ndpi_detection_module_
&& (content[3] == 0x00)) {
/* Looks like compressed data */
} else
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_CONTENT);
+ ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_CONTENT);
}
}
}
@@ -220,7 +220,7 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
for(i = 0; cmp_mimes[i] != NULL; i++) {
if(strncasecmp(app, cmp_mimes[i], app_len_avail) == 0) {
flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
- NDPI_SET_BIT(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER);
+ ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER);
NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer");
return(flow->category);
}
@@ -248,7 +248,7 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
if(memcmp((const char*)&packet->content_disposition_line.ptr[attachment_len],
binary_file_ext[i], ATTACHMENT_LEN) == 0) {
flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
- NDPI_SET_BIT(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER);
+ ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER);
NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer");
return(flow->category);
}
@@ -367,10 +367,10 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru
|| (!strncmp(ua, "<?", 2))
|| strchr(ua, '{')
|| strchr(ua, '}')
- || ndpi_check_dga_name(ndpi_struct, NULL, ua, 0)
+ // || ndpi_check_dga_name(ndpi_struct, NULL, ua, 0)
// || ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, ua)
) {
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_USER_AGENT);
+ ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT);
}
}
@@ -470,7 +470,7 @@ static void ndpi_check_numeric_ip(struct ndpi_detection_module_struct *ndpi_stru
ip_addr.s_addr = inet_addr(buf);
if(strcmp(inet_ntoa(ip_addr), buf) == 0)
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_NUMERIC_IP_HOST);
+ ndpi_set_risk(flow, NDPI_HTTP_NUMERIC_IP_HOST);
}
/* ************************************************************* */
@@ -781,55 +781,55 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str
switch(packet->line[i].ptr[0]){
case 'A':
if(is_a_suspicious_header(suspicious_http_header_keys_A, packet->line[i])) {
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER);
return;
}
break;
case 'C':
if(is_a_suspicious_header(suspicious_http_header_keys_C, packet->line[i])) {
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER);
return;
}
break;
case 'M':
if(is_a_suspicious_header(suspicious_http_header_keys_M, packet->line[i])) {
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER);
return;
}
break;
case 'O':
if(is_a_suspicious_header(suspicious_http_header_keys_O, packet->line[i])) {
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER);
return;
}
break;
case 'R':
if(is_a_suspicious_header(suspicious_http_header_keys_R, packet->line[i])) {
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER);
return;
}
break;
case 'S':
if(is_a_suspicious_header(suspicious_http_header_keys_S, packet->line[i])) {
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER);
return;
}
break;
case 'T':
if(is_a_suspicious_header(suspicious_http_header_keys_T, packet->line[i])) {
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER);
return;
}
break;
case 'U':
if(is_a_suspicious_header(suspicious_http_header_keys_U, packet->line[i])) {
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER);
return;
}
break;
case 'X':
if(is_a_suspicious_header(suspicious_http_header_keys_X, packet->line[i])) {
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER);
return;
}
@@ -1151,7 +1151,7 @@ static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struc
ndpi_http_method ndpi_get_http_method(struct ndpi_detection_module_struct *ndpi_mod,
struct ndpi_flow_struct *flow) {
if(!flow) {
- NDPI_SET_BIT(flow->risk, NDPI_MALFORMED_PACKET);
+ ndpi_set_risk(flow, NDPI_MALFORMED_PACKET);
return(NDPI_HTTP_METHOD_UNKNOWN);
} else
return(flow->http.method);
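Review bot: In the `if(!flow)` branch of ndpi_get_http_method, `ndpi_set_risk(flow, NDPI_MALFORMED_PACKET)` is now called with `flow` known to be NULL, so there is no flow on which the risk could be recorded and, unless ndpi_set_risk itself guards against NULL (not visible in this diff), the call dereferences it just as the old `flow->risk` did. The branch should simply return: `if(!flow) return(NDPI_HTTP_METHOD_UNKNOWN);`. Separately, the hunk at -367 keeps the dropped User-Agent DGA check as commented-out code next to an already commented-out bigram check; deleting the lines (history lives in git) or replacing them with a one-line comment such as `/* DGA check on User-Agent removed: too many false positives */` would be clearer.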
diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
index 655d90aa5..dd3493064 100644
--- a/src/lib/protocols/quic.c
+++ b/src/lib/protocols/quic.c
@@ -1283,7 +1283,7 @@ static void process_chlo(struct ndpi_detection_module_struct *ndpi_struct,
/* Add check for missing SNI */
if(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] == '\0') {
/* This is a bit suspicious */
- NDPI_SET_BIT(flow->risk, NDPI_TLS_MISSING_SNI);
+ ndpi_set_risk(flow, NDPI_TLS_MISSING_SNI);
}
}
diff --git a/src/lib/protocols/smb.c b/src/lib/protocols/smb.c
index 9f8364ec1..ec301c504 100644
--- a/src/lib/protocols/smb.c
+++ b/src/lib/protocols/smb.c
@@ -46,7 +46,7 @@ void ndpi_search_smb_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
if(memcmp(&packet->payload[4], smbv1, sizeof(smbv1)) == 0) {
if(packet->payload[8] != 0x72) /* Skip Negotiate request */ {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV1, NDPI_PROTOCOL_NETBIOS);
- NDPI_SET_BIT(flow->risk, NDPI_SMB_INSECURE_VERSION);
+ ndpi_set_risk(flow, NDPI_SMB_INSECURE_VERSION);
}
} else
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV23, NDPI_PROTOCOL_NETBIOS);
diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c
index 95120cfa3..8ca70e62d 100644
--- a/src/lib/protocols/ssh.c
+++ b/src/lib/protocols/ssh.c
@@ -175,7 +175,7 @@ static void ssh_analyse_cipher(struct ndpi_detection_module_struct *ndpi_struct,
}
if(found_obsolete_cipher) {
- NDPI_SET_BIT(flow->risk, (is_client_signature ? NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER : NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER));
+ ndpi_set_risk(flow, (is_client_signature ? NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER : NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER));
}
ndpi_free(cipher_copy);
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index f9d96f55c..8597f05bb 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -417,7 +417,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
if((time_sec < flow->protos.tls_quic_stun.tls_quic.notBefore)
|| (time_sec > flow->protos.tls_quic_stun.tls_quic.notAfter))
- NDPI_SET_BIT(flow->risk, NDPI_TLS_CERTIFICATE_EXPIRED); /* Certificate expired */
+ ndpi_set_risk(flow, NDPI_TLS_CERTIFICATE_EXPIRED); /* Certificate expired */
}
}
}
@@ -509,7 +509,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
} /* while */
if(!matched_name)
- NDPI_SET_BIT(flow->risk, NDPI_TLS_CERTIFICATE_MISMATCH); /* Certificate mismatch */
+ ndpi_set_risk(flow, NDPI_TLS_CERTIFICATE_MISMATCH); /* Certificate mismatch */
}
}
}
@@ -533,7 +533,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
if(flow->protos.tls_quic_stun.tls_quic.subjectDN && flow->protos.tls_quic_stun.tls_quic.issuerDN
&& (!strcmp(flow->protos.tls_quic_stun.tls_quic.subjectDN, flow->protos.tls_quic_stun.tls_quic.issuerDN)))
- NDPI_SET_BIT(flow->risk, NDPI_TLS_SELFSIGNED_CERTIFICATE);
+ ndpi_set_risk(flow, NDPI_TLS_SELFSIGNED_CERTIFICATE);
#if DEBUG_TLS
printf("[TLS] %s() SubjectDN [%s]\n", __FUNCTION__, rdnSeqBuf);
@@ -561,7 +561,7 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct,
#endif
if((packet->payload_packet_len != (length + 4 + (is_dtls ? 8 : 0))) || (packet->payload[1] != 0x0)) {
- NDPI_SET_BIT(flow->risk, NDPI_MALFORMED_PACKET);
+ ndpi_set_risk(flow, NDPI_MALFORMED_PACKET);
return(-1); /* Invalid length */
}
@@ -570,7 +570,7 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct,
packet->payload[certificates_offset - 1];
if((packet->payload[certificates_offset - 3] != 0x0) || ((certificates_length+3) != length)) {
- NDPI_SET_BIT(flow->risk, NDPI_MALFORMED_PACKET);
+ ndpi_set_risk(flow, NDPI_MALFORMED_PACKET);
return(-2); /* Invalid length */
}
@@ -644,7 +644,7 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct,
u_int16_t rc1 = ndpi_match_string(ndpi_struct->malicious_sha1_automa.ac_automa, sha1_str);
if(rc1 > 0)
- NDPI_SET_BIT(flow->risk, NDPI_MALICIOUS_SHA1);
+ ndpi_set_risk(flow, NDPI_MALICIOUS_SHA1);
}
processCertificateElements(ndpi_struct, flow, certificates_offset, certificate_len);
@@ -1065,7 +1065,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
tls_version = ntohs(*((u_int16_t*)&packet->payload[version_offset]));
flow->protos.tls_quic_stun.tls_quic.ssl_version = ja3.tls_handshake_version = tls_version;
if(flow->protos.tls_quic_stun.tls_quic.ssl_version < 0x0302) /* TLSv1.1 */
- NDPI_SET_BIT(flow->risk, NDPI_TLS_OBSOLETE_VERSION);
+ ndpi_set_risk(flow, NDPI_TLS_OBSOLETE_VERSION);
if(handshake_type == 0x02 /* Server Hello */) {
int i, rc;
@@ -1090,7 +1090,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
ja3.num_cipher = 1, ja3.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset]));
if((flow->protos.tls_quic_stun.tls_quic.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.cipher[0])) == 1)
- NDPI_SET_BIT(flow->risk, NDPI_TLS_WEAK_CIPHER);
+ ndpi_set_risk(flow, NDPI_TLS_WEAK_CIPHER);
flow->protos.tls_quic_stun.tls_quic.server_cipher = ja3.cipher[0];
@@ -1324,9 +1324,28 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUIC, buffer, strlen(buffer)))
flow->l4.tcp.tls.subprotocol_detected = 1;
}
-
- ndpi_check_dga_name(ndpi_struct, flow,
- flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, 1);
+
+ if(ndpi_check_dga_name(ndpi_struct, flow,
+ flow->protos.tls_quic_stun.tls_quic.client_requested_server_name, 1)) {
+ char *sni = flow->protos.tls_quic_stun.tls_quic.client_requested_server_name;
+ int len = strlen(sni);
+
+#ifdef DEBUG_TLS
+ printf("[TLS] SNI: (DGA) [%s]\n", flow->protos.tls_quic_stun.tls_quic.client_requested_server_name);
+#endif
+
+ if((len >= 4)
+ && strcmp(&sni[len-4], ".com") /* Check if it ends in .com or .net */
+ && strcmp(&sni[len-4], ".net")
+ && strncmp(sni, "www.", 4)) /* Not starting with www.... */
+ ;
+ else
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR, NDPI_PROTOCOL_TLS);
+ } else {
+#ifdef DEBUG_TLS
+ printf("[TLS] SNI: (NO DGA) [%s]\n", flow->protos.tls_quic_stun.tls_quic.client_requested_server_name);
+#endif
+ }
} else {
#ifdef DEBUG_TLS
printf("[TLS] Extensions server len too short: %u vs %u\n",
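Review bot: The predicate guarding the Tor classification in this hunk is an empty-then/else inversion (`if((len >= 4) && strcmp(...".com") && strcmp(...".net") && strncmp(sni, "www.", 4)) ; else ndpi_set_detected_protocol(... NDPI_PROTOCOL_TOR ...)`), so a DGA-looking SNI is labelled Tor when it merely ends in .com, or merely ends in .net, or merely starts with www., or is shorter than four characters. The deleted tor.c required the .com/.net suffix and the www. prefix together and ran the DGA check on the label between them rather than on the whole SNI; if that loosening is not intended, any DGA-looking .com SNI is now reported as Tor-over-TLS instead of carrying only the DGA risk, and the condition should be written positively and conjunctively as below. `len` should also be `size_t`, since strlen returns one and the value is used in `&sni[len-4]`. processClientServerHello starts and ends outside this hunk.
```c
      char *sni = flow->protos.tls_quic_stun.tls_quic.client_requested_server_name;
      size_t len = strlen(sni);
      /* … unchanged: DEBUG_TLS "SNI: (DGA)" print … */
      /* Tor-over-TLS SNIs look like www.<random>.com|.net: require suffix AND prefix, as tor.c did */
      int com_or_net = (len >= 4) && (!strcmp(&sni[len-4], ".com") || !strcmp(&sni[len-4], ".net"));
      if(com_or_net && !strncmp(sni, "www.", 4))
        ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR, NDPI_PROTOCOL_TLS);
```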
@@ -1661,21 +1680,21 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
flow->protos.tls_quic_stun.tls_quic.ja3_client);
if(rc1 > 0)
- NDPI_SET_BIT(flow->risk, NDPI_MALICIOUS_JA3);
+ ndpi_set_risk(flow, NDPI_MALICIOUS_JA3);
}
}
/* Before returning to the caller we need to make a final check */
if((flow->protos.tls_quic_stun.tls_quic.ssl_version >= 0x0303) /* >= TLSv1.2 */
&& (flow->protos.tls_quic_stun.tls_quic.alpn == NULL) /* No ALPN */) {
- NDPI_SET_BIT(flow->risk, NDPI_TLS_NOT_CARRYING_HTTPS);
+ ndpi_set_risk(flow, NDPI_TLS_NOT_CARRYING_HTTPS);
}
/* Suspicious Domain Fronting:
https://github.com/SixGenInc/Noctilucent/blob/master/docs/ */
if(flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni &&
flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] != '\0') {
- NDPI_SET_BIT(flow->risk, NDPI_TLS_SUSPICIOUS_ESNI_USAGE);
+ ndpi_set_risk(flow, NDPI_TLS_SUSPICIOUS_ESNI_USAGE);
}
/* Add check for missing SNI */
@@ -1684,7 +1703,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
&& (flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni == NULL) /* No ESNI */
) {
/* This is a bit suspicious */
- NDPI_SET_BIT(flow->risk, NDPI_TLS_MISSING_SNI);
+ ndpi_set_risk(flow, NDPI_TLS_MISSING_SNI);
}
return(2 /* Client Certificate */);
diff --git a/src/lib/protocols/tor.c b/src/lib/protocols/tor.c
deleted file mode 100644
index 71172e211..000000000
--- a/src/lib/protocols/tor.c
+++ /dev/null
@@ -1,106 +0,0 @@
-/*
- * tor.c
- *
- * Copyright (C) 2016-18 ntop.org
- * Copyright (C) 2013 Remy Mudingay <mudingay@ill.fr>
- *
- */
-#include "ndpi_protocol_ids.h"
-
-#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TOR
-
-#include "ndpi_api.h"
-
-
-static void ndpi_int_tor_add_connection(struct ndpi_detection_module_struct
- *ndpi_struct, struct ndpi_flow_struct *flow) {
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR, NDPI_PROTOCOL_UNKNOWN);
-}
-
-
-int ndpi_is_tls_tor(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow, char *certificate) {
- int len;
- char dummy[48], *dot, *name;
-
- if((certificate == NULL) || (certificate[0] == '\0'))
- return(0);
- else
- len = strlen(certificate);
-
- /* Check if it ends in .com or .net */
- if(len>=4 && strcmp(&certificate[len-4], ".com") && strcmp(&certificate[len-4], ".net"))
- return(0);
-
- if((len < 6)
- || (!strncmp(certificate, "*.", 2)) /* Wildcard certificate */
- || (strncmp(certificate, "www.", 4)) /* Not starting with www.... */
- )
- return(0);
-
- // printf("***** [SSL] %s(): %s\n", __FUNCTION__, certificate);
-
- snprintf(dummy, sizeof(dummy), "%s", certificate);
-
- if((dot = strrchr(dummy, '.')) == NULL) return(0);
- dot[0] = '\0';
-
- if((dot = strrchr(dummy, '.')) == NULL) return(0);
- name = &dot[1];
-
- if(ndpi_check_dga_name(ndpi_struct, flow, name, 1)) {
- ndpi_int_tor_add_connection(ndpi_struct, flow);
- return(1);
- } else {
-#ifdef PEDANTIC_TOR_CHECK
- if(gethostbyname(certificate) == NULL) {
- ndpi_int_tor_add_connection(ndpi_struct, flow);
- return(1);
- }
-#endif
- }
-
- return(0);
-}
-
-/* ******************************************* */
-
-void ndpi_search_tor(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
- struct ndpi_packet_struct *packet = &flow->packet;
-
- NDPI_LOG_DBG(ndpi_struct, "search for TOR\n");
-
- if((packet->tcp != NULL)
- && (!packet->tls_certificate_detected)) {
- u_int16_t dport, sport;
-
- sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest);
- NDPI_LOG_DBG2(ndpi_struct, "calculating TOR over tcp\n");
-
- if ((((dport == 9001) || (sport == 9001)) || ((dport == 9030) || (sport == 9030)))
- && ((packet->payload[0] == 0x17) || (packet->payload[0] == 0x16))
- && (packet->payload[1] == 0x03)
- && (packet->payload[2] == 0x01)
- && (packet->payload[3] == 0x00)) {
- NDPI_LOG_INFO(ndpi_struct, "found tor\n");
- ndpi_int_tor_add_connection(ndpi_struct, flow);
- }
- } else {
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- }
-}
-
-
-void init_tor_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
-{
- ndpi_set_bitmask_protocol_detection("Tor", ndpi_struct, detection_bitmask, *id,
- NDPI_PROTOCOL_TOR,
- ndpi_search_tor,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
- SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
-
- *id += 1;
-}
-