author | Luca Deri <deri@ntop.org> | 2021-07-23 17:26:56 +0200 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2021-07-23 17:27:15 +0200 |
commit | 61fc5be202f05113de07c063fa3fc9ccc47625d8 (patch) | |
tree | e7cb3b63e579a5f7c072de7c8836bd3aace04b33 /src/lib/protocols | |
parent | 4ffe1eb3c00d59fe746f4668ec9c6b3726848fce (diff) |
Reworked flow risk implementation
Diffstat (limited to 'src/lib/protocols')
-rw-r--r-- | src/lib/protocols/dns.c | 8 | ||||
-rw-r--r-- | src/lib/protocols/http.c | 51 | ||||
-rw-r--r-- | src/lib/protocols/quic.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/rdp.c | 11 | ||||
-rw-r--r-- | src/lib/protocols/rtp.c | 9 | ||||
-rw-r--r-- | src/lib/protocols/smb.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/ssh.c | 3 | ||||
-rw-r--r-- | src/lib/protocols/teamviewer.c | 4 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 61 | ||||
-rw-r--r-- | src/lib/protocols/vnc.c | 2 |
10 files changed, 81 insertions, 72 deletions
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 07d129ea1..5e1f100cc 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -89,7 +89,7 @@ static void ndpi_check_dns_type(struct ndpi_detection_module_struct *ndpi_struct
 case 106:
 case 107:
 case 259:
- ndpi_set_risk(flow, NDPI_DNS_SUSPICIOUS_TRAFFIC);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_SUSPICIOUS_TRAFFIC);
 break;
 }
 }
@@ -194,7 +194,7 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct,
 else if((dns_header->flags & FLAGS_MASK) == 0x8000)
 *is_query = 0;
 else {
- ndpi_set_risk(flow, NDPI_MALFORMED_PACKET);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET);
 return(1 /* invalid */);
 }
@@ -219,7 +219,7 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct,
 x++;
 }
 } else {
- ndpi_set_risk(flow, NDPI_MALFORMED_PACKET);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET);
 return(1 /* invalid */);
 }
 } else {
@@ -419,7 +419,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st
 #ifdef DNS_DEBUG
 printf("[DNS] Invalid query len [%u >= %u]\n", i+4, flow->packet.payload_packet_len);
 #endif
- ndpi_set_risk(flow, NDPI_MALFORMED_PACKET);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET);
 break;
 } else {
 idx = i+5, num_queries++;
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 15cef3184..647bd6c2b 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -48,25 +48,26 @@ static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struc /* *********************************************** */ -static void ndpi_analyze_content_signature(struct ndpi_flow_struct *flow) { +static void ndpi_analyze_content_signature(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { if((flow->initial_binary_bytes_len >= 2) && (flow->initial_binary_bytes[0] == 0x4D) && (flow->initial_binary_bytes[1] == 0x5A)) - ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER); /* Win executable */ + ndpi_set_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER); /* Win executable */ else if((flow->initial_binary_bytes_len >= 4) && (flow->initial_binary_bytes[0] == 0x7F) && (flow->initial_binary_bytes[1] == 'E') && (flow->initial_binary_bytes[2] == 'L') && (flow->initial_binary_bytes[3] == 'F')) - ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER); /* Linux executable */ + ndpi_set_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER); /* Linux executable */ else if((flow->initial_binary_bytes_len >= 4) && (flow->initial_binary_bytes[0] == 0xCF) && (flow->initial_binary_bytes[1] == 0xFA) && (flow->initial_binary_bytes[2] == 0xED) && (flow->initial_binary_bytes[3] == 0xFE)) - ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER); /* Linux executable */ + ndpi_set_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER); /* Linux executable */ else if((flow->initial_binary_bytes_len >= 3) && (flow->initial_binary_bytes[0] == '#') && (flow->initial_binary_bytes[1] == '!') && (flow->initial_binary_bytes[2] == '/')) - ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER); /* Unix script (e.g. #!/bin/sh) */ + ndpi_set_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER); /* Unix script (e.g. 
#!/bin/sh) */ else if(flow->initial_binary_bytes_len >= 8) { u_int8_t exec_pattern[] = { 0x64, 0x65, 0x78, 0x0A, 0x30, 0x33, 0x35, 0x00 }; if(memcmp(flow->initial_binary_bytes, exec_pattern, 8) == 0) - ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER); /* Dalvik Executable (Android) */ + ndpi_set_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER); /* Dalvik Executable (Android) */ } } @@ -86,7 +87,7 @@ static int ndpi_search_http_tcp_again(struct ndpi_detection_module_struct *ndpi_ ) { /* stop extra processing */ - if(flow->initial_binary_bytes_len) ndpi_analyze_content_signature(flow); + if(flow->initial_binary_bytes_len) ndpi_analyze_content_signature(ndpi_struct, flow); flow->extra_packets_func = NULL; /* We're good now */ return(0); } @@ -127,7 +128,7 @@ static void ndpi_http_check_human_redeable_content(struct ndpi_detection_module_ && (content[3] == 0x00)) { /* Looks like compressed data */ } else - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_CONTENT); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_CONTENT); } } } @@ -219,7 +220,7 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo for(i = 0; cmp_mimes[i] != NULL; i++) { if(strncasecmp(app, cmp_mimes[i], app_len_avail) == 0) { flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT; - ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER); + ndpi_set_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER); NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer"); return(flow->category); } 
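Review bot: The comment on the third branch of ndpi_analyze_content_signature labels the 0xCF 0xFA 0xED 0xFE signature `/* Linux executable */`, but those are the little-endian bytes of the 64-bit Mach-O magic (0xFEEDFACF), i.e. a macOS/iOS binary; the ELF branch just above is the Linux one. Since the commit rewrites that line anyway, it should read `ndpi_set_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER); /* Mach-O 64-bit executable (macOS) */`. The 32-bit magic (0xFEEDFACE) and the fat/universal header (0xCAFEBABE) are not matched by this function, which deserves a one-line comment so a reader does not assume every Mach-O variant raises the risk. The function starts in this hunk and its remaining branches run to the hunk's end.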
@@ -247,7 +248,7 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo if(memcmp((const char*)&packet->content_disposition_line.ptr[attachment_len], binary_file_ext[i], ATTACHMENT_LEN) == 0) { flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT; - ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER); + ndpi_set_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER); NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer"); return(flow->category); } @@ -376,7 +377,7 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru // || ndpi_check_dga_name(ndpi_struct, NULL, ua, 0) // || ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, ua) ) { - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT); } } @@ -476,7 +477,7 @@ static void ndpi_check_numeric_ip(struct ndpi_detection_module_struct *ndpi_stru ip_addr.s_addr = inet_addr(buf); if(strcmp(inet_ntoa(ip_addr), buf) == 0) - ndpi_set_risk(flow, NDPI_HTTP_NUMERIC_IP_HOST); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_NUMERIC_IP_HOST); } /* ************************************************************* */ 
@@ -788,55 +789,55 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str switch(packet->line[i].ptr[0]){ case 'A': if(is_a_suspicious_header(suspicious_http_header_keys_A, packet->line[i])) { - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER); return; } break; case 'C': if(is_a_suspicious_header(suspicious_http_header_keys_C, packet->line[i])) { - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER); return; } break; case 'M': if(is_a_suspicious_header(suspicious_http_header_keys_M, packet->line[i])) { - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER); return; } break; case 'O': if(is_a_suspicious_header(suspicious_http_header_keys_O, packet->line[i])) { - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER); return; } break; case 'R': if(is_a_suspicious_header(suspicious_http_header_keys_R, packet->line[i])) { - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER); return; } break; case 'S': if(is_a_suspicious_header(suspicious_http_header_keys_S, packet->line[i])) { - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER); return; } break; case 'T': if(is_a_suspicious_header(suspicious_http_header_keys_T, packet->line[i])) { - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER); return; } break; case 'U': if(is_a_suspicious_header(suspicious_http_header_keys_U, packet->line[i])) { - ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER); return; } break; case 'X': if(is_a_suspicious_header(suspicious_http_header_keys_X, packet->line[i])) { - 
ndpi_set_risk(flow, NDPI_HTTP_SUSPICIOUS_HEADER); + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER); return; } @@ -1166,10 +1167,10 @@ static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struc /* ********************************* */ -ndpi_http_method ndpi_get_http_method(struct ndpi_detection_module_struct *ndpi_mod, +ndpi_http_method ndpi_get_http_method(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { if(!flow) { - ndpi_set_risk(flow, NDPI_MALFORMED_PACKET); + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET); return(NDPI_HTTP_METHOD_UNKNOWN); } else return(flow->http.method); @@ -1177,7 +1178,7 @@ ndpi_http_method ndpi_get_http_method(struct ndpi_detection_module_struct *ndpi_ /* ********************************* */ -char* ndpi_get_http_url(struct ndpi_detection_module_struct *ndpi_mod, +char* ndpi_get_http_url(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { if((!flow) || (!flow->http.url)) return(""); @@ -1187,7 +1188,7 @@ char* ndpi_get_http_url(struct ndpi_detection_module_struct *ndpi_mod, /* ********************************* */ -char* ndpi_get_http_content_type(struct ndpi_detection_module_struct *ndpi_mod, +char* ndpi_get_http_content_type(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { if((!flow) || (!flow->http.content_type)) return(""); diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c index 8e3c21278..999ea61e5 100644 --- a/src/lib/protocols/quic.c +++ b/src/lib/protocols/quic.c @@ -1400,7 +1400,7 @@ static void process_chlo(struct ndpi_detection_module_struct *ndpi_struct, /* Add check for missing SNI */ if(flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] == '\0') { /* This is a bit suspicious */ - ndpi_set_risk(flow, NDPI_TLS_MISSING_SNI); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_MISSING_SNI); } } 
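Review bot: In ndpi_get_http_method the `if(!flow)` branch now calls `ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET)` with flow known to be NULL; unless ndpi_set_risk itself rejects a NULL flow (not visible here) the risk bit is written through a null pointer, and even if it does, there is no flow for the risk to attach to, so the call is at best a no-op. The branch should simply `return(NDPI_HTTP_METHOD_UNKNOWN);`, which is the shape the `if((!flow) || ...)` guards in ndpi_get_http_url and ndpi_get_http_content_type in the next two hunks already use. The defect predates the commit, but this line is rewritten here, so it is the right place to fix it.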
diff --git a/src/lib/protocols/rdp.c b/src/lib/protocols/rdp.c index 4776ab9c1..e783d7d4e 100644 --- a/src/lib/protocols/rdp.c +++ b/src/lib/protocols/rdp.c @@ -29,14 +29,13 @@ #include "ndpi_api.h" -static void ndpi_int_rdp_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) -{ +static void ndpi_int_rdp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RDP, NDPI_PROTOCOL_UNKNOWN); } -void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ +void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; NDPI_LOG_DBG(ndpi_struct, "search RDP\n"); @@ -49,7 +48,7 @@ void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct, struct nd && get_u_int16_t(packet->payload, 6) == 0 && get_u_int16_t(packet->payload, 8) == 0 && get_u_int8_t(packet->payload, 10) == 0) { NDPI_LOG_INFO(ndpi_struct, "found RDP\n"); ndpi_int_rdp_add_connection(ndpi_struct, flow); - ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance */ + ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance */ return; } diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c index b2998bb2a..111c57737 100644 --- a/src/lib/protocols/rtp.c +++ b/src/lib/protocols/rtp.c 
@@ -77,10 +77,15 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, const u_int8_t * payload, const u_int16_t payload_len) { u_int8_t payloadType, payload_type; - + u_int16_t d_port = ntohs(flow->packet.udp->dest); + NDPI_LOG_DBG(ndpi_struct, "search RTP\n"); - if((payload_len < 2) || flow->protos.tls_quic_stun.stun.num_binding_requests) { + if((payload_len < 2) + || (d_port == 5355 /* LLMNR_PORT */) + || (d_port == 5353 /* MDNS_PORT */) + || flow->protos.tls_quic_stun.stun.num_binding_requests + ) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } diff --git a/src/lib/protocols/smb.c b/src/lib/protocols/smb.c index ec301c504..27d13df44 100644 --- a/src/lib/protocols/smb.c +++ b/src/lib/protocols/smb.c @@ -46,7 +46,7 @@ void ndpi_search_smb_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc if(memcmp(&packet->payload[4], smbv1, sizeof(smbv1)) == 0) { if(packet->payload[8] != 0x72) /* Skip Negotiate request */ { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV1, NDPI_PROTOCOL_NETBIOS); - ndpi_set_risk(flow, NDPI_SMB_INSECURE_VERSION); + ndpi_set_risk(ndpi_struct, flow, NDPI_SMB_INSECURE_VERSION); } } else ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV23, NDPI_PROTOCOL_NETBIOS); diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c index 8ca70e62d..6d62c3724 100644 --- a/src/lib/protocols/ssh.c +++ b/src/lib/protocols/ssh.c @@ -175,7 +175,8 @@ static void ssh_analyse_cipher(struct ndpi_detection_module_struct *ndpi_struct, } if(found_obsolete_cipher) { - ndpi_set_risk(flow, (is_client_signature ? NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER : NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER)); + ndpi_set_risk(ndpi_struct, flow, + (is_client_signature ? NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER : NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER)); } ndpi_free(cipher_copy); 
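Review bot: `u_int16_t d_port = ntohs(flow->packet.udp->dest);` dereferences flow->packet.udp unconditionally at the top of ndpi_rtp_search, ahead of the `payload_len < 2` guard that used to be the first check. If this helper is only reachable from a UDP-only caller that is fine, but nothing in the hunk establishes it, so either state the precondition with `/* caller guarantees flow->packet.udp != NULL */` or evaluate the port inside the condition behind a `flow->packet.udp &&` test. The literals 5355 and 5353 are annotated inline; if the code base already defines LLMNR_PORT / MDNS_PORT constants (the comment spelling suggests it), using them would be clearer than commented magic numbers. The function's body continues beyond the hunk.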
diff --git a/src/lib/protocols/teamviewer.c b/src/lib/protocols/teamviewer.c index 97a8b3c1e..d279b1a8a 100644 --- a/src/lib/protocols/teamviewer.c +++ b/src/lib/protocols/teamviewer.c @@ -72,7 +72,7 @@ void ndpi_search_teamview(struct ndpi_detection_module_struct *ndpi_struct, stru if (flow->l4.udp.teamviewer_stage == 4 || packet->udp->dest == ntohs(5938) || packet->udp->source == ntohs(5938)) { ndpi_int_teamview_add_connection(ndpi_struct, flow); - ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance (UDP only) */ + ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance (UDP only) */ } return; } @@ -93,7 +93,7 @@ void ndpi_search_teamview(struct ndpi_detection_module_struct *ndpi_struct, stru flow->l4.udp.teamviewer_stage++; if (flow->l4.udp.teamviewer_stage == 4) { ndpi_int_teamview_add_connection(ndpi_struct, flow); - ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance (UDP only) */ + ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance (UDP only) */ } } return; diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 752c4b780..cec43c890 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -305,7 +305,7 @@ static void checkTLSSubprotocol(struct ndpi_detection_module_struct *ndpi_struct flow->detected_protocol_stack[1] = NDPI_PROTOCOL_TLS; flow->category = ndpi_get_proto_category(ndpi_struct, ret); - ndpi_check_subprotocol_risk(flow, cached_proto); + ndpi_check_subprotocol_risk(ndpi_struct, flow, cached_proto); } } } 
@@ -463,11 +463,11 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi if (flow->protos.tls_quic_stun.tls_quic.notBefore > TLS_LIMIT_DATE) if((flow->protos.tls_quic_stun.tls_quic.notAfter-flow->protos.tls_quic_stun.tls_quic.notBefore) > TLS_THRESHOLD) - ndpi_set_risk(flow, NDPI_TLS_CERT_VALIDITY_TOO_LONG); /* Certificate validity longer than 13 months*/ + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERT_VALIDITY_TOO_LONG); /* Certificate validity longer than 13 months*/ if((time_sec < flow->protos.tls_quic_stun.tls_quic.notBefore) || (time_sec > flow->protos.tls_quic_stun.tls_quic.notAfter)) - ndpi_set_risk(flow, NDPI_TLS_CERTIFICATE_EXPIRED); /* Certificate expired */ + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_EXPIRED); /* Certificate expired */ } } } @@ -516,7 +516,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi #endif if (ndpi_is_printable_string(dNSName, len) == 0) { - ndpi_set_risk(flow, NDPI_TLS_EXTENSION_SUSPICIOUS); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_EXTENSION_SUSPICIOUS); } if(matched_name == 0) { @@ -576,7 +576,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi } /* while */ if(!matched_name) - ndpi_set_risk(flow, NDPI_TLS_CERTIFICATE_MISMATCH); /* Certificate mismatch */ + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_MISMATCH); /* Certificate mismatch */ } } } @@ -601,7 +601,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi flow->detected_protocol_stack[1] = NDPI_PROTOCOL_TLS; flow->category = ndpi_get_proto_category(ndpi_struct, ret); - ndpi_check_subprotocol_risk(flow, proto_id); + ndpi_check_subprotocol_risk(ndpi_struct, flow, proto_id); if(ndpi_struct->tls_cert_cache == NULL) ndpi_struct->tls_cert_cache = ndpi_lru_cache_init(1024); 
@@ -617,7 +617,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi if(flow->protos.tls_quic_stun.tls_quic.subjectDN && flow->protos.tls_quic_stun.tls_quic.issuerDN && (!strcmp(flow->protos.tls_quic_stun.tls_quic.subjectDN, flow->protos.tls_quic_stun.tls_quic.issuerDN))) - ndpi_set_risk(flow, NDPI_TLS_SELFSIGNED_CERTIFICATE); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SELFSIGNED_CERTIFICATE); #if DEBUG_TLS printf("[TLS] %s() SubjectDN [%s]\n", __FUNCTION__, rdnSeqBuf); @@ -645,7 +645,7 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, #endif if((packet->payload_packet_len != (length + 4 + (is_dtls ? 8 : 0))) || (packet->payload[1] != 0x0)) { - ndpi_set_risk(flow, NDPI_MALFORMED_PACKET); + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET); return(-1); /* Invalid length */ } @@ -654,7 +654,7 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, packet->payload[certificates_offset - 1]; if((packet->payload[certificates_offset - 3] != 0x0) || ((certificates_length+3) != length)) { - ndpi_set_risk(flow, NDPI_MALFORMED_PACKET); + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET); return(-2); /* Invalid length */ } @@ -728,7 +728,7 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t rc1 = ndpi_match_string(ndpi_struct->malicious_sha1_automa.ac_automa, sha1_str); if(rc1 > 0) - ndpi_set_risk(flow, NDPI_MALICIOUS_SHA1_CERTIFICATE); + ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_SHA1_CERTIFICATE); } processCertificateElements(ndpi_struct, flow, certificates_offset, certificate_len); 
@@ -1062,8 +1062,9 @@ static void tlsInitExtraPacketProcessing(struct ndpi_detection_module_struct *nd /* **************************************** */ -static void tlsCheckUncommonALPN(struct ndpi_flow_struct *flow) -{ +static void tlsCheckUncommonALPN(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + /* TODO: make search more efficient instead of a linear scan */ /* see: https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */ static char const * const common_alpns[] = { "http/0.9", "http/1.0", "http/1.1", @@ -1114,7 +1115,7 @@ static void tlsCheckUncommonALPN(struct ndpi_flow_struct *flow) #ifdef DEBUG_TLS printf("TLS uncommon ALPN found: %.*s\n", alpn_len, alpn); #endif - ndpi_set_risk(flow, NDPI_TLS_UNCOMMON_ALPN); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_UNCOMMON_ALPN); break; } @@ -1152,7 +1153,8 @@ static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndp /* **************************************** */ -static void checkExtensions(struct ndpi_flow_struct * const flow, int is_dtls, +static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct * const flow, int is_dtls, u_int16_t extension_id, u_int16_t extension_len, u_int16_t extension_payload_offset) { struct ndpi_packet_struct const * const packet = &flow->packet; @@ -1163,7 +1165,7 @@ static void checkExtensions(struct ndpi_flow_struct * const flow, int is_dtls, printf("[TLS] extension length exceeds remaining packet length: %u > %u.\n", extension_len, packet->payload_packet_len - extension_payload_offset); #endif - ndpi_set_risk(flow, NDPI_TLS_EXTENSION_SUSPICIOUS); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_EXTENSION_SUSPICIOUS); return; } 
@@ -1200,7 +1202,7 @@ static void checkExtensions(struct ndpi_flow_struct * const flow, int is_dtls, #ifdef DEBUG_TLS printf("[TLS] suspicious extension id: %u\n", extension_id); #endif - ndpi_set_risk(flow, NDPI_TLS_EXTENSION_SUSPICIOUS); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_EXTENSION_SUSPICIOUS); return; } } @@ -1213,7 +1215,7 @@ static void checkExtensions(struct ndpi_flow_struct * const flow, int is_dtls, #ifdef DEBUG_TLS printf("[TLS] suspicious DTLS-only extension id: %u\n", extension_id); #endif - ndpi_set_risk(flow, NDPI_TLS_EXTENSION_SUSPICIOUS); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_EXTENSION_SUSPICIOUS); return; } } @@ -1295,7 +1297,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, ja3.server.num_cipher = 1, ja3.server.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset])); if((flow->protos.tls_quic_stun.tls_quic.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.server.cipher[0])) == 1) - ndpi_set_risk(flow, NDPI_TLS_WEAK_CIPHER); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_WEAK_CIPHER); flow->protos.tls_quic_stun.tls_quic.server_cipher = ja3.server.cipher[0]; @@ -1330,7 +1332,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, printf("TLS [server][extension_id: %u/0x%04X][len: %u]\n", extension_id, extension_id, extension_len); #endif - checkExtensions(flow, is_dtls, extension_id, extension_len, offset + 4); + checkExtensions(ndpi_struct, flow, is_dtls, extension_id, extension_len, offset + 4); if(extension_id == 43 /* supported versions */) { if(extension_len >= 2) { 
@@ -1375,11 +1377,11 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, s_offset += alpn_len, alpn_str_len += alpn_len;; } else { - ndpi_set_risk(flow, NDPI_TLS_UNCOMMON_ALPN); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_UNCOMMON_ALPN); break; } } else { - ndpi_set_risk(flow, NDPI_TLS_UNCOMMON_ALPN); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_UNCOMMON_ALPN); break; } } /* while */ @@ -1393,7 +1395,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, flow->protos.tls_quic_stun.tls_quic.alpn = ndpi_strdup(alpn_str); if(flow->protos.tls_quic_stun.tls_quic.alpn != NULL) - tlsCheckUncommonALPN(flow); + tlsCheckUncommonALPN(ndpi_struct, flow); snprintf(ja3.server.alpn, sizeof(ja3.server.alpn), "%s", alpn_str); @@ -1495,7 +1497,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, flow->protos.tls_quic_stun.tls_quic.ssl_version = ja3.client.tls_handshake_version = tls_version; if(flow->protos.tls_quic_stun.tls_quic.ssl_version < 0x0302) /* TLSv1.1 */ - ndpi_set_risk(flow, NDPI_TLS_OBSOLETE_VERSION); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_OBSOLETE_VERSION); if((session_id_len+base_offset+3) > packet->payload_packet_len) return(0); /* Not found */ @@ -1661,7 +1663,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, #ifdef DEBUG_TLS printf("Client TLS [extension_id: %u][extension_len: %u]\n", extension_id, extension_len); #endif - checkExtensions(flow, is_dtls, extension_id, extension_len, offset + extension_offset); + checkExtensions(ndpi_struct, flow, is_dtls, + extension_id, extension_len, offset + extension_offset); if((extension_id == 0) || (packet->payload[extn_off] != packet->payload[extn_off+1])) { /* Skip GREASE */ 
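Review bot: In the @@ -1495 hunk, `if(flow->protos.tls_quic_stun.tls_quic.ssl_version < 0x0302) /* TLSv1.1 */` raises NDPI_TLS_OBSOLETE_VERSION only for SSLv3 and TLS 1.0, so TLS 1.1 — deprecated together with TLS 1.0 by RFC 8996 — still passes without the risk. If the intent is to follow that deprecation the comparison should be `< 0x0303 /* TLSv1.2 */`; if TLS 1.1 is deliberately tolerated, the comment should say so rather than only name the boundary version. The condition is context, but the risk call it guards is rewritten in this commit. processClientServerHello continues outside the hunk.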
@@ -1701,7 +1704,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, #endif if (ndpi_is_printable_string(buffer, len) == 0) { - ndpi_set_risk(flow, NDPI_TLS_EXTENSION_SUSPICIOUS); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_EXTENSION_SUSPICIOUS); } if(!is_quic) { @@ -2217,21 +2220,21 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, flow->protos.tls_quic_stun.tls_quic.ja3_client); if(rc1 > 0) - ndpi_set_risk(flow, NDPI_MALICIOUS_JA3); + ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_JA3); } } /* Before returning to the caller we need to make a final check */ if((flow->protos.tls_quic_stun.tls_quic.ssl_version >= 0x0303) /* >= TLSv1.2 */ && (flow->protos.tls_quic_stun.tls_quic.alpn == NULL) /* No ALPN */) { - ndpi_set_risk(flow, NDPI_TLS_NOT_CARRYING_HTTPS); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_NOT_CARRYING_HTTPS); } /* Suspicious Domain Fronting: https://github.com/SixGenInc/Noctilucent/blob/master/docs/ */ if(flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni && flow->protos.tls_quic_stun.tls_quic.client_requested_server_name[0] != '\0') { - ndpi_set_risk(flow, NDPI_TLS_SUSPICIOUS_ESNI_USAGE); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_ESNI_USAGE); } /* Add check for missing SNI */ @@ -2240,7 +2243,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, && (flow->protos.tls_quic_stun.tls_quic.encrypted_sni.esni == NULL) /* No ESNI */ ) { /* This is a bit suspicious */ - ndpi_set_risk(flow, NDPI_TLS_MISSING_SNI); + ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_MISSING_SNI); } return(2 /* Client Certificate */); diff --git a/src/lib/protocols/vnc.c b/src/lib/protocols/vnc.c index a97debbf4..4bcd0e35c 100644 --- a/src/lib/protocols/vnc.c +++ b/src/lib/protocols/vnc.c 
@@ -51,7 +51,7 @@ void ndpi_search_vnc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc ((memcmp(packet->payload, "RFB 004.", 7) == 0) && (packet->payload[11] == 0x0a)))) { NDPI_LOG_INFO(ndpi_struct, "found vnc\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VNC, NDPI_PROTOCOL_UNKNOWN); - ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance */ + ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance */ return; } } |