author | Luca Deri <deri@ntop.org> | 2024-03-05 11:14:34 +0100 |
committer | Luca Deri <deri@ntop.org> | 2024-03-05 11:14:34 +0100 |
commit | 65b9ad88a964cfed149185914f6ffb494665027a (patch) | |
tree | 968389867f4863b4bc6e65890631d288c6e83b40 /src/lib/protocols | |
parent | e7f1946ae72121c0f0c03cdbf12248464239c73c (diff) |
Improved alert on suspicious DNS traffic
Diffstat (limited to 'src/lib/protocols')
-rw-r--r-- | src/lib/protocols/dns.c | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 64e3a38d8..95f3626c9 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -773,14 +773,13 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st
 if(dot) {
 uintptr_t first_element_len = dot - _hostname;
- if((first_element_len > 32) && (!is_mdns)) {
+ if((first_element_len > 48) && (!is_mdns)) {
 /* The lenght of the first element in the query is very long and this might be an issue or indicate an exfiltration */
- /* printf("**** %lu [%s][%s]\n", first_element_len, dot, _hostname); */
- ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_SUSPICIOUS_TRAFFIC, NULL);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_SUSPICIOUS_TRAFFIC, "Long DNS host name");
 }
 }
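Review bot: The new threshold `48` in `if((first_element_len > 48) && (!is_mdns))` is a bare magic number whose rationale is recorded nowhere in the hunk — neither why it moved from 32 nor how it relates to the 63-byte label limit DNS already imposes — so the next tuning of this heuristic will have nothing to go on; a named constant with a one-line comment, e.g. `#define NDPI_DNS_SUSPICIOUS_LABEL_LEN 48 /* first label longer than this is flagged; tune against false positives */` (constructed name), would fix that. The risk message `"Long DNS host name"` also describes something other than what is tested: `first_element_len` is `dot - _hostname`, the length of the first label only, not of the whole name, so a message such as `"Long first DNS label"` would match both the check and the existing comment (which still spells `lenght`). Note that the check is a single-threshold heuristic; false positives from legitimate long labels and misses below the threshold are both possible, which is worth stating next to the constant. The enclosing ndpi_search_dns starts and ends outside the hunk.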