authorLuca Deri <deri@ntop.org>2021-04-12 18:11:14 +0200
committerLuca Deri <deri@ntop.org>2021-04-12 18:11:14 +0200
commit18c6c1c2d68c4cc185d4c2fa0583776edf523042 (patch)
tree742591a0d5fd4c68a7714c5184f314379d779e41 /src
parentbf318e0b86ecfe88db3c15ed7ae285b43e51c304 (diff)
Added NDPI_DESKTOP_OR_FILE_SHARING_SESSION risk to remote protocols for remote assistance sessions
Diffstat (limited to 'src')
-rw-r--r--src/lib/ndpi_main.c9
-rw-r--r--src/lib/protocols/rdp.c1
-rw-r--r--src/lib/protocols/tls.c6
-rw-r--r--src/lib/protocols/vnc.c23
4 files changed, 24 insertions, 15 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index baf076a75..3ae724391 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -4180,7 +4180,7 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str
flow->packet.l4_packet_len = l4len;
flow->l4_proto = l4protocol;
- /* tcp / udp detection */
+ /* TCP / UDP detection */
if(l4protocol == IPPROTO_TCP && flow->packet.l4_packet_len >= 20 /* min size of tcp */) {
/* tcp */
flow->packet.tcp = (struct ndpi_tcphdr *) l4ptr;
@@ -5035,6 +5035,8 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
}
#endif
+ // printf("====>> %u.%u [%u]\n", ret->master_protocol, ret->app_protocol, flow->detected_protocol_stack[0]);
+
switch(ret->app_protocol) {
/*
Skype for a host doing MS Teams means MS Teams
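Review bot: The commented-out `printf` added just before the `switch(ret->app_protocol)` is debug residue: it is never compiled, so it silently drifts out of sync with the fields it prints, and it adds nothing a reader can act on. Either drop the line or express it with the module's debug logging (the `NDPI_LOG_DBG2` macro used in the vnc.c hunk of this same commit) so it stays type-checked and can be enabled without editing source. The enclosing function starts outside the hunk.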
@@ -5077,6 +5079,11 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
}
}
break;
+
+ case NDPI_PROTOCOL_ANYDESK:
+ if(flow->packet.tcp) /* TCP only */
+ ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance */
+ break;
} /* switch */
if(flow) {
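Review bot: The `/* TCP only */` comment on the new `NDPI_PROTOCOL_ANYDESK` case states what the `flow->packet.tcp` guard does but not why non-TCP AnyDesk flows are left without the `NDPI_DESKTOP_OR_FILE_SHARING_SESSION` risk, which is the question a later maintainer will ask; a comment of the form `/* TCP only: <state why UDP AnyDesk flows are not flagged> */` would close that. The risk for AnyDesk is also set in this commit's tls.c hunk on the certificate-subject match, while RDP and VNC set it inside their own dissectors, so the same policy now lives in four files — picking one place (this switch, or the dissectors) would keep it from diverging. The enclosing function begins outside the hunk.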
diff --git a/src/lib/protocols/rdp.c b/src/lib/protocols/rdp.c
index e117b3d2f..4776ab9c1 100644
--- a/src/lib/protocols/rdp.c
+++ b/src/lib/protocols/rdp.c
@@ -49,6 +49,7 @@ void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct, struct nd
&& get_u_int16_t(packet->payload, 6) == 0 && get_u_int16_t(packet->payload, 8) == 0 && get_u_int8_t(packet->payload, 10) == 0) {
NDPI_LOG_INFO(ndpi_struct, "found RDP\n");
ndpi_int_rdp_add_connection(ndpi_struct, flow);
+ ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance */
return;
}
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index ffb3740c8..3a09f444b 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -555,9 +555,13 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
int rc = ndpi_match_string_value(ndpi_struct->tls_cert_subject_automa.ac_automa,
rdnSeqBuf, strlen(rdnSeqBuf),&proto_id);
- if(rc == 0)
+ if(rc == 0) {
flow->detected_protocol_stack[0] = proto_id,
flow->detected_protocol_stack[1] = NDPI_PROTOCOL_TLS;
+
+ if(proto_id == NDPI_PROTOCOL_ANYDESK)
+ ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance */
+ }
}
}
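Review bot: Now that the `if(rc == 0)` body is braced, the comma-joined pair `flow->detected_protocol_stack[0] = proto_id,` / `flow->detected_protocol_stack[1] = NDPI_PROTOCOL_TLS;` should become two ordinary statements, i.e. `flow->detected_protocol_stack[0] = proto_id;`. The comma operator only served to squeeze two assignments under the former unbraced `if`; inside a block it reads like a typo and invites a mis-edit when the next line is added. processCertificateElements continues outside the hunk.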
diff --git a/src/lib/protocols/vnc.c b/src/lib/protocols/vnc.c
index 32fe4d4dd..a97debbf4 100644
--- a/src/lib/protocols/vnc.c
+++ b/src/lib/protocols/vnc.c
@@ -33,28 +33,25 @@ void ndpi_search_vnc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
NDPI_LOG_DBG(ndpi_struct, "search vnc\n");
/* search over TCP */
if(packet->tcp) {
-
+
if(flow->l4.tcp.vnc_stage == 0) {
-
if((packet->payload_packet_len == 12) &&
- ((memcmp(packet->payload, "RFB 003.003", 11) == 0 && packet->payload[11] == 0x0a) ||
- (memcmp(packet->payload, "RFB 003.007", 11) == 0 && packet->payload[11] == 0x0a) ||
- (memcmp(packet->payload, "RFB 003.008", 11) == 0 && packet->payload[11] == 0x0a) ||
- (memcmp(packet->payload, "RFB 004.001", 11) == 0 && packet->payload[11] == 0x0a))) {
+ (((memcmp(packet->payload, "RFB 003.", 7) == 0) && (packet->payload[11] == 0x0a))
+ ||
+ ((memcmp(packet->payload, "RFB 004.", 7) == 0) && (packet->payload[11] == 0x0a)))) {
NDPI_LOG_DBG2(ndpi_struct, "reached vnc stage one\n");
flow->l4.tcp.vnc_stage = 1 + packet->packet_direction;
return;
}
} else if(flow->l4.tcp.vnc_stage == 2 - packet->packet_direction) {
-
+
if((packet->payload_packet_len == 12) &&
- ((memcmp(packet->payload, "RFB 003.003", 11) == 0 && packet->payload[11] == 0x0a) ||
- (memcmp(packet->payload, "RFB 003.007", 11) == 0 && packet->payload[11] == 0x0a) ||
- (memcmp(packet->payload, "RFB 003.008", 11) == 0 && packet->payload[11] == 0x0a) ||
- (memcmp(packet->payload, "RFB 004.001", 11) == 0 && packet->payload[11] == 0x0a))) {
-
+ (((memcmp(packet->payload, "RFB 003.", 7) == 0) && (packet->payload[11] == 0x0a))
+ ||
+ ((memcmp(packet->payload, "RFB 004.", 7) == 0) && (packet->payload[11] == 0x0a)))) {
NDPI_LOG_INFO(ndpi_struct, "found vnc\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VNC, NDPI_PROTOCOL_UNKNOWN);
+ ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance */
return;
}
}
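Review bot: Both new conditions compare only 7 bytes against the 8-byte literals `"RFB 003."` and `"RFB 004."`, so the `.` at payload[7] is never actually checked even though the literal suggests it is; with `packet->payload_packet_len == 12` already enforced the full prefix can be compared safely, `memcmp(packet->payload, "RFB 003.", 8) == 0` (same for `"RFB 004."`, in both stages). The relaxation also accepts arbitrary bytes at positions 8–10 where the old code required a known minor version, and a match now also raises the risk flag, so if only numeric minor versions are intended either say so in a comment or check those three bytes are digits. The identical 12-byte check is now duplicated in the stage-0 and stage-2 branches; a small `static` helper would keep them in step. ndpi_search_vnc_tcp starts outside the hunk.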
@@ -71,6 +68,6 @@ void init_vnc_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
-
+
*id += 1;
}