Tuned DNS risk values

Modified NDPI_BINARY_TRANSFER_ATTEMPT in NDPI_BINARY_DATA_TRANSFER
author: Luca Deri <deri@ntop.org> 2024-04-09 10:22:01 +0200
committer: Luca Deri <deri@ntop.org> 2024-04-09 10:22:01 +0200
commit: bd2968dcd36e78adcef0570550277332d164fc2d (patch)
tree: f0f4a8d995e8da26ad8b0dc0b954d294b6fd2ba2 /src
parent: 00a360f30a89fd479465db64d7e92e761645c101 (diff)
4 files changed, 43 insertions, 11 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 4f1935776..9721829dc 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -167,7 +167,7 @@ typedef enum {
   NDPI_FULLY_ENCRYPTED,        /* This (unknown) session is fully encrypted */
   NDPI_TLS_ALPN_SNI_MISMATCH,  /* Invalid ALPN/SNI combination */
   NDPI_MALWARE_HOST_CONTACTED, /* Flow client contacted a malware host */
-  NDPI_BINARY_TRANSFER_ATTEMPT,/* Attempt to transfer something in binary format */
+  NDPI_BINARY_DATA_TRANSFER,   /* Attempt to transfer something in binary format */
   
   /* Leave this as last member */
   NDPI_MAX_RISK /* must be <= 63 due to (**) */
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index b0a9107c0..06c609606 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -163,7 +163,7 @@ static ndpi_risk_info ndpi_known_risks[] = {
   { NDPI_SMB_INSECURE_VERSION,                  NDPI_RISK_HIGH,   CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
   { NDPI_TLS_SUSPICIOUS_ESNI_USAGE,             NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
   { NDPI_UNSAFE_PROTOCOL,                       NDPI_RISK_LOW,    CLIENT_FAIR_RISK_PERCENTAGE, NDPI_BOTH_ACCOUNTABLE   },
-  { NDPI_DNS_SUSPICIOUS_TRAFFIC,                NDPI_RISK_HIGH,   CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
+  { NDPI_DNS_SUSPICIOUS_TRAFFIC,                NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
   { NDPI_TLS_MISSING_SNI,                       NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
   { NDPI_HTTP_SUSPICIOUS_CONTENT,               NDPI_RISK_HIGH,   CLIENT_HIGH_RISK_PERCENTAGE, NDPI_SERVER_ACCOUNTABLE },
   { NDPI_RISKY_ASN,                             NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_SERVER_ACCOUNTABLE },
@@ -194,7 +194,7 @@ static ndpi_risk_info ndpi_known_risks[] = {
   { NDPI_FULLY_ENCRYPTED,                       NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
   { NDPI_TLS_ALPN_SNI_MISMATCH,                 NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
   { NDPI_MALWARE_HOST_CONTACTED,                NDPI_RISK_SEVERE, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
-  { NDPI_BINARY_TRANSFER_ATTEMPT,               NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
+  { NDPI_BINARY_DATA_TRANSFER,                  NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
   
   /* Leave this as last member */
   { NDPI_MAX_RISK,                              NDPI_RISK_LOW,    CLIENT_FAIR_RISK_PERCENTAGE, NDPI_NO_ACCOUNTABILITY   }
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index d04c457b0..037645d66 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -2055,8 +2055,8 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
   case NDPI_MALWARE_HOST_CONTACTED:
     return("Client contacted a malware host");
 
-  case NDPI_BINARY_TRANSFER_ATTEMPT:
-    return("Binary Data Transfer Attemot");
+  case NDPI_BINARY_DATA_TRANSFER:
+    return("Binary file/data transfer (attempt)");
 
   default:
     ndpi_snprintf(buf, sizeof(buf), "%d", (int)risk);
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 1d41eb61e..8d5d92f3e 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -54,6 +54,28 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str
 
 /* *********************************************** */
 
+static char* forge_attempt_msg(struct ndpi_flow_struct *flow, char *msg, char *buf, u_int buf_len) {
+  if((flow->http.response_status_code >= 200) && (flow->http.response_status_code < 300))
+    return(msg);
+  else {
+    snprintf(buf, buf_len, "%s (attempt)", msg);
+    return(buf);
+  }
+}
+
+/* *********************************************** */
+
+static void ndpi_set_binary_data_transfer(struct ndpi_detection_module_struct *ndpi_struct,
+					  struct ndpi_flow_struct *flow,
+					  char *msg) {
+  char buf[256];
+  
+  ndpi_set_risk(flow, NDPI_BINARY_DATA_TRANSFER,
+		forge_attempt_msg(flow, msg, buf, sizeof(buf)));
+}
+
+/* *********************************************** */
+
 static void ndpi_set_binary_application_transfer(struct ndpi_detection_module_struct *ndpi_struct,
 						 struct ndpi_flow_struct *flow,
 						 char *msg) {
@@ -68,14 +90,13 @@ static void ndpi_set_binary_application_transfer(struct ndpi_detection_module_st
      )
     ;
   else {
-    if((flow->http.response_status_code >= 200) && (flow->http.response_status_code < 300))
-      ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER, msg);
-    else
-      ndpi_set_risk(flow, NDPI_BINARY_TRANSFER_ATTEMPT, msg);
+    char buf[256];
+    
+    ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER, forge_attempt_msg(flow, msg, buf, sizeof(buf)));
   }
  }
 
-  /* *********************************************** */
+/* *********************************************** */
 
 static void ndpi_analyze_content_signature(struct ndpi_detection_module_struct *ndpi_struct,
 					   struct ndpi_flow_struct *flow) {
@@ -257,8 +278,13 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
 
 	    for(i = 0; cmp_mimes[i] != NULL; i++) {
 	      if(strncasecmp(app, cmp_mimes[i], app_len_avail) == 0) {
+		char str[64];	       		
+
 		flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
 		NDPI_LOG_INFO(ndpi_struct, "found HTTP file transfer");
+
+		snprintf(str, sizeof(str), "Found binary mime %s", cmp_mimes[i]);
+		ndpi_set_binary_data_transfer(ndpi_struct, flow, str);
 		found = true;
 		break;
 	      }
@@ -338,11 +364,12 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
 	  attachment_len += filename_len-ATTACHMENT_LEN-1;
 
 	  if((attachment_len+ATTACHMENT_LEN) <= packet->content_disposition_line.len) {
+	    char str[64];
+	    
 	    for(i = 0; binary_exec_file_ext[i] != NULL; i++) {
 	      /* Use memcmp in case content-disposition contains binary data */
 	      if(memcmp(&packet->content_disposition_line.ptr[attachment_len],
 			binary_exec_file_ext[i], ATTACHMENT_LEN) == 0) {
-		char str[64];
 
 		snprintf(str, sizeof(str), "Found file extn %s", binary_exec_file_ext[i]);
 		flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
@@ -351,6 +378,11 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
 		return(flow->category);
 	      }
 	    }
+
+	    /* No executable but just data transfer */
+	    snprintf(str, sizeof(str), "File download %s",
+		     flow->http.filename ? flow->http.filename : "");
+	    ndpi_set_binary_data_transfer(ndpi_struct, flow, str);
 	  }
 	}
       }
author	Luca Deri <deri@ntop.org>	2024-04-09 10:22:01 +0200
committer	Luca Deri <deri@ntop.org>	2024-04-09 10:22:01 +0200
commit	bd2968dcd36e78adcef0570550277332d164fc2d (patch)
tree	f0f4a8d995e8da26ad8b0dc0b954d294b6fd2ba2 /src
parent	00a360f30a89fd479465db64d7e92e761645c101 (diff)