diff options
author | Luca Deri <deri@ntop.org> | 2024-04-09 10:22:01 +0200 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2024-04-09 10:22:01 +0200 |
commit | bd2968dcd36e78adcef0570550277332d164fc2d (patch) | |
tree | f0f4a8d995e8da26ad8b0dc0b954d294b6fd2ba2 /src | |
parent | 00a360f30a89fd479465db64d7e92e761645c101 (diff) |
Tuned DNS risk values
Modified NDPI_BINARY_TRANSFER_ATTEMPT in NDPI_BINARY_DATA_TRANSFER
Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_typedefs.h | 2 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 4 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 4 | ||||
-rw-r--r-- | src/lib/protocols/http.c | 44 |
4 files changed, 43 insertions, 11 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 4f1935776..9721829dc 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -167,7 +167,7 @@ typedef enum { NDPI_FULLY_ENCRYPTED, /* This (unknown) session is fully encrypted */ NDPI_TLS_ALPN_SNI_MISMATCH, /* Invalid ALPN/SNI combination */ NDPI_MALWARE_HOST_CONTACTED, /* Flow client contacted a malware host */ - NDPI_BINARY_TRANSFER_ATTEMPT,/* Attempt to transfer something in binary format */ + NDPI_BINARY_DATA_TRANSFER, /* Attempt to transfer something in binary format */ /* Leave this as last member */ NDPI_MAX_RISK /* must be <= 63 due to (**) */ diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index b0a9107c0..06c609606 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -163,7 +163,7 @@ static ndpi_risk_info ndpi_known_risks[] = { { NDPI_SMB_INSECURE_VERSION, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, { NDPI_TLS_SUSPICIOUS_ESNI_USAGE, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, { NDPI_UNSAFE_PROTOCOL, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_BOTH_ACCOUNTABLE }, - { NDPI_DNS_SUSPICIOUS_TRAFFIC, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, + { NDPI_DNS_SUSPICIOUS_TRAFFIC, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, { NDPI_TLS_MISSING_SNI, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, { NDPI_HTTP_SUSPICIOUS_CONTENT, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_SERVER_ACCOUNTABLE }, { NDPI_RISKY_ASN, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_SERVER_ACCOUNTABLE }, @@ -194,7 +194,7 @@ static ndpi_risk_info ndpi_known_risks[] = { { NDPI_FULLY_ENCRYPTED, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, { NDPI_TLS_ALPN_SNI_MISMATCH, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, { NDPI_MALWARE_HOST_CONTACTED, NDPI_RISK_SEVERE, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, - { NDPI_BINARY_TRANSFER_ATTEMPT, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, + { NDPI_BINARY_DATA_TRANSFER, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE }, /* Leave this as last member */ { NDPI_MAX_RISK, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_NO_ACCOUNTABILITY } diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index d04c457b0..037645d66 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -2055,8 +2055,8 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) { case NDPI_MALWARE_HOST_CONTACTED: return("Client contacted a malware host"); - case NDPI_BINARY_TRANSFER_ATTEMPT: - return("Binary Data Transfer Attemot"); + case NDPI_BINARY_DATA_TRANSFER: + return("Binary file/data transfer (attempt)"); default: ndpi_snprintf(buf, sizeof(buf), "%d", (int)risk); diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 1d41eb61e..8d5d92f3e 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -54,6 +54,28 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str /* *********************************************** */ +static char* forge_attempt_msg(struct ndpi_flow_struct *flow, char *msg, char *buf, u_int buf_len) { + if((flow->http.response_status_code >= 200) && (flow->http.response_status_code < 300)) + return(msg); + else { + snprintf(buf, buf_len, "%s (attempt)", msg); + return(buf); + } +} + +/* *********************************************** */ + +static void ndpi_set_binary_data_transfer(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + char *msg) { + char buf[256]; + + ndpi_set_risk(flow, NDPI_BINARY_DATA_TRANSFER, + forge_attempt_msg(flow, msg, buf, sizeof(buf))); +} + +/* *********************************************** */ + static void ndpi_set_binary_application_transfer(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, char *msg) { @@ -68,14 +90,13 @@ static void ndpi_set_binary_application_transfer(struct ndpi_detection_module_st ) ; else { - if((flow->http.response_status_code >= 200) && (flow->http.response_status_code < 300)) - ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER, msg); - else - ndpi_set_risk(flow, NDPI_BINARY_TRANSFER_ATTEMPT, msg); + char buf[256]; + + ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER, forge_attempt_msg(flow, msg, buf, sizeof(buf))); } } - /* *********************************************** */ +/* *********************************************** */ static void ndpi_analyze_content_signature(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { @@ -257,8 +278,13 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo for(i = 0; cmp_mimes[i] != NULL; i++) { if(strncasecmp(app, cmp_mimes[i], app_len_avail) == 0) { + char str[64]; + flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT; NDPI_LOG_INFO(ndpi_struct, "found HTTP file transfer"); + + snprintf(str, sizeof(str), "Found binary mime %s", cmp_mimes[i]); + ndpi_set_binary_data_transfer(ndpi_struct, flow, str); found = true; break; } @@ -338,11 +364,12 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo attachment_len += filename_len-ATTACHMENT_LEN-1; if((attachment_len+ATTACHMENT_LEN) <= packet->content_disposition_line.len) { + char str[64]; + for(i = 0; binary_exec_file_ext[i] != NULL; i++) { /* Use memcmp in case content-disposition contains binary data */ if(memcmp(&packet->content_disposition_line.ptr[attachment_len], binary_exec_file_ext[i], ATTACHMENT_LEN) == 0) { - char str[64]; snprintf(str, sizeof(str), "Found file extn %s", binary_exec_file_ext[i]); flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT; @@ -351,6 +378,11 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo return(flow->category); } } + + /* No executable but just data transfer */ + snprintf(str, sizeof(str), "File download %s", + flow->http.filename ? flow->http.filename : ""); + ndpi_set_binary_data_transfer(ndpi_struct, flow, str); } } } |