authorLuca Deri <deri@ntop.org>2024-04-09 10:22:01 +0200
committerLuca Deri <deri@ntop.org>2024-04-09 10:22:01 +0200
commitbd2968dcd36e78adcef0570550277332d164fc2d (patch)
treef0f4a8d995e8da26ad8b0dc0b954d294b6fd2ba2 /src
parent00a360f30a89fd479465db64d7e92e761645c101 (diff)
Tuned DNS risk values
Renamed NDPI_BINARY_TRANSFER_ATTEMPT to NDPI_BINARY_DATA_TRANSFER
Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_typedefs.h2
-rw-r--r--src/lib/ndpi_main.c4
-rw-r--r--src/lib/ndpi_utils.c4
-rw-r--r--src/lib/protocols/http.c44
4 files changed, 43 insertions, 11 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 4f1935776..9721829dc 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -167,7 +167,7 @@ typedef enum {
NDPI_FULLY_ENCRYPTED, /* This (unknown) session is fully encrypted */
NDPI_TLS_ALPN_SNI_MISMATCH, /* Invalid ALPN/SNI combination */
NDPI_MALWARE_HOST_CONTACTED, /* Flow client contacted a malware host */
- NDPI_BINARY_TRANSFER_ATTEMPT,/* Attempt to transfer something in binary format */
+ NDPI_BINARY_DATA_TRANSFER, /* Attempt to transfer something in binary format */
/* Leave this as last member */
NDPI_MAX_RISK /* must be <= 63 due to (**) */
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index b0a9107c0..06c609606 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -163,7 +163,7 @@ static ndpi_risk_info ndpi_known_risks[] = {
{ NDPI_SMB_INSECURE_VERSION, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
{ NDPI_TLS_SUSPICIOUS_ESNI_USAGE, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
{ NDPI_UNSAFE_PROTOCOL, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_BOTH_ACCOUNTABLE },
- { NDPI_DNS_SUSPICIOUS_TRAFFIC, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
+ { NDPI_DNS_SUSPICIOUS_TRAFFIC, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
{ NDPI_TLS_MISSING_SNI, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
{ NDPI_HTTP_SUSPICIOUS_CONTENT, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_SERVER_ACCOUNTABLE },
{ NDPI_RISKY_ASN, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_SERVER_ACCOUNTABLE },
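Review bot: The changed NDPI_DNS_SUSPICIOUS_TRAFFIC row pairs NDPI_RISK_MEDIUM with CLIENT_HIGH_RISK_PERCENTAGE, while every other MEDIUM row in view (NDPI_TLS_SUSPICIOUS_ESNI_USAGE, NDPI_TLS_MISSING_SNI, NDPI_RISKY_ASN, NDPI_FULLY_ENCRYPTED, NDPI_TLS_ALPN_SNI_MISMATCH) uses CLIENT_FAIR_RISK_PERCENTAGE. If the percentage is meant to follow the severity, the row should read `{ NDPI_DNS_SUSPICIOUS_TRAFFIC, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },`; if keeping the high percentage at medium severity is deliberate, a short trailing comment such as `/* medium severity, but still weighted high: see commit bd2968d */` would keep the next tuning pass from "correcting" it. The ndpi_known_risks table starts and ends outside this hunk.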
@@ -194,7 +194,7 @@ static ndpi_risk_info ndpi_known_risks[] = {
{ NDPI_FULLY_ENCRYPTED, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
{ NDPI_TLS_ALPN_SNI_MISMATCH, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
{ NDPI_MALWARE_HOST_CONTACTED, NDPI_RISK_SEVERE, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
- { NDPI_BINARY_TRANSFER_ATTEMPT, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
+ { NDPI_BINARY_DATA_TRANSFER, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
/* Leave this as last member */
{ NDPI_MAX_RISK, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_NO_ACCOUNTABILITY }
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index d04c457b0..037645d66 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -2055,8 +2055,8 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
case NDPI_MALWARE_HOST_CONTACTED:
return("Client contacted a malware host");
- case NDPI_BINARY_TRANSFER_ATTEMPT:
- return("Binary Data Transfer Attemot");
+ case NDPI_BINARY_DATA_TRANSFER:
+ return("Binary file/data transfer (attempt)");
default:
ndpi_snprintf(buf, sizeof(buf), "%d", (int)risk);
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 1d41eb61e..8d5d92f3e 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -54,6 +54,28 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str
/* *********************************************** */
+static char* forge_attempt_msg(struct ndpi_flow_struct *flow, char *msg, char *buf, u_int buf_len) {
+ if((flow->http.response_status_code >= 200) && (flow->http.response_status_code < 300))
+ return(msg);
+ else {
+ snprintf(buf, buf_len, "%s (attempt)", msg);
+ return(buf);
+ }
+}
+
+/* *********************************************** */
+
+static void ndpi_set_binary_data_transfer(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow,
+ char *msg) {
+ char buf[256];
+
+ ndpi_set_risk(flow, NDPI_BINARY_DATA_TRANSFER,
+ forge_attempt_msg(flow, msg, buf, sizeof(buf)));
+}
+
+/* *********************************************** */
+
static void ndpi_set_binary_application_transfer(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
char *msg) {
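Review bot: forge_attempt_msg returns either `msg` or the caller-supplied `buf`, and ndpi_set_binary_data_transfer passes that pointer to ndpi_set_risk from a 256-byte stack buffer that dies as soon as the function returns, so the non-2xx path is only safe if ndpi_set_risk copies the message rather than retaining the pointer — that is not visible in this hunk and should be stated on the helper, e.g. `/* Returns msg, or buf with " (attempt)" appended when the response is not 2xx; buf is caller-owned, so the result must be copied before buf goes out of scope */`. Neither function writes through `msg`, so `const char *msg` (and a `const char *` return on forge_attempt_msg) would document that and let callers pass string literals without a warning. The same helper and lifetime assumption are reused in the ndpi_set_binary_application_transfer hunk below.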
@@ -68,14 +90,13 @@ static void ndpi_set_binary_application_transfer(struct ndpi_detection_module_st
)
;
else {
- if((flow->http.response_status_code >= 200) && (flow->http.response_status_code < 300))
- ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER, msg);
- else
- ndpi_set_risk(flow, NDPI_BINARY_TRANSFER_ATTEMPT, msg);
+ char buf[256];
+
+ ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER, forge_attempt_msg(flow, msg, buf, sizeof(buf)));
}
}
- /* *********************************************** */
+/* *********************************************** */
static void ndpi_analyze_content_signature(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
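Review bot: A non-2xx response now raises NDPI_BINARY_APPLICATION_TRANSFER itself, where before it raised the separate NDPI_BINARY_TRANSFER_ATTEMPT (rated MEDIUM in the ndpi_main.c hunk), so a refused or 404'd download and a completed one now set the same risk bit and the same score, distinguished only by the free-text `(attempt)` suffix. Consumers that filter or alert on the risk bitmask lose that distinction unless they parse the message; if collapsing the two is intended, it is worth saying so in a comment above the ndpi_set_risk call, e.g. `/* Attempts (non-2xx) are reported under the same risk; the " (attempt)" suffix in the message is the only marker */`, and the ndpi_risk2str text for NDPI_BINARY_DATA_TRANSFER, which now says "(attempt)" unconditionally, should be aligned with that. The enclosing ndpi_set_binary_application_transfer starts before this hunk.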
@@ -257,8 +278,13 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
for(i = 0; cmp_mimes[i] != NULL; i++) {
if(strncasecmp(app, cmp_mimes[i], app_len_avail) == 0) {
+ char str[64];
+
flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
NDPI_LOG_INFO(ndpi_struct, "found HTTP file transfer");
+
+ snprintf(str, sizeof(str), "Found binary mime %s", cmp_mimes[i]);
+ ndpi_set_binary_data_transfer(ndpi_struct, flow, str);
found = true;
break;
}
@@ -338,11 +364,12 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
attachment_len += filename_len-ATTACHMENT_LEN-1;
if((attachment_len+ATTACHMENT_LEN) <= packet->content_disposition_line.len) {
+ char str[64];
+
for(i = 0; binary_exec_file_ext[i] != NULL; i++) {
/* Use memcmp in case content-disposition contains binary data */
if(memcmp(&packet->content_disposition_line.ptr[attachment_len],
binary_exec_file_ext[i], ATTACHMENT_LEN) == 0) {
- char str[64];
snprintf(str, sizeof(str), "Found file extn %s", binary_exec_file_ext[i]);
flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
@@ -351,6 +378,11 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
return(flow->category);
}
}
+
+ /* No executable but just data transfer */
+ snprintf(str, sizeof(str), "File download %s",
+ flow->http.filename ? flow->http.filename : "");
+ ndpi_set_binary_data_transfer(ndpi_struct, flow, str);
}
}
}
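Review bot: `flow->http.filename` is copied verbatim into the risk message, and the comment on the memcmp loop in the previous hunk notes that the Content-Disposition line may contain binary data; if filename comes from that header (presumably, the assignment is not in view) the message can carry arbitrary non-printable bytes into whatever consumes ndpi_set_risk's string (logs, JSON/export). snprintf bounds the write to 64 bytes but does not sanitize, so either document it with `/* filename is client/server-controlled header data: escape before logging or exporting */` or filter to printable characters before formatting. With a NULL filename the message becomes `"File download "` with a trailing space; `snprintf(str, sizeof(str), "File download%s%s", flow->http.filename ? " " : "", flow->http.filename ? flow->http.filename : "");` avoids that. ndpi_http_check_content continues past this hunk.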