author | Luca Deri <deri@ntop.org> | 2021-03-20 17:56:24 +0100 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2021-03-20 17:56:24 +0100 |
commit | 627299e4ddd7d39fcc7ce8cd703be0ed8f92da4a (patch) | |
tree | 1cc856b772fb5f56a84df4fb631b468237dd81e1 /src | |
parent | 6333bb1702619d29e7f6ce2acf9091c0ccc436c9 (diff) |
Better DGA detection (slightly decreased accuracy)
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/ndpi_main.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 8 |
2 files changed, 4 insertions, 6 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 50fccbefa..f4b949b2b 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -7464,7 +7464,7 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str,
 - https://www.akamai.com/uk/en/multimedia/documents/state-of-the-internet/ddos-reflection-netbios-name-server-rpc-portmap-sentinel-udp-threat-advisory.pdf
 - http://ubiqx.org/cifs/NetBIOS.html */
- || (max_domain_element_len >= 19 /* word too long. Example bbcbedxhgjmdobdprmen.com */)
+ || ((max_domain_element_len >= 19 /* word too long. Example bbcbedxhgjmdobdprmen.com */) && ((num_char_repetitions > 1) || (num_digits > 1)))
 ) {
 if(flow) ndpi_set_risk(flow, NDPI_SUSPICIOUS_DGA_DOMAIN);
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index fdd59cb67..d7116ee6e 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1444,11 +1444,9 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 #endif
 if((len >= 4)
- && strcmp(&sni[len-4], ".com") /* Check if it ends in .com or .net */
- && strcmp(&sni[len-4], ".net")
- && strncmp(sni, "www.", 4)) /* Not starting with www.... */
- ;
- else
+ /* Check if it ends in .com or .net */
+ && ((strcmp(&sni[len-4], ".com") == 0) || (strcmp(&sni[len-4], ".net") == 0))
+ && (strncmp(sni, "www.", 4) == 0)) /* Not starting with www.... */
 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR, NDPI_PROTOCOL_TLS);
 } else {
 #ifdef DEBUG_TLS |
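Review bot: The comment on the new `||` clause still cites bbcbedxhgjmdobdprmen.com as the example that trips it, but the clause now also requires `num_char_repetitions > 1` or `num_digits > 1`; if num_char_repetitions counts adjacent duplicate letters as its name suggests, that label has a single `bb` and no digits, so the quoted example would no longer be flagged. Either pick an example that still satisfies both legs or reword the comment, e.g. `/* label too long AND a second DGA signal (repeated chars or digits): a long label alone was false-positive prone */`, so the next reader understands why 19+ characters is no longer sufficient on its own. Note that a 19+ character all-letter label with no repeats now passes clean, which is the accuracy trade the commit title admits but the code does not document. The enclosing `if(` condition and the counters it tests start outside the hunk.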
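Review bot: The trailing comment `/* Not starting with www.... */` on the new `strncmp(sni, "www.", 4) == 0` line now says the opposite of what the code requires: the old form skipped the Tor classification for SNIs that did not start with `www.`, whereas the rewritten condition only classifies as Tor when the SNI does start with `www.` and ends in `.com` or `.net`. Change it to `/* ...and starts with www. */` so the comment matches the condition. Since the SNI is client-supplied and `&sni[len-4]` plus `strcmp` assume `len` is the length of a NUL-terminated string, it is worth confirming (outside this hunk) that `len` comes from the terminated copy rather than the raw extension length; if not, the suffix comparisons could run past the copied name. processClientServerHello and the branch that reaches this `if` start outside the hunk.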