author | Luca Deri <deri@ntop.org> | 2024-08-27 15:41:40 +0200 |
committer | Luca Deri <deri@ntop.org> | 2024-08-27 15:41:40 +0200 |
commit | 5436dddef55e068095ca56b114715a91a551bf26 (patch) | |
tree | 9aaebdc88757bfa9b0c711eed8d2dd29dfdadfce /src | |
parent | 34e1ac0bbbc33698953a9b4a3de67bb1b8f2445c (diff) |
Added ndpi_risk2code and ndpi_code2risk
Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_api.h | 2 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 2 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 251 |
3 files changed, 248 insertions, 7 deletions
diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h index 9a2515ac5..480b652c5 100644 --- a/src/include/ndpi_api.h +++ b/src/include/ndpi_api.h @@ -1801,6 +1801,8 @@ extern "C" { ndpi_confidence_t confidence, ndpi_protocol l7_protocol); const char* ndpi_risk2str(ndpi_risk_enum risk); + const char* ndpi_risk2code(ndpi_risk_enum risk); + ndpi_risk_enum ndpi_code2risk(const char* risk); const char* ndpi_severity2str(ndpi_risk_severity s); ndpi_risk_info* ndpi_risk2severity(ndpi_risk_enum risk); u_int16_t ndpi_risk2score(ndpi_risk risk, diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index aeda1ab61..6c07341f7 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -99,7 +99,7 @@ typedef enum { NOTE When the typedef below is modified don't forget to update - nDPI/wireshark/ndpi.lua - - ndpi_risk2str (in ndpi_utils.c) + - ndpi_risk2str, ndpi_risk2code, ndpi_code2risk (in ndpi_utils.c) - doc/flow_risks.rst - ndpi_known_risks (ndpi_main.c) diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index e0fd63796..03fb4f8a9 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -2096,7 +2096,7 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) { case NDPI_PROBING_ATTEMPT: return("Probing attempt"); - + default: ndpi_snprintf(buf, sizeof(buf), "%d", (int)risk); return(buf); 
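Review bot: The two prototypes added after `ndpi_risk2str` in ndpi_api.h carry no comment on their contract, and the header is where callers will look for it; neither the "Unknown risk" fallback nor the NDPI_MAX_RISK sentinel is discoverable from the declarations. I would put `/* Symbolic name of a risk, e.g. "NDPI_TLS_WEAK_CIPHER"; "Unknown risk" for values without an entry */` above `ndpi_risk2code` and `/* Inverse of ndpi_risk2code(); returns NDPI_MAX_RISK when the string is not a known code */` above `ndpi_code2risk`. The enclosing extern "C" block starts and ends outside the hunk.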
@@ -2105,6 +2105,245 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
 /* ******************************************************************** */
+#define STRINGIFY(x) #x
+
+const char* ndpi_risk2code(ndpi_risk_enum risk) {
+ switch(risk) {
+ case NDPI_NO_RISK:
+ return STRINGIFY(NDPI_NO_RISK);
+ case NDPI_URL_POSSIBLE_SQL_INJECTION:
+ return STRINGIFY(NDPI_URL_POSSIBLE_SQL_INJECTION);
+ case NDPI_URL_POSSIBLE_RCE_INJECTION:
+ return STRINGIFY(NDPI_URL_POSSIBLE_RCE_INJECTION);
+ case NDPI_BINARY_APPLICATION_TRANSFER:
+ return STRINGIFY(NDPI_BINARY_APPLICATION_TRANSFER);
+ case NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT:
+ return STRINGIFY(NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT);
+ case NDPI_TLS_SELFSIGNED_CERTIFICATE:
+ return STRINGIFY(NDPI_TLS_SELFSIGNED_CERTIFICATE);
+ case NDPI_TLS_OBSOLETE_VERSION:
+ return STRINGIFY(NDPI_TLS_OBSOLETE_VERSION);
+ case NDPI_TLS_WEAK_CIPHER:
+ return STRINGIFY(NDPI_TLS_WEAK_CIPHER);
+ case NDPI_TLS_CERTIFICATE_EXPIRED:
+ return STRINGIFY(NDPI_TLS_CERTIFICATE_EXPIRED);
+ case NDPI_TLS_CERTIFICATE_MISMATCH:
+ return STRINGIFY(NDPI_TLS_CERTIFICATE_MISMATCH);
+ case NDPI_HTTP_SUSPICIOUS_USER_AGENT:
+ return STRINGIFY(NDPI_HTTP_SUSPICIOUS_USER_AGENT);
+ case NDPI_NUMERIC_IP_HOST:
+ return STRINGIFY(NDPI_NUMERIC_IP_HOST);
+ case NDPI_HTTP_SUSPICIOUS_URL:
+ return STRINGIFY(NDPI_HTTP_SUSPICIOUS_URL);
+ case NDPI_HTTP_SUSPICIOUS_HEADER:
+ return STRINGIFY(NDPI_HTTP_SUSPICIOUS_HEADER);
+ case NDPI_TLS_NOT_CARRYING_HTTPS:
+ return STRINGIFY(NDPI_TLS_NOT_CARRYING_HTTPS);
+ case NDPI_SUSPICIOUS_DGA_DOMAIN:
+ return STRINGIFY(NDPI_SUSPICIOUS_DGA_DOMAIN);
+ case NDPI_MALFORMED_PACKET:
+ return STRINGIFY(NDPI_MALFORMED_PACKET);
+ case NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER:
+ return STRINGIFY(NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER);
+ case NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER:
+ return STRINGIFY(NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER);
+ case NDPI_SMB_INSECURE_VERSION:
+ return STRINGIFY(NDPI_SMB_INSECURE_VERSION);
+ case NDPI_TLS_SUSPICIOUS_ESNI_USAGE:
+ return STRINGIFY(NDPI_TLS_SUSPICIOUS_ESNI_USAGE);
+ case NDPI_UNSAFE_PROTOCOL:
+ return STRINGIFY(NDPI_TLS_SUSPICIOUS_ESNI_USAGE);
+ case NDPI_DNS_SUSPICIOUS_TRAFFIC:
+ return STRINGIFY(NDPI_DNS_SUSPICIOUS_TRAFFIC);
+ case NDPI_TLS_MISSING_SNI:
+ return STRINGIFY(NDPI_TLS_MISSING_SNI);
+ case NDPI_HTTP_SUSPICIOUS_CONTENT:
+ return STRINGIFY(NDPI_HTTP_SUSPICIOUS_CONTENT);
+ case NDPI_RISKY_ASN:
+ return STRINGIFY(NDPI_RISKY_ASN);
+ case NDPI_RISKY_DOMAIN:
+ return STRINGIFY(NDPI_RISKY_DOMAIN);
+ case NDPI_MALICIOUS_FINGERPRINT:
+ return STRINGIFY(NDPI_MALICIOUS_FINGERPRINT);
+ case NDPI_MALICIOUS_SHA1_CERTIFICATE:
+ return STRINGIFY(NDPI_MALICIOUS_SHA1_CERTIFICATE);
+ case NDPI_DESKTOP_OR_FILE_SHARING_SESSION:
+ return STRINGIFY(NDPI_DESKTOP_OR_FILE_SHARING_SESSION);
+ case NDPI_TLS_UNCOMMON_ALPN:
+ return STRINGIFY(NDPI_TLS_UNCOMMON_ALPN);
+ case NDPI_TLS_CERT_VALIDITY_TOO_LONG:
+ return STRINGIFY(NDPI_TLS_CERT_VALIDITY_TOO_LONG);
+ case NDPI_TLS_SUSPICIOUS_EXTENSION:
+ return STRINGIFY(NDPI_TLS_SUSPICIOUS_EXTENSION);
+ case NDPI_TLS_FATAL_ALERT:
+ return STRINGIFY(NDPI_TLS_FATAL_ALERT);
+ case NDPI_SUSPICIOUS_ENTROPY:
+ return STRINGIFY(NDPI_SUSPICIOUS_ENTROPY);
+ case NDPI_CLEAR_TEXT_CREDENTIALS:
+ return STRINGIFY(NDPI_CLEAR_TEXT_CREDENTIALS);
+ case NDPI_DNS_LARGE_PACKET:
+ return STRINGIFY(NDPI_DNS_LARGE_PACKET);
+ case NDPI_DNS_FRAGMENTED:
+ return STRINGIFY(NDPI_DNS_FRAGMENTED);
+ case NDPI_INVALID_CHARACTERS:
+ return STRINGIFY(NDPI_INVALID_CHARACTERS);
+ case NDPI_POSSIBLE_EXPLOIT:
+ return STRINGIFY(NDPI_POSSIBLE_EXPLOIT);
+ case NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE:
+ return STRINGIFY(NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE);
+ case NDPI_PUNYCODE_IDN:
+ return STRINGIFY(NDPI_PUNYCODE_IDN);
+ case NDPI_ERROR_CODE_DETECTED:
+ return STRINGIFY(NDPI_ERROR_CODE_DETECTED);
+ case NDPI_HTTP_CRAWLER_BOT:
+ return STRINGIFY(NDPI_HTTP_CRAWLER_BOT);
+ case NDPI_ANONYMOUS_SUBSCRIBER:
+ return STRINGIFY(NDPI_ANONYMOUS_SUBSCRIBER);
+ case NDPI_UNIDIRECTIONAL_TRAFFIC:
+ return STRINGIFY(NDPI_UNIDIRECTIONAL_TRAFFIC);
+ case NDPI_HTTP_OBSOLETE_SERVER:
+ return STRINGIFY(NDPI_HTTP_OBSOLETE_SERVER);
+ case NDPI_PERIODIC_FLOW:
+ return STRINGIFY(NDPI_PERIODIC_FLOW);
+ case NDPI_MINOR_ISSUES:
+ return STRINGIFY(NDPI_MINOR_ISSUES);
+ case NDPI_TCP_ISSUES:
+ return STRINGIFY(NDPI_MINOR_ISSUES);
+ case NDPI_FULLY_ENCRYPTED:
+ return STRINGIFY(NDPI_FULLY_ENCRYPTED);
+ case NDPI_TLS_ALPN_SNI_MISMATCH:
+ return STRINGIFY(NDPI_TLS_ALPN_SNI_MISMATCH);
+ case NDPI_MALWARE_HOST_CONTACTED:
+ return STRINGIFY(NDPI_MALWARE_HOST_CONTACTED);
+ case NDPI_BINARY_DATA_TRANSFER:
+ return STRINGIFY(NDPI_BINARY_DATA_TRANSFER);
+ case NDPI_PROBING_ATTEMPT:
+ return STRINGIFY(NDPI_PROBING_ATTEMPT);
+
+ default:
+ return("Unknown risk");
+ }
+}
+
+/* ******************************************************************** */
+
+ndpi_risk_enum ndpi_code2risk(const char* risk) {
+ if(strcmp(STRINGIFY(NDPI_NO_RISK), risk) == 0)
+ return(NDPI_NO_RISK);
+ else if(strcmp(STRINGIFY(NDPI_URL_POSSIBLE_SQL_INJECTION), risk) == 0)
+ return(NDPI_URL_POSSIBLE_SQL_INJECTION);
+ else if(strcmp(STRINGIFY(NDPI_URL_POSSIBLE_RCE_INJECTION), risk) == 0)
+ return(NDPI_URL_POSSIBLE_RCE_INJECTION);
+ else if(strcmp(STRINGIFY(NDPI_BINARY_APPLICATION_TRANSFER), risk) == 0)
+ return(NDPI_BINARY_APPLICATION_TRANSFER);
+ else if(strcmp(STRINGIFY(NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT), risk) == 0)
+ return(NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT);
+ else if(strcmp(STRINGIFY(NDPI_TLS_SELFSIGNED_CERTIFICATE), risk) == 0)
+ return(NDPI_TLS_SELFSIGNED_CERTIFICATE);
+ else if(strcmp(STRINGIFY(NDPI_TLS_OBSOLETE_VERSION), risk) == 0)
+ return(NDPI_TLS_OBSOLETE_VERSION);
+ else if(strcmp(STRINGIFY(NDPI_TLS_WEAK_CIPHER), risk) == 0)
+ return(NDPI_TLS_WEAK_CIPHER);
+ else if(strcmp(STRINGIFY(NDPI_TLS_CERTIFICATE_EXPIRED), risk) == 0)
+ return(NDPI_TLS_CERTIFICATE_EXPIRED);
+ else if(strcmp(STRINGIFY(NDPI_TLS_CERTIFICATE_MISMATCH), risk) == 0)
+ return(NDPI_TLS_CERTIFICATE_MISMATCH);
+ else if(strcmp(STRINGIFY(NDPI_HTTP_SUSPICIOUS_USER_AGENT), risk) == 0)
+ return(NDPI_HTTP_SUSPICIOUS_USER_AGENT);
+ else if(strcmp(STRINGIFY(NDPI_NUMERIC_IP_HOST), risk) == 0)
+ return(NDPI_NUMERIC_IP_HOST);
+ else if(strcmp(STRINGIFY(NDPI_HTTP_SUSPICIOUS_URL), risk) == 0)
+ return(NDPI_HTTP_SUSPICIOUS_URL);
+ else if(strcmp(STRINGIFY(NDPI_HTTP_SUSPICIOUS_HEADER), risk) == 0)
+ return(NDPI_HTTP_SUSPICIOUS_HEADER);
+ else if(strcmp(STRINGIFY(NDPI_TLS_NOT_CARRYING_HTTPS), risk) == 0)
+ return(NDPI_TLS_NOT_CARRYING_HTTPS);
+ else if(strcmp(STRINGIFY(NDPI_SUSPICIOUS_DGA_DOMAIN), risk) == 0)
+ return(NDPI_SUSPICIOUS_DGA_DOMAIN);
+ else if(strcmp(STRINGIFY(NDPI_MALFORMED_PACKET), risk) == 0)
+ return(NDPI_MALFORMED_PACKET);
+ else if(strcmp(STRINGIFY(NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER), risk) == 0)
+ return(NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER);
+ else if(strcmp(STRINGIFY(NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER), risk) == 0)
+ return(NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER);
+ else if(strcmp(STRINGIFY(NDPI_SMB_INSECURE_VERSION), risk) == 0)
+ return(NDPI_SMB_INSECURE_VERSION);
+ else if(strcmp(STRINGIFY(NDPI_TLS_SUSPICIOUS_ESNI_USAGE), risk) == 0)
+ return(NDPI_TLS_SUSPICIOUS_ESNI_USAGE);
+ else if(strcmp(STRINGIFY(NDPI_UNSAFE_PROTOCOL), risk) == 0)
+ return(NDPI_TLS_SUSPICIOUS_ESNI_USAGE);
+ else if(strcmp(STRINGIFY(NDPI_DNS_SUSPICIOUS_TRAFFIC), risk) == 0)
+ return(NDPI_DNS_SUSPICIOUS_TRAFFIC);
+ else if(strcmp(STRINGIFY(NDPI_TLS_MISSING_SNI), risk) == 0)
+ return(NDPI_TLS_MISSING_SNI);
+ else if(strcmp(STRINGIFY(NDPI_HTTP_SUSPICIOUS_CONTENT), risk) == 0)
+ return(NDPI_HTTP_SUSPICIOUS_CONTENT);
+ else if(strcmp(STRINGIFY(NDPI_RISKY_ASN), risk) == 0)
+ return(NDPI_RISKY_ASN);
+ else if(strcmp(STRINGIFY(NDPI_RISKY_DOMAIN), risk) == 0)
+ return(NDPI_RISKY_DOMAIN);
+ else if(strcmp(STRINGIFY(NDPI_MALICIOUS_FINGERPRINT), risk) == 0)
+ return(NDPI_MALICIOUS_FINGERPRINT);
+ else if(strcmp(STRINGIFY(NDPI_MALICIOUS_SHA1_CERTIFICATE), risk) == 0)
+ return(NDPI_MALICIOUS_SHA1_CERTIFICATE);
+ else if(strcmp(STRINGIFY(NDPI_DESKTOP_OR_FILE_SHARING_SESSION), risk) == 0)
+ return(NDPI_DESKTOP_OR_FILE_SHARING_SESSION);
+ else if(strcmp(STRINGIFY(NDPI_TLS_UNCOMMON_ALPN), risk) == 0)
+ return(NDPI_TLS_UNCOMMON_ALPN);
+ else if(strcmp(STRINGIFY(NDPI_TLS_CERT_VALIDITY_TOO_LONG), risk) == 0)
+ return(NDPI_TLS_CERT_VALIDITY_TOO_LONG);
+ else if(strcmp(STRINGIFY(NDPI_TLS_SUSPICIOUS_EXTENSION), risk) == 0)
+ return(NDPI_TLS_SUSPICIOUS_EXTENSION);
+ else if(strcmp(STRINGIFY(NDPI_TLS_FATAL_ALERT), risk) == 0)
+ return(NDPI_TLS_FATAL_ALERT);
+ else if(strcmp(STRINGIFY(NDPI_SUSPICIOUS_ENTROPY), risk) == 0)
+ return(NDPI_SUSPICIOUS_ENTROPY);
+ else if(strcmp(STRINGIFY(NDPI_CLEAR_TEXT_CREDENTIALS), risk) == 0)
+ return(NDPI_CLEAR_TEXT_CREDENTIALS);
+ else if(strcmp(STRINGIFY(NDPI_DNS_LARGE_PACKET), risk) == 0)
+ return(NDPI_DNS_LARGE_PACKET);
+ else if(strcmp(STRINGIFY(NDPI_DNS_FRAGMENTED), risk) == 0)
+ return(NDPI_DNS_FRAGMENTED);
+ else if(strcmp(STRINGIFY(NDPI_INVALID_CHARACTERS), risk) == 0)
+ return(NDPI_INVALID_CHARACTERS);
+ else if(strcmp(STRINGIFY(NDPI_POSSIBLE_EXPLOIT), risk) == 0)
+ return(NDPI_POSSIBLE_EXPLOIT);
+ else if(strcmp(STRINGIFY(NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE), risk) == 0)
+ return(NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE);
+ else if(strcmp(STRINGIFY(NDPI_PUNYCODE_IDN), risk) == 0)
+ return(NDPI_PUNYCODE_IDN);
+ else if(strcmp(STRINGIFY(NDPI_ERROR_CODE_DETECTED), risk) == 0)
+ return(NDPI_ERROR_CODE_DETECTED);
+ else if(strcmp(STRINGIFY(NDPI_HTTP_CRAWLER_BOT), risk) == 0)
+ return(NDPI_HTTP_CRAWLER_BOT);
+ else if(strcmp(STRINGIFY(NDPI_ANONYMOUS_SUBSCRIBER), risk) == 0)
+ return(NDPI_ANONYMOUS_SUBSCRIBER);
+ else if(strcmp(STRINGIFY(NDPI_UNIDIRECTIONAL_TRAFFIC), risk) == 0)
+ return(NDPI_UNIDIRECTIONAL_TRAFFIC);
+ else if(strcmp(STRINGIFY(NDPI_HTTP_OBSOLETE_SERVER), risk) == 0)
+ return(NDPI_HTTP_OBSOLETE_SERVER);
+ else if(strcmp(STRINGIFY(NDPI_PERIODIC_FLOW), risk) == 0)
+ return(NDPI_PERIODIC_FLOW);
+ else if(strcmp(STRINGIFY(NDPI_MINOR_ISSUES), risk) == 0)
+ return(NDPI_MINOR_ISSUES);
+ else if(strcmp(STRINGIFY(NDPI_TCP_ISSUES), risk) == 0)
+ return(NDPI_MINOR_ISSUES);
+ else if(strcmp(STRINGIFY(NDPI_FULLY_ENCRYPTED), risk) == 0)
+ return(NDPI_FULLY_ENCRYPTED);
+ else if(strcmp(STRINGIFY(NDPI_TLS_ALPN_SNI_MISMATCH), risk) == 0)
+ return(NDPI_TLS_ALPN_SNI_MISMATCH);
+ else if(strcmp(STRINGIFY(NDPI_MALWARE_HOST_CONTACTED), risk) == 0)
+ return(NDPI_MALWARE_HOST_CONTACTED);
+ else if(strcmp(STRINGIFY(NDPI_BINARY_DATA_TRANSFER), risk) == 0)
+ return(NDPI_BINARY_DATA_TRANSFER);
+ else if(strcmp(STRINGIFY(NDPI_PROBING_ATTEMPT), risk) == 0)
+ return(NDPI_PROBING_ATTEMPT);
+ else
+ return(NDPI_MAX_RISK);
+}
+
+/* ******************************************************************** */
+
 const char* ndpi_severity2str(ndpi_risk_severity s) { switch(s) { case NDPI_RISK_LOW:
@@ -2289,13 +2528,13 @@ void ndpi_hash_free(ndpi_str_hash **h) { if(h != NULL) { ndpi_str_hash_priv *h_priv = *((ndpi_str_hash_priv **)h); ndpi_str_hash_priv *current, *tmp; - + HASH_ITER(hh, h_priv, current, tmp) { HASH_DEL(h_priv, current); ndpi_free(current->key); ndpi_free(current); } - + *h = NULL; } }
@@ -3284,7 +3523,7 @@ u_int ndpi_encode_domain(struct ndpi_detection_module_struct *ndpi_str, } domain_len = strlen(domain); - + if(domain_len >= (out_len-3)) return(0);
@@ -3296,7 +3535,7 @@ u_int ndpi_encode_domain(struct ndpi_detection_module_struct *ndpi_str, if(suffix == NULL) return((u_int)snprintf(out, out_len, "%s", domain)); /* Unknown suffix */ - + snprintf((char*)domain_buf, sizeof(domain_buf), "%s", domain); domain_buf_len = strlen((char*)domain_buf), suffix_len = strlen(suffix);
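Review bot: Two cases in ndpi_risk2code return the wrong name and ndpi_code2risk mirrors both mistakes: `case NDPI_UNSAFE_PROTOCOL:` returns `STRINGIFY(NDPI_TLS_SUSPICIOUS_ESNI_USAGE)` and `case NDPI_TCP_ISSUES:` returns `STRINGIFY(NDPI_MINOR_ISSUES)`, while the matching `strcmp(STRINGIFY(NDPI_UNSAFE_PROTOCOL), …)` and `strcmp(STRINGIFY(NDPI_TCP_ISSUES), …)` branches return `NDPI_TLS_SUSPICIOUS_ESNI_USAGE` and `NDPI_MINOR_ISSUES`, so a risk serialised with one function and parsed back with the other is silently relabelled and the strings "NDPI_UNSAFE_PROTOCOL" and "NDPI_TCP_ISSUES" can never be produced. ndpi_code2risk also hands `risk` straight to strcmp, so a NULL argument is undefined behaviour instead of the NDPI_MAX_RISK the final `else` suggests for unknown input. Each value is spelled four times across the pair, which is how the drift happened and how the next added risk will repeat it; one static table of enum/STRINGIFY pairs driving both lookups removes the duplication and fixes both mismatches, as sketched below. The bare `STRINGIFY` name is also generic enough to collide with another header; an NDPI_-prefixed name or an `#undef` after the table would be safer in a library source.
```c
#define STRINGIFY(x) #x
#define NDPI_RISK_CODE(r) { r, STRINGIFY(r) }

/* One row per ndpi_risk_enum value; both lookups below walk this table. */
static const struct { ndpi_risk_enum risk; const char *code; } ndpi_risk_code_table[] = {
  NDPI_RISK_CODE(NDPI_NO_RISK),
  NDPI_RISK_CODE(NDPI_URL_POSSIBLE_SQL_INJECTION),
  /* … one NDPI_RISK_CODE() row per remaining value, in the order of ndpi_risk2str … */
  NDPI_RISK_CODE(NDPI_UNSAFE_PROTOCOL),
  NDPI_RISK_CODE(NDPI_TCP_ISSUES),
  /* … */
  NDPI_RISK_CODE(NDPI_PROBING_ATTEMPT),
};

const char* ndpi_risk2code(ndpi_risk_enum risk) {
  size_t i;

  for(i = 0; i < sizeof(ndpi_risk_code_table) / sizeof(ndpi_risk_code_table[0]); i++)
    if(ndpi_risk_code_table[i].risk == risk)
      return(ndpi_risk_code_table[i].code);

  return("Unknown risk");
}

ndpi_risk_enum ndpi_code2risk(const char* risk) {
  size_t i;

  if(risk == NULL)
    return(NDPI_MAX_RISK);

  for(i = 0; i < sizeof(ndpi_risk_code_table) / sizeof(ndpi_risk_code_table[0]); i++)
    if(strcmp(ndpi_risk_code_table[i].code, risk) == 0)
      return(ndpi_risk_code_table[i].risk);

  return(NDPI_MAX_RISK);
}
```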
@@ -3343,7 +3582,7 @@ u_int ndpi_encode_domain(struct ndpi_detection_module_struct *ndpi_str, out_idx = compressed_len; } } - + /* Add trailer domainId value */ out[out_idx++] = (domain_id >> 8) & 0xFF; out[out_idx++] = domain_id & 0xFF; |