authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2023-12-20 10:46:57 +0100
committerGitHub <noreply@github.com>2023-12-20 10:46:57 +0100
commit8aa09f9c994bd234e17b4f4ad8b6808e2561c4d6 (patch)
tree819fe1a0e083f92cf0e06027a241fc6e700a3ed8 /src
parent308b2663333387008cd2331d99a5a75b0a343f53 (diff)
mining: a better identification logic (#2221)
It is quite simple (and not so efficient) but it should fix all the false positives reported in #2216. Add support for Ethereum mining. Merge all the mining traces. Remove duplicated function. Close #2216
Diffstat (limited to 'src')
-rw-r--r--src/lib/protocols/ethereum.c13
-rw-r--r--src/lib/protocols/mining.c62
2 files changed, 34 insertions, 41 deletions
diff --git a/src/lib/protocols/ethereum.c b/src/lib/protocols/ethereum.c
index 6440330ab..3f2531597 100644
--- a/src/lib/protocols/ethereum.c
+++ b/src/lib/protocols/ethereum.c
@@ -34,19 +34,6 @@ enum ether_disc_packet_type {
DISC_ENRRESPONSE = 0x06
};
-/* ************************************************************************** */
-
-u_int32_t mining_make_lru_cache_key(struct ndpi_flow_struct *flow) {
- u_int32_t key;
-
- /* network byte order */
- if(flow->is_ipv6)
- key = ndpi_quick_hash(flow->c_address.v6, 16) + ndpi_quick_hash(flow->s_address.v6, 16);
- else
- key = flow->c_address.v4 + flow->s_address.v4;
-
- return key;
-}
/* ************************************************************************** */
diff --git a/src/lib/protocols/mining.c b/src/lib/protocols/mining.c
index 9e4c8754d..e6cdcf487 100644
--- a/src/lib/protocols/mining.c
+++ b/src/lib/protocols/mining.c
@@ -1,5 +1,5 @@
/*
- * mining.c [ZCash, Monero]
+ * mining.c
*
* Copyright (C) 2018-22 - ntop.org
*
@@ -28,7 +28,7 @@
/* ************************************************************************** */
-u_int32_t make_mining_key(struct ndpi_flow_struct *flow) {
+u_int32_t mining_make_lru_cache_key(struct ndpi_flow_struct *flow) {
u_int32_t key;
/* network byte order */
@@ -45,7 +45,7 @@ u_int32_t make_mining_key(struct ndpi_flow_struct *flow) {
static void cacheMiningHostTwins(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
if(ndpi_struct->mining_cache)
- ndpi_lru_add_to_cache(ndpi_struct->mining_cache, make_mining_key(flow), NDPI_PROTOCOL_MINING, ndpi_get_current_time(flow));
+ ndpi_lru_add_to_cache(ndpi_struct->mining_cache, mining_make_lru_cache_key(flow), NDPI_PROTOCOL_MINING, ndpi_get_current_time(flow));
}
/* ************************************************************************** */
@@ -56,31 +56,37 @@ static void ndpi_search_mining(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_LOG_DBG(ndpi_struct, "search MINING\n");
- if(packet->payload_packet_len > 10) {
- if(ndpi_strnstr((const char *)packet->payload, "{", packet->payload_packet_len)
- && (ndpi_strnstr((const char *)packet->payload, "\"method\":", packet->payload_packet_len)
- || ndpi_strnstr((const char *)packet->payload, "\"blob\":", packet->payload_packet_len)
- /* || ndpi_strnstr((const char *)packet->payload, "\"id\":", packet->payload_packet_len) - Removed as too generic */
- )
- ) {
- /*
- ZCash
-
- {"method":"login","params":{"login":"4BCeEPhodgPMbPWFN1dPwhWXdRX8q4mhhdZdA1dtSMLTLCEYvAj9QXjXAfF7CugEbmfBhgkqHbdgK9b2wKA6nqRZQCgvCDm.cb2b73415c4faf214035a73b9d947c202342f3bf3bdf632132bd6d7af98cb257.ryzen","pass":"x","agent":"xmr-stak-cpu/1.3.0-1.5.0"},"id":1}
- {"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"479059546883218","job":{"blob":"0606e89883d205a65d8ee78991838a1cf3ec2ebbc5fb1fa43dec5fa1cd2bee4069212a549cd731000000005a88235653097aa3e97ef2ceef4aee610751a828f9be1a0758a78365fb0a4c8c05","job_id":"722134174127131","target":"dc460300"},"status":"OK"}}
- {"method":"submit","params":{"id":"479059546883218","job_id":"722134174127131","nonce":"98024001","result":"c9be9381a68d533c059d614d961e0534d7d8785dd5c339c2f9596eb95f320100"},"id":1}
-
- Monero
-
- {"method":"login","params":{"login":"4BCeEPhodgPMbPWFN1dPwhWXdRX8q4mhhdZdA1dtSMLTLCEYvAj9QXjXAfF7CugEbmfBhgkqHbdgK9b2wKA6nqRZQCgvCDm.cb2b73415c4faf214035a73b9d947c202342f3bf3bdf632132bd6d7af98cb257.ryzen","pass":"x","agent":"xmr-stak-cpu/1.3.0-1.5.0"},"id":1}
- {"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"479059546883218","job":{"blob":"0606e89883d205a65d8ee78991838a1cf3ec2ebbc5fb1fa43dec5fa1cd2bee4069212a549cd731000000005a88235653097aa3e97ef2ceef4aee610751a828f9be1a0758a78365fb0a4c8c05","job_id":"722134174127131","target":"dc460300"},"status":"OK"}}
- {"method":"submit","params":{"id":"479059546883218","job_id":"722134174127131","nonce":"98024001","result":"c9be9381a68d533c059d614d961e0534d7d8785dd5c339c2f9596eb95f320100"},"id":1}
- */
- ndpi_snprintf(flow->protos.mining.currency, sizeof(flow->protos.mining.currency), "%s", "ZCash/Monero");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
- cacheMiningHostTwins(ndpi_struct, flow);
- return;
- }
+ /* Quick test: we are looking for only Json format */
+ if(packet->payload[0] != '{') {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+
+ /* STRATUMv1 */
+ if(ndpi_strnstr((const char *)packet->payload, "\"mining.subscribe\"", packet->payload_packet_len) ||
+ ndpi_strnstr((const char *)packet->payload, "\"mining.configure\"", packet->payload_packet_len)) {
+
+ /* Try matching some zcash domains like "eu1-zcash.flypool.org" */
+ if(ndpi_strnstr((const char *)packet->payload, "zcash", packet->payload_packet_len))
+ ndpi_snprintf(flow->protos.mining.currency, sizeof(flow->protos.mining.currency), "%s", "ZCash");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ cacheMiningHostTwins(ndpi_struct, flow);
+ return;
+ }
+
+ /* Xmr-stak-cpu is a ZCash/Monero CPU miner */
+ if(ndpi_strnstr((const char *)packet->payload, "\"agent\":\"xmr-stak-cpu", packet->payload_packet_len)) {
+ ndpi_snprintf(flow->protos.mining.currency, sizeof(flow->protos.mining.currency), "%s", "ZCash/Monero");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ cacheMiningHostTwins(ndpi_struct, flow);
+ return;
+ }
+
+ if(ndpi_strnstr((const char *)packet->payload, "\"method\": \"eth_submitLogin", packet->payload_packet_len)) {
+ ndpi_snprintf(flow->protos.mining.currency, sizeof(flow->protos.mining.currency), "%s", "Ethereum");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ cacheMiningHostTwins(ndpi_struct, flow);
+ return;
}
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
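Review bot: The new quick test reads `packet->payload[0]` with no length check, whereas the removed code only touched the payload under `if(packet->payload_packet_len > 10)`; unless the dissector is registered so that it only ever sees non-empty payloads (not visible in this hunk), this is a one-byte read past an empty payload. Writing the guard as `if(packet->payload_packet_len == 0 || packet->payload[0] != '{')` keeps the test self-contained. Separately, the Ethereum literal `"\"method\": \"eth_submitLogin"` matches only when exactly one space follows the colon, while the `"\"agent\":\"xmr-stak-cpu"` literal matches only with none, so a client that serialises the same JSON differently is excluded rather than classified; a short comment recording which serialisations the reference traces showed would make that detection limit explicit. ndpi_search_mining begins and ends outside the hunk.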