-rw-r--r--example/ndpiReader.c30
-rw-r--r--example/reader_util.c10
-rw-r--r--example/reader_util.h1
-rw-r--r--src/include/ndpi_api.h2
-rw-r--r--src/include/ndpi_typedefs.h6
-rw-r--r--src/lib/ndpi_content_match.c.inc73
-rw-r--r--src/lib/ndpi_main.c4
-rw-r--r--src/lib/ndpi_utils.c164
-rw-r--r--src/lib/protocols/telnet.c27
-rw-r--r--tests/pcap/WebattackSQLinj.pcapbin0 -> 31536 bytes
-rw-r--r--tests/pcap/WebattackXSS.pcapbin0 -> 4871156 bytes
-rw-r--r--tests/result/whatsapp_login_chat.pcap.out2
12 files changed, 283 insertions, 36 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 2f4d41465..d52e4a3a9 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -89,7 +89,7 @@ static u_int8_t stats_flag = 0, bpf_filter_flag = 0;
static u_int8_t file_first_time = 1;
#endif
u_int8_t human_readeable_string_len = 5;
-u_int8_t max_num_udp_dissected_pkts = 16 /* 8 is enough for most protocols, Signal requires more */, max_num_tcp_dissected_pkts = 32 /* due to telnet */;
+u_int8_t max_num_udp_dissected_pkts = 16 /* 8 is enough for most protocols, Signal requires more */, max_num_tcp_dissected_pkts = 80 /* due to telnet */;
static u_int32_t pcap_analysis_duration = (u_int32_t)-1;
static u_int16_t decode_tunnels = 0;
static u_int16_t num_loops = 1;
@@ -602,7 +602,7 @@ void printCSVHeader() {
/* Flow info */
fprintf(csv_fp, "client_info,server_info,");
fprintf(csv_fp, "tls_version,ja3c,tls_client_unsafe,");
- fprintf(csv_fp, "tls_server_info,ja3s,tls_server_unsafe,");
+ fprintf(csv_fp, "ja3s,tls_server_unsafe,");
fprintf(csv_fp, "ssh_client_hassh,ssh_server_hassh");
fprintf(csv_fp, "\n");
}
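Review bot: The header drops the `tls_server_info` column, but the only printFlow change in this diff is the float-to-double line, and the CSV row writer is annotated `PLEASE KEEP IN SYNC WITH printCSVHeader()`; please confirm the `fprintf(csv_fp, ...)` that emitted tls_server_info was removed as well, otherwise every row carries one field more than the header and every column after ja3s shifts. The CSV branch of printFlow is outside the visible hunks, so this is a request to verify rather than a confirmed mismatch.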
@@ -998,6 +998,23 @@ static char* is_unsafe_cipher(ndpi_cipher_weakness c) {
/* ********************************** */
+char* printUrlRisk(ndpi_url_risk risk) {
+ switch(risk) {
+ case ndpi_url_no_problem:
+ return("");
+ break;
+ case ndpi_url_possible_xss:
+ return(" ** XSS **");
+ break;
+ case ndpi_url_possible_sql_injection:
+ return(" ** SQL Injection **");
+ break;
+ }
+
+ return("");
+}
+/* ********************************** */
+
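Review bot: printUrlRisk hands out string literals through a writable `char*` and is not `static`, unlike the sibling `is_unsafe_cipher` immediately above it, so it becomes an exported symbol of the reader binary and a caller could legally write into read-only memory; declare it `static const char* printUrlRisk(ndpi_url_risk risk)` (the use in printFlow is a `%s` argument, which accepts const). The `break;` after each `return` is unreachable and can go. A `default:` is not required because the trailing `return("")` already covers values outside the enum, but a one-line comment saying so, e.g. `/* unknown/new risk values print nothing */`, saves the next reader a look.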
/**
* @brief Print the flow
*/
@@ -1011,7 +1028,7 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa
if(csv_fp != NULL) {
float data_ratio = ndpi_data_ratio(flow->src2dst_bytes, flow->dst2src_bytes);
- float f = (float)flow->first_seen, l = (float)flow->last_seen;
+ double f = (double)flow->first_seen, l = (double)flow->last_seen;
/* PLEASE KEEP IN SYNC WITH printCSVHeader() */
@@ -1147,8 +1164,10 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa
}
if(flow->http.url[0] != '\0')
- fprintf(out, "[URL: %s][StatusCode: %u][ContentType: %s][UserAgent: %s]",
- flow->http.url, flow->http.response_status_code,
+ fprintf(out, "[URL: %s%s][StatusCode: %u][ContentType: %s][UserAgent: %s]",
+ flow->http.url,
+ printUrlRisk(ndpi_validate_url(flow->http.url)),
+ flow->http.response_status_code,
flow->http.content_type, flow->http.user_agent);
if(flow->ssh_tls.ssl_version != 0) fprintf(out, "[%s]", ndpi_ssl_version2str(flow->ssh_tls.ssl_version, &known_tls));
@@ -1790,6 +1809,7 @@ static void node_idle_scan_walker(const void *node, ndpi_VISIT which, int depth,
undetected_flows_deleted = 1;
ndpi_free_flow_info_half(flow);
+ ndpi_free_flow_data_analysis(flow);
ndpi_thread_info[thread_id].workflow->stats.ndpi_flow_count--;
/* adding to a queue (we can't delete it from the tree inline ) */
diff --git a/example/reader_util.c b/example/reader_util.c
index 3b04a427b..dd6676cec 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -458,6 +458,14 @@ void ndpi_flow_info_freer(void *node) {
ndpi_free_flow_info_half(flow);
+ ndpi_free_flow_data_analysis(flow);
+
+ ndpi_free(flow);
+}
+
+/* ***************************************************** */
+
+void ndpi_free_flow_data_analysis(struct ndpi_flow_info *flow) {
if(flow->iat_c_to_s) ndpi_free_data_analysis(flow->iat_c_to_s);
if(flow->iat_s_to_c) ndpi_free_data_analysis(flow->iat_s_to_c);
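Review bot: ndpi_free_flow_data_analysis releases the analysis structures but leaves the flow's pointers dangling, and with this commit it is reachable from two places — the idle-scan walker in ndpiReader.c and ndpi_flow_info_freer — so any flow that passes through both, or the helper being invoked twice on one flow, is a double free. Clear each member after releasing it so a second call is a no-op: `if(flow->iat_c_to_s) { ndpi_free_data_analysis(flow->iat_c_to_s); flow->iat_c_to_s = NULL; }` and likewise for iat_s_to_c and the members freed in the following hunk. A short comment on the function, `/* Safe to call more than once: every pointer is cleared after release */`, documents the contract the two callers now rely on. The function body continues into the next hunk.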
@@ -465,8 +473,6 @@ void ndpi_flow_info_freer(void *node) {
if(flow->pktlen_s_to_c) ndpi_free_data_analysis(flow->pktlen_s_to_c);
if(flow->iat_flow) ndpi_free_data_analysis(flow->iat_flow);
-
- ndpi_free(flow);
}
/* ***************************************************** */
diff --git a/example/reader_util.h b/example/reader_util.h
index d16a5a00c..2cb880646 100644
--- a/example/reader_util.h
+++ b/example/reader_util.h
@@ -304,6 +304,7 @@ int ndpi_workflow_node_cmp(const void *a, const void *b);
void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_flow_info *flow);
u_int32_t ethernet_crc32(const void* data, size_t n_bytes);
void ndpi_flow_info_freer(void *node);
+void ndpi_free_flow_data_analysis(struct ndpi_flow_info *flow);
const char* print_cipher_id(u_int32_t cipher);
float ndpi_flow_get_byte_count_entropy(const uint32_t byte_count[256], unsigned int num_bytes);
diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h
index b049755ab..2552800ab 100644
--- a/src/include/ndpi_api.h
+++ b/src/include/ndpi_api.h
@@ -941,6 +941,8 @@ extern "C" {
const char* ndpi_data_ratio2str(float ratio);
void ndpi_data_print_window_values(struct ndpi_analyze_struct *s); /* debug */
+
+ ndpi_url_risk ndpi_validate_url(char *url);
#ifdef __cplusplus
}
#endif
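Review bot: ndpi_validate_url is declared with a non-const `char *url` although the implementation added in this commit only reads it (strchr, then ndpi_strdup of the query part), so callers holding a `const char*` are forced to cast; declare it `ndpi_url_risk ndpi_validate_url(const char *url);` here and in ndpi_utils.c together. The public header also says nothing about what the function inspects or that it allocates; a doc comment such as `/* Heuristic scan of the URL query string for XSS / SQL-injection markers; allocates temporaries, returns ndpi_url_no_problem when nothing suspicious is found */` would help API users decide whether to call it per packet or per flow.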
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 1e71ee89e..55438dee3 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -49,6 +49,12 @@ typedef enum {
ndpi_tzsp_tunnel,
} ndpi_packet_tunnel;
+typedef enum {
+ ndpi_url_no_problem = 0,
+ ndpi_url_possible_xss,
+ ndpi_url_possible_sql_injection
+} ndpi_url_risk;
+
/* NDPI_VISIT */
typedef enum {
ndpi_preorder,
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index c8c233777..a3c19dedc 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -979,6 +979,8 @@ static ndpi_network host_protocol_list[] = {
{ 0x4237DF00 /* 65.55.223.0 */, 26, NDPI_PROTOCOL_SKYPE },
{ 0x17600000 /* 23.96.0.0 */, 13, NDPI_PROTOCOL_SKYPE },
{ 0x34724A05 /* 52.114.74.5 */, 32, NDPI_PROTOCOL_SKYPE },
+ { 0x14B40000 /* 20.180.0.0 */, 14, NDPI_PROTOCOL_SKYPE },
+ { 0x14B80000 /* 20.184.0.0 */, 13, NDPI_PROTOCOL_SKYPE },
/*
Blizzard Entertainment, Inc
@@ -1120,10 +1122,10 @@ static ndpi_network host_protocol_list[] = {
Tor
http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv
From 09.09.2019
-
+
Use utils/toripaddr2list.py to convert them
*/
-
+
{ 0x0122a339 /* 1.34.163.57/32 */, 32, NDPI_PROTOCOL_TOR },
{ 0x01EA0B8E /* 1.234.11.142/32 */, 32, NDPI_PROTOCOL_TOR },
{ 0x01F4E33D /* 1.244.227.61/32 */, 32, NDPI_PROTOCOL_TOR },
@@ -8220,7 +8222,7 @@ static ndpi_network host_protocol_list[] = {
{ 0xD04EA400 /* 208.78.164.0/22 */, 22, NDPI_PROTOCOL_STEAM },
/* Line */
- { 0x7DD1FC00 /* 125.209.252.0/24 */, 24, NDPI_PROTOCOL_LINE },
+ { 0x7DD1FC00 /* 125.209.252.0/24 */, 24, NDPI_PROTOCOL_LINE },
/* Zoom video conference app. */
{ 0x03501480 /* 3.80.20.128/25 */, 25, NDPI_PROTOCOL_ZOOM },
@@ -8629,7 +8631,7 @@ static ndpi_protocol_match host_match[] = {
{ ".bloombergvault.com", NULL, "\\.bloombergvault.\\com" TLD, "Bloomberg", NDPI_PROTOCOL_BLOOMBERG, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE },
{ ".bloomberg.com", NULL, "\\.bloomberg.\\com" TLD, "Bloomberg", NDPI_PROTOCOL_BLOOMBERG, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE },
-
+
{ ".push.apple.com", NULL, "\\.push\\.apple" TLD, "ApplePush", NDPI_PROTOCOL_APPLE_PUSH, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE },
{ ".apple-dns.net", NULL, "\\.apple-dns" TLD, "Apple", NDPI_PROTOCOL_APPLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
{ ".mzstatic.com", NULL, "\\.mzstatic" TLD, "Apple", NDPI_PROTOCOL_APPLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
@@ -8708,8 +8710,10 @@ static ndpi_protocol_match host_match[] = {
This traffic will bypass checks and blocks as it will include all the communications from/to
the browser instead of using the standard communication mechanisms SSL/HTTP(S)/DNS
- */
- { ".googlezip.net", NULL, ".googlezip\\.net" TLD, "DataSaver", NDPI_PROTOCOL_DATASAVER, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
+
+ https://github.com/curl/curl/wiki/DNS-over-HTTPS
+*/
+ { ".googlezip.net", NULL, ".googlezip\\.net" TLD, "DataSaver", NDPI_PROTOCOL_DATASAVER, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ "datasaver.googleapis.com", NULL, "datasaver\\.googleapis\\.com" TLD, "DataSaver", NDPI_PROTOCOL_DATASAVER, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
/* http://check.googlezip.net/connect [check browser connectivity] */
@@ -8718,6 +8722,50 @@ static ndpi_protocol_match host_match[] = {
{ "dns.google", NULL, "dns\\.google" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
// { "mozilla.cloudflare-dns.com", NULL, "mozilla\\.cloudflare-dns\\.com" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, /* Firefox */
{ "cloudflare-dns.com", NULL, "cloudflare-dns\\.com" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "commons.host", NULL, "commons\\.host" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "doh.li", NULL, "doh\\.li" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "dns9.quad9.net", NULL, "dns9\\.quad9\\.net" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "doh.opendns.com", NULL, "doh\\.opendns\\.com" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "doh.dns.sb", NULL, "doh\\.dns\\.sb" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "doh.netweaver.uk", NULL, "doh\\.netweaver\\.uk" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "dns.dns-over-https.com", NULL, "dns\\.dns-over-https\\.com" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "jp.tiarap.org", NULL, "jp\\.tiarap\\.org" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "dns.dnsoverhttps.net", NULL, "dns\\.dnsoverhttps\\.net" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "doh.powerdns.org", NULL, "doh\\.powerdns\\.org" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "adblock.mydns.network", NULL, "adblock\\.mydns\\.network" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "jp.tiar.app", NULL, "jp\\.tiar\\.app" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "doh.crypto.sx", NULL, "doh\\.crypto\\.sx" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "dns.quad9.net", NULL, "dns\\.quad9\\.net" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "dns.containerpi.com", NULL, "dns\\.containerpi\\.com" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "ibksturm.synology.me", NULL, "ibksturm\\.synology\\.me" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "doh.captnemo.in", NULL, "doh\\.captnemo\\.in" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "dns.rubyfish.cn", NULL, "dns\\.rubyfish\\.cn" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "doh.42l.fr", NULL, "doh\\.42l\\.fr" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "dns-family.adguard.com", NULL, "dns-family\\.adguard\\.com" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "appliedprivacy.net", NULL, "appliedprivacy\\.net" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "doh.cleanbrowsing.org", NULL, "doh\\.cleanbrowsing\\.org" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "dns10.quad9.net", NULL, "dns10\\.quad9\\.net" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "doh-ch.blahdns.com", NULL, "doh-ch\\.blahdns\\.com" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "doh.seby.io", NULL, "doh\\.seby\\.io" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "dns.adguard.com", NULL, "dns\\.adguard\\.com" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "ibuki.cgnat.net", NULL, "ibuki\\.cgnat\\.net" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "jcdns.fun", NULL, "jcdns\\.fun" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "doh-2.seby.io", NULL, "doh-2\\.seby\\.io" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "doh.tiar.app", NULL, "doh\\.tiar\\.app" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "doh.dnswarden.com", NULL, "doh\\.dnswarden\\.com" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "doh-de.blahdns.com", NULL, "doh-de\\.blahdns\\.com" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "doh-jp.blahdns.com", NULL, "doh-jp\\.blahdns\\.com" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "doh.appliedprivacy.net", NULL, "doh\\.appliedprivacy\\.net" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "doh.tiarap.org", NULL, "doh\\.tiarap\\.org" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "doh.armadillodns.net", NULL, "doh\\.armadillodns\\.net" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "dns-nyc.aaflalo.me", NULL, "dns-nyc\\.aaflalo\\.me" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "dns.aa.net.uk", NULL, "dns\\.aa\\.net\\.uk" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "dns.aaflalo.me", NULL, "dns\\.aaflalo\\.me" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "dns11.quad9.net", NULL, "dns11\\.quad9\\.net" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "dns.nextdns.io", NULL, "dns\\.nextdns\\.io" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "doh.securedns.eu", NULL, "doh\\.securedns\\.eu" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "rdns.faelix.net", NULL, "rdns\\.faelix\\.net" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "captnemo.in", NULL, "captnemo\\.in" TLD, "DNSoverHTTPS", NDPI_PROTOCOL_DNS_OVER_HTTPS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
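Review bot: Several of the new DNSoverHTTPS entries are bare apex domains whose regex has no leading `\\.` — `captnemo.in`, `appliedprivacy.net`, `doh.li`, `commons.host`, `jcdns.fun` — so, unlike the `doh.captnemo.in` and `doh.appliedprivacy.net` entries next to them, every host under those domains (and, since nothing anchors the left side, any name that merely ends in e.g. `captnemo.in`) is classified as DoH rather than the resolver endpoint alone. If the whole domain is intended the `doh.` entries are redundant; if only the resolver is, drop the apex entries or give them the label-bounded form used elsewhere in this table, e.g. `{ ".captnemo.in", NULL, "\\.captnemo\\.in" TLD, ... }`. A one-line comment above the block recording where the resolver list came from and when, as the Tor block does, would also help since these third-party endpoints churn.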
/*
@@ -8797,7 +8845,7 @@ static ndpi_protocol_match host_match[] = {
{ "e4593.dspg.akamaiedge.net", NULL, "e4593\\.dspg\\.akamaiedge" TLD,"Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE },
{ "e4593.g.akamaiedge.net", NULL, "e4593\\.g\\.akamaiedge" TLD, "Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE },
{ "*.gateway.messenger.live.com", NULL, "\\*\\.gateway\\.messenger\\.live" TLD, "Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE },
-
+
{ ".tuenti.com", NULL, "\\.tuenti" TLD, "Tuenti", NDPI_PROTOCOL_TUENTI, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE },
{ ".twttr.com", NULL, "\\.twttr" TLD, "Twitter", NDPI_PROTOCOL_TWITTER, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
@@ -8851,6 +8899,7 @@ static ndpi_protocol_match host_match[] = {
{ "ttvnw.net", NULL, "ttvnw" TLD, "Twitch", NDPI_PROTOCOL_TWITCH, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
{ "static-cdn.jtvnw.net", NULL, "static-cdn\\.jtvnw" TLD, "Twitch", NDPI_PROTOCOL_TWITCH, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
{ "www-cdn.jtvnw.net", NULL, "www-cdn\\.jtvnw" TLD, "Twitch", NDPI_PROTOCOL_TWITCH, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
+ { "twitch.tv", NULL, "twitch\\.tv$", "Twitch", NDPI_PROTOCOL_TWITCH, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
{ ".qq.com", NULL, "\\.qq" TLD, "QQ", NDPI_PROTOCOL_QQ, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN },
{ ".gtimg.com", NULL, "\\.gtimg" TLD, "QQ", NDPI_PROTOCOL_QQ, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN },
@@ -8994,12 +9043,13 @@ static ndpi_protocol_match host_match[] = {
{ "tupdate.com", NULL, "tupdate" TLD, "Telegram", NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE },
{ ".pastebin.com", NULL, "\\.pastebin" TLD, "Pastebin", NDPI_PROTOCOL_PASTEBIN, NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS },
+ { "pastebin.com", NULL, "^pastebin" TLD, "Pastebin", NDPI_PROTOCOL_PASTEBIN, NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS },
{ ".ppstream.com", NULL, "\\.ppstream" TLD, "PPStream", NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN },
{ ".pps.tv", NULL, "\\.pps\\.tv$", "PPStream", NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN },
{ ".hulu.com", NULL, "\\.hulu", "Hulu", NDPI_PROTOCOL_HULU, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN },
-
+
/*
VidTO streaming service
*/
@@ -9014,11 +9064,14 @@ static ndpi_protocol_match host_match[] = {
{ "musical.ly", NULL, "musical\\.ly" TLD, "TikTok", NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
{ "muscdn.com", NULL, "muscndl\\.com" TLD, "TikTok", NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
+ { "brasilbandalarga.com.br", NULL, "brasilbandalarga\\.com" TLD, "EAQ", NDPI_PROTOCOL_EAQ, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { ".eaqbr.com.br", NULL, "\\.eaqbr\\.com" TLD, "EAQ", NDPI_PROTOCOL_EAQ, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+
{ NULL, NULL, NULL, 0 }
};
/* ******************************************************************** */
-
+
static ndpi_category_match category_match[] = {
{ ".edgecastcdn.net", "egdecastcdn" TLD, NDPI_PROTOCOL_CATEGORY_MEDIA },
{ ".hwcdn.net", "hwcdn" TLD, NDPI_PROTOCOL_CATEGORY_MEDIA },
@@ -9152,5 +9205,3 @@ static const char *ndpi_en_impossible_bigrams[] = {
"yj", "yq", "yv", "yz", "yw", "zb", "zc", "zg", "zh", "zj", "zn", "zq", "zs", "zx", "wh", "wk",
"wb", "zk", "kp", "zk", "xy",
NULL };
-
-
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index e71ca668e..6fe1e8065 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -5940,9 +5940,11 @@ char* ndpi_get_proto_breed_name(struct ndpi_detection_module_struct *ndpi_str,
return("Unsafe");
break;
case NDPI_PROTOCOL_POTENTIALLY_DANGEROUS:
+ return("Potentially Dangerous");
+ break;
+ case NDPI_PROTOCOL_DANGEROUS:
return("Dangerous");
break;
-
case NDPI_PROTOCOL_UNRATED:
default:
return("Unrated");
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 091cac927..da6b59f72 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -759,11 +759,11 @@ void ndpi_user_pwd_payload_copy(u_int8_t *dest, u_int dest_len,
u_int offset,
const u_int8_t *src, u_int src_len) {
u_int i, j=0, k = dest_len-1;
-
+
for(i=offset; (i<src_len) && (j<=k); i++) {
if((j == k) || (src[i] < ' '))
break;
-
+
dest[j++] = src[i];
}
@@ -857,7 +857,7 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct,
u_int32_t src_v4, u_int32_t dst_v4,
struct ndpi_in6_addr *src_v6, struct ndpi_in6_addr *dst_v6,
u_int16_t src_port, u_int16_t dst_port,
- ndpi_protocol l7_protocol,
+ ndpi_protocol l7_protocol,
ndpi_serializer *serializer) {
char buf[64], src_name[32], dst_name[32];
@@ -976,7 +976,7 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_serialize_start_of_block(serializer, "http");
if(flow->host_server_name[0] != '\0')
ndpi_serialize_string_string(serializer, "hostname", (const char*)flow->host_server_name);
- ndpi_serialize_string_string(serializer, "url", flow->http.url);
+ ndpi_serialize_string_string(serializer, "url", flow->http.url);
ndpi_serialize_string_uint32(serializer, "code", flow->http.response_status_code);
ndpi_serialize_string_string(serializer, "content_type", flow->http.content_type);
ndpi_serialize_string_string(serializer, "user_agent", flow->http.user_agent);
@@ -989,28 +989,28 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_serialize_string_string(serializer, "password", flow->protos.ftp_imap_pop_smtp.password);
ndpi_serialize_end_of_block(serializer);
break;
-
+
case NDPI_PROTOCOL_MAIL_POP:
ndpi_serialize_start_of_block(serializer, "pop");
ndpi_serialize_string_string(serializer, "user", flow->protos.ftp_imap_pop_smtp.username);
ndpi_serialize_string_string(serializer, "password", flow->protos.ftp_imap_pop_smtp.password);
ndpi_serialize_end_of_block(serializer);
break;
-
+
case NDPI_PROTOCOL_MAIL_SMTP:
ndpi_serialize_start_of_block(serializer, "smtp");
ndpi_serialize_string_string(serializer, "user", flow->protos.ftp_imap_pop_smtp.username);
ndpi_serialize_string_string(serializer, "password", flow->protos.ftp_imap_pop_smtp.password);
ndpi_serialize_end_of_block(serializer);
break;
-
+
case NDPI_PROTOCOL_FTP_CONTROL:
ndpi_serialize_start_of_block(serializer, "ftp");
ndpi_serialize_string_string(serializer, "user", flow->protos.ftp_imap_pop_smtp.username);
ndpi_serialize_string_string(serializer, "password", flow->protos.ftp_imap_pop_smtp.password);
ndpi_serialize_end_of_block(serializer);
break;
-
+
case NDPI_PROTOCOL_SSH:
ndpi_serialize_start_of_block(serializer, "ssh");
ndpi_serialize_string_string(serializer, "client_signature", flow->protos.ssh.client_signature);
@@ -1041,7 +1041,7 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_serialize_string_string(serializer, "issuer", flow->protos.stun_ssl.ssl.server_organization);
if(before) {
- strftime(notBefore, sizeof(notBefore), "%F %T", before);
+ strftime(notBefore, sizeof(notBefore), "%F %T", before);
ndpi_serialize_string_string(serializer, "notbefore", notBefore);
}
@@ -1061,7 +1061,7 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_serialize_string_string(serializer, "fingerprint", buf);
}
-
+
ndpi_serialize_end_of_block(serializer);
}
}
@@ -1094,3 +1094,147 @@ const char* ndpi_tunnel2str(ndpi_packet_tunnel tt) {
}
/* ********************************** */
+
+/*
+ /dv/vulnerabilities/xss_r/?name=%3Cscript%3Econsole.log%28%27JUL2D3WXHEGWRAFJE2PI7OS71Z4Z8RFUHXGNFLUFYVP6M3OL55%27%29%3Bconsole.log%28document.cookie%29%3B%3C%2Fscript%3E
+ /dv/vulnerabilities/sqli/?id=1%27+and+1%3D1+union+select+null%2C+table_name+from+information_schema.tables%23&Submit=Submit
+*/
+
+/* https://www.rosettacode.org/wiki/URL_decoding#C */
+static int ishex(int x) {
+ return(x >= '0' && x <= '9') || (x >= 'a' && x <= 'f') || (x >= 'A' && x <= 'F');
+}
+
+/* ********************************** */
+
+static int ndpi_url_decode(const char *s, char *out) {
+ char *o;
+ const char *end = s + strlen(s);
+ int c;
+
+ for(o = out; s <= end; o++) {
+ c = *s++;
+ if(c == '+') c = ' ';
+ else if(c == '%' && (!ishex(*s++)||
+ !ishex(*s++)||
+ !sscanf(s - 2, "%2x", &c)))
+ return(-1);
+
+ if(out) *o = c;
+ }
+
+ return(o - out);
+}
+
+/* ********************************** */
+
+/* #define URL_CHECK_DEBUG 1 */
+
+static int find_occurrency(char *str, char *what) {
+ char *found = strstr(str, what);
+ u_int len;
+
+#ifdef URL_CHECK_DEBUG
+ printf("%s() [%s][%s]\n", __FUNCTION__, str, what);
+#endif
+
+ if(!found) return(0);
+
+ len = strlen(what);
+
+ if((found[len] != '\0') && (found[len] != ' ')
+ && ((found == str) || (found[-1] == ' ')))
+ return(1);
+ else
+ return(find_occurrency(&found[len], what));
+}
+
+/* ********************************** */
+
+static int ndpi_check_tokens(char* query, char* keywords[]) {
+#ifdef URL_CHECK_DEBUG
+ printf("%s() [%s]\n", __FUNCTION__, query);
+#endif
+
+ for(int i=0; keywords[i] != NULL; i++) {
+ if(find_occurrency(query, keywords[i]) > 0)
+ return(1);
+ }
+
+ return(0);
+}
+
+/* ********************************** */
+
+static int ndpi_is_sql_injection(char* query) {
+ char* sql_keywords[] = { "select", "from", "where", "any", "all", "join", "inner", "left", "right", "full",
+ "table", "alter", "create", "delete", "union", "update", "drop", "group", "order",
+ "limit", "primary", "column", NULL };
+ return(ndpi_check_tokens(query, sql_keywords));
+}
+
+/* ********************************** */
+
+static int ndpi_is_xss_injection(char* query) {
+ char* js_keywords[] = { "<script>", "console.", "log.", NULL };
+ return(ndpi_check_tokens(query, js_keywords));
+}
+
+/* ********************************** */
+
+ndpi_url_risk ndpi_validate_url(char *url) {
+ char *orig_str = NULL, *str = NULL, *question_mark = strchr(url, '?');
+ ndpi_url_risk rc = ndpi_url_no_problem;
+
+ if(question_mark) {
+ char *tmp;
+
+ orig_str = str = ndpi_strdup(&question_mark[1]); /* Skip ? */
+
+ if(!str) goto validate_rc;
+
+ str = strtok_r(str, "&", &tmp);
+
+ while(str != NULL) {
+ char *value = strchr(str, '=');
+ char *decoded;
+
+ if(!value)
+ break;
+ else
+ value = &value[1];
+
+ if(value[0] != '\0') {
+ if(!(decoded = (char*)ndpi_malloc(strlen(value)+1)))
+ break;
+
+ if(ndpi_url_decode(value, decoded) < 0) {
+ /* Invalid string */
+ } else if(decoded[0] != '\0') {
+ /* Valid string */
+
+ if(ndpi_is_xss_injection(decoded))
+ rc = ndpi_url_possible_xss;
+ else if(ndpi_is_sql_injection(decoded))
+ rc = ndpi_url_possible_sql_injection;
+
+#ifdef URL_CHECK_DEBUG
+ printf("=>> [rc: %u] %s\n", rc, decoded);
+#endif
+ }
+
+ ndpi_free(decoded);
+
+ if(rc != ndpi_url_no_problem)
+ break;
+ }
+
+ str = strtok_r(NULL, "&", &tmp);
+ }
+ }
+
+ validate_rc:
+ if(orig_str) ndpi_free(orig_str);
+ return(rc);
+}
+
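Review bot: The keyword scan in ndpi_check_tokens/find_occurrency is case-sensitive (strstr against lowercase tables), so `?id=1%27+UNION+SELECT+...` or `%3CSCRIPT%3E` is never reported even though SQL and HTML tags are case-insensitive; fold the decoded value before scanning, e.g. right after the successful decode in ndpi_validate_url `for(char *p = decoded; *p; p++) *p = tolower((unsigned char)*p);` (ctype.h, if not already pulled in). The boundary test in find_occurrency also looks inverted: a match is accepted only when the keyword is followed by something other than a space or NUL, so a plain `1' union select 1,2--` is not detected (union and select are each followed by a space) and the sample in the comment is caught only through `table` inside `table_name`; if whole-word matching was the intent, the trailing check should accept a space, NUL or punctuation (`!isalnum((unsigned char)found[len])`) for keywords ending in a letter and be skipped for the XSS tokens that already end in a delimiter. `if(!value) break;` stops at the first parameter without `=`, so `?debug&id=...` is never inspected; advance instead with `if(!value) { str = strtok_r(NULL, "&", &tmp); continue; }`. Finally, `sscanf(s - 2, "%2x", &c)` writes an `unsigned int` into an `int`; declare `c` as `unsigned int` to match the conversion.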
diff --git a/src/lib/protocols/telnet.c b/src/lib/protocols/telnet.c
index 59b1e4978..0fd00e6d4 100644
--- a/src/lib/protocols/telnet.c
+++ b/src/lib/protocols/telnet.c
@@ -29,14 +29,18 @@
#include "ndpi_api.h"
+/* #define TELNET_DEBUG 1 */
+
/* ************************************************************************ */
static int search_telnet_again(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
- // printf("==> %s()\n", __FUNCTION__);
-
+#ifdef TELNET_DEBUG
+ printf("==> %s() [%s]\n", __FUNCTION__, packet->payload);
+#endif
+
if(packet->payload[0] == 0xFF)
return(1);
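Review bot: The TELNET_DEBUG printf in search_telnet_again passes `packet->payload` to `%s`, but the payload is a raw packet slice with no NUL terminator, so enabling the debug build reads past the end of the packet buffer; bound it with the length, `printf("==> %s() [%.*s]\n", __FUNCTION__, packet->payload_packet_len, packet->payload);` (telnet data also carries IAC and control bytes, so expect noisy output). Nothing visible in this hunk guards `payload_packet_len == 0` before `packet->payload[0]` is read on the next line; if the caller does not guarantee a non-empty payload, add `if(packet->payload_packet_len == 0) return(1); /* nothing to inspect yet */`, assuming 1 is the keep-inspecting value as the IAC branch suggests. The function body continues past the hunk.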
@@ -81,7 +85,7 @@ static void ndpi_int_telnet_add_connection(struct ndpi_detection_module_struct
/* This is necessary to inform the core to call this dissector again */
flow->check_extra_packets = 1;
- flow->max_extra_packets_to_check = 32;
+ flow->max_extra_packets_to_check = 64;
flow->extra_packets_func = search_telnet_again;
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TELNET, NDPI_PROTOCOL_UNKNOWN);
@@ -102,6 +106,10 @@ u_int8_t search_iac(struct ndpi_detection_module_struct *ndpi_struct,
u_int16_t a;
+#ifdef TELNET_DEBUG
+ printf("==> %s()\n", __FUNCTION__);
+#endif
+
if(packet->payload_packet_len < 3)
return(0);
@@ -147,11 +155,18 @@ void ndpi_search_telnet_tcp(struct ndpi_detection_module_struct *ndpi_struct,
return;
}
- if(((flow->packet_counter < 12) && (flow->l4.tcp.telnet_stage > 0)) || (flow->packet_counter < 6))
+ if(((flow->packet_counter < 12) && (flow->l4.tcp.telnet_stage > 0)) || (flow->packet_counter < 6)) {
+#ifdef TELNET_DEBUG
+ printf("==> [%s:%u] %s()\n", __FILE__, __LINE__, __FUNCTION__);
+#endif
return;
- else
+ } else {
+#ifdef TELNET_DEBUG
+ printf("==> [%s:%u] %s()\n", __FILE__, __LINE__, __FUNCTION__);
+#endif
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
-
+ }
+
return;
}
diff --git a/tests/pcap/WebattackSQLinj.pcap b/tests/pcap/WebattackSQLinj.pcap
new file mode 100644
index 000000000..f63da5f80
--- /dev/null
+++ b/tests/pcap/WebattackSQLinj.pcap
Binary files differ
diff --git a/tests/pcap/WebattackXSS.pcap b/tests/pcap/WebattackXSS.pcap
new file mode 100644
index 000000000..8fc8a89e8
--- /dev/null
+++ b/tests/pcap/WebattackXSS.pcap
Binary files differ
diff --git a/tests/result/whatsapp_login_chat.pcap.out b/tests/result/whatsapp_login_chat.pcap.out
index 8c4f22240..48c4c95fa 100644
--- a/tests/result/whatsapp_login_chat.pcap.out
+++ b/tests/result/whatsapp_login_chat.pcap.out
@@ -6,7 +6,7 @@ WhatsApp 32 3243 2
Spotify 1 86 1
ApplePush 6 2095 1
- 1 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][24 pkts/15117 bytes <-> 20 pkts/6254 bytes][bytes ratio: 0.415 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 179.5/27.0 2803/212 622.4/56.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 629.9/312.7 1494/1002 544.4/369.6]
+ 1 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][24 pkts/15117 bytes <-> 20 pkts/6254 bytes][bytes ratio: 0.415 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 179.5/27.0 2803/212 622.4/56.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 629.9/312.7 1494/1002 544.4/369.6][PLAIN TEXT (BjmkLnl)]
2 TCP 192.168.2.4:49206 <-> 158.85.58.15:5222 [proto: 142/WhatsApp][cat: Chat/9][17 pkts/1794 bytes <-> 13 pkts/1169 bytes][bytes ratio: 0.211 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/10 1370.8/2065.9 10513/10479 2987.9/3556.1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 105.5/89.9 267/144 67.5/22.2][PLAIN TEXT (iPhone)]
3 TCP 17.110.229.14:5223 -> 192.168.2.4:49193 [proto: 238/ApplePush][cat: Cloud/13][6 pkts/2095 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 659/0 4000.2/0.0 10199/0 3475.6/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 220/0 349.2/0.0 375/0 57.8/0.0]
4 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][6 pkts/2052 bytes -> 0 pkts/0 bytes][Host: lucas-imac][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1983/0 5058.0/0.0 8569/0 2765.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 342/0 342.0/0.0 342/0 0.0/0.0][DHCP Fingerprint: 1,3,6,15,119,95,252,44,46]