diff options
| -rw-r--r-- | example/ndpiReader.c | 38 | ||||
| -rw-r--r-- | example/ndpiSimpleIntegration.c | 2 | ||||
| -rw-r--r-- | example/reader_util.c | 10 | ||||
| -rw-r--r-- | example/reader_util.h | 4 | ||||
| -rw-r--r-- | python/ndpi.py | 7 | ||||
| -rw-r--r-- | python/ndpi_typestruct.py | 2 | ||||
| -rw-r--r-- | src/include/ndpi_main.h | 3 | ||||
| -rw-r--r-- | src/include/ndpi_typedefs.h | 11 | ||||
| -rw-r--r-- | src/lib/ndpi_main.c | 55 | ||||
| -rw-r--r-- | src/lib/ndpi_utils.c | 21 | ||||
| -rw-r--r-- | src/lib/protocols/dhcp.c | 11 | ||||
| -rw-r--r-- | src/lib/protocols/dns.c | 54 | ||||
| -rw-r--r-- | src/lib/protocols/http.c | 10 | ||||
| -rw-r--r-- | src/lib/protocols/mail_smtp.c | 11 | ||||
| -rw-r--r-- | src/lib/protocols/netbios.c | 4 | ||||
| -rw-r--r-- | src/lib/protocols/quic.c | 20 | ||||
| -rw-r--r-- | src/lib/protocols/stun.c | 14 | ||||
| -rw-r--r-- | src/lib/protocols/tls.c | 71 | ||||
| -rw-r--r-- | src/lib/protocols/whoisdas.c | 5 | ||||
| -rw-r--r-- | tests/result/dns_exfiltration.pcap.out | 2 | ||||
| -rw-r--r-- | tests/result/fuzz-2006-06-26-2594.pcap.out | 2 | ||||
| -rw-r--r-- | tests/result/reddit.pcap.out | 6 |
22 files changed, 171 insertions, 192 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c index ecbcafd1f..0938de127 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -742,7 +742,7 @@ void extcap_capture() { void printCSVHeader() { if(!csv_fp) return; - fprintf(csv_fp, "#flow_id,protocol,first_seen,last_seen,duration,src_ip,src_port,dst_ip,dst_port,ndpi_proto_num,ndpi_proto,server_name,"); + fprintf(csv_fp, "#flow_id,protocol,first_seen,last_seen,duration,src_ip,src_port,dst_ip,dst_port,ndpi_proto_num,ndpi_proto,server_name_sni,"); fprintf(csv_fp, "benign_score,dos_slow_score,dos_goldeneye_score,dos_hulk_score,ddos_score,hearthbleed_score,ftp_patator_score,ssh_patator_score,infiltration_score,"); fprintf(csv_fp, "c_to_s_pkts,c_to_s_bytes,c_to_s_goodput_bytes,s_to_c_pkts,s_to_c_bytes,s_to_c_goodput_bytes,"); fprintf(csv_fp, "data_ratio,str_data_ratio,c_to_s_goodput_ratio,s_to_c_goodput_ratio,"); @@ -767,7 +767,7 @@ void printCSVHeader() { fprintf(csv_fp, "c_to_s_init_win,s_to_c_init_win,"); /* Flow info */ - fprintf(csv_fp, "client_info,server_info,"); + fprintf(csv_fp, "server_info,"); fprintf(csv_fp, "tls_version,ja3c,tls_client_unsafe,"); fprintf(csv_fp, "ja3s,tls_server_unsafe,"); fprintf(csv_fp, "tls_alpn,tls_supported_versions,"); @@ -1311,8 +1311,7 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa /* TCP window */ fprintf(csv_fp, "%u,%u,", flow->c_to_s_init_win, flow->s_to_c_init_win); - fprintf(csv_fp, "%s,%s,", - (flow->ssh_tls.client_requested_server_name[0] != '\0') ? flow->ssh_tls.client_requested_server_name : "", + fprintf(csv_fp, "%s,", (flow->ssh_tls.server_info[0] != '\0') ? flow->ssh_tls.server_info : ""); fprintf(csv_fp, "%s,%s,%s,%s,%s,", @@ -1421,7 +1420,15 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa if(flow->telnet.username) fprintf(out, "[Username: %s]", flow->telnet.username); if(flow->telnet.password) fprintf(out, "[Password: %s]", flow->telnet.password); - if(flow->host_server_name[0] != '\0') fprintf(out, "[Host: %s]", flow->host_server_name); + + if((flow->detected_protocol.master_protocol != NDPI_PROTOCOL_TLS) + && (flow->detected_protocol.app_protocol != NDPI_PROTOCOL_TLS) + && (flow->detected_protocol.master_protocol != NDPI_PROTOCOL_QUIC) + && (flow->detected_protocol.app_protocol != NDPI_PROTOCOL_QUIC) + && (flow->detected_protocol.app_protocol != NDPI_PROTOCOL_SSH) + && (flow->detected_protocol.master_protocol != NDPI_PROTOCOL_SSH)) { + if(flow->host_server_name[0] != '\0') fprintf(out, "[Host: %s]", flow->host_server_name); + } if(flow->info[0] != '\0') fprintf(out, "[%s]", flow->info); if(flow->flow_extra_info[0] != '\0') fprintf(out, "[%s]", flow->flow_extra_info); @@ -1482,7 +1489,16 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa } if(flow->ssh_tls.ssl_version != 0) fprintf(out, "[%s]", ndpi_ssl_version2str(flow->ndpi_flow, flow->ssh_tls.ssl_version, &known_tls)); - if(flow->ssh_tls.client_requested_server_name[0] != '\0') fprintf(out, "[Client: %s]", flow->ssh_tls.client_requested_server_name); + + if((flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS) + || (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_TLS) + || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_QUIC) + || (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_QUIC) + || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSH) + || (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_SSH)) { + if(flow->host_server_name[0] != '\0') fprintf(out, "[Client: %s]", flow->host_server_name); + } + if(flow->ssh_tls.client_hassh[0] != '\0') fprintf(out, "[HASSH-C: %s]", flow->ssh_tls.client_hassh); if(flow->ssh_tls.ja3_client[0] != '\0') fprintf(out, "[JA3C: %s%s]", flow->ssh_tls.ja3_client, @@ -2424,7 +2440,7 @@ static void printFlowsStats() { newHost->host_server_info_hasht = NULL; newHost->ip_string = all_flows[i].flow->src_name; newHost->ip = all_flows[i].flow->src_ip; - newHost->dns_name = all_flows[i].flow->ssh_tls.client_requested_server_name; + newHost->dns_name = all_flows[i].flow->host_server_name; ndpi_ja3_info *newJA3 = ndpi_malloc(sizeof(ndpi_ja3_info)); newJA3->ja3 = all_flows[i].flow->ssh_tls.ja3_client; @@ -2457,7 +2473,7 @@ static void printFlowsStats() { newHost->ip = all_flows[i].flow->src_ip; newHost->ip_string = all_flows[i].flow->src_name; - newHost->dns_name = all_flows[i].flow->ssh_tls.client_requested_server_name;; + newHost->dns_name = all_flows[i].flow->host_server_name; ndpi_ja3_fingerprints_host *newElement = ndpi_malloc(sizeof(ndpi_ja3_fingerprints_host)); newElement->ja3 = all_flows[i].flow->ssh_tls.ja3_client; @@ -2474,7 +2490,7 @@ static void printFlowsStats() { ndpi_ip_dns *newInnerElement = ndpi_malloc(sizeof(ndpi_ip_dns)); newInnerElement->ip = all_flows[i].flow->src_ip; newInnerElement->ip_string = all_flows[i].flow->src_name; - newInnerElement->dns_name = all_flows[i].flow->ssh_tls.client_requested_server_name; + newInnerElement->dns_name = all_flows[i].flow->host_server_name; HASH_ADD_INT(hostByJA3Found->ipToDNS_ht, ip, newInnerElement); } } @@ -2829,8 +2845,8 @@ static void printFlowsStats() { printf("][similarity: %f]", (similarity = ndpi_bin_similarity(¢roids[j], &bins[i], 0))); - if(all_flows[i].flow->ssh_tls.client_requested_server_name[0] != '\0') - fprintf(out, "[%s]", all_flows[i].flow->ssh_tls.client_requested_server_name); + if(all_flows[i].flow->host_server_name[0] != '\0') + fprintf(out, "[%s]", all_flows[i].flow->host_server_name); if(enable_doh_dot_detection) { if(((all_flows[i].flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS) diff --git a/example/ndpiSimpleIntegration.c b/example/ndpiSimpleIntegration.c index d5cc728ad..3a63f7ba4 100644 --- a/example/ndpiSimpleIntegration.c +++ b/example/ndpiSimpleIntegration.c @@ -924,7 +924,7 @@ static void ndpi_process_packet(uint8_t * const args, ndpi_ssl_version2str(flow_to_process->ndpi_flow, flow_to_process->ndpi_flow->protos.tls_quic.ssl_version, &unknown_tls_version), - flow_to_process->ndpi_flow->protos.tls_quic.client_requested_server_name, + flow_to_process->ndpi_flow->host_server_name, (flow_to_process->ndpi_flow->protos.tls_quic.alpn != NULL ? flow_to_process->ndpi_flow->protos.tls_quic.alpn : "-")); flow_to_process->tls_client_hello_seen = 1; diff --git a/example/reader_util.c b/example/reader_util.c index 3a161d684..d5638d183 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -1105,8 +1105,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl } /* MDNS */ else if(is_ndpi_proto(flow, NDPI_PROTOCOL_MDNS)) { - char *name = (char*)flow->ndpi_flow->host_server_name; /* Trick to avoid warning(s) */ - snprintf(flow->info, sizeof(flow->info), "%s", name); + snprintf(flow->info, sizeof(flow->info), "%s", flow->ndpi_flow->host_server_name); } /* UBNTAC2 */ else if(is_ndpi_proto(flow, NDPI_PROTOCOL_UBNTAC2)) { @@ -1161,8 +1160,8 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl if(flow->ndpi_flow->protos.telnet.password[0] != '\0') flow->telnet.password = ndpi_strdup(flow->ndpi_flow->protos.telnet.password); } else if(is_ndpi_proto(flow, NDPI_PROTOCOL_SSH)) { - snprintf(flow->ssh_tls.client_requested_server_name, - sizeof(flow->ssh_tls.client_requested_server_name), "%s", + snprintf(flow->host_server_name, + sizeof(flow->host_server_name), "%s", flow->ndpi_flow->protos.ssh.client_signature); snprintf(flow->ssh_tls.server_info, sizeof(flow->ssh_tls.server_info), "%s", flow->ndpi_flow->protos.ssh.server_signature); @@ -1178,9 +1177,6 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl || (flow->ndpi_flow->protos.tls_quic.ja3_client[0] != '\0') ) { flow->ssh_tls.ssl_version = flow->ndpi_flow->protos.tls_quic.ssl_version; - snprintf(flow->ssh_tls.client_requested_server_name, - sizeof(flow->ssh_tls.client_requested_server_name), "%s", - flow->ndpi_flow->protos.tls_quic.client_requested_server_name); snprintf(flow->http.user_agent, sizeof(flow->http.user_agent), "%s", flow->ndpi_flow->http.user_agent ? flow->ndpi_flow->http.user_agent : ""); diff --git a/example/reader_util.h b/example/reader_util.h index bb4747ecc..791829ad1 100644 --- a/example/reader_util.h +++ b/example/reader_util.h @@ -197,7 +197,7 @@ typedef struct ndpi_flow_info { char info[255]; char flow_extra_info[16]; - char host_server_name[240]; + char host_server_name[80]; /* Hostname/SNI */ char *bittorent_hash; char *dhcp_fingerprint; char *dhcp_class_ident; @@ -205,7 +205,7 @@ typedef struct ndpi_flow_info { struct { u_int16_t ssl_version; - char client_requested_server_name[256], server_info[64], + char server_info[64], client_hassh[33], server_hassh[33], *server_names, *tls_alpn, *tls_supported_versions, *tls_issuerDN, *tls_subjectDN, diff --git a/python/ndpi.py b/python/ndpi.py index a31a41a17..ba081acb9 100644 --- a/python/ndpi.py +++ b/python/ndpi.py @@ -986,8 +986,8 @@ struct ndpi_flow_struct { /* Place textual flow info here */ char flow_extra_info[16]; - /* HTTP host or DNS query */ - uint8_t host_server_name[240]; + char host_server_name[80]; + uint8_t initial_binary_bytes[8], initial_binary_bytes_len; uint8_t risk_checked; ndpi_risk risk; /* Issues found with this flow [bitmask of ndpi_risk] */ @@ -1051,8 +1051,7 @@ struct ndpi_flow_struct { struct { char ssl_version_str[12]; uint16_t ssl_version, server_names_len; - char client_requested_server_name[64], *server_names, - *alpn, *tls_supported_versions, *issuerDN, *subjectDN; + char *server_names, *alpn, *tls_supported_versions, *issuerDN, *subjectDN; uint32_t notBefore, notAfter; char ja3_client[33], ja3_server[33]; uint16_t server_cipher; diff --git a/python/ndpi_typestruct.py b/python/ndpi_typestruct.py index 09c1f7d7e..3909897ee 100644 --- a/python/ndpi_typestruct.py +++ b/python/ndpi_typestruct.py @@ -686,7 +686,7 @@ NDPIFlowStruct._fields_ = [ ("num_processed_pkts", c_uint8), ("extra_packets_func", CFUNCTYPE(c_int, POINTER(NDPIDetectionModuleStruct), POINTER(NDPIFlowStruct))), ("l4", L4), - ("host_server_name", c_ubyte * 256), + ("host_server_name", c_char * 80), ("http", Http), ("stun", Stun), ("ftp_imap_pop_smtp", FtpImapPopSmtp), diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h index 66fb5ea1b..190bdc45a 100644 --- a/src/include/ndpi_main.h +++ b/src/include/ndpi_main.h @@ -155,6 +155,9 @@ extern "C" { void load_common_alpns(struct ndpi_detection_module_struct *ndpi_str); u_int8_t is_a_common_alpn(struct ndpi_detection_module_struct *ndpi_str, const char *alpn_to_check, u_int alpn_to_check_len); + + char *ndpi_hostname_sni_set(struct ndpi_flow_struct *flow, const u_int8_t *value, size_t value_len); + #ifdef __cplusplus } #endif diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 3d6e0dd65..c6e79a951 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -1193,8 +1193,14 @@ struct ndpi_flow_struct { /* Place textual flow info here */ char flow_extra_info[16]; - /* HTTP host or DNS query */ - u_char host_server_name[240]; + /* General purpose field used to save mainly hostname/SNI information. + * In details it used for: DNS and NETBIOS name, HTTP and DHCP hostname, + * WHOIS request, TLS/QUIC server name and STUN realm. + * + * Please, think *very* hard before increasing its size! + */ + char host_server_name[80]; + u_int8_t initial_binary_bytes[8], initial_binary_bytes_len; u_int8_t risk_checked:1, ip_risk_mask_evaluated:1, host_risk_mask_evaluated:1, _notused:5; ndpi_risk risk_mask; /* Stores the flow risk mask for flow peers */ @@ -1262,7 +1268,6 @@ struct ndpi_flow_struct { struct { char ssl_version_str[12]; u_int16_t ssl_version, server_names_len; - char client_requested_server_name[256]; /* SNI hostname length: RFC 4366 */ char *server_names, *alpn, *tls_supported_versions, *issuerDN, *subjectDN; u_int32_t notBefore, notAfter; char ja3_client[33], ja3_server[33]; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 993aac969..d417d247e 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -4916,7 +4916,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st ndpi_set_detected_protocol(ndpi_str, flow, flow->guessed_protocol_id, NDPI_PROTOCOL_UNKNOWN); } else if((flow->protos.tls_quic.hello_processed == 1) && - (flow->protos.tls_quic.client_requested_server_name[0] != '\0')) { + (flow->host_server_name[0] != '\0')) { *protocol_was_guessed = 1; ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_TLS, NDPI_PROTOCOL_UNKNOWN); } else if(enable_guess) { @@ -5198,21 +5198,8 @@ void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_str, if(flow->host_server_name[0] != '\0') { u_int32_t id; - int rc = ndpi_match_custom_category(ndpi_str, (char *) flow->host_server_name, - strlen((char *) flow->host_server_name), &id); - - if(rc == 0) { - flow->category = ret->category = (ndpi_protocol_category_t) id; - return; - } - } - - if(flow->protos.tls_quic.hello_processed == 1 && - flow->protos.tls_quic.client_requested_server_name[0] != '\0') { - u_int32_t id; - int rc = ndpi_match_custom_category(ndpi_str, (char *) flow->protos.tls_quic.client_requested_server_name, - strlen(flow->protos.tls_quic.client_requested_server_name), &id); - + int rc = ndpi_match_custom_category(ndpi_str, flow->host_server_name, + strlen(flow->host_server_name), &id); if(rc == 0) { flow->category = ret->category = (ndpi_protocol_category_t) id; return; @@ -5389,7 +5376,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct struct ndpi_id_struct *src, struct ndpi_id_struct *dst) { struct ndpi_packet_struct *packet = &ndpi_str->packet; NDPI_SELECTION_BITMASK_PROTOCOL_SIZE ndpi_selection_packet; - u_int32_t a, num_calls = 0; + u_int32_t num_calls = 0; ndpi_protocol ret = { flow->detected_protocol_stack[1], flow->detected_protocol_stack[0], flow->category }; if(ndpi_str->ndpi_log_level >= NDPI_LOG_TRACE) @@ -5467,23 +5454,6 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct num_calls = ndpi_check_flow_func(ndpi_str, flow, &ndpi_selection_packet); - a = flow->detected_protocol_stack[0]; - if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_str->detection_bitmask, a) == 0) - a = NDPI_PROTOCOL_UNKNOWN; - - if(a != NDPI_PROTOCOL_UNKNOWN) { - unsigned int i; - - for(i = 0; i < sizeof(flow->host_server_name); i++) { - if(flow->host_server_name[i] != '\0') - flow->host_server_name[i] = tolower(flow->host_server_name[i]); - else { - flow->host_server_name[i] = '\0'; - break; - } - } - } - ret_protocols: if(flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN) { ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0]; @@ -7783,3 +7753,20 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, ndpi_risk_info* ndpi_risk2severity(ndpi_risk_enum risk) { return(&ndpi_known_risks[risk]); } + +/* ******************************************************************** */ + +char *ndpi_hostname_sni_set(struct ndpi_flow_struct *flow, const u_int8_t *value, size_t value_len) +{ + char *dst; + size_t len, i; + + len = ndpi_min(value_len, sizeof(flow->host_server_name) - 1); + dst = flow->host_server_name; + + for(i = 0; i < len; i++) + dst[i] = tolower(value[value_len - len + i]); + dst[i] = '\0'; + + return dst; +} diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index 626f5ade3..14be40d86 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -862,12 +862,12 @@ static const char* ndpi_get_flow_info_by_proto_id(struct ndpi_flow_struct const { case NDPI_PROTOCOL_DNS: case NDPI_PROTOCOL_HTTP: - return (char const *)flow->host_server_name; + return flow->host_server_name; case NDPI_PROTOCOL_QUIC: case NDPI_PROTOCOL_TLS: if (flow->protos.tls_quic.hello_processed != 0) { - return flow->protos.tls_quic.client_requested_server_name; + return flow->host_server_name; } break; } @@ -1150,7 +1150,7 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct, switch(l7_protocol.master_protocol ? l7_protocol.master_protocol : l7_protocol.app_protocol) { case NDPI_PROTOCOL_DHCP: ndpi_serialize_start_of_block(serializer, "dhcp"); - ndpi_serialize_string_string(serializer, "hostname", (const char*)flow->host_server_name); + ndpi_serialize_string_string(serializer, "hostname", flow->host_server_name); ndpi_serialize_string_string(serializer, "fingerprint", flow->protos.dhcp.fingerprint); ndpi_serialize_string_string(serializer, "class_ident", flow->protos.dhcp.class_ident); ndpi_serialize_end_of_block(serializer); @@ -1179,7 +1179,7 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct, case NDPI_PROTOCOL_DNS: ndpi_serialize_start_of_block(serializer, "dns"); if(flow->host_server_name[0] != '\0') - ndpi_serialize_string_string(serializer, "query", (const char*)flow->host_server_name); + ndpi_serialize_string_string(serializer, "query", flow->host_server_name); ndpi_serialize_string_uint32(serializer, "num_queries", flow->protos.dns.num_queries); ndpi_serialize_string_uint32(serializer, "num_answers", flow->protos.dns.num_answers); ndpi_serialize_string_uint32(serializer, "reply_code", flow->protos.dns.reply_code); @@ -1200,7 +1200,7 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct, case NDPI_PROTOCOL_MDNS: ndpi_serialize_start_of_block(serializer, "mdns"); - ndpi_serialize_string_string(serializer, "answer", (const char*)flow->host_server_name); + ndpi_serialize_string_string(serializer, "answer", flow->host_server_name); ndpi_serialize_end_of_block(serializer); break; @@ -1228,7 +1228,7 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct, case NDPI_PROTOCOL_HTTP: ndpi_serialize_start_of_block(serializer, "http"); if(flow->host_server_name[0] != '\0') - ndpi_serialize_string_string(serializer, "hostname", (const char*)flow->host_server_name); + ndpi_serialize_string_string(serializer, "hostname", flow->host_server_name); if(flow->http.url != NULL){ ndpi_serialize_string_string(serializer, "url", flow->http.url); ndpi_serialize_string_uint32(serializer, "code", flow->http.response_status_code); @@ -1240,9 +1240,9 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct, case NDPI_PROTOCOL_QUIC: ndpi_serialize_start_of_block(serializer, "quic"); - if(flow->protos.tls_quic.client_requested_server_name[0] != '\0') + if(flow->host_server_name[0] != '\0') ndpi_serialize_string_string(serializer, "client_requested_server_name", - flow->protos.tls_quic.client_requested_server_name); + flow->host_server_name); if(flow->protos.tls_quic.server_names) ndpi_serialize_string_string(serializer, "server_names", flow->protos.tls_quic.server_names); if(flow->http.user_agent) @@ -1318,7 +1318,7 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct, ndpi_serialize_start_of_block(serializer, "tls"); ndpi_serialize_string_string(serializer, "version", version); ndpi_serialize_string_string(serializer, "client_requested_server_name", - flow->protos.tls_quic.client_requested_server_name); + flow->host_server_name); if(flow->protos.tls_quic.server_names) ndpi_serialize_string_string(serializer, "server_names", flow->protos.tls_quic.server_names); @@ -2199,9 +2199,6 @@ char* ndpi_get_flow_name(struct ndpi_flow_struct *flow) { if(flow->host_server_name[0] != '\0') return((char*)flow->host_server_name); - if(flow->protos.tls_quic.client_requested_server_name[0] != '\0') - return(flow->protos.tls_quic.client_requested_server_name); - no_flow_info: return((char*)""); } diff --git a/src/lib/protocols/dhcp.c b/src/lib/protocols/dhcp.c index d40bb5c35..23d358b74 100644 --- a/src/lib/protocols/dhcp.c +++ b/src/lib/protocols/dhcp.c @@ -159,17 +159,14 @@ void ndpi_search_dhcp_udp(struct ndpi_detection_module_struct *ndpi_struct, stru strncpy((char*)flow->protos.dhcp.class_ident, name, j); flow->protos.dhcp.class_ident[j] = '\0'; } else if(id == 12 /* Host Name */) { - char *name = (char*)&dhcp->options[i+2]; - int j = 0; - + u_int8_t *name = &dhcp->options[i+2]; + #ifdef DHCP_DEBUG NDPI_LOG_DBG2(ndpi_struct, "[DHCP] '%.*s'\n",name,len); // while(j < len) { printf( "%c", name[j]); j++; }; printf("\n"); #endif - j = ndpi_min(len, sizeof(flow->host_server_name)-1); - strncpy((char*)flow->host_server_name, name, j); - flow->host_server_name[j] = '\0'; - } + ndpi_hostname_sni_set(flow, name, len); + } i += len + 2; } diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 98c6bf142..eb5af5a34 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -368,6 +368,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st int invalid = search_valid_dns(ndpi_struct, flow, &dns_header, payload_offset, &is_query); ndpi_protocol ret; u_int num_queries, idx; + char _hostname[256]; ret.master_protocol = NDPI_PROTOCOL_UNKNOWN; ret.app_protocol = (d_port == LLMNR_PORT) ? NDPI_PROTOCOL_LLMNR : ((d_port == MDNS_PORT) ? NDPI_PROTOCOL_MDNS : NDPI_PROTOCOL_DNS); @@ -378,7 +379,6 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st } /* extract host name server */ - max_len = sizeof(flow->host_server_name)-1; off = sizeof(struct ndpi_dns_packet_header) + payload_offset; /* Before continuing let's dissect the following queries to see if they are valid */ @@ -434,6 +434,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st } /* for */ u_int8_t hostname_is_valid = 1; + max_len = sizeof(_hostname)-1; while((j < max_len) && (off < packet->payload_packet_len) && (packet->payload[off] != '\0')) { uint8_t c, cl = packet->payload[off++]; @@ -443,40 +444,43 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st break; } - if(j && (j < max_len)) flow->host_server_name[j++] = '.'; - - while((j < max_len) && (cl != 0)) { - u_int32_t shift; - - c = packet->payload[off++]; - shift = ((u_int32_t) 1) << (c & 0x1f); - if ((dns_validchar[c >> 5] & shift)) { - flow->host_server_name[j++] = tolower(c); - } else { - if (isprint(c) == 0) { - hostname_is_valid = 0; - flow->host_server_name[j++] = '?'; - } else { - flow->host_server_name[j++] = '_'; - } - } - cl--; - } + if(j && (j < max_len)) _hostname[j++] = '.'; + + while((j < max_len) && (cl != 0)) { + u_int32_t shift; + + c = packet->payload[off++]; + shift = ((u_int32_t) 1) << (c & 0x1f); + if((dns_validchar[c >> 5] & shift)) { + _hostname[j++] = tolower(c); + } else { + if (isprint(c) == 0) { + hostname_is_valid = 0; + _hostname[j++] = '?'; + } else { + _hostname[j++] = '_'; + } + } + cl--; + } } + + _hostname[j] = '\0'; + + ndpi_hostname_sni_set(flow, (const u_int8_t *)_hostname, j); + if (hostname_is_valid == 0) { ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS); } - flow->host_server_name[j] = '\0'; - if(j > 0) { ndpi_protocol_match_result ret_match; - ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name, 1); + ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1); ret.app_protocol = ndpi_match_host_subprotocol(ndpi_struct, flow, - (char *)flow->host_server_name, - strlen((const char*)flow->host_server_name), + flow->host_server_name, + strlen(flow->host_server_name), &ret_match, NDPI_PROTOCOL_DNS); diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index cef8b3cfc..bc0ca1fc2 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -371,8 +371,8 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp if(double_col) double_col[0] = '\0'; if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, - (char *)flow->host_server_name, - strlen((const char *)flow->host_server_name)) == 0) { + flow->host_server_name, + strlen(flow->host_server_name)) == 0) { if(flow->http.url && ((strstr(flow->http.url, ":8080/downloading?n=0.") != NULL) || (strstr(flow->http.url, ":8080/upload?n=0.") != NULL))) { @@ -566,12 +566,10 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ packet->host_line.len, packet->host_line.ptr); /* Copy result for nDPI apps */ - len = ndpi_min(packet->host_line.len, sizeof(flow->host_server_name)-1); - strncpy((char*)flow->host_server_name, (char*)packet->host_line.ptr, len); - flow->host_server_name[len] = '\0'; + ndpi_hostname_sni_set(flow, packet->host_line.ptr, packet->host_line.len); flow->extra_packets_func = NULL; /* We're good now */ - if(len > 0) ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name, 1); + if(strlen(flow->host_server_name) > 0) ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1); if(packet->forwarded_line.ptr) { len = ndpi_min(packet->forwarded_line.len, sizeof(flow->http.nat_ip)-1); diff --git a/src/lib/protocols/mail_smtp.c b/src/lib/protocols/mail_smtp.c index 31310202b..e1d98dd35 100644 --- a/src/lib/protocols/mail_smtp.c +++ b/src/lib/protocols/mail_smtp.c @@ -147,12 +147,11 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct, && (packet->line[a].ptr[i+1] != '\n')) { len = i-4; /* Copy result for nDPI apps */ - len = ndpi_min(len, sizeof(flow->host_server_name)-1); - strncpy((char*)flow->host_server_name, (char*)&packet->line[a].ptr[4], len); - flow->host_server_name[len] = '\0'; - if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MAIL_SMTP, - (char *)flow->host_server_name, - strlen((const char *)flow->host_server_name))) { + ndpi_hostname_sni_set(flow, &packet->line[a].ptr[4], len); + + if (ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MAIL_SMTP, + flow->host_server_name, + strlen(flow->host_server_name))) { /* We set the protocols; we need to initialize extra dissection to search for credentials */ NDPI_LOG_DBG(ndpi_struct, "SMTP: hostname matched\n"); diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c index ccf910489..88c211551 100644 --- a/src/lib/protocols/netbios.c +++ b/src/lib/protocols/netbios.c @@ -102,9 +102,9 @@ static void ndpi_int_netbios_add_connection(struct ndpi_detection_module_struct if((off < packet->payload_packet_len) && ndpi_netbios_name_interpret((unsigned char*)&packet->payload[off], (u_int)(packet->payload_packet_len - off), name, sizeof(name)-1) > 0) { - snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name); + ndpi_hostname_sni_set(flow, (const u_int8_t *)name, strlen((char *)name)); - ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name, 1); + ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1); } if(sub_protocol == NDPI_PROTOCOL_UNKNOWN) diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c index 358edb064..6bae70524 100644 --- a/src/lib/protocols/quic.c +++ b/src/lib/protocols/quic.c @@ -1324,7 +1324,7 @@ static void process_chlo(struct ndpi_detection_module_struct *ndpi_struct, uint32_t i; uint16_t num_tags; uint32_t prev_offset; - uint32_t tag_offset_start, offset, len, sni_len; + uint32_t tag_offset_start, offset, len; ndpi_protocol_match_result ret_match; int sni_found = 0, ua_found = 0; @@ -1356,22 +1356,20 @@ static void process_chlo(struct ndpi_detection_module_struct *ndpi_struct, crypto_data_len, tag_offset_start, prev_offset, offset, len); #endif if(memcmp(tag, "SNI\0", 4) == 0) { - sni_len = MIN(len, sizeof(flow->protos.tls_quic.client_requested_server_name) - 1); - memcpy(flow->protos.tls_quic.client_requested_server_name, - &crypto_data[tag_offset_start + prev_offset], sni_len); - flow->protos.tls_quic.client_requested_server_name[sni_len] = '\0'; + + ndpi_hostname_sni_set(flow, &crypto_data[tag_offset_start + prev_offset], len); NDPI_LOG_DBG2(ndpi_struct, "SNI: [%s]\n", - flow->protos.tls_quic.client_requested_server_name); + flow->host_server_name); ndpi_match_host_subprotocol(ndpi_struct, flow, - (char *)flow->protos.tls_quic.client_requested_server_name, - strlen((const char*)flow->protos.tls_quic.client_requested_server_name), + flow->host_server_name, + strlen(flow->host_server_name), &ret_match, NDPI_PROTOCOL_QUIC); flow->protos.tls_quic.hello_processed = 1; /* Allow matching of custom categories */ ndpi_check_dga_name(ndpi_struct, flow, - flow->protos.tls_quic.client_requested_server_name, 1); + flow->host_server_name, 1); sni_found = 1; if (ua_found) @@ -1396,7 +1394,7 @@ static void process_chlo(struct ndpi_detection_module_struct *ndpi_struct, NDPI_LOG_DBG(ndpi_struct, "Something went wrong in tags iteration\n"); /* Add check for missing SNI */ - if(flow->protos.tls_quic.client_requested_server_name[0] == '\0') { + if(flow->host_server_name[0] == '\0') { /* This is a bit suspicious */ ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_MISSING_SNI); } @@ -1508,7 +1506,7 @@ static int eval_extra_processing(struct ndpi_detection_module_struct *ndpi_struc */ if((version == V_Q046 && - flow->protos.tls_quic.client_requested_server_name[0] == '\0') || + flow->host_server_name[0] == '\0') || is_ch_reassembler_pending(flow)) { NDPI_LOG_DBG2(ndpi_struct, "We have further work to do\n"); return 1; diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c index f0884fae3..1ffa8afef 100644 --- a/src/lib/protocols/stun.c +++ b/src/lib/protocols/stun.c @@ -349,25 +349,21 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * u_int16_t realm_len = ntohs(*((u_int16_t*)&payload[offset+2])); if(flow->host_server_name[0] == '\0') { - u_int i; u_int k = offset+4; - i = ndpi_min(realm_len, sizeof(flow->host_server_name) - 1); - i = ndpi_min(i, payload_length - k); - memcpy(flow->host_server_name, payload + k, i); - flow->host_server_name[i] = '\0'; - + ndpi_hostname_sni_set(flow, payload + k, ndpi_min(realm_len, payload_length - k)); + #ifdef DEBUG_STUN printf("==> [%s]\n", flow->host_server_name); #endif - if(strstr((char*) flow->host_server_name, "google.com") != NULL) { + if(strstr(flow->host_server_name, "google.com") != NULL) { flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO; return(NDPI_IS_STUN); - } else if(strstr((char*) flow->host_server_name, "whispersystems.org") != NULL) { + } else if(strstr(flow->host_server_name, "whispersystems.org") != NULL) { flow->guessed_host_protocol_id = NDPI_PROTOCOL_SIGNAL; return(NDPI_IS_STUN); - } else if(strstr((char*) flow->host_server_name, "facebook") != NULL) { + } else if(strstr(flow->host_server_name, "facebook") != NULL) { flow->guessed_host_protocol_id = NDPI_PROTOCOL_MESSENGER; return(NDPI_IS_STUN); } diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index d912ae947..a75e26eb2 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -478,7 +478,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi u_int8_t matched_name = 0; /* If the client hello was not observed or the requested name was missing, there is no need to trigger an alert */ - if(flow->protos.tls_quic.client_requested_server_name[0] == '\0') + if(flow->host_server_name[0] == '\0') matched_name = 1; #ifdef DEBUG_TLS @@ -520,7 +520,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi #if DEBUG_TLS printf("[TLS] dNSName %s [%s][len: %u][leftover: %d]\n", dNSName, - flow->protos.tls_quic.client_requested_server_name, len, + flow->host_server_name, len, packet->payload_packet_len-i-len); #endif if (ndpi_is_printable_string(dNSName, len) == 0) { @@ -530,27 +530,24 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi if(matched_name == 0) { #if DEBUG_TLS printf("[TLS] Trying to match '%s' with '%s'\n", - flow->protos.tls_quic.client_requested_server_name, + flow->host_server_name, dNSName); #endif - if(flow->protos.tls_quic.client_requested_server_name[0] == '\0') + if(flow->host_server_name[0] == '\0') { matched_name = 1; /* No SNI */ - else if (dNSName[0] == '*') - { - char * label = strstr(flow->protos.tls_quic.client_requested_server_name, &dNSName[1]); - - if (label != NULL) - { - char * first_dot = strchr(flow->protos.tls_quic.client_requested_server_name, '.'); - - if (first_dot == NULL || first_dot >= label) - { - matched_name = 1; - } - } - } - else if(strcmp(flow->protos.tls_quic.client_requested_server_name, dNSName) == 0) { + } else if (dNSName[0] == '*') { + char * label = strstr(flow->host_server_name, &dNSName[1]); + + if (label != NULL) { + char * first_dot = strchr(flow->host_server_name, '.'); + + if (first_dot == NULL || first_dot >= label) { + matched_name = 1; + } + } + } + else if(strcmp(flow->host_server_name, dNSName) == 0) { matched_name = 1; } } @@ -1244,7 +1241,6 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t i, j; u_int16_t total_len; u_int8_t handshake_type; - char buffer[64] = { '\0' }; int is_quic = (quic_version != 0); int is_dtls = packet->udp && (!is_quic); @@ -1721,50 +1717,41 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, if((offset+extension_offset+4) < packet->payload_packet_len) { len = (packet->payload[offset+extension_offset+3] << 8) + packet->payload[offset+extension_offset+4]; - len = (u_int)ndpi_min(len, sizeof(buffer)-1); if((offset+extension_offset+5+len) <= packet->payload_packet_len) { - strncpy(buffer, (char*)&packet->payload[offset+extension_offset+5], len); - buffer[len] = '\0'; - cleanupServerName(buffer, sizeof(buffer)); - - snprintf(flow->protos.tls_quic.client_requested_server_name, - sizeof(flow->protos.tls_quic.client_requested_server_name), - "%s", buffer); + char *sni = ndpi_hostname_sni_set(flow, &packet->payload[offset+extension_offset+5], len); + int sni_len = strlen(sni); #ifdef DEBUG_TLS - printf("[TLS] SNI: [%s]\n", buffer); + printf("[TLS] SNI: [%s]\n", sni); #endif - if (ndpi_is_printable_string(buffer, len) == 0) + if (ndpi_is_printable_string(sni, sni_len) == 0) { ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS); } if(!is_quic) { - if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, buffer, strlen(buffer))) + if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, sni, sni_len)) flow->protos.tls_quic.subprotocol_detected = 1; } else { - if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUIC, buffer, strlen(buffer))) + if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUIC, sni, sni_len)) flow->protos.tls_quic.subprotocol_detected = 1; } if(ndpi_check_dga_name(ndpi_struct, flow, - flow->protos.tls_quic.client_requested_server_name, 1)) { - char *sni = flow->protos.tls_quic.client_requested_server_name; - int len = strlen(sni); - + sni, 1)) { #ifdef DEBUG_TLS - printf("[TLS] SNI: (DGA) [%s]\n", flow->protos.tls_quic.client_requested_server_name); + printf("[TLS] SNI: (DGA) [%s]\n", sni); #endif - if((len >= 4) + if((sni_len >= 4) /* Check if it ends in .com or .net */ - && ((strcmp(&sni[len-4], ".com") == 0) || (strcmp(&sni[len-4], ".net") == 0)) + && ((strcmp(&sni[sni_len-4], ".com") == 0) || (strcmp(&sni[sni_len-4], ".net") == 0)) && (strncmp(sni, "www.", 4) == 0)) /* Not starting with www.... */ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR, NDPI_PROTOCOL_TLS); } else { #ifdef DEBUG_TLS - printf("[TLS] SNI: (NO DGA) [%s]\n", flow->protos.tls_quic.client_requested_server_name); + printf("[TLS] SNI: (NO DGA) [%s]\n", sni); #endif } } else { @@ -2268,12 +2255,12 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, /* Suspicious Domain Fronting: https://github.com/SixGenInc/Noctilucent/blob/master/docs/ */ if(flow->protos.tls_quic.encrypted_sni.esni && - flow->protos.tls_quic.client_requested_server_name[0] != '\0') { + flow->host_server_name[0] != '\0') { ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_ESNI_USAGE); } /* Add check for missing SNI */ - if((flow->protos.tls_quic.client_requested_server_name[0] == 0) + if(flow->host_server_name[0] == '\0' && (flow->protos.tls_quic.ssl_version >= 0x0302) /* TLSv1.1 */ && (flow->protos.tls_quic.encrypted_sni.esni == NULL) /* No ESNI */ ) { diff --git a/src/lib/protocols/whoisdas.c b/src/lib/protocols/whoisdas.c index 7321626d2..6f6f2a06b 100644 --- a/src/lib/protocols/whoisdas.c +++ b/src/lib/protocols/whoisdas.c @@ -41,10 +41,7 @@ void ndpi_search_whois_das(struct ndpi_detection_module_struct *ndpi_struct, str ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHOIS_DAS, NDPI_PROTOCOL_UNKNOWN); if((dport == 43) || (dport == 4343)) { /* Request */ - u_int hostname_len = ndpi_min(sizeof(flow->host_server_name) - 1, (long unsigned int)packet->payload_packet_len - 2); /* Skip \r\n */ - - memcpy(flow->host_server_name, &packet->payload[0], hostname_len); - flow->host_server_name[hostname_len] = '\0'; + ndpi_hostname_sni_set(flow, &packet->payload[0], packet->payload_packet_len - 2); /* Skip \r\n */ NDPI_LOG_INFO(ndpi_struct, "[WHOIS/DAS] %s\n", flow->host_server_name); } return; diff --git a/tests/result/dns_exfiltration.pcap.out b/tests/result/dns_exfiltration.pcap.out index 726e452b9..245d6cc57 100644 --- a/tests/result/dns_exfiltration.pcap.out +++ b/tests/result/dns_exfiltration.pcap.out @@ -4,4 +4,4 @@ DPI Packets (UDP): 2 (2.00 pkts/flow) DNS 300 73545 1 - 1 UDP 192.168.220.56:56373 <-> 192.168.203.167:53 [proto: 5/DNS][ClearText][cat: Network/14][150 pkts/32419 bytes <-> 150 pkts/41126 bytes][Goodput ratio: 81/85][59.99 sec][Host: dnscat.546b03f50000000000a6023ed4df184d6ac5c2628b47714fdee584fed739.5a03b5b1e1aa8f8fdb1bbe8d5e04952141f7d4f82c7e3b06dcc8b87fad7a.19e4d098dc8c618f8d81cfeb02][::][bytes ratio: -0.118 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/1 398/397 1035/1015 491/489][Pkt Len c2s/s2c min/avg/max/stddev: 101/148 216/274 300/386 97/97][Risk: ** Suspicious DGA domain name **][Risk Score: 100][PLAIN TEXT (dnscat)][Plen Bins: 0,24,0,23,0,0,0,0,26,26,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP 192.168.220.56:56373 <-> 192.168.203.167:53 [proto: 5/DNS][ClearText][cat: Network/14][150 pkts/32419 bytes <-> 150 pkts/41126 bytes][Goodput ratio: 81/85][59.99 sec][Host: e1aa8f8fdb1bbe8d5e04952141f7d4f82c7e3b06dcc8b87fad7a.19e4d098dc8c618f8d81cfeb02][::][bytes ratio: -0.118 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/1 398/397 1035/1015 491/489][Pkt Len c2s/s2c min/avg/max/stddev: 101/148 216/274 300/386 97/97][Risk: ** Suspicious DGA domain name **][Risk Score: 100][PLAIN TEXT (dnscat)][Plen Bins: 0,24,0,23,0,0,0,0,26,26,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/fuzz-2006-06-26-2594.pcap.out b/tests/result/fuzz-2006-06-26-2594.pcap.out index 60bd4a672..65cd73735 100644 --- a/tests/result/fuzz-2006-06-26-2594.pcap.out +++ b/tests/result/fuzz-2006-06-26-2594.pcap.out @@ -17,7 +17,7 @@ SIP 85 39540 15 1 UDP 212.242.33.35:5060 <-> 192.168.1.2:5060 [proto: 100/SIP][ClearText][cat: VoIP/10][23 pkts/11772 bytes <-> 37 pkts/14743 bytes][Goodput ratio: 91/89][1521.43 sec][bytes ratio: -0.112 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 19/227 32597/38366 167478/304738 41340/57147][Pkt Len c2s/s2c min/avg/max/stddev: 344/47 512/398 711/1118 86/358][PLAIN TEXT (SIP/2.0 401 Unauthorized)][Plen Bins: 29,0,0,0,0,0,0,0,0,3,6,0,3,6,8,13,1,0,3,0,1,15,0,0,0,5,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 2 UDP 192.168.1.2:5060 <-> 200.68.120.81:5060 [proto: 100/SIP][ClearText][cat: VoIP/10][9 pkts/4647 bytes <-> 3 pkts/1944 bytes][Goodput ratio: 92/93][66.58 sec][bytes ratio: 0.410 (Upload)][IAT c2s/s2c min/avg/max/stddev: 507/34556 8170/34556 32608/34556 10578/0][Pkt Len c2s/s2c min/avg/max/stddev: 417/637 516/648 864/656 186/8][PLAIN TEXT (INVITEKsip)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,59,0,0,0,0,0,0,8,16,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 3 UDP 192.168.1.2:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][ClearText][cat: System/18][71 pkts/6532 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][1527.12 sec][Host: eci_domain][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 741/0 20522/0 93225/0 24163/0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 92/0 92/0 0/0][PLAIN TEXT ( EFEDEJ)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 4 TCP 192.168.1.2:2720 <-> 147.234.1.253:21 [proto: 1/FTP_CONTROL][ClearText][cat: Download/7][11 pkts/624 bytes <-> 14 pkts/1080 bytes][Goodput ratio: 4/27][0.32 sec][Host: ProFTPD][bytes ratio: -0.268 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 24/7 115/18 38/8][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 57/77 70/113 5/19][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (220 ProFTPD Server In ECI Telec)][Plen Bins: 66,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 TCP 192.168.1.2:2720 <-> 147.234.1.253:21 [proto: 1/FTP_CONTROL][ClearText][cat: Download/7][11 pkts/624 bytes <-> 14 pkts/1080 bytes][Goodput ratio: 4/27][0.32 sec][Host: proftpd][bytes ratio: -0.268 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 24/7 115/18 38/8][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 57/77 70/113 5/19][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (220 ProFTPD Server In ECI Telec)][Plen Bins: 66,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 5 UDP 192.168.1.2:5060 -> 212.242.33.35:17860 [proto: 100/SIP][ClearText][cat: VoIP/10][1 pkts/1118 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][< 1 sec][PLAIN TEXT (INVITE six)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 6 UDP 192.168.1.2:30000 -> 212.242.33.36:40392 [proto: 87/RTP][ClearText][cat: Media/1][5 pkts/1070 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][0.05 sec][PLAIN TEXT (goxcffj)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 7 UDP 192.168.1.2:68 <-> 192.168.1.1:67 [proto: 18/DHCP][ClearText][cat: Network/14][1 pkts/342 bytes <-> 1 pkts/590 bytes][Goodput ratio: 87/93][0.00 sec][Host: d002465][DHCP Fingerprint: 1,15,3,6,44,46,47,31,33,43][DHCP Class Ident: MSFT 5.0][PLAIN TEXT (002465Q)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/reddit.pcap.out b/tests/result/reddit.pcap.out index 2becdb7e1..83220c286 100644 --- a/tests/result/reddit.pcap.out +++ b/tests/result/reddit.pcap.out @@ -2,10 +2,10 @@ Guessed flow protos: 1 DPI Packets (TCP): 445 (7.42 pkts/flow) -TLS 612 384211 15 +TLS 577 373106 14 Twitter 863 686585 3 YouTube 881 966947 3 -Google 618 334683 13 +Google 653 345788 14 Amazon 100 59185 2 Reddit 8337 9059073 20 GoogleServices 271 87487 4 @@ -39,7 +39,7 @@ JA3 Host Stats: 22 TCP [2a01:cb01:2049:8b07:991d:ec85:28df:f629]:56782 <-> [64:ff9b::68f4:2ac8]:443 [proto: 91.120/TLS.Twitter][Encrypted][cat: SocialNetwork/6][23 pkts/5030 bytes <-> 22 pkts/7292 bytes][Goodput ratio: 61/74][4.33 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.184 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 216/228 2512/2545 565/587][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 219/331 854/1474 227/405][TLSv1.2][Client: syndication.twitter.com][JA3C: b32309a26951912be7dba376398abc3b][ServerNames: syndication.twitter.com,syndication.twimg.com,syndication-o.twitter.com,syndication-o.twimg.com,cdn.syndication.twitter.com,cdn.syndication.twimg.com][JA3S: 8d2a028aa94425f76ced7826b1f39039][Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA][Subject: C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=lon3, CN=syndication.twitter.com][Certificate SHA-1: 09:D3:FE:9A:3E:39:A7:E2:90:5B:C9:1F:3B:7D:CE:7C:7E:08:1C:6F][Chrome][Validity: 2020-01-02 00:00:00 - 2020-12-24 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,15,0,20,0,0,4,4,4,15,0,0,4,0,4,0,4,0,0,0,4,0,4,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0] 23 TCP [2a01:cb01:2049:8b07:991d:ec85:28df:f629]:56640 <-> [64:ff9b::9765:798c]:443 [proto: 91.205/TLS.Reddit][Encrypted][cat: SocialNetwork/6][23 pkts/3696 bytes <-> 22 pkts/8527 bytes][Goodput ratio: 46/78][0.57 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.395 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 27/30 307/307 76/75][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 161/388 603/1134 157/388][TLSv1.2][Client: gateway.reddit.com][JA3C: b32309a26951912be7dba376398abc3b][ServerNames: reddit.com,*.reddit.com][JA3S: 16c0b3e6a7b8173c16d944cfeaeee9cf][Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA][Subject: C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.reddit.com][Certificate SHA-1: DB:E9:D5:FE:EB:EF:68:34:55:FD:62:BA:C9:BB:04:D4:E3:22:18:81][Chrome][Validity: 2020-08-26 00:00:00 - 2021-02-22 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,14,20,4,4,0,0,0,4,0,0,4,9,0,0,9,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 24 TCP [2a01:cb01:2049:8b07:991d:ec85:28df:f629]:46646 <-> [64:ff9b::345f:7ca5]:443 [proto: 91.178/TLS.Amazon][Encrypted][cat: Web/5][14 pkts/3201 bytes <-> 13 pkts/8450 bytes][Goodput ratio: 62/87][0.22 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.451 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 15/17 60/42 22/16][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 229/650 762/1446 254/571][TLSv1.2][Client: aax-eu.amazon-adsystem.com][JA3C: b32309a26951912be7dba376398abc3b][ServerNames: aax-eu.amazon-adsystem.com,aax.amazon-adsystem.com,aax-cpm.amazon-adsystem.com,aax-dtb-web.amazon-adsystem.com][JA3S: 49b45fc1ab090aa3a159778313fc9b9e][Issuer: C=US, O=Amazon, OU=Server CA 1B, CN=Amazon][Subject: CN=aax-eu.amazon-adsystem.com][Certificate SHA-1: 5D:18:8E:CB:B7:91:5C:79:26:B5:08:49:FF:2C:24:D8:06:54:91:8B][Chrome][Validity: 2020-06-15 00:00:00 - 2021-06-15 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,8,0,0,0,0,8,0,0,0,8,0,0,8,8,0,0,0,8,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,34,0,0,0,0,0] - 25 TCP [2a01:cb01:2049:8b07:991d:ec85:28df:f629]:59624 <-> [2a00:1450:4007:80b::2001]:443 [proto: 91/TLS][Encrypted][cat: Web/5][18 pkts/2649 bytes <-> 17 pkts/8456 bytes][Goodput ratio: 41/83][0.15 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.523 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 7/5 34/33 12/10][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 147/497 603/1294 137/490][Risk: ** Suspicious DGA domain name **][Risk Score: 100][TLSv1.3][Client: 8a755a3fef0b189d8ab5b0d10758f68a.safeframe.googlesyndication.co][JA3C: b32309a26951912be7dba376398abc3b][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Chrome][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 12,12,12,0,0,0,0,0,0,0,6,0,6,0,6,0,6,0,6,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0] + 25 TCP [2a01:cb01:2049:8b07:991d:ec85:28df:f629]:59624 <-> [2a00:1450:4007:80b::2001]:443 [proto: 91.126/TLS.Google][Encrypted][cat: Web/5][18 pkts/2649 bytes <-> 17 pkts/8456 bytes][Goodput ratio: 41/83][0.15 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.523 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 7/5 34/33 12/10][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 147/497 603/1294 137/490][TLSv1.3][Client: 8a755a3fef0b189d8ab5b0d10758f68a.safeframe.googlesyndication.com][JA3C: b32309a26951912be7dba376398abc3b][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Chrome][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 12,12,12,0,0,0,0,0,0,0,6,0,6,0,6,0,6,0,6,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0] 26 TCP [2a01:cb01:2049:8b07:991d:ec85:28df:f629]:46808 <-> [2a00:1450:4007:808::2001]:443 [proto: 91/TLS][Encrypted][cat: Web/5][15 pkts/1843 bytes <-> 13 pkts/9101 bytes][Goodput ratio: 32/88][0.12 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.663 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5/5 32/32 11/10][Pkt Len c2s/s2c min/avg/max/stddev: 74/86 123/700 603/1294 129/569][TLSv1.3][Client: cdn.ampproject.org][JA3C: b32309a26951912be7dba376398abc3b][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Chrome][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,0,10,0,10,0,0,0,0,0,0,0,0,0,0,0,10,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,60,0,0,0,0,0,0,0,0,0,0] 27 TCP [2a01:cb01:2049:8b07:991d:ec85:28df:f629]:46810 <-> [2a00:1450:4007:808::2001]:443 [proto: 91/TLS][Encrypted][cat: Web/5][15 pkts/1843 bytes <-> 13 pkts/9100 bytes][Goodput ratio: 32/88][0.12 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.663 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5/6 31/34 11/11][Pkt Len c2s/s2c min/avg/max/stddev: 74/86 123/700 603/1294 129/569][TLSv1.3][Client: cdn.ampproject.org][JA3C: b32309a26951912be7dba376398abc3b][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Chrome][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,0,10,0,10,0,0,0,0,0,0,0,0,0,0,0,10,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,60,0,0,0,0,0,0,0,0,0,0] 28 TCP [2a01:cb01:2049:8b07:991d:ec85:28df:f629]:46814 <-> [2a00:1450:4007:808::2001]:443 [proto: 91/TLS][Encrypted][cat: Web/5][14 pkts/1769 bytes <-> 13 pkts/9102 bytes][Goodput ratio: 33/88][0.12 sec][ALPN: h2;http/1.1][TLS Supported Versions: GREASE;TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.675 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 10/5 43/36 15/11][Pkt Len c2s/s2c min/avg/max/stddev: 74/86 126/700 603/1294 133/569][TLSv1.3][Client: cdn.ampproject.org][JA3C: b32309a26951912be7dba376398abc3b][JA3S: eb1d94daa7e0344597e756a1fb6e7054][Chrome][Cipher: TLS_AES_128_GCM_SHA256][Plen Bins: 0,0,10,0,10,0,0,0,0,0,0,0,0,0,0,0,10,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,60,0,0,0,0,0,0,0,0,0,0] |