-rw-r--r-- | python/ndpi.py | 2 | ||||
-rw-r--r-- | python/ndpi_typestruct.py | 10 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 2 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 3 | ||||
-rw-r--r-- | src/lib/protocols/ftp_control.c | 17 | ||||
-rw-r--r-- | tests/pcap/ftp-start-tls.pcap | bin | 0 -> 8350 bytes | |||
-rw-r--r-- | tests/result/ftp-start-tls.pcap.out | 7 |
7 files changed, 30 insertions, 11 deletions
diff --git a/python/ndpi.py b/python/ndpi.py
index a7b568451..3eea870e2 100644
--- a/python/ndpi.py
+++ b/python/ndpi.py
@@ -1086,7 +1086,7 @@ struct ndpi_flow_struct {
 } http;
 struct {
- uint8_t auth_found:1, auth_failed:1, _pad:5;
+ uint8_t auth_found:1, auth_failed:1, auth_tls:1, _pad:5;
 char username[16], password[16];
 } ftp_imap_pop_smtp;
diff --git a/python/ndpi_typestruct.py b/python/ndpi_typestruct.py
index 9413ca039..a0bdcee84 100644
--- a/python/ndpi_typestruct.py
+++ b/python/ndpi_typestruct.py
@@ -507,6 +507,15 @@ class Http2(Structure):
 ("nat_ip", c_char * 24)
 ]
+class FtpImapPopSmtp(Structure):
+ _fields_ = [
+ ("auth_found", c_uint8, 1),
+ ("auth_failed", c_uint8, 1),
+ ("auth_tls", c_uint8, 1),
+ ("_pad", c_uint8, 5),
+ ("username", c_char * 16),
+ ("password", c_char * 16)
+ ]
 class Bittorrent(Structure):
 _fields_ = [("hash", c_char * 20)]
@@ -529,6 +538,7 @@ class Protos(Union):
 ("mdns", Mdns),
 ("ubntac2", Ubntac2),
 ("http", Http2),
+ ("ftp_imap_pop_smtp", FtpImapPopSmtp),
 ("bittorrent", Bittorrent),
 ("dhcp", Dhcp)
 ]
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 2347d0429..6181c21e8 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1350,7 +1350,7 @@ struct ndpi_flow_struct {
 } http;
 struct {
- u_int8_t auth_found:1, auth_failed:1, _pad:5;
+ u_int8_t auth_found:1, auth_failed:1, auth_tls:1, _pad:5;
 char username[16], password[16];
 } ftp_imap_pop_smtp;
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 4776095ef..cc1db9ccb 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -7242,7 +7242,8 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp
 case NDPI_PROTOCOL_MAIL_POP:
 case NDPI_PROTOCOL_MAIL_IMAP:
 case NDPI_PROTOCOL_MAIL_SMTP:
- if(flow->protos.ftp_imap_pop_smtp.password[0] == '\0')
+ if(flow->protos.ftp_imap_pop_smtp.password[0] == '\0' &&
+ flow->protos.ftp_imap_pop_smtp.auth_tls == 0)
 return(1);
 break;
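Review bot: In the ndpi_typestruct.py hunk the new FtpImapPopSmtp class ends with `+ ]` and is immediately followed by the context line `class Bittorrent(Structure):`, with no blank line between them, while the existing classes in this file (see the `]`, blank, `class Bittorrent` context the insertion sits in) are separated by a blank line. Add a blank line after the closing `]` so the new definition follows the file's layout. The field list itself mirrors the C bit-field from ndpi_typedefs.h in this commit (three 1-bit flags plus `_pad` of 5 bits, filling one byte), so the two stay in sync.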
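Review bot: The new `auth_tls` bit in the ndpi_typedefs.h hunk carries no comment, and its meaning is only recoverable from ftp_control.c in the same commit: it is set when an FTP `AUTH` request was seen and the server then answered with a 2xx/3xx/6xx reply, after which ndpi_main.c stops extra dissection for the flow. A short comment on the bit-field line would save the next reader that trip, e.g. `/* auth_tls: set (FTP only, see ftp_control.c) once the server accepted an AUTH request; no further clear-text credential parsing is attempted */`. Since this struct is shared by FTP, IMAP, POP and SMTP, the comment should say the bit is currently only written by the FTP dissector, as none of the mail dissectors are touched here.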
diff --git a/src/lib/protocols/ftp_control.c b/src/lib/protocols/ftp_control.c
index 55ea192b0..3635d1118 100644
--- a/src/lib/protocols/ftp_control.c
+++ b/src/lib/protocols/ftp_control.c
@@ -64,6 +64,11 @@ static int ndpi_ftp_control_check_request(struct ndpi_detection_module_struct *n
 return 1;
 }
+ if(ndpi_match_strprefix(payload, payload_len, "AUTH") ||
+ ndpi_match_strprefix(payload, payload_len, "auth")) {
+ flow->protos.ftp_imap_pop_smtp.auth_found = 1;
+ return 1;
+ }
 /* ***************************************************** */
 if(ndpi_match_strprefix(payload, payload_len, "ABOR")) {
@@ -86,9 +91,6 @@ static int ndpi_ftp_control_check_request(struct ndpi_detection_module_struct *n
 return 1;
 }
- if(ndpi_match_strprefix(payload, payload_len, "AUTH")) {
- return 1;
- }
 if(ndpi_match_strprefix(payload, payload_len, "CCC")) {
 return 1;
 }
@@ -321,10 +323,6 @@ static int ndpi_ftp_control_check_request(struct ndpi_detection_module_struct *n
 return 1;
 }
- if(ndpi_match_strprefix(payload, payload_len, "auth")) {
- return 1;
- }
-
 if(ndpi_match_strprefix(payload, payload_len, "ccc")) {
 return 1;
 }
@@ -564,6 +562,8 @@ static int ndpi_ftp_control_check_response(struct ndpi_flow_struct *flow,
 case '2':
 case '3':
 case '6':
+ if(flow->protos.ftp_imap_pop_smtp.auth_found == 1)
+ flow->protos.ftp_imap_pop_smtp.auth_tls = 1;
 return(1);
 break;
@@ -635,7 +635,8 @@ static void ndpi_check_ftp_control(struct ndpi_detection_module_struct *ndpi_str
 flow->protos.ftp_imap_pop_smtp.username,
 flow->protos.ftp_imap_pop_smtp.password);
 #endif
- if(flow->protos.ftp_imap_pop_smtp.password[0] == '\0')
+ if(flow->protos.ftp_imap_pop_smtp.password[0] == '\0' &&
+ flow->protos.ftp_imap_pop_smtp.auth_tls == 0) /* TODO: any values on dissecting TLS handshake? */
 flow->ftp_control_stage = 0;
 else
 ndpi_int_ftp_control_add_connection(ndpi_struct, flow);
diff --git a/tests/pcap/ftp-start-tls.pcap b/tests/pcap/ftp-start-tls.pcap
Binary files differ
new file mode 100644
index 000000000..738ccba4e
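Review bot: The prefix match in the first ftp_control.c hunk accepts any `AUTH` command, not only `AUTH TLS`: RFC 2228 allows other mechanism arguments, and together with the later response hunk any positive reply to any of them sets a bit named `auth_tls`. Either look at the argument as well (the RFC 4217 forms `AUTH TLS` and `AUTH SSL`) before treating the flow as TLS-protected, or name and comment the bit for what it actually records, e.g. `/* any RFC 2228 AUTH mechanism was requested; see check_response */`. The merged upper/lower-case check also replaces two separate `AUTH`/`auth` checks removed later in the file, which is consistent with how the rest of this function pairs commands. ndpi_ftp_control_check_request starts and ends outside this hunk.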
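Review bot: In the `@@ -564` hunk `auth_found` is consulted but never cleared, and no other line of this commit resets it, so a rejected AUTH (a 4xx/5xx reply, handled outside this hunk) leaves the bit set and the next 2xx/3xx reply to an unrelated command such as USER will set `auth_tls`, after which the `@@ -635` hunk and ndpi_main.c stop looking for a clear-text password on a session that never switched to TLS. The flag should be consumed by whichever reply answers the AUTH: add `flow->protos.ftp_imap_pop_smtp.auth_found = 0;` after the `auth_tls = 1` assignment here, and the same reset in the non-2/3/6 reply cases of ndpi_ftp_control_check_response, which lie outside the hunk. Whether an intervening request should also clear it depends on how the dissector pairs requests with replies, which I cannot see from here.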
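Review bot: The `@@ -635` hunk leaves a `TODO: any values on dissecting TLS handshake?` on the new condition, and the expected output added in tests/result/ftp-start-tls.pcap.out still reports the flow as `[ClearText]` with `[Risk: ** Unsafe Protocol **]`, so the new `auth_tls` bit is not yet reflected in classification or risk for a session that negotiated AUTH (assuming those labels are derived per flow rather than fixed for FTP_CONTROL, which I cannot verify here). Replacing the TODO with a definite statement of the current behaviour would be clearer, e.g. `/* AUTH accepted: the rest of the control channel is not clear text, so stop waiting for a password */`. The same two-part condition now appears in ndpi_extra_dissection_possible in ndpi_main.c; a comment in one place pointing at the other would help keep them in step. ndpi_check_ftp_control starts outside this hunk.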
--- /dev/null
+++ b/tests/pcap/ftp-start-tls.pcap
diff --git a/tests/result/ftp-start-tls.pcap.out b/tests/result/ftp-start-tls.pcap.out
new file mode 100644
index 000000000..e793099ab
--- /dev/null
+++ b/tests/result/ftp-start-tls.pcap.out
@@ -0,0 +1,7 @@
+Guessed flow protos: 0
+
+DPI Packets (TCP): 10 (10.00 pkts/flow)
+
+FTP_CONTROL 51 7510 1
+
+ 1 TCP 10.238.26.36:62092 <-> 10.220.50.76:21 [proto: 1/FTP_CONTROL][ClearText][cat: Download/7][16 pkts/1744 bytes <-> 35 pkts/5766 bytes][Goodput ratio: 49/66][0.33 sec][bytes ratio: -0.536 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 13/4 34/34 13/8][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 109/165 384/566 80/152][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (Authorized users only. All acti)][Plen Bins: 22,25,32,0,2,0,5,0,0,0,2,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |