-rw-r--r-- | src/include/ndpi_define.h.in | 1 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 3 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 8 | ||||
-rw-r--r-- | tests/result/fuzz-2006-06-26-2594.pcap.out | 2 | ||||
-rw-r--r-- | tests/result/skype.pcap.out | 2 | ||||
-rw-r--r-- | tests/result/skype_no_unknown.pcap.out | 2 |
6 files changed, 13 insertions, 5 deletions
diff --git a/src/include/ndpi_define.h.in b/src/include/ndpi_define.h.in index 6e2c4e90c..366b04b26 100644 --- a/src/include/ndpi_define.h.in +++ b/src/include/ndpi_define.h.in @@ -156,6 +156,7 @@ /* misc definitions */ #define NDPI_DEFAULT_MAX_TCP_RETRANSMISSION_WINDOW_SIZE 0x10000 +#define NDPI_MAX_NUM_PKTS_PER_FLOW_TO_DISSECT 32 /* TODO: rebuild all memory areas to have a more aligned memory block here */ diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 493c71aea..c4535c768 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -5416,6 +5416,9 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct flow->num_processed_pkts++; + if(flow->num_processed_pkts > NDPI_MAX_NUM_PKTS_PER_FLOW_TO_DISSECT) + return(ret); /* Avoid spending too much time with this flow */ + /* Init default */ ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0]; diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index ecd5f177e..67909fc87 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -918,10 +918,14 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, processed += packet->payload_packet_len; } - } else { + } else if(len > 5 /* Minimum block size */) { /* Process element as a whole */ if(content_type == 0x17 /* Application Data */) { - ndpi_looks_like_tls(ndpi_struct, flow); + u_int32_t block_len = ntohs((flow->l4.tcp.tls.message.buffer[3] << 16) + (flow->l4.tcp.tls.message.buffer[4] << 8)); + + /* Let's do a quick check to make sure this really looks like TLS */ + if(block_len < 16384 /* Max TLS block size */) + ndpi_looks_like_tls(ndpi_struct, flow); if(flow->l4.tcp.tls.certificate_processed) { if(flow->l4.tcp.tls.num_tls_blocks < ndpi_struct->num_tls_blocks_to_follow) diff --git a/tests/result/fuzz-2006-06-26-2594.pcap.out b/tests/result/fuzz-2006-06-26-2594.pcap.out index ba00c132b..60d530c9f 100644 
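Review bot: The early `return(ret)` added to ndpi_detection_process_packet sits above the `/* Init default */` line that copies `flow->detected_protocol_stack[]` into `ret`. Once a flow exceeds NDPI_MAX_NUM_PKTS_PER_FLOW_TO_DISSECT, the caller therefore gets whatever `ret` was initialised with (its declaration is outside this hunk, presumably "unknown") rather than the protocol already detected for the flow. Placing `if(flow->num_processed_pkts > NDPI_MAX_NUM_PKTS_PER_FLOW_TO_DISSECT) return(ret);` after the init assignment would keep the reported classification stable. The fixed cap of 32 also means content that appears only later in a flow is never dissected, so the define in ndpi_define.h.in deserves a comment such as `/* Dissection stops after this many packets per flow; later packets are not inspected */`. It is also worth confirming that num_processed_pkts cannot wrap on long flows and re-enable dissection.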
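Review bot: The `block_len` computation in the Application Data branch of ndpi_search_tls_tcp does not yield the TLS record length, so the `< 16384` test is not the sanity check its comment describes. The length is the 16-bit big-endian value in buffer[3] and buffer[4], but the code shifts by 16 and 8 and then passes the sum through ntohs(), which truncates to 16 bits; on a little-endian host this leaves only buffer[4] (0–255), so the condition is always true and ndpi_looks_like_tls() still runs for any payload. Reading the field directly fixes this: `u_int16_t block_len = (flow->l4.tcp.tls.message.buffer[3] << 8) + flow->l4.tcp.tls.message.buffer[4];`. The bound needs care as well, since encrypted records may exceed 2^14 bytes by the permitted expansion, so a strict `< 16384` would reject full-size records once the length is read correctly. The enclosing function starts and ends outside the hunk.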
--- a/tests/result/fuzz-2006-06-26-2594.pcap.out +++ b/tests/result/fuzz-2006-06-26-2594.pcap.out 
@@ -17,7 +17,7 @@ SIP 85 39540 15 1 UDP 212.242.33.35:5060 <-> 192.168.1.2:5060 [proto: 100/SIP][ClearText][cat: VoIP/10][23 pkts/11772 bytes <-> 37 pkts/14743 bytes][Goodput ratio: 91/89][1521.43 sec][bytes ratio: -0.112 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 19/227 32597/38366 167478/304738 41340/57147][Pkt Len c2s/s2c min/avg/max/stddev: 344/47 512/398 711/1118 86/358][PLAIN TEXT (SIP/2.0 401 Unauthorized)][Plen Bins: 29,0,0,0,0,0,0,0,0,3,6,0,3,6,8,13,1,0,3,0,1,15,0,0,0,5,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 2 UDP 192.168.1.2:5060 <-> 200.68.120.81:5060 [proto: 100/SIP][ClearText][cat: VoIP/10][9 pkts/4647 bytes <-> 3 pkts/1944 bytes][Goodput ratio: 92/93][66.58 sec][bytes ratio: 0.410 (Upload)][IAT c2s/s2c min/avg/max/stddev: 507/34556 8170/34556 32608/34556 10578/0][Pkt Len c2s/s2c min/avg/max/stddev: 417/637 516/648 864/656 186/8][PLAIN TEXT (INVITEKsip)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,59,0,0,0,0,0,0,8,16,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 3 UDP 192.168.1.2:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][ClearText][cat: System/18][71 pkts/6532 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][1527.12 sec][Host: eci_domain][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 741/0 20522/0 93225/0 24163/0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 92/0 92/0 0/0][PLAIN TEXT ( EFEDEJ)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 4 TCP 192.168.1.2:2720 <-> 147.234.1.253:21 [proto: 1/FTP_CONTROL][ClearText][cat: Download/7][11 pkts/624 bytes <-> 14 pkts/1080 bytes][Goodput ratio: 4/27][0.32 sec][bytes ratio: -0.268 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 24/7 115/18 38/8][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 57/77 70/113 5/19][PLAIN TEXT (220 ProFTPD Server In ECI Telec)][Plen Bins: 66,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 TCP 192.168.1.2:2720 <-> 147.234.1.253:21 [proto: 
1/FTP_CONTROL][ClearText][cat: Download/7][11 pkts/624 bytes <-> 14 pkts/1080 bytes][Goodput ratio: 4/27][0.32 sec][Host: ProFTPD][bytes ratio: -0.268 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 24/7 115/18 38/8][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 57/77 70/113 5/19][PLAIN TEXT (220 ProFTPD Server In ECI Telec)][Plen Bins: 66,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 5 UDP 192.168.1.2:5060 -> 212.242.33.35:17860 [proto: 100/SIP][ClearText][cat: VoIP/10][1 pkts/1118 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][< 1 sec][PLAIN TEXT (INVITE six)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 6 UDP 192.168.1.2:30000 -> 212.242.33.36:40392 [proto: 87/RTP][ClearText][cat: Media/1][5 pkts/1070 bytes -> 0 pkts/0 bytes][Goodput ratio: 80/0][0.05 sec][PLAIN TEXT (goxcffj)][Plen Bins: 0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 7 UDP 192.168.1.2:68 <-> 192.168.1.1:67 [proto: 18/DHCP][ClearText][cat: Network/14][1 pkts/342 bytes <-> 1 pkts/590 bytes][Goodput ratio: 87/93][0.00 sec][Host: d002465][DHCP Fingerprint: 1,15,3,6,44,46,47,31,33,43][PLAIN TEXT (002465Q)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/skype.pcap.out b/tests/result/skype.pcap.out index 75c177ea4..5ce3e16dc 100644 --- a/tests/result/skype.pcap.out +++ b/tests/result/skype.pcap.out 
@@ -109,7 +109,7 @@ JA3 Host Stats: 84 UDP 192.168.1.34:56387 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype_Teams][Encrypted][cat: VoIP/10][7 pkts/616 bytes -> 0 pkts/0 bytes][Goodput ratio: 52/0][26.25 sec][Host: 335.0.7.7.3.rst5.r.skype.net][::][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1007/0 4374/0 9080/0 3405/0][Pkt Len c2s/s2c min/avg/max/stddev: 88/0 88/0 88/0 0/0][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 85 UDP 192.168.1.34:57288 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype_Teams][Encrypted][cat: VoIP/10][7 pkts/616 bytes -> 0 pkts/0 bytes][Goodput ratio: 52/0][26.40 sec][Host: 335.0.7.7.3.rst6.r.skype.net][::][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1088/0 4399/0 9084/0 3383/0][Pkt Len c2s/s2c min/avg/max/stddev: 88/0 88/0 88/0 0/0][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 86 TCP 192.168.1.34:50146 -> 157.56.53.51:443 [proto: 91/TLS][Encrypted][cat: Web/5][8 pkts/608 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][11.02 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1001/0 1574/0 4002/0 1050/0][Pkt Len c2s/s2c min/avg/max/stddev: 62/0 76/0 78/0 5/0][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 87 TCP 192.168.1.34:50129 <-> 91.190.218.125:12350 [proto: 91.125/TLS.Skype_Teams][Encrypted][cat: VoIP/10][6 pkts/353 bytes <-> 4 pkts/246 bytes][Goodput ratio: 1/2][8.32 sec][bytes ratio: 0.179 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/64 1663/2751 6736/6736 2591/2874][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 59/62 78/66 9/3][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 87 TCP 192.168.1.34:50129 <-> 91.190.218.125:12350 [proto: 125/Skype_Teams][Encrypted][cat: VoIP/10][6 pkts/353 bytes <-> 4 pkts/246 bytes][Goodput ratio: 1/2][8.32 sec][bytes ratio: 
0.179 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/64 1663/2751 6736/6736 2591/2874][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 59/62 78/66 9/3][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 88 UDP 192.168.1.34:49163 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype_Teams][Encrypted][cat: VoIP/10][7 pkts/546 bytes -> 0 pkts/0 bytes][Goodput ratio: 46/0][26.42 sec][Host: b.config.skype.com][::][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1010/0 4403/0 9097/0 3414/0][Pkt Len c2s/s2c min/avg/max/stddev: 78/0 78/0 78/0 0/0][PLAIN TEXT (config)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 89 UDP 192.168.1.34:51802 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype_Teams][Encrypted][cat: VoIP/10][7 pkts/546 bytes -> 0 pkts/0 bytes][Goodput ratio: 46/0][26.31 sec][Host: b.config.skype.com][::][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1060/0 4384/0 9098/0 3397/0][Pkt Len c2s/s2c min/avg/max/stddev: 78/0 78/0 78/0 0/0][PLAIN TEXT (config)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 90 UDP 192.168.1.34:52714 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype_Teams][Encrypted][cat: VoIP/10][7 pkts/546 bytes -> 0 pkts/0 bytes][Goodput ratio: 46/0][26.31 sec][Host: b.config.skype.com][::][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1060/0 4384/0 9098/0 3397/0][Pkt Len c2s/s2c min/avg/max/stddev: 78/0 78/0 78/0 0/0][PLAIN TEXT (config)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/skype_no_unknown.pcap.out b/tests/result/skype_no_unknown.pcap.out index e194116ae..f5f04292c 100644 --- a/tests/result/skype_no_unknown.pcap.out +++ b/tests/result/skype_no_unknown.pcap.out 
@@ -73,7 +73,7 @@ JA3 Host Stats: 48 UDP 192.168.1.92:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][ClearText][cat: Cloud/13][2 pkts/1088 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][30.05 sec][PLAIN TEXT ( 3375359593)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 49 UDP 192.168.1.92:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][ClearText][cat: Cloud/13][2 pkts/1088 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][30.05 sec][PLAIN TEXT ( 3375359593)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 50 UDP 192.168.1.34:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][ClearText][cat: System/18][7 pkts/680 bytes -> 0 pkts/0 bytes][Goodput ratio: 57/0][1.26 sec][Host: __msbrowse__][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 210/0 1261/0 470/0][Pkt Len c2s/s2c min/avg/max/stddev: 92/0 97/0 110/0 8/0][PLAIN TEXT (FPFPENFDECFCEPFHFDEFFPFPACAB)][Plen Bins: 0,71,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 51 TCP 192.168.1.34:51299 <-> 91.190.216.125:12350 [proto: 91.125/TLS.Skype_Teams][Encrypted][cat: VoIP/10][6 pkts/353 bytes <-> 5 pkts/306 bytes][Goodput ratio: 1/2][11.59 sec][bytes ratio: 0.071 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2640/2885 10417/10457 4490/4391][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 59/61 78/66 9/2][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 51 TCP 192.168.1.34:51299 <-> 91.190.216.125:12350 [proto: 125/Skype_Teams][Encrypted][cat: VoIP/10][6 pkts/353 bytes <-> 5 pkts/306 bytes][Goodput ratio: 1/2][11.59 sec][bytes ratio: 0.071 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2640/2885 10417/10457 4490/4391][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 59/61 78/66 9/2][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 52 
UDP 192.168.1.34:58631 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype_Teams][Encrypted][cat: VoIP/10][8 pkts/648 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][53.50 sec][Host: conn.skype.akadns.net][::][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1093/0 7642/0 27046/0 8520/0][Pkt Len c2s/s2c min/avg/max/stddev: 81/0 81/0 81/0 0/0][PLAIN TEXT (akadns)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 53 UDP 192.168.1.34:60688 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype_Teams][Encrypted][cat: VoIP/10][8 pkts/648 bytes -> 0 pkts/0 bytes][Goodput ratio: 48/0][53.50 sec][Host: conn.skype.akadns.net][::][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1093/0 7642/0 27046/0 8520/0][Pkt Len c2s/s2c min/avg/max/stddev: 81/0 81/0 81/0 0/0][PLAIN TEXT (akadns)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 54 UDP 192.168.1.34:50055 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype_Teams][Encrypted][cat: VoIP/10][7 pkts/623 bytes -> 0 pkts/0 bytes][Goodput ratio: 53/0][26.41 sec][Host: pipe.prd.skypedata.akadns.net][::][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1071/0 4400/0 9094/0 3403/0][Pkt Len c2s/s2c min/avg/max/stddev: 89/0 89/0 89/0 0/0][PLAIN TEXT (skypedata)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |