diff options
| -rw-r--r-- | src/lib/ndpi_main.c | 2 | ||||
| -rw-r--r-- | src/lib/protocols/dns.c | 3 | ||||
| -rw-r--r-- | src/lib/protocols/quic.c | 2 | ||||
| -rw-r--r-- | tests/result/dns_fragmented.pcap.out | 14 | ||||
| -rw-r--r-- | wireshark/ndpi.lua | 6 |
5 files changed, 14 insertions, 13 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index ba6c66a4f..c8da3b3d5 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -5162,7 +5162,7 @@ void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_str, static void ndpi_reset_packet_line_info(struct ndpi_packet_struct *packet) { packet->parsed_lines = 0, packet->empty_line_position_set = 0, packet->host_line.ptr = NULL, packet->host_line.len = 0, packet->referer_line.ptr = NULL, packet->referer_line.len = 0, - packet->authorization_line.len = 0, + packet->authorization_line.len = 0, packet->authorization_line.ptr = NULL, packet->content_line.ptr = NULL, packet->content_line.len = 0, packet->accept_line.ptr = NULL, packet->accept_line.len = 0, packet->user_agent_line.ptr = NULL, packet->user_agent_line.len = 0, packet->http_url_name.ptr = NULL, packet->http_url_name.len = 0, packet->http_encoding.ptr = NULL, diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 7df539a88..987133213 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -521,6 +521,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st if((flow->packet.detected_protocol_stack[0] == NDPI_PROTOCOL_DNS) || (flow->packet.detected_protocol_stack[1] == NDPI_PROTOCOL_DNS)) { + /* TODO: add support to RFC6891 to avoid some false positives */ if(flow->packet.udp != NULL && flow->packet.payload_packet_len > PKT_LEN_ALERT) ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_LARGE_PACKET); @@ -529,7 +530,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st u_int8_t flags = ((u_int8_t*)flow->packet.iph)[6]; /* 0: fragmented; 1: not fragmented */ - if((flags & 0xE0) + if((flags & 0x20) || (ndpi_iph_is_valid_and_not_fragmented(flow->packet.iph, flow->packet.l3_packet_len) == 0)) { ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_FRAGMENTED); } diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c index 9461765c6..7db718ac8 100644 --- a/src/lib/protocols/quic.c +++ b/src/lib/protocols/quic.c @@ -202,7 +202,7 @@ int quic_len(const uint8_t *buf, uint64_t *value) /* Necessary as simple cast crashes on ARM */ memcpy(&n, buf, sizeof(u_int64_t)); - *value = ndpi_ntohll(n & 0x3FFFFFFFFFFFFFFF); + *value = ndpi_ntohll(n) & 0x3FFFFFFFFFFFFFFF; } return 8; default: /* No Possible */ diff --git a/tests/result/dns_fragmented.pcap.out b/tests/result/dns_fragmented.pcap.out index 20e4e6016..a8f70b6b4 100644 --- a/tests/result/dns_fragmented.pcap.out +++ b/tests/result/dns_fragmented.pcap.out @@ -9,13 +9,13 @@ Google 6 4807 3 1 TCP [2001:470:1f0b:16b0:20c:29ff:fe7c:a4cb]:57089 <-> [2001:470:1f0b:16b0::a26:53]:53 [proto: 5/DNS][ClearText][cat: Network/14][6 pkts/578 bytes <-> 4 pkts/2084 bytes][Goodput ratio: 9/83][0.00 sec][Host: weberlab.de][::][bytes ratio: -0.566 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 1/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 96/521 140/1818 20/749][PLAIN TEXT (weberlab)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50] 2 TCP 194.247.5.6:39005 <-> 194.247.5.14:53 [proto: 5/DNS][ClearText][cat: Network/14][6 pkts/458 bytes <-> 4 pkts/2004 bytes][Goodput ratio: 12/86][0.00 sec][Host: weberlab.de][::][bytes ratio: -0.628 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 76/501 120/1798 20/749][PLAIN TEXT (weberlab)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50] - 3 UDP 173.194.169.104:59464 <-> 193.24.227.238:53 [proto: 5.126/DNS.Google][Encrypted][cat: Web/5][1 pkts/101 bytes <-> 1 pkts/1514 bytes][Goodput ratio: 58/97][< 1 sec][Host: fg2.weberlab.de][194.247.4.10][Risk: ** DNS packet larger than 512 bytes **][Risk Score: 50][PLAIN TEXT (weberlab)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0] - 4 UDP 194.247.5.6:51791 <-> 193.24.227.238:53 [proto: 5/DNS][ClearText][cat: Network/14][1 pkts/94 bytes <-> 1 pkts/1514 bytes][Goodput ratio: 55/97][0.01 sec][Host: weberlab.de][::][Risk: ** DNS packet larger than 512 bytes **][Risk Score: 50][PLAIN TEXT (weberlab)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0] - 5 UDP 74.125.47.136:59330 <-> 193.24.227.238:53 [proto: 5.126/DNS.Google][Encrypted][cat: Web/5][1 pkts/82 bytes <-> 1 pkts/1514 bytes][Goodput ratio: 48/97][0.00 sec][Host: weberlab.de][::][Risk: ** DNS packet larger than 512 bytes **][Risk Score: 50][PLAIN TEXT (weberlab)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0] - 6 UDP 172.217.40.76:56680 <-> 193.24.227.238:53 [proto: 5.126/DNS.Google][Encrypted][cat: Web/5][1 pkts/82 bytes <-> 1 pkts/1514 bytes][Goodput ratio: 48/97][< 1 sec][Host: weberlab.de][::][Risk: ** DNS packet larger than 512 bytes **][Risk Score: 50][PLAIN TEXT (weberlab)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0] - 7 UDP [2001:470:765b::a25:53]:4352 -> [2a00:1450:4013:c06::105]:1 [proto: 5/DNS][ClearText][cat: Network/14][1 pkts/1510 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][< 1 sec][Host: fg2.weberlab.de][194.247.4.10][Risk: ** DNS packet larger than 512 bytes **][Risk Score: 50][PLAIN TEXT (weberlab)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0] - 8 UDP [2001:470:765b::a25:53]:4352 -> [2a00:1450:4013:c03::10a]:1 [proto: 5/DNS][ClearText][cat: Network/14][1 pkts/1510 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][< 1 sec][Host: pa.weberlab.de][2001:470:1f0b:1024::2][Risk: ** DNS packet larger than 512 bytes **][Risk Score: 50][PLAIN TEXT (weberlab)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0] - 9 UDP [2001:470:765b::a25:53]:4352 -> [2001:470:1f0b:16b0:20c:29ff:fe7c:a4cb]:1 [proto: 5/DNS][ClearText][cat: Network/14][1 pkts/1494 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][< 1 sec][Host: weberlab.de][::][Risk: ** DNS packet larger than 512 bytes **][Risk Score: 50][PLAIN TEXT (weberlab)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0] + 3 UDP 173.194.169.104:59464 <-> 193.24.227.238:53 [proto: 5.126/DNS.Google][Encrypted][cat: Web/5][1 pkts/101 bytes <-> 1 pkts/1514 bytes][Goodput ratio: 58/97][< 1 sec][Host: fg2.weberlab.de][194.247.4.10][Risk: ** DNS packet larger than 512 bytes **** Fragmented DNS message **][Risk Score: 100][PLAIN TEXT (weberlab)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0] + 4 UDP 194.247.5.6:51791 <-> 193.24.227.238:53 [proto: 5/DNS][ClearText][cat: Network/14][1 pkts/94 bytes <-> 1 pkts/1514 bytes][Goodput ratio: 55/97][0.01 sec][Host: weberlab.de][::][Risk: ** DNS packet larger than 512 bytes **** Fragmented DNS message **][Risk Score: 100][PLAIN TEXT (weberlab)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0] + 5 UDP 74.125.47.136:59330 <-> 193.24.227.238:53 [proto: 5.126/DNS.Google][Encrypted][cat: Web/5][1 pkts/82 bytes <-> 1 pkts/1514 bytes][Goodput ratio: 48/97][0.00 sec][Host: weberlab.de][::][Risk: ** DNS packet larger than 512 bytes **** Fragmented DNS message **][Risk Score: 100][PLAIN TEXT (weberlab)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0] + 6 UDP 172.217.40.76:56680 <-> 193.24.227.238:53 [proto: 5.126/DNS.Google][Encrypted][cat: Web/5][1 pkts/82 bytes <-> 1 pkts/1514 bytes][Goodput ratio: 48/97][< 1 sec][Host: weberlab.de][::][Risk: ** DNS packet larger than 512 bytes **** Fragmented DNS message **][Risk Score: 100][PLAIN TEXT (weberlab)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0] + 7 UDP [2001:470:765b::a25:53]:4352 -> [2a00:1450:4013:c06::105]:1 [proto: 5/DNS][ClearText][cat: Network/14][1 pkts/1510 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][< 1 sec][Host: fg2.weberlab.de][194.247.4.10][Risk: ** DNS packet larger than 512 bytes **** Fragmented DNS message **][Risk Score: 100][PLAIN TEXT (weberlab)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0] + 8 UDP [2001:470:765b::a25:53]:4352 -> [2a00:1450:4013:c03::10a]:1 [proto: 5/DNS][ClearText][cat: Network/14][1 pkts/1510 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][< 1 sec][Host: pa.weberlab.de][2001:470:1f0b:1024::2][Risk: ** DNS packet larger than 512 bytes **** Fragmented DNS message **][Risk Score: 100][PLAIN TEXT (weberlab)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0] + 9 UDP [2001:470:765b::a25:53]:4352 -> [2001:470:1f0b:16b0:20c:29ff:fe7c:a4cb]:1 [proto: 5/DNS][ClearText][cat: Network/14][1 pkts/1494 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][< 1 sec][Host: weberlab.de][::][Risk: ** DNS packet larger than 512 bytes **** Fragmented DNS message **][Risk Score: 100][PLAIN TEXT (weberlab)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0] 10 UDP [2a00:1450:400c:c00::106]:54430 <-> [2001:470:765b::a25:53]:53 [proto: 5/DNS][ClearText][cat: Network/14][1 pkts/121 bytes <-> 1 pkts/886 bytes][Goodput ratio: 48/93][0.00 sec][Host: fg2.weberlab.de][::][Risk: ** DNS packet larger than 512 bytes **][Risk Score: 50][PLAIN TEXT (weberlab)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 11 UDP [2a00:1450:4013:c05::10e]:34944 <-> [2001:470:765b::a25:53]:53 [proto: 5/DNS][ClearText][cat: Network/14][1 pkts/121 bytes <-> 1 pkts/886 bytes][Goodput ratio: 48/93][< 1 sec][Host: fg2.weberlab.de][::][Risk: ** DNS packet larger than 512 bytes **][Risk Score: 50][PLAIN TEXT (weberlab)][Plen Bins: 0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 12 UDP [2001:470:1f0b:16b0:20c:29ff:fe7c:a4cb]:33592 <-> [2001:470:765b::a25:53]:53 [proto: 5/DNS][ClearText][cat: Network/14][1 pkts/123 bytes <-> 1 pkts/300 bytes][Goodput ratio: 49/79][0.01 sec][Host: fg2-mgmt.weberlab.de][2001:470:1f0b:16b0::1][PLAIN TEXT (weberlab)][Plen Bins: 0,50,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/wireshark/ndpi.lua b/wireshark/ndpi.lua index 643dc3235..9b168f580 100644 --- a/wireshark/ndpi.lua +++ b/wireshark/ndpi.lua @@ -74,9 +74,9 @@ flow_risks[32] = ProtoField.bool("ndpi.flow_risk.cert_validity_too_long", "TLS c flow_risks[33] = ProtoField.bool("ndpi.flow_risk.suspicious_extension", "TLS suspicious extension", num_bits_flow_risks, nil, bit(1), "nDPI Flow Risk: TLS suspicious extension") flow_risks[34] = ProtoField.bool("ndpi.flow_risk.fatal_alert", "TLS fatal alert detected", num_bits_flow_risks, nil, bit(2), "nDPI Flow Risk: TLS fatal alert") flow_risks[35] = ProtoField.bool("ndpi.flow_risk.suspicious_entropy", "Suspicious entropy", num_bits_flow_risks, nil, bit(3), "nDPI Flow Risk: suspicious entropy") -flow_risks[36] = ProtoField.bool("ndpi.flow_risk.clear_text_credentials", "Cleat-Text credentials", num_bits_flow_risks, nil, bit(3), "nDPI Flow Risk: cleat-text credentials") -flow_risks[37] = ProtoField.bool("ndpi.flow_risk.dns_large_packet", "DNS large packet", num_bits_flow_risks, nil, bit(4), "nDPI Flow Risk: DNS packet is larger than 512 bytes") -flow_risks[38] = ProtoField.bool("ndpi.flow_risk.dns_fragmented", "DNS fragmented", num_bits_flow_risks, nil, bit(5), "nDPI Flow Risk: DNS message is fragmented") +flow_risks[36] = ProtoField.bool("ndpi.flow_risk.clear_text_credentials", "Cleat-Text credentials", num_bits_flow_risks, nil, bit(4), "nDPI Flow Risk: cleat-text credentials") +flow_risks[37] = ProtoField.bool("ndpi.flow_risk.dns_large_packet", "DNS large packet", num_bits_flow_risks, nil, bit(5), "nDPI Flow Risk: DNS packet is larger than 512 bytes") +flow_risks[38] = ProtoField.bool("ndpi.flow_risk.dns_fragmented", "DNS fragmented", num_bits_flow_risks, nil, bit(6), "nDPI Flow Risk: DNS message is fragmented") -- Last one: keep in sync the bitmask when adding new risks!! flow_risks[64] = ProtoField.new("Unused", "ndpi.flow_risk.unused", ftypes.UINT32, nil, base.HEX, bit(32) - bit(7)) |