-rw-r--r-- | src/lib/protocols/ssh.c | 86 | ||||
-rw-r--r-- | tests/result/KakaoTalk_chat.pcap.out | 2 | ||||
-rw-r--r-- | tests/result/instagram.pcap.out | 2 |
3 files changed, 48 insertions, 42 deletions
diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c
index 8f2eecb9a..5bdf78959 100644
--- a/src/lib/protocols/ssh.c
+++ b/src/lib/protocols/ssh.c
@@ -60,8 +60,34 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct
 /* ************************************************************************ */
+static int search_ssh_again(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
+ ndpi_search_ssh_tcp(ndpi_struct, flow);
+
+ if((flow->protos.ssh.hassh_client[0] != '\0')
+ && (flow->protos.ssh.hassh_server[0] != '\0')) {
+ /* stop extra processing */
+ flow->extra_packets_func = NULL; /* We're good now */
+ return(0);
+ }
+
+ /* Possibly more processing */
+ return(1);
+}
+
+/* ************************************************************************ */
+
 static void ndpi_int_ssh_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
+ if(flow->extra_packets_func != NULL)
+ return;
+
+ flow->guessed_host_protocol_id = flow->guessed_protocol_id = NDPI_PROTOCOL_SSH;
+
+ /* This is necessary to inform the core to call this dissector again */
+ flow->check_extra_packets = 1;
+ flow->max_extra_packets_to_check = 12;
+ flow->extra_packets_func = search_ssh_again;
+
 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSH, NDPI_PROTOCOL_UNKNOWN);
 }
@@ -185,7 +211,7 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
 /* ssh.languages_server_to_client [None] */
 #ifdef SSH_DEBUG
- printf("\n[SSH] %s\n", buf);
+ printf("[SSH] %s\n", buf);
 #endif
 return(buf_out_len);
@@ -193,7 +219,7 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet,
 invalid_payload:
 #ifdef SSH_DEBUG
- printf("\n[SSH] Invalid packet payload\n");
+ printf("[SSH] Invalid packet payload\n");
 #endif
 return(0);
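Review bot: `search_ssh_again` repeats the completion test that the new code also performs inside `ndpi_search_ssh_tcp` (the `hassh_client[0] != '\0' && hassh_server[0] != '\0'` block in the `@@ -347,11 +350,14 @@` hunk), so the wrapper can be reduced to reporting whether the callback is still installed: `ndpi_search_ssh_tcp(ndpi_struct, flow);` followed by `return(flow->extra_packets_func != NULL);`. That leaves a single place deciding when hassh extraction is finished, provided that inner block is the only path that fills both hashes. The early return at the top of `ndpi_int_ssh_add_connection` now also decides whether the flow gets marked as detected, so it deserves a comment such as `/* Already registered for extra packets: detection was done at banner time */`. The new budget `12` replaces the old `8` without explanation; a comment saying what it is meant to cover (presumably both banners plus each peer's KEXINIT, possibly split across segments — to be confirmed) would make the number reviewable.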
@@ -215,27 +241,11 @@ static void ndpi_ssh_zap_cr(char *str, int len) {
 /* ************************************************************************ */
-static int search_ssh_again(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
- ndpi_search_ssh_tcp(ndpi_struct, flow);
-
- if((flow->protos.ssh.hassh_client[0] != '\0')
- && (flow->protos.ssh.hassh_server[0] == '\0')) {
- /* stop extra processing */
- flow->extra_packets_func = NULL; /* We're good now */
- return(0);
- }
-
- /* Possibly more processing */
- return(1);
-}
-
-/* ************************************************************************ */
-
 static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
 struct ndpi_packet_struct *packet = &flow->packet;
 #ifdef SSH_DEBUG
- printf("\n[SSH] [stage: %u]\n", flow->l4.tcp.ssh_stage);
+ printf("[SSH] %s()\n", __FUNCTION__);
 #endif
 if(flow->l4.tcp.ssh_stage == 0) {
@@ -249,20 +259,13 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct
 ndpi_ssh_zap_cr(flow->protos.ssh.client_signature, len);
 #ifdef SSH_DEBUG
- printf("\n[SSH] [client_signature: %s]\n", flow->protos.ssh.client_signature);
+ printf("[SSH] [client_signature: %s]\n", flow->protos.ssh.client_signature);
 #endif
 }
 NDPI_LOG_DBG2(ndpi_struct, "ssh stage 0 passed\n");
 flow->l4.tcp.ssh_stage = 1 + packet->packet_direction;
- flow->guessed_host_protocol_id = flow->guessed_protocol_id = NDPI_PROTOCOL_SSH;
 ndpi_int_ssh_add_connection(ndpi_struct, flow);
-
- /* This is necessary to inform the core to call this dissector again */
- flow->check_extra_packets = 1;
- flow->max_extra_packets_to_check = 8;
- flow->extra_packets_func = search_ssh_again;
-
 return;
 }
 } else if(flow->l4.tcp.ssh_stage == (2 - packet->packet_direction)) {
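Review bot: The new entry trace in `ndpi_search_ssh_tcp` uses the GCC-specific `__FUNCTION__` and drops the stage value the line it replaces used to print, which is the one piece of state that explains why the function took a given branch. The C99 form with the stage restored would be `printf("[SSH] %s() [stage: %u]\n", __func__, flow->l4.tcp.ssh_stage);`. The function's body continues well past this hunk.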
@@ -276,7 +279,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct
 ndpi_ssh_zap_cr(flow->protos.ssh.server_signature, len);
 #ifdef SSH_DEBUG
- printf("\n[SSH] [server_signature: %s]\n", flow->protos.ssh.server_signature);
+ printf("[SSH] [server_signature: %s]\n", flow->protos.ssh.server_signature);
 #endif
 NDPI_LOG_DBG2(ndpi_struct, "ssh stage 1 passed\n");
@@ -287,7 +290,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct
 }
 #ifdef SSH_DEBUG
- printf("\n[SSH] [completed stage: %u]\n", flow->l4.tcp.ssh_stage);
+ printf("[SSH] [completed stage: %u]\n", flow->l4.tcp.ssh_stage);
 #endif
 flow->l4.tcp.ssh_stage = 3;
@@ -297,16 +300,16 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct
 u_int8_t msgcode = *(packet->payload + 5);
 ndpi_MD5_CTX ctx;
-#ifdef SSH_DEBUG
- printf("\n[SSH] [stage: %u][msg: %u]\n", flow->l4.tcp.ssh_stage, msgcode);
-#endif
-
 if(msgcode == 20 /* key exchange init */) {
 char *hassh_buf = calloc(packet->payload_packet_len, sizeof(char));
 u_int i, len;
+#ifdef SSH_DEBUG
+ printf("[SSH] [stage: %u][msg: %u][direction: %u][key exchange init]\n", flow->l4.tcp.ssh_stage, msgcode, packet->packet_direction);
+#endif
+
 if(hassh_buf) {
- if(flow->l4.tcp.ssh_stage == 3) {
+ if(packet->packet_direction == 0 /* client */) {
 u_char fingerprint_client[16];
 len = concat_hash_string(packet, hassh_buf, 1 /* client */);
@@ -317,7 +320,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct
 #ifdef SSH_DEBUG
 {
- printf("\n[SSH] [client][%s][", hassh_buf);
+ printf("[SSH] [client][%s][", hassh_buf);
 for(i=0; i<16; i++) printf("%02X", fingerprint_client[i]);
 printf("]\n");
 }
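Review bot: `if(packet->packet_direction == 0 /* client */)` in the `@@ -297,16 +300,16 @@` hunk ties the client/server hassh attribution to the packet direction, while the banner stages of this same function accept the client banner from either direction (`ssh_stage = 1 + packet->packet_direction` and the `2 - packet->packet_direction` test). For a flow whose first observed packet comes from the server side, the two KEXINIT messages would land in the wrong `hassh_client`/`hassh_server` fields, and the old `ssh_stage == 3` test had the mirror problem of depending on which peer sends KEXINIT first. If a spare flow field is available, record at stage 0 the direction that carried the client banner and compare against it here, `if(packet->packet_direction == <direction recorded at stage 0>)`, so attribution matches what the banner parsing already decided. The `msgcode = *(packet->payload + 5)` read relies on a length check in the enclosing condition, which lies outside this hunk.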
@@ -335,7 +338,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct
 #ifdef SSH_DEBUG
 {
- printf("\n[SSH] [server][%s][", hassh_buf);
+ printf("[SSH] [server][%s][", hassh_buf);
 for(i=0; i<16; i++) printf("%02X", fingerprint_server[i]);
 printf("]\n");
 }
@@ -347,11 +350,14 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct
 free(hassh_buf);
 }
- }
- if(flow->l4.tcp.ssh_stage++ == 4) {
- NDPI_LOG_INFO(ndpi_struct, "found ssh\n");
 ndpi_int_ssh_add_connection(ndpi_struct, flow);
+ }
+
+ if((flow->protos.ssh.hassh_client[0] != '\0') && (flow->protos.ssh.hassh_server[0] != '\0')) {
+#ifdef SSH_DEBUG
+ printf("[SSH] Dissection completed\n");
+#endif
 flow->extra_packets_func = NULL; /* We're good now */
 }
@@ -359,7 +365,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct
 }
 #ifdef SSH_DEBUG
- printf("\n[SSH] Excluding SSH");
+ printf("[SSH] Excluding SSH");
 #endif
 NDPI_LOG_DBG(ndpi_struct, "excluding ssh at stage %d\n", flow->l4.tcp.ssh_stage);
diff --git a/tests/result/KakaoTalk_chat.pcap.out b/tests/result/KakaoTalk_chat.pcap.out
index ffb8495c9..2be2a505d 100644
--- a/tests/result/KakaoTalk_chat.pcap.out
+++ b/tests/result/KakaoTalk_chat.pcap.out
@@ -16,7 +16,7 @@ JA3 Host Stats: 1 TCP 10.24.82.188:43581 <-> 31.13.68.70:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][17 pkts/3461 bytes <-> 17 pkts/6194 bytes][bytes ratio: -0.283 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 33.1/57.0 123/297 41.2/77.4][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 203.6/364.4 1053/1336 304.3/448.8][TLSv1.2][Client: graph.facebook.com][JA3C: 051d20e8adbe8dac78945de300764d5e][Server: *.facebook.com][JA3S: 6806b8fe92d7d465715d771eb102ff04][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] 2 TCP 10.24.82.188:45211 <-> 31.13.68.84:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][14 pkts/2575 bytes <-> 15 pkts/6502 bytes][bytes ratio: -0.433 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 31.2/34.8 106/208 36.5/55.7][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 183.9/433.5 1257/1336 331.5/513.1][TLSv1.2][Client: developers.facebook.com][JA3C: 051d20e8adbe8dac78945de300764d5e][Server: *.facebook.com][JA3S: 6806b8fe92d7d465715d771eb102ff04][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] 3 TCP 10.24.82.188:45209 <-> 31.13.68.84:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][10 pkts/2584 bytes <-> 9 pkts/5123 bytes][bytes ratio: -0.329 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 95.6/75.0 312/350 98.3/119.1][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 258.4/569.2 1401/1456 416.1/539.9][TLSv1.2][Client: api.facebook.com][JA3C: 051d20e8adbe8dac78945de300764d5e][Server: *.facebook.com][JA3S: 6806b8fe92d7d465715d771eb102ff04][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: 
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256] - 4 TCP 10.24.82.188:35503 <-> 173.252.97.2:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][20 pkts/2849 bytes <-> 18 pkts/4742 bytes][bytes ratio: -0.249 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/4 410.8/374.9 2329/2320 582.3/599.4][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 142.4/263.4 710/1336 154.7/439.9][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][Server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][Organization: Facebook, Inc.][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA] + 4 TCP 10.24.82.188:35503 <-> 173.252.97.2:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][20 pkts/2849 bytes <-> 18 pkts/4742 bytes][bytes ratio: -0.249 (Download)][IAT c2s/s2c min/avg/max/stddev: 3/4 410.8/374.9 2329/2320 582.3/599.4][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 142.4/263.4 710/1336 154.7/439.9][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][Server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA] 5 TCP 10.24.82.188:45213 <-> 31.13.68.84:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][15 pkts/2508 bytes <-> 13 pkts/5053 bytes][bytes ratio: -0.337 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 71.3/71.2 489/365 131.0/103.2][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 167.2/388.7 899/1336 222.0/490.9][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][Server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA] 6 TCP 10.24.82.188:35511 <-> 173.252.97.2:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][18 pkts/2390 bytes <-> 18 pkts/4762 
bytes][bytes ratio: -0.332 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2049.7/118.1 26937/448 6904.3/126.7][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 132.8/264.6 578/1336 133.6/439.4][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][Server: *.facebook.com][JA3S: 6c13ac74a6f75099ef2480748e5d94d2][Organization: Facebook, Inc.][Certificate SHA-1: A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4][Validity: 2014-08-28 00:00:00 - 2015-10-28 12:00:00][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA] 7 TCP 10.24.82.188:37821 <-> 210.103.240.15:443 [proto: 91/TLS][cat: Web/5][13 pkts/2036 bytes <-> 14 pkts/5090 bytes][bytes ratio: -0.429 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1113.6/74.5 10357/172 3082.4/61.9][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 156.6/363.6 429/1336 151.9/450.9][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][Server: *.kakao.com][JA3S: 4192c0a946c5bd9b544b4656d9f624a4 (WEAK)][Organization: Kakao Corp.][Certificate SHA-1: 0D:14:6D:8D:5E:EB:F5:F5:42:87:CD:AB:AE:A1:DC:AA:5A:76:6F:E4][Validity: 2014-04-18 00:00:00 - 2016-04-17 23:59:59][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA] diff --git a/tests/result/instagram.pcap.out b/tests/result/instagram.pcap.out index 0cc0115fa..f1496cbcd 100644 --- a/tests/result/instagram.pcap.out +++ b/tests/result/instagram.pcap.out 
@@ -14,7 +14,7 @@ JA3 Host Stats: 1 TCP 31.13.86.52:80 <-> 192.168.0.103:58216 [proto: 7.119/HTTP.Facebook][cat: SocialNetwork/6][103 pkts/150456 bytes <-> 47 pkts/3102 bytes][bytes ratio: 0.960 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 18.6/40.9 1246/1247 136.9/216.6][Pkt Len c2s/s2c min/avg/max/stddev: 1128/66 1460.7/66.0 1464/66 32.9/0.0][PLAIN TEXT (dnlN/L)] 2 TCP 192.168.0.103:38816 <-> 46.33.70.160:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][13 pkts/1118 bytes <-> 39 pkts/57876 bytes][Host: photos-h.ak.instagram.com][bytes ratio: -0.962 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5.6/0.3 33/2 11.2/0.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/1484 86.0/1484.0 326/1484 69.3/0.0][URL: photos-h.ak.instagram.com/hphotos-ak-xap1/t51.2885-15/e35/10859994_1009433792434447_1627646062_n.jpg?se=7][StatusCode: 200][PLAIN TEXT (GET /hphotos)] 3 TCP 192.168.0.103:58052 <-> 82.85.26.162:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][37 pkts/2702 bytes <-> 38 pkts/54537 bytes][Host: photos-g.ak.instagram.com][bytes ratio: -0.906 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2.4/0.5 62/2 11.3/0.6][Pkt Len c2s/s2c min/avg/max/stddev: 66/396 73.0/1435.2 326/1484 42.2/209.5][URL: photos-g.ak.instagram.com/hphotos-ak-xaf1/t51.2885-15/e35/11417349_1610424452559638_1559096152_n.jpg?se=7][StatusCode: 200][PLAIN TEXT (GET /hphotos)] - 4 TCP 192.168.0.103:44379 <-> 82.85.26.186:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][41 pkts/3392 bytes <-> 40 pkts/50024 bytes][Host: photos-e.ak.instagram.com][bytes ratio: -0.873 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 244.3/12.2 7254/372 1260.5/65.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 82.7/1250.6 325/1484 55.7/506.8][URL: photos-e.ak.instagram.com/hphotos-ak-xaf1/t51.2885-15/e35/11379148_1449120228745316_607477962_n.jpg?se=7][StatusCode: 0][PLAIN TEXT (GET /hphotos)] + 4 TCP 192.168.0.103:44379 <-> 82.85.26.186:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][41 pkts/3392 bytes <-> 40 
pkts/50024 bytes][Host: photos-e.ak.instagram.com][bytes ratio: -0.873 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 244.3/12.2 7254/372 1260.5/65.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 82.7/1250.6 325/1484 55.7/506.8][URL: photos-e.ak.instagram.com/hphotos-ak-xaf1/t51.2885-15/e35/11379148_1449120228745316_607477962_n.jpg?se=7][StatusCode: 200][PLAIN TEXT (GET /hphotos)] 5 TCP 192.168.0.103:57936 <-> 82.85.26.162:80 [proto: 7.211/HTTP.Instagram][cat: SocialNetwork/6][24 pkts/1837 bytes <-> 34 pkts/48383 bytes][Host: photos-g.ak.instagram.com][bytes ratio: -0.927 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 27.5/0.3 321/2 76.4/0.5][Pkt Len c2s/s2c min/avg/max/stddev: 66/186 76.5/1423.0 319/1484 50.6/248.6][URL: photos-g.ak.instagram.com/hphotos-ak-xaf1/t51.2885-15/e15/11386524_110257619317430_379513654_n.jpg][StatusCode: 200][PLAIN TEXT (GET /hphotos)] 6 TCP 192.168.0.103:33936 <-> 31.13.93.52:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][34 pkts/5555 bytes <-> 34 pkts/40133 bytes][bytes ratio: -0.757 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 364.1/362.3 7669/7709 1462.3/1471.7][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 163.4/1180.4 1431/1464 317.9/494.8] 7 TCP 2.22.236.51:80 <-> 192.168.0.103:44151 [proto: 7/HTTP][cat: Web/5][25 pkts/37100 bytes <-> 24 pkts/1584 bytes][bytes ratio: 0.918 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1.2/1.3 7/7 1.7/1.7][Pkt Len c2s/s2c min/avg/max/stddev: 1484/66 1484.0/66.0 1484/66 0.0/0.0][PLAIN TEXT (inOCIM)] |