-rw-r--r--python/ndpi.py1
-rw-r--r--src/include/ndpi_typedefs.h2
-rw-r--r--src/lib/ndpi_main.c16
-rw-r--r--src/lib/ndpi_utils.c3
-rw-r--r--src/lib/protocols/ftp_control.c7
-rw-r--r--src/lib/protocols/http.c7
-rw-r--r--src/lib/protocols/mail_imap.c2
-rw-r--r--src/lib/protocols/mail_pop.c6
-rw-r--r--src/lib/protocols/mail_smtp.c4
-rw-r--r--tests/pcap/http_auth.pcapbin0 -> 21126 bytes
-rw-r--r--tests/result/ftp.pcap.out2
-rw-r--r--tests/result/fuzz-2006-09-29-28586.pcap.out2
-rw-r--r--tests/result/http_auth.pcap.out7
-rw-r--r--tests/result/irc.pcap.out2
-rw-r--r--wireshark/ndpi.lua2
15 files changed, 56 insertions, 7 deletions
diff --git a/python/ndpi.py b/python/ndpi.py
index 8746e4f71..fb5c8af2c 100644
--- a/python/ndpi.py
+++ b/python/ndpi.py
@@ -327,6 +327,7 @@ typedef enum {
NDPI_TLS_SUSPICIOUS_EXTENSION,
NDPI_TLS_FATAL_ALERT,
NDPI_SUSPICIOUS_ENTROPY,
+ NDPI_CLEAR_TEXT_CREDENTIALS,
/* Leave this as last member */
NDPI_MAX_RISK
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 8cb47b776..d11451ad1 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -105,6 +105,7 @@ typedef enum {
NDPI_TLS_SUSPICIOUS_EXTENSION,
NDPI_TLS_FATAL_ALERT,
NDPI_SUSPICIOUS_ENTROPY,
+ NDPI_CLEAR_TEXT_CREDENTIALS,
/* Leave this as last member */
NDPI_MAX_RISK /* must be <= 63 due to (**) */
@@ -898,6 +899,7 @@ struct ndpi_packet_struct {
struct ndpi_int_one_line_struct content_line;
struct ndpi_int_one_line_struct content_disposition_line;
struct ndpi_int_one_line_struct accept_line;
+ struct ndpi_int_one_line_struct authorization_line;
struct ndpi_int_one_line_struct user_agent_line;
struct ndpi_int_one_line_struct http_url_name;
struct ndpi_int_one_line_struct http_encoding;
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index d5a169eac..138d1777d 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -106,6 +106,7 @@ static ndpi_risk_info ndpi_known_risks[] = {
{ NDPI_TLS_SUSPICIOUS_EXTENSION, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE },
{ NDPI_TLS_FATAL_ALERT, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE },
{ NDPI_SUSPICIOUS_ENTROPY, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
+ { NDPI_CLEAR_TEXT_CREDENTIALS, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE },
/* Leave this as last member */
{ NDPI_MAX_RISK, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE }
@@ -5166,6 +5167,7 @@ void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_str,
static void ndpi_reset_packet_line_info(struct ndpi_packet_struct *packet) {
packet->parsed_lines = 0, packet->empty_line_position_set = 0, packet->host_line.ptr = NULL,
packet->host_line.len = 0, packet->referer_line.ptr = NULL, packet->referer_line.len = 0,
+ packet->authorization_line.len = 0,
packet->content_line.ptr = NULL, packet->content_line.len = 0, packet->accept_line.ptr = NULL,
packet->accept_line.len = 0, packet->user_agent_line.ptr = NULL, packet->user_agent_line.len = 0,
packet->http_url_name.ptr = NULL, packet->http_url_name.len = 0, packet->http_encoding.ptr = NULL,
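Review bot: The reset added in ndpi_reset_packet_line_info clears only `authorization_line.len`, while every neighbouring field clears both `ptr` and `len`, so `authorization_line.ptr` keeps whatever it pointed at for the previous packet. The new check in src/lib/protocols/http.c tests only `packet->authorization_line.ptr != NULL`, so a stale pointer would raise NDPI_CLEAR_TEXT_CREDENTIALS on later packets that carry no Authorization header at all. The added line should read `packet->authorization_line.ptr = NULL, packet->authorization_line.len = 0,`. The function body continues outside this hunk.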
@@ -5894,6 +5896,19 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str,
}
packet->http_num_headers++;
}
+
+ /* "Authorization:" header line in HTTP. */
+ if(packet->line[packet->parsed_lines].len > 15 &&
+ (strncasecmp((const char *) packet->line[packet->parsed_lines].ptr, "Authorization: ", 15) == 0)) {
+ packet->authorization_line.ptr = &packet->line[packet->parsed_lines].ptr[15];
+ packet->authorization_line.len = packet->line[packet->parsed_lines].len - 15;
+
+ while((packet->authorization_line.len > 0) && (packet->authorization_line.ptr[0] == ' '))
+ packet->authorization_line.len--, packet->authorization_line.ptr++;
+
+ packet->http_num_headers++;
+ }
+
/* "Content-Type:" header line in HTTP. */
if(packet->line[packet->parsed_lines].len > 14 &&
(strncasecmp((const char *) packet->line[packet->parsed_lines].ptr, "Content-Type: ", 14) == 0 ||
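Review bot: The new match requires the literal `"Authorization: "` with a space after the colon, so a request that sends `Authorization:Basic …` is never recorded and the clear-text-credentials risk is not raised for it. The whitespace after the colon is optional in HTTP, and the Content-Type handling further down already has a separate branch for the no-space form. Because the added `while` loop strips leading spaces anyway, the test could compare against `"Authorization:"` with length 14 (`len > 14`) and start the value at `ptr[14]`. The enclosing function starts and ends outside the hunk.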
@@ -5906,6 +5921,7 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str,
packet->http_num_headers++;
}
+
/* "Content-Type:" header line in HTTP AGAIN. Probably a bogus response without space after ":" */
if((packet->content_line.len == 0) && (packet->line[packet->parsed_lines].len > 13) &&
(strncasecmp((const char *) packet->line[packet->parsed_lines].ptr, "Content-type:", 13) == 0)) {
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index b1d1fcdb0..ed5ffd228 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1783,6 +1783,9 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
case NDPI_SUSPICIOUS_ENTROPY:
return("Suspicious entropy");
+ case NDPI_CLEAR_TEXT_CREDENTIALS:
+ return("Clear-text credentials");
+
default:
snprintf(buf, sizeof(buf), "%d", (int)risk);
return(buf);
diff --git a/src/lib/protocols/ftp_control.c b/src/lib/protocols/ftp_control.c
index 7bf35e719..55ea192b0 100644
--- a/src/lib/protocols/ftp_control.c
+++ b/src/lib/protocols/ftp_control.c
@@ -41,7 +41,8 @@ static void ndpi_int_ftp_control_add_connection(struct ndpi_detection_module_str
/* *************************************************************** */
-static int ndpi_ftp_control_check_request(struct ndpi_flow_struct *flow,
+static int ndpi_ftp_control_check_request(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow,
const u_int8_t *payload,
size_t payload_len) {
#ifdef FTP_DEBUG
@@ -52,6 +53,7 @@ static int ndpi_ftp_control_check_request(struct ndpi_flow_struct *flow,
ndpi_user_pwd_payload_copy((u_int8_t*)flow->protos.ftp_imap_pop_smtp.username,
sizeof(flow->protos.ftp_imap_pop_smtp.username), 5,
payload, payload_len);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
return 1;
}
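Review bot: The `ndpi_set_risk(…, NDPI_CLEAR_TEXT_CREDENTIALS)` call sits in the request-matching helper, which runs at stage 0 before the flow has been confirmed as FTP, so any flow that merely begins with a USER-like command is marked high risk. The updated tests/result/irc.pcap.out on this page shows an IRC flow (`PLAIN TEXT (USER xx)`) gaining the risk although no IRC code is touched, which presumably comes from this path or the matching USER branch in src/lib/protocols/mail_pop.c. Consider raising the risk only once the protocol is confirmed, or add a comment stating that flagging tentative matches is intended. The function body continues outside this hunk.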
@@ -602,7 +604,8 @@ static void ndpi_check_ftp_control(struct ndpi_detection_module_struct *ndpi_str
if(flow->ftp_control_stage == 0) {
NDPI_LOG_DBG2(ndpi_struct, "FTP_CONTROL stage 0: \n");
- if((payload_len > 0) && ndpi_ftp_control_check_request(flow, packet->payload, payload_len)) {
+ if((payload_len > 0) && ndpi_ftp_control_check_request(ndpi_struct,
+ flow, packet->payload, payload_len)) {
NDPI_LOG_DBG2(ndpi_struct,
"Possible FTP_CONTROL request detected, we will look further for the response..\n");
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 1a3e2e357..0da3a16e7 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -625,6 +625,13 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
}
}
+ /* check for authorization line */
+ if(packet->authorization_line.ptr != NULL) {
+ NDPI_LOG_DBG2(ndpi_struct, "Authorization line found %.*s\n",
+ packet->authorization_line.len, packet->authorization_line.ptr);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
+ }
+
if(packet->content_line.ptr != NULL && packet->content_line.len != 0) {
NDPI_LOG_DBG2(ndpi_struct, "Content Type line found %.*s\n",
packet->content_line.len, packet->content_line.ptr);
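Review bot: The added NDPI_LOG_DBG2 call prints the whole Authorization header value, which for Basic authentication is the base64-encoded username and password, so enabling debug logging copies the credentials into the log. Logging only the presence or size is enough for debugging, e.g. `NDPI_LOG_DBG2(ndpi_struct, "Authorization line found (%u bytes)\n", (unsigned)packet->authorization_line.len);`. The condition also tests only `ptr`, unlike the `content_line` check just below, which also requires `len != 0`; using `packet->authorization_line.ptr != NULL && packet->authorization_line.len != 0` would keep the two consistent. The risk is raised for every scheme, including ones such as Digest that do not send the password itself, and a comment saying whether that is intended would help.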
diff --git a/src/lib/protocols/mail_imap.c b/src/lib/protocols/mail_imap.c
index 7fc50c4b7..5810ec219 100644
--- a/src/lib/protocols/mail_imap.c
+++ b/src/lib/protocols/mail_imap.c
@@ -162,6 +162,8 @@ void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct,
/* xxxx LOGIN "username" "password" */
char str[256], *item;
u_int len = packet->payload_packet_len >= sizeof(str) ? sizeof(str)-1 : packet->payload_packet_len;
+
+ ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
strncpy(str, (const char*)packet->payload, len);
str[len] = '\0';
diff --git a/src/lib/protocols/mail_pop.c b/src/lib/protocols/mail_pop.c
index feb2757a2..e522fc187 100644
--- a/src/lib/protocols/mail_pop.c
+++ b/src/lib/protocols/mail_pop.c
@@ -80,7 +80,8 @@ static int ndpi_int_mail_pop_check_for_client_commands(struct ndpi_detection_mod
ndpi_user_pwd_payload_copy((u_int8_t*)flow->protos.ftp_imap_pop_smtp.username,
sizeof(flow->protos.ftp_imap_pop_smtp.username), 5,
packet->payload, packet->payload_packet_len);
-
+
+ ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
flow->l4.tcp.pop_command_bitmask |= POP_BIT_USER;
return 1;
} else if((packet->payload[0] == 'P' || packet->payload[0] == 'p')
@@ -90,7 +91,8 @@ static int ndpi_int_mail_pop_check_for_client_commands(struct ndpi_detection_mod
ndpi_user_pwd_payload_copy((u_int8_t*)flow->protos.ftp_imap_pop_smtp.password,
sizeof(flow->protos.ftp_imap_pop_smtp.password), 5,
packet->payload, packet->payload_packet_len);
-
+
+ ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
flow->l4.tcp.pop_command_bitmask |= POP_BIT_PASS;
return 1;
} else if((packet->payload[0] == 'C' || packet->payload[0] == 'c')
diff --git a/src/lib/protocols/mail_smtp.c b/src/lib/protocols/mail_smtp.c
index 66e4cc0f0..256026c25 100644
--- a/src/lib/protocols/mail_smtp.c
+++ b/src/lib/protocols/mail_smtp.c
@@ -187,6 +187,8 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_free(out);
}
+
+ ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
} else if(flow->protos.ftp_imap_pop_smtp.password[0] == '\0') {
/* Password */
u_int8_t buf[48];
@@ -210,6 +212,8 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_free(out);
}
+
+ ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
} else {
flow->host_server_name[0] = '\0';
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
diff --git a/tests/pcap/http_auth.pcap b/tests/pcap/http_auth.pcap
new file mode 100644
index 000000000..44dc8cd2a
--- /dev/null
+++ b/tests/pcap/http_auth.pcap
Binary files differ
diff --git a/tests/result/ftp.pcap.out b/tests/result/ftp.pcap.out
index a6dc5da4c..fd2971f57 100644
--- a/tests/result/ftp.pcap.out
+++ b/tests/result/ftp.pcap.out
@@ -6,7 +6,7 @@ Unknown 1115 1122198 1
FTP_CONTROL 68 5571 1
FTP_DATA 9 1819 1
- 1 TCP 192.168.1.212:50694 <-> 90.130.70.73:21 [proto: 1/FTP_CONTROL][ClearText][cat: Download/7][41 pkts/2892 bytes <-> 27 pkts/2679 bytes][Goodput ratio: 6/33][8.48 sec][User: anonymous][Pwd: NcFTP@][bytes ratio: 0.038 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 236/108 4743/1377 849/305][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 71/99 96/307 7/45][Risk: ** Unsafe Protocol **][Risk Score: 10][PLAIN TEXT (vsFTPd 3.0.3)][Plen Bins: 74,18,5,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 1 TCP 192.168.1.212:50694 <-> 90.130.70.73:21 [proto: 1/FTP_CONTROL][ClearText][cat: Download/7][41 pkts/2892 bytes <-> 27 pkts/2679 bytes][Goodput ratio: 6/33][8.48 sec][User: anonymous][Pwd: NcFTP@][bytes ratio: 0.038 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 236/108 4743/1377 849/305][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 71/99 96/307 7/45][Risk: ** Unsafe Protocol **** Clear-text credentials **][Risk Score: 110][PLAIN TEXT (vsFTPd 3.0.3)][Plen Bins: 74,18,5,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
2 TCP 192.168.1.212:50695 <-> 90.130.70.73:25685 [proto: 175/FTP_DATA][ClearText][cat: Download/7][5 pkts/342 bytes <-> 4 pkts/1477 bytes][Goodput ratio: 0/82][0.09 sec][bytes ratio: -0.624 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/28 14/28 29/29 14/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/369 78/1271 5/521][Risk: ** Known protocol on non standard port **][Risk Score: 10][PLAIN TEXT ( 1 0 0 1073741)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/fuzz-2006-09-29-28586.pcap.out b/tests/result/fuzz-2006-09-29-28586.pcap.out
index 98aae9104..3d6b5b03f 100644
--- a/tests/result/fuzz-2006-09-29-28586.pcap.out
+++ b/tests/result/fuzz-2006-09-29-28586.pcap.out
@@ -10,7 +10,7 @@ Cloudflare 1 854 1
1 TCP 172.20.3.5:2601 <-> 172.20.3.13:80 [proto: 7/HTTP][ClearText][cat: Web/5][9 pkts/6343 bytes <-> 4 pkts/409 bytes][Goodput ratio: 92/46][11.25 sec][bytes ratio: 0.879 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/104 67/128 469/152 164/24][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 705/102 1514/243 721/81][PLAIN TEXT (POST /servlets/mms HTTP/1.1)][Plen Bins: 16,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,67,0,0]
2 TCP 172.20.3.5:2606 <-> 172.20.3.13:80 [proto: 7/HTTP][ClearText][cat: Web/5][8 pkts/2287 bytes <-> 5 pkts/2963 bytes][Goodput ratio: 80/91][11.18 sec][Host: 172.20.3.13][bytes ratio: -0.129 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 58/58 177/172 83/81][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 286/593 1514/1514 478/662][URL: 172.20.3.13/servlets/mms?message-id=189301][StatusCode: 0][Risk: ** HTTP Numeric IP Address **][Risk Score: 10][PLAIN TEXT (GET /servlets/mms)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,50,0,0]
3 TCP 172.20.3.5:2604 <-> 172.20.3.13:80 [proto: 7/HTTP][ClearText][cat: Web/5][5 pkts/1754 bytes <-> 4 pkts/583 bytes][Goodput ratio: 83/62][11.17 sec][Host: 172.20.3.13][bytes ratio: 0.501 (Upload)][IAT c2s/s2c min/avg/max/stddev: 307/81 2793/3724 10864/10997 4662/5143][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 351/146 1514/417 582/157][URL: 172.20.3.13/servlets/mms?message-id=189001][StatusCode: 200][User-Agent: SonyEricssonT68/R201A][Risk: ** HTTP Numeric IP Address **][Risk Score: 10][PLAIN TEXT (GET /servlets/mms)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0]
- 4 TCP 172.20.3.13:53132 <-> 172.20.3.5:80 [proto: 7/HTTP][ClearText][cat: Web/5][9 pkts/1650 bytes <-> 4 pkts/240 bytes][Goodput ratio: 70/0][5.14 sec][Host: %s][bytes ratio: 0.746 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 734/1 4911/1 1706/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 183/60 894/60 270/0][URL: %s][StatusCode: 0][Req Content-Type: multipart/related][User-Agent: MMS-Relay-DeliveryInitiator][PLAIN TEXT (POST /ppgctrl/ppgcontrollogic.d)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 4 TCP 172.20.3.13:53132 <-> 172.20.3.5:80 [proto: 7/HTTP][ClearText][cat: Web/5][9 pkts/1650 bytes <-> 4 pkts/240 bytes][Goodput ratio: 70/0][5.14 sec][Host: %s][bytes ratio: 0.746 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 734/1 4911/1 1706/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 183/60 894/60 270/0][URL: %s][StatusCode: 0][Req Content-Type: multipart/related][User-Agent: MMS-Relay-DeliveryInitiator][Risk: ** Clear-text credentials **][Risk Score: 100][PLAIN TEXT (POST /ppgctrl/ppgcontrollogic.d)][Plen Bins: 0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
5 TCP 172.20.3.5:2602 <-> 172.20.3.13:80 [proto: 7/HTTP][ClearText][cat: Web/5][4 pkts/942 bytes <-> 4 pkts/703 bytes][Goodput ratio: 75/69][11.10 sec][Host: 172.20.3.13][bytes ratio: 0.145 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/106 3699/5548 10844/10989 5054/5442][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 236/176 762/541 304/211][URL: 172.20.3.13.servlets/mms][StatusCode: 200][Req Content-Type: application/xml][Content-Type: application/xml][Risk: ** HTTP Numeric IP Address **][Risk Score: 10][PLAIN TEXT (POST .servlets/mms HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
6 TCP 172.20.3.13:53136 <-> 172.20.3.5:80 [proto: 7/HTTP][ClearText][cat: Web/5][5 pkts/586 bytes <-> 6 pkts/999 bytes][Goodput ratio: 54/66][5.21 sec][bytes ratio: -0.261 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/96 1737/1302 4910/5010 2247/2141][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 117/166 370/481 126/150][PLAIN TEXT (POST /ppgctrl/ppgcon)][Plen Bins: 0,0,25,0,25,0,0,0,0,25,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
7 TCP 172.20.3.5:9587 -> 172.20.3.13:80 [proto: 7/HTTP][ClearText][cat: Web/5][1 pkts/1514 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][< 1 sec][PLAIN TEXT (POST /servlets/mms HTTP/)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0]
diff --git a/tests/result/http_auth.pcap.out b/tests/result/http_auth.pcap.out
new file mode 100644
index 000000000..8284b1582
--- /dev/null
+++ b/tests/result/http_auth.pcap.out
@@ -0,0 +1,7 @@
+Guessed flow protos: 0
+
+DPI Packets (TCP): 6 (6.00 pkts/flow)
+
+HTTP 33 20574 1
+
+ 1 TCP 192.168.0.4:54337 <-> 192.254.189.169:80 [proto: 7/HTTP][ClearText][cat: Web/5][14 pkts/1675 bytes <-> 19 pkts/18899 bytes][Goodput ratio: 44/93][7.10 sec][Host: browserspy.dk][bytes ratio: -0.837 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 204/31 1269/206 376/69][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 120/995 805/1514 190/642][URL: browserspy.dk/password-ok.php][StatusCode: 401][Content-Type: text/html][User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36][Risk: ** Clear-text credentials **][Risk Score: 100][PLAIN TEXT (GET /password)][Plen Bins: 0,0,6,0,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,6,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,0,0]
diff --git a/tests/result/irc.pcap.out b/tests/result/irc.pcap.out
index a28b819b1..503f63ef8 100644
--- a/tests/result/irc.pcap.out
+++ b/tests/result/irc.pcap.out
@@ -4,4 +4,4 @@ DPI Packets (TCP): 7 (7.00 pkts/flow)
IRC 29 8945 1
- 1 TCP 10.180.156.249:45921 <-> 38.229.70.20:8000 [proto: 65/IRC][ClearText][cat: Chat/9][14 pkts/1046 bytes <-> 15 pkts/7899 bytes][Goodput ratio: 11/87][14.57 sec][bytes ratio: -0.766 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1314/1206 8864/8864 2852/2736][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 75/527 107/1514 14/611][Risk: ** Known protocol on non standard port **** Unsafe Protocol **][Risk Score: 20][PLAIN TEXT (USER xx)][Plen Bins: 13,41,6,0,0,0,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26,0,0]
+ 1 TCP 10.180.156.249:45921 <-> 38.229.70.20:8000 [proto: 65/IRC][ClearText][cat: Chat/9][14 pkts/1046 bytes <-> 15 pkts/7899 bytes][Goodput ratio: 11/87][14.57 sec][bytes ratio: -0.766 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1314/1206 8864/8864 2852/2736][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 75/527 107/1514 14/611][Risk: ** Known protocol on non standard port **** Unsafe Protocol **** Clear-text credentials **][Risk Score: 120][PLAIN TEXT (USER xx)][Plen Bins: 13,41,6,0,0,0,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26,0,0]
diff --git a/wireshark/ndpi.lua b/wireshark/ndpi.lua
index 12347dff0..d2737ac71 100644
--- a/wireshark/ndpi.lua
+++ b/wireshark/ndpi.lua
@@ -74,6 +74,8 @@ flow_risks[32] = ProtoField.bool("ndpi.flow_risk.cert_validity_too_long", "TLS c
flow_risks[33] = ProtoField.bool("ndpi.flow_risk.suspicious_extension", "TLS suspicious extension", num_bits_flow_risks, nil, bit(1), "nDPI Flow Risk: TLS suspicious extension")
flow_risks[34] = ProtoField.bool("ndpi.flow_risk.fatal_alert", "TLS fatal alert detected", num_bits_flow_risks, nil, bit(2), "nDPI Flow Risk: TLS fatal alert")
flow_risks[35] = ProtoField.bool("ndpi.flow_risk.suspicious_entropy", "Suspicious entropy", num_bits_flow_risks, nil, bit(3), "nDPI Flow Risk: suspicious entropy")
+flow_risks[36] = ProtoField.bool("ndpi.flow_risk.clear_text_credentials", "Cleat-Text credentials", num_bits_flow_risks, nil, bit(3), "nDPI Flow Risk: cleat-text credentials")
+
-- Last one: keep in sync the bitmask when adding new risks!!
flow_risks[64] = ProtoField.new("Unused", "ndpi.flow_risk.unused", ftypes.UINT32, nil, base.HEX, bit(32) - bit(4))
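Review bot: The new `flow_risks[36]` field reuses `bit(3)`, the same mask as `flow_risks[35]` (suspicious entropy), so the dissector would show the entropy bit under the clear-text-credentials label. Following the 33/34/35 sequence it should presumably be `bit(4)`, and the "Unused" mask on the last line should then become `bit(32) - bit(5)`, as the "keep in sync the bitmask" comment asks. The label and description are also misspelled: `"Cleat-Text credentials"` and `"cleat-text credentials"` should read "Clear-Text" / "clear-text".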