diff options
| -rw-r--r-- | src/lib/protocols/dns.c | 5 | ||||
| -rw-r--r-- | tests/cfgs/default/result/bad-dns-traffic.pcap.out | 6 | ||||
| -rw-r--r-- | tests/cfgs/default/result/dns-exf.pcap.out | 2 |
3 files changed, 6 insertions, 7 deletions
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 64e3a38d8..95f3626c9 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -773,14 +773,13 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st if(dot) { uintptr_t first_element_len = dot - _hostname; - if((first_element_len > 32) && (!is_mdns)) { + if((first_element_len > 48) && (!is_mdns)) { /* The lenght of the first element in the query is very long and this might be an issue or indicate an exfiltration */ - /* printf("**** %lu [%s][%s]\n", first_element_len, dot, _hostname); */ - ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_SUSPICIOUS_TRAFFIC, NULL); + ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_SUSPICIOUS_TRAFFIC, "Long DNS host name"); } } diff --git a/tests/cfgs/default/result/bad-dns-traffic.pcap.out b/tests/cfgs/default/result/bad-dns-traffic.pcap.out index c8233185b..a077f0098 100644 --- a/tests/cfgs/default/result/bad-dns-traffic.pcap.out +++ b/tests/cfgs/default/result/bad-dns-traffic.pcap.out @@ -25,6 +25,6 @@ DNS 382 99374 3 Acceptable 382 99374 3 - 1 UDP 192.168.43.91:56354 <-> 4.2.2.4:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Network/14][203 pkts/51588 bytes <-> 146 pkts/43285 bytes][Goodput ratio: 83/86][92.47 sec][Hostname/SNI: c75900fdf525320021636f6d6d616e64202873697276696d65732900.skullseclabs.org][::][bytes ratio: 0.088 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 6/15 482/284 1046/2080 456/471][Pkt Len c2s/s2c min/avg/max/stddev: 95/95 254/296 290/325 74/65][Risk: ** Susp DGA Domain name **** Susp DNS Traffic **** Risky Domain Name **][Risk Score: 250][Risk Info: 244300fdf525320021636f6d6d616e64202873697276696d65732900.skullseclabs.org / DGA Name Query with no Error Code][PLAIN TEXT (8244300)][Plen Bins: 0,5,5,0,0,0,0,50,39,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 UDP 192.168.43.91:35966 <-> 4.2.2.4:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 3][cat: Network/14][10 pkts/1125 bytes <-> 9 pkts/1293 bytes][Goodput ratio: 63/71][7.51 sec][Hostname/SNI: 958700a621c3620001636f6e736f6c65202873697276696d65732900.skullseclabs.org][::][bytes ratio: -0.069 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 78/49 782/776 1050/1358 405/481][Pkt Len c2s/s2c min/avg/max/stddev: 95/126 112/144 194/229 31/33][Risk: ** Susp DGA Domain name **** Susp DNS Traffic **** Risky Domain Name **][Risk Score: 250][Risk Info: 05e100a621c3620001636f6e736f6c65202873697276696d65732900.skullseclabs.org / DGA Name Query with no Error Code][PLAIN TEXT (3620001636f)][Plen Bins: 0,36,47,5,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 3 UDP 192.168.43.91:46961 <-> 4.2.2.4:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][7 pkts/926 bytes <-> 7 pkts/1157 bytes][Goodput ratio: 68/75][3.49 sec][Hostname/SNI: a05700e6da83510001636f6e736f6c65202873697276696d65732900.skullseclabs.org][::][bytes ratio: -0.111 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 87/56 668/645 1019/1049 428/481][Pkt Len c2s/s2c min/avg/max/stddev: 95/126 132/165 290/323 66/66][Risk: ** Susp DGA Domain name **** Susp DNS Traffic **** Risky Domain Name **][Risk Score: 250][Risk Info: a05700e6da83510001636f6e736f6c65202873697276696d65732900.skullseclabs.org / DGA Name Query with no Error Code][PLAIN TEXT (da83510001636)][Plen Bins: 0,28,42,14,0,0,0,7,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP 192.168.43.91:56354 <-> 4.2.2.4:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Network/14][203 pkts/51588 bytes <-> 146 pkts/43285 bytes][Goodput ratio: 83/86][92.47 sec][Hostname/SNI: c75900fdf525320021636f6d6d616e64202873697276696d65732900.skullseclabs.org][::][bytes ratio: 0.088 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 6/15 482/284 1046/2080 456/471][Pkt Len c2s/s2c min/avg/max/stddev: 95/95 254/296 290/325 74/65][Risk: ** Susp DGA Domain name **** Susp DNS Traffic **** Risky Domain Name **][Risk Score: 250][Risk Info: Long DNS host name / 244300fdf525320021636f6d6d616e64202873697276696d65732900.skullseclabs.org / DGA Name Query with no Error ][PLAIN TEXT (8244300)][Plen Bins: 0,5,5,0,0,0,0,50,39,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP 192.168.43.91:35966 <-> 4.2.2.4:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 3][cat: Network/14][10 pkts/1125 bytes <-> 9 pkts/1293 bytes][Goodput ratio: 63/71][7.51 sec][Hostname/SNI: 958700a621c3620001636f6e736f6c65202873697276696d65732900.skullseclabs.org][::][bytes ratio: -0.069 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 78/49 782/776 1050/1358 405/481][Pkt Len c2s/s2c min/avg/max/stddev: 95/126 112/144 194/229 31/33][Risk: ** Susp DGA Domain name **** Susp DNS Traffic **** Risky Domain Name **][Risk Score: 250][Risk Info: Long DNS host name / 05e100a621c3620001636f6e736f6c65202873697276696d65732900.skullseclabs.org / DGA Name Query with no Error ][PLAIN TEXT (3620001636f)][Plen Bins: 0,36,47,5,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 UDP 192.168.43.91:46961 <-> 4.2.2.4:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][7 pkts/926 bytes <-> 7 pkts/1157 bytes][Goodput ratio: 68/75][3.49 sec][Hostname/SNI: a05700e6da83510001636f6e736f6c65202873697276696d65732900.skullseclabs.org][::][bytes ratio: -0.111 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 87/56 668/645 1019/1049 428/481][Pkt Len c2s/s2c min/avg/max/stddev: 95/126 132/165 290/323 66/66][Risk: ** Susp DGA Domain name **** Susp DNS Traffic **** Risky Domain Name **][Risk Score: 250][Risk Info: Long DNS host name / a05700e6da83510001636f6e736f6c65202873697276696d65732900.skullseclabs.org / DGA Name Query with no Error ][PLAIN TEXT (da83510001636)][Plen Bins: 0,28,42,14,0,0,0,7,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/dns-exf.pcap.out b/tests/cfgs/default/result/dns-exf.pcap.out index f2de61f11..e5baf5b8c 100644 --- a/tests/cfgs/default/result/dns-exf.pcap.out +++ b/tests/cfgs/default/result/dns-exf.pcap.out @@ -25,4 +25,4 @@ DNS 2 342 1 Acceptable 2 342 1 - 1 UDP 192.168.2.225:45290 <-> 192.168.2.134:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/163 bytes <-> 1 pkts/179 bytes][Goodput ratio: 74/76][0.00 sec][Hostname/SNI: 4sicn03_2qaa3rlc3qudhh0aavjycxwakjehelu5klueow0zjxulgage-.4s2fgaaaa__-.test.txt][::][Risk: ** Susp DNS Traffic **** Non-Printable/Invalid Chars Detected **** Minor Issues **][Risk Score: 210][Risk Info: DNS Record with zero TTL][PLAIN TEXT (sICN03)][Plen Bins: 0,0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP 192.168.2.225:45290 <-> 192.168.2.134:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 2][cat: Network/14][1 pkts/163 bytes <-> 1 pkts/179 bytes][Goodput ratio: 74/76][0.00 sec][Hostname/SNI: 4sicn03_2qaa3rlc3qudhh0aavjycxwakjehelu5klueow0zjxulgage-.4s2fgaaaa__-.test.txt][::][Risk: ** Susp DNS Traffic **** Non-Printable/Invalid Chars Detected **** Minor Issues **][Risk Score: 210][Risk Info: Long DNS host name / DNS Record with zero TTL][PLAIN TEXT (sICN03)][Plen Bins: 0,0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |