aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/include/ndpi_utils.h2
-rw-r--r--src/lib/ndpi_main.c42
-rw-r--r--src/lib/protocols/http.c32
3 files changed, 49 insertions, 27 deletions
diff --git a/src/include/ndpi_utils.h b/src/include/ndpi_utils.h
index 983aae283..6ba83b4da 100644
--- a/src/include/ndpi_utils.h
+++ b/src/include/ndpi_utils.h
@@ -16,6 +16,8 @@ extern void printRawData(const uint8_t *ptr, size_t len);
//extern uint8_t add_segment_to_buffer( struct ndpi_flow_struct *flow, struct ndpi_tcphdr const * tcph, uint32_t waited);
//extern uint8_t check_for_sequence( struct ndpi_flow_struct *flow, struct ndpi_tcphdr const * tcph);
+extern u_int8_t ndpi_ends_with(char *str, char *ends);
+
/* **************************************** */
/* Can't call libc functions from kernel space, define some stub instead */
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index f29fc9322..cd24e52df 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -72,33 +72,33 @@ static ndpi_risk_info ndpi_known_risks[] = {
{ NDPI_URL_POSSIBLE_SQL_INJECTION, NDPI_RISK_SEVERE, CLIENT_HIGH_RISK_PERCENTAGE },
{ NDPI_URL_POSSIBLE_RCE_INJECTION, NDPI_RISK_SEVERE, CLIENT_HIGH_RISK_PERCENTAGE },
{ NDPI_BINARY_APPLICATION_TRANSFER, NDPI_RISK_SEVERE, CLIENT_FAIR_RISK_PERCENTAGE },
- { NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE },
- { NDPI_TLS_SELFSIGNED_CERTIFICATE, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
- { NDPI_TLS_OBSOLETE_VERSION, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
- { NDPI_TLS_WEAK_CIPHER, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
+ { NDPI_TLS_SELFSIGNED_CERTIFICATE, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_TLS_OBSOLETE_VERSION, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_TLS_WEAK_CIPHER, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE },
{ NDPI_TLS_CERTIFICATE_EXPIRED, NDPI_RISK_HIGH, CLIENT_FAIR_RISK_PERCENTAGE },
{ NDPI_TLS_CERTIFICATE_MISMATCH, NDPI_RISK_HIGH, CLIENT_FAIR_RISK_PERCENTAGE },
- { NDPI_HTTP_SUSPICIOUS_USER_AGENT, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_HTTP_SUSPICIOUS_USER_AGENT, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE },
{ NDPI_HTTP_NUMERIC_IP_HOST, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE },
{ NDPI_HTTP_SUSPICIOUS_URL, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE },
- { NDPI_HTTP_SUSPICIOUS_HEADER, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_HTTP_SUSPICIOUS_HEADER, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE },
{ NDPI_TLS_NOT_CARRYING_HTTPS, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE },
{ NDPI_SUSPICIOUS_DGA_DOMAIN, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE },
{ NDPI_MALFORMED_PACKET, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE },
- { NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE },
{ NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER, NDPI_RISK_MEDIUM, CLIENT_LOW_RISK_PERCENTAGE },
- { NDPI_SMB_INSECURE_VERSION, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
- { NDPI_TLS_SUSPICIOUS_ESNI_USAGE, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_SMB_INSECURE_VERSION, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_TLS_SUSPICIOUS_ESNI_USAGE, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
{ NDPI_UNSAFE_PROTOCOL, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE },
- { NDPI_DNS_SUSPICIOUS_TRAFFIC, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
- { NDPI_TLS_MISSING_SNI, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
- { NDPI_HTTP_SUSPICIOUS_CONTENT, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_DNS_SUSPICIOUS_TRAFFIC, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_TLS_MISSING_SNI, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
+ { NDPI_HTTP_SUSPICIOUS_CONTENT, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE },
{ NDPI_RISKY_ASN, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
{ NDPI_RISKY_DOMAIN, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
- { NDPI_MALICIOUS_JA3, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_MALICIOUS_JA3, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
{ NDPI_MALICIOUS_SHA1_CERTIFICATE, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
{ NDPI_DESKTOP_OR_FILE_SHARING_SESSION, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE },
- { NDPI_TLS_UNCOMMON_ALPN, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_TLS_UNCOMMON_ALPN, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
{ NDPI_TLS_CERT_VALIDITY_TOO_LONG, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
{ NDPI_TLS_SUSPICIOUS_EXTENSION, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE },
{ NDPI_TLS_FATAL_ALERT, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE },
@@ -7433,10 +7433,12 @@ static int enough(int a, int b) {
/* ******************************************************************** */
-static u_int8_t endsWith(char *str, char *ends, u_int8_t ends_len) {
+u_int8_t ndpi_ends_with(char *str, char *ends) {
u_int str_len = str ? strlen(str) : 0;
+ u_int8_t ends_len = strlen(ends);
u_int8_t rc;
+
if(str_len < ends_len) return(0);
rc = (strncmp(&str[str_len-ends_len], ends, ends_len) != 0) ? 0 : 1;
@@ -7499,12 +7501,12 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str,
if((!name)
|| (strchr(name, '_') != NULL)
- || (endsWith(name, "in-addr.arpa", 12))
- || (endsWith(name, "ip6.arpa", 8))
+ || (ndpi_ends_with(name, "in-addr.arpa"))
+ || (ndpi_ends_with(name, "ip6.arpa"))
/* Ignore TLD .local .lan and .home */
- || (endsWith(name, ".local", 6))
- || (endsWith(name, ".lan", 4))
- || (endsWith(name, ".home", 5))
+ || (ndpi_ends_with(name, ".local"))
+ || (ndpi_ends_with(name, ".lan"))
+ || (ndpi_ends_with(name, ".home"))
)
return(0);
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 055726af0..e291bc908 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -50,27 +50,45 @@ static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struc
/* *********************************************** */
+static void ndpi_set_binary_application_transfer(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
+ /*
+ Check known exceptions
+ */
+ if(ndpi_ends_with((char*)flow->host_server_name, ".windowsupdate.com"))
+ ;
+ else
+ ndpi_set_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER);
+ }
+
+ /* *********************************************** */
+
static void ndpi_analyze_content_signature(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
+ u_int8_t set_risk = 0;
+
if((flow->initial_binary_bytes_len >= 2) && (flow->initial_binary_bytes[0] == 0x4D) && (flow->initial_binary_bytes[1] == 0x5A))
- ndpi_set_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER); /* Win executable */
+ set_risk = 1; /* Win executable */
else if((flow->initial_binary_bytes_len >= 4) && (flow->initial_binary_bytes[0] == 0x7F) && (flow->initial_binary_bytes[1] == 'E')
&& (flow->initial_binary_bytes[2] == 'L') && (flow->initial_binary_bytes[3] == 'F'))
- ndpi_set_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER); /* Linux executable */
+ set_risk = 1; /* Linux executable */
else if((flow->initial_binary_bytes_len >= 4) && (flow->initial_binary_bytes[0] == 0xCF) && (flow->initial_binary_bytes[1] == 0xFA)
&& (flow->initial_binary_bytes[2] == 0xED) && (flow->initial_binary_bytes[3] == 0xFE))
- ndpi_set_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER); /* Linux executable */
+ set_risk = 1; /* Linux executable */
else if((flow->initial_binary_bytes_len >= 3)
&& (flow->initial_binary_bytes[0] == '#')
&& (flow->initial_binary_bytes[1] == '!')
&& (flow->initial_binary_bytes[2] == '/'))
- ndpi_set_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER); /* Unix script (e.g. #!/bin/sh) */
+ set_risk = 1; /* Unix script (e.g. #!/bin/sh) */
else if(flow->initial_binary_bytes_len >= 8) {
u_int8_t exec_pattern[] = { 0x64, 0x65, 0x78, 0x0A, 0x30, 0x33, 0x35, 0x00 };
if(memcmp(flow->initial_binary_bytes, exec_pattern, 8) == 0)
- ndpi_set_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER); /* Dalvik Executable (Android) */
+ set_risk = 1; /* Dalvik Executable (Android) */
}
+
+ if(set_risk)
+ ndpi_set_binary_application_transfer(ndpi_struct, flow);
}
/* *********************************************** */
@@ -222,7 +240,7 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
for(i = 0; cmp_mimes[i] != NULL; i++) {
if(strncasecmp(app, cmp_mimes[i], app_len_avail) == 0) {
flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
- ndpi_set_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER);
+ ndpi_set_binary_application_transfer(ndpi_struct, flow);
NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer");
return(flow->category);
}
@@ -251,7 +269,7 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
if(memcmp(&packet->content_disposition_line.ptr[attachment_len],
binary_file_ext[i], ATTACHMENT_LEN) == 0) {
flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
- ndpi_set_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER);
+ ndpi_set_binary_application_transfer(ndpi_struct, flow);
NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer");
return(flow->category);
}
Powered by cgit, Themed by Ted Yin.