-rw-r--r-- | src/lib/ndpi_main.c | 39 | ||||
-rw-r--r-- | tests/cfgs/default/pcap/elf.pcap | bin | 0 -> 63040 bytes | |||
-rw-r--r-- | tests/cfgs/default/result/elf.pcap.out | 33 |
3 files changed, 66 insertions, 6 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index a2d31d024..ad4638a64 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -8160,6 +8160,35 @@ static int ndpi_is_ntop_protocol(ndpi_protocol *ret) {
 
 /* ********************************************************************************* */
 
+/* ELF format specs: https://man7.org/linux/man-pages/man5/elf.5.html */
+static void ndpi_search_elf(struct ndpi_detection_module_struct *ndpi_struct,
+                            struct ndpi_flow_struct *flow)
+{
+  struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
+  static const uint32_t elf_signature = 0x7f454c46; /* [DEL]ELF */
+  static const uint32_t max_version = 6;
+
+  NDPI_LOG_DBG(ndpi_struct, "search ELF file\n");
+
+  if (packet->payload_packet_len < 24)
+  {
+    return;
+  }
+
+  if (ntohl(get_u_int32_t(packet->payload, 0)) != elf_signature)
+  {
+    return;
+  }
+
+  if (le32toh(get_u_int32_t(packet->payload, 20)) > max_version)
+  {
+    return;
+  }
+
+  NDPI_LOG_INFO(ndpi_struct, "found ELF file\n");
+  ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER, "ELF found");
+}
+
 /* PE32/PE32+ format specs: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format */
 static void ndpi_search_portable_executable(struct ndpi_detection_module_struct *ndpi_struct,
                                             struct ndpi_flow_struct *flow)
@@ -8170,11 +8199,6 @@ static void ndpi_search_portable_executable(struct ndpi_detection_module_struct
 
   NDPI_LOG_DBG(ndpi_struct, "search Portable Executable (PE) file\n");
 
-  if (flow->packet_counter > 5)
-  {
-    return;
-  }
-
   if (packet->payload_packet_len < 0x3C /* offset to PE header */ + 4)
   {
     return;
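Review bot: The e_version check in ndpi_search_elf reads offset 20 with le32toh unconditionally, but the ELF header's byte order is selected by e_ident[EI_DATA] (payload byte 5: 1 = ELFDATA2LSB, 2 = ELFDATA2MSB); a big-endian ELF stores e_version 1 as 0x00000001 in big-endian order, le32toh turns that into 0x01000000 on a little-endian host, the `> max_version` test fails, and the transfer is silently not flagged. Since the magic and length checks already make the read safe, select the conversion from EI_DATA instead of assuming little-endian, and consider also requiring e_ident[EI_CLASS] (payload byte 4) to be 1 or 2 so the 4-byte magic is not the only thing gating the risk. This assumes `packet->payload` is a byte pointer as elsewhere in this file, so direct indexing works. The `[DEL]ELF` comment after the constant would read more clearly as `"\x7fELF"`, the literal bytes the constant encodes.
```c
  /* e_ident[EI_DATA] (byte 5) selects the byte order of the header fields after e_ident. */
  uint32_t version = get_u_int32_t(packet->payload, 20);
  version = (packet->payload[5] == 2 /* ELFDATA2MSB */) ? ntohl(version) : le32toh(version);
  if (version > max_version)
  {
    return;
  }
  /* … unchanged: NDPI_LOG_INFO / ndpi_set_risk … */
```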
@@ -8591,8 +8615,11 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio
     flow->first_pkt_fully_encrypted = fully_enc_heuristic(ndpi_str, flow);
   }
 
-  if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN) {
+  if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN &&
+     flow->packet_counter <= 5)
+  {
     ndpi_search_portable_executable(ndpi_str, flow);
+    ndpi_search_elf(ndpi_str, flow);
   }
 
   if(flow->first_pkt_fully_encrypted == 0 &&
diff --git a/tests/cfgs/default/pcap/elf.pcap b/tests/cfgs/default/pcap/elf.pcap
Binary files differ
new file mode 100644
index 000000000..18ededdb5
--- /dev/null
+++ b/tests/cfgs/default/pcap/elf.pcap
diff --git a/tests/cfgs/default/result/elf.pcap.out b/tests/cfgs/default/result/elf.pcap.out
new file mode 100644
index 000000000..e05890415
--- /dev/null
+++ b/tests/cfgs/default/result/elf.pcap.out
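Review bot: The bound `flow->packet_counter <= 5` is the same magic number that the previous hunk removed from ndpi_search_portable_executable, now hoisted to the caller with no comment saying why five packets is the window for both binary-format searches; give it a named constant and a one-line comment, e.g. `/* only the first packets of an unknown flow are checked for an executable header at payload offset 0 */`. Both searches only match when the header sits at the start of a packet's payload, so it is worth saying in that comment that this is a best-effort heuristic rather than a stream-level scan, if that is the intent. The enclosing function ndpi_internal_detection_process_packet starts and ends outside the hunk.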
@@ -0,0 +1,33 @@ +DPI Packets (TCP): 10 (10.00 pkts/flow) +DPI Packets (UDP): 2 (2.00 pkts/flow) +Confidence Unknown : 2 (flows) +Num dissector calls: 331 (165.50 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/6/0 (insert/search/found) +LRU cache zoom: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/2/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache stun_zoom: 0/1/0 (insert/search/found) +Automa host: 0/0 (search/found) +Automa domain: 0/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 0/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 4/0 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +Unknown 12 62824 2 + +Unrated 12 62824 2 + + + +Undetected flows: + 1 TCP 127.0.0.1:41150 <-> 127.0.0.1:33333 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 10][5 pkts/31370 bytes <-> 5 pkts/338 bytes][Goodput ratio: 99/0][3.64 sec][bytes ratio: 0.979 (Upload)][IAT c2s/s2c min/avg/max/stddev: 3641/0 910/0 3641/0 1577/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 6274/68 16450/74 7620/3][Risk: ** Binary App Transfer **][Risk Score: 150][Risk Info: ELF found][PLAIN TEXT (/lib64/ld)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100] + 2 UDP 127.0.0.1:60150 -> 127.0.0.1:33333 [proto: 0/Unknown][IP: 0/Unknown][ClearText][Confidence: Unknown][DPI packets: 2][2 pkts/31116 bytes -> 0 pkts/0 bytes][Goodput ratio: 100/0][< 1 sec][Risk: ** Binary App Transfer **** Unidirectional Traffic **][Risk Score: 160][Risk Info: No server to client traffic / ELF found][PLAIN TEXT (/lib64/ld)][Plen Bins: 
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100] |