diff options
| -rw-r--r-- | src/lib/protocols/dns.c | 28 | ||||
| -rw-r--r-- | tests/cfgs/default/pcap/dns_response_only.pcap | bin | 0 -> 144 bytes | |||
| -rw-r--r-- | tests/cfgs/default/result/dns_response_only.pcap.out | 27 | ||||
| -rw-r--r-- | tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out | 4 |
4 files changed, 33 insertions, 26 deletions
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 5471b6177..607c4867b 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -329,23 +329,6 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, } else { /* DNS Reply */ - if(flow->protos.dns.query_type == 0) { - /* In case we missed the query packet... */ - - while(x+2 < packet->payload_packet_len) { - if(packet->payload[x] == '\0') { - x++; - flow->protos.dns.query_type = get16(&x, packet->payload); -#ifdef DNS_DEBUG - NDPI_LOG_DBG2(ndpi_struct, "query_type=%2d\n", flow->protos.dns.query_type); - printf("[DNS] [request] query_type=%d\n", flow->protos.dns.query_type); -#endif - break; - } else - x++; - } - } - flow->protos.dns.transaction_id = dns_header->tr_id; flow->protos.dns.reply_code = dns_header->flags & 0x0F; @@ -369,9 +352,7 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, /* This is a good reply: we dissect it both for request and response */ if(dns_header->num_queries > 0) { -#ifdef DNS_DEBUG u_int16_t rsp_type; -#endif u_int16_t num; for(num = 0; num < dns_header->num_queries; num++) { @@ -391,16 +372,15 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, break; } - /* To avoid warning: variable ‘rsp_type’ set but not used [-Wunused-but-set-variable] */ -#ifdef DNS_DEBUG rsp_type = get16(&x, packet->payload); -#else - get16(&x, packet->payload); -#endif #ifdef DNS_DEBUG printf("[DNS] [response (query)] response_type=%d\n", rsp_type); #endif + if(flow->protos.dns.query_type == 0) { + /* In case we missed the query packet... */ + flow->protos.dns.query_type = rsp_type; + } /* here x points to the response "class" field */ x += 2; /* Skip class */ diff --git a/tests/cfgs/default/pcap/dns_response_only.pcap b/tests/cfgs/default/pcap/dns_response_only.pcap Binary files differnew file mode 100644 index 000000000..3196d127e --- /dev/null +++ b/tests/cfgs/default/pcap/dns_response_only.pcap diff --git a/tests/cfgs/default/result/dns_response_only.pcap.out b/tests/cfgs/default/result/dns_response_only.pcap.out new file mode 100644 index 000000000..52ca28f80 --- /dev/null +++ b/tests/cfgs/default/result/dns_response_only.pcap.out @@ -0,0 +1,27 @@ +DPI Packets (UDP): 1 (1.00 pkts/flow) +Confidence DPI : 1 (flows) +Num dissector calls: 1 (1.00 diss/flow) +LRU cache ookla: 0/0/0 (insert/search/found) +LRU cache bittorrent: 0/0/0 (insert/search/found) +LRU cache stun: 0/0/0 (insert/search/found) +LRU cache tls_cert: 0/0/0 (insert/search/found) +LRU cache mining: 0/0/0 (insert/search/found) +LRU cache msteams: 0/0/0 (insert/search/found) +LRU cache fpc_dns: 1/0/0 (insert/search/found) +Automa host: 1/1 (search/found) +Automa domain: 1/0 (search/found) +Automa tls cert: 0/0 (search/found) +Automa risk mask: 0/0 (search/found) +Automa common alpns: 0/0 (search/found) +Patricia risk mask: 0/0 (search/found) +Patricia risk mask IPv6: 0/0 (search/found) +Patricia risk: 0/0 (search/found) +Patricia risk IPv6: 0/0 (search/found) +Patricia protocols: 1/1 (search/found) +Patricia protocols IPv6: 0/0 (search/found) + +Github 1 104 1 + +Acceptable 1 104 1 + + 1 UDP 8.8.8.8:53 -> 192.168.255.251:56550 [proto: 5.203/DNS.Github][IP: 126/Google][ClearText][Confidence: DPI][FPC: 5.203/DNS.Github, Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/104 bytes -> 0 pkts/0 bytes][Goodput ratio: 59/0][< 1 sec][Hostname/SNI: www.github.com][140.82.121.4][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][PLAIN TEXT (github)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out b/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out index a8a6644e0..daa46d547 100644 --- a/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out +++ b/tests/cfgs/default/result/fuzz-2006-06-26-2594.pcap.out @@ -135,7 +135,7 @@ Unrated 33 4066 33 92 UDP 192.168.1.2:2814 -> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][9.01 sec][Hostname/SNI: _sib._udp.sip.cybercity.dk][0.0.0.0][Risk: ** Malformed Packet **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic / Invalid DNS Query Lenght][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 93 UDP 192.168.1.2:2829 -> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][1.00 sec][Hostname/SNI: _sip._udp.sip.cybercity.dk][0.0.0.0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 94 UDP 192.168.1.2:2716 -> 192.168.1.1:53 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][2 pkts/168 bytes -> 0 pkts/0 bytes][Goodput ratio: 50/0][353.97 sec][Hostname/SNI: _sip._udp.sip.cybercity.dk][0.0.0.0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 95 UDP 192.168.1.3:53 -> 192.168.1.2:2712 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/144 bytes -> 0 pkts/0 bytes][Goodput ratio: 70/0][< 1 sec][Hostname/SNI: sip.cybercity.dk][0.0.0.0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][PLAIN TEXT (cybercity)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 95 UDP 192.168.1.3:53 -> 192.168.1.2:2712 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/144 bytes -> 0 pkts/0 bytes][Goodput ratio: 70/0][< 1 sec][Hostname/SNI: sip.cybercity.dk][212.242.33.35][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][PLAIN TEXT (cybercity)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 96 TCP 147.234.1.253:21 -> 192.169.1.2:2720 [proto: 1/FTP_CONTROL][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 1][cat: Download/7][1 pkts/130 bytes -> 0 pkts/0 bytes][Goodput ratio: 58/0][< 1 sec][Risk: ** Unsafe Protocol **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No client to server traffic][PLAIN TEXT (331 Anonymous login ok)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 97 TCP 192.168.1.2:2718 -> 147.137.21.94:139 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 2][cat: System/18][2 pkts/124 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][2.92 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][TCP Fingerprint: 2_128_16384_44bd01ba086e/Unknown][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 98 TCP 147.234.1.253:21 -> 192.168.1.2:2732 [proto: 1/FTP_CONTROL][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 1][cat: Download/7][1 pkts/113 bytes -> 0 pkts/0 bytes][Goodput ratio: 52/0][< 1 sec][Risk: ** Unsafe Protocol **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No client to server traffic][PLAIN TEXT ( Files larger then 250MB will b)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] @@ -174,7 +174,7 @@ Unrated 33 4066 33 131 UDP 192.168.1.2:29440 -> 192.168.1.37:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 10/NetBIOS, Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (EFEDEJFPEEEPENEBEJEOCACACACACAB)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 132 UDP 192.168.1.41:137 -> 107.168.1.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 10/NetBIOS, Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: workgroup][PLAIN TEXT ( FHEPFCELEHFCEPFFFACACACACACACA)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 133 UDP 192.168.1.41:137 -> 192.168.37.115:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 10/NetBIOS, Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: workgroup][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT ( FHEPFCELEHFCEPFFFACACACACACACA)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 134 UDP 192.168.1.46:53 -> 192.168.1.2:2726 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: sip.cybercity.dk][0.0.0.0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 134 UDP 192.168.1.46:53 -> 192.168.1.2:2726 [proto: 5/DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: sip.cybercity.dk][212.242.33.35][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][PLAIN TEXT (cybercity)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 135 UDP 192.168.1.202:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 10/NetBIOS, Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: eci_dom][PLAIN TEXT ( EFEDEJ)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 136 UDP 192.184.189.41:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 10/NetBIOS, Confidence: DPI][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][Hostname/SNI: workg][PLAIN TEXT ( FHEPFCELEH)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 137 UDP 217.168.1.2:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][IP: 0/Unknown][ClearText][Confidence: Match by port][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 1][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Goodput ratio: 54/0][< 1 sec][PLAIN TEXT ( EFEDEJ)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |