diff options
Diffstat (limited to 'src/lib/ndpi_main.c')
| -rw-r--r-- | src/lib/ndpi_main.c | 61 |
1 files changed, 40 insertions, 21 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 52c2b8f85..68c2bd244 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -3128,7 +3128,7 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str, /* Run some basic consistency tests */ if(packet->payload_packet_len < sizeof(struct ndpi_icmphdr)) - ndpi_set_risk(ndpi_str, flow, NDPI_MALFORMED_PACKET); + ndpi_set_risk(ndpi_str, flow, NDPI_MALFORMED_PACKET, NULL); else { u_int8_t icmp_type = (u_int8_t)packet->payload[0]; u_int8_t icmp_code = (u_int8_t)packet->payload[1]; @@ -3136,19 +3136,22 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str, /* https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml */ if(((icmp_type >= 44) && (icmp_type <= 252)) || (icmp_code > 15)) - ndpi_set_risk(ndpi_str, flow, NDPI_MALFORMED_PACKET); + ndpi_set_risk(ndpi_str, flow, NDPI_MALFORMED_PACKET, NULL); if (packet->payload_packet_len > sizeof(struct ndpi_icmphdr)) { flow->entropy = ndpi_entropy(packet->payload + sizeof(struct ndpi_icmphdr), packet->payload_packet_len - sizeof(struct ndpi_icmphdr)); if (NDPI_ENTROPY_ENCRYPTED_OR_RANDOM(flow->entropy) != 0) { - ndpi_set_risk(ndpi_str, flow, NDPI_SUSPICIOUS_ENTROPY); + char str[32]; + + snprintf(str, sizeof(str), "Entropy %.2f", flow->entropy); + ndpi_set_risk(ndpi_str, flow, NDPI_SUSPICIOUS_ENTROPY, str); } u_int16_t chksm = ndpi_calculate_icmp4_checksum(packet->payload, packet->payload_packet_len); if (chksm) { - ndpi_set_risk(ndpi_str, flow, NDPI_MALFORMED_PACKET); + ndpi_set_risk(ndpi_str, flow, NDPI_MALFORMED_PACKET, NULL); } } } @@ -3175,7 +3178,7 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str, /* Run some basic consistency tests */ if(packet->payload_packet_len < sizeof(struct ndpi_icmphdr)) - ndpi_set_risk(ndpi_str, flow, NDPI_MALFORMED_PACKET); + ndpi_set_risk(ndpi_str, flow, NDPI_MALFORMED_PACKET, NULL); else { u_int8_t icmp6_type = (u_int8_t)packet->payload[0]; u_int8_t icmp6_code = (u_int8_t)packet->payload[1]; @@ -3183,7 +3186,7 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str, /* https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol_for_IPv6 */ if(((icmp6_type >= 5) && (icmp6_type <= 127)) || ((icmp6_code >= 156) && (icmp6_type != 255))) - ndpi_set_risk(ndpi_str, flow, NDPI_MALFORMED_PACKET); + ndpi_set_risk(ndpi_str, flow, NDPI_MALFORMED_PACKET, NULL); } } return(NDPI_PROTOCOL_IP_ICMPV6); @@ -4709,6 +4712,13 @@ static u_int8_t ndpi_detection_get_l4_internal(struct ndpi_detection_module_stru void ndpi_free_flow_data(struct ndpi_flow_struct* flow) { if(flow) { + if(flow->num_risk_infos) { + u_int i; + + for(i=0; i<flow->num_risk_infos; i++) + ndpi_free(flow->risk_infos[i]); + } + if(flow->http.url) ndpi_free(flow->http.url); @@ -5305,12 +5315,12 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s break; case NDPI_PROTOCOL_RDP: - ndpi_set_risk(ndpi_str, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance */ + ndpi_set_risk(ndpi_str, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found RDP"); /* Remote assistance */ break; case NDPI_PROTOCOL_ANYDESK: if(flow->l4_proto == IPPROTO_TCP) /* TCP only */ - ndpi_set_risk(ndpi_str, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance */ + ndpi_set_risk(ndpi_str, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found AnyDesk"); /* Remote assistance */ break; } /* switch */ @@ -5319,7 +5329,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s case NDPI_PROTOCOL_UNSAFE: case NDPI_PROTOCOL_POTENTIALLY_DANGEROUS: case NDPI_PROTOCOL_DANGEROUS: - ndpi_set_risk(ndpi_str, flow, NDPI_UNSAFE_PROTOCOL); + ndpi_set_risk(ndpi_str, flow, NDPI_UNSAFE_PROTOCOL, NULL); break; default: /* Nothing to do */ @@ -6152,7 +6162,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct if((r == NULL) || ((r->proto->protoId != ret.app_protocol) && (r->proto->protoId != ret.master_protocol))) - ndpi_set_risk(ndpi_str, flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT); + ndpi_set_risk(ndpi_str, flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT, NULL); } } } else if((!ndpi_is_ntop_protocol(&ret)) && default_ports && (default_ports[0] != 0)) { @@ -6182,7 +6192,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct if((r == NULL) || ((r->proto->protoId != ret.app_protocol) && (r->proto->protoId != ret.master_protocol))) - ndpi_set_risk(ndpi_str, flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT); + ndpi_set_risk(ndpi_str, flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT,NULL); } } @@ -6203,8 +6213,9 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct addr.s_addr = packet->iph->daddr; net_risk = ndpi_network_risk_ptree_match(ndpi_str, &addr); } + if(net_risk != NDPI_NO_RISK) - ndpi_set_risk(ndpi_str, flow, net_risk); + ndpi_set_risk(ndpi_str, flow, net_risk, NULL); } } flow->tree_risk_checked = 1; @@ -7653,7 +7664,7 @@ void ndpi_check_subprotocol_risk(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, u_int16_t subprotocol_id) { switch(subprotocol_id) { case NDPI_PROTOCOL_ANYDESK: - ndpi_set_risk(ndpi_str, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance */ + ndpi_set_risk(ndpi_str, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found AnyDesk"); /* Remote assistance */ break; } } @@ -7686,15 +7697,23 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_ if(ndpi_str->risky_domain_automa.ac_automa != NULL) { u_int32_t proto_id; u_int16_t rc1 = ndpi_match_string_common(ndpi_str->risky_domain_automa.ac_automa, - string_to_match,string_to_match_len, + string_to_match, string_to_match_len, &proto_id, NULL, NULL); - if(rc1 > 0) - ndpi_set_risk(ndpi_str, flow, NDPI_RISKY_DOMAIN); + if(rc1 > 0) { + char str[64] = { '\0' }; + + strncpy(str, string_to_match, ndpi_min(string_to_match_len, sizeof(str)-1)); + ndpi_set_risk(ndpi_str, flow, NDPI_RISKY_DOMAIN, str); + } } /* Add punycode check */ - if(ndpi_strnstr(string_to_match, "xn--", string_to_match_len)) - ndpi_set_risk(ndpi_str, flow, NDPI_PUNYCODE_IDN); + if(ndpi_strnstr(string_to_match, "xn--", string_to_match_len)) { + char str[64] = { '\0' }; + + strncpy(str, string_to_match, ndpi_min(string_to_match_len, sizeof(str)-1)); + ndpi_set_risk(ndpi_str, flow, NDPI_PUNYCODE_IDN, str); + } return(rc); } @@ -8191,7 +8210,7 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, if(rc) { if(flow) - ndpi_set_risk(ndpi_str, flow, NDPI_SUSPICIOUS_DGA_DOMAIN); + ndpi_set_risk(ndpi_str, flow, NDPI_SUSPICIOUS_DGA_DOMAIN, name); } return(rc); @@ -8340,7 +8359,7 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, || ((max_domain_element_len >= 19 /* word too long. Example bbcbedxhgjmdobdprmen.com */) && ((num_char_repetitions > 1) || (num_digits > 1))) ) { if(flow) { - ndpi_set_risk(ndpi_str, flow, NDPI_SUSPICIOUS_DGA_DOMAIN); + ndpi_set_risk(ndpi_str, flow, NDPI_SUSPICIOUS_DGA_DOMAIN, name); } if(ndpi_verbose_dga_detection) @@ -8501,7 +8520,7 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, printf("[DGA] Result: %u\n", rc); if(rc && flow) - ndpi_set_risk(ndpi_str, flow, NDPI_SUSPICIOUS_DGA_DOMAIN); + ndpi_set_risk(ndpi_str, flow, NDPI_SUSPICIOUS_DGA_DOMAIN, name); return(rc); } |