diff options
Diffstat (limited to 'src/lib/ndpi_main.c')
| -rw-r--r-- | src/lib/ndpi_main.c | 60 |
1 files changed, 57 insertions, 3 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index ad6745d8f..8a27184e3 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -2142,6 +2142,7 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs ndpi_str->bigrams_automa.ac_automa = ac_automata_init(ac_match_handler); ndpi_str->impossible_bigrams_automa.ac_automa = ac_automata_init(ac_match_handler); ndpi_str->tls_cert_subject_automa.ac_automa = ac_automata_init(ac_match_handler); + ndpi_str->malicious_ja3_automa.ac_automa = NULL; /* Initialized on demand */ ndpi_str->risky_domain_automa.ac_automa = NULL; /* Initialized on demand */ if((sizeof(categories) / sizeof(char *)) != NDPI_PROTOCOL_NUM_CATEGORIES) { @@ -2196,13 +2197,13 @@ void ndpi_finalize_initialization(struct ndpi_detection_module_struct *ndpi_str) break; case 4: - automa = &ndpi_str->risky_domain_automa; + automa = &ndpi_str->tls_cert_subject_automa; break; case 5: - automa = &ndpi_str->tls_cert_subject_automa; + automa = &ndpi_str->malicious_ja3_automa; break; - + default: return; } @@ -2465,6 +2466,9 @@ void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_str) { if(ndpi_str->tls_cert_subject_automa.ac_automa != NULL) ac_automata_release((AC_AUTOMATA_t *) ndpi_str->tls_cert_subject_automa.ac_automa, 0); + if(ndpi_str->malicious_ja3_automa.ac_automa != NULL) + ac_automata_release((AC_AUTOMATA_t *) ndpi_str->malicious_ja3_automa.ac_automa, 0); + if(ndpi_str->custom_categories.hostnames.ac_automa != NULL) ac_automata_release((AC_AUTOMATA_t *) ndpi_str->custom_categories.hostnames.ac_automa, 1 /* free patterns strings memory */); @@ -2912,6 +2916,56 @@ int ndpi_load_risk_domain_file(struct ndpi_detection_module_struct *ndpi_str, co /* ******************************************************************** */ /* + * Format: + * + * <domain name>[,<other info>] + * + */ +int ndpi_load_malicious_ja3_file(struct ndpi_detection_module_struct *ndpi_str, const char *path) { + char buffer[128], *line; + FILE *fd; + int len, num = 0; + + if(ndpi_str->malicious_ja3_automa.ac_automa == NULL) + ndpi_str->malicious_ja3_automa.ac_automa = ac_automata_init(ac_match_handler); + + fd = fopen(path, "r"); + + if(fd == NULL) { + NDPI_LOG_ERR(ndpi_str, "Unable to open file %s [%s]\n", path, strerror(errno)); + return(-1); + } + + while(1) { + char *comma; + + line = fgets(buffer, sizeof(buffer), fd); + + if(line == NULL) + break; + + len = strlen(line); + + if((len <= 1) || (line[0] == '#')) + continue; + + line[len - 1] = '\0'; + + if((comma = strchr(line, ',')) != NULL) + comma[0] = '\0'; + + if(ndpi_add_string_to_automa(ndpi_str->malicious_ja3_automa.ac_automa, line) >= 0) + num++; + } + + fclose(fd); + + return(num); +} + +/* ******************************************************************** */ + +/* Format: <tcp|udp>:<port>,<tcp|udp>:<port>,.....@<proto> |