Diffstat (limited to 'src/lib/ndpi_main.c')
-rw-r--r-- | src/lib/ndpi_main.c | 147 |
1 files changed, 106 insertions, 41 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 59780d288..a945573a1 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -131,7 +131,7 @@ void *ndpi_realloc(void *ptr, size_t old_size, size_t new_size) {
 /* ****************************************** */
 char *ndpi_strdup(const char *s) {
- if( s == NULL ){
+ if(s == NULL ){
 return NULL;
 }
@@ -571,9 +571,14 @@ static void init_string_based_protocols(struct ndpi_detection_module_struct *ndp
 // ac_automata_display(ndpi_str->host_automa.ac_automa, 'n');
 #endif
+#if 1
 for (i = 0; ndpi_en_bigrams[i] != NULL; i++)
 ndpi_string_to_automa(ndpi_str, &ndpi_str->bigrams_automa, (char *) ndpi_en_bigrams[i], 1, 1, 1, 0);
-
+#else
+ for (i = 0; ndpi_en_popular_bigrams[i] != NULL; i++)
+ ndpi_string_to_automa(ndpi_str, &ndpi_str->bigrams_automa, (char *) ndpi_en_popular_bigrams[i], 1, 1, 1, 0);
+#endif
+
 for (i = 0; ndpi_en_impossible_bigrams[i] != NULL; i++)
 ndpi_string_to_automa(ndpi_str, &ndpi_str->impossible_bigrams_automa, (char *) ndpi_en_impossible_bigrams[i], 1, 1, 1, 0);
@@ -1476,6 +1481,11 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
 no_master, "WebSocket", NDPI_PROTOCOL_CATEGORY_WEB,
 ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
 ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+ ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_ANYDESK,
+ 1 /* no subprotocol */, no_master,
+ no_master, "AnyDesk", NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS,
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_main.c"
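Review bot: The `#if 1` / `#else` / `#endif` wrapped around the bigram loading in init_string_based_protocols leaves the `ndpi_en_popular_bigrams` branch as code the compiler never sees, so it will silently rot; the same construct appears again in the ndpi_match_bigram hunk below. If the popular-bigrams table is a live experiment, a named switch such as `#ifdef NDPI_USE_POPULAR_BIGRAMS` plus a one-line comment on what the two tables trade off makes it discoverable and buildable; if it is abandoned, dropping the `#else` branch is cleaner. init_string_based_protocols starts and ends outside the hunk.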
@@ -4367,6 +4377,13 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s
 Skype for a host doing MS Teams means MS Teams (MS Teams uses Skype as transport protocol for voice/video) */
+
+ if(flow) {
+ /* Do not go for DNS when there is an application protocol. Example DNS.Apple */
+ if((flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN)
+ && (flow->detected_protocol_stack[0] /* app */ != flow->detected_protocol_stack[1] /* major */))
+ NDPI_CLR_BIT(flow->risk, NDPI_SUSPICIOUS_DGA_DOMAIN);
+ }
 switch(ret->app_protocol) {
 case NDPI_PROTOCOL_MSTEAMS:
@@ -6078,8 +6095,12 @@ int ndpi_match_bigram(struct ndpi_detection_module_struct *ndpi_str,
 return(-1);
 if(!automa->ac_automa_finalized) {
+#if 1
+ ndpi_finalize_initalization(ndpi_str);
+#else
 printf("[%s:%d] [NDPI] Internal error: please call ndpi_finalize_initalization()\n", __FILE__, __LINE__);
 return(0); /* No matches */
+#endif
 }
 ac_input_text.astring = bigram_to_match, ac_input_text.length = 2;
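Review bot: The comment on the new block in ndpi_reconcile_protocols says "Do not go for DNS", but the condition clears NDPI_SUSPICIOUS_DGA_DOMAIN for every flow whose application protocol differs from its master protocol (HTTP.X, TLS.X, …), not only DNS; if that breadth is intended the comment should say so, e.g. `/* The name resolved to a known application protocol (e.g. DNS.Apple), so drop the DGA risk set earlier; this applies to any master protocol, not only DNS */`. The check also reads `flow->detected_protocol_stack` while the switch that follows reconciles `ret`; if the two can differ at this point, the risk may be cleared on the basis of a stale stack, which is worth confirming. ndpi_reconcile_protocols starts and ends outside the hunk.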
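Review bot: Calling ndpi_finalize_initalization() from inside ndpi_match_bigram turns a lookup function into one with a one-time, module-wide side effect, and nothing at the call site says that this is the intended fallback for callers that skipped finalisation. A comment such as `/* Lazily finalize the automata if the caller never invoked ndpi_finalize_initalization() */` would make that explicit, and whether two flows can reach this branch concurrently before the first finalisation completes should be confirmed against ndpi_finalize_initalization's implementation. The prologue and the remainder of ndpi_match_bigram lie outside the hunk.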
@@ -6478,79 +6499,123 @@ void ndpi_md5(const u_char *data, size_t data_len, u_char hash[16]) {
 static int enough(int a, int b) {
 u_int8_t percentage = 20;
-
+
 if(b == 0) return(0);
 if(a == 0) return(1);
- if(b > ((a*percentage)/100)) return(1);
-
+ if(b > (((a+1)*percentage)/100)) return(1);
+
 return(0);
 }
 /* ******************************************************************** */
+// #define DGA_DEBUG 1
+
 int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str,
 struct ndpi_flow_struct *flow, char *name) {
- int len = strlen(name), rc = 0;
-
+ int len, rc = 0;
+
+ len = strlen(name);
+
 if(len >= 5) {
- int i, j, num_found = 0, num_impossible = 0, num_bigram_checks = 0;
- char tmp[128];
+ int i, j, num_found = 0, num_impossible = 0, num_bigram_checks = 0, num_digits = 0, num_vowels = 0, num_words = 0;
+ char tmp[128], *word, *tok_tmp;
 len = snprintf(tmp, sizeof(tmp)-1, "%s", name);
 if(len < 0) return(0);
-
+
 for(i=0, j=0; (i<len) && (j<(sizeof(tmp)-1)); i++) {
- if(isdigit(name[i]))
- continue;
- else
 tmp[j++] = tolower(name[i]);
 }
+
 tmp[j] = '\0';
 len = j;
-
- for(i = 0; tmp[i+1] != '\0'; i++) {
- if(isdigit(tmp[i])) continue;
+
+ for(word = strtok_r(tmp, ".", &tok_tmp); ; word = strtok_r(NULL, ".", &tok_tmp)) {
+ if(!word) break;
+
+ num_words++;
+
+ if(strlen(word) < 3) continue;
+
+#ifdef DGA_DEBUG
+ printf("-> %s [%s][len: %u]\n", word, name, (unsigned int)strlen(word));
+#endif
+
+ for(i = 0; word[i+1] != '\0'; i++) {
+ if(isdigit(word[i])) {
+ num_digits++;
+
+ // if(!isdigit(word[i+1])) num_impossible++;
+
+ continue;
+ }
- switch(tmp[i]) {
- case '-':
- case ':':
- case '.':
- continue;
- break;
- }
+ switch(word[i]) {
+ case '_':
+ case '-':
+ case ':':
+ continue;
+ break;
+
+ case '.':
+ continue;
+ break;
+ }
- if(isdigit(tmp[i+1])) continue;
-
- num_bigram_checks++;
+ switch(word[i]) {
+ case 'a':
+ case 'e':
+ case 'i':
+ case 'o':
+ case 'u':
+ num_vowels++;
+ break;
+ }
+
+ if(isdigit(word[i+1])) {
+ num_digits++;
+ // num_impossible++;
+ continue;
+ }
+
+ num_bigram_checks++;
- if(ndpi_match_bigram(ndpi_str, &ndpi_str->bigrams_automa, &tmp[i])) {
- num_found++;
- } else if(ndpi_match_bigram(ndpi_str,
- &ndpi_str->impossible_bigrams_automa,
- &tmp[i])) {
+ if(ndpi_match_bigram(ndpi_str, &ndpi_str->bigrams_automa, &word[i])) {
+ num_found++;
+ } else {
+ if(ndpi_match_bigram(ndpi_str,
+ &ndpi_str->impossible_bigrams_automa,
+ &word[i])) {
 #ifdef DGA_DEBUG
- printf("IMPOSSIBLE %s\n", &tmp[i]);
+ printf("IMPOSSIBLE %s\n", &word[i]);
 #endif
- num_impossible++;
- }
- }
+ num_impossible++;
+ }
+ }
+ } /* for */
+ } /* for */
+#ifdef DGA_DEBUG
+ printf("[num_found: %u][num_impossible: %u][num_digits: %u][num_bigram_checks: %u][num_vowels: %u/%u]\n",
+ num_found, num_impossible, num_digits, num_bigram_checks, num_vowels, j-num_vowels);
+#endif
+
 if(num_bigram_checks
- && ((num_found == 0)
- || (enough(num_found, num_impossible))))
- rc = 1;
+ && ((num_found == 0) || ((num_digits > 5) && (num_words <= 3)) || enough(num_found, num_impossible)))
+ rc = 1;
 if(rc && flow) NDPI_SET_BIT(flow->risk, NDPI_SUSPICIOUS_DGA_DOMAIN);
 #ifdef DGA_DEBUG
 if(rc)
- printf("DGA %s [%s][num_found: %u][num_impossible: %u]\n",
- tmp, name, num_found, num_impossible);
+ printf("DGA %s [num_found: %u][num_impossible: %u]\n",
+ name, num_found, num_impossible);
 #endif
 }
-
+
 return(rc);
 }
|
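Review bot: The new per-word loop in ndpi_check_dga_name passes plain `char` values to the ctype functions (`isdigit(word[i])`, `isdigit(word[i+1])`, and the retained `tolower(name[i])`); `name` is taken from the flow, so bytes above 0x7F are possible and on a signed-char platform they arrive as negative ints, which is undefined behaviour for `isdigit`/`tolower`. Cast each argument, e.g. `if(isdigit((unsigned char)word[i])) {` and `tmp[j++] = tolower((unsigned char)name[i]);`. Separately, the `word[i+1]` look-ahead increments `num_digits` and then the same character increments it again when it becomes `word[i]`, so a run of k digits preceded by a letter counts as k+1; if the `num_digits > 5` threshold was tuned on real digit counts, count in one place only. The DGA_DEBUG printf also pairs `%u` with `int` counters, which `-Wformat` will flag.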