Diffstat (limited to 'src/lib/protocols/dns.c')
-rw-r--r-- | src/lib/protocols/dns.c | 30 |
1 files changed, 29 insertions, 1 deletions
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 5e1f100cc..0d3ac276d 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -35,6 +35,8 @@
 #define LLMNR_PORT 5355
 #define MDNS_PORT 5353
+#define PKT_LEN_ALERT 512
+
 static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
@@ -333,6 +335,8 @@ static int search_dns_again(struct ndpi_detection_module_struct *ndpi_struct, st
 /* *********************************************** */
 static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
+
+ int payload_offset;
 u_int8_t is_query;
 u_int16_t s_port = 0, d_port = 0;
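Review bot: `int payload_offset;` is added at the top of ndpi_search_dns but is not referenced in any hunk of this diff, so unless the unchanged body between this hunk and the next one uses it, it is an unused variable that will warn under -Wunused-variable and should be removed (or declared at first use if it is wanted later). The body of ndpi_search_dns continues outside this hunk.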
@@ -513,8 +517,31 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st
 if(flow->packet_counter > 3) NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+
+ if((flow->packet.detected_protocol_stack[0] == NDPI_PROTOCOL_DNS)
+ || (flow->packet.detected_protocol_stack[1] == NDPI_PROTOCOL_DNS)) {
+
+ if(flow->packet.udp != NULL && flow->packet.payload_packet_len > PKT_LEN_ALERT)
+ ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_LARGE_PACKET);
+
+ const struct ndpi_iphdr *iph = flow->packet.iph;
+ const u_int8_t *l3 = (const u_int8_t *) flow->packet.iph;
+ const struct ndpi_ipv6hdr *iph_v6 = NULL;
+ const u_int16_t ipsize = flow->packet.l3_packet_len;
+
+ // TODO: add support to RFC6891 to avoid some false positive
+ if(iph != NULL && iph->version == 6 && ipsize >= sizeof(struct ndpi_ipv6hdr)) {
+ iph_v6 = (const struct ndpi_ipv6hdr *) l3;
+ iph = NULL;
+ }
+
+ if((iph != NULL && (ipsize < iph->ihl * 4 || ipsize < ntohs(iph->tot_len) || ntohs(iph->tot_len) < iph->ihl * 4
+ || ((iph->frag_off & htons(0x1FFF)) != 0) || ((iph->frag_off & htons(0x3FFF)) != 0)))
+ || (iph_v6 != NULL && iph_v6->ip6_hdr.ip6_un1_nxt == 44))
+ ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_FRAGMENTED);
+
+ }
 }
-
 void init_dns_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) {
 ndpi_set_bitmask_protocol_detection("DNS", ndpi_struct, detection_bitmask, *id,
@@ -525,4 +552,5 @@ void init_dns_dissector(struct ndpi_detection_module_struct *ndpi_struct,
 ADD_TO_DETECTION_BITMASK);
 *id += 1;
+
 }
|
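Review bot: In the IPv4 part of the NDPI_DNS_FRAGMENTED condition, `((iph->frag_off & htons(0x1FFF)) != 0)` is subsumed by the next test `((iph->frag_off & htons(0x3FFF)) != 0)` (0x3FFF covers both the MF flag and the fragment offset), so the first can be dropped, and the three length tests before it (`ipsize < iph->ihl * 4`, `ipsize < ntohs(iph->tot_len)`, `ntohs(iph->tot_len) < iph->ihl * 4`) describe a truncated or malformed header rather than fragmentation, which deserves a comment on that line such as `/* malformed/truncated IPv4 header, or a fragment (MF set or offset != 0) */` so the risk is not misread. The IPv6 test `iph_v6->ip6_hdr.ip6_un1_nxt == 44` uses a magic number where `IPPROTO_FRAGMENT` exists, and it only catches a Fragment header placed directly after the base header; a fragment header behind another extension header is missed, which is worth stating in a comment if walking the extension chain is out of scope. `ipsize < ntohs(iph->tot_len)` will also fire on captures whose snaplen is shorter than the packet, so if l3_packet_len is the captured length (not confirmable from this hunk) truncated traces will raise this risk on every DNS flow. ndpi_search_dns begins outside this hunk.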