diff options
Diffstat (limited to 'src/lib/protocols/dns.c')
| -rw-r--r-- | src/lib/protocols/dns.c | 31 |
1 files changed, 20 insertions, 11 deletions
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 58c9f968c..8c387e304 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -94,7 +94,7 @@ static void ndpi_check_dns_type(struct ndpi_detection_module_struct *ndpi_struct case 106: case 107: case 259: - ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_SUSPICIOUS_TRAFFIC); + ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_SUSPICIOUS_TRAFFIC, NULL); break; } } @@ -220,7 +220,7 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, else if((dns_header->flags & FLAGS_MASK) == 0x8000) *is_query = 0; else { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET); + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid DNS Flags"); return(1 /* invalid */); } @@ -246,15 +246,19 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, x++; } } else { - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET); + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid DNS Header"); return(1 /* invalid */); } } else { /* DNS Reply */ flow->protos.dns.reply_code = dns_header->flags & 0x0F; - if(flow->protos.dns.reply_code != 0) - ndpi_set_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED); + if(flow->protos.dns.reply_code != 0) { + char str[32]; + + snprintf(str, sizeof(str), "DNS Error Code %d", flow->protos.dns.reply_code); + ndpi_set_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED, str); + } if((dns_header->num_queries > 0) && (dns_header->num_queries <= NDPI_MAX_DNS_REQUESTS) /* Don't assume that num_queries must be zero */ && ((((dns_header->num_answers > 0) && (dns_header->num_answers <= NDPI_MAX_DNS_REQUESTS)) @@ -463,7 +467,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st #ifdef DNS_DEBUG printf("[DNS] Invalid query len [%u >= %u]\n", i+4, packet->payload_packet_len); #endif - ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET); + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid DNS Query Lenght"); break; } else { idx = i+5, num_queries++; @@ -507,7 +511,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st ndpi_hostname_sni_set(flow, (const u_int8_t *)_hostname, j); if (hostname_is_valid == 0) - ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS); + ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, NULL); if(j > 0) { ndpi_protocol_match_result ret_match; @@ -577,9 +581,14 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st if((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_DNS) || (flow->detected_protocol_stack[1] == NDPI_PROTOCOL_DNS)) { /* TODO: add support to RFC6891 to avoid some false positives */ - if(packet->udp != NULL && packet->payload_packet_len > PKT_LEN_ALERT) - ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_LARGE_PACKET); + if((packet->udp != NULL) + && (packet->payload_packet_len > PKT_LEN_ALERT)) { + char str[48]; + snprintf(str, sizeof(str), "%u Bytes DNS Packet", packet->payload_packet_len); + ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_LARGE_PACKET, str); + } + if(packet->iph != NULL) { /* IPv4 */ u_int8_t flags = ((u_int8_t*)packet->iph)[6]; @@ -587,14 +596,14 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st /* 0: fragmented; 1: not fragmented */ if((flags & 0x20) || (ndpi_iph_is_valid_and_not_fragmented(packet->iph, packet->l3_packet_len) == 0)) { - ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_FRAGMENTED); + ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_FRAGMENTED, NULL); } } else if(packet->iphv6 != NULL) { /* IPv6 */ const struct ndpi_ip6_hdrctl *ip6_hdr = &packet->iphv6->ip6_hdr; if(ip6_hdr->ip6_un1_nxt == 0x2C /* Next Header: Fragment Header for IPv6 (44) */) { - ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_FRAGMENTED); + ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_FRAGMENTED, NULL); } } } |