diff options
Diffstat (limited to 'src/lib/protocols/tls.c')
| -rw-r--r-- | src/lib/protocols/tls.c | 24 |
1 files changed, 23 insertions, 1 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 299e59ecb..6b56529dd 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -347,6 +347,7 @@ static void checkTLSSubprotocol(struct ndpi_detection_module_struct *ndpi_struct ndpi_set_detected_protocol(ndpi_struct, flow, cached_proto, __get_master(ndpi_struct, flow), NDPI_CONFIDENCE_DPI_CACHE); flow->category = ndpi_get_proto_category(ndpi_struct, ret); ndpi_check_subprotocol_risk(ndpi_struct, flow, cached_proto); + ndpi_unset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST); } } } @@ -682,8 +683,10 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi } if(!flow->protos.tls_quic.subprotocol_detected) - if(ndpi_match_hostname_protocol(ndpi_struct, flow, __get_master(ndpi_struct, flow), dNSName, dNSName_len)) + if(ndpi_match_hostname_protocol(ndpi_struct, flow, __get_master(ndpi_struct, flow), dNSName, dNSName_len)) { flow->protos.tls_quic.subprotocol_detected = 1; + ndpi_unset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST); + } i += len; } else { @@ -727,6 +730,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi ndpi_set_detected_protocol(ndpi_struct, flow, proto_id, __get_master(ndpi_struct, flow), NDPI_CONFIDENCE_DPI); flow->category = ndpi_get_proto_category(ndpi_struct, ret); ndpi_check_subprotocol_risk(ndpi_struct, flow, proto_id); + ndpi_unset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST); if(ndpi_struct->tls_cert_cache) { u_int32_t key = make_tls_cert_key(packet, 0 /* from the server */); @@ -1508,6 +1512,19 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct, /* **************************************** */ +static int check_sni_is_numeric_ip(char *sni) { + unsigned char buf[sizeof(struct in6_addr)]; + + if(inet_pton(AF_INET, sni, buf) == 1) + return 1; + if(inet_pton(AF_INET6, sni, buf) == 1) + return 1; + return 0; +} + + +/* **************************************** */ + int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, uint32_t quic_version) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; @@ -2050,6 +2067,11 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, flow->protos.tls_quic.subprotocol_detected = 1; } + if(flow->protos.tls_quic.subprotocol_detected == 0 && + check_sni_is_numeric_ip(sni) == 1) { + ndpi_set_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST, sni); + } + if(ndpi_check_dga_name(ndpi_struct, flow, sni, 1, 0)) { #ifdef DEBUG_TLS |