diff options
Diffstat (limited to 'src/lib/protocols')
| -rw-r--r-- | src/lib/protocols/dns.c | 14 | ||||
| -rw-r--r-- | src/lib/protocols/mdns_proto.c | 29 | ||||
| -rw-r--r-- | src/lib/protocols/mining.c | 18 |
3 files changed, 32 insertions, 29 deletions
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index f77040020..e282eb4d3 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -63,7 +63,7 @@ static u_int getNameLength(u_int i, const u_int8_t *payload, u_int payloadLen) { /* *********************************************** */ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - int x; + int x, payload_offset; u_int8_t is_query; u_int16_t s_port = 0, d_port = 0; @@ -72,16 +72,18 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd if(flow->packet.udp != NULL) { s_port = ntohs(flow->packet.udp->source); d_port = ntohs(flow->packet.udp->dest); - x = 0; + payload_offset = 0; } else if(flow->packet.tcp != NULL) /* pkt size > 512 bytes */ { s_port = ntohs(flow->packet.tcp->source); d_port = ntohs(flow->packet.tcp->dest); - x = 2; + payload_offset = 2; } else { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } + x = payload_offset; + if((s_port == 53 || d_port == 53 || d_port == 5355) && (flow->packet.payload_packet_len > sizeof(struct ndpi_dns_packet_header)+x)) { struct ndpi_dns_packet_header dns_header; @@ -175,7 +177,8 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd } } } - } + } else + invalid = 1; } if(invalid) { @@ -184,8 +187,7 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd } /* extract host name server */ - int j = 0, max_len = sizeof(flow->host_server_name)-1, off = sizeof(struct ndpi_dns_packet_header) + 1; - + int j = 0, max_len = sizeof(flow->host_server_name)-1, off = sizeof(struct ndpi_dns_packet_header) + 1 + payload_offset; while(off < flow->packet.payload_packet_len && flow->packet.payload[off] != '\0') { flow->host_server_name[j] = flow->packet.payload[off]; if(j < max_len) { diff --git a/src/lib/protocols/mdns_proto.c b/src/lib/protocols/mdns_proto.c index 00c7c8748..75eab720b 100644 --- a/src/lib/protocols/mdns_proto.c +++ b/src/lib/protocols/mdns_proto.c @@ -63,17 +63,15 @@ static int ndpi_int_check_mdns_payload(struct ndpi_detection_module_struct struct ndpi_packet_struct *packet = &flow->packet; struct mdns_header *h = (struct mdns_header*)packet->payload; u_int16_t questions = ntohs(h->questions), answers = ntohs(h->answers); + + if((questions > NDPI_MAX_MDNS_REQUESTS) + || (answers > NDPI_MAX_MDNS_REQUESTS)) + return(0); - if(((packet->payload[2] & 0x80) == 0) - && (questions <= NDPI_MAX_MDNS_REQUESTS) - && (answers <= NDPI_MAX_MDNS_REQUESTS)) { + if((packet->payload[2] & 0x80) == 0) { NDPI_LOG_INFO(ndpi_struct, "found MDNS with question query\n"); return 1; - } - else if(((packet->payload[2] & 0x80) != 0) - && (questions == 0) - && (answers <= NDPI_MAX_MDNS_REQUESTS) - && (answers != 0)) { + } else if((packet->payload[2] & 0x80) != 0) { char answer[256]; int i, j, len; @@ -100,8 +98,6 @@ static int ndpi_int_check_mdns_payload(struct ndpi_detection_module_struct void ndpi_search_mdns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - u_int16_t dport; - NDPI_LOG_DBG(ndpi_struct, "search MDNS\n"); /** @@ -111,15 +107,13 @@ void ndpi_search_mdns(struct ndpi_detection_module_struct *ndpi_struct, struct n /* check if UDP packet */ if(packet->udp != NULL) { /* read destination port */ - dport = ntohs(packet->udp->dest); + u_int16_t sport = ntohs(packet->udp->source); + u_int16_t dport = ntohs(packet->udp->dest); /* check standard MDNS ON port 5353 */ - if(dport == 5353 && packet->payload_packet_len >= 12) { - /* mdns protocol must have destination address 224.0.0.251 */ - if(packet->iph != NULL /* && ntohl(packet->iph->daddr) == 0xe00000fb */) { - - NDPI_LOG_INFO(ndpi_struct, "found MDNS with destination address 224.0.0.251 (=0xe00000fb)\n"); - + if(((dport == 5353) || (sport == 5353)) + && (packet->payload_packet_len >= 12)) { + if(packet->iph != NULL) { if(ndpi_int_check_mdns_payload(ndpi_struct, flow) == 1) { ndpi_int_mdns_add_connection(ndpi_struct, flow); return; @@ -141,6 +135,7 @@ void ndpi_search_mdns(struct ndpi_detection_module_struct *ndpi_struct, struct n #endif } } + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/mining.c b/src/lib/protocols/mining.c index ec094e7d3..b4361e270 100644 --- a/src/lib/protocols/mining.c +++ b/src/lib/protocols/mining.c @@ -44,9 +44,12 @@ void ndpi_search_mining_tcp(struct ndpi_detection_module_struct *ndpi_struct, if((*to_match == magic) || (*to_match == magic1)) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN); } - } if(ndpi_strnstr((const char *)packet->payload, "\"eth1.0\"", packet->payload_packet_len) - || ndpi_strnstr((const char *)packet->payload, "\"worker\"", packet->payload_packet_len) - || ndpi_strnstr((const char *)packet->payload, "\"id\"", packet->payload_packet_len)) { + } if(ndpi_strnstr((const char *)packet->payload, "{", packet->payload_packet_len) + && ( + ndpi_strnstr((const char *)packet->payload, "\"eth1.0\"", packet->payload_packet_len) + || ndpi_strnstr((const char *)packet->payload, "\"worker\":", packet->payload_packet_len) + /* || ndpi_strnstr((const char *)packet->payload, "\"id\":", packet->payload_packet_len) - Removed as too generic */ + )) { /* Ethereum @@ -55,9 +58,12 @@ void ndpi_search_mining_tcp(struct ndpi_detection_module_struct *ndpi_struct, {"worker": "", "jsonrpc": "2.0", "params": [], "id": 3, "method": "eth_getWork"} */ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN); - } else if(ndpi_strnstr((const char *)packet->payload, "\"method\"", packet->payload_packet_len) - || ndpi_strnstr((const char *)packet->payload, "\"blob\"", packet->payload_packet_len) - || ndpi_strnstr((const char *)packet->payload, "\"id\"", packet->payload_packet_len)) { + } else if(ndpi_strnstr((const char *)packet->payload, "{", packet->payload_packet_len) + && (ndpi_strnstr((const char *)packet->payload, "\"method\":", packet->payload_packet_len) + || ndpi_strnstr((const char *)packet->payload, "\"blob\":", packet->payload_packet_len) + /* || ndpi_strnstr((const char *)packet->payload, "\"id\":", packet->payload_packet_len) - Removed as too generic */ + ) + ) { /* ZCash |