Diffstat (limited to 'src/lib/protocols')
-rw-r--r-- | src/lib/protocols/dns.c | 4 | ||||
-rw-r--r-- | src/lib/protocols/http.c | 6 | ||||
-rw-r--r-- | src/lib/protocols/netbios.c | 55 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 46 | ||||
-rw-r--r-- | src/lib/protocols/tor.c | 43 |
5 files changed, 66 insertions, 88 deletions
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 460117c96..099f343e4 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -292,8 +292,10 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st cl--; } } - flow->host_server_name[j] = '\0'; + flow->host_server_name[j] = '\0'; + ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name); + if(j > 0) { ndpi_protocol_match_result ret_match; diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 7b83b91e7..a896c6214 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -284,9 +284,8 @@ static void ndpi_check_numeric_ip(struct ndpi_detection_module_struct *ndpi_stru buf[ip_len] = '\0'; ip_addr.s_addr = inet_addr(buf); - if(strcmp(inet_ntoa(ip_addr), buf) == 0) { + if(strcmp(inet_ntoa(ip_addr), buf) == 0) NDPI_SET_BIT(flow->risk, NDPI_HTTP_NUMERIC_IP_HOST); - } } /* ************************************************************* */ @@ -294,7 +293,7 @@ static void ndpi_check_numeric_ip(struct ndpi_detection_module_struct *ndpi_stru static void ndpi_check_http_url(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, char *url) { - + /* Nothing to do */ } /* ************************************************************* */ @@ -451,6 +450,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ flow->host_server_name[len] = '\0'; flow->extra_packets_func = NULL; /* We're good now */ + ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name); flow->server_id = flow->dst; if(packet->forwarded_line.ptr) { diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c index 7e4c98265..c396a392b 100644 --- a/src/lib/protocols/netbios.c +++ b/src/lib/protocols/netbios.c @@ -19,7 +19,7 @@ * * You should have received a copy of the GNU Lesser General Public License * along with nDPI. If not, see <http://www.gnu.org/licenses/>. - * + * */ 
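Review bot: The new `ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name);` in ndpi_search_dns is placed before the `if(j > 0)` guard, so it is also invoked when no name was decoded (j == 0) and host_server_name is the empty string. Unless the helper is known to reject zero-length input, move the call inside the guard, i.e. `if(j > 0) { ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name); ... }`, so the DGA verdict is only computed on a real hostname. ndpi_check_dga_name is not defined in this diff (it is limited to src/lib/protocols), so its empty-string behaviour cannot be confirmed here, and ndpi_search_dns starts and ends outside the hunk.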
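Review bot: In check_content_type_and_change_protocol the DGA check is now run on whatever the Host header carried, which includes bare IPv4 literals that ndpi_check_numeric_ip (visible in the -284 hunk of this file) already reports as NDPI_HTTP_NUMERIC_IP_HOST. If ndpi_check_dga_name treats digit runs as a DGA signal, as the tor.c heuristic this commit replaces did, such hosts would carry two risk bits for a single property; consider skipping the call when the numeric-IP check has fired, or documenting that the helper ignores all-numeric input, e.g. `/* numeric hosts are reported by ndpi_check_numeric_ip, not as DGA */`. The Host value is attacker-controlled, so the cost of a false DGA verdict is noise in downstream alerting rather than a memory issue; the function continues outside the hunk.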
@@ -41,14 +41,14 @@ struct netbios_header { int ndpi_netbios_name_interpret(char *in, size_t inlen, char *out, u_int out_len) { int ret = 0, len; char *b; - + len = (*in++)/2; b = out; *out = 0; if(len > (out_len-1) || len < 1 || 2*len > inlen) - return(-1); - + return(-1); + while (len--) { if(in[0] < 'A' || in[0] > 'P' || in[1] < 'A' || in[1] > 'P') { *out = 0; @@ -56,7 +56,7 @@ int ndpi_netbios_name_interpret(char *in, size_t inlen, char *out, u_int out_len } *out = ((in[0]-'A')<<4) + (in[1]-'A'); - + in += 2; if(isprint(*out)) @@ -76,13 +76,16 @@ int ndpi_netbios_name_interpret(char *in, size_t inlen, char *out, u_int out_len static void ndpi_int_netbios_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, - u_int16_t sub_protocol) { + u_int16_t sub_protocol) { char name[64]; u_int off = flow->packet.payload[12] == 0x20 ? 12 : 14; if((off < flow->packet.payload_packet_len) && - ndpi_netbios_name_interpret((char*)&flow->packet.payload[off], flow->packet.payload_packet_len - off, name, sizeof(name)) > 0) - snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name); + ndpi_netbios_name_interpret((char*)&flow->packet.payload[off], flow->packet.payload_packet_len - off, name, sizeof(name)) > 0) { + snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name); + + ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name); + } if(sub_protocol == NDPI_PROTOCOL_UNKNOWN) ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NETBIOS, NDPI_PROTOCOL_UNKNOWN); @@ -96,9 +99,9 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; u_int16_t dport; - + NDPI_LOG_DBG(ndpi_struct, "search netbios\n"); - + if(packet->udp != NULL) { dport = ntohs(packet->udp->dest); 
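Review bot: ndpi_int_netbios_add_connection now feeds a decoded NetBIOS name to ndpi_check_dga_name, but these are short, upper-cased, space-padded machine or workgroup names with a trailing type byte rather than DNS labels, so a classifier tuned for domain names is likely to produce false DGA verdicts on ordinary numbered or abbreviated workstation names; either document that this is intended (`/* NetBIOS names are not DNS labels; DGA scoring here is best-effort */`) or restrict the call. The `sizeof(flow->host_server_name)-1` bound in the snprintf is unnecessary, since snprintf NUL-terminates within the size it is given, though harmless. As a pre-existing point in the adjacent decode loop of ndpi_netbios_name_interpret, `*out = ((in[0]-'A')<<4) + (in[1]-'A')` can store values up to 255 into a plain `char` and then pass it to `isprint(*out)`, which is undefined for negative values on signed-char platforms; it should read `if(isprint((unsigned char)*out))`.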
@@ -110,7 +113,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, h.transaction_id = ntohs(h.transaction_id), h.flags = ntohs(h.flags), h.questions = ntohs(h.questions), h.answer_rrs = ntohs(h.answer_rrs), h.authority_rrs = ntohs(h.authority_rrs), h.additional_rrs = ntohs(h.additional_rrs); - + NDPI_LOG_DBG(ndpi_struct, "found netbios port 137 and payload_packet_len 50\n"); if(h.flags == 0 && @@ -123,18 +126,18 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); return; } - + if(((h.flags & 0x8710) == 0x10) && h.questions == 1 && h.answer_rrs == 0 && h.authority_rrs == 0) { NDPI_LOG_INFO(ndpi_struct, "found netbios with questions = 1 and answers = 0, authority = 0 and broadcast \n"); - + ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); return; } - + if(packet->payload[2] == 0x80 && h.questions == 1 && h.answer_rrs == 0 && @@ -145,7 +148,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); return; } - + if(h.flags == 0x4000 && h.questions == 1 && h.answer_rrs == 0 && @@ -156,7 +159,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); return; } - + if(h.flags == 0x8400 && h.questions == 0 && h.answer_rrs == 1 && @@ -168,7 +171,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); return; } - + if(h.flags == 0x8500 && h.questions == 0 && h.answer_rrs == 1 && 
@@ -180,7 +183,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); return; } - + if(((h.flags == 0x2900) || (h.flags == 0x2910)) && h.questions == 1 && h.answer_rrs == 0 && @@ -192,7 +195,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); return; } - + if(h.flags == 0xAD86 && h.questions == 0 && h.answer_rrs == 1 && @@ -204,7 +207,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); return; } - + if(h.flags == 0x0110 && h.questions == 1 && h.answer_rrs == 0 && @@ -333,25 +336,25 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, } /* TODO: extend according to rfc1002 */ } - + /* check standard NETBIOS over udp to port 138 */ /* netbios header token from http://www.protocolbase.net/protocols/protocol_NBDGM.php */ if((dport == 138) && (packet->payload_packet_len >= 14)) { u_int16_t netbios_len = ntohs(get_u_int16_t(packet->payload, 10)); - - if(netbios_len == packet->payload_packet_len - 14) { + + if(netbios_len == packet->payload_packet_len - 14) { NDPI_LOG_DBG2(ndpi_struct, "found netbios port 138 and payload length >= 112 \n"); - + if(packet->payload[0] >= 0x10 && packet->payload[0] <= 0x16) { u_int32_t source_ip = ntohl(get_u_int32_t(packet->payload, 4)); - + NDPI_LOG_DBG2(ndpi_struct, "found netbios with MSG-type 0x10,0x11,0x12,0x13,0x14,0x15 or 0x16\n"); if(source_ip == ntohl(packet->iph->saddr)) { int16_t leftover = netbios_len - 82; /* NetBIOS len */ - + NDPI_LOG_INFO(ndpi_struct, "found netbios with checked ip-address\n"); ndpi_int_netbios_add_connection(ndpi_struct, flow, (leftover > 0) ? NDPI_PROTOCOL_SMBV1 : NDPI_PROTOCOL_UNKNOWN); 
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 7d9e99171..816b23a50 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -223,7 +223,7 @@ static int extractRDNSequence(struct ndpi_packet_struct *packet, if(rc > 0) (*rdnSeqBuf_offset) += rc; } - + return(is_printable); } @@ -244,7 +244,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi /* Check after handshake protocol header (5 bytes) and message header (4 bytes) */ for(i = p_offset; i < certificate_len; i++) { - /* + /* See https://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.sec.doc/q009860_.htm for X.509 certificate labels */ @@ -252,7 +252,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi /* Common Name */ int rc = extractRDNSequence(packet, i, buffer, sizeof(buffer), rdnSeqBuf, &rdn_len, sizeof(rdnSeqBuf), "CN"); if(rc == -1) break; - + #ifdef DEBUG_TLS printf("[TLS] %s() [%s][%s: %s]\n", __FUNCTION__, (num_found == 0) ? "Subject" : "Issuer", "Common Name", buffer); #endif @@ -260,7 +260,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi /* Country */ int rc = extractRDNSequence(packet, i, buffer, sizeof(buffer), rdnSeqBuf, &rdn_len, sizeof(rdnSeqBuf), "C"); if(rc == -1) break; - + #ifdef DEBUG_TLS printf("[TLS] %s() [%s][%s: %s]\n", __FUNCTION__, (num_found == 0) ? "Subject" : "Issuer", "Country", buffer); #endif @@ -315,10 +315,10 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi if((offset+len) < packet->payload_packet_len) { char utcDate[32]; - + #ifdef DEBUG_TLS u_int j; - + printf("[CERTIFICATE] notBefore [len: %u][", len); for(j=0; j<len; j++) printf("%c", packet->payload[i+4+j]); printf("]\n"); 
@@ -352,7 +352,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi u_int32_t time_sec = flow->packet.current_time_ms / 1000; #ifdef DEBUG_TLS u_int j; - + printf("[CERTIFICATE] notAfter [len: %u][", len); for(j=0; j<len; j++) printf("%c", packet->payload[offset+j]); printf("]\n"); @@ -375,7 +375,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi } } - + if((time_sec < flow->protos.stun_ssl.ssl.notBefore) || (time_sec > flow->protos.stun_ssl.ssl.notAfter)) NDPI_SET_BIT(flow->risk, NDPI_TLS_CERTIFICATE_EXPIRED); /* Certificate expired */ @@ -385,7 +385,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi } else if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x1d) && (packet->payload[i+2] == 0x11)) { /* Organization OID: 2.5.29.17 (subjectAltName) */ u_int8_t matched_name = 0; - + #ifdef DEBUG_TLS printf("******* [TLS] Found subjectAltName\n"); #endif @@ -428,7 +428,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi else if(strcmp(flow->protos.stun_ssl.ssl.client_requested_server_name, dNSName) == 0) matched_name = 1; } - + if(flow->protos.stun_ssl.ssl.server_names == NULL) flow->protos.stun_ssl.ssl.server_names = ndpi_strdup(dNSName), flow->protos.stun_ssl.ssl.server_names_len = strlen(dNSName); @@ -477,7 +477,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi if(flow->protos.stun_ssl.ssl.subjectDN && flow->protos.stun_ssl.ssl.issuerDN && (!strcmp(flow->protos.stun_ssl.ssl.subjectDN, flow->protos.stun_ssl.ssl.issuerDN))) NDPI_SET_BIT(flow->risk, NDPI_TLS_SELFSIGNED_CERTIFICATE); - + #if DEBUG_TLS printf("[TLS] %s() SubjectDN [%s]\n", __FUNCTION__, rdnSeqBuf); #endif 
@@ -864,7 +864,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, flow->protos.stun_ssl.ssl.ssl_version = ja3.tls_handshake_version = tls_version; if(flow->protos.stun_ssl.ssl.ssl_version < 0x0302) /* TLSv1.1 */ NDPI_SET_BIT(flow->risk, NDPI_TLS_OBSOLETE_VERSION); - + if(handshake_type == 0x02 /* Server Hello */) { int i, rc; @@ -889,7 +889,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, ja3.num_cipher = 1, ja3.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset])); if((flow->protos.stun_ssl.ssl.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.cipher[0])) == 1) NDPI_SET_BIT(flow->risk, NDPI_TLS_WEAK_CIPHER); - + flow->protos.stun_ssl.ssl.server_cipher = ja3.cipher[0]; #ifdef DEBUG_TLS @@ -1108,6 +1108,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, buffer, strlen(buffer))) flow->l4.tcp.tls.subprotocol_detected = 1; + + ndpi_check_dga_name(ndpi_struct, flow, flow->protos.stun_ssl.ssl.client_requested_server_name); } else { #ifdef DEBUG_TLS printf("[TLS] Extensions server len too short: %u vs %u\n", @@ -1261,8 +1263,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, flow->protos.stun_ssl.ssl.tls_supported_versions = ndpi_strdup(version_str); } } else if(extension_id == 65486 /* encrypted server name */) { - /* - - https://tools.ietf.org/html/draft-ietf-tls-esni-06 + /* + - https://tools.ietf.org/html/draft-ietf-tls-esni-06 - https://blog.cloudflare.com/encrypted-sni/ */ u_int16_t e_offset = offset+extension_offset; 
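Review bot: The new `ndpi_check_dga_name(ndpi_struct, flow, flow->protos.stun_ssl.ssl.client_requested_server_name);` runs even when the preceding ndpi_match_hostname_protocol just matched the SNI against a known hostname and set `subprotocol_detected`; a name that resolves to a known service should not also be scored as DGA. Gate it on the match result: `if(!flow->l4.tcp.tls.subprotocol_detected) ndpi_check_dga_name(ndpi_struct, flow, flow->protos.stun_ssl.ssl.client_requested_server_name);`. Note that dns.c in this same commit runs the DGA check before its hostname match, so the two call sites disagree on ordering and one of them should be documented as deliberate. The SNI is attacker-controlled and it is not visible here whether client_requested_server_name is guaranteed NUL-terminated at this point; processClientServerHello starts and ends outside the hunk.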
@@ -1270,9 +1272,9 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t e_sni_len, cipher_suite = ntohs(*((u_int16_t*)&packet->payload[e_offset])); flow->protos.stun_ssl.ssl.encrypted_sni.cipher_suite = cipher_suite; - + e_offset += 2; /* Cipher suite len */ - + /* Key Share Entry */ e_offset += 2; /* Group */ e_offset += ntohs(*((u_int16_t*)&packet->payload[e_offset])) + 2; /* Lenght */ @@ -1280,11 +1282,11 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, if((e_offset+4) < packet->payload_packet_len) { /* Record Digest */ e_offset += ntohs(*((u_int16_t*)&packet->payload[e_offset])) + 2; /* Lenght */ - + if((e_offset+4) < packet->payload_packet_len) { e_sni_len = ntohs(*((u_int16_t*)&packet->payload[e_offset])); e_offset += 2; - + if((e_offset+e_sni_len-extension_len-initial_offset) >= 0) { #ifdef DEBUG_ENCRYPTED_SNI printf("Client SSL [Encrypted Server Name len: %u]\n", e_sni_len); @@ -1292,13 +1294,13 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, if(flow->protos.stun_ssl.ssl.encrypted_sni.esni == NULL) { flow->protos.stun_ssl.ssl.encrypted_sni.esni = (char*)ndpi_malloc(e_sni_len*2+1); - + if(flow->protos.stun_ssl.ssl.encrypted_sni.esni) { u_int16_t i, off; - + for(i=e_offset, off=0; i<(e_offset+e_sni_len); i++) { int rc = sprintf(&flow->protos.stun_ssl.ssl.encrypted_sni.esni[off], "%02X", packet->payload[i] & 0XFF); - + if(rc <= 0) { flow->protos.stun_ssl.ssl.encrypted_sni.esni[off] = '\0'; break; diff --git a/src/lib/protocols/tor.c b/src/lib/protocols/tor.c index 9dd14046e..7318685e7 100644 --- a/src/lib/protocols/tor.c +++ b/src/lib/protocols/tor.c 
@@ -48,45 +48,16 @@ int ndpi_is_tls_tor(struct ndpi_detection_module_struct *ndpi_struct, if((dot = strrchr(dummy, '.')) == NULL) return(0); name = &dot[1]; - len = strlen(name); - - if(len >= 5) { - int i, prev_num = 0, numbers_found = 0, num_found = 0, num_impossible = 0; - - for(i = 0; name[i+1] != '\0'; i++) { - // printf("***** [SSL] %s(): [%d][%c]", __FUNCTION__, i, name[i]); - - if((name[i] >= '0') && (name[i] <= '9')) { - if(prev_num != 1) { - numbers_found++; - - if(numbers_found == 2) { - ndpi_int_tor_add_connection(ndpi_struct, flow); - return(1); - } - prev_num = 1; - } - } else - prev_num = 0; - - if(ndpi_match_bigram(ndpi_struct, &ndpi_struct->bigrams_automa, &name[i])) { - num_found++; - } else if(ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, &name[i])) { - num_impossible++; - } - } - - if((num_found == 0) || (num_impossible > 1)) { + if(ndpi_check_dga_name(ndpi_struct, flow, name)) { + ndpi_int_tor_add_connection(ndpi_struct, flow); + return(1); + } else { +#ifdef PEDANTIC_TOR_CHECK + if(gethostbyname(certificate) == NULL) { ndpi_int_tor_add_connection(ndpi_struct, flow); return(1); - } else { -#ifdef PEDANTIC_TOR_CHECK - if(gethostbyname(certificate) == NULL) { - ndpi_int_tor_add_connection(ndpi_struct, flow); - return(1); - } -#endif } +#endif } return(0); |
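Review bot: The removed heuristic only ran when `len >= 5`, but the new code passes `name` (the label after the last '.' of the certificate name) to ndpi_check_dga_name with no minimum length, so whether short labels are flagged now depends entirely on thresholds inside a helper that is not part of this diff. That matters more here than at the other call sites because a positive verdict is turned straight into a Tor classification via ndpi_int_tor_add_connection rather than a risk bit; consider keeping the old guard, `if((strlen(name) >= 5) && ndpi_check_dga_name(ndpi_struct, flow, name))`, or documenting that the helper enforces its own minimum. If `len` is still declared above the hunk it is now unused and will warn. The retained PEDANTIC_TOR_CHECK path calls `gethostbyname(certificate)`, a blocking, non-reentrant network lookup on the packet-processing path that also sends the observed certificate name to the resolver; it is compiled out by default, but that caveat belongs in a comment beside the #ifdef. ndpi_is_tls_tor starts outside the hunk.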