Diffstat (limited to 'src/lib/protocols')
-rw-r--r--src/lib/protocols/dns.c4
-rw-r--r--src/lib/protocols/http.c6
-rw-r--r--src/lib/protocols/netbios.c55
-rw-r--r--src/lib/protocols/tls.c46
-rw-r--r--src/lib/protocols/tor.c43
5 files changed, 66 insertions, 88 deletions
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 460117c96..099f343e4 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -292,8 +292,10 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st
cl--;
}
}
- flow->host_server_name[j] = '\0';
+ flow->host_server_name[j] = '\0';
+ ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name);
+
if(j > 0) {
ndpi_protocol_match_result ret_match;
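Review bot: The new ndpi_check_dga_name() call sits before the `if(j > 0)` guard, so it runs on an empty host_server_name whenever j is 0; unless ndpi_check_dga_name() rejects empty strings itself (not visible here) it belongs inside the guarded block: `if(j > 0) { ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name); ...`. The same ungated pattern appears in the http.c hunk in check_content_type_and_change_protocol, where the call follows `flow->host_server_name[len] = '\0'` with no visible check that len is non-zero. ndpi_search_dns starts outside the hunk.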
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 7b83b91e7..a896c6214 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -284,9 +284,8 @@ static void ndpi_check_numeric_ip(struct ndpi_detection_module_struct *ndpi_stru
buf[ip_len] = '\0';
ip_addr.s_addr = inet_addr(buf);
- if(strcmp(inet_ntoa(ip_addr), buf) == 0) {
+ if(strcmp(inet_ntoa(ip_addr), buf) == 0)
NDPI_SET_BIT(flow->risk, NDPI_HTTP_NUMERIC_IP_HOST);
- }
}
/* ************************************************************* */
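Review bot: Dropping the braces around the single-statement `if` on the NDPI_SET_BIT line buys a little brevity at the cost of the classic unbraced-if hazard when a second statement is later added; keeping `if(strcmp(inet_ntoa(ip_addr), buf) == 0) {` with its closing brace, as the netbios.c hunk in this same commit does, is the safer habit. ndpi_check_numeric_ip begins outside the hunk.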
@@ -294,7 +293,7 @@ static void ndpi_check_numeric_ip(struct ndpi_detection_module_struct *ndpi_stru
static void ndpi_check_http_url(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
char *url) {
-
+ /* Nothing to do */
}
/* ************************************************************* */
@@ -451,6 +450,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
flow->host_server_name[len] = '\0';
flow->extra_packets_func = NULL; /* We're good now */
+ ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name);
flow->server_id = flow->dst;
if(packet->forwarded_line.ptr) {
diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c
index 7e4c98265..c396a392b 100644
--- a/src/lib/protocols/netbios.c
+++ b/src/lib/protocols/netbios.c
@@ -19,7 +19,7 @@
*
* You should have received a copy of the GNU Lesser General Public License
* along with nDPI. If not, see <http://www.gnu.org/licenses/>.
- *
+ *
*/
@@ -41,14 +41,14 @@ struct netbios_header {
int ndpi_netbios_name_interpret(char *in, size_t inlen, char *out, u_int out_len) {
int ret = 0, len;
char *b;
-
+
len = (*in++)/2;
b = out;
*out = 0;
if(len > (out_len-1) || len < 1 || 2*len > inlen)
- return(-1);
-
+ return(-1);
+
while (len--) {
if(in[0] < 'A' || in[0] > 'P' || in[1] < 'A' || in[1] > 'P') {
*out = 0;
@@ -56,7 +56,7 @@ int ndpi_netbios_name_interpret(char *in, size_t inlen, char *out, u_int out_len
}
*out = ((in[0]-'A')<<4) + (in[1]-'A');
-
+
in += 2;
if(isprint(*out))
@@ -76,13 +76,16 @@ int ndpi_netbios_name_interpret(char *in, size_t inlen, char *out, u_int out_len
static void ndpi_int_netbios_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
- u_int16_t sub_protocol) {
+ u_int16_t sub_protocol) {
char name[64];
u_int off = flow->packet.payload[12] == 0x20 ? 12 : 14;
if((off < flow->packet.payload_packet_len) &&
- ndpi_netbios_name_interpret((char*)&flow->packet.payload[off], flow->packet.payload_packet_len - off, name, sizeof(name)) > 0)
- snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name);
+ ndpi_netbios_name_interpret((char*)&flow->packet.payload[off], flow->packet.payload_packet_len - off, name, sizeof(name)) > 0) {
+ snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name);
+
+ ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name);
+ }
if(sub_protocol == NDPI_PROTOCOL_UNKNOWN)
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NETBIOS, NDPI_PROTOCOL_UNKNOWN);
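Review bot: On the re-indented snprintf line, `sizeof(flow->host_server_name)-1` gives away one usable byte for nothing, because snprintf already counts the terminator within its size argument; `sizeof(flow->host_server_name)` is the correct bound. Separately, `off` is derived from `flow->packet.payload[12]` before the `off < flow->packet.payload_packet_len` check, so that read is only safe because the callers in ndpi_search_netbios appear to require a longer payload first (the port-138 path checks `>= 14`); a comment on the `u_int off` line such as `/* callers guarantee payload_packet_len > 12 */` would make that precondition explicit. ndpi_int_netbios_add_connection continues past the hunk and its callers are outside it.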
@@ -96,9 +99,9 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
u_int16_t dport;
-
+
NDPI_LOG_DBG(ndpi_struct, "search netbios\n");
-
+
if(packet->udp != NULL) {
dport = ntohs(packet->udp->dest);
@@ -110,7 +113,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct,
h.transaction_id = ntohs(h.transaction_id), h.flags = ntohs(h.flags),
h.questions = ntohs(h.questions), h.answer_rrs = ntohs(h.answer_rrs),
h.authority_rrs = ntohs(h.authority_rrs), h.additional_rrs = ntohs(h.additional_rrs);
-
+
NDPI_LOG_DBG(ndpi_struct, "found netbios port 137 and payload_packet_len 50\n");
if(h.flags == 0 &&
@@ -123,18 +126,18 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN);
return;
}
-
+
if(((h.flags & 0x8710) == 0x10) &&
h.questions == 1 &&
h.answer_rrs == 0 &&
h.authority_rrs == 0) {
NDPI_LOG_INFO(ndpi_struct, "found netbios with questions = 1 and answers = 0, authority = 0 and broadcast \n");
-
+
ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN);
return;
}
-
+
if(packet->payload[2] == 0x80 &&
h.questions == 1 &&
h.answer_rrs == 0 &&
@@ -145,7 +148,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN);
return;
}
-
+
if(h.flags == 0x4000 &&
h.questions == 1 &&
h.answer_rrs == 0 &&
@@ -156,7 +159,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN);
return;
}
-
+
if(h.flags == 0x8400 &&
h.questions == 0 &&
h.answer_rrs == 1 &&
@@ -168,7 +171,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN);
return;
}
-
+
if(h.flags == 0x8500 &&
h.questions == 0 &&
h.answer_rrs == 1 &&
@@ -180,7 +183,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN);
return;
}
-
+
if(((h.flags == 0x2900) || (h.flags == 0x2910)) &&
h.questions == 1 &&
h.answer_rrs == 0 &&
@@ -192,7 +195,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN);
return;
}
-
+
if(h.flags == 0xAD86 &&
h.questions == 0 &&
h.answer_rrs == 1 &&
@@ -204,7 +207,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN);
return;
}
-
+
if(h.flags == 0x0110 &&
h.questions == 1 &&
h.answer_rrs == 0 &&
@@ -333,25 +336,25 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct,
}
/* TODO: extend according to rfc1002 */
}
-
+
/* check standard NETBIOS over udp to port 138 */
/* netbios header token from http://www.protocolbase.net/protocols/protocol_NBDGM.php */
if((dport == 138) && (packet->payload_packet_len >= 14)) {
u_int16_t netbios_len = ntohs(get_u_int16_t(packet->payload, 10));
-
- if(netbios_len == packet->payload_packet_len - 14) {
+
+ if(netbios_len == packet->payload_packet_len - 14) {
NDPI_LOG_DBG2(ndpi_struct, "found netbios port 138 and payload length >= 112 \n");
-
+
if(packet->payload[0] >= 0x10 && packet->payload[0] <= 0x16) {
u_int32_t source_ip = ntohl(get_u_int32_t(packet->payload, 4));
-
+
NDPI_LOG_DBG2(ndpi_struct, "found netbios with MSG-type 0x10,0x11,0x12,0x13,0x14,0x15 or 0x16\n");
if(source_ip == ntohl(packet->iph->saddr)) {
int16_t leftover = netbios_len - 82; /* NetBIOS len */
-
+
NDPI_LOG_INFO(ndpi_struct, "found netbios with checked ip-address\n");
ndpi_int_netbios_add_connection(ndpi_struct, flow, (leftover > 0) ? NDPI_PROTOCOL_SMBV1 : NDPI_PROTOCOL_UNKNOWN);
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 7d9e99171..816b23a50 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -223,7 +223,7 @@ static int extractRDNSequence(struct ndpi_packet_struct *packet,
if(rc > 0)
(*rdnSeqBuf_offset) += rc;
}
-
+
return(is_printable);
}
@@ -244,7 +244,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
/* Check after handshake protocol header (5 bytes) and message header (4 bytes) */
for(i = p_offset; i < certificate_len; i++) {
- /*
+ /*
See https://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.sec.doc/q009860_.htm
for X.509 certificate labels
*/
@@ -252,7 +252,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
/* Common Name */
int rc = extractRDNSequence(packet, i, buffer, sizeof(buffer), rdnSeqBuf, &rdn_len, sizeof(rdnSeqBuf), "CN");
if(rc == -1) break;
-
+
#ifdef DEBUG_TLS
printf("[TLS] %s() [%s][%s: %s]\n", __FUNCTION__, (num_found == 0) ? "Subject" : "Issuer", "Common Name", buffer);
#endif
@@ -260,7 +260,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
/* Country */
int rc = extractRDNSequence(packet, i, buffer, sizeof(buffer), rdnSeqBuf, &rdn_len, sizeof(rdnSeqBuf), "C");
if(rc == -1) break;
-
+
#ifdef DEBUG_TLS
printf("[TLS] %s() [%s][%s: %s]\n", __FUNCTION__, (num_found == 0) ? "Subject" : "Issuer", "Country", buffer);
#endif
@@ -315,10 +315,10 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
if((offset+len) < packet->payload_packet_len) {
char utcDate[32];
-
+
#ifdef DEBUG_TLS
u_int j;
-
+
printf("[CERTIFICATE] notBefore [len: %u][", len);
for(j=0; j<len; j++) printf("%c", packet->payload[i+4+j]);
printf("]\n");
@@ -352,7 +352,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
u_int32_t time_sec = flow->packet.current_time_ms / 1000;
#ifdef DEBUG_TLS
u_int j;
-
+
printf("[CERTIFICATE] notAfter [len: %u][", len);
for(j=0; j<len; j++) printf("%c", packet->payload[offset+j]);
printf("]\n");
@@ -375,7 +375,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
}
}
-
+
if((time_sec < flow->protos.stun_ssl.ssl.notBefore)
|| (time_sec > flow->protos.stun_ssl.ssl.notAfter))
NDPI_SET_BIT(flow->risk, NDPI_TLS_CERTIFICATE_EXPIRED); /* Certificate expired */
@@ -385,7 +385,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
} else if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x1d) && (packet->payload[i+2] == 0x11)) {
/* Organization OID: 2.5.29.17 (subjectAltName) */
u_int8_t matched_name = 0;
-
+
#ifdef DEBUG_TLS
printf("******* [TLS] Found subjectAltName\n");
#endif
@@ -428,7 +428,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
else if(strcmp(flow->protos.stun_ssl.ssl.client_requested_server_name, dNSName) == 0)
matched_name = 1;
}
-
+
if(flow->protos.stun_ssl.ssl.server_names == NULL)
flow->protos.stun_ssl.ssl.server_names = ndpi_strdup(dNSName),
flow->protos.stun_ssl.ssl.server_names_len = strlen(dNSName);
@@ -477,7 +477,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
if(flow->protos.stun_ssl.ssl.subjectDN && flow->protos.stun_ssl.ssl.issuerDN
&& (!strcmp(flow->protos.stun_ssl.ssl.subjectDN, flow->protos.stun_ssl.ssl.issuerDN)))
NDPI_SET_BIT(flow->risk, NDPI_TLS_SELFSIGNED_CERTIFICATE);
-
+
#if DEBUG_TLS
printf("[TLS] %s() SubjectDN [%s]\n", __FUNCTION__, rdnSeqBuf);
#endif
@@ -864,7 +864,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
flow->protos.stun_ssl.ssl.ssl_version = ja3.tls_handshake_version = tls_version;
if(flow->protos.stun_ssl.ssl.ssl_version < 0x0302) /* TLSv1.1 */
NDPI_SET_BIT(flow->risk, NDPI_TLS_OBSOLETE_VERSION);
-
+
if(handshake_type == 0x02 /* Server Hello */) {
int i, rc;
@@ -889,7 +889,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
ja3.num_cipher = 1, ja3.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset]));
if((flow->protos.stun_ssl.ssl.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.cipher[0])) == 1)
NDPI_SET_BIT(flow->risk, NDPI_TLS_WEAK_CIPHER);
-
+
flow->protos.stun_ssl.ssl.server_cipher = ja3.cipher[0];
#ifdef DEBUG_TLS
@@ -1108,6 +1108,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, buffer, strlen(buffer)))
flow->l4.tcp.tls.subprotocol_detected = 1;
+
+ ndpi_check_dga_name(ndpi_struct, flow, flow->protos.stun_ssl.ssl.client_requested_server_name);
} else {
#ifdef DEBUG_TLS
printf("[TLS] Extensions server len too short: %u vs %u\n",
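Review bot: The new DGA check passes `flow->protos.stun_ssl.ssl.client_requested_server_name` while the hostname match two lines earlier passes `buffer`; if both are meant to hold the same name, using `buffer` for both keeps the two checks in step and avoids depending on the copy into the flow field and on whatever truncation that copy applies — `ndpi_check_dga_name(ndpi_struct, flow, buffer);`. If the field is used on purpose because it is the canonical form, a one-line comment saying so would settle the question for the next reader. The enclosing if/else starts before the hunk.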
@@ -1261,8 +1263,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
flow->protos.stun_ssl.ssl.tls_supported_versions = ndpi_strdup(version_str);
}
} else if(extension_id == 65486 /* encrypted server name */) {
- /*
- - https://tools.ietf.org/html/draft-ietf-tls-esni-06
+ /*
+ - https://tools.ietf.org/html/draft-ietf-tls-esni-06
- https://blog.cloudflare.com/encrypted-sni/
*/
u_int16_t e_offset = offset+extension_offset;
@@ -1270,9 +1272,9 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
u_int16_t e_sni_len, cipher_suite = ntohs(*((u_int16_t*)&packet->payload[e_offset]));
flow->protos.stun_ssl.ssl.encrypted_sni.cipher_suite = cipher_suite;
-
+
e_offset += 2; /* Cipher suite len */
-
+
/* Key Share Entry */
e_offset += 2; /* Group */
e_offset += ntohs(*((u_int16_t*)&packet->payload[e_offset])) + 2; /* Lenght */
@@ -1280,11 +1282,11 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
if((e_offset+4) < packet->payload_packet_len) {
/* Record Digest */
e_offset += ntohs(*((u_int16_t*)&packet->payload[e_offset])) + 2; /* Lenght */
-
+
if((e_offset+4) < packet->payload_packet_len) {
e_sni_len = ntohs(*((u_int16_t*)&packet->payload[e_offset]));
e_offset += 2;
-
+
if((e_offset+e_sni_len-extension_len-initial_offset) >= 0) {
#ifdef DEBUG_ENCRYPTED_SNI
printf("Client SSL [Encrypted Server Name len: %u]\n", e_sni_len);
@@ -1292,13 +1294,13 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
if(flow->protos.stun_ssl.ssl.encrypted_sni.esni == NULL) {
flow->protos.stun_ssl.ssl.encrypted_sni.esni = (char*)ndpi_malloc(e_sni_len*2+1);
-
+
if(flow->protos.stun_ssl.ssl.encrypted_sni.esni) {
u_int16_t i, off;
-
+
for(i=e_offset, off=0; i<(e_offset+e_sni_len); i++) {
int rc = sprintf(&flow->protos.stun_ssl.ssl.encrypted_sni.esni[off], "%02X", packet->payload[i] & 0XFF);
-
+
if(rc <= 0) {
flow->protos.stun_ssl.ssl.encrypted_sni.esni[off] = '\0';
break;
diff --git a/src/lib/protocols/tor.c b/src/lib/protocols/tor.c
index 9dd14046e..7318685e7 100644
--- a/src/lib/protocols/tor.c
+++ b/src/lib/protocols/tor.c
@@ -48,45 +48,16 @@ int ndpi_is_tls_tor(struct ndpi_detection_module_struct *ndpi_struct,
if((dot = strrchr(dummy, '.')) == NULL) return(0);
name = &dot[1];
- len = strlen(name);
-
- if(len >= 5) {
- int i, prev_num = 0, numbers_found = 0, num_found = 0, num_impossible = 0;
-
- for(i = 0; name[i+1] != '\0'; i++) {
- // printf("***** [SSL] %s(): [%d][%c]", __FUNCTION__, i, name[i]);
-
- if((name[i] >= '0') && (name[i] <= '9')) {
- if(prev_num != 1) {
- numbers_found++;
-
- if(numbers_found == 2) {
- ndpi_int_tor_add_connection(ndpi_struct, flow);
- return(1);
- }
- prev_num = 1;
- }
- } else
- prev_num = 0;
-
- if(ndpi_match_bigram(ndpi_struct, &ndpi_struct->bigrams_automa, &name[i])) {
- num_found++;
- } else if(ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, &name[i])) {
- num_impossible++;
- }
- }
-
- if((num_found == 0) || (num_impossible > 1)) {
+ if(ndpi_check_dga_name(ndpi_struct, flow, name)) {
+ ndpi_int_tor_add_connection(ndpi_struct, flow);
+ return(1);
+ } else {
+#ifdef PEDANTIC_TOR_CHECK
+ if(gethostbyname(certificate) == NULL) {
ndpi_int_tor_add_connection(ndpi_struct, flow);
return(1);
- } else {
-#ifdef PEDANTIC_TOR_CHECK
- if(gethostbyname(certificate) == NULL) {
- ndpi_int_tor_add_connection(ndpi_struct, flow);
- return(1);
- }
-#endif
}
+#endif
}
return(0);
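Review bot: The old heuristic ran only when `len >= 5`, and that gate is gone: ndpi_check_dga_name() is now called on `name` whatever its length, so unless it enforces a minimum length internally (not visible here) very short labels can now be scored and flip the flow to Tor. Restoring the gate at the call site is one line: `if(strlen(name) >= 5 && ndpi_check_dga_name(ndpi_struct, flow, name)) {`. The removed `len = strlen(name)` was presumably the only writer of `len`; if `len` is still declared at the top of ndpi_is_tls_tor (outside the hunk) it is now an unused variable and should go. The retained PEDANTIC_TOR_CHECK branch calls gethostbyname() from the detection path, a blocking resolver lookup; that predates this change, but a comment noting it is build-time opt-in only would help.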