diff options
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/ndpi_content_match.c.inc | 4 | ||||
| -rw-r--r-- | src/lib/protocols/dhcp.c | 7 | ||||
| -rw-r--r-- | src/lib/protocols/sip.c | 2 | ||||
| -rw-r--r-- | src/lib/protocols/ssl.c | 2 | ||||
| -rw-r--r-- | src/lib/protocols/tor.c | 28 |
5 files changed, 30 insertions, 13 deletions
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index ba14f50f1..1ee97381e 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc @@ -8031,6 +8031,7 @@ ndpi_protocol_match host_match[] = { { ".cloudfront.net", "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { ".apple.com", "Apple", NDPI_PROTOCOL_APPLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE }, + { ".apple-dns.net", "Apple", NDPI_PROTOCOL_APPLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE }, { ".mzstatic.com", "Apple", NDPI_PROTOCOL_APPLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE }, { ".aaplimg.com", "Apple", NDPI_PROTOCOL_APPLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE }, { ".icloud.com", "AppleiCloud", NDPI_PROTOCOL_APPLE_ICLOUD, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, @@ -8048,6 +8049,7 @@ ndpi_protocol_match host_match[] = { { ".cnn.net", "CNN", NDPI_PROTOCOL_CNN, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE }, { ".dropbox.com", "DropBox", NDPI_PROTOCOL_DROPBOX, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE }, + { ".dropbox-dns.com", "DropBox", NDPI_PROTOCOL_DROPBOX, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE }, { "log.getdropbox.com", "DropBox", NDPI_PROTOCOL_DROPBOX, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE }, { ".ebay.", "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE }, /* or FUN */ @@ -8432,7 +8434,7 @@ static const char *ndpi_en_bigrams[] = { "lz", "nz", "oz", "pz", "rz", "tz", "uz", "zz", NULL }; static const char *ndpi_en_impossible_bigrams[] = { - "bk", "bq", "bx", "cb", "cf", "cg", "cj", "cp", "cv", "cw", "cx", "dx", "fk", "fq", "fv", "fx", "ee", + "bk", "bq", "bx", "cb", "cf", "cg", "cj", "cp", "cv", "cw", "cx", "dx", "fk", "fq", "fv", "fx", /* "ee", removed it can be found in 'meeting' */ "fz", "gq", "gv", "gx", "hh", "hk", "hv", "hx", "hz", "iy", "jb", "jc", "jd", "jf", "jg", "jh", "jk", "jl", "jm", "jn", "jp", "jq", "jr", /* "js", */ "jt", "jv", "jw", "jx", "jy", "jz", "kg", "kq", "kv", "kx", "kz", "lq", "lx", "mg", "mj", "mq", "mx", "mz", "pq", "pv", "px", "qb", "qc", "qd", "qe", "qf", "ii", diff --git a/src/lib/protocols/dhcp.c b/src/lib/protocols/dhcp.c index cdf33947e..c46cc1c91 100644 --- a/src/lib/protocols/dhcp.c +++ b/src/lib/protocols/dhcp.c @@ -104,6 +104,13 @@ void ndpi_search_dhcp_udp(struct ndpi_detection_module_struct *ndpi_struct, stru "%02X", dhcp->options[i+2+idx] & 0xFF); offset += 2; } + } else if(id == 60 /* Class Identifier */) { + char *name = (char*)&dhcp->options[i+2]; + int j = 0; + + j = ndpi_min(len, sizeof(flow->protos.dhcp.class_ident)-1); + strncpy((char*)flow->protos.dhcp.class_ident, name, j); + flow->protos.dhcp.class_ident[j] = '\0'; } else if(id == 12 /* Host Name */) { char *name = (char*)&dhcp->options[i+2]; int j = 0; diff --git a/src/lib/protocols/sip.c b/src/lib/protocols/sip.c index 94386d61e..67459f562 100644 --- a/src/lib/protocols/sip.c +++ b/src/lib/protocols/sip.c @@ -121,7 +121,7 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct } if ((memcmp(packet_payload, "CANCEL ", 7) == 0 || memcmp(packet_payload, "cancel ", 7) == 0) - && (memcmp(&packet_payload[4], "SIP:", 4) == 0 || memcmp(&packet_payload[4], "sip:", 4) == 0)) { + && (memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0)) { NDPI_LOG(NDPI_PROTOCOL_SIP, ndpi_struct, NDPI_LOG_DEBUG, "found sip CANCEL.\n"); ndpi_int_sip_add_connection(ndpi_struct, flow, 0); return; diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/ssl.c index 5afca5389..231bde1eb 100644 --- a/src/lib/protocols/ssl.c +++ b/src/lib/protocols/ssl.c @@ -641,7 +641,7 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc return; } else if((packet->payload_packet_len == 4) && (packet->payload[0] == 'W') - && (packet->payload[1] == 'A')){ + && (packet->payload[1] == 'A')) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN); return; } else { diff --git a/src/lib/protocols/tor.c b/src/lib/protocols/tor.c index f6987ef19..95233e471 100644 --- a/src/lib/protocols/tor.c +++ b/src/lib/protocols/tor.c @@ -16,14 +16,23 @@ static void ndpi_int_tor_add_connection(struct ndpi_detection_module_struct int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, char *certificate) { - + struct ndpi_flow_struct *flow, char *certificate) { int prev_num = 0, numbers_found = 0, num_found = 0, i, len; char dummy[48], *dot, *name; - if((certificate == NULL) - || (strlen(certificate) < 6) - || (strncmp(certificate, "www.", 4))) + if(certificate == NULL) + return(0); + else + len = strlen(certificate); + + /* Check if it ends in .com or .net */ + if(strcmp(&certificate[len-4], ".com") && strcmp(&certificate[len-4], ".net")) + return(0); + + if((len < 6) + || (!strncmp(certificate, "*.", 2)) /* Wildcard certificate */ + || (strncmp(certificate, "www.", 4)) /* Not starting with www.... */ + ) return(0); // printf("***** [SSL] %s(): %s\n", __FUNCTION__, certificate); @@ -55,13 +64,12 @@ int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct, } else prev_num = 0; - if(ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, &name[i])) { - ndpi_int_tor_add_connection(ndpi_struct, flow); - return(1); - } - + if(ndpi_match_bigram(ndpi_struct, &ndpi_struct->bigrams_automa, &name[i])) { num_found++; + } else if(ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, &name[i])) { + ndpi_int_tor_add_connection(ndpi_struct, flow); + return(1); } } |