Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/ndpi_main.c | 9 | ||||
-rw-r--r-- | src/lib/protocols/rdp.c | 1 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 6 | ||||
-rw-r--r-- | src/lib/protocols/vnc.c | 23 |
4 files changed, 24 insertions, 15 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index baf076a75..3ae724391 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -4180,7 +4180,7 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str flow->packet.l4_packet_len = l4len; flow->l4_proto = l4protocol; - /* tcp / udp detection */ + /* TCP / UDP detection */ if(l4protocol == IPPROTO_TCP && flow->packet.l4_packet_len >= 20 /* min size of tcp */) { /* tcp */ flow->packet.tcp = (struct ndpi_tcphdr *) l4ptr; @@ -5035,6 +5035,8 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str, } #endif + // printf("====>> %u.%u [%u]\n", ret->master_protocol, ret->app_protocol, flow->detected_protocol_stack[0]); + switch(ret->app_protocol) { /* Skype for a host doing MS Teams means MS Teams @@ -5077,6 +5079,11 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str, } } break; + + case NDPI_PROTOCOL_ANYDESK: + if(flow->packet.tcp) /* TCP only */ + ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance */ + break; } /* switch */ if(flow) { diff --git a/src/lib/protocols/rdp.c b/src/lib/protocols/rdp.c index e117b3d2f..4776ab9c1 100644 --- a/src/lib/protocols/rdp.c +++ b/src/lib/protocols/rdp.c @@ -49,6 +49,7 @@ void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct, struct nd && get_u_int16_t(packet->payload, 6) == 0 && get_u_int16_t(packet->payload, 8) == 0 && get_u_int8_t(packet->payload, 10) == 0) { NDPI_LOG_INFO(ndpi_struct, "found RDP\n"); ndpi_int_rdp_add_connection(ndpi_struct, flow); + ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance */ return; } diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index ffb3740c8..3a09f444b 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c 
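Review bot: The line added before `switch(ret->app_protocol)` is a commented-out debug `printf`, which leaves dead code in the detection path. Either drop it or, if the trace is worth keeping, route it through the library's logging macro instead, for example `NDPI_LOG_DBG2(ndpi_str, "%u.%u [%u]\n", ...)`, so it can be switched on without editing the source. The enclosing function starts and ends outside the hunk.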
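Review bot: The new `case NDPI_PROTOCOL_ANYDESK:` dereferences `flow->packet.tcp` inside the switch, while the `if(flow) {` right after the switch suggests `flow` may be NULL at this point. If that guard is really needed, the case should carry it as well: `if(flow && flow->packet.tcp)`. If `flow` is always valid here, the later test is misleading and deserves a comment. The function body starts and ends outside the hunk, so an earlier NULL check may exist that is not visible here.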
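Review bot: In rdp.c the risk is raised inside the dissector, so only flows that reach this exact payload match get flagged; vnc.c does the same, whereas AnyDesk is handled centrally in the `switch(ret->app_protocol)` in ndpi_main.c. If a flow can be labelled RDP or VNC by any other path (not visible in this diff), it would carry no `NDPI_DESKTOP_OR_FILE_SHARING_SESSION` risk. Consider `case NDPI_PROTOCOL_RDP:` and `case NDPI_PROTOCOL_VNC:` next to the AnyDesk case so the rule lives in one place. Otherwise a comment here should say why the dissector is the right spot.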
@@ -555,9 +555,13 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi int rc = ndpi_match_string_value(ndpi_struct->tls_cert_subject_automa.ac_automa, rdnSeqBuf, strlen(rdnSeqBuf),&proto_id); - if(rc == 0) + if(rc == 0) { flow->detected_protocol_stack[0] = proto_id, flow->detected_protocol_stack[1] = NDPI_PROTOCOL_TLS; + + if(proto_id == NDPI_PROTOCOL_ANYDESK) + ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance */ + } } } diff --git a/src/lib/protocols/vnc.c b/src/lib/protocols/vnc.c index 32fe4d4dd..a97debbf4 100644 --- a/src/lib/protocols/vnc.c +++ b/src/lib/protocols/vnc.c 
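Review bot: The AnyDesk risk is now raised in two places with different conditions: here on a certificate-subject match with no transport check, and in the `case NDPI_PROTOCOL_ANYDESK` added to ndpi_main.c, which is limited to `flow->packet.tcp`. Because this branch writes `proto_id` into `detected_protocol_stack[0]`, the central case presumably fires for the same flow, so one of the two calls looks redundant; keep a single site or document why both are needed. The match is also made on the certificate subject, which the remote peer supplies, so the flag is a heuristic; a comment such as `/* subject is peer-supplied: a hint, not proof of an AnyDesk session */` would tell consumers of the risk how far to trust it. processCertificateElements continues outside the hunk.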
@@ -33,28 +33,25 @@ void ndpi_search_vnc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc NDPI_LOG_DBG(ndpi_struct, "search vnc\n"); /* search over TCP */ if(packet->tcp) { - + if(flow->l4.tcp.vnc_stage == 0) { - if((packet->payload_packet_len == 12) && - ((memcmp(packet->payload, "RFB 003.003", 11) == 0 && packet->payload[11] == 0x0a) || - (memcmp(packet->payload, "RFB 003.007", 11) == 0 && packet->payload[11] == 0x0a) || - (memcmp(packet->payload, "RFB 003.008", 11) == 0 && packet->payload[11] == 0x0a) || - (memcmp(packet->payload, "RFB 004.001", 11) == 0 && packet->payload[11] == 0x0a))) { + (((memcmp(packet->payload, "RFB 003.", 7) == 0) && (packet->payload[11] == 0x0a)) + || + ((memcmp(packet->payload, "RFB 004.", 7) == 0) && (packet->payload[11] == 0x0a)))) { NDPI_LOG_DBG2(ndpi_struct, "reached vnc stage one\n"); flow->l4.tcp.vnc_stage = 1 + packet->packet_direction; return; } } else if(flow->l4.tcp.vnc_stage == 2 - packet->packet_direction) { - + if((packet->payload_packet_len == 12) && - ((memcmp(packet->payload, "RFB 003.003", 11) == 0 && packet->payload[11] == 0x0a) || - (memcmp(packet->payload, "RFB 003.007", 11) == 0 && packet->payload[11] == 0x0a) || - (memcmp(packet->payload, "RFB 003.008", 11) == 0 && packet->payload[11] == 0x0a) || - (memcmp(packet->payload, "RFB 004.001", 11) == 0 && packet->payload[11] == 0x0a))) { - + (((memcmp(packet->payload, "RFB 003.", 7) == 0) && (packet->payload[11] == 0x0a)) + || + ((memcmp(packet->payload, "RFB 004.", 7) == 0) && (packet->payload[11] == 0x0a)))) { NDPI_LOG_INFO(ndpi_struct, "found vnc\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VNC, NDPI_PROTOCOL_UNKNOWN); + ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance */ return; } } 
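Review bot: Both new conditions call `memcmp(packet->payload, "RFB 003.", 7)` and `memcmp(packet->payload, "RFB 004.", 7)`, but the literals are eight characters long, so the `.` is never compared and payload bytes 7 to 10 are accepted without any check. Any 12-byte payload that starts with `RFB 003` or `RFB 004` and ends in 0x0a is now classified as VNC and raises the risk, which is looser than the version list it replaces. Use length 8, `memcmp(packet->payload, "RFB 003.", 8) == 0`, and consider requiring digits in bytes 8 to 10. The identical condition appears in both stages, so a small static helper would keep the two copies from drifting apart.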
@@ -71,6 +68,6 @@ void init_vnc_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3 NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, SAVE_DETECTION_BITMASK_AS_UNKNOWN, ADD_TO_DETECTION_BITMASK); - + *id += 1; } |