diff options
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/ndpi_main.c | 55 | ||||
| -rw-r--r-- | src/lib/ndpi_utils.c | 78 |
2 files changed, 73 insertions, 60 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 4b84ceefa..8db2dee80 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -70,6 +70,46 @@ static void (*_ndpi_free)(void *ptr); /* ****************************************** */ +static ndpi_risk_info ndpi_known_risks[] = { + { NDPI_NO_RISK, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE }, + { NDPI_URL_POSSIBLE_XSS, NDPI_RISK_SEVERE, CLIENT_HIGH_RISK_PERCENTAGE }, + { NDPI_URL_POSSIBLE_SQL_INJECTION, NDPI_RISK_SEVERE, CLIENT_HIGH_RISK_PERCENTAGE }, + { NDPI_URL_POSSIBLE_RCE_INJECTION, NDPI_RISK_SEVERE, CLIENT_HIGH_RISK_PERCENTAGE }, + { NDPI_BINARY_APPLICATION_TRANSFER, NDPI_RISK_SEVERE, CLIENT_FAIR_RISK_PERCENTAGE }, + { NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE }, + { NDPI_TLS_SELFSIGNED_CERTIFICATE, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE }, + { NDPI_TLS_OBSOLETE_VERSION, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE }, + { NDPI_TLS_WEAK_CIPHER, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE }, + { NDPI_TLS_CERTIFICATE_EXPIRED, NDPI_RISK_HIGH, CLIENT_FAIR_RISK_PERCENTAGE }, + { NDPI_TLS_CERTIFICATE_MISMATCH, NDPI_RISK_HIGH, CLIENT_FAIR_RISK_PERCENTAGE }, + { NDPI_HTTP_SUSPICIOUS_USER_AGENT, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE }, + { NDPI_HTTP_NUMERIC_IP_HOST, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE }, + { NDPI_HTTP_SUSPICIOUS_URL, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE }, + { NDPI_HTTP_SUSPICIOUS_HEADER, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE }, + { NDPI_TLS_NOT_CARRYING_HTTPS, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE }, + { NDPI_SUSPICIOUS_DGA_DOMAIN, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE }, + { NDPI_MALFORMED_PACKET, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE }, + { NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE }, + { NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER, NDPI_RISK_MEDIUM, CLIENT_LOW_RISK_PERCENTAGE }, + { NDPI_SMB_INSECURE_VERSION, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE }, + { NDPI_TLS_SUSPICIOUS_ESNI_USAGE, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE }, + { NDPI_UNSAFE_PROTOCOL, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE }, + { NDPI_DNS_SUSPICIOUS_TRAFFIC, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE }, + { NDPI_TLS_MISSING_SNI, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE }, + { NDPI_HTTP_SUSPICIOUS_CONTENT, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE }, + { NDPI_RISKY_ASN, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE }, + { NDPI_RISKY_DOMAIN, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE }, + { NDPI_MALICIOUS_JA3, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE }, + { NDPI_MALICIOUS_SHA1_CERTIFICATE, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE }, + { NDPI_DESKTOP_OR_FILE_SHARING_SESSION, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE }, + { NDPI_TLS_UNCOMMON_ALPN, NDPI_RISK_MEDIUM, CLIENT_HIGH_RISK_PERCENTAGE }, + + /* Leave this as last member */ + { NDPI_MAX_RISK, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE } +}; + +/* ****************************************** */ + /* Forward */ static void addDefaultPort(struct ndpi_detection_module_struct *ndpi_str, ndpi_port_range *range, ndpi_proto_defaults_t *def, u_int8_t customUserProto, ndpi_default_ports_tree_node_t **root, @@ -719,7 +759,7 @@ int ndpi_set_detection_preferences(struct ndpi_detection_module_struct *ndpi_str /* ******************************************************************** */ static void ndpi_validate_protocol_initialization(struct ndpi_detection_module_struct *ndpi_str) { - int i; + u_int i, val; for(i = 0; i < (int) ndpi_str->ndpi_num_supported_protocols; i++) { if(ndpi_str->proto_defaults[i].protoName == NULL) { @@ -734,6 +774,13 @@ static void ndpi_validate_protocol_initialization(struct ndpi_detection_module_s } } } + + /* Sanity check for risks initialization */ + val = (sizeof(ndpi_known_risks) / sizeof(ndpi_risk_info)) - 1; + if(val != NDPI_MAX_RISK) { + NDPI_LOG_ERR(ndpi_str, "[NDPI] INTERNAL ERROR Invalid ndpi_known_risks[] initialization [%u != %u]\n", val, NDPI_MAX_RISK); + exit(0); + } } /* ******************************************************************** */ @@ -6496,7 +6543,7 @@ void ndpi_dump_risks_score() { for(i = 1; i < NDPI_MAX_RISK; i++) { ndpi_risk_enum r = (ndpi_risk_enum)i; - ndpi_risk_severity s = ndpi_risk2severity(r); + ndpi_risk_severity s = ndpi_risk2severity(r)->severity; u_int16_t score = 0; switch(s) { @@ -7576,3 +7623,7 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, } /* ******************************************************************** */ + +ndpi_risk_info* ndpi_risk2severity(ndpi_risk_enum risk) { + return(&ndpi_known_risks[risk]); +} diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index 80d6c9b15..bf5817495 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -1730,57 +1730,6 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) { /* ******************************************************************** */ -ndpi_risk_severity ndpi_risk2severity(ndpi_risk_enum risk) { - switch(risk) { - case NDPI_NO_RISK: - case NDPI_MAX_RISK: - case NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT: - case NDPI_HTTP_NUMERIC_IP_HOST: - case NDPI_TLS_NOT_CARRYING_HTTPS: - case NDPI_MALFORMED_PACKET: - case NDPI_UNSAFE_PROTOCOL: - case NDPI_DESKTOP_OR_FILE_SHARING_SESSION: - return(NDPI_RISK_LOW); - - case NDPI_TLS_SELFSIGNED_CERTIFICATE: - case NDPI_TLS_OBSOLETE_VERSION: - case NDPI_TLS_WEAK_CIPHER: - case NDPI_HTTP_SUSPICIOUS_USER_AGENT: - case NDPI_HTTP_SUSPICIOUS_HEADER: - case NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER: - case NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER: - case NDPI_SMB_INSECURE_VERSION: - case NDPI_TLS_SUSPICIOUS_ESNI_USAGE: - case NDPI_MALICIOUS_JA3: - case NDPI_MALICIOUS_SHA1_CERTIFICATE: - case NDPI_TLS_UNCOMMON_ALPN: - case NDPI_DNS_SUSPICIOUS_TRAFFIC: - case NDPI_TLS_MISSING_SNI: - case NDPI_HTTP_SUSPICIOUS_CONTENT: - case NDPI_RISKY_ASN: - case NDPI_RISKY_DOMAIN: - return(NDPI_RISK_MEDIUM); - - case NDPI_TLS_CERTIFICATE_EXPIRED: - case NDPI_TLS_CERTIFICATE_MISMATCH: - case NDPI_HTTP_SUSPICIOUS_URL: - case NDPI_SUSPICIOUS_DGA_DOMAIN: - return(NDPI_RISK_HIGH); - - case NDPI_URL_POSSIBLE_XSS: - case NDPI_URL_POSSIBLE_SQL_INJECTION: - case NDPI_URL_POSSIBLE_RCE_INJECTION: - case NDPI_BINARY_APPLICATION_TRANSFER: - return(NDPI_RISK_SEVERE); - } - - /* We have added all possible ndpi_risk_enum values in the switch, - but the compiler complains anyway... Try to silence it */ - return(NDPI_RISK_LOW); -} - -/* ******************************************************************** */ - const char* ndpi_severity2str(ndpi_risk_severity s) { switch(s) { case NDPI_RISK_LOW: @@ -1805,33 +1754,45 @@ const char* ndpi_severity2str(ndpi_risk_severity s) { /* ******************************************************************** */ -u_int16_t ndpi_risk2score(ndpi_risk risk) { +u_int16_t ndpi_risk2score(ndpi_risk risk, + u_int16_t *client_score, + u_int16_t *server_score) { u_int16_t score = 0; u_int32_t i; + *client_score = *server_score = 0; /* Reset values */ + if(risk == 0) return(0); for(i = 0; i < NDPI_MAX_RISK; i++) { ndpi_risk_enum r = (ndpi_risk_enum)i; if(NDPI_ISSET_BIT(risk, r)) { - switch(ndpi_risk2severity(r)) { + ndpi_risk_info *info = ndpi_risk2severity(r); + u_int16_t val, client_score_val; + + switch(info->severity) { case NDPI_RISK_LOW: - score += NDPI_SCORE_RISK_LOW; + val = NDPI_SCORE_RISK_LOW; break; case NDPI_RISK_MEDIUM: - score += NDPI_SCORE_RISK_MEDIUM; + val = NDPI_SCORE_RISK_MEDIUM; break; case NDPI_RISK_HIGH: - score += NDPI_SCORE_RISK_HIGH; + val = NDPI_SCORE_RISK_HIGH; break; case NDPI_RISK_SEVERE: - score += NDPI_SCORE_RISK_SEVERE; + val = NDPI_SCORE_RISK_SEVERE; break; } + + score += val; + client_score_val = (val * info->default_client_risk_pctg) / 100; + + *client_score += client_score_val, *server_score += (val - client_score_val); } } @@ -2024,5 +1985,6 @@ void ndpi_set_risk(struct ndpi_flow_struct *flow, ndpi_risk_enum r) { // NDPI_SET_BIT(flow->risk, (u_int32_t)r); flow->risk |= v; - } + + |