Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/ndpi_main.c | 9 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 10 | ||||
-rw-r--r-- | src/lib/protocols/dns.c | 30 |
3 files changed, 44 insertions, 5 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 4f96120e0..854c5375a 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -104,6 +104,8 @@ static ndpi_risk_info ndpi_known_risks[] = {
 { NDPI_TLS_FATAL_ALERT, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE },
 { NDPI_SUSPICIOUS_ENTROPY, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
 { NDPI_CLEAR_TEXT_CREDENTIALS, NDPI_RISK_HIGH, CLIENT_HIGH_RISK_PERCENTAGE },
+ { NDPI_DNS_LARGE_PACKET, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
+ { NDPI_DNS_FRAGMENTED, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE },
 /* Leave this as last member */
 { NDPI_MAX_RISK, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE }
@@ -7495,8 +7497,9 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str,
 int rc = ndpi_dga_function(name, is_hostname);
 if(rc) {
- if(flow)
+ if(flow) {
 ndpi_set_risk(ndpi_str, flow, NDPI_SUSPICIOUS_DGA_DOMAIN);
+ }
 }
 return(rc);
@@ -7632,7 +7635,9 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str,
 */
 || ((max_domain_element_len >= 19 /* word too long. Example bbcbedxhgjmdobdprmen.com */) && ((num_char_repetitions > 1) || (num_digits > 1)))
 ) {
- if(flow) ndpi_set_risk(ndpi_str, flow, NDPI_SUSPICIOUS_DGA_DOMAIN);
+ if(flow) {
+ ndpi_set_risk(ndpi_str, flow, NDPI_SUSPICIOUS_DGA_DOMAIN);
+ }
 if(ndpi_verbose_dga_detection) printf("[DGA] Found!");
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index ed5ffd228..9c77e6d92 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1782,10 +1782,16 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
 case NDPI_SUSPICIOUS_ENTROPY:
 return("Suspicious entropy");
-
+
 case NDPI_CLEAR_TEXT_CREDENTIALS:
 return("Clear-text credentials");
-
+
+ case NDPI_DNS_LARGE_PACKET:
+ return("DNS packet larger than 512 bytes");
+
+ case NDPI_DNS_FRAGMENTED:
+ return("Fragmented DNS message");
+
 default:
 snprintf(buf, sizeof(buf), "%d", (int)risk);
 return(buf);
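Review bot: The new `NDPI_DNS_LARGE_PACKET` string in ndpi_risk2str, `return("DNS packet larger than 512 bytes");`, hard-codes the same 512 that dns.c introduces as `PKT_LEN_ALERT`, so the message and the check will drift apart silently the first time the threshold is tuned (the `// TODO` about RFC 6891 in dns.c suggests that is expected). Keep the text threshold-free, `return("DNS packet larger than expected");`, or move `PKT_LEN_ALERT` into a shared header and derive the string from it. The ndpi_main.c hunks in this file are a risk-table entry and brace-only edits and raise nothing.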
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 5e1f100cc..0d3ac276d 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -35,6 +35,8 @@
 #define LLMNR_PORT 5355
 #define MDNS_PORT 5353
+#define PKT_LEN_ALERT 512
+
 static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
@@ -333,6 +335,8 @@ static int search_dns_again(struct ndpi_detection_module_struct *ndpi_struct, st
 /* *********************************************** */
 static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
+
+ int payload_offset;
 u_int8_t is_query;
 u_int16_t s_port = 0, d_port = 0;
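Review bot: `int payload_offset;` added at the top of ndpi_search_dns is not referenced by any other hunk of this commit, and the diffstat (30 lines in dns.c) is fully accounted for by the hunks shown, so at this revision it is a dead declaration that will trigger an unused-variable warning under -Wall; the rest of ndpi_search_dns lies outside the hunk, so this is inferred rather than seen. Drop the line, or add it in the same commit as the code that uses it. `#define PKT_LEN_ALERT 512` in the first hunk would also read better with its origin stated, `/* RFC 1035 4.2.1: maximum DNS message size over UDP without EDNS0 */`.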
@@ -513,8 +517,31 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st
 if(flow->packet_counter > 3)
 NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+
+ if((flow->packet.detected_protocol_stack[0] == NDPI_PROTOCOL_DNS)
+ || (flow->packet.detected_protocol_stack[1] == NDPI_PROTOCOL_DNS)) {
+
+ if(flow->packet.udp != NULL && flow->packet.payload_packet_len > PKT_LEN_ALERT)
+ ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_LARGE_PACKET);
+
+ const struct ndpi_iphdr *iph = flow->packet.iph;
+ const u_int8_t *l3 = (const u_int8_t *) flow->packet.iph;
+ const struct ndpi_ipv6hdr *iph_v6 = NULL;
+ const u_int16_t ipsize = flow->packet.l3_packet_len;
+
+ // TODO: add support to RFC6891 to avoid some false positive
+ if(iph != NULL && iph->version == 6 && ipsize >= sizeof(struct ndpi_ipv6hdr)) {
+ iph_v6 = (const struct ndpi_ipv6hdr *) l3;
+ iph = NULL;
+ }
+
+ if((iph != NULL && (ipsize < iph->ihl * 4 || ipsize < ntohs(iph->tot_len) || ntohs(iph->tot_len) < iph->ihl * 4
+ || ((iph->frag_off & htons(0x1FFF)) != 0) || ((iph->frag_off & htons(0x3FFF)) != 0)))
+ || (iph_v6 != NULL && iph_v6->ip6_hdr.ip6_un1_nxt == 44))
+ ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_FRAGMENTED);
+
+ }
 }
-
 void init_dns_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) {
 ndpi_set_bitmask_protocol_detection("DNS", ndpi_struct, detection_bitmask, *id,
@@ -525,4 +552,5 @@ void init_dns_dissector(struct ndpi_detection_module_struct *ndpi_struct,
 ADD_TO_DETECTION_BITMASK);
 *id += 1;
+
 }
|
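Review bot: In the new NDPI_DNS_FRAGMENTED condition the term `((iph->frag_off & htons(0x1FFF)) != 0)` is redundant, since the next term `((iph->frag_off & htons(0x3FFF)) != 0)` already fires on a non-zero fragment offset as well as on the MF bit; keep only the wider test, `|| ((iph->frag_off & htons(0x3FFF)) != 0) /* MF set or fragment offset != 0 */`. The same `if` also raises "Fragmented DNS message" when `ipsize` disagrees with `ihl`/`tot_len`, which is a malformed or truncated IPv4 header rather than fragmentation, so either a comment stating that this is intentional belongs on the `if`, or those three length tests deserve their own check. On the IPv6 side `ip6_un1_nxt == 44` matches only when the Fragment header is the first extension header (a preceding Hop-by-Hop or Destination Options header is not walked), and the bare `44` should be named, `IPPROTO_FRAGMENT` where the platform provides it or a local define with a comment. Unlike the v6 branch, the v4 branch reads `ihl`, `tot_len` and `frag_off` without first confirming `ipsize >= sizeof(struct ndpi_iphdr)`; whether the caller guarantees that is not visible here. ndpi_search_dns begins outside the hunk; the init_dns_dissector hunk is a blank-line change and raises nothing.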