Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/ndpi_main.c100
-rw-r--r--src/lib/ndpi_utils.c4
2 files changed, 62 insertions, 42 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 87d43f3f2..4964a0e1d 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -191,10 +191,12 @@ static ndpi_risk_info ndpi_known_risks[] = {
{ NDPI_TCP_ISSUES, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
{ NDPI_FULLY_ENCRYPTED, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
{ NDPI_TLS_ALPN_SNI_MISMATCH, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
+ { NDPI_MALWARE_HOST_CONTACTED, NDPI_RISK_SEVERE, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
/* Leave this as last member */
{ NDPI_MAX_RISK, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_NO_ACCOUNTABILITY }
};
+
#if !defined(NDPI_CFFI_PREPROCESSING) && defined(__linux__)
#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L
_Static_assert(sizeof(ndpi_known_risks) / sizeof(ndpi_risk_info) == NDPI_MAX_RISK + 1,
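Review bot: The new `NDPI_MALWARE_HOST_CONTACTED` row is inserted right before the `NDPI_MAX_RISK` sentinel, but the matching enum change lives in a header outside this diff (the diffstat is limited to src/lib), and the `_Static_assert` below only verifies the element count, not that the row's position matches the enum value. If `ndpi_known_risks` is indexed by the risk value, as the count check suggests, the header must add the enumerator immediately before `NDPI_MAX_RISK`; a comment on the new row such as `/* keep in sync with the enum order in ndpi_typedefs.h */` would make that coupling explicit. The `_Static_assert` statement continues past the end of the hunk.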
@@ -6836,7 +6838,8 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
/* ********************************************************************************* */
-void ndpi_process_extra_packet(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow,
+void ndpi_process_extra_packet(struct ndpi_detection_module_struct *ndpi_str,
+ struct ndpi_flow_struct *flow,
const unsigned char *packet_data, const unsigned short packetlen,
const u_int64_t current_time_ms,
const struct ndpi_flow_input_info *input_info) {
@@ -7018,9 +7021,11 @@ void* ndpi_find_ipv4_category_userdata(struct ndpi_detection_module_struct *ndpi
/* NOTE u_int32_t is represented in network byte order */
int ndpi_fill_ip_protocol_category(struct ndpi_detection_module_struct *ndpi_str,
+ struct ndpi_flow_struct *flow,
u_int32_t saddr, u_int32_t daddr,
ndpi_protocol *ret) {
-
+ bool match_client = true;
+
ret->custom_category_userdata = NULL;
if(ndpi_str->custom_categories.categories_loaded &&
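Review bot: `ndpi_fill_ip_protocol_category()` is not `static`, so adding the `flow` parameter changes an exported signature, and neither the prototype in the public header nor any caller outside src/lib appears in this diff; they need to change in the same commit or the build breaks. Since `flow` is only needed to raise the new risk, documenting it as optional and tolerating NULL would keep pure category lookups usable, e.g. `/* flow may be NULL: it is only used to raise NDPI_MALWARE_HOST_CONTACTED */` above the signature. The function body continues past the end of the hunk.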
@@ -7038,17 +7043,25 @@ int ndpi_fill_ip_protocol_category(struct ndpi_detection_module_struct *ndpi_str
node = ndpi_patricia_search_best(ndpi_str->custom_categories.ipAddresses, &prefix);
}
- if(!node) {
+ if(node == NULL) {
if(daddr != 0) {
ndpi_fill_prefix_v4(&prefix, (struct in_addr *) &daddr, 32,
((ndpi_patricia_tree_t *) ndpi_str->custom_categories.ipAddresses)->maxbits);
node = ndpi_patricia_search_best(ndpi_str->custom_categories.ipAddresses, &prefix);
+ match_client = false;
}
+ } else {
+ match_client = true;
}
if(node) {
ret->category = (ndpi_protocol_category_t) node->value.u.uv32.user_value;
ret->custom_category_userdata = node->custom_user_data;
+
+ if((ret->category == CUSTOM_CATEGORY_MALWARE) && (match_client == false)) {
+ ndpi_set_risk(ndpi_str, flow, NDPI_MALWARE_HOST_CONTACTED, "Client contacted malware host");
+ }
+
return(1);
}
}
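Review bot: The risk is only raised when the server lookup ran (`match_client == false`), but that lookup is skipped whenever the client address `saddr` matched any custom category, so a client that belongs to its own custom category (any non-malware one) and talks to a malware-listed server never gets `NDPI_MALWARE_HOST_CONTACTED`. Doing the server lookup separately from whichever node fills `ret->category` closes that gap; `flow` is also passed straight to `ndpi_set_risk()` with no NULL check, which is only safe if that helper tolerates NULL (not visible here). The `else { match_client = true; }` branch merely restates the initializer and can be dropped. Whether a malware-categorized client address should itself raise a risk is a policy question this diff leaves open. The function starts before the hunk.
```c
  if(node) {
    ret->category = (ndpi_protocol_category_t) node->value.u.uv32.user_value;
    ret->custom_category_userdata = node->custom_user_data;

    if(match_client && (daddr != 0)) {
      /* The client matched first: look the server up separately so a
         malware-listed server is still reported */
      ndpi_fill_prefix_v4(&prefix, (struct in_addr *) &daddr, 32,
                          ((ndpi_patricia_tree_t *) ndpi_str->custom_categories.ipAddresses)->maxbits);
      node = ndpi_patricia_search_best(ndpi_str->custom_categories.ipAddresses, &prefix);
    } else if(match_client) {
      node = NULL; /* no server address to check */
    }

    /* From here on, node (if any) is the server-side match */
    if((flow != NULL) && (node != NULL)
       && (node->value.u.uv32.user_value == CUSTOM_CATEGORY_MALWARE)) {
      ndpi_set_risk(ndpi_str, flow, NDPI_MALWARE_HOST_CONTACTED, "Client contacted malware host");
    }

    return(1);
  }
```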
@@ -7160,7 +7173,7 @@ static int ndpi_do_guess(struct ndpi_detection_module_struct *ndpi_str, struct n
if(ndpi_str->custom_categories.categories_loaded && packet->iph) {
if(ndpi_str->ndpi_num_custom_protocols != 0)
- ndpi_fill_ip_protocol_category(ndpi_str, flow->c_address.v4, flow->s_address.v4, ret);
+ ndpi_fill_ip_protocol_category(ndpi_str, flow, flow->c_address.v4, flow->s_address.v4, ret);
flow->guessed_header_category = ret->category;
} else
flow->guessed_header_category = NDPI_PROTOCOL_CATEGORY_UNSPECIFIED;
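Review bot: The updated call is still gated by `if(ndpi_str->ndpi_num_custom_protocols != 0)`, so the new malware-host risk is only ever evaluated when at least one custom protocol is defined, even though it depends on `custom_categories` rather than on custom protocols. If a deployment can load a malware IP category list without defining custom protocols (not determinable from this hunk), the risk silently never fires there; the guard probably wants to be `categories_loaded` alone, `if(ndpi_str->custom_categories.categories_loaded && packet->iph)`, with the inner protocol-count check removed or justified in a comment. `ndpi_do_guess()` starts before and continues past the hunk.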
@@ -7204,8 +7217,10 @@ static int ndpi_do_guess(struct ndpi_detection_module_struct *ndpi_str, struct n
/* ********************************************************************************* */
static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detection_module_struct *ndpi_str,
- struct ndpi_flow_struct *flow, const unsigned char *packet_data,
- const unsigned short packetlen, const u_int64_t current_time_ms,
+ struct ndpi_flow_struct *flow,
+ const unsigned char *packet_data,
+ const unsigned short packetlen,
+ const u_int64_t current_time_ms,
const struct ndpi_flow_input_info *input_info) {
struct ndpi_packet_struct *packet;
NDPI_SELECTION_BITMASK_PROTOCOL_SIZE ndpi_selection_packet;
@@ -7262,47 +7277,50 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio
if(ndpi_init_packet(ndpi_str, flow, current_time_ms, packet_data, packetlen, input_info) != 0)
return(ret);
+ if(flow->num_processed_pkts == 1) {
+ /* first packet of this flow to be analyzed */
+
#ifdef HAVE_NBPF
- if((flow->num_processed_pkts == 1) /* first packet of this flow to be analyzed */
- && (ndpi_str->nbpf_custom_proto[0].tree != NULL)) {
- u_int8_t i;
- nbpf_pkt_info_t t;
-
- memset(&t, 0, sizeof(t));
-
- if(packet->iphv6 != NULL) {
- t.tuple.eth_type = 0x86DD;
- t.tuple.ip_version = 6;
- memcpy(&t.tuple.ip_src.v6, &packet->iphv6->ip6_src, 16);
- memcpy(&t.tuple.ip_dst.v6, &packet->iphv6->ip6_dst, 16);
- } else {
- t.tuple.eth_type = 0x0800;
- t.tuple.ip_version = 4;
- t.tuple.ip_src.v4 = packet->iph->saddr;
- t.tuple.ip_dst.v4 = packet->iph->daddr;
- }
+ if(ndpi_str->nbpf_custom_proto[0].tree != NULL) {
+ u_int8_t i;
+ nbpf_pkt_info_t t;
+
+ memset(&t, 0, sizeof(t));
- t.tuple.l3_proto = flow->l4_proto;
+ if(packet->iphv6 != NULL) {
+ t.tuple.eth_type = 0x86DD;
+ t.tuple.ip_version = 6;
+ memcpy(&t.tuple.ip_src.v6, &packet->iphv6->ip6_src, 16);
+ memcpy(&t.tuple.ip_dst.v6, &packet->iphv6->ip6_dst, 16);
+ } else {
+ t.tuple.eth_type = 0x0800;
+ t.tuple.ip_version = 4;
+ t.tuple.ip_src.v4 = packet->iph->saddr;
+ t.tuple.ip_dst.v4 = packet->iph->daddr;
+ }
+
+ t.tuple.l3_proto = flow->l4_proto;
- if(packet->tcp)
- t.tuple.l4_src_port = packet->tcp->source, t.tuple.l4_dst_port = packet->tcp->dest;
- else if(packet->udp)
- t.tuple.l4_src_port = packet->udp->source, t.tuple.l4_dst_port = packet->udp->dest;
+ if(packet->tcp)
+ t.tuple.l4_src_port = packet->tcp->source, t.tuple.l4_dst_port = packet->tcp->dest;
+ else if(packet->udp)
+ t.tuple.l4_src_port = packet->udp->source, t.tuple.l4_dst_port = packet->udp->dest;
- for(i=0; (i<MAX_NBPF_CUSTOM_PROTO) && (ndpi_str->nbpf_custom_proto[i].tree != NULL); i++) {
- if(nbpf_match(ndpi_str->nbpf_custom_proto[i].tree, &t)) {
- /* match found */
- ret.master_protocol = ret.app_protocol = ndpi_str->nbpf_custom_proto[i].l7_protocol;
- ndpi_fill_protocol_category(ndpi_str, flow, &ret);
- ndpi_reconcile_protocols(ndpi_str, flow, &ret);
- flow->confidence = NDPI_CONFIDENCE_NBPF;
+ for(i=0; (i<MAX_NBPF_CUSTOM_PROTO) && (ndpi_str->nbpf_custom_proto[i].tree != NULL); i++) {
+ if(nbpf_match(ndpi_str->nbpf_custom_proto[i].tree, &t)) {
+ /* match found */
+ ret.master_protocol = ret.app_protocol = ndpi_str->nbpf_custom_proto[i].l7_protocol;
+ ndpi_fill_protocol_category(ndpi_str, flow, &ret);
+ ndpi_reconcile_protocols(ndpi_str, flow, &ret);
+ flow->confidence = NDPI_CONFIDENCE_NBPF;
- return(ret);
+ return(ret);
+ }
}
}
- }
#endif
-
+ }
+
ndpi_connection_tracking(ndpi_str, flow);
/* build ndpi_selection packet bitmask */
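Review bot: When `HAVE_NBPF` is not defined, the new `if(flow->num_processed_pkts == 1) { ... }` wrapper compiles to an empty block, which reads as if a first-packet hook was forgotten rather than as a deliberate placeholder. Either keep the `#ifdef HAVE_NBPF` outside the `if` as before, or state the intent inline, e.g. `/* first-packet hooks go here; currently only nBPF custom protocols */`, so the next reader does not look for missing code. Nothing in the nBPF matching itself changed beyond re-indentation; `ndpi_internal_detection_process_packet()` starts before and continues past the hunk.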
@@ -7350,7 +7368,7 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio
ndpi_fill_protocol_category(ndpi_str, flow, &ret);
else
ret.category = flow->category;
-
+
if((!flow->risk_checked)
&& ((ret.master_protocol != NDPI_PROTOCOL_UNKNOWN) || (ret.app_protocol != NDPI_PROTOCOL_UNKNOWN))
) {
@@ -7505,8 +7523,6 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
struct ndpi_flow_struct *flow, const unsigned char *packet_data,
const unsigned short packetlen, const u_int64_t current_time_ms,
const struct ndpi_flow_input_info *input_info) {
-
-
ndpi_protocol p = ndpi_internal_detection_process_packet(ndpi_str, flow, packet_data,
packetlen, current_time_ms,
input_info);
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 73a1b5974..9e43c8607 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -2061,6 +2061,10 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
return("ALPN/SNI Mismatch");
break;
+ case NDPI_MALWARE_HOST_CONTACTED:
+ return("Client contacted a malware host");
+ break;
+
default:
ndpi_snprintf(buf, sizeof(buf), "%d", (int)risk);
return(buf);
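Review bot: The label returned here, `"Client contacted a malware host"`, differs from the message passed to `ndpi_set_risk()` in ndpi_main.c, `"Client contacted malware host"`, so the risk name and its per-flow info string render as two different phrasings of the same event. Aligning them, e.g. `return("Client contacted malware host");`, avoids confusing consumers that match on either string. The unreachable `break;` after `return` follows the surrounding cases' style and is fine to keep.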