Diffstat (limited to 'src')
-rw-r--r--src/lib/ndpi_content_match.c.inc6
-rw-r--r--src/lib/ndpi_main.c4
-rw-r--r--src/lib/protocols/http.c16
-rw-r--r--src/lib/protocols/ssh.c19
-rw-r--r--src/lib/third_party/src/hll/hll.c20
5 files changed, 57 insertions, 8 deletions
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 4ad5c5598..d10d2416e 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -9271,7 +9271,7 @@ static const char *ndpi_en_bigrams[] = {
"ru", "su", "tu", "uu", "vu", "wu", "xu", "yu", "zu", "av", "bv", "dv", "ev", "iv", "lv", "mv", "nv",
"ov", "rv", "sv", "tv", "uv", "vv", "zv", "aw", "bw", "dw", "ew", "fw", "gw", "hw", "iw", "kw", "lw",
"mw", "nw", "ow", "pw", "rw", "sw", "tw", "uw", "ww", "xw", "yw", "zw", "ax", "ex", "ix", "nx", "ox",
- "rx", "ux", "xx", "yx", "ay", "by", "cy", "dy", "ey", "fy", "gy", "hy", "ky", "ly", "my", "ny", "oy",
+ "rx", "ux", /* "xx", */ "yx", "ay", "by", "cy", "dy", "ey", "fy", "gy", "hy", "ky", "ly", "my", "ny", "oy",
"py", "ry", "sy", "ty", "uy", "vy", "wy", "xy", "yy", "zy", "az", "bz", "cz", "dz", "ez", "gz", "iz",
"lz", "nz", "oz", "pz", "rz", "tz", "uz", "zz",
NULL };
@@ -9331,7 +9331,7 @@ static const char *ndpi_en_impossible_bigrams[] = {
"qg", "qh", "qj", "qk", "ql", "qm", "qn", "qo", "qp", "qr", "qs", "qt", "qv", "qw", "qx", "qy", "uu",
"qz", "sx", "sz", "tq", "tx", "vb", "vc", "vd", "vf", "vg", "vh", "vj", "vm", "vn", /* "vp", Removed for vpbank.com */ "bw", /* "vk", "zr" Removed for kavkazr */
"vq", "vt", "vw", "vx", "vz", "wq", "wv", "wx", "wz", /* "xb", foxbusiness.com */
- "xg", "xj", "xk", "xv", "xz", "xw", "yd", /*"yp", Removed for paypal */
+ "xg", "xj", "xk", "xv", "xz", "xw", "yd", /*"yp", Removed for paypal */
"yj", "yq", "yv", "yz", "yw", "zb", "zc", "zg", "zh", "zj", "zn", "zq", "zs", "zx", "wh", "wk",
- "wb", "zk", "kp", "zk", "xy",
+ "wb", "zk", "kp", "zk", "xy", "xx",
NULL };
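Review bot: The rewritten last entry line of `ndpi_en_impossible_bigrams` still lists `"zk"` twice (`"wb", "zk", "kp", "zk", "xy", "xx"`), so the new `"xx"` is appended to a line that already carries a redundant entry. Since the line is being touched anyway, it would be cleaner to drop the duplicate: `"wb", "zk", "kp", "xy", "xx",`. Whether a duplicated entry is harmless or a second insertion into the automa depends on the loader, which is not visible here, so this is worth a quick check rather than an assumption. The change on the `"xg"` line appears to be whitespace-only.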
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index bd986f986..b2f294c0b 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -6636,6 +6636,10 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str,
num_bigram_checks++;
+#ifdef DGA_DEBUG
+ printf("-> Checking %c%c\n", word[i], word[i+1]);
+#endif
+
if(ndpi_match_bigram(ndpi_str, &ndpi_str->bigrams_automa, &word[i])) {
num_found++;
} else {
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 8f74d22ad..2b96e55b4 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -262,12 +262,18 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru
char *ua) {
if((!ua) || (ua[0] == '\0')) return;
- // printf("[%s:%d] ==> '%s'\n", __FILE__, __LINE__, ua);
-
+ // printf("***** [%s:%d] ==> '%s'\n", __FILE__, __LINE__, ua);
+ // printf("***** %u\n", ndpi_check_dga_name(ndpi_struct, NULL, "uclient-fetch]"));
+
if((strlen(ua) < 4)
- || (!strcmp(ua, "test"))
- || (!strcmp(ua, "<?"))
- || ndpi_match_bigram(ndpi_struct, &ndpi_struct->bigrams_automa, ua)) {
+ || (!strncmp(ua, "test", 4))
+ || (!strncmp(ua, "<?", 2))
+ || strchr(ua, ';')
+ || strchr(ua, '{')
+ || strchr(ua, '}')
+ || ndpi_check_dga_name(ndpi_struct, NULL, ua)
+ // || ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, ua)
+ ) {
NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_USER_AGENT);
}
}
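Review bot: The added `strchr(ua, ';')` test will flag almost every browser User-Agent, because the standard form (e.g. `Mozilla/5.0 (Windows NT 10.0; Win64; x64) ...`) separates platform tokens with semicolons, so NDPI_HTTP_SUSPICIOUS_USER_AGENT would fire on ordinary traffic and stop being a useful signal. The `{`/`}` checks and the `ndpi_check_dga_name()` call are reasonable (assuming that function tolerates the `NULL` flow argument), but the semicolon line should be removed or narrowed to something that cannot occur in a well-formed UA. Replacing `strcmp(ua, "test")` with `strncmp(ua, "test", 4)` also widens the match from the exact string to any UA beginning with "test"; if that is intended, a one-line comment such as `/* prefix match: "test", "test123", ... */` would make it explicit. The two commented-out `printf` lines and the commented-out `ndpi_match_bigram` alternative are dead code and should not be committed. ndpi_check_user_agent's signature begins before the hunk.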
diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c
index 8252d6725..7679a2337 100644
--- a/src/lib/protocols/ssh.c
+++ b/src/lib/protocols/ssh.c
@@ -60,6 +60,21 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct
/* ************************************************************************ */
+static void ssh_analyse_signature_version(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow,
+ char *str_to_check,
+ u_int8_t is_client_signature) {
+
+
+ /*
+ if(obsolete_ssh_version)
+ NDPI_SET_BIT(flow->risk, is_client_signature ? NDPI_SSH_OBSOLETE_CLIENT_SIGNATURE : NDPI_SSH_OBSOLETE_SERVER_SIGNATURE);
+ */
+
+}
+
+/* ************************************************************************ */
+
static int search_ssh_again(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
ndpi_search_ssh_tcp(ndpi_struct, flow);
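Review bot: `ssh_analyse_signature_version` is added as an empty stub whose four parameters are never read, so builds with `-Wunused-parameter` will warn and the function currently does nothing that its name promises, while the two hunks below already call it for the client and server signatures. Until the obsolete-version check is implemented, either silence the warnings with `(void)ndpi_struct; (void)flow; (void)str_to_check; (void)is_client_signature;` or, better, add a header comment such as `/* TODO: parse the SSH banner in str_to_check and flag obsolete versions via flow->risk; currently a no-op */` so readers know the call sites are placeholders. `str_to_check` should also be `const char *`, since the function is only expected to inspect the signature. `search_ssh_again` continues past the end of the hunk.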
@@ -287,6 +302,8 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct
strncpy(flow->protos.ssh.client_signature, (const char *)packet->payload, len);
flow->protos.ssh.client_signature[len] = '\0';
ndpi_ssh_zap_cr(flow->protos.ssh.client_signature, len);
+
+ ssh_analyse_signature_version(ndpi_struct, flow, flow->protos.ssh.client_signature, 1);
#ifdef SSH_DEBUG
printf("[SSH] [client_signature: %s]\n", flow->protos.ssh.client_signature);
@@ -305,6 +322,8 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct
strncpy(flow->protos.ssh.server_signature, (const char *)packet->payload, len);
flow->protos.ssh.server_signature[len] = '\0';
ndpi_ssh_zap_cr(flow->protos.ssh.server_signature, len);
+
+ ssh_analyse_signature_version(ndpi_struct, flow, flow->protos.ssh.server_signature, 0);
#ifdef SSH_DEBUG
printf("[SSH] [server_signature: %s]\n", flow->protos.ssh.server_signature);
diff --git a/src/lib/third_party/src/hll/hll.c b/src/lib/third_party/src/hll/hll.c
index f8cd817db..b9d61f21c 100644
--- a/src/lib/third_party/src/hll/hll.c
+++ b/src/lib/third_party/src/hll/hll.c
@@ -47,6 +47,26 @@ static __inline u_int8_t _hll_rank(u_int32_t hash, u_int8_t bits) {
return i;
}
+/*
+ IMPORTANT: memory usage notes
+
+ [i: 4] 16 bytes
+ [i: 5] 32 bytes
+ [i: 6] 64 bytes
+ [i: 7] 128 bytes
+ [i: 8] 256 bytes
+ [i: 9] 512 bytes
+ [i: 10] 1024 bytes
+ [i: 11] 2048 bytes
+ [i: 12] 4096 bytes
+ [i: 13] 8192 bytes
+ [i: 14] 16384 bytes
+ [i: 15] 32768 bytes
+ [i: 16] 65536 bytes
+ [i: 17] 131072 bytes
+ [i: 18] 262144 bytes
+ [i: 19] 524288 bytes
+*/
int hll_init(struct ndpi_hll *hll, u_int8_t bits) {
if(bits < 4 || bits > 20) {
errno = ERANGE;