diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/include/ndpi_protocol_ids.h | 1 | ||||
| -rw-r--r-- | src/include/ndpi_typedefs.h | 3 | ||||
| -rw-r--r-- | src/lib/ndpi_content_match.c.inc | 11 | ||||
| -rw-r--r-- | src/lib/ndpi_main.c | 17 | ||||
| -rw-r--r-- | src/lib/protocols/tls.c | 53 |
5 files changed, 73 insertions, 12 deletions
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index d4c7bda88..f1480643b 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h @@ -287,6 +287,7 @@ typedef enum { NDPI_PROTOCOL_HPVIRTGRP = 256, /* Toni Uhlig <matzeton@googlemail.com> */ NDPI_PROTOCOL_GENSHIN_IMPACT = 257, /* Toni Uhlig <matzeton@googlemail.com> */ NDPI_PROTOCOL_ACTIVISION = 258, + NDPI_PROTOCOL_FORTICLIENT = 259, #ifdef CUSTOM_NDPI_PROTOCOLS #include "../../../nDPI-custom/custom_ndpi_protocol_ids.h" diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index d863c4e24..48bb8488c 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -1184,6 +1184,9 @@ struct ndpi_detection_module_struct { /* NDPI_PROTOCOL_STUN and subprotocols */ struct ndpi_lru_cache *stun_cache; + /* NDPI_PROTOCOL_TLS and subprotocols */ + struct ndpi_lru_cache *tls_cert_cache; + /* NDPI_PROTOCOL_MINING and subprotocols */ struct ndpi_lru_cache *mining_cache; diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index 7b807e7d9..4a3e6c554 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc @@ -9432,11 +9432,12 @@ static ndpi_protocol_match host_match[] = /* ******************************************************************** */ static ndpi_tls_cert_name_match tls_certificate_match [] = { - { "CN=AnyDesk Client", NDPI_PROTOCOL_ANYDESK }, - { "O=Kakao", NDPI_PROTOCOL_KAKAOTALK }, - { "O=ntop.org", NDPI_PROTOCOL_NTOP }, - { "CN=simplednscrypt.org", NDPI_PROTOCOL_DNSCRYPT }, - { "CN=*.gateway.messenger.live.com", NDPI_PROTOCOL_SKYPE }, + { "CN=AnyDesk Client", NDPI_PROTOCOL_ANYDESK }, + { "O=Kakao", NDPI_PROTOCOL_KAKAOTALK }, + { "O=ntop.org", NDPI_PROTOCOL_NTOP }, + { "CN=simplednscrypt.org", NDPI_PROTOCOL_DNSCRYPT }, + { "CN=*.gateway.messenger.live.com", NDPI_PROTOCOL_SKYPE }, + { "OU=FortiGate", NDPI_PROTOCOL_FORTICLIENT }, { NULL, 0 } }; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index ae3e08ac3..b7de36497 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1632,6 +1632,10 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp "Activision", NDPI_PROTOCOL_CATEGORY_GAME, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); + ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_FORTICLIENT, + "FortiClient", NDPI_PROTOCOL_CATEGORY_VPN, + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); #ifdef CUSTOM_NDPI_PROTOCOLS #include "../../../nDPI-custom/custom_ndpi_main.c" @@ -2562,6 +2566,9 @@ void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_str) { if(ndpi_str->stun_cache) ndpi_lru_free_cache(ndpi_str->stun_cache); + if(ndpi_str->tls_cert_cache) + ndpi_lru_free_cache(ndpi_str->tls_cert_cache); + if(ndpi_str->mining_cache) ndpi_lru_free_cache(ndpi_str->mining_cache); @@ -6753,6 +6760,16 @@ uint8_t ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str, } /* ****************************************************** */ + + void ndpi_check_subprotocol_risk(struct ndpi_flow_struct *flow, u_int16_t subprotocol_id) { + switch(subprotocol_id) { + case NDPI_PROTOCOL_ANYDESK: + ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance */ + break; + } + } + + /* ****************************************************** */ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 871b6f435..107bc501d 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -297,6 +297,31 @@ static int extractRDNSequence(struct ndpi_packet_struct *packet, /* **************************************** */ +static void checkTLSSubprotocol(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) { + /* Subprotocol not yet set */ + + if(ndpi_struct->tls_cert_cache && flow->packet.iph) { + u_int32_t key = flow->packet.iph->daddr + flow->packet.tcp->dest; + u_int16_t cached_proto; + + if(ndpi_lru_find_cache(ndpi_struct->tls_cert_cache, key, + &cached_proto, 0 /* Don't remove it as it can be used for other connections */)) { + ndpi_protocol ret = { NDPI_PROTOCOL_TLS, cached_proto, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED }; + + flow->detected_protocol_stack[0] = cached_proto, + flow->detected_protocol_stack[1] = NDPI_PROTOCOL_TLS; + + flow->category = ndpi_get_proto_category(ndpi_struct, ret); + ndpi_check_subprotocol_risk(flow, cached_proto); + } + } + } +} + +/* **************************************** */ + /* See https://blog.catchpoint.com/2017/05/12/dissecting-tls-using-wireshark/ */ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, @@ -569,11 +594,23 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi rdnSeqBuf, strlen(rdnSeqBuf),&proto_id); if(rc == 0) { + /* Match found */ + ndpi_protocol ret = { NDPI_PROTOCOL_TLS, proto_id, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED}; + flow->detected_protocol_stack[0] = proto_id, flow->detected_protocol_stack[1] = NDPI_PROTOCOL_TLS; - if(proto_id == NDPI_PROTOCOL_ANYDESK) - ndpi_set_risk(flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION); /* Remote assistance */ + flow->category = ndpi_get_proto_category(ndpi_struct, ret); + ndpi_check_subprotocol_risk(flow, proto_id); + + if(ndpi_struct->tls_cert_cache == NULL) + ndpi_struct->tls_cert_cache = ndpi_lru_cache_init(1024); + + if(ndpi_struct->tls_cert_cache && flow->packet.iph) { + u_int32_t key = flow->packet.iph->daddr + flow->packet.tcp->dest; + + ndpi_lru_add_to_cache(ndpi_struct->tls_cert_cache, key, proto_id); + } } } } @@ -736,6 +773,8 @@ static int processTLSBlock(struct ndpi_detection_module_struct *ndpi_struct, && (packet->payload[0] == 0x02 /* Server Hello */)) { flow->l4.tcp.tls.certificate_processed = 1; /* No Certificate with TLS 1.3+ */ } + + checkTLSSubprotocol(ndpi_struct, flow); break; case 0x0b: /* Certificate */ @@ -1442,7 +1481,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: safari_ciphers++; break; - + case TLS_CIPHER_GREASE_RESERVED_0: case TLS_AES_128_GCM_SHA256: case TLS_AES_256_GCM_SHA384: @@ -1452,14 +1491,14 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: - case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: + case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: case TLS_RSA_WITH_AES_128_CBC_SHA: case TLS_RSA_WITH_AES_256_CBC_SHA: case TLS_RSA_WITH_AES_128_GCM_SHA256: - case TLS_RSA_WITH_AES_256_GCM_SHA384: + case TLS_RSA_WITH_AES_256_GCM_SHA384: safari_ciphers++, chrome_ciphers++; break; } @@ -1682,7 +1721,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, if(rc < 0) break; } - + for(i=0; i<tot_signature_algorithms_len; i+=2) { u_int16_t cipher_id = (u_int16_t)ntohs(*((u_int16_t*)&packet->payload[s_offset+i])); @@ -1715,7 +1754,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, if(chrome_signature_algorithms != 8) flow->protos.tls_quic_stun.tls_quic.browser_euristics.is_chrome_tls = 0; - + ja3.client.signature_algorithms[i*2] = '\0'; #ifdef DEBUG_TLS |