Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_api.h.in | 5 | ||||
-rw-r--r-- | src/include/ndpi_protocols.h | 1 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 1 | ||||
-rw-r--r-- | src/lib/ndpi_content_match.c.inc | 4 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 101 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 3 | ||||
-rw-r--r-- | src/lib/protocols/dns.c | 4 | ||||
-rw-r--r-- | src/lib/protocols/http.c | 6 | ||||
-rw-r--r-- | src/lib/protocols/netbios.c | 55 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 46 | ||||
-rw-r--r-- | src/lib/protocols/tor.c | 43 |
11 files changed, 169 insertions, 100 deletions
diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in index 87429c6de..8f6738920 100644 --- a/src/include/ndpi_api.h.in +++ b/src/include/ndpi_api.h.in @@ -926,6 +926,11 @@ extern "C" { int ndpi_ptree_match_addr(ndpi_ptree_t *tree, const ndpi_ip_addr_t *addr, uint *user_data); void ndpi_ptree_destroy(ndpi_ptree_t *tree); + /* DGA */ + int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, + struct ndpi_flow_struct *flow, + char *name); + /* Serializer */ int ndpi_init_serializer_ll(ndpi_serializer *serializer, ndpi_serialization_format fmt, u_int32_t buffer_size); diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h index 3ef3cbf28..417c6fb8d 100644 --- a/src/include/ndpi_protocols.h +++ b/src/include/ndpi_protocols.h @@ -213,4 +213,5 @@ void init_dnp3_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int void init_104_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_s7comm_dissector(struct ndpi_detection_module_struct *ndpi_struct,u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_websocket_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); + #endif /* __NDPI_PROTOCOLS_H__ */ diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 29c9ed364..79288e5bc 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -72,6 +72,7 @@ typedef enum { NDPI_HTTP_SUSPICIOUS_URL, NDPI_HTTP_SUSPICIOUS_HEADER, NDPI_TLS_NOT_CARRYING_HTTPS, + NDPI_SUSPICIOUS_DGA_DOMAIN, /* Leave this as last member */ NDPI_MAX_RISK diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index 32a6e840c..148ee9443 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc 
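Review bot: The new public prototype for ndpi_check_dga_name carries no comment on its contract, which a header reader can otherwise only reconstruct from ndpi_main.c; I would put above it `/* Returns 1 when name looks algorithmically generated (and, if flow is non-NULL, sets NDPI_SUSPICIOUS_DGA_DOMAIN on it), 0 otherwise; names shorter than 5 chars are never flagged. */`. The definition only reads `name` (strlen, snprintf, isdigit), so the parameter can be `const char *name` here and in ndpi_main.c, which also lets callers pass const buffers without a cast. Declaration and definition must change together or they will conflict.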
@@ -9266,8 +9266,8 @@ static const char *ndpi_en_bigrams[] = { static const char *ndpi_en_impossible_bigrams[] = { "bk", "bq", "bx", "cb", "cf", "cg", "cj", "cp", "cv", "cw", "cx", "dx", "fk", "fq", "fv", "fx", /* "ee", removed it can be found in 'meeting' */ "fz", "gq", "gv", "gx", "hh", "hk", "hv", "hx", "hz", "iy", "jb", /* "jc", jcrew.com */ "jd", "jf", "jg", "jh", "jk", - "jl", "jm", "jn", "jp", "jq", "jr", /* "js", */ "jt", "jv", "jw", "jx", "jy", "jz", "kg", "kq", "kv", "kx", - "kz", "lq", "lx", /* "mg" tamgrt.com , */ "mj", "mq", "mx", "mz", "pq", "pv", "px", "qb", "qc", "qd", "qe", "qf", "ii", + "jl", "jm", "jn", "jp", "jq", /* "jr",*/ /* "js", */ "jt", "jv", "jw", "jx", "jy", "jz", "kg", "kq", "kv", "kx", + "kz", "lq", "lx", /* "mg" tamgrt.com , */ "mj", /* "mq", mqtt */ "mx", "mz", "pq", "pv", "px", "qb", "qc", "qd", "qe", "qf", "ii", "qg", "qh", "qj", "qk", "ql", "qm", "qn", "qo", "qp", "qr", "qs", "qt", "qv", "qw", "qx", "qy", "uu", "qz", "sx", "sz", "tq", "tx", "vb", "vc", "vd", "vf", "vg", "vh", "vj", "vm", "vn", /* "vp", Removed for vpbank.com */ "bw", /* "vk", "zr" Removed for kavkazr */ "vq", "vt", "vw", "vx", "vz", "wq", "wv", "wx", "wz", /* "xb", foxbusiness.com */ diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 9c444ce2b..6bbda45f6 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -4354,12 +4354,12 @@ static int ndpi_check_protocol_port_mismatch_exceptions(struct ndpi_detection_mo break; } } - + return(0); } /* ********************************************************************************* */ - + static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, ndpi_protocol *ret) { 
@@ -4818,28 +4818,28 @@ u_int32_t ndpi_bytestream_to_ipv4(const u_int8_t *str, u_int16_t max_chars_to_re c = ndpi_bytestream_to_number(str, max_chars_to_read, &read); if(c > 255 || oldread == read || max_chars_to_read == read || str[read] != '.') return(0); - + read++; val = c << 24; oldread = read; c = ndpi_bytestream_to_number(&str[read], max_chars_to_read - read, &read); if(c > 255 || oldread == read || max_chars_to_read == read || str[read] != '.') return(0); - + read++; val = val + (c << 16); oldread = read; c = ndpi_bytestream_to_number(&str[read], max_chars_to_read - read, &read); if(c > 255 || oldread == read || max_chars_to_read == read || str[read] != '.') return(0); - + read++; val = val + (c << 8); oldread = read; c = ndpi_bytestream_to_number(&str[read], max_chars_to_read - read, &read); if(c > 255 || oldread == read || max_chars_to_read == read) return(0); - + val = val + c; *bytes_read = *bytes_read + read; @@ -4853,7 +4853,7 @@ u_int32_t ndpi_bytestream_to_ipv4(const u_int8_t *str, u_int16_t max_chars_to_re void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow) { u_int32_t a; struct ndpi_packet_struct *packet = &flow->packet; - + if((packet->payload_packet_len < 3) || (packet->payload == NULL)) return; @@ -4876,7 +4876,7 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str, /* \r\n\r\n */ int diff; /* No unsigned ! */ u_int32_t a1 = a + 4; - + diff = packet->payload_packet_len - a1; if(diff > 0) { @@ -5889,10 +5889,10 @@ const char * ndpi_strncasestr(const char *str1, const char *str2, size_t len) { for(i = 0; i < (str1_len - str2_len + 1); i++){ if(str1[0] == '\0') - return NULL; + return NULL; else if(strncasecmp(str1, str2, str2_len) == 0) return(str1); - + str1++; } 
@@ -6473,3 +6473,84 @@ void ndpi_md5(const u_char *data, size_t data_len, u_char hash[16]) {
 ndpi_MD5Update(&ctx, data, data_len);
 ndpi_MD5Final(hash, &ctx);
 }
+
+/* ******************************************************************** */
+
+static int enough(int a, int b) {
+ u_int8_t percentage = 20;
+
+ if(b == 0) return(0);
+ if(a == 0) return(1);
+
+ if(b > ((a*percentage)/100)) return(1);
+
+ return(0);
+}
+
+/* ******************************************************************** */
+
+int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str,
+ struct ndpi_flow_struct *flow,
+ char *name) {
+ int len = strlen(name), rc = 0;
+
+ if(len >= 5) {
+ int i, j, num_found = 0, num_impossible = 0, num_bigram_checks = 0;
+ char tmp[128];
+
+ len = snprintf(tmp, sizeof(tmp)-1, "%s", name);
+ if(len < 0) return(0);
+
+ for(i=0, j=0; (i<len) && (j<(sizeof(tmp)-1)); i++) {
+ if(isdigit(name[i]))
+ continue;
+ else
+ tmp[j++] = tolower(tmp[i]);
+ }
+
+ len = j;
+
+ for(i = 0; tmp[i+1] != '\0'; i++) {
+ if(isdigit(tmp[i])) continue;
+
+ switch(tmp[i]) {
+ case '-':
+ case ':':
+ case '.':
+ continue;
+ break;
+ }
+
+ if(isdigit(tmp[i+1])) continue;
+
+ num_bigram_checks++;
+
+ if(ndpi_match_bigram(ndpi_str, &ndpi_str->bigrams_automa, &tmp[i])) {
+ num_found++;
+ } else if(ndpi_match_bigram(ndpi_str,
+ &ndpi_str->impossible_bigrams_automa,
+ &tmp[i])) {
+#ifdef DGA_DEBUG
+ printf("IMPOSSIBLE %s\n", &tmp[i]);
+#endif
+ num_impossible++;
+ }
+ }
+
+ if(num_bigram_checks
+ && ((num_found == 0)
+ || (enough(num_found, num_impossible))))
+ rc = 1;
+
+ if(rc && flow)
+ NDPI_SET_BIT(flow->risk, NDPI_SUSPICIOUS_DGA_DOMAIN);
+
+#ifdef DGA_DEBUG
+ if(rc)
+ printf("DGA %s [%s][num_found: %u][num_impossible: %u]\n",
+ tmp, name, num_found, num_impossible);
+#endif
+ }
+
+ return(rc);
+}
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index e2571f64b..335b9dd87 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
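Review bot: In ndpi_check_dga_name the digit-stripping loop bounds `i` by the `len` returned by snprintf, which is the untruncated length of `name` rather than what fits in `tmp`, so a hostname longer than 126 characters (DNS allows 253, and the SNI/Host callers are attacker-controlled) makes `tmp[j++] = tolower(tmp[i])` read past the 128-byte stack buffer. That loop also never re-terminates `tmp` at `j` (`len = j` is assigned but never used), so the second loop scans up to the original NUL and scores the leftover tail of the copy a second time — `abc123def` is scored as `abcdefdef`. `isdigit`/`tolower` on a plain `char` is undefined for bytes >= 0x80, which non-ASCII names can carry; cast to `unsigned char`. Separately, the separator `switch` inspects only `tmp[i]`, so pairs such as `n.` or `a-` still count in num_bigram_checks yet presumably never in num_found, biasing short dotted names toward `num_found == 0`; adding `if(tmp[i+1] == '-' || tmp[i+1] == ':' || tmp[i+1] == '.') continue;` beside the existing digit check on `tmp[i+1]` would fix that. The rewritten prefix below clamps the length, terminates the stripped copy and adds the unsigned casts.
```c
    len = snprintf(tmp, sizeof(tmp)-1, "%s", name);
    if(len < 0) return(0);
    /* snprintf reports the untruncated length: only sizeof(tmp)-2 chars are in tmp */
    if(len > (int)(sizeof(tmp)-2)) len = (int)(sizeof(tmp)-2);

    for(i=0, j=0; i<len; i++) {
      if(!isdigit((unsigned char)tmp[i]))
        tmp[j++] = tolower((unsigned char)tmp[i]);
    }
    tmp[j] = '\0'; /* drop the tail left over from the un-stripped copy */
    len = j;

    /* … unchanged: bigram scan, risk flag, return … */
```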
@@ -1497,6 +1497,9 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) { case NDPI_TLS_NOT_CARRYING_HTTPS: return("TLS (probably) not carrying HTTPS"); + + case NDPI_SUSPICIOUS_DGA_DOMAIN: + return("Suspicious DGA domain name"); default: snprintf(buf, sizeof(buf), "%d", (int)risk); diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 460117c96..099f343e4 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -292,8 +292,10 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st cl--; } } - flow->host_server_name[j] = '\0'; + flow->host_server_name[j] = '\0'; + ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name); + if(j > 0) { ndpi_protocol_match_result ret_match; diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 7b83b91e7..a896c6214 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -284,9 +284,8 @@ static void ndpi_check_numeric_ip(struct ndpi_detection_module_struct *ndpi_stru buf[ip_len] = '\0'; ip_addr.s_addr = inet_addr(buf); - if(strcmp(inet_ntoa(ip_addr), buf) == 0) { + if(strcmp(inet_ntoa(ip_addr), buf) == 0) NDPI_SET_BIT(flow->risk, NDPI_HTTP_NUMERIC_IP_HOST); - } } /* ************************************************************* */ @@ -294,7 +293,7 @@ static void ndpi_check_numeric_ip(struct ndpi_detection_module_struct *ndpi_stru static void ndpi_check_http_url(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, char *url) { - + /* Nothing to do */ } /* ************************************************************* */ @@ -451,6 +450,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ flow->host_server_name[len] = '\0'; flow->extra_packets_func = NULL; /* We're good now */ + ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name); flow->server_id = flow->dst; if(packet->forwarded_line.ptr) { 
diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c index 7e4c98265..c396a392b 100644 --- a/src/lib/protocols/netbios.c +++ b/src/lib/protocols/netbios.c @@ -19,7 +19,7 @@ * * You should have received a copy of the GNU Lesser General Public License * along with nDPI. If not, see <http://www.gnu.org/licenses/>. - * + * */ @@ -41,14 +41,14 @@ struct netbios_header { int ndpi_netbios_name_interpret(char *in, size_t inlen, char *out, u_int out_len) { int ret = 0, len; char *b; - + len = (*in++)/2; b = out; *out = 0; if(len > (out_len-1) || len < 1 || 2*len > inlen) - return(-1); - + return(-1); + while (len--) { if(in[0] < 'A' || in[0] > 'P' || in[1] < 'A' || in[1] > 'P') { *out = 0; @@ -56,7 +56,7 @@ int ndpi_netbios_name_interpret(char *in, size_t inlen, char *out, u_int out_len } *out = ((in[0]-'A')<<4) + (in[1]-'A'); - + in += 2; if(isprint(*out)) @@ -76,13 +76,16 @@ int ndpi_netbios_name_interpret(char *in, size_t inlen, char *out, u_int out_len static void ndpi_int_netbios_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, - u_int16_t sub_protocol) { + u_int16_t sub_protocol) { char name[64]; u_int off = flow->packet.payload[12] == 0x20 ? 12 : 14; if((off < flow->packet.payload_packet_len) && - ndpi_netbios_name_interpret((char*)&flow->packet.payload[off], flow->packet.payload_packet_len - off, name, sizeof(name)) > 0) - snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name); + ndpi_netbios_name_interpret((char*)&flow->packet.payload[off], flow->packet.payload_packet_len - off, name, sizeof(name)) > 0) { + snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name); + + ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name); + } if(sub_protocol == NDPI_PROTOCOL_UNKNOWN) ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NETBIOS, NDPI_PROTOCOL_UNKNOWN); 
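Review bot: Scoring a NetBIOS name with ndpi_check_dga_name is likely to produce false positives: these are short machine names, typically uppercase and often auto-generated by Windows (e.g. a `DESKTOP-` prefix followed by a random letter/digit run), so the bigram heuristic will raise NDPI_SUSPICIOUS_DGA_DOMAIN on ordinary LAN hosts. Either drop the call here or make the limitation explicit with `/* NOTE: NetBIOS names are short machine names, not DNS labels; expect DGA false positives on auto-generated Windows names */`. I would also verify that the name produced by ndpi_netbios_name_interpret has its trailing NetBIOS suffix byte removed before it is scored; that routine starts above this hunk and I cannot tell from here. ndpi_int_netbios_add_connection continues past the end of the hunk.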
@@ -96,9 +99,9 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; u_int16_t dport; - + NDPI_LOG_DBG(ndpi_struct, "search netbios\n"); - + if(packet->udp != NULL) { dport = ntohs(packet->udp->dest); @@ -110,7 +113,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, h.transaction_id = ntohs(h.transaction_id), h.flags = ntohs(h.flags), h.questions = ntohs(h.questions), h.answer_rrs = ntohs(h.answer_rrs), h.authority_rrs = ntohs(h.authority_rrs), h.additional_rrs = ntohs(h.additional_rrs); - + NDPI_LOG_DBG(ndpi_struct, "found netbios port 137 and payload_packet_len 50\n"); if(h.flags == 0 && @@ -123,18 +126,18 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); return; } - + if(((h.flags & 0x8710) == 0x10) && h.questions == 1 && h.answer_rrs == 0 && h.authority_rrs == 0) { NDPI_LOG_INFO(ndpi_struct, "found netbios with questions = 1 and answers = 0, authority = 0 and broadcast \n"); - + ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); return; } - + if(packet->payload[2] == 0x80 && h.questions == 1 && h.answer_rrs == 0 && @@ -145,7 +148,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); return; } - + if(h.flags == 0x4000 && h.questions == 1 && h.answer_rrs == 0 && @@ -156,7 +159,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); return; } - + if(h.flags == 0x8400 && h.questions == 0 && h.answer_rrs == 1 && 
@@ -168,7 +171,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); return; } - + if(h.flags == 0x8500 && h.questions == 0 && h.answer_rrs == 1 && @@ -180,7 +183,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); return; } - + if(((h.flags == 0x2900) || (h.flags == 0x2910)) && h.questions == 1 && h.answer_rrs == 0 && @@ -192,7 +195,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); return; } - + if(h.flags == 0xAD86 && h.questions == 0 && h.answer_rrs == 1 && @@ -204,7 +207,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); return; } - + if(h.flags == 0x0110 && h.questions == 1 && h.answer_rrs == 0 && 
@@ -333,25 +336,25 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, } /* TODO: extend according to rfc1002 */ } - + /* check standard NETBIOS over udp to port 138 */ /* netbios header token from http://www.protocolbase.net/protocols/protocol_NBDGM.php */ if((dport == 138) && (packet->payload_packet_len >= 14)) { u_int16_t netbios_len = ntohs(get_u_int16_t(packet->payload, 10)); - - if(netbios_len == packet->payload_packet_len - 14) { + + if(netbios_len == packet->payload_packet_len - 14) { NDPI_LOG_DBG2(ndpi_struct, "found netbios port 138 and payload length >= 112 \n"); - + if(packet->payload[0] >= 0x10 && packet->payload[0] <= 0x16) { u_int32_t source_ip = ntohl(get_u_int32_t(packet->payload, 4)); - + NDPI_LOG_DBG2(ndpi_struct, "found netbios with MSG-type 0x10,0x11,0x12,0x13,0x14,0x15 or 0x16\n"); if(source_ip == ntohl(packet->iph->saddr)) { int16_t leftover = netbios_len - 82; /* NetBIOS len */ - + NDPI_LOG_INFO(ndpi_struct, "found netbios with checked ip-address\n"); ndpi_int_netbios_add_connection(ndpi_struct, flow, (leftover > 0) ? NDPI_PROTOCOL_SMBV1 : NDPI_PROTOCOL_UNKNOWN); diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 7d9e99171..816b23a50 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -223,7 +223,7 @@ static int extractRDNSequence(struct ndpi_packet_struct *packet, if(rc > 0) (*rdnSeqBuf_offset) += rc; } - + return(is_printable); } @@ -244,7 +244,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi /* Check after handshake protocol header (5 bytes) and message header (4 bytes) */ for(i = p_offset; i < certificate_len; i++) { - /* + /* See https://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.sec.doc/q009860_.htm for X.509 certificate labels */ 
@@ -252,7 +252,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi /* Common Name */ int rc = extractRDNSequence(packet, i, buffer, sizeof(buffer), rdnSeqBuf, &rdn_len, sizeof(rdnSeqBuf), "CN"); if(rc == -1) break; - + #ifdef DEBUG_TLS printf("[TLS] %s() [%s][%s: %s]\n", __FUNCTION__, (num_found == 0) ? "Subject" : "Issuer", "Common Name", buffer); #endif @@ -260,7 +260,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi /* Country */ int rc = extractRDNSequence(packet, i, buffer, sizeof(buffer), rdnSeqBuf, &rdn_len, sizeof(rdnSeqBuf), "C"); if(rc == -1) break; - + #ifdef DEBUG_TLS printf("[TLS] %s() [%s][%s: %s]\n", __FUNCTION__, (num_found == 0) ? "Subject" : "Issuer", "Country", buffer); #endif @@ -315,10 +315,10 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi if((offset+len) < packet->payload_packet_len) { char utcDate[32]; - + #ifdef DEBUG_TLS u_int j; - + printf("[CERTIFICATE] notBefore [len: %u][", len); for(j=0; j<len; j++) printf("%c", packet->payload[i+4+j]); printf("]\n"); @@ -352,7 +352,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi u_int32_t time_sec = flow->packet.current_time_ms / 1000; #ifdef DEBUG_TLS u_int j; - + printf("[CERTIFICATE] notAfter [len: %u][", len); for(j=0; j<len; j++) printf("%c", packet->payload[offset+j]); printf("]\n"); @@ -375,7 +375,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi } } - + if((time_sec < flow->protos.stun_ssl.ssl.notBefore) || (time_sec > flow->protos.stun_ssl.ssl.notAfter)) NDPI_SET_BIT(flow->risk, NDPI_TLS_CERTIFICATE_EXPIRED); /* Certificate expired */ 
@@ -385,7 +385,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi } else if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x1d) && (packet->payload[i+2] == 0x11)) { /* Organization OID: 2.5.29.17 (subjectAltName) */ u_int8_t matched_name = 0; - + #ifdef DEBUG_TLS printf("******* [TLS] Found subjectAltName\n"); #endif @@ -428,7 +428,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi else if(strcmp(flow->protos.stun_ssl.ssl.client_requested_server_name, dNSName) == 0) matched_name = 1; } - + if(flow->protos.stun_ssl.ssl.server_names == NULL) flow->protos.stun_ssl.ssl.server_names = ndpi_strdup(dNSName), flow->protos.stun_ssl.ssl.server_names_len = strlen(dNSName); @@ -477,7 +477,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi if(flow->protos.stun_ssl.ssl.subjectDN && flow->protos.stun_ssl.ssl.issuerDN && (!strcmp(flow->protos.stun_ssl.ssl.subjectDN, flow->protos.stun_ssl.ssl.issuerDN))) NDPI_SET_BIT(flow->risk, NDPI_TLS_SELFSIGNED_CERTIFICATE); - + #if DEBUG_TLS printf("[TLS] %s() SubjectDN [%s]\n", __FUNCTION__, rdnSeqBuf); #endif @@ -864,7 +864,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, flow->protos.stun_ssl.ssl.ssl_version = ja3.tls_handshake_version = tls_version; if(flow->protos.stun_ssl.ssl.ssl_version < 0x0302) /* TLSv1.1 */ NDPI_SET_BIT(flow->risk, NDPI_TLS_OBSOLETE_VERSION); - + if(handshake_type == 0x02 /* Server Hello */) { int i, rc; @@ -889,7 +889,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, ja3.num_cipher = 1, ja3.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset])); if((flow->protos.stun_ssl.ssl.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.cipher[0])) == 1) NDPI_SET_BIT(flow->risk, NDPI_TLS_WEAK_CIPHER); - + flow->protos.stun_ssl.ssl.server_cipher = ja3.cipher[0]; #ifdef DEBUG_TLS 
@@ -1108,6 +1108,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, if(ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TLS, buffer, strlen(buffer))) flow->l4.tcp.tls.subprotocol_detected = 1; + + ndpi_check_dga_name(ndpi_struct, flow, flow->protos.stun_ssl.ssl.client_requested_server_name); } else { #ifdef DEBUG_TLS printf("[TLS] Extensions server len too short: %u vs %u\n", @@ -1261,8 +1263,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, flow->protos.stun_ssl.ssl.tls_supported_versions = ndpi_strdup(version_str); } } else if(extension_id == 65486 /* encrypted server name */) { - /* - - https://tools.ietf.org/html/draft-ietf-tls-esni-06 + /* + - https://tools.ietf.org/html/draft-ietf-tls-esni-06 - https://blog.cloudflare.com/encrypted-sni/ */ u_int16_t e_offset = offset+extension_offset; @@ -1270,9 +1272,9 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t e_sni_len, cipher_suite = ntohs(*((u_int16_t*)&packet->payload[e_offset])); flow->protos.stun_ssl.ssl.encrypted_sni.cipher_suite = cipher_suite; - + e_offset += 2; /* Cipher suite len */ - + /* Key Share Entry */ e_offset += 2; /* Group */ e_offset += ntohs(*((u_int16_t*)&packet->payload[e_offset])) + 2; /* Lenght */ @@ -1280,11 +1282,11 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, if((e_offset+4) < packet->payload_packet_len) { /* Record Digest */ e_offset += ntohs(*((u_int16_t*)&packet->payload[e_offset])) + 2; /* Lenght */ - + if((e_offset+4) < packet->payload_packet_len) { e_sni_len = ntohs(*((u_int16_t*)&packet->payload[e_offset])); e_offset += 2; - + if((e_offset+e_sni_len-extension_len-initial_offset) >= 0) { #ifdef DEBUG_ENCRYPTED_SNI printf("Client SSL [Encrypted Server Name len: %u]\n", e_sni_len); 
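Review bot: The SNI is scored for DGA unconditionally, immediately after ndpi_match_hostname_protocol may have matched it against the known-hostname list; a name that just matched a known protocol is legitimate by construction, so gating the call with `if(!flow->l4.tcp.tls.subprotocol_detected) ndpi_check_dga_name(ndpi_struct, flow, flow->protos.stun_ssl.ssl.client_requested_server_name);` avoids raising NDPI_SUSPICIOUS_DGA_DOMAIN on it. Note also that the hostname match uses `buffer` while the DGA call uses `client_requested_server_name`; if the latter is a bounded copy of the former (where it is filled is not visible here), a truncated SNI is what gets scored. processClientServerHello begins and ends outside this hunk.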
@@ -1292,13 +1294,13 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, if(flow->protos.stun_ssl.ssl.encrypted_sni.esni == NULL) { flow->protos.stun_ssl.ssl.encrypted_sni.esni = (char*)ndpi_malloc(e_sni_len*2+1); - + if(flow->protos.stun_ssl.ssl.encrypted_sni.esni) { u_int16_t i, off; - + for(i=e_offset, off=0; i<(e_offset+e_sni_len); i++) { int rc = sprintf(&flow->protos.stun_ssl.ssl.encrypted_sni.esni[off], "%02X", packet->payload[i] & 0XFF); - + if(rc <= 0) { flow->protos.stun_ssl.ssl.encrypted_sni.esni[off] = '\0'; break; diff --git a/src/lib/protocols/tor.c b/src/lib/protocols/tor.c index 9dd14046e..7318685e7 100644 --- a/src/lib/protocols/tor.c +++ b/src/lib/protocols/tor.c 
@@ -48,45 +48,16 @@ int ndpi_is_tls_tor(struct ndpi_detection_module_struct *ndpi_struct, if((dot = strrchr(dummy, '.')) == NULL) return(0); name = &dot[1]; - len = strlen(name); - - if(len >= 5) { - int i, prev_num = 0, numbers_found = 0, num_found = 0, num_impossible = 0; - - for(i = 0; name[i+1] != '\0'; i++) { - // printf("***** [SSL] %s(): [%d][%c]", __FUNCTION__, i, name[i]); - - if((name[i] >= '0') && (name[i] <= '9')) { - if(prev_num != 1) { - numbers_found++; - - if(numbers_found == 2) { - ndpi_int_tor_add_connection(ndpi_struct, flow); - return(1); - } - prev_num = 1; - } - } else - prev_num = 0; - - if(ndpi_match_bigram(ndpi_struct, &ndpi_struct->bigrams_automa, &name[i])) { - num_found++; - } else if(ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, &name[i])) { - num_impossible++; - } - } - - if((num_found == 0) || (num_impossible > 1)) { + if(ndpi_check_dga_name(ndpi_struct, flow, name)) { + ndpi_int_tor_add_connection(ndpi_struct, flow); + return(1); + } else { +#ifdef PEDANTIC_TOR_CHECK + if(gethostbyname(certificate) == NULL) { ndpi_int_tor_add_connection(ndpi_struct, flow); return(1); - } else { -#ifdef PEDANTIC_TOR_CHECK - if(gethostbyname(certificate) == NULL) { - ndpi_int_tor_add_connection(ndpi_struct, flow); - return(1); - } -#endif } +#endif } return(0); |
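Review bot: ndpi_check_dga_name is called with `flow`, so ndpi_is_tls_tor now also sets NDPI_SUSPICIOUS_DGA_DOMAIN on every flow it examines as a side effect of the Tor heuristic; if that is not intended, pass `NULL` instead of `flow`, since the function raises the flag only when flow is non-NULL. If `len` is still declared above this hunk it is now assigned nowhere and will trip -Wunused-variable. The replaced heuristic also fired on names containing two separate digit runs, whereas the new function strips digits before scoring, so that signal is gone; a comment saying this is deliberate would help the next reader. ndpi_is_tls_tor starts before this hunk and its closing brace falls after it.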