diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/include/ndpi_api.h | 15 | ||||
| -rw-r--r-- | src/include/ndpi_protocol_ids.h | 21 | ||||
| -rw-r--r-- | src/include/ndpi_protocols.h | 161 | ||||
| -rw-r--r-- | src/include/ndpi_typedefs.h | 22 | ||||
| -rw-r--r-- | src/lib/Makefile.in | 2 | ||||
| -rw-r--r-- | src/lib/ndpi_content_match.c.inc | 233 | ||||
| -rw-r--r-- | src/lib/ndpi_main.c | 221 | ||||
| -rw-r--r-- | src/lib/ndpi_serializer.c | 258 | ||||
| -rw-r--r-- | src/lib/ndpi_utils.c | 169 | ||||
| -rw-r--r-- | src/lib/protocols/bittorrent.c | 31 | ||||
| -rw-r--r-- | src/lib/protocols/capwap.c | 123 | ||||
| -rw-r--r-- | src/lib/protocols/dns.c | 89 | ||||
| -rw-r--r-- | src/lib/protocols/http.c | 163 | ||||
| -rw-r--r-- | src/lib/protocols/iec60870-5-104.c | 42 | ||||
| -rw-r--r-- | src/lib/protocols/kerberos.c | 4 | ||||
| -rw-r--r-- | src/lib/protocols/mail_smtp.c | 6 | ||||
| -rw-r--r-- | src/lib/protocols/skype.c | 11 | ||||
| -rw-r--r-- | src/lib/protocols/smb.c | 18 | ||||
| -rw-r--r-- | src/lib/protocols/ssh.c | 70 | ||||
| -rw-r--r-- | src/lib/protocols/stun.c | 49 | ||||
| -rw-r--r-- | src/lib/protocols/telnet.c | 107 | ||||
| -rw-r--r-- | src/lib/protocols/tls.c | 97 | ||||
| -rw-r--r-- | src/lib/protocols/zabbix.c | 63 |
23 files changed, 1294 insertions, 681 deletions
diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h index 372eddf72..6228a6123 100644 --- a/src/include/ndpi_api.h +++ b/src/include/ndpi_api.h @@ -207,18 +207,7 @@ extern "C" { void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *ndpi_struct, const NDPI_PROTOCOL_BITMASK * detection_bitmask); - /** - * Function to be called to see in case of unknown match to see if there is - * a partial match that has been prevented by the current nDPI preferences configuration - * - * @par ndpi_struct = the detection module - * @par flow = the flow given for the detection module - * @return the detected protocol even if the flow is not completed; - * - */ - ndpi_protocol ndpi_get_partial_detection(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow); - /** + /** * Function to be called before we give up with detection for a given flow. * This function reduces the NDPI_UNKNOWN_PROTOCOL detection * @@ -951,6 +940,8 @@ extern "C" { const char* ndpi_data_ratio2str(float ratio); void ndpi_data_print_window_values(struct ndpi_analyze_struct *s); /* debug */ + + ndpi_url_risk ndpi_validate_url(char *url); #ifdef __cplusplus } #endif diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index 05be1381d..c6d486933 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h @@ -1,4 +1,3 @@ - /* * ndpi_protocol_ids.h * @@ -75,12 +74,12 @@ typedef enum { NDPI_PROTOCOL_SKYPE_CALL = 38, /* Skype call and videocalls */ NDPI_PROTOCOL_SIGNAL = 39, NDPI_PROTOCOL_MEMCACHED = 40, /* Memcached - Darryl Sokoloski <darryl@egloo.ca> */ - NDPI_PROTOCOL_SMBV23 = 41, /* SMB version 2/3 */ + NDPI_PROTOCOL_SMBV23 = 41, /* SMB version 2/3 */ NDPI_PROTOCOL_MINING = 42, /* Bitcoin, Ethereum, ZCash, Monero */ NDPI_PROTOCOL_NEST_LOG_SINK = 43, /* Nest Log Sink (Nest Protect) - Darryl Sokoloski <darryl@egloo.ca> */ NDPI_PROTOCOL_MODBUS = 44, /* Modbus */ NDPI_PROTOCOL_WHATSAPP_CALL = 45, /* WhatsApp video ad audio calls go here */ - NDPI_PROTOCOL_DATASAVER = 46, /* Protocols used to save data on Internet communications */ + NDPI_PROTOCOL_DATASAVER = 46, /* Protocols used to save data on Internet communications */ NDPI_PROTOCOL_XBOX = 47, NDPI_PROTOCOL_QQ = 48, NDPI_PROTOCOL_TIKTOK = 49, @@ -235,7 +234,7 @@ typedef enum { NDPI_PROTOCOL_MPEGTS = 198, NDPI_PROTOCOL_SNAPCHAT = 199, NDPI_PROTOCOL_SINA = 200, - NDPI_PROTOCOL_HANGOUT_DUO = 201, /* Google Hangout ad Duo (merged as they are very similar) */ + NDPI_PROTOCOL_HANGOUT_DUO = 201, /* Google Hangout ad Duo (merged as they are very similar) */ NDPI_PROTOCOL_IFLIX = 202, /* www.vizuamatix.com R&D team & M.Mallawaarachchie <manoj_ws@yahoo.com> */ NDPI_PROTOCOL_GITHUB = 203, NDPI_PROTOCOL_BJNP = 204, @@ -279,14 +278,22 @@ typedef enum { NDPI_PROTOCOL_WHATSAPP_FILES = 242, /* Videos, pictures, voice messages... */ NDPI_PROTOCOL_TARGUS_GETDATA = 243, NDPI_PROTOCOL_DNP3 = 244, - NDPI_PROTOCOL_104 = 245, -/* + NDPI_PROTOCOL_104 = 245, + NDPI_PROTOCOL_BLOOMBERG = 246, + NDPI_PROTOCOL_CAPWAP = 247, + NDPI_PROTOCOL_ZABBIX = 248, + +#ifdef CUSTOM_NDPI_PROTOCOLS +#include "../../../nDPI-custom/custom_ndpi_protocol_ids.h" +#endif + + /* IMPORTANT before allocating a new identifier please fill up one of those named NDPI_PROTOCOL_FREE_XXX and not used (placeholders to avoid protocol renumbering) */ - + /* IMPORTANT:NDPI_LAST_IMPLEMENTED_PROTOCOL MUST BE THE LAST ELEMENT */ NDPI_LAST_IMPLEMENTED_PROTOCOL } ndpi_protocol_id_t; diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h index 17941d5b2..dd41be2a3 100644 --- a/src/include/ndpi_protocols.h +++ b/src/include/ndpi_protocols.h @@ -51,165 +51,6 @@ u_int ndpi_search_tcp_or_udp_raw(struct ndpi_detection_module_struct *ndpi_struc void ndpi_search_tcp_or_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -/* Applications and other protocols. */ -void ndpi_search_diameter(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_lisp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_edonkey(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_fasttrack_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_directconnect(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_applejuice_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_i23v5(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_socrates(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_soulseek_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_msn(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_yahoo(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_oscar(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_sip(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_imo(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_direct_download_link_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_mail_pop_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_http_subprotocol_conf(struct ndpi_detection_module_struct *ndpi_struct, char *attr, char *value, int protocol_id); -void ndpi_search_ftp_control(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_ftp_data(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_usenet_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_rtsp_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_filetopia_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_vmware(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_mms_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_icecast_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_shoutcast_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_veohtv_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_openft_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_tvants_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_sopcast(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_tvuplayer(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_ppstream(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_pplive(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_iax(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_mgcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_zattoo(struct ndpi_detection_module_struct*ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_qq(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_feidian(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_ayiya(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_thunder(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_activesync(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_in_non_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_vnc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_dhcp_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_steam(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_halflife2(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_xbox(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_smb_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_telnet_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_ntp_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_nfs(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_rtp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_ssdp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_worldofwarcraft(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_postgres_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_mysql_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_bgp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_quake(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_battlefield(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_secondlife(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_pcanywhere(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_snmp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_kontiki(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_syslog(struct ndpi_detection_module_struct*ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_mdns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_ipp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_ldap(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_warcraft3(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_xdmcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_tftp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_mssql_tds(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_pptp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_stealthnet(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_dhcpv6_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_afp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_checkmk(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_aimini(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_florensia(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_maplestory(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_dofus(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_world_of_kung_fu(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_fiesta(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_crossfire_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_guildwars_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_armagetron_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_dropbox(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_citrix(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_dcerpc(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_netflow(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_sflow(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_radius(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_wsus(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_teamview(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_lotus_notes(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_gtp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_spotify(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_h323(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_openvpn(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_noe(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_viber(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_teamspeak(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_corba(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_collectd(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_oracle(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_rsync(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_rtcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_skinny(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_tor(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_whois_das(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_socks5(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_socks4(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_rtmp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_pando(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_megaco(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_redis(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_zmq(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_vhua(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_telegram(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_quic(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_eaq(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_kakaotalk_voice(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_mpegts(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_starcraft(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_coap(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_mqtt (struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_rx(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_git(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_drda(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_bjnp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_smpp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_tinc(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_fix(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_csgo(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_ajp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_memcached(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_nest_log_sink(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_wireguard(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_targus_getdata(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_apple_push(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_amazon_video(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -/* --- INIT FUNCTIONS --- */ void init_diameter_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_afp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_aimini_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); @@ -369,6 +210,8 @@ void init_memcached_dissector(struct ndpi_detection_module_struct *ndpi_struct, void init_nest_log_sink_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_ookla_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_modbus_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); +void init_capwap_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); +void init_zabbix_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_line_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_wireguard_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_targus_getdata_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 64644d76f..057fa2527 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -42,6 +42,12 @@ typedef enum { ndpi_l4_proto_tcp_and_udp, } ndpi_l4_proto_info; +typedef enum { + ndpi_url_no_problem = 0, + ndpi_url_possible_xss, + ndpi_url_possible_sql_injection + } ndpi_url_risk; + /* NDPI_VISIT */ typedef enum { ndpi_preorder, @@ -926,9 +932,7 @@ typedef enum { } ndpi_protocol_category_t; typedef enum { - ndpi_pref_http_dont_dissect_response = 0, - ndpi_pref_dns_dont_dissect_response, - ndpi_pref_direction_detect_disable, + ndpi_pref_direction_detect_disable = 0, ndpi_pref_disable_metadata_export, } ndpi_detection_preference; @@ -1105,8 +1109,7 @@ struct ndpi_detection_module_struct { ndpi_proto_defaults_t proto_defaults[NDPI_MAX_SUPPORTED_PROTOCOLS+NDPI_MAX_NUM_CUSTOM_PROTOCOLS]; - u_int8_t http_dont_dissect_response:1, dns_dont_dissect_response:1, - direction_detect_disable:1, /* disable internal detection of packet direction */ + u_int8_t direction_detect_disable:1, /* disable internal detection of packet direction */ disable_metadata_export:1 /* No metadata is exported */ ; @@ -1171,7 +1174,7 @@ struct ndpi_flow_struct { */ struct { ndpi_http_method method; - char *url, *content_type; + char *url, *content_type, *user_agent; u_int8_t num_request_headers, num_response_headers; u_int8_t request_version; /* 0=1.0 and 1=1.1. Create an enum for this? */ u_int16_t response_status_code; /* 200, 404, etc. */ @@ -1221,6 +1224,12 @@ struct ndpi_flow_struct { } imo; struct { + u_int8_t username_detected:1, username_found:1, skip_next:1, _pad:5; + u_int8_t character_id; + char username[32]; + } telnet; + + struct { char answer[96]; } mdns; @@ -1275,7 +1284,6 @@ struct ndpi_flow_struct { /* NDPI_PROTOCOL_HTTP */ u_int8_t http_detected:1; - u_int16_t http_upper_protocol, http_lower_protocol; /* NDPI_PROTOCOL_RTSP */ u_int8_t rtsprdt_stage:2, rtsp_control_flow:1; diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in index 1a884ac9d..0c3f44838 100644 --- a/src/lib/Makefile.in +++ b/src/lib/Makefile.in @@ -14,7 +14,7 @@ prefix = @prefix@ libdir = ${prefix}/lib includedir = ${prefix}/include/ndpi CC = @CC@ -CFLAGS += -fPIC -DPIC -I../include -Ithird_party/include -DNDPI_LIB_COMPILATION -O2 -g -Wall +CFLAGS += -fPIC -DPIC -I../include -Ithird_party/include -DNDPI_LIB_COMPILATION -O2 -g -Wall @CUSTOM_NDPI@ RANLIB = ranlib OBJECTS = $(patsubst protocols/%.c, protocols/%.o, $(wildcard protocols/*.c)) $(patsubst third_party/src/%.c, third_party/src/%.o, $(wildcard third_party/src/*.c)) $(patsubst ./%.c, ./%.o, $(wildcard ./*.c)) diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index 257fdf3cc..5345a3c46 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc @@ -359,6 +359,7 @@ static ndpi_network host_protocol_list[] = { { 0x1F0D4934 /* 31.13.73.52/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, { 0x1F0D4A34 /* 31.13.74.52/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, { 0x1F0D4F35 /* 31.13.79.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP }, + /* Files */ { 0xB93CD835 /* 185.60.216.53/32 */, 32, NDPI_PROTOCOL_WHATSAPP_FILES }, { 0xB93CD836 /* 185.60.216.54/32 */, 32, NDPI_PROTOCOL_WHATSAPP_FILES }, @@ -488,6 +489,7 @@ static ndpi_network host_protocol_list[] = { { 0x344E0000 /* 52.78.0.0/16 */, 16, NDPI_PROTOCOL_AMAZON }, { 0x344F0000 /* 52.79.0.0/16 */, 16, NDPI_PROTOCOL_AMAZON }, { 0x34520000 /* 52.82.0.0/14 */, 14, NDPI_PROTOCOL_AMAZON }, + { 0x34540000 /* 52.84.0.0/14 */, 14, NDPI_PROTOCOL_AMAZON }, { 0x34580000 /* 52.88.0.0/13 */, 13, NDPI_PROTOCOL_AMAZON }, { 0x345A0000 /* 52.90.0.0/15 */, 15, NDPI_PROTOCOL_AMAZON }, { 0x345EE000 /* 52.94.224.0/19 */, 19, NDPI_PROTOCOL_AMAZON }, @@ -8307,6 +8309,222 @@ static ndpi_network host_protocol_list[] = { { 0xA7CEDA82 /* 167.206.218.130/32*/, 32, NDPI_PROTOCOL_PS_VUE }, { 0xA7CEDA8A /* 167.206.218.138/32*/, 32, NDPI_PROTOCOL_PS_VUE }, + /* Bloomberg */ + { 0xD086A100 /* 208.134.161.0/24 */, 24, NDPI_PROTOCOL_BLOOMBERG }, + { 0xCDB7F600 /* 205.183.246.0/24 */, 24, NDPI_PROTOCOL_BLOOMBERG }, + { 0xC769B000 /* 199.105.176.0/21 */, 21, NDPI_PROTOCOL_BLOOMBERG }, + { 0xC769B800 /* 199.105.184.0/23 */, 23, NDPI_PROTOCOL_BLOOMBERG }, + { 0x45B80000 /* 69.184.0.0/13 */, 13, NDPI_PROTOCOL_BLOOMBERG }, + { 0xA02B0000 /* 160.43.0.0/16 */, 24, NDPI_PROTOCOL_BLOOMBERG }, + { 0xCE9C3500 /* 206.156.53.0/24 */, 24, NDPI_PROTOCOL_BLOOMBERG }, + { 0xCDD87000 /* 205.216.112.0/24 */, 24, NDPI_PROTOCOL_BLOOMBERG }, + { 0xD0163800 /* 208.22.56.0/24 */, 24, NDPI_PROTOCOL_BLOOMBERG }, + { 0xD0163900 /* 208.22.57.0/24 */, 24, NDPI_PROTOCOL_BLOOMBERG }, + { 0x45BFC000 /* 69.191.192.0/18 */, 18, NDPI_PROTOCOL_BLOOMBERG }, + + /* Microsoft + https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges + */ + { 0x0D6B0698 /* 13.107.6.152/31 */, 31, NDPI_PROTOCOL_OFFICE_365 }, + { 0x0D6B120A /* 13.107.18.10/31 */, 31, NDPI_PROTOCOL_OFFICE_365 }, + { 0x0D6B8000 /* 13.107.128.0/22 */, 22, NDPI_PROTOCOL_OFFICE_365 }, + { 0x1767A000 /* 23.103.160.0/20 */, 20, NDPI_PROTOCOL_OFFICE_365 }, + { 0x28600000 /* 40.96.0.0/13 */, 13, NDPI_PROTOCOL_OFFICE_365 }, + { 0x28680000 /* 40.104.0.0/15 */, 15, NDPI_PROTOCOL_OFFICE_365 }, + { 0x34600000 /* 52.96.0.0/14 */, 14, NDPI_PROTOCOL_OFFICE_365 }, + { 0x83FD21D7 /* 131.253.33.215/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x84F50000 /* 132.245.0.0/16 */, 16, NDPI_PROTOCOL_OFFICE_365 }, + { 0x96AB2000 /* 150.171.32.0/22 */, 22, NDPI_PROTOCOL_OFFICE_365 }, + { 0xBFEA8C00 /* 191.234.140.0/22 */, 22, NDPI_PROTOCOL_OFFICE_365 }, + { 0xCC4FC5D7 /* 204.79.197.215/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x0D6B0698 /* 13.107.6.152/31 */, 31, NDPI_PROTOCOL_OFFICE_365 }, + { 0x0D6B120A /* 13.107.18.10/31 */, 31, NDPI_PROTOCOL_OFFICE_365 }, + { 0x0D6B8000 /* 13.107.128.0/22 */, 22, NDPI_PROTOCOL_OFFICE_365 }, + { 0x1767A000 /* 23.103.160.0/20 */, 20, NDPI_PROTOCOL_OFFICE_365 }, + { 0x28600000 /* 40.96.0.0/13 */, 13, NDPI_PROTOCOL_OFFICE_365 }, + { 0x28680000 /* 40.104.0.0/15 */, 15, NDPI_PROTOCOL_OFFICE_365 }, + { 0x34600000 /* 52.96.0.0/14 */, 14, NDPI_PROTOCOL_OFFICE_365 }, + { 0x83FD21D7 /* 131.253.33.215/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x84F50000 /* 132.245.0.0/16 */, 16, NDPI_PROTOCOL_OFFICE_365 }, + { 0x96AB2000 /* 150.171.32.0/22 */, 22, NDPI_PROTOCOL_OFFICE_365 }, + { 0xBFEA8C00 /* 191.234.140.0/22 */, 22, NDPI_PROTOCOL_OFFICE_365 }, + { 0xCC4FC5D7 /* 204.79.197.215/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x0D6B0698 /* 13.107.6.152/31 */, 31, NDPI_PROTOCOL_OFFICE_365 }, + { 0x0D6B120A /* 13.107.18.10/31 */, 31, NDPI_PROTOCOL_OFFICE_365 }, + { 0x0D6B8000 /* 13.107.128.0/22 */, 22, NDPI_PROTOCOL_OFFICE_365 }, + { 0x1767A000 /* 23.103.160.0/20 */, 20, NDPI_PROTOCOL_OFFICE_365 }, + { 0x28600000 /* 40.96.0.0/13 */, 13, NDPI_PROTOCOL_OFFICE_365 }, + { 0x28680000 /* 40.104.0.0/15 */, 15, NDPI_PROTOCOL_OFFICE_365 }, + { 0x34600000 /* 52.96.0.0/14 */, 14, NDPI_PROTOCOL_OFFICE_365 }, + { 0x83FD21D7 /* 131.253.33.215/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x84F50000 /* 132.245.0.0/16 */, 16, NDPI_PROTOCOL_OFFICE_365 }, + { 0x96AB2000 /* 150.171.32.0/22 */, 22, NDPI_PROTOCOL_OFFICE_365 }, + { 0xBFEA8C00 /* 191.234.140.0/22 */, 22, NDPI_PROTOCOL_OFFICE_365 }, + { 0xCC4FC5D7 /* 204.79.197.215/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x0D6B0698 /* 13.107.6.152/31 */, 31, NDPI_PROTOCOL_OFFICE_365 }, + { 0x0D6B120A /* 13.107.18.10/31 */, 31, NDPI_PROTOCOL_OFFICE_365 }, + { 0x0D6B8000 /* 13.107.128.0/22 */, 22, NDPI_PROTOCOL_OFFICE_365 }, + { 0x1767A000 /* 23.103.160.0/20 */, 20, NDPI_PROTOCOL_OFFICE_365 }, + { 0x28600000 /* 40.96.0.0/13 */, 13, NDPI_PROTOCOL_OFFICE_365 }, + { 0x28680000 /* 40.104.0.0/15 */, 15, NDPI_PROTOCOL_OFFICE_365 }, + { 0x34600000 /* 52.96.0.0/14 */, 14, NDPI_PROTOCOL_OFFICE_365 }, + { 0x83FD21D7 /* 131.253.33.215/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x84F50000 /* 132.245.0.0/16 */, 16, NDPI_PROTOCOL_OFFICE_365 }, + { 0x96AB2000 /* 150.171.32.0/22 */, 22, NDPI_PROTOCOL_OFFICE_365 }, + { 0xBFEA8C00 /* 191.234.140.0/22 */, 22, NDPI_PROTOCOL_OFFICE_365 }, + { 0xCC4FC5D7 /* 204.79.197.215/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x285C0000 /* 40.92.0.0/15 */, 15, NDPI_PROTOCOL_OFFICE_365 }, + { 0x286B0000 /* 40.107.0.0/16 */, 16, NDPI_PROTOCOL_OFFICE_365 }, + { 0x34640000 /* 52.100.0.0/14 */, 14, NDPI_PROTOCOL_OFFICE_365 }, + { 0x34EE4E58 /* 52.238.78.88/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x682F0000 /* 104.47.0.0/17 */, 17, NDPI_PROTOCOL_OFFICE_365 }, + { 0x285C0000 /* 40.92.0.0/15 */, 15, NDPI_PROTOCOL_OFFICE_365 }, + { 0x286B0000 /* 40.107.0.0/16 */, 16, NDPI_PROTOCOL_OFFICE_365 }, + { 0x34640000 /* 52.100.0.0/14 */, 14, NDPI_PROTOCOL_OFFICE_365 }, + { 0x682F0000 /* 104.47.0.0/17 */, 17, NDPI_PROTOCOL_OFFICE_365 }, + /* ** */ + { 0x0D6B8800 /* 13.107.136.0/22 */, 22, NDPI_PROTOCOL_MS_ONE_DRIVE }, + { 0x286C8000 /* 40.108.128.0/17 */, 17, NDPI_PROTOCOL_MS_ONE_DRIVE }, + { 0x34680000 /* 52.104.0.0/14 */, 14, NDPI_PROTOCOL_MS_ONE_DRIVE }, + { 0x68928000 /* 104.146.128.0/17 */, 17, NDPI_PROTOCOL_MS_ONE_DRIVE }, + { 0x96AB2800 /* 150.171.40.0/22 */, 22, NDPI_PROTOCOL_MS_ONE_DRIVE }, + /* ** */ + { 0x0D6B4000 /* 13.107.64.0/18 */, 18, NDPI_PROTOCOL_SKYPE }, + { 0x34700000 /* 52.112.0.0/14 */, 14, NDPI_PROTOCOL_SKYPE }, + { 0x0D4697D8 /* 13.70.151.216/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x0D477FC5 /* 13.71.127.197/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x0D48F573 /* 13.72.245.115/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x0D490178 /* 13.73.1.120/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x0D4B7EA9 /* 13.75.126.169/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x0D59F071 /* 13.89.240.113/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x0D6B0300 /* 13.107.3.0/24 */, 24, NDPI_PROTOCOL_SKYPE }, + { 0x0D6B4000 /* 13.107.64.0/18 */, 18, NDPI_PROTOCOL_SKYPE }, + { 0x338C9BEA /* 51.140.155.234/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x338CCBBE /* 51.140.203.190/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x338D334C /* 51.141.51.76/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x34700000 /* 52.112.0.0/14 */, 14, NDPI_PROTOCOL_SKYPE }, + { 0x34A37ED7 /* 52.163.126.215/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x34AA1543 /* 52.170.21.67/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x34ACB912 /* 52.172.185.18/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x34B25E02 /* 52.178.94.2/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x34B2A18B /* 52.178.161.139/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x34E41960 /* 52.228.25.96/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x34EE778D /* 52.238.119.141/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x34F217BD /* 52.242.23.189/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x34F4A0CF /* 52.244.160.207/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x68D70B90 /* 104.215.11.144/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x68D73EC3 /* 104.215.62.195/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x8A5BEDED /* 138.91.237.237/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x0D4697D8 /* 13.70.151.216/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x0D477FC5 /* 13.71.127.197/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x0D48F573 /* 13.72.245.115/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x0D490178 /* 13.73.1.120/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x0D4B7EA9 /* 13.75.126.169/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x0D59F071 /* 13.89.240.113/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x0D6B0300 /* 13.107.3.0/24 */, 24, NDPI_PROTOCOL_SKYPE }, + { 0x0D6B4000 /* 13.107.64.0/18 */, 18, NDPI_PROTOCOL_SKYPE }, + { 0x338C9BEA /* 51.140.155.234/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x338CCBBE /* 51.140.203.190/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x338D334C /* 51.141.51.76/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x34700000 /* 52.112.0.0/14 */, 14, NDPI_PROTOCOL_SKYPE }, + { 0x34A37ED7 /* 52.163.126.215/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x34AA1543 /* 52.170.21.67/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x34ACB912 /* 52.172.185.18/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x34B25E02 /* 52.178.94.2/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x34B2A18B /* 52.178.161.139/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x34E41960 /* 52.228.25.96/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x34EE778D /* 52.238.119.141/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x34F217BD /* 52.242.23.189/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x34F4A0CF /* 52.244.160.207/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x68D70B90 /* 104.215.11.144/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x68D73EC3 /* 104.215.62.195/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x8A5BEDED /* 138.91.237.237/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x0D4697D8 /* 13.70.151.216/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x0D477FC5 /* 13.71.127.197/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x0D48F573 /* 13.72.245.115/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x0D490178 /* 13.73.1.120/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x0D4B7EA9 /* 13.75.126.169/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x0D59F071 /* 13.89.240.113/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x0D6B0300 /* 13.107.3.0/24 */, 24, NDPI_PROTOCOL_SKYPE }, + { 0x0D6B4000 /* 13.107.64.0/18 */, 18, NDPI_PROTOCOL_SKYPE }, + { 0x338C9BEA /* 51.140.155.234/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x338CCBBE /* 51.140.203.190/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x338D334C /* 51.141.51.76/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x34700000 /* 52.112.0.0/14 */, 14, NDPI_PROTOCOL_SKYPE }, + { 0x34A37ED7 /* 52.163.126.215/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x34AA1543 /* 52.170.21.67/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x34ACB912 /* 52.172.185.18/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x34B25E02 /* 52.178.94.2/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x34B2A18B /* 52.178.161.139/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x34E41960 /* 52.228.25.96/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x34EE778D /* 52.238.119.141/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x34F217BD /* 52.242.23.189/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x34F4A0CF /* 52.244.160.207/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x68D70B90 /* 104.215.11.144/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x68D73EC3 /* 104.215.62.195/32 */, 32, NDPI_PROTOCOL_SKYPE }, + { 0x8A5BEDED /* 138.91.237.237/32 */, 32, NDPI_PROTOCOL_SKYPE }, + /* ** */ + { 0x0D6B06AB /* 13.107.6.171/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x0D6B8C06 /* 13.107.140.6/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x346C0000 /* 52.108.0.0/14 */, 14, NDPI_PROTOCOL_OFFICE_365 }, + { 0x34EE6A74 /* 52.238.106.116/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x34F796BF /* 52.247.150.191/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x0D6A0480 /* 13.106.4.128/25 */, 25, NDPI_PROTOCOL_OFFICE_365 }, + { 0x0D6A3800 /* 13.106.56.0/25 */, 25, NDPI_PROTOCOL_OFFICE_365 }, + { 0x14BE8000 /* 20.190.128.0/18 */, 18, NDPI_PROTOCOL_OFFICE_365 }, + { 0x287E0000 /* 40.126.0.0/18 */, 18, NDPI_PROTOCOL_OFFICE_365 }, + { 0x4136AA80 /* 65.54.170.128/25 */, 25, NDPI_PROTOCOL_OFFICE_365 }, + { 0x682CDA80 /* 104.44.218.128/25 */, 25, NDPI_PROTOCOL_OFFICE_365 }, + { 0x682CFE80 /* 104.44.254.128/25 */, 25, NDPI_PROTOCOL_OFFICE_365 }, + { 0x682CFF00 /* 104.44.255.0/25 */, 25, NDPI_PROTOCOL_OFFICE_365 }, + { 0x86AA4300 /* 134.170.67.0/25 */, 25, NDPI_PROTOCOL_OFFICE_365 }, + { 0x86AAAC80 /* 134.170.172.128/25 */, 25, NDPI_PROTOCOL_OFFICE_365 }, + { 0x9D372D80 /* 157.55.45.128/25 */, 25, NDPI_PROTOCOL_OFFICE_365 }, + { 0x9D378200 /* 157.55.130.0/25 */, 25, NDPI_PROTOCOL_OFFICE_365 }, + { 0x9D379100 /* 157.55.145.0/25 */, 25, NDPI_PROTOCOL_OFFICE_365 }, + { 0x9D379B00 /* 157.55.155.0/25 */, 25, NDPI_PROTOCOL_OFFICE_365 }, + { 0x9D37E3C0 /* 157.55.227.192/26 */, 26, NDPI_PROTOCOL_OFFICE_365 }, + { 0xBFE80280 /* 191.232.2.128/25 */, 25, NDPI_PROTOCOL_OFFICE_365 }, + { 0x0D507D16 /* 13.80.125.22/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x0D5B5BF3 /* 13.91.91.243/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x0D6B069C /* 13.107.6.156/31 */, 31, NDPI_PROTOCOL_OFFICE_365 }, + { 0x0D6B07BE /* 13.107.7.190/31 */, 31, NDPI_PROTOCOL_OFFICE_365 }, + { 0x0D6B099C /* 13.107.9.156/31 */, 31, NDPI_PROTOCOL_OFFICE_365 }, + { 0x28519C9A /* 40.81.156.154/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x285ADAC6 /* 40.90.218.198/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x346C0000 /* 52.108.0.0/14 */, 14, NDPI_PROTOCOL_OFFICE_365 }, + { 0x34AE38B4 /* 52.174.56.180/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x34B74B3E /* 52.183.75.62/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x34B8A552 /* 52.184.165.82/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x682AE65B /* 104.42.230.91/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x9D379100 /* 157.55.145.0/25 */, 25, NDPI_PROTOCOL_OFFICE_365 }, + { 0x9D379B00 /* 157.55.155.0/25 */, 25, NDPI_PROTOCOL_OFFICE_365 }, + { 0x9D37E3C0 /* 157.55.227.192/26 */, 26, NDPI_PROTOCOL_OFFICE_365 }, + { 0x0D507D16 /* 13.80.125.22/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x0D5B5BF3 /* 13.91.91.243/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x0D6B069C /* 13.107.6.156/31 */, 31, NDPI_PROTOCOL_OFFICE_365 }, + { 0x0D6B07BE /* 13.107.7.190/31 */, 31, NDPI_PROTOCOL_OFFICE_365 }, + { 0x0D6B099C /* 13.107.9.156/31 */, 31, NDPI_PROTOCOL_OFFICE_365 }, + { 0x28519C9A /* 40.81.156.154/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x285ADAC6 /* 40.90.218.198/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x346C0000 /* 52.108.0.0/14 */, 14, NDPI_PROTOCOL_OFFICE_365 }, + { 0x34AE38B4 /* 52.174.56.180/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x34B74B3E /* 52.183.75.62/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x34B8A552 /* 52.184.165.82/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x682AE65B /* 104.42.230.91/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x9D379100 /* 157.55.145.0/25 */, 25, NDPI_PROTOCOL_OFFICE_365 }, + { 0x9D379B00 /* 157.55.155.0/25 */, 25, NDPI_PROTOCOL_OFFICE_365 }, + { 0x9D37E3C0 /* 157.55.227.192/26 */, 26, NDPI_PROTOCOL_OFFICE_365 }, + { 0x0D6B06AB /* 13.107.6.171/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x0D6B8C06 /* 13.107.140.6/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x346C0000 /* 52.108.0.0/14 */, 14, NDPI_PROTOCOL_OFFICE_365 }, + { 0x34EE6A74 /* 52.238.106.116/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + { 0x34F796BF /* 52.247.150.191/32 */, 32, NDPI_PROTOCOL_OFFICE_365 }, + /* ** */ + { 0x34700000 /* 52.112.0.0/14 */, 14, NDPI_PROTOCOL_MICROSOFT }, + { 0x34600000 /* 52.96.0.0/12 */, 12, NDPI_PROTOCOL_MICROSOFT }, + + /* End */ { 0x0, 0, 0 } }; @@ -8400,9 +8618,18 @@ static ndpi_protocol_match host_match[] = { { "images-amazon.com", NULL, "images-amazon" TLD, "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { "amazonaws.com", NULL, "amazonaws" TLD, "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { "amazon-adsystem.com", NULL, "amazon-adsystem" TLD, "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, + { ".aws.", NULL, "\\.aws\\." TLD, "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { ".cloudfront.net", NULL, "\\.cloudfront" TLD, "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, - { ".us-west-2.compute.amazonaws.com", NULL, "\\.us-west-2\\.compute\\.amazonaws\\.com", "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, + { ".us-west-2.compute.amazonaws.com", NULL, "\\.us-west-2\\.compute\\.amazonaws\\.com","Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, + + /* Microsoft + Azure */ + { ".azure.com", NULL, "\\.azure.\\com" TLD, "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE }, + { ".windows.net", NULL, "\\.windows.\\net" TLD, "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE }, + { ".microsoft.com", NULL, "\\.microsoft.\\com" TLD, "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE }, + { ".bloombergvault.com", NULL, "\\.bloombergvault.\\com" TLD, "Bloomberg", NDPI_PROTOCOL_BLOOMBERG, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE }, + { ".bloomberg.com", NULL, "\\.bloomberg.\\com" TLD, "Bloomberg", NDPI_PROTOCOL_BLOOMBERG, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE }, + { ".push.apple.com", NULL, "\\.push\\.apple" TLD, "ApplePush", NDPI_PROTOCOL_APPLE_PUSH, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE }, { ".apple-dns.net", NULL, "\\.apple-dns" TLD, "Apple", NDPI_PROTOCOL_APPLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE }, { ".mzstatic.com", NULL, "\\.mzstatic" TLD, "Apple", NDPI_PROTOCOL_APPLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE }, @@ -8613,7 +8840,8 @@ static ndpi_protocol_match host_match[] = { { "e7768.b.akamaiedge.net", NULL, "e7768\\.b\\.akamaiedge" TLD, "Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE }, { "e4593.dspg.akamaiedge.net", NULL, "e4593\\.dspg\\.akamaiedge" TLD,"Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE }, { "e4593.g.akamaiedge.net", NULL, "e4593\\.g\\.akamaiedge" TLD, "Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE }, - + { "*.gateway.messenger.live.com", NULL, "\\*\\.gateway\\.messenger\\.live" TLD, "Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE }, + { ".tuenti.com", NULL, "\\.tuenti" TLD, "Tuenti", NDPI_PROTOCOL_TUENTI, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE }, { ".twttr.com", NULL, "\\.twttr" TLD, "Twitter", NDPI_PROTOCOL_TWITTER, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN }, @@ -8703,7 +8931,6 @@ static ndpi_protocol_match host_match[] = { { "login.live.com", NULL, "login\\.live" TLD, "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE }, { "bn1301.storage.live.com", NULL, "bn1301\\.storage\\.live" TLD, "MS_OneDrive", NDPI_PROTOCOL_MS_ONE_DRIVE,NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE }, - { "*.gateway.messenger.live.com", NULL, "\\*\\.gateway\\.messenger\\.live" TLD, "MS_OneDrive", NDPI_PROTOCOL_MS_ONE_DRIVE, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE }, { "skyapi.live.net", NULL, "skyapi\\.live" TLD, "MS_OneDrive", NDPI_PROTOCOL_MS_ONE_DRIVE, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE }, { "d.docs.live.net", NULL, "d\\.docs\\.live" TLD, "MS_OneDrive", NDPI_PROTOCOL_MS_ONE_DRIVE, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE }, { "onedrive.live.com", NULL, "onedrive\\.live" TLD, "MS_OneDrive", NDPI_PROTOCOL_MS_ONE_DRIVE, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE }, diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 8e3f704e4..e71ca668e 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -50,7 +50,7 @@ #include "third_party/include/ht_hash.h" /* stun.c */ -extern u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow); +extern u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow, u_int8_t rev); static int _ndpi_debug_callbacks = 0; @@ -714,14 +714,6 @@ int ndpi_set_detection_preferences(struct ndpi_detection_module_struct *ndpi_str ndpi_detection_preference pref, int value) { switch(pref) { - case ndpi_pref_http_dont_dissect_response: - ndpi_str->http_dont_dissect_response = (u_int8_t)value; - break; - - case ndpi_pref_dns_dont_dissect_response: - ndpi_str->dns_dont_dissect_response = (u_int8_t)value; - break; - case ndpi_pref_direction_detect_disable: ndpi_str->direction_detect_disable = (u_int8_t)value; break; @@ -1242,7 +1234,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp 0 /* can_have_a_subprotocol */, no_master, no_master, "RDP", NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, ndpi_build_default_ports(ports_a, 3389, 0, 0, 0, 0) /* TCP */, - ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); + ndpi_build_default_ports(ports_b, 3389, 0, 0, 0, 0) /* UDP */); ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_VNC, 0 /* can_have_a_subprotocol */, no_master, no_master, "VNC", NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, @@ -1766,6 +1758,27 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, "104", NDPI_PROTOCOL_CATEGORY_NETWORK, /* Perhaps IoT in the future */ ndpi_build_default_ports(ports_a, 2404, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); + ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_BLOOMBERG, + 1 /* no subprotocol */, no_master, + no_master, "Bloomberg", NDPI_PROTOCOL_CATEGORY_NETWORK, + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); + ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_CAPWAP, + 1 /* no subprotocol */, no_master, + no_master, "CAPWAP", NDPI_PROTOCOL_CATEGORY_NETWORK, + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, + ndpi_build_default_ports(ports_b, 5246, 5247, 0, 0, 0) /* UDP */ + ); + ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_ZABBIX, + 1 /* no subprotocol */, no_master, + no_master, "Zabbix", NDPI_PROTOCOL_CATEGORY_NETWORK, + ndpi_build_default_ports(ports_a, 10050, 0, 0, 0, 0) /* TCP */, + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */ + ); + +#ifdef CUSTOM_NDPI_PROTOCOLS +#include "../../../nDPI-custom/custom_ndpi_main.c" +#endif /* calling function for host and content matched protocols */ init_string_based_protocols(ndpi_str); @@ -1775,6 +1788,12 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp /* ****************************************************** */ +#ifdef CUSTOM_NDPI_PROTOCOLS +#include "../../../nDPI-custom/custom_ndpi_protocols.c" +#endif + +/* ****************************************************** */ + static int ac_match_handler(AC_MATCH_t *m, AC_TEXT_t *txt, AC_REP_t *match) { int min_len = (txt->length < m->patterns->length) ? txt->length : m->patterns->length; char buf[64] = { '\0' }; @@ -3237,9 +3256,6 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* TEAMSPEAK */ init_teamspeak_dissector(ndpi_str, &a, detection_bitmask); - /* VIBER */ - init_viber_dissector(ndpi_str, &a, detection_bitmask); - /* TOR */ init_tor_dissector(ndpi_str, &a, detection_bitmask); @@ -3351,8 +3367,17 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* MODBUS */ init_modbus_dissector(ndpi_str, &a, detection_bitmask); + /* CAPWAP */ + init_capwap_dissector(ndpi_str, &a, detection_bitmask); + + /* ZABBIX */ + init_zabbix_dissector(ndpi_str, &a, detection_bitmask); + /*** Put false-positive sensitive protocols at the end ***/ + /* VIBER */ + init_viber_dissector(ndpi_str, &a, detection_bitmask); + /* SKYPE */ init_skype_dissector(ndpi_str, &a, detection_bitmask); @@ -3386,12 +3411,16 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* WireGuard VPN */ init_wireguard_dissector(ndpi_str, &a, detection_bitmask); - /* AMAZON_VIDEO */ + /* Amazon_Video */ init_amazon_video_dissector(ndpi_str, &a, detection_bitmask); /* Targus Getdata */ init_targus_getdata_dissector(ndpi_str, &a, detection_bitmask); +#ifdef CUSTOM_NDPI_PROTOCOLS +#include "../../../nDPI-custom/custom_ndpi_main_init.c" +#endif + /* ----------------------------------------------------------------- */ ndpi_str->callback_buffer_size = a; @@ -3493,6 +3522,9 @@ static int ndpi_handle_ipv6_extension_headers(struct ndpi_detection_module_struc } // the other extension headers have one byte for the next header type // and one byte for the extension header length in 8 byte steps minus the first 8 bytes + if (*l4len < 2) { + return(1); + } ehdr_len = (*l4ptr)[1]; ehdr_len *= 8; ehdr_len += 8; @@ -3711,6 +3743,7 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str if(flow->http.url) ndpi_free(flow->http.url); if(flow->http.content_type) ndpi_free(flow->http.content_type); + if(flow->http.user_agent) ndpi_free(flow->http.user_agent); backup = flow->num_processed_pkts; backup1 = flow->guessed_protocol_id; @@ -4062,64 +4095,6 @@ u_int16_t ndpi_guess_host_protocol_id(struct ndpi_detection_module_struct *ndpi_ /* ********************************************************************************* */ -static ndpi_protocol ndpi_process_partial_detection(struct ndpi_detection_module_struct *ndpi_str, - struct ndpi_flow_struct *flow) { - ndpi_protocol ret; - ndpi_protocol_match_result ret_match; - - ret.master_protocol = flow->guessed_protocol_id; - ret.app_protocol = ndpi_match_host_subprotocol(ndpi_str, flow, - (char *)flow->host_server_name, - strlen((const char*)flow->host_server_name), - &ret_match, - flow->guessed_protocol_id); - - if(flow->category != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED) - ret.category = flow->category; - else - ret.category = ret_match.protocol_category; - - if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN) - ret.app_protocol = ret.master_protocol; - - ndpi_fill_protocol_category(ndpi_str, flow, &ret); - - ndpi_int_change_protocol(ndpi_str, flow, ret.app_protocol, ret.master_protocol); - - return(ret); -} - -/* ********************************************************************************* */ - -/* - You can call this function at any time in case of unknown match to see if there is - a partial match that has been prevented by the current nDPI preferences configuration -*/ -ndpi_protocol ndpi_get_partial_detection(struct ndpi_detection_module_struct *ndpi_str, - struct ndpi_flow_struct *flow) { - if((flow->guessed_protocol_id == NDPI_PROTOCOL_HTTP) - && (ndpi_str->http_dont_dissect_response == 0) - && (flow->host_server_name[0] != '\0') - && (!NDPI_ISSET(&flow->excluded_protocol_bitmask, flow->guessed_host_protocol_id))) - return(ndpi_process_partial_detection(ndpi_str, flow)); - else if((flow->guessed_protocol_id == NDPI_PROTOCOL_DNS) - && (ndpi_str->dns_dont_dissect_response == 0) - && (flow->host_server_name[0] != '\0') - && (!NDPI_ISSET(&flow->excluded_protocol_bitmask, flow->guessed_host_protocol_id))) - return(ndpi_process_partial_detection(ndpi_str, flow)); - else { - ndpi_protocol ret = { NDPI_PROTOCOL_UNKNOWN, - NDPI_PROTOCOL_UNKNOWN, - NDPI_PROTOCOL_CATEGORY_UNSPECIFIED }; - - if(flow) ret.category = flow->category; - - return(ret); - } -} - -/* ********************************************************************************* */ - ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, u_int8_t enable_guess, @@ -4153,15 +4128,6 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) { ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_TLS, NDPI_PROTOCOL_UNKNOWN); } else { - ndpi_protocol ret_g = ndpi_get_partial_detection(ndpi_str, flow); - - if(ret_g.master_protocol != NDPI_PROTOCOL_UNKNOWN) - return(ret_g); - else { - if(!enable_guess) - return(ret); - } - if((flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) && (flow->packet.l4_protocol == IPPROTO_TCP) && (flow->l4.tcp.tls_stage > 1)) @@ -4242,25 +4208,10 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st ret.app_protocol = NDPI_PROTOCOL_HANGOUT_DUO; } } - - if(enable_guess - && (ret.app_protocol == NDPI_PROTOCOL_UNKNOWN) - && flow->packet.iph /* Guess only IPv4 */ - && (flow->packet.tcp || flow->packet.udp) - ) { - ret = ndpi_guess_undetected_protocol(ndpi_str, - flow, - flow->packet.l4_protocol, - ntohl(flow->packet.iph->saddr), - ntohs(flow->packet.udp ? flow->packet.udp->source : flow->packet.tcp->source), - ntohl(flow->packet.iph->daddr), - ntohs(flow->packet.udp ? flow->packet.udp->dest : flow->packet.tcp->dest) - ); - *protocol_was_guessed = 1; - } - ndpi_fill_protocol_category(ndpi_str, flow, &ret); - + if(ret.app_protocol != NDPI_PROTOCOL_UNKNOWN) + ndpi_fill_protocol_category(ndpi_str, flow, &ret); + return(ret); } @@ -4655,6 +4606,8 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { if(flow->check_extra_packets) { ndpi_process_extra_packet(ndpi_str, flow, packet, packetlen, current_tick_l, src, dst); + /* Update in case of new match */ + ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0]; return(ret); } else goto ret_protocols; @@ -4741,7 +4694,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct } else flow->guessed_header_category = NDPI_PROTOCOL_CATEGORY_UNSPECIFIED; - if(flow->guessed_protocol_id >= (NDPI_MAX_SUPPORTED_PROTOCOLS-1)) { + if(flow->guessed_protocol_id > NDPI_MAX_SUPPORTED_PROTOCOLS) { /* This is a custom protocol and it has priority over everything else */ ret.master_protocol = NDPI_PROTOCOL_UNKNOWN, ret.app_protocol = flow->guessed_protocol_id ? flow->guessed_protocol_id : flow->guessed_host_protocol_id; @@ -4777,7 +4730,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct } } - if(flow->guessed_host_protocol_id >= (NDPI_MAX_SUPPORTED_PROTOCOLS-1)) { + if(flow->guessed_host_protocol_id > NDPI_MAX_SUPPORTED_PROTOCOLS) { /* This is a custom protocol and it has priority over everything else */ ret.master_protocol = NDPI_PROTOCOL_UNKNOWN, ret.app_protocol = flow->guessed_host_protocol_id; @@ -4835,7 +4788,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct } else ret.app_protocol = flow->detected_protocol_stack[0]; - /* Don;t overwrite the category if already set */ + /* Don't overwrite the category if already set */ if(flow->category == NDPI_PROTOCOL_CATEGORY_UNSPECIFIED) ndpi_fill_protocol_category(ndpi_str, flow, &ret); else @@ -5122,15 +5075,34 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str, || strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Content-type: ", 14) == 0)) { packet->content_line.ptr = &packet->line[packet->parsed_lines].ptr[14]; packet->content_line.len = packet->line[packet->parsed_lines].len - 14; + + while((packet->content_line.len > 0) && (packet->content_line.ptr[0] == ' ')) + packet->content_line.len--, packet->content_line.ptr++; + packet->http_num_headers++; } /* "Content-Type:" header line in HTTP AGAIN. Probably a bogus response without space after ":" */ - if(packet->line[packet->parsed_lines].len > 13 - && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Content-type:", 13) == 0) { + if((packet->content_line.len == 0) + && (packet->line[packet->parsed_lines].len > 13) + && (strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Content-type:", 13) == 0)) { packet->content_line.ptr = &packet->line[packet->parsed_lines].ptr[13]; packet->content_line.len = packet->line[packet->parsed_lines].len - 13; packet->http_num_headers++; } + + if(packet->content_line.len > 0) { + /* application/json; charset=utf-8 */ + char separator[] = { ';', '\r', '\0' }; + int i; + + for(i=0; separator[i] != '\0'; i++) { + char *c = memchr((char*)packet->content_line.ptr, separator[i], packet->content_line.len); + + if(c != NULL) + packet->content_line.len = c - (char*)packet->content_line.ptr; + } + } + /* "Accept:" header line in HTTP request. */ if(packet->line[packet->parsed_lines].len > 8 && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Accept: ", 8) == 0) { @@ -5405,8 +5377,7 @@ void ndpi_set_detected_protocol(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, u_int16_t upper_detected_protocol, u_int16_t lower_detected_protocol) { - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; + struct ndpi_id_struct *src = flow->src, *dst = flow->dst; ndpi_int_change_protocol(ndpi_str, flow, upper_detected_protocol, lower_detected_protocol); @@ -6131,6 +6102,25 @@ static int hyperscanEventHandler(unsigned int id, unsigned long long from, #endif +/* **************************************** */ + +static u_int8_t ndpi_is_more_generic_protocol(u_int16_t previous_proto, u_int16_t new_proto) { + /* Sometimes certificates are more generic than previously identified protocols */ + + if((previous_proto == NDPI_PROTOCOL_UNKNOWN) + || (previous_proto == new_proto)) + return(0); + + switch(previous_proto) { + case NDPI_PROTOCOL_WHATSAPP_CALL: + case NDPI_PROTOCOL_WHATSAPP_FILES: + if(new_proto == NDPI_PROTOCOL_WHATSAPP) + return(1); + } + + return(0); +} + /* ****************************************************** */ static u_int16_t ndpi_automa_match_string_subprotocol(struct ndpi_detection_module_struct *ndpi_str, @@ -6187,7 +6177,8 @@ static u_int16_t ndpi_automa_match_string_subprotocol(struct ndpi_detection_modu } #endif - if(matching_protocol_id != NDPI_PROTOCOL_UNKNOWN) { + if((matching_protocol_id != NDPI_PROTOCOL_UNKNOWN) + && (!ndpi_is_more_generic_protocol(packet->detected_protocol_stack[0], matching_protocol_id))) { /* Move the protocol on slot 0 down one position */ packet->detected_protocol_stack[1] = master_protocol_id, packet->detected_protocol_stack[0] = matching_protocol_id; @@ -6285,8 +6276,9 @@ int ndpi_match_bigram(struct ndpi_detection_module_struct *ndpi_str, void ndpi_free_flow(struct ndpi_flow_struct *flow) { if(flow) { - if(flow->http.url) ndpi_free(flow->http.url); + if(flow->http.url) ndpi_free(flow->http.url); if(flow->http.content_type) ndpi_free(flow->http.content_type); + if(flow->http.user_agent) ndpi_free(flow->http.user_agent); if(flow->l4_proto == IPPROTO_TCP) { if(flow->l4.tcp.tls_srv_cert_fingerprint_ctx) @@ -6475,13 +6467,12 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp break; case NDPI_PROTOCOL_HTTP: - if(flow->host_server_name[0] == '\0') + if((flow->host_server_name[0] == '\0') || (flow->http.response_status_code == 0)) return(1); break; case NDPI_PROTOCOL_DNS: - if((ndpi_str->dns_dont_dissect_response == 0) - && (flow->protos.dns.num_answers == 0)) + if(flow->protos.dns.num_answers == 0) return(1); break; @@ -6498,6 +6489,11 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp || (flow->protos.ssh.hassh_server[0] == '\0')) return(1); break; + + case NDPI_PROTOCOL_TELNET: + if(!flow->protos.telnet.username_detected) + return(1); + break; } return(0); @@ -6530,8 +6526,7 @@ const char* ndpi_get_l4_proto_name(ndpi_l4_proto_info proto) { /* ******************************************************************** */ ndpi_l4_proto_info ndpi_get_l4_proto_info(struct ndpi_detection_module_struct *ndpi_struct, - u_int16_t ndpi_proto_id) { - + u_int16_t ndpi_proto_id) { if(ndpi_proto_id < ndpi_struct->ndpi_num_supported_protocols) { u_int16_t idx = ndpi_struct->proto_defaults[ndpi_proto_id].protoIdx; NDPI_SELECTION_BITMASK_PROTOCOL_SIZE bm = ndpi_struct->callback_buffer[idx].ndpi_selection_bitmask; diff --git a/src/lib/ndpi_serializer.c b/src/lib/ndpi_serializer.c index 49f29a4e8..945e60b37 100644 --- a/src/lib/ndpi_serializer.c +++ b/src/lib/ndpi_serializer.c @@ -45,26 +45,32 @@ static u_int64_t ndpi_htonll(u_int64_t v) { union { u_int32_t lv[2]; u_int64_t llv; } u; + u.lv[0] = htonl(v >> 32); u.lv[1] = htonl(v & 0xFFFFFFFFULL); - return u.llv; + + return(u.llv); } /* ********************************** */ static u_int64_t ndpi_ntohll(u_int64_t v) { union { u_int32_t lv[2]; u_int64_t llv; } u; + u.llv = v; - return ((u_int64_t)ntohl(u.lv[0]) << 32) | (u_int64_t)ntohl(u.lv[1]); + + return((u_int64_t)ntohl(u.lv[0]) << 32) | (u_int64_t)ntohl(u.lv[1]); } /* ********************************** */ static int ndpi_is_number(const char *str, u_int32_t str_len) { int i; - for (i = 0; i < str_len; i++) - if (!isdigit(str[i])) return 0; - return 1; + + for(i = 0; i < str_len; i++) + if(!isdigit(str[i])) return(0); + + return(1); } /* ********************************** */ @@ -80,7 +86,7 @@ static int ndpi_json_string_escape(const char *src, int src_len, char *dst, int dst[j++] = '"'; - for (i = 0; i < src_len && j < dst_max_len; i++) { + for(i = 0; i < src_len && j < dst_max_len; i++) { c = src[i]; @@ -122,7 +128,7 @@ static int ndpi_json_string_escape(const char *src, int src_len, char *dst, int dst[j++] = '"'; dst[j+1] = '\0'; - return j; + return(j); } /* ********************************** */ @@ -178,7 +184,7 @@ int ndpi_init_serializer_ll(ndpi_serializer *_serializer, int ndpi_init_serializer(ndpi_serializer *_serializer, ndpi_serialization_format fmt) { - return ndpi_init_serializer_ll(_serializer, fmt, NDPI_SERIALIZER_DEFAULT_BUFFER_SIZE); + return(ndpi_init_serializer_ll(_serializer, fmt, NDPI_SERIALIZER_DEFAULT_BUFFER_SIZE)); } /* ********************************** */ @@ -250,9 +256,9 @@ static inline int ndpi_extend_serializer_buffer(ndpi_serializer *_serializer, u_ void *r; ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer; - if (min_len < NDPI_SERIALIZER_DEFAULT_BUFFER_INCR) { - if (serializer->initial_buffer_size < NDPI_SERIALIZER_DEFAULT_BUFFER_INCR) { - if (min_len < serializer->initial_buffer_size) + if(min_len < NDPI_SERIALIZER_DEFAULT_BUFFER_INCR) { + if(serializer->initial_buffer_size < NDPI_SERIALIZER_DEFAULT_BUFFER_INCR) { + if(min_len < serializer->initial_buffer_size) min_len = serializer->initial_buffer_size; } else { min_len = NDPI_SERIALIZER_DEFAULT_BUFFER_INCR; @@ -455,7 +461,7 @@ static inline void ndpi_serialize_json_pre(ndpi_serializer *_serializer) { serializer->status.size_used--; /* Remove ']'*/ serializer->status.size_used--; /* Remove '}'*/ - if (serializer->status.flags & NDPI_SERIALIZER_STATUS_SOB) + if(serializer->status.flags & NDPI_SERIALIZER_STATUS_SOB) serializer->status.flags &= ~NDPI_SERIALIZER_STATUS_SOB; else if(serializer->status.flags & NDPI_SERIALIZER_STATUS_COMMA) serializer->buffer[serializer->status.size_used++] = ','; @@ -479,10 +485,10 @@ static inline void ndpi_serialize_json_post(ndpi_serializer *_serializer) { static inline ndpi_serialization_type ndpi_serialize_key_uint32(ndpi_private_serializer *serializer, u_int32_t key) { ndpi_serialization_type kt; - if (key <= 0xff) { + if(key <= 0xff) { ndpi_serialize_single_uint8(serializer, key); kt = ndpi_serialization_uint8; - } else if (key <= 0xffff) { + } else if(key <= 0xffff) { ndpi_serialize_single_uint16(serializer, key); kt = ndpi_serialization_uint16; } else { @@ -490,7 +496,7 @@ static inline ndpi_serialization_type ndpi_serialize_key_uint32(ndpi_private_ser kt = ndpi_serialization_uint32; } - return kt; + return(kt); } /* ********************************** */ @@ -529,10 +535,10 @@ int ndpi_serialize_uint32_uint32(ndpi_serializer *_serializer, kt = ndpi_serialize_key_uint32(serializer, key); type = (kt << 4); - if (value <= 0xff) { + if(value <= 0xff) { ndpi_serialize_single_uint8(serializer, value); type |= ndpi_serialization_uint8; - } else if (value <= 0xffff) { + } else if(value <= 0xffff) { ndpi_serialize_single_uint16(serializer, value); type |= ndpi_serialization_uint16; } else { @@ -577,7 +583,7 @@ int ndpi_serialize_uint32_uint64(ndpi_serializer *_serializer, (serializer->status.size_used > 0) ? serializer->csv_separator : "", (unsigned long long)value); } else { - if (value <= 0xffffffff) { + if(value <= 0xffffffff) { return(ndpi_serialize_uint32_uint32(_serializer, key, value)); } else { ndpi_serialization_type kt; @@ -633,10 +639,10 @@ int ndpi_serialize_uint32_int32(ndpi_serializer *_serializer, kt = ndpi_serialize_key_uint32(serializer, key); type = (kt << 4); - if (value <= 127 && value >= -128) { + if(value <= 127 && value >= -128) { ndpi_serialize_single_uint8(serializer, value); type |= ndpi_serialization_int8; - } else if (value <= 32767 && value >= -32768) { + } else if(value <= 32767 && value >= -32768) { ndpi_serialize_single_uint16(serializer, value); type |= ndpi_serialization_int16; } else { @@ -682,7 +688,7 @@ int ndpi_serialize_uint32_int64(ndpi_serializer *_serializer, (long long int)value); } else { - if (value <= 2147483647 && value >= -2147483648) { + if(value <= 2147483647 && value >= -2147483648) { return(ndpi_serialize_uint32_int32(_serializer, key, value)); } else { ndpi_serialization_type kt; @@ -805,7 +811,7 @@ static int ndpi_serialize_uint32_binary(ndpi_serializer *_serializer, int ndpi_serialize_uint32_string(ndpi_serializer *_serializer, u_int32_t key, const char *_value) { const char *value = _value ? _value : ""; - return ndpi_serialize_uint32_binary(_serializer, key, value, strlen(value)); + return(ndpi_serialize_uint32_binary(_serializer, key, value, strlen(value))); } /* ********************************** */ @@ -817,8 +823,8 @@ static int ndpi_serialize_binary_int32(ndpi_serializer *_serializer, u_int32_t buff_diff = serializer->buffer_size - serializer->status.size_used; u_int32_t needed; - if (ndpi_is_number(key, klen)) - return ndpi_serialize_uint32_int32(_serializer, atoi(key), value); + if(ndpi_is_number(key, klen)) + return(ndpi_serialize_uint32_int32(_serializer, atoi(key), value)); needed = sizeof(u_int8_t) /* type */ + @@ -847,11 +853,11 @@ static int ndpi_serialize_binary_int32(ndpi_serializer *_serializer, serializer->status.size_used += snprintf((char *) &serializer->buffer[serializer->status.size_used], buff_diff, "%s%d", (serializer->status.size_used > 0) ? serializer->csv_separator : "", value); } else { - if (value <= 127 && value >= -128) { + if(value <= 127 && value >= -128) { serializer->buffer[serializer->status.size_used++] = (ndpi_serialization_string << 4) | ndpi_serialization_int8; ndpi_serialize_single_string(serializer, key, klen); ndpi_serialize_single_uint8(serializer, value); - } else if (value <= 32767 && value >= -32768) { + } else if(value <= 32767 && value >= -32768) { serializer->buffer[serializer->status.size_used++] = (ndpi_serialization_string << 4) | ndpi_serialization_int16; ndpi_serialize_single_string(serializer, key, klen); ndpi_serialize_single_uint16(serializer, value); @@ -869,7 +875,7 @@ static int ndpi_serialize_binary_int32(ndpi_serializer *_serializer, int ndpi_serialize_string_int32(ndpi_serializer *_serializer, const char *key, int32_t value) { - return ndpi_serialize_binary_int32(_serializer, key, strlen(key), value); + return(ndpi_serialize_binary_int32(_serializer, key, strlen(key), value)); } /* ********************************** */ @@ -881,8 +887,8 @@ int ndpi_serialize_binary_int64(ndpi_serializer *_serializer, u_int32_t buff_diff = serializer->buffer_size - serializer->status.size_used; u_int32_t needed; - if (ndpi_is_number(key, klen)) - return ndpi_serialize_uint32_int64(_serializer, atoi(key), value); + if(ndpi_is_number(key, klen)) + return(ndpi_serialize_uint32_int64(_serializer, atoi(key), value)); needed = sizeof(u_int8_t) /* type */ + @@ -912,7 +918,7 @@ int ndpi_serialize_binary_int64(ndpi_serializer *_serializer, "%s%lld", (serializer->status.size_used > 0) ? serializer->csv_separator : "", (long long int)value); } else { - if (value <= 2147483647 && value >= -2147483648) { + if(value <= 2147483647 && value >= -2147483648) { return(ndpi_serialize_string_int32(_serializer, key, value)); } else { serializer->buffer[serializer->status.size_used++] = (ndpi_serialization_string << 4) | ndpi_serialization_int64; @@ -928,7 +934,7 @@ int ndpi_serialize_binary_int64(ndpi_serializer *_serializer, int ndpi_serialize_string_int64(ndpi_serializer *_serializer, const char *key, int64_t value) { - return ndpi_serialize_binary_int64(_serializer, key, strlen(key), value); + return(ndpi_serialize_binary_int64(_serializer, key, strlen(key), value)); } /* ********************************** */ @@ -939,8 +945,8 @@ static int ndpi_serialize_binary_uint32(ndpi_serializer *_serializer, u_int32_t buff_diff = serializer->buffer_size - serializer->status.size_used; u_int32_t needed; - if (ndpi_is_number(key, klen)) - return ndpi_serialize_uint32_uint32(_serializer, atoi(key), value); + if(ndpi_is_number(key, klen)) + return(ndpi_serialize_uint32_uint32(_serializer, atoi(key), value)); needed = sizeof(u_int8_t) /* type */ + @@ -969,11 +975,11 @@ static int ndpi_serialize_binary_uint32(ndpi_serializer *_serializer, serializer->status.size_used += snprintf((char *) &serializer->buffer[serializer->status.size_used], buff_diff, "%s%u", (serializer->status.size_used > 0) ? serializer->csv_separator : "", value); } else { - if (value <= 0xff) { + if(value <= 0xff) { serializer->buffer[serializer->status.size_used++] = (ndpi_serialization_string << 4) | ndpi_serialization_uint8; ndpi_serialize_single_string(serializer, key, klen); ndpi_serialize_single_uint8(serializer, value); - } else if (value <= 0xffff) { + } else if(value <= 0xffff) { serializer->buffer[serializer->status.size_used++] = (ndpi_serialization_string << 4) | ndpi_serialization_uint16; ndpi_serialize_single_string(serializer, key, klen); ndpi_serialize_single_uint16(serializer, value); @@ -991,7 +997,7 @@ static int ndpi_serialize_binary_uint32(ndpi_serializer *_serializer, int ndpi_serialize_string_uint32(ndpi_serializer *_serializer, const char *key, u_int32_t value) { - return ndpi_serialize_binary_uint32(_serializer, key, strlen(key), value); + return(ndpi_serialize_binary_uint32(_serializer, key, strlen(key), value)); } /* ********************************** */ @@ -1021,8 +1027,8 @@ static int ndpi_serialize_binary_uint64(ndpi_serializer *_serializer, u_int32_t buff_diff = serializer->buffer_size - serializer->status.size_used; u_int32_t needed; - if (ndpi_is_number(key, klen)) - return ndpi_serialize_uint32_uint64(_serializer, atoi(key), value); + if(ndpi_is_number(key, klen)) + return(ndpi_serialize_uint32_uint64(_serializer, atoi(key), value)); needed = sizeof(u_int8_t) /* type */ + @@ -1052,7 +1058,7 @@ static int ndpi_serialize_binary_uint64(ndpi_serializer *_serializer, "%s%llu", (serializer->status.size_used > 0) ? serializer->csv_separator : "", (unsigned long long)value); } else { - if (value <= 0xffffffff) { + if(value <= 0xffffffff) { return(ndpi_serialize_string_uint32(_serializer, key, value)); } else { serializer->buffer[serializer->status.size_used++] = (ndpi_serialization_string << 4) | ndpi_serialization_uint64; @@ -1068,7 +1074,7 @@ static int ndpi_serialize_binary_uint64(ndpi_serializer *_serializer, int ndpi_serialize_string_uint64(ndpi_serializer *_serializer, const char *key, u_int64_t value) { - return ndpi_serialize_binary_uint64(_serializer, key, strlen(key), value); + return(ndpi_serialize_binary_uint64(_serializer, key, strlen(key), value)); } /* ********************************** */ @@ -1082,8 +1088,8 @@ static int ndpi_serialize_binary_float(ndpi_serializer *_serializer, u_int32_t buff_diff = serializer->buffer_size - serializer->status.size_used; u_int32_t needed; - if (ndpi_is_number(key, klen)) - return ndpi_serialize_uint32_float(_serializer, atoi(key), value, format); + if(ndpi_is_number(key, klen)) + return(ndpi_serialize_uint32_float(_serializer, atoi(key), value, format)); needed = sizeof(u_int8_t) /* type */ + @@ -1133,7 +1139,7 @@ int ndpi_serialize_string_float(ndpi_serializer *_serializer, const char *key, float value, const char *format /* e.f. "%.2f" */) { - return ndpi_serialize_binary_float(_serializer, key, strlen(key), value, format); + return(ndpi_serialize_binary_float(_serializer, key, strlen(key), value, format)); } /* ********************************** */ @@ -1148,8 +1154,8 @@ static int ndpi_serialize_binary_binary(ndpi_serializer *_serializer, u_int32_t buff_diff = serializer->buffer_size - serializer->status.size_used; u_int32_t needed; - if (ndpi_is_number(key, klen)) - return ndpi_serialize_uint32_string(_serializer, atoi(key), _value); + if(ndpi_is_number(key, klen)) + return(ndpi_serialize_uint32_string(_serializer, atoi(key), _value)); needed = sizeof(u_int8_t) /* type */ + @@ -1197,7 +1203,7 @@ static int ndpi_serialize_binary_binary(ndpi_serializer *_serializer, int ndpi_serialize_string_binary(ndpi_serializer *_serializer, const char *key, const char *_value, u_int16_t vlen) { - return ndpi_serialize_binary_binary(_serializer, key, strlen(key), _value, vlen); + return(ndpi_serialize_binary_binary(_serializer, key, strlen(key), _value, vlen)); } /* ********************************** */ @@ -1216,13 +1222,13 @@ int ndpi_serialize_start_of_block(ndpi_serializer *_serializer, u_int32_t buff_diff = serializer->buffer_size - serializer->status.size_used; u_int32_t needed, klen = strlen(key); - if (serializer->fmt != ndpi_serialization_format_json) - return -1; + if(serializer->fmt != ndpi_serialization_format_json) + return(-1); needed = 16 + klen; - if (buff_diff < needed) { - if (ndpi_extend_serializer_buffer(_serializer, needed - buff_diff) < 0) + if(buff_diff < needed) { + if(ndpi_extend_serializer_buffer(_serializer, needed - buff_diff) < 0) return(-1); buff_diff = serializer->buffer_size - serializer->status.size_used; } @@ -1248,18 +1254,18 @@ int ndpi_serialize_end_of_block(ndpi_serializer *_serializer) { u_int32_t buff_diff = serializer->buffer_size - serializer->status.size_used; u_int32_t needed; - if (serializer->fmt != ndpi_serialization_format_json) - return -1; + if(serializer->fmt != ndpi_serialization_format_json) + return(-1); needed = 4; - if (buff_diff < needed) { - if (ndpi_extend_serializer_buffer(_serializer, needed - buff_diff) < 0) + if(buff_diff < needed) { + if(ndpi_extend_serializer_buffer(_serializer, needed - buff_diff) < 0) return(-1); buff_diff = serializer->buffer_size - serializer->status.size_used; } - buff_diff = serializer->buffer_size - serializer->status.size_used; + // buff_diff = serializer->buffer_size - serializer->status.size_used; ndpi_serialize_json_post(_serializer); return(0); @@ -1287,7 +1293,7 @@ void ndpi_serializer_create_snapshot(ndpi_serializer *_serializer) { void ndpi_serializer_rollback_snapshot(ndpi_serializer *_serializer) { ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer; - if (serializer->has_snapshot) { + if(serializer->has_snapshot) { memcpy(&serializer->status, &serializer->snapshot, sizeof(ndpi_private_serializer_status)); serializer->has_snapshot = 0; @@ -1340,7 +1346,7 @@ int ndpi_init_deserializer(ndpi_deserializer *deserializer, ndpi_serialization_format ndpi_deserialize_get_format(ndpi_deserializer *_deserializer) { ndpi_private_deserializer *deserializer = (ndpi_private_deserializer*)_deserializer; - return deserializer->fmt; + return(deserializer->fmt); } /* ********************************** */ @@ -1348,12 +1354,12 @@ ndpi_serialization_format ndpi_deserialize_get_format(ndpi_deserializer *_deseri static inline ndpi_serialization_type ndpi_deserialize_get_key_subtype(ndpi_private_deserializer *deserializer) { u_int8_t type; - if (deserializer->status.size_used >= deserializer->buffer_size) - return ndpi_serialization_unknown; + if(deserializer->status.size_used >= deserializer->buffer_size) + return(ndpi_serialization_unknown); type = deserializer->buffer[deserializer->status.size_used]; - return (ndpi_serialization_type) (type >> 4); + return((ndpi_serialization_type) (type >> 4)); } /* ********************************** */ @@ -1361,12 +1367,12 @@ static inline ndpi_serialization_type ndpi_deserialize_get_key_subtype(ndpi_priv static inline ndpi_serialization_type ndpi_deserialize_get_value_subtype(ndpi_private_deserializer *deserializer) { u_int8_t type; - if (deserializer->status.size_used >= deserializer->buffer_size) + if(deserializer->status.size_used >= deserializer->buffer_size) return(ndpi_serialization_unknown); type = deserializer->buffer[deserializer->status.size_used]; - return (ndpi_serialization_type) (type & 0xf); + return(ndpi_serialization_type) (type & 0xf); } /* ********************************** */ @@ -1404,7 +1410,7 @@ ndpi_serialization_type ndpi_deserialize_get_item_type(ndpi_deserializer *_deser } *key_type = kt; - return et; + return(et); } /* ********************************** */ @@ -1414,14 +1420,14 @@ static inline int ndpi_deserialize_get_single_string_size(ndpi_private_deseriali u_int16_t expected, str_len; expected = sizeof(u_int16_t) /* len */; - if (buff_diff < expected) return -2; + if(buff_diff < expected) return(-2); str_len = ntohs(*((u_int16_t *) &deserializer->buffer[offset])); expected += str_len; - if (buff_diff < expected) return -2; + if(buff_diff < expected) return(-2); - return expected; + return(expected); } /* ********************************** */ @@ -1457,11 +1463,11 @@ static inline int ndpi_deserialize_get_single_size(ndpi_private_deserializer *de size = 0; break; default: - return -2; + return(-2); break; } - return size; + return(size); } /* ********************************** */ @@ -1475,25 +1481,25 @@ int ndpi_deserialize_next(ndpi_deserializer *_deserializer) { expected = sizeof(u_int8_t) /* type */; - if (buff_diff < expected) return -2; + if(buff_diff < expected) return(-2); kt = ndpi_deserialize_get_key_subtype(deserializer); size = ndpi_deserialize_get_single_size(deserializer, kt, deserializer->status.size_used + expected); - if (size < 0) return -2; + if(size < 0) return(-2); expected += size; et = ndpi_deserialize_get_value_subtype(deserializer); size = ndpi_deserialize_get_single_size(deserializer, et, deserializer->status.size_used + expected); - if (size < 0) return -2; + if(size < 0) return(-2); expected += size; deserializer->status.size_used += expected; - return 0; + return(0); } /* ********************************** */ @@ -1509,12 +1515,12 @@ int ndpi_deserialize_key_uint32(ndpi_deserializer *_deserializer, int size; expected = sizeof(u_int8_t) /* type */; - if (buff_diff < expected) return -2; + if(buff_diff < expected) return(-2); kt = ndpi_deserialize_get_key_subtype(deserializer); size = ndpi_deserialize_get_single_size(deserializer, kt, deserializer->status.size_used + expected); - if (size < 0) return -2; + if(size < 0) return(-2); offset = deserializer->status.size_used + expected; @@ -1531,11 +1537,11 @@ int ndpi_deserialize_key_uint32(ndpi_deserializer *_deserializer, *key = v8; break; default: - return -1; + return(-1); break; } - return 0; + return(0); } /* ********************************** */ @@ -1549,16 +1555,16 @@ int ndpi_deserialize_key_string(ndpi_deserializer *_deserializer, int size; expected = sizeof(u_int8_t) /* type */; - if (buff_diff < expected) return -2; + if(buff_diff < expected) return(-2); kt = ndpi_deserialize_get_key_subtype(deserializer); size = ndpi_deserialize_get_single_size(deserializer, kt, deserializer->status.size_used + expected); - if (size < 0) return -2; + if(size < 0) return(-2); ndpi_deserialize_single_string(deserializer, deserializer->status.size_used + expected, key); - return 0; + return(0); } /* ********************************** */ @@ -1574,17 +1580,17 @@ int ndpi_deserialize_value_uint32(ndpi_deserializer *_deserializer, int size; expected = sizeof(u_int8_t) /* type */; - if (buff_diff < expected) return -2; + if(buff_diff < expected) return(-2); kt = ndpi_deserialize_get_key_subtype(deserializer); size = ndpi_deserialize_get_single_size(deserializer, kt, deserializer->status.size_used + expected); - if (size < 0) return -2; + if(size < 0) return(-2); expected += size; et = ndpi_deserialize_get_value_subtype(deserializer); size = ndpi_deserialize_get_single_size(deserializer, et, deserializer->status.size_used + expected); - if (size < 0) return -2; + if(size < 0) return(-2); offset = deserializer->status.size_used + expected; @@ -1604,7 +1610,7 @@ int ndpi_deserialize_value_uint32(ndpi_deserializer *_deserializer, break; } - return 0; + return(0); } /* ********************************** */ @@ -1620,28 +1626,28 @@ int ndpi_deserialize_value_uint64(ndpi_deserializer *_deserializer, int rc; expected = sizeof(u_int8_t) /* type */; - if (buff_diff < expected) return -2; + if(buff_diff < expected) return(-2); kt = ndpi_deserialize_get_key_subtype(deserializer); size = ndpi_deserialize_get_single_size(deserializer, kt, deserializer->status.size_used + expected); - if (size < 0) return -2; + if(size < 0) return(-2); expected += size; et = ndpi_deserialize_get_value_subtype(deserializer); size = ndpi_deserialize_get_single_size(deserializer, et, deserializer->status.size_used + expected); - if (size < 0) return -2; + if(size < 0) return(-2); if(et != ndpi_serialization_uint64) { /* Try with smaller uint types */ rc = ndpi_deserialize_value_uint32(_deserializer, &v32); *value = v32; - return rc; + return(rc); } ndpi_deserialize_single_uint64(deserializer, deserializer->status.size_used + expected, value); - return 0; + return(0); } /* ********************************** */ @@ -1657,17 +1663,17 @@ int ndpi_deserialize_value_int32(ndpi_deserializer *_deserializer, int size; expected = sizeof(u_int8_t) /* type */; - if (buff_diff < expected) return -2; + if(buff_diff < expected) return(-2); kt = ndpi_deserialize_get_key_subtype(deserializer); size = ndpi_deserialize_get_single_size(deserializer, kt, deserializer->status.size_used + expected); - if (size < 0) return -2; + if(size < 0) return(-2); expected += size; et = ndpi_deserialize_get_value_subtype(deserializer); size = ndpi_deserialize_get_single_size(deserializer, et, deserializer->status.size_used + expected); - if (size < 0) return -2; + if(size < 0) return(-2); offset = deserializer->status.size_used + expected; @@ -1687,7 +1693,7 @@ int ndpi_deserialize_value_int32(ndpi_deserializer *_deserializer, break; } - return 0; + return(0); } /* ********************************** */ @@ -1703,28 +1709,28 @@ int ndpi_deserialize_value_int64(ndpi_deserializer *_deserializer, int rc; expected = sizeof(u_int8_t) /* type */; - if (buff_diff < expected) return(-2); + if(buff_diff < expected) return(-2); kt = ndpi_deserialize_get_key_subtype(deserializer); size = ndpi_deserialize_get_single_size(deserializer, kt, deserializer->status.size_used + expected); - if (size < 0) return -2; + if(size < 0) return(-2); expected += size; et = ndpi_deserialize_get_value_subtype(deserializer); size = ndpi_deserialize_get_single_size(deserializer, et, deserializer->status.size_used + expected); - if (size < 0) return -2; + if(size < 0) return(-2); if(et != ndpi_serialization_int64) { /* Try with smaller int types */ rc = ndpi_deserialize_value_int32(_deserializer, &v32); *value = v32; - return rc; + return(rc); } ndpi_deserialize_single_int64(deserializer, deserializer->status.size_used + expected, value); - return 0; + return(0); } /* ********************************** */ @@ -1738,24 +1744,24 @@ int ndpi_deserialize_value_float(ndpi_deserializer *_deserializer, int size; expected = sizeof(u_int8_t) /* type */; - if (buff_diff < expected) return(-2); + if(buff_diff < expected) return(-2); kt = ndpi_deserialize_get_key_subtype(deserializer); size = ndpi_deserialize_get_single_size(deserializer, kt, deserializer->status.size_used + expected); - if (size < 0) return -2; + if(size < 0) return(-2); expected += size; et = ndpi_deserialize_get_value_subtype(deserializer); size = ndpi_deserialize_get_single_size(deserializer, et, deserializer->status.size_used + expected); - if (size < 0) return -2; + if(size < 0) return(-2); if(et != ndpi_serialization_float) - return -1; + return(-1); ndpi_deserialize_single_float(deserializer, deserializer->status.size_used + expected, value); - return 0; + return(0); } /* ********************************** */ @@ -1769,24 +1775,24 @@ int ndpi_deserialize_value_string(ndpi_deserializer *_deserializer, int size; expected = sizeof(u_int8_t) /* type */; - if (buff_diff < expected) return(-2); + if(buff_diff < expected) return(-2); kt = ndpi_deserialize_get_key_subtype(deserializer); size = ndpi_deserialize_get_single_size(deserializer, kt, deserializer->status.size_used + expected); - if (size < 0) return -2; + if(size < 0) return(-2); expected += size; et = ndpi_deserialize_get_value_subtype(deserializer); size = ndpi_deserialize_get_single_size(deserializer, et, deserializer->status.size_used + expected); - if (size < 0) return -2; + if(size < 0) return(-2); if(et != ndpi_serialization_string) - return -1; + return(-1); ndpi_deserialize_single_string(deserializer, deserializer->status.size_used + expected, value); - return 0; + return(0); } /* ********************************** */ @@ -1801,30 +1807,30 @@ int ndpi_deserialize_clone_item(ndpi_deserializer *_deserializer, ndpi_serialize u_int16_t expected; int size; - if (serializer->fmt != ndpi_serialization_format_tlv) - return -3; + if(serializer->fmt != ndpi_serialization_format_tlv) + return(-3); expected = sizeof(u_int8_t) /* type */; - if (src_buff_diff < expected) return -2; + if(src_buff_diff < expected) return(-2); kt = ndpi_deserialize_get_key_subtype(deserializer); size = ndpi_deserialize_get_single_size(deserializer, kt, deserializer->status.size_used + expected); - if (size < 0) return -2; + if(size < 0) return(-2); expected += size; et = ndpi_deserialize_get_value_subtype(deserializer); size = ndpi_deserialize_get_single_size(deserializer, et, deserializer->status.size_used + expected); - if (size < 0) return -2; + if(size < 0) return(-2); expected += size; - if (dst_buff_diff < expected) { - if (ndpi_extend_serializer_buffer(_serializer, expected - dst_buff_diff) < 0) - return -1; + if(dst_buff_diff < expected) { + if(ndpi_extend_serializer_buffer(_serializer, expected - dst_buff_diff) < 0) + return(-1); dst_buff_diff = serializer->buffer_size - serializer->status.size_used; } @@ -1834,7 +1840,7 @@ int ndpi_deserialize_clone_item(ndpi_deserializer *_deserializer, ndpi_serialize serializer->status.size_used += expected; - return 0; + return(0); } /* ********************************** */ @@ -1852,7 +1858,7 @@ int ndpi_deserialize_clone_all(ndpi_deserializer *deserializer, ndpi_serializer while((et = ndpi_deserialize_get_item_type(deserializer, &kt)) != ndpi_serialization_unknown) { - if (et == ndpi_serialization_end_of_record) { + if(et == ndpi_serialization_end_of_record) { ndpi_serialize_end_of_record(serializer); ndpi_deserialize_next(deserializer); continue; @@ -1868,54 +1874,54 @@ int ndpi_deserialize_clone_all(ndpi_deserializer *deserializer, ndpi_serializer key_is_string = 1; break; default: - return -1; + return(-1); } switch(et) { case ndpi_serialization_uint32: ndpi_deserialize_value_uint32(deserializer, &u32); - if (key_is_string) ndpi_serialize_binary_uint32(serializer, ks.str, ks.str_len, u32); + if(key_is_string) ndpi_serialize_binary_uint32(serializer, ks.str, ks.str_len, u32); else ndpi_serialize_uint32_uint32(serializer, k32, u32); break; case ndpi_serialization_uint64: ndpi_deserialize_value_uint64(deserializer, &u64); - if (key_is_string) ndpi_serialize_binary_uint64(serializer, ks.str, ks.str_len, u64); + if(key_is_string) ndpi_serialize_binary_uint64(serializer, ks.str, ks.str_len, u64); else ndpi_serialize_uint32_uint64(serializer, k32, u64); break; case ndpi_serialization_int32: ndpi_deserialize_value_int32(deserializer, &i32); - if (key_is_string) ndpi_serialize_binary_int32(serializer, ks.str, ks.str_len, i32); + if(key_is_string) ndpi_serialize_binary_int32(serializer, ks.str, ks.str_len, i32); else ndpi_serialize_uint32_int32(serializer, k32, i32); break; case ndpi_serialization_int64: ndpi_deserialize_value_int64(deserializer, &i64); - if (key_is_string) ndpi_serialize_binary_int64(serializer, ks.str, ks.str_len, i64); + if(key_is_string) ndpi_serialize_binary_int64(serializer, ks.str, ks.str_len, i64); else ndpi_serialize_uint32_int64(serializer, k32, i64); break; case ndpi_serialization_float: ndpi_deserialize_value_float(deserializer, &f); - if (key_is_string) ndpi_serialize_binary_float(serializer, ks.str, ks.str_len, f, "%.3f"); + if(key_is_string) ndpi_serialize_binary_float(serializer, ks.str, ks.str_len, f, "%.3f"); else ndpi_serialize_uint32_float(serializer, k32, f, "%.3f"); break; case ndpi_serialization_string: ndpi_deserialize_value_string(deserializer, &vs); - if (key_is_string) ndpi_serialize_binary_binary(serializer, ks.str, ks.str_len, vs.str, vs.str_len); + if(key_is_string) ndpi_serialize_binary_binary(serializer, ks.str, ks.str_len, vs.str, vs.str_len); else ndpi_serialize_uint32_binary(serializer, k32, vs.str, vs.str_len); break; default: - return -2; + return(-2); } ndpi_deserialize_next(deserializer); } - return 0; + return(0); } /* ********************************** */ diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index dbe5d7901..a8c73e67e 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -759,11 +759,11 @@ void ndpi_user_pwd_payload_copy(u_int8_t *dest, u_int dest_len, u_int offset, const u_int8_t *src, u_int src_len) { u_int i, j=0, k = dest_len-1; - + for(i=offset; (i<src_len) && (j<=k); i++) { if((j == k) || (src[i] < ' ')) break; - + dest[j++] = src[i]; } @@ -857,7 +857,7 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t src_v4, u_int32_t dst_v4, struct ndpi_in6_addr *src_v6, struct ndpi_in6_addr *dst_v6, u_int16_t src_port, u_int16_t dst_port, - ndpi_protocol l7_protocol, + ndpi_protocol l7_protocol, ndpi_serializer *serializer) { char buf[64], src_name[32], dst_name[32]; @@ -966,12 +966,20 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct, ndpi_serialize_end_of_block(serializer); break; + case NDPI_PROTOCOL_TELNET: + ndpi_serialize_start_of_block(serializer, "telnet"); + ndpi_serialize_string_string(serializer, "username", flow->protos.telnet.username); + ndpi_serialize_end_of_block(serializer); + break; + case NDPI_PROTOCOL_HTTP: ndpi_serialize_start_of_block(serializer, "http"); if(flow->host_server_name[0] != '\0') ndpi_serialize_string_string(serializer, "hostname", (const char*)flow->host_server_name); ndpi_serialize_string_string(serializer, "url", flow->http.url); ndpi_serialize_string_uint32(serializer, "code", flow->http.response_status_code); + ndpi_serialize_string_string(serializer, "content_type", flow->http.content_type); + ndpi_serialize_string_string(serializer, "user_agent", flow->http.user_agent); ndpi_serialize_end_of_block(serializer); break; @@ -981,28 +989,28 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct, ndpi_serialize_string_string(serializer, "password", flow->protos.ftp_imap_pop_smtp.password); ndpi_serialize_end_of_block(serializer); break; - + case NDPI_PROTOCOL_MAIL_POP: ndpi_serialize_start_of_block(serializer, "pop"); ndpi_serialize_string_string(serializer, "user", flow->protos.ftp_imap_pop_smtp.username); ndpi_serialize_string_string(serializer, "password", flow->protos.ftp_imap_pop_smtp.password); ndpi_serialize_end_of_block(serializer); break; - + case NDPI_PROTOCOL_MAIL_SMTP: ndpi_serialize_start_of_block(serializer, "smtp"); ndpi_serialize_string_string(serializer, "user", flow->protos.ftp_imap_pop_smtp.username); ndpi_serialize_string_string(serializer, "password", flow->protos.ftp_imap_pop_smtp.password); ndpi_serialize_end_of_block(serializer); break; - + case NDPI_PROTOCOL_FTP_CONTROL: ndpi_serialize_start_of_block(serializer, "ftp"); ndpi_serialize_string_string(serializer, "user", flow->protos.ftp_imap_pop_smtp.username); ndpi_serialize_string_string(serializer, "password", flow->protos.ftp_imap_pop_smtp.password); ndpi_serialize_end_of_block(serializer); break; - + case NDPI_PROTOCOL_SSH: ndpi_serialize_start_of_block(serializer, "ssh"); ndpi_serialize_string_string(serializer, "client_signature", flow->protos.ssh.client_signature); @@ -1033,7 +1041,7 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct, ndpi_serialize_string_string(serializer, "issuer", flow->protos.stun_ssl.ssl.server_organization); if(before) { - strftime(notBefore, sizeof(notBefore), "%F %T", before); + strftime(notBefore, sizeof(notBefore), "%F %T", before); ndpi_serialize_string_string(serializer, "notbefore", notBefore); } @@ -1053,7 +1061,7 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct, ndpi_serialize_string_string(serializer, "fingerprint", buf); } - + ndpi_serialize_end_of_block(serializer); } } @@ -1064,3 +1072,146 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct, } /* ********************************** */ + +/* + /dv/vulnerabilities/xss_r/?name=%3Cscript%3Econsole.log%28%27JUL2D3WXHEGWRAFJE2PI7OS71Z4Z8RFUHXGNFLUFYVP6M3OL55%27%29%3Bconsole.log%28document.cookie%29%3B%3C%2Fscript%3E + /dv/vulnerabilities/sqli/?id=1%27+and+1%3D1+union+select+null%2C+table_name+from+information_schema.tables%23&Submit=Submit +*/ + +/* https://www.rosettacode.org/wiki/URL_decoding#C */ +static int ishex(int x) { + return(x >= '0' && x <= '9') || (x >= 'a' && x <= 'f') || (x >= 'A' && x <= 'F'); +} + +/* ********************************** */ + +static int ndpi_url_decode(const char *s, char *out) { + char *o; + const char *end = s + strlen(s); + int c; + + for(o = out; s <= end; o++) { + c = *s++; + if(c == '+') c = ' '; + else if(c == '%' && (!ishex(*s++)|| + !ishex(*s++)|| + !sscanf(s - 2, "%2x", &c))) + return(-1); + + if(out) *o = c; + } + + return(o - out); +} + +/* ********************************** */ + +/* #define URL_CHECK_DEBUG 1 */ + +static int find_occurrency(char *str, char *what) { + char *found = strstr(str, what); + u_int len; + +#ifdef URL_CHECK_DEBUG + printf("%s() [%s][%s]\n", __FUNCTION__, str, what); +#endif + + if(!found) return(0); + + len = strlen(what); + + if((found[len] != '\0') && (found[len] != ' ') + && ((found == str) || (found[-1] == ' '))) + return(1); + else + return(find_occurrency(&found[len], what)); +} + +/* ********************************** */ + +static int ndpi_check_tokens(char* query, char* keywords[]) { +#ifdef URL_CHECK_DEBUG + printf("%s() [%s]\n", __FUNCTION__, query); +#endif + + for(int i=0; keywords[i] != NULL; i++) { + if(find_occurrency(query, keywords[i]) > 0) + return(1); + } + + return(0); +} + +/* ********************************** */ + +static int ndpi_is_sql_injection(char* query) { + char* sql_keywords[] = { "select", "from", "where", "any", "all", "join", "inner", "left", "right", "full", + "table", "alter", "create", "delete", "union", "update", "drop", "group", "order", + "limit", "primary", "column", NULL }; + return(ndpi_check_tokens(query, sql_keywords)); +} + +/* ********************************** */ + +static int ndpi_is_xss_injection(char* query) { + char* js_keywords[] = { "<script>", "console.", "log.", NULL }; + return(ndpi_check_tokens(query, js_keywords)); +} + +/* ********************************** */ + +ndpi_url_risk ndpi_validate_url(char *url) { + char *orig_str = NULL, *str = NULL, *question_mark = strchr(url, '?'); + ndpi_url_risk rc = ndpi_url_no_problem; + + if(question_mark) { + char *tmp; + + orig_str = str = ndpi_strdup(&question_mark[1]); /* Skip ? */ + + if(!str) goto validate_rc; + + str = strtok_r(str, "&", &tmp); + + while(str != NULL) { + char *value = strchr(str, '='); + char *decoded; + + if(!value) + break; + else + value = &value[1]; + + if(value[0] != '\0') { + if(!(decoded = (char*)ndpi_malloc(strlen(value)+1))) + break; + + if(ndpi_url_decode(value, decoded) < 0) { + /* Invalid string */ + } else if(decoded[0] != '\0') { + /* Valid string */ + + if(ndpi_is_xss_injection(decoded)) + rc = ndpi_url_possible_xss; + else if(ndpi_is_sql_injection(decoded)) + rc = ndpi_url_possible_sql_injection; + +#ifdef URL_CHECK_DEBUG + printf("=>> [rc: %u] %s\n", rc, decoded); +#endif + } + + ndpi_free(decoded); + + if(rc != ndpi_url_no_problem) + break; + } + + str = strtok_r(NULL, "&", &tmp); + } + } + + validate_rc: + if(orig_str) ndpi_free(orig_str); + return(rc); +} diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c index e33f0c7dc..bea7622a0 100644 --- a/src/lib/protocols/bittorrent.c +++ b/src/lib/protocols/bittorrent.c @@ -376,19 +376,32 @@ static void ndpi_int_search_bittorrent_tcp(struct ndpi_detection_module_struct * return; } +static u_int8_t is_port(u_int16_t a, u_int16_t b, u_int16_t what) { + return(((what == a) || (what == b)) ? 1 : 0); +} + void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; char *bt_proto = NULL; /* This is broadcast */ - if(packet->iph - && (((packet->iph->saddr == 0xFFFFFFFF) || (packet->iph->daddr == 0xFFFFFFFF)) - || (packet->udp - && ((ntohs(packet->udp->source) == 3544) /* teredo.c */ - || (ntohs(packet->udp->dest) == 3544))))) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return; + if(packet->iph) { + + if((packet->iph->saddr == 0xFFFFFFFF) || (packet->iph->daddr == 0xFFFFFFFF)) + goto exclude_bt; + + + if(packet->udp) { + u_int16_t sport = ntohs(packet->udp->source), dport = ntohs(packet->udp->dest); + + if(is_port(sport, dport, 3544) /* teredo */ + || is_port(sport, dport, 5246) || is_port(sport, dport, 5247)/* CAPWAP */) { + exclude_bt: + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return; + } + } } if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_BITTORRENT) { @@ -397,8 +410,8 @@ void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, st if((packet->tcp != NULL) && (packet->tcp_retransmission == 0 || packet->num_retried_bytes)) { ndpi_int_search_bittorrent_tcp(ndpi_struct, flow); - } - else if(packet->udp != NULL) { + } else if(packet->udp != NULL) { + /* UDP */ char *bt_search = "BT-SEARCH * HTTP/1.1\r\n"; if((ntohs(packet->udp->source) < 1024) diff --git a/src/lib/protocols/capwap.c b/src/lib/protocols/capwap.c new file mode 100644 index 000000000..bfad1a593 --- /dev/null +++ b/src/lib/protocols/capwap.c @@ -0,0 +1,123 @@ +/* + * capwap.c + * + * Copyright (C) 2019 - ntop.org + * + * nDPI is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * nDPI is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with nDPI. If not, see <http://www.gnu.org/licenses/>. + * + */ + + +#include "ndpi_protocol_ids.h" + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_CAPWAP + +#include "ndpi_api.h" + +#define NDPI_CAPWAP_CONTROL_PORT 5246 +#define NDPI_CAPWAP_DATA_PORT 5247 + + +static void ndpi_int_capwap_add_connection(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CAPWAP, NDPI_PROTOCOL_UNKNOWN); +} + +/* ************************************************** */ + +static void ndpi_search_setup_capwap(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; + u_int16_t sport, dport; + + if(!packet->iph) { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return; + } + + sport = ntohs(packet->udp->source), dport = ntohs(packet->udp->dest); + + if((dport == NDPI_CAPWAP_CONTROL_PORT) + && (packet->iph->daddr == 0xFFFFFFFF) + && (packet->payload_packet_len >= 16) + && (packet->payload[0] == 0x0) + && (packet->payload[8] == 6 /* Mac len */) + ) + goto capwap_found; + + if(((sport == NDPI_CAPWAP_CONTROL_PORT) || (dport == NDPI_CAPWAP_CONTROL_PORT)) + && ((packet->payload[0] == 0x0) || (packet->payload[0] == 0x1)) + ) { + u_int16_t msg_len, offset, to_add; + + if(packet->payload[0] == 0x0) + offset = 13, to_add = 13; + else + offset = 15, to_add = 17; + + msg_len = ntohs(*(u_int16_t*)&packet->payload[offset]); + + if((msg_len+to_add) == packet->payload_packet_len) + goto capwap_found; + } + + if( + (((dport == NDPI_CAPWAP_DATA_PORT) && (packet->iph->daddr != 0xFFFFFFFF)) || (sport == NDPI_CAPWAP_DATA_PORT)) + && (packet->payload_packet_len >= 16) + && (packet->payload[0] == 0x0) + ) { + u_int8_t is_80211_data = (packet->payload[9] & 0x0C) >> 2; + + + if((sport == NDPI_CAPWAP_DATA_PORT) && (is_80211_data == 2 /* IEEE 802.11 Data */)) + goto capwap_found; + else if(dport == NDPI_CAPWAP_DATA_PORT) { + u_int16_t msg_len = ntohs(*(u_int16_t*)&packet->payload[13]); + + if((packet->payload[8] == 1 /* Mac len */) + || (packet->payload[8] == 6 /* Mac len */) + || (packet->payload[8] == 4 /* Wireless len */) + || ((msg_len+15) == packet->payload_packet_len)) + goto capwap_found; + } + } + + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return; + + capwap_found: + ndpi_int_capwap_add_connection(ndpi_struct, flow); +} + +void ndpi_search_capwap(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) +{ + struct ndpi_packet_struct *packet = &flow->packet; + + if(packet->udp && (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN)) + ndpi_search_setup_capwap(ndpi_struct, flow); +} + + +void init_capwap_dissector(struct ndpi_detection_module_struct *ndpi_struct, + u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) +{ + ndpi_set_bitmask_protocol_detection("CAPWAP", ndpi_struct, detection_bitmask, *id, + NDPI_PROTOCOL_CAPWAP, + ndpi_search_capwap, + NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD, + SAVE_DETECTION_BITMASK_AS_UNKNOWN, + ADD_TO_DETECTION_BITMASK); + + *id += 1; +} diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index f41eb65ee..7051b2227 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -32,6 +32,8 @@ // #define DNS_DEBUG 1 +static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); + /* *********************************************** */ static u_int16_t get16(int *i, const u_int8_t *payload) { @@ -84,6 +86,7 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, memcpy(dns_header, (struct ndpi_dns_packet_header*)&flow->packet.payload[x], sizeof(struct ndpi_dns_packet_header)); + dns_header->tr_id = ntohs(dns_header->tr_id); dns_header->flags = ntohs(dns_header->flags); dns_header->num_queries = ntohs(dns_header->num_queries); @@ -134,58 +137,69 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, /* This is a good reply: we dissect it both for request and response */ /* Leave the statement below commented necessary in case of call to ndpi_get_partial_detection() */ - /* if(ndpi_struct->dns_dont_dissect_response == 0) */ { - x++; - - if(flow->packet.payload[x] != '\0') { - while((x < flow->packet.payload_packet_len) - && (flow->packet.payload[x] != '\0')) { - x++; - } + x++; + if(flow->packet.payload[x] != '\0') { + while((x < flow->packet.payload_packet_len) + && (flow->packet.payload[x] != '\0')) { x++; } - x += 4; + x++; + } - if(dns_header->num_answers > 0) { - u_int16_t rsp_type; - u_int16_t num; + x += 4; - for(num = 0; num < dns_header->num_answers; num++) { - u_int16_t data_len; + if(dns_header->num_answers > 0) { + u_int16_t rsp_type; + u_int16_t num; - if((x+6) >= flow->packet.payload_packet_len) { - break; - } + for(num = 0; num < dns_header->num_answers; num++) { + u_int16_t data_len; + + if((x+6) >= flow->packet.payload_packet_len) { + break; + } - if((data_len = getNameLength(x, flow->packet.payload, flow->packet.payload_packet_len)) == 0) { - break; - } else - x += data_len; + if((data_len = getNameLength(x, flow->packet.payload, flow->packet.payload_packet_len)) == 0) { + break; + } else + x += data_len; - rsp_type = get16(&x, flow->packet.payload); - flow->protos.dns.rsp_type = rsp_type; + rsp_type = get16(&x, flow->packet.payload); + flow->protos.dns.rsp_type = rsp_type; - /* here x points to the response "class" field */ - if((x+12) <= flow->packet.payload_packet_len) { - x += 6; - data_len = get16(&x, flow->packet.payload); + /* here x points to the response "class" field */ + if((x+12) <= flow->packet.payload_packet_len) { + x += 6; + data_len = get16(&x, flow->packet.payload); - if(((x + data_len) <= flow->packet.payload_packet_len) - && (((rsp_type == 0x1) && (data_len == 4)) /* A */ + if(((x + data_len) <= flow->packet.payload_packet_len) + && (((rsp_type == 0x1) && (data_len == 4)) /* A */ #ifdef NDPI_DETECTION_SUPPORT_IPV6 - || ((rsp_type == 0x1c) && (data_len == 16)) /* AAAA */ + || ((rsp_type == 0x1c) && (data_len == 16)) /* AAAA */ #endif - )) { - memcpy(&flow->protos.dns.rsp_addr, flow->packet.payload + x, data_len); - } + )) { + memcpy(&flow->protos.dns.rsp_addr, flow->packet.payload + x, data_len); } - - break; } + + break; } } + + if((flow->packet.detected_protocol_stack[0] == NDPI_PROTOCOL_DNS) + || (flow->packet.detected_protocol_stack[1] == NDPI_PROTOCOL_DNS)) { + /* Request already set the protocol */ + flow->extra_packets_func = NULL; /* We're good now */ + } else { + /* We missed the request */ + u_int16_t s_port = flow->packet.udp ? ntohs(flow->packet.udp->source) : ntohs(flow->packet.tcp->source); + + ndpi_set_detected_protocol(ndpi_struct, flow, + (s_port == 5355) ? NDPI_PROTOCOL_LLMNR : NDPI_PROTOCOL_DNS, + NDPI_PROTOCOL_UNKNOWN); + } } else return(1 /* invalid */); } @@ -202,6 +216,7 @@ static int search_dns_again(struct ndpi_detection_module_struct *ndpi_struct, st if(flow->protos.dns.num_answers > 0) { /* stop extra processing */ + flow->extra_packets_func = NULL; /* We're good now */ return(0); } @@ -211,7 +226,7 @@ static int search_dns_again(struct ndpi_detection_module_struct *ndpi_struct, st /* *********************************************** */ -void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { +static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { int payload_offset; u_int8_t is_query; u_int16_t s_port = 0, d_port = 0; @@ -290,7 +305,7 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd /* Report if this is a DNS query or reply */ flow->protos.dns.is_query = is_query; - if(is_query && (ndpi_struct->dns_dont_dissect_response == 0) && (flow->check_extra_packets == 0)) { + if(is_query) { /* In this case we say that the protocol has been detected just to let apps carry on with their activities */ ndpi_set_detected_protocol(ndpi_struct, flow, ret.app_protocol, ret.master_protocol); diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index cc27b8eb6..2525cfbd7 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -28,40 +28,54 @@ #include "ndpi_api.h" #include <stdlib.h> +static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow); + +/* *********************************************** */ + +static int ndpi_search_http_tcp_again(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { + ndpi_search_http_tcp(ndpi_struct, flow); + +#ifdef HTTP_DEBUG + printf("=> %s()\n", __FUNCTION__); +#endif + + if((flow->host_server_name[0] != '\0') && (flow->http.response_status_code != 0)) { + /* stop extra processing */ + flow->extra_packets_func = NULL; /* We're good now */ + return(0); + } + + /* Possibly more processing */ + return(1); +} + +/* *********************************************** */ + static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int16_t category) { -#ifdef DEBUG - printf("[%s] [http_dont_dissect_response: %u]->> %s\n", __FUNCTION__, - ndpi_struct->http_dont_dissect_response, flow->http.response_status_code); +#ifdef HTTP_DEBUG + printf("=> %s()\n", __FUNCTION__); #endif - if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { - /* This is HTTP and it is not a sub protocol (e.g. skype or dropbox) */ + if(flow->extra_packets_func && (flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN)) + return; /* Nothing new to add */ - ndpi_search_tcp_or_udp(ndpi_struct, flow); - - /* If no custom protocol has been detected */ - if(flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) { - ndpi_int_reset_protocol(flow); - flow->http_upper_protocol = flow->guessed_host_protocol_id, flow->http_lower_protocol = NDPI_PROTOCOL_HTTP; - } else - flow->http_upper_protocol = NDPI_PROTOCOL_HTTP, flow->http_lower_protocol = NDPI_PROTOCOL_UNKNOWN; + /* This is HTTP and it is not a sub protocol (e.g. skype or dropbox) */ + ndpi_search_tcp_or_udp(ndpi_struct, flow); - if(ndpi_struct->http_dont_dissect_response) - ndpi_set_detected_protocol(ndpi_struct, flow, flow->http_upper_protocol, flow->http_lower_protocol); - else { - flow->detected_protocol_stack[0] = NDPI_PROTOCOL_UNKNOWN, flow->detected_protocol_stack[1] = NDPI_PROTOCOL_UNKNOWN; - flow->packet.detected_protocol_stack[0] = NDPI_PROTOCOL_UNKNOWN, flow->packet.detected_protocol_stack[1] = NDPI_PROTOCOL_UNKNOWN; - } - } else { - if((!ndpi_struct->http_dont_dissect_response) && (flow->http.response_status_code == 0)) { - flow->http_upper_protocol = flow->detected_protocol_stack[0], flow->http_lower_protocol = flow->detected_protocol_stack[1]; - flow->detected_protocol_stack[0] = NDPI_PROTOCOL_UNKNOWN, flow->detected_protocol_stack[1] = NDPI_PROTOCOL_UNKNOWN; - flow->packet.detected_protocol_stack[0] = NDPI_PROTOCOL_UNKNOWN, flow->packet.detected_protocol_stack[1] = NDPI_PROTOCOL_UNKNOWN; - } - } + /* If no custom protocol has been detected */ + if(flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) { + ndpi_int_reset_protocol(flow); + ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id, NDPI_PROTOCOL_HTTP); + } else + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_UNKNOWN); + /* This is necessary to inform the core to call this dissector again */ + flow->check_extra_packets = 1; + flow->max_extra_packets_to_check = 5; + flow->extra_packets_func = ndpi_search_http_tcp_again; flow->http_detected = 1, flow->guessed_category = category; } @@ -103,11 +117,6 @@ static void parseHttpSubprotocol(struct ndpi_detection_module_struct *ndpi_struc if(double_col) double_col[0] = '\0'; - /** - NOTE - If http_dont_dissect_response = 1 dissection of HTTP response - mime types won't happen - */ ndpi_match_host_subprotocol(ndpi_struct, flow, (char *)flow->host_server_name, strlen((const char *)flow->host_server_name), &ret_match, @@ -124,14 +133,10 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ struct ndpi_packet_struct *packet = &flow->packet; - if((!ndpi_struct->http_dont_dissect_response) && flow->http_detected && (flow->http.response_status_code != 0)) { - ndpi_set_detected_protocol(ndpi_struct, flow, flow->http_upper_protocol, flow->http_lower_protocol); -#ifdef DEBUG - printf("[%s] [http_dont_dissect_response: %u]->> %s\n", - __FUNCTION__, ndpi_struct->http_dont_dissect_response, flow->http.response_status_code); -#endif + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_UNKNOWN); + + if(flow->http_detected && (flow->http.response_status_code != 0)) return; - } #if defined(NDPI_PROTOCOL_1KXUN) || defined(NDPI_PROTOCOL_IQIYI) /* PPStream */ @@ -156,9 +161,6 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ } #endif - /* Leave the statement below commented necessary in case of call to ndpi_get_partial_detection() */ - - /* if(!ndpi_struct->http_dont_dissect_response) */ { if((flow->http.url == NULL) && (packet->http_url_name.len > 0) && (packet->host_line.len > 0)) { @@ -198,18 +200,6 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ } } - if((flow->http.content_type == NULL) && (packet->content_line.len > 0)) { - int len = packet->content_line.len + 1; - - flow->http.content_type = ndpi_malloc(len); - if(flow->http.content_type) { - strncpy(flow->http.content_type, (char*)packet->content_line.ptr, - packet->content_line.len); - flow->http.content_type[packet->content_line.len] = '\0'; - } - } - } - if(packet->user_agent_line.ptr != NULL && packet->user_agent_line.len != 0) { /** Format examples: @@ -275,6 +265,17 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ } } + if(flow->http.user_agent == NULL) { + int len = packet->user_agent_line.len + 1; + + flow->http.user_agent = ndpi_malloc(len); + if(flow->http.user_agent) { + strncpy(flow->http.user_agent, (char*)packet->user_agent_line.ptr, + packet->user_agent_line.len); + flow->http.user_agent[packet->user_agent_line.len] = '\0'; + } + } + NDPI_LOG_DBG2(ndpi_struct, "User Agent Type line found %.*s\n", packet->user_agent_line.len, packet->user_agent_line.ptr); } @@ -287,7 +288,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ packet->host_line.len, packet->host_line.ptr); /* call ndpi_match_host_subprotocol to see if there is a match with known-host HTTP subprotocol */ - if((ndpi_struct->http_dont_dissect_response) || flow->http_detected) { + if(flow->http_detected) { ndpi_protocol_match_result ret_match; ndpi_match_host_subprotocol(ndpi_struct, flow, @@ -302,6 +303,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ len = ndpi_min(packet->host_line.len, sizeof(flow->host_server_name)-1); strncpy((char*)flow->host_server_name, (char*)packet->host_line.ptr, len); flow->host_server_name[len] = '\0'; + flow->extra_packets_func = NULL; /* We're good now */ } flow->server_id = flow->dst; @@ -314,8 +316,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ } } - if(!ndpi_struct->http_dont_dissect_response) - parseHttpSubprotocol(ndpi_struct, flow); + parseHttpSubprotocol(ndpi_struct, flow); /** check result of host subprotocol detection @@ -339,7 +340,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ } if((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) - && ((ndpi_struct->http_dont_dissect_response) || flow->http_detected) + && (flow->http_detected) && (packet->http_origin.len > 0)) { ndpi_protocol_match_result ret_match; @@ -361,7 +362,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ } #if 0 - if(!ndpi_struct->http_dont_dissect_response && flow->http_detected) + if(flow->http_detected) parseHttpSubprotocol(ndpi_struct, flow); #endif @@ -382,7 +383,18 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ NDPI_LOG_DBG2(ndpi_struct, "Content Type line found %.*s\n", packet->content_line.len, packet->content_line.ptr); - if((ndpi_struct->http_dont_dissect_response) || flow->http_detected) { + if((flow->http.content_type == NULL) && (packet->content_line.len > 0)) { + int len = packet->content_line.len + 1; + + flow->http.content_type = ndpi_malloc(len); + if(flow->http.content_type) { + strncpy(flow->http.content_type, (char*)packet->content_line.ptr, + packet->content_line.len); + flow->http.content_type[packet->content_line.len] = '\0'; + } + } + + if(flow->http_detected) { ndpi_protocol_match_result ret_match; ndpi_match_content_subprotocol(ndpi_struct, flow, @@ -490,7 +502,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct flow->http.response_status_code = 0; /* Out of range */ } - ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); + ndpi_parse_packet_line_info(ndpi_struct, flow); check_content_type_and_change_protocol(ndpi_struct, flow); return; } @@ -592,6 +604,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct goto ookla_found; } +#if OBSOLETE /* Check for additional field introduced by Steam */ int x = 1; if(packet->line[x].len >= 11 && (memcmp(packet->line[x].ptr, "x-steam-sid", 11)) == 0) { @@ -612,6 +625,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct } x++; } +#endif #if defined(NDPI_PROTOCOL_1KXUN) || defined(NDPI_PROTOCOL_IQIYI) /* check PPStream protocol or iQiyi service @@ -681,17 +695,11 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct in 99.99% of the cases is like that. */ - if(ndpi_struct->http_dont_dissect_response) { - if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) /* No subprotocol found */ - NDPI_LOG_INFO(ndpi_struct, "found HTTP\n"); - ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); - } else { - flow->http_detected = 1; - NDPI_LOG_DBG2(ndpi_struct, - "HTTP START Found, we will look further for the response...\n"); - flow->l4.tcp.http_stage = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2 - } - + ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); + flow->http_detected = 1; + NDPI_LOG_DBG2(ndpi_struct, + "HTTP START Found, we will look further for the response...\n"); + flow->l4.tcp.http_stage = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2 check_content_type_and_change_protocol(ndpi_struct, flow); return; } @@ -799,10 +807,10 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct } } -void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; +/* ********************************* */ +static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { /* Break after 20 packets. */ if(flow->packet_counter > 20) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); @@ -810,10 +818,6 @@ void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct, return; } - if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { - return; - } - NDPI_LOG_DBG(ndpi_struct, "search HTTP\n"); ndpi_check_http_tcp(ndpi_struct, flow); } @@ -850,8 +854,7 @@ char* ndpi_get_http_content_type(struct ndpi_detection_module_struct *ndpi_mod, void init_http_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, - NDPI_PROTOCOL_BITMASK *detection_bitmask) -{ + NDPI_PROTOCOL_BITMASK *detection_bitmask) { ndpi_set_bitmask_protocol_detection("HTTP",ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_HTTP, ndpi_search_http_tcp, diff --git a/src/lib/protocols/iec60870-5-104.c b/src/lib/protocols/iec60870-5-104.c index b7439f3e0..e34ca3d63 100644 --- a/src/lib/protocols/iec60870-5-104.c +++ b/src/lib/protocols/iec60870-5-104.c @@ -2,7 +2,26 @@ * iec60870-5-104.c * Extension for industrial 104 protocol recognition * - * Created by Cesar HM + * Created by Cesar HM <cesar91hoyos@gmail.com> + * + * Copyright (C) 2019 - ntop.org + * + * This file is part of nDPI, an open source deep packet inspection + * library based on the OpenDPI and PACE technology by ipoque GmbH + * + * nDPI is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * nDPI is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with nDPI. If not, see <http://www.gnu.org/licenses/>. + * */ #include "ndpi_protocol_ids.h" @@ -21,23 +40,22 @@ void ndpi_search_104_tcp(struct ndpi_detection_module_struct *ndpi_struct, if(packet->tcp) { /* The start byte of 104 is 0x68 * The usual port: 2404 - */ - if ( packet->payload[0] == 0x68 && - ((packet->tcp->dest == iec104_port) || (packet->tcp->source == iec104_port)) ){ - NDPI_LOG_INFO(ndpi_struct, "found 104\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_104, NDPI_PROTOCOL_UNKNOWN); - return; - } + */ + if((packet->payload[0] == 0x68) && + ((packet->tcp->dest == iec104_port) || (packet->tcp->source == iec104_port)) ){ + NDPI_LOG_INFO(ndpi_struct, "found 104\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_104, NDPI_PROTOCOL_UNKNOWN); + return; } - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - + } + + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } void init_104_dissector(struct ndpi_detection_module_struct *ndpi_struct, - u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) { - + u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) { ndpi_set_bitmask_protocol_detection("104", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_104, ndpi_search_104_tcp, diff --git a/src/lib/protocols/kerberos.c b/src/lib/protocols/kerberos.c index fa73ab0ae..b7fcfb61d 100644 --- a/src/lib/protocols/kerberos.c +++ b/src/lib/protocols/kerberos.c @@ -63,8 +63,8 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct, u_int realm_len, realm_offset = cname_len + name_offset + 4, i; char cname_str[24]; - if(cname_len >= sizeof(cname_str)) - cname_len = sizeof(cname_str); + if(cname_len > sizeof(cname_str)-1) + cname_len = sizeof(cname_str)-1; strncpy(cname_str, (char*)&packet->payload[name_offset+1], cname_len); cname_str[cname_len] = '\0'; diff --git a/src/lib/protocols/mail_smtp.c b/src/lib/protocols/mail_smtp.c index fcb390229..2cd4657c9 100644 --- a/src/lib/protocols/mail_smtp.c +++ b/src/lib/protocols/mail_smtp.c @@ -283,12 +283,14 @@ int ndpi_extra_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_st static void smtpInitExtraPacketProcessing(struct ndpi_flow_struct *flow) { #ifdef SMTP_DEBUG - printf("**** %s()\n", __FUNCTION__); + static u_int num = 0; + + printf("**** %s(%u)\n", __FUNCTION__, ++num); #endif flow->check_extra_packets = 1; /* At most 7 packets should almost always be enough */ - flow->max_extra_packets_to_check = 7; + flow->max_extra_packets_to_check = 12; flow->extra_packets_func = ndpi_extra_search_mail_smtp_tcp; } diff --git a/src/lib/protocols/skype.c b/src/lib/protocols/skype.c index 8ada5d997..e758fd5b8 100644 --- a/src/lib/protocols/skype.c +++ b/src/lib/protocols/skype.c @@ -32,11 +32,17 @@ static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, s // const u_int8_t *packet_payload = packet->payload; u_int32_t payload_len = packet->payload_packet_len; - if(flow->host_server_name[0] != '\0') + /* No need to do ntohl() with 0xFFFFFFFF */ + if(packet->iph && (packet->iph->daddr == 0xFFFFFFFF /* 255.255.255.255 */)) { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; + } + if(flow->host_server_name[0] != '\0') + return; + // UDP check - if(packet->udp != NULL) { + if(packet->udp != NULL) { flow->l4.udp.skype_packet_id++; if(flow->l4.udp.skype_packet_id < 5) { @@ -52,6 +58,7 @@ static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, s if(((payload_len == 3) && ((packet->payload[2] & 0x0F)== 0x0d)) || ((payload_len >= 16) && (packet->payload[0] != 0x30) /* Avoid invalid SNMP detection */ + && (packet->payload[0] != 0x0) /* Avoid invalid CAPWAP detection */ && (packet->payload[2] == 0x02))) { if(is_port(sport, dport, 8801)) diff --git a/src/lib/protocols/smb.c b/src/lib/protocols/smb.c index 71305cd13..de83519f7 100644 --- a/src/lib/protocols/smb.c +++ b/src/lib/protocols/smb.c @@ -33,18 +33,23 @@ void ndpi_search_smb_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc /* Check connection over TCP */ if(packet->tcp) { + u_int16_t fourfourfive = htons(445); - if(packet->tcp->dest == htons(445) + if(((packet->tcp->dest == fourfourfive) || (packet->tcp->source == fourfourfive)) && packet->payload_packet_len > (32 + 4 + 4) && (packet->payload_packet_len - 4) == ntohl(get_u_int32_t(packet->payload, 0)) - && get_u_int32_t(packet->payload, 4) == htonl(0xff534d42)) { - + ) { + u_int8_t smbv1[] = { 0xff, 0x53, 0x4d, 0x42 }; + NDPI_LOG_INFO(ndpi_struct, "found SMB\n"); - if(packet->payload[8] == 0x72) - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV1, NDPI_PROTOCOL_UNKNOWN); - else + if(memcmp(&packet->payload[4], smbv1, sizeof(smbv1)) == 0) { + if(packet->payload[8] != 0x72) /* Skip Negotiate request */ { + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV1, NDPI_PROTOCOL_UNKNOWN); + } + } else ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV23, NDPI_PROTOCOL_UNKNOWN); + return; } } @@ -65,4 +70,3 @@ void init_smb_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3 *id += 1; } - diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c index 5dd6fb0e5..5bdf78959 100644 --- a/src/lib/protocols/ssh.c +++ b/src/lib/protocols/ssh.c @@ -56,10 +56,38 @@ /* #define SSH_DEBUG 1 */ +static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); + +/* ************************************************************************ */ + +static int search_ssh_again(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { + ndpi_search_ssh_tcp(ndpi_struct, flow); + + if((flow->protos.ssh.hassh_client[0] != '\0') + && (flow->protos.ssh.hassh_server[0] != '\0')) { + /* stop extra processing */ + flow->extra_packets_func = NULL; /* We're good now */ + return(0); + } + + /* Possibly more processing */ + return(1); +} + /* ************************************************************************ */ static void ndpi_int_ssh_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { + if(flow->extra_packets_func != NULL) + return; + + flow->guessed_host_protocol_id = flow->guessed_protocol_id = NDPI_PROTOCOL_SSH; + + /* This is necessary to inform the core to call this dissector again */ + flow->check_extra_packets = 1; + flow->max_extra_packets_to_check = 12; + flow->extra_packets_func = search_ssh_again; + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSH, NDPI_PROTOCOL_UNKNOWN); } @@ -183,7 +211,7 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet, /* ssh.languages_server_to_client [None] */ #ifdef SSH_DEBUG - printf("\n[SSH] %s\n", buf); + printf("[SSH] %s\n", buf); #endif return(buf_out_len); @@ -191,7 +219,7 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet, invalid_payload: #ifdef SSH_DEBUG - printf("\n[SSH] Invalid packet payload\n"); + printf("[SSH] Invalid packet payload\n"); #endif return(0); @@ -213,11 +241,11 @@ static void ndpi_ssh_zap_cr(char *str, int len) { /* ************************************************************************ */ -void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { +static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; #ifdef SSH_DEBUG - printf("\n[SSH] [stage: %u]\n", flow->l4.tcp.ssh_stage); + printf("[SSH] %s()\n", __FUNCTION__); #endif if(flow->l4.tcp.ssh_stage == 0) { @@ -231,13 +259,13 @@ void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc ndpi_ssh_zap_cr(flow->protos.ssh.client_signature, len); #ifdef SSH_DEBUG - printf("\n[SSH] [client_signature: %s]\n", flow->protos.ssh.client_signature); + printf("[SSH] [client_signature: %s]\n", flow->protos.ssh.client_signature); #endif } NDPI_LOG_DBG2(ndpi_struct, "ssh stage 0 passed\n"); flow->l4.tcp.ssh_stage = 1 + packet->packet_direction; - flow->guessed_host_protocol_id = flow->guessed_protocol_id = NDPI_PROTOCOL_SSH; + ndpi_int_ssh_add_connection(ndpi_struct, flow); return; } } else if(flow->l4.tcp.ssh_stage == (2 - packet->packet_direction)) { @@ -251,7 +279,7 @@ void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc ndpi_ssh_zap_cr(flow->protos.ssh.server_signature, len); #ifdef SSH_DEBUG - printf("\n[SSH] [server_signature: %s]\n", flow->protos.ssh.server_signature); + printf("[SSH] [server_signature: %s]\n", flow->protos.ssh.server_signature); #endif NDPI_LOG_DBG2(ndpi_struct, "ssh stage 1 passed\n"); @@ -262,7 +290,7 @@ void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc } #ifdef SSH_DEBUG - printf("\n[SSH] [completed stage: %u]\n", flow->l4.tcp.ssh_stage); + printf("[SSH] [completed stage: %u]\n", flow->l4.tcp.ssh_stage); #endif flow->l4.tcp.ssh_stage = 3; @@ -272,16 +300,16 @@ void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc u_int8_t msgcode = *(packet->payload + 5); ndpi_MD5_CTX ctx; -#ifdef SSH_DEBUG - printf("\n[SSH] [stage: %u][msg: %u]\n", flow->l4.tcp.ssh_stage, msgcode); -#endif - if(msgcode == 20 /* key exchange init */) { char *hassh_buf = calloc(packet->payload_packet_len, sizeof(char)); u_int i, len; +#ifdef SSH_DEBUG + printf("[SSH] [stage: %u][msg: %u][direction: %u][key exchange init]\n", flow->l4.tcp.ssh_stage, msgcode, packet->packet_direction); +#endif + if(hassh_buf) { - if(flow->l4.tcp.ssh_stage == 3) { + if(packet->packet_direction == 0 /* client */) { u_char fingerprint_client[16]; len = concat_hash_string(packet, hassh_buf, 1 /* client */); @@ -292,7 +320,7 @@ void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc #ifdef SSH_DEBUG { - printf("\n[SSH] [client][%s][", hassh_buf); + printf("[SSH] [client][%s][", hassh_buf); for(i=0; i<16; i++) printf("%02X", fingerprint_client[i]); printf("]\n"); } @@ -310,7 +338,7 @@ void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc #ifdef SSH_DEBUG { - printf("\n[SSH] [server][%s][", hassh_buf); + printf("[SSH] [server][%s][", hassh_buf); for(i=0; i<16; i++) printf("%02X", fingerprint_server[i]); printf("]\n"); } @@ -322,18 +350,22 @@ void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc free(hassh_buf); } - } - if(flow->l4.tcp.ssh_stage++ == 4) { - NDPI_LOG_INFO(ndpi_struct, "found ssh\n"); ndpi_int_ssh_add_connection(ndpi_struct, flow); } + if((flow->protos.ssh.hassh_client[0] != '\0') && (flow->protos.ssh.hassh_server[0] != '\0')) { +#ifdef SSH_DEBUG + printf("[SSH] Dissection completed\n"); +#endif + flow->extra_packets_func = NULL; /* We're good now */ + } + return; } #ifdef SSH_DEBUG - printf("\n[SSH] Excluding SSH"); + printf("[SSH] Excluding SSH"); #endif NDPI_LOG_DBG(ndpi_struct, "excluding ssh at stage %d\n", flow->l4.tcp.ssh_stage); diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c index 448062f47..e95965f6b 100644 --- a/src/lib/protocols/stun.c +++ b/src/lib/protocols/stun.c @@ -38,7 +38,6 @@ struct stun_packet_header { u_int8_t transaction_id[8]; }; - /* ************************************************************ */ u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow, u_int8_t rev) { @@ -147,9 +146,15 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * int rc; /* STUN over TCP does not look good */ - if (flow->packet.tcp) + if(flow->packet.tcp) return(NDPI_IS_NOT_STUN); + /* No need to do ntohl() with 0xFFFFFFFF */ + if(flow->packet.iph && (flow->packet.iph->daddr == 0xFFFFFFFF /* 255.255.255.255 */)) { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return(NDPI_IS_NOT_STUN);; + } + if(payload_length >= 512) { return(NDPI_IS_NOT_STUN); } else if(payload_length < sizeof(struct stun_packet_header)) { @@ -174,7 +179,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * return(NDPI_IS_NOT_STUN); /* https://www.iana.org/assignments/stun-parameters/stun-parameters.xhtml */ - if ((msg_type & 0x3EEF) > 0x000B && msg_type != 0x0800) { + if((msg_type & 0x3EEF) > 0x000B && msg_type != 0x0800) { #ifdef DEBUG_STUN printf("[STUN] msg_type = %04X\n", msg_type); #endif @@ -184,7 +189,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * as this was a flow that started as STUN and turned into something else. Let's investigate what is that about */ - if (payload[0] == 0x16) { + if(payload[0] == 0x16) { /* Let's check if this is DTLS used by some socials */ struct ndpi_packet_struct *packet = &flow->packet; u_int16_t total_len, version = htons(*((u_int16_t*) &packet->payload[1])); @@ -194,7 +199,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * case 0xFEFD: /* DTLS 1.2 */ total_len = ntohs(*((u_int16_t*) &packet->payload[11])) + 13; - if (payload_length == total_len) { + if(payload_length == total_len) { /* This is DTLS and the only protocol we know behaves like this is signal */ flow->guessed_host_protocol_id = NDPI_PROTOCOL_SIGNAL; return(NDPI_IS_STUN); @@ -212,7 +217,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * printf("[STUN] Here we go\n");; #endif - if (ndpi_struct->stun_cache) { + if(ndpi_struct->stun_cache) { u_int16_t proto; u_int32_t key = get_stun_lru_key(flow, 0); int rc = ndpi_lru_find_cache(ndpi_struct->stun_cache, key, &proto, @@ -222,7 +227,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * printf("[LRU] Searching %u\n", key); #endif - if (!rc) { + if(!rc) { key = get_stun_lru_key(flow, 1); rc = ndpi_lru_find_cache(ndpi_struct->stun_cache, key, &proto, 0 /* Don't remove it as it can be used for other connections */); @@ -232,7 +237,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * #endif } - if (rc) { + if(rc) { #ifdef DEBUG_LRU printf("[LRU] Cache FOUND %u / %u\n", key, proto); #endif @@ -253,18 +258,18 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * if(msg_type == 0x01 /* Binding Request */) { flow->protos.stun_ssl.stun.num_binding_requests++; - if (!msg_len && flow->guessed_host_protocol_id == NDPI_PROTOCOL_GOOGLE) + if(!msg_len && flow->guessed_host_protocol_id == NDPI_PROTOCOL_GOOGLE) flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO; else flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; - if (!msg_len) { + if(!msg_len) { /* flow->protos.stun_ssl.stun.num_udp_pkts++; */ return(NDPI_IS_NOT_STUN); /* This to keep analyzing STUN instead of giving up */ } } - if (!msg_len && flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN) { + if(!msg_len && flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return(NDPI_IS_NOT_STUN); } @@ -280,7 +285,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * return(NDPI_IS_STUN); /* This is WhatsApp Call */ } - if (payload[0] != 0x80 && (msg_len + 20) > payload_length) + if(payload[0] != 0x80 && (msg_len + 20) > payload_length) return(NDPI_IS_NOT_STUN); else { switch(flow->guessed_protocol_id) { @@ -296,8 +301,8 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * } } - if (payload_length == (msg_len+20)) { - if ((msg_type & 0x3EEF) <= 0x000B) /* http://www.3cx.com/blog/voip-howto/stun-details/ */ { + if(payload_length == (msg_len+20)) { + if((msg_type & 0x3EEF) <= 0x000B) /* http://www.3cx.com/blog/voip-howto/stun-details/ */ { u_int offset = 20; /* @@ -314,7 +319,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * u_int16_t len = ntohs(*((u_int16_t*)&payload[offset+2])); u_int16_t x = (len + 4) % 4; - if (x) + if(x) len += 4-x; #ifdef DEBUG_STUN @@ -352,10 +357,10 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * printf("==> [%s]\n", flow->host_server_name); #endif - if (strstr((char*) flow->host_server_name, "google.com") != NULL) { + if(strstr((char*) flow->host_server_name, "google.com") != NULL) { flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO; return(NDPI_IS_STUN); - } else if (strstr((char*) flow->host_server_name, "whispersystems.org") != NULL) { + } else if(strstr((char*) flow->host_server_name, "whispersystems.org") != NULL) { flow->guessed_host_protocol_id = NDPI_PROTOCOL_SIGNAL; return(NDPI_IS_STUN); } @@ -364,8 +369,8 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * break; case 0xC057: /* Messeger */ - if (msg_type == 0x0001) { - if ((msg_len == 100) || (msg_len == 104)) { + if(msg_type == 0x0001) { + if((msg_len == 100) || (msg_len == 104)) { flow->guessed_host_protocol_id = NDPI_PROTOCOL_MESSENGER; return(NDPI_IS_STUN); } else if(msg_len == 76) { @@ -416,7 +421,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * break; case 0x8070: /* Implementation Version */ - if (len == 4 && ((offset+7) < payload_length) + if(len == 4 && ((offset+7) < payload_length) && (payload[offset+4] == 0x00) && (payload[offset+5] == 0x00) && (payload[offset+6] == 0x00) && ((payload[offset+7] == 0x02) || (payload[offset+7] == 0x03))) { #ifdef DEBUG_STUN @@ -450,7 +455,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * } } - if ((flow->protos.stun_ssl.stun.num_udp_pkts > 0) && (msg_type <= 0x00FF)) { + if((flow->protos.stun_ssl.stun.num_udp_pkts > 0) && (msg_type <= 0x00FF)) { flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL; return(NDPI_IS_STUN); } else @@ -507,7 +512,7 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n if(ndpi_int_check_stun(ndpi_struct, flow, packet->payload, packet->payload_packet_len) == NDPI_IS_STUN) { udp_stun_match: - if (flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) + if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; if(flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN) { diff --git a/src/lib/protocols/telnet.c b/src/lib/protocols/telnet.c index e293fc960..59b1e4978 100644 --- a/src/lib/protocols/telnet.c +++ b/src/lib/protocols/telnet.c @@ -19,7 +19,7 @@ * * You should have received a copy of the GNU Lesser General Public License * along with nDPI. If not, see <http://www.gnu.org/licenses/>. - * + * */ @@ -29,14 +29,66 @@ #include "ndpi_api.h" +/* ************************************************************************ */ + +static int search_telnet_again(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; + + // printf("==> %s()\n", __FUNCTION__); + + if(packet->payload[0] == 0xFF) + return(1); + + if(packet->payload_packet_len > 0) { + int i; + + if((!flow->protos.telnet.username_found) + && (packet->payload_packet_len > 6)) { + + if(strncasecmp((char*)packet->payload, "login:", 6) == 0) { + flow->protos.telnet.username_found = 1; + } + + return(1); + } + + if(packet->payload[0] == '\r') { + flow->protos.telnet.username_detected = 1; + flow->protos.telnet.username[flow->protos.telnet.character_id] = '\0'; + return(0); + } + + for(i=0; i<packet->payload_packet_len; i++) { + if(!flow->protos.telnet.skip_next) { + if(flow->protos.telnet.character_id < (sizeof(flow->protos.telnet.username)-1)) + flow->protos.telnet.username[flow->protos.telnet.character_id++] = packet->payload[i]; + flow->protos.telnet.skip_next = 1; + } else + flow->protos.telnet.skip_next = 0; + } + } + + /* Possibly more processing */ + return(1); +} + +/* ************************************************************************ */ static void ndpi_int_telnet_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) -{ + *ndpi_struct, struct ndpi_flow_struct *flow) { + flow->guessed_host_protocol_id = flow->guessed_protocol_id = NDPI_PROTOCOL_TELNET; + + /* This is necessary to inform the core to call this dissector again */ + flow->check_extra_packets = 1; + flow->max_extra_packets_to_check = 32; + flow->extra_packets_func = search_telnet_again; + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TELNET, NDPI_PROTOCOL_UNKNOWN); } - +/* ************************************************************************ */ + #if !defined(WIN32) static inline #elif defined(MINGW_GCC) @@ -44,62 +96,62 @@ __mingw_forceinline static #else __forceinline static #endif -u_int8_t search_iac(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ +u_int8_t search_iac(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; u_int16_t a; - if (packet->payload_packet_len < 3) { - return 0; - } + if(packet->payload_packet_len < 3) + return(0); - if (!(packet->payload[0] == 0xff - && packet->payload[1] > 0xf9 && packet->payload[1] != 0xff && packet->payload[2] < 0x28)) { - return 0; - } + if(!((packet->payload[0] == 0xff) + && (packet->payload[1] > 0xf9) + && (packet->payload[1] != 0xff) + && (packet->payload[2] < 0x28))) + return(0); a = 3; while (a < packet->payload_packet_len - 2) { // commands start with a 0xff byte followed by a command byte >= 0xf0 and < 0xff // command bytes 0xfb to 0xfe are followed by an option byte <= 0x28 - if (!(packet->payload[a] != 0xff || + if(!(packet->payload[a] != 0xff || (packet->payload[a] == 0xff && (packet->payload[a + 1] >= 0xf0) && (packet->payload[a + 1] <= 0xfa)) || (packet->payload[a] == 0xff && (packet->payload[a + 1] >= 0xfb) && (packet->payload[a + 1] != 0xff) - && (packet->payload[a + 2] <= 0x28)))) { - return 0; - } + && (packet->payload[a + 2] <= 0x28)))) + return(0); + a++; } return 1; } -/* this detection also works asymmetrically */ -void ndpi_search_telnet_tcp(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) -{ +/* ************************************************************************ */ +/* this detection also works asymmetrically */ +void ndpi_search_telnet_tcp(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { NDPI_LOG_DBG(ndpi_struct, "search telnet\n"); - if (search_iac(ndpi_struct, flow) == 1) { - - if (flow->l4.tcp.telnet_stage == 2) { + if(search_iac(ndpi_struct, flow) == 1) { + if(flow->l4.tcp.telnet_stage == 2) { NDPI_LOG_INFO(ndpi_struct, "found telnet\n"); ndpi_int_telnet_add_connection(ndpi_struct, flow); return; } + flow->l4.tcp.telnet_stage++; NDPI_LOG_DBG2(ndpi_struct, "telnet stage %u\n", flow->l4.tcp.telnet_stage); return; } - if ((flow->packet_counter < 12 && flow->l4.tcp.telnet_stage > 0) || flow->packet_counter < 6) { + if(((flow->packet_counter < 12) && (flow->l4.tcp.telnet_stage > 0)) || (flow->packet_counter < 6)) return; - } else { + else NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - } + return; } @@ -112,6 +164,5 @@ void init_telnet_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, SAVE_DETECTION_BITMASK_AS_UNKNOWN, ADD_TO_DETECTION_BITMASK); - *id += 1; } diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index cce5e0471..c65d4fc69 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -32,8 +32,7 @@ extern char *strptime(const char *s, const char *format, struct tm *tm); /* #define DEBUG_TLS 1 */ - -#define DEBUG_FINGERPRINT 1 +/* #define DEBUG_FINGERPRINT 1 */ /* NOTE @@ -59,13 +58,16 @@ extern u_int8_t is_skype_flow(struct ndpi_detection_module_struct *ndpi_struct, /* stun.c */ extern u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow, u_int8_t rev); +extern int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow); + /* **************************************** */ static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int32_t protocol) { struct ndpi_packet_struct *packet = &flow->packet; - protocol = NDPI_PROTOCOL_TLS; + // protocol = NDPI_PROTOCOL_TLS; if(packet->tcp != NULL) { switch(protocol) { @@ -94,6 +96,16 @@ static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_st /* **************************************** */ +static void sslInitExtraPacketProcessing(struct ndpi_flow_struct *flow) { + flow->check_extra_packets = 1; + + /* At most 7 packets should almost always be enough to find the server certificate if it's there */ + flow->max_extra_packets_to_check = 7; + flow->extra_packets_func = sslTryAndRetrieveServerCertificate; +} + +/* **************************************** */ + static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int32_t protocol) { if(protocol != NDPI_PROTOCOL_TLS) @@ -102,6 +114,7 @@ static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndp protocol = ndpi_tls_refine_master_protocol(ndpi_struct, flow, protocol); ndpi_set_detected_protocol(ndpi_struct, flow, protocol, NDPI_PROTOCOL_TLS); + sslInitExtraPacketProcessing(flow); } /* **************************************** */ @@ -411,9 +424,25 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct, if(num_dots >= 1) { if(!ndpi_struct->disable_metadata_export) { + ndpi_protocol_match_result ret_match; + u_int16_t subproto; + stripCertificateTrailer(buffer, buffer_len); snprintf(flow->protos.stun_ssl.ssl.server_certificate, sizeof(flow->protos.stun_ssl.ssl.server_certificate), "%s", buffer); + +#ifdef DEBUG_TLS + printf("[server_certificate: %s]\n", flow->protos.stun_ssl.ssl.server_certificate); +#endif + + subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, + flow->protos.stun_ssl.ssl.server_certificate, + strlen(flow->protos.stun_ssl.ssl.server_certificate), + &ret_match, + NDPI_PROTOCOL_TLS); + + if(subproto != NDPI_PROTOCOL_UNKNOWN) + ndpi_set_detected_protocol(ndpi_struct, flow, subproto, NDPI_PROTOCOL_TLS); } return(1 /* Server Certificate */); @@ -869,7 +898,8 @@ int getSSCertificateFingerprint(struct ndpi_detection_module_struct *ndpi_struct } } } - + + flow->extra_packets_func = NULL; /* We're good now */ return(1); } @@ -1070,16 +1100,6 @@ int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi /* **************************************** */ -static void sslInitExtraPacketProcessing(struct ndpi_flow_struct *flow) { - flow->check_extra_packets = 1; - - /* At most 7 packets should almost always be enough to find the server certificate if it's there */ - flow->max_extra_packets_to_check = 7; - flow->extra_packets_func = sslTryAndRetrieveServerCertificate; -} - -/* **************************************** */ - int tlsDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int8_t skip_cert_processing) { @@ -1107,11 +1127,16 @@ int tlsDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s NDPI_LOG_DBG2(ndpi_struct, "***** [SSL] %s\n", certificate); #endif ndpi_protocol_match_result ret_match; - u_int16_t subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, certificate, - strlen(certificate), - &ret_match, - NDPI_PROTOCOL_TLS); + u_int16_t subproto; + if(certificate[0] == '\0') + subproto = NDPI_PROTOCOL_UNKNOWN; + else + subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, certificate, + strlen(certificate), + &ret_match, + NDPI_PROTOCOL_TLS); + if(subproto != NDPI_PROTOCOL_UNKNOWN) { /* If we've detected the subprotocol from client certificate but haven't had a chance * to see the server certificate yet, set up extra packet processing to wait @@ -1130,11 +1155,26 @@ int tlsDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s return(rc); } - if(((packet->tls_certificate_num_checks >= 3) - && flow->l4.tcp.seen_syn - && flow->l4.tcp.seen_syn_ack - && flow->l4.tcp.seen_ack /* We have seen the 3-way handshake */ - && flow->l4.tcp.tls_srv_cert_fingerprint_processed +#ifdef DEBUG_TLS + printf("[TLS] %s() [tls_certificate_num_checks: %u][tls_srv_cert_fingerprint_processed: %u][tls_certificate_detected: %u][%u/%u]", + __FUNCTION__, packet->tls_certificate_num_checks, flow->l4.tcp.tls_srv_cert_fingerprint_processed, + packet->tls_certificate_detected, + flow->l4.tcp.tls_seen_client_cert, + flow->l4.tcp.tls_seen_server_cert + ); +#endif + + + if(((packet->tls_certificate_num_checks >= 1) +#if 0 + && (flow->l4.tcp.seen_syn /* User || to be tolerant */ + || flow->l4.tcp.seen_syn_ack + || flow->l4.tcp.seen_ack /* We have seen the 3-way handshake */) +#endif + && (flow->l4.tcp.tls_srv_cert_fingerprint_processed + || flow->l4.tcp.tls_seen_client_cert + || flow->l4.tcp.tls_seen_server_cert + || packet->tls_certificate_detected) ) /* || ((flow->l4.tcp.tls_seen_certificate == 1) @@ -1228,7 +1268,12 @@ static void tls_mark_and_payload_search(struct ndpi_detection_module_struct if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { NDPI_LOG_DBG(ndpi_struct, "found ssl connection\n"); tlsDetectProtocolFromCertificate(ndpi_struct, flow, skip_cert_processing); - + +#ifdef DEBUG_TLS + printf("[TLS] %s() [tls_seen_client_cert: %u][tls_seen_server_cert: %u]\n", __FUNCTION__, + flow->l4.tcp.tls_seen_client_cert, flow->l4.tcp.tls_seen_server_cert); +#endif + if(!packet->tls_certificate_detected && (!(flow->l4.tcp.tls_seen_client_cert && flow->l4.tcp.tls_seen_server_cert))) { /* SSL without certificate (Skype, Ultrasurf?) */ @@ -1354,6 +1399,10 @@ void ndpi_search_tls_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_packet_struct *packet = &flow->packet; u_int8_t ret, skip_cert_processing = 0; +#ifdef DEBUG_TLS + printf("%s()\n", __FUNCTION__); +#endif + if(packet->udp != NULL) { /* DTLS dissector */ int rc = sslTryAndRetrieveServerCertificate(ndpi_struct, flow); diff --git a/src/lib/protocols/zabbix.c b/src/lib/protocols/zabbix.c new file mode 100644 index 000000000..9e67a3159 --- /dev/null +++ b/src/lib/protocols/zabbix.c @@ -0,0 +1,63 @@ +/* + * zabbix.c + * + * Copyright (C) 2019 - ntop.org + * + * nDPI is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * nDPI is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with nDPI. If not, see <http://www.gnu.org/licenses/>. + * + */ + +#include "ndpi_protocol_ids.h" + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_ZABBIX + +#include "ndpi_api.h" + +/* *************************************************** */ + +static void ndpi_int_zabbix_add_connection(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow/* , */ + /* ndpi_protocol_type_t protocol_type */) { + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZABBIX, NDPI_PROTOCOL_UNKNOWN); +} + +/* *************************************************** */ + +void ndpi_search_zabbix(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; + u_int8_t tomatch[] = { 'Z', 'B', 'X', 'D', 0x1 }; + + NDPI_LOG_DBG(ndpi_struct, "search Zabbix\n"); + + if((packet->payload_packet_len > 4) + && (memcmp(packet->payload, tomatch, 5) == 0)) + ndpi_int_zabbix_add_connection(ndpi_struct, flow); + else + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); +} + +/* *************************************************** */ + +void init_zabbix_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, + NDPI_PROTOCOL_BITMASK *detection_bitmask) { + ndpi_set_bitmask_protocol_detection("Zabbix", ndpi_struct, detection_bitmask, *id, + NDPI_PROTOCOL_ZABBIX, + ndpi_search_zabbix, + NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, + SAVE_DETECTION_BITMASK_AS_UNKNOWN, + ADD_TO_DETECTION_BITMASK); + + *id += 1; +} |