Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_typedefs.h | 1 | ||||
-rw-r--r-- | src/lib/protocols/dropbox.c | 10 | ||||
-rw-r--r-- | src/lib/protocols/mysql.c | 51 | ||||
-rw-r--r-- | src/lib/protocols/ssl.c | 5 |
4 files changed, 34 insertions, 33 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 69970a3e1..21e2199e5 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -1097,6 +1097,7 @@ struct ndpi_flow_struct { struct { struct { + u_int16_t ssl_version; char client_certificate[64], server_certificate[64], server_organization[64]; char ja3_client[33], ja3_server[33]; u_int16_t server_cipher; diff --git a/src/lib/protocols/dropbox.c b/src/lib/protocols/dropbox.c index 39bb96ff2..895bb0164 100644 --- a/src/lib/protocols/dropbox.c +++ b/src/lib/protocols/dropbox.c @@ -30,11 +30,9 @@ #define DB_LSP_PORT 17500 - static void ndpi_int_dropbox_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, - u_int8_t due_to_correlation) -{ + u_int8_t due_to_correlation) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DROPBOX, NDPI_PROTOCOL_UNKNOWN); } @@ -51,8 +49,7 @@ static void ndpi_check_dropbox(struct ndpi_detection_module_struct *ndpi_struct, if(packet->udp->dest == dropbox_port) { if(packet->udp->source == dropbox_port) { if(payload_len > 10) { - if(ndpi_strnstr((const char *)packet->payload, "\"host_int\"", payload_len) != NULL) { - + if(ndpi_strnstr((const char *)packet->payload, "\"host_int\"", payload_len) != NULL) { NDPI_LOG_INFO(ndpi_struct, "found dropbox\n"); ndpi_int_dropbox_add_connection(ndpi_struct, flow, 0); return; @@ -60,8 +57,7 @@ static void ndpi_check_dropbox(struct ndpi_detection_module_struct *ndpi_struct, } } else { if(payload_len > 10) { - if(ndpi_strnstr((const char *)packet->payload, "Bus17Cmd", payload_len) != NULL) { - + if(ndpi_strnstr((const char *)packet->payload, "Bus17Cmd", payload_len) != NULL) { NDPI_LOG_INFO(ndpi_struct, "found dropbox\n"); ndpi_int_dropbox_add_connection(ndpi_struct, flow, 0); return; diff --git a/src/lib/protocols/mysql.c b/src/lib/protocols/mysql.c index d1602a2fe..83a5bf8ed 100644 --- a/src/lib/protocols/mysql.c +++ b/src/lib/protocols/mysql.c 
@@ -29,42 +29,45 @@ #include "ndpi_api.h" - -static void ndpi_int_mysql_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) -{ - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MYSQL, NDPI_PROTOCOL_UNKNOWN); -} - -void ndpi_search_mysql_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ +void ndpi_search_mysql_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; NDPI_LOG_DBG(ndpi_struct, "search MySQL\n"); if(packet->tcp) { - if (packet->payload_packet_len > 38 //min length - && get_u_int16_t(packet->payload, 0) == packet->payload_packet_len - 4 //first 3 bytes are length - && get_u_int8_t(packet->payload, 2) == 0x00 //3rd byte of packet length - && get_u_int8_t(packet->payload, 3) == 0x00 //packet sequence number is 0 for startup packet - && get_u_int8_t(packet->payload, 5) > 0x30 //server version > 0 - && get_u_int8_t(packet->payload, 5) < 0x37 //server version < 7 - && get_u_int8_t(packet->payload, 6) == 0x2e //dot - ) { + if(packet->payload_packet_len > 38 //min length + && get_u_int16_t(packet->payload, 0) == packet->payload_packet_len - 4 //first 3 bytes are length + && get_u_int8_t(packet->payload, 2) == 0x00 //3rd byte of packet length + && get_u_int8_t(packet->payload, 3) == 0x00 //packet sequence number is 0 for startup packet + && get_u_int8_t(packet->payload, 5) > 0x30 //server version > 0 + && get_u_int8_t(packet->payload, 5) < 0x37 //server version < 7 + && get_u_int8_t(packet->payload, 6) == 0x2e //dot + ) { +#if 0 + /* Old code */ u_int32_t a; - for (a = 7; a + 31 < packet->payload_packet_len; a++) { - if (packet->payload[a] == 0x00) { - if (get_u_int8_t(packet->payload, a + 13) == 0x00 //filler byte - && get_u_int64_t(packet->payload, a + 19) == 0x0ULL //13 more - && get_u_int32_t(packet->payload, a + 27) == 0x0 //filler bytes - && get_u_int8_t(packet->payload, a + 31) == 
0x0) { + + for(a = 7; a + 31 < packet->payload_packet_len; a++) { + if(packet->payload[a] == 0x00) { + if(get_u_int8_t(packet->payload, a + 13) == 0x00 // filler byte + && get_u_int64_t(packet->payload, a + 19) == 0x0ULL // 13 more + && get_u_int32_t(packet->payload, a + 27) == 0x0 // filler bytes + && get_u_int8_t(packet->payload, a + 31) == 0x0) { NDPI_LOG_INFO(ndpi_struct, "found MySQL\n"); - ndpi_int_mysql_add_connection(ndpi_struct, flow); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MYSQL, NDPI_PROTOCOL_UNKNOWN); return; } + break; } } +#else + if(strncmp(&packet->payload[packet->payload_packet_len-22], "mysql_", 6) == 0) { + NDPI_LOG_INFO(ndpi_struct, "found MySQL\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MYSQL, NDPI_PROTOCOL_UNKNOWN); + return; + } +#endif } } diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/ssl.c index 1f51ab4b6..eee31e94b 100644 --- a/src/lib/protocols/ssl.c +++ b/src/lib/protocols/ssl.c @@ -356,7 +356,6 @@ struct ja3_info { /* **************************************** */ - /* code fixes courtesy of Alexsandro Brahm <alex@digistar.com.br> */ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, @@ -369,11 +368,13 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, MD5_CTX ctx; u_char md5_hash[16]; + flow->protos.stun_ssl.ssl.ssl_version = ssl_version; + memset(&ja3, 0, sizeof(ja3)); #ifdef CERTIFICATE_DEBUG { - u_int16_t ssl_len = (packet->payload[3] << 8) + packet->payload[4]; + u_int16_t ssl_len = (packet->payload[3] << 8) + packet->payload[4]; printf("SSL Record [version: %u][len: %u]\n", ssl_version, ssl_len); } |
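Review bot: The fixed offset in `strncmp(&packet->payload[packet->payload_packet_len-22], "mysql_", 6)` in the `#else` branch carries two unstated assumptions. The read stays inside the payload only because the enclosing condition requires `payload_packet_len > 38`, and 22 appears to be the length of a trailing NUL-terminated `mysql_native_password` string, so a greeting that ends with anything else would presumably no longer be classified as MySQL. I would state both in a comment, e.g. `/* 22 = strlen("mysql_native_password") + 1; in bounds because payload_packet_len > 38 */`, and compare with `memcmp(&packet->payload[packet->payload_packet_len - 22], "mysql_", 6) == 0`, since the payload is packet bytes rather than a C string and the dropbox.c hunk in this commit casts it to `const char *` before passing it to a string function. The `#if 0` copy of the old loop could be removed instead of kept, as the history already holds it.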
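Review bot: `flow->protos.stun_ssl.ssl.ssl_version = ssl_version;` runs at the top of getSSLcertificate(), before any of the record is parsed in the visible part of the function, so the stored value is whatever the caller passed and is set even when parsing later fails. Readers of the new field in ndpi_typedefs.h cannot tell that from its declaration; a comment there such as `/* record version as passed to getSSLcertificate(), not validated */` would make the contract explicit. The function body continues outside the hunk, so any later validation is not visible here.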