Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_typedefs.h1
-rw-r--r--src/lib/ndpi_content_match.c.inc2
-rw-r--r--src/lib/ndpi_main.c54
-rw-r--r--src/lib/protocols/tls.c2
-rw-r--r--src/lib/third_party/src/hll/hll.c52
5 files changed, 68 insertions, 43 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 53d143327..40c27329e 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -80,6 +80,7 @@ typedef enum {
NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER,
NDPI_SMB_INSECURE_VERSION,
NDPI_TLS_SUSPICIOUS_ESNI_USAGE,
+ NDPI_BLACKLISTED_HOST,
/* Leave this as last member */
NDPI_MAX_RISK
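Review bot: `NDPI_BLACKLISTED_HOST` is added to the risk enum but no hunk in this diff sets the bit, so the new value is unused until a dissector raises it. If the library keeps a parallel risk-to-string or risk-description table elsewhere (not visible here), it needs a matching entry, otherwise the new risk will be reported as an unknown value. A short trailing comment on the enum line stating which condition it is meant to flag would also help readers of the header, in the style of the other members.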
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index c8fe416eb..29e2a4277 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -9341,7 +9341,7 @@ static const char *ndpi_en_popular_bigrams[] = {
static const char *ndpi_en_impossible_bigrams[] = {
"bk", "bq", "bx", "cb", "cf", "cg", "cj", "cp", "cv", "cw", "cx", "dx", "fk", "fq", "fv", "fx", /* "ee", removed it can be found in 'meeting' */
"fz", "gq", "gv", "gx", "hh", "hk", "hv", "hx", "hz", "iy", "jb", /* "jc", jcrew.com */ "jd", "jf", "jg", "jh", "jk",
- "jl", "jm", "jn", "jp", "jq", /* "jr",*/ /* "js", */ "jt", "jv", "jw", "jx", "jy", "jz", "kg", "kq", "kv", "kx",
+ "jl", "jm", "jn", "jp", "jq", /* "jr",*/ /* "js", */ "jt", "jv", "jw", "jx", "jy", "jz", /* "kg", */ "kq", "kv", "kx",
"kz", "lq", "lx", /* "mg" tamgrt.com , */ "mj", /* "mq", mqtt */ "mx", "mz", "pq", "pv", "px", "qb", "qc", "qd", "qe", "qf", "ii",
"qg", "qh", "qj", "qk", "ql", "qm", "qn", "qo", "qp", "qr", "qs", "qt", "qv", "qw", "qx", "qy", "uu",
"qz", "sx", "sz", "tq", "tx", "vb", "vc", "vd", "vf", "vg", "vh", "vj", "vm", "vn", /* "vp", Removed for vpbank.com */ "bw", /* "vk", "zr" Removed for kavkazr */
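Review bot: The other removals in this table record the domain that motivated them (`/* "jc", jcrew.com */`, `/* "mg" tamgrt.com , */`), but the new `/* "kg", */` gives no reason, so a later maintainer cannot tell whether it is still needed. Suggest `/* "kg", <domain that triggered the false positive> */` with the actual hostname substituted.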
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index bdbdc89f3..35123c1c9 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -2591,11 +2591,17 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_str, char *rule,
is_ip = 1, value = &attr[3];
else if(strncmp(attr, "host:", 5) == 0) {
/* host:"<value>",host:"<value>",.....@<subproto> */
+ u_int i, max_len;
+
value = &attr[5];
if(value[0] == '"')
value++; /* remove leading " */
- if(value[strlen(value) - 1] == '"')
- value[strlen(value) - 1] = '\0'; /* remove trailing " */
+
+ max_len = strlen(value) - 1;
+ if(value[max_len] == '"')
+ value[max_len] = '\0'; /* remove trailing " */
+
+ for(i=0; i<max_len; i++) value[i] = tolower(value[i]);
}
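Review bot: `max_len = strlen(value) - 1` on the new line underflows when `value` is empty (a rule such as `host:"` leaves nothing after the leading quote is skipped), so `value[max_len]` indexes far out of bounds and the new lowercase loop then writes across memory; the original code had the same unchecked index but no write loop behind it. When no trailing quote is present the last character is also never lowercased, because the loop stops at `max_len`, and `tolower()` on a possibly negative `char` is undefined. A `size_t` length with a zero check and an `unsigned char` cast fixes all three; ndpi_handle_rule continues outside the hunk.
```c
size_t i, len;

value = &attr[5];
if(value[0] == '"')
  value++; /* remove leading " */

len = strlen(value);
if((len > 0) && (value[len - 1] == '"'))
  value[--len] = '\0'; /* remove trailing " */

/* rules are matched case-insensitively, so normalise the whole value */
for(i = 0; i < len; i++) value[i] = tolower((unsigned char)value[i]);
```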
if(is_tcp || is_udp) {
@@ -4730,21 +4736,34 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
if(found
&& (found->proto->protoId != NDPI_PROTOCOL_UNKNOWN)
- && (found->proto->protoId != ret.master_protocol)) {
+ && (found->proto->protoId != ret.master_protocol)
+ && (found->proto->protoId != ret.app_protocol)
+ ) {
// printf("******** %u / %u\n", found->proto->protoId, ret.master_protocol);
if(!ndpi_check_protocol_port_mismatch_exceptions(ndpi_str, flow, found, &ret))
NDPI_SET_BIT(flow->risk, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT);
} else if(default_ports && (default_ports[0] != 0)) {
- u_int8_t found = 0, i;
+ u_int8_t found = 0, i, num_loops = 0;
+ check_default_ports:
for(i=0; (i<MAX_DEFAULT_PORTS) && (default_ports[i] != 0); i++) {
if((default_ports[i] == sport) || (default_ports[i] == dport)) {
found = 1;
break;
- }
+ }
} /* for */
+ if((num_loops == 0) && (!found)) {
+ if(flow->packet.udp)
+ default_ports = ndpi_str->proto_defaults[ret.app_protocol].udp_default_ports;
+ else
+ default_ports = ndpi_str->proto_defaults[ret.app_protocol].tcp_default_ports;
+
+ num_loops = 1;
+ goto check_default_ports;
+ }
+
if(!found) {
// printf("******** Invalid default port\n");
NDPI_SET_BIT(flow->risk, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT);
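Review bot: The retry at the new `check_default_ports:` label is a backward `goto` driven by a `num_loops` flag, which is harder to follow than scanning the master-protocol list and then the app-protocol list in a short two-pass loop; the rewrite below gives the same result. When `ret.app_protocol == ret.master_protocol` the second pass repeats the first and could be skipped. `ret.app_protocol` is also used directly as an index into `proto_defaults`; if that array is sized to the largest protocol id this is fine, otherwise a bound check belongs here. ndpi_detection_process_packet starts before and continues after the hunk.
```c
} else if(default_ports && (default_ports[0] != 0)) {
  u_int8_t found = 0, i, pass;

  /* pass 0: master protocol ports, pass 1: app protocol ports */
  for(pass = 0; (pass < 2) && (!found); pass++) {
    if(pass == 1)
      default_ports = flow->packet.udp
        ? ndpi_str->proto_defaults[ret.app_protocol].udp_default_ports
        : ndpi_str->proto_defaults[ret.app_protocol].tcp_default_ports;

    for(i = 0; (i < MAX_DEFAULT_PORTS) && (default_ports[i] != 0); i++) {
      if((default_ports[i] == sport) || (default_ports[i] == dport)) {
        found = 1;
        break;
      }
    }
  }
  /* … unchanged: NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT when !found … */
```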
@@ -6105,7 +6124,7 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_
int ndpi_match_hostname_protocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow,
u_int16_t master_protocol, char *name, u_int name_len) {
ndpi_protocol_match_result ret_match;
- u_int16_t subproto, what_len;
+ u_int16_t subproto, what_len, i;
char *what;
if((name_len > 2) && (name[0] == '*') && (name[1] == '.'))
@@ -6113,6 +6132,9 @@ int ndpi_match_hostname_protocol(struct ndpi_detection_module_struct *ndpi_struc
else
what = name, what_len = name_len;
+ /* Convert it first to lowercase: we assume meory is writable as in nDPI dissctors */
+ for(i=0; i<name_len; i++) what[i] = tolower(what[i]);
+
subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, what, what_len, &ret_match, master_protocol);
if(subproto != NDPI_PROTOCOL_UNKNOWN) {
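Review bot: The new loop lowercases `name_len` bytes starting at `what`, but when the `*.` prefix is stripped in the branch just above the hunk `what` points two bytes into `name` and `what_len` is the shorter remaining length, so the loop writes two bytes past the end of the hostname; `name_len` presumably comes from packet data, so this is an out-of-bounds write on attacker-controlled length. The bound should be `what_len`, and `tolower()` should receive an `unsigned char` since `char` may be negative: `for(i=0; i<what_len; i++) what[i] = tolower((unsigned char)what[i]);`. The `u_int16_t i` declared in the previous hunk is then bounded by a variable of the same type, so it cannot wrap. The comment would also read better as `/* Convert to lowercase first: we assume the memory is writable, as in nDPI dissectors */`; ndpi_match_hostname_protocol continues outside the hunk.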
@@ -6570,7 +6592,7 @@ static int enough(int a, int b) {
/* ******************************************************************** */
-// #define DGA_DEBUG 1
+/* #define DGA_DEBUG 1 */
int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str,
struct ndpi_flow_struct *flow,
@@ -6647,18 +6669,16 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str,
printf("-> Checking %c%c\n", word[i], word[i+1]);
#endif
- if(ndpi_match_bigram(ndpi_str, &ndpi_str->bigrams_automa, &word[i])) {
- num_found++;
- } else {
- if(ndpi_match_bigram(ndpi_str,
- &ndpi_str->impossible_bigrams_automa,
- &word[i])) {
+ if(ndpi_match_bigram(ndpi_str,
+ &ndpi_str->impossible_bigrams_automa,
+ &word[i])) {
#ifdef DGA_DEBUG
- printf("IMPOSSIBLE %s\n", &word[i]);
+ printf("IMPOSSIBLE %s\n", &word[i]);
#endif
- num_impossible++;
- }
- }
+ num_impossible++;
+ } else if(ndpi_match_bigram(ndpi_str, &ndpi_str->bigrams_automa, &word[i])) {
+ num_found++;
+ }
} /* for */
} /* for */
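Review bot: Checking the impossible automaton first means a bigram present in both lists is now counted as impossible and no longer as found, which is a behaviour change the code does not explain. A one-line comment above the new `if` would make the precedence deliberate, e.g. `/* Impossible bigrams take precedence over popular ones */`. ndpi_check_dga_name starts before and continues after the hunk.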
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index f96745dc6..883de7666 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1434,6 +1434,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_SET_BIT(flow->risk, NDPI_TLS_NOT_CARRYING_HTTPS);
}
+ /* Suspicious Domain Fronting:
+ https://github.com/SixGenInc/Noctilucent/blob/master/docs/ */
if(flow->protos.stun_ssl.ssl.encrypted_sni.esni &&
flow->protos.stun_ssl.ssl.client_requested_server_name[0] != '\0') {
NDPI_SET_BIT(flow->risk, NDPI_TLS_SUSPICIOUS_ESNI_USAGE);
diff --git a/src/lib/third_party/src/hll/hll.c b/src/lib/third_party/src/hll/hll.c
index a7006c7ed..c526c6af0 100644
--- a/src/lib/third_party/src/hll/hll.c
+++ b/src/lib/third_party/src/hll/hll.c
@@ -34,6 +34,7 @@ u_int32_t _hll_hash(const struct ndpi_hll *hll) {
return MurmurHash3_x86_32(hll->registers, (u_int32_t)hll->size, 0);
}
+/* Count the number of leading zero's */
static __inline u_int8_t _hll_rank(u_int32_t hash, u_int8_t bits) {
u_int8_t i;
@@ -48,24 +49,26 @@ static __inline u_int8_t _hll_rank(u_int32_t hash, u_int8_t bits) {
}
/*
- IMPORTANT: memory usage notes
+ IMPORTANT: HyperLogLog Memory and StandardError Notes
- [i: 4] 16 bytes
- [i: 5] 32 bytes
- [i: 6] 64 bytes
- [i: 7] 128 bytes
- [i: 8] 256 bytes
- [i: 9] 512 bytes
- [i: 10] 1024 bytes
- [i: 11] 2048 bytes
- [i: 12] 4096 bytes
- [i: 13] 8192 bytes
- [i: 14] 16384 bytes
- [i: 15] 32768 bytes
- [i: 16] 65536 bytes
- [i: 17] 131072 bytes
- [i: 18] 262144 bytes
- [i: 19] 524288 bytes
+ StdError = 1.04/sqrt(2^i)
+
+ [i: 4] 16 bytes [StdError: 26% ]
+ [i: 5] 32 bytes [StdError: 18.4%]
+ [i: 6] 64 bytes [StdError: 13% ]
+ [i: 7] 128 bytes [StdError: 9.2% ]
+ [i: 8] 256 bytes [StdError: 6.5% ]
+ [i: 9] 512 bytes [StdError: 4.6% ]
+ [i: 10] 1024 bytes [StdError: 3.25%]
+ [i: 11] 2048 bytes [StdError: 2.3% ]
+ [i: 12] 4096 bytes [StdError: 1.6% ]
+ [i: 13] 8192 bytes [StdError: 1.15%]
+ [i: 14] 16384 bytes [StdError: 0.81%]
+ [i: 15] 32768 bytes [StdError: 0.57%]
+ [i: 16] 65536 bytes [StdError: 0.41%]
+ [i: 17] 131072 bytes [StdError: 0.29%]
+ [i: 18] 262144 bytes [StdError: 0.2% ]
+ [i: 19] 524288 bytes [StdError: 0.14%]
*/
int hll_init(struct ndpi_hll *hll, u_int8_t bits) {
if(bits < 4 || bits > 20) {
@@ -73,9 +76,9 @@ int hll_init(struct ndpi_hll *hll, u_int8_t bits) {
return -1;
}
- hll->bits = bits;
- hll->size = (size_t)1 << bits;
- hll->registers = ndpi_calloc(hll->size, 1);
+ hll->bits = bits; /* Number of bits of buckets number */
+ hll->size = (size_t)1 << bits; /* Number of buckets 2^bits */
+ hll->registers = ndpi_calloc(hll->size, 1); /* Create the bucket register counters */
/* printf("%lu bytes\n", hll->size); */
return 0;
@@ -96,12 +99,11 @@ void hll_reset(struct ndpi_hll *hll) {
static __inline void _hll_add_hash(struct ndpi_hll *hll, u_int32_t hash) {
if(hll->registers) {
- u_int32_t index = hash >> (32 - hll->bits);
- u_int8_t rank = _hll_rank(hash, hll->bits);
+ u_int32_t index = hash >> (32 - hll->bits); /* Use the first 'hll->bits' bits as bucket index */
+ u_int8_t rank = _hll_rank(hash, hll->bits); /* Count the number of leading 0 */
- if(rank > hll->registers[index]) {
- hll->registers[index] = rank;
- }
+ if(rank > hll->registers[index])
+ hll->registers[index] = rank; /* Store the largest number of lesding zeros for the bucket */
}
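Review bot: The new comment on the assignment has a typo, `lesding` → `leading`, and the commit drops the braces around that single-statement `if` while the enclosing `if(hll->registers) {` in the same hunk keeps them; mixed bracing in one short function invites the classic mistake of adding a second line under the unbraced `if`. Suggest keeping the braces: `if(rank > hll->registers[index]) { hll->registers[index] = rank; /* keep the largest leading-zero count seen for this bucket */ }`.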
}