Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_typedefs.h | 6 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 6 | ||||
-rw-r--r-- | src/lib/protocols/dns.c | 72 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 25 |
4 files changed, 95 insertions, 14 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index beef59fee..7094ef9a6 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -68,7 +68,7 @@ typedef enum { NDPI_TLS_OBSOLETE_VERSION, NDPI_TLS_WEAK_CIPHER, NDPI_TLS_CERTIFICATE_EXPIRED, - NDPI_TLS_CERTIFICATE_MISMATCH, + NDPI_TLS_CERTIFICATE_MISMATCH, /* 10 */ NDPI_HTTP_SUSPICIOUS_USER_AGENT, NDPI_HTTP_NUMERIC_IP_HOST, NDPI_HTTP_SUSPICIOUS_URL, @@ -78,9 +78,11 @@ typedef enum { NDPI_MALFORMED_PACKET, NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER, NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER, - NDPI_SMB_INSECURE_VERSION, + NDPI_SMB_INSECURE_VERSION, /* 20 */ NDPI_TLS_SUSPICIOUS_ESNI_USAGE, NDPI_UNSAFE_PROTOCOL, + NDPI_DNS_SUSPICIOUS_TRAFFIC, + NDPI_TLS_MISSING_SNI, /* Leave this as last member */ NDPI_MAX_RISK /* must be <= 31 due to (**) */ diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index 8360dd789..b96f52531 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -1708,6 +1708,12 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) { case NDPI_UNSAFE_PROTOCOL: return("Unsafe Protocol"); + case NDPI_DNS_SUSPICIOUS_TRAFFIC: + return("Suspicious DNS traffic"); /* Exfiltration ? */ + + case NDPI_TLS_MISSING_SNI: + return("SNI TLS extension was missing"); + default: snprintf(buf, sizeof(buf), "%d", (int)risk); return(buf); diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 12c6d0338..f8f590a5b 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c 
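Review bot: The `must be <= 31 due to (**)` constraint on NDPI_MAX_RISK in the -78 hunk is still enforced only by a comment while this change consumes two more of the remaining slots (NDPI_MAX_RISK lands at 25 if the `/* 20 */` marker on NDPI_SMB_INSECURE_VERSION is accurate, leaving six); a compile-time guard such as `_Static_assert(NDPI_MAX_RISK <= 31, "ndpi_risk bitmap overflow");` placed after the typedef, or a negative-array-size typedef if the build does not assume C11, would turn the next overflow into a build error instead of a risk bit that silently falls off the end of the bitmap. The `/* 10 */` and `/* 20 */` position hints added here will drift the first time a value is inserted above them; since new risks must only ever be appended just before NDPI_MAX_RISK to keep existing numbering (and any persisted risk values) stable, a one-line comment stating that rule near the enum is more durable than numeric hints. The enum definition starts before and ends after the hunk.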
@@ -35,7 +35,64 @@ #define LLMNR_PORT 5355 #define MDNS_PORT 5353 -static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); +static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow); + +/* *********************************************** */ + +static void ndpi_check_dns_type(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + u_int16_t dns_type) { + /* https://en.wikipedia.org/wiki/List_of_DNS_record_types */ + + switch(dns_type) { + /* Obsolete record types */ + case 3: + case 4: + case 254: + case 7: + case 8: + case 9: + case 14: + case 253: + case 11: + case 33: + case 10: + case 38: + case 30: + case 25: + case 24: + case 13: + case 17: + case 19: + case 20: + case 21: + case 22: + case 23: + case 26: + case 31: + case 32: + case 34: + case 42: + case 40: + case 27: + case 100: + case 101: + case 102: + case 103: + case 99: + case 56: + case 57: + case 58: + case 104: + case 105: + case 106: + case 107: + case 259: + NDPI_SET_BIT(flow->risk, NDPI_DNS_SUSPICIOUS_TRAFFIC); + break; + } +} /* *********************************************** */ @@ -153,7 +210,7 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, flow->protos.dns.query_type = get16(&x, flow->packet.payload); #ifdef DNS_DEBUG NDPI_LOG_DBG2(ndpi_struct, "query_type=%2d\n", flow->protos.dns.query_type); - printf("[DNS] query_type=%d\n", flow->protos.dns.query_type); + printf("[DNS] [request] query_type=%d\n", flow->protos.dns.query_type); #endif break; } else @@ -199,7 +256,8 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, break; } - if((data_len = getNameLength(x, flow->packet.payload, flow->packet.payload_packet_len)) == 0) { + if((data_len = getNameLength(x, flow->packet.payload, + flow->packet.payload_packet_len)) == 0) { break; } else x += data_len; 
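Review bot: The `/* Obsolete record types */` list in ndpi_check_dns_type includes `case 33:`, which in the IANA DNS type registry is SRV — a record in routine use for Kerberos, LDAP, SIP and XMPP service discovery — so every response carrying an SRV answer will raise NDPI_DNS_SUSPICIOUS_TRAFFIC; unless that is intended, drop it, and note that 13 (HINFO) is now returned by some public resolvers for ANY queries (RFC 8482), another likely false-positive source. The switch has no `default:` branch and the `ndpi_struct` parameter is unused in the body; if it is kept for symmetry with the other helpers, a short comment saying so avoids an unused-parameter question later. The helper is only called from the response path in the later `rsp_type` hunk, while the request hunk at -153 stores `query_type` without checking it, so a flow whose queries use one of these types but whose answers carry none (a server replying NXDOMAIN, for instance) is never flagged; consider `ndpi_check_dns_type(ndpi_struct, flow, flow->protos.dns.query_type);` right after the query_type assignment. search_valid_dns starts and ends outside these hunks.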
@@ -207,7 +265,15 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, if((x+2) >= flow->packet.payload_packet_len) { break; } + rsp_type = get16(&x, flow->packet.payload); + +#ifdef DNS_DEBUG + printf("[DNS] [response] response_type=%d\n", rsp_type); +#endif + + ndpi_check_dns_type(ndpi_struct, flow, rsp_type); + flow->protos.dns.rsp_type = rsp_type; /* here x points to the response "class" field */ diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 134dfe614..dc54a7964 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -325,7 +325,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi if(rdn_len && (flow->protos.stun_ssl.ssl.issuerDN == NULL)) flow->protos.stun_ssl.ssl.issuerDN = ndpi_strdup(rdnSeqBuf); - + rdn_len = 0; /* Reset buffer */ } @@ -607,10 +607,10 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, #ifdef DEBUG_TLS_BLOCKS printf("*** [TLS Block] Enough blocks dissected\n"); #endif - - flow->extra_packets_func = NULL; /* We're good now */ + + flow->extra_packets_func = NULL; /* We're good now */ } - + return(1); } @@ -665,10 +665,10 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t len, p_len; const u_int8_t *p; u_int8_t content_type; - + if(flow->l4.tcp.tls.message.buffer_used < 5) return(1); /* Keep working */ - + len = (flow->l4.tcp.tls.message.buffer[3] << 8) + flow->l4.tcp.tls.message.buffer[4] + 5; if(len > flow->l4.tcp.tls.message.buffer_used) { @@ -694,7 +694,7 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, #endif content_type = flow->l4.tcp.tls.message.buffer[0]; - + /* Overwriting packet payload */ p = packet->payload, p_len = packet->payload_packet_len; /* Backup */ 
@@ -722,7 +722,7 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, } processTLSBlock(ndpi_struct, flow); - + processed += packet->payload_packet_len; } } else { @@ -731,7 +731,7 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, if(flow->l4.tcp.tls.num_tls_blocks < ndpi_struct->num_tls_blocks_to_follow) flow->l4.tcp.tls.tls_application_blocks_len[flow->l4.tcp.tls.num_tls_blocks++] = (packet->packet_direction == 0) ? (len-5) : -(len-5); - + #ifdef DEBUG_TLS_BLOCKS printf("*** [TLS Block] [len: %u][num_tls_blocks: %u/%u]\n", len-5, flow->l4.tcp.tls.num_tls_blocks, ndpi_struct->num_tls_blocks_to_follow); @@ -1512,6 +1512,13 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, NDPI_SET_BIT(flow->risk, NDPI_TLS_SUSPICIOUS_ESNI_USAGE); } + /* Add check for missing SNI */ + if((flow->protos.stun_ssl.ssl.client_requested_server_name[0] == 0) + && (flow->protos.stun_ssl.ssl.ssl_version >= 0x0302) /* TLSv1.1 */) { + /* This is a bit suspicious */ + NDPI_SET_BIT(flow->risk, NDPI_TLS_MISSING_SNI); + } + return(2 /* Client Certificate */); } else { #ifdef DEBUG_TLS |
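Review bot: The new missing-SNI condition in the -1512 hunk fires for every hello at version >= 0x0302 whose server_name is empty, which includes the legitimate case of a client addressing the server by IP literal (RFC 6066 does not permit IP addresses in server_name), so NDPI_TLS_MISSING_SNI will be raised on a large amount of benign internal-network TLS; either document this as a heuristic in the comment or, if the caller can tell that the destination is hostname-addressed, gate the check on that. The `/* TLSv1.1 */` threshold also deserves a reason: SNI was already defined for TLS 1.0 (RFC 3546), so 0x0302 is a pragmatic cut-off for legacy stacks rather than a protocol requirement — suggest `/* SNI exists since TLS 1.0 (RFC 3546); absence is only treated as suspicious from TLS 1.1 on, since many 1.0 stacks never sent it */`. Whether `client_requested_server_name` is guaranteed to have been parsed before this point, and whether this branch is reached only for a ClientHello (the `return(2 /* Client Certificate */)` label is ambiguous), cannot be confirmed from the hunk; processClientServerHello starts before the hunk and its else-branch continues past it.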