Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_api.h.in | 75 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 86 | ||||
-rw-r--r-- | src/lib/ndpi_serializer.c | 36 | ||||
-rw-r--r-- | src/lib/protocols/dns.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/http.c | 7 | ||||
-rw-r--r-- | src/lib/protocols/netbios.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 3 | ||||
-rw-r--r-- | src/lib/protocols/tor.c | 2 |
8 files changed, 102 insertions, 111 deletions
diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in index 25c16a56d..ecc276eab 100644 --- a/src/include/ndpi_api.h.in +++ b/src/include/ndpi_api.h.in @@ -945,7 +945,7 @@ extern "C" { /* DGA */ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, - char *name); + char *name, u_int8_t is_hostname); /* Serializer */ int ndpi_init_serializer_ll(ndpi_serializer *serializer, ndpi_serialization_format fmt, 
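Review bot: The new `is_hostname` parameter is undocumented in the public header, and the call sites in this diff give it two different meanings — `1` for names taken from DNS, TLS, NetBIOS and the HTTP Host header, `0` for the HTTP User-Agent string. A short comment on the prototype would fix that, e.g. `/* is_hostname: 1 when name is a DNS host name (enables the many-labels heuristic), 0 for other strings such as a User-Agent */`. The declaration sits inside the `extern "C"` block that starts and ends outside the hunk.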
@@ -954,54 +954,35 @@ extern "C" { void ndpi_term_serializer(ndpi_serializer *serializer); void ndpi_reset_serializer(ndpi_serializer *serializer); - int ndpi_serialize_uint32_uint32(ndpi_serializer *serializer, - u_int32_t key, u_int32_t value); - int ndpi_serialize_uint32_uint64(ndpi_serializer *serializer, - u_int32_t key, u_int64_t value); - int ndpi_serialize_uint32_int32(ndpi_serializer *serializer, - u_int32_t key, int32_t value); - int ndpi_serialize_uint32_int64(ndpi_serializer *serializer, - u_int32_t key, int64_t value); - int ndpi_serialize_uint32_float(ndpi_serializer *serializer, - u_int32_t key, float value, - const char *format /* e.f. "%.2f" */); - int ndpi_serialize_uint32_string(ndpi_serializer *serializer, - u_int32_t key, const char *value); - int ndpi_serialize_uint32_boolean(ndpi_serializer *serializer, - u_int32_t key, u_int8_t value); - - int ndpi_serialize_string_int32(ndpi_serializer *serializer, - const char *key, int32_t value); - int ndpi_serialize_string_int64(ndpi_serializer *serializer, - const char *key, int64_t value); - int ndpi_serialize_string_uint32(ndpi_serializer *serializer, - const char *key, u_int32_t value); - int ndpi_serialize_string_uint32_format(ndpi_serializer *serializer, - const char *key, u_int32_t value, - const char *format); - int ndpi_serialize_string_uint64(ndpi_serializer *serializer, - const char *key, u_int64_t value); - int ndpi_serialize_string_string(ndpi_serializer *serializer, - const char *key, const char *value); - int ndpi_serialize_string_binary(ndpi_serializer *serializer, - const char *key, const char *_value, - u_int16_t vlen); - int ndpi_serialize_string_raw(ndpi_serializer *_serializer, - const char *key, const char *_value, - u_int16_t vlen); - int ndpi_serialize_string_float(ndpi_serializer *serializer, - const char *key, float value, - const char *format /* e.f. 
"%.2f" */); - int ndpi_serialize_string_boolean(ndpi_serializer *serializer, - const char *key, u_int8_t value); - int ndpi_serialize_raw_record(ndpi_serializer *_serializer, - u_char *record, u_int32_t record_len); + int ndpi_serialize_uint32_uint32(ndpi_serializer *serializer, u_int32_t key, u_int32_t value); + int ndpi_serialize_uint32_uint64(ndpi_serializer *serializer, u_int32_t key, u_int64_t value); + int ndpi_serialize_uint32_int32(ndpi_serializer *serializer, u_int32_t key, int32_t value); + int ndpi_serialize_uint32_int64(ndpi_serializer *serializer, u_int32_t key, int64_t value); + int ndpi_serialize_uint32_float(ndpi_serializer *serializer, u_int32_t key, float value, const char *format /* e.f. "%.2f" */); + int ndpi_serialize_uint32_string(ndpi_serializer *serializer, u_int32_t key, const char *value); + int ndpi_serialize_uint32_boolean(ndpi_serializer *serializer, u_int32_t key, u_int8_t value); + int ndpi_serialize_binary_int32(ndpi_serializer *_serializer, const char *key, u_int16_t klen, int32_t value); + int ndpi_serialize_string_int32(ndpi_serializer *serializer, const char *key, int32_t value); + int ndpi_serialize_binary_int64(ndpi_serializer *_serializer, const char *key, u_int16_t klen, int64_t value); + int ndpi_serialize_string_int64(ndpi_serializer *serializer, const char *key, int64_t value); + int ndpi_serialize_binary_uint32(ndpi_serializer *_serializer, const char *key, u_int16_t klen, u_int32_t value); + int ndpi_serialize_string_uint32(ndpi_serializer *serializer, const char *key, u_int32_t value); + int ndpi_serialize_string_uint32_format(ndpi_serializer *serializer, const char *key, u_int32_t value, const char *format); + int ndpi_serialize_binary_uint64(ndpi_serializer *_serializer, const char *key, u_int16_t klen, u_int64_t value); + int ndpi_serialize_string_uint64(ndpi_serializer *serializer, const char *key, u_int64_t value); + int ndpi_serialize_binary_binary(ndpi_serializer *_serializer, const char *key, u_int16_t klen, 
const char *_value, u_int16_t vlen); + int ndpi_serialize_string_string(ndpi_serializer *serializer, const char *key, const char *value); + int ndpi_serialize_string_binary(ndpi_serializer *serializer, const char *key, const char *_value, u_int16_t vlen); + int ndpi_serialize_string_raw(ndpi_serializer *_serializer, const char *key, const char *_value, u_int16_t vlen); + int ndpi_serialize_binary_float(ndpi_serializer *_serializer, const char *key, u_int16_t klen, float value, const char *format /* e.f. "%.2f" */); + int ndpi_serialize_string_float(ndpi_serializer *serializer, const char *key, float value, const char *format /* e.f. "%.2f" */); + int ndpi_serialize_string_boolean(ndpi_serializer *serializer, const char *key, u_int8_t value); + int ndpi_serialize_raw_record(ndpi_serializer *_serializer, u_char *record, u_int32_t record_len); int ndpi_serialize_end_of_record(ndpi_serializer *serializer); - int ndpi_serialize_start_of_list(ndpi_serializer *serializer, - const char *key); + int ndpi_serialize_start_of_list(ndpi_serializer *serializer, const char *key); int ndpi_serialize_end_of_list(ndpi_serializer *serializer); - int ndpi_serialize_start_of_block(ndpi_serializer *serializer, - const char *key); + int ndpi_serialize_start_of_block_binary(ndpi_serializer *_serializer, const char *key, u_int16_t klen); + int ndpi_serialize_start_of_block(ndpi_serializer *serializer, const char *key); int ndpi_serialize_end_of_block(ndpi_serializer *serializer); char* ndpi_serializer_get_buffer(ndpi_serializer *serializer, u_int32_t *buffer_len); u_int32_t ndpi_serializer_get_buffer_len(ndpi_serializer *serializer); diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 564f8978d..d8a3b354f 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c 
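Review bot: `ndpi_serialize_binary_int64` and `ndpi_serialize_start_of_block_binary` are added to the public header, but the ndpi_serializer.c hunks in this diff only drop `static` from the int32, uint32, uint64, float and binary variants; if those two are still `static` in the .c file, external callers will compile against the header and fail at link time, so their definitions should be checked. The newly exported `binary_*` prototypes also carry no note on the `klen` contract — the comment above `ndpi_serialize_binary_binary` in the .c file says the key is a `<string, len>` pair, which a user of the header cannot see; `/* key is klen bytes and need not be NUL-terminated */` on the first binary prototype would cover them all. The repeated `e.f. "%.2f"` in the format comments should read `e.g.`.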
@@ -6665,10 +6665,10 @@ static int enough(int a, int b) { int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, - char *name) { + char *name, u_int8_t is_hostname) { int len, rc = 0; - u_int8_t max_num_char_repetitions = 0, last_char = 0, num_char_repetitions = 0; - u_int8_t max_domain_element_len = 0, curr_domain_element_len = 0; + u_int8_t max_num_char_repetitions = 0, last_char = 0, num_char_repetitions = 0, num_dots = 0; + u_int8_t max_domain_element_len = 0, curr_domain_element_len = 0, first_element_is_numeric = 1; len = strlen(name); 
@@ -6685,45 +6685,52 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, } for(i=0, j=0; (i<len) && (j<(sizeof(tmp)-1)); i++) { - tmp[j] = tolower(name[i]); + tmp[j] = tolower(name[i]); - if(last_char == tmp[j]) { - if(++num_char_repetitions > max_num_char_repetitions) - max_num_char_repetitions = num_char_repetitions; - } else - num_char_repetitions = 1, last_char = tmp[j]; - - switch(tmp[j]) { - case '.': - case '-': - case '_': - case '/': - case ')': - case '(': - case ';': - case ':': - case '[': - case ']': - case ' ': - /* - Domain/word separator chars + if(tmp[j] == '.') + num_dots++; + else if(num_dots == 0) { + if(!isnumber(tmp[j])) + first_element_is_numeric = 0; + } + + if(last_char == tmp[j]) { + if(++num_char_repetitions > max_num_char_repetitions) + max_num_char_repetitions = num_char_repetitions; + } else + num_char_repetitions = 1, last_char = tmp[j]; + + switch(tmp[j]) { + case '.': + case '-': + case '_': + case '/': + case ')': + case '(': + case ';': + case ':': + case '[': + case ']': + case ' ': + /* + Domain/word separator chars - NOTE: - this function is used also to detect other type of issues - such as invalid/suspiciuous user agent - */ - if(curr_domain_element_len > max_domain_element_len) - max_domain_element_len = curr_domain_element_len; + NOTE: + this function is used also to detect other type of issues + such as invalid/suspiciuous user agent + */ + if(curr_domain_element_len > max_domain_element_len) + max_domain_element_len = curr_domain_element_len; - curr_domain_element_len = 0; + curr_domain_element_len = 0; break; - default: - curr_domain_element_len++; - break; - } + default: + curr_domain_element_len++; + break; + } - j++; + j++; } if(curr_domain_element_len > max_domain_element_len) 
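Review bot: `isnumber()` on the new `else if(num_dots == 0)` branch is a BSD/macOS `<ctype.h>` extension that glibc does not provide, so this will not build on Linux unless the file supplies its own definition; `isdigit()` is the portable equivalent. Both that call and the re-indented `tmp[j] = tolower(name[i])` pass a plain `char` to a `<ctype.h>` function, which is undefined for negative values and matters here because `name` comes from packet data; use `tmp[j] = tolower((unsigned char)name[i]);` and `if(!isdigit((unsigned char)tmp[j]))`. `ndpi_check_dga_name` begins and ends outside this hunk.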
@@ -6735,7 +6742,12 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, #endif if( - (max_num_char_repetitions > 5 /* num or consecutive repeated chars */) + (is_hostname + && (num_dots > 5) + && (!first_element_is_numeric) + && (strstr(tmp, "in-addr.arpa") == NULL) + ) + || (max_num_char_repetitions > 5 /* num or consecutive repeated chars */) /* In case of a name with too many consecutive chars an alert is triggered This is the case for instance of the wildcard DNS query used by NetBIOS diff --git a/src/lib/ndpi_serializer.c b/src/lib/ndpi_serializer.c index c1f52f89e..bfbd56eb6 100644 --- a/src/lib/ndpi_serializer.c +++ b/src/lib/ndpi_serializer.c @@ -1138,9 +1138,9 @@ int ndpi_serialize_uint32_boolean(ndpi_serializer *_serializer, /* ********************************** */ -static int ndpi_serialize_binary_int32(ndpi_serializer *_serializer, - const char *key, u_int16_t klen, - int32_t value) { +int ndpi_serialize_binary_int32(ndpi_serializer *_serializer, + const char *key, u_int16_t klen, + int32_t value) { ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer; u_int32_t buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; u_int32_t needed; @@ -1288,8 +1288,8 @@ int ndpi_serialize_string_int64(ndpi_serializer *_serializer, /* ********************************** */ -static int ndpi_serialize_binary_uint32(ndpi_serializer *_serializer, - const char *key, u_int16_t klen, u_int32_t value) { +int ndpi_serialize_binary_uint32(ndpi_serializer *_serializer, + const char *key, u_int16_t klen, u_int32_t value) { ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer; u_int32_t buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; u_int32_t needed; 
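Review bot: The new hostname test only exempts `in-addr.arpa`, but IPv6 reverse names under `ip6.arpa` consist of 32 single-nibble labels, so any of them whose first nibble is a letter passes both `!first_element_is_numeric` and `num_dots > 5` and will be flagged as DGA; `&& (strstr(tmp, "in-addr.arpa") == NULL) && (strstr(tmp, "ip6.arpa") == NULL)` closes that false positive. `strstr(tmp, ...)` also relies on `tmp` being NUL-terminated after the copy loop, which is outside this hunk and worth confirming. The threshold `5` now appears twice in this condition with different meanings and deserves a named constant or a comment such as `/* > 5 labels: deeper than common legitimate names */`. The function body continues past the hunk.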
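Review bot: Dropping `static` from `ndpi_serialize_binary_int32` (and likewise `ndpi_serialize_binary_uint32` in the next hunk, and `_uint64`, `_float` and `_binary` in the following ones) turns functions that were only reached through the string wrappers into public entry points, yet the visible prologue casts and dereferences `_serializer` with no argument check, and nothing in the diff documents the `key`/`klen` contract for outside callers. Whether the string wrappers validate before delegating is not visible here, so it is worth confirming that the now-public functions do not assume pre-checked input. For `ndpi_serialize_binary_float` the caller-supplied `format` is, as in the string variant, presumably handed to a printf-style call; the header should state that it must be a fixed format such as `"%.2f"` rather than externally derived text.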
@@ -1389,9 +1389,9 @@ int ndpi_serialize_string_uint32_format(ndpi_serializer *_serializer, /* ********************************** */ -static int ndpi_serialize_binary_uint64(ndpi_serializer *_serializer, - const char *key, u_int16_t klen, - u_int64_t value) { +int ndpi_serialize_binary_uint64(ndpi_serializer *_serializer, + const char *key, u_int16_t klen, + u_int64_t value) { ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer; u_int32_t buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; u_int32_t needed; @@ -1462,11 +1462,11 @@ int ndpi_serialize_string_uint64(ndpi_serializer *_serializer, /* ********************************** */ -static int ndpi_serialize_binary_float(ndpi_serializer *_serializer, - const char *key, - u_int16_t klen, - float value, - const char *format /* e.f. "%.2f" */) { +int ndpi_serialize_binary_float(ndpi_serializer *_serializer, + const char *key, + u_int16_t klen, + float value, + const char *format /* e.f. "%.2f" */) { ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer; u_int32_t buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; u_int32_t needed; @@ -1597,11 +1597,11 @@ static int ndpi_serialize_binary_raw(ndpi_serializer *_serializer, /* ********************************** */ /* Key is a <string, len> pair, value is a <string, len> pair */ -static int ndpi_serialize_binary_binary(ndpi_serializer *_serializer, - const char *key, - u_int16_t klen, - const char *_value, - u_int16_t vlen) { +int ndpi_serialize_binary_binary(ndpi_serializer *_serializer, + const char *key, + u_int16_t klen, + const char *_value, + u_int16_t vlen) { const char *value = _value ? _value : ""; if(ndpi_is_number(key, klen)) diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 5e6d01d69..03ac7b9d2 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c 
@@ -301,7 +301,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st if(j > 0) { ndpi_protocol_match_result ret_match; - ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name); + ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name, 1); ret.app_protocol = ndpi_match_host_subprotocol(ndpi_struct, flow, (char *)flow->host_server_name, diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 0e3e0d413..acfa55769 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -263,15 +263,12 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru char *ua) { if((!ua) || (ua[0] == '\0')) return; - // printf("***** [%s:%d] ==> '%s'\n", __FILE__, __LINE__, ua); - // printf("***** %u\n", ndpi_check_dga_name(ndpi_struct, NULL, "uclient-fetch]")); - if((strlen(ua) < 4) || (!strncmp(ua, "test", 4)) || (!strncmp(ua, "<?", 2)) || strchr(ua, '{') || strchr(ua, '}') - || ndpi_check_dga_name(ndpi_struct, NULL, ua) + || ndpi_check_dga_name(ndpi_struct, NULL, ua, 0) // || ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, ua) ) { NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_USER_AGENT); @@ -438,7 +435,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ flow->host_server_name[len] = '\0'; flow->extra_packets_func = NULL; /* We're good now */ - if(len > 0) ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name); + if(len > 0) ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name, 1); flow->server_id = flow->dst; if(packet->forwarded_line.ptr) { diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c index 6ca691c7e..1f3850cbd 100644 --- a/src/lib/protocols/netbios.c +++ b/src/lib/protocols/netbios.c 
@@ -85,7 +85,7 @@ static void ndpi_int_netbios_add_connection(struct ndpi_detection_module_struct flow->packet.payload_packet_len - off, name, sizeof(name)) > 0) { snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name); - ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name); + ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name, 1); } if(sub_protocol == NDPI_PROTOCOL_UNKNOWN) diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index aa3836442..71fb2d5c3 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -1161,7 +1161,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, flow->l4.tcp.tls.subprotocol_detected = 1; } - ndpi_check_dga_name(ndpi_struct, flow, flow->protos.stun_ssl.ssl.client_requested_server_name); + ndpi_check_dga_name(ndpi_struct, flow, + flow->protos.stun_ssl.ssl.client_requested_server_name, 1); } else { #ifdef DEBUG_TLS printf("[TLS] Extensions server len too short: %u vs %u\n", diff --git a/src/lib/protocols/tor.c b/src/lib/protocols/tor.c index 7318685e7..71172e211 100644 --- a/src/lib/protocols/tor.c +++ b/src/lib/protocols/tor.c @@ -48,7 +48,7 @@ int ndpi_is_tls_tor(struct ndpi_detection_module_struct *ndpi_struct, if((dot = strrchr(dummy, '.')) == NULL) return(0); name = &dot[1]; - if(ndpi_check_dga_name(ndpi_struct, flow, name)) { + if(ndpi_check_dga_name(ndpi_struct, flow, name, 1)) { ndpi_int_tor_add_connection(ndpi_struct, flow); return(1); } else { |
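Review bot: In tor.c the string passed is `&dot[1]`, the last label after the final `'.'`, so `num_dots` is always 0 and the new `is_hostname` branch can never fire; passing `1` here is harmless but suggests a check that does not apply. Either pass `0` or add `/* single label: only the repetition and element-length heuristics apply */` above the call so the next reader does not expect the label-count test. The netbios.c and tls.c hunks on this line pass full host names and are consistent with the new parameter.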