Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_api.h.in9
-rw-r--r--src/include/ndpi_typedefs.h3
-rw-r--r--src/lib/ndpi_main.c71
-rw-r--r--src/lib/ndpi_utils.c3
-rw-r--r--src/lib/protocols/tls.c26
5 files changed, 102 insertions, 10 deletions
diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in
index 4e63d1d22..0e6a50518 100644
--- a/src/include/ndpi_api.h.in
+++ b/src/include/ndpi_api.h.in
@@ -716,6 +716,15 @@ extern "C" {
int ndpi_load_malicious_ja3_file(struct ndpi_detection_module_struct *ndpi_str, const char *path);
/**
+ * Read a file and load the list of malicious SSL certificate SHA1 fingerprints.
+ * @par ndpi_mod = the detection module
+ * @par path = the path of the file
+ * @return 0 if the file is loaded correctly;
+ * -1 else
+ */
+ int ndpi_load_malicious_sha1_file(struct ndpi_detection_module_struct *ndpi_str, const char *path);
+
+ /**
* Get the total number of the supported protocols
*
* @par ndpi_mod = the detection module
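Review bot: The `@return` text for ndpi_load_malicious_sha1_file does not match the implementation added in the src/lib/ndpi_main.c hunk, which returns the number of fingerprints loaded (`return num;`) and -1 only when the file cannot be opened. A caller that follows this header would treat any successful non-empty load as a failure. Either document the actual contract, e.g. `@return the number of fingerprints loaded, or -1 if the file cannot be opened`, or make the function return 0 on success. The `@par ndpi_mod` tag also names a parameter the prototype calls ndpi_str; this mirrors the neighbouring entries but is worth aligning while the text is new.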
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 973e08670..79ccf9c1c 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -92,6 +92,7 @@ typedef enum {
NDPI_RISKY_ASN,
NDPI_RISKY_DOMAIN,
NDPI_MALICIOUS_JA3,
+ NDPI_MALICIOUS_SHA1,
/* Leave this as last member */
@@ -1101,7 +1102,7 @@ struct ndpi_detection_module_struct {
subprotocol_automa, /* Used for HTTP subprotocol_detection */
bigrams_automa, impossible_bigrams_automa, /* TOR */
risky_domain_automa, tls_cert_subject_automa,
- malicious_ja3_automa;
+ malicious_ja3_automa, malicious_sha1_automa;
/* IMPORTANT: please update ndpi_finalize_initialization() whenever you add a new automa */
struct {
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index f5f964f8b..5afdc4695 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -2193,6 +2193,7 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs
ndpi_str->impossible_bigrams_automa.ac_automa = ac_automata_init(ac_match_handler);
ndpi_str->tls_cert_subject_automa.ac_automa = ac_automata_init(ac_match_handler);
ndpi_str->malicious_ja3_automa.ac_automa = NULL; /* Initialized on demand */
+ ndpi_str->malicious_sha1_automa.ac_automa = NULL; /* Initialized on demand */
ndpi_str->risky_domain_automa.ac_automa = NULL; /* Initialized on demand */
if((sizeof(categories) / sizeof(char *)) != NDPI_PROTOCOL_NUM_CATEGORIES) {
@@ -2253,7 +2254,11 @@ void ndpi_finalize_initialization(struct ndpi_detection_module_struct *ndpi_str)
case 5:
automa = &ndpi_str->malicious_ja3_automa;
break;
-
+
+ case 6:
+ automa = &ndpi_str->malicious_sha1_automa;
+ break;
+
default:
return;
}
@@ -2519,6 +2524,9 @@ void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_str) {
if(ndpi_str->malicious_ja3_automa.ac_automa != NULL)
ac_automata_release((AC_AUTOMATA_t *) ndpi_str->malicious_ja3_automa.ac_automa, 0);
+ if(ndpi_str->malicious_sha1_automa.ac_automa != NULL)
+ ac_automata_release((AC_AUTOMATA_t *) ndpi_str->malicious_sha1_automa.ac_automa, 0);
+
if(ndpi_str->custom_categories.hostnames.ac_automa != NULL)
ac_automata_release((AC_AUTOMATA_t *) ndpi_str->custom_categories.hostnames.ac_automa,
1 /* free patterns strings memory */);
@@ -2968,7 +2976,7 @@ int ndpi_load_risk_domain_file(struct ndpi_detection_module_struct *ndpi_str, co
/*
* Format:
*
- * <domain name>[,<other info>]
+ * <ja3 hash>[,<other info>]
*
*/
int ndpi_load_malicious_ja3_file(struct ndpi_detection_module_struct *ndpi_str, const char *path) {
@@ -3016,6 +3024,65 @@ int ndpi_load_malicious_ja3_file(struct ndpi_detection_module_struct *ndpi_str,
/* ******************************************************************** */
/*
+ * Format:
+ *
+ * <sha1 hash>
+ * <other info>,<sha1 hash>
+ * <other info>,<sha1 hash>[,<other info>[...]]
+ *
+ */
+int ndpi_load_malicious_sha1_file(struct ndpi_detection_module_struct *ndpi_str, const char *path)
+{
+ char buffer[128];
+ char *first_comma, *second_comma;
+ FILE *fd;
+ size_t len;
+ int num = 0;
+
+ if (ndpi_str->malicious_sha1_automa.ac_automa == NULL)
+ ndpi_str->malicious_sha1_automa.ac_automa = ac_automata_init(ac_match_handler);
+
+ fd = fopen(path, "r");
+
+ if (fd == NULL) {
+ NDPI_LOG_ERR(ndpi_str, "Unable to open file %s [%s]\n", path, strerror(errno));
+ return -1;
+ }
+
+ while (fgets(buffer, sizeof(buffer), fd) != NULL) {
+ len = strlen(buffer);
+
+ if (len <= 1 || buffer[0] == '#')
+ continue;
+
+ first_comma = strchr(buffer, ',');
+ if (first_comma != NULL) {
+ first_comma++;
+ second_comma = strchr(first_comma, ',');
+ if (second_comma == NULL)
+ second_comma = &buffer[len - 1];
+ } else {
+ first_comma = &buffer[0];
+ second_comma = &buffer[len - 1];
+ }
+
+ if ((second_comma - first_comma) != 40)
+ continue;
+ second_comma[0] = '\0';
+
+ for (size_t i = 0; i < 40; ++i)
+ first_comma[i] = toupper(first_comma[i]);
+
+ if (ndpi_add_string_to_automa(ndpi_str->malicious_sha1_automa.ac_automa, first_comma) >= 0)
+ num++;
+ }
+
+ return num;
+}
+
+/* ******************************************************************** */
+
+/*
Format:
<tcp|udp>:<port>,<tcp|udp>:<port>,.....@<proto>
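Review bot: The FILE opened at `fd = fopen(path, "r");` is never closed: the only exit after the loop is `return num;` with no `fclose(fd)`, so every call to ndpi_load_malicious_sha1_file leaks a descriptor. Add `fclose(fd);` immediately before `return num;`. The end-of-line handling also assumes a trailing newline: `second_comma = &buffer[len - 1]` points at the last hash character when the final line has no '\n' (or at '\r' for CRLF files), so the 40-character check fails and that entry is silently dropped; stripping trailing '\n'/'\r' before computing the length would avoid this. Finally, `toupper(first_comma[i])` is passed a plain char, which is undefined for negative values; cast to `(unsigned char)` first.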
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 2fdaf34c6..d50e8ccae 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1766,6 +1766,9 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
case NDPI_MALICIOUS_JA3:
return("Possibly Malicious JA3 Fingerprint");
+ case NDPI_MALICIOUS_SHA1:
+ return("Possibly Malicious SSL Certificate SHA1 Fingerprint");
+
default:
snprintf(buf, sizeof(buf), "%d", (int)risk);
return(buf);
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index f38f4f87d..5e3ae65b1 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -621,16 +621,28 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct,
flow->l4.tcp.tls.fingerprint_set = 1;
+ uint8_t * sha1 = flow->protos.tls_quic_stun.tls_quic.sha1_certificate_fingerprint;
+ const size_t sha1_siz = sizeof(flow->protos.tls_quic_stun.tls_quic.sha1_certificate_fingerprint);
+ char sha1_str[sha1_siz * 2 + 1];
+ static const char hexalnum[] = "0123456789ABCDEF";
+ for (size_t i = 0; i < sha1_siz; ++i) {
+ u_int8_t lower = (sha1[i] & 0x0F);
+ u_int8_t upper = (sha1[i] & 0xF0) >> 4;
+ sha1_str[i*2] = hexalnum[upper];
+ sha1_str[i*2 + 1] = hexalnum[lower];
+ }
+ sha1_str[sha1_siz * 2] = '\0';
+
#ifdef DEBUG_TLS
- {
- int i;
+ printf("[TLS] SHA-1: %s\n", sha1_str);
+#endif
- printf("[TLS] SHA-1: ");
- for(i=0;i<20;i++)
- printf("%s%02X", (i > 0) ? ":" : "", flow->protos.tls_quic_stun.tls_quic.sha1_certificate_fingerprint[i]);
- printf("\n");
+ if (ndpi_struct->malicious_sha1_automa.ac_automa != NULL) {
+ u_int16_t rc1 = ndpi_match_string(ndpi_struct->malicious_sha1_automa.ac_automa, sha1_str);
+
+ if(rc1 > 0)
+ NDPI_SET_BIT(flow->risk, NDPI_MALICIOUS_SHA1);
}
-#endif
processCertificateElements(ndpi_struct, flow, certificates_offset, certificate_len);
}
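Review bot: `char sha1_str[sha1_siz * 2 + 1];` is a variable-length array in C, because a const-qualified `size_t` local is not an integer constant expression; the size is fixed at compile time, so derive it from the sizeof expression directly, e.g. `char sha1_str[sizeof(flow->protos.tls_quic_stun.tls_quic.sha1_certificate_fingerprint) * 2 + 1];`, which keeps the buffer a plain array while the `sha1_siz * 2` terminator index still agrees with it. The hunk also mixes `uint8_t` (the sha1 pointer) with `u_int8_t` (lower/upper); pick whichever spelling the rest of tls.c uses. The uppercase `hexalnum` table is what makes the lookup agree with the toupper() normalisation in ndpi_load_malicious_sha1_file, so a one-line comment such as `/* upper-case hex: must match the normalisation in ndpi_load_malicious_sha1_file() */` would stop a later change to lowercase from silently breaking matches. processCertificate begins before this hunk.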