Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_api.h.in | 2 | ||||
-rw-r--r-- | src/lib/ndpi_analyze.c | 18 | ||||
-rw-r--r-- | src/lib/ndpi_content_match.c.inc | 6 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 21 | ||||
-rw-r--r-- | src/lib/protocols/http.c | 16 | ||||
-rw-r--r-- | src/lib/protocols/ssh.c | 19 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 2 |
7 files changed, 68 insertions, 16 deletions
diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in index 5d77d6221..0fa02e3c7 100644 --- a/src/include/ndpi_api.h.in +++ b/src/include/ndpi_api.h.in @@ -1028,6 +1028,7 @@ extern "C" { struct ndpi_analyze_struct* ndpi_alloc_data_analysis(u_int16_t _max_series_len); void ndpi_init_data_analysis(struct ndpi_analyze_struct *s, u_int16_t _max_series_len); void ndpi_free_data_analysis(struct ndpi_analyze_struct *d); + void ndpi_reset_data_analysis(struct ndpi_analyze_struct *d); void ndpi_data_add_value(struct ndpi_analyze_struct *s, const u_int32_t value); /* Sliding-window only */ @@ -1040,6 +1041,7 @@ extern "C" { float ndpi_data_entropy(struct ndpi_analyze_struct *s); float ndpi_data_variance(struct ndpi_analyze_struct *s); float ndpi_data_stddev(struct ndpi_analyze_struct *s); + u_int32_t ndpi_data_last(struct ndpi_analyze_struct *s); u_int32_t ndpi_data_min(struct ndpi_analyze_struct *s); u_int32_t ndpi_data_max(struct ndpi_analyze_struct *s); float ndpi_data_ratio(u_int32_t sent, u_int32_t rcvd); diff --git a/src/lib/ndpi_analyze.c b/src/lib/ndpi_analyze.c index 7d4aa5f47..a2fe557ae 100644 --- a/src/lib/ndpi_analyze.c +++ b/src/lib/ndpi_analyze.c @@ -75,6 +75,14 @@ void ndpi_free_data_analysis(struct ndpi_analyze_struct *d) { /* ********************************************************************************* */ +void ndpi_reset_data_analysis(struct ndpi_analyze_struct *d) { + memset(d, 0, sizeof(struct ndpi_analyze_struct)); + memset(d->values, 0, sizeof(u_int32_t)*d->num_values_array_len); + d->num_data_entries = 0; +} + +/* ********************************************************************************* */ + /* Add a new point to analyze */ 
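Review bot: The whole-struct `memset` in `ndpi_reset_data_analysis` zeroes `d->values` and `d->num_values_array_len` before the second `memset` reads them, so that second call degenerates to `memset(NULL, 0, 0)`: the series buffer is never cleared and its pointer is lost, which leaks the allocation and leaves the struct without a backing array for whatever `ndpi_data_add_value` and `ndpi_data_last` do with `values` afterwards. Save the buffer pointer and its length before the struct is zeroed and restore them afterwards; the explicit `d->num_data_entries = 0` is then redundant. The field types are not visible in this hunk; `u_int16_t` below follows the `_max_series_len` parameter of `ndpi_alloc_data_analysis` and should be matched to the struct definition. The `ndpi_free_data_analysis` body named in the hunk header starts outside the hunk.
```c
void ndpi_reset_data_analysis(struct ndpi_analyze_struct *d) {
  u_int32_t *values = d->values;
  u_int16_t len = d->num_values_array_len; /* match the struct field's type */

  memset(d, 0, sizeof(struct ndpi_analyze_struct));
  d->values = values;
  d->num_values_array_len = len;

  if(values != NULL)
    memset(values, 0, sizeof(u_int32_t) * len);
}
```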
@@ -112,6 +120,16 @@ float ndpi_data_average(struct ndpi_analyze_struct *s) { /* ********************************************************************************* */ +u_int32_t ndpi_data_last(struct ndpi_analyze_struct *s) { + if((s->num_data_entries == 0) || (s->sum_total == 0)) + return(0); + + if(s->next_value_insert_index == 0) + return(s->values[s->num_values_array_len-1]); + else + return(s->values[s->next_value_insert_index-1]); +} + /* Return min/max on all values */ u_int32_t ndpi_data_min(struct ndpi_analyze_struct *s) { return(s->min_val); } u_int32_t ndpi_data_max(struct ndpi_analyze_struct *s) { return(s->max_val); } diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index 4ad5c5598..d10d2416e 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc @@ -9271,7 +9271,7 @@ static const char *ndpi_en_bigrams[] = { "ru", "su", "tu", "uu", "vu", "wu", "xu", "yu", "zu", "av", "bv", "dv", "ev", "iv", "lv", "mv", "nv", "ov", "rv", "sv", "tv", "uv", "vv", "zv", "aw", "bw", "dw", "ew", "fw", "gw", "hw", "iw", "kw", "lw", "mw", "nw", "ow", "pw", "rw", "sw", "tw", "uw", "ww", "xw", "yw", "zw", "ax", "ex", "ix", "nx", "ox", - "rx", "ux", "xx", "yx", "ay", "by", "cy", "dy", "ey", "fy", "gy", "hy", "ky", "ly", "my", "ny", "oy", + "rx", "ux", /* "xx", */ "yx", "ay", "by", "cy", "dy", "ey", "fy", "gy", "hy", "ky", "ly", "my", "ny", "oy", "py", "ry", "sy", "ty", "uy", "vy", "wy", "xy", "yy", "zy", "az", "bz", "cz", "dz", "ez", "gz", "iz", "lz", "nz", "oz", "pz", "rz", "tz", "uz", "zz", NULL }; 
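Review bot: The wrap-around branch of `ndpi_data_last`, `s->values[s->num_values_array_len-1]`, indexes `values[-1]` when `num_values_array_len` is 0 (the unsigned field promotes to `int` before the subtraction), and dereferences a NULL `values` if the struct was built without a sliding window; whether `ndpi_alloc_data_analysis` permits a zero length is not visible here, so this should be confirmed against the allocator. A cheap guard in front of both branches, `if((s->values == NULL) || (s->num_values_array_len == 0)) return(0);`, makes the function safe either way. The `sum_total == 0` early return is also worth a comment, since it returns 0 for a non-empty series whose values are all zero as well as for an empty one, which happens to coincide with the stored value but reads as an accident.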
@@ -9331,7 +9331,7 @@ static const char *ndpi_en_impossible_bigrams[] = { "qg", "qh", "qj", "qk", "ql", "qm", "qn", "qo", "qp", "qr", "qs", "qt", "qv", "qw", "qx", "qy", "uu", "qz", "sx", "sz", "tq", "tx", "vb", "vc", "vd", "vf", "vg", "vh", "vj", "vm", "vn", /* "vp", Removed for vpbank.com */ "bw", /* "vk", "zr" Removed for kavkazr */ "vq", "vt", "vw", "vx", "vz", "wq", "wv", "wx", "wz", /* "xb", foxbusiness.com */ - "xg", "xj", "xk", "xv", "xz", "xw", "yd", /*"yp", Removed for paypal */ + "xg", "xj", "xk", "xv", "xz", "xw", "yd", /*"yp", Removed for paypal */ "yj", "yq", "yv", "yz", "yw", "zb", "zc", "zg", "zh", "zj", "zn", "zq", "zs", "zx", "wh", "wk", - "wb", "zk", "kp", "zk", "xy", + "wb", "zk", "kp", "zk", "xy", "xx", NULL }; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 976c8ae83..b2f294c0b 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -100,10 +100,13 @@ void *ndpi_calloc(unsigned long count, size_t size) { /* ****************************************** */ void ndpi_free(void *ptr) { - if(_ndpi_free) - _ndpi_free(ptr); - else - free(ptr); + if(_ndpi_free) { + if(ptr) + _ndpi_free(ptr); + } else { + if(ptr) + free(ptr); + } } /* ****************************************** */ @@ -812,7 +815,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TEREDO, 0 /* can_have_a_subprotocol */, no_master, no_master, "Teredo", NDPI_PROTOCOL_CATEGORY_NETWORK, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, - ndpi_build_default_ports(ports_b, 3544, 0, 0, 0, 0) /* UDP */); + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); ndpi_set_proto_defaults( ndpi_str, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_WECHAT, 0 /* can_have_a_subprotocol */, no_master, /* wechat.com */ no_master, "WeChat", NDPI_PROTOCOL_CATEGORY_CHAT, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 
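Review bot: The NULL guard added around `free(ptr)` in `ndpi_free` is redundant, because C guarantees `free(NULL)` is a no-op; the guard only has a purpose for the user-supplied `_ndpi_free` hook, whose NULL handling is not visible here. A single early return keeps that protection without duplicating it in both branches: `if(ptr == NULL) return;` followed by the original `if(_ndpi_free) _ndpi_free(ptr); else free(ptr);`.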
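Review bot: The Teredo entry now registers no default UDP port at all, so the well-known port 3544 no longer contributes to port-based guessing for this protocol, and the hunk carries no comment explaining why; a reader of `ndpi_init_protocol_defaults` will assume the missing port is an omission. Record the intent next to the call, e.g. `/* UDP 3544 deliberately not registered: rely on payload detection only */`, adjusting the wording to the actual reason behind the change. The enclosing function starts and ends outside the hunk.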
@@ -870,7 +873,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_XBOX, 0 /* can_have_a_subprotocol */, no_master, no_master, "Xbox", NDPI_PROTOCOL_CATEGORY_GAME, ndpi_build_default_ports(ports_a, 3074, 3076, 0, 0, 0) /* TCP */, - ndpi_build_default_ports(ports_b, 3074, 3076, 500, 3544, 4500) /* UDP */); + ndpi_build_default_ports(ports_b, 3074, 3076, 500, 4500, 0) /* UDP */); ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_PLAYSTATION, 0 /* can_have_a_subprotocol */, no_master, no_master, "Playstation", NDPI_PROTOCOL_CATEGORY_GAME, ndpi_build_default_ports(ports_a, 1935, 3478, 3479, 3480, 0) /* TCP */, @@ -4928,7 +4931,7 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str, packet->line[packet->parsed_lines].len = 0; for (a = 0; ((a+1) < packet->payload_packet_len) && (packet->parsed_lines < NDPI_MAX_PARSE_LINES_PER_PACKET); a++) { - if(((a + 1) < packet->payload_packet_len) &&(packet->payload[a] == 0x0d) && (packet->payload[a+1] == 0x0a)) { + if((packet->payload[a] == 0x0d) && (packet->payload[a+1] == 0x0a)) { /* If end of line char sequence CR+NL "\r\n", process line */ if(((a + 3) < packet->payload_packet_len) @@ -6633,6 +6636,10 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, num_bigram_checks++; +#ifdef DGA_DEBUG + printf("-> Checking %c%c\n", word[i], word[i+1]); +#endif + if(ndpi_match_bigram(ndpi_str, &ndpi_str->bigrams_automa, &word[i])) { num_found++; } else { diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 8f74d22ad..2b96e55b4 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c 
@@ -262,12 +262,18 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru char *ua) { if((!ua) || (ua[0] == '\0')) return; - // printf("[%s:%d] ==> '%s'\n", __FILE__, __LINE__, ua); - + // printf("***** [%s:%d] ==> '%s'\n", __FILE__, __LINE__, ua); + // printf("***** %u\n", ndpi_check_dga_name(ndpi_struct, NULL, "uclient-fetch]")); + if((strlen(ua) < 4) - || (!strcmp(ua, "test")) - || (!strcmp(ua, "<?")) - || ndpi_match_bigram(ndpi_struct, &ndpi_struct->bigrams_automa, ua)) { + || (!strncmp(ua, "test", 4)) + || (!strncmp(ua, "<?", 2)) + || strchr(ua, ';') + || strchr(ua, '{') + || strchr(ua, '}') + || ndpi_check_dga_name(ndpi_struct, NULL, ua) + // || ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, ua) + ) { NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_USER_AGENT); } } diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c index 8252d6725..7679a2337 100644 --- a/src/lib/protocols/ssh.c +++ b/src/lib/protocols/ssh.c @@ -60,6 +60,21 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct /* ************************************************************************ */ +static void ssh_analyse_signature_version(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + char *str_to_check, + u_int8_t is_client_signature) { + + + /* + if(obsolete_ssh_version) + NDPI_SET_BIT(flow->risk, is_client_signature ? NDPI_SSH_OBSOLETE_CLIENT_SIGNATURE : NDPI_SSH_OBSOLETE_SERVER_SIGNATURE); + */ + +} + +/* ************************************************************************ */ + static int search_ssh_again(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_search_ssh_tcp(ndpi_struct, flow); 
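Review bot: The new `strchr(ua, ';')` test in `ndpi_check_user_agent` marks practically every browser User-Agent as suspicious, because the standard `Mozilla/5.0 (Windows NT 10.0; Win64; x64) ...` form separates its platform tokens with semicolons, so NDPI_HTTP_SUSPICIOUS_USER_AGENT would be raised on ordinary traffic; drop that test, or apply it only to strings that do not have the `Mozilla/`-plus-parenthesised-tokens shape. `ndpi_check_dga_name` is now called with a NULL flow; whether it tolerates that is not visible in this hunk and should be confirmed. The two commented-out `printf` lines and the disabled `ndpi_match_bigram` alternative should be removed rather than left in the condition. The function's signature line lies outside the hunk.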
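Review bot: `ssh_analyse_signature_version` is wired into both signature paths but is an empty stub whose only body is a commented-out block referencing `obsolete_ssh_version`, which is declared nowhere in this diff; `str_to_check` and `is_client_signature` are unused, so `-Wunused-parameter` builds will warn on every compile. Either keep the stub out of the tree until the version parsing exists, or make the intent explicit with `/* TODO: parse the "SSH-x.y-<software>" banner and flag obsolete versions */` plus `(void)str_to_check; (void)is_client_signature;`. The risk bits named in the comment, `NDPI_SSH_OBSOLETE_CLIENT_SIGNATURE` and `NDPI_SSH_OBSOLETE_SERVER_SIGNATURE`, are not shown to exist anywhere in this diff.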
@@ -287,6 +302,8 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct strncpy(flow->protos.ssh.client_signature, (const char *)packet->payload, len); flow->protos.ssh.client_signature[len] = '\0'; ndpi_ssh_zap_cr(flow->protos.ssh.client_signature, len); + + ssh_analyse_signature_version(ndpi_struct, flow, flow->protos.ssh.client_signature, 1); #ifdef SSH_DEBUG printf("[SSH] [client_signature: %s]\n", flow->protos.ssh.client_signature); @@ -305,6 +322,8 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct strncpy(flow->protos.ssh.server_signature, (const char *)packet->payload, len); flow->protos.ssh.server_signature[len] = '\0'; ndpi_ssh_zap_cr(flow->protos.ssh.server_signature, len); + + ssh_analyse_signature_version(ndpi_struct, flow, flow->protos.ssh.server_signature, 0); #ifdef SSH_DEBUG printf("[SSH] [server_signature: %s]\n", flow->protos.ssh.server_signature); diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index d938d53e9..ed0823547 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -922,7 +922,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, for(i=0; i<extension_len; ) { u_int16_t extension_id, extension_len; - if(offset >= (packet->payload_packet_len+4)) break; + if((offset+4) > packet->payload_packet_len) break; extension_id = ntohs(*((u_int16_t*)&packet->payload[offset])); extension_len = ntohs(*((u_int16_t*)&packet->payload[offset+2])); |
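Review bot: In the tls.c hunk the inner declaration `u_int16_t extension_id, extension_len;` shadows the outer `extension_len` that the `for(i=0; i<extension_len; )` condition tests, so the same name means the total extensions length in the loop header and the current extension's length in the body; rename the inner one, e.g. `u_int16_t extension_id, ext_len;`, so the relation between the two bounds is readable and `-Wshadow` stays clean. The corrected guard `(offset+4) > packet->payload_packet_len` covers only the 4-byte extension header; the check that `offset + 4 + extension_len` also fits in the payload is not in this hunk and should be confirmed before the extension body is read. The two `ntohs(*((u_int16_t*)&packet->payload[offset]))` reads are unaligned, type-punning accesses; assembling the value from the two bytes, `(packet->payload[offset] << 8) | packet->payload[offset+1]`, avoids both issues. The loop body continues past the hunk.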