Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_api.h | 3 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 5 | ||||
-rw-r--r-- | src/lib/protocols/dns.c | 6 | ||||
-rw-r--r-- | src/lib/protocols/fastcgi.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/http.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/netbios.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/quic.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 2 |
8 files changed, 14 insertions, 10 deletions
diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h index 3d95f6007..2a744994e 100644 --- a/src/include/ndpi_api.h +++ b/src/include/ndpi_api.h @@ -1227,7 +1227,8 @@ extern "C" { /* DGA */ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, - char *name, u_int8_t is_hostname, u_int8_t check_subproto); + char *name, u_int8_t is_hostname, u_int8_t check_subproto, + u_int8_t flow_fully_classified); /* Serializer (supports JSON, TLV, CSV) */ diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 0d82cfb4c..0150d12bf 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -10830,7 +10830,8 @@ static int ndpi_is_vowel(char c) { int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, - char *name, u_int8_t is_hostname, u_int8_t check_subproto) { + char *name, u_int8_t is_hostname, u_int8_t check_subproto, + u_int8_t flow_fully_classified) { /* Get domain name if ndpi_load_domain_suffixes(..) has been called */ name = (char*)ndpi_get_host_domain(ndpi_str, name); @@ -10863,7 +10864,7 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, ) return(0); - if(flow && (flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN)) + if(flow && (flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN || flow_fully_classified)) return(0); /* Ignore DGA check for protocols already fully detected */ if(check_subproto && diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 19215e79b..b2223f4a9 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -822,6 +822,8 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st ndpi_get_current_time(flow)); } + ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1, 0, ret.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN); + if(!ndpi_struct->cfg.dns_subclassification_enabled) ret.proto.app_protocol = NDPI_PROTOCOL_UNKNOWN; 
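Review bot: The new `flow_fully_classified` parameter lands in the public prototype with no documentation, the only comment on this declaration being `/* DGA */`. A short Doxygen block above it should state the contract that the ndpi_main.c hunk makes visible: when `flow_fully_classified` is non-zero, or the flow already carries an application protocol, the function returns 0 without running the DGA heuristic, and `name` is first reduced via ndpi_get_host_domain. It should also say what a non-zero return means, since the tls.c call site treats it as "the SNI looks DGA-generated". The declaration block continues outside this hunk.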
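Review bot: In `if(flow && (flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN || flow_fully_classified))` the caller-supplied flag is honoured only when `flow` is non-NULL, although the flag does not depend on the flow at all; with a NULL flow and `flow_fully_classified` set, the heuristic still runs. Every caller in this commit passes a flow, so this is latent, but the intent reads more clearly and holds for any caller as `if(flow_fully_classified || (flow && flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN))`. The remainder of ndpi_check_dga_name lies outside this hunk.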
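Review bot: Nothing in the code explains why the DGA check must now run before the `dns_subclassification_enabled` test, or why `ret.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN` is the right notion of "fully classified" when the very next lines may reset that field. A comment above the call would keep the reasoning, e.g. `/* Run the DGA check before the subclassification result may be discarded: a name matched to a known protocol must not be flagged as DGA even when DNS subclassification is disabled */`. Unlike the http.c call site, this call is not guarded by `strlen(flow->host_server_name) > 0`; if ndpi_check_dga_name does not itself reject empty names, which I cannot confirm from this diff, such a guard would avoid running the heuristic on queries with no name. The enclosing ndpi_search_dns body starts and ends outside this hunk.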
@@ -830,8 +832,6 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st else ret.proto.master_protocol = NDPI_PROTOCOL_DNS; - ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1, 0); - /* Category is always NDPI_PROTOCOL_CATEGORY_NETWORK, regardless of the subprotocol */ flow->category = NDPI_PROTOCOL_CATEGORY_NETWORK; } @@ -854,6 +854,8 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st return; /* The response will set the verdict */ } + if(strlen(flow->host_server_name) > 0) + flow->protos.dns.num_queries = (u_int8_t)dns_header.num_queries, flow->protos.dns.num_answers = (u_int8_t) (dns_header.num_answers + dns_header.authority_rrs + dns_header.additional_rrs); diff --git a/src/lib/protocols/fastcgi.c b/src/lib/protocols/fastcgi.c index 484d98ed6..699b61123 100644 --- a/src/lib/protocols/fastcgi.c +++ b/src/lib/protocols/fastcgi.c @@ -212,7 +212,7 @@ static void ndpi_search_fastcgi(struct ndpi_detection_module_struct *ndpi_struct strlen(flow->host_server_name), &ret_match, NDPI_PROTOCOL_FASTCGI, 1); ndpi_check_dga_name(ndpi_struct, flow, - flow->host_server_name, 1, 0); + flow->host_server_name, 1, 0, 0); if(ndpi_is_valid_hostname((char *)packet->host_line.ptr, packet->host_line.len) == 0) { char str[128]; diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index cb3376e8e..949e93e8c 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -1159,7 +1159,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ ndpi_http_parse_subprotocol(ndpi_struct, flow, hostname_just_set); if(hostname_just_set && strlen(flow->host_server_name) > 0) { - ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1, 0); + ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1, 0, 0); } ndpi_check_http_header(ndpi_struct, flow); diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c index fc53563d3..648134b53 100644 
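Review bot: The call `ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1, 0, 0);` now ends in three bare 0/1 literals, so a reader cannot tell which flag is which without opening the header; the same applies to the http.c, netbios.c, quic.c and tls.c call sites in this commit. A brief trailing comment at each call, such as `/* is_hostname, check_subproto, flow_fully_classified */`, or named constants for the three flags, would keep these sites self-explanatory. The enclosing ndpi_search_fastcgi body starts and ends outside this hunk.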
--- a/src/lib/protocols/netbios.c +++ b/src/lib/protocols/netbios.c @@ -105,7 +105,7 @@ static void ndpi_int_netbios_add_connection(struct ndpi_detection_module_struct (u_int)(packet->payload_packet_len - off), name, sizeof(name)-1) > 0) { ndpi_hostname_sni_set(flow, (const u_int8_t *)name, strlen((char *)name), NDPI_HOSTNAME_NORM_ALL); - ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1, 1); + ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1, 1, 0); } if(sub_protocol == NDPI_PROTOCOL_UNKNOWN) diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c index 0ddc1a830..abcda2704 100644 --- a/src/lib/protocols/quic.c +++ b/src/lib/protocols/quic.c @@ -1464,7 +1464,7 @@ void process_chlo(struct ndpi_detection_module_struct *ndpi_struct, flow->protos.tls_quic.client_hello_processed = 1; /* Allow matching of custom categories */ ndpi_check_dga_name(ndpi_struct, flow, - flow->host_server_name, 1, 0); + flow->host_server_name, 1, 0, 0); if(ndpi_is_valid_hostname((char *)&crypto_data[tag_offset_start + prev_offset], len) == 0) { diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 60d54e9ba..8d2f4dd7f 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -2813,7 +2813,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, ndpi_set_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST, sni); } - if(ndpi_check_dga_name(ndpi_struct, flow, sni, 1, 0)) { + if(ndpi_check_dga_name(ndpi_struct, flow, sni, 1, 0, 0)) { #ifdef DEBUG_TLS printf("[TLS] SNI: (DGA) [%s]\n", sni); #endif |