Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_private.h3
-rw-r--r--src/lib/ndpi_main.c28
-rw-r--r--src/lib/ndpi_utils.c15
-rw-r--r--src/lib/protocols/dns.c4
-rw-r--r--src/lib/protocols/http.c38
-rw-r--r--src/lib/protocols/quic.c2
-rw-r--r--src/lib/protocols/tls.c20
7 files changed, 66 insertions, 44 deletions
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
index f5da3ed46..9ed27b15e 100644
--- a/src/include/ndpi_private.h
+++ b/src/include/ndpi_private.h
@@ -329,9 +329,9 @@ struct ndpi_detection_module_config_struct {
NDPI_PROTOCOL_BITMASK monitoring;
NDPI_PROTOCOL_BITMASK flowrisk_bitmask;
+ NDPI_PROTOCOL_BITMASK flowrisk_info_bitmask;
int flow_risk_lists_enabled;
- int flow_risk_infos_enabled;
int risk_anonymous_subscriber_list_icloudprivaterelay_enabled;
int risk_anonymous_subscriber_list_protonvpn_enabled;
int risk_anonymous_subscriber_list_tor_exit_nodes_enabled;
@@ -682,6 +682,7 @@ bool ndpi_cache_address(struct ndpi_detection_module_struct *ndpi_struct,
u_int32_t epoch_now, u_int32_t ttl);
int is_monitoring_enabled(struct ndpi_detection_module_struct *ndpi_str, int protoId);
+int is_flowrisk_info_enabled(struct ndpi_detection_module_struct *ndpi_str, ndpi_risk_enum flowrisk_id);
/* TLS */
int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index f1b06f8b8..42cc33c1b 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -10654,7 +10654,7 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_
string_to_match, string_to_match_len,
&proto_id, NULL, NULL);
if(rc1 > 0) {
- if(ndpi_str->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_str, NDPI_RISKY_DOMAIN)) {
char str[64] = { '\0' };
strncpy(str, string_to_match, ndpi_min(string_to_match_len, sizeof(str)-1));
@@ -10667,7 +10667,7 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_
/* Add punycode check */
if(ndpi_check_punycode_string(string_to_match, string_to_match_len)) {
- if(ndpi_str->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_str, NDPI_PUNYCODE_IDN)) {
char str[64] = { '\0' };
strncpy(str, string_to_match, ndpi_min(string_to_match_len, sizeof(str)-1));
@@ -11753,20 +11753,27 @@ static char *_get_param_flowrisk_enable_disable(void *_variable, const char *pro
static ndpi_cfg_error _set_param_flowrisk_enable_disable(struct ndpi_detection_module_struct *ndpi_str,
void *_variable, const char *value,
const char *min_value, const char *max_value,
- const char *proto, const char *param)
+ const char *proto, const char *_param)
{
NDPI_PROTOCOL_BITMASK *bitmask = (NDPI_PROTOCOL_BITMASK *)_variable;
ndpi_risk_enum flowrisk_id;
+ char param[128] = {0};
(void)ndpi_str;
(void)min_value;
(void)max_value;
(void)proto;
- if(strncmp(param, "flow_risk.", 10) != 0)
+ if(strncmp(_param, "flow_risk.", 10) != 0)
return NDPI_CFG_INVALID_PARAM;
- param += 10; /* Strip initial "flow_risk." */
+ _param += 10; /* Strip initial "flow_risk." */
+
+ if(strlen(_param) > 5 &&
+ strncmp(_param + (strlen(_param) - 5), ".info", 5) == 0)
+ memcpy(param, _param, ndpi_min(strlen(_param) - 5, sizeof(param))); /* Strip trailing ".info" */
+ else
+ strncpy(param, _param, sizeof(param));
if(strcmp(param, "any") == 0 ||
strcmp(param, "all") == 0 ||
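Review bot: Both copies into the new `param[128]` buffer can leave it without a NUL terminator: `memcpy(param, _param, ndpi_min(strlen(_param) - 5, sizeof(param)))` and `strncpy(param, _param, sizeof(param))` may each fill all 128 bytes, after which the `strcmp(param, "any")` / `strcmp(param, "all")` calls that follow read past the end of the array for any caller-supplied name of 128 characters or more. Bounding both copies by one less than the buffer size keeps the `{0}` initializer as the terminator: `memcpy(param, _param, ndpi_min(strlen(_param) - 5, sizeof(param) - 1));` and `strncpy(param, _param, sizeof(param) - 1);`. The three `strlen(_param)` evaluations could also be hoisted into a single local for readability. The function body continues past the end of the hunk.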
@@ -11953,9 +11960,9 @@ static const struct cfg_param {
{ NULL, "metadata.tcp_fingerprint", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tcp_fingerprint_enabled), NULL },
{ NULL, "flow_risk_lists.load", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(flow_risk_lists_enabled), NULL },
- { NULL, "flow_risk_infos", "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(flow_risk_infos_enabled), NULL },
{ NULL, "flow_risk.$FLOWRISK_NAME_OR_ID", "enable", NULL, NULL, CFG_PARAM_FLOWRISK_ENABLE_DISABLE, __OFF(flowrisk_bitmask), NULL },
+ { NULL, "flow_risk.$FLOWRISK_NAME_OR_ID.info", "enable", NULL, NULL, CFG_PARAM_FLOWRISK_ENABLE_DISABLE, __OFF(flowrisk_info_bitmask), NULL },
{ NULL, "flow_risk.anonymous_subscriber.list.icloudprivaterelay.load", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(risk_anonymous_subscriber_list_icloudprivaterelay_enabled), NULL },
{ NULL, "flow_risk.anonymous_subscriber.list.protonvpn.load", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(risk_anonymous_subscriber_list_protonvpn_enabled), NULL },
@@ -12033,8 +12040,13 @@ ndpi_cfg_error ndpi_set_config(struct ndpi_detection_module_struct *ndpi_str,
strcmp(c->proto, "$PROTO_NAME_OR_ID") == 0 &&
strcmp(param, c->param) == 0) ||
(proto == NULL && c->proto == NULL &&
- strncmp(c->param, "flow_risk.", 10) == 0 &&
- strncmp(param, "flow_risk.", 10) == 0)) {
+ strncmp(c->param, "flow_risk.$FLOWRISK_NAME_OR_ID", 30) == 0 &&
+ strncmp(param, "flow_risk.", 10) == 0 &&
+ !ndpi_str_endswith(param, ".info")) ||
+ (proto == NULL && c->proto == NULL &&
+ strncmp(c->param, "flow_risk.$FLOWRISK_NAME_OR_ID.info", 35) == 0 &&
+ strncmp(param, "flow_risk.", 10) == 0 &&
+ ndpi_str_endswith(param, ".info"))) {
rc = cfg_ops[c->type].fn_set(ndpi_str, (void *)((char *)&ndpi_str->cfg + c->offset),
value, c->min_value, c->max_value, proto, param);
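Review bot: `strncmp(c->param, "flow_risk.$FLOWRISK_NAME_OR_ID", 30) == 0` is a prefix comparison, so it is also true for the table entry `flow_risk.$FLOWRISK_NAME_OR_ID.info`; a user parameter without the `.info` suffix therefore satisfies the first new disjunct for that entry as well, and unless the enclosing loop stops at the first match (not visible in the hunk) `fn_set` is applied to `flowrisk_info_bitmask` in addition to `flowrisk_bitmask`. Both template names are complete strings, so an exact comparison removes the ambiguity and the hand-counted lengths 30 and 35: `strcmp(c->param, "flow_risk.$FLOWRISK_NAME_OR_ID") == 0 &&` in the first disjunct and `strcmp(c->param, "flow_risk.$FLOWRISK_NAME_OR_ID.info") == 0 &&` in the second. The enclosing condition and loop begin before the hunk.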
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 9e18da9ab..3fce19746 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -3023,6 +3023,15 @@ static int is_flowrisk_enabled(struct ndpi_detection_module_struct *ndpi_str, nd
/* ********************************************************************************* */
+int is_flowrisk_info_enabled(struct ndpi_detection_module_struct *ndpi_str, ndpi_risk_enum flowrisk_id)
+{
+ if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_str->cfg.flowrisk_info_bitmask, flowrisk_id) == 0)
+ return 0;
+ return 1;
+}
+
+/* ********************************************************************************* */
+
void ndpi_handle_risk_exceptions(struct ndpi_detection_module_struct *ndpi_str,
struct ndpi_flow_struct *flow) {
if(flow->risk == 0) return; /* Nothing to do */
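Review bot: `is_flowrisk_info_enabled` is a new non-static function exported through ndpi_private.h, but it carries no comment describing its contract, unlike the surrounding helpers in this file. A short header such as `/* Returns 1 when risk-info messages are enabled for flowrisk_id (config "flow_risk.<name>.info"), 0 otherwise */` would tell callers in the protocol dissectors what the return value gates. The body can also be written as a single `return NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_str->cfg.flowrisk_info_bitmask, flowrisk_id) != 0;`, matching the `== 0` test already used. If a NULL `ndpi_str` is reachable from the dissector callers, that would need a guard here; the sibling `is_flowrisk_enabled` above the hunk presumably sets the convention to follow.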
@@ -3100,7 +3109,7 @@ void ndpi_set_risk(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_fl
// ndpi_handle_risk_exceptions(ndpi_str, flow);
if(flow->risk != 0 /* check if it has been masked */) {
- if(ndpi_str->cfg.flow_risk_infos_enabled &&
+ if(is_flowrisk_info_enabled(ndpi_str, r) &&
risk_message != NULL) {
if(flow->num_risk_infos < MAX_NUM_RISK_INFOS) {
char *s = ndpi_strdup(risk_message);
@@ -3113,7 +3122,7 @@ void ndpi_set_risk(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_fl
}
}
}
- } else if(ndpi_str->cfg.flow_risk_infos_enabled && risk_message) {
+ } else if(is_flowrisk_info_enabled(ndpi_str, r) && risk_message) {
u_int8_t i;
for(i = 0; i < flow->num_risk_infos; i++)
@@ -3146,7 +3155,7 @@ void ndpi_unset_risk(struct ndpi_detection_module_struct *ndpi_str,
flow->risk &= ~v;
- if(!ndpi_str->cfg.flow_risk_infos_enabled)
+ if(!is_flowrisk_info_enabled(ndpi_str, r))
return;
for(i = 0; i < flow->num_risk_infos; i++) {
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index de0a74d8b..9acc49216 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -828,7 +828,7 @@ static void search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct
flow->protos.dns.num_answers = dns_header.num_answers + dns_header.authority_rrs + dns_header.additional_rrs;
if(flow->protos.dns.reply_code != 0) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_ERROR_CODE_DETECTED)) {
char str[32], buf[16];
snprintf(str, sizeof(str), "DNS Error Code %s",
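Review bot: Each converted call site now names the risk id twice, once in `is_flowrisk_info_enabled(ndpi_struct, NDPI_ERROR_CODE_DETECTED)` and again in the `ndpi_set_risk` call that follows (outside this hunk here, visible in the http.c server-version and tls.c issuerDN hunks), while `ndpi_set_risk` in ndpi_utils.c re-checks `is_flowrisk_info_enabled` for the id it receives, so the outer check only spares the `snprintf`. A mismatch between the two ids at any site would silently build the message under one risk's setting and store it under another, and no compiler warning catches that. A one-line comment on the helper's declaration stating that the id must match the subsequent `ndpi_set_risk` call, or a small wrapper that formats and sets the risk with a single id argument, would remove the duplication; the same pattern repeats in the remaining dns.c hunk and in the http.c, quic.c and tls.c hunks.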
@@ -870,7 +870,7 @@ static void search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct
packet->udp &&
packet->payload_packet_len > PKT_LEN_ALERT &&
packet->payload_packet_len > flow->protos.dns.edns0_udp_payload_size) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_DNS_LARGE_PACKET)) {
char str[48];
snprintf(str, sizeof(str), "%u Bytes DNS Packet", packet->payload_packet_len);
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 25d78b1cf..61d75cc8d 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -199,7 +199,7 @@ static void ndpi_http_check_human_redeable_content(struct ndpi_detection_module_
&& (content[3] == 0x00)) {
/* Looks like compressed data */
} else {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_CONTENT)) {
char str[32];
snprintf(str, sizeof(str), "Susp content %02X%02X%02X%02X",
@@ -718,7 +718,7 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru
float upper_case_ratio = (float)upper_case_count / (float)ua_len;
if (upper_case_ratio >= 0.2f) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_USER_AGENT)) {
char str[64];
snprintf(str, sizeof(str), "UA %s", ua);
@@ -733,7 +733,7 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru
if((!strncmp(ua, "<?", 2))
|| strchr(ua, '$')
) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_USER_AGENT)) {
char str[64];
snprintf(str, sizeof(str), "UA %s", ua);
@@ -747,7 +747,7 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru
if(double_slash != ua) /* We're not at the beginning of the user agent */{
if((double_slash[-1] != 'p') /* http:// */
&& (double_slash[-1] != 's') /* https:// */) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_USER_AGENT)) {
char str[64];
snprintf(str, sizeof(str), "UA %s", ua);
@@ -782,7 +782,7 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru
|| ndpi_strncasestr(ua, "Crawler", ua_len)
|| ndpi_strncasestr(ua, "Bot", ua_len) /* bot/robot */
) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_CRAWLER_BOT)) {
char str[64];
snprintf(str, sizeof(str), "UA %s", ua);
@@ -885,7 +885,7 @@ static void ndpi_check_numeric_ip(struct ndpi_detection_module_struct *ndpi_stru
ip_addr.s_addr = inet_addr(buf);
if(strcmp(inet_ntoa(ip_addr), buf) == 0) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_NUMERIC_IP_HOST)) {
char str[64];
snprintf(str, sizeof(str), "Found host %s", buf);
@@ -935,14 +935,14 @@ static void ndpi_check_http_server(struct ndpi_detection_module_struct *ndpi_str
char msg[64];
if((off == 7) && (version < MIN_APACHE_VERSION)) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_OBSOLETE_SERVER)) {
snprintf(msg, sizeof(msg), "Obsolete Apache server %s", buf);
ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_OBSOLETE_SERVER, msg);
} else {
ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_OBSOLETE_SERVER, NULL);
}
} else if((off == 6) && (version < MIN_NGINX_VERSION)) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_OBSOLETE_SERVER)) {
snprintf(msg, sizeof(msg), "Obsolete nginx server %s", buf);
ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_OBSOLETE_SERVER, msg);
} else {
@@ -1161,7 +1161,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
if(ndpi_is_valid_hostname((char *)packet->host_line.ptr,
packet->host_line.len) == 0) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_INVALID_CHARACTERS)) {
char str[128];
snprintf(str, sizeof(str), "Invalid host %s", flow->host_server_name);
@@ -1181,7 +1181,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
/* IPv4 */
if(ndpi_struct->packet.iph->daddr != inet_addr(flow->host_server_name)) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_HEADER)) {
char buf[64], msg[128];
snprintf(msg, sizeof(msg), "Expected %s, found %s",
@@ -1326,7 +1326,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str
switch(packet->line[i].ptr[0]) {
case 'A':
if(is_a_suspicious_header(suspicious_http_header_keys_A, packet->line[i])) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_HEADER)) {
char str[64];
snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr);
@@ -1339,7 +1339,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str
break;
case 'C':
if(is_a_suspicious_header(suspicious_http_header_keys_C, packet->line[i])) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_HEADER)) {
char str[64];
snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr);
@@ -1352,7 +1352,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str
break;
case 'M':
if(is_a_suspicious_header(suspicious_http_header_keys_M, packet->line[i])) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_HEADER)) {
char str[64];
snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr);
@@ -1365,7 +1365,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str
break;
case 'O':
if(is_a_suspicious_header(suspicious_http_header_keys_O, packet->line[i])) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_HEADER)) {
char str[64];
snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr);
@@ -1378,7 +1378,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str
break;
case 'R':
if(is_a_suspicious_header(suspicious_http_header_keys_R, packet->line[i])) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_HEADER)) {
char str[64];
snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr);
@@ -1391,7 +1391,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str
break;
case 'S':
if(is_a_suspicious_header(suspicious_http_header_keys_S, packet->line[i])) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_HEADER)) {
char str[64];
snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr);
@@ -1404,7 +1404,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str
break;
case 'T':
if(is_a_suspicious_header(suspicious_http_header_keys_T, packet->line[i])) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_HEADER)) {
char str[64];
snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr);
@@ -1417,7 +1417,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str
break;
case 'U':
if(is_a_suspicious_header(suspicious_http_header_keys_U, packet->line[i])) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_HEADER)) {
char str[64];
snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr);
@@ -1430,7 +1430,7 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str
break;
case 'X':
if(is_a_suspicious_header(suspicious_http_header_keys_X, packet->line[i])) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_HEADER)) {
char str[64];
snprintf(str, sizeof(str), "Found %.*s", packet->line[i].len, packet->line[i].ptr);
diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
index e19e1b27a..b63df5d87 100644
--- a/src/lib/protocols/quic.c
+++ b/src/lib/protocols/quic.c
@@ -1468,7 +1468,7 @@ void process_chlo(struct ndpi_detection_module_struct *ndpi_struct,
if(ndpi_is_valid_hostname((char *)&crypto_data[tag_offset_start + prev_offset],
len) == 0) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_INVALID_CHARACTERS)) {
char str[128];
snprintf(str, sizeof(str), "Invalid host %s", flow->host_server_name);
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 6e010ef62..b61387a3c 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -828,7 +828,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct
ndpi_struct->cfg.tls_cert_issuer_enabled) {
flow->protos.tls_quic.issuerDN = ndpi_strdup(rdnSeqBuf);
if(ndpi_normalize_printable_string(rdnSeqBuf, rdn_len) == 0) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_INVALID_CHARACTERS)) {
char str[64];
snprintf(str, sizeof(str), "Invalid issuerDN %s", flow->protos.tls_quic.issuerDN);
ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, str);
@@ -908,7 +908,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct
if(flow->protos.tls_quic.notBefore > TLS_LIMIT_DATE)
if((flow->protos.tls_quic.notAfter-flow->protos.tls_quic.notBefore) > TLS_THRESHOLD) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_TLS_CERT_VALIDITY_TOO_LONG)) {
char str[64];
snprintf(str, sizeof(str), "TLS Cert lasts %u days",
@@ -921,7 +921,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct
}
if((time_sec < flow->protos.tls_quic.notBefore) || (time_sec > flow->protos.tls_quic.notAfter)) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_TLS_CERTIFICATE_EXPIRED)) {
char str[96], b[32], e[32];
struct tm result;
time_t theTime;
@@ -939,7 +939,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct
}
} else if((time_sec > flow->protos.tls_quic.notBefore)
&& (time_sec > (flow->protos.tls_quic.notAfter - (ndpi_struct->cfg.tls_certificate_expire_in_x_days * 86400)))) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE)) {
char str[96], b[32], e[32];
struct tm result;
time_t theTime;
@@ -1112,7 +1112,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct
} /* while */
if(!matched_name) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_TLS_CERTIFICATE_MISMATCH)) {
char str[128];
snprintf(str, sizeof(str), "%s vs %s", flow->host_server_name, flow->protos.tls_quic.server_names);
@@ -1929,7 +1929,7 @@ static void tlsCheckUncommonALPN(struct ndpi_detection_module_struct *ndpi_struc
alpn_len = comma_or_nul - alpn_start;
if(!is_a_common_alpn(ndpi_struct, alpn_start, alpn_len)) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_TLS_UNCOMMON_ALPN)) {
char str[64];
size_t str_len;
@@ -2043,7 +2043,7 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct,
printf("[TLS] suspicious extension id: %u\n", extension_id);
#endif
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_TLS_SUSPICIOUS_EXTENSION)) {
char str[64];
snprintf(str, sizeof(str), "Extn id %u", extension_id);
@@ -2064,7 +2064,7 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct,
printf("[TLS] suspicious DTLS-only extension id: %u\n", extension_id);
#endif
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_TLS_SUSPICIOUS_EXTENSION)) {
char str[64];
snprintf(str, sizeof(str), "Extn id %u", extension_id);
@@ -2395,7 +2395,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
if(ndpi_struct->cfg.tls_cipher_enabled) {
if((flow->protos.tls_quic.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja.server.cipher[0])) != NDPI_CIPHER_SAFE) {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_TLS_WEAK_CIPHER)) {
char str[64];
char unknown_cipher[8];
@@ -2627,7 +2627,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
flow->protos.tls_quic.ssl_version = ja.client.tls_handshake_version = tls_version;
if(flow->protos.tls_quic.ssl_version < 0x0303) /* < TLSv1.2 */ {
- if(ndpi_struct->cfg.flow_risk_infos_enabled) {
+ if(is_flowrisk_info_enabled(ndpi_struct, NDPI_TLS_OBSOLETE_VERSION)) {
char str[32], buf[32];
u_int8_t unknown_tls_version;