Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_typedefs.h | 6 | ||||
-rw-r--r-- | src/lib/ndpi_content_match.c.inc | 1 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 3 | ||||
-rw-r--r-- | src/lib/protocols/sip.c | 22 |
4 files changed, 31 insertions, 1 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 21e2199e5..a2d2293b8 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -809,6 +809,12 @@ typedef enum {
 CUSTOM_CATEGORY_BANNED_SITE = 102,
 CUSTOM_CATEGORY_SITE_UNAVAILABLE = 103,
 CUSTOM_CATEGORY_ALLOWED_SITE = 104,
+ /*
+ The category below is used to track communications made by
+ security applications (e.g. sophosxl.net, spamhaus.org)
+ to track malware, spam etc.
+ */
+ CUSTOM_CATEGORY_ANTIMALWARE = 105,
 /* IMPORTANT
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 537b41b5e..730050a2e 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -8686,6 +8686,7 @@ ndpi_protocol_match host_match[] = {
 { "whispersystems.org", NULL, "whispersystems\\.org" TLD, "Signal", NDPI_PROTOCOL_SIGNAL, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE },
 { "musical.ly", NULL, "musical\\.ly" TLD, "TikTok", NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
 { "muscdn.com", NULL, "muscndl\\.com" TLD, "TikTok", NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { NULL, NULL, NULL, 0 }
 };
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index e200f32f0..4bc89fb6e 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -425,6 +425,7 @@ static const char* categories[] = {
 "Banned_Site",
 "Site_Unavailable",
 "Allowed_Site",
+ "Antimalware",
 };
 /* ****************************************** */
@@ -2828,7 +2829,7 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_mod,
 ndpi_mod->ndpi_num_supported_protocols,
 0 /* can_have_a_subprotocol */, no_master, no_master,
- ndpi_strdup(proto),
+ proto,
 NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, /* TODO add protocol category support in rules */
 ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
 ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
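Review bot: `CUSTOM_CATEGORY_ANTIMALWARE = 105` only maps to a printable name because the `categories[]` table in the first ndpi_main.c hunk gains `"Antimalware"` at the matching position, and neither hunk records that coupling, so the next category added to one file can silently desynchronise the other. I'd add `/* keep in sync with categories[] in ndpi_main.c */` beside the new enumerator and the mirror comment `/* order must match the CUSTOM_CATEGORY_* values in ndpi_typedefs.h */` above `"Antimalware",`. That the table is indexed directly by the enum value is only inferred from the three preceding entries lining up with 102–104; please confirm against the lookup code, which is outside both hunks, as are the start of the enum and of the array.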
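Review bot: The new `{ NULL, NULL, NULL, 0 }` entry terminates `host_match[]` but carries no comment saying so, and nothing prevents a later entry from being appended after it, which would silently hide that entry from any loop that walks the table until the first NULL string (the walking loop is outside the hunk). I'd write it as `{ NULL, NULL, NULL, 0 } /* terminator: must stay the last entry */`. The partial initializer is fine in C since the remaining fields are zero-initialised, so a loop testing any field for NULL/0 will stop here.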
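Review bot: Passing `proto` instead of `ndpi_strdup(proto)` is only correct if the callee — its name is above the hunk; the argument list looks like ndpi_set_proto_defaults — makes its own copy of the name, because `proto` appears to point into the rule text being parsed rather than into storage that outlives ndpi_handle_rule; if the callee stores the pointer, every protocol registered from a rule file ends up with a dangling name. If the callee does copy, the removed ndpi_strdup was a leak and the change is right, in which case a comment `proto, /* copied by the callee; do not strdup here */` on the new line would record the ownership so it is not re-added. ndpi_handle_rule starts and ends outside the hunk.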
diff --git a/src/lib/protocols/sip.c b/src/lib/protocols/sip.c
index 1436b2cec..2583dbfdf 100644
--- a/src/lib/protocols/sip.c
+++ b/src/lib/protocols/sip.c
@@ -123,6 +123,28 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct
 return;
 }
+ if ((memcmp(packet_payload, "PUBLISH ", 8) == 0 || memcmp(packet_payload, "publish ", 8) == 0)
+ && (memcmp(&packet_payload[8], "SIP:", 4) == 0 || memcmp(&packet_payload[8], "sip:", 4) == 0)) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip PUBLISH\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+
+ if ((memcmp(packet_payload, "SUBSCRIBE ", 10) == 0 || memcmp(packet_payload, "subscribe ", 10) == 0)
+ && (memcmp(&packet_payload[10], "SIP:", 4) == 0 || memcmp(&packet_payload[10], "sip:", 4) == 0)) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip SUBSCRIBE\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+
+ /* SIP message extension RFC 3248 */
+ if ((memcmp(packet_payload, "MESSAGE ", 8) == 0 || memcmp(packet_payload, "message ", 8) == 0)
+ && (memcmp(&packet_payload[8], "SIP:", 4) == 0 || memcmp(&packet_payload[8], "sip:", 4) == 0)) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip MESSAGE\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+
 /* Courtesy of Miguel Quesada <mquesadab@gmail.com> */
 if ((memcmp(packet_payload, "OPTIONS ", 8) == 0 || memcmp(packet_payload, "options ", 8) == 0) |
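Review bot: Each new branch reads a fixed 12 or 14 bytes of `packet_payload` — `memcmp(packet_payload, "SUBSCRIBE ", 10)` followed by `memcmp(&packet_payload[10], "SIP:", 4)` — without consulting the payload length, so the length guard earlier in ndpi_search_sip_handshake (outside this hunk) must already guarantee at least 14 bytes before these branches run, otherwise a short packet from the wire causes an out-of-bounds read; please confirm that guard covers the longest new prefix, since the existing OPTIONS branch only needed 12. The comment `/* SIP message extension RFC 3248 */` looks like a typo: the SIP MESSAGE method is specified in RFC 3428, and the PUBLISH and SUBSCRIBE branches could cite their own RFCs the same way. The three blocks are copies of the OPTIONS pattern with hand-counted offsets (8, 10, 8); a small static helper taking the method string and its length would remove the repeated constants that are easy to get wrong when the next method is added. The enclosing function starts above the hunk and continues past it.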