From a8ffcd8bb0273d59600c6310a80b81206096c113 Mon Sep 17 00:00:00 2001 From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> Date: Wed, 24 Nov 2021 10:46:48 +0100 Subject: Rework how hostname/SNI info is saved (#1330) Looking at `struct ndpi_flow_struct` the two bigger fields are `host_server_name[240]` (mainly for HTTP hostnames and DNS domains) and `protos.tls_quic.client_requested_server_name[256]` (for TLS/QUIC SNIs). This commit aims to reduce `struct ndpi_flow_struct` size, according to two simple observations: 1) maximum one of these two fields is used for each flow. So it seems safe to merge them; 2) even if hostnames/SNIs might be very long, in practice they are rarely longer than a fews tens of bytes. So, using a (single) large buffer is a waste of memory for all kinds of flows. If we need to truncate the name, we keep the *last* characters, easing domain matching. Analyzing some real traffic, it seems safe to assume that the vast majority of hostnames/SNIs is shorter than 80 bytes. Hostnames/SNIs are always converted to lowercase. Attention was given so as to be sure that unit-tests outputs are not affected by this change. Because of a bug, TLS/QUIC SNI were always truncated to 64 bytes (the *first* 64 ones): as a consequence, there were some "Suspicious DGA domain name" and "TLS Certificate Mismatch" false positives. --- example/reader_util.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) (limited to 'example/reader_util.c') diff --git a/example/reader_util.c b/example/reader_util.c index 3a161d684..d5638d183 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -1105,8 +1105,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl } /* MDNS */ else if(is_ndpi_proto(flow, NDPI_PROTOCOL_MDNS)) { - char *name = (char*)flow->ndpi_flow->host_server_name; /* Trick to avoid warning(s) */ - snprintf(flow->info, sizeof(flow->info), "%s", name); + snprintf(flow->info, sizeof(flow->info), "%s", flow->ndpi_flow->host_server_name); } /* UBNTAC2 */ else if(is_ndpi_proto(flow, NDPI_PROTOCOL_UBNTAC2)) { @@ -1161,8 +1160,8 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl if(flow->ndpi_flow->protos.telnet.password[0] != '\0') flow->telnet.password = ndpi_strdup(flow->ndpi_flow->protos.telnet.password); } else if(is_ndpi_proto(flow, NDPI_PROTOCOL_SSH)) { - snprintf(flow->ssh_tls.client_requested_server_name, - sizeof(flow->ssh_tls.client_requested_server_name), "%s", + snprintf(flow->host_server_name, + sizeof(flow->host_server_name), "%s", flow->ndpi_flow->protos.ssh.client_signature); snprintf(flow->ssh_tls.server_info, sizeof(flow->ssh_tls.server_info), "%s", flow->ndpi_flow->protos.ssh.server_signature); @@ -1178,9 +1177,6 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl || (flow->ndpi_flow->protos.tls_quic.ja3_client[0] != '\0') ) { flow->ssh_tls.ssl_version = flow->ndpi_flow->protos.tls_quic.ssl_version; - snprintf(flow->ssh_tls.client_requested_server_name, - sizeof(flow->ssh_tls.client_requested_server_name), "%s", - flow->ndpi_flow->protos.tls_quic.client_requested_server_name); snprintf(flow->http.user_agent, sizeof(flow->http.user_agent), "%s", flow->ndpi_flow->http.user_agent ? flow->ndpi_flow->http.user_agent : ""); -- cgit v1.2.3