From 16890a6632b237020848c7210d3cca6c19645f9d Mon Sep 17 00:00:00 2001 From: Toni Date: Fri, 26 Feb 2021 17:00:05 +0100 Subject: Added NDPI_MALICIOUS_SHA1 flow risk. (#1142) * An external file which contains known malicious SSL certificate SHA-1 hashes can be loaded via ndpi_load_malicious_sha1_file(...) Signed-off-by: Toni Uhlig --- src/include/ndpi_api.h.in | 9 +++++++++ src/include/ndpi_typedefs.h | 3 ++- 2 files changed, 11 insertions(+), 1 deletion(-) (limited to 'src/include') diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in index 4e63d1d22..0e6a50518 100644 --- a/src/include/ndpi_api.h.in +++ b/src/include/ndpi_api.h.in @@ -715,6 +715,15 @@ extern "C" { */ int ndpi_load_malicious_ja3_file(struct ndpi_detection_module_struct *ndpi_str, const char *path); + /** + * Read a file and load the list of malicious SSL certificate SHA1 fingerprints. + * @par ndpi_mod = the detection module + * @par path = the path of the file + * @return 0 if the file is loaded correctly; + * -1 else + */ + int ndpi_load_malicious_sha1_file(struct ndpi_detection_module_struct *ndpi_str, const char *path); + /** * Get the total number of the supported protocols * diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 973e08670..79ccf9c1c 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -92,6 +92,7 @@ typedef enum { NDPI_RISKY_ASN, NDPI_RISKY_DOMAIN, NDPI_MALICIOUS_JA3, + NDPI_MALICIOUS_SHA1, /* Leave this as last member */ @@ -1101,7 +1102,7 @@ struct ndpi_detection_module_struct { subprotocol_automa, /* Used for HTTP subprotocol_detection */ bigrams_automa, impossible_bigrams_automa, /* TOR */ risky_domain_automa, tls_cert_subject_automa, - malicious_ja3_automa; + malicious_ja3_automa, malicious_sha1_automa; /* IMPORTANT: please update ndpi_finalize_initialization() whenever you add a new automa */ struct { -- cgit v1.2.3