From 6c1317fa278be71fba8c01c492c223e95eb4ba03 Mon Sep 17 00:00:00 2001 From: Toni Uhlig Date: Fri, 26 Feb 2021 16:19:28 +0100 Subject: Added NDPI_MALICIOUS_SHA1 flow risk. * An external file which contains known malicious SSL certificate SHA-1 hashes can be loaded via ndpi_load_malicious_sha1_file(...) Signed-off-by: Toni Uhlig --- src/lib/ndpi_main.c | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 69 insertions(+), 2 deletions(-) (limited to 'src/lib/ndpi_main.c') diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index f5f964f8b..5afdc4695 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -2193,6 +2193,7 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs ndpi_str->impossible_bigrams_automa.ac_automa = ac_automata_init(ac_match_handler); ndpi_str->tls_cert_subject_automa.ac_automa = ac_automata_init(ac_match_handler); ndpi_str->malicious_ja3_automa.ac_automa = NULL; /* Initialized on demand */ + ndpi_str->malicious_sha1_automa.ac_automa = NULL; /* Initialized on demand */ ndpi_str->risky_domain_automa.ac_automa = NULL; /* Initialized on demand */ if((sizeof(categories) / sizeof(char *)) != NDPI_PROTOCOL_NUM_CATEGORIES) { @@ -2253,7 +2254,11 @@ void ndpi_finalize_initialization(struct ndpi_detection_module_struct *ndpi_str) case 5: automa = &ndpi_str->malicious_ja3_automa; break; - + + case 6: + automa = &ndpi_str->malicious_sha1_automa; + break; + default: return; } @@ -2519,6 +2524,9 @@ void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_str) { if(ndpi_str->malicious_ja3_automa.ac_automa != NULL) ac_automata_release((AC_AUTOMATA_t *) ndpi_str->malicious_ja3_automa.ac_automa, 0); + if(ndpi_str->malicious_sha1_automa.ac_automa != NULL) + ac_automata_release((AC_AUTOMATA_t *) ndpi_str->malicious_sha1_automa.ac_automa, 0); + if(ndpi_str->custom_categories.hostnames.ac_automa != NULL) ac_automata_release((AC_AUTOMATA_t *) ndpi_str->custom_categories.hostnames.ac_automa, 1 /* free patterns strings memory */); @@ -2968,7 +2976,7 @@ int ndpi_load_risk_domain_file(struct ndpi_detection_module_struct *ndpi_str, co /* * Format: * - * [,] + * [,] * */ int ndpi_load_malicious_ja3_file(struct ndpi_detection_module_struct *ndpi_str, const char *path) { @@ -3015,6 +3023,65 @@ int ndpi_load_malicious_ja3_file(struct ndpi_detection_module_struct *ndpi_str, /* ******************************************************************** */ +/* + * Format: + * + * + * , + * ,[,[...]] + * + */ +int ndpi_load_malicious_sha1_file(struct ndpi_detection_module_struct *ndpi_str, const char *path) +{ + char buffer[128]; + char *first_comma, *second_comma; + FILE *fd; + size_t len; + int num = 0; + + if (ndpi_str->malicious_sha1_automa.ac_automa == NULL) + ndpi_str->malicious_sha1_automa.ac_automa = ac_automata_init(ac_match_handler); + + fd = fopen(path, "r"); + + if (fd == NULL) { + NDPI_LOG_ERR(ndpi_str, "Unable to open file %s [%s]\n", path, strerror(errno)); + return -1; + } + + while (fgets(buffer, sizeof(buffer), fd) != NULL) { + len = strlen(buffer); + + if (len <= 1 || buffer[0] == '#') + continue; + + first_comma = strchr(buffer, ','); + if (first_comma != NULL) { + first_comma++; + second_comma = strchr(first_comma, ','); + if (second_comma == NULL) + second_comma = &buffer[len - 1]; + } else { + first_comma = &buffer[0]; + second_comma = &buffer[len - 1]; + } + + if ((second_comma - first_comma) != 40) + continue; + second_comma[0] = '\0'; + + for (size_t i = 0; i < 40; ++i) + first_comma[i] = toupper(first_comma[i]); + + if (ndpi_add_string_to_automa(ndpi_str->malicious_sha1_automa.ac_automa, first_comma) >= 0) + num++; + } + + return num; +} + +/* ******************************************************************** */ + /* Format: :,:,.....@ -- cgit v1.2.3