From 076edeab54bf4271e29f342882373171169fd651 Mon Sep 17 00:00:00 2001
From: Luca Deri
Date: Sat, 9 Sep 2023 18:09:57 +0200
Subject: Enhance DNS risk for long hostnames (> 32)

---
 src/lib/protocols/dns.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

(limited to 'src/lib/protocols/dns.c')

diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 3509e604d..1a318aa02 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -693,6 +693,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st
 || (d_port == LLMNR_PORT))
 && (packet->payload_packet_len > sizeof(struct ndpi_dns_packet_header)+payload_offset)) {
 struct ndpi_dns_packet_header dns_header;
+ char *dot;
 u_int len, off;
 int invalid = search_valid_dns(ndpi_struct, flow, &dns_header, payload_offset, &is_query, is_mdns);
 ndpi_protocol ret;
@@ -769,6 +770,21 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st
 if (hostname_is_valid == 0)
 ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, NULL);
 
+ dot = strchr(_hostname, '.');
+ if(dot) {
+ unsigned long first_element_len = (unsigned long)dot - (unsigned long)_hostname;
+
+ if(first_element_len > 32) {
+ /*
+ The lenght of the first element in the query is very long
+ and this might be an issue or indicate an exfiltration
+ */
+
+ /* printf("**** %lu [%s][%s]\n", first_element_len, dot, _hostname); */
+ ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_SUSPICIOUS_TRAFFIC, NULL);
+ }
+ }
+
 if(len > 0) {
 ndpi_protocol_match_result ret_match;
-- 
cgit v1.2.3
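Review bot: The label length in the second hunk is computed by casting both pointers to `unsigned long`, which truncates on LLP64 targets (64-bit Windows, where `unsigned long` is 32 bits) and the surrounding `if(dot)` also silently skips a dot-less name whose single label exceeds the threshold; `size_t first_element_len = dot ? (size_t)(dot - _hostname) : strlen(_hostname);` with the `if(dot)` wrapper dropped handles both. The bare `32` from the subject line deserves a named constant, since it is the tuning knob of a heuristic that legitimate long first labels (hashed or token-bearing subdomains) will also trip, and the comment should say so: `/* A first label longer than 32 chars is a common tunnelling/exfiltration pattern, but also occurs in legitimate hashed subdomains: heuristic only */`. The commented-out `printf` and the `lenght` typo should go before merge. Both hunks are inside ndpi_search_dns, whose body starts and ends outside them.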