From 65b9ad88a964cfed149185914f6ffb494665027a Mon Sep 17 00:00:00 2001
From: Luca Deri
Date: Tue, 5 Mar 2024 11:14:34 +0100
Subject: Improved alert on suspicious DNS traffic

---
 src/lib/protocols/dns.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

(limited to 'src/lib/protocols')

diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 64e3a38d8..95f3626c9 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -773,14 +773,13 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st
     if(dot) {
       uintptr_t first_element_len = dot - _hostname;
-      if((first_element_len > 32) && (!is_mdns)) {
+      if((first_element_len > 48) && (!is_mdns)) {
         /* The lenght of the first element in the query is very long and this might be an issue or indicate an exfiltration */
-        /* printf("**** %lu [%s][%s]\n", first_element_len, dot, _hostname); */
-        ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_SUSPICIOUS_TRAFFIC, NULL);
+        ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_SUSPICIOUS_TRAFFIC, "Long DNS host name");
       }
     }
-- 
cgit v1.2.3
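Review bot: The new threshold `48` on the first added line is a bare magic number with no comment on why it replaced 32, so the next tuning will be just as opaque as this one; name it and record the rationale, e.g. a file-level `#define NDPI_DNS_LONG_LABEL_THRESHOLD 48 /* RFC 1035 caps a label at 63 bytes; benign first labels rarely come close */` (suggested name) and `if((first_element_len > NDPI_DNS_LONG_LABEL_THRESHOLD) && (!is_mdns)) {`. Since only the first label is measured, the risk string `"Long DNS host name"` overstates what was checked; `"Long DNS label"` would describe the heuristic accurately, and the existing comment could say explicitly that total query-name length and label count are not part of this check. The context line above stores a pointer difference in `uintptr_t`, where `size_t` or `ptrdiff_t` would match its meaning, and the comment's `lenght` typo could be fixed in the same touch. The enclosing `ndpi_search_dns` body starts and ends outside the hunk.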