From defe7d7f79276b60d92addd47f904f417c6a8ea9 Mon Sep 17 00:00:00 2001
From: Luca Deri
Date: Tue, 14 Jun 2022 00:13:05 +0200
Subject: Updated DNS alert triggered only with TTL == 0

---
 src/lib/protocols/dns.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
(limited to 'src/lib/protocols')

diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 784dd2f52..a0942badc 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -310,12 +310,8 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct,
     rsp_type = get16(&x, packet->payload);
     rsp_ttl = ntohl(*((u_int32_t*)&packet->payload[x+2]));
 
-    if(rsp_ttl < 300) {
-      char buf[64];
-
-      snprintf(buf, sizeof(buf), "Low DNS Record TTL %d", rsp_ttl);
-      ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_SUSPICIOUS_TRAFFIC, buf);
-    }
+    if(rsp_ttl == 0)
+      ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_SUSPICIOUS_TRAFFIC, "DNS Record with zero TTL");
 
 #ifdef DNS_DEBUG
     printf("[DNS] TTL = %u\n", rsp_ttl);
-- 
cgit v1.2.3
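Review bot: The new `if(rsp_ttl == 0)` check is only as trustworthy as the `rsp_ttl` it reads, and the context line just above it takes four bytes at `packet->payload[x+2]` through a `*((u_int32_t*)&...)` cast with no length check against the payload length visible in the hunk; since `search_valid_dns` starts and continues outside the hunk, a guard may exist earlier, but it is worth confirming that `x + 6` is bounded before this code runs on a truncated answer record. Independently of bounds, that cast is an unaligned, aliasing-violating load on strict-alignment targets, whereas `rsp_type` on the line before is read through the `get16` helper; reading the TTL the same way, e.g. `memcpy(&rsp_ttl, &packet->payload[x+2], sizeof(rsp_ttl)); rsp_ttl = ntohl(rsp_ttl);`, would avoid the UB without changing behaviour. As a point of style, the added single-statement `if` has no braces, which the surrounding code (the removed block) did use; bracing it keeps later additions from silently falling outside the condition. A one-line comment such as `/* TTL 0 is unusual for a real answer and is flagged as suspicious; low-but-nonzero TTLs are no longer reported */` would record why the threshold moved from `< 300` to `== 0`.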