From 7a172ce11e0b8ebef5af842fc9bc1be6fc3ecc0c Mon Sep 17 00:00:00 2001
From: Luca Deri
Date: Mon, 13 Jun 2022 23:42:07 +0200
Subject: Added check for DGA names that resolve to a valid record

---
 src/lib/protocols/dns.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'src/lib')

diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index bdc0384be..784dd2f52 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -258,6 +258,10 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct,
 snprintf(str, sizeof(str), "DNS Error Code %d", flow->protos.dns.reply_code);
 ndpi_set_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED, str);
+ } else {
+ if(ndpi_isset_risk(ndpi_struct, flow, NDPI_SUSPICIOUS_DGA_DOMAIN)) {
+ ndpi_set_risk(ndpi_struct, flow, NDPI_RISKY_DOMAIN, "DGA Name Query with no Error Code");
+ }
 }
 if((dns_header->num_queries > 0) && (dns_header->num_queries <= NDPI_MAX_DNS_REQUESTS) /* Don't assume that num_queries must be zero */
-- 
cgit v1.2.3
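Review bot: The new `else` branch escalates a DGA-suspicious name to NDPI_RISKY_DOMAIN on any reply whose `reply_code` is 0, but a NOERROR reply with an empty answer section (NODATA, common for AAAA lookups or names that only hold other record types) does not mean the name "resolves to a valid record" as the subject claims, so benign-but-algorithmic-looking hostnames will be escalated on that path. If `dns_header` carries an answer count next to the `num_queries` field used a few lines below (it appears to be named `num_answers`, to be confirmed), gate on it and fold the nested `if` into the `else` to drop one nesting level: `} else if(ndpi_isset_risk(ndpi_struct, flow, NDPI_SUSPICIOUS_DGA_DOMAIN) && (dns_header->num_answers > 0)) {`. Whether this branch runs only on replies depends on the enclosing `if` that sets `reply_code`, which starts outside the hunk; if it can also run on the query packet the risk would be set before any answer is seen, so that is worth checking. The surrounding function search_valid_dns begins and ends outside the hunk.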