From 7086197047f3b342f650b91374c322615693c888 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Wed, 9 Sep 2020 23:25:19 +0200 Subject: Added extension to detect nested subdomains as used in Browsertunnel attack tool https://github.com/veggiedefender/browsertunnel --- src/include/ndpi_api.h.in | 2 +- src/lib/ndpi_main.c | 86 ++++++++++++++++++++++++++------------------- src/lib/protocols/dns.c | 2 +- src/lib/protocols/http.c | 7 ++-- src/lib/protocols/netbios.c | 2 +- src/lib/protocols/tls.c | 3 +- src/lib/protocols/tor.c | 2 +- 7 files changed, 57 insertions(+), 47 deletions(-) (limited to 'src') diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in index 79cfdd9a7..ecc276eab 100644 --- a/src/include/ndpi_api.h.in +++ b/src/include/ndpi_api.h.in @@ -945,7 +945,7 @@ extern "C" { /* DGA */ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, - char *name); + char *name, u_int8_t is_hostname); /* Serializer */ int ndpi_init_serializer_ll(ndpi_serializer *serializer, ndpi_serialization_format fmt, diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 564f8978d..d8a3b354f 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -6665,10 +6665,10 @@ static int enough(int a, int b) { int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, - char *name) { + char *name, u_int8_t is_hostname) { int len, rc = 0; - u_int8_t max_num_char_repetitions = 0, last_char = 0, num_char_repetitions = 0; - u_int8_t max_domain_element_len = 0, curr_domain_element_len = 0; + u_int8_t max_num_char_repetitions = 0, last_char = 0, num_char_repetitions = 0, num_dots = 0; + u_int8_t max_domain_element_len = 0, curr_domain_element_len = 0, first_element_is_numeric = 1; len = strlen(name); @@ -6685,45 +6685,52 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, } for(i=0, j=0; (i max_num_char_repetitions) - max_num_char_repetitions = num_char_repetitions; - } else - num_char_repetitions = 1, last_char = tmp[j]; - - switch(tmp[j]) { - case '.': - case '-': - case '_': - case '/': - case ')': - case '(': - case ';': - case ':': - case '[': - case ']': - case ' ': - /* - Domain/word separator chars + if(tmp[j] == '.') + num_dots++; + else if(num_dots == 0) { + if(!isnumber(tmp[j])) + first_element_is_numeric = 0; + } + + if(last_char == tmp[j]) { + if(++num_char_repetitions > max_num_char_repetitions) + max_num_char_repetitions = num_char_repetitions; + } else + num_char_repetitions = 1, last_char = tmp[j]; + + switch(tmp[j]) { + case '.': + case '-': + case '_': + case '/': + case ')': + case '(': + case ';': + case ':': + case '[': + case ']': + case ' ': + /* + Domain/word separator chars - NOTE: - this function is used also to detect other type of issues - such as invalid/suspiciuous user agent - */ - if(curr_domain_element_len > max_domain_element_len) - max_domain_element_len = curr_domain_element_len; + NOTE: + this function is used also to detect other type of issues + such as invalid/suspiciuous user agent + */ + if(curr_domain_element_len > max_domain_element_len) + max_domain_element_len = curr_domain_element_len; - curr_domain_element_len = 0; + curr_domain_element_len = 0; break; - default: - curr_domain_element_len++; - break; - } + default: + curr_domain_element_len++; + break; + } - j++; + j++; } if(curr_domain_element_len > max_domain_element_len) @@ -6735,7 +6742,12 @@ int ndpi_check_dga_name(struct ndpi_detection_module_struct *ndpi_str, #endif if( - (max_num_char_repetitions > 5 /* num or consecutive repeated chars */) + (is_hostname + && (num_dots > 5) + && (!first_element_is_numeric) + && (strstr(tmp, "in-addr.arpa") == NULL) + ) + || (max_num_char_repetitions > 5 /* num or consecutive repeated chars */) /* In case of a name with too many consecutive chars an alert is triggered This is the case for instance of the wildcard DNS query used by NetBIOS diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 5e6d01d69..03ac7b9d2 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -301,7 +301,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st if(j > 0) { ndpi_protocol_match_result ret_match; - ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name); + ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name, 1); ret.app_protocol = ndpi_match_host_subprotocol(ndpi_struct, flow, (char *)flow->host_server_name, diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 0e3e0d413..acfa55769 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -263,15 +263,12 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru char *ua) { if((!ua) || (ua[0] == '\0')) return; - // printf("***** [%s:%d] ==> '%s'\n", __FILE__, __LINE__, ua); - // printf("***** %u\n", ndpi_check_dga_name(ndpi_struct, NULL, "uclient-fetch]")); - if((strlen(ua) < 4) || (!strncmp(ua, "test", 4)) || (!strncmp(ua, "impossible_bigrams_automa, ua) ) { NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_USER_AGENT); @@ -438,7 +435,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ flow->host_server_name[len] = '\0'; flow->extra_packets_func = NULL; /* We're good now */ - if(len > 0) ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name); + if(len > 0) ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name, 1); flow->server_id = flow->dst; if(packet->forwarded_line.ptr) { diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c index 6ca691c7e..1f3850cbd 100644 --- a/src/lib/protocols/netbios.c +++ b/src/lib/protocols/netbios.c @@ -85,7 +85,7 @@ static void ndpi_int_netbios_add_connection(struct ndpi_detection_module_struct flow->packet.payload_packet_len - off, name, sizeof(name)) > 0) { snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name); - ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name); + ndpi_check_dga_name(ndpi_struct, flow, (char*)flow->host_server_name, 1); } if(sub_protocol == NDPI_PROTOCOL_UNKNOWN) diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index aa3836442..71fb2d5c3 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -1161,7 +1161,8 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct, flow->l4.tcp.tls.subprotocol_detected = 1; } - ndpi_check_dga_name(ndpi_struct, flow, flow->protos.stun_ssl.ssl.client_requested_server_name); + ndpi_check_dga_name(ndpi_struct, flow, + flow->protos.stun_ssl.ssl.client_requested_server_name, 1); } else { #ifdef DEBUG_TLS printf("[TLS] Extensions server len too short: %u vs %u\n", diff --git a/src/lib/protocols/tor.c b/src/lib/protocols/tor.c index 7318685e7..71172e211 100644 --- a/src/lib/protocols/tor.c +++ b/src/lib/protocols/tor.c @@ -48,7 +48,7 @@ int ndpi_is_tls_tor(struct ndpi_detection_module_struct *ndpi_struct, if((dot = strrchr(dummy, '.')) == NULL) return(0); name = &dot[1]; - if(ndpi_check_dga_name(ndpi_struct, flow, name)) { + if(ndpi_check_dga_name(ndpi_struct, flow, name, 1)) { ndpi_int_tor_add_connection(ndpi_struct, flow); return(1); } else { -- cgit v1.2.3