From 8a2a47e62a0d7b1bc8815dc4f09c35b73393454e Mon Sep 17 00:00:00 2001
From: Luca Deri
Date: Mon, 14 Feb 2022 23:38:21 +0100
Subject: Silenced NDPI_SUSPICIOUS_DGA_DOMAIN, NDPI_BINARY_APPLICATION_TRANSFER, NDPI_HTTP_NUMERIC_IP_HOST, NDPI_MALICIOUS_JA3, for predefined connectivity check and cybersec categories

---
 src/lib/ndpi_content_match.c.inc | 1 +
 src/lib/ndpi_main.c | 20 +++++++++++++-------
 2 files changed, 14 insertions(+), 7 deletions(-)
(limited to 'src')

diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index cb59883ce..2c4781e82 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -1911,6 +1911,7 @@ static ndpi_protocol_match host_match[] = {
   { "malwarebytes.com", "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
   { "trendmicro.com", "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
   { ".eset.com", "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+  { ".e5.sk", "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
   { "bullguard.com", "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
   { "paloaltonetworks.com", "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
   { "crowdstrike.com", "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 87a9bff87..7c0e8f3b1 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
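Review bot: The entry added to host_match[] is `.e5.sk` with a leading dot, whereas the name removed from domains[] in ndpi_main.c by this same commit was the bare `e5.sk`; if the risk-mask matcher requires the literal leading dot to be present in the hostname (I cannot confirm that from this hunk), the apex host e5.sk itself is no longer exempt, so the narrowing should be confirmed as intended. The domain name is not self-describing the way the neighbouring vendor entries are, so a trailing comment naming the vendor or service this host belongs to would help the next reader decide whether the Cybersec categorisation is still appropriate. Note also that a host_match[] entry does more than the old domains[] entry did: besides the risk exemption it now classifies traffic to this host as NDPI_PROTOCOL_CYBERSECURITY.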
@@ -2519,13 +2519,6 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs
 static void ndpi_add_domain_risk_exceptions(struct ndpi_detection_module_struct *ndpi_str) {
   const char *domains[] = {
     ".local",
-    ".msftconnecttest.com",
-    "amupdatedl.microsoft.com",
-    "update.microsoft.com.akadns.net",
-    ".windowsupdate.com",
-    ".ras.microsoft.com",
-    "e5.sk",
-    "sophosxl.net",
     NULL /* End */
   };
   const ndpi_risk risks_to_mask[] = {
@@ -2543,6 +2536,19 @@ static void ndpi_add_domain_risk_exceptions(struct ndpi_detection_module_struct
 
   for(i=0; domains[i] != NULL; i++)
     ndpi_add_host_risk_mask(ndpi_str, (char*)domains[i], mask);
+
+  for(i=0; host_match[i].string_to_match != NULL; i++) {
+    switch(host_match[i].protocol_category) {
+    case NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK:
+    case NDPI_PROTOCOL_CATEGORY_CYBERSECURITY:
+      ndpi_add_host_risk_mask(ndpi_str, (char*)host_match[i].string_to_match, mask);
+      break;
+
+    default:
+      /* Nothing to do */
+      break;
+    }
+  }
 }
 
 /* *********************************************** */
-- 
cgit v1.2.3
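Review bot: The new loop at the end of ndpi_add_domain_risk_exceptions widens the risk exemption from a short explicit list to every host_match[] entry in the CONNECTIVITY_CHECK and CYBERSECURITY categories, and nothing in the hunk records why those two categories are trusted or which risks `mask` silences; add above the loop `/* Hosts in the predefined connectivity-check and cybersec categories are trusted by design: mask the same risks as for domains[] (DGA, binary transfer, numeric IP host, malicious JA3) */`. The first hunk drops the Microsoft connectivity/update names and sophosxl.net from domains[], so their exemption now depends on each of them being present in host_match[] under one of these two categories — this commit only shows `.e5.sk` being added there, so the others are worth checking before merge. If the risk-mask automa matches patterns as plain substrings (not verifiable from this hunk), the dot-less vendor entries in host_match[] exempt any hostname that merely contains them, which is a broader allowlist than the old per-domain list; the entries with a leading dot are narrower in that respect. The declarations of `mask` and `i` lie between the two hunks, outside this one.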