From 41765efcf8159fd8b9dcf4ceca60fbd37e6e79e8 Mon Sep 17 00:00:00 2001
From: Toni
Date: Tue, 26 Oct 2021 21:34:01 +0200
Subject: Detect invalid characters in text and set a risk. Fixes #1347. (#1363)

Signed-off-by: Toni Uhlig
---
 wireshark/ndpi.lua | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'wireshark')

diff --git a/wireshark/ndpi.lua b/wireshark/ndpi.lua
index 9b168f580..dce26f1d9 100644
--- a/wireshark/ndpi.lua
+++ b/wireshark/ndpi.lua
@@ -77,9 +77,10 @@ flow_risks[35] = ProtoField.bool("ndpi.flow_risk.suspicious_entropy", "Suspiciou
 flow_risks[36] = ProtoField.bool("ndpi.flow_risk.clear_text_credentials", "Cleat-Text credentials", num_bits_flow_risks, nil, bit(4), "nDPI Flow Risk: cleat-text credentials")
 flow_risks[37] = ProtoField.bool("ndpi.flow_risk.dns_large_packet", "DNS large packet", num_bits_flow_risks, nil, bit(5), "nDPI Flow Risk: DNS packet is larger than 512 bytes")
 flow_risks[38] = ProtoField.bool("ndpi.flow_risk.dns_fragmented", "DNS fragmented", num_bits_flow_risks, nil, bit(6), "nDPI Flow Risk: DNS message is fragmented")
+flow_risks[39] = ProtoField.bool("ndpi.flow_risk.invalid_characters", "Invalid characters", num_bits_flow_risks, nil, bit(7), "nDPI Flow Risk: Text contains non-printable characters")
 
 -- Last one: keep in sync the bitmask when adding new risks!!
-flow_risks[64] = ProtoField.new("Unused", "ndpi.flow_risk.unused", ftypes.UINT32, nil, base.HEX, bit(32) - bit(7))
+flow_risks[64] = ProtoField.new("Unused", "ndpi.flow_risk.unused", ftypes.UINT32, nil, base.HEX, bit(32) - bit(8))
 
 for _,v in pairs(flow_risks) do
 ndpi_fds[#ndpi_fds + 1] = v
-- 
cgit v1.2.3
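Review bot: The `Unused` mask on `flow_risks[64]` is still a hand-edited literal, so the next risk added after `flow_risks[39]` will overlap it or leave a gap if `bit(8)` is not bumped in the same change. Deriving it from one constant would remove that coupling, e.g. `local last_risk_bit = 7` next to the table and `bit(32) - bit(last_risk_bit + 1)` in the mask. The definition of `bit()` is outside the hunk, so whether `bit(32) - bit(8)` also covers the top bit of the word cannot be confirmed from here and is worth checking. Because analysts triage flows from these fields, the new entry would also benefit from a comment such as `-- index and bit must match this risk's position in nDPI's risk enum`, so the dissector does not mislabel a risk if the two drift apart. The `for` loop at the end of the hunk continues outside it.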