1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
|
#ifndef __NDPI_PRIVATE_H__
#define __NDPI_PRIVATE_H__
#ifdef __cplusplus
extern "C" {
#endif
/* Not sure if we still need it.. keep it for the time being */
#ifdef NDPI_LIB_COMPILATION
/* Needed to have access to HAVE_* defines */
#ifndef _NDPI_CONFIG_H_
#include "ndpi_config.h"
#define _NDPI_CONFIG_H_
#endif
struct call_function_struct {
NDPI_PROTOCOL_BITMASK detection_bitmask;
NDPI_PROTOCOL_BITMASK excluded_protocol_bitmask;
void (*func) (struct ndpi_detection_module_struct *, struct ndpi_flow_struct *flow);
NDPI_SELECTION_BITMASK_PROTOCOL_SIZE ndpi_selection_bitmask;
u_int16_t ndpi_protocol_id;
u_int8_t detection_feature;
};
struct subprotocol_conf_struct {
void (*func) (struct ndpi_detection_module_struct *, char *attr, char *value, int protocol_id);
};
typedef struct default_ports_tree_node {
ndpi_proto_defaults_t *proto;
u_int8_t customUserProto;
u_int16_t default_port;
} default_ports_tree_node_t;
#define LINE_EQUALS(ndpi_int_one_line_struct, string_to_compare) \
((ndpi_int_one_line_struct).len == strlen(string_to_compare) && \
LINE_CMP(ndpi_int_one_line_struct, string_to_compare, strlen(string_to_compare)) == 1)
#define LINE_STARTS(ndpi_int_one_line_struct, string_to_compare) \
((ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \
LINE_CMP(ndpi_int_one_line_struct, string_to_compare, strlen(string_to_compare)) == 1)
#define LINE_ENDS(ndpi_int_one_line_struct, string_to_compare) \
((ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \
memcmp((ndpi_int_one_line_struct).ptr + \
((ndpi_int_one_line_struct).len - strlen(string_to_compare)), \
string_to_compare, strlen(string_to_compare)) == 0)
#define LINE_CMP(ndpi_int_one_line_struct, string_to_compare, string_to_compare_length) \
((ndpi_int_one_line_struct).ptr != NULL && \
memcmp((ndpi_int_one_line_struct).ptr, string_to_compare, string_to_compare_length) == 0)
struct ndpi_int_one_line_struct {
const u_int8_t *ptr;
u_int16_t len;
};
struct ndpi_packet_struct {
const struct ndpi_iphdr *iph;
const struct ndpi_ipv6hdr *iphv6;
const struct ndpi_tcphdr *tcp;
const struct ndpi_udphdr *udp;
const u_int8_t *generic_l4_ptr; /* is set only for non tcp-udp traffic */
const u_int8_t *payload;
u_int64_t current_time_ms;
struct ndpi_int_one_line_struct line[NDPI_MAX_PARSE_LINES_PER_PACKET];
/* HTTP headers */
struct ndpi_int_one_line_struct host_line;
struct ndpi_int_one_line_struct forwarded_line;
struct ndpi_int_one_line_struct referer_line;
struct ndpi_int_one_line_struct content_line;
struct ndpi_int_one_line_struct content_disposition_line;
struct ndpi_int_one_line_struct accept_line;
struct ndpi_int_one_line_struct authorization_line;
struct ndpi_int_one_line_struct user_agent_line;
struct ndpi_int_one_line_struct http_url_name;
struct ndpi_int_one_line_struct http_encoding;
struct ndpi_int_one_line_struct http_transfer_encoding;
struct ndpi_int_one_line_struct http_contentlen;
struct ndpi_int_one_line_struct http_cookie;
struct ndpi_int_one_line_struct http_origin;
struct ndpi_int_one_line_struct http_x_session_type;
struct ndpi_int_one_line_struct server_line;
struct ndpi_int_one_line_struct http_method;
struct ndpi_int_one_line_struct http_response; /* the first "word" in this pointer is the
response code in the packet (200, etc) */
u_int8_t http_num_headers; /* number of found (valid) header lines in HTTP request or response */
u_int16_t l3_packet_len;
u_int16_t payload_packet_len;
u_int16_t parsed_lines;
u_int16_t empty_line_position;
u_int8_t tcp_retransmission;
u_int8_t packet_lines_parsed_complete:1,
packet_direction:1, empty_line_position_set:1, http_check_content:1, pad:4;
};
typedef struct ndpi_list_struct {
char *value;
struct ndpi_list_struct *next;
} ndpi_list;
#ifdef HAVE_NBPF
typedef struct {
void *tree; /* cast to nbpf_filter* */
u_int16_t l7_protocol;
} nbpf_filter;
#endif
struct ndpi_detection_module_struct {
NDPI_PROTOCOL_BITMASK detection_bitmask;
u_int64_t current_ts;
u_int16_t max_packets_to_process;
u_int16_t num_tls_blocks_to_follow;
u_int8_t skip_tls_blocks_until_change_cipher:1, enable_ja3_plus:1, _notused:6;
u_int8_t tls_certificate_expire_in_x_days;
void *user_data;
char custom_category_labels[NUM_CUSTOM_CATEGORIES][CUSTOM_CATEGORY_LABEL_LEN];
/* callback function buffer */
struct call_function_struct *callback_buffer;
struct call_function_struct *callback_buffer_tcp_no_payload;
struct call_function_struct *callback_buffer_tcp_payload;
struct call_function_struct *callback_buffer_udp;
struct call_function_struct *callback_buffer_non_tcp_udp;
u_int32_t callback_buffer_size;
u_int32_t callback_buffer_size_tcp_no_payload;
u_int32_t callback_buffer_size_tcp_payload;
u_int32_t callback_buffer_size_udp;
u_int32_t callback_buffer_size_non_tcp_udp;
default_ports_tree_node_t *tcpRoot, *udpRoot;
ndpi_log_level_t ndpi_log_level; /* default error */
#ifdef NDPI_ENABLE_DEBUG_MESSAGES
/* debug callback, only set when debug is used */
ndpi_debug_function_ptr ndpi_debug_printf;
const char *ndpi_debug_print_file;
const char *ndpi_debug_print_function;
u_int32_t ndpi_debug_print_line;
NDPI_PROTOCOL_BITMASK debug_bitmask;
#endif
/* misc parameters */
u_int32_t tcp_max_retransmission_window_size;
/* subprotocol registration handler */
struct subprotocol_conf_struct subprotocol_conf[NDPI_MAX_SUPPORTED_PROTOCOLS + 1];
u_int ndpi_num_supported_protocols;
u_int ndpi_num_custom_protocols;
int ac_automa_finalized;
/* HTTP/DNS/HTTPS/QUIC host matching */
ndpi_automa host_automa, /* Used for DNS/HTTPS */
risky_domain_automa, tls_cert_subject_automa,
host_risk_mask_automa, common_alpns_automa;
/* IMPORTANT: please, whenever you add a new automa:
* update ndpi_finalize_initialization()
* update automa_type above
*/
ndpi_str_hash *malicious_ja3_hashmap, *malicious_sha1_hashmap;
ndpi_list *trusted_issuer_dn;
/* Patricia trees */
ndpi_patricia_tree_t *ip_risk_mask_ptree;
ndpi_patricia_tree_t *ip_risk_mask_ptree6;
ndpi_patricia_tree_t *ip_risk_ptree;
ndpi_patricia_tree_t *ip_risk_ptree6;
ndpi_patricia_tree_t *protocols_ptree; /* IP-based protocol detection */
ndpi_patricia_tree_t *protocols_ptree6;
/* *** If you add a new Patricia tree, please update ptree_type above! *** */
struct {
#ifdef USE_LEGACY_AHO_CORASICK
ndpi_automa hostnames, hostnames_shadow;
#else
ndpi_domain_classify *sc_hostnames, *sc_hostnames_shadow;
#endif
void *ipAddresses, *ipAddresses_shadow; /* Patricia */
void *ipAddresses6, *ipAddresses6_shadow; /* Patricia IPv6*/
u_int8_t categories_loaded;
} custom_categories;
u_int8_t ip_version_limit;
/* NDPI_PROTOCOL_TINC */
struct cache *tinc_cache;
/* NDPI_PROTOCOL_OOKLA */
struct ndpi_lru_cache *ookla_cache;
u_int32_t ookla_cache_num_entries;
u_int32_t ookla_cache_ttl;
/* NDPI_PROTOCOL_BITTORRENT */
struct ndpi_lru_cache *bittorrent_cache;
u_int32_t bittorrent_cache_num_entries;
u_int32_t bittorrent_cache_ttl;
/* NDPI_PROTOCOL_ZOOM */
struct ndpi_lru_cache *zoom_cache;
u_int32_t zoom_cache_num_entries;
u_int32_t zoom_cache_ttl;
/* NDPI_PROTOCOL_STUN and subprotocols */
struct ndpi_lru_cache *stun_cache;
u_int32_t stun_cache_num_entries;
u_int32_t stun_cache_ttl;
struct ndpi_lru_cache *stun_zoom_cache;
u_int32_t stun_zoom_cache_num_entries;
u_int32_t stun_zoom_cache_ttl;
/* NDPI_PROTOCOL_TLS and subprotocols */
struct ndpi_lru_cache *tls_cert_cache;
u_int32_t tls_cert_cache_num_entries;
int32_t tls_cert_cache_ttl;
/* NDPI_PROTOCOL_MINING and subprotocols */
struct ndpi_lru_cache *mining_cache;
u_int32_t mining_cache_num_entries;
u_int32_t mining_cache_ttl;
/* NDPI_PROTOCOL_MSTEAMS */
struct ndpi_lru_cache *msteams_cache;
u_int32_t msteams_cache_num_entries;
u_int32_t msteams_cache_ttl;
/* *** If you add a new LRU cache, please update lru_cache_type above! *** */
int opportunistic_tls_smtp_enabled;
int opportunistic_tls_imap_enabled;
int opportunistic_tls_pop_enabled;
int opportunistic_tls_ftp_enabled;
int opportunistic_tls_stun_enabled;
u_int32_t monitoring_stun_pkts_to_process;
u_int32_t monitoring_stun_flags;
u_int32_t aggressiveness_ookla;
int tcp_ack_paylod_heuristic;
int fully_encrypted_based_on_first_pkt_heuristic;
u_int16_t ndpi_to_user_proto_id[NDPI_MAX_NUM_CUSTOM_PROTOCOLS]; /* custom protocolId mapping */
ndpi_proto_defaults_t proto_defaults[NDPI_MAX_SUPPORTED_PROTOCOLS+NDPI_MAX_NUM_CUSTOM_PROTOCOLS];
u_int8_t direction_detect_disable:1, /* disable internal detection of packet direction */ _pad:7;
#ifdef CUSTOM_NDPI_PROTOCOLS
#include "../../../nDPI-custom/custom_ndpi_typedefs.h"
#endif
/* GeoIP */
void *mmdb_city, *mmdb_as;
u_int8_t mmdb_city_loaded, mmdb_as_loaded;
/* Current packet */
struct ndpi_packet_struct packet;
const struct ndpi_flow_input_info *input_info;
#ifdef HAVE_NBPF
u_int8_t num_nbpf_custom_proto;
nbpf_filter nbpf_custom_proto[MAX_NBPF_CUSTOM_PROTO];
#endif
u_int16_t max_payload_track_len;
};
/* Generic */
char *strptime(const char *s, const char *format, struct tm *tm);
u_int8_t iph_is_valid_and_not_fragmented(const struct ndpi_iphdr *iph, const u_int16_t ipsize);
int current_pkt_from_client_to_server(const struct ndpi_detection_module_struct *ndpi_str, const struct ndpi_flow_struct *flow);
int current_pkt_from_server_to_client(const struct ndpi_detection_module_struct *ndpi_str, const struct ndpi_flow_struct *flow);
/* TLS */
int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow, uint32_t quic_version);
void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
u_int16_t p_offset, u_int16_t certificate_len);
void switch_to_tls(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow);
int is_dtls(const u_int8_t *buf, u_int32_t buf_len, u_int32_t *block_len);
void switch_extra_dissection_to_tls(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow);
/* HTTP */
void http_process_user_agent(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
const u_int8_t *ua_ptr, u_int16_t ua_ptr_len);
/* OOKLA */
int ookla_search_into_cache(struct ndpi_detection_module_struct* ndpi_struct,
struct ndpi_flow_struct* flow);
void ookla_add_to_cache(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow);
/* QUIC */
int quic_len(const uint8_t *buf, uint64_t *value);
int quic_len_buffer_still_required(uint8_t value);
int is_version_with_var_int_transport_params(uint32_t version);
int is_version_with_tls(uint32_t version);
void process_chlo(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
const u_int8_t *crypto_data, uint32_t crypto_data_len);
void process_tls(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
const u_int8_t *crypto_data, uint32_t crypto_data_len);
const uint8_t *get_crypto_data(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
u_int8_t *clear_payload, uint32_t clear_payload_len,
uint64_t *crypto_data_len);
/* RTP */
int is_valid_rtp_payload_type(uint8_t type);
int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow);
u_int8_t rtp_get_stream_type(u_int8_t payloadType, ndpi_multimedia_flow_type *s_type);
/* Bittorrent */
u_int32_t make_bittorrent_host_key(struct ndpi_flow_struct *flow, int client, int offset);
u_int32_t make_bittorrent_peers_key(struct ndpi_flow_struct *flow);
int search_into_bittorrent_cache(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow);
/* Mining */
u_int32_t make_mining_key(struct ndpi_flow_struct *flow);
/* Stun */
int stun_search_into_zoom_cache(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
#endif
#ifdef __cplusplus
}
#endif
#endif
|