1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
|
/*
* tor.c
*
* Copyright (C) 2016-18 ntop.org
* Copyright (C) 2013 Remy Mudingay <mudingay@ill.fr>
*
*/
#include "ndpi_protocol_ids.h"
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TOR
#include "ndpi_api.h"
static void ndpi_int_tor_add_connection(struct ndpi_detection_module_struct
*ndpi_struct, struct ndpi_flow_struct *flow) {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR, NDPI_PROTOCOL_UNKNOWN);
}
int ndpi_is_tls_tor(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow, char *certificate) {
int prev_num = 0, numbers_found = 0, num_found = 0, i, len, num_impossible = 0;
char dummy[48], *dot, *name;
if(certificate == NULL)
return(0);
else
len = strlen(certificate);
/* Check if it ends in .com or .net */
if(len>=4 && strcmp(&certificate[len-4], ".com") && strcmp(&certificate[len-4], ".net"))
return(0);
if((len < 6)
|| (!strncmp(certificate, "*.", 2)) /* Wildcard certificate */
|| (strncmp(certificate, "www.", 4)) /* Not starting with www.... */
)
return(0);
// printf("***** [SSL] %s(): %s\n", __FUNCTION__, certificate);
snprintf(dummy, sizeof(dummy), "%s", certificate);
if((dot = strrchr(dummy, '.')) == NULL) return(0);
dot[0] = '\0';
if((dot = strrchr(dummy, '.')) == NULL) return(0);
name = &dot[1];
len = strlen(name);
if(len >= 5) {
for(i = 0; name[i+1] != '\0'; i++) {
// printf("***** [SSL] %s(): [%d][%c]", __FUNCTION__, i, name[i]);
if((name[i] >= '0') && (name[i] <= '9')) {
if(prev_num != 1) {
numbers_found++;
if(numbers_found == 2) {
ndpi_int_tor_add_connection(ndpi_struct, flow);
return(1);
}
prev_num = 1;
}
} else
prev_num = 0;
if(ndpi_match_bigram(ndpi_struct, &ndpi_struct->bigrams_automa, &name[i])) {
num_found++;
} else if(ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, &name[i])) {
num_impossible++;
}
}
if((num_found == 0) || (num_impossible > 1)) {
ndpi_int_tor_add_connection(ndpi_struct, flow);
return(1);
} else {
#ifdef PEDANTIC_TOR_CHECK
if(gethostbyname(certificate) == NULL) {
ndpi_int_tor_add_connection(ndpi_struct, flow);
return(1);
}
#endif
}
}
return(0);
}
/* ******************************************* */
void ndpi_search_tor(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
NDPI_LOG_DBG(ndpi_struct, "search for TOR\n");
if(packet->tcp != NULL) {
u_int16_t dport, sport;
sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest);
NDPI_LOG_DBG2(ndpi_struct, "calculating TOR over tcp\n");
if ((((dport == 9001) || (sport == 9001)) || ((dport == 9030) || (sport == 9030)))
&& ((packet->payload[0] == 0x17) || (packet->payload[0] == 0x16))
&& (packet->payload[1] == 0x03)
&& (packet->payload[2] == 0x01)
&& (packet->payload[3] == 0x00)) {
NDPI_LOG_INFO(ndpi_struct, "found tor\n");
ndpi_int_tor_add_connection(ndpi_struct, flow);
}
} else {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
}
void init_tor_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
ndpi_set_bitmask_protocol_detection("Tor", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_TOR,
ndpi_search_tor,
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
*id += 1;
}
|