author | Toni Uhlig <matzeton@googlemail.com> | 2021-02-27 17:38:31 +0100 |
committer | Toni Uhlig <matzeton@googlemail.com> | 2021-02-27 17:47:49 +0100 |
commit | 06ff3530998725864120302f7b04519bf3032e5e (patch) | |
tree | b1ae8f87860d1a928029e6fadd3ecb2e2390e98c | |
parent | e0310d7e1d1f5a8b3b083442d56a1d5485880303 (diff) |
Added JA3 / SSL SHA1 fingerprint blacklists.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r-- | .travis.yml | 2 | ||||
-rw-r--r-- | examples/c-captured/c-captured.c | 13 | ||||
-rw-r--r-- | nDPId.c | 26 |
3 files changed, 31 insertions, 10 deletions
diff --git a/.travis.yml b/.travis.yml
index 2be9adb4b..323f369ac 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,7 +1,7 @@
 language: c
 before_install:
 - sudo apt-get -qq update
-- sudo apt-get install -y build-essential make binutils gcc autoconf automake libtool pkg-config git libpcap-dev libgcrypt-dev libgpg-error-dev libjson-c-dev netcat-openbsd
+- sudo apt-get install -y build-essential make binutils gcc autoconf automake libtool pkg-config git libpcap-dev libgcrypt-dev libgpg-error-dev libjson-c-dev libmaxminddb-dev netcat-openbsd
 script:
 - git clone https://github.com/ntop/nDPI.git
 - cd nDPI && ./autogen.sh --prefix=$(realpath ./_install) --with-sanitizer --with-only-libndpi && make install -j4 && cd ..
diff --git a/examples/c-captured/c-captured.c b/examples/c-captured/c-captured.c
index 261b15f7a..89a7b5eab 100644
--- a/examples/c-captured/c-captured.c
+++ b/examples/c-captured/c-captured.c
@@ -131,7 +131,11 @@ static char * generate_pcap_filename(struct nDPIsrvd_flow const * const flow,
 {
 char const * flow_type = NULL;
 
- if (flow_user->guessed != 0)
+ if (flow_user->midstream != 0)
+ {
+ flow_type = "midstream";
+ }
+ else if (flow_user->guessed != 0)
 {
 flow_type = "guessed";
 }
@@ -143,10 +147,6 @@ static char * generate_pcap_filename(struct nDPIsrvd_flow const * const flow,
 {
 flow_type = "risky";
 }
- else if (flow_user->midstream != 0)
- {
- flow_type = "midstream";
- }
 else
 {
 flow_type = "unknown-type";
@@ -592,7 +592,7 @@ int main(int argc, char ** argv)
 openlog("c-captured", LOG_CONS, LOG_DAEMON);
 
 errno = 0;
- if (user != NULL && change_user_group(user, group, pidfile, NULL, NULL) != 0)
+ if (user != NULL && change_user_group(user, group, pidfile, datadir /* :D */, NULL) != 0)
 {
 if (errno != 0)
 {
@@ -604,6 +604,7 @@ int main(int argc, char ** argv)
 }
 return 1;
 }
+ chmod(datadir, S_IRWXU);
 
 enum nDPIsrvd_connect_return connect_ret = nDPIsrvd_connect(sock);
 if (connect_ret != CONNECT_OK)
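Review bot: Moving the `midstream` test to the head of the chain in generate_pcap_filename makes it win over `guessed` and `risky` whenever several flags are set, but nothing in the function records that this ordering is deliberate, so a later reader could reorder it back; the matching deletion is the second hunk of this file. A one-line comment above the chain would fix that, e.g. `/* first match wins: midstream is reported ahead of guessed and risky */`. The branches between the guessed and risky cases lie outside the hunk, so the function body is only partially visible here.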
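Review bot: The `/* :D */` inserted into the new `change_user_group(user, group, pidfile, datadir /* :D */, NULL)` call conveys nothing about why `datadir` is now passed in that position; from the surrounding code it presumably lets the helper adjust ownership of the capture directory before the UID/GID switch, but that has to be confirmed against change_user_group itself. Replace it with a comment that states the intent, e.g. `/* datadir: handed to change_user_group so it is still usable after dropping privileges */`, once the helper's contract for that parameter is checked. main() continues before and after this hunk.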
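Review bot: The new `chmod(datadir, S_IRWXU);` discards its return value and runs unconditionally, whereas the previous hunk only hands `datadir` to change_user_group when `user` is set; if `datadir` can still be NULL here (no data directory configured), the call passes a null pointer to the kernel. Restricting the capture directory to its owner is a hardening step, so a silent failure leaves the directory more open than the operator expects; since the call runs after the privilege change it also only succeeds when the new user already owns the directory, which is worth stating in a comment. Suggest `if (datadir != NULL && chmod(datadir, S_IRWXU) != 0) { syslog(LOG_ERR, "chmod(%s): %s", datadir, strerror(errno)); return 1; }` — openlog in the preceding hunk shows syslog is already in use, and errno is already used in this function. main() continues outside the hunk.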
@@ -22,8 +22,8 @@
 #include "config.h"
 #include "utils.h"
 
-#if (NDPI_MAJOR == 3 && NDPI_MINOR < 3) || NDPI_MAJOR < 3
-#error "nDPI >= 3.3.0 requiired"
+#if ((NDPI_MAJOR == 3 && NDPI_MINOR < 6) || NDPI_MAJOR < 3) && NDPI_API_VERSION < 4087
+#error "nDPI >= 3.6.0 or API version >= 4087 required"
 #endif
 
 #if !defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_4) || !defined(__GCC_HAVE_SYNC_COMPARE_AND_SWAP_8)
@@ -280,6 +280,8 @@ static char * user = "nobody";
 static char * group = NULL;
 static char * custom_protocols_file = NULL;
 static char * custom_categories_file = NULL;
+static char * custom_ja3_file = NULL;
+static char * custom_sha1_file = NULL;
 static char json_sockpath[UNIX_PATH_MAX] = COLLECTOR_UNIX_SOCKET;
 
 /* subopts */
@@ -599,6 +601,14 @@ static struct nDPId_workflow * init_workflow(char const * const file_or_device)
 {
 ndpi_load_categories_file(workflow->ndpi_struct, custom_categories_file);
 }
+ if (custom_ja3_file != NULL)
+ {
+ ndpi_load_malicious_ja3_file(workflow->ndpi_struct, custom_ja3_file);
+ }
+ if (custom_sha1_file != NULL)
+ {
+ ndpi_load_malicious_sha1_file(workflow->ndpi_struct, custom_sha1_file);
+ }
 
 ndpi_finalize_initialization(workflow->ndpi_struct);
 ndpi_set_detection_preferences(workflow->ndpi_struct, ndpi_pref_enable_tls_block_dissection, 1);
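Review bot: The rewritten `#if` only rejects a header when both the version is below 3.6 and `NDPI_API_VERSION < 4087`, and for headers that predate `NDPI_API_VERSION` that second test works solely because an undefined identifier evaluates to 0 inside `#if`; that is standard behaviour but it is exactly what `-Wundef` reports, and the intent is not obvious from the expression. A comment above the check would make the reliance explicit, e.g. `/* NDPI_API_VERSION is undefined (hence 0 here) on headers that predate it, so old versions still fail this check */`.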
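Review bot: In init_workflow the new `ndpi_load_malicious_ja3_file` and `ndpi_load_malicious_sha1_file` calls ignore their return values, so a missing, unreadable or malformed blacklist leaves the daemon running with no JA3/SHA1 matching and no trace in the logs — the operator believes the control is active when it is not, which is the worst failure mode for a detection feature. The existing `ndpi_load_categories_file` call has the same gap, but these two are the lines the commit adds. These loaders report failure through their int result (confirm the exact convention against the nDPI headers this build targets); at minimum the result should be checked and logged, e.g. `if (ndpi_load_malicious_ja3_file(workflow->ndpi_struct, custom_ja3_file) < 0) { /* log the path and consider refusing to start */ }`, and likewise for the SHA1 file. init_workflow continues before and after this hunk.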
@@ -2661,12 +2671,16 @@ static int parse_options(int argc, char ** argv)
 "\t-g\tChange GID to the numeric value of group.\n"
 "\t-P\tLoad a nDPI custom protocols file.\n"
 "\t-C\tLoad a nDPI custom categories file.\n"
+ "\t-J\tLoad a nDPI JA3 hash blacklist file.\n"
+ "\t \tSee: https://sslbl.abuse.ch/blacklist/ja3_fingerprints.csv\n"
+ "\t-S\tLoad a nDPI SSL SHA1 hash blacklist file.\n"
+ "\t \tSee: https://sslbl.abuse.ch/blacklist/sslblacklist.csv\n"
 "\t-a\tSet an alias name of this daemon instance which will be part of every JSON message.\n"
 "\t \tThis value is required for correct flow handling of multiple instances and should be unique.\n"
 "\t \tDefaults to your hostname.\n"
 "\t-o\t(Carefully) Tune some daemon options. See subopts below.\n\n";
 
- while ((opt = getopt(argc, argv, "hi:IEB:lc:dp:u:g:P:C:a:o:")) != -1)
+ while ((opt = getopt(argc, argv, "hi:IEB:lc:dp:u:g:P:C:J:S:a:o:")) != -1)
 {
 switch (opt)
 {
@@ -2715,6 +2729,12 @@ static int parse_options(int argc, char ** argv)
 case 'C':
 custom_categories_file = strdup(optarg);
 break;
+ case 'J':
+ custom_ja3_file = strdup(optarg);
+ break;
+ case 'S':
+ custom_sha1_file = strdup(optarg);
+ break;
 case 'a':
 instance_alias = strdup(optarg);
 break;