From 915ffebade2c8bb901cd1b273901a40f47583002 Mon Sep 17 00:00:00 2001 From: Toni Date: Mon, 9 May 2022 08:16:19 +0200 Subject: [PATCH] Added Softether(-VPN) DDNS service detection. (#1544) Signed-off-by: lns --- src/include/ndpi_protocol_ids.h | 1 + src/lib/ndpi_content_match.c.inc | 3 +++ src/lib/ndpi_main.c | 4 ++++ tests/pcap/softether-http.pcap | Bin 0 -> 1480 bytes tests/result/softether-http.pcap.out | 8 ++++++++ tests/result/synscan.pcap.out | 4 ++-- 6 files changed, 18 insertions(+), 2 deletions(-) create mode 100644 tests/pcap/softether-http.pcap create mode 100644 tests/result/softether-http.pcap.out diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index 0f7122d68..540c90dd1 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h @@ -318,6 +318,7 @@ typedef enum { NDPI_PROTOCOL_XIAOMI = 287, NDPI_PROTOCOL_EDGECAST = 288, NDPI_PROTOCOL_CACHEFLY = 289, + NDPI_PROTOCOL_SOFTETHER = 290, #ifdef CUSTOM_NDPI_PROTOCOLS #include "../../../nDPI-custom/custom_ndpi_protocol_ids.h" diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index 68a552ea7..2e3a7d09c 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc @@ -1639,6 +1639,9 @@ static ndpi_protocol_match host_match[] = { "mi.com", "Xiaomi", NDPI_PROTOCOL_XIAOMI, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL }, { "miui.com", "Xiaomi", NDPI_PROTOCOL_XIAOMI, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL }, + { "softether.org", "Softether", NDPI_PROTOCOL_SOFTETHER, NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL }, + { "softether-network.net", "Softether", NDPI_PROTOCOL_SOFTETHER, NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL }, + #ifdef CUSTOM_NDPI_PROTOCOLS #include "../../../nDPI-custom/custom_ndpi_content_match_host_match.c.inc" #endif diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 0aa430a5c..6990308c6 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1887,6 +1887,10 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp "Cachefly", NDPI_PROTOCOL_CATEGORY_CLOUD, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); + ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SOFTETHER, + "Softether", NDPI_PROTOCOL_CATEGORY_VPN, + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); #ifdef CUSTOM_NDPI_PROTOCOLS #include "../../../nDPI-custom/custom_ndpi_main.c" diff --git a/tests/pcap/softether-http.pcap b/tests/pcap/softether-http.pcap new file mode 100644 index 0000000000000000000000000000000000000000..d6d95987df9e3c5699a2589ae42a68c36ce1d407 GIT binary patch literal 1480 zcmZvayN}~U9LK#$ZnZ=TAQ~cQTu|HT5jYSkAJ`Ke16{<&yU}K z^;wKa5WAKj_TUGV{#ieM_#$x%=cunge(*-(@=o!mhxy9`;)EdHO#gaJ+}gi*`rYR- z^PT&R%-wUM^}-hy$52dM#{PVIu}=`O#I*;B*g^7+{qEN&z88=0XCe8q8-GTQm=QlB zzy10#;qSlp1EL~2(Yky7%ZKGpAziq9g(Pw>Ve*%dc7W*D9=*z<3W)qDh!bU43HASZ z=F-1m&wpI;EI|6b^OxgKKKcuK+(Ulf`vy_}CEkMvg!)xt;{EjRi1@+%=MvNLC!eU# zh~FY&t9iRiW=+#w;DOQ?{`%JPh-Z0*&EG5(xgwj-6?r;GleKQQm1QU8J(U!7V+t~&=Z1l2mq^#k7$^c0p6dc5oOy1EYyjYA1beoO;vsM$2Dp=O zS|V?<92VnXcjH5@?)&!4(9zoLIGGi}rGG~DeT*EVgnM&5YMOY%&GzA|MEGf?i zF0}x`5(Enh?TcD?;}C>X5M*2suDoDQ!FMXTvr;0%nFGAD@QBGDl8(MUV)#_D73dR3 z|L;b65StMu&~u5Dz3t4l^=zJ^$?N@@YkI2%sdUK#l{+N+&3=J9B!gv%JL({00;mh7k(1$(Or2KZk z@>>IIu>j=-p$&Uki}JbhW|ZqJhb+Gs8wiY18gG7?Boj8u)JeRP$Q|ENPtFM1N$pWp$+hwI!fSJqta&D+X>z2 z8rzN~=ViLSl6%8-yI1EFYm#sGRI$A^xb|F?6l+?MD??7M%+dPRNUCmOy^Z1Un*nRD zOlxNdp9NAqS2v6@Xv9mfM|sqTdz9=mP2~e^fNO|Yh&195!fJBS#&NoNB0DIRhc5tw#7*&85M@ z`VPJdxHR%tDdQh48@1D=R#Ppr%5TjYKEs_qf$5G|jqVIOo;IjYy3iQ{h_1SY`Z<&(4j6CfAjaWOiHP*&wToZ2B{<*0%ThtnAvrwFZq1bH9UHOJF N9WJ`IJ(o1@`rqPF!Giz* literal 0 HcmV?d00001 diff --git a/tests/result/softether-http.pcap.out b/tests/result/softether-http.pcap.out new file mode 100644 index 000000000..d307499a8 --- /dev/null +++ b/tests/result/softether-http.pcap.out @@ -0,0 +1,8 @@ +Guessed flow protos: 1 + +DPI Packets (TCP): 4 (4.00 pkts/flow) +Confidence DPI : 1 (flows) + +Softether 4 1392 1 + + 1 TCP 192.168.2.100:37504 <-> 130.158.75.45:80 [proto: 7.290/HTTP.Softether][ClearText][Confidence: DPI][cat: VPN/2][3 pkts/1318 bytes <-> 1 pkts/74 bytes][Goodput ratio: 84/0][0.26 sec][Hostname/SNI: x0.x0.dev.open.servers.ddns.softether-network.net][URL: x0.x0.dev.open.servers.ddns.softether-network.net/ddns/ddns.aspx?v=9291257684825389030][StatusCode: 0][Req Content-Type: application/x-www-form-urlencoded][User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0][PLAIN TEXT (POST /ddns/ddns.asp)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/synscan.pcap.out b/tests/result/synscan.pcap.out index 27def7b42..4e3d6d0ee 100644 --- a/tests/result/synscan.pcap.out +++ b/tests/result/synscan.pcap.out @@ -104,7 +104,7 @@ iSCSI 2 116 2 43 TCP 172.16.0.8:36050 -> 64.13.134.52:2605 [proto: 13/BGP][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 44 TCP 172.16.0.8:36050 -> 64.13.134.52:3000 [proto: 26/ntop][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 45 TCP 172.16.0.8:36050 -> 64.13.134.52:3128 [proto: 131/HTTP_Proxy][ClearText][Confidence: Match by port][cat: Web/5][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 46 TCP 172.16.0.8:36050 -> 64.13.134.52:3260 [proto: 290/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 46 TCP 172.16.0.8:36050 -> 64.13.134.52:3260 [proto: 291/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 47 TCP 172.16.0.8:36050 -> 64.13.134.52:3306 [proto: 20/MySQL][ClearText][Confidence: Match by port][cat: Database/11][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 48 TCP 172.16.0.8:36050 -> 64.13.134.52:3389 [proto: 88/RDP][ClearText][Confidence: Match by port][cat: RemoteAccess/12][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Desktop/File Sharing **][Risk Score: 10][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 49 TCP 172.16.0.8:36050 -> 64.13.134.52:4343 [proto: 170/Whois-DAS][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] @@ -165,7 +165,7 @@ iSCSI 2 116 2 104 TCP 172.16.0.8:36051 -> 64.13.134.52:2605 [proto: 13/BGP][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 105 TCP 172.16.0.8:36051 -> 64.13.134.52:3000 [proto: 26/ntop][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 106 TCP 172.16.0.8:36051 -> 64.13.134.52:3128 [proto: 131/HTTP_Proxy][ClearText][Confidence: Match by port][cat: Web/5][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 107 TCP 172.16.0.8:36051 -> 64.13.134.52:3260 [proto: 290/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 107 TCP 172.16.0.8:36051 -> 64.13.134.52:3260 [proto: 291/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 108 TCP 172.16.0.8:36051 -> 64.13.134.52:3306 [proto: 20/MySQL][ClearText][Confidence: Match by port][cat: Database/11][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 109 TCP 172.16.0.8:36051 -> 64.13.134.52:3389 [proto: 88/RDP][ClearText][Confidence: Match by port][cat: RemoteAccess/12][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Desktop/File Sharing **][Risk Score: 10][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 110 TCP 172.16.0.8:36051 -> 64.13.134.52:4343 [proto: 170/Whois-DAS][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]