From 6401c91f2a2cfe492fefa353ea347ddfe35f249c Mon Sep 17 00:00:00 2001
From: Zied Aouini
Date: Fri, 7 Jan 2022 16:29:07 +0100
Subject: [PATCH] nDPI sync.

---
 nfstream/engine/engine.py | 35 +++++++++++++----------------------
 1 file changed, 13 insertions(+), 22 deletions(-)

diff --git a/nfstream/engine/engine.py b/nfstream/engine/engine.py
index 565e8be..f56c4f9 100644
--- a/nfstream/engine/engine.py
+++ b/nfstream/engine/engine.py
@@ -228,6 +228,7 @@ typedef enum {
 NDPI_DNS_LARGE_PACKET,
 NDPI_DNS_FRAGMENTED,
 NDPI_INVALID_CHARACTERS,
+ NDPI_POSSIBLE_EXPLOIT,
 NDPI_MAX_RISK
 } ndpi_risk_enum;
@@ -296,8 +297,6 @@ struct ndpi_id_struct {
 uint32_t last_time_port_used[NDPI_PROTOCOL_IRC_MAXPORT];
 uint32_t irc_ts;
 uint32_t gnutella_ts;
- uint32_t thunder_ts;
- uint32_t zattoo_ts;
 uint32_t jabber_stun_or_ft_ts;
 uint32_t directconnect_last_safe_access_time;
 uint16_t detected_directconnect_port;
@@ -313,16 +312,19 @@ struct ndpi_id_struct {
 typedef struct message {
 uint8_t *buffer;
- unsigned buffer_len, buffer_used, max_expected;
+ unsigned buffer_len, buffer_used;
 uint32_t next_seq[2];
 } message_t;
 struct ndpi_flow_tcp_struct {
+ struct {
+ uint8_t auth_found:1, auth_failed:1, auth_tls:1, auth_done:1, _pad:4;
+ char username[32], password[16];
+ } ftp_imap_pop_smtp;
 uint16_t smtp_command_bitmask;
 uint16_t pop_command_bitmask;
 uint8_t wa_matched_so_far;
 uint8_t irc_stage;
- uint8_t irc_port;
 uint8_t h323_valid_packets;
 uint8_t gnutella_msg_id[3];
 uint32_t irc_3a_counter:3;
@@ -578,9 +580,6 @@ struct ndpi_detection_module_struct {
 void *protocols_ptree;
 uint32_t irc_timeout;
 uint32_t gnutella_timeout;
- uint32_t thunder_timeout;
- uint32_t orb_rstp_ts_timeout;
- uint32_t zattoo_connection_timeout;
 uint32_t jabber_stun_timeout;
 uint32_t jabber_file_transfer_timeout;
 uint8_t ip_version_limit;
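Review bot: `NDPI_POSSIBLE_EXPLOIT` is inserted immediately before `NDPI_MAX_RISK`, so it takes a new risk bit index, and if the Python side keeps a table translating risk bits to names that table needs a matching entry or the new risk will surface unlabelled or misnamed; the hunk does not show one. A comment on the added line such as `/* nDPI risk added in this sync; keep the risk-name table in step */` would remind the next sync. The enum's opening line is outside the hunk.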
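Review bot: The `ftp_imap_pop_smtp` block added to `struct ndpi_flow_tcp_struct` holds credentials parsed from cleartext FTP/IMAP/POP/SMTP sessions in `char username[32], password[16]`, and nothing in the hunk marks them as sensitive; the same fields previously lived at flow level as `uint8_t` arrays (removed in the @@ -650 hunk), so a Python-side reader now sees `char` rather than `uint8_t` storage. I would add a comment above the nested struct, `/* cleartext credentials captured from the session; do not log or export by default */`, and make sure whatever reads these fields bounds the read to the array size rather than assuming a terminator, since the hunk does not show one being guaranteed. `struct ndpi_flow_tcp_struct` continues outside the hunk.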
@@ -635,12 +634,11 @@ struct ndpi_flow_struct {
 ndpi_risk risk; /* Issues found with this flow [bitmask of ndpi_risk] */
 struct {
 ndpi_http_method method;
- char *url, *content_type /* response */, *request_content_type /* e.g. for POST */, *user_agent;
- uint8_t num_request_headers, num_response_headers;
- uint8_t request_version; /* 0=1.0 and 1=1.1. Create an enum for this? */
- uint16_t response_status_code; /* 200, 404, etc. */
- uint8_t detected_os[32]; /* Via HTTP/QUIC User-Agent */
- uint8_t nat_ip[24]; /* Via HTTP X-Forwarded-For */
+ uint8_t request_version;
+ uint16_t response_status_code;
+ char *url, *content_type, *request_content_type, *user_agent;
+ char *detected_os;
+ char *nat_ip;
 } http;
 struct {
 char *pktbuf;
@@ -650,13 +648,6 @@ struct ndpi_flow_struct {
 uint8_t num_udp_pkts, num_binding_requests;
 uint16_t num_processed_pkts;
 } stun;
- struct {
- uint8_t auth_found:1, auth_failed:1, auth_tls:1, auth_done:1, _pad:4;
- uint8_t username[32], password[16];
- } ftp_imap_pop_smtp;
- struct {
- uint8_t bt_check_performed;
- } bittorrent;
 union {
 struct {
 uint8_t num_queries, num_answers, reply_code, is_query;
@@ -671,8 +662,6 @@ struct ndpi_flow_struct {
 char hostname[48], domain[48], username[48];
 } kerberos;
 struct {
- char ssl_version_str[12];
- uint16_t ssl_version, server_names_len;
 char *server_names, *alpn, *tls_supported_versions, *issuerDN, *subjectDN;
 uint32_t notBefore, notAfter;
 char ja3_client[33], ja3_server[33];
@@ -680,6 +669,7 @@ struct ndpi_flow_struct {
 uint8_t sha1_certificate_fingerprint[20];
 uint8_t hello_processed:1, subprotocol_detected:1, _pad:6;
 struct tls_heuristics browser_heuristics;
+ uint16_t ssl_version, server_names_len;
 struct {
 uint16_t cipher_suite;
 char *esni;
@@ -716,6 +706,7 @@ struct ndpi_flow_struct {
 uint16_t packet_direction_counter[2];
 uint16_t byte_counter[2];
 uint8_t bittorrent_stage;
+ uint8_t bt_check_performed:1;
 uint8_t directconnect_stage:2;
 uint8_t http_detected:1;
 uint8_t rtsprdt_stage:2;
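Review bot: `detected_os` and `nat_ip` change from fixed inline arrays (`uint8_t detected_os[32]`, `uint8_t nat_ip[24]`) to `char *` pointers in the `http` struct, so they can now be NULL for flows where nDPI never populated them, and a reader that previously copied the inline bytes unconditionally must test the pointer before dereferencing (before any `ffi.string()` call on the Python side, if that is how these are consumed). The hunk also drops the explanatory comments that the old fields carried; a short `/* heap strings owned by nDPI; may be NULL */` on the new pointer lines would document both points. `struct ndpi_flow_struct` begins and ends outside the hunk.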
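Review bot: Neither this hunk nor the commit message records which nDPI release or commit the cdef now mirrors, and every hunk in the patch (@@ -296, @@ -313, @@ -578, @@ -635, @@ -650, @@ -671, @@ -680 and this one) changes field order or types that have to match the linked library byte for byte; a mismatch is unlikely to be caught before runtime and would show up as silently wrong flow attributes rather than an error. `bt_check_performed:1` here lands in the bit-field run ahead of `directconnect_stage:2`, which is exactly the kind of placement that depends on the upstream layout. I would add a comment at the top of the struct declarations naming the upstream version, e.g. `/* mirrors nDPI <upstream commit or tag> -- keep field order identical */`, with the value taken from the upstream tree. `struct ndpi_flow_struct` continues outside the hunk.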