From 7f648c07616ee34aaec142a8dafada4fa2611ecb Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Wed, 5 Oct 2022 18:18:15 +0200 Subject: [PATCH] Added blacklist name to info stored in hosts --- include/Host.h | 3 ++- scripts/lua/host_details.lua | 9 ++++++++- src/Flow.cpp | 32 +++++++++++++++++++++++++------- src/Host.cpp | 12 ++++++++++++ 4 files changed, 47 insertions(+), 9 deletions(-) diff --git a/include/Host.h b/include/Host.h index 01ee979eca..428bfc3389 100644 --- a/include/Host.h +++ b/include/Host.h @@ -30,7 +30,7 @@ class Host : public GenericHashEntry, public HostAlertableEntity, public Score, protected: IpAddress ip; Mac *mac; - char *asname; + char *asname, *blacklist_name; struct { Fingerprint ja3; @@ -590,6 +590,7 @@ class Host : public GenericHashEntry, public HostAlertableEntity, public Score, } inline HostStats* getStats() { return(stats); } + void setBlacklistName(char*); }; #endif /* _HOST_H_ */ diff --git a/scripts/lua/host_details.lua b/scripts/lua/host_details.lua index 4e804aa091..2e24290ce0 100644 --- a/scripts/lua/host_details.lua +++ b/scripts/lua/host_details.lua @@ -653,7 +653,14 @@ else if(host["dhcp_server"] == true) then print(' '..i18n("details.label_dhcp_server")..'') end if(host["systemhost"] == true) then print(' ') end - if(host["is_blacklisted"] == true) then print(' '..i18n("details.label_blacklisted_host")..'') end + if(host["is_blacklisted"] == true) then + print(' '..i18n("details.label_blacklisted_host")) + + if(host.blacklist_name ~= nil) then print(' ('.. host.blacklist_name ..')') end + + print('') + end + if((host["privatehost"] == false) and (host["is_multicast"] == false) and (host["is_broadcast"] == false)) then print(' VirusTotal ') print(' GreyNoise ') diff --git a/src/Flow.cpp b/src/Flow.cpp index e0fafa9c57..9ce4f31dd0 100644 --- a/src/Flow.cpp +++ b/src/Flow.cpp 
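Review bot: `void setBlacklistName(char*);` takes a mutable pointer although the only thing the patch does with it is `strdup` (Host.cpp hunk @@ -2380), which forces every caller in Flow.cpp (hunks @@ -267 and @@ -865) to cast away const with `(char*)get_custom_category_file()`. Declaring it `void setBlacklistName(const char *name);` and matching the definition removes those casts and makes it impossible for the setter to ever write through the category-file string. A short comment on the declaration would also help, e.g. `/* Name of the blacklist (custom category file) this host was first matched by; set once, freed in ~Host */`. The class body continues outside the hunk.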
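Review bot: `host.blacklist_name` is concatenated straight into the page in `print(' ('.. host.blacklist_name ..')')` with no HTML escaping, unlike the neighbouring `i18n()` output. As far as the patch shows, the value originates from `get_custom_category_file()` on the C++ side, i.e. a file name chosen by whoever configures the custom category lists, so it is not remote input today, but it is still an arbitrary string echoed into HTML; passing it through the page's usual HTML-escaping helper before printing keeps the host-details page safe if that source ever becomes user-controlled. The enclosing `if ... else` block starts outside the hunk.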
@@ -139,7 +139,9 @@ Flow::Flow(NetworkInterface *_iface, lh->setRouterMac(_srv_mac); } } - } else { /* Client host has not been allocated, let's keep the info in an IpAddress */ + } else { + /* Client host has not been allocated, let's keep the info in an IpAddress */ + if((cli_ip_addr = new (std::nothrow) IpAddress(*_cli_ip))) cli_ip_addr->reloadBlacklist(iface->get_ndpi_struct()); } @@ -158,7 +160,9 @@ Flow::Flow(NetworkInterface *_iface, cli_host->get_country(country, sizeof(country)); if(country[0] != '\0') srv_host->incCountriesContacts(country); } - } else { /* Server host has not been allocated, let's keep the info in an IpAddress */ + } else { + /* Server host has not been allocated, let's keep the info in an IpAddress */ + if((srv_ip_addr = new (std::nothrow) IpAddress(*_srv_ip))) srv_ip_addr->reloadBlacklist(iface->get_ndpi_struct()); } @@ -169,7 +173,9 @@ Flow::Flow(NetworkInterface *_iface, && get_cli_ip_addr()->isIPv4() && get_srv_ip_addr()->isIPv4() /* IPv4 only */ && !get_srv_ip_addr()->isBroadcastAddress() /* Avoid 255.255.255.255 */) - getInterface()->updateBroadcastDomains(_vlanId, _cli_mac->get_mac(), _srv_mac->get_mac(), ntohl(_cli_ip->get_ipv4()), ntohl(_srv_ip->get_ipv4())); + getInterface()->updateBroadcastDomains(_vlanId, _cli_mac->get_mac(), + _srv_mac->get_mac(), ntohl(_cli_ip->get_ipv4()), + ntohl(_srv_ip->get_ipv4())); memset(&custom_app, 0, sizeof(custom_app)); @@ -180,7 +186,8 @@ Flow::Flow(NetworkInterface *_iface, if(hp) { if(cli_host) routing_table_id = hp->getRoutingPolicy(cli_host->get_host_pool()); - if(srv_host) routing_table_id = max_val(routing_table_id, hp->getRoutingPolicy(srv_host->get_host_pool())); + if(srv_host) routing_table_id = max_val(routing_table_id, + hp->getRoutingPolicy(srv_host->get_host_pool())); } #endif 
@@ -267,8 +274,10 @@ Flow::Flow(NetworkInterface *_iface, if(isBlacklistedClient()) { if(srv_host) srv_host->inc_num_blacklisted_flows(false); + cli_host->setBlacklistName((char*)get_custom_category_file()); } else if(isBlacklistedServer()) { if(cli_host) cli_host->inc_num_blacklisted_flows(true); + srv_host->setBlacklistName((char*)get_custom_category_file()); } iface->execFlowBeginChecks(this); @@ -865,9 +874,18 @@ void Flow::processPacket(const struct pcap_pkthdr *h, payload, payload_len, (struct timeval *)&h->ts); - if(detection_completed && (!needsExtraDissection())) { - setExtraDissectionCompleted(); - updateProtocol(proto_id); + if(detection_completed) { + if(!needsExtraDissection()) { + setExtraDissectionCompleted(); + updateProtocol(proto_id); + } + + if(get_custom_category_file()) { + if(isBlacklistedClient()) + cli_host->setBlacklistName((char*)get_custom_category_file()); + else if(isBlacklistedServer()) + srv_host->setBlacklistName((char*)get_custom_category_file()); + } } } diff --git a/src/Host.cpp b/src/Host.cpp index 65ad739c48..852fcb1559 100644 --- a/src/Host.cpp +++ b/src/Host.cpp @@ -91,6 +91,8 @@ Host::~Host() { if(listening_ports) delete listening_ports; if(listening_ports_shadow) delete listening_ports_shadow; #endif + + if(blacklist_name) free(blacklist_name); /* Pool counters are updated both in and outside the datapath. @@ -291,6 +293,7 @@ void Host::initialize(Mac *_mac, VLANid _vlanId, u_int16_t observation_point_id) is_in_broadcast_domain = iface->isLocalBroadcastDomainHost(this, true /* Inline call */); memset(&num_blacklisted_flows, 0, sizeof(num_blacklisted_flows)); + blacklist_name = NULL; } /* *************************************** */ 
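Review bot: `cli_host->setBlacklistName((char*)get_custom_category_file());` in the `isBlacklistedClient()` branch is called without a NULL check, while the line just above guards `srv_host` and the constructor's own hunks at @@ -139 / @@ -158 document that a client or server host may not have been allocated (the address is then kept in an IpAddress instead). Unless `isBlacklistedClient()` is guaranteed false whenever `cli_host` is NULL, which nothing in the patch shows, a blacklisted flow whose host object was not allocated dereferences NULL in the packet path; the same applies to `srv_host->setBlacklistName(...)` in the `isBlacklistedServer()` branch and to both calls added in the `processPacket` hunk @@ -865. Guard each call, e.g. `if(cli_host) cli_host->setBlacklistName((char*)get_custom_category_file());` and `if(srv_host) srv_host->setBlacklistName((char*)get_custom_category_file());`. Both `Flow::Flow` and `Flow::processPacket` continue outside their hunks.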
@@ -816,6 +819,9 @@ void Host::lua(lua_State* vm, AddressTree *ptree, if(device_ip != 0) lua_push_str_table_entry(vm, "device_ip", Utils::intoaV4(device_ip, buf, sizeof(buf))); + if(blacklist_name != NULL) + lua_push_str_table_entry(vm, "blacklist_name", blacklist_name); + if(more_then_one_device) lua_push_bool_table_entry(vm, "more_then_one_device", more_then_one_device); @@ -2380,3 +2386,9 @@ void Host::setPopServer(char *name) { } } +/* *************************************** */ + +void Host::setBlacklistName(char *name) { + if((blacklist_name == NULL) && (name != NULL)) + blacklist_name = strdup(name); +}
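Review bot: `Host::setBlacklistName` keeps only the first name it is given (the `blacklist_name == NULL` guard) and nothing in the patch ever clears or replaces it, so a host later matched by a different list keeps reporting the first list name through the `blacklist_name` entry pushed in the `Host::lua` hunk @@ -816 for its whole lifetime. If that is intended, state it above the function, e.g. `/* First blacklist match wins: the name is never updated or cleared once set */`; otherwise compare with `strcmp` and replace the string. The unchecked `strdup` result is harmless here (a failed allocation just leaves the member NULL) but deserves a one-line comment. It is also worth confirming whether `Host::lua` can run on a different thread from the packet path that calls the setter; if so, the pointer publish/read pair has no synchronisation, and the existing `asname` member is presumably the pattern to follow.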