Add generic functions for configuration
TODO
IvanNardi committed Jul 31, 2023
1 parent 5019022 commit 02ce999
Showing 6 changed files with 345 additions and 119 deletions.
90 changes: 88 additions & 2 deletions example/ndpiReader.c
Expand Up @@ -93,6 +93,16 @@ u_int8_t enable_protocol_guess = 1, enable_payload_analyzer = 0, num_bin_cluster
u_int8_t verbose = 0, enable_flow_stats = 0;
int stun_monitoring_pkts_to_process = -1; /* Default */
int stun_monitoring_flags = -1; /* Default */

struct proto_cfg {
char *proto;
char *param;
char *value;
};
#define MAX_NUM_PROTO_CFGS 16
static struct proto_cfg proto_cfgs[MAX_NUM_PROTO_CFGS];
static int num_proto_cfgs = 0;

int nDPI_LogLevel = 0;
char *_debug_protocols = NULL;
char *_disabled_protocols = NULL;
Expand Down Expand Up @@ -572,6 +582,7 @@ static void help(u_int long_help) {
" --lru-cache-ttl=NAME:size | Specify the TTL [in seconds] for this LRU cache (0 to disable it). This flag can be used multiple times\n"
" --stun-monitoring=<pkts>:<flags> | Configure STUN monitoring: keep monitoring STUN session for <pkts> more pkts looking for RTP\n"
" | (0:0 to disable the feature); set the specified features in <flags>\n"
" --proto-cfg=proto,param,value | Configure the specific attribute of this protocol\n"
,
human_readeable_string_len,
min_pattern_len, max_pattern_len, max_num_packets_per_flow, max_packet_payload_dissection,
Expand Down Expand Up @@ -627,6 +638,8 @@ static void help(u_int long_help) {

#define OPTLONG_VALUE_STUN_MONITORING 2000

#define OPTLONG_VALUE_PROTO_CFG 3000

static struct option longopts[] = {
/* mandatory extcap options */
{ "extcap-interfaces", no_argument, NULL, '0'},
Expand Down Expand Up @@ -671,6 +684,8 @@ static struct option longopts[] = {
{ "lru-cache-ttl", required_argument, NULL, OPTLONG_VALUE_LRU_CACHE_TTL},
{ "stun-monitoring", required_argument, NULL, OPTLONG_VALUE_STUN_MONITORING},

{ "proto-cfg", required_argument, NULL, OPTLONG_VALUE_PROTO_CFG},

{0, 0, 0, 0}
};

Expand Down Expand Up @@ -927,6 +942,37 @@ static int parse_two_unsigned_integer(char *param, u_int32_t *num1, u_int32_t *n
return -1;
}

static int parse_three_strings(char *param, char **s1, char **s2, char **s3)
{
char *saveptr, *tmp_str, *s1_str, *s2_str, *s3_str;

tmp_str = ndpi_strdup(param);
if(tmp_str) {
s1_str = strtok_r(tmp_str, ",", &saveptr);
if(s1_str) {
s2_str = strtok_r(NULL, ",", &saveptr);
if(s2_str) {
s3_str = strtok_r(NULL, ",", &saveptr);
if(s3_str) {
*s1 = ndpi_strdup(s1_str);
*s2 = ndpi_strdup(s2_str);
*s3 = ndpi_strdup(s3_str);
ndpi_free(tmp_str);
if(!s1 || !s2 || !s3) {
ndpi_free(s1);
ndpi_free(s2);
ndpi_free(s3);
return -1;
}
return 0;
}
}
}
}
ndpi_free(tmp_str);
return -1;
}

/* ********************************** */

/**
Expand All @@ -945,6 +991,7 @@ static void parseOptions(int argc, char **argv) {
#endif
int cache_idx, cache_size, cache_ttl;
u_int32_t num_pkts, flags;
char *s1, *s2, *s3;

#ifdef USE_DPDK
{
Expand Down Expand Up @@ -1259,7 +1306,20 @@ static void parseOptions(int argc, char **argv) {
break;

case 'z':
init_prefs |= ndpi_enable_ja3_plus;
if(num_proto_cfgs < MAX_NUM_PROTO_CFGS) {
proto_cfgs[num_proto_cfgs].proto = ndpi_strdup("tls");
proto_cfgs[num_proto_cfgs].param = ndpi_strdup("ja3_plus.enable");
proto_cfgs[num_proto_cfgs].value = ndpi_strdup("1");
if(proto_cfgs[num_proto_cfgs].proto &&
proto_cfgs[num_proto_cfgs].param &&
proto_cfgs[num_proto_cfgs].value) {
num_proto_cfgs++;
} else {
ndpi_free(proto_cfgs[num_proto_cfgs].proto);
ndpi_free(proto_cfgs[num_proto_cfgs].param);
ndpi_free(proto_cfgs[num_proto_cfgs].value);
}
}
break;

case OPTLONG_VALUE_LRU_CACHE_SIZE:
Expand Down Expand Up @@ -1287,6 +1347,18 @@ static void parseOptions(int argc, char **argv) {
stun_monitoring_flags = flags;
break;

case OPTLONG_VALUE_PROTO_CFG:
if(num_proto_cfgs >= MAX_NUM_PROTO_CFGS ||
parse_three_strings(optarg, &s1, &s2, &s3) == -1) {
printf("Invalid parameter [%s] [num:%d/%d]\n", optarg, num_proto_cfgs, MAX_NUM_PROTO_CFGS);
exit(1);
}
proto_cfgs[num_proto_cfgs].proto = s1;
proto_cfgs[num_proto_cfgs].param = s2;
proto_cfgs[num_proto_cfgs].value = s3;
num_proto_cfgs++;
break;

default:
#ifdef DEBUG_TRACE
if(trace) fprintf(trace, " #### Unknown option -%c: skipping it #### \n", opt);
Expand Down Expand Up @@ -2626,7 +2698,7 @@ static void debug_printf(u_int32_t protocol, void *id_struct,
static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) {
NDPI_PROTOCOL_BITMASK enabled_bitmask;
struct ndpi_workflow_prefs prefs;
int i;
int i, rc;

memset(&prefs, 0, sizeof(prefs));
prefs.decode_tunnels = decode_tunnels;
Expand Down Expand Up @@ -2701,6 +2773,14 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) {
ndpi_set_protocol_aggressiveness(ndpi_thread_info[thread_id].workflow->ndpi_struct, i, aggressiveness[i]);
}

for(i = 0; i < num_proto_cfgs; i++) {
rc = ndpi_set_proto_config(ndpi_thread_info[thread_id].workflow->ndpi_struct,
proto_cfgs[i].proto, proto_cfgs[i].param, proto_cfgs[i].value);
if (rc != 0)
fprintf(stderr, "Error setting config [%s][%s][%s]: %d\n",
proto_cfgs[i].proto, proto_cfgs[i].param, proto_cfgs[i].value, rc);
}

if(stun_monitoring_pkts_to_process != -1 &&
stun_monitoring_flags != -1)
ndpi_set_monitoring_state(ndpi_thread_info[thread_id].workflow->ndpi_struct, NDPI_PROTOCOL_STUN,
Expand Down Expand Up @@ -5522,6 +5602,12 @@ int main(int argc, char **argv) {
ndpi_free(_debug_protocols);
ndpi_free(_disabled_protocols);

for(i = 0; i < num_proto_cfgs; i++) {
ndpi_free(proto_cfgs[i].proto);
ndpi_free(proto_cfgs[i].param);
ndpi_free(proto_cfgs[i].value);
}

#ifdef DEBUG_TRACE
if(trace) fclose(trace);
#endif
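Review bot: In parse_three_strings the failure check `if(!s1 || !s2 || !s3)` tests the out-pointer parameters, which the caller always passes as valid addresses, rather than the three ndpi_strdup results, so an allocation failure is never detected and NULL strings are stored into proto_cfgs. Had the branch ever been taken, `ndpi_free(s1)` would hand the address of the caller's local `char *s1` to the allocator instead of the duplicated string. The check and the three frees should dereference the out-pointers, and clearing them afterwards keeps the caller from holding dangling pointers. Separately, because strtok_r collapses consecutive separators, an argument such as `tls,,1` and any extra trailing fields are accepted silently, which may or may not be intended for a user-supplied option.
```c
static int parse_three_strings(char *param, char **s1, char **s2, char **s3)
/* … unchanged: strdup of param and the three strtok_r calls … */
                *s1 = ndpi_strdup(s1_str);
                *s2 = ndpi_strdup(s2_str);
                *s3 = ndpi_strdup(s3_str);
                ndpi_free(tmp_str);
                /* Check the duplicated strings, not the out-pointers */
                if(!*s1 || !*s2 || !*s3) {
                    ndpi_free(*s1);
                    ndpi_free(*s2);
                    ndpi_free(*s3);
                    *s1 = *s2 = *s3 = NULL;
                    return -1;
                }
                return 0;
/* … unchanged: closing braces, final ndpi_free(tmp_str) and return -1 … */
```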
2 changes: 1 addition & 1 deletion fuzz/fuzz_common_code.c
Expand Up @@ -36,7 +36,7 @@ void fuzz_set_alloc_callbacks_and_seed(int seed)

void fuzz_init_detection_module(struct ndpi_detection_module_struct **ndpi_info_mod)
{
ndpi_init_prefs prefs = ndpi_enable_ja3_plus;
ndpi_init_prefs prefs = 0;
NDPI_PROTOCOL_BITMASK all;
NDPI_PROTOCOL_BITMASK debug_bitmask;

4 changes: 3 additions & 1 deletion fuzz/fuzz_ndpi_reader.c
Expand Up @@ -18,7 +18,7 @@ u_int8_t enable_protocol_guess = 1, enable_payload_analyzer = 0;
u_int8_t enable_flow_stats = 1;
u_int8_t human_readeable_string_len = 5;
u_int8_t max_num_udp_dissected_pkts = 16 /* 8 is enough for most protocols, Signal requires more */, max_num_tcp_dissected_pkts = 80 /* due to telnet */;
ndpi_init_prefs init_prefs = ndpi_track_flow_payload | ndpi_enable_ja3_plus | ndpi_enable_tcp_ack_payload_heuristic;
ndpi_init_prefs init_prefs = ndpi_track_flow_payload | ndpi_enable_tcp_ack_payload_heuristic;
int enable_malloc_bins = 1;
int malloc_size_stats = 0;
int max_malloc_bins = 14;
Expand Down Expand Up @@ -87,6 +87,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
ndpi_set_monitoring_state(workflow->ndpi_struct, NDPI_PROTOCOL_STUN,
10, NDPI_MONITORING_STUN_SUBCLASSIFIED);

ndpi_set_proto_config(workflow->ndpi_struct, "tls", "ja3_plus.enable", "1");

memset(workflow->stats.protocol_counter, 0,
sizeof(workflow->stats.protocol_counter));
memset(workflow->stats.protocol_counter_bytes, 0,
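Review bot: The return value of the added `ndpi_set_proto_config(workflow->ndpi_struct, "tls", "ja3_plus.enable", "1");` call is discarded, so if the parameter name or value is rejected the harness silently fuzzes with JA3+ disabled instead of failing, whereas ndpiReader.c in this same commit checks `rc != 0` and reports the error. In a fuzz harness a rejected configuration should be loud, for example `if(ndpi_set_proto_config(workflow->ndpi_struct, "tls", "ja3_plus.enable", "1") != 0) abort();`, so that the configuration path itself is covered. LLVMFuzzerTestOneInput starts and ends outside the hunk.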
10 changes: 10 additions & 0 deletions src/include/ndpi_api.h
Expand Up @@ -2009,6 +2009,16 @@ extern "C" {
*/
void *ndpi_get_user_data(struct ndpi_detection_module_struct *ndpi_str);


int ndpi_set_proto_config(struct ndpi_detection_module_struct *ndpi_str,
const char *proto, const char *param, const char *value);
char *ndpi_get_proto_config(struct ndpi_detection_module_struct *ndpi_str,
const char *proto, const char *param);
int ndpi_set_config(struct ndpi_detection_module_struct *ndpi_str,
const char *param, const char *value);
char *ndpi_get_config(struct ndpi_detection_module_struct *ndpi_str,
const char *param);

#ifdef __cplusplus
}
#endif
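Review bot: The four new prototypes are added without the Doxygen block that the neighbouring declarations carry (the closing `*/` of ndpi_get_user_data's comment is visible just above them), which leaves two contracts undefined for API users: whether `ndpi_set_proto_config`/`ndpi_set_config` return 0 on success and non-zero otherwise (ndpiReader.c in this commit already relies on `rc != 0`), and whether the `char *` returned by `ndpi_get_proto_config`/`ndpi_get_config` is owned by the caller and must be ndpi_free'd or points into library-owned storage. The implementation is not in the sections shown here, so the ownership answer has to come from the library source; a comment such as `/** Set one configuration parameter of a protocol. Returns 0 on success, non-zero if proto/param is unknown or value is invalid. */` on the setters, and a matching sentence on ownership and the NULL-on-error case for the getters, would close the gap.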
51 changes: 32 additions & 19 deletions src/include/ndpi_typedefs.h
Expand Up @@ -1194,13 +1194,42 @@ typedef struct {
} nbpf_filter;
#endif

struct ndpi_detection_module_config_struct {
/* IP lists */
char ip_list_amazonaws_enabled;
char ip_list_azure_enabled;
char ip_list_cachefly_enabled;
char ip_list_cloudflare_enabled;
char ip_list_google_enabled;
char ip_list_googlecloud_enabled;
char ip_list_microsoft_enabled;
char ip_list_mining_enabled;
char ip_list_protonvpn_enabled;
char ip_list_tor_enabled;
char ip_list_whatsapp_enabled;
char ip_list_zoom_enabled;

char asn_lists_enabled;

char risk_anonymous_subscriber_list_icloudprivaterelay_enabled;
char risk_anonymous_subscriber_list_protonvpn_enabled;
char risk_crawler_bot_list_enabled;

/* Domain lists */
char domain_list_gambling_enabled;

/* TLS */
char sha1_fingerprint_enabled;
char ja3_plus_enabled;
};

struct ndpi_detection_module_struct {
NDPI_PROTOCOL_BITMASK detection_bitmask;

u_int64_t current_ts;
u_int16_t max_packets_to_process;
u_int16_t num_tls_blocks_to_follow;
u_int8_t skip_tls_blocks_until_change_cipher:1, enable_ja3_plus:1, enable_load_gambling_list:1, _notused:5;
u_int8_t skip_tls_blocks_until_change_cipher:1, enable_ja3_plus:1, _notused:6;
u_int8_t tls_certificate_expire_in_x_days;

void *user_data;
Expand Down Expand Up @@ -1269,6 +1298,8 @@ struct ndpi_detection_module_struct {

u_int8_t ip_version_limit;

struct ndpi_detection_module_config_struct cfg;

/* NDPI_PROTOCOL_TINC */
struct cache *tinc_cache;

Expand Down Expand Up @@ -1726,22 +1757,8 @@ typedef u_int32_t ndpi_init_prefs;

typedef enum {
ndpi_no_prefs = 0,
ndpi_dont_load_tor_list = (1 << 0),
ndpi_dont_init_libgcrypt = (1 << 1),
ndpi_enable_ja3_plus = (1 << 2),
ndpi_dont_load_azure_list = (1 << 3),
ndpi_dont_load_whatsapp_list = (1 << 4),
ndpi_dont_load_amazon_aws_list = (1 << 5),
ndpi_dont_load_ethereum_list = (1 << 6),
ndpi_dont_load_zoom_list = (1 << 7),
ndpi_dont_load_cloudflare_list = (1 << 8),
ndpi_dont_load_microsoft_list = (1 << 9),
ndpi_dont_load_google_list = (1 << 10),
ndpi_dont_load_google_cloud_list = (1 << 11),
ndpi_dont_load_asn_lists = (1 << 12),
ndpi_dont_load_icloud_private_relay_list = (1 << 13),
ndpi_dont_init_risk_ptree = (1 << 14),
ndpi_dont_load_cachefly_list = (1 << 15),
ndpi_track_flow_payload = (1 << 16),
/* In some networks, there are some anomalous TCP flows where
the smallest ACK packets have some kind of zero padding.
Expand All @@ -1754,15 +1771,11 @@ typedef enum {
correct detection/classification.
See #1946 for other details */
ndpi_enable_tcp_ack_payload_heuristic = (1 << 17),
ndpi_dont_load_crawlers_list = (1 << 18),
ndpi_dont_load_protonvpn_list = (1 << 19),
ndpi_dont_load_gambling_list = (1 << 20),
/* Heuristic to detect fully encrypted sessions, i.e. flows where every bytes of
the payload is encrypted in an attempt to “look like nothing”.
This heuristic only analyzes the first packet of the flow.
See: https://www.usenix.org/system/files/sec23fall-prepub-234-wu-mingshi.pdf */
ndpi_disable_fully_encrypted_heuristic = (1 << 21),
ndpi_dont_load_protonvpn_exit_nodes_list = (1 << 22),
} ndpi_prefs;

typedef struct {
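Review bot: `struct ndpi_detection_module_config_struct` goes into the public header with plain `char` flags but no statement of their value domain or of how they are meant to be set; both callers in this commit pass the string "1", so a leading comment such as `/* Each *_enabled flag holds 0 (disabled) or 1 (enabled); set it through ndpi_set_config()/ndpi_set_proto_config() rather than by writing the field directly */` would fix the convention. The `enable_ja3_plus:1` bit in ndpi_detection_module_struct survives next to the new `cfg.ja3_plus_enabled`, which looks like two sources of truth for the same switch unless one is derived from the other in code outside this page. Removing 19 enumerators from the public `ndpi_prefs` enum is a source-compatibility break for downstream users that the commit description ("TODO") does not mention; a changelog line listing the removed values and the parameter names that replace them would help anyone whose build stops compiling.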