
Commit c4c1844

Implemented nDPI server fingerprint (#3139)
1 parent 9294427 commit c4c1844

255 files changed

Lines changed: 1599 additions & 1462 deletions



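--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -2569,9 +2569,12 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
 fprintf(out, "[Risk Info: %s]", flow->risk_str);
 }
 
-if(flow->ndpi_fingerprint)
-fprintf(out, "[nDPI Fingerprint: %s]", flow->ndpi_fingerprint);
-
+if(flow->ndpi_client_fingerprint)
+fprintf(out, "[nDPI Cli Fingerprint: %s]", flow->ndpi_client_fingerprint);
+
+if(flow->ndpi_server_fingerprint)
+fprintf(out, "[nDPI Srv Fingerprint: %s]", flow->ndpi_server_fingerprint);
+
 if(flow->tcp_fingerprint)
 fprintf(out, "[TCP Fingerprint: %s]", flow->tcp_fingerprint);
 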

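--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -529,9 +529,14 @@ static void ndpi_free_flow_tls_data(struct ndpi_flow_info *flow) {
 flow->ssh_tls.ja4_client_raw = NULL;
 }
 
-if(flow->ndpi_fingerprint) {
-ndpi_free(flow->ndpi_fingerprint);
-flow->ndpi_fingerprint = NULL;
+if(flow->ndpi_client_fingerprint) {
+ndpi_free(flow->ndpi_client_fingerprint);
+flow->ndpi_client_fingerprint = NULL;
+}
+
+if(flow->ndpi_server_fingerprint) {
+ndpi_free(flow->ndpi_server_fingerprint);
+flow->ndpi_server_fingerprint = NULL;
 }
 
 if(flow->stun.mapped_address.aps) {
@@ -1550,8 +1555,11 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
 ndpi_snprintf(flow->ssh_tls.ja4_client, sizeof(flow->ssh_tls.ja4_client), "%s",
 flow->ndpi_flow->protos.tls_quic.ja4_client);
 
-if(flow->ndpi_flow->ndpi.fingerprint)
-flow->ndpi_fingerprint = ndpi_strdup(flow->ndpi_flow->ndpi.fingerprint);
+if(flow->ndpi_flow->ndpi.client_fingerprint)
+flow->ndpi_client_fingerprint = ndpi_strdup(flow->ndpi_flow->ndpi.client_fingerprint);
+
+if(flow->ndpi_flow->ndpi.server_fingerprint)
+flow->ndpi_server_fingerprint = ndpi_strdup(flow->ndpi_flow->ndpi.server_fingerprint);
 
 if(flow->ndpi_flow->protos.tls_quic.ja4_client_raw)
 flow->ssh_tls.ja4_client_raw = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.ja4_client_raw);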

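--- a/example/reader_util.h
+++ b/example/reader_util.h
@@ -352,7 +352,7 @@ typedef struct ndpi_flow_info {
 u_int8_t multimedia_flow_types;
 
 void *src_id, *dst_id;
-char *tcp_fingerprint, *ndpi_fingerprint;
+char *tcp_fingerprint, *ndpi_client_fingerprint, *ndpi_server_fingerprint;
 struct ndpi_entropy *entropy;
 struct ndpi_entropy *last_entropy;
 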

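--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1661,7 +1661,7 @@ struct ndpi_flow_struct {
 } tcp;
 
 struct {
-char *fingerprint;
+char *client_fingerprint, *server_fingerprint;
 } ndpi;
 
 /*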

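--- a/src/lib/ndpi_fingerprint.c
+++ b/src/lib/ndpi_fingerprint.c
@@ -241,7 +241,7 @@ u_int64_t ndpi_compare_flow_tls_blocks(struct ndpi_detection_module_struct *ndpi
 char* ndpi_compute_ndpi_flow_fingerprint(struct ndpi_detection_module_struct *ndpi_str,
 struct ndpi_flow_struct *flow) {
 if(ndpi_str->cfg.ndpi_fingerprint_enabled &&
-(flow->ndpi.fingerprint == NULL) &&
+(flow->ndpi.client_fingerprint == NULL) &&
 ndpi_stack_is_tls_like(&flow->protocol_stack) &&
 /*
 We need TCP & TLS handshake. What should we do if we don't have them?
@@ -304,16 +304,16 @@ char* ndpi_compute_ndpi_flow_fingerprint(struct ndpi_detection_module_struct *nd
 sha_hash[12], sha_hash[13], sha_hash[14], sha_hash[15]
 );
 
-flow->ndpi.fingerprint = ndpi_strdup((char*)fp_buf);
+flow->ndpi.client_fingerprint = ndpi_strdup((char*)fp_buf);
 
-if((flow->ndpi.fingerprint != NULL)
+if((flow->ndpi.client_fingerprint != NULL)
 && (ndpi_str->ndpifp_custom_protos != NULL)) {
 u_int64_t proto_id;
 ndpi_list *extra_data = NULL;
 
 /* This protocol has been defined in protos.txt-like files */
 if(ndpi_hash_find_entry_extra(ndpi_str->ndpifp_custom_protos,
-flow->ndpi.fingerprint, strlen(flow->ndpi.fingerprint),
+flow->ndpi.client_fingerprint, strlen(flow->ndpi.client_fingerprint),
 &proto_id, &extra_data) == 0) {
 
 proto_id = ndpi_compare_flow_tls_blocks(ndpi_str, flow, extra_data, proto_id);
@@ -331,5 +331,5 @@ char* ndpi_compute_ndpi_flow_fingerprint(struct ndpi_detection_module_struct *nd
 }
 }
 
-return(flow->ndpi.fingerprint);
+return(flow->ndpi.client_fingerprint);
 }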

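--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -8035,8 +8035,11 @@ void ndpi_free_flow_data(struct ndpi_flow_struct* flow) {
 if(flow->tcp.fingerprint_raw)
 ndpi_free(flow->tcp.fingerprint_raw);
 
-if(flow->ndpi.fingerprint)
-ndpi_free(flow->ndpi.fingerprint);
+if(flow->ndpi.client_fingerprint)
+ndpi_free(flow->ndpi.client_fingerprint);
+
+if(flow->ndpi.server_fingerprint)
+ndpi_free(flow->ndpi.server_fingerprint);
 
 if(flow->http.url)
 ndpi_free(flow->http.url);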
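Review bot: The two new ndpi_free() calls release `flow->ndpi.client_fingerprint` and `flow->ndpi.server_fingerprint` but leave the pointers dangling, matching how `tcp.fingerprint_raw` is handled just above. If the flow struct can be touched again after ndpi_free_flow_data() returns (not visible from here), a later reader or a second call would hit a use-after-free or double free, so setting `flow->ndpi.client_fingerprint = NULL;` and `flow->ndpi.server_fingerprint = NULL;` after each free, as reader_util.c does for the mirrored fields, is cheap insurance. The rest of ndpi_free_flow_data() lies outside the hunk.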

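--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -2154,9 +2154,18 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct,
 if(flow->tcp.fingerprint_raw)
 ndpi_serialize_string_string(serializer, "tcp_fingerprint_raw", flow->tcp.fingerprint_raw);
 
-if(flow->ndpi.fingerprint)
-ndpi_serialize_string_string(serializer, "ndpi_fingerprint", flow->ndpi.fingerprint);
+if(flow->ndpi.client_fingerprint || flow->ndpi.server_fingerprint) {
+ndpi_serialize_start_of_block(serializer, "ndpi_fingerprint");
 
+if(flow->ndpi.client_fingerprint)
+ndpi_serialize_string_string(serializer, "client", flow->ndpi.client_fingerprint);
+
+if(flow->ndpi.server_fingerprint)
+ndpi_serialize_string_string(serializer, "server", flow->ndpi.server_fingerprint);
+
+ndpi_serialize_end_of_block(serializer);
+}
+
 ndpi_serialize_string_string(serializer, "proto",
 ndpi_get_ip_proto_name(l4_protocol,
 l4_proto_name, sizeof(l4_proto_name)));
@@ -4004,10 +4013,20 @@ int ndpi_snprintf(char * str, size_t size, char const * format, ...) {
 va_list va_args;
 
 va_start(va_args, format);
-int ret = ndpi_vsnprintf(str, size, format, va_args);
+int rc = ndpi_vsnprintf(str, size, format, va_args);
 va_end(va_args);
 
-return ret;
+/*
+ndpi_snprintf wraps standard snprintf, which returns the number of characters that would
+have been written (not the number actually written) when the output is truncated.
+So if rc >= size, only size - 1 characters were actually written, but tls_s_len is
+advanced by rc. This has two consequences:
+*/
+
+if(rc >= (int)size)
+rc = size - 1;
+
+return(rc);
 }
 
 /* ******************************************* */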
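Review bot: The clamp `if(rc >= (int)size) rc = size - 1;` silently changes ndpi_snprintf's contract for every caller in the tree: the standard `rc >= size` truncation check no longer fires, so a truncated write becomes indistinguishable from a complete one. The comment introduced above it stops mid-sentence at "This has two consequences:" and refers to `tls_s_len`, a variable of some caller rather than of this function, so the reason for the clamp is not actually recorded here; finishing it with the new contract, e.g. `/* Unlike snprintf(), never returns >= size: on truncation the bytes actually written (size - 1) are returned so callers that advance an offset by rc stay in bounds, at the price of not being able to detect truncation. */`, would make the trade-off explicit. There is also a size == 0 edge: `size - 1` wraps the size_t before the implicit conversion to int, and `(int)size` goes negative for sizes above INT_MAX on common implementations, so `if(size > 0 && rc >= (int)size) rc = (int)(size - 1);` is safer and keeps snprintf's length-query behaviour for a zero-length buffer. The ndpi_snprintf definition begins before the hunk.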
