diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 1af79d2c319e..46e003b81889 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1153,104 +1153,6 @@ struct ndpi_risk_information {
 char *info;
 };
 
-struct ndpi_detection_module_config_struct {
- int max_packets_to_process;
- int direction_detect_enabled;
- /* In some networks, there are some anomalous TCP flows where
- the smallest ACK packets have some kind of zero padding.
- It looks like the IP and TCP headers in those frames wrongly consider the
- 0x00 Ethernet padding bytes as part of the TCP payload.
- While this kind of packets is perfectly valid per-se, in some conditions
- they might be treated by the TCP reassembler logic as (partial) overlaps,
- deceiving the classification engine.
- Add an heuristic to detect these packets and to ignore them, allowing
- correct detection/classification.
- See #1946 for other details */
- int tcp_ack_paylod_heuristic;
- /* Heuristic to detect fully encrypted sessions, i.e. flows where every bytes of
- the payload is encrypted in an attempt to “look like nothing”.
- This heuristic only analyzes the first packet of the flow.
- See: https://www.usenix.org/system/files/sec23fall-prepub-234-wu-mingshi.pdf */
- int fully_encrypted_heuristic;
- int track_payload_enabled;
- int libgcrypt_init;
- int guess_on_giveup;
-
- char *filename_protocols;
- char *filename_categories;
- char *filename_malicious_sha1;
- char *filename_malicious_ja3;
- char *filename_risky_domains;
- char *dirname_domains;
-
- char *filename_config;
-
- NDPI_PROTOCOL_BITMASK detection_bitmask;
-
- /* LRU caches */
-
- int ookla_cache_num_entries;
- int ookla_cache_ttl;
- int bittorrent_cache_num_entries;
- int bittorrent_cache_ttl;
- int zoom_cache_num_entries;
- int zoom_cache_ttl;
- int stun_cache_num_entries;
- int stun_cache_ttl;
- int tls_cert_cache_num_entries;
- int tls_cert_cache_ttl;
- int mining_cache_num_entries;
- int mining_cache_ttl;
- int msteams_cache_num_entries;
- int msteams_cache_ttl;
- int stun_zoom_cache_num_entries;
- int stun_zoom_cache_ttl;
-
- /* Protocols */
-
- int tls_certificate_expire_in_x_days;
- int tls_app_blocks_tracking_enabled;
- int tls_sha1_fingerprint_enabled;
-
- int smtp_opportunistic_tls_enabled;
-
- int imap_opportunistic_tls_enabled;
-
- int pop_opportunistic_tls_enabled;
-
- int ftp_opportunistic_tls_enabled;
-
- int stun_opportunistic_tls_enabled;
-
- int dns_subclassification_enabled;
- int dns_parse_response_enabled;
-
- int http_parse_response_enabled;
-
- int ookla_aggressiveness;
-
- int ip_lists_enabled;
- int ip_list_amazonaws_enabled;
- int ip_list_azure_enabled;
- int ip_list_cachefly_enabled;
- int ip_list_cloudflare_enabled;
- int ip_list_google_enabled;
- int ip_list_googlecloud_enabled;
- int ip_list_microsoft_enabled;
- int ip_list_ethereum_enabled;
- int ip_list_mullvad_enabled;
- int ip_list_protonvpn_enabled;
- int ip_list_tor_enabled;
- int ip_list_whatsapp_enabled;
- int ip_list_zoom_enabled;
- int asn_lists_enabled;
-
- int flow_risk_lists_enabled;
- int risk_anonymous_subscriber_list_icloudprivaterelay_enabled;
- int risk_anonymous_subscriber_list_protonvpn_enabled;
- int risk_crawler_bot_list_enabled;
-};
-
 
 struct ndpi_flow_struct {
 u_int16_t detected_protocol_stack[NDPI_PROTOCOL_SIZE];
diff --git a/src/lib/ndpi_private.h b/src/lib/ndpi_private.h
index 1dc977d1cdf4..5c29f3217fa9 100644
--- a/src/lib/ndpi_private.h
+++ b/src/lib/ndpi_private.h
@@ -122,6 +122,104 @@ typedef struct {
 } nbpf_filter;
 #endif
 
+struct ndpi_detection_module_config_struct {
+ int max_packets_to_process;
+ int direction_detect_enabled;
+ /* In some networks, there are some anomalous TCP flows where
+ the smallest ACK packets have some kind of zero padding.
+ It looks like the IP and TCP headers in those frames wrongly consider the
+ 0x00 Ethernet padding bytes as part of the TCP payload.
+ While this kind of packets is perfectly valid per-se, in some conditions
+ they might be treated by the TCP reassembler logic as (partial) overlaps,
+ deceiving the classification engine.
+ Add an heuristic to detect these packets and to ignore them, allowing
+ correct detection/classification.
+ See #1946 for other details */
+ int tcp_ack_paylod_heuristic;
+ /* Heuristic to detect fully encrypted sessions, i.e. flows where every bytes of
+ the payload is encrypted in an attempt to “look like nothing”.
+ This heuristic only analyzes the first packet of the flow.
+ See: https://www.usenix.org/system/files/sec23fall-prepub-234-wu-mingshi.pdf */
+ int fully_encrypted_heuristic;
+ int track_payload_enabled;
+ int libgcrypt_init;
+ int guess_on_giveup;
+
+ char *filename_protocols;
+ char *filename_categories;
+ char *filename_malicious_sha1;
+ char *filename_malicious_ja3;
+ char *filename_risky_domains;
+ char *dirname_domains;
+
+ char *filename_config;
+
+ NDPI_PROTOCOL_BITMASK detection_bitmask;
+
+ /* LRU caches */
+
+ int ookla_cache_num_entries;
+ int ookla_cache_ttl;
+ int bittorrent_cache_num_entries;
+ int bittorrent_cache_ttl;
+ int zoom_cache_num_entries;
+ int zoom_cache_ttl;
+ int stun_cache_num_entries;
+ int stun_cache_ttl;
+ int tls_cert_cache_num_entries;
+ int tls_cert_cache_ttl;
+ int mining_cache_num_entries;
+ int mining_cache_ttl;
+ int msteams_cache_num_entries;
+ int msteams_cache_ttl;
+ int stun_zoom_cache_num_entries;
+ int stun_zoom_cache_ttl;
+
+ /* Protocols */
+
+ int tls_certificate_expire_in_x_days;
+ int tls_app_blocks_tracking_enabled;
+ int tls_sha1_fingerprint_enabled;
+
+ int smtp_opportunistic_tls_enabled;
+
+ int imap_opportunistic_tls_enabled;
+
+ int pop_opportunistic_tls_enabled;
+
+ int ftp_opportunistic_tls_enabled;
+
+ int stun_opportunistic_tls_enabled;
+
+ int dns_subclassification_enabled;
+ int dns_parse_response_enabled;
+
+ int http_parse_response_enabled;
+
+ int ookla_aggressiveness;
+
+ int ip_lists_enabled;
+ int ip_list_amazonaws_enabled;
+ int ip_list_azure_enabled;
+ int ip_list_cachefly_enabled;
+ int ip_list_cloudflare_enabled;
+ int ip_list_google_enabled;
+ int ip_list_googlecloud_enabled;
+ int ip_list_microsoft_enabled;
+ int ip_list_ethereum_enabled;
+ int ip_list_mullvad_enabled;
+ int ip_list_protonvpn_enabled;
+ int ip_list_tor_enabled;
+ int ip_list_whatsapp_enabled;
+ int ip_list_zoom_enabled;
+ int asn_lists_enabled;
+
+ int flow_risk_lists_enabled;
+ int risk_anonymous_subscriber_list_icloudprivaterelay_enabled;
+ int risk_anonymous_subscriber_list_protonvpn_enabled;
+ int risk_crawler_bot_list_enabled;
+};
+
 struct ndpi_detection_module_struct {
 u_int64_t current_ts;
 u_int16_t num_tls_blocks_to_follow;
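Review bot: The `char *filename_*`, `dirname_domains` and `filename_config` members of the moved struct carry no ownership note, and now that the definition sits in the private header it is the natural place to state who allocates and frees them; a line such as `/* Heap-allocated copies owned by the detection module and released at module teardown — confirm against the config/exit code */` above `char *filename_protocols;` would do. The field name `tcp_ack_paylod_heuristic` keeps its `paylod` typo across the move; since its readers are outside this diff, a rename is a follow-up rather than part of this change. While the comment text is being relocated anyway, `every bytes of` → `every byte of` and `Add an heuristic` → `Add a heuristic` are cheap to fix in the same lines. Moving the definition out of ndpi_typedefs.h makes the config layout opaque to library users, which is presumably the intent; any out-of-tree code that read these fields directly will now fail to compile rather than silently mis-size the struct, so the release notes should mention it.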