
Aligned DNS to HTTP dissection

lucaderi committed Feb 7, 2019
1 parent 2ec41c1 commit ddf0066c11c0df4e3bc9744df11f08dce676f36e
Showing with 26 additions and 25 deletions.
  1. +1 −1 example/ndpiReader.c
  2. +2 −2 src/include/ndpi_typedefs.h
  3. +2 −2 src/lib/ndpi_main.c
  4. +21 −20 src/lib/protocols/dns.c
@@ -1459,7 +1459,7 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) {
ndpi_set_detection_preferences(ndpi_thread_info[thread_id].workflow->ndpi_struct,
ndpi_pref_http_dont_dissect_response, 0);
ndpi_set_detection_preferences(ndpi_thread_info[thread_id].workflow->ndpi_struct,
ndpi_pref_dns_dissect_response, 0);
ndpi_pref_dns_dont_dissect_response, 0);
ndpi_set_detection_preferences(ndpi_thread_info[thread_id].workflow->ndpi_struct,
ndpi_pref_enable_category_substring_match, 1);

@@ -827,7 +827,7 @@ typedef enum {

typedef enum {
ndpi_pref_http_dont_dissect_response = 0,
ndpi_pref_dns_dissect_response,
ndpi_pref_dns_dont_dissect_response,
ndpi_pref_direction_detect_disable,
ndpi_pref_disable_metadata_export,
ndpi_pref_enable_category_substring_match
@@ -1008,7 +1008,7 @@ struct ndpi_detection_module_struct {

ndpi_proto_defaults_t proto_defaults[NDPI_MAX_SUPPORTED_PROTOCOLS+NDPI_MAX_NUM_CUSTOM_PROTOCOLS];

u_int8_t http_dont_dissect_response:1, dns_dissect_response:1,
u_int8_t http_dont_dissect_response:1, dns_dont_dissect_response:1,
direction_detect_disable:1, /* disable internal detection of packet direction */
disable_metadata_export:1, /* No metadata is exported */
enable_category_substring_match:1 /* Default is perfect match */
@@ -942,8 +942,8 @@ int ndpi_set_detection_preferences(struct ndpi_detection_module_struct *ndpi_mod
ndpi_mod->http_dont_dissect_response = (u_int8_t)value;
break;

case ndpi_pref_dns_dissect_response:
ndpi_mod->dns_dissect_response = (u_int8_t)value;
case ndpi_pref_dns_dont_dissect_response:
ndpi_mod->dns_dont_dissect_response = (u_int8_t)value;
break;

case ndpi_pref_direction_detect_disable:
@@ -36,9 +36,9 @@

static u_int16_t get16(int *i, const u_int8_t *payload) {
u_int16_t v = *(u_int16_t*)&payload[*i];

(*i) += 2;

return(ntohs(v));
}

@@ -52,7 +52,7 @@ static u_int getNameLength(u_int i, const u_int8_t *payload, u_int payloadLen) {
else {
u_int8_t len = payload[i];
u_int8_t off = len + 1;

if(off == 0) /* Bad packet */
return(0);
else
@@ -66,7 +66,7 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
int x;
u_int8_t is_query;
u_int16_t s_port = 0, d_port = 0;

NDPI_LOG_DBG(ndpi_struct, "search DNS\n");

if(flow->packet.udp != NULL) {
@@ -118,7 +118,7 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
if(flow->packet.payload[x] == '\0') {
x++;
flow->protos.dns.query_type = get16(&x, flow->packet.payload);
#ifdef DNS_DEBUG
#ifdef DNS_DEBUG
NDPI_LOG_DBG2(ndpi_struct, "query_type=%2d\n", flow->protos.dns.query_type);
#endif
break;
@@ -128,7 +128,6 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
}
} else
invalid = 1;

} else {
/* DNS Reply */

@@ -140,15 +139,15 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
|| ((dns_header.additional_rrs > 0) && (dns_header.additional_rrs <= NDPI_MAX_DNS_REQUESTS)))
) {
/* This is a good reply */
if(ndpi_struct->dns_dissect_response) {
if(ndpi_struct->dns_dont_dissect_response == 0) {
x++;

if(flow->packet.payload[x] != '\0') {
while((x < flow->packet.payload_packet_len)
&& (flow->packet.payload[x] != '\0')) {
x++;
}

x++;
}

@@ -160,7 +159,7 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd

for(num = 0; num < dns_header.num_answers; num++) {
u_int16_t data_len;

if((x+6) >= flow->packet.payload_packet_len) {
break;
}
@@ -169,7 +168,7 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
break;
} else
x += data_len;

rsp_type = get16(&x, flow->packet.payload);
flow->protos.dns.rsp_type = rsp_type;
break;
@@ -199,43 +198,45 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
off++;
}

if(is_query && ndpi_struct->dns_dissect_response)
return; /* The response will set the verdict */

if(is_query && (ndpi_struct->dns_dont_dissect_response == 0)) {
// dpi_set_detected_protocol(ndpi_struct, flow, (d_port == 5355) ? NDPI_PROTOCOL_LLMNR : NDPI_PROTOCOL_DNS, NDPI_PROTOCOL_UNKNOWN);
return; /* The response will set the verdict */
}

flow->host_server_name[j] = '\0';

flow->protos.dns.num_queries = (u_int8_t)dns_header.num_queries,
flow->protos.dns.num_answers = (u_int8_t) (dns_header.num_answers + dns_header.authority_rrs + dns_header.additional_rrs);

if(j > 0) {
ndpi_protocol_match_result ret_match;
ndpi_match_host_subprotocol(ndpi_struct, flow,

ndpi_match_host_subprotocol(ndpi_struct, flow,
(char *)flow->host_server_name,
strlen((const char*)flow->host_server_name),
&ret_match,
NDPI_PROTOCOL_DNS);
}

#ifdef DNS_DEBUG
NDPI_LOG_DBG2(ndpi_struct, "[num_queries=%d][num_answers=%d][reply_code=%u][rsp_type=%u][host_server_name=%s]\n",
flow->protos.dns.num_queries, flow->protos.dns.num_answers,
flow->protos.dns.reply_code, flow->protos.dns.rsp_type, flow->host_server_name
);
#endif

if(flow->packet.detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {
/**
Do not set the protocol with DNS if ndpi_match_host_subprotocol() has
matched a subprotocol
**/
NDPI_LOG_INFO(ndpi_struct, "found DNS\n");
NDPI_LOG_INFO(ndpi_struct, "found DNS\n");
ndpi_set_detected_protocol(ndpi_struct, flow, (d_port == 5355) ? NDPI_PROTOCOL_LLMNR : NDPI_PROTOCOL_DNS, NDPI_PROTOCOL_UNKNOWN);
} else {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
}
}
}
}

void init_dns_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
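Review bot: The read in get16 (hunk at -36,9 +36,9, `u_int16_t v = *(u_int16_t*)&payload[*i];`) dereferences a u_int16_t pointer into a packet byte buffer, which is a potentially misaligned access and an aliasing violation on arbitrary offsets; since this commit appears to turn reply dissection on unless dns_dont_dissect_response is set, the helper now runs on every response's answer records. A byte-wise copy keeps the same result: `u_int16_t v; memcpy(&v, &payload[*i], sizeof v);` (the file already uses strlen, so <string.h> is presumably included — confirm). The helper also takes no length, and at the call right after `x++` in the query branch no check that `x + 1 < flow->packet.payload_packet_len` is visible in the hunk, so a truncated query can read past the payload; the callers should bound the index before calling, or get16 should take payload_packet_len and return 0 when it would overrun.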
