Add the ability to enable/disable every specific flow risks (#2653)
IvanNardi authored Jan 6, 2025
1 parent c3d19be commit bf830b4
Showing 40 changed files with 437 additions and 218 deletions.
1 change: 1 addition & 0 deletions doc/configuration_parameters.md
Expand Up @@ -18,6 +18,7 @@ TODO
| NULL | "metadata.tcp_fingerprint" | enable | NULL | NULL | Enable/disable computation and export of TCP fingerprint for all TCP flows
| NULL | "dpi.guess_on_giveup" | 0x03 | 0x00 | 0x03 | Tell the library to guess flow classification, if any DPI algorithms/logics fail. The value is a bitmask. Values: 0x0 = disabled; 0x01 = enable guessing by port; 0x02 = enable guessing by ip |
| NULL | "dpi.guess_ip_before_port" | disable | NULL | NULL | Enable/disable guessing by IP first when guessing flow classifcation. Disabled = guess by port first. |
| NULL | "flow_risk.$FLOWRISK_NAME_OR_ID" | enable | NULL | NULL | Enable/disable the specific flow risk. Use "any" as flow risk name if you want to easily enable/disable all flow risks. The names of the flow risks are available at `src/include/ndpi_typedefs.h`: look for `ndpi_risk_shortnames` |
| NULL | "flow_risk_lists.load" | 1 | NULL | NULL | Enable/disable loading of every IP addresses lists used to check any flow risks |
| NULL | "flow_risk.anonymous_subscriber.list.icloudprivaterelay.load" | 1 | NULL | NULL | Enable/disable loading of internal iCouldPrivateRealy IP address list used to check `NDPI_ANONYMOUS_SUBSCRIBER` flow risk |
| NULL | "flow_risk.anonymous_subscriber.list.protonvpn.load" | 1 | NULL | NULL | Enable/disable loading of internal IP address list of ProtonVPN exit nodes used to check `NDPI_ANONYMOUS_SUBSCRIBER` flow risk |
11 changes: 11 additions & 0 deletions fuzz/fuzz_config.cpp
Expand Up @@ -397,6 +397,17 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
snprintf(cfg_value, sizeof(cfg_value), "%d", value);
ndpi_set_config(ndpi_info_mod, NULL, "metadata.tcp_fingerprint", cfg_value);
}
if(fuzzed_data.ConsumeBool()) {
pid = fuzzed_data.ConsumeIntegralInRange<u_int16_t>(0, NDPI_MAX_RISK + 1); /* + 1 to trigger invalid pid */
value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
snprintf(cfg_value, sizeof(cfg_value), "%d", value);
if(fuzzed_data.ConsumeBool() && pid < NDPI_MAX_RISK)
snprintf(cfg_param, sizeof(cfg_param), "flow_risk.%s", ndpi_risk_shortnames[pid]);
else
snprintf(cfg_param, sizeof(cfg_param), "flow_risk.%d", pid);
ndpi_set_config(ndpi_info_mod, NULL, cfg_param, cfg_value);
ndpi_get_config(ndpi_info_mod, NULL, cfg_param, cfg_value, sizeof(cfg_value));
}
if(fuzzed_data.ConsumeBool()) {
value = fuzzed_data.ConsumeIntegralInRange(0, 1 + 1);
snprintf(cfg_value, sizeof(cfg_value), "%d", value);
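Review bot: The new block never generates the `flow_risk.any` wildcard that doc/configuration_parameters.md documents in this same commit, so that branch of the new config parser gets no coverage from this harness; the two snprintf branches only emit a short name or a numeric id. A third alternative, e.g. `else if(fuzzed_data.ConsumeBool()) snprintf(cfg_param, sizeof(cfg_param), "%s", "flow_risk.any");` placed before the numeric fallback, would exercise it. The `pid < NDPI_MAX_RISK` guard before indexing `ndpi_risk_shortnames` is correct, and the `1 + 1` upper bound on the value deserves the same explanatory comment the pid line carries, e.g. `/* + 1 to trigger invalid value */`. `pid` and `cfg_param` are declared outside the hunk, so their types and sizes could not be checked here.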
6 changes: 3 additions & 3 deletions src/include/ndpi_main.h
Expand Up @@ -93,8 +93,8 @@ extern "C" {
ndpi_protocol_category_t protoCategory,
ndpi_port_range *tcpDefPorts,
ndpi_port_range *udpDefPorts);
void ndpi_set_risk(struct ndpi_flow_struct *flow, ndpi_risk_enum r,
char *risk_message);
void ndpi_set_risk(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow,
ndpi_risk_enum r, char *risk_message);
void ndpi_unset_risk(struct ndpi_flow_struct *flow, ndpi_risk_enum r);
int ndpi_isset_risk(struct ndpi_flow_struct *flow, ndpi_risk_enum r);
int ndpi_is_printable_buffer(u_int8_t const * const buf, size_t len);
Expand All @@ -108,7 +108,7 @@ extern "C" {
#define NDPI_ENTROPY_ENCRYPTED_OR_RANDOM(entropy) (entropy >= 7.312f)
float ndpi_entropy(u_int8_t const * const buf, size_t len);
char *ndpi_entropy2str(float entropy, char *buf, size_t len);
void ndpi_entropy2risk(struct ndpi_flow_struct *flow);
void ndpi_entropy2risk(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);

#ifdef __cplusplus
}
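Review bot: The new first parameter of `ndpi_set_risk` and `ndpi_entropy2risk` is undocumented in the header: nothing states what the detection module is consulted for or whether NULL is accepted, while the sibling `ndpi_unset_risk` and `ndpi_isset_risk` keep their old shape, so a reader cannot tell from the prototypes why only setting a risk needs it. Presumably it is required to honour the new per-risk enable mask, in which case a one-line comment above the prototype such as `/* ndpi_str: detection module whose flow-risk configuration decides whether r is actually set; must not be NULL */` would make the contract explicit, with the NULL part adjusted to what the implementation does. Since this is a public prototype, the header is also the natural place to note that out-of-tree callers must be updated.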
2 changes: 2 additions & 0 deletions src/include/ndpi_private.h
Expand Up @@ -292,6 +292,8 @@ struct ndpi_detection_module_config_struct {
NDPI_PROTOCOL_BITMASK ip_list_bitmask;
NDPI_PROTOCOL_BITMASK monitoring;

NDPI_PROTOCOL_BITMASK flowrisk_bitmask;

int flow_risk_lists_enabled;
int risk_anonymous_subscriber_list_icloudprivaterelay_enabled;
int risk_anonymous_subscriber_list_protonvpn_enabled;
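Review bot: `flowrisk_bitmask` reuses `NDPI_PROTOCOL_BITMASK`, a type whose width is presumably sized from the number of protocols, to hold one bit per risk id; that is only safe while `NDPI_MAX_RISK` stays within that bit capacity, and nothing visible here checks it. A comment on the field, `/* one bit per ndpi_risk_enum value; requires NDPI_MAX_RISK <= bit width of NDPI_PROTOCOL_BITMASK */`, plus a static assertion of that inequality next to the risk enum definition, would make the coupling explicit and fail the build rather than silently truncate the mask. The name also breaks with the neighbouring `flow_risk_lists_enabled` fields; `flow_risk_bitmask` would match the existing convention.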
5 changes: 4 additions & 1 deletion src/include/ndpi_typedefs.h
Expand Up @@ -97,7 +97,7 @@ typedef enum {
NOTE
When the typedef below is modified don't forget to update
- nDPI/wireshark/ndpi.lua
- ndpi_risk2str, ndpi_risk2code, ndpi_code2risk (in ndpi_utils.c)
- ndpi_risk2str, ndpi_risk2code, ndpi_code2risk, ndpi_risk_shortnames (in ndpi_utils.c)
- doc/flow_risks.rst
- ndpi_known_risks (ndpi_main.c)
Expand Down Expand Up @@ -175,6 +175,9 @@ typedef enum {

typedef u_int64_t ndpi_risk; /* (**) */

/*Used mainly by configuration */
extern const char *ndpi_risk_shortnames[NDPI_MAX_RISK];

typedef enum {
NDPI_PARAM_HOSTNAME /* char* */,
NDPI_PARAM_ISSUER_DN /* char* */,
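Review bot: The exported table is declared as `const char *ndpi_risk_shortnames[NDPI_MAX_RISK]`, so the strings are read-only but the pointer slots themselves are writable, and any enumerator left without an initializer in the ndpi_utils.c definition would become a NULL entry that callers such as the new fuzz harness pass straight to a `%s` conversion. Declaring it `extern const char * const ndpi_risk_shortnames[NDPI_MAX_RISK];` (with the matching definition) keeps the table in read-only data, and the comment could state the invariant the NOTE above relies on: `/* Short names used by the "flow_risk.*" configuration keys; exactly one non-NULL entry per ndpi_risk_enum value, keep in sync with the enum above */`. The risk enum this table mirrors ends outside this hunk.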