From f5545a80f95a90a5219bbb319b346f964b1e1548 Mon Sep 17 00:00:00 2001
From: Luca Deri
Date: Tue, 11 Jan 2022 21:45:27 +0100
Subject: [PATCH] Removed legacy code

---
 example/intrusion_detection.c | 463 ----------------------------------
 example/intrusion_detection.h | 69 -----
 example/ndpiReader.c | 120 ++-------
 example/reader_util.c | 48 ++--
 4 files changed, 47 insertions(+), 653 deletions(-)
 delete mode 100644 example/intrusion_detection.c
 delete mode 100644 example/intrusion_detection.h

diff --git a/example/intrusion_detection.c b/example/intrusion_detection.c
deleted file mode 100644
index 3484f4aaed6..00000000000
--- a/example/intrusion_detection.c
+++ /dev/null
@@ -1,463 +0,0 @@ -/* - * intrusion_detection.c - * - * Copyright (C) 2011-22 - ntop.org - * - * This file is part of nDPI, an open source deep packet inspection - * library based on the OpenDPI and PACE technology by ipoque GmbH - * - * nDPI is free software: you can redistribute it and/or modify - * it under the terms of the GNU Lesser General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * nDPI is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with nDPI. If not, see . - * - */ - -#include "intrusion_detection.h" - -double normalize(ndpi_norm_value* tresholds){ - if(tresholds->upper_bound != tresholds->lower_bound){ - tresholds->norm_value = (tresholds->value - tresholds->lower_bound) / (tresholds->upper_bound - tresholds->lower_bound); - }else{ - if(tresholds->value > tresholds->upper_bound){ - tresholds->norm_value = 1 + (tresholds->value - tresholds->lower_bound) / tresholds->upper_bound; - }else{ - tresholds->norm_value = 1 - (tresholds->value - tresholds->lower_bound) / tresholds->upper_bound; - } - - } - if(tresholds->norm_value >= 0){ - return tresholds->norm_value * tresholds->weight; - } - else{ - return (1 - tresholds->norm_value) * tresholds->weight; - } -} - -double get_flow_score(ndpi_norm_value* scores, int n_metrics){ - double flow_score = 0; - int i; - for(i=0; ipktlen_c_to_s); - - /* pktlen_s_to_c_max */ - i++; - scores[i].lower_bound = 90.0; - scores[i].upper_bound = 2974.0; - scores[i].weight = 0.21073785073559176; - scores[i].value = ndpi_data_max(flow->pktlen_s_to_c); - - /* pktlen_s_to_c_avg */ - i++; - scores[i].lower_bound = 72.7; - scores[i].upper_bound = 
1130.4199999999996; - scores[i].weight = 0.21257330032661592; - scores[i].value = ndpi_data_average(flow->pktlen_s_to_c); - - /* pktlen_s_to_c_stddev */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 906.0; - scores[i].weight = 0.20990954527912953; - scores[i].value = ndpi_data_stddev(flow->pktlen_s_to_c); - - /* fin */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 2.0; - scores[i].weight = 0.07710300166602348; - scores[i].value = flow->fin_count; - - /* s_to_c_fin */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 2.0; - scores[i].weight = 0.07710300166602348; - scores[i].value = flow->dst2src_fin_count; - - // sum = 1.0 - double flow_score = get_flow_score(scores, n_metrics); - free(scores); - return flow_score; -} - -double Dos_goldeneye_score(struct ndpi_flow_info* flow){ - int n_metrics = 6; - ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value)); - /* pktlen_s_to_c_max */ - int i = 0; - scores[i].lower_bound = 74.0; - scores[i].upper_bound = 3292.6699999999764; - scores[i].weight = 0.3123007140611667; - scores[i].value = ndpi_data_max(flow->pktlen_s_to_c); - /* pktlen_s_to_c_avg */ - i++; - scores[i].lower_bound = 68.7; - scores[i].upper_bound = 1354.0569999999987; - scores[i].weight = 0.23802038891633356; - scores[i].value = ndpi_data_average(flow->pktlen_s_to_c); - - /* pktlen_s_to_c_stddev */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 959.4469999999993; - scores[i].weight = 0.3111779763775991; - scores[i].value = ndpi_data_stddev(flow->pktlen_s_to_c); - - /* syn */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 2.0; - scores[i].weight = 0.0464364305923564; - scores[i].value = flow->syn_count; - - /* c_to_s_syn */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 1.0; - scores[i].weight = 0.04562805946018772; - scores[i].value = flow->src2dst_syn_count; - - /* s_to_c_syn */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 
2.0; - scores[i].weight = 0.0464364305923564; - scores[i].value = flow->dst2src_syn_count; - - // sum = 0.9999999999999998 - double flow_score = get_flow_score(scores, n_metrics); - free(scores); - return flow_score; -} - -double Dos_hulk_score(struct ndpi_flow_info* flow){ - double f = (double)flow->first_seen_ms/1000.0, l = (double)flow->last_seen_ms/1000.0; - int n_metrics = 6; - ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value)); - /* duration */ - int i = 0; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 539.40668006422; - scores[i].weight = 0.16666666666666666; - scores[i].value = (l - f); - - /* src2dst_packets */ - i++; - scores[i].lower_bound = 2.0; - scores[i].upper_bound = 41.0; - scores[i].weight = 0.16666666666666666; - scores[i].value = flow->src2dst_packets; - - /* dst2src_packets */ - i++; - scores[i].lower_bound = 2.0; - scores[i].upper_bound = 45.0; - scores[i].weight = 0.16666666666666666; - scores[i].value = flow->dst2src_packets; - - /* src2dst_bytes */ - i++; - scores[i].lower_bound = 146.0; - scores[i].upper_bound = 6306.300000000001; - scores[i].weight = 0.16666666666666666; - scores[i].value = flow->src2dst_bytes; - - /* ack */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 82.0; - scores[i].weight = 0.16666666666666666; - scores[i].value = flow->ack_count; - - /* syn */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 2.0; - scores[i].weight = 0.16666666666666666; - scores[i].value = flow->syn_count; - - // sum = 0.9999999999999999 - double flow_score = get_flow_score(scores, n_metrics); - free(scores); - return flow_score; -} - -double Dos_slow_score(struct ndpi_flow_info* flow){ - int n_metrics = 6; - ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value)); - /* pktlen_s_to_c_max */ - int i = 0; - scores[i].lower_bound = 90.0; - scores[i].upper_bound = 3135.0; - scores[i].weight = 0.1760747755022144; - scores[i].value = ndpi_data_max(flow->pktlen_s_to_c); - - /* 
pktlen_s_to_c_avg */ - i++; - scores[i].lower_bound = 80.37100000000001; - scores[i].upper_bound = 1292.5900000000008; - scores[i].weight = 0.17600137023171597; - scores[i].value = ndpi_data_average(flow->pktlen_s_to_c); - - /* dst2src_bytes */ - i++; - scores[i].lower_bound = 262.0; - scores[i].upper_bound = 53227.80000000002; - scores[i].weight = 0.16919914849886225; - scores[i].value = flow->dst2src_bytes; - - /* syn */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 2.0; - scores[i].weight = 0.168000195747388; - scores[i].value = flow->syn_count; - - /* c_to_s_syn */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 1.0; - scores[i].weight = 0.14272431427243143; - scores[i].value = flow->src2dst_syn_count; - - /* s_to_c_syn */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 2.0; - scores[i].weight = 0.168000195747388; - scores[i].value = flow->dst2src_syn_count; - - // sum = 1.0 - double flow_score = get_flow_score(scores, n_metrics); - free(scores); - return flow_score; -} - -double Ftp_patator_score(struct ndpi_flow_info* flow){ - int n_metrics = 6; - ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value)); - /* iat_flow_min */ - int i = 0; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 24.0; - scores[i].weight = 0.002732919254658385; - scores[i].value = ndpi_data_min(flow->iat_flow); - - /* pktlen_s_to_c_max */ - i++; - scores[i].lower_bound = 90.0; - scores[i].upper_bound = 3393.0; - scores[i].weight = 0.007453416149068323; - scores[i].value = ndpi_data_max(flow->pktlen_s_to_c); - - /* pktlen_s_to_c_avg */ - i++; - scores[i].lower_bound = 81.3; - scores[i].upper_bound = 1315.021; - scores[i].weight = 0.9833540372670807; - scores[i].value = ndpi_data_average(flow->pktlen_s_to_c); - - /* dst2src_bytes */ - i++; - scores[i].lower_bound = 256.0; - scores[i].upper_bound = 56434.0; - scores[i].weight = 0.0034782608695652175; - scores[i].value = flow->dst2src_bytes; - - /* fin */ - i++; - 
scores[i].lower_bound = 0.0; - scores[i].upper_bound = 2.0; - scores[i].weight = 0.0014906832298136647; - scores[i].value = flow->fin_count; - - /* rst */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 2.0; - scores[i].weight = 0.0014906832298136647; - scores[i].value = flow->rst_count; - - // sum = 1.0 - double flow_score = get_flow_score(scores, n_metrics); - free(scores); - return flow_score; -} - -double Hearthbleed_score(struct ndpi_flow_info* flow){ - double f = (double)flow->first_seen_ms/1000.0, l = (double)flow->last_seen_ms/1000.0; - int n_metrics = 6; - ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value)); - /* iat_flow_max */ - int i = 0; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 595213.3999999999; - scores[i].weight = 0.16666666666666666; - scores[i].value = ndpi_data_max(flow->iat_flow); - - /* iat_flow_stddev */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 245377.74799999973; - scores[i].weight = 0.16666666666666666; - scores[i].value = ndpi_data_stddev(flow->iat_flow); - - /* pktlen_s_to_c_max */ - i++; - scores[i].lower_bound = 74.0; - scores[i].upper_bound = 3380.0; - scores[i].weight = 0.16666666666666666; - scores[i].value = ndpi_data_max(flow->pktlen_s_to_c); - - /* pktlen_s_to_c_avg */ - i++; - scores[i].lower_bound = 70.0; - scores[i].upper_bound = 1344.6399999999996; - scores[i].weight = 0.16666666666666666; - scores[i].value = ndpi_data_average(flow->pktlen_s_to_c); - - /* pktlen_s_to_c_stddev */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 944.6399999999996; - scores[i].weight = 0.16666666666666666; - scores[i].value = ndpi_data_stddev(flow->pktlen_s_to_c); - - /* duration */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 711.6677598000391; - scores[i].weight = 0.16666666666666666; - scores[i].value = (l - f); - - // sum = 0.9999999999999999 - double flow_score = get_flow_score(scores, n_metrics); - free(scores); - return flow_score; -} 
- -double Infiltration_score(struct ndpi_flow_info* flow){ - int n_metrics = 6; - ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value)); - /* pktlen_c_to_s_max */ - int i = 0; - scores[i].lower_bound = 72.0; - scores[i].upper_bound = 1840.739999999998; - scores[i].weight = 0.11937557392102846; - scores[i].value = ndpi_data_max(flow->pktlen_c_to_s); - - /* pktlen_c_to_s_avg */ - i++; - scores[i].lower_bound = 70.0; - scores[i].upper_bound = 296.56599999999816; - scores[i].weight = 0.12526782981328435; - scores[i].value = ndpi_data_average(flow->pktlen_c_to_s); - - /* pktlen_s_to_c_max */ - i++; - scores[i].lower_bound = 90.0; - scores[i].upper_bound = 3496.1399999999776; - scores[i].weight = 0.13927150290786652; - scores[i].value = ndpi_data_max(flow->pktlen_s_to_c); - - /* pktlen_s_to_c_avg */ - i++; - scores[i].lower_bound = 72.6; - scores[i].upper_bound = 1367.7959999999991; - scores[i].weight = 0.12182430364248545; - scores[i].value = ndpi_data_average(flow->pktlen_s_to_c); - - /* src2dst_bytes */ - i++; - scores[i].lower_bound = 144.0; - scores[i].upper_bound = 7847.69999999999; - scores[i].weight = 0.12059993878175697; - scores[i].value = flow->src2dst_bytes; - - /* dst2src_bytes */ - i++; - scores[i].lower_bound = 236.0; - scores[i].upper_bound = 74486.7799999998; - scores[i].weight = 0.3736608509335782; - scores[i].value = flow->dst2src_bytes; - - // sum = 1.0 - double flow_score = get_flow_score(scores, n_metrics); - free(scores); - return flow_score; -} - -double Ssh_patator_score(struct ndpi_flow_info* flow){ - int n_metrics = 6; - ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value)); - /* fin */ - int i = 0; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 2.0; - scores[i].weight = 0.0033738191632928477; - scores[i].value = flow->fin_count; - - /* psh */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 30.0; - scores[i].weight = 0.33076923076923076; - scores[i].value = flow->psh_count; - - /* 
c_to_s_syn */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 1.0; - scores[i].weight = 0.0004048582995951417; - scores[i].value = flow->src2dst_syn_count; - - /* c_to_s_psh */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 12.0; - scores[i].weight = 0.33130904183535764; - scores[i].value = flow->src2dst_psh_count; - - /* s_to_c_fin */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 2.0; - scores[i].weight = 0.0033738191632928477; - scores[i].value = flow->dst2src_fin_count; - - /* s_to_c_psh */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 30.0; - scores[i].weight = 0.33076923076923076; - scores[i].value = flow->dst2src_psh_count; - - // sum = 1.0 - double flow_score = get_flow_score(scores, n_metrics); - free(scores); - return flow_score; -} diff --git a/example/intrusion_detection.h b/example/intrusion_detection.h deleted file mode 100644 index 635115ac088..00000000000 --- a/example/intrusion_detection.h +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * intrusion_detection.h - * - * Copyright (C) 2011-22 - ntop.org - * - * This file is part of nDPI, an open source deep packet inspection - * library based on the OpenDPI and PACE technology by ipoque GmbH - * - * nDPI is free software: you can redistribute it and/or modify - * it under the terms of the GNU Lesser General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * nDPI is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with nDPI. If not, see . - * - */ - -#ifndef _INTRUSION_DETECTION_H_ -#define _INTRUSION_DETECTION_H_ - -/* - Code to detect attacks reported in - - https://www.unb.ca/cic/datasets/ids-2017.html - https://www.unb.ca/cic/datasets/ids-2018.html -*/ - -#include -#include -#include "reader_util.h" -#include "ndpi_api.h" - -typedef struct norm_values{ - double upper_bound; - double lower_bound; - double weight; - double value; - double norm_value; -}ndpi_norm_value; - -double normalize(ndpi_norm_value* tresholds); - -double get_flow_score(ndpi_norm_value* scores, int n_metrics); - -/* ********************************** */ - -double Ddos_score(struct ndpi_flow_info* flow); - -double Dos_goldeneye_score(struct ndpi_flow_info* flow); - -double Dos_hulk_score(struct ndpi_flow_info* flow); - -double Dos_slow_score(struct ndpi_flow_info* flow); - -double Ftp_patator_score(struct ndpi_flow_info* flow); - -double Hearthbleed_score(struct ndpi_flow_info* flow); - -double Infiltration_score(struct ndpi_flow_info* flow); - -double Ssh_patator_score(struct ndpi_flow_info* flow); - -#endif /* _INTRUSION_DETECTION_H_ */ 
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index a4f43b7297e..cf646c681fb 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -56,7 +56,6 @@
 #include
 #include "reader_util.h"
-#include "intrusion_detection.h"
 #define ntohl64(x) ( ( (uint64_t)(ntohl( (uint32_t)((x << 32) >> 32) )) << 32) | ntohl( ((uint32_t)(x >> 32)) ) )
 #define htonl64(x) ntohl64(x)
@@ -84,7 +83,7 @@ static char* domain_to_check = NULL;
 static u_int8_t ignore_vlanid = 0;
 /** User preferences **/
 u_int8_t enable_protocol_guess = 1, enable_payload_analyzer = 0, num_bin_clusters = 0, extcap_exit = 0;
-u_int8_t verbose = 0, enable_joy_stats = 0;
+u_int8_t verbose = 0, enable_flow_stats = 0;
 int nDPI_LogLevel = 0;
 char *_debug_protocols = NULL;
 u_int8_t human_readeable_string_len = 5;
@@ -332,29 +331,6 @@ void ndpiCheckHostStringMatch(char *testChar) {
 */
 static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle);
-#if 0
-static void reduceBDbits(uint32_t *bd, unsigned int len) {
- int mask = 0;
- int shift = 0;
- unsigned int i = 0;
-
- for(i = 0; i < len; i++)
- mask = mask | bd[i];
-
- mask = mask >> 8;
- for(i = 0; i < 24 && mask; i++) {
- mask = mask >> 1;
- if (mask == 0) {
- shift = i+1;
- break;
- }
- }
-
- for(i = 0; i < len; i++)
- bd[i] = bd[i] >> shift;
-}
-#endif
-
 /**
 * @brief Get flow byte distribution mean and variance
 */
@@ -414,20 +390,7 @@ flowGetBDMeanandVariance(struct ndpi_flow_info* flow) {
 }
 }
- if(enable_joy_stats) {
-#if 0
- if(verbose > 1) {
- reduceBDbits(tmp, 256);
- array = tmp;
-
- fprintf(out, " [byte_dist: ");
- for(i = 0; i < 255; i++)
- fprintf(out, "%u,", (unsigned char)array[i]);
-
- fprintf(out, "%u]", (unsigned char)array[i]);
- }
-#endif
-
+ if(enable_flow_stats) {
 /* Output the mean */
 if(num_bytes != 0) {
 double entropy = ndpi_flow_get_byte_count_entropy(array, num_bytes);
@@ -483,8 +446,7 @@ static void help(u_int long_help) {
 " -d | Disable protocol guess and use only DPI\n"
 " -e | Min human readeable string match len. Default %u\n"
 " -q | Quiet mode\n"
-" -J | Display flow SPLT (sequence of packet length and time)\n"
-" | and BD (byte distribution). See https://github.com/cisco/joy\n"
+" -F | Enable flow stats\n"
 " -t | Dissect GTP/TZSP tunnels\n"
 " -P :::: | Enable payload analysis:\n"
 " | = min pattern len to search\n"
@@ -575,6 +537,7 @@ static struct option longopts[] = {
 { "csv-dump", required_argument, NULL, 'C'},
 { "interface", required_argument, NULL, 'i'},
 { "filter", required_argument, NULL, 'f'},
+ { "flow-stats", required_argument, NULL, 'F'},
 { "cpu-bind", required_argument, NULL, 'g'},
 { "loops", required_argument, NULL, 'l'},
 { "num-threads", required_argument, NULL, 'n'},
@@ -589,7 +552,6 @@ static struct option longopts[] = {
 { "ndpi-log-level", required_argument, NULL, 'V'},
 { "dbg-proto", required_argument, NULL, 'u'},
 { "help", no_argument, NULL, 'h'},
- { "joy", required_argument, NULL, 'J'},
 { "payload-analysis", required_argument, NULL, 'P'},
 { "result-path", required_argument, NULL, 'w'},
 { "quiet", no_argument, NULL, 'q'},
@@ -743,7 +705,6 @@ void printCSVHeader() {
 if(!csv_fp) return;
 fprintf(csv_fp, "#flow_id,protocol,first_seen,last_seen,duration,src_ip,src_port,dst_ip,dst_port,ndpi_proto_num,ndpi_proto,server_name_sni,");
- fprintf(csv_fp, "benign_score,dos_slow_score,dos_goldeneye_score,dos_hulk_score,ddos_score,hearthbleed_score,ftp_patator_score,ssh_patator_score,infiltration_score,");
 fprintf(csv_fp, "c_to_s_pkts,c_to_s_bytes,c_to_s_goodput_bytes,s_to_c_pkts,s_to_c_bytes,s_to_c_goodput_bytes,");
 fprintf(csv_fp, "data_ratio,str_data_ratio,c_to_s_goodput_ratio,s_to_c_goodput_ratio,");
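Review bot: The added `{ "flow-stats", required_argument, NULL, 'F'},` declares an argument the option never reads: the `case 'F':` handler in parseOptions only does `enable_flow_stats = 1;` and the help hunk in this same commit describes `-F` as a bare switch, so `--flow-stats` would swallow the following argv element as its value. It should read `{ "flow-stats", no_argument, NULL, 'F'},`. The removed `"joy"` entry carried the same mismatch, so this is inherited rather than introduced, but the rename was the moment to fix it. The getopt_long short-option string is not in the diff; unless `F` is already present there, `-F` falls through to the default case, which is worth confirming.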
@@ -777,7 +738,7 @@ void printCSVHeader() {
 fprintf(csv_fp, "ssh_client_hassh,ssh_server_hassh,flow_info,plen_bins");
 /* Joy */
- if(enable_joy_stats) {
+ if(enable_flow_stats) {
 fprintf(csv_fp, ",byte_dist_mean,byte_dist_std,entropy,total_entropy");
 }
@@ -822,7 +783,7 @@ static void parseOptions(int argc, char **argv) {
 case 'a':
 ndpi_generate_options(atoi(optarg));
 break;
-
+
 case 'b':
 if((num_bin_clusters = atoi(optarg)) > 32)
 num_bin_clusters = 32;
@@ -931,8 +892,8 @@ static void parseOptions(int argc, char **argv) {
 help(1);
 break;
- case 'J':
- enable_joy_stats = 1;
+ case 'F':
+ enable_flow_stats = 1;
 break;
 case 'P':
@@ -1073,7 +1034,7 @@ static void parseOptions(int argc, char **argv) {
 if(num_cores > 1 && bind_mask != NULL) {
 char *core_id = strtok(bind_mask, ":");
 thread_id = 0;
-
+
 while(core_id != NULL && thread_id < num_threads) {
 core_affinity[thread_id++] = atoi(core_id) % num_cores;
 core_id = strtok(NULL, ":");
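Review bot: The context comment `/* Joy */` directly above the renamed `if(enable_flow_stats) {` in printCSVHeader now points at nothing, since the `-J`/joy option and its help text are removed by this commit and the switch is `-F`. A comment naming what the branch actually emits, e.g. `/* Byte-distribution / entropy columns (-F, enable_flow_stats) */`, would keep the header in step with the option. The parallel `flowGetBDMeanandVariance` call sites in printFlow are renamed the same way and could carry the same wording.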
@@ -1224,40 +1185,10 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
 char buf_ver[16];
 u_int i;
- double dos_ge_score;
- double dos_slow_score;
- double dos_hulk_score;
- double ddos_score;
-
- double hearthbleed_score;
-
- double ftp_patator_score;
- double ssh_patator_score;
-
- double inf_score;
-
 if(csv_fp != NULL) {
 float data_ratio = ndpi_data_ratio(flow->src2dst_bytes, flow->dst2src_bytes);
 double f = (double)flow->first_seen_ms, l = (double)flow->last_seen_ms;
- /* PLEASE KEEP IN SYNC WITH printCSVHeader() */
- dos_ge_score = Dos_goldeneye_score(flow);
-
- dos_slow_score = Dos_slow_score(flow);
- dos_hulk_score = Dos_hulk_score(flow);
- ddos_score = Ddos_score(flow);
-
- hearthbleed_score = Hearthbleed_score(flow);
-
- ftp_patator_score = Ftp_patator_score(flow);
- ssh_patator_score = Ssh_patator_score(flow);
-
- inf_score = Infiltration_score(flow);
-
- double benign_score = dos_ge_score < 1 && dos_slow_score < 1 && \
- dos_hulk_score < 1 && ddos_score < 1 && hearthbleed_score < 1 && \
- ftp_patator_score < 1 && ssh_patator_score < 1 && inf_score < 1 ? 1.1 : 0;
-
 fprintf(csv_fp, "%u,%u,%.3f,%.3f,%.3f,%s,%u,%s,%u,",
 flow->flow_id,
 flow->protocol,
@@ -1276,11 +1207,6 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
 flow->detected_protocol, buf, sizeof(buf)),
 flow->host_server_name);
- fprintf(csv_fp, "%.4lf,%.4lf,%.4lf,%.4lf,%.4lf,%.4lf,%.4lf,%.4lf,%.4lf,", \
- benign_score, dos_slow_score, dos_ge_score, dos_hulk_score, \
- ddos_score, hearthbleed_score, ftp_patator_score, \
- ssh_patator_score, inf_score);
-
 fprintf(csv_fp, "%u,%llu,%llu,", flow->src2dst_packets, (long long unsigned int) flow->src2dst_bytes, (long long unsigned int) flow->src2dst_goodput_bytes);
 fprintf(csv_fp, "%u,%llu,%llu,", flow->dst2src_packets,
@@ -1347,7 +1273,7 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
 }
 if((verbose != 1) && (verbose != 2)) {
- if(csv_fp && enable_joy_stats) {
+ if(csv_fp && enable_flow_stats) {
 flowGetBDMeanandVariance(flow);
 }
@@ -1377,7 +1303,7 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
 if(enable_payload_analyzer) fprintf(out, "[flowId: %u]", flow->flow_id);
 }
- if(enable_joy_stats) {
+ if(enable_flow_stats) {
 /* Print entropy values for monitored flows. */
 flowGetBDMeanandVariance(flow);
 fflush(out);
@@ -1400,7 +1326,7 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
 ndpi_is_encrypted_proto(ndpi_thread_info[thread_id].workflow->ndpi_struct, flow->detected_protocol) ? "Encrypted" : "ClearText");
 fprintf(out, "[Confidence: %s]", ndpi_confidence_get_name(flow->confidence));
-
+
 if(flow->detected_protocol.category != 0)
 fprintf(out, "[cat: %s/%u]",
 ndpi_category_get_name(ndpi_thread_info[thread_id].workflow->ndpi_struct,
@@ -1483,7 +1409,7 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
 fprintf(out, "[Risk Score: %u]", ndpi_risk2score(flow->risk, &cli_score, &srv_score));
 }
-
+
 if(flow->ssh_tls.ssl_version != 0) fprintf(out, "[%s]", ndpi_ssl_version2str(buf_ver, sizeof(buf_ver), flow->ssh_tls.ssl_version, &known_tls));
 if(flow->ssh_tls.client_hassh[0] != '\0') fprintf(out, "[HASSH-C: %s]", flow->ssh_tls.client_hassh);
@@ -1523,7 +1449,7 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
 if(flow->ssh_tls.browser_heuristics.is_firefox_tls) fprintf(out, "[Firefox]");
 if(flow->ssh_tls.browser_heuristics.is_chrome_tls) fprintf(out, "[Chrome]");
 #endif
-
+
 if(flow->ssh_tls.notBefore && flow->ssh_tls.notAfter) {
 char notBefore[32], notAfter[32];
 struct tm a, b;
@@ -3410,7 +3336,7 @@ static void ndpi_process_packet(u_char *args,
 u_int32_t *crc, delta = sizeof(struct ndpi_packet_trailer) + 4 /* ethernet trailer */;
 struct ndpi_packet_trailer *trailer;
 u_int16_t cli_score, srv_score;
-
+
 memcpy(&h, header, sizeof(h));
 if(h.caplen > (sizeof(extcap_buf)-sizeof(struct ndpi_packet_trailer) - 4)) {
@@ -3770,12 +3696,12 @@ static void dgaUnitTest() {
 if(debug) printf("Checking non DGA %s\n", non_dga[i]);
 assert(ndpi_check_dga_name(ndpi_str, NULL, (char*)non_dga[i], 1) == 0);
 }
-
+
 for(i=0; dga[i] != NULL; i++) {
 if(debug) printf("Checking DGA %s\n", non_dga[i]);
 assert(ndpi_check_dga_name(ndpi_str, NULL, (char*)dga[i], 1) == 1);
 }
-
+
 ndpi_exit_detection_module(ndpi_str);
 }
@@ -4402,7 +4328,7 @@ void compressedBitmapUnitTest() {
 char *buf;
 ndpi_bitmap_iterator *it;
 u_int32_t value;
-
+
 for(i=0; i<1000; i++) {
 u_int32_t v = rand();
@@ -4424,10 +4350,10 @@ void compressedBitmapUnitTest() {
 while(ndpi_bitmap_iterator_next(it, &value)) {
 if(trace) printf("%u ", value);
 }
-
+
 if(trace) printf("\n");
 ndpi_bitmap_iterator_free(it);
-
+
 ndpi_free(buf);
 ndpi_bitmap_free(b);
 ndpi_bitmap_free(b1);
@@ -4464,7 +4390,7 @@ int original_main(int argc, char **argv) {
 printf("nDPI Library version mismatch: please make sure this code and the nDPI library are in sync\n");
 return(-1);
 }
-
+
 if(!skip_unit_tests) {
 #ifndef DEBUG_TRACE
 /* Skip tests when debugging */
@@ -4498,7 +4424,7 @@ int original_main(int argc, char **argv) {
 compressedBitmapUnitTest();
 #endif
 }
-
+
 gettimeofday(&startup_time, NULL);
 memset(ndpi_thread_info, 0, sizeof(ndpi_thread_info));
@@ -4542,7 +4468,7 @@ int original_main(int argc, char **argv) {
 if(ndpi_info_mod) ndpi_exit_detection_module(ndpi_info_mod);
 if(csv_fp) fclose(csv_fp);
 ndpi_free(_debug_protocols);
-
+
 #ifdef DEBUG_TRACE
 if(trace) fclose(trace);
 #endif
diff --git a/example/reader_util.c b/example/reader_util.c
index 76729c4c6c3..7ca60214145 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -69,7 +69,7 @@
 #include "reader_util.h"
 #include "ndpi_classify.h"
-extern u_int8_t enable_protocol_guess, enable_joy_stats, enable_payload_analyzer;
+extern u_int8_t enable_protocol_guess, enable_flow_stats, enable_payload_analyzer;
 extern u_int8_t verbose, human_readeable_string_len;
 extern u_int8_t max_num_udp_dissected_pkts /* 24 */, max_num_tcp_dissected_pkts /* 80 */;
 static u_int32_t flow_id = 0;
@@ -855,7 +855,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow
 #else
 ndpi_init_bin(&newflow->payload_len_bin, ndpi_bin_family8, PLEN_NUM_BINS);
 #endif
-
+
 if(version == IPVERSION) {
 inet_ntop(AF_INET, &newflow->src_ip, newflow->src_name, sizeof(newflow->src_name));
 inet_ntop(AF_INET, &newflow->dst_ip, newflow->dst_name, sizeof(newflow->dst_name));
@@ -913,7 +913,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow
 *src = newflow->src_id, *dst = newflow->dst_id;
- if(enable_joy_stats) {
+ if(enable_flow_stats) {
 newflow->entropy = ndpi_calloc(1, sizeof(struct ndpi_entropy));
 newflow->last_entropy = ndpi_calloc(1, sizeof(struct ndpi_entropy));
 newflow->entropy->src2dst_pkt_len[newflow->entropy->src2dst_pkt_count] = l4_data_len;
@@ -953,7 +953,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow
 else
 *src = rflow->dst_id, *dst = rflow->src_id, *src_to_dst_direction = 0, rflow->bidirectional = 1;
 }
- if(enable_joy_stats) {
+ if(enable_flow_stats) {
 if(src_to_dst_direction) {
 if(rflow->entropy->src2dst_pkt_count < max_num_packets_per_flow) {
 rflow->entropy->src2dst_pkt_len[rflow->entropy->src2dst_pkt_count] = l4_data_len;
@@ -1046,10 +1046,10 @@ void correct_csv_data_field(char* data) {
 /* ****************************************************** */
-u_int8_t plen2slot(u_int16_t plen) {
- /*
+u_int8_t plen2slot(u_int16_t plen) {
+ /*
 Slots [32 bytes lenght]
- 0..31, 32..63 ...
+ 0..31, 32..63 ...
 */
 if(plen > PLEN_MAX)
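Review bot: In the renamed `if(enable_flow_stats) {` branch of get_ndpi_flow_info, both `ndpi_calloc` results are dereferenced on the very next line (`newflow->entropy->src2dst_pkt_len[newflow->entropy->src2dst_pkt_count] = l4_data_len;`) with no NULL check, and the `@@ -953` hunk below plus ndpi_clear_entropy_stats later in this file read `rflow->entropy->` and `flow->entropy->` under the same assumption. An allocation failure during flow creation therefore becomes a NULL dereference on the packet path; the rename keeps this exactly as it was. A check before the first dereference, releasing the sibling allocation and whatever the function has already set up for `newflow`, would close it; how this function reports allocation failure elsewhere is outside the hunk, so the exact cleanup path needs confirming. get_ndpi_flow_info starts and ends outside this hunk.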
@@ -1202,7 +1202,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
 }
 flow->ssh_tls.browser_heuristics = flow->ndpi_flow->protos.tls_quic.browser_heuristics;
-
+
 if(flow->ndpi_flow->protos.tls_quic.alpn) {
 if((flow->ssh_tls.tls_alpn = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.alpn)) != NULL)
 correct_csv_data_field(flow->ssh_tls.tls_alpn);
@@ -1210,7 +1210,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
 if(flow->ndpi_flow->protos.tls_quic.issuerDN)
 flow->ssh_tls.tls_issuerDN = strdup(flow->ndpi_flow->protos.tls_quic.issuerDN);
-
+
 if(flow->ndpi_flow->protos.tls_quic.subjectDN)
 flow->ssh_tls.tls_subjectDN = strdup(flow->ndpi_flow->protos.tls_quic.subjectDN);
@@ -1218,7 +1218,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
 flow->ssh_tls.encrypted_sni.esni = strdup(flow->ndpi_flow->protos.tls_quic.encrypted_sni.esni);
 flow->ssh_tls.encrypted_sni.cipher_suite = flow->ndpi_flow->protos.tls_quic.encrypted_sni.cipher_suite;
 }
-
+
 if(flow->ssh_tls.tls_supported_versions) {
 if((flow->ssh_tls.tls_supported_versions = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.tls_supported_versions)) != NULL)
 correct_csv_data_field(flow->ssh_tls.tls_supported_versions);
@@ -1246,14 +1246,14 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
 snprintf(flow->info, sizeof(flow->info), "ALPN: %s", flow->ndpi_flow->protos.tls_quic.alpn);
 }
-
+
 if(enable_doh_dot_detection) {
 /* For TLS we use TLS block lenght instead of payload lenght */
 ndpi_reset_bin(&flow->payload_len_bin);
-
+
 for(i=0; indpi_flow->l4.tcp.tls.num_tls_blocks; i++) {
 u_int16_t len = abs(flow->ndpi_flow->l4.tcp.tls.tls_application_blocks_len[i]);
-
+
 /* printf("[TLS_LEN] %u\n", len); */
 ndpi_inc_bin(&flow->payload_len_bin, plen2slot(len), 1);
 }
@@ -1280,7 +1280,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
 */
 static void ndpi_clear_entropy_stats(struct ndpi_flow_info *flow) {
- if(enable_joy_stats) {
+ if(enable_flow_stats) {
 if(flow->entropy->src2dst_pkt_count + flow->entropy->dst2src_pkt_count == max_num_packets_per_flow) {
 memcpy(flow->last_entropy, flow->entropy, sizeof(struct ndpi_entropy));
 memset(flow->entropy, 0x00, sizeof(struct ndpi_entropy));
@@ -1358,7 +1358,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
 struct ndpi_proto nproto = NDPI_PROTOCOL_NULL;
 if(workflow->prefs.ignore_vlanid)
- vlan_id = 0;
+ vlan_id = 0;
 if(iph)
 flow = get_ndpi_flow_info(workflow, IPVERSION, vlan_id,
@@ -1432,7 +1432,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
 if(payload_len && (flow->src2dst_packets < MAX_NUM_BIN_PKTS))
 ndpi_inc_bin(&flow->payload_len_bin_src2dst, plen2slot(payload_len));
 #endif
- } else {
+ } else {
 if(flow->dst2src_last_pkt_time.tv_sec && (!begin_or_end_tcp)) {
 ndpi_timer_sub(&when, &flow->dst2src_last_pkt_time, &tdiff);
@@ -1467,7 +1467,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
 payload, payload_len, workflow->stats.ip_packet_count);
- if(enable_joy_stats) {
+ if(enable_flow_stats) {
 /* Update BD, distribution and mean. */
 ndpi_flow_update_byte_count(flow, payload, payload_len, src_to_dst_direction);
 ndpi_flow_update_byte_dist_mean_var(flow, payload, payload_len, src_to_dst_direction);
@@ -1506,7 +1506,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
 memset(&flow->dst2src_last_pkt_time, '\0', sizeof(flow->dst2src_last_pkt_time));
 memset(&flow->flow_last_pkt_time, '\0', sizeof(flow->flow_last_pkt_time));
 }
-
+
 if((human_readeable_string_len != 0) && (!flow->has_human_readeable_strings)) {
 u_int8_t skip = 0;
@@ -1562,7 +1562,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
 flow->detected_protocol = ndpi_detection_process_packet(workflow->ndpi_struct, ndpi_flow, iph ? (uint8_t *)iph : (uint8_t *)iph6, ipsize, time_ms, src, dst);
-
+
 if(enough_packets || (flow->detected_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN)) {
 if((!enough_packets) && ndpi_extra_dissection_possible(workflow->ndpi_struct, ndpi_flow))
@@ -1600,9 +1600,9 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
 }
 }
 #endif
-
+
 *flow_risk = flow->risk;
-
+
 return(flow->detected_protocol);
 }
@@ -1686,7 +1686,7 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow,
 u_int8_t vlan_packet = 0;
 *flow_risk = 0 /* NDPI_NO_RISK */;
-
+
 /* Increment raw packet counter */
 workflow->stats.raw_packet_count++;
@@ -1946,7 +1946,7 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow,
 } else if(iph->version == 6) {
 if(header->caplen < ip_offset + sizeof(struct ndpi_ipv6hdr))
 return(nproto); /* Too short for IPv6 header*/
-
+
 iph6 = (struct ndpi_ipv6hdr *)&packet[ip_offset];
 proto = iph6->ip6_hdr.ip6_un1_nxt;
 ip_len = ntohs(iph6->ip6_hdr.ip6_un1_plen);
@@ -1983,7 +1983,7 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow,
 "\n\nWARNING: only IPv4/IPv6 packets are supported in this demo (nDPI supports both IPv4 and IPv6), all other packets will be discarded\n\n");
 ipv4_warning_used = 1;
 }
-
+
 workflow->stats.total_discarded_bytes += header->len;
 return(nproto);
 }