Add a new flow risk about literal IP addresses used as SNI

RFC 6066 3: "Literal IPv4 and IPv6 addresses are not permitted in "HostName"." Don't set this risk if we have a valid sub-classification (example: via certificate) Since a similar risk already exists for HTTP hostnames, reuse it, with a more generic name.
ntop · Mar 2, 2023 · efddf33 · efddf33
1 parent 3047e28
commit efddf33
Show file tree

Hide file tree

Showing 29 changed files with 898 additions and 876 deletions.
diff --git a/doc/flow_risks.rst b/doc/flow_risks.rst
@@ -73,9 +73,9 @@ HTTP only: this risk is triggered whenever the user agent contains suspicious ch
 
 .. _Risk 012:
 
-NDPI_HTTP_NUMERIC_IP_HOST
+NDPI_NUMERIC_IP_HOST
 =========================
-HTTP only: this risk is triggered whenever we're accessing a host using its IP rather than its symbolic name. Example http://1.2.3.4.
+This risk is triggered whenever a HTTP/TLS/QUIC connection is using a literal IPv4 or IPv6 address as ServerName (TLS/QUIC; example: SNI=1.2.3.4) or as Hostname (HTTP; example: http://1.2.3.4.).
 
 .. _Risk 013:
 

diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
@@ -83,7 +83,7 @@ typedef enum {
   NDPI_TLS_CERTIFICATE_EXPIRED,
   NDPI_TLS_CERTIFICATE_MISMATCH, /* 10 */
   NDPI_HTTP_SUSPICIOUS_USER_AGENT,
-  NDPI_HTTP_NUMERIC_IP_HOST,
+  NDPI_NUMERIC_IP_HOST,
   NDPI_HTTP_SUSPICIOUS_URL,
   NDPI_HTTP_SUSPICIOUS_HEADER,
   NDPI_TLS_NOT_CARRYING_HTTPS,

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
@@ -142,7 +142,7 @@ static ndpi_risk_info ndpi_known_risks[] = {
   { NDPI_TLS_CERTIFICATE_EXPIRED,               NDPI_RISK_HIGH,   CLIENT_LOW_RISK_PERCENTAGE,  NDPI_SERVER_ACCOUNTABLE },
   { NDPI_TLS_CERTIFICATE_MISMATCH,              NDPI_RISK_HIGH,   CLIENT_FAIR_RISK_PERCENTAGE, NDPI_SERVER_ACCOUNTABLE },
   { NDPI_HTTP_SUSPICIOUS_USER_AGENT,            NDPI_RISK_HIGH,   CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
-  { NDPI_HTTP_NUMERIC_IP_HOST,                  NDPI_RISK_LOW,    CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
+  { NDPI_NUMERIC_IP_HOST,                       NDPI_RISK_LOW,    CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
   { NDPI_HTTP_SUSPICIOUS_URL,                   NDPI_RISK_HIGH,   CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
   { NDPI_HTTP_SUSPICIOUS_HEADER,                NDPI_RISK_HIGH,   CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
   { NDPI_TLS_NOT_CARRYING_HTTPS,                NDPI_RISK_LOW,    CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
@@ -2946,7 +2946,7 @@ static void ndpi_add_domain_risk_exceptions(struct ndpi_detection_module_struct
   const ndpi_risk risks_to_mask[] = {
     NDPI_SUSPICIOUS_DGA_DOMAIN,
     NDPI_BINARY_APPLICATION_TRANSFER,
-    NDPI_HTTP_NUMERIC_IP_HOST,
+    NDPI_NUMERIC_IP_HOST,
     NDPI_MALICIOUS_JA3,
     NDPI_NO_RISK /* End */
   };

diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
@@ -1928,8 +1928,8 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
   case NDPI_HTTP_SUSPICIOUS_USER_AGENT:
     return("HTTP Susp User-Agent");
 
-  case NDPI_HTTP_NUMERIC_IP_HOST:
-    return("HTTP Numeric IP");
+  case NDPI_NUMERIC_IP_HOST:
+    return("HTTP/TLS/QUIC Numeric Hostname/SNI");
 
   case NDPI_HTTP_SUSPICIOUS_URL:
     return("HTTP Susp URL");
@@ -2053,7 +2053,7 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
 
   case NDPI_TCP_ISSUES:
     return("TCP Connection Issues");
-    
+
   default:
     ndpi_snprintf(buf, sizeof(buf), "%d", (int)risk);
     return(buf);

diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
@@ -634,7 +634,7 @@ static void ndpi_check_numeric_ip(struct ndpi_detection_module_struct *ndpi_stru
     char str[64];
 
     snprintf(str, sizeof(str), "Found host %s", buf);
-    ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_NUMERIC_IP_HOST, str);
+    ndpi_set_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST, str);
   }
 }
 
@@ -916,7 +916,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
         strstr(flow->http.url, "download.windowsupdate.com/")) &&
        ndpi_strnstr((const char *)packet->user_agent_line.ptr, "Microsoft-Delivery-Optimization/",
                     packet->user_agent_line.len) &&
-       ndpi_isset_risk(ndpi_struct, flow, NDPI_HTTP_NUMERIC_IP_HOST)) {
+       ndpi_isset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST)) {
       ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WINDOWS_UPDATE, NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI);
     }
   }

diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
@@ -347,6 +347,7 @@ static void checkTLSSubprotocol(struct ndpi_detection_module_struct *ndpi_struct
 	ndpi_set_detected_protocol(ndpi_struct, flow, cached_proto, __get_master(ndpi_struct, flow), NDPI_CONFIDENCE_DPI_CACHE);
 	flow->category = ndpi_get_proto_category(ndpi_struct, ret);
 	ndpi_check_subprotocol_risk(ndpi_struct, flow, cached_proto);
+	ndpi_unset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST);
       }
     }
   }
@@ -682,8 +683,10 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
 		    }
 
 		    if(!flow->protos.tls_quic.subprotocol_detected)
-		      if(ndpi_match_hostname_protocol(ndpi_struct, flow, __get_master(ndpi_struct, flow), dNSName, dNSName_len))
+		      if(ndpi_match_hostname_protocol(ndpi_struct, flow, __get_master(ndpi_struct, flow), dNSName, dNSName_len)) {
 			flow->protos.tls_quic.subprotocol_detected = 1;
+		        ndpi_unset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST);
+		      }
 
 		    i += len;
 		  } else {
@@ -727,6 +730,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
 	ndpi_set_detected_protocol(ndpi_struct, flow, proto_id, __get_master(ndpi_struct, flow), NDPI_CONFIDENCE_DPI);
 	flow->category = ndpi_get_proto_category(ndpi_struct, ret);
 	ndpi_check_subprotocol_risk(ndpi_struct, flow, proto_id);
+	ndpi_unset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST);
 
 	if(ndpi_struct->tls_cert_cache) {
 	  u_int32_t key = make_tls_cert_key(packet, 0 /* from the server */);
@@ -1506,6 +1510,19 @@ static void checkExtensions(struct ndpi_detection_module_struct *ndpi_struct,
     }
 }
 
+/* **************************************** */
+
+static int check_sni_is_numeric_ip(char *sni) {
+  unsigned char buf[sizeof(struct in6_addr)];
+
+  if(inet_pton(AF_INET, sni, buf) == 1)
+    return 1;
+  if(inet_pton(AF_INET6, sni, buf) == 1)
+    return 1;
+  return 0;
+}
+
+
 /* **************************************** */
 
 int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
@@ -2050,6 +2067,11 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 		        flow->protos.tls_quic.subprotocol_detected = 1;
 		    }
 
+		    if(flow->protos.tls_quic.subprotocol_detected == 0 &&
+		       check_sni_is_numeric_ip(sni) == 1) {
+		      ndpi_set_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST, sni);
+		    }
+
 		    if(ndpi_check_dga_name(ndpi_struct, flow,
 					   sni, 1, 0)) {
 #ifdef DEBUG_TLS