zabbix: improve detection #2055

Merged
merged 1 commit into from
Jul 21, 2023
Merged
2 changes: 1 addition & 1 deletion src/lib/ndpi_main.c
Expand Up @@ -1866,7 +1866,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_build_default_ports(ports_b, 5246, 5247, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_ZABBIX,
"Zabbix", NDPI_PROTOCOL_CATEGORY_NETWORK,
ndpi_build_default_ports(ports_a, 10050, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_a, 10050, 10051, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_S7COMM,
"s7comm", NDPI_PROTOCOL_CATEGORY_NETWORK,
7 changes: 3 additions & 4 deletions src/lib/protocols/zabbix.c
Expand Up @@ -37,13 +37,12 @@ static void ndpi_int_zabbix_add_connection(struct ndpi_detection_module_struct *
static void ndpi_search_zabbix(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
u_int8_t tomatch[] = { 'Z', 'B', 'X', 'D', 0x1 };
u_int8_t tomatch[] = { 'Z', 'B', 'X', 'D' };

NDPI_LOG_DBG(ndpi_struct, "search Zabbix\n");

if(packet &&
(packet->payload_packet_len > 4)
&& (memcmp(packet->payload, tomatch, 5) == 0))
if((packet->payload_packet_len >= 4)
&& (memcmp(packet->payload, tomatch, 4) == 0))
ndpi_int_zabbix_add_connection(ndpi_struct, flow);
else
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
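Review bot: The new condition (`memcmp(packet->payload, tomatch, 4)` against "ZBXD") now keys on four ASCII bytes alone, because the flags byte 0x1 that the old five-byte signature required is gone; any payload that happens to begin with "ZBXD" is classified as Zabbix, and a 4-byte payload satisfies the check with nothing else to confirm it. If the intent was to also accept messages whose flags carry the compression or large-packet bits, a narrower change keeps the fifth byte in the test but allows those bits, e.g. `if((packet->payload_packet_len >= 5) && (memcmp(packet->payload, tomatch, 4) == 0) && (packet->payload[4] & 0x01) && ((packet->payload[4] & 0xF8) == 0))` — this assumes the documented Zabbix header layout where flag bit 0 is always set and bits 3-7 are reserved, so confirm it against the protocol reference before relying on it. A comment on the signature such as `/* "ZBXD" header; byte 4 is the flags field (0x01 protocol, 0x02 compressed, 0x04 large packet) */` would record why the fifth byte matters for precision. The function's closing brace lies beyond the hunk.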
Binary file modified tests/cfgs/default/pcap/zabbix.pcap
35 changes: 29 additions & 6 deletions tests/cfgs/default/result/zabbix.pcap.out
@@ -1,8 +1,8 @@
Guessed flow protos: 0

DPI Packets (TCP): 4 (4.00 pkts/flow)
Confidence DPI : 1 (flows)
Num dissector calls: 1 (1.00 diss/flow)
DPI Packets (TCP): 96 (4.00 pkts/flow)
Confidence DPI : 24 (flows)
Num dissector calls: 24 (1.00 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/0/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
Expand All @@ -18,8 +18,31 @@ Automa risk mask: 0/0 (search/found)
Automa common alpns: 0/0 (search/found)
Patricia risk mask: 0/0 (search/found)
Patricia risk: 0/0 (search/found)
Patricia protocols: 2/0 (search/found)
Patricia protocols: 48/0 (search/found)

Zabbix 10 715 1
Zabbix 236 24571 24

1 TCP 192.168.67.98:57162 <-> 192.168.67.25:10050 [proto: 248/Zabbix][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][5 pkts/361 bytes <-> 5 pkts/354 bytes][Goodput ratio: 6/5][0.01 sec][bytes ratio: 0.010 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/1 1/2 4/4 2/2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 72/71 89/82 9/6][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
1 TCP 192.168.7.16:36699 <-> 192.168.7.17:10051 [proto: 248/Zabbix][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][5 pkts/429 bytes <-> 5 pkts/1083 bytes][Goodput ratio: 21/69][0.00 sec][bytes ratio: -0.433 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/1 2/2 1/1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 86/217 157/811 36/297][Plen Bins: 0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
2 TCP 192.168.7.16:60217 <-> 192.168.7.17:10051 [proto: 248/Zabbix][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][5 pkts/429 bytes <-> 5 pkts/1083 bytes][Goodput ratio: 21/69][0.00 sec][bytes ratio: -0.433 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/1 2/2 1/1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 86/217 157/811 36/297][Plen Bins: 0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
3 TCP 192.168.7.16:50639 <-> 192.168.7.17:10051 [proto: 248/Zabbix][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][5 pkts/669 bytes <-> 5 pkts/436 bytes][Goodput ratio: 49/22][0.00 sec][bytes ratio: 0.211 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 134/87 397/164 132/39][Plen Bins: 0,0,0,50,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
4 TCP 192.168.7.16:37781 <-> 192.168.7.17:10051 [proto: 248/Zabbix][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][6 pkts/661 bytes <-> 5 pkts/436 bytes][Goodput ratio: 39/22][0.00 sec][bytes ratio: 0.205 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 110/87 323/164 95/39][Plen Bins: 0,0,0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
5 TCP 192.168.7.16:58079 <-> 192.168.7.17:10051 [proto: 248/Zabbix][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][5 pkts/657 bytes <-> 5 pkts/436 bytes][Goodput ratio: 48/22][0.00 sec][bytes ratio: 0.202 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/1 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 131/87 385/164 127/39][Plen Bins: 0,0,0,50,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
6 TCP 192.168.7.16:48017 <-> 192.168.7.17:10051 [proto: 248/Zabbix][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][5 pkts/654 bytes <-> 5 pkts/435 bytes][Goodput ratio: 48/22][0.00 sec][bytes ratio: 0.201 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 131/87 382/163 126/38][Plen Bins: 0,0,0,50,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
7 TCP 192.168.7.16:43677 <-> 192.168.7.17:10051 [proto: 248/Zabbix][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][5 pkts/649 bytes <-> 5 pkts/436 bytes][Goodput ratio: 48/22][0.00 sec][bytes ratio: 0.196 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 130/87 377/164 124/39][Plen Bins: 0,0,0,50,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
8 TCP 192.168.7.16:35243 <-> 192.168.7.17:10051 [proto: 248/Zabbix][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][5 pkts/648 bytes <-> 5 pkts/436 bytes][Goodput ratio: 48/22][0.00 sec][bytes ratio: 0.196 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 130/87 376/164 123/39][Plen Bins: 0,0,0,50,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
9 TCP 192.168.7.16:35627 <-> 192.168.7.17:10051 [proto: 248/Zabbix][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][5 pkts/640 bytes <-> 5 pkts/435 bytes][Goodput ratio: 47/22][0.00 sec][bytes ratio: 0.191 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 128/87 368/163 120/38][Plen Bins: 0,0,0,50,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
10 TCP 192.168.7.16:36623 <-> 192.168.7.17:10051 [proto: 248/Zabbix][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][5 pkts/619 bytes <-> 5 pkts/435 bytes][Goodput ratio: 45/22][0.00 sec][bytes ratio: 0.175 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 124/87 347/163 112/38][Plen Bins: 0,0,0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
11 TCP 192.168.7.16:52901 <-> 192.168.7.17:10051 [proto: 248/Zabbix][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][5 pkts/619 bytes <-> 5 pkts/435 bytes][Goodput ratio: 45/22][0.00 sec][bytes ratio: 0.175 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 124/87 347/163 112/38][Plen Bins: 0,0,0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
12 TCP 192.168.7.16:43395 <-> 192.168.7.17:10051 [proto: 248/Zabbix][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][5 pkts/617 bytes <-> 5 pkts/436 bytes][Goodput ratio: 45/22][0.00 sec][bytes ratio: 0.172 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 123/87 345/164 111/39][Plen Bins: 0,0,0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
13 TCP 192.168.7.16:55759 <-> 192.168.7.17:10051 [proto: 248/Zabbix][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][6 pkts/616 bytes <-> 5 pkts/436 bytes][Goodput ratio: 34/22][0.00 sec][bytes ratio: 0.171 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/1 1/2 0/1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103/87 278/164 78/39][Plen Bins: 0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
14 TCP 192.168.7.16:41309 <-> 192.168.7.17:10051 [proto: 248/Zabbix][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][5 pkts/604 bytes <-> 5 pkts/436 bytes][Goodput ratio: 44/22][0.00 sec][bytes ratio: 0.162 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 121/87 332/164 106/39][Plen Bins: 0,0,0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
15 TCP 192.168.7.16:33661 <-> 192.168.7.17:10051 [proto: 248/Zabbix][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][5 pkts/594 bytes <-> 5 pkts/436 bytes][Goodput ratio: 43/22][0.00 sec][bytes ratio: 0.153 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 119/87 322/164 102/39][Plen Bins: 0,0,0,50,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
16 TCP 192.168.7.16:49215 <-> 192.168.7.17:10051 [proto: 248/Zabbix][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][5 pkts/593 bytes <-> 5 pkts/436 bytes][Goodput ratio: 43/22][0.00 sec][bytes ratio: 0.153 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 119/87 321/164 101/39][Plen Bins: 0,0,0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
17 TCP 192.168.7.16:36755 <-> 192.168.7.17:10051 [proto: 248/Zabbix][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][5 pkts/587 bytes <-> 5 pkts/436 bytes][Goodput ratio: 42/22][0.00 sec][bytes ratio: 0.148 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 117/87 315/164 99/39][Plen Bins: 0,0,0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
18 TCP 192.168.7.16:39595 <-> 192.168.7.17:10051 [proto: 248/Zabbix][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][5 pkts/581 bytes <-> 5 pkts/436 bytes][Goodput ratio: 42/22][0.00 sec][bytes ratio: 0.143 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 1/1 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 116/87 309/164 96/39][Plen Bins: 0,0,0,50,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
19 TCP 192.168.7.16:40553 <-> 192.168.7.17:10051 [proto: 248/Zabbix][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][5 pkts/551 bytes <-> 5 pkts/435 bytes][Goodput ratio: 39/22][0.00 sec][bytes ratio: 0.118 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 1/1 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 110/87 279/163 84/38][Plen Bins: 0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
20 TCP 192.168.7.16:36763 <-> 192.168.7.17:10051 [proto: 248/Zabbix][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][5 pkts/513 bytes <-> 5 pkts/436 bytes][Goodput ratio: 34/22][0.00 sec][bytes ratio: 0.081 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 103/87 241/164 69/39][Plen Bins: 0,0,0,50,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
21 TCP 192.168.67.98:57162 <-> 192.168.67.25:10050 [proto: 248/Zabbix][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][5 pkts/361 bytes <-> 5 pkts/354 bytes][Goodput ratio: 6/5][0.01 sec][bytes ratio: 0.010 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/1 1/2 4/4 2/2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 72/71 89/82 9/6][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
22 TCP 192.168.7.16:45197 <-> 192.168.7.17:10051 [proto: 248/Zabbix][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][5 pkts/433 bytes <-> 3 pkts/206 bytes][Goodput ratio: 22/0][0.00 sec][bytes ratio: 0.355 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 87/69 161/74 37/4][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
23 TCP 192.168.7.16:48677 <-> 192.168.7.17:10051 [proto: 248/Zabbix][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][5 pkts/433 bytes <-> 3 pkts/206 bytes][Goodput ratio: 22/0][0.00 sec][bytes ratio: 0.355 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 0/1 1/1 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 87/69 161/74 37/4][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
24 TCP 192.168.7.16:54089 <-> 192.168.7.17:10051 [proto: 248/Zabbix][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 4][cat: Network/14][5 pkts/433 bytes <-> 3 pkts/206 bytes][Goodput ratio: 22/0][0.00 sec][bytes ratio: 0.355 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 0/1 1/1 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 87/69 161/74 37/4][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]