vel21ripn / nDPI

Open Source Deep Packet Inspection Software Toolkit
http://www.ntop.org
GNU Lesser General Public License v3.0

All defined host protocols match risk id 27 (Risky Domain Name) #177

Closed netcons closed 11 months ago

netcons commented 11 months ago

Log flows:

iptables -I FORWARD -m ndpi -j NDPI --flow-info

Log Result:

cat /proc/net/xt_ndpi/flows > /var/log/flowinfo.log 
grep "R=27" /var/log/flowinfo.log

1700645966 1700646575 4 6 192.168.0.158 58717 162.125.21.3 443 42764 1947 17 31 I=3,2 SN=192.168.10.1,58717 P=Dropbox,TLS H=bolt.dropbox.com S=5b94af9bf6efc9dea416841602004fbb C=3fce0c7d883f10bd14e9bdb365a129cf V=TLSv1.2 R=27
1700645707 1700646599 4 6 192.168.0.106 58688 102.132.100.60 443 2567 3744 33 33 I=3,2 SN=192.168.10.1,58688 P=WhatsApp,TLS H=web.whatsapp.com S=f4febc55ea12b31ae17cfb7e614afda8 C=0dde32666c503bac3934c9b7d3a2c680 V=TLSv1.3 R=27
1700645168 1700646597 4 6 192.168.0.158 58693 170.114.52.83 443 2320 2320 58 58 I=3,2 SN=192.168.10.1,58693 P=Zoom,TLS H=us.telemetry.zoom.us S=907bf3ecef1c987c889946b737b43de8 C=53a97ab5c607f6bea8e1d0530990eff3 V=TLSv1.3 R=27
1700645107 1700646598 4 6 192.168.0.158 58682 170.114.52.3 443 2360 2360 59 59 I=3,2 SN=192.168.10.1,58682 P=Zoom,TLS H=us02web.zoom.us S=907bf3ecef1c987c889946b737b43de8 C=53a97ab5c607f6bea8e1d0530990eff3 V=TLSv1.3 R=27
1700645043 1700646596 4 6 192.168.0.177 57383 170.114.52.3 443 2320 2320 58 58 I=3,2 SN=192.168.10.1,57383 P=Zoom,TLS H=us02web.zoom.us S=907bf3ecef1c987c889946b737b43de8 C=53a97ab5c607f6bea8e1d0530990eff3 V=TLSv1.3 R=27
1700645040 1700646598 4 6 192.168.0.177 57376 170.114.52.3 443 2360 2360 59 59 I=3,2 SN=192.168.10.1,57376 P=Zoom,TLS H=us02www3.zoom.us S=907bf3ecef1c987c889946b737b43de8 C=53a97ab5c607f6bea8e1d0530990eff3 V=TLSv1.3 R=27
1700644493 1700646587 4 6 192.168.0.106 58485 13.107.42.14 443 36842 10407 85 69 I=3,2 SN=192.168.10.1,58485 P=LinkedIn,TLS H=www.linkedin.com S=a66ea560599a2f5c89eec8c3a0d69cee C=6cee916d77cc1849b43ae221569f7561 F=dd640d6c031daaa968f2fb0c027a523427c9fdd9 V=TLSv1.2 R=27
1700642494 1700646587 4 6 192.168.0.158 58398 102.132.100.60 443 5447 23813 55 72 I=3,2 SN=192.168.10.1,58398 P=WhatsApp,TLS H=web.whatsapp.com S=fcb2d4d0991292272fcb1e464eedfd43 C=c8b6cf4474ee48495b420ce857617dd6 V=TLSv1.3 R=27
1700642242 1700646587 4 6 192.168.0.177 57175 170.114.14.71 443 345 213 6 3 I=3,2 SN=192.168.10.1,57175 P=Zoom,TLS H=us02zpns.zoom.us S=5311d65cbc4513b3a931887511930625 C=53a97ab5c607f6bea8e1d0530990eff3 F=149f5d9e0849ba0e12a48f90bd0fd60c2a6dd153 V=TLSv1.2 R=27
vel21ripn commented 11 months ago

I can only analyze this issue after I successfully update to commit bdb73db1a49d271bfb958eaabcce489013d84f3c. Commit b08c787fe267053afdea82701071f3878c09244b contains too many changes.

netcons commented 11 months ago

Thank you.

vel21ripn commented 11 months ago

It looks like there is such a problem. I have half of the records with a host name marked risk 27.

vel21ripn commented 11 months ago

I found and corrected several errors related to the determination of risky domain certificate hashes and the ja3 hash. Try updating to commit 4e0fd2cfcdd2758c9d0e89203f57d90659b6f590

netcons commented 11 months ago

Thank you, it seems to be matching Microsoft-related domains at the moment.

Log Result:

cat /proc/net/xt_ndpi/flows > /var/log/flowinfo.log 
grep "R=27" /var/log/flowinfo.log

1702280395 1702280396 4 6 192.168.2.3 53293 13.107.213.55 443 553 6282 6 7 I=2,3 SN=192.168.10.1,53293 P=Azure,TLS H=edge-mobile-static.azureedge.net C=4f2d63c6a35e03e0917bcb5c7d1d6540 V=TLSv1.2 R=27
1702280388 1702280392 4 6 192.168.2.3 53274 13.107.42.16 443 2292 20893 16 19 I=2,3 SN=192.168.10.1,53274 P=Skype_Teams,TLS H=config.edge.skype.com C=c2a302941bd296cf34894fd4821cea43 V=TLSv1.2 R=27
1702280625 1702280687 4 6 192.168.2.3 53381 204.79.197.203 443 2509 18429 20 21 I=2,3 SN=192.168.10.1,53381 P=Microsoft,TLS H=api.msn.com C=28a2c9bd18a11de089ef85a160da29e4 V=TLSv1.2 R=27
1702280625 1702280647 4 6 192.168.2.3 53380 204.79.197.200 443 2394 8757 15 12 I=2,3 SN=192.168.10.1,53380 P=Microsoft,TLS H=g.bing.com S=a66ea560599a2f5c89eec8c3a0d69cee C=28a2c9bd18a11de089ef85a160da29e4 F=a5ec341fabb36971548869ba64cce29b32b665cd V=TLSv1.2 R=27
1702280620 1702280681 4 6 192.168.2.3 53361 20.199.58.43 443 2522 7287 15 10 I=2,3 SN=192.168.10.1,53361 P=Microsoft,TLS H=fd.api.iris.microsoft.com S=67bfe5d15ae567fb35fd7837f0116eec C=28a2c9bd18a11de089ef85a160da29e4 F=e3b9a18ee84960da301cb8e8fcc92bb3e64146a5 V=TLSv1.2 R=27
1702281669 1702281778 4 6 192.168.2.3 53615 192.229.221.95 80 569 909 6 4 I=2,3 SN=192.168.10.1,53615 P=OCSP,HTTP H=ocsp.digicert.com R=27
1702284055 1702284165 4 6 192.168.2.3 54052 2.16.162.136 80 33316 9600358 649 1189 I=2,3 SN=192.168.10.1,54052 P=WindowsUpdate,HTTP H=msedge.b.tlu.dl.delivery.mp.microsoft.com R=27
1702285341 1702285401 4 6 192.168.2.3 54214 165.165.47.35 80 534 443 6 4 I=2,3 SN=192.168.10.1,54214 P=WindowsUpdate,HTTP H=ctldl.windowsupdate.com R=27
1702285272 1702285441 4 6 192.168.2.3 54187 2.16.141.60 443 3818 163958 46 53 I=2,3 SN=192.168.10.1,54187 P=Microsoft,TLS H=oneclient.sfx.ms S=19e4a55cecd087d9ebf88da03db13a0f C=28a2c9bd18a11de089ef85a160da29e4 F=fa0c18fd5ab3c3988928f6a45c5927fe190e5d43 V=TLSv1.2 R=27
1702286980 1702286980 4 6 192.168.2.3 54460 165.165.47.27 80 458 398 4 3 I=2,3 SN=192.168.10.1,54460 P=WindowsUpdate,HTTP H=ctldl.windowsupdate.com R=27
1702289532 1702289638 4 6 192.168.2.3 54733 20.54.24.79 443 1877 3473 14 9 I=2,3 SN=192.168.10.1,54733 P=WindowsUpdate,TLS H=array611.prod.do.dsp.mp.microsoft.com S=a02d7ceb8c8cbb4da2e6007f5a1c91e4 C=28a2c9bd18a11de089ef85a160da29e4 F=b3a86b806c43b6e2fc49842b73e7387d0b67bd52 V=TLSv1.2 R=27
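
The two flow dumps above are easier to triage with a small parser than with `grep "R=27"`, because the question in this issue is not "which flows carry risk 27" but "does every flow that has a host name carry it". The script below is an added example, not code from the nDPI project or from either participant: it parses the `/proc/net/xt_ndpi/flows` line format as it appears in the reports (twelve positional columns, then `KEY=VALUE` tokens such as `P=`, `H=`, `R=`) and reports whether the flagged set is simply "all flows with an `H=` field", which is the symptom described here. Column names for the four trailing counters and the assumption that `R=` may hold a comma-separated list of risk ids are mine, not documented behaviour; the sample input reuses two lines from the reports above plus one constructed DNS line without a host name.

```python
"""Summarize risk flags in xt_ndpi flow-info output.

Added example, not part of nDPI. Field layout is inferred from the lines
posted in this issue: twelve positional columns, then KEY=VALUE tokens.
"""
from collections import Counter
from typing import Dict, List, Set

# Positional column names are assumptions; the last four are the two byte
# and two packet counters in whatever per-direction order the module uses.
POSITIONAL = ("start", "last", "ipver", "proto", "src", "sport",
              "dst", "dport", "cnt1", "cnt2", "cnt3", "cnt4")

# Two lines copied from the reports above, plus one constructed DNS flow
# (no H= and no R=) so the sample contains a flow that is not flagged.
SAMPLE_SUSPECT = """\
1700645966 1700646575 4 6 192.168.0.158 58717 162.125.21.3 443 42764 1947 17 31 I=3,2 SN=192.168.10.1,58717 P=Dropbox,TLS H=bolt.dropbox.com S=5b94af9bf6efc9dea416841602004fbb C=3fce0c7d883f10bd14e9bdb365a129cf V=TLSv1.2 R=27
1702281669 1702281778 4 6 192.168.2.3 53615 192.229.221.95 80 569 909 6 4 I=2,3 SN=192.168.10.1,53615 P=OCSP,HTTP H=ocsp.digicert.com R=27
1702280000 1702280010 4 17 192.168.2.3 51000 192.168.10.1 53 120 240 2 2 I=2,3 P=DNS
"""

# Constructed: same flows, but only one of the two host-bearing flows is
# flagged, which is what a healthy risk evaluation would look like.
SAMPLE_OK = SAMPLE_SUSPECT.replace("H=ocsp.digicert.com R=27", "H=ocsp.digicert.com")


def parse_flow(line: str) -> Dict[str, str]:
    """Split one flow-info line into positional fields plus KEY=VALUE tokens."""
    toks = line.split()
    if len(toks) < len(POSITIONAL):
        raise ValueError(f"short flow line: {line!r}")
    rec = dict(zip(POSITIONAL, toks[:len(POSITIONAL)]))
    for tok in toks[len(POSITIONAL):]:
        key, sep, val = tok.partition("=")
        if not sep:
            raise ValueError(f"unexpected token {tok!r} in {line!r}")
        rec[key] = val
    return rec


def risk_ids(rec: Dict[str, str]) -> Set[str]:
    """Risk ids of a flow; assumes R= may carry a comma-separated list."""
    return {r for r in rec.get("R", "").split(",") if r}


def risk_summary(text: str, risk_id: str = "27") -> dict:
    """Count flows carrying risk_id and check whether that set is exactly
    the set of flows that have a host name (the symptom in this issue)."""
    flows: List[Dict[str, str]] = [parse_flow(l) for l in text.splitlines() if l.strip()]
    with_host = [f for f in flows if "H" in f]
    flagged = [f for f in flows if risk_id in risk_ids(f)]
    flagged_with_host = [f for f in flagged if "H" in f]
    return {
        "flows": len(flows),
        "with_host": len(with_host),
        "flagged": len(flagged),
        "flagged_hosts": sorted({f["H"] for f in flagged_with_host}),
        "by_proto": Counter(f.get("P", "?") for f in flagged),
        # True when every host-bearing flow is flagged: risk 27 is then
        # tracking "has a host name", not "host name is risky".
        "all_hosts_flagged": bool(with_host) and len(flagged_with_host) == len(with_host),
    }


if __name__ == "__main__":
    for name, sample in (("suspect", SAMPLE_SUSPECT), ("ok", SAMPLE_OK)):
        s = risk_summary(sample)
        print(f"{name}: {s['flagged']}/{s['with_host']} host-bearing flows flagged, "
              f"all_hosts_flagged={s['all_hosts_flagged']}, hosts={s['flagged_hosts']}")
```

On a live box, replace the embedded sample with `open("/var/log/flowinfo.log").read()` after the `cat` shown above; an `all_hosts_flagged` of `True` across a large dump is the signal that the risk is being applied unconditionally rather than from the risky-domain list.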
vel21ripn commented 11 months ago

I repeated the experiment and found RISK=27 even though it is not configured :(

netcons commented 11 months ago

No more R=27 in flowinfo log on latest commit.