Fixed syslog false positives. (#1577)

* syslog: removed unnecessary/unreliable printable string check
 * added `ndpi_isalnum()`
 * splitted `ndpi_is_printable_string()` into `ndpi_is_printable_buffer()` and `ndpi_normalize_printable_string()`

Signed-off-by: lns <[email protected]>

Author: utoni

src/include/ndpi_main.h

@@ -151,7 +151,8 @@ extern "C" {
 		     char *risk_message);
   int ndpi_isset_risk(struct ndpi_detection_module_struct *ndpi_str,
 		      struct ndpi_flow_struct *flow, ndpi_risk_enum r);
-  int ndpi_is_printable_string(char * const str, size_t len);
+  int ndpi_is_printable_buffer(uint8_t const * const buf, size_t len);
+  int ndpi_normalize_printable_string(char * const str, size_t len);
   int ndpi_is_valid_hostname(char * const str, size_t len);
 #define NDPI_ENTROPY_ENCRYPTED_OR_RANDOM(entropy) (entropy > 7.0f)
   float ndpi_entropy(u_int8_t const * const buf, size_t len);

src/include/ndpi_utils.h

@@ -25,6 +25,7 @@ extern u_int8_t ndpi_ends_with(char *str, char *ends);
 
 #define ndpi_isalpha(ch) (((ch) >= 'a' && (ch) <= 'z') || ((ch) >= 'A' && (ch) <= 'Z'))
 #define ndpi_isdigit(ch) ((ch) >= '0' && (ch) <= '9')
+#define ndpi_isalnum(ch) (ndpi_isalpha(ch) != 0 || ndpi_isdigit(ch) != 0)
 #define ndpi_isspace(ch) (((ch) >= '\t' && (ch) <= '\r') || ((ch) == ' '))
 #define ndpi_isprint(ch) ((ch) >= 0x20 && (ch) <= 0x7e)
 #define ndpi_ispunct(ch) (((ch) >= '!' && (ch) <= '/') ||   \

src/lib/ndpi_utils.c

@@ -755,8 +755,8 @@ static int _ndpi_is_valid_char(char c) {
   if(ispunct(c) && (!ndpi_is_other_char(c)))
     return(0);
   else
-    return(isdigit(c)
-	   || isalpha(c)
+    return(ndpi_isdigit(c)
+	   || ndpi_isalpha(c)
 	   || ndpi_is_other_char(c));
 }
 static char ndpi_is_valid_char_tbl[256],ndpi_is_valid_char_tbl_init=0;
@@ -2274,7 +2274,22 @@ int ndpi_isset_risk(struct ndpi_detection_module_struct *ndpi_str,
 
 /* ******************************************************************** */
 
-int ndpi_is_printable_string(char * const str, size_t len) {
+int ndpi_is_printable_buffer(uint8_t const * const buf, size_t len) {
+  int retval = 1;
+  size_t i;
+
+  for(i = 0; i < len; ++i) {
+    if(ndpi_isprint(buf[i]) == 0) {
+      retval = 0;
+    }
+  }
+
+  return retval;
+}
+
+/* ******************************************************************** */
+
+int ndpi_normalize_printable_string(char * const str, size_t len) {
   int retval = 1;
   size_t i;
 

src/lib/protocols/syslog.c

@@ -38,13 +38,11 @@ void ndpi_search_syslog(struct ndpi_detection_module_struct
 			*ndpi_struct, struct ndpi_flow_struct *flow)
 {
   struct ndpi_packet_struct *packet = &ndpi_struct->packet;
-  u_int8_t i;
+  u_int16_t i;
 
   NDPI_LOG_DBG(ndpi_struct, "search syslog\n");
 
   if (packet->payload_packet_len > 20 && packet->payload[0] == '<') {
-    int j;
-
     NDPI_LOG_DBG2(ndpi_struct, "checked len>20 and <1024 and first symbol=<\n");
 
     for (i = 1; i <= 3; i++) {
@@ -70,18 +68,31 @@ void ndpi_search_syslog(struct ndpi_detection_module_struct
       NDPI_LOG_DBG2(ndpi_struct, "no blank following the >: do nothing\n");
     }
 
-    /* Even if there are 2 RFCs (3164, 5424), syslog format after "<NUMBER>" is
-       not standard. The only common pattern seems to be that the entire
-       payload is made by printable characters */
-    /* TODO: check only the first N bytes to avoid touching the entire payload? */
-    for (j = 0; j < packet->payload_packet_len - i; j++) {
-      if (!(ndpi_isprint(packet->payload[i + j]) ||
-            ndpi_isspace(packet->payload[i + j]))) {
-        NDPI_LOG_DBG2(ndpi_struct, "no printable char 0x%x [i/j %d/%d]\n",
-                      packet->payload[i + j], i, j);
-        NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
-        return;
-      }
+    while (i < packet->payload_packet_len)
+    {
+        if (ndpi_isalnum(packet->payload[i]) == 0)
+        {
+            if (packet->payload[i] == ' ' || packet->payload[i] == ':' ||
+                packet->payload[i] == '=')
+            {
+                break;
+            }
+            NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+            return;
+        }
+
+        i++;
+    }
+
+    if (packet->payload[i] == ':')
+    {
+        i++;
+        if (i >= packet->payload_packet_len ||
+            packet->payload[i] != ' ')
+        {
+            NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+            return;
+        }
     }
 
     NDPI_LOG_INFO(ndpi_struct, "found syslog\n");

src/lib/protocols/tls.c

@@ -260,7 +260,7 @@ static int extractRDNSequence(struct ndpi_packet_struct *packet,
   buffer[len] = '\0';
 
   // check string is printable
-  is_printable = ndpi_is_printable_string(buffer, len);
+  is_printable = ndpi_normalize_printable_string(buffer, len);
 
   if(is_printable) {
     int rc = ndpi_snprintf(&rdnSeqBuf[*rdnSeqBuf_offset],
@@ -394,7 +394,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
 
 	if(rdn_len && (flow->protos.tls_quic.issuerDN == NULL)) {
 	  flow->protos.tls_quic.issuerDN = ndpi_strdup(rdnSeqBuf);
-	  if(ndpi_is_printable_string(rdnSeqBuf, rdn_len) == 0) {
+	  if(ndpi_normalize_printable_string(rdnSeqBuf, rdn_len) == 0) {
 	    char str[64];
 
 	    snprintf(str, sizeof(str), "Invalid issuerDN %s", flow->protos.tls_quic.issuerDN);
@@ -587,7 +587,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
 		      We cannot use ndpi_is_valid_hostname() as we can have wildcards
 		      here that will create false positives
 		    */
-		    if(ndpi_is_printable_string(dNSName, dNSName_len) == 0) {
+		    if(ndpi_normalize_printable_string(dNSName, dNSName_len) == 0) {
 		      ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, dNSName);
 
 		      /* This looks like an attack */
@@ -1531,7 +1531,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
 #ifdef DEBUG_TLS
 	  printf("Server TLS [ALPN: %s][len: %u]\n", alpn_str, alpn_str_len);
 #endif
-	  if(ndpi_is_printable_string(alpn_str, alpn_str_len) == 0)
+	  if(ndpi_normalize_printable_string(alpn_str, alpn_str_len) == 0)
 	    ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, alpn_str);
 
 	  if(flow->protos.tls_quic.alpn == NULL)

tests/pcap/syslog.pcap

@@ -0,0 +1,25 @@
+Guessed flow protos:	0
+
+DPI Packets (UDP):	18	(1.00 pkts/flow)
+Confidence DPI              : 18 (flows)
+
+Syslog	62	17124	18
+
+	1	UDP [2001:470:6c:a1::2]:38159 -> [2001:470:765b::b15:22]:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][6 pkts/2994 bytes -> 0 pkts/0 bytes][Goodput ratio: 84/0][12.00 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 15/0 2400/0 7985/0 3185/0][Pkt Len c2s/s2c min/avg/max/stddev: 480/0 499/0 537/0 27/0][PLAIN TEXT ( NetScreen device)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,66,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	2	UDP 172.20.51.54:514 -> 172.31.110.40:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][15 pkts/2925 bytes -> 0 pkts/0 bytes][Goodput ratio: 78/0][22.45 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 8/0 1495/0 5398/0 2274/0][Pkt Len c2s/s2c min/avg/max/stddev: 150/0 195/0 234/0 34/0][PLAIN TEXT (854 08/20/2013)][Plen Bins: 0,0,0,20,40,0,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	3	UDP 195.120.165.134:514 -> 83.235.169.221:11000 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][4 pkts/1954 bytes -> 0 pkts/0 bytes][Goodput ratio: 90/0][1.03 sec][PLAIN TEXT (1 2022)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,50,0,25,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	4	UDP 10.94.80.60:39438 -> 10.94.150.22:514 [VLAN: 2005][proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][1 pkts/1316 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][< 1 sec][PLAIN TEXT (Mar  9 04)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0]
+	5	UDP 192.168.126.102:57166 -> 172.19.177.230:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][4 pkts/1157 bytes -> 0 pkts/0 bytes][Goodput ratio: 85/0][26.59 sec][PLAIN TEXT (syslog@9 s)][Plen Bins: 0,0,0,0,0,0,0,75,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	6	UDP 10.22.179.215:57166 -> 172.26.54.76:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][5 pkts/852 bytes -> 0 pkts/0 bytes][Goodput ratio: 75/0][35.05 sec][PLAIN TEXT (syslog@9 s)][Plen Bins: 0,0,0,40,60,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	7	UDP 10.11.105.154:20627 -> 10.6.15.11:514 [VLAN: 408][proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][1 pkts/761 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][< 1 sec][PLAIN TEXT (09 time)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	8	UDP 10.94.232.21:57374 -> 10.94.150.21:514 [VLAN: 2005][proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][5 pkts/740 bytes -> 0 pkts/0 bytes][Goodput ratio: 69/0][0.00 sec][PLAIN TEXT (Mar  9 04)][Plen Bins: 0,0,40,60,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	9	UDP 10.224.43.149:57166 -> 172.23.243.89:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][3 pkts/736 bytes -> 0 pkts/0 bytes][Goodput ratio: 83/0][5.49 sec][PLAIN TEXT (facility)][Plen Bins: 0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	10	UDP 95.136.242.54:514 -> 93.20.126.110:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][1 pkts/703 bytes -> 0 pkts/0 bytes][Goodput ratio: 93/0][< 1 sec][PLAIN TEXT (Jan 01 00)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	11	UDP 192.168.121.10:50080 -> 192.168.120.10:514 [VLAN: 121][proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][4 pkts/630 bytes -> 0 pkts/0 bytes][Goodput ratio: 71/0][150.90 sec][PLAIN TEXT ( Mar  3 19)][Plen Bins: 0,0,25,75,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	12	UDP 192.168.45.162:57166 -> 10.208.120.95:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][2 pkts/499 bytes -> 0 pkts/0 bytes][Goodput ratio: 83/0][0.99 sec][PLAIN TEXT (facility)][Plen Bins: 0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	13	UDP 192.168.121.2:50352 -> 192.168.120.10:514 [VLAN: 121][proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][2 pkts/385 bytes -> 0 pkts/0 bytes][Goodput ratio: 76/0][0.00 sec][PLAIN TEXT ( Mar  3 20)][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	14	UDP 95.136.242.54:514 -> 93.20.126.48:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][1 pkts/379 bytes -> 0 pkts/0 bytes][Goodput ratio: 87/0][< 1 sec][PLAIN TEXT (Jan 01 00)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	15	UDP 192.168.67.241:62679 -> 10.193.53.6:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][2 pkts/292 bytes -> 0 pkts/0 bytes][Goodput ratio: 71/0][< 1 sec][PLAIN TEXT (Sep 22 13)][Plen Bins: 0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	16	UDP 172.21.251.36:62679 -> 172.19.196.11:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][2 pkts/284 bytes -> 0 pkts/0 bytes][Goodput ratio: 70/0][0.99 sec][PLAIN TEXT (Sep 22 13)][Plen Bins: 0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	17	UDP 192.168.72.140:62679 -> 192.168.178.148:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][2 pkts/281 bytes -> 0 pkts/0 bytes][Goodput ratio: 70/0][1.04 sec][PLAIN TEXT (Sep 22 13)][Plen Bins: 0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	18	UDP 10.251.23.139:59194 -> 62.39.3.142:514 [proto: 17/Syslog][ClearText][Confidence: DPI][cat: System/18][2 pkts/236 bytes -> 0 pkts/0 bytes][Goodput ratio: 64/0][48.30 sec][PLAIN TEXT (Jan  2 10)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]