authorToni <matzeton@googlemail.com>2022-06-18 17:19:16 +0200
committerGitHub <noreply@github.com>2022-06-18 17:19:16 +0200
commitc287eb835b537ce64d9293a52ca13e670b6d3b0d (patch)
tree733bf6222431bc8a9acd5fac6a72d47ef9420dab
parent6cd8f8cc6dded6e872f8befaf63c18266d5bcabc (diff)
Improved SOAP via HTTP. (#1605)
Signed-off-by: lns <matzeton@googlemail.com>
-rw-r--r--src/lib/ndpi_main.c2
-rw-r--r--src/lib/protocols/soap.c28
-rw-r--r--tests/pcap/soap.pcapbin0 -> 11292 bytes
-rw-r--r--tests/result/ndpi_match_string_subprotocol__error.pcapng.out4
-rw-r--r--tests/result/soap.pcap.out11
5 files changed, 41 insertions, 4 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 182ad45e5..f22887d6a 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -991,7 +991,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_build_default_ports(ports_a, 80, 0 /* ntop */, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_subprotocols(ndpi_str, NDPI_PROTOCOL_HTTP,
- NDPI_PROTOCOL_AIMINI, NDPI_PROTOCOL_CROSSFIRE,
+ NDPI_PROTOCOL_AIMINI, NDPI_PROTOCOL_CROSSFIRE, NDPI_PROTOCOL_SOAP,
NDPI_PROTOCOL_BITTORRENT, NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK, NDPI_PROTOCOL_GNUTELLA,
NDPI_PROTOCOL_MAPLESTORY, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_WORLDOFWARCRAFT,
NDPI_PROTOCOL_THUNDER, NDPI_PROTOCOL_IRC,
diff --git a/src/lib/protocols/soap.c b/src/lib/protocols/soap.c
index da8d10fef..8ba885974 100644
--- a/src/lib/protocols/soap.c
+++ b/src/lib/protocols/soap.c
@@ -27,7 +27,14 @@
static void ndpi_int_soap_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow)
{
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOAP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ if (flow->guessed_host_protocol_id == NDPI_PROTOCOL_HTTP)
+ {
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOAP, NDPI_PROTOCOL_HTTP,
+ NDPI_CONFIDENCE_DPI);
+ } else {
+ ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id, NDPI_PROTOCOL_SOAP,
+ NDPI_CONFIDENCE_DPI);
+ }
}
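Review bot: The `else` branch reports `flow->guessed_host_protocol_id` as the application protocol at `NDPI_CONFIDENCE_DPI`, although that field is by name a host-based guess the SOAP dissector has not itself verified — only the SOAP half of the pair was actually matched (the test output shows `SOAP.Microsoft` derived from the `go.microsoft.com` hostname). Whether promoting such a guess to DPI confidence is intended depends on nDPI conventions not visible here, but it deserves a comment, since the two branches also swap the argument order and a reader cannot tell why without it. I would add above the `if`: `/* Over HTTP the pair is HTTP.SOAP (HTTP master, SOAP app); otherwise SOAP is the master and any host-based guess (e.g. Microsoft) is kept as the app. */`. If the guess should not inherit DPI confidence, the `else` branch could pass `NDPI_PROTOCOL_UNKNOWN` as the upper protocol when the guess is not backed by a dissector, but that is a policy call for the maintainers.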
void ndpi_search_soap(struct ndpi_detection_module_struct *ndpi_struct,
@@ -37,6 +44,25 @@ void ndpi_search_soap(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_LOG_DBG(ndpi_struct, "search soap\n");
+ if (packet->parsed_lines == 0)
+ {
+ ndpi_parse_packet_line_info(ndpi_struct, flow);
+ }
+
+ if (packet->parsed_lines > 0)
+ {
+ size_t i;
+
+ for (i = 0; i < packet->parsed_lines && packet->line[i].len > 0; ++i)
+ {
+ if (LINE_STARTS(packet->line[i], "SOAPAction") != 0)
+ {
+ ndpi_int_soap_add_connection(ndpi_struct, flow);
+ return;
+ }
+ }
+ }
+
if (flow->packet_counter > 3)
{
if (flow->l4.tcp.soap_stage == 1)
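Review bot: The header match `if (LINE_STARTS(packet->line[i], "SOAPAction") != 0)` appears to be a case-sensitive prefix compare, but HTTP field names are case-insensitive (RFC 7230 §3.2), so a client emitting `soapaction:` or `SOAPACTION:` would be missed and the flow would fall back to the stage-based heuristics below; conversely the pattern omits the `:` so any line merely beginning with `SOAPAction` matches. I would match the full field name with a case-insensitive compare, e.g. `if (packet->line[i].len >= 11 && strncasecmp((const char *)packet->line[i].ptr, "SOAPAction:", 11) == 0)`, assuming `line[i].ptr`/`len` have the layout LINE_STARTS uses. Note also that `ndpi_parse_packet_line_info()` is now invoked for every packet of every flow reaching this dissector whenever `parsed_lines == 0`, including non-HTTP payloads, which is a cost and should be stated in a comment such as `/* Parse header lines ourselves: the HTTP dissector may not have run yet on this packet. */`. `ndpi_search_soap` continues past the end of this hunk, so the interaction with the existing `soap_stage` logic is only partly visible.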
diff --git a/tests/pcap/soap.pcap b/tests/pcap/soap.pcap
new file mode 100644
index 000000000..0eeb84285
--- /dev/null
+++ b/tests/pcap/soap.pcap
Binary files differ
diff --git a/tests/result/ndpi_match_string_subprotocol__error.pcapng.out b/tests/result/ndpi_match_string_subprotocol__error.pcapng.out
index c6852dceb..423101c47 100644
--- a/tests/result/ndpi_match_string_subprotocol__error.pcapng.out
+++ b/tests/result/ndpi_match_string_subprotocol__error.pcapng.out
@@ -3,6 +3,6 @@ Guessed flow protos: 0
DPI Packets (TCP): 3 (3.00 pkts/flow)
Confidence DPI : 1 (flows)
-HTTP 13 2935 1
+SOAP 13 2935 1
- 1 TCP 10.3.9.19:40632 <-> 10.68.137.118:8091 [proto: 7/HTTP][ClearText][Confidence: DPI][cat: Web/5][7 pkts/1546 bytes <-> 6 pkts/1389 bytes][Goodput ratio: 73/76][3438.13 sec][Hostname/SNI: 10.68.137.118][bytes ratio: 0.053 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 7/29 687620/24940 3382709/49851 1347715/24911][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 221/232 1180/739 392/263][URL: 10.68.137.118:8091/Apcn/ApcRemoteService][StatusCode: 200][User-Agent: Jakarta Commons-HttpClient/3.0.1][Risk: ** Known Proto on Non Std Port **** HTTP Numeric IP Address **][Risk Score: 60][Risk Info: Found host 10.68.137.118][PLAIN TEXT (POST /Apcn/ApcRemoteService HTT)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0]
+ 1 TCP 10.3.9.19:40632 <-> 10.68.137.118:8091 [proto: 7.253/HTTP.SOAP][ClearText][Confidence: DPI][cat: RPC/16][7 pkts/1546 bytes <-> 6 pkts/1389 bytes][Goodput ratio: 73/76][3438.13 sec][Hostname/SNI: 10.68.137.118][bytes ratio: 0.053 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 7/29 687620/24940 3382709/49851 1347715/24911][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 221/232 1180/739 392/263][URL: 10.68.137.118:8091/Apcn/ApcRemoteService][StatusCode: 200][User-Agent: Jakarta Commons-HttpClient/3.0.1][Risk: ** Known Proto on Non Std Port **** HTTP Numeric IP Address **][Risk Score: 60][Risk Info: Found host 10.68.137.118][PLAIN TEXT (POST /Apcn/ApcRemoteService HTT)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/soap.pcap.out b/tests/result/soap.pcap.out
new file mode 100644
index 000000000..ab1528d7d
--- /dev/null
+++ b/tests/result/soap.pcap.out
@@ -0,0 +1,11 @@
+Guessed flow protos: 0
+
+DPI Packets (TCP): 11 (3.67 pkts/flow)
+Confidence DPI : 3 (flows)
+
+Microsoft 1 1506 1
+SOAP 19 9442 2
+
+ 1 TCP 192.168.2.100:50100 <-> 23.2.213.165:80 [proto: 253/SOAP][ClearText][Confidence: DPI][cat: RPC/16][7 pkts/4746 bytes <-> 7 pkts/752 bytes][Goodput ratio: 92/39][5.01 sec][bytes ratio: 0.726 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 989/1236 2486/2486 1098/1096][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 678/107 1506/362 717/104][PLAIN TEXT (POST /fwlink/)][Plen Bins: 0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,75,0,0]
+ 2 TCP 185.32.192.30:80 <-> 85.154.114.113:56028 [VLAN: 808][proto: 253/SOAP][ClearText][Confidence: DPI][cat: RPC/16][3 pkts/2487 bytes <-> 2 pkts/1457 bytes][Goodput ratio: 92/92][0.34 sec][PLAIN TEXT (xml version)][Plen Bins: 0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,50,0,0,0,0,0,0,0,0,0]
+ 3 TCP 192.168.2.100:50100 -> 23.2.213.165:4176 [proto: 253.212/SOAP.Microsoft][ClearText][Confidence: DPI][cat: Cloud/13][1 pkts/1506 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][< 1 sec][Hostname/SNI: go.microsoft.com][User-Agent: MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT][PLAIN TEXT (POST /fwlink/)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0]