author | Luca Deri <deri@ntop.org> | 2020-05-29 21:23:46 +0200 |
committer | Luca Deri <deri@ntop.org> | 2020-05-29 21:23:46 +0200 |
commit | 4ceff1dc77bb75919f9394983529d89c604a700f (patch) | |
tree | 482450df24ba1a7f9221a7833aba51400a66d13b | |
parent | 0271e29097bc765b6f83881c7dcc669008971978 (diff) |
Fixes for https://github.com/ntop/nDPI/pull/911
Added code for dumping invalid HTTP header
-rw-r--r-- | src/lib/ndpi_content_match.c.inc | 8 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 3 | ||||
-rw-r--r-- | src/lib/protocols/http.c | 118 |
3 files changed, 77 insertions, 52 deletions
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index fcd7834a3..1b48eca4b 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -8390,9 +8390,9 @@ static ndpi_network host_protocol_list[] = {
 { 0xD0163900 /* 208.22.57.0/24 */, 24, NDPI_PROTOCOL_BLOOMBERG },
 { 0x45BFC000 /* 69.191.192.0/18 */, 18, NDPI_PROTOCOL_BLOOMBERG },
- /*
+ /*
 Microsoft
-
+
 [JSON] https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7
 [HTML] https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges
 */
@@ -8768,6 +8768,10 @@ static ndpi_protocol_match host_match[] =
 /* http://check.googlezip.net/connect [check browser connectivity] */
 // { ".googlezip.net", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
+ /*
+ https://github.com/bambenek/block-doh/blob/master/db.doh-redirect
+ https://github.com/curl/curl/wiki/DNS-over-HTTPS
+ */
 { "dns.google", "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
 { "mozilla.cloudflare-dns.com", "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, /* Firefox */
 { "cloudflare-dns.com", "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 187ba7d1c..4958e4a0c 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1479,6 +1479,9 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
 case NDPI_HTTP_SUSPICIOUS_URL:
 return("HTTP Suspicious URL");
+
+ case NDPI_HTTP_SUSPICIOUS_HEADER:
+ return("HTTP Suspicious Header");
 default:
 snprintf(buf, sizeof(buf), "%d", (int)risk);
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index a2a5538fe..19b39242e 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -595,8 +595,9 @@ static void http_bitmask_exclude_other(struct ndpi_flow_struct *flow)
 NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_XBOX);
 }
-/*************************************************************************************************/
+/* *********************************************************************************************** */
+/* Trick to speed-up detection */
 static const char* suspicious_http_header_keys_A[] = { "Arch", NULL};
 static const char* suspicious_http_header_keys_C[] = { "Cores", NULL};
 static const char* suspicious_http_header_keys_M[] = { "Mem", NULL};
@@ -607,73 +608,90 @@ static const char* suspicious_http_header_keys_T[] = { "TLS_version", NULL};
 static const char* suspicious_http_header_keys_U[] = { "Uuid", NULL};
 static const char* suspicious_http_header_keys_X[] = { "X-Hire-Me", NULL};
-
 static int is_a_suspicious_header(const char* suspicious_headers[], struct ndpi_int_one_line_struct packet_line){
 int i;
 unsigned int header_len;
 const u_int8_t* header_limit;
- if((header_limit = memchr(packet_line.ptr, ':', packet_line.len))){
- header_len = header_limit - packet_line.ptr;
- for(i=0; suspicious_headers[i] != NULL; i++){
- if(!strncasecmp((const char*) packet_line.ptr,
- suspicious_headers[i],
- header_len))
- return 1;
- }
+ if((header_limit = memchr(packet_line.ptr, ':', packet_line.len))) {
+ header_len = header_limit - packet_line.ptr;
+ for(i=0; suspicious_headers[i] != NULL; i++){
+ if(!strncasecmp((const char*) packet_line.ptr,
+ suspicious_headers[i], header_len))
+ return 1;
+ }
 }
+
 return 0;
 }
+/* *********************************************************************************************** */
+
 static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_struct,
 struct ndpi_flow_struct *flow) {
 int i;
 struct ndpi_packet_struct *packet = &flow->packet;
- for(i=0; (i<packet->parsed_lines) && (packet->line[i].ptr != NULL); i++) {
+ for(i=0; (i < packet->parsed_lines) && (packet->line[i].ptr != NULL) && (packet->line[i].len > 0); i++) {
 switch(packet->line[i].ptr[0]){
- case 'A':
- if(is_a_suspicious_header(suspicious_http_header_keys_A, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'C':
- if(is_a_suspicious_header(suspicious_http_header_keys_C, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'M':
- if(is_a_suspicious_header(suspicious_http_header_keys_M, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'O':
- if(is_a_suspicious_header(suspicious_http_header_keys_O, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'R':
- if(is_a_suspicious_header(suspicious_http_header_keys_R, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'S':
- if(is_a_suspicious_header(suspicious_http_header_keys_S, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'T':
- if(is_a_suspicious_header(suspicious_http_header_keys_T, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'U':
- if(is_a_suspicious_header(suspicious_http_header_keys_U, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'X':
- if(is_a_suspicious_header(suspicious_http_header_keys_X, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- default:
- continue;
+ case 'A':
+ if(is_a_suspicious_header(suspicious_http_header_keys_A, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'C':
+ if(is_a_suspicious_header(suspicious_http_header_keys_C, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'M':
+ if(is_a_suspicious_header(suspicious_http_header_keys_M, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
 }
+ break;
+ case 'O':
+ if(is_a_suspicious_header(suspicious_http_header_keys_O, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'R':
+ if(is_a_suspicious_header(suspicious_http_header_keys_R, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'S':
+ if(is_a_suspicious_header(suspicious_http_header_keys_S, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'T':
+ if(is_a_suspicious_header(suspicious_http_header_keys_T, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'U':
+ if(is_a_suspicious_header(suspicious_http_header_keys_U, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'X':
+ if(is_a_suspicious_header(suspicious_http_header_keys_X, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+
+ break;
+ }
- return;
+ }
 }
 /*************************************************************************************************/ |
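Review bot: `is_a_suspicious_header` still matches a key by prefix rather than by whole name: `strncasecmp` is bounded by `header_len`, the length of the name found in the packet, so a header whose name is a proper prefix of a key (`A:`, `Me:`, `X:`) compares equal, and a line that begins with `:` gives `header_len == 0`, for which `strncasecmp` returns 0 against every key — both set NDPI_HTTP_SUSPICIOUS_HEADER on benign traffic. Require equal lengths before comparing: `if((header_len == strlen(suspicious_headers[i])) && !strncasecmp((const char*) packet_line.ptr, suspicious_headers[i], header_len))`. The `switch` on `packet->line[i].ptr[0]` in `ndpi_check_http_header` is case-sensitive while the key comparison is case-insensitive, so `arch:` or `x-hire-me:` is never examined; if case-insensitive matching is the intent, dispatch on `toupper()` of the byte (as `unsigned char`) instead. The new `len > 0` term in the `for` condition ends the scan at the first empty line rather than skipping it; presumably that is the header/body separator and this is intended, but a one-line comment saying so would keep the next reader from "fixing" it.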