authorloures <loures.raso@gmail.com>2020-05-13 19:56:49 +0200
committerloures <loures.raso@gmail.com>2020-05-13 19:56:49 +0200
commit08f32f2e0ec5e05029c6849abec430caa570b7ea (patch)
tree96f21b0f6f005b34fcdc5c5911e30007d7a7ffe3
parent0a4fbb8cfb7602c9c0b90e8329b56577dea207fd (diff)
Set risk field instead of changing protocol when checking for dangerous
HTTP traffic
-rw-r--r--src/include/ndpi_protocol_ids.h1
-rw-r--r--src/lib/ndpi_main.c5
-rw-r--r--src/lib/protocols/http.c23
3 files changed, 10 insertions, 19 deletions
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index 463aeb497..b63f1525c 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -281,7 +281,6 @@ typedef enum {
NDPI_PROTOCOL_S7COMM = 249,
NDPI_PROTOCOL_MSTEAMS = 250,
NDPI_PROTOCOL_WEBSOCKET = 251, /* Leonn Paiva <leonn.paiva@gmail.com> */
- NDPI_PROTOCOL_EXECUTABLE_HTTP = 252,
#ifdef CUSTOM_NDPI_PROTOCOLS
#include "../../../nDPI-custom/custom_ndpi_protocol_ids.h"
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 39aad090c..dcb34f2ad 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1474,11 +1474,6 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
no_master, "WebSocket", NDPI_PROTOCOL_CATEGORY_WEB,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
- ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, NDPI_PROTOCOL_EXECUTABLE_HTTP,
- 1 /* can_have_a_subprotocol */, no_master,
- no_master, "Executable HTTP", NDPI_PROTOCOL_CATEGORY_WEB,
- ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
- ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
#ifdef CUSTOM_NDPI_PROTOCOLS
#include "../../../nDPI-custom/custom_ndpi_main.c"
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index b9a920ec7..1e50f67f1 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -245,19 +245,6 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
}
}
- /* catch application/exe mime-type */
- if(packet->content_line.ptr != NULL) {
- u_int app_len = sizeof("application");
- if(packet->content_line.len > app_len) {
- if(ndpi_strncasestr((const char *)&packet->content_line.ptr[app_len], "exe",
- packet->content_line.len-app_len) != NULL) {
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_EXECUTABLE_HTTP, NDPI_PROTOCOL_CATEGORY_WEB);
- NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer\n");
- return;
- }
- }
- }
-
if(packet->user_agent_line.ptr != NULL && packet->user_agent_line.len != 0) {
/**
Format examples:
@@ -425,6 +412,16 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
NDPI_LOG_DBG2(ndpi_struct, "Content Type line found %.*s\n",
packet->content_line.len, packet->content_line.ptr);
+ /*check for potentially dangerous http traffic and flag it*/
+ u_int app_len = sizeof("application");
+ if(packet->content_line.len > app_len) {
+ if(ndpi_strncasestr((const char *)&packet->content_line.ptr[app_len], "exe",
+ packet->content_line.len-app_len) != NULL) {
+ NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER);
+ NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer\n");
+ }
+ }
+
if((flow->http.content_type == NULL) && (packet->content_line.len > 0)) {
int len = packet->content_line.len + 1;