author | loures <loures.raso@gmail.com> | 2020-05-14 14:30:34 +0200 |
committer | loures <loures.raso@gmail.com> | 2020-05-14 14:30:34 +0200 |
commit | 1edf5c49d662f7944ee976a63d54980a270a2419 (patch) | |
tree | 353c0718fd8d04f0aafcba86b5d1670ba8fa02de | |
parent | baddfbb6c3d09398b207248c64dc8fe6d5568ee6 (diff) |
Extend filetype matching for Content-Disposition header
-rw-r--r-- | src/lib/protocols/http.c | 26 |
1 files changed, 17 insertions, 9 deletions
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index abcf8c32e..5f62d730f 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -37,6 +37,13 @@ static const char* binary_file_mimes[] = {
   NULL
 };
+static const char* binary_file_ext[] = {
+  ".exe",
+  ".msi",
+  ".cab",
+  NULL
+};
+
 static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct,
                                  struct ndpi_flow_struct *flow);
@@ -112,22 +119,23 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
     }
   }
+  /* check for attachment */
   if (packet->content_disposition_line.len > 0) {
-    /* check for weird exe name as attachment */
     uint8_t attachment_len = sizeof("attachment; filename");
     if (packet->content_disposition_line.len > attachment_len) {
       uint8_t filename_len = packet->content_disposition_line.len - attachment_len;
-      /* might want to extend this to match more filenames */
-      if (strncmp((const char *)&packet->content_disposition_line.ptr[attachment_len],
-                  "\"phn34ycjtghm.exe\"", filename_len) == 0) {
-        flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
-        NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER);
-        NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer");
-        return(flow->category);
+      for (int i = 0; binary_file_ext[i] != NULL; i++) {
+        if (ndpi_strncasestr((const char*)&packet->content_disposition_line.ptr[attachment_len],
+                             binary_file_ext[i], filename_len)) {
+          printf("got %s\n", binary_file_ext[i]);
+          flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
+          NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER);
+          NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer");
+          return(flow->category);
+        }
       }
     }
   }
-
   switch(packet->content_line.ptr[0]) {
   case 'a':
     if(strncasecmp((const char *)packet->content_line.ptr, "audio", |
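Review bot: The new loop in the second hunk matches the extension as a substring anywhere in the filename, because ndpi_strncasestr is a search rather than a suffix compare, so a Content-Disposition such as `filename="my.exercise.pdf"` or `"release.cabinet.zip"` would set NDPI_BINARY_APPLICATION_TRANSFER and the DOWNLOAD_FT category on a non-binary transfer; comparing the last bytes of the name (minus the closing quote) against each entry avoids that. The `printf("got %s\n", ...)` on the line before the category assignment looks like leftover debug output and writes to stdout from library code while `NDPI_LOG_INFO` already records the hit; it should be dropped. The `uint8_t filename_len` is pre-existing, but it now bounds the search and would wrap for a header value longer than 255 + 21 bytes, so a wider type is worth confirming. ndpi_http_check_content starts and ends outside the hunk.
```c
      for (int i = 0; binary_file_ext[i] != NULL; i++) {
        const char *fname = (const char *)&packet->content_disposition_line.ptr[attachment_len];
        size_t ext_len = strlen(binary_file_ext[i]);
        size_t fl = filename_len;
        /* skip the closing quote so the extension is compared at the real end of the name */
        if (fl > 0 && fname[fl - 1] == '"') fl--;
        if (fl >= ext_len &&
            strncasecmp(fname + fl - ext_len, binary_file_ext[i], ext_len) == 0) {
          // … unchanged: category / risk / NDPI_LOG_INFO / return …
        }
      }
```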