authorLuca Deri <lucaderi@users.noreply.github.com>2020-05-14 09:12:17 +0200
committerGitHub <noreply@github.com>2020-05-14 09:12:17 +0200
commit50be0b004956046ca3077a1e454df7cd7a4b462d (patch)
tree96f21b0f6f005b34fcdc5c5911e30007d7a7ffe3
parent9dfd0d0071845779487b4e2e14c3599e18a74a8c (diff)
parent08f32f2e0ec5e05029c6849abec430caa570b7ea (diff)
Merge pull request #902 from Loures/dev
Add check for HTTP transfer of executable files
-rw-r--r--src/lib/protocols/http.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index de4de3aee..1e50f67f1 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -412,6 +412,16 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
NDPI_LOG_DBG2(ndpi_struct, "Content Type line found %.*s\n",
packet->content_line.len, packet->content_line.ptr);
+ /*check for potentially dangerous http traffic and flag it*/
+ u_int app_len = sizeof("application");
+ if(packet->content_line.len > app_len) {
+ if(ndpi_strncasestr((const char *)&packet->content_line.ptr[app_len], "exe",
+ packet->content_line.len-app_len) != NULL) {
+ NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER);
+ NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer\n");
+ }
+ }
+
if((flow->http.content_type == NULL) && (packet->content_line.len > 0)) {
int len = packet->content_line.len + 1;