authorLuca Deri <lucaderi@users.noreply.github.com>2020-05-14 20:56:07 +0200
committerGitHub <noreply@github.com>2020-05-14 20:56:07 +0200
commit7037e796048d84be01d8cf96891a977b898e6c19 (patch)
tree353c0718fd8d04f0aafcba86b5d1670ba8fa02de
parentfb64346e28633055dac543bc0ef6f3c406d5bbd5 (diff)
parent1edf5c49d662f7944ee976a63d54980a270a2419 (diff)
Merge pull request #903 from Loures/dev
Extend packet struct with Content-Disposition HTTP header field
-rw-r--r--src/include/ndpi_typedefs.h1
-rw-r--r--src/lib/ndpi_main.c7
-rw-r--r--src/lib/protocols/http.c47
3 files changed, 50 insertions, 5 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 54e08ea11..e9ddfc01a 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -807,6 +807,7 @@ struct ndpi_packet_struct {
struct ndpi_int_one_line_struct forwarded_line;
struct ndpi_int_one_line_struct referer_line;
struct ndpi_int_one_line_struct content_line;
+ struct ndpi_int_one_line_struct content_disposition_line;
struct ndpi_int_one_line_struct accept_line;
struct ndpi_int_one_line_struct user_agent_line;
struct ndpi_int_one_line_struct http_url_name;
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index dcb34f2ad..59d4f3491 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -4960,6 +4960,13 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str,
packet->http_contentlen.len = packet->line[packet->parsed_lines].len - 16;
packet->http_num_headers++;
}
+ /* "Content-Disposition"*/
+ if(packet->line[packet->parsed_lines].len > 21 &&
+ ((strncasecmp((const char *) packet->line[packet->parsed_lines].ptr, "Content-Disposition: ", 21) == 0))) {
+ packet->content_disposition_line.ptr = &packet->line[packet->parsed_lines].ptr[21];
+ packet->content_disposition_line.len = packet->line[packet->parsed_lines].len - 21;
+ packet->http_num_headers++;
+ }
/* "Cookie:" header line in HTTP. */
if(packet->line[packet->parsed_lines].len > 8 &&
strncasecmp((const char *) packet->line[packet->parsed_lines].ptr, "Cookie: ", 8) == 0) {
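Review bot: The new `content_disposition_line` is populated here but nothing in the commit resets it between packets; if the sibling `*_line` fields are cleared by a whole-struct memset elsewhere this is covered, otherwise a stale Content-Disposition from an earlier packet would still feed the attachment check in ndpi_http_check_content — worth confirming against the reset path. The comment on the first added line is also out of step with its neighbours: `/* "Content-Disposition:" header line in HTTP. */` matches the `"Cookie:"` comment below. ndpi_parse_packet_line_info starts and ends outside the hunk.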
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 48dab0d38..5f62d730f 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -28,6 +28,22 @@
#include "ndpi_api.h"
#include <stdlib.h>
+static const char* binary_file_mimes[] = {
+ "exe",
+ "vnd.ms-cab-compressed",
+ "vnd.microsoft.portable-executable"
+ "x-msdownload",
+ "x-dosexec",
+ NULL
+};
+
+static const char* binary_file_ext[] = {
+ ".exe",
+ ".msi",
+ ".cab",
+ NULL
+};
+
static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow);
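Review bot: The `binary_file_mimes` initializer is missing a comma after `"vnd.microsoft.portable-executable"`, so the compiler concatenates it with the following literal into a single entry `"vnd.microsoft.portable-executablex-msdownload"`; the `x-msdownload` MIME type is therefore never matched on its own and the table silently has one entry fewer than intended. Change the line to `"vnd.microsoft.portable-executable",`. Since the table is searched by case-insensitive substring in ndpi_http_check_content, the merged entry cannot match any real Content-Type, so the omission goes unnoticed at compile time.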
@@ -91,14 +107,35 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
if(ndpi_strncasestr(app, "mpeg", app_len_avail) != NULL) {
flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_STREAMING;
return(flow->category);
- } else if(ndpi_strncasestr(app, "exe", app_len_avail) != NULL) {
- flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
- NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER);
- NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer\n");
- return(flow->category);
+ } else {
+ for (int i = 0; binary_file_mimes[i] != NULL; i++) {
+ if (ndpi_strncasestr(app, binary_file_mimes[i], app_len_avail) != NULL) {
+ flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
+ NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER);
+ NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer");
+ return(flow->category);
+ }
+ }
}
}
+ /* check for attachment */
+ if (packet->content_disposition_line.len > 0) {
+ uint8_t attachment_len = sizeof("attachment; filename");
+ if (packet->content_disposition_line.len > attachment_len) {
+ uint8_t filename_len = packet->content_disposition_line.len - attachment_len;
+ for (int i = 0; binary_file_ext[i] != NULL; i++) {
+ if (ndpi_strncasestr((const char*)&packet->content_disposition_line.ptr[attachment_len],
+ binary_file_ext[i], filename_len)) {
+ printf("got %s\n", binary_file_ext[i]);
+ flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
+ NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER);
+ NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer");
+ return(flow->category);
+ }
+ }
+ }
+ }
switch(packet->content_line.ptr[0]) {
case 'a':
if(strncasecmp((const char *)packet->content_line.ptr, "audio",
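Review bot: The `printf("got %s\n", binary_file_ext[i]);` in the attachment loop is leftover debugging output: it writes to stdout from library code on every match, which is noise for embedding applications and is inconsistent with the `NDPI_LOG_INFO` on the next lines, so drop it. `uint8_t filename_len = packet->content_disposition_line.len - attachment_len;` truncates the header length to 8 bits, so a Content-Disposition line longer than 255 + 21 bytes gets a wrapped, too-short search window and a binary attachment is presumably missed; `content_disposition_line.len` looks wider than 8 bits (check the field's type in ndpi_int_one_line_struct) and both locals should use at least that width, e.g. `size_t filename_len = packet->content_disposition_line.len - attachment_len;`. `sizeof("attachment; filename")` counts the terminating NUL, so the search starts one byte past the prefix; `size_t attachment_len = sizeof("attachment; filename") - 1;` is the intended length, and the offset is applied without checking that the line actually begins with that prefix. The rewritten `NDPI_LOG_INFO` message also lost the trailing `\n` the removed line had. ndpi_http_check_content starts and ends outside the hunk.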