Improve detection of crawler/bot traffic (#1956)

author: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> 2023-05-04 11:27:34 +0200
committer: GitHub <noreply@github.com> 2023-05-04 11:27:34 +0200
commit: 6b94c9675a85ae00aa566103ec8ad06d3943ed5c (patch)
tree: 260e1d21344943fcf50ed38557c36df2220dedc0 /src/lib/ndpi_utils.c
parent: 9a5d60bff651587be1f9d02ef7bd5ea07541a5f6 (diff)
1 files changed, 20 insertions, 0 deletions
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 69599a7dc..8020ea540 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -2468,6 +2468,26 @@ void ndpi_set_risk(struct ndpi_detection_module_struct *ndpi_str,
 	}
       }
     }
+  } else if(risk_message) {
+    u_int8_t i;
+
+    for(i = 0; i < flow->num_risk_infos; i++)
+      if(flow->risk_infos[i].id == r)
+        return;
+
+    /* Risk already set without any details, but now we have a specific risk_message
+       that we want to save.
+       This might happen with NDPI_HTTP_CRAWLER_BOT which might have been set early via
+       IP matching (no details) and now via UA matching (with message). */
+    if(flow->num_risk_infos < MAX_NUM_RISK_INFOS) {
+      char *s = ndpi_strdup(risk_message);
+
+      if(s != NULL) {
+        flow->risk_infos[flow->num_risk_infos].id = r;
+        flow->risk_infos[flow->num_risk_infos].info = s;
+        flow->num_risk_infos++;
+      }
+    }
   }
 }
author	Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>	2023-05-04 11:27:34 +0200
committer	GitHub <noreply@github.com>	2023-05-04 11:27:34 +0200
commit	6b94c9675a85ae00aa566103ec8ad06d3943ed5c (patch)
tree	260e1d21344943fcf50ed38557c36df2220dedc0 /src/lib/ndpi_utils.c
parent	9a5d60bff651587be1f9d02ef7bd5ea07541a5f6 (diff)