authorLuca Deri <deri@ntop.org>2025-06-08 07:33:19 +0200
committerLuca Deri <deri@ntop.org>2025-06-08 07:33:19 +0200
commit2a77c58ebefd60024e7731b3befb20714bc59314 (patch)
tree5775f7ea4b82817b23bd3847465fa2bf2116a6e3 /src/lib/ndpi_utils.c
parent6d0a891d1e9ee137d24263881530c5dcb9411709 (diff)
Improved HTTP risk report
PCRE2 is now enabled by default (if present), as it is needed to report some HTTP risks
Diffstat (limited to 'src/lib/ndpi_utils.c')
-rw-r--r--src/lib/ndpi_utils.c29
1 files changed, 16 insertions, 13 deletions
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index f53d4cb5d..4eba30a94 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1465,32 +1465,26 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct,
case NDPI_PROTOCOL_HTTP_CONNECT:
case NDPI_PROTOCOL_HTTP_PROXY:
ndpi_serialize_start_of_block(serializer, "http");
+
if(flow->http.url != NULL) {
- ndpi_risk_enum risk = ndpi_validate_url(flow->http.url);
- if (risk != NDPI_NO_RISK)
- {
- NDPI_SET_BIT(flow->risk, risk);
- }
ndpi_serialize_string_string(serializer, "url", flow->http.url);
ndpi_serialize_string_uint32(serializer, "code", flow->http.response_status_code);
ndpi_serialize_string_string(serializer, "content_type", flow->http.content_type);
ndpi_serialize_string_string(serializer, "user_agent", flow->http.user_agent);
}
+
if (flow->http.request_content_type != NULL)
- {
ndpi_serialize_string_string(serializer, "request_content_type",
flow->http.request_content_type);
- }
+
if (flow->http.detected_os != NULL)
- {
ndpi_serialize_string_string(serializer, "detected_os",
flow->http.detected_os);
- }
+
if (flow->http.nat_ip != NULL)
- {
ndpi_serialize_string_string(serializer, "nat_ip",
flow->http.nat_ip);
- }
+
ndpi_serialize_end_of_block(serializer);
break;
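Review bot: The `if` bodies for `request_content_type`, `detected_os` and `nat_ip` lose their braces although each body is a single call wrapped over two lines; a later edit that adds a second statement to one of them would silently run outside the condition, so keeping `{ }` around multi-line bodies is the safer style. Separately, with the `ndpi_validate_url` call removed here, ndpi_dpi2json now only serializes what `flow->risk` already holds; presumably the risk is set earlier through the new `ndpi_validate_url(ndpi_str, flow, url)` signature in the next hunk, which is worth confirming for every path that populates `flow->http.url`. The enclosing `switch` and ndpi_dpi2json begin outside the hunk.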
@@ -2066,7 +2060,9 @@ static int ndpi_is_rce_injection(char* query) {
/* ********************************** */
-ndpi_risk_enum ndpi_validate_url(char *url) {
+ndpi_risk_enum ndpi_validate_url(struct ndpi_detection_module_struct *ndpi_str,
+ struct ndpi_flow_struct *flow,
+ char *url) {
char *orig_str = NULL, *str = NULL, *question_mark = strchr(url, '?');
ndpi_risk_enum rc = NDPI_NO_RISK;
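Review bot: The new three-parameter signature has no comment stating the contract, and the body shows it is asymmetric: `url` is dereferenced unconditionally on the following line (`strchr(url, '?')`), while `flow` is NULL-checked before use in the last hunk. Suggest a header comment above the definition such as `/* Scans the query string of url for injection patterns; url must be non-NULL. flow may be NULL, in which case the risk is only returned, otherwise it is also set on the flow via ndpi_set_risk(). */`. Whether `ndpi_str` may be NULL when `flow` is not is not visible here and should be stated too. The function body continues outside the hunk.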
@@ -2113,8 +2109,15 @@ ndpi_risk_enum ndpi_validate_url(char *url) {
ndpi_free(decoded);
- if(rc != NDPI_NO_RISK)
+ if(rc != NDPI_NO_RISK) {
+ if(flow != NULL) {
+ char msg[128];
+
+ snprintf(msg, sizeof(msg), "Suspicious URL [%s]", url);
+ ndpi_set_risk(ndpi_str, flow, rc, msg);
+ }
break;
+ }
}
str = strtok_r(NULL, "&", &tmp);
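Review bot: The message built by `snprintf(msg, sizeof(msg), "Suspicious URL [%s]", url)` is capped at 128 bytes and carries the whole URL, so for a long URL the parameter that actually produced `rc` (apparently the current `&`-separated token in `str`, examined through the decoded copy freed on the first line of the hunk) is cut off, which weakens the report exactly for padded payloads. Reporting the offending parameter first keeps the evidence inside the buffer, e.g. `snprintf(msg, sizeof(msg), "Suspicious URL param [%s] in [%s]", str, url);`. The URL is untrusted input copied verbatim into the message; unless ndpi_set_risk or the JSON/log consumers escape it, non-printable bytes (such as CR/LF) should be filtered here before they reach logs. The loop this sits in begins outside the hunk.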