/* *********************************************** */

if((flow->initial_binary_bytes_len >= 2) && (flow->initial_binary_bytes[0] == 0x4D) && (flow->initial_binary_bytes[1] == 0x5A))

NDPI_SET_BIT(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER); /* Win executable */

else if((flow->initial_binary_bytes_len >= 4) && (flow->initial_binary_bytes[0] == 0x7F) && (flow->initial_binary_bytes[1] == 'E')

NDPI_SET_BIT(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER); /* Unix script (e.g. #!/bin/sh) */

else if(flow->initial_binary_bytes_len >= 8) {

u_int8_t exec_pattern[] = { 0x64, 0x65, 0x78, 0x0A, 0x30, 0x33, 0x35, 0x00 };

if(memcmp(flow->initial_binary_bytes, exec_pattern, 8) == 0)

NDPI_SET_BIT(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER); /* Dalvik Executable (Android) */

}

&& (flow->http.response_status_code != 0)

) {

/* stop extra processing */

if(flow->initial_binary_bytes_len) ndpi_analyze_content_signature(flow);

flow->extra_packets_func = NULL; /* We're good now */

return(0);

if(packet->content_line.len > app_len) {

const char *app = (const char *)&packet->content_line.ptr[app_len];

u_int app_len_avail = packet->content_line.len-app_len;

if(ndpi_strncasestr(app, "mpeg", app_len_avail) != NULL) {

flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_STREAMING;

return(flow->category);

ndpi_min(packet->content_line.len, 5)) == 0)

flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_MEDIA;

break;

case 'v':

if(strncasecmp((const char *)packet->content_line.ptr, "video",

ndpi_min(packet->content_line.len, 5)) == 0)

* https://github.com/ua-parser/uap-core/blob/master/regexes.yaml */

snprintf((char*)flow->protos.http.detected_os,

}

/* ************************************************************* */

if(double_col) double_col[0] = '\0';

(char *)flow->host_server_name,

strlen((const char *)flow->host_server_name));

}

if((!ua) || (ua[0] == '\0')) return;

// printf("[%s:%d] ==> '%s'\n", __FILE__, __LINE__, ua);

if((strlen(ua) < 4)

|| (!strcmp(ua, "test"))

|| (!strcmp(ua, "<?"))

char *ip, u_int ip_len) {

char buf[22];

struct in_addr ip_addr;

strncpy(buf, ip, ip_len);

buf[ip_len] = '\0';

ip_addr.s_addr = inet_addr(buf);

if(strcmp(inet_ntoa(ip_addr), buf) == 0) {

}

}

int len = packet->http_url_name.len + packet->host_line.len + 1;

if(isdigit(packet->host_line.ptr[0])

ndpi_check_numeric_ip(ndpi_struct, flow, (char*)packet->host_line.ptr, packet->host_line.len);

flow->http.url = ndpi_malloc(len);

if(flow->http.url) {

strncpy(flow->http.url, (char*)packet->host_line.ptr, packet->host_line.len);

strncpy(ua, (const char *)packet->user_agent_line.ptr, mlen);

ua[mlen] = '\0';

if(strncmp(ua, "Mozilla", 7) == 0) {

char *parent = strchr(ua, '(');

/*************************************************************************************************/

static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct,

struct ndpi_flow_struct *flow) {

struct ndpi_packet_struct *packet = &flow->packet;

"Filename HTTP found: %d, we look for line info..\n", filename_start);

ndpi_parse_packet_line_info(ndpi_struct, flow);

if(packet->parsed_lines <= 1) {

NDPI_LOG_DBG2(ndpi_struct,