author | Luca Deri <deri@ntop.org> | 2022-02-03 13:06:27 +0100 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2022-02-03 13:06:27 +0100 |
commit | 0dd5ac89f842ac37f4c36ff67620a49b9e7eb76f (patch) | |
tree | 637c09c44f1f896a4d4904601757db3e088ed555 /src/lib/protocols/http.c | |
parent | 6975f265ec030bc37c42335a79fb6d82f9bfff30 (diff) |
Renamed DCERPC to more generic RPC protocol so we can use also for other types of RPCs (not limited to DCE)
Extended HTTP plugin to support RPC
Improved HTTP clear text detection to limit it to Basic and Digest
Diffstat (limited to 'src/lib/protocols/http.c')
-rw-r--r-- | src/lib/protocols/http.c | 32 |
1 files changed, 23 insertions, 9 deletions
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index a33cd6f00..fd3a64664 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -196,7 +196,7 @@ static void ndpi_validate_http_content(struct ndpi_detection_module_struct *ndpi
 Java downloads Java:
 Log4J: https://corelight.com/blog/detecting-log4j-exploits-via-zeek-when-java-downloads-java
 */
-
+
 ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT);
 }
 }
@@ -343,7 +343,7 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd
 (flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN) ? flow->detected_protocol_stack[1] : NDPI_PROTOCOL_HTTP,
 NDPI_CONFIDENCE_DPI);
-
+
 /* This is necessary to inform the core to call this dissector again */
 flow->check_extra_packets = 1;
 flow->max_extra_packets_to_check = 8;
@@ -390,7 +390,7 @@ static void setHttpUserAgent(struct ndpi_detection_module_struct *ndpi_struct,
 * https://github.com/ua-parser/uap-core/blob/master/regexes.yaml
 */
 if(flow->http.detected_os == NULL)
- flow->http.detected_os = ndpi_strdup(ua);
+ flow->http.detected_os = ndpi_strdup(ua);
 }
 /* ************************************************************* */
@@ -422,11 +422,11 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru
 struct ndpi_flow_struct *flow, char *ua) {
 u_int len;
-
+
 if((!ua) || (ua[0] == '\0'))
 return;
 else
- len = strlen(ua);
+ len = strlen(ua);
 if( (!strncmp(ua, "<?", 2))
@@ -436,7 +436,7 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru
 // || ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, ua)
 ) {
 ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT);
-
+
 ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT);
 } else if( (len < 4) /* Too short */
@@ -610,6 +610,12 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
 flow->http.method = ndpi_http_str2method((const char*)packet->http_method.ptr, (u_int16_t)packet->http_method.len);
+
+ if((flow->http.method == NDPI_HTTP_METHOD_RPC_IN_DATA)
+ || (flow->http.method == NDPI_HTTP_METHOD_RPC_OUT_DATA)) {
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RPC, flow->detected_protocol_stack[0], NDPI_CONFIDENCE_DPI);
+ check_content_type_and_change_protocol(ndpi_struct, flow);
+ }
 }
 if(packet->server_line.ptr != NULL && (packet->server_line.len > 7)) {
@@ -718,7 +724,13 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
 if(packet->authorization_line.ptr != NULL) {
 NDPI_LOG_DBG2(ndpi_struct, "Authorization line found %.*s\n", packet->authorization_line.len, packet->authorization_line.ptr);
- ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
+
+ if(ndpi_strncasestr((const char*)packet->authorization_line.ptr,
+ "Basic", packet->authorization_line.len)
+ || ndpi_strncasestr((const char*)packet->authorization_line.ptr,
+ "Digest", packet->authorization_line.len)) {
+ ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
+ }
 }
 if(packet->content_line.ptr != NULL && packet->content_line.len != 0) {
@@ -807,7 +819,9 @@ static struct l_string {
 STATIC_STRING_L("DELETE "), STATIC_STRING_L("CONNECT "), STATIC_STRING_L("PROPFIND "),
- STATIC_STRING_L("REPORT ") };
+ STATIC_STRING_L("REPORT "),
+ STATIC_STRING_L("RPC_IN_DATA "), STATIC_STRING_L("RPC_OUT_DATA ")
+};
 static const char *http_fs = "CDGHOPR";
 static u_int16_t http_request_url_offset(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
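Review bot: The new RPC block calls check_content_type_and_change_protocol from inside itself right after ndpi_set_detected_protocol, and the only thing preventing the re-entered call from reaching this same block again is the enclosing condition, which lies outside the hunk. If that condition is still true on the second pass — for instance if it only tests that packet->http_method.ptr is set, since ndpi_http_str2method will yield RPC_IN_DATA again from the same packet — a single crafted `RPC_IN_DATA` request recurses until the stack is exhausted, a one-packet crash of the dissector. The termination should not depend on a distant condition: guard it locally, e.g. extend the `if` with `&& (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_RPC)` (or test whichever stack slot ndpi_set_detected_protocol fills with NDPI_PROTOCOL_RPC), and state the intent in a comment such as `/* Re-run the content-type checks now that the flow is RPC over HTTP */`. check_content_type_and_change_protocol starts and ends outside this hunk.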
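Review bot: In the Authorization hunk, ndpi_strncasestr looks for `Basic`/`Digest` as a case-insensitive substring anywhere in the header value instead of checking the scheme, which is the first token of the value; a `Bearer` or other opaque token whose base64 body happens to contain `basic` or `digest` is then flagged NDPI_CLEAR_TEXT_CREDENTIALS, and a scheme that merely begins with those letters would be too. A prefix match is just as cheap and matches what the commit message intends: `if((packet->authorization_line.len >= 6 && !strncasecmp((const char*)packet->authorization_line.ptr, "Basic ", 6))` / `|| (packet->authorization_line.len >= 7 && !strncasecmp((const char*)packet->authorization_line.ptr, "Digest ", 7))) {` (strncasecmp presumes <strings.h> is already included here; otherwise use the project's case-insensitive compare). A short comment would also help on the Digest half, since Digest transmits a hash of the password rather than the password itself, e.g. `/* Digest still exposes the username and an offline-crackable response */`. check_content_type_and_change_protocol starts and ends outside this hunk.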
@@ -1089,7 +1103,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
 packet->http_method.ptr = packet->line[0].ptr;
 packet->http_method.len = filename_start - 1;
-
+
 /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
 flow->l4.tcp.http_stage = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2
 return; |