author | Luca Deri <deri@ntop.org> | 2020-05-29 21:23:46 +0200 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2020-05-29 21:23:46 +0200 |
commit | 4ceff1dc77bb75919f9394983529d89c604a700f (patch) | |
tree | 482450df24ba1a7f9221a7833aba51400a66d13b /src/lib/protocols/http.c | |
parent | 0271e29097bc765b6f83881c7dcc669008971978 (diff) |
Fixes for https://github.com/ntop/nDPI/pull/911
Added code for dumping invalid HTTP header
Diffstat (limited to 'src/lib/protocols/http.c')
-rw-r--r-- | src/lib/protocols/http.c | 118 |
1 files changed, 68 insertions, 50 deletions
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index a2a5538fe..19b39242e 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -595,8 +595,9 @@ static void http_bitmask_exclude_other(struct ndpi_flow_struct *flow)
 NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_XBOX);
 }
-/*************************************************************************************************/
+/* *********************************************************************************************** */
+/* Trick to speed-up detection */
 static const char* suspicious_http_header_keys_A[] = { "Arch", NULL};
 static const char* suspicious_http_header_keys_C[] = { "Cores", NULL};
 static const char* suspicious_http_header_keys_M[] = { "Mem", NULL};
@@ -607,73 +608,90 @@ static const char* suspicious_http_header_keys_T[] = { "TLS_version", NULL};
 static const char* suspicious_http_header_keys_U[] = { "Uuid", NULL};
 static const char* suspicious_http_header_keys_X[] = { "X-Hire-Me", NULL};
-
 static int is_a_suspicious_header(const char* suspicious_headers[], struct ndpi_int_one_line_struct packet_line){
 int i;
 unsigned int header_len;
 const u_int8_t* header_limit;
- if((header_limit = memchr(packet_line.ptr, ':', packet_line.len))){
- header_len = header_limit - packet_line.ptr;
- for(i=0; suspicious_headers[i] != NULL; i++){
- if(!strncasecmp((const char*) packet_line.ptr,
- suspicious_headers[i],
- header_len))
- return 1;
- }
+ if((header_limit = memchr(packet_line.ptr, ':', packet_line.len))) {
+ header_len = header_limit - packet_line.ptr;
+ for(i=0; suspicious_headers[i] != NULL; i++){
+ if(!strncasecmp((const char*) packet_line.ptr,
+ suspicious_headers[i], header_len))
+ return 1;
+ }
 }
+
 return 0;
 }
+/* *********************************************************************************************** */
+
 static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_struct,
 struct ndpi_flow_struct *flow) {
 int i;
 struct ndpi_packet_struct *packet = &flow->packet;
- for(i=0; (i<packet->parsed_lines) && (packet->line[i].ptr != NULL); i++) {
+ for(i=0; (i < packet->parsed_lines) && (packet->line[i].ptr != NULL) && (packet->line[i].len > 0); i++) {
 switch(packet->line[i].ptr[0]){
- case 'A':
- if(is_a_suspicious_header(suspicious_http_header_keys_A, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'C':
- if(is_a_suspicious_header(suspicious_http_header_keys_C, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'M':
- if(is_a_suspicious_header(suspicious_http_header_keys_M, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'O':
- if(is_a_suspicious_header(suspicious_http_header_keys_O, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'R':
- if(is_a_suspicious_header(suspicious_http_header_keys_R, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'S':
- if(is_a_suspicious_header(suspicious_http_header_keys_S, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'T':
- if(is_a_suspicious_header(suspicious_http_header_keys_T, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'U':
- if(is_a_suspicious_header(suspicious_http_header_keys_U, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'X':
- if(is_a_suspicious_header(suspicious_http_header_keys_X, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- default:
- continue;
+ case 'A':
+ if(is_a_suspicious_header(suspicious_http_header_keys_A, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'C':
+ if(is_a_suspicious_header(suspicious_http_header_keys_C, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'M':
+ if(is_a_suspicious_header(suspicious_http_header_keys_M, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
 }
+ break;
+ case 'O':
+ if(is_a_suspicious_header(suspicious_http_header_keys_O, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'R':
+ if(is_a_suspicious_header(suspicious_http_header_keys_R, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'S':
+ if(is_a_suspicious_header(suspicious_http_header_keys_S, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'T':
+ if(is_a_suspicious_header(suspicious_http_header_keys_T, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'U':
+ if(is_a_suspicious_header(suspicious_http_header_keys_U, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'X':
+ if(is_a_suspicious_header(suspicious_http_header_keys_X, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+
+ break;
 }
- return;
+ }
 }
 /*************************************************************************************************/ |
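Review bot: The rewritten `is_a_suspicious_header` still bounds the comparison by `header_len` alone, so a header name that is merely a prefix of a key matches it: `strncasecmp("A", "Arch", 1)` returns 0, and a line such as `A: x` (or `Co: x`, `Me: x`) would set NDPI_HTTP_SUSPICIOUS_HEADER on the flow, a false positive that the `len > 0` guard added to the loop in `ndpi_check_http_header` does not cover. Requiring the lengths to agree removes it: `if((header_len == strlen(suspicious_headers[i])) && !strncasecmp((const char*) packet_line.ptr, suspicious_headers[i], header_len))`. As a point of style, the nine `case` arms in `ndpi_check_http_header` now differ only in the key table they pass, so a small `{ first_char, keys }` table walked by one loop would make the next key a one-line addition rather than six. Both functions start and end inside this hunk.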