authorLuca Deri <deri@ntop.org>2022-05-24 19:47:54 +0200
committerLuca Deri <deri@ntop.org>2022-05-24 19:47:54 +0200
commit4f9dee164e2c29fa7dbaef38b57775160dfbe2b9 (patch)
treee3a338cdad7e2ece3579d7e220fa97f6aca03f5c /src/lib/protocols/http.c
parent2560260a41172a07b6b272027f441ccda01622a5 (diff)
Improved detection of invalid SNI and hostnames in TLS, HTTP
Diffstat (limited to 'src/lib/protocols/http.c')
-rw-r--r--src/lib/protocols/http.c14
1 files changed, 12 insertions, 2 deletions
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 9b151c3b6..1b3ea7f66 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -679,8 +679,18 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
ndpi_hostname_sni_set(flow, packet->host_line.ptr, packet->host_line.len);
flow->extra_packets_func = NULL; /* We're good now */
- if(strlen(flow->host_server_name) > 0) ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1);
-
+ if(strlen(flow->host_server_name) > 0) {
+ ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1);
+
+ if(ndpi_is_valid_hostname(flow->host_server_name,
+ strlen(flow->host_server_name)) == 0) {
+ ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS);
+
+ /* This looks like an attack */
+ ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT);
+ }
+ }
+
if(packet->forwarded_line.ptr) {
if(flow->http.nat_ip == NULL) {
len = packet->forwarded_line.len;