authorLuca Deri <deri@ntop.org>2020-05-15 19:19:17 +0200
committerLuca Deri <deri@ntop.org>2020-05-15 19:19:17 +0200
commite90c5c7c3223d033467aa359d8b1e264f961fde1 (patch)
tree2adf23c16d38695188805f8a913e1023d0d0b5a9 /src/lib/protocols/http.c
parent7dfbfff743aaae57691ade003066aeca632e5d49 (diff)
Added NDPI_HTTP_SUSPICIOUS_USER_AGENT ndpi_risk
Diffstat (limited to 'src/lib/protocols/http.c')
-rw-r--r--src/lib/protocols/http.c22
1 files changed, 20 insertions, 2 deletions
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index e050a69a8..1c81f8cfb 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -214,7 +214,6 @@ static void setHttpUserAgent(struct ndpi_detection_module_struct *ndpi_struct,
/* Good reference for future implementations:
* https://github.com/ua-parser/uap-core/blob/master/regexes.yaml */
- //printf("==> %s\n", ua);
snprintf((char*)flow->protos.http.detected_os,
sizeof(flow->protos.http.detected_os), "%s", ua);
}
@@ -236,6 +235,23 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp
/* ************************************************************* */
+static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow,
+ char *ua) {
+ if((!ua) || (ua[0] == '\0')) return;
+
+ // printf("[%s:%d] ==> '%s'\n", __FILE__, __LINE__, ua);
+
+ if((strlen(ua) < 4)
+ || (!strcmp(ua, "test"))
+ || (!strcmp(ua, "<?"))
+ || ndpi_match_bigram(ndpi_struct, &ndpi_struct->bigrams_automa, ua)) {
+ NDPI_SET_BIT_16(flow->risk, NDPI_HTTP_SUSPICIOUS_USER_AGENT);
+ }
+}
+
+/* ************************************************************* */
+
/**
NOTE
ndpi_parse_packet_line_info is in ndpi_main.c
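Review bot: In `ndpi_check_user_agent` the comparison `!strcmp(ua, "<?")` can never change the outcome, because a string equal to `<?` is two characters long and is already caught by `strlen(ua) < 4` on the first line of the condition. If the intent is to flag a User-Agent that carries a script-open tag anywhere in the value (an assumption, the commit message does not say), the test needs to be a substring match such as `|| (strstr(ua, "<?") != NULL)`; otherwise the line can simply be dropped. The `"test"` comparison is exact and case-sensitive, which deserves a short comment like `/* exact match only: "Test" or "test/1.0" are not flagged here */` so later readers do not assume broader coverage. The commented-out `printf` is the same kind of debug residue this commit removes from setHttpUserAgent and can go as well.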
@@ -300,7 +316,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
strncpy(ua, (const char *)packet->user_agent_line.ptr, mlen);
ua[mlen] = '\0';
-
+
if(strncmp(ua, "Mozilla", 7) == 0) {
char *parent = strchr(ua, '(');
@@ -360,6 +376,8 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
strncpy(flow->http.user_agent, (char*)packet->user_agent_line.ptr,
packet->user_agent_line.len);
flow->http.user_agent[packet->user_agent_line.len] = '\0';
+
+ ndpi_check_user_agent(ndpi_struct, flow, flow->http.user_agent);
}
}
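Review bot: The new call passes the NUL-terminated copy in `flow->http.user_agent`, so the `strlen`, `strcmp` and bigram tests in `ndpi_check_user_agent` only see the header up to its first zero byte, while `packet->user_agent_line.len` is the length actually received on the wire. A comment at the call site would make that limit explicit, for example `/* risk check covers the UA only up to its first NUL byte; user_agent_line.len may be longer */`. The allocation of `flow->http.user_agent` and the condition guarding this block are outside the hunk, so it cannot be told from here whether the check runs for every request on a flow or only for the first User-Agent stored.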