author | Luca Deri <deri@ntop.org> | 2024-04-09 10:22:01 +0200 |
committer | Luca Deri <deri@ntop.org> | 2024-04-09 10:22:01 +0200 |
commit | bd2968dcd36e78adcef0570550277332d164fc2d (patch) | |
tree | f0f4a8d995e8da26ad8b0dc0b954d294b6fd2ba2 /src/lib/protocols/http.c | |
parent | 00a360f30a89fd479465db64d7e92e761645c101 (diff) |
Tuned DNS risk values
Changed NDPI_BINARY_TRANSFER_ATTEMPT into NDPI_BINARY_DATA_TRANSFER
Diffstat (limited to 'src/lib/protocols/http.c')
-rw-r--r-- | src/lib/protocols/http.c | 44 |
1 files changed, 38 insertions, 6 deletions
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 1d41eb61e..8d5d92f3e 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -54,6 +54,28 @@ static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_str
 /* *********************************************** */
+static char* forge_attempt_msg(struct ndpi_flow_struct *flow, char *msg, char *buf, u_int buf_len) {
+ if((flow->http.response_status_code >= 200) && (flow->http.response_status_code < 300))
+ return(msg);
+ else {
+ snprintf(buf, buf_len, "%s (attempt)", msg);
+ return(buf);
+ }
+}
+
+/* *********************************************** */
+
+static void ndpi_set_binary_data_transfer(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow,
+ char *msg) {
+ char buf[256];
+
+ ndpi_set_risk(flow, NDPI_BINARY_DATA_TRANSFER,
+ forge_attempt_msg(flow, msg, buf, sizeof(buf)));
+}
+
+/* *********************************************** */
+
 static void ndpi_set_binary_application_transfer(struct ndpi_detection_module_struct *ndpi_struct,
 struct ndpi_flow_struct *flow,
 char *msg) {
@@ -68,14 +90,13 @@ static void ndpi_set_binary_application_transfer(struct ndpi_detection_module_st
 )
 ;
 else {
- if((flow->http.response_status_code >= 200) && (flow->http.response_status_code < 300))
- ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER, msg);
- else
- ndpi_set_risk(flow, NDPI_BINARY_TRANSFER_ATTEMPT, msg);
+ char buf[256];
+
+ ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER, forge_attempt_msg(flow, msg, buf, sizeof(buf)));
 }
 }
- /* *********************************************** */
+/* *********************************************** */
 static void ndpi_analyze_content_signature(struct ndpi_detection_module_struct *ndpi_struct,
 struct ndpi_flow_struct *flow) {
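Review bot: `forge_attempt_msg` returns either its `msg` argument or the caller-supplied `buf`, so the result is only valid while both stay alive; both callers consume it immediately inside `ndpi_set_risk(...)`, which is fine, but the contract deserves a comment such as `/* Returns msg for a 2xx response, otherwise msg with an " (attempt)" suffix formatted into buf; the result aliases one of the two and must not outlive them. */`. A flow whose response status has not been parsed yet (whatever `response_status_code` holds before a response is seen) also takes the `(attempt)` branch; if that is intended, say so in the same comment. `msg` and the return value could be `const char *` since nothing writes through them, and `buf_len` would more conventionally be `size_t` to match the `sizeof(buf)` the callers pass.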
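Review bot: The new body of `ndpi_set_binary_application_transfer` repeats the `char buf[256]` plus `forge_attempt_msg(flow, msg, buf, sizeof(buf))` sequence that `ndpi_set_binary_data_transfer` introduces in the hunk above, differing only in the risk value passed to `ndpi_set_risk`. One helper that receives that risk value in addition to `flow` and `msg` would keep the "(attempt)" suffix logic in a single place and let both functions become one-line wrappers. The `if`/`else` this code sits in begins before the hunk, so the condition that gates the risk is not visible here.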
@@ -257,8 +278,13 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
 for(i = 0; cmp_mimes[i] != NULL; i++) {
 if(strncasecmp(app, cmp_mimes[i], app_len_avail) == 0) {
+ char str[64];
+
 flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
 NDPI_LOG_INFO(ndpi_struct, "found HTTP file transfer");
+
+ snprintf(str, sizeof(str), "Found binary mime %s", cmp_mimes[i]);
+ ndpi_set_binary_data_transfer(ndpi_struct, flow, str);
 found = true;
 break;
 }
@@ -338,11 +364,12 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
 attachment_len += filename_len-ATTACHMENT_LEN-1;
 if((attachment_len+ATTACHMENT_LEN) <= packet->content_disposition_line.len) {
+ char str[64];
+
 for(i = 0; binary_exec_file_ext[i] != NULL; i++) {
 /* Use memcmp in case content-disposition contains binary data */
 if(memcmp(&packet->content_disposition_line.ptr[attachment_len], binary_exec_file_ext[i], ATTACHMENT_LEN) == 0) {
- char str[64];
 snprintf(str, sizeof(str), "Found file extn %s", binary_exec_file_ext[i]);
 flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
@@ -351,6 +378,11 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
 return(flow->category);
 }
 }
+
+ /* No executable but just data transfer */
+ snprintf(str, sizeof(str), "File download %s",
+ flow->http.filename ? flow->http.filename : "");
+ ndpi_set_binary_data_transfer(ndpi_struct, flow, str);
 }
 }
 }
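Review bot: The `"File download %s"` message embeds `flow->http.filename` into the risk string unmodified, and that value appears to come from the peer-supplied Content-Disposition header (the surrounding code parses `content_disposition_line`, and the hunk above even warns that it can carry binary data). Any non-printable bytes in the filename are then passed on to every consumer of the risk message, and `str[64]` silently truncates names longer than about 49 bytes after the fixed prefix. Consider copying only printable characters of the filename, with a length cap, into the message before calling `ndpi_set_binary_data_transfer`, or at minimum document the trust boundary, e.g. `/* filename originates from the Content-Disposition header: untrusted, may be truncated here */`. `ndpi_http_check_content` begins and ends outside this hunk.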