author | Luca Deri <deri@ntop.org> | 2022-01-09 18:47:47 +0100 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2022-01-09 18:47:47 +0100 |
commit | 708d4ea33a4734eba7d3b3738115a2ae7e13ba67 (patch) | |
tree | 92f30468a85739ea4467e1beba2c1bba082c902c /src/lib/protocols | |
parent | bf69321a29699776f24b74e71c5dc3c80ede161b (diff) |
Improved user agent analysis
Diffstat (limited to 'src/lib/protocols')
-rw-r--r-- | src/lib/protocols/http.c | 40 |
1 files changed, 25 insertions, 15 deletions
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 7a6fa1078..99a49ab2d 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -421,26 +421,36 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp
 static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_struct,
                                   struct ndpi_flow_struct *flow,
                                   char *ua) {
-  int log4j_exploit = -1;
+  u_int len;
 
-  if((!ua) || (ua[0] == '\0')) return;
-
-  if((strlen(ua) < 4)
-     || (!strncmp(ua, "test", 4))
-     || (!strncmp(ua, "<?", 2))
-     || strchr(ua, '{')
-     || strchr(ua, '}')
-     || (!(log4j_exploit = strncmp(ua, "jndi:ldap://", 12))) /* Log4J */
-     // || ndpi_check_dga_name(ndpi_struct, NULL, ua, 0)
-     // || ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, ua)
-     ) {
+  if((!ua) || (ua[0] == '\0'))
+    return;
+  else
+    len = strlen(ua);
+
+  if(
+     (!strncmp(ua, "<?", 2))
+     || strchr(ua, '$')
+     || strstr(ua, "://") // || (!strncmp(ua, "jndi:ldap://", 12)) /* Log4J */
+     // || ndpi_check_dga_name(ndpi_struct, NULL, ua, 0)
+     // || ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, ua)
+     ) {
+    ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT);
+
+    ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT);
+  } else if(
+     (len < 4) /* Too short */
+     || (len > 256) /* Too long */
+     || (!strncmp(ua, "test", 4))
+     || strchr(ua, '{')
+     || strchr(ua, '}')
+     ) {
     ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT);
-
-    if(log4j_exploit == 0) /* Log4J exploit */
-      ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT);
   }
 }
 
+/* ************************************************************* */
+
 int http_process_user_agent(struct ndpi_detection_module_struct *ndpi_struct,
                             struct ndpi_flow_struct *flow,
                             const u_int8_t *ua_ptr, u_int16_t ua_ptr_len) {
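Review bot: The `strstr(ua, "://")` clause in the first condition raises NDPI_POSSIBLE_EXPLOIT for any User-Agent that embeds a URL, and well-known crawler User-Agents conventionally carry one (a `+http://…/bot.html` contact link), so this is likely to fire on benign traffic that the old `strncmp(ua, "jndi:ldap://", 12)` prefix check did not flag. The `strchr(ua, '$')` clause already covers the `${…}` lookup form the trailing comment refers to; if a scheme test is still wanted, narrow it to what the old code targeted, e.g. `|| strstr(ua, "jndi:")`, which also removes the old check's limitation of matching only at offset 0. Two smaller points: `u_int len` silently narrows the `size_t` returned by `strlen()`, so `size_t len;` is the safer declaration, and the commented-out `// || (!strncmp(ua, "jndi:ldap://", 12))` now trails a live clause on the `strstr` line, where it is easy to misread as part of the expression. ndpi_check_user_agent lies entirely within the hunk; http_process_user_agent begins at its end and continues outside.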