authorLuca Deri <deri@ntop.org>2022-02-17 17:20:52 +0100
committerLuca Deri <deri@ntop.org>2022-02-17 17:20:52 +0100
commita2878af1eed26db8380bf8c29e5bb64a0181f935 (patch)
treea341c52e76f170f799a24bca3f7a3bc57071ca5d /src/lib/protocols
parent8a2a47e62a0d7b1bc8815dc4f09c35b73393454e (diff)
Added new flow risk NDPI_HTTP_CRAWLER_BOT
Diffstat (limited to 'src/lib/protocols')
-rw-r--r--src/lib/protocols/http.c50
1 files changed, 36 insertions, 14 deletions
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index cf1e6282b..b34206271 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -422,31 +422,53 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru
struct ndpi_flow_struct *flow,
char *ua) {
u_int len;
-
+ char *double_slash;
+
if((!ua) || (ua[0] == '\0'))
return;
else
len = strlen(ua);
- if(
- (!strncmp(ua, "<?", 2))
- || strchr(ua, '$')
- || strstr(ua, "://") // || (!strncmp(ua, "jndi:ldap://", 12)) /* Log4J */
- // || ndpi_check_dga_name(ndpi_struct, NULL, ua, 0)
- // || ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, ua)
- ) {
+ if((!strncmp(ua, "<?", 2))
+ || strchr(ua, '$')
+ // || ndpi_check_dga_name(ndpi_struct, NULL, ua, 0)
+ // || ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, ua)
+ )
ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT);
+ if((double_slash = strstr(ua, "://")) != NULL) {
+ if(double_slash != ua) /* We're not at the beginning of the user agent */{
+ if((double_slash[-1] != 'p') /* http:// */
+ && (double_slash[-1] != 's') /* https:// */)
+ ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT);
+ }
+ }
+
+ /* no else */
+ if(!strncmp(ua, "jndi:ldap://", 12)) /* Log4J */ {
ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT);
} else if(
- (len < 4) /* Too short */
- || (len > 256) /* Too long */
- || (!strncmp(ua, "test", 4))
- || strchr(ua, '{')
- || strchr(ua, '}')
- ) {
+ (len < 4) /* Too short */
+ || (len > 256) /* Too long */
+ || (!strncmp(ua, "test", 4))
+ || strchr(ua, '{')
+ || strchr(ua, '}')
+ ) {
ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT);
}
+
+ /*
+ Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)
+ Amazon-Route53-Health-Check-Service (ref 68784dad-be98-49e4-a63c-9fbbe2816d7c; report http://amzn.to/1vsZADi)
+ Anonymous Crawler/1.0 (Webcrawler developed with StormCrawler; http://example.com/; webcrawler@example.com)
+ */
+ if((strstr(ua, "+http") != NULL)
+ || (strstr(ua, " http") != NULL)
+ || strcasestr(ua, "Crawler")
+ || strcasestr(ua, "Bot") /* bot/robot */
+ ) {
+ ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_CRAWLER_BOT);
+ }
}
/* ************************************************************* */
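Review bot: The Log4J check added at `if(!strncmp(ua, "jndi:ldap://", 12))` only fires when the user agent starts with that literal, so the usual payload form `${jndi:ldap://host/x}` (and the rmi/dns variants) would be caught only by the `$`/`{` tests as NDPI_HTTP_SUSPICIOUS_USER_AGENT and never reach NDPI_POSSIBLE_EXPLOIT; if the exploit risk is meant to cover the common form, an unanchored `if(strstr(ua, "jndi:") != NULL) /* Log4J */ {` would do it without changing the surrounding else-chain. The new `double_slash[-1]` test is in bounds thanks to the `double_slash != ua` guard, but it looks at a single character, so any scheme ending in `p` or `s` (e.g. `ftp://`, `ldap://`) is treated like `http://`/`https://` — worth a comment stating that this is deliberate if it is. The crawler heuristic `strcasestr(ua, "Bot")` is a bare substring match and, as far as the visible lines show, will also tag user agents that merely contain those letters; a comment noting the expected false-positive rate would help whoever tunes this later. Note that `strcasestr` is a GNU/BSD extension rather than ISO C, so if http.c is built on platforms without it this line may need a portable helper. The function's signature line is only visible in the hunk header, so anything above the `len` declaration is outside this view.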