author | loures <loures.raso@gmail.com> | 2020-05-14 12:42:42 +0200 |
committer | loures <loures.raso@gmail.com> | 2020-05-14 12:47:22 +0200 |
commit | baddfbb6c3d09398b207248c64dc8fe6d5568ee6 (patch) | |
tree | 6bca03facc73cd6d15d71b9653aad4c6d694ca6e /src/lib/protocols | |
parent | fb64346e28633055dac543bc0ef6f3c406d5bbd5 (diff) |
Extend packet struct with Content-Disposition HTTP header field
and improve HTTP binary transfer mime type check
Diffstat (limited to 'src/lib/protocols')
-rw-r--r-- | src/lib/protocols/http.c | 39 |
1 files changed, 34 insertions, 5 deletions
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 48dab0d38..abcf8c32e 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -28,6 +28,15 @@
 #include "ndpi_api.h"
 #include <stdlib.h>
 
+static const char* binary_file_mimes[] = {
+  "exe",
+  "vnd.ms-cab-compressed",
+  "vnd.microsoft.portable-executable"
+  "x-msdownload",
+  "x-dosexec",
+  NULL
+};
+
 static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
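Review bot: The entry `"vnd.microsoft.portable-executable"` in binary_file_mimes is missing its trailing comma, so the preprocessor concatenates it with the next literal and the table actually holds the single string "vnd.microsoft.portable-executablex-msdownload"; neither `application/vnd.microsoft.portable-executable` nor `application/x-msdownload` will match that entry, and x-msdownload contains no "exe" substring to be caught by the first entry either. The fix is the one-character change `"vnd.microsoft.portable-executable",`. Since the table is never written, `static const char *const binary_file_mimes[]` would also let the compiler reject accidental modification of the pointers. The hunk's trailing context lines appear to be cut off on this page.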
@@ -91,14 +100,34 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
       if(ndpi_strncasestr(app, "mpeg", app_len_avail) != NULL) {
         flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_STREAMING;
         return(flow->category);
-      } else if(ndpi_strncasestr(app, "exe", app_len_avail) != NULL) {
-        flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
-        NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER);
-        NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer\n");
-        return(flow->category);
+      } else {
+        for (int i = 0; binary_file_mimes[i] != NULL; i++) {
+          if (ndpi_strncasestr(app, binary_file_mimes[i], app_len_avail) != NULL) {
+            flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
+            NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER);
+            NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer");
+            return(flow->category);
+          }
+        }
       }
     }
 
+  if (packet->content_disposition_line.len > 0) {
+    /* check for weird exe name as attachment */
+    uint8_t attachment_len = sizeof("attachment; filename");
+    if (packet->content_disposition_line.len > attachment_len) {
+      uint8_t filename_len = packet->content_disposition_line.len - attachment_len;
+      /* might want to extend this to match more filenames */
+      if (strncmp((const char *)&packet->content_disposition_line.ptr[attachment_len],
+                  "\"phn34ycjtghm.exe\"", filename_len) == 0) {
+        flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
+        NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER);
+        NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer");
+        return(flow->category);
+      }
+    }
+  }
+
   switch(packet->content_line.ptr[0]) {
   case 'a':
     if(strncasecmp((const char *)packet->content_line.ptr, "audio", |
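Review bot: In the Content-Disposition block, `filename_len` is a `uint8_t` computed from `content_disposition_line.len`, so any header value of 256 bytes or more wraps the count to a small number and strncmp then compares only that many leading bytes, turning an exact-name check into an attacker-controllable prefix check; the length should keep the line's own width, e.g. `size_t filename_len = packet->content_disposition_line.len - attachment_len;`. The offset is also only right by accident: `sizeof("attachment; filename")` is 21 because it counts the NUL, which happens to step over the `=` that the literal omits — spell it as `size_t attachment_len = sizeof("attachment; filename=") - 1;` so the intent is visible and the value survives a later edit to the prefix. The two new NDPI_LOG_INFO calls drop the trailing `\n` that the removed line had, which looks unintended if the macro does not append one. The enclosing function ndpi_http_check_content begins before this hunk.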