authorLuca Deri <deri@ntop.org>2020-05-15 22:49:55 +0200
committerLuca Deri <deri@ntop.org>2020-05-15 22:49:55 +0200
commitc375782b96faf30558b3f91a7fe05eae62fc79c2 (patch)
tree21e9a729a848140d42649cc79ecdc9fd13a0627a /src/lib
parent8e7b1ea7a136cc4e4aa9880072ec2d69900a825e (diff)
Added check for binary scripts
Added NDPI_HTTP_NUMERIC_IP_HOST risk; ndpi_risk moved to 32 bit
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/ndpi_main.c4
-rw-r--r--src/lib/ndpi_utils.c3
-rw-r--r--src/lib/protocols/http.c40
-rw-r--r--src/lib/protocols/tls.c10
4 files changed, 43 insertions, 14 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 59d4f3491..fc7a5e530 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -4600,7 +4600,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
&& (found->proto->protoId != NDPI_PROTOCOL_UNKNOWN)
&& (found->proto->protoId != ret.master_protocol)) {
// printf("******** %u / %u\n", found->proto->protoId, ret.master_protocol);
- NDPI_SET_BIT_16(flow->risk, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT);
+ NDPI_SET_BIT(flow->risk, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT);
} else if(default_ports && (default_ports[0] != 0)) {
u_int8_t found = 0, i;
@@ -4613,7 +4613,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
if(!found) {
// printf("******** Invalid default port\n");
- NDPI_SET_BIT_16(flow->risk, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT);
+ NDPI_SET_BIT(flow->risk, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT);
}
}
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index f2c2c2bc9..2f4419344 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1440,6 +1440,9 @@ const char* ndpi_risk2str(ndpi_risk risk) {
case NDPI_HTTP_SUSPICIOUS_USER_AGENT:
return("HTTP Suspicious User-Agent");
+
+ case NDPI_HTTP_NUMERIC_IP_HOST:
+ return("HTTP Numeric IP Address");
default:
return("");
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 1c81f8cfb..b648bf754 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -51,18 +51,23 @@ static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struc
static void ndpi_analyze_content_signature(struct ndpi_flow_struct *flow) {
if((flow->initial_binary_bytes_len >= 2) && (flow->initial_binary_bytes[0] == 0x4D) && (flow->initial_binary_bytes[1] == 0x5A))
- NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER); /* Win executable */
+ NDPI_SET_BIT(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER); /* Win executable */
else if((flow->initial_binary_bytes_len >= 4) && (flow->initial_binary_bytes[0] == 0x7F) && (flow->initial_binary_bytes[1] == 'E')
&& (flow->initial_binary_bytes[2] == 'L') && (flow->initial_binary_bytes[3] == 'F'))
- NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER); /* Linux executable */
+ NDPI_SET_BIT(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER); /* Linux executable */
else if((flow->initial_binary_bytes_len >= 4) && (flow->initial_binary_bytes[0] == 0xCF) && (flow->initial_binary_bytes[1] == 0xFA)
&& (flow->initial_binary_bytes[2] == 0xED) && (flow->initial_binary_bytes[3] == 0xFE))
- NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER); /* Linux executable */
+ NDPI_SET_BIT(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER); /* Linux executable */
+ else if((flow->initial_binary_bytes_len >= 3)
+ && (flow->initial_binary_bytes[0] == '#')
+ && (flow->initial_binary_bytes[1] == '!')
+ && (flow->initial_binary_bytes[2] == '/'))
+ NDPI_SET_BIT(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER); /* Unix script (e.g. #!/bin/sh) */
else if(flow->initial_binary_bytes_len >= 8) {
u_int8_t exec_pattern[] = { 0x64, 0x65, 0x78, 0x0A, 0x30, 0x33, 0x35, 0x00 };
if(memcmp(flow->initial_binary_bytes, exec_pattern, 8) == 0)
- NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER); /* Dalvik Executable (Android) */
+ NDPI_SET_BIT(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER); /* Dalvik Executable (Android) */
}
}
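Review bot: The new shebang test on lines +68–+71 requires the third byte to be `/`, so a script whose interpreter line is written `#! /bin/sh` (space after `#!`, a form the kernel accepts) is not flagged; matching only the two bytes `#!` — `(flow->initial_binary_bytes_len >= 2) && (flow->initial_binary_bytes[0] == '#') && (flow->initial_binary_bytes[1] == '!')` — covers both spellings with the same risk semantics. On line +67 the comment `/* Linux executable */` is wrong: the bytes CF FA ED FE are the little-endian 64-bit Mach-O magic, so it should read `/* Mach-O 64-bit executable (macOS) */`. Since every branch sets the same NDPI_BINARY_APPLICATION_TRANSFER bit, the chain could also be collapsed into one condition, but that is a matter of taste.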
@@ -111,7 +116,7 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
for (int i = 0; binary_file_mimes[i] != NULL; i++) {
if (ndpi_strncasestr(app, binary_file_mimes[i], app_len_avail) != NULL) {
flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
- NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER);
+ NDPI_SET_BIT(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER);
NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer");
return(flow->category);
}
@@ -128,7 +133,7 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
if (ndpi_strncasestr((const char*)&packet->content_disposition_line.ptr[attachment_len],
binary_file_ext[i], filename_len)) {
flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
- NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER);
+ NDPI_SET_BIT(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER);
NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer");
return(flow->category);
}
@@ -246,7 +251,24 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru
|| (!strcmp(ua, "test"))
|| (!strcmp(ua, "<?"))
|| ndpi_match_bigram(ndpi_struct, &ndpi_struct->bigrams_automa, ua)) {
- NDPI_SET_BIT_16(flow->risk, NDPI_HTTP_SUSPICIOUS_USER_AGENT);
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_USER_AGENT);
+ }
+}
+
+/* ************************************************************* */
+
+static void ndpi_check_numeric_ip(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow,
+ char *ip, u_int ip_len) {
+ char buf[22];
+ struct in_addr ip_addr;
+
+ strncpy(buf, ip, ip_len);
+ buf[ip_len] = '\0';
+
+ ip_addr.s_addr = inet_addr(buf);;
+ if(strcmp(inet_ntoa(ip_addr), buf) == 0) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_NUMERIC_IP_HOST);
}
}
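Review bot: ndpi_check_numeric_ip copies `ip_len` bytes into `char buf[22]` (lines +112 and +115) without checking `ip_len` against `sizeof(buf)`; the only bound is the `host_line.len < 21` test at the call site in check_content_type_and_change_protocol (next hunk), so any future caller, or a change to that literal, turns this into a stack buffer overflow. The validity test also round-trips through inet_addr()/inet_ntoa(): inet_ntoa() returns a pointer to a static buffer and is not reentrant, which matters when nDPI is driven from several threads, and inet_addr() cannot distinguish a parse failure from 255.255.255.255. `inet_pton(AF_INET, buf, &ip_addr) == 1` gives the same dotted-decimal-only decision in one reentrant call; in addition the `ndpi_struct` parameter is unused and line +118 ends with a doubled `;;`. Rewritten body below.
```c
static void ndpi_check_numeric_ip(struct ndpi_detection_module_struct *ndpi_struct,
				  struct ndpi_flow_struct *flow,
				  char *ip, u_int ip_len) {
  char buf[22];
  struct in_addr ip_addr;

  /* Callers are expected to bound ip_len, but never rely on it here */
  if(ip_len >= sizeof(buf))
    return;

  memcpy(buf, ip, ip_len); /* ip is not NUL-terminated (points into the packet) */
  buf[ip_len] = '\0';

  /* inet_pton() accepts only canonical dotted-decimal input and is reentrant,
     so it replaces the inet_addr()/inet_ntoa() round trip */
  if(inet_pton(AF_INET, buf, &ip_addr) == 1)
    NDPI_SET_BIT(flow->risk, NDPI_HTTP_NUMERIC_IP_HOST);
}
```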
@@ -270,6 +292,10 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
&& (packet->host_line.len > 0)) {
int len = packet->http_url_name.len + packet->host_line.len + 1;
+ if(isdigit(packet->host_line.ptr[0])
+ && (packet->host_line.len < 21))
+ ndpi_check_numeric_ip(ndpi_struct, flow, (char*)packet->host_line.ptr, packet->host_line.len);
+
flow->http.url = ndpi_malloc(len);
if(flow->http.url) {
strncpy(flow->http.url, (char*)packet->host_line.ptr, packet->host_line.len);
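Review bot: The new guard on lines +126–+128 only routes a Host value that starts with a digit and is shorter than 21 bytes to ndpi_check_numeric_ip, and that callee accepts nothing but a bare dotted-quad, so a numeric host carrying a port (`1.2.3.4:8080`) or a bracketed IPv6 literal is never flagged; if that is intended it deserves a comment, otherwise strip a trailing `:port` before the call. The literal `21` is the bound for the callee's 22-byte buffer (raised at the ndpi_check_numeric_ip hunk) and should come from one named constant shared by the guard and the buffer declaration, e.g. a constructed `NDPI_MAX_NUMERIC_HOST_LEN`, rather than two unrelated magic numbers. `isdigit()` on `host_line.ptr[0]` is only well-defined if `ptr` is an unsigned byte type, which the `(char*)` cast on the following line suggests but the hunk does not show. check_content_type_and_change_protocol begins and ends outside the hunk.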
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 327f7dc15..62b2e3cf8 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -376,7 +376,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
if((flow->packet.tick_timestamp < flow->protos.stun_ssl.ssl.notBefore)
|| (flow->packet.tick_timestamp > flow->protos.stun_ssl.ssl.notAfter))
- NDPI_SET_BIT_16(flow->risk, NDPI_TLS_CERTIFICATE_EXPIRED); /* Certificate expired */
+ NDPI_SET_BIT(flow->risk, NDPI_TLS_CERTIFICATE_EXPIRED); /* Certificate expired */
}
}
}
@@ -460,7 +460,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
} /* while */
if(!matched_name)
- NDPI_SET_BIT_16(flow->risk, NDPI_TLS_CERTIFICATE_MISMATCH); /* Certificate mismatch */
+ NDPI_SET_BIT(flow->risk, NDPI_TLS_CERTIFICATE_MISMATCH); /* Certificate mismatch */
}
}
@@ -468,7 +468,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
if(flow->protos.stun_ssl.ssl.subjectDN && flow->protos.stun_ssl.ssl.issuerDN
&& (!strcmp(flow->protos.stun_ssl.ssl.subjectDN, flow->protos.stun_ssl.ssl.issuerDN)))
- NDPI_SET_BIT_16(flow->risk, NDPI_TLS_SELFSIGNED_CERTIFICATE);
+ NDPI_SET_BIT(flow->risk, NDPI_TLS_SELFSIGNED_CERTIFICATE);
#if DEBUG_TLS
printf("[TLS] %s() SubjectDN [%s]\n", __FUNCTION__, rdnSeqBuf);
@@ -855,7 +855,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
tls_version = ntohs(*((u_int16_t*)&packet->payload[version_offset]));
flow->protos.stun_ssl.ssl.ssl_version = ja3.tls_handshake_version = tls_version;
if(flow->protos.stun_ssl.ssl.ssl_version < 0x0302) /* TLSv1.1 */
- NDPI_SET_BIT_16(flow->risk, NDPI_TLS_OBSOLETE_VERSION);
+ NDPI_SET_BIT(flow->risk, NDPI_TLS_OBSOLETE_VERSION);
if(handshake_type == 0x02 /* Server Hello */) {
int i, rc;
@@ -880,7 +880,7 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
ja3.num_cipher = 1, ja3.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset]));
if((flow->protos.stun_ssl.ssl.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja3.cipher[0])) == 1)
- NDPI_SET_BIT_16(flow->risk, NDPI_TLS_WEAK_CIPHER);
+ NDPI_SET_BIT(flow->risk, NDPI_TLS_WEAK_CIPHER);
flow->protos.stun_ssl.ssl.server_cipher = ja3.cipher[0];