authorLuca Deri <deri@ntop.org>2022-02-03 13:06:27 +0100
committerLuca Deri <deri@ntop.org>2022-02-03 13:06:27 +0100
commit0dd5ac89f842ac37f4c36ff67620a49b9e7eb76f (patch)
tree637c09c44f1f896a4d4904601757db3e088ed555 /src/lib
parent6975f265ec030bc37c42335a79fb6d82f9bfff30 (diff)
Renamed DCERPC to more generic RPC protocol so we can use also for other types of RPCs (not limited to DCE)
Extended HTTP plugin to support RPC. Improved HTTP clear text detection to limit it to Basic and Digest
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/ndpi_main.c4
-rw-r--r--src/lib/ndpi_utils.c32
-rw-r--r--src/lib/protocols/dcerpc.c8
-rw-r--r--src/lib/protocols/http.c32
4 files changed, 50 insertions, 26 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index a72eff8b8..baa41d5fb 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1393,8 +1393,8 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
"WorldOfKungFu", NDPI_PROTOCOL_CATEGORY_GAME,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
- ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DCERPC,
- "DCE_RPC", NDPI_PROTOCOL_CATEGORY_RPC,
+ ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_RPC,
+ "RPC", NDPI_PROTOCOL_CATEGORY_RPC,
ndpi_build_default_ports(ports_a, 135, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_NETFLOW,
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index dea83dbdc..605f2110e 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1930,16 +1930,18 @@ u_int16_t ndpi_risk2score(ndpi_risk risk,
const char* ndpi_http_method2str(ndpi_http_method m) {
switch(m) {
- case NDPI_HTTP_METHOD_UNKNOWN: break;
- case NDPI_HTTP_METHOD_OPTIONS: return("OPTIONS");
- case NDPI_HTTP_METHOD_GET: return("GET");
- case NDPI_HTTP_METHOD_HEAD: return("HEAD");
- case NDPI_HTTP_METHOD_PATCH: return("PATCH");
- case NDPI_HTTP_METHOD_POST: return("POST");
- case NDPI_HTTP_METHOD_PUT: return("PUT");
- case NDPI_HTTP_METHOD_DELETE: return("DELETE");
- case NDPI_HTTP_METHOD_TRACE: return("TRACE");
- case NDPI_HTTP_METHOD_CONNECT: return("CONNECT");
+ case NDPI_HTTP_METHOD_UNKNOWN: break;
+ case NDPI_HTTP_METHOD_OPTIONS: return("OPTIONS");
+ case NDPI_HTTP_METHOD_GET: return("GET");
+ case NDPI_HTTP_METHOD_HEAD: return("HEAD");
+ case NDPI_HTTP_METHOD_PATCH: return("PATCH");
+ case NDPI_HTTP_METHOD_POST: return("POST");
+ case NDPI_HTTP_METHOD_PUT: return("PUT");
+ case NDPI_HTTP_METHOD_DELETE: return("DELETE");
+ case NDPI_HTTP_METHOD_TRACE: return("TRACE");
+ case NDPI_HTTP_METHOD_CONNECT: return("CONNECT");
+ case NDPI_HTTP_METHOD_RPC_IN_DATA: return("RPC_IN_DATA");
+ case NDPI_HTTP_METHOD_RPC_OUT_DATA: return("RPC_OUT_DATA");
}
return("Unknown HTTP method");
@@ -1967,8 +1969,16 @@ ndpi_http_method ndpi_http_str2method(const char* method, u_int16_t method_len)
case 'D': return(NDPI_HTTP_METHOD_DELETE);
case 'T': return(NDPI_HTTP_METHOD_TRACE);
case 'C': return(NDPI_HTTP_METHOD_CONNECT);
+ case 'R':
+ if(method_len >= 11) {
+ if(strncmp(method, "RPC_IN_DATA", 11) == 0)
+ return(NDPI_HTTP_METHOD_RPC_IN_DATA);
+ else if(strncmp(method, "RPC_OUT_DATA", 11) == 0)
+ return(NDPI_HTTP_METHOD_RPC_OUT_DATA);
+ }
+ break;
}
-
+
return(NDPI_HTTP_METHOD_UNKNOWN);
}
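Review bot: The RPC_OUT_DATA branch compares only 11 bytes of a 12-byte literal, so `strncmp(method, "RPC_OUT_DATA", 11)` really tests for the prefix "RPC_OUT_DAT", and an 11-byte method of exactly those bytes (which the `method_len >= 11` guard lets through) is accepted as RPC_OUT_DATA. Both the length guard and the compare length should be 12 for that literal: `else if((method_len >= 12) && (strncmp(method, "RPC_OUT_DATA", 12) == 0))`. Prefix matching itself is consistent with the single-character cases above, so a longer method starting with "RPC_IN_DATA" still classifies as that method, which seems intended. ndpi_http_str2method starts outside the hunk.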
diff --git a/src/lib/protocols/dcerpc.c b/src/lib/protocols/dcerpc.c
index b353caf20..198d27b38 100644
--- a/src/lib/protocols/dcerpc.c
+++ b/src/lib/protocols/dcerpc.c
@@ -23,7 +23,7 @@
#include "ndpi_protocol_ids.h"
-#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_DCERPC
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_RPC
#include "ndpi_api.h"
#include <stdbool.h>
@@ -31,7 +31,7 @@
static void ndpi_int_dcerpc_add_connection(struct ndpi_detection_module_struct
*ndpi_struct, struct ndpi_flow_struct *flow)
{
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DCERPC, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RPC, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
}
bool is_connection_oriented_dcerpc(struct ndpi_packet_struct *packet, struct ndpi_flow_struct *flow)
@@ -95,8 +95,8 @@ void ndpi_search_dcerpc(struct ndpi_detection_module_struct *ndpi_struct, struct
void init_dcerpc_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
- ndpi_set_bitmask_protocol_detection("DCE_RPC", ndpi_struct, detection_bitmask, *id,
- NDPI_PROTOCOL_DCERPC,
+ ndpi_set_bitmask_protocol_detection("RPC", ndpi_struct, detection_bitmask, *id,
+ NDPI_PROTOCOL_RPC,
ndpi_search_dcerpc,
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
SAVE_DETECTION_BITMASK_AS_UNKNOWN,
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index a33cd6f00..fd3a64664 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -196,7 +196,7 @@ static void ndpi_validate_http_content(struct ndpi_detection_module_struct *ndpi
Java downloads Java: Log4J:
https://corelight.com/blog/detecting-log4j-exploits-via-zeek-when-java-downloads-java
*/
-
+
ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT);
}
}
@@ -343,7 +343,7 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd
(flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN) ?
flow->detected_protocol_stack[1] : NDPI_PROTOCOL_HTTP,
NDPI_CONFIDENCE_DPI);
-
+
/* This is necessary to inform the core to call this dissector again */
flow->check_extra_packets = 1;
flow->max_extra_packets_to_check = 8;
@@ -390,7 +390,7 @@ static void setHttpUserAgent(struct ndpi_detection_module_struct *ndpi_struct,
* https://github.com/ua-parser/uap-core/blob/master/regexes.yaml */
if(flow->http.detected_os == NULL)
- flow->http.detected_os = ndpi_strdup(ua);
+ flow->http.detected_os = ndpi_strdup(ua);
}
/* ************************************************************* */
@@ -422,11 +422,11 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru
struct ndpi_flow_struct *flow,
char *ua) {
u_int len;
-
+
if((!ua) || (ua[0] == '\0'))
return;
else
- len = strlen(ua);
+ len = strlen(ua);
if(
(!strncmp(ua, "<?", 2))
@@ -436,7 +436,7 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru
// || ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, ua)
) {
ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT);
-
+
ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT);
} else if(
(len < 4) /* Too short */
@@ -610,6 +610,12 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
flow->http.method = ndpi_http_str2method((const char*)packet->http_method.ptr,
(u_int16_t)packet->http_method.len);
+
+ if((flow->http.method == NDPI_HTTP_METHOD_RPC_IN_DATA)
+ || (flow->http.method == NDPI_HTTP_METHOD_RPC_OUT_DATA)) {
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RPC, flow->detected_protocol_stack[0], NDPI_CONFIDENCE_DPI);
+ check_content_type_and_change_protocol(ndpi_struct, flow);
+ }
}
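Review bot: The recursive call `check_content_type_and_change_protocol(ndpi_struct, flow);` is bounded only by whatever condition encloses this block, and that condition starts outside the hunk; if it is re-satisfied on re-entry (flow->http.method is recomputed from the same packet->http_method and will again be RPC_IN_DATA or RPC_OUT_DATA), the function recurses without limit. Assuming ndpi_set_detected_protocol stores its third argument in detected_protocol_stack[0], a self-contained guard makes termination independent of the outer condition: `if(((flow->http.method == NDPI_HTTP_METHOD_RPC_IN_DATA) || (flow->http.method == NDPI_HTTP_METHOD_RPC_OUT_DATA)) && (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_RPC)) {`. A one-line comment such as `/* Re-run the header checks now that the protocol stack is RPC over HTTP */` would also record why the function re-enters itself, which is not obvious from the call.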
if(packet->server_line.ptr != NULL && (packet->server_line.len > 7)) {
@@ -718,7 +724,13 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
if(packet->authorization_line.ptr != NULL) {
NDPI_LOG_DBG2(ndpi_struct, "Authorization line found %.*s\n",
packet->authorization_line.len, packet->authorization_line.ptr);
- ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
+
+ if(ndpi_strncasestr((const char*)packet->authorization_line.ptr,
+ "Basic", packet->authorization_line.len)
+ || ndpi_strncasestr((const char*)packet->authorization_line.ptr,
+ "Digest", packet->authorization_line.len)) {
+ ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
+ }
}
if(packet->content_line.ptr != NULL && packet->content_line.len != 0) {
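Review bot: `ndpi_strncasestr` looks for "Basic" and "Digest" anywhere inside the Authorization value rather than as the scheme token at its start, so a Bearer or custom-scheme credential whose opaque token happens to contain those letters (the search is case-insensitive) is still flagged as NDPI_CLEAR_TEXT_CREDENTIALS, which is the false positive this change set out to remove. Assuming authorization_line points at the value following the header name, as the debug message suggests, a bounded case-insensitive prefix test is more precise: `if((packet->authorization_line.len >= 6 && strncasecmp((const char*)packet->authorization_line.ptr, "Basic ", 6) == 0) || (packet->authorization_line.len >= 7 && strncasecmp((const char*)packet->authorization_line.ptr, "Digest ", 7) == 0))`. Digest transmits a hash rather than the password itself, so a short comment on why it is still classified under this risk would help the next reader. check_content_type_and_change_protocol starts outside the hunk.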
@@ -807,7 +819,9 @@ static struct l_string {
STATIC_STRING_L("DELETE "),
STATIC_STRING_L("CONNECT "),
STATIC_STRING_L("PROPFIND "),
- STATIC_STRING_L("REPORT ") };
+ STATIC_STRING_L("REPORT "),
+ STATIC_STRING_L("RPC_IN_DATA "), STATIC_STRING_L("RPC_OUT_DATA ")
+};
static const char *http_fs = "CDGHOPR";
static u_int16_t http_request_url_offset(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
@@ -1089,7 +1103,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
packet->http_method.ptr = packet->line[0].ptr;
packet->http_method.len = filename_start - 1;
-
+
/* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
flow->l4.tcp.http_stage = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2
return;