diff options
| author | Toni <matzeton@googlemail.com> | 2025-01-11 11:23:42 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-01-11 11:23:42 +0100 |
| commit | 9a0a3bb8e77896d11c851736c550a0f8e10e3a43 (patch) | |
| tree | d1fb2e4e76e63ecc4b917bf4587579577dc92ad3 /src/lib | |
| parent | d351907af8b93020d5d4ac2949d8e9dd0cfb0dd7 (diff) | |
Improved WebSocket-over-HTTP detection (#2664)
* detect `chisel` SSH-over-HTTP-WebSocket
* use `strncasecmp()` for `LINE_*` matching macros
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/ndpi_main.c | 1 | ||||
| -rw-r--r-- | src/lib/protocols/websocket.c | 32 |
2 files changed, 33 insertions, 0 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 97df06ed9..33f737bdd 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1088,6 +1088,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp ndpi_build_default_ports(ports_a, 80, 0 /* ntop */, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); ndpi_set_proto_subprotocols(ndpi_str, NDPI_PROTOCOL_HTTP, + NDPI_PROTOCOL_WEBSOCKET, NDPI_PROTOCOL_CROSSFIRE, NDPI_PROTOCOL_SOAP, NDPI_PROTOCOL_BITTORRENT, NDPI_PROTOCOL_GNUTELLA, NDPI_PROTOCOL_MAPLESTORY, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_WORLDOFWARCRAFT, diff --git a/src/lib/protocols/websocket.c b/src/lib/protocols/websocket.c index b4cb3d1e3..47af111d8 100644 --- a/src/lib/protocols/websocket.c +++ b/src/lib/protocols/websocket.c @@ -106,6 +106,38 @@ static void ndpi_search_websocket(struct ndpi_detection_module_struct *ndpi_stru NDPI_LOG_DBG(ndpi_struct, "search WEBSOCKET\n"); ndpi_check_websocket(ndpi_struct, flow); + // Check also some HTTP headers indicating an upcoming WebSocket connection + if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP && + flow->detected_protocol_stack[1] != NDPI_PROTOCOL_WEBSOCKET) + { + struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; + uint16_t i; + + NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow, packet); + for (i = 0; i < packet->parsed_lines; i++) { + if (LINE_STARTS(packet->line[i], "upgrade:") != 0 && + LINE_ENDS(packet->line[i], "websocket") != 0) + { + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WEBSOCKET, + NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI); + } else if (LINE_STARTS(packet->line[i], "sec-websocket") != 0) { + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WEBSOCKET, + NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI); + if (ndpi_strncasestr((const char *)packet->line[i].ptr, "chisel", + packet->line[i].len) != NULL) + { + ndpi_set_risk(ndpi_struct, flow, NDPI_OBFUSCATED_TRAFFIC, + "Obfuscated SSH-in-HTTP-WebSocket traffic"); + } + } + } + if (i == packet->parsed_lines) + { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return; + } + } + return; } |