authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2021-10-05 09:35:04 +0200
committerGitHub <noreply@github.com>2021-10-05 09:35:04 +0200
commitc1e794366f303495ceb9de4403648a7ae81f84c9 (patch)
tree9850e8ba31a91f4bb1cbc33a3262751794672300 /src
parentbb7aff6526e47ad42c61cc25a6108014cb1a84ce (diff)
WHOIS: enhance detection, avoiding false positives (#1320)
We are interested only in the requested domain name, not in the long reply.
Diffstat (limited to 'src')
-rw-r--r--src/lib/protocols/whoisdas.c27
1 files changed, 12 insertions, 15 deletions
diff --git a/src/lib/protocols/whoisdas.c b/src/lib/protocols/whoisdas.c
index 530b7418b..ed30de9e2 100644
--- a/src/lib/protocols/whoisdas.c
+++ b/src/lib/protocols/whoisdas.c
@@ -33,24 +33,21 @@ void ndpi_search_whois_das(struct ndpi_detection_module_struct *ndpi_struct, str
if(packet->tcp != NULL) {
u_int16_t sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest);
- if(((sport == 43) || (dport == 43)) || ((sport == 4343) || (dport == 4343))) {
-
- if(packet->payload_packet_len > 0) {
+ if((((sport == 43) || (dport == 43)) || ((sport == 4343) || (dport == 4343))) &&
+ packet->payload_packet_len > 2 &&
+ packet->payload[packet->payload_packet_len - 2] == '\r' &&
+ packet->payload[packet->payload_packet_len - 1] == '\n') {
- u_int max_len = sizeof(flow->host_server_name) - 1;
- u_int i, j;
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHOIS_DAS, NDPI_PROTOCOL_UNKNOWN);
- for(i=strlen((const char *)flow->host_server_name), j=0; (i<max_len) && (j<packet->payload_packet_len); i++, j++) {
- if((packet->payload[j] == '\n') || (packet->payload[j] == '\r')) break;
- flow->host_server_name[i] = packet->payload[j];
- }
-
- flow->host_server_name[i] = '\0';
-
- NDPI_LOG_INFO(ndpi_struct, "[WHOIS/DAS] %s\n", flow->host_server_name);
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHOIS_DAS, NDPI_PROTOCOL_UNKNOWN);
- return;
+ if((dport == 43) || (dport == 4343)) { /* Request */
+ u_int hostname_len = ndpi_min(sizeof(flow->host_server_name) - 1, (long unsigned int)packet->payload_packet_len - 2); /* Skip \r\n */
+
+ memcpy(flow->host_server_name, &packet->payload[0], hostname_len);
+ flow->host_server_name[hostname_len] = '\0';
+ NDPI_LOG_INFO(ndpi_struct, "[WHOIS/DAS] %s\n", flow->host_server_name);
}
+ return;
}
}
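Review bot: The request branch copies every payload byte before the final CRLF into `flow->host_server_name`, so a query containing an embedded `\r`, `\n` or other control byte now ends up in the hostname field and in the `NDPI_LOG_INFO` line, whereas the removed loop stopped at the first line break. Because these bytes come straight off the wire, I would cut `hostname_len` at the first CR/LF before the `memcpy`, for example `u_int i;` `for(i = 0; i < hostname_len && packet->payload[i] != '\r' && packet->payload[i] != '\n'; i++) ;` `hostname_len = i;`, and consider rejecting non-printable bytes as well. The length handling itself looks sound: `payload_packet_len > 2` keeps the `- 2` from underflowing and `ndpi_min` keeps the copy inside the buffer. A query longer than the buffer is truncated silently, which deserves a short comment next to the `ndpi_min` line. The function body starts above this hunk, so any earlier checks on the flow are not visible here.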