authorLuca Deri <deri@ntop.org>2020-05-15 19:19:17 +0200
committerLuca Deri <deri@ntop.org>2020-05-15 19:19:17 +0200
commite90c5c7c3223d033467aa359d8b1e264f961fde1 (patch)
tree2adf23c16d38695188805f8a913e1023d0d0b5a9 /src
parent7dfbfff743aaae57691ade003066aeca632e5d49 (diff)
Added NDPI_HTTP_SUSPICIOUS_USER_AGENT ndpi_risk
Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_typedefs.h1
-rw-r--r--src/lib/ndpi_utils.c3
-rw-r--r--src/lib/protocols/http.c22
3 files changed, 24 insertions, 2 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index b11713d2f..10d150877 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -62,6 +62,7 @@ typedef enum {
NDPI_TLS_WEAK_CIPHER,
NDPI_TLS_CERTIFICATE_EXPIRED,
NDPI_TLS_CERTIFICATE_MISMATCH,
+ NDPI_HTTP_SUSPICIOUS_USER_AGENT,
/* Leave this as last member */
NDPI_MAX_RISK
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 1f8e68937..f2c2c2bc9 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1437,6 +1437,9 @@ const char* ndpi_risk2str(ndpi_risk risk) {
case NDPI_TLS_CERTIFICATE_MISMATCH:
return("TLS Certificate Mismatch");
+
+ case NDPI_HTTP_SUSPICIOUS_USER_AGENT:
+ return("HTTP Suspicious User-Agent");
default:
return("");
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index e050a69a8..1c81f8cfb 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -214,7 +214,6 @@ static void setHttpUserAgent(struct ndpi_detection_module_struct *ndpi_struct,
/* Good reference for future implementations:
* https://github.com/ua-parser/uap-core/blob/master/regexes.yaml */
- //printf("==> %s\n", ua);
snprintf((char*)flow->protos.http.detected_os,
sizeof(flow->protos.http.detected_os), "%s", ua);
}
@@ -236,6 +235,23 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp
/* ************************************************************* */
+static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow,
+ char *ua) {
+ if((!ua) || (ua[0] == '\0')) return;
+
+ // printf("[%s:%d] ==> '%s'\n", __FILE__, __LINE__, ua);
+
+ if((strlen(ua) < 4)
+ || (!strcmp(ua, "test"))
+ || (!strcmp(ua, "<?"))
+ || ndpi_match_bigram(ndpi_struct, &ndpi_struct->bigrams_automa, ua)) {
+ NDPI_SET_BIT_16(flow->risk, NDPI_HTTP_SUSPICIOUS_USER_AGENT);
+ }
+}
+
+/* ************************************************************* */
+
/**
NOTE
ndpi_parse_packet_line_info is in ndpi_main.c
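Review bot: The `!strcmp(ua, "<?")` test in the new ndpi_check_user_agent condition is unreachable, because "<?" is two characters and the `strlen(ua) < 4` test on the line above already flags it; drop the comparison, or raise the length threshold only if that was the intent. The commented-out printf after the empty-string guard is leftover debug output of exactly the kind the earlier hunk in setHttpUserAgent removes, so it should go for consistency. `ua` is only read, so the parameter can be `const char *ua`. The function carries no comment saying what it marks as suspicious; suggest above it: `/* Flag a User-Agent that is shorter than 4 bytes, a known placeholder ("test"), or that ndpi_match_bigram() matches against ndpi_struct->bigrams_automa; sets NDPI_HTTP_SUSPICIOUS_USER_AGENT in flow->risk. */`. Because the risk is stored with NDPI_SET_BIT_16, it is worth confirming that the ordinal of the enum member added in the first hunk still fits a 16-bit mask.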
@@ -300,7 +316,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
strncpy(ua, (const char *)packet->user_agent_line.ptr, mlen);
ua[mlen] = '\0';
-
+
if(strncmp(ua, "Mozilla", 7) == 0) {
char *parent = strchr(ua, '(');
@@ -360,6 +376,8 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
strncpy(flow->http.user_agent, (char*)packet->user_agent_line.ptr,
packet->user_agent_line.len);
flow->http.user_agent[packet->user_agent_line.len] = '\0';
+
+ ndpi_check_user_agent(ndpi_struct, flow, flow->http.user_agent);
}
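Review bot: The new ndpi_check_user_agent call relies on flow->http.user_agent being NUL-terminated by the `flow->http.user_agent[packet->user_agent_line.len] = '\0';` write just above it, which is only safe if packet->user_agent_line.len has already been checked against `sizeof(flow->http.user_agent) - 1` earlier in check_content_type_and_change_protocol; that guard is outside this hunk, so confirm it exists before the strncpy. If it does not, the terminator write is out of bounds before the new check even runs. The enclosing function begins and ends outside the hunk.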
}