author | Luca Deri <deri@ntop.org> | 2024-04-11 16:09:09 +0200 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2024-04-11 17:44:44 +0200 |
commit | fd2838e9a1d0d00dee10cb21b0d812ef037b546c (patch) | |
tree | b4644896515848046945dfca75a5dca8828a7d92 /src | |
parent | 39a5d234fdbb1ca80f387c184d30b3bc29df56c1 (diff) |
Minor code cleanup
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/ndpi_main.c | 42 | ||||
-rw-r--r-- | src/lib/protocols/http.c | 25 |
2 files changed, 29 insertions, 38 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 9b873b2d5..19f348bef 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -8168,28 +8168,25 @@ static int ndpi_is_ntop_protocol(ndpi_protocol *ret) {
 /* ********************************************************************************* */
 static void ndpi_search_shellscript(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow)
-{
+ struct ndpi_flow_struct *flow) {
 struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
 NDPI_LOG_DBG(ndpi_struct, "search Shellscript\n");
- if (packet->payload_packet_len < 3)
- {
- return;
- }
+ if (packet->payload_packet_len < 3)
+ return;
 if (packet->payload[0] != '#' || packet->payload[1] != '!' ||
- (packet->payload[2] != '/' && packet->payload[2] != ' '))
- {
- return;
- }
+ (packet->payload[2] != '/' && packet->payload[2] != ' '))
+ return;
 NDPI_LOG_INFO(ndpi_struct, "found Shellscript\n");
 ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, "Shellscript found");
 }
+/* ********************************************************************************* */
+
 /* ELF format specs: https://man7.org/linux/man-pages/man5/elf.5.html */
 static void ndpi_search_elf(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
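Review bot: The brace placement this hunk introduces is not applied uniformly: `ndpi_search_shellscript` (here) and `ndpi_search_portable_executable` (next hunk) now open with `*flow) {` on the signature line, while `ndpi_search_elf`, whose opening brace lies in the unchanged lines between this hunk and the next, appears to keep `{` on its own line, so the three sibling searchers end up with two styles. Independently, the second `if` would benefit from a comment stating what it accepts and why its risk differs from the siblings', e.g. `/* Only "#!/" and "#! " are accepted; this raises NDPI_POSSIBLE_EXPLOIT, whereas ndpi_search_elf and ndpi_search_portable_executable raise NDPI_BINARY_APPLICATION_TRANSFER */`. The closing of `ndpi_search_elf` and its body are outside this hunk.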
@@ -8201,28 +8198,23 @@ static void ndpi_search_elf(struct ndpi_detection_module_struct *ndpi_struct,
 NDPI_LOG_DBG(ndpi_struct, "search ELF file\n");
 if (packet->payload_packet_len < 24)
- {
 return;
- }
 if (ntohl(get_u_int32_t(packet->payload, 0)) != elf_signature)
- {
 return;
- }
 if (le32toh(get_u_int32_t(packet->payload, 20)) > max_version)
- {
 return;
- }
 NDPI_LOG_INFO(ndpi_struct, "found ELF file\n");
 ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER, "ELF found");
 }
+/* ********************************************************************************* */
+
 /* PE32/PE32+ format specs: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format */
 static void ndpi_search_portable_executable(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow)
-{
+ struct ndpi_flow_struct *flow) {
 struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
 static const uint16_t dos_signature = 0x4d5a; /* MZ */
 static const uint32_t pe_signature = 0x50450000; /* PE */
@@ -8230,21 +8222,15 @@ static void ndpi_search_portable_executable(struct ndpi_detection_module_struct
 NDPI_LOG_DBG(ndpi_struct, "search Portable Executable (PE) file\n");
 if (packet->payload_packet_len < 0x3C /* offset to PE header */ + 4)
- {
 return;
- }
 if (ntohs(get_u_int16_t(packet->payload, 0)) != dos_signature)
- {
 return;
- }
 uint32_t const pe_offset = le32toh(get_u_int32_t(packet->payload, 0x3C));
 if ((u_int32_t)(packet->payload_packet_len - 4) <= pe_offset || be32toh(get_u_int32_t(packet->payload, pe_offset)) != pe_signature)
- {
 return;
- }
 NDPI_LOG_INFO(ndpi_struct, "found Portable Executable (PE) file\n");
 ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER, "Portable Executable (PE32/PE32+) found");
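Review bot: In the PE hunk the bound check `if ((u_int32_t)(packet->payload_packet_len - 4) <= pe_offset || ...)` is only free of wrap-around because the earlier `payload_packet_len < 0x3C + 4` return guarantees the operand is at least 0x40, and with the braces now removed that dependency is easy to lose on a later edit; a comment would pin it: `/* payload_packet_len >= 0x40 here, so the subtraction cannot wrap; pe_offset comes from the packet and must stay below payload_packet_len - 4 before the 4-byte read */`. Note also that `<=` rejects `pe_offset == payload_packet_len - 4`, where the 4-byte signature read would still fit exactly; if that slack is deliberate, say so in the same comment, otherwise `<` is the precise bound. The ELF hunk above has the same unbraced-return shape but no arithmetic, so no note there.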
@@ -8648,9 +8634,9 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio
 flow->first_pkt_fully_encrypted = fully_enc_heuristic(ndpi_str, flow);
 }
- if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN &&
- flow->packet_counter <= 5)
- {
+ if((ret.app_protocol == NDPI_PROTOCOL_UNKNOWN)
+ && (packet->payload_packet_len > 0)
+ && (flow->packet_counter <= 5)) {
 ndpi_search_portable_executable(ndpi_str, flow);
 ndpi_search_elf(ndpi_str, flow);
 ndpi_search_shellscript(ndpi_str, flow);
@@ -8979,8 +8965,6 @@ static void parse_single_packet_line(struct ndpi_detection_module_struct *ndpi_s
 }
 }
-
-
 /* ********************************************************************************* */
 /* internal function for every detection to parse one packet and to increase the info buffer */
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 38c1a698c..a85f1c44c 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -68,7 +68,7 @@ static char* forge_attempt_msg(struct ndpi_flow_struct *flow, char *msg, char *b
 static void ndpi_set_binary_data_transfer(struct ndpi_flow_struct *flow, char *msg) {
 char buf[256];
-
+
 ndpi_set_risk(flow, NDPI_BINARY_DATA_TRANSFER, forge_attempt_msg(flow, msg, buf, sizeof(buf)));
 }
@@ -90,7 +90,7 @@ static void ndpi_set_binary_application_transfer(struct ndpi_detection_module_st
 ;
 else {
 char buf[256];
-
+
 ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER, forge_attempt_msg(flow, msg, buf, sizeof(buf)));
 }
 }
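Review bot: The added `(packet->payload_packet_len > 0)` guard in the first hunk is redundant with the minimum-length returns already inside the three searchers (`< 3`, `< 24` and `< 0x3C + 4` in the hunks above), so its intent should be stated rather than left to be rediscovered; if the goal is to skip the three calls cheaply on payload-less packets, `/* Skip payload-less packets before the PE/ELF/shellscript probes; each probe also enforces its own minimum length */` on the line above the `if` would do. One behavioural consequence worth confirming: if `flow->packet_counter` is incremented for payload-less packets too (not visible here), the guard now leaves fewer than five payload-bearing packets in the probing window. `ndpi_internal_detection_process_packet` starts and ends outside the hunk, so it is assumed that `packet` here is the same `&ndpi_str->packet` the searchers read.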
@@ -102,11 +102,18 @@ static void ndpi_analyze_content_signature(struct ndpi_detection_module_struct *
 u_int8_t set_risk = 0;
 const char *msg = NULL;
+ /*
+ NOTE: see also (ndpi_main.c)
+ - ndpi_search_elf
+ - ndpi_search_portable_executable
+ - ndpi_search_shellscript
+ */
+
 if((flow->initial_binary_bytes_len >= 2) && (flow->initial_binary_bytes[0] == 0x4D) && (flow->initial_binary_bytes[1] == 0x5A))
- set_risk = 1, msg = "Found Windows Exe"; /* Win executable */
+ set_risk = 1, msg = "Found DOS/Windows Exe"; /* Win executable */
 else if((flow->initial_binary_bytes_len >= 4) && (flow->initial_binary_bytes[0] == 0x7F) && (flow->initial_binary_bytes[1] == 'E') && (flow->initial_binary_bytes[2] == 'L') && (flow->initial_binary_bytes[3] == 'F'))
- set_risk = 1, msg = "Found Linux Exe"; /* Linux executable */
+ set_risk = 1, msg = "Found Linux Exe"; /* Linux ELF executable */
 else if((flow->initial_binary_bytes_len >= 4) && (flow->initial_binary_bytes[0] == 0xCF) && (flow->initial_binary_bytes[1] == 0xFA) && (flow->initial_binary_bytes[2] == 0xED) && (flow->initial_binary_bytes[3] == 0xFE))
 set_risk = 1, msg = "Found Linux Exe"; /* Linux executable */
@@ -265,7 +272,7 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
 if(app_len_avail > 3) {
 const char** cmp_mimes = NULL;
 bool found = false;
-
+
 switch(app[0]) {
 case 'b': cmp_mimes = download_file_mimes_b; break;
 case 'o': cmp_mimes = download_file_mimes_o; break;
@@ -277,7 +284,7 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
 for(i = 0; cmp_mimes[i] != NULL; i++) {
 if(strncasecmp(app, cmp_mimes[i], app_len_avail) == 0) {
- char str[64];
+ char str[64];
 flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
 NDPI_LOG_INFO(ndpi_struct, "found HTTP file transfer");
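Review bot: The last branch of the signature chain in the first hunk still reports `"Found Linux Exe"` with the comment `/* Linux executable */` for the bytes `0xCF 0xFA 0xED 0xFE`, but that sequence is the 64-bit Mach-O magic (MH_MAGIC_64 as stored little-endian), not an ELF header; the commit relabels the two lines above it and leaves this one misleading, and it also makes ELF and Mach-O indistinguishable in the emitted risk text. Suggest `set_risk = 1, msg = "Found Mach-O Exe"; /* 64-bit Mach-O executable */`, or at minimum correct the comment if the risk string is matched elsewhere. `ndpi_analyze_content_signature` continues outside the hunk, so any later branches are not visible here.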
@@ -364,7 +371,7 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
 if((attachment_len+ATTACHMENT_LEN) <= packet->content_disposition_line.len) {
 char str[64];
-
+
 for(i = 0; binary_exec_file_ext[i] != NULL; i++) {
 /* Use memcmp in case content-disposition contains binary data */
 if(memcmp(&packet->content_disposition_line.ptr[attachment_len],
@@ -585,12 +592,12 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp
 ookla_add_to_cache(ndpi_struct, flow);
 }
- if ((flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) &&
+ if ((flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) &&
 flow->http.user_agent && strstr(flow->http.user_agent, "MSRPC")) {
 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MS_RPCH, master_protocol, NDPI_CONFIDENCE_DPI);
 }
- if ((flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) &&
+ if ((flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) &&
 flow->http.user_agent && strstr(flow->http.user_agent, "Valve/Steam HTTP Client")) {
 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_STEAM, master_protocol, NDPI_CONFIDENCE_DPI);
 } |