authorLuca Deri <deri@ntop.org>2022-10-22 10:06:09 +0200
committerLuca Deri <deri@ntop.org>2022-10-22 10:06:09 +0200
commit24cc949f1405b0d9e0be26848168fd3df52bf6d3 (patch)
treefe212253c9cb2c66449c0228be0099595dd20449 /src
parentc5215953831355caae06485497ee6f8e9a34c91f (diff)
Enhanced HTTP numeric IP check
Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_main.h2
-rw-r--r--src/lib/ndpi_utils.c29
-rw-r--r--src/lib/protocols/http.c18
3 files changed, 46 insertions, 3 deletions
diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h
index 4e7284748..ce3439279 100644
--- a/src/include/ndpi_main.h
+++ b/src/include/ndpi_main.h
@@ -171,7 +171,7 @@ extern "C" {
char *ndpi_user_agent_set(struct ndpi_flow_struct *flow, const u_int8_t *value, size_t value_len);
int64_t ndpi_asn1_ber_decode_length(const unsigned char *payload, int payload_len, u_int16_t *value_len);
-
+ char* ndpi_intoav4(unsigned int addr, char* buf, u_int16_t bufLen);
int ndpi_current_pkt_from_client_to_server(const struct ndpi_packet_struct *packet, const struct ndpi_flow_struct *flow);
int ndpi_current_pkt_from_server_to_client(const struct ndpi_packet_struct *packet, const struct ndpi_flow_struct *flow);
int ndpi_seen_flow_beginning(const struct ndpi_flow_struct *flow);
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index ef212cc5f..255a1fa8e 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -2835,3 +2835,32 @@ int64_t ndpi_asn1_ber_decode_length(const unsigned char *payload, int payload_le
(*value_len) += 1;
return value;
}
+
+/* ******************************************* */
+
+char* ndpi_intoav4(unsigned int addr, char* buf, u_int16_t bufLen) {
+ char *cp;
+ int n;
+
+ cp = &buf[bufLen];
+ *--cp = '\0';
+
+ n = 4;
+ do {
+ u_int byte = addr & 0xff;
+
+ *--cp = byte % 10 + '0';
+ byte /= 10;
+ if(byte > 0) {
+ *--cp = byte % 10 + '0';
+ byte /= 10;
+ if(byte > 0)
+ *--cp = byte + '0';
+ }
+ if(n > 1)
+ *--cp = '.';
+ addr >>= 8;
+ } while (--n > 0);
+
+ return(cp);
+}
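Review bot: ndpi_intoav4() writes backwards from `buf[bufLen]` without checking that the buffer can hold the longest result ("255.255.255.255" plus the terminator, 16 bytes), so a smaller `bufLen`, or 0, makes the `*--cp` stores land before the start of `buf`. A guard at the top such as `if(buf == NULL || bufLen < 16) return(NULL);` would bound the writes, provided callers check the result; the one caller in this commit passes a 64-byte buffer. The function is exported through ndpi_main.h, so it also deserves a header comment stating that `addr` is taken in host byte order (the caller here passes `ntohl(...)`) and that the returned pointer lies inside `buf` near its end, not at `buf` itself, so callers must use the return value.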
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 7e6ae2d28..a7876c15e 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -395,14 +395,28 @@ static void setHttpUserAgent(struct ndpi_detection_module_struct *ndpi_struct,
/* ************************************************************* */
static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow) {
+ struct ndpi_flow_struct *flow) {
u_int16_t master_protocol;
if((flow->l4.tcp.http_stage == 0) || (flow->http.url && flow->http_detected)) {
char *double_col = strchr((char*)flow->host_server_name, ':');
-
+ int a, b, c, d;
+
if(double_col) double_col[0] = '\0';
+ if(ndpi_struct->packet.iph
+ && (sscanf(flow->host_server_name, "%d.%d.%d.%d", &a, &b, &c, &d) == 4)) {
+ /* IPv4 */
+
+ if(ndpi_struct->packet.iph->daddr != inet_addr(flow->host_server_name)) {
+ char buf[64], msg[128];
+
+ snprintf(msg, sizeof(msg), "Expected %s, found %s",
+ ndpi_intoav4(ntohl(ndpi_struct->packet.iph->daddr), buf, sizeof(buf)), flow->host_server_name);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, msg);
+ }
+ }
+
master_protocol = NDPI_PROTOCOL_HTTP;
if(flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN)
master_protocol = flow->detected_protocol_stack[1];
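Review bot: The `sscanf(flow->host_server_name, "%d.%d.%d.%d", ...) == 4` test accepts any host that merely begins with four dotted numbers, so a name such as `1.2.3.4.example.com` is treated as numeric IPv4; `inet_addr()` is then expected to reject it and return INADDR_NONE, which differs from `daddr`, so the flow is flagged NDPI_HTTP_SUSPICIOUS_HEADER although the Host is a domain name. The parsed `a`..`d` are never range-checked or used, and INADDR_NONE cannot be told apart from 255.255.255.255. One strict parse would replace both calls: `struct in_addr ip;`, then `if(ndpi_struct->packet.iph && inet_pton(AF_INET, (char*)flow->host_server_name, &ip) == 1)` and `if(ndpi_struct->packet.iph->daddr != ip.s_addr)`. Separately, if this function can run on a server-to-client packet, `daddr` is the client address and the risk would be raised spuriously; gating the check on `ndpi_current_pkt_from_client_to_server()` would avoid that. The function body continues past the end of the hunk.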