Improved HTTP risk report

PCRE2 is now enabled (if present) by default as necessary to report some HTTP risks

3 files changed, 36 insertions, 21 deletions

diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h
index 8b1362393..78ac1d605 100644
--- a/src/include/ndpi_api.h
+++ b/src/include/ndpi_api.h
@@ -1772,7 +1772,8 @@ extern "C" {
 
   void ndpi_data_print_window_values(struct ndpi_analyze_struct *s); /* debug */
 
-  ndpi_risk_enum ndpi_validate_url(char *url);
+  ndpi_risk_enum ndpi_validate_url(struct ndpi_detection_module_struct *ndpi_str,
+				   struct ndpi_flow_struct *flow, char *url);
 
   u_int8_t ndpi_is_protocol_detected(ndpi_protocol proto);
   void ndpi_serialize_risk(ndpi_serializer *serializer, ndpi_risk risk);
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index f53d4cb5d..4eba30a94 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1465,32 +1465,26 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct,
   case NDPI_PROTOCOL_HTTP_CONNECT:
   case NDPI_PROTOCOL_HTTP_PROXY:
     ndpi_serialize_start_of_block(serializer, "http");
+
     if(flow->http.url != NULL) {
-      ndpi_risk_enum risk = ndpi_validate_url(flow->http.url);
-      if (risk != NDPI_NO_RISK)
-      {
-        NDPI_SET_BIT(flow->risk, risk);
-      }
       ndpi_serialize_string_string(serializer, "url", flow->http.url);
       ndpi_serialize_string_uint32(serializer, "code", flow->http.response_status_code);
       ndpi_serialize_string_string(serializer, "content_type", flow->http.content_type);
       ndpi_serialize_string_string(serializer, "user_agent", flow->http.user_agent);
     }
+
     if (flow->http.request_content_type != NULL)
-    {
       ndpi_serialize_string_string(serializer, "request_content_type",
                                    flow->http.request_content_type);
-    }
+
     if (flow->http.detected_os != NULL)
-    {
       ndpi_serialize_string_string(serializer, "detected_os",
                                    flow->http.detected_os);
-    }
+
     if (flow->http.nat_ip != NULL)
-    {
       ndpi_serialize_string_string(serializer, "nat_ip",
                                    flow->http.nat_ip);
-    }
+
     ndpi_serialize_end_of_block(serializer);
     break;
 
@@ -2066,7 +2060,9 @@ static int ndpi_is_rce_injection(char* query) {
 
 /* ********************************** */
 
-ndpi_risk_enum ndpi_validate_url(char *url) {
+ndpi_risk_enum ndpi_validate_url(struct ndpi_detection_module_struct *ndpi_str,
+				 struct ndpi_flow_struct *flow,
+				 char *url) {
   char *orig_str = NULL, *str = NULL, *question_mark = strchr(url, '?');
   ndpi_risk_enum rc = NDPI_NO_RISK;
 
@@ -2113,8 +2109,15 @@ ndpi_risk_enum ndpi_validate_url(char *url) {
 
 	ndpi_free(decoded);
 
-	if(rc != NDPI_NO_RISK)
+	if(rc != NDPI_NO_RISK) {
+	  if(flow != NULL) {
+	    char msg[128];
+
+	    snprintf(msg, sizeof(msg), "Suspicious URL [%s]", url);
+	    ndpi_set_risk(ndpi_str, flow, rc, msg);
+	  }
 	  break;
+	}
       }
 
       str = strtok_r(NULL, "&", &tmp);
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 55b5607c4..4c33aec1a 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -922,9 +922,11 @@ static void ndpi_check_http_url(struct ndpi_detection_module_struct *ndpi_struct
   } else if(strncmp(url, "/.", 2) == 0) {
     r = NDPI_POSSIBLE_EXPLOIT;
     snprintf(msg, sizeof(msg), "URL starting with dot [%s]", url);
-  } else
+  } else {
+    r = ndpi_validate_url(ndpi_struct, flow, url);
     return;
-
+  }
+  
   ndpi_set_risk(ndpi_struct, flow, r, msg);
 }
 
@@ -974,7 +976,11 @@ static void ndpi_check_http_server(struct ndpi_detection_module_struct *ndpi_str
       /* Check server content */
       for(i=0; i<server_len; i++) {
 	if(!ndpi_isprint(server[i])) {
-	  ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, "Suspicious Agent");
+	  char msg[64];
+
+	  snprintf(msg, sizeof(msg), "Suspicious Agent [%s]", server);
+
+	  ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, msg);
 	  break;
 	}
       }
@@ -1180,9 +1186,9 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
 
       if(ndpi_is_valid_hostname((char *)packet->host_line.ptr,
 				packet->host_line.len) == 0) {
+	char str[128];
+	
         if(is_flowrisk_info_enabled(ndpi_struct, NDPI_INVALID_CHARACTERS)) {
-	  char str[128];
-
 	  snprintf(str, sizeof(str), "Invalid host %s", flow->host_server_name);
 	  ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, str);
         } else {
@@ -1190,7 +1196,9 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
         }
 
 	/* This looks like an attack */
-	ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "Suspicious hostname: attack ?");
+
+	snprintf(str, sizeof(str), "Suspicious hostname [%.*s]: attack ?", packet->host_line.len, (char *)packet->host_line.ptr);
+	ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, str);
       }
 
       double_col = strchr((char*)flow->host_server_name, ':');
@@ -1497,7 +1505,10 @@ static void parse_response_code(struct ndpi_detection_module_struct *ndpi_struct
 	    || ((flow->http.method == NDPI_HTTP_METHOD_GET) && (strncmp(slash, "/wp-content/uploads/", 20) == 0))
 	   )) {
           /* Example of popular exploits https://www.wordfence.com/blog/2022/05/millions-of-attacks-target-tatsu-builder-plugin/ */
-          ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "Possible Wordpress Exploit");
+	  char str[128];
+
+	  snprintf(str, sizeof(str), "Possible Wordpress Exploit [%s]", slash);
+          ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, str);
 	}
       }
     }