diff options
| author | Toni <matzeton@googlemail.com> | 2025-01-11 11:23:42 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-01-11 11:23:42 +0100 |
| commit | 9a0a3bb8e77896d11c851736c550a0f8e10e3a43 (patch) | |
| tree | d1fb2e4e76e63ecc4b917bf4587579577dc92ad3 /src | |
| parent | d351907af8b93020d5d4ac2949d8e9dd0cfb0dd7 (diff) | |
Improved WebSocket-over-HTTP detection (#2664)
* detect `chisel` SSH-over-HTTP-WebSocket
* use `strncasecmp()` for `LINE_*` matching macros
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'src')
| -rw-r--r-- | src/include/ndpi_private.h | 10 | ||||
| -rw-r--r-- | src/lib/ndpi_main.c | 1 | ||||
| -rw-r--r-- | src/lib/protocols/websocket.c | 32 |
3 files changed, 39 insertions, 4 deletions
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h index 93eccf0d1..22f6e5605 100644 --- a/src/include/ndpi_private.h +++ b/src/include/ndpi_private.h @@ -82,13 +82,15 @@ typedef struct default_ports_tree_node { #define LINE_ENDS(ndpi_int_one_line_struct, string_to_compare) \ ((ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ - memcmp((ndpi_int_one_line_struct).ptr + \ - ((ndpi_int_one_line_struct).len - strlen(string_to_compare)), \ - string_to_compare, strlen(string_to_compare)) == 0) + ndpi_strncasestr((const char *)((ndpi_int_one_line_struct).ptr) + \ + ((ndpi_int_one_line_struct).len - strlen(string_to_compare)), \ + string_to_compare, strlen(string_to_compare)) == \ + (const char *)((ndpi_int_one_line_struct).ptr) + ((ndpi_int_one_line_struct).len - strlen(string_to_compare))) #define LINE_CMP(ndpi_int_one_line_struct, string_to_compare, string_to_compare_length) \ ((ndpi_int_one_line_struct).ptr != NULL && \ - memcmp((ndpi_int_one_line_struct).ptr, string_to_compare, string_to_compare_length) == 0) + ndpi_strncasestr((const char *)((ndpi_int_one_line_struct).ptr), string_to_compare, \ + string_to_compare_length) == (const char *)((ndpi_int_one_line_struct).ptr)) #define NDPI_MAX_PARSE_LINES_PER_PACKET 64 diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 97df06ed9..33f737bdd 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1088,6 +1088,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp ndpi_build_default_ports(ports_a, 80, 0 /* ntop */, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); ndpi_set_proto_subprotocols(ndpi_str, NDPI_PROTOCOL_HTTP, + NDPI_PROTOCOL_WEBSOCKET, NDPI_PROTOCOL_CROSSFIRE, NDPI_PROTOCOL_SOAP, NDPI_PROTOCOL_BITTORRENT, NDPI_PROTOCOL_GNUTELLA, NDPI_PROTOCOL_MAPLESTORY, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_WORLDOFWARCRAFT, diff --git a/src/lib/protocols/websocket.c b/src/lib/protocols/websocket.c index b4cb3d1e3..47af111d8 100644 --- a/src/lib/protocols/websocket.c +++ b/src/lib/protocols/websocket.c @@ -106,6 +106,38 @@ static void ndpi_search_websocket(struct ndpi_detection_module_struct *ndpi_stru NDPI_LOG_DBG(ndpi_struct, "search WEBSOCKET\n"); ndpi_check_websocket(ndpi_struct, flow); + // Check also some HTTP headers indicating an upcoming WebSocket connection + if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP && + flow->detected_protocol_stack[1] != NDPI_PROTOCOL_WEBSOCKET) + { + struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; + uint16_t i; + + NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow, packet); + for (i = 0; i < packet->parsed_lines; i++) { + if (LINE_STARTS(packet->line[i], "upgrade:") != 0 && + LINE_ENDS(packet->line[i], "websocket") != 0) + { + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WEBSOCKET, + NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI); + } else if (LINE_STARTS(packet->line[i], "sec-websocket") != 0) { + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WEBSOCKET, + NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI); + if (ndpi_strncasestr((const char *)packet->line[i].ptr, "chisel", + packet->line[i].len) != NULL) + { + ndpi_set_risk(ndpi_struct, flow, NDPI_OBFUSCATED_TRAFFIC, + "Obfuscated SSH-in-HTTP-WebSocket traffic"); + } + } + } + if (i == packet->parsed_lines) + { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return; + } + } + return; } |