-rw-r--r--src/include/ndpi_protocol_ids.h2
-rw-r--r--src/include/ndpi_typedefs.h4
-rw-r--r--src/lib/ndpi_main.c4
-rw-r--r--src/lib/ndpi_utils.c32
-rw-r--r--src/lib/protocols/dcerpc.c8
-rw-r--r--src/lib/protocols/http.c32
6 files changed, 54 insertions, 28 deletions
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index 5ad8083b6..e6e4e93ac 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -155,7 +155,7 @@ typedef enum {
NDPI_PROTOCOL_YOUTUBE = 124,
NDPI_PROTOCOL_SKYPE_TEAMS = 125,
NDPI_PROTOCOL_GOOGLE = 126,
- NDPI_PROTOCOL_DCERPC = 127,
+ NDPI_PROTOCOL_RPC = 127,
NDPI_PROTOCOL_NETFLOW = 128,
NDPI_PROTOCOL_SFLOW = 129,
NDPI_PROTOCOL_HTTP_CONNECT = 130,
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index e1e5dc90c..f8b366bd1 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -518,7 +518,9 @@ typedef enum {
NDPI_HTTP_METHOD_PUT,
NDPI_HTTP_METHOD_DELETE,
NDPI_HTTP_METHOD_TRACE,
- NDPI_HTTP_METHOD_CONNECT
+ NDPI_HTTP_METHOD_CONNECT,
+ NDPI_HTTP_METHOD_RPC_IN_DATA,
+ NDPI_HTTP_METHOD_RPC_OUT_DATA,
} ndpi_http_method;
struct ndpi_lru_cache_entry {
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index a72eff8b8..baa41d5fb 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1393,8 +1393,8 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
"WorldOfKungFu", NDPI_PROTOCOL_CATEGORY_GAME,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
- ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DCERPC,
- "DCE_RPC", NDPI_PROTOCOL_CATEGORY_RPC,
+ ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_RPC,
+ "RPC", NDPI_PROTOCOL_CATEGORY_RPC,
ndpi_build_default_ports(ports_a, 135, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_NETFLOW,
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index dea83dbdc..605f2110e 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1930,16 +1930,18 @@ u_int16_t ndpi_risk2score(ndpi_risk risk,
const char* ndpi_http_method2str(ndpi_http_method m) {
switch(m) {
- case NDPI_HTTP_METHOD_UNKNOWN: break;
- case NDPI_HTTP_METHOD_OPTIONS: return("OPTIONS");
- case NDPI_HTTP_METHOD_GET: return("GET");
- case NDPI_HTTP_METHOD_HEAD: return("HEAD");
- case NDPI_HTTP_METHOD_PATCH: return("PATCH");
- case NDPI_HTTP_METHOD_POST: return("POST");
- case NDPI_HTTP_METHOD_PUT: return("PUT");
- case NDPI_HTTP_METHOD_DELETE: return("DELETE");
- case NDPI_HTTP_METHOD_TRACE: return("TRACE");
- case NDPI_HTTP_METHOD_CONNECT: return("CONNECT");
+ case NDPI_HTTP_METHOD_UNKNOWN: break;
+ case NDPI_HTTP_METHOD_OPTIONS: return("OPTIONS");
+ case NDPI_HTTP_METHOD_GET: return("GET");
+ case NDPI_HTTP_METHOD_HEAD: return("HEAD");
+ case NDPI_HTTP_METHOD_PATCH: return("PATCH");
+ case NDPI_HTTP_METHOD_POST: return("POST");
+ case NDPI_HTTP_METHOD_PUT: return("PUT");
+ case NDPI_HTTP_METHOD_DELETE: return("DELETE");
+ case NDPI_HTTP_METHOD_TRACE: return("TRACE");
+ case NDPI_HTTP_METHOD_CONNECT: return("CONNECT");
+ case NDPI_HTTP_METHOD_RPC_IN_DATA: return("RPC_IN_DATA");
+ case NDPI_HTTP_METHOD_RPC_OUT_DATA: return("RPC_OUT_DATA");
}
return("Unknown HTTP method");
@@ -1967,8 +1969,16 @@ ndpi_http_method ndpi_http_str2method(const char* method, u_int16_t method_len)
case 'D': return(NDPI_HTTP_METHOD_DELETE);
case 'T': return(NDPI_HTTP_METHOD_TRACE);
case 'C': return(NDPI_HTTP_METHOD_CONNECT);
+ case 'R':
+ if(method_len >= 11) {
+ if(strncmp(method, "RPC_IN_DATA", 11) == 0)
+ return(NDPI_HTTP_METHOD_RPC_IN_DATA);
+ else if(strncmp(method, "RPC_OUT_DATA", 11) == 0)
+ return(NDPI_HTTP_METHOD_RPC_OUT_DATA);
+ }
+ break;
}
-
+
return(NDPI_HTTP_METHOD_UNKNOWN);
}
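Review bot: The RPC_OUT_DATA comparison `strncmp(method, "RPC_OUT_DATA", 11)` checks only 11 characters of a 12-character method name, so any token beginning with "RPC_OUT_DAT" is classified as RPC_OUT_DATA, and the shared `method_len >= 11` guard is sized for the shorter name rather than this one. Give the second branch its own length guard and compare the full name: `else if((method_len >= 12) && (strncmp(method, "RPC_OUT_DATA", 12) == 0))`. The RPC_IN_DATA branch is consistent as written (11 characters under `method_len >= 11`), though like the single-letter cases above it still accepts any longer token with that prefix. ndpi_http_str2method begins before this hunk.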
diff --git a/src/lib/protocols/dcerpc.c b/src/lib/protocols/dcerpc.c
index b353caf20..198d27b38 100644
--- a/src/lib/protocols/dcerpc.c
+++ b/src/lib/protocols/dcerpc.c
@@ -23,7 +23,7 @@
#include "ndpi_protocol_ids.h"
-#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_DCERPC
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_RPC
#include "ndpi_api.h"
#include <stdbool.h>
@@ -31,7 +31,7 @@
static void ndpi_int_dcerpc_add_connection(struct ndpi_detection_module_struct
*ndpi_struct, struct ndpi_flow_struct *flow)
{
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DCERPC, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RPC, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
}
bool is_connection_oriented_dcerpc(struct ndpi_packet_struct *packet, struct ndpi_flow_struct *flow)
@@ -95,8 +95,8 @@ void ndpi_search_dcerpc(struct ndpi_detection_module_struct *ndpi_struct, struct
void init_dcerpc_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
- ndpi_set_bitmask_protocol_detection("DCE_RPC", ndpi_struct, detection_bitmask, *id,
- NDPI_PROTOCOL_DCERPC,
+ ndpi_set_bitmask_protocol_detection("RPC", ndpi_struct, detection_bitmask, *id,
+ NDPI_PROTOCOL_RPC,
ndpi_search_dcerpc,
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
SAVE_DETECTION_BITMASK_AS_UNKNOWN,
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index a33cd6f00..fd3a64664 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -196,7 +196,7 @@ static void ndpi_validate_http_content(struct ndpi_detection_module_struct *ndpi
Java downloads Java: Log4J:
https://corelight.com/blog/detecting-log4j-exploits-via-zeek-when-java-downloads-java
*/
-
+
ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT);
}
}
@@ -343,7 +343,7 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd
(flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN) ?
flow->detected_protocol_stack[1] : NDPI_PROTOCOL_HTTP,
NDPI_CONFIDENCE_DPI);
-
+
/* This is necessary to inform the core to call this dissector again */
flow->check_extra_packets = 1;
flow->max_extra_packets_to_check = 8;
@@ -390,7 +390,7 @@ static void setHttpUserAgent(struct ndpi_detection_module_struct *ndpi_struct,
* https://github.com/ua-parser/uap-core/blob/master/regexes.yaml */
if(flow->http.detected_os == NULL)
- flow->http.detected_os = ndpi_strdup(ua);
+ flow->http.detected_os = ndpi_strdup(ua);
}
/* ************************************************************* */
@@ -422,11 +422,11 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru
struct ndpi_flow_struct *flow,
char *ua) {
u_int len;
-
+
if((!ua) || (ua[0] == '\0'))
return;
else
- len = strlen(ua);
+ len = strlen(ua);
if(
(!strncmp(ua, "<?", 2))
@@ -436,7 +436,7 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru
// || ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, ua)
) {
ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT);
-
+
ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT);
} else if(
(len < 4) /* Too short */
@@ -610,6 +610,12 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
flow->http.method = ndpi_http_str2method((const char*)packet->http_method.ptr,
(u_int16_t)packet->http_method.len);
+
+ if((flow->http.method == NDPI_HTTP_METHOD_RPC_IN_DATA)
+ || (flow->http.method == NDPI_HTTP_METHOD_RPC_OUT_DATA)) {
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RPC, flow->detected_protocol_stack[0], NDPI_CONFIDENCE_DPI);
+ check_content_type_and_change_protocol(ndpi_struct, flow);
+ }
}
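Review bot: The recursive call `check_content_type_and_change_protocol(ndpi_struct, flow);` re-enters this function on the same packet, and nothing visible in the hunk changes `packet->http_method` or `flow->http.method` before re-entry, so the re-entered call recomputes the same method, takes the same RPC branch and recurses again; unless the enclosing condition (outside the hunk) gates on state that ndpi_set_detected_protocol changes, this is unbounded recursion for any request carrying one of these two methods, i.e. a stack overflow reachable from inbound traffic. If the second pass is needed so that the rest of the function sees the updated protocol stack, make the branch re-entrant by gating on the protocol already being set: `if(((flow->http.method == NDPI_HTTP_METHOD_RPC_IN_DATA) || (flow->http.method == NDPI_HTTP_METHOD_RPC_OUT_DATA)) && (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_RPC)) {`, which assumes ndpi_set_detected_protocol stores its third argument in `detected_protocol_stack[0]`; otherwise drop the recursive call and let the remainder of the function run once. The enclosing function starts and ends outside the hunk.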
if(packet->server_line.ptr != NULL && (packet->server_line.len > 7)) {
@@ -718,7 +724,13 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
if(packet->authorization_line.ptr != NULL) {
NDPI_LOG_DBG2(ndpi_struct, "Authorization line found %.*s\n",
packet->authorization_line.len, packet->authorization_line.ptr);
- ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
+
+ if(ndpi_strncasestr((const char*)packet->authorization_line.ptr,
+ "Basic", packet->authorization_line.len)
+ || ndpi_strncasestr((const char*)packet->authorization_line.ptr,
+ "Digest", packet->authorization_line.len)) {
+ ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS);
+ }
}
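Review bot: `ndpi_strncasestr` searches the entire authorization line, so "Basic" and "Digest" are matched anywhere in the value rather than as the scheme token; an opaque Bearer or other token that happens to contain one of those strings would raise NDPI_CLEAR_TEXT_CREDENTIALS. If authorization_line.ptr points at the header value (the hunk does not show where it is set), the scheme is the leading token and a bounded prefix comparison is more precise: `if((packet->authorization_line.len >= 6 && strncasecmp((const char*)packet->authorization_line.ptr, "Basic ", 6) == 0) || (packet->authorization_line.len >= 7 && strncasecmp((const char*)packet->authorization_line.ptr, "Digest ", 7) == 0))`. Note also that Digest transmits a hash rather than the password, so the CLEAR_TEXT label is a simplification for it; a one-line comment such as `/* Digest is flagged too: weak scheme, credentials recoverable offline */` would make the intent explicit. The enclosing function starts and ends outside the hunk.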
if(packet->content_line.ptr != NULL && packet->content_line.len != 0) {
@@ -807,7 +819,9 @@ static struct l_string {
STATIC_STRING_L("DELETE "),
STATIC_STRING_L("CONNECT "),
STATIC_STRING_L("PROPFIND "),
- STATIC_STRING_L("REPORT ") };
+ STATIC_STRING_L("REPORT "),
+ STATIC_STRING_L("RPC_IN_DATA "), STATIC_STRING_L("RPC_OUT_DATA ")
+};
static const char *http_fs = "CDGHOPR";
static u_int16_t http_request_url_offset(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
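Review bot: The two new table entries are placed on one line while every other entry of this initializer is on its own line; put `STATIC_STRING_L("RPC_OUT_DATA ")` on a separate line to match the surrounding layout. The `http_fs` first-letter set on the next line already contains 'R' (for REPORT), so no change is needed there.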
@@ -1089,7 +1103,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
packet->http_method.ptr = packet->line[0].ptr;
packet->http_method.len = filename_start - 1;
-
+
/* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
flow->l4.tcp.http_stage = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2
return;