-rw-r--r--src/lib/protocols/http.c14
-rw-r--r--tests/pcap/windowsupdate_over_http.pcapbin0 -> 16319 bytes
-rw-r--r--tests/result/windowsupdate_over_http.pcap.out8
3 files changed, 22 insertions, 0 deletions
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 88c207c9e..e8f15cb47 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -848,6 +848,20 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
}
}
+ if(packet->user_agent_line.ptr != NULL && packet->user_agent_line.len != 0 &&
+ flow->http.url) {
+ /* WindowsUpdate over some kind of CDN */
+ if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN &&
+ flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP &&
+ (strstr(flow->http.url, "delivery.mp.microsoft.com/") ||
+ strstr(flow->http.url, "download.windowsupdate.com/")) &&
+ ndpi_strnstr((const char *)packet->user_agent_line.ptr, "Microsoft-Delivery-Optimization/",
+ packet->user_agent_line.len) &&
+ ndpi_isset_risk(ndpi_struct, flow, NDPI_HTTP_NUMERIC_IP_HOST)) {
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WINDOWS_UPDATE, NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI);
+ }
+ }
+
if(ndpi_get_http_method(ndpi_struct, flow) != NDPI_HTTP_METHOD_UNKNOWN) {
ndpi_int_http_add_connection(ndpi_struct, flow, flow->detected_protocol_stack[0], NDPI_PROTOCOL_CATEGORY_WEB);
}
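Review bot: The NDPI_HTTP_NUMERIC_IP_HOST risk that the added condition requires is still attached to the flow after it is reclassified as WindowsUpdate — the expected output in tests/result shows `HTTP Numeric IP Address` in the Risk column of that flow — so the very precondition the rule depends on keeps being reported as an anomaly for a flow the rule has just declared expected. If this version of the tree has a helper that clears a single risk bit (nDPI's ndpi_unset_risk, if present), calling it right after ndpi_set_detected_protocol would stop the risk score from penalizing the CDN download; if leaving the risk set is intentional, the vague `/* WindowsUpdate over some kind of CDN */` should say so, e.g. `/* WindowsUpdate fetched from a CDN node addressed by IP: the numeric-host risk is a required precondition and is deliberately left set */`. Note also that the two strstr() calls scan the whole URL, so the Microsoft hostnames are matched inside the path/query (as in the test pcap), not in the host part, and they rely on flow->http.url being NUL-terminated — presumably guaranteed by the existing URL handling, but worth confirming given that the user-agent check next to it uses the bounded ndpi_strnstr(). check_content_type_and_change_protocol begins before this hunk and its body continues after it.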
diff --git a/tests/pcap/windowsupdate_over_http.pcap b/tests/pcap/windowsupdate_over_http.pcap
new file mode 100644
index 000000000..9a69c3dda
--- /dev/null
+++ b/tests/pcap/windowsupdate_over_http.pcap
Binary files differ
diff --git a/tests/result/windowsupdate_over_http.pcap.out b/tests/result/windowsupdate_over_http.pcap.out
new file mode 100644
index 000000000..5fb1a34af
--- /dev/null
+++ b/tests/result/windowsupdate_over_http.pcap.out
@@ -0,0 +1,8 @@
+Guessed flow protos: 0
+
+DPI Packets (TCP): 6 (6.00 pkts/flow)
+Confidence DPI : 1 (flows)
+
+WindowsUpdate 20 15975 1
+
+ 1 TCP 10.0.2.15:49815 <-> 151.99.72.125:80 [proto: 7.147/HTTP.WindowsUpdate][ClearText][Confidence: DPI][cat: Download/7][8 pkts/923 bytes <-> 12 pkts/15052 bytes][Goodput ratio: 52/96][0.02 sec][Hostname/SNI: 151.99.72.125][bytes ratio: -0.884 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2/1 9/8 4/2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 115/1254 533/1514 158/536][URL: 151.99.72.125/data/0783dedfb62fa709/msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/d1d060c0-7ece-4b96-9558-4bd0f2326040?P1=1652084683&P2=404&P3=2&P4=GtXnDMvssaTVZE%2bliGRNZPdTCGZcdK3lsfQhBycGI5on2dyQK7mRzg%2fAP%2fOuVTebtfWU%2bfL%2bVp][StatusCode: 206][Content-Type: application/octet-stream][User-Agent: Microsoft-Delivery-Optimization/10.0][Risk: ** Binary App Transfer **** HTTP Numeric IP Address **][Risk Score: 260][Risk Info: Found host 151.99.72.125 / Found mime exe octet-stream][PLAIN TEXT (GET /data/0783dedfb)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,72,0,0]