Diffstat (limited to 'src/lib/ndpi_main.c')
-rw-r--r-- | src/lib/ndpi_main.c | 53 |
1 files changed, 43 insertions, 10 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 758a125d1..6fe1e8065 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1769,8 +1769,6 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 5246, 5247, 0, 0, 0) /* UDP */ ); - - /* TODO: Needs a pcap file for Zabbix */ ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_ZABBIX, 1 /* no subprotocol */, no_master, no_master, "Zabbix", NDPI_PROTOCOL_CATEGORY_NETWORK, @@ -3372,6 +3370,9 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* CAPWAP */ init_capwap_dissector(ndpi_str, &a, detection_bitmask); + /* ZABBIX */ + init_zabbix_dissector(ndpi_str, &a, detection_bitmask); + /*** Put false-positive sensitive protocols at the end ***/ /* VIBER */ @@ -3410,12 +3411,16 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* WireGuard VPN */ init_wireguard_dissector(ndpi_str, &a, detection_bitmask); - /* AMAZON_VIDEO */ + /* Amazon_Video */ init_amazon_video_dissector(ndpi_str, &a, detection_bitmask); /* Targus Getdata */ init_targus_getdata_dissector(ndpi_str, &a, detection_bitmask); +#ifdef CUSTOM_NDPI_PROTOCOLS +#include "../../../nDPI-custom/custom_ndpi_main_init.c" +#endif + /* ----------------------------------------------------------------- */ ndpi_str->callback_buffer_size = a; @@ -3517,6 +3522,9 @@ static int ndpi_handle_ipv6_extension_headers(struct ndpi_detection_module_struc } // the other extension headers have one byte for the next header type // and one byte for the extension header length in 8 byte steps minus the first 8 bytes + if (*l4len < 2) { + return(1); + } ehdr_len = (*l4ptr)[1]; ehdr_len *= 8; ehdr_len += 8; 
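Review bot: The `#include "../../../nDPI-custom/custom_ndpi_main_init.c"` added inside ndpi_set_protocol_detection_bitmask2 compiles a source fragment from a directory outside this repository whenever CUSTOM_NDPI_PROTOCOLS is defined. The library that gets built then depends on whatever sits at that relative path on the build host, and nothing in the hunk documents this. The fragment is also expanded in the middle of the function, so it presumably relies on the locals `ndpi_str`, `a` and `detection_bitmask`. I would at least document the contract above the `#ifdef`, for example `/* Optional out-of-tree dissector registrations; the fragment may use ndpi_str, a and detection_bitmask only */`. Supplying the location through the build system's include path would also be safer than a path that climbs out of the tree.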
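Review bot: The added `if (*l4len < 2)` guard in ndpi_handle_ipv6_extension_headers carries no comment saying which read it protects, and its spacing and braces differ from the `if(` style used in the rest of the file. It would read better as `if(*l4len < 2) return(1); /* next-header and length bytes must both be present */`. The length byte `(*l4ptr)[1]` comes from the packet and `ehdr_len` is consumed after the hunk ends, so please confirm there that `ehdr_len` is compared with `*l4len` before the pointer is advanced.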
@@ -3735,6 +3743,7 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str if(flow->http.url) ndpi_free(flow->http.url); if(flow->http.content_type) ndpi_free(flow->http.content_type); + if(flow->http.user_agent) ndpi_free(flow->http.user_agent); backup = flow->num_processed_pkts; backup1 = flow->guessed_protocol_id; @@ -4685,7 +4694,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct } else flow->guessed_header_category = NDPI_PROTOCOL_CATEGORY_UNSPECIFIED; - if(flow->guessed_protocol_id >= (NDPI_MAX_SUPPORTED_PROTOCOLS-1)) { + if(flow->guessed_protocol_id > NDPI_MAX_SUPPORTED_PROTOCOLS) { /* This is a custom protocol and it has priority over everything else */ ret.master_protocol = NDPI_PROTOCOL_UNKNOWN, ret.app_protocol = flow->guessed_protocol_id ? flow->guessed_protocol_id : flow->guessed_host_protocol_id; @@ -4721,7 +4730,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct } } - if(flow->guessed_host_protocol_id >= (NDPI_MAX_SUPPORTED_PROTOCOLS-1)) { + if(flow->guessed_host_protocol_id > NDPI_MAX_SUPPORTED_PROTOCOLS) { /* This is a custom protocol and it has priority over everything else */ ret.master_protocol = NDPI_PROTOCOL_UNKNOWN, ret.app_protocol = flow->guessed_host_protocol_id; 
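Review bot: The `ndpi_free()` calls in ndpi_init_packet_header, including the new one for `flow->http.user_agent`, leave the freed pointers set in the lines visible here. ndpi_free_flow (hunk @@ -6250) frees the same three fields under the same non-NULL test, so a stale pointer would be freed a second time there. The function body continues outside the hunk, so the flow may already be cleared further down. If it is not, add `flow->http.user_agent = NULL;` after the free, and likewise for `url` and `content_type`.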
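Review bot: The strict test `flow->guessed_protocol_id > NDPI_MAX_SUPPORTED_PROTOCOLS` in ndpi_detection_process_packet classifies an id equal to NDPI_MAX_SUPPORTED_PROTOCOLS as a built-in protocol. Where custom ids start is not visible in this diff; if the first custom protocol is assigned that value, it no longer gets priority and the comparison should be `>=`. The same applies to the `guessed_host_protocol_id` test in hunk @@ -4721. A comment stating the first custom id next to both tests would settle it. Separately, `guessed_protocol_id` cannot be zero once the condition holds, so the `? :` fallback to `guessed_host_protocol_id` on the `ret.app_protocol` line appears to be dead code.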
@@ -5066,15 +5075,34 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str, || strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Content-type: ", 14) == 0)) { packet->content_line.ptr = &packet->line[packet->parsed_lines].ptr[14]; packet->content_line.len = packet->line[packet->parsed_lines].len - 14; + + while((packet->content_line.len > 0) && (packet->content_line.ptr[0] == ' ')) + packet->content_line.len--, packet->content_line.ptr++; + packet->http_num_headers++; } /* "Content-Type:" header line in HTTP AGAIN. Probably a bogus response without space after ":" */ - if(packet->line[packet->parsed_lines].len > 13 - && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Content-type:", 13) == 0) { + if((packet->content_line.len == 0) + && (packet->line[packet->parsed_lines].len > 13) + && (strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Content-type:", 13) == 0)) { packet->content_line.ptr = &packet->line[packet->parsed_lines].ptr[13]; packet->content_line.len = packet->line[packet->parsed_lines].len - 13; packet->http_num_headers++; } + + if(packet->content_line.len > 0) { + /* application/json; charset=utf-8 */ + char separator[] = { ';', '\r', '\0' }; + int i; + + for(i=0; separator[i] != '\0'; i++) { + char *c = memchr((char*)packet->content_line.ptr, separator[i], packet->content_line.len); + + if(c != NULL) + packet->content_line.len = c - (char*)packet->content_line.ptr; + } + } + /* "Accept:" header line in HTTP request. */ if(packet->line[packet->parsed_lines].len > 8 && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Accept: ", 8) == 0) { 
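Review bot: The new `packet->content_line.len == 0` condition in ndpi_parse_packet_line_info stands in for "the first Content-Type branch did not match", but the added `while` loop can also leave the length at 0. If a header value can consist only of spaces, both branches run: the second re-points `content_line` at the padding and increments `http_num_headers` again for the same line. The test also assumes `content_line.len` is zero on entry, which these lines do not show. Chaining the branches states the intent directly, e.g. opening the fallback with `} else if((packet->line[packet->parsed_lines].len > 13)` and dropping the `len == 0` term. The function starts and ends outside the hunk.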
@@ -6250,8 +6278,9 @@ int ndpi_match_bigram(struct ndpi_detection_module_struct *ndpi_str, void ndpi_free_flow(struct ndpi_flow_struct *flow) { if(flow) { - if(flow->http.url) ndpi_free(flow->http.url); + if(flow->http.url) ndpi_free(flow->http.url); if(flow->http.content_type) ndpi_free(flow->http.content_type); + if(flow->http.user_agent) ndpi_free(flow->http.user_agent); if(flow->l4_proto == IPPROTO_TCP) { if(flow->l4.tcp.tls_srv_cert_fingerprint_ctx) @@ -6462,6 +6491,11 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp || (flow->protos.ssh.hassh_server[0] == '\0')) return(1); break; + + case NDPI_PROTOCOL_TELNET: + if(!flow->protos.telnet.username_detected) + return(1); + break; } return(0); @@ -6494,8 +6528,7 @@ const char* ndpi_get_l4_proto_name(ndpi_l4_proto_info proto) { /* ******************************************************************** */ ndpi_l4_proto_info ndpi_get_l4_proto_info(struct ndpi_detection_module_struct *ndpi_struct, - u_int16_t ndpi_proto_id) { - + u_int16_t ndpi_proto_id) { if(ndpi_proto_id < ndpi_struct->ndpi_num_supported_protocols) { u_int16_t idx = ndpi_struct->proto_defaults[ndpi_proto_id].protoIdx; NDPI_SELECTION_BITMASK_PROTOCOL_SIZE bm = ndpi_struct->callback_buffer[idx].ndpi_selection_bitmask; |