Diffstat (limited to 'src/lib/protocols/http.c')
-rw-r--r--src/lib/protocols/http.c118
1 files changed, 68 insertions, 50 deletions
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index a2a5538fe..19b39242e 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -595,8 +595,9 @@ static void http_bitmask_exclude_other(struct ndpi_flow_struct *flow)
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_XBOX);
}
-/*************************************************************************************************/
+/* *********************************************************************************************** */
+/* Trick to speed-up detection */
static const char* suspicious_http_header_keys_A[] = { "Arch", NULL};
static const char* suspicious_http_header_keys_C[] = { "Cores", NULL};
static const char* suspicious_http_header_keys_M[] = { "Mem", NULL};
@@ -607,73 +608,90 @@ static const char* suspicious_http_header_keys_T[] = { "TLS_version", NULL};
static const char* suspicious_http_header_keys_U[] = { "Uuid", NULL};
static const char* suspicious_http_header_keys_X[] = { "X-Hire-Me", NULL};
-
static int is_a_suspicious_header(const char* suspicious_headers[], struct ndpi_int_one_line_struct packet_line){
int i;
unsigned int header_len;
const u_int8_t* header_limit;
- if((header_limit = memchr(packet_line.ptr, ':', packet_line.len))){
- header_len = header_limit - packet_line.ptr;
- for(i=0; suspicious_headers[i] != NULL; i++){
- if(!strncasecmp((const char*) packet_line.ptr,
- suspicious_headers[i],
- header_len))
- return 1;
- }
+ if((header_limit = memchr(packet_line.ptr, ':', packet_line.len))) {
+ header_len = header_limit - packet_line.ptr;
+ for(i=0; suspicious_headers[i] != NULL; i++){
+ if(!strncasecmp((const char*) packet_line.ptr,
+ suspicious_headers[i], header_len))
+ return 1;
+ }
}
+
return 0;
}
+/* *********************************************************************************************** */
+
static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
int i;
struct ndpi_packet_struct *packet = &flow->packet;
- for(i=0; (i<packet->parsed_lines) && (packet->line[i].ptr != NULL); i++) {
+ for(i=0; (i < packet->parsed_lines) && (packet->line[i].ptr != NULL) && (packet->line[i].len > 0); i++) {
switch(packet->line[i].ptr[0]){
- case 'A':
- if(is_a_suspicious_header(suspicious_http_header_keys_A, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'C':
- if(is_a_suspicious_header(suspicious_http_header_keys_C, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'M':
- if(is_a_suspicious_header(suspicious_http_header_keys_M, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'O':
- if(is_a_suspicious_header(suspicious_http_header_keys_O, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'R':
- if(is_a_suspicious_header(suspicious_http_header_keys_R, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'S':
- if(is_a_suspicious_header(suspicious_http_header_keys_S, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'T':
- if(is_a_suspicious_header(suspicious_http_header_keys_T, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'U':
- if(is_a_suspicious_header(suspicious_http_header_keys_U, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'X':
- if(is_a_suspicious_header(suspicious_http_header_keys_X, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- default:
- continue;
+ case 'A':
+ if(is_a_suspicious_header(suspicious_http_header_keys_A, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'C':
+ if(is_a_suspicious_header(suspicious_http_header_keys_C, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'M':
+ if(is_a_suspicious_header(suspicious_http_header_keys_M, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
}
+ break;
+ case 'O':
+ if(is_a_suspicious_header(suspicious_http_header_keys_O, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'R':
+ if(is_a_suspicious_header(suspicious_http_header_keys_R, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'S':
+ if(is_a_suspicious_header(suspicious_http_header_keys_S, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'T':
+ if(is_a_suspicious_header(suspicious_http_header_keys_T, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'U':
+ if(is_a_suspicious_header(suspicious_http_header_keys_U, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'X':
+ if(is_a_suspicious_header(suspicious_http_header_keys_X, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+
+ break;
}
- return;
+ }
}
/*************************************************************************************************/
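Review bot: The match in is_a_suspicious_header (the new `strncasecmp` at the top of this hunk, whole function inside the hunk) is still a prefix test bounded by the header's own length, so a header whose name is a proper prefix of a key — `M:` or `Me:` against "Mem", `A:` against "Arch" — sets NDPI_HTTP_SUSPICIOUS_HEADER. Since the new code only stops on the first hit and then returns from ndpi_check_http_header, a single such short header is enough to mark the whole flow. Requiring an exact length match before comparing closes this: `if(header_len == strlen(suspicious_headers[i]) && !strncasecmp((const char*) packet_line.ptr, suspicious_headers[i], header_len))`. A comment on the table such as `/* header names, matched case-insensitively on the full name before ':' */` would also document the intended contract, and `header_len` would be better typed `size_t` since it comes from a pointer difference.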