Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/ndpi_main.c | 41 | ||||
-rw-r--r-- | src/lib/protocols/http.c | 8 |
2 files changed, 45 insertions, 4 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 7e277d121..84e0def13 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -8160,6 +8160,43 @@ static int ndpi_is_ntop_protocol(ndpi_protocol *ret) {
 
 /* ********************************************************************************* */
 
+static void ndpi_search_portable_executable(struct ndpi_detection_module_struct *ndpi_struct,
+                                            struct ndpi_flow_struct *flow)
+{
+  struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
+  static const uint16_t dos_signature = 0x4d5a; /* MZ */
+  static const uint32_t pe_signature = 0x50450000; /* PE */
+
+  NDPI_LOG_DBG(ndpi_struct, "search Portable Executable (PE) file\n");
+
+  if (flow->packet_counter > 5)
+  {
+    return;
+  }
+
+  if (packet->payload_packet_len < 0x3C /* offset to PE header */ + 4)
+  {
+    return;
+  }
+
+  if (ntohs(get_u_int16_t(packet->payload, 0)) != dos_signature)
+  {
+    return;
+  }
+
+  uint32_t const pe_offset = le32toh(get_u_int32_t(packet->payload, 0x3C));
+  if (packet->payload_packet_len <= pe_offset + 4 ||
+      be32toh(get_u_int32_t(packet->payload, pe_offset)) != pe_signature)
+  {
+    return;
+  }
+
+  NDPI_LOG_INFO(ndpi_struct, "found Portable Executable (PE) file\n");
+  ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER, "Portable Executable (PE32/PE32+) found");
+}
+
+/* ********************************************************************************* */
+
 static int ndpi_check_protocol_port_mismatch_exceptions(default_ports_tree_node_t *expected_proto,
                                                         ndpi_protocol *returned_proto) {
   /*
@@ -8553,6 +8590,10 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio
     flow->first_pkt_fully_encrypted = fully_enc_heuristic(ndpi_str, flow);
   }
 
+  if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN) {
+    ndpi_search_portable_executable(ndpi_str, flow);
+  }
+
   return(ret);
 }
 
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 0d0247574..311761e84 100644
--- a/src/lib/protocols/http.c
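Review bot: The bounds check `packet->payload_packet_len <= pe_offset + 4` in ndpi_search_portable_executable can be defeated by unsigned wrap-around: pe_offset is a 32-bit value taken straight from the payload, so a value close to UINT32_MAX makes `pe_offset + 4` tiny, the check passes, and `get_u_int32_t(packet->payload, pe_offset)` reads far outside the packet buffer. The earlier `payload_packet_len < 0x3C + 4` guard already guarantees at least 0x40 bytes, so the subtraction is safe and the test should be written without the addition: `if (pe_offset > packet->payload_packet_len - 4u ||` followed by the unchanged be32toh comparison. A short header comment saying that the function only looks at the first packets of a flow (packet_counter <= 5), and that on a match it flags the flow with NDPI_BINARY_APPLICATION_TRANSFER rather than classifying it, would make the intent clear to readers of the second hunk, which calls it only while app_protocol is still NDPI_PROTOCOL_UNKNOWN and looks correct as written.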
+++ b/src/lib/protocols/http.c
@@ -193,10 +193,10 @@ static void ndpi_validate_http_content(struct ndpi_detection_module_struct *ndpi
     packet->http_check_content = 1;
 
-    if(len >= 8 /* 4 chars for \r\n\r\n and at least 4 charts for content guess */) {
-      double_ret += 4;
-
-      ndpi_http_check_human_redeable_content(ndpi_struct, flow, double_ret, len);
+    if (len > 4 /* 4 chars for \r\n\r\n and at least 4 charts for content guess */) {
+      double_ret += 4;
+      len -= 4;
+      ndpi_http_check_human_redeable_content(ndpi_struct, flow, double_ret, len);
     }
   }
|
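Review bot: The relaxed guard `if (len > 4 ...)` lets the new `len -= 4;` hand as little as one byte to ndpi_http_check_human_redeable_content, while the comment on the same line still promises "at least 4 charts for content guess"; the removed `len >= 8` was what kept that minimum. Either keep the new subtraction but restore the threshold, `if (len >= 8 /* 4 chars for \r\n\r\n and at least 4 charts for content guess */) {`, or update the comment if the callee is known to cope with shorter input — it is defined outside this hunk, so I cannot confirm that here. ndpi_validate_http_content starts outside the hunk.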