Diffstat (limited to 'src')
-rw-r--r--src/lib/ndpi_content_match.c.inc8
-rw-r--r--src/lib/ndpi_utils.c3
-rw-r--r--src/lib/protocols/http.c118
3 files changed, 77 insertions, 52 deletions
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index fcd7834a3..1b48eca4b 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -8390,9 +8390,9 @@ static ndpi_network host_protocol_list[] = {
{ 0xD0163900 /* 208.22.57.0/24 */, 24, NDPI_PROTOCOL_BLOOMBERG },
{ 0x45BFC000 /* 69.191.192.0/18 */, 18, NDPI_PROTOCOL_BLOOMBERG },
- /*
+ /*
Microsoft
-
+
[JSON] https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7
[HTML] https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges
*/
@@ -8768,6 +8768,10 @@ static ndpi_protocol_match host_match[] =
/* http://check.googlezip.net/connect [check browser connectivity] */
// { ".googlezip.net", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
+ /*
+ https://github.com/bambenek/block-doh/blob/master/db.doh-redirect
+ https://github.com/curl/curl/wiki/DNS-over-HTTPS
+ */
{ "dns.google", "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
{ "mozilla.cloudflare-dns.com", "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE }, /* Firefox */
{ "cloudflare-dns.com", "DoH_DoT", NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 187ba7d1c..4958e4a0c 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1479,6 +1479,9 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
case NDPI_HTTP_SUSPICIOUS_URL:
return("HTTP Suspicious URL");
+
+ case NDPI_HTTP_SUSPICIOUS_HEADER:
+ return("HTTP Suspicious Header");
default:
snprintf(buf, sizeof(buf), "%d", (int)risk);
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index a2a5538fe..19b39242e 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -595,8 +595,9 @@ static void http_bitmask_exclude_other(struct ndpi_flow_struct *flow)
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_XBOX);
}
-/*************************************************************************************************/
+/* *********************************************************************************************** */
+/* Trick to speed-up detection */
static const char* suspicious_http_header_keys_A[] = { "Arch", NULL};
static const char* suspicious_http_header_keys_C[] = { "Cores", NULL};
static const char* suspicious_http_header_keys_M[] = { "Mem", NULL};
@@ -607,73 +608,90 @@ static const char* suspicious_http_header_keys_T[] = { "TLS_version", NULL};
static const char* suspicious_http_header_keys_U[] = { "Uuid", NULL};
static const char* suspicious_http_header_keys_X[] = { "X-Hire-Me", NULL};
-
static int is_a_suspicious_header(const char* suspicious_headers[], struct ndpi_int_one_line_struct packet_line){
int i;
unsigned int header_len;
const u_int8_t* header_limit;
- if((header_limit = memchr(packet_line.ptr, ':', packet_line.len))){
- header_len = header_limit - packet_line.ptr;
- for(i=0; suspicious_headers[i] != NULL; i++){
- if(!strncasecmp((const char*) packet_line.ptr,
- suspicious_headers[i],
- header_len))
- return 1;
- }
+ if((header_limit = memchr(packet_line.ptr, ':', packet_line.len))) {
+ header_len = header_limit - packet_line.ptr;
+ for(i=0; suspicious_headers[i] != NULL; i++){
+ if(!strncasecmp((const char*) packet_line.ptr,
+ suspicious_headers[i], header_len))
+ return 1;
+ }
}
+
return 0;
}
+/* *********************************************************************************************** */
+
static void ndpi_check_http_header(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
int i;
struct ndpi_packet_struct *packet = &flow->packet;
- for(i=0; (i<packet->parsed_lines) && (packet->line[i].ptr != NULL); i++) {
+ for(i=0; (i < packet->parsed_lines) && (packet->line[i].ptr != NULL) && (packet->line[i].len > 0); i++) {
switch(packet->line[i].ptr[0]){
- case 'A':
- if(is_a_suspicious_header(suspicious_http_header_keys_A, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'C':
- if(is_a_suspicious_header(suspicious_http_header_keys_C, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'M':
- if(is_a_suspicious_header(suspicious_http_header_keys_M, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'O':
- if(is_a_suspicious_header(suspicious_http_header_keys_O, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'R':
- if(is_a_suspicious_header(suspicious_http_header_keys_R, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'S':
- if(is_a_suspicious_header(suspicious_http_header_keys_S, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'T':
- if(is_a_suspicious_header(suspicious_http_header_keys_T, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'U':
- if(is_a_suspicious_header(suspicious_http_header_keys_U, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- case 'X':
- if(is_a_suspicious_header(suspicious_http_header_keys_X, packet->line[i]))
- NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
- break;
- default:
- continue;
+ case 'A':
+ if(is_a_suspicious_header(suspicious_http_header_keys_A, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'C':
+ if(is_a_suspicious_header(suspicious_http_header_keys_C, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'M':
+ if(is_a_suspicious_header(suspicious_http_header_keys_M, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
}
+ break;
+ case 'O':
+ if(is_a_suspicious_header(suspicious_http_header_keys_O, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'R':
+ if(is_a_suspicious_header(suspicious_http_header_keys_R, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'S':
+ if(is_a_suspicious_header(suspicious_http_header_keys_S, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'T':
+ if(is_a_suspicious_header(suspicious_http_header_keys_T, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'U':
+ if(is_a_suspicious_header(suspicious_http_header_keys_U, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+ break;
+ case 'X':
+ if(is_a_suspicious_header(suspicious_http_header_keys_X, packet->line[i])) {
+ NDPI_SET_BIT(flow->risk, NDPI_HTTP_SUSPICIOUS_HEADER);
+ return;
+ }
+
+ break;
}
- return;
+ }
}
/*************************************************************************************************/
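Review bot: The match in is_a_suspicious_header is a prefix test, not an equality test: strncasecmp is bounded by header_len (the header-name length, from the new memchr on the line) but never compared against the key's own length, so any header whose name is a strict prefix of a key — e.g. a line starting `A:`, `Ar:` or `Uu:` — is flagged with NDPI_HTTP_SUSPICIOUS_HEADER, while a name that merely begins with a key (`Architecture:`) correctly is not. Tightening the inner test to `if((header_len == strlen(suspicious_headers[i])) && !strncasecmp((const char*) packet_line.ptr, suspicious_headers[i], header_len))` restores the intended exact, case-insensitive name match. Separately, the dispatch in ndpi_check_http_header on `packet->line[i].ptr[0]` is case-sensitive (`'A'`, `'C'`, ...) even though HTTP header names are case-insensitive and the comparison below is strncasecmp, so a client sending `arch:` or `x-hire-me:` is never examined; folding the first byte (e.g. `switch(toupper((unsigned char) packet->line[i].ptr[0]))`, which presumably needs `<ctype.h>` — check the file's includes) would close that gap. Since memchr already bounds the scan by `packet_line.len`, the added `len > 0` guard in the loop condition looks sufficient to keep `ptr[0]` in bounds.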