Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_api.h.in4
-rw-r--r--src/include/ndpi_define.h.in1
-rw-r--r--src/include/ndpi_typedefs.h5
-rw-r--r--src/lib/ndpi_utils.c25
-rw-r--r--src/lib/protocols/http.c12
5 files changed, 38 insertions, 9 deletions
diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in
index bed449f60..6495c6825 100644
--- a/src/include/ndpi_api.h.in
+++ b/src/include/ndpi_api.h.in
@@ -1029,12 +1029,12 @@ extern "C" {
void ndpi_data_print_window_values(struct ndpi_analyze_struct *s); /* debug */
- ndpi_risk ndpi_validate_url(char *url);
+ ndpi_risk_enum ndpi_validate_url(char *url);
u_int8_t ndpi_is_protocol_detected(struct ndpi_detection_module_struct *ndpi_str,
ndpi_protocol proto);
- const char* ndpi_risk2str(ndpi_risk risk);
+ const char* ndpi_risk2str(ndpi_risk_enum risk);
#ifdef __cplusplus
}
#endif
diff --git a/src/include/ndpi_define.h.in b/src/include/ndpi_define.h.in
index 77e961550..fd0575b03 100644
--- a/src/include/ndpi_define.h.in
+++ b/src/include/ndpi_define.h.in
@@ -278,6 +278,7 @@
#define NDPI_CLR_BIT(num, n) num &= ~(1UL << n)
#define NDPI_CLR_BIT(num, n) num &= ~(1UL << n)
#define NDPI_ISSET_BIT(num, n) (num & (1 << n))
+#define NDPI_ZERO_BIT(num) num = 0
/* this is a very very tricky macro *g*,
* the compiler will remove all shifts here if the protocol is static...
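Review bot: The name `NDPI_ZERO_BIT` suggests it clears one bit like its siblings `NDPI_SET_BIT`/`NDPI_CLR_BIT`, but the expansion `num = 0` wipes the whole mask, which will surprise a reader scanning for where a risk is reset. A short comment and parenthesised operand make the intent explicit: `#define NDPI_ZERO_BIT(num) (num) = 0 /* clear the entire bitmask, not a single bit */`. Separately, the neighbouring `NDPI_ISSET_BIT` shifts a plain `int` (`1 << n`) while `NDPI_SET_BIT` shifts `1UL`; with `ndpi_risk` now a 32-bit mask the `int` form becomes undefined at n == 31, so aligning it to `1UL << n` would be worth a follow-up.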
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 4d8796261..bdcfebbe2 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -64,10 +64,13 @@ typedef enum {
NDPI_TLS_CERTIFICATE_MISMATCH,
NDPI_HTTP_SUSPICIOUS_USER_AGENT,
NDPI_HTTP_NUMERIC_IP_HOST,
+ NDPI_HTTP_SUSPICIOUS_URL,
/* Leave this as last member */
NDPI_MAX_RISK
-} ndpi_risk;
+} ndpi_risk_enum;
+
+typedef u_int32_t ndpi_risk;
/* NDPI_VISIT */
typedef enum {
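Review bot: `ndpi_risk` is now a `u_int32_t` bitmask indexed by `ndpi_risk_enum` values (the http.c hunk does `NDPI_SET_BIT(flow->risk, NDPI_HTTP_NUMERIC_IP_HOST)`), so every enumerator must stay below 32, a constraint the new typedef neither records nor enforces. A comment on the typedef, `/* bitmask of ndpi_risk_enum values: bit N set <=> risk N present; NDPI_MAX_RISK must stay <= 32 */`, plus `_Static_assert(NDPI_MAX_RISK <= 32, "ndpi_risk bitmask too small");` (if the build permits C11, otherwise a negative-array-size typedef) would turn the next over-long enum into a compile error rather than a silently dropped risk bit. The enum starts above this hunk, so whether `NDPI_NO_RISK` is value 0 (and thus wastes bit 0) cannot be confirmed from here.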
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 2f4419344..4a30b1954 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1332,9 +1332,9 @@ static int ndpi_is_rce_injection(char* query) {
/* ********************************** */
-ndpi_risk ndpi_validate_url(char *url) {
+ndpi_risk_enum ndpi_validate_url(char *url) {
char *orig_str = NULL, *str = NULL, *question_mark = strchr(url, '?');
- ndpi_risk rc = NDPI_NO_RISK;
+ ndpi_risk_enum rc = NDPI_NO_RISK;
if(question_mark) {
char *tmp;
@@ -1389,6 +1389,15 @@ ndpi_risk ndpi_validate_url(char *url) {
validate_rc:
if(orig_str) ndpi_free(orig_str);
+
+ if(rc == NDPI_NO_RISK) {
+ /* Let's do an extra check */
+ if(strstr(url, "..")) {
+ /* 127.0.0.1/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe */
+ rc = NDPI_HTTP_SUSPICIOUS_URL;
+ }
+ }
+
return(rc);
}
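Review bot: The new `strstr(url, "..")` check runs on the raw, undecoded `url` after the decoded copy `orig_str` has already been freed on the line above, so a percent-encoded traversal such as `/%2e%2e/%2e%2e/etc/passwd` is not flagged, while any benign path or query containing two consecutive dots (`/files/a..b.txt`, `q=wait...`) now raises `NDPI_HTTP_SUSPICIOUS_URL`. Narrowing the match to traversal shapes keeps the `%255c` example from the comment and cuts the false positives: `if(strstr(url, "../") || strstr(url, "..\\") || strstr(url, "..%") || strstr(url, "%2e%2e") || strstr(url, "%2E%2E"))`; alternatively move the check before `ndpi_free(orig_str)` and run it on the decoded string, assuming the decode step (outside this hunk) handles `%2e`. `url` is also dereferenced without a NULL check at the top of the function, which is fine for the flow-buffer caller visible in http.c but worth stating on the prototype. `ndpi_validate_url` begins in the previous hunk, so the decoding path this relies on is outside this view.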
@@ -1406,7 +1415,9 @@ u_int8_t ndpi_is_protocol_detected(struct ndpi_detection_module_struct *ndpi_str
/* ******************************************************************** */
-const char* ndpi_risk2str(ndpi_risk risk) {
+const char* ndpi_risk2str(ndpi_risk_enum risk) {
+ static char buf[16];
+
switch(risk) {
case NDPI_URL_POSSIBLE_XSS:
return("XSS attack");
@@ -1443,8 +1454,12 @@ const char* ndpi_risk2str(ndpi_risk risk) {
case NDPI_HTTP_NUMERIC_IP_HOST:
return("HTTP Numeric IP Address");
+
+ case NDPI_HTTP_SUSPICIOUS_URL:
+ return("HTTP Suspicious URL");
- default:
- return("");
+ default:
+ snprintf(buf, sizeof(buf), "%d", (int)risk);
+ return(buf);
}
}
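Review bot: The `default:` branch now returns a pointer to `buf`, the `static char buf[16]` introduced in the previous hunk, which makes `ndpi_risk2str()` non-reentrant: two threads formatting unknown risks race on the same bytes, and a caller that keeps the pointer sees it overwritten by the next unknown-risk call, whereas every named case returns a string literal and is unaffected. If nDPI is driven from several threads, as its per-flow API allows, prefer a literal such as `return("Unknown risk");`, or widen the API to take a caller buffer; at minimum document on the prototype that the `default` result lives in static storage and is valid only until the next call. The numeric fallback also changes observable behaviour for existing callers that compared against the old `""`, so a line in the commit message would help.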
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index b648bf754..abd422007 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -266,7 +266,7 @@ static void ndpi_check_numeric_ip(struct ndpi_detection_module_struct *ndpi_stru
strncpy(buf, ip, ip_len);
buf[ip_len] = '\0';
- ip_addr.s_addr = inet_addr(buf);;
+ ip_addr.s_addr = inet_addr(buf);
if(strcmp(inet_ntoa(ip_addr), buf) == 0) {
NDPI_SET_BIT(flow->risk, NDPI_HTTP_NUMERIC_IP_HOST);
}
@@ -274,6 +274,14 @@ static void ndpi_check_numeric_ip(struct ndpi_detection_module_struct *ndpi_stru
/* ************************************************************* */
+static void ndpi_check_http_url(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow,
+ char *url) {
+
+}
+
+/* ************************************************************* */
+
/**
NOTE
ndpi_parse_packet_line_info is in ndpi_main.c
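Review bot: `ndpi_check_http_url()` is added with an empty body, so the new `NDPI_HTTP_SUSPICIOUS_URL` risk that `ndpi_validate_url()` can now return is never set on the flow, and `ndpi_struct`, `flow` and `url` will draw unused-parameter warnings under `-Wextra`. If the intent is to wire the validator in, the body is two lines: `ndpi_risk_enum r = ndpi_validate_url(url); if(r != NDPI_NO_RISK) NDPI_SET_BIT(flow->risk, r);`, relying on the prototype from ndpi_api.h.in, which this file presumably already includes. If the wiring is meant for a later commit, a `/* TODO: validate url and set flow->risk */` comment and `(void)` casts of the parameters make the stub deliberate rather than forgotten.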
@@ -302,6 +310,8 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
strncpy(&flow->http.url[packet->host_line.len], (char*)packet->http_url_name.ptr,
packet->http_url_name.len);
flow->http.url[len-1] = '\0';
+
+ ndpi_check_http_url(ndpi_struct, flow, &flow->http.url[packet->host_line.len]);
}
if(flow->packet.http_method.len < 3)