Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_typedefs.h3
-rw-r--r--src/lib/ndpi_main.c3
-rw-r--r--src/lib/ndpi_utils.c5
-rw-r--r--src/lib/protocols/http.c8
4 files changed, 14 insertions, 5 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index f8ac2383a..52645553e 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -167,7 +167,8 @@ typedef enum {
NDPI_FULLY_ENCRYPTED, /* This (unknown) session is fully encrypted */
NDPI_TLS_ALPN_SNI_MISMATCH, /* Invalid ALPN/SNI combination */
NDPI_MALWARE_HOST_CONTACTED, /* Flow client contacted a malware host */
-
+ NDPI_BINARY_TRANSFER_ATTEMPT,/* Attempt to transfer something in binary format */
+
/* Leave this as last member */
NDPI_MAX_RISK /* must be <= 63 due to (**) */
} ndpi_risk_enum;
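Review bot: The comment on the new NDPI_BINARY_TRANSFER_ATTEMPT member is glued to the comma, unlike every neighbouring entry in the enum; `NDPI_BINARY_TRANSFER_ATTEMPT, /* Attempt to transfer something in binary format */` keeps the existing layout. The enum's opening line is outside the hunk, so the (**) constraint referenced on the NDPI_MAX_RISK line cannot be checked from here, but one added member keeps the count moving in the direction that note warns about and is worth a glance at the 63 limit.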
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 517df9800..7e277d121 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -194,7 +194,8 @@ static ndpi_risk_info ndpi_known_risks[] = {
{ NDPI_FULLY_ENCRYPTED, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
{ NDPI_TLS_ALPN_SNI_MISMATCH, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
{ NDPI_MALWARE_HOST_CONTACTED, NDPI_RISK_SEVERE, CLIENT_HIGH_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
-
+ { NDPI_BINARY_TRANSFER_ATTEMPT, NDPI_RISK_MEDIUM, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_CLIENT_ACCOUNTABLE },
+
/* Leave this as last member */
{ NDPI_MAX_RISK, NDPI_RISK_LOW, CLIENT_FAIR_RISK_PERCENTAGE, NDPI_NO_ACCOUNTABILITY }
};
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 048f1572a..d04c457b0 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -2014,7 +2014,7 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
return("Non-Printable/Invalid Chars Detected");
case NDPI_POSSIBLE_EXPLOIT:
- return("Possible Exploit");
+ return("Possible Exploit Attempt");
case NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE:
return("TLS Cert About To Expire");
@@ -2055,6 +2055,9 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) {
case NDPI_MALWARE_HOST_CONTACTED:
return("Client contacted a malware host");
+ case NDPI_BINARY_TRANSFER_ATTEMPT:
+ return("Binary Data Transfer Attemot");
+
default:
ndpi_snprintf(buf, sizeof(buf), "%d", (int)risk);
return(buf);
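Review bot: The new return string for the NDPI_BINARY_TRANSFER_ATTEMPT case misspells "Attempt" as "Attemot"; since ndpi_risk2str output is what callers display and compare against, this should be `return("Binary Data Transfer Attempt");` before it ships. The earlier hunk in this file also renames "Possible Exploit" to "Possible Exploit Attempt", so any downstream code or test fixtures that match the old literal would presumably need the same update (not visible here). ndpi_risk2str starts and ends outside these hunks.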
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 8c3da111c..0d0247574 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -67,8 +67,12 @@ static void ndpi_set_binary_application_transfer(struct ndpi_detection_module_st
|| ends_with(ndpi_struct, (char*)flow->host_server_name, ".windows.com")
)
;
- else
- ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER, msg);
+ else {
+ if((flow->http.response_status_code >= 200) && (flow->http.response_status_code < 300))
+ ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER, msg);
+ else
+ ndpi_set_risk(flow, NDPI_BINARY_TRANSFER_ATTEMPT, msg);
+ }
}
/* *********************************************** */
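Review bot: The 2xx test in the new else block lumps "no response seen yet" together with error responses: if ndpi_set_binary_application_transfer runs while flow->http.response_status_code still holds its initial value (presumably 0 before a response is parsed — not visible here), the flow gets NDPI_BINARY_TRANSFER_ATTEMPT even when the server later delivers the binary with a 200. Unless a later call re-evaluates the flow and sets NDPI_BINARY_APPLICATION_TRANSFER, a successful download flagged from the request side would be under-reported, so it is worth confirming where this function is invoked. At minimum the branch deserves a comment such as `/* 2xx: server actually delivered the binary; any other (or not yet seen) status is only an attempt */`. The function's signature and the start of the host-name allow-list condition lie outside the hunk.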