From 0a4fbb8cfb7602c9c0b90e8329b56577dea207fd Mon Sep 17 00:00:00 2001
From: loures
Date: Wed, 13 May 2020 18:30:51 +0200
Subject: Add check for HTTP transfer of executable files

---
 src/include/ndpi_protocol_ids.h | 1 +
 src/lib/ndpi_main.c | 5 +++++
 src/lib/protocols/http.c | 13 +++++++++++++
 3 files changed, 19 insertions(+)

diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index b63f1525c..463aeb497 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -281,6 +281,7 @@ typedef enum {
 NDPI_PROTOCOL_S7COMM = 249,
 NDPI_PROTOCOL_MSTEAMS = 250,
 NDPI_PROTOCOL_WEBSOCKET = 251, /* Leonn Paiva */
+ NDPI_PROTOCOL_EXECUTABLE_HTTP = 252,
 
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_protocol_ids.h"
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index dcb34f2ad..39aad090c 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1474,6 +1474,11 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
 no_master, "WebSocket", NDPI_PROTOCOL_CATEGORY_WEB,
 ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
 ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+ ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, NDPI_PROTOCOL_EXECUTABLE_HTTP,
+ 1 /* can_have_a_subprotocol */, no_master,
+ no_master, "Executable HTTP", NDPI_PROTOCOL_CATEGORY_WEB,
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
 
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_main.c"
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index de4de3aee..b9a920ec7 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -245,6 +245,19 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
 }
 }
 
+ /* catch application/exe mime-type */
+ if(packet->content_line.ptr != NULL) {
+ u_int app_len = sizeof("application");
+ if(packet->content_line.len > app_len) {
+ if(ndpi_strncasestr((const char *)&packet->content_line.ptr[app_len], "exe",
+ packet->content_line.len-app_len) != NULL) {
+ ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_EXECUTABLE_HTTP, NDPI_PROTOCOL_CATEGORY_WEB);
+ NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer\n");
+ return;
+ }
+ }
+ }
+
 if(packet->user_agent_line.ptr != NULL && packet->user_agent_line.len != 0) {
 /**
 Format examples:
-- 
cgit v1.2.3
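Review bot: The added Content-Type check never verifies that the value actually starts with `application/`: `app_len` is `sizeof("application")`, which is 12 because the terminator is counted, so the offset only lands on the subtype by accident and `ndpi_strncasestr` then tags any Content-Type longer than 12 bytes that contains `exe` anywhere after that offset, whatever its top-level type or parameters. Making the prefix explicit removes both problems: `u_int app_len = sizeof("application/") - 1;` and `if(packet->content_line.len > app_len && strncasecmp((const char *)packet->content_line.ptr, "application/", app_len) == 0) {`, with the existing `ndpi_strncasestr` call kept for the subtype. The early `return` also skips everything check_content_type_and_change_protocol does after this block — the User-Agent handling begins on the very next context line — so flows tagged here presumably lose that parsing; worth confirming that is intended, since the function continues outside the hunk. Since Content-Type is supplied by the peer, a comment such as `/* heuristic: Content-Type is peer-controlled, this is a hint, not proof of an executable payload */` would make the intended confidence level of the POTENTIALLY_DANGEROUS tag clear to readers.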