From baddfbb6c3d09398b207248c64dc8fe6d5568ee6 Mon Sep 17 00:00:00 2001
From: loures
Date: Thu, 14 May 2020 12:42:42 +0200
Subject: Extend packet struct with Content-Disposition HTTP header field and improve HTTP binary transfer mime type check
---
 src/include/ndpi_typedefs.h | 1 +
 src/lib/ndpi_main.c | 7 +++++++
 src/lib/protocols/http.c | 39 ++++++++++++++++++++++++++++++++++-----
 3 files changed, 42 insertions(+), 5 deletions(-)
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 54e08ea11..e9ddfc01a 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -807,6 +807,7 @@ struct ndpi_packet_struct {
 struct ndpi_int_one_line_struct forwarded_line;
 struct ndpi_int_one_line_struct referer_line;
 struct ndpi_int_one_line_struct content_line;
+ struct ndpi_int_one_line_struct content_disposition_line;
 struct ndpi_int_one_line_struct accept_line;
 struct ndpi_int_one_line_struct user_agent_line;
 struct ndpi_int_one_line_struct http_url_name;
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index dcb34f2ad..59d4f3491 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -4960,6 +4960,13 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str,
 packet->http_contentlen.len = packet->line[packet->parsed_lines].len - 16;
 packet->http_num_headers++;
 }
+ /* "Content-Disposition"*/
+ if(packet->line[packet->parsed_lines].len > 21 && ((strncasecmp((const char *) packet->line[packet->parsed_lines].ptr, "Content-Disposition: ", 21) == 0))) {
+ packet->content_disposition_line.ptr = &packet->line[packet->parsed_lines].ptr[21];
+ packet->content_disposition_line.len = packet->line[packet->parsed_lines].len - 21;
+ packet->http_num_headers++;
+ }
 /* "Cookie:" header line in HTTP. */
 if(packet->line[packet->parsed_lines].len > 8 && strncasecmp((const char *) packet->line[packet->parsed_lines].ptr, "Cookie: ", 8) == 0) {
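Review bot: The new `Content-Disposition` branch in ndpi_parse_packet_line_info is formatted differently from the sibling header checks in the same function: its comment lacks the `header line in HTTP.` wording and spacing the `Cookie:` check uses, and the `strncasecmp` call is wrapped in a redundant extra pair of parentheses. Suggest `/* "Content-Disposition:" header line in HTTP. */` and `strncasecmp((const char *) packet->line[packet->parsed_lines].ptr, "Content-Disposition: ", 21) == 0) {`. As with the sibling checks, only exactly one space after the colon is accepted, so a header sent with a tab or no whitespace after the colon (HTTP allows both) is silently not captured and `content_disposition_line` stays unset; whether that field is reset per packet is outside the hunk. ndpi_parse_packet_line_info starts and ends outside the hunk.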
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 48dab0d38..abcf8c32e 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -28,6 +28,15 @@
 #include "ndpi_api.h"
 #include
+static const char* binary_file_mimes[] = {
+ "exe",
+ "vnd.ms-cab-compressed",
+ "vnd.microsoft.portable-executable"
+ "x-msdownload",
+ "x-dosexec",
+ NULL
+};
+
 static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
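Review bot: `binary_file_mimes` is missing the comma after `"vnd.microsoft.portable-executable"`, so the compiler silently concatenates it with the next literal into one entry, `"vnd.microsoft.portable-executablex-msdownload"`; the table then has five entries and neither `vnd.microsoft.portable-executable` nor `x-msdownload` can ever be matched by the loop in ndpi_http_check_content. The fix is the one-character change `"vnd.microsoft.portable-executable",`. Note also that the loop matches each entry as a case-insensitive substring of the content-type text, so the `"exe"` entry keeps the pre-existing behaviour of firing on any type containing those three letters, not only executables. A short comment above the table, such as `/* Content-Type fragments treated as binary transfers; matched as case-insensitive substrings */`, would make both points clear to the next person extending it.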
@@ -91,14 +100,34 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
 if(ndpi_strncasestr(app, "mpeg", app_len_avail) != NULL) {
 flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_STREAMING;
 return(flow->category);
- } else if(ndpi_strncasestr(app, "exe", app_len_avail) != NULL) {
- flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
- NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER);
- NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer\n");
- return(flow->category);
+ } else {
+ for (int i = 0; binary_file_mimes[i] != NULL; i++) {
+ if (ndpi_strncasestr(app, binary_file_mimes[i], app_len_avail) != NULL) {
+ flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
+ NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER);
+ NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer");
+ return(flow->category);
+ }
+ }
 }
 }
+ if (packet->content_disposition_line.len > 0) {
+ /* check for weird exe name as attachment */
+ uint8_t attachment_len = sizeof("attachment; filename");
+ if (packet->content_disposition_line.len > attachment_len) {
+ uint8_t filename_len = packet->content_disposition_line.len - attachment_len;
+ /* might want to extend this to match more filenames */
+ if (strncmp((const char *)&packet->content_disposition_line.ptr[attachment_len],
+ "\"phn34ycjtghm.exe\"", filename_len) == 0) {
+ flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
+ NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER);
+ NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer");
+ return(flow->category);
+ }
+ }
+ }
+
 switch(packet->content_line.ptr[0]) {
 case 'a':
 if(strncasecmp((const char *)packet->content_line.ptr, "audio",
-- 
cgit v1.2.3
From 1edf5c49d662f7944ee976a63d54980a270a2419 Mon Sep 17 00:00:00 2001
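Review bot: `filename_len` narrows `content_disposition_line.len` (a header line length, presumably wider than 8 bits — confirm its type) to `uint8_t`, so for a value whose length minus 21 is a multiple of 256 it becomes 0, `strncmp(..., 0)` returns 0, and the flow is flagged as a binary transfer regardless of what the header says. The code also skips `attachment_len` bytes without checking that the value actually starts with `attachment; filename`, and that constant only lands in the right place because `sizeof` counts the NUL, which happens to step over the `=` as well — worth a comment. Suggest `size_t filename_len = packet->content_disposition_line.len - attachment_len;` and a guard `strncasecmp((const char *)packet->content_disposition_line.ptr, "attachment; filename", attachment_len - 1) == 0` before indexing past the prefix. The hard-coded filename is replaced by an extension table in the next commit on this page, so I only add that the new `NDPI_LOG_INFO` message drops the trailing `\n` the removed line had — fine if the macro appends one, otherwise log lines will run together. ndpi_http_check_content starts and ends outside the hunk.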
From: loures
Date: Thu, 14 May 2020 14:30:34 +0200
Subject: Extend filetype matching for Content-Disposition header
---
 src/lib/protocols/http.c | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index abcf8c32e..5f62d730f 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -37,6 +37,13 @@ static const char* binary_file_mimes[] = {
 NULL
 };
+static const char* binary_file_ext[] = {
+ ".exe",
+ ".msi",
+ ".cab",
+ NULL
+};
+
 static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
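Review bot: `binary_file_ext` carries no comment on how it is consumed; the loop added in the second hunk of this commit matches each entry as a case-insensitive substring of the `Content-Disposition` filename, so `.exe` also hits a name like `report.exe.txt`, and a reader extending the table should know that. Suggest `/* filename extensions flagged as binary transfers; matched case-insensitively against the Content-Disposition filename in ndpi_http_check_content */` above the table. Keeping one entry per line with a trailing comma, as done here, is the right habit — the neighbouring `binary_file_mimes` table (first commit on this page) lost an entry to a missing comma, and adjacent string literals concatenate without any compiler diagnostic.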
@@ -112,22 +119,23 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
 }
 }
+ /* check for attachment */
 if (packet->content_disposition_line.len > 0) {
- /* check for weird exe name as attachment */
 uint8_t attachment_len = sizeof("attachment; filename");
 if (packet->content_disposition_line.len > attachment_len) {
 uint8_t filename_len = packet->content_disposition_line.len - attachment_len;
- /* might want to extend this to match more filenames */
- if (strncmp((const char *)&packet->content_disposition_line.ptr[attachment_len],
- "\"phn34ycjtghm.exe\"", filename_len) == 0) {
- flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
- NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER);
- NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer");
- return(flow->category);
+ for (int i = 0; binary_file_ext[i] != NULL; i++) {
+ if (ndpi_strncasestr((const char*)&packet->content_disposition_line.ptr[attachment_len],
+ binary_file_ext[i], filename_len)) {
+ printf("got %s\n", binary_file_ext[i]);
+ flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
+ NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER);
+ NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer");
+ return(flow->category);
+ }
 }
 }
 }
-
 switch(packet->content_line.ptr[0]) {
 case 'a':
 if(strncasecmp((const char *)packet->content_line.ptr, "audio",
-- 
cgit v1.2.3
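Review bot: `printf("got %s\n", binary_file_ext[i]);` is a leftover debug print inside library code — every matching flow writes to the stdout of whichever process links nDPI, right next to the `NDPI_LOG_INFO` call that already records the event — and should be deleted. The match itself is a substring search, so `ndpi_strncasestr(..., ".exe", filename_len)` also fires on names like `report.exe.txt` or `q3.executive.pdf`; comparing the extension against the end of the filename (after dropping the closing quote) avoids those false positives. `filename_len` is still a `uint8_t` derived from a line length and can wrap, and the code still skips `sizeof("attachment; filename")` bytes (21, since the NUL is counted) without checking the value begins with that prefix; the rewrite below assumes `.len` excludes the line terminator — confirm. The category, risk and log lines are unchanged by the rewrite; ndpi_http_check_content starts and ends outside the hunk.
```c
  /* check for attachment */
  if (packet->content_disposition_line.len > 0) {
    /* sizeof() counts the NUL, so this offset also steps over the '=' after "filename" */
    const size_t attachment_len = sizeof("attachment; filename");
    if (packet->content_disposition_line.len > attachment_len &&
        strncasecmp((const char *)packet->content_disposition_line.ptr,
                    "attachment; filename", attachment_len - 1) == 0) {
      const char *fname = (const char *)&packet->content_disposition_line.ptr[attachment_len];
      size_t fname_len = packet->content_disposition_line.len - attachment_len;
      /* drop a closing quote so the extension has to be the real suffix of the name */
      if (fname_len > 0 && fname[fname_len - 1] == '"')
        fname_len--;
      for (int i = 0; binary_file_ext[i] != NULL; i++) {
        size_t ext_len = strlen(binary_file_ext[i]);
        if (fname_len >= ext_len &&
            strncasecmp(fname + fname_len - ext_len, binary_file_ext[i], ext_len) == 0) {
          /* … unchanged: set DOWNLOAD_FT category, NDPI_BINARY_APPLICATION_TRANSFER risk, log, return … */
        }
      }
    }
  }
```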