From 0cb951f143285a599a6d831c6fc2b3cb89d6aa67 Mon Sep 17 00:00:00 2001
From: Toni Uhlig
Date: Fri, 10 Jan 2025 17:52:51 +0100
Subject: Improved WebSocket-over-HTTP detection

* detect `chisel` SSH-over-HTTP-WebSocket
* use `strncasecmp()` for `LINE_*` matching macros

Signed-off-by: Toni Uhlig
---
 src/lib/protocols/websocket.c | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

(limited to 'src/lib/protocols')

diff --git a/src/lib/protocols/websocket.c b/src/lib/protocols/websocket.c
index b4cb3d1e3..47af111d8 100644
--- a/src/lib/protocols/websocket.c
+++ b/src/lib/protocols/websocket.c
@@ -106,6 +106,38 @@ static void ndpi_search_websocket(struct ndpi_detection_module_struct *ndpi_stru
   NDPI_LOG_DBG(ndpi_struct, "search WEBSOCKET\n");
   ndpi_check_websocket(ndpi_struct, flow);
 
+  // Check also some HTTP headers indicating an upcoming WebSocket connection
+  if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP &&
+      flow->detected_protocol_stack[1] != NDPI_PROTOCOL_WEBSOCKET)
+  {
+    struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
+    uint16_t i;
+
+    NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow, packet);
+    for (i = 0; i < packet->parsed_lines; i++) {
+      if (LINE_STARTS(packet->line[i], "upgrade:") != 0 &&
+          LINE_ENDS(packet->line[i], "websocket") != 0)
+      {
+        ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WEBSOCKET,
+                                   NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI);
+      } else if (LINE_STARTS(packet->line[i], "sec-websocket") != 0) {
+        ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WEBSOCKET,
+                                   NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI);
+        if (ndpi_strncasestr((const char *)packet->line[i].ptr, "chisel",
+                             packet->line[i].len) != NULL)
+        {
+          ndpi_set_risk(ndpi_struct, flow, NDPI_OBFUSCATED_TRAFFIC,
+                        "Obfuscated SSH-in-HTTP-WebSocket traffic");
+        }
+      }
+    }
+    if (i == packet->parsed_lines)
+    {
+      NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+      return;
+    }
+  }
+
   return;
 }
-- 
cgit v1.2.3
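Review bot: The post-loop test `if (i == packet->parsed_lines)` is always true, because neither matching branch leaves the loop early, so `NDPI_EXCLUDE_PROTO` runs even on the path where `ndpi_set_detected_protocol` has just classified the flow as WebSocket; since the loop deliberately keeps scanning every `Sec-WebSocket-*` line for the chisel marker, a flag is the right fix: declare `int matched = 0;` next to `i`, set `matched = 1;` in both header branches, and replace the index test with `if (!matched)`. The `chisel` check is a plain case-insensitive substring match on whatever the client puts in the header (presumably chisel's default subprotocol value), so an operator who renames the subprotocol evades the `NDPI_OBFUSCATED_TRAFFIC` risk; the `ndpi_strncasestr()` call deserves a comment such as `// weak indicator: relies on chisel advertising its name in the subprotocol header; trivially renamed`. Whether `LINE_STARTS`/`LINE_ENDS` compare case-insensitively is not visible in this diff (the commit message says they now use `strncasecmp()`), and the lowercase literals `"upgrade:"` and `"websocket"` depend on that, since the header is sent as `Upgrade: WebSocket` in mixed case on the wire. The enclosing `ndpi_search_websocket()` begins before this hunk.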