From 0cb951f143285a599a6d831c6fc2b3cb89d6aa67 Mon Sep 17 00:00:00 2001
From: Toni Uhlig <matzeton@googlemail.com>
Date: Fri, 10 Jan 2025 17:52:51 +0100
Subject: Improved WebSocket-over-HTTP detection

 * detect `chisel` SSH-over-HTTP-WebSocket
 * use `strncasecmp()` for `LINE_*` matching macros

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
---
 src/lib/protocols/websocket.c | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

(limited to 'src/lib/protocols')

diff --git a/src/lib/protocols/websocket.c b/src/lib/protocols/websocket.c
index b4cb3d1e3..47af111d8 100644
--- a/src/lib/protocols/websocket.c
+++ b/src/lib/protocols/websocket.c
@@ -106,6 +106,38 @@ static void ndpi_search_websocket(struct ndpi_detection_module_struct *ndpi_stru
   NDPI_LOG_DBG(ndpi_struct, "search WEBSOCKET\n");
   ndpi_check_websocket(ndpi_struct, flow);
 
+  // Check also some HTTP headers indicating an upcoming WebSocket connection
+  if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP &&
+      flow->detected_protocol_stack[1] != NDPI_PROTOCOL_WEBSOCKET)
+  {
+    struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
+    uint16_t i;
+
+    NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow, packet);
+    for (i = 0; i < packet->parsed_lines; i++) {
+      if (LINE_STARTS(packet->line[i], "upgrade:") != 0 &&
+          LINE_ENDS(packet->line[i], "websocket") != 0)
+      {
+        ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WEBSOCKET,
+                                   NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI);
+      } else if (LINE_STARTS(packet->line[i], "sec-websocket") != 0) {
+        ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WEBSOCKET,
+                                   NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI);
+        if (ndpi_strncasestr((const char *)packet->line[i].ptr, "chisel",
+                             packet->line[i].len) != NULL)
+        {
+          ndpi_set_risk(ndpi_struct, flow, NDPI_OBFUSCATED_TRAFFIC,
+                        "Obfuscated SSH-in-HTTP-WebSocket traffic");
+        }
+      }
+    }
+    if (i == packet->parsed_lines)
+    {
+      NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+      return;
+    }
+  }
+
   return;
 }
 
-- 
cgit v1.2.3