From 37c88b129f6f5a3475dc6364cc4a898df9ff37ab Mon Sep 17 00:00:00 2001
From: Luca
Date: Tue, 4 Oct 2022 22:31:42 +0200
Subject: Added new flow risk NDPI_HTTP_OBSOLETE_SERVER. Currently Apache and nginx are supported
---
src/lib/protocols/http.c | 51 +++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 44 insertions(+), 7 deletions(-)
(limited to 'src/lib/protocols')
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 80c4c8041..34c6f5594 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -636,6 +636,47 @@ static void ndpi_check_http_url(struct ndpi_detection_module_struct *ndpi_struct /* ************************************************************* */ +#define MIN_APACHE_VERSION 2004000 /* 2.4.X [https://endoflife.date/apache] */ +#define MIN_NGINX_VERSION 1022000 /* 1.22.0 [https://endoflife.date/nginx] */ + +static void ndpi_check_http_server(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + const char *server, u_int server_len) { + if(server_len > 7) { + u_int off; + + if(strncmp((const char *)server, "ntopng ", 7) == 0) { + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NTOP, NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI); + NDPI_CLR_BIT(flow->risk, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT); + } else if((strncasecmp(server, "Apache/", off = 7) == 0) /* X.X.X */ + || (strncasecmp(server, "nginx/", off = 6) == 0) /* X.X.X */) { + u_int i, j, a, b, c; + char buf[16] = { '\0' }; + + for(i=off, j=0; (iserver_line.ptr != NULL && (packet->server_line.len > 7)) { - if(strncmp((const char *)packet->server_line.ptr, "ntopng ", 7) == 0) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NTOP, NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI); - NDPI_CLR_BIT(flow->risk, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT); - } - } - + if(packet->server_line.ptr != NULL) + ndpi_check_http_server(ndpi_struct, flow, (const char *)packet->server_line.ptr, packet->server_line.len); + if(packet->user_agent_line.ptr != NULL && packet->user_agent_line.len != 0) { ret = http_process_user_agent(ndpi_struct, flow, packet->user_agent_line.ptr, packet->user_agent_line.len); /* TODO: Is it correct to avoid setting ua, host_name,... if we have a (Netflix) subclassification? */ -- cgit v1.2.3
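Review bot: The copy of the version digits into `char buf[16]` in ndpi_check_http_server reads from the peer-supplied Server header, and the loop condition after `for(i=off, j=0; (i` is cut off in this rendering of the patch, so the bound on `j` cannot be confirmed from this page. It should stop at `j < sizeof(buf) - 1` so that the terminator left by the `{ '\0' }` initializer survives a header carrying 16 or more digit/dot characters, assuming the rest of the function (not readable here) goes on to treat `buf` as a C string. Separately, `off = 7` and `off = 6` are assigned inside the `strncasecmp` length arguments, which works only because `||` evaluates left to right and short-circuits; setting `off` in two explicit branches would be easier to read and to extend to further servers. The two `MIN_*_VERSION` macros would also benefit from a comment stating how the integer is encoded, since `2004000` beside `2.4.X` is the only hint on the visible lines.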