From 199c86e3df8da0b4734193df8424cd4a62768ae8 Mon Sep 17 00:00:00 2001
From: Luca Deri <deri@ntop.org>
Date: Wed, 5 Oct 2022 22:51:20 +0200
Subject: Improved credentials check in IRC

---
 src/lib/protocols/irc.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'src')

diff --git a/src/lib/protocols/irc.c b/src/lib/protocols/irc.c
index 80de27417..367ec86bd 100644
--- a/src/lib/protocols/irc.c
+++ b/src/lib/protocols/irc.c
@@ -391,6 +391,7 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
 	  goto detected_irc;
 	}
       }
+
       if ((memcmp(packet->payload, "USER ", 5) == 0)
 	  || (memcmp(packet->payload, "NICK ", 5) == 0)
 	  || (memcmp(packet->payload, "PASS ", 5) == 0)
@@ -402,6 +403,19 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
 	  || (memcmp(packet->payload, "NOTICE ", 7) == 0)
 	  || (memcmp(packet->payload, "PRIVMSG ", 8) == 0)
 	  || (memcmp(packet->payload, "VERSION ", 8) == 0)) {
+	char *user = ndpi_strnstr((char*)packet->payload, "USER ", packet->payload_packet_len);
+
+	if(user) {
+	  char buf[32], msg[64], *sp;
+
+	  snprintf(buf, sizeof(buf), "%s", &user[5]);
+	  if((sp = strchr(buf, ' ')) != NULL)
+	    sp[0] = '\0';
+	  
+	  snprintf(msg, sizeof(msg), "Found IRC username (%s)", buf);
+	  ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, msg);
+	}
+	
 	NDPI_LOG_DBG2(ndpi_struct,
 		      "USER, NICK, PASS, NOTICE, PRIVMSG one time");
 	if (flow->l4.tcp.irc_stage == 2) {
-- 
cgit v1.2.3