From 24cc949f1405b0d9e0be26848168fd3df52bf6d3 Mon Sep 17 00:00:00 2001
From: Luca Deri
Date: Sat, 22 Oct 2022 10:06:09 +0200
Subject: Enhanced HTTP numeric IP check

---
 src/include/ndpi_main.h  |  2 +-
 src/lib/ndpi_utils.c     | 29 +++++++++++++++++++++++++++++
 src/lib/protocols/http.c | 18 ++++++++++++++++--
 3 files changed, 46 insertions(+), 3 deletions(-)

(limited to 'src')

diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h
index 4e7284748..ce3439279 100644
--- a/src/include/ndpi_main.h
+++ b/src/include/ndpi_main.h
@@ -171,7 +171,7 @@ extern "C" {
   char *ndpi_user_agent_set(struct ndpi_flow_struct *flow, const u_int8_t *value, size_t value_len);
   int64_t ndpi_asn1_ber_decode_length(const unsigned char *payload, int payload_len, u_int16_t *value_len);
-
+  char* ndpi_intoav4(unsigned int addr, char* buf, u_int16_t bufLen);
   int ndpi_current_pkt_from_client_to_server(const struct ndpi_packet_struct *packet, const struct ndpi_flow_struct *flow);
   int ndpi_current_pkt_from_server_to_client(const struct ndpi_packet_struct *packet, const struct ndpi_flow_struct *flow);
   int ndpi_seen_flow_beginning(const struct ndpi_flow_struct *flow);
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index ef212cc5f..255a1fa8e 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -2835,3 +2835,32 @@ int64_t ndpi_asn1_ber_decode_length(const unsigned char *payload, int payload_le
   (*value_len) += 1;
   return value;
 }
+
+/* ******************************************* */
+
+char* ndpi_intoav4(unsigned int addr, char* buf, u_int16_t bufLen) {
+  char *cp;
+  int n;
+
+  cp = &buf[bufLen];
+  *--cp = '\0';
+
+  n = 4;
+  do {
+    u_int byte = addr & 0xff;
+
+    *--cp = byte % 10 + '0';
+    byte /= 10;
+    if(byte > 0) {
+      *--cp = byte % 10 + '0';
+      byte /= 10;
+      if(byte > 0)
+        *--cp = byte + '0';
+    }
+    if(n > 1)
+      *--cp = '.';
+    addr >>= 8;
+  } while (--n > 0);
+
+  return(cp);
+}
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 7e6ae2d28..a7876c15e 100644
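Review bot: ndpi_intoav4 writes backwards from `&buf[bufLen]` without checking that bufLen can hold the longest dotted quad (`255.255.255.255` plus the terminator is 16 bytes), so a caller passing a shorter buffer — or bufLen == 0 — makes the `*--cp` stores land before the start of buf. A guard at the top, `if(bufLen < 16) { if(bufLen > 0) buf[0] = '\0'; return(buf); }`, keeps every store inside the caller's buffer; the only caller in this commit passes a 64-byte buffer, so it is not affected today. Because the digits are produced from the low byte outwards, the caller has to pass the address in host order (http.c does this with ntohl), and the result is a pointer into the tail of buf rather than buf itself, so the definition deserves a comment such as `/* Formats a host-order IPv4 address as dotted decimal into buf (>= 16 bytes) and returns a pointer into buf, not buf itself */`.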
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -395,14 +395,28 @@ static void setHttpUserAgent(struct ndpi_detection_module_struct *ndpi_struct,
 /* ************************************************************* */
 
 static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndpi_struct,
-                                       struct ndpi_flow_struct *flow) {
+                                        struct ndpi_flow_struct *flow) {
   u_int16_t master_protocol;
 
   if((flow->l4.tcp.http_stage == 0) || (flow->http.url && flow->http_detected)) {
     char *double_col = strchr((char*)flow->host_server_name, ':');
-
+    int a, b, c, d;
+
     if(double_col) double_col[0] = '\0';
 
+    if(ndpi_struct->packet.iph
+       && (sscanf(flow->host_server_name, "%d.%d.%d.%d", &a, &b, &c, &d) == 4)) {
+      /* IPv4 */
+
+      if(ndpi_struct->packet.iph->daddr != inet_addr(flow->host_server_name)) {
+        char buf[64], msg[128];
+
+        snprintf(msg, sizeof(msg), "Expected %s, found %s",
+                 ndpi_intoav4(ntohl(ndpi_struct->packet.iph->daddr), buf, sizeof(buf)), flow->host_server_name);
+        ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, msg);
+      }
+    }
+
     master_protocol = NDPI_PROTOCOL_HTTP;
     if(flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN)
       master_protocol = flow->detected_protocol_stack[1];
-- 
cgit v1.2.3
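Review bot: The `sscanf(... "%d.%d.%d.%d" ...) == 4` test on the new IPv4 branch accepts octets outside 0–255, negative numbers and trailing text, and `inet_addr()` then returns INADDR_NONE for such strings (and, ambiguously, for a genuine `255.255.255.255`), so a malformed numeric Host such as `999.1.1.1` is reported as a destination mismatch with a misleading "Expected …, found …" message instead of being rejected as not an address. Replacing both calls with a single strict parse, `u_int32_t host_ip;` and `if(ndpi_struct->packet.iph && (inet_pton(AF_INET, (char*)flow->host_server_name, &host_ip) == 1))` followed by `if(ndpi_struct->packet.iph->daddr != host_ip) {`, validates the dotted quad properly, avoids the in-band error value, and removes the otherwise unused `a, b, c, d` locals. `host_server_name` is cast to `char*` for the strchr on the line above, so the uncast sscanf and inet_addr arguments presumably need the same cast to avoid a pointer-sign warning. ndpi_http_parse_subprotocol continues past the end of the hunk.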