From 3fa941698133190dd5bca6100b74f7e3f5683a55 Mon Sep 17 00:00:00 2001
From: Luca
Date: Tue, 4 Oct 2022 11:26:03 +0200
Subject: Improved detection of WebShell and PHP code in HTTP URLs that is reported via flow risk

---
 src/lib/protocols/http.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 96e0e309a..ef5887643 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -628,7 +628,10 @@ static void ndpi_check_numeric_ip(struct ndpi_detection_module_struct *ndpi_stru
 static void ndpi_check_http_url(struct ndpi_detection_module_struct *ndpi_struct,
 struct ndpi_flow_struct *flow, char *url) {
-  /* Nothing to do */
+  if(strstr(url, "") != NULL /* PHP code in the URL */)
+    ndpi_set_risk(ndpi_struct, flow, NDPI_URL_POSSIBLE_RCE_INJECTION, "PHP code in URL");
+  else if(strncmp(url, "/shell?", 7) == 0)
+    ndpi_set_risk(ndpi_struct, flow, NDPI_URL_POSSIBLE_RCE_INJECTION, "Possible WebShell detected");
 }
 /* ************************************************************* */
-- 
cgit v1.2.3
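Review bot: The needle given to strstr on the first added line of the hunk is the empty string `""`, and strstr with an empty needle always returns the haystack, so as printed every URL that reaches ndpi_check_http_url sets NDPI_URL_POSSIBLE_RCE_INJECTION with "PHP code in URL" and the `/shell?` branch below it is never evaluated. It is possible the real pattern was stripped when this page was rendered, in which case the committed source should be confirmed to hold a non-empty literal; if not, the line needs one, e.g. `if(strstr(url, "<PHP_MARKER_PLACEHOLDER>") != NULL /* PHP code in the URL */)` with the marker filled in and named in the comment so a reader can see what is being matched. A short comment above the `/shell?` compare stating that only a URL starting with exactly `/shell?` is flagged (the strncmp length 7 is the literal's length) would also make the intended detection scope explicit, and any later change of the literal must keep that length in step.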