From 708d4ea33a4734eba7d3b3738115a2ae7e13ba67 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Sun, 9 Jan 2022 18:47:47 +0100 Subject: Improved user agent analysis --- src/lib/protocols/http.c | 40 +++++++++++++++++++++++++--------------- 1 file changed, 25 insertions(+), 15 deletions(-) (limited to 'src') diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 7a6fa1078..99a49ab2d 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -421,26 +421,36 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, char *ua) { - int log4j_exploit = -1; + u_int len; - if((!ua) || (ua[0] == '\0')) return; - - if((strlen(ua) < 4) - || (!strncmp(ua, "test", 4)) - || (!strncmp(ua, "impossible_bigrams_automa, ua) - ) { + if((!ua) || (ua[0] == '\0')) + return; + else + len = strlen(ua); + + if( + (!strncmp(ua, "impossible_bigrams_automa, ua) + ) { + ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT); + + ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT); + } else if( + (len < 4) /* Too short */ + || (len > 256) /* Too long */ + || (!strncmp(ua, "test", 4)) + || strchr(ua, '{') + || strchr(ua, '}') + ) { ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT); - - if(log4j_exploit == 0) /* Log4J exploit */ - ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT); } } +/* ************************************************************* */ + int http_process_user_agent(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, const u_int8_t *ua_ptr, u_int16_t ua_ptr_len) { -- cgit v1.2.3
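Review bot: The thresholds added in the `else if` of ndpi_check_user_agent — `len > 256` and the `strchr(ua, '{')` / `strchr(ua, '}')` scan — are bare heuristics with no rationale recorded, so a later maintainer cannot tell whether 256 was measured against real-world user agents or why a lone brace is treated as suspicious; a comment such as `/* 256: longer than any mainstream browser/app UA observed so far; braces: typical of template/expression-injection payloads like ${...} */` would make the intent auditable and the numbers easier to revisit. Note that a brace alone only sets NDPI_HTTP_SUSPICIOUS_USER_AGENT, so an obfuscated `${...}` payload that does not match the first `if` branch is never marked NDPI_POSSIBLE_EXPLOIT; that first condition is garbled in this rendering, so I cannot confirm which prefixes it actually matches. `len = strlen(ua)` also relies on the caller always passing a NUL-terminated copy of the header value; http_process_user_agent starts at the end of this hunk and continues outside it, so that guarantee is not visible here and should be stated in a comment on the `ua` parameter.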