added feature to extract filename from http attachment (#2037)

* added feature to extract filename from http attachment * fixed some issues * added check for filename format * added check for filename format * remove an unnecessary print * changed the size from 952 to 960 * modified some test result files * small changes string size * comment removed and mallocs checked
ntop · Jul 11, 2023 · 0b0f255 · 0b0f255
1 parent 950f5cc
commit 0b0f255
Show file tree

Hide file tree

Showing 10 changed files with 50 additions and 12 deletions.
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
@@ -1769,6 +1769,9 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
     if(flow->http.user_agent[0] != '\0')
       fprintf(out, "[User-Agent: %s]", flow->http.user_agent);
 
+    if(flow->http.filename[0] != '\0')
+      fprintf(out, "[Filename: %s]", flow->http.filename);
+
     if(flow->risk) {
       u_int i;
       u_int16_t cli_score, srv_score;

diff --git a/example/reader_util.c b/example/reader_util.c
@@ -1382,6 +1382,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
     ndpi_snprintf(flow->http.server, sizeof(flow->http.server), "%s", flow->ndpi_flow->http.server ? flow->ndpi_flow->http.server : "");
     ndpi_snprintf(flow->http.request_content_type, sizeof(flow->http.request_content_type), "%s", flow->ndpi_flow->http.request_content_type ? flow->ndpi_flow->http.request_content_type : "");
     ndpi_snprintf(flow->http.nat_ip, sizeof(flow->http.nat_ip), "%s", flow->ndpi_flow->http.nat_ip ? flow->ndpi_flow->http.nat_ip : "");
+    ndpi_snprintf(flow->http.filename, sizeof(flow->http.filename), "%s", flow->ndpi_flow->http.filename ? flow->ndpi_flow->http.filename : "");
   }
 
   ndpi_snprintf(flow->http.user_agent,

diff --git a/example/reader_util.h b/example/reader_util.h
@@ -282,7 +282,7 @@ typedef struct ndpi_flow_info {
   } ssh_tls;
 
   struct {
-    char url[256], request_content_type[64], content_type[64], user_agent[256], server[128], nat_ip[32];
+    char url[256], request_content_type[64], content_type[64], user_agent[256], server[128], nat_ip[32], filename[256];
     u_int response_status_code;
   } http;
 

diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
@@ -1450,6 +1450,7 @@ struct ndpi_flow_struct {
     char *url, *content_type /* response */, *request_content_type /* e.g. for POST */, *user_agent, *server;
     char *detected_os; /* Via HTTP/QUIC User-Agent */
     char *nat_ip; /* Via HTTP X-Forwarded-For */
+    char *filename; /* Via HTTP Content-Disposition */
   } http;
 
   ndpi_multimedia_flow_type flow_multimedia_type;
@@ -1677,7 +1678,7 @@ struct ndpi_flow_struct {
 _Static_assert(sizeof(((struct ndpi_flow_struct *)0)->protos) <= 210,
                "Size of the struct member protocols increased to more than 210 bytes, "
                "please check if this change is necessary.");
-_Static_assert(sizeof(struct ndpi_flow_struct) <= 952,
+_Static_assert(sizeof(struct ndpi_flow_struct) <= 960,
                "Size of the flow struct increased to more than 952 bytes, "
                "please check if this change is necessary.");
 #endif

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
@@ -5356,6 +5356,9 @@ void ndpi_free_flow_data(struct ndpi_flow_struct* flow) {
     if(flow->http.server)
       ndpi_free(flow->http.server);
 
+    if(flow->http.filename)
+      ndpi_free(flow->http.filename);
+
     if(flow->kerberos_buf.pktbuf)
       ndpi_free(flow->kerberos_buf.pktbuf);
 

diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
@@ -276,7 +276,6 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
 		flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
 		ndpi_set_binary_application_transfer(ndpi_struct, flow, str);
 		NDPI_LOG_INFO(ndpi_struct, "Found executable HTTP transfer");
-		return(flow->category);
 	      }
 	    }
 	  }
@@ -291,6 +290,33 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
       if(packet->content_disposition_line.len > attachment_len) {
 	u_int8_t filename_len = packet->content_disposition_line.len - attachment_len;
 	int i;
+
+  if(packet->content_disposition_line.ptr[attachment_len] == '\"'){
+    if(packet->content_disposition_line.ptr[packet->content_disposition_line.len-1] != '\"'){
+      //case: filename="file_name
+      flow->http.filename = ndpi_malloc(filename_len);
+      if(flow->http.filename != NULL){
+        flow->http.filename = strncpy(flow->http.filename, (char*)packet->content_disposition_line.ptr+attachment_len+1, filename_len-1);
+        flow->http.filename[filename_len-1] = '\0';
+      }
+    }
+    else{
+      //case: filename="file_name"
+      flow->http.filename = ndpi_malloc(filename_len-1);   
+      if(flow->http.filename != NULL){ 
+        flow->http.filename = strncpy(flow->http.filename, (char*)packet->content_disposition_line.ptr+attachment_len+1, filename_len-2);
+        flow->http.filename[filename_len-2] = '\0';
+      }
+    }
+  }
+  else{
+    //case: filename=file_name
+    flow->http.filename = ndpi_malloc(filename_len+1);
+    if(flow->http.filename != NULL){
+      flow->http.filename = strncpy(flow->http.filename, (char*)packet->content_disposition_line.ptr+attachment_len, filename_len);
+      flow->http.filename[filename_len] = '\0';
+    }
+  }
 
 	if(filename_len > ATTACHMENT_LEN) {
 	  attachment_len += filename_len-ATTACHMENT_LEN-1;
@@ -1292,6 +1318,10 @@ static void reset(struct ndpi_detection_module_struct *ndpi_struct,
     ndpi_free(flow->http.nat_ip);
     flow->http.nat_ip = NULL;
   }
+  if(flow->http.filename) {
+    ndpi_free(flow->http.filename);
+    flow->http.filename = NULL;
+  }
 
   /* Reset flow risks. We should reset only those risks triggered by
      the previous HTTP response... */

diff --git a/tests/cfgs/default/result/emotet.pcap.out b/tests/cfgs/default/result/emotet.pcap.out
@@ -29,8 +29,8 @@ JA3 Host Stats:
 	1	 10.4.25.101              	 1      
 
 
-	1	TCP 10.4.20.102:54319 <-> 107.161.178.210:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 5][cat: Download/7][272 pkts/16545 bytes <-> 557 pkts/800118 bytes][Goodput ratio: 1/96][9.12 sec][Hostname/SNI: gandhitoday.org][bytes ratio: -0.959 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 26/11 2171/1215 155/59][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 61/1436 279/1442 13/84][URL: gandhitoday.org/video/6JvA8/][StatusCode: 200][Content-Type: application/x-msdownload][Server: Apache][User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko][Risk: ** Binary App Transfer **][Risk Score: 150][Risk Info: Found mime exe x-msdownload][PLAIN TEXT (GET /video/6J)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0]
-	2	TCP 10.4.25.101:49797 <-> 77.105.36.156:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Download/7][169 pkts/10292 bytes <-> 395 pkts/565664 bytes][Goodput ratio: 1/96][1.99 sec][Hostname/SNI: filmmogzivota.rs][bytes ratio: -0.964 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 12/4 292/171 38/19][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 61/1432 206/1442 11/107][URL: filmmogzivota.rs/SpryAssets/gDR/][StatusCode: 200][Content-Type: application/x-msdownload][Server: Apache][User-Agent: vBKbaQgjyvRRbcgfvlsc][Risk: ** Binary App Transfer **** HTTP Susp User-Agent **][Risk Score: 250][Risk Info: UA vBKbaQgjyvRRbcgfvlsc / Found mime exe x-msdownload][PLAIN TEXT (GET /SpryAssets/gDR/ HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0]
+	1	TCP 10.4.20.102:54319 <-> 107.161.178.210:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 5][cat: Download/7][272 pkts/16545 bytes <-> 557 pkts/800118 bytes][Goodput ratio: 1/96][9.12 sec][Hostname/SNI: gandhitoday.org][bytes ratio: -0.959 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 26/11 2171/1215 155/59][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 61/1436 279/1442 13/84][URL: gandhitoday.org/video/6JvA8/][StatusCode: 200][Content-Type: application/x-msdownload][Server: Apache][User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko][Filename: EGh7x6aKN3ILP.dll][Risk: ** Binary App Transfer **][Risk Score: 150][Risk Info: Found mime exe x-msdownload][PLAIN TEXT (GET /video/6J)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0]
+	2	TCP 10.4.25.101:49797 <-> 77.105.36.156:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Download/7][169 pkts/10292 bytes <-> 395 pkts/565664 bytes][Goodput ratio: 1/96][1.99 sec][Hostname/SNI: filmmogzivota.rs][bytes ratio: -0.964 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 12/4 292/171 38/19][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 61/1432 206/1442 11/107][URL: filmmogzivota.rs/SpryAssets/gDR/][StatusCode: 200][Content-Type: application/x-msdownload][Server: Apache][User-Agent: vBKbaQgjyvRRbcgfvlsc][Filename: TfBXbg6gEAqeHioMEKOtCAAn73.dll][Risk: ** Binary App Transfer **** HTTP Susp User-Agent **][Risk Score: 250][Risk Info: UA vBKbaQgjyvRRbcgfvlsc / Found mime exe x-msdownload][PLAIN TEXT (GET /SpryAssets/gDR/ HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0]
 	3	TCP 10.2.25.102:57309 <-> 193.252.22.84:587 [proto: 3/SMTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 19][cat: Email/3][303 pkts/420177 bytes <-> 323 pkts/18288 bytes][Goodput ratio: 96/5][19.04 sec][Hostname/SNI: opmta1mto02nd1][bytes ratio: 0.917 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 26/66 1205/3211 138/351][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 1387/57 1514/214 400/13][PLAIN TEXT (220 opmta)][Plen Bins: 7,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,83,0,0]
 	4	TCP 10.3.29.101:56309 <-> 104.161.127.22:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Web/5][72 pkts/4883 bytes <-> 136 pkts/184040 bytes][Goodput ratio: 20/96][11.81 sec][Hostname/SNI: fkl.co.ke][bytes ratio: -0.948 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 224/98 7597/7597 1122/760][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 68/1353 591/1415 81/273][URL: fkl.co.ke/wp-content/Elw3kPvOsZxM5/][StatusCode: 200][Content-Type: text/html][Server: LiteSpeed][User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Edg/99.0.1150.55][PLAIN TEXT (GET /wp)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0]
 	5	TCP 10.4.25.101:49803 <-> 138.197.147.101:443 [proto: 91/TLS][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 6][cat: Web/5][61 pkts/4478 bytes <-> 75 pkts/99815 bytes][Goodput ratio: 16/96][28.39 sec][bytes ratio: -0.914 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 600/30 23191/1117 3362/144][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 73/1331 534/1442 63/364][Risk: ** Self-signed Cert **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **** Malicious JA3 Fingerp. **][Risk Score: 210][Risk Info: 51c64c77e60f3980eea90869b68c58a8 / No ALPN / C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com][TLSv1.2][JA3C: 51c64c77e60f3980eea90869b68c58a8][JA3S: ec74a5c51106f0419184d0dd08fb05bc][Issuer: C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com][Subject: C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com][Certificate SHA-1: 43:A2:39:73:AC:4D:2C:15:7B:D6:4E:32:EA:22:11:B7:97:65:1A:93][Firefox][Validity: 2022-04-21 10:08:46 - 2023-04-21 10:08:46][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 1,0,1,0,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,93,0,0,0,0]

diff --git a/tests/cfgs/default/result/exe_download.pcap.out b/tests/cfgs/default/result/exe_download.pcap.out
@@ -22,4 +22,4 @@ Patricia protocols:   2/0 (search/found)
 
 HTTP	703	717463	1
 
-	1	TCP 10.9.25.101:49165 <-> 144.91.69.195:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Download/7][203 pkts/11127 bytes <-> 500 pkts/706336 bytes][Goodput ratio: 1/96][5.18 sec][Hostname/SNI: 144.91.69.195][bytes ratio: -0.969 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 23/9 319/365 49/37][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 55/1413 207/1514 11/134][URL: 144.91.69.195/solar.php][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx/1.10.3][User-Agent: pwtyyEKzNtGatwnJjmCcBLbOveCVpc][Risk: ** Binary App Transfer **** HTTP Susp User-Agent **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Obsolete Server **][Risk Score: 310][Risk Info: Found host 144.91.69.195 / UA pwtyyEKzNtGatwnJjmCcBLbOveCVpc / Obsolete nginx server 1.10.3 / Found mime exe octet-stream][PLAIN TEXT (GET /solar.php HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,2,0,0,7,0,0,63,0,0,24,0,0]
+	1	TCP 10.9.25.101:49165 <-> 144.91.69.195:80 [proto: 7/HTTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 6][cat: Download/7][203 pkts/11127 bytes <-> 500 pkts/706336 bytes][Goodput ratio: 1/96][5.18 sec][Hostname/SNI: 144.91.69.195][bytes ratio: -0.969 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 23/9 319/365 49/37][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 55/1413 207/1514 11/134][URL: 144.91.69.195/solar.php][StatusCode: 200][Content-Type: application/octet-stream][Server: nginx/1.10.3][User-Agent: pwtyyEKzNtGatwnJjmCcBLbOveCVpc][Filename: phn34ycjtghm.exe][Risk: ** Binary App Transfer **** HTTP Susp User-Agent **** HTTP/TLS/QUIC Numeric Hostname/SNI **** HTTP Obsolete Server **][Risk Score: 310][Risk Info: Found host 144.91.69.195 / UA pwtyyEKzNtGatwnJjmCcBLbOveCVpc / Obsolete nginx server 1.10.3 / Found mime exe octet-stream][PLAIN TEXT (GET /solar.php HTTP/1.1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,2,0,0,7,0,0,63,0,0,24,0,0]