Merge pull request #903 from Loures/dev

Extend packet struct with Content-Disposition HTTP header field

src/include/ndpi_typedefs.h

@@ -807,6 +807,7 @@ struct ndpi_packet_struct {
   struct ndpi_int_one_line_struct forwarded_line;
   struct ndpi_int_one_line_struct referer_line;
   struct ndpi_int_one_line_struct content_line;
+  struct ndpi_int_one_line_struct content_disposition_line;
   struct ndpi_int_one_line_struct accept_line;
   struct ndpi_int_one_line_struct user_agent_line;
   struct ndpi_int_one_line_struct http_url_name;

src/lib/ndpi_main.c

@@ -4960,6 +4960,13 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str,
 	packet->http_contentlen.len = packet->line[packet->parsed_lines].len - 16;
 	packet->http_num_headers++;
       }
+      /* "Content-Disposition"*/
+      if(packet->line[packet->parsed_lines].len > 21 &&
+	 ((strncasecmp((const char *) packet->line[packet->parsed_lines].ptr, "Content-Disposition: ", 21) == 0))) {
+	packet->content_disposition_line.ptr = &packet->line[packet->parsed_lines].ptr[21];
+	packet->content_disposition_line.len = packet->line[packet->parsed_lines].len - 21;
+	packet->http_num_headers++;
+      }
       /* "Cookie:" header line in HTTP. */
       if(packet->line[packet->parsed_lines].len > 8 &&
 	 strncasecmp((const char *) packet->line[packet->parsed_lines].ptr, "Cookie: ", 8) == 0) {

src/lib/protocols/http.c

@@ -28,6 +28,22 @@
 #include "ndpi_api.h"
 #include <stdlib.h>
 
+static const char* binary_file_mimes[] = {
+  "exe",
+  "vnd.ms-cab-compressed",
+  "vnd.microsoft.portable-executable"
+  "x-msdownload",
+  "x-dosexec",
+  NULL
+};
+
+static const char* binary_file_ext[] = {
+  ".exe",
+  ".msi",
+  ".cab",
+  NULL
+};
+
 static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 				 struct ndpi_flow_struct *flow);
 
@@ -91,14 +107,35 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
       if(ndpi_strncasestr(app, "mpeg", app_len_avail) != NULL) {
 	flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_STREAMING;
 	return(flow->category);
-      } else if(ndpi_strncasestr(app, "exe", app_len_avail) != NULL) {
-	flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
-	NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER); 
-	NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer\n");
-	return(flow->category);
+      } else {
+  for (int i = 0; binary_file_mimes[i] != NULL; i++) {
+    if (ndpi_strncasestr(app, binary_file_mimes[i], app_len_avail) != NULL) {
+      flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
+      NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER);
+      NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer");
+      return(flow->category);
+    }
+  }
       }
     }
 
+    /* check for attachment */
+  if (packet->content_disposition_line.len > 0) {
+    uint8_t attachment_len = sizeof("attachment; filename");
+    if (packet->content_disposition_line.len > attachment_len) {
+      uint8_t filename_len = packet->content_disposition_line.len - attachment_len;
+      for (int i = 0; binary_file_ext[i] != NULL; i++) {
+        if (ndpi_strncasestr((const char*)&packet->content_disposition_line.ptr[attachment_len],
+            binary_file_ext[i], filename_len)) {
+          printf("got %s\n", binary_file_ext[i]);
+          flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
+          NDPI_SET_BIT_16(flow->risk, NDPI_BINARY_APPLICATION_TRANSFER);
+          NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer");
+          return(flow->category);
+        }
+      }
+    }
+  }
     switch(packet->content_line.ptr[0]) {
     case 'a':
       if(strncasecmp((const char *)packet->content_line.ptr, "audio",