
HTTP dissector enhancement for DWORD and hex formatted url

Open subhajit-cdot opened this issue 3 years ago • 7 comments

Is it possible to set a risk for DWORD- and hex-formatted URLs in the HTTP dissector, similar to NDPI_HTTP_NUMERIC_IP_HOST?

subhajit-cdot avatar Jun 17 '21 12:06 subhajit-cdot
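For context on what the request above is about: `inet_aton(3)`-style parsers, which browsers also follow, accept an IPv4 address written as a single 32-bit integer ("DWORD", e.g. `http://3232235777/`), in hex (`http://0xC0A80101/`), in octal (`http://0300.0250.01.01/`) or with fewer than four dot-separated parts (`http://192.168.257/`), and all of those denote 192.168.1.1. A check that only looks for a dotted quad in the Host header (which is what a NDPI_HTTP_NUMERIC_IP_HOST-style check typically does) misses them, and phishing kits use exactly these spellings to slip past URL filters. The following is an added example written for this thread, not nDPI code: a classifier for the syntactic form of a numeric host that an HTTP dissector could run on the Host value. The function and enum names are hypothetical and the sample hosts are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Syntactic form of a numeric IPv4 host, as inet_aton(3)-style parsers in
   browsers and libc accept it. HOST_DOTTED_DECIMAL is what a plain numeric-IP
   check already covers; the other forms are the ones the issue asks to flag.
   (Hypothetical names, not nDPI's.) */
typedef enum {
  HOST_NOT_NUMERIC = 0,
  HOST_DOTTED_DECIMAL,   /* 192.168.1.1 */
  HOST_DWORD,            /* 3232235777, or 192.168.257 (fewer than four decimal parts) */
  HOST_OCTAL,            /* 0300.0250.01.01 */
  HOST_HEX               /* 0xC0A80101, 0xC0.0xA8.0x1.0x1 */
} host_form_t;

/* Parse one dot-separated part. Base is chosen the way inet_aton does:
   "0x" prefix = hex, leading "0" = octal, otherwise decimal. */
static int parse_part(const char *p, size_t n, uint32_t *out, int *base)
{
  uint64_t v = 0;
  size_t i = 0;

  *base = 10;
  if (n >= 2 && p[0] == '0' && (p[1] == 'x' || p[1] == 'X')) { *base = 16; i = 2; }
  else if (n >= 2 && p[0] == '0') { *base = 8; i = 1; }
  if (i == n) return 0;                        /* "0x" without digits */

  for (; i < n; i++) {
    int d;
    if (p[i] >= '0' && p[i] <= '9') d = p[i] - '0';
    else if (p[i] >= 'a' && p[i] <= 'f') d = p[i] - 'a' + 10;
    else if (p[i] >= 'A' && p[i] <= 'F') d = p[i] - 'A' + 10;
    else return 0;
    if (d >= *base) return 0;                  /* e.g. '9' in an octal part */
    v = v * (uint64_t)*base + (uint64_t)d;
    if (v > 0xFFFFFFFFULL) return 0;           /* does not fit in 32 bits */
  }
  *out = (uint32_t)v;
  return 1;
}

/* Classify `host` (a Host header value or URL authority; an optional ":port"
   is ignored) and, if it is numeric, store the IPv4 address it denotes. */
host_form_t classify_numeric_host(const char *host, uint32_t *ipv4)
{
  uint32_t parts[4], addr;
  int bases[4], nparts = 0, any_hex = 0, any_oct = 0, k;
  const char *p = host, *end = host + strcspn(host, ":");

  if (p == end) return HOST_NOT_NUMERIC;
  for (;;) {
    const char *dot = memchr(p, '.', (size_t)(end - p));
    size_t n = dot ? (size_t)(dot - p) : (size_t)(end - p);
    if (nparts == 4 || n == 0) return HOST_NOT_NUMERIC;
    if (!parse_part(p, n, &parts[nparts], &bases[nparts])) return HOST_NOT_NUMERIC;
    nparts++;
    if (!dot) break;
    p = dot + 1;
  }

  /* Combine like inet_aton: the last part fills all remaining octets. */
  for (k = 0; k < nparts - 1; k++)
    if (parts[k] > 0xFF) return HOST_NOT_NUMERIC;
  switch (nparts) {
  case 1:  addr = parts[0]; break;
  case 2:  if (parts[1] > 0xFFFFFF) return HOST_NOT_NUMERIC;
           addr = (parts[0] << 24) | parts[1]; break;
  case 3:  if (parts[2] > 0xFFFF) return HOST_NOT_NUMERIC;
           addr = (parts[0] << 24) | (parts[1] << 16) | parts[2]; break;
  default: if (parts[3] > 0xFF) return HOST_NOT_NUMERIC;
           addr = (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]; break;
  }
  if (ipv4) *ipv4 = addr;

  for (k = 0; k < nparts; k++) {
    if (bases[k] == 16) any_hex = 1;
    else if (bases[k] == 8) any_oct = 1;
  }
  if (any_hex) return HOST_HEX;
  if (any_oct) return HOST_OCTAL;
  if (nparts < 4) return HOST_DWORD;
  return HOST_DOTTED_DECIMAL;
}

/* Convenience: the IPv4 address a numeric host denotes, 0 if it is not numeric. */
uint32_t numeric_host_to_ipv4(const char *host)
{
  uint32_t a = 0;
  return classify_numeric_host(host, &a) == HOST_NOT_NUMERIC ? 0 : a;
}

int main(void)
{
  /* Constructed sample Host values, not captured traffic. */
  static const char *samples[] = { "192.168.1.1", "3232235777", "0xC0A80101",
    "0xC0.0xA8.0x1.0x1", "0300.0250.01.01", "192.168.257:8080", "www.example.com" };
  static const char *names[] = { "not numeric", "dotted decimal", "dword", "octal", "hex" };
  size_t i;
  for (i = 0; i < sizeof samples / sizeof *samples; i++) {
    uint32_t a = 0;
    host_form_t f = classify_numeric_host(samples[i], &a);
    printf("%-20s %-15s %u.%u.%u.%u\n", samples[i], names[f],
           a >> 24, (a >> 16) & 0xFF, (a >> 8) & 0xFF, a & 0xFF);
  }
  return 0;
}
```

Every sample except the hostname and the dotted quad resolves to 192.168.1.1 while looking nothing like it, which is the point of flagging these forms. Note that the classification is purely syntactic: it says how the client will interpret the host, not whether the destination is malicious, so it belongs in the same "suspicious, not confirmed" risk tier as the existing numeric-IP check. IPv6 literals (`[::1]`) are rejected as non-numeric by this routine and would need their own handling.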

Sure: can you please attach a pcap for testing?

lucaderi avatar Aug 27 '21 08:08 lucaderi

@subhajit-cdot , ping...

IvanNardi avatar Jul 30 '22 12:07 IvanNardi

Hi, I don't have a pcap for testing, but you can refer to the link below for the implementation.

link

subhajit-cdot avatar Aug 01 '22 03:08 subhajit-cdot

Thanks for the link

IvanNardi avatar Aug 01 '22 08:08 IvanNardi

Hi @IvanNardi, I am not sure if this activity has already been taken up, but I want to add a few more points related to the above. In nDPI we already have PUNYCODE checking hooks available, but they only check for xn--; however, in IDN homograph attacks / script spoofing attacks (IDN homograph attack, punycode info), Cyrillic/Latin spoofing is the most commonly used in this kind of attack. So it would be good if nDPI added this detection based on string or Unicode range matching (Cyrillic: U+0400–U+04FF, 256 characters; Cyrillic Supplement: U+0500–U+052F, 48 characters).

Thanks Subhajit

subhajit-cdot avatar Apr 15 '24 04:04 subhajit-cdot
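The range check proposed above only works after the label has been decoded: on the wire a Cyrillic hostname is pure ASCII (`xn--...`), so the Unicode ranges have to be applied to the output of a punycode decoder, not to the Host/SNI bytes. The following is an added example for this thread, not nDPI code: an RFC 3492 decoder plus a per-label script classifier that distinguishes a label mixing Latin and Cyrillic letters (the strongest homograph signal) from an all-Cyrillic label (normal for Russian-language domains). Type and function names are hypothetical; the sample labels are constructed for the example (`xn--pypal-4ve` decodes to "paypal" with a Cyrillic "а" in the second position, `xn--80ak6aa92e` to an all-Cyrillic "аррӏе").

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Punycode parameters (RFC 3492, section 5). */
#define PC_BASE 36
#define PC_TMIN 1
#define PC_TMAX 26
#define PC_SKEW 38
#define PC_DAMP 700
#define PC_INITIAL_BIAS 72
#define PC_INITIAL_N 128

/* Hypothetical classification, not an nDPI risk. */
typedef enum {
  LABEL_ASCII = 0,             /* no xn-- prefix, or decodes to plain ASCII */
  LABEL_CYRILLIC,              /* every letter Cyrillic: normal for .ru / .рф names */
  LABEL_MIXED_LATIN_CYRILLIC,  /* Latin and Cyrillic in one label: homograph signal */
  LABEL_OTHER_NONASCII,        /* non-ASCII outside the Cyrillic blocks */
  LABEL_MALFORMED              /* xn-- prefix but invalid punycode */
} label_script_t;

static int pc_digit(char c)
{
  if (c >= '0' && c <= '9') return c - '0' + 26;
  if (c >= 'a' && c <= 'z') return c - 'a';
  if (c >= 'A' && c <= 'Z') return c - 'A';
  return -1;
}

static uint32_t pc_adapt(uint32_t delta, uint32_t numpoints, int firsttime)
{
  uint32_t k = 0;
  delta = firsttime ? delta / PC_DAMP : delta / 2;
  delta += delta / numpoints;
  for (; delta > ((PC_BASE - PC_TMIN) * PC_TMAX) / 2; k += PC_BASE)
    delta /= PC_BASE - PC_TMIN;
  return k + (PC_BASE - PC_TMIN + 1) * delta / (delta + PC_SKEW);
}

/* Decode the part of a label after "xn--" into code points.
   Returns the number of code points, or -1 on malformed input or overflow. */
int punycode_decode(const char *in, size_t inlen, uint32_t *out, size_t outcap)
{
  uint32_t n = PC_INITIAL_N, bias = PC_INITIAL_BIAS, i = 0;
  size_t outlen = 0, b = 0, j, start = 0;
  int has_delim = 0;

  /* Basic (ASCII) code points precede the last '-' and are copied verbatim. */
  for (j = 0; j < inlen; j++)
    if (in[j] == '-') { b = j; has_delim = 1; }
  if (has_delim) {
    if (b > outcap) return -1;
    for (j = 0; j < b; j++) {
      if ((unsigned char)in[j] >= 0x80) return -1;
      out[outlen++] = (unsigned char)in[j];
    }
    start = b + 1;
  }

  for (j = start; j < inlen; ) {
    uint32_t oldi = i, w = 1, k;
    for (k = PC_BASE; ; k += PC_BASE) {           /* variable-length integer */
      int digit;
      uint32_t t;
      if (j >= inlen) return -1;
      digit = pc_digit(in[j++]);
      if (digit < 0 || (uint32_t)digit > (UINT32_MAX - i) / w) return -1;
      i += (uint32_t)digit * w;
      t = k <= bias ? PC_TMIN : k >= bias + PC_TMAX ? PC_TMAX : k - bias;
      if ((uint32_t)digit < t) break;
      if (w > UINT32_MAX / (PC_BASE - t)) return -1;
      w *= PC_BASE - t;
    }
    bias = pc_adapt(i - oldi, (uint32_t)outlen + 1, oldi == 0);
    if (i / ((uint32_t)outlen + 1) > UINT32_MAX - n) return -1;
    n += i / ((uint32_t)outlen + 1);
    i %= (uint32_t)outlen + 1;
    if (n < 0x80 || outlen >= outcap) return -1;  /* basic cp encoded as non-basic */
    memmove(out + i + 1, out + i, (outlen - i) * sizeof *out);
    out[i++] = n;
    outlen++;
  }
  return (int)outlen;
}

/* Cyrillic (U+0400-U+04FF) and Cyrillic Supplement (U+0500-U+052F). */
static int is_cyrillic(uint32_t cp) { return cp >= 0x0400 && cp <= 0x052F; }
static int is_latin_letter(uint32_t cp) { return (cp | 0x20) >= 'a' && (cp | 0x20) <= 'z'; }

label_script_t classify_idn_label(const char *label)
{
  uint32_t cps[64];                             /* a DNS label is at most 63 octets */
  int ncp, k, latin = 0, cyr = 0, other = 0;
  size_t len = strlen(label);

  if (len < 4 || (label[0] | 0x20) != 'x' || (label[1] | 0x20) != 'n' ||
      label[2] != '-' || label[3] != '-')
    return LABEL_ASCII;
  ncp = punycode_decode(label + 4, len - 4, cps, sizeof cps / sizeof *cps);
  if (ncp < 0) return LABEL_MALFORMED;
  for (k = 0; k < ncp; k++) {
    if (is_latin_letter(cps[k])) latin++;
    else if (is_cyrillic(cps[k])) cyr++;
    else if (cps[k] >= 0x80) other++;
  }
  if (cyr && latin) return LABEL_MIXED_LATIN_CYRILLIC;
  if (cyr) return LABEL_CYRILLIC;
  return other ? LABEL_OTHER_NONASCII : LABEL_ASCII;
}

int main(void)
{
  /* Constructed sample labels, not captured traffic. */
  static const char *samples[] = { "paypal", "xn--pypal-4ve", "xn--80ak6aa92e", "xn--!!" };
  static const char *names[] = { "ascii", "cyrillic only", "MIXED latin+cyrillic",
                                 "other non-ascii", "malformed" };
  size_t i;
  for (i = 0; i < sizeof samples / sizeof *samples; i++)
    printf("%-16s %s\n", samples[i], names[classify_idn_label(samples[i])]);
  return 0;
}
```

Two practical caveats. First, run the check per label (split the Host / SNI on dots), since a mixed-script signal in one label is meaningful while Cyrillic in one label and Latin in the TLD is the normal shape of a `.com` IDN. Second, the all-Cyrillic "аррӏе" case above classifies as LABEL_CYRILLIC, exactly like a legitimate Russian domain: a block-range check cannot tell a whole-script confusable from honest use of the script. Catching that class needs a confusable-skeleton comparison (Unicode TS #39 style) against known Latin brand names, which is a separate and heavier feature than the range match requested here.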

@utoni @lucaderi can you please comment on this?

subhajit-cdot avatar Apr 19 '24 02:04 subhajit-cdot

Sure, it is possible. But without a pcap, someone needs to forge and record some traffic.

utoni avatar Apr 19 '24 07:04 utoni