ntop / nDPI

Open Source Deep Packet Inspection Software Toolkit
http://www.ntop.org
GNU Lesser General Public License v3.0

HTTP dissector enhancement for DWORD and hex formatted url #1210

Open subhajit-cdot opened 3 years ago

subhajit-cdot commented 3 years ago

Is it possible to set risk for DWORD and hex formatted url in http dissector similar to NDPI_HTTP_NUMERIC_IP_HOST?

lucaderi commented 3 years ago

Sure: can you please attach a pcap for testing?

IvanNardi commented 2 years ago

@subhajit-cdot , ping...

subhajit-cdot commented 2 years ago

Hi, I don't have a pcap for testing, but you can refer to the link below for the implementation.

link

IvanNardi commented 2 years ago

Thanks for the link

subhajit-cdot commented 5 months ago

Hi @IvanNardi, I am not sure if this activity has been taken up already; I want to add a few more points related to the above. In nDPI we already have PUNYCODE checking hooks available, but they only check for xn--. However, in IDN homograph / script spoofing attacks (IDN homograph attack, punycode info), Cyrillic/Latin spoofing is most commonly used. So it would be good if nDPI added this detection based on string or Unicode range matching (Cyrillic: U+0400–U+04FF, 256 characters. Cyrillic Supplement: U+0500–U+052F, 48 characters.)

Thanks Subhajit
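The two checks requested in this thread (a DWORD or hex-formatted host, as in the existing NDPI_HTTP_NUMERIC_IP_HOST risk, and Cyrillic code points in a hostname) written out as an added, self-contained C example; this is not nDPI's code, and the `host_risk` bits and `classify_host` name are constructed for illustration. It assumes the Host value has already been punycode-decoded to UTF-8.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Risk bits: constructed for this example, not nDPI's own risk enum. */
enum host_risk { HOST_OK = 0, HOST_DWORD_IP = 1, HOST_HEX_IP = 2, HOST_CYRILLIC = 4 };
/* 1 if host is a bare decimal number fitting 32 bits ("DWORD" URL, e.g. 3232235777). */
static int is_dword_host(const char *host) {
  size_t n = strlen(host);
  if (n == 0 || n > 10) return 0;
  for (size_t i = 0; i < n; i++) if (!isdigit((unsigned char)host[i])) return 0;
  return strtoull(host, NULL, 10) <= 0xFFFFFFFFULL;
}
/* 1 if host is a 0x-prefixed hex literal of at most 8 digits (e.g. 0xC0A80001). */
static int is_hex_host(const char *host) {
  if (strncmp(host, "0x", 2) != 0 && strncmp(host, "0X", 2) != 0) return 0;
  const char *p = host + 2;
  size_t n = strlen(p);
  if (n == 0 || n > 8) return 0;
  for (size_t i = 0; i < n; i++) if (!isxdigit((unsigned char)p[i])) return 0;
  return 1;
}
/* Decodes UTF-8; 1 if any code point is Cyrillic (U+0400-U+04FF) or Cyrillic
   Supplement (U+0500-U+052F). A malformed sequence ends the scan (no over-read). */
static int has_cyrillic(const char *host) {
  const unsigned char *s = (const unsigned char *)host;
  while (*s) {
    uint32_t cp; int len;
    if (*s < 0x80)                { cp = *s;        len = 1; }
    else if ((*s & 0xE0) == 0xC0) { cp = *s & 0x1F; len = 2; }
    else if ((*s & 0xF0) == 0xE0) { cp = *s & 0x0F; len = 3; }
    else if ((*s & 0xF8) == 0xF0) { cp = *s & 0x07; len = 4; }
    else return 0;
    for (int i = 1; i < len; i++) {
      if ((s[i] & 0xC0) != 0x80) return 0; /* also stops at an early NUL */
      cp = (cp << 6) | (s[i] & 0x3F);
    }
    if (cp >= 0x0400 && cp <= 0x052F) return 1;
    s += len;
  }
  return 0;
}
/* Bitmask of risks for one HTTP Host value (punycode already decoded to UTF-8). */
int classify_host(const char *host) {
  int r = HOST_OK;
  if (is_dword_host(host)) r |= HOST_DWORD_IP;
  if (is_hex_host(host))   r |= HOST_HEX_IP;
  if (has_cyrillic(host))  r |= HOST_CYRILLIC;
  return r;
}
```

A dissector would raise the flow risk when `classify_host` returns a non-zero mask; the Cyrillic check is a range match only, so a mixed-script policy (Latin TLD plus Cyrillic label) would sit on top of it.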

subhajit-cdot commented 4 months ago

@utoni @lucaderi can you please comment on this?

utoni commented 4 months ago

Sure, it is possible. But without a pcap, someone needs to forge and record some traffic.