1 /*
2 * directdownloadlink.c
3 *
4 * Copyright (C) 2009-11 - ipoque GmbH
5 * Copyright (C) 2011-21 - ntop.org
6 *
7 * This file is part of nDPI, an open source deep packet inspection
8 * library based on the OpenDPI and PACE technology by ipoque GmbH
9 *
10 * nDPI is free software: you can redistribute it and/or modify
11 * it under the terms of the GNU Lesser General Public License as published by
12 * the Free Software Foundation, either version 3 of the License, or
13 * (at your option) any later version.
14 *
15 * nDPI is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU Lesser General Public License for more details.
19 *
20 * You should have received a copy of the GNU Lesser General Public License
21 * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
22 *
23 */
24
25
26 #include "ndpi_protocol_ids.h"
27
28 #define NDPI_CURRENT_PROTO NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK
29
30 #include "ndpi_api.h"
31
32
33 #ifdef NDPI_DEBUG_DIRECT_DOWNLOAD_LINK
34 //#define NDPI_DEBUG_DIRECT_DOWNLOAD_LINK_NOTHING_FOUND
35 //#define NDPI_DEBUG_DIRECT_DOWNLOAD_LINK_PACKET_TOO_SMALL
36 #define NDPI_DEBUG_DIRECT_DOWNLOAD_LINK_IP
37 #endif
38
ndpi_int_direct_download_link_add_connection(struct ndpi_detection_module_struct * ndpi_struct,struct ndpi_flow_struct * flow)39 static void ndpi_int_direct_download_link_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
40 struct ndpi_flow_struct *flow)
41 {
42 struct ndpi_packet_struct *packet = &flow->packet;
43
44 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK, NDPI_PROTOCOL_UNKNOWN);
45
46 flow->l4.tcp.ddlink_server_direction = packet->packet_direction;
47 }
48
49
50
51 /*
52 return 0 if nothing has been detected
53 return 1 if it is a megaupload packet
54 */
search_ddl_domains(struct ndpi_detection_module_struct * ndpi_struct,struct ndpi_flow_struct * flow)55 u_int8_t search_ddl_domains(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
56 {
57 struct ndpi_packet_struct *packet = &flow->packet;
58 u_int16_t filename_start = 0;
59 u_int16_t i = 1;
60 u_int16_t host_line_len_without_port;
61
62 if (packet->payload_packet_len < 100) {
63 NDPI_LOG_DBG2(ndpi_struct, "DDL: Packet too small\n");
64 goto end_ddl_nothing_found;
65 }
66
67
68
69 if (memcmp(packet->payload, "POST ", 5) == 0) {
70 filename_start = 5; // POST
71 NDPI_LOG_DBG2(ndpi_struct, "DDL: POST FOUND\n");
72 } else if (memcmp(packet->payload, "GET ", 4) == 0) {
73 filename_start = 4; // GET
74 NDPI_LOG_DBG2(ndpi_struct, "DDL: GET FOUND\n");
75 } else {
76 goto end_ddl_nothing_found;
77 }
78 // parse packet
79 ndpi_parse_packet_line_info(ndpi_struct, flow);
80
81 if (packet->host_line.ptr == NULL) {
82 NDPI_LOG_DBG2(ndpi_struct, "DDL: NO HOST FOUND\n");
83 goto end_ddl_nothing_found;
84 }
85
86 NDPI_LOG_DBG2(ndpi_struct, "DDL: Host: found\n");
87
88 if (packet->line[0].len < 9 + filename_start
89 || memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) != 0) {
90 NDPI_LOG_DBG2(ndpi_struct, "DDL: PACKET NOT HTTP CONFORM.\nXXX%.*sXXX\n",
91 8, &packet->line[0].ptr[packet->line[0].len - 9]);
92 goto end_ddl_nothing_found;
93 }
94 // BEGIN OF AUTOMATED CODE GENERATION
95 // first see if we have ':port' at the end of the line
96 host_line_len_without_port = packet->host_line.len;
97 if (host_line_len_without_port >= i && packet->host_line.ptr[host_line_len_without_port - i] >= '0'
98 && packet->host_line.ptr[packet->host_line.len - i] <= '9') {
99 i = 2;
100 while (host_line_len_without_port >= i && packet->host_line.ptr[host_line_len_without_port - i] >= '0'
101 && packet->host_line.ptr[host_line_len_without_port - i] <= '9') {
102 NDPI_LOG_DBG2(ndpi_struct, "DDL: number found\n");
103 i++;
104 }
105 if (host_line_len_without_port >= i && packet->host_line.ptr[host_line_len_without_port - i] == ':') {
106 NDPI_LOG_DBG2(ndpi_struct, "DDL: ':' found\n");
107 host_line_len_without_port = host_line_len_without_port - i;
108 }
109 }
110 // then start automated code generation
111
112 if (host_line_len_without_port >= 0 + 4
113 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 0 - 4], ".com", 4) == 0) {
114 if (host_line_len_without_port >= 4 + 1 && packet->host_line.ptr[host_line_len_without_port - 4 - 1] == 'd') {
115 if (host_line_len_without_port >= 5 + 6 + 1
116 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 6], "4share", 6) == 0
117 && (packet->host_line.ptr[host_line_len_without_port - 5 - 6 - 1] == ' '
118 || packet->host_line.ptr[host_line_len_without_port - 5 - 6 - 1] == '.')) {
119 goto end_ddl_found;
120 }
121 if (host_line_len_without_port >= 5 + 8 + 1
122 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 8], "fileclou", 8) == 0
123 && (packet->host_line.ptr[host_line_len_without_port - 5 - 8 - 1] == ' '
124 || packet->host_line.ptr[host_line_len_without_port - 5 - 8 - 1] == '.')) {
125 goto end_ddl_found;
126 }
127 if (host_line_len_without_port >= 5 + 5
128 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 5], "uploa", 5) == 0) {
129 if (host_line_len_without_port >= 10 + 6 + 1
130 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 10 - 6], "files-", 6) == 0
131 && (packet->host_line.ptr[host_line_len_without_port - 10 - 6 - 1] == ' '
132 || packet->host_line.ptr[host_line_len_without_port - 10 - 6 - 1] == '.')) {
133 goto end_ddl_found;
134 }
135 if (host_line_len_without_port >= 10 + 4 + 1
136 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 10 - 4], "mega", 4) == 0
137 && (packet->host_line.ptr[host_line_len_without_port - 10 - 4 - 1] == ' '
138 || packet->host_line.ptr[host_line_len_without_port - 10 - 4 - 1] == '.')) {
139 goto end_ddl_found;
140 }
141 if (host_line_len_without_port >= 10 + 5 + 1
142 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 10 - 5], "rapid", 5) == 0
143 && (packet->host_line.ptr[host_line_len_without_port - 10 - 5 - 1] == ' '
144 || packet->host_line.ptr[host_line_len_without_port - 10 - 5 - 1] == '.')) {
145 goto end_ddl_found;
146 }
147 if (host_line_len_without_port >= 10 + 5 + 1
148 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 10 - 5], "turbo", 5) == 0
149 && (packet->host_line.ptr[host_line_len_without_port - 10 - 5 - 1] == ' '
150 || packet->host_line.ptr[host_line_len_without_port - 10 - 5 - 1] == '.')) {
151 goto end_ddl_found;
152 }
153 goto end_ddl_nothing_found;
154 }
155 goto end_ddl_nothing_found;
156 }
157 if (host_line_len_without_port >= 4 + 1 && packet->host_line.ptr[host_line_len_without_port - 4 - 1] == 'o') {
158 if (host_line_len_without_port >= 5 + 6 + 1
159 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 6], "badong", 6) == 0
160 && (packet->host_line.ptr[host_line_len_without_port - 5 - 6 - 1] == ' '
161 || packet->host_line.ptr[host_line_len_without_port - 5 - 6 - 1] == '.')) {
162 goto end_ddl_found;
163 }
164 if (host_line_len_without_port >= 5 + 5 + 1
165 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 5], "fileh", 5) == 0
166 && (packet->host_line.ptr[host_line_len_without_port - 5 - 5 - 1] == ' '
167 || packet->host_line.ptr[host_line_len_without_port - 5 - 5 - 1] == '.')) {
168 goto end_ddl_found;
169 }
170 goto end_ddl_nothing_found;
171 }
172 if (host_line_len_without_port >= 4 + 1 && packet->host_line.ptr[host_line_len_without_port - 4 - 1] == 'g') {
173 if (host_line_len_without_port >= 5 + 2
174 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 2], "in", 2) == 0) {
175 if (host_line_len_without_port >= 7 + 4
176 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 7 - 4], "shar", 4) == 0) {
177 if (host_line_len_without_port >= 11 + 4 + 1
178 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 11 - 4], "best", 4) == 0
179 && (packet->host_line.ptr[host_line_len_without_port - 11 - 4 - 1] == ' '
180 || packet->host_line.ptr[host_line_len_without_port - 11 - 4 - 1] == '.')) {
181 goto end_ddl_found;
182 }
183 if (host_line_len_without_port >= 11 + 5 + 1
184 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 11 - 5], "quick", 5) == 0
185 && (packet->host_line.ptr[host_line_len_without_port - 11 - 5 - 1] == ' '
186 || packet->host_line.ptr[host_line_len_without_port - 11 - 5 - 1] == '.')) {
187 goto end_ddl_found;
188 }
189 goto end_ddl_nothing_found;
190 }
191 if (host_line_len_without_port >= 7 + 6 + 1
192 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 7 - 6], "upload", 6) == 0
193 && (packet->host_line.ptr[host_line_len_without_port - 7 - 6 - 1] == ' '
194 || packet->host_line.ptr[host_line_len_without_port - 7 - 6 - 1] == '.')) {
195 goto end_ddl_found;
196 }
197 goto end_ddl_nothing_found;
198 }
199 if (host_line_len_without_port >= 5 + 7 + 1
200 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 7], "sharebi", 7) == 0
201 && (packet->host_line.ptr[host_line_len_without_port - 5 - 7 - 1] == ' '
202 || packet->host_line.ptr[host_line_len_without_port - 5 - 7 - 1] == '.')) {
203 goto end_ddl_found;
204 }
205 goto end_ddl_nothing_found;
206 }
207 if (host_line_len_without_port >= 4 + 8 + 1
208 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 4 - 8], "bigfilez", 8) == 0
209 && (packet->host_line.ptr[host_line_len_without_port - 4 - 8 - 1] == ' '
210 || packet->host_line.ptr[host_line_len_without_port - 4 - 8 - 1] == '.')) {
211 goto end_ddl_found;
212 }
213 if (host_line_len_without_port >= 4 + 1 && packet->host_line.ptr[host_line_len_without_port - 4 - 1] == 'e') {
214 if (host_line_len_without_port >= 5 + 3
215 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 3], "fil", 3) == 0) {
216 if (host_line_len_without_port >= 8 + 2
217 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 8 - 2], "mo", 2) == 0) {
218 if (host_line_len_without_port >= 10 + 5 + 1
219 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 10 - 5], "china", 5) == 0
220 && (packet->host_line.ptr[host_line_len_without_port - 10 - 5 - 1] == ' '
221 || packet->host_line.ptr[host_line_len_without_port - 10 - 5 - 1] == '.')) {
222 goto end_ddl_found;
223 }
224 if (host_line_len_without_port >= 8 + 2 + 1
225 && (packet->host_line.ptr[host_line_len_without_port - 8 - 2 - 1] == ' '
226 || packet->host_line.ptr[host_line_len_without_port - 8 - 2 - 1] == '.')) {
227 goto end_ddl_found;
228 }
229 }
230 if (host_line_len_without_port >= 8 + 3 + 1
231 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 8 - 3], "hot", 3) == 0
232 && (packet->host_line.ptr[host_line_len_without_port - 8 - 3 - 1] == ' '
233 || packet->host_line.ptr[host_line_len_without_port - 8 - 3 - 1] == '.')) {
234 goto end_ddl_found;
235 }
236 if (host_line_len_without_port >= 8 + 6 + 1
237 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 8 - 6], "keepmy", 6) == 0
238 && (packet->host_line.ptr[host_line_len_without_port - 8 - 6 - 1] == ' '
239 || packet->host_line.ptr[host_line_len_without_port - 8 - 6 - 1] == '.')) {
240 goto end_ddl_found;
241 }
242 if (host_line_len_without_port >= 8 + 1
243 && packet->host_line.ptr[host_line_len_without_port - 8 - 1] == 'e') {
244 if (host_line_len_without_port >= 9 + 3 + 1
245 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 9 - 3], "sav", 3) == 0
246 && (packet->host_line.ptr[host_line_len_without_port - 9 - 3 - 1] == ' '
247 || packet->host_line.ptr[host_line_len_without_port - 9 - 3 - 1] == '.')) {
248 goto end_ddl_found;
249 }
250 if (host_line_len_without_port >= 9 + 5 + 1
251 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 9 - 5], "sendm", 5) == 0
252 && (packet->host_line.ptr[host_line_len_without_port - 9 - 5 - 1] == ' '
253 || packet->host_line.ptr[host_line_len_without_port - 9 - 5 - 1] == '.')) {
254 goto end_ddl_found;
255 }
256 goto end_ddl_nothing_found;
257 }
258 if (host_line_len_without_port >= 8 + 8 + 1
259 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 8 - 8], "sharebig", 8) == 0
260 && (packet->host_line.ptr[host_line_len_without_port - 8 - 8 - 1] == ' '
261 || packet->host_line.ptr[host_line_len_without_port - 8 - 8 - 1] == '.')) {
262 goto end_ddl_found;
263 }
264 if (host_line_len_without_port >= 8 + 3 + 1
265 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 8 - 3], "up-", 3) == 0
266 && (packet->host_line.ptr[host_line_len_without_port - 8 - 3 - 1] == ' '
267 || packet->host_line.ptr[host_line_len_without_port - 8 - 3 - 1] == '.')) {
268 goto end_ddl_found;
269 }
270 goto end_ddl_nothing_found;
271 }
272 if (host_line_len_without_port >= 5 + 1 && packet->host_line.ptr[host_line_len_without_port - 5 - 1] == 'r') {
273 if (host_line_len_without_port >= 6 + 3
274 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 6 - 3], "sha", 3) == 0) {
275 if (host_line_len_without_port >= 9 + 1
276 && packet->host_line.ptr[host_line_len_without_port - 9 - 1] == '-') {
277 if (host_line_len_without_port >= 10 + 4 + 1
278 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 10 - 4], "easy",
279 4) == 0 && (packet->host_line.ptr[host_line_len_without_port - 10 - 4 - 1] == ' '
280 || packet->host_line.ptr[host_line_len_without_port - 10 - 4 - 1] ==
281 '.')) {
282 goto end_ddl_found;
283 }
284 if (host_line_len_without_port >= 10 + 4 + 1
285 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 10 - 4], "fast",
286 4) == 0 && (packet->host_line.ptr[host_line_len_without_port - 10 - 4 - 1] == ' '
287 || packet->host_line.ptr[host_line_len_without_port - 10 - 4 - 1] ==
288 '.')) {
289 goto end_ddl_found;
290 }
291 if (host_line_len_without_port >= 10 + 4 + 1
292 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 10 - 4], "live",
293 4) == 0 && (packet->host_line.ptr[host_line_len_without_port - 10 - 4 - 1] == ' '
294 || packet->host_line.ptr[host_line_len_without_port - 10 - 4 - 1] ==
295 '.')) {
296 goto end_ddl_found;
297 }
298 goto end_ddl_nothing_found;
299 }
300 if (host_line_len_without_port >= 9 + 4 + 1
301 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 9 - 4], "ftp2", 4) == 0
302 && (packet->host_line.ptr[host_line_len_without_port - 9 - 4 - 1] == ' '
303 || packet->host_line.ptr[host_line_len_without_port - 9 - 4 - 1] == '.')) {
304 goto end_ddl_found;
305 }
306 if (host_line_len_without_port >= 9 + 4 + 1
307 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 9 - 4], "gige", 4) == 0
308 && (packet->host_line.ptr[host_line_len_without_port - 9 - 4 - 1] == ' '
309 || packet->host_line.ptr[host_line_len_without_port - 9 - 4 - 1] == '.')) {
310 goto end_ddl_found;
311 }
312 if (host_line_len_without_port >= 9 + 4 + 1
313 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 9 - 4], "mega", 4) == 0
314 && (packet->host_line.ptr[host_line_len_without_port - 9 - 4 - 1] == ' '
315 || packet->host_line.ptr[host_line_len_without_port - 9 - 4 - 1] == '.')) {
316 goto end_ddl_found;
317 }
318 if (host_line_len_without_port >= 9 + 5 + 1
319 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 9 - 5], "rapid", 5) == 0
320 && (packet->host_line.ptr[host_line_len_without_port - 9 - 5 - 1] == ' '
321 || packet->host_line.ptr[host_line_len_without_port - 9 - 5 - 1] == '.')) {
322 goto end_ddl_found;
323 }
324 goto end_ddl_nothing_found;
325 }
326 if (host_line_len_without_port >= 6 + 7 + 1
327 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 6 - 7], "mediafi", 7) == 0
328 && (packet->host_line.ptr[host_line_len_without_port - 6 - 7 - 1] == ' '
329 || packet->host_line.ptr[host_line_len_without_port - 6 - 7 - 1] == '.')) {
330 goto end_ddl_found;
331 }
332 goto end_ddl_nothing_found;
333 }
334 if (host_line_len_without_port >= 5 + 7 + 1
335 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 7], "gigasiz", 7) == 0
336 && (packet->host_line.ptr[host_line_len_without_port - 5 - 7 - 1] == ' '
337 || packet->host_line.ptr[host_line_len_without_port - 5 - 7 - 1] == '.')) {
338 goto end_ddl_found;
339 }
340 if (host_line_len_without_port >= 5 + 8 + 1
341 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 8], "sendspac", 8) == 0
342 && (packet->host_line.ptr[host_line_len_without_port - 5 - 8 - 1] == ' '
343 || packet->host_line.ptr[host_line_len_without_port - 5 - 8 - 1] == '.')) {
344 goto end_ddl_found;
345 }
346 if (host_line_len_without_port >= 5 + 7 + 1
347 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 7], "sharebe", 7) == 0
348 && (packet->host_line.ptr[host_line_len_without_port - 5 - 7 - 1] == ' '
349 || packet->host_line.ptr[host_line_len_without_port - 5 - 7 - 1] == '.')) {
350 goto end_ddl_found;
351 }
352 if (host_line_len_without_port >= 5 + 11 + 1
353 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 11], "sharebigfli", 11) == 0
354 && (packet->host_line.ptr[host_line_len_without_port - 5 - 11 - 1] == ' '
355 || packet->host_line.ptr[host_line_len_without_port - 5 - 11 - 1] == '.')) {
356 goto end_ddl_found;
357 }
358 if (host_line_len_without_port >= 5 + 8 + 1
359 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 8], "fileserv", 8) == 0
360 && (packet->host_line.ptr[host_line_len_without_port - 5 - 8 - 1] == ' '
361 || packet->host_line.ptr[host_line_len_without_port - 5 - 8 - 1] == '.')) {
362 goto end_ddl_found;
363 }
364 goto end_ddl_nothing_found;
365 }
366 if (host_line_len_without_port >= 4 + 1 && packet->host_line.ptr[host_line_len_without_port - 4 - 1] == 's') {
367 if (host_line_len_without_port >= 5 + 1 && packet->host_line.ptr[host_line_len_without_port - 5 - 1] == 'e') {
368 if (host_line_len_without_port >= 6 + 10 + 1
369 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 6 - 10], "depositfil",
370 10) == 0 && (packet->host_line.ptr[host_line_len_without_port - 6 - 10 - 1] == ' '
371 || packet->host_line.ptr[host_line_len_without_port - 6 - 10 - 1] == '.')) {
372 goto end_ddl_found;
373 }
374 if (host_line_len_without_port >= 6 + 8 + 1
375 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 6 - 8], "megashar", 8) == 0
376 && (packet->host_line.ptr[host_line_len_without_port - 6 - 8 - 1] == ' '
377 || packet->host_line.ptr[host_line_len_without_port - 6 - 8 - 1] == '.')) {
378 goto end_ddl_found;
379 }
380 goto end_ddl_nothing_found;
381 }
382 if (host_line_len_without_port >= 5 + 10 + 1
383 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 10], "fileupyour", 10) == 0
384 && (packet->host_line.ptr[host_line_len_without_port - 5 - 10 - 1] == ' '
385 || packet->host_line.ptr[host_line_len_without_port - 5 - 10 - 1] == '.')) {
386 goto end_ddl_found;
387 }
388 goto end_ddl_nothing_found;
389 }
390 if (host_line_len_without_port >= 4 + 11 + 1
391 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 4 - 11], "filefactory", 11) == 0
392 && (packet->host_line.ptr[host_line_len_without_port - 4 - 11 - 1] == ' '
393 || packet->host_line.ptr[host_line_len_without_port - 4 - 11 - 1] == '.')) {
394 goto end_ddl_found;
395 }
396 if (host_line_len_without_port >= 4 + 1 && packet->host_line.ptr[host_line_len_without_port - 4 - 1] == 't') {
397 if (host_line_len_without_port >= 5 + 8 + 1
398 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 8], "filefron", 8) == 0
399 && (packet->host_line.ptr[host_line_len_without_port - 5 - 8 - 1] == ' '
400 || packet->host_line.ptr[host_line_len_without_port - 5 - 8 - 1] == '.')) {
401 goto end_ddl_found;
402 }
403 if (host_line_len_without_port >= 5 + 10 + 1
404 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 10], "uploadingi", 10) == 0
405 && (packet->host_line.ptr[host_line_len_without_port - 5 - 10 - 1] == ' '
406 || packet->host_line.ptr[host_line_len_without_port - 5 - 10 - 1] == '.')) {
407 goto end_ddl_found;
408 }
409 if (host_line_len_without_port >= 5 + 11 + 1
410 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 11], "yourfilehos", 11) == 0
411 && (packet->host_line.ptr[host_line_len_without_port - 5 - 11 - 1] == ' '
412 || packet->host_line.ptr[host_line_len_without_port - 5 - 11 - 1] == '.')) {
413 goto end_ddl_found;
414 }
415 goto end_ddl_nothing_found;
416 }
417 if (host_line_len_without_port >= 4 + 1 && packet->host_line.ptr[host_line_len_without_port - 4 - 1] == 'r') {
418 if (host_line_len_without_port >= 5 + 8 + 1
419 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 8], "mytempdi", 8) == 0
420 && (packet->host_line.ptr[host_line_len_without_port - 5 - 8 - 1] == ' '
421 || packet->host_line.ptr[host_line_len_without_port - 5 - 8 - 1] == '.')) {
422 goto end_ddl_found;
423 }
424 if (host_line_len_without_port >= 5 + 10 + 1
425 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 10], "uploadpowe", 10) == 0
426 && (packet->host_line.ptr[host_line_len_without_port - 5 - 10 - 1] == ' '
427 || packet->host_line.ptr[host_line_len_without_port - 5 - 10 - 1] == '.')) {
428 goto end_ddl_found;
429 }
430 goto end_ddl_nothing_found;
431 }
432 if (host_line_len_without_port >= 4 + 9 + 1
433 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 4 - 9], "mega.1280", 9) == 0
434 && (packet->host_line.ptr[host_line_len_without_port - 4 - 9 - 1] == ' '
435 || packet->host_line.ptr[host_line_len_without_port - 4 - 9 - 1] == '.')) {
436 goto end_ddl_found;
437 }
438 if (host_line_len_without_port >= 4 + 9 + 1
439 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 4 - 9], "filesonic", 9) == 0
440 && (packet->host_line.ptr[host_line_len_without_port - 4 - 9 - 1] == ' '
441 || packet->host_line.ptr[host_line_len_without_port - 4 - 9 - 1] == '.')) {
442 goto end_ddl_found;
443 }
444 goto end_ddl_nothing_found;
445 }
446 if (host_line_len_without_port >= 0 + 4
447 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 0 - 4], ".net", 4) == 0) {
448 if (host_line_len_without_port >= 4 + 7 + 1
449 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 4 - 7], "badongo", 7) == 0
450 && (packet->host_line.ptr[host_line_len_without_port - 4 - 7 - 1] == ' '
451 || packet->host_line.ptr[host_line_len_without_port - 4 - 7 - 1] == '.')) {
452 goto end_ddl_found;
453 }
454 if (host_line_len_without_port >= 4 + 1 && packet->host_line.ptr[host_line_len_without_port - 4 - 1] == 'd') {
455 if (host_line_len_without_port >= 5 + 3
456 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 3], "loa", 3) == 0) {
457 if (host_line_len_without_port >= 8 + 5 + 1
458 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 8 - 5], "fast-", 5) == 0
459 && (packet->host_line.ptr[host_line_len_without_port - 8 - 5 - 1] == ' '
460 || packet->host_line.ptr[host_line_len_without_port - 8 - 5 - 1] == '.')) {
461 goto end_ddl_found;
462 }
463 if (host_line_len_without_port >= 8 + 2
464 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 8 - 2], "up", 2) == 0) {
465 if (host_line_len_without_port >= 10 + 5 + 1
466 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 10 - 5], "file-", 5) == 0
467 && (packet->host_line.ptr[host_line_len_without_port - 10 - 5 - 1] == ' '
468 || packet->host_line.ptr[host_line_len_without_port - 10 - 5 - 1] == '.')) {
469 goto end_ddl_found;
470 }
471 if (host_line_len_without_port >= 10 + 6 + 1
472 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 10 - 6], "simple",
473 6) == 0 && (packet->host_line.ptr[host_line_len_without_port - 10 - 6 - 1] == ' '
474 || packet->host_line.ptr[host_line_len_without_port - 10 - 6 - 1] ==
475 '.')) {
476 goto end_ddl_found;
477 }
478 if (host_line_len_without_port >= 10 + 3 + 1
479 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 10 - 3], "wii", 3) == 0
480 && (packet->host_line.ptr[host_line_len_without_port - 10 - 3 - 1] == ' '
481 || packet->host_line.ptr[host_line_len_without_port - 10 - 3 - 1] == '.')) {
482 goto end_ddl_found;
483 }
484 goto end_ddl_nothing_found;
485 }
486 goto end_ddl_nothing_found;
487 }
488 if (host_line_len_without_port >= 5 + 7 + 1
489 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 7], "filesen", 7) == 0
490 && (packet->host_line.ptr[host_line_len_without_port - 5 - 7 - 1] == ' '
491 || packet->host_line.ptr[host_line_len_without_port - 5 - 7 - 1] == '.')) {
492 goto end_ddl_found;
493 }
494 goto end_ddl_nothing_found;
495 }
496 if (host_line_len_without_port >= 4 + 5 + 1
497 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 4 - 5], "filer", 5) == 0
498 && (packet->host_line.ptr[host_line_len_without_port - 4 - 5 - 1] == ' '
499 || packet->host_line.ptr[host_line_len_without_port - 4 - 5 - 1] == '.')) {
500 goto end_ddl_found;
501 }
502 if (host_line_len_without_port >= 4 + 9 + 1
503 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 4 - 9], "livedepot", 9) == 0
504 && (packet->host_line.ptr[host_line_len_without_port - 4 - 9 - 1] == ' '
505 || packet->host_line.ptr[host_line_len_without_port - 4 - 9 - 1] == '.')) {
506 goto end_ddl_found;
507 }
508 if (host_line_len_without_port >= 4 + 1 && packet->host_line.ptr[host_line_len_without_port - 4 - 1] == 'e') {
509 if (host_line_len_without_port >= 5 + 5 + 1
510 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 5], "mofil", 5) == 0
511 && (packet->host_line.ptr[host_line_len_without_port - 5 - 5 - 1] == ' '
512 || packet->host_line.ptr[host_line_len_without_port - 5 - 5 - 1] == '.')) {
513 goto end_ddl_found;
514 }
515 if (host_line_len_without_port >= 5 + 17 + 1
516 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 17], "odsiebie.najlepsz",
517 17) == 0 && (packet->host_line.ptr[host_line_len_without_port - 5 - 17 - 1] == ' '
518 || packet->host_line.ptr[host_line_len_without_port - 5 - 17 - 1] == '.')) {
519 goto end_ddl_found;
520 }
521 if (host_line_len_without_port >= 5 + 5 + 1
522 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 5], "zshar", 5) == 0
523 && (packet->host_line.ptr[host_line_len_without_port - 5 - 5 - 1] == ' '
524 || packet->host_line.ptr[host_line_len_without_port - 5 - 5 - 1] == '.')) {
525 goto end_ddl_found;
526 }
527 goto end_ddl_nothing_found;
528 }
529 goto end_ddl_nothing_found;
530 }
531 if (host_line_len_without_port >= 0 + 1 && packet->host_line.ptr[host_line_len_without_port - 0 - 1] == 'u') {
532 if (host_line_len_without_port >= 1 + 6 + 1
533 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 1 - 6], "data.h", 6) == 0
534 && (packet->host_line.ptr[host_line_len_without_port - 1 - 6 - 1] == ' '
535 || packet->host_line.ptr[host_line_len_without_port - 1 - 6 - 1] == '.')) {
536 goto end_ddl_found;
537 }
538 if (host_line_len_without_port >= 1 + 2
539 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 1 - 2], ".r", 2) == 0) {
540 if (host_line_len_without_port >= 3 + 10 + 1
541 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 3 - 10], "filearchiv", 10) == 0
542 && (packet->host_line.ptr[host_line_len_without_port - 3 - 10 - 1] == ' '
543 || packet->host_line.ptr[host_line_len_without_port - 3 - 10 - 1] == '.')) {
544 goto end_ddl_found;
545 }
546 if (host_line_len_without_port >= 3 + 8 + 1
547 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 3 - 8], "filepost", 8) == 0
548 && (packet->host_line.ptr[host_line_len_without_port - 3 - 8 - 1] == ' '
549 || packet->host_line.ptr[host_line_len_without_port - 3 - 8 - 1] == '.')) {
550 goto end_ddl_found;
551 }
552 if (host_line_len_without_port >= 3 + 7 + 1
553 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 3 - 7], "ifolder", 7) == 0
554 && (packet->host_line.ptr[host_line_len_without_port - 3 - 7 - 1] == ' '
555 || packet->host_line.ptr[host_line_len_without_port - 3 - 7 - 1] == '.')) {
556 goto end_ddl_found;
557 }
558 goto end_ddl_nothing_found;
559 }
560 goto end_ddl_nothing_found;
561 }
562 if (host_line_len_without_port >= 0 + 11 + 1
563 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 0 - 11], "filehost.tv", 11) == 0
564 && (packet->host_line.ptr[host_line_len_without_port - 0 - 11 - 1] == ' '
565 || packet->host_line.ptr[host_line_len_without_port - 0 - 11 - 1] == '.')) {
566 goto end_ddl_found;
567 }
568 if (host_line_len_without_port >= 0 + 3
569 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 0 - 3], ".to", 3) == 0) {
570 if (host_line_len_without_port >= 3 + 1 && packet->host_line.ptr[host_line_len_without_port - 3 - 1] == 'e') {
571 if (host_line_len_without_port >= 4 + 7 + 1
572 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 4 - 7], "filesaf", 7) == 0
573 && (packet->host_line.ptr[host_line_len_without_port - 4 - 7 - 1] == ' '
574 || packet->host_line.ptr[host_line_len_without_port - 4 - 7 - 1] == '.')) {
575 goto end_ddl_found;
576 }
577 if (host_line_len_without_port >= 4 + 8 + 1
578 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 4 - 8], "sharebas", 8) == 0
579 && (packet->host_line.ptr[host_line_len_without_port - 4 - 8 - 1] == ' '
580 || packet->host_line.ptr[host_line_len_without_port - 4 - 8 - 1] == '.')) {
581 goto end_ddl_found;
582 }
583 goto end_ddl_nothing_found;
584 }
585 if (host_line_len_without_port >= 3 + 5 + 1
586 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 3 - 5], "files", 5) == 0
587 && (packet->host_line.ptr[host_line_len_without_port - 3 - 5 - 1] == ' '
588 || packet->host_line.ptr[host_line_len_without_port - 3 - 5 - 1] == '.')) {
589 goto end_ddl_found;
590 }
591 if (host_line_len_without_port >= 3 + 1 && packet->host_line.ptr[host_line_len_without_port - 3 - 1] == 'd') {
592 if (host_line_len_without_port >= 4 + 3
593 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 4 - 3], "loa", 3) == 0) {
594 if (host_line_len_without_port >= 7 + 7 + 1
595 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 7 - 7], "file-up", 7) == 0
596 && (packet->host_line.ptr[host_line_len_without_port - 7 - 7 - 1] == ' '
597 || packet->host_line.ptr[host_line_len_without_port - 7 - 7 - 1] == '.')) {
598 goto end_ddl_found;
599 }
600 if (host_line_len_without_port >= 4 + 3 + 1
601 && (packet->host_line.ptr[host_line_len_without_port - 4 - 3 - 1] == ' '
602 || packet->host_line.ptr[host_line_len_without_port - 4 - 3 - 1] == '.')) {
603 goto end_ddl_found;
604 }
605 }
606 if (host_line_len_without_port >= 4 + 7 + 1
607 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 4 - 7], "uploade", 7) == 0
608 && (packet->host_line.ptr[host_line_len_without_port - 4 - 7 - 1] == ' '
609 || packet->host_line.ptr[host_line_len_without_port - 4 - 7 - 1] == '.')) {
610 goto end_ddl_found;
611 }
612 goto end_ddl_nothing_found;
613 }
614 goto end_ddl_nothing_found;
615 }
616 if (host_line_len_without_port >= 0 + 1 && packet->host_line.ptr[host_line_len_without_port - 0 - 1] == 'z') {
617 if (host_line_len_without_port >= 1 + 14 + 1
618 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 1 - 14], "leteckaposta.c", 14) == 0
619 && (packet->host_line.ptr[host_line_len_without_port - 1 - 14 - 1] == ' '
620 || packet->host_line.ptr[host_line_len_without_port - 1 - 14 - 1] == '.')) {
621 goto end_ddl_found;
622 }
623 if (host_line_len_without_port >= 1 + 12 + 1
624 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 1 - 12], "yourfiles.bi", 12) == 0
625 && (packet->host_line.ptr[host_line_len_without_port - 1 - 12 - 1] == ' '
626 || packet->host_line.ptr[host_line_len_without_port - 1 - 12 - 1] == '.')) {
627 goto end_ddl_found;
628 }
629 goto end_ddl_nothing_found;
630 }
631 if (host_line_len_without_port >= 0 + 1 && packet->host_line.ptr[host_line_len_without_port - 0 - 1] == 'n') {
632 if (host_line_len_without_port >= 1 + 9 + 1
633 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 1 - 9], "netload.i", 9) == 0
634 && (packet->host_line.ptr[host_line_len_without_port - 1 - 9 - 1] == ' '
635 || packet->host_line.ptr[host_line_len_without_port - 1 - 9 - 1] == '.')) {
636 goto end_ddl_found;
637 }
638 if (host_line_len_without_port >= 1 + 2
639 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 1 - 2], ".v", 2) == 0) {
640 if (host_line_len_without_port >= 3 + 7 + 1
641 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 3 - 7], "4shared", 7) == 0
642 && (packet->host_line.ptr[host_line_len_without_port - 3 - 7 - 1] == ' '
643 || packet->host_line.ptr[host_line_len_without_port - 3 - 7 - 1] == '.')) {
644 goto end_ddl_found;
645 }
646 if (host_line_len_without_port >= 3 + 9 + 1
647 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 3 - 9], "megashare", 9) == 0
648 && (packet->host_line.ptr[host_line_len_without_port - 3 - 9 - 1] == ' '
649 || packet->host_line.ptr[host_line_len_without_port - 3 - 9 - 1] == '.')) {
650 goto end_ddl_found;
651 }
652 goto end_ddl_nothing_found;
653 }
654 goto end_ddl_nothing_found;
655 }
656 if (host_line_len_without_port >= 0 + 3
657 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 0 - 3], ".de", 3) == 0) {
658 if (host_line_len_without_port >= 3 + 5
659 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 3 - 5], "share", 5) == 0) {
660 if (host_line_len_without_port >= 8 + 5 + 1
661 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 8 - 5], "rapid", 5) == 0
662 && (packet->host_line.ptr[host_line_len_without_port - 8 - 5 - 1] == ' '
663 || packet->host_line.ptr[host_line_len_without_port - 8 - 5 - 1] == '.')) {
664 goto end_ddl_found;
665 }
666 if (host_line_len_without_port >= 8 + 5 + 1
667 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 8 - 5], "ultra", 5) == 0
668 && (packet->host_line.ptr[host_line_len_without_port - 8 - 5 - 1] == ' '
669 || packet->host_line.ptr[host_line_len_without_port - 8 - 5 - 1] == '.')) {
670 goto end_ddl_found;
671 }
672 goto end_ddl_nothing_found;
673 }
674 if (host_line_len_without_port >= 3 + 15 + 1
675 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 3 - 15], "uploadyourfiles", 15) == 0
676 && (packet->host_line.ptr[host_line_len_without_port - 3 - 15 - 1] == ' '
677 || packet->host_line.ptr[host_line_len_without_port - 3 - 15 - 1] == '.')) {
678 goto end_ddl_found;
679 }
680 goto end_ddl_nothing_found;
681 }
682 if (host_line_len_without_port >= 0 + 14 + 1
683 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 0 - 14], "speedshare.org", 14) == 0
684 && (packet->host_line.ptr[host_line_len_without_port - 0 - 14 - 1] == ' '
685 || packet->host_line.ptr[host_line_len_without_port - 0 - 14 - 1] == '.')) {
686 goto end_ddl_found;
687 }
688 // END OF AUTOMATED CODE GENERATION
689
690 /* This is the hard way. We do this in order to find the download of services when other
691 domains are involved. This is not significant if ddl is blocked. --> then the link can not be started because
692 the ads are not viewed. But when ddl is only limited then the download is the important part.
693 */
694
695 end_ddl_nothing_found:
696 NDPI_LOG_DBG2(ndpi_struct,
697 "Nothing Found\n");
698 return 0;
699
700 end_ddl_found:
701 NDPI_LOG_INFO(ndpi_struct, "found DIRECT DOWNLOAD LINK\n");
702 ndpi_int_direct_download_link_add_connection(ndpi_struct, flow);
703 return 1;
704 }
705
706
ndpi_search_direct_download_link_tcp(struct ndpi_detection_module_struct * ndpi_struct,struct ndpi_flow_struct * flow)707 void ndpi_search_direct_download_link_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
708 {
709 struct ndpi_packet_struct *packet = &flow->packet;
710
711 /* do not detect again if it is already ddl */
712 if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK) {
713 if (search_ddl_domains(ndpi_struct, flow) != 0) {
714 return;
715 }
716 NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
717 }
718
719 }
720
init_directdownloadlink_dissector(struct ndpi_detection_module_struct * ndpi_struct,u_int32_t * id,NDPI_PROTOCOL_BITMASK * detection_bitmask)721 void init_directdownloadlink_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
722 {
723 ndpi_set_bitmask_protocol_detection("Direct_Download_Link", ndpi_struct, detection_bitmask, *id,
724 NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK,
725 ndpi_search_direct_download_link_tcp,
726 NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
727 SAVE_DETECTION_BITMASK_AS_UNKNOWN,
728 ADD_TO_DETECTION_BITMASK);
729
730 *id += 1;
731 }
732
733