Dear Sir, I am writing to thank you for your letter and say,
On Mon, Jan 05, 2004 at 07:25:27AM -0600, Burton M. Strauss III wrote:
> Yup. It seems that ntop is somehow seeing the http:// as part of the
> request - normally I thought that gets stripped off and only the uri portion
> (e.g. tssyd:3000/ is what is seen by checkURLsecurity.
>
> In http.c, there's a setting for HTTP_DEBUG - enable it in globals-define.h
> and look for lines like this:
>
> Jan 5 07:11:14 tigger ntop[10168]: HTTP/I18N_DEBUG: Requested URL =
> '/functions.js', length = -1 [MSGID0630432]
> Jan 5 07:11:14 tigger ntop[10168]: HTTP/I18N_DEBUG: User-Agent =
> 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)'
> [MSGID1022638]
> Jan 5 07:11:14 tigger ntop[10168]: I18N_DEBUG: Accept-Language =
> 'en-us,en;q=0.5' [MSGID8772014]
> 07:11:39 tigger [Linux] user=ntop pwd=~ $
>
> in your log - we need to figure out how the request is being packaged into
> the tunnel... and what ntop is seeing.
>
> I've tested my Linux system and I'm NOT seeing the http:// in the tunneled
> request, both -w 3000 and -W 3001. But I'm using a 3rd party ssh, not
> openssh (which version, BTW, is installed on the local host?

Both endpoints of the ssh tunnel (ie origin of the ssh connection and the
ntop host that receives the ssh connection) are FreeBSD 4.9-RELEASE-p1.

Both endpoints use the base OS openssh with version

. ntop host:     OpenSSH_3.5p1 FreeBSD-20030924, SSH protocols 1.5/2.0, OpenSSL 0x0090703f
. tunnel origin: OpenSSH_3.5p1 FreeBSD-20030924, SSH protocols 1.5/2.0, OpenSSL 0x0090703f

(both systems are upgraded the same way by source from the FreeBSD CVS.
Every part of the base should be identical.)

> And what version OS, etc. is that system?)
>
> There's also a DEBUG line around 265 (which you should manually enable by
> just deleting the #ifdef and #endif lines):
>
> #ifdef DEBUG
>     traceEvent(CONST_TRACE_INFO, "DEBUG: read HTTP %s line: %s [%d]",
>                (numLine>1) ? "header" : "request", lineStr, idxChar);
> #endif
>
> Which reports the actual stuff being pulled from the http request headers.
>

Jan 6 09:27:19 tssyd ntop[86886]: THREADMGMT: Started thread (141059072) for network packet sniffing on fxp0
Jan 6 09:27:19 tssyd ntop[86886]: THREADMGMT: rrd thread (137133056) started
Jan 6 09:27:19 tssyd ntop[86886]: THREADMGMT: web connections thread (86886) started...
Jan 6 09:27:19 tssyd ntop[86886]: Note: SIGPIPE handler set (ignore)
Jan 6 09:27:19 tssyd ntop[86886]: THREADMGMT: pcap dispatch thread running...

1 Request through the tunnel with Nav

Jan 6 09:28:48 tssyd ntop[86886]: HTTP/I18N_DEBUG: Requested URL = 'http://tssyd:3000/', length = -1
Jan 6 09:28:48 tssyd ntop[86886]: HTTP/I18N_DEBUG: User-Agent = 'Mozilla/4.76 [en] (X11; U; Linux 2.4.2 i386; Nav)'
Jan 6 09:28:48 tssyd ntop[86886]: **ERROR** URL security: 'http://tssyd:3000/' rejected (code=2)(client=192.168.102.230)
Jan 6 09:28:57 tssyd ntop[86886]: **ERROR** Rejected request from address 192.168.102.230 (it previously sent ntop a bad request)
Jan 6 09:29:02 tssyd ntop[86886]: **ERROR** Rejected request from address 192.168.102.230 (it previously sent ntop a bad request)
Jan 6 09:30:04 tssyd last message repeated 2 times

2 Direct request (not tunnelled) with Firebird/Moz showing that debug
messages are being written (direct request works fine)

Jan 6 09:30:50 tssyd ntop[86886]: HTTP/I18N_DEBUG: Requested URL = '/', length = -1
Jan 6 09:30:50 tssyd ntop[86886]: HTTP/I18N_DEBUG: User-Agent = 'Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.5a) Gecko/20030808 Mozilla Firebird/0.6.1'
Jan 6 09:30:50 tssyd ntop[86886]: HTTP/I18N_DEBUG: Testing for page index.html at ./html/index.html
Jan 6 09:30:50 tssyd ntop[86886]: HTTP/I18N_DEBUG: Testing for page index.html at /usr/local/ntop-2.2.98/share/ntop/html/index.html
Jan 6 09:30:51 tssyd ntop[86886]: HTTP/I18N_DEBUG: Requested URL = '/style.css', length = -1
Jan 6 09:30:51 tssyd ntop[86886]: HTTP/I18N_DEBUG: User-Agent = 'Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.5a) Gecko/20030808 Mozilla Firebird/0.6.1'

3 Firebird via the tunnel

Jan 6 09:37:22 tssyd ntop[86886]: clearing lockout for address 192.168.102.230
Jan 6 09:37:22 tssyd ntop[86886]: HTTP/I18N_DEBUG: Requested URL = 'http://tssyd:3000/info.html', length = -1
Jan 6 09:37:22 tssyd ntop[86886]: HTTP/I18N_DEBUG: User-Agent = 'Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.5a) Gecko/20030808 Mozilla Firebird/0.6.1'
Jan 6 09:37:22 tssyd ntop[86886]: **ERROR** URL security: 'http://tssyd:3000/info.html' rejected (code=2)(client=192.168.102.230)

> A cheesy fix:
>
>       } else if(numLine == 1) {
> >>>     if(strncmp(lineStr, "http://", 7) == 0) { memset(&lineStr, ' ', 7); }
> >>>     if(strncmp(lineStr, "https://", 8) == 0) { memset(&lineStr, ' ', 8); }
>         strncpy(httpRequestedURL, lineStr,
>                 sizeof(httpRequestedURL)-1)[sizeof(httpRequestedURL)-1] = '\0';
>
> might work...

Here's what I did

tssyd> diff -u http.c.orig http.c
--- http.c.orig	Tue Jan  6 09:16:57 2004
+++ http.c	Tue Jan  6 09:58:41 2004
@@ -267,6 +267,8 @@
     if(errorCode != 0) {
       ; /* skip parsing after an error was detected */
     } else if(numLine == 1) {
+      if(strncmp(lineStr, "http://", 7) == 0) { memset(&lineStr, ' ', 7); }
+      if(strncmp(lineStr, "https://", 8) == 0) { memset(&lineStr, ' ', 8); }
       strncpy(httpRequestedURL, lineStr,
               sizeof(httpRequestedURL)-1)[sizeof(httpRequestedURL)-1] = '\0';

Unfortunately, the results are the same.

>
> -----Burton
>

Yours sincerely.

-- 
------------------------------------------------------------------------
Stanley Hopcroft
------------------------------------------------------------------------

'...No man is an island, entire of itself; every man is a piece of the
continent, a part of the main. If a clod be washed away by the sea, Europe
is the less, as well as if a promontory were, as well as if a manor of thy
friend's or of thine own were. Any man's death diminishes me, because I am
involved in mankind; and therefore never send to know for whom the bell
tolls; it tolls for thee...'

from Meditation 17, J Donne.

_______________________________________________
Ntop-dev mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop-dev
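Review bot: the two added lines in the @@ -267,6 +267,8 @@ hunk only overwrite the scheme with spaces, so after `memset(&lineStr, ' ', 7)` the request line `http://tssyd:3000/` from the log above becomes `       tssyd:3000/`; the host:port part is still in front of the path and the line still does not begin with `/` the way the accepted direct requests (`/`, `/style.css`) do, which is consistent with the results being the same after the patch. Instead, find the first `/` after the `://` and slide the rest of the line, terminator included, to the front of the buffer, for example `char *p = strchr(lineStr + 7, '/'); if(p) memmove(lineStr, p, strlen(p) + 1);` (memmove, since the regions overlap), and treat a line with no `/` after the host as `/` or reject it. Also pass `lineStr` rather than `&lineStr` to memset: the two are only the same address while `lineStr` is an array, and `&lineStr` would clobber the pointer itself if the variable is ever changed to a `char *`.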
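As an added illustration, not code from this thread, from ntop, or from either correspondent, here is a stand-alone C routine that does what the patch above is trying to do: rewrite an absolute-form request-target such as http://tssyd:3000/info.html into the origin-form path /info.html before any URL security check runs, and reject anything that still does not begin with /. The function names (normalizeRequestTarget, normalizedCopy, hasPrefixNoCase) are mine, and the sample request lines are constructed from the shapes of the ones in the logs quoted above; the sample that blanks the scheme with spaces shows why the memset approach leaves the check failing.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Case-insensitive "does s start with prefix" (strncasecmp is POSIX, not ISO C). */
static int hasPrefixNoCase(const char *s, const char *prefix) {
    for (; *prefix != '\0'; s++, prefix++) {
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    }
    return 1;
}

/* Rewrite an absolute-form request-target ("http://host:port/path") into
 * origin form ("/path") in place, so that a later check which insists on a
 * leading '/' sees the same thing whether or not a proxy-style request line
 * arrived through the tunnel.
 * Returns 0 when target is now in origin form, -1 when it is neither origin
 * form nor a well-formed absolute-form URL (the caller should reject it). */
int normalizeRequestTarget(char *target) {
    static const char *const schemes[] = { "http://", "https://" };
    size_t i;

    if (target == NULL || target[0] == '\0')
        return -1;
    if (target[0] == '/')
        return 0;                       /* already origin form: nothing to do */

    for (i = 0; i < sizeof schemes / sizeof schemes[0]; i++) {
        const char *host, *path;
        if (!hasPrefixNoCase(target, schemes[i]))
            continue;
        host = target + strlen(schemes[i]);
        path = strchr(host, '/');
        if (path == host)
            return -1;                  /* empty authority, e.g. "http:///x" */
        if (path == NULL) {             /* "http://host:port" -> "/" */
            target[0] = '/';
            target[1] = '\0';
            return 0;
        }
        /* Slide the path, terminator included, to the front of the buffer.
         * The regions overlap, so memmove rather than memcpy/strcpy. */
        memmove(target, path, strlen(path) + 1);
        return 0;
    }
    /* No recognised scheme and no leading '/': e.g. "tssyd:3000/", or the
     * "       tssyd:3000/" that blanking "http://" with spaces produces. */
    return -1;
}

/* Helper for the demo and tests: normalizes a copy of `in` into a static
 * buffer and returns it, or NULL when the target is rejected. */
const char *normalizedCopy(const char *in) {
    static char buf[256];
    if (in == NULL || strlen(in) >= sizeof buf)
        return NULL;
    strcpy(buf, in);
    return normalizeRequestTarget(buf) == 0 ? buf : NULL;
}

int main(void) {
    /* Constructed request-targets modelled on the ones quoted in the thread. */
    static const char *const samples[] = {
        "http://tssyd:3000/",           /* tunnelled Nav request                    */
        "http://tssyd:3000/info.html",  /* tunnelled Firebird request               */
        "/style.css",                   /* direct request, already origin form      */
        "HTTPS://tssyd:3001",           /* scheme in capitals, no path at all       */
        "       tssyd:3000/",           /* what the memset-with-spaces patch leaves */
        "tssyd:3000/"                   /* no scheme, no leading '/'                */
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *out = normalizedCopy(samples[i]);
        printf("%-30s -> %s\n", samples[i], out != NULL ? out : "(rejected)");
    }
    return 0;
}
```

Dropping the scheme and authority only once the path has been located, rather than blanking a fixed number of characters, keeps the host:port part from ever reaching the security check, and the -1 return gives the caller one place to reject malformed request lines before they are copied into httpRequestedURL.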
