| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Changed the default to IPv4 (used to be IPv6) in case of DNS error response
|
| | |
|
| |
|
|
| |
Padding is usually some hundreds byte long. Longer padding might be used
as obfuscation technique to force unusual CH fragmentation
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Quick fix with latest Windows image on GitHub CI, where we got:
```
ndpiReader.c:2860:38: error: '%s' directive output may be truncated writing up to 64 bytes into a region of size 63 [-Werror=format-truncation=]
2860 | snprintf(srcip, sizeof(srcip), "[%s]", flow->src_name);
| ^~
ndpiReader.c:2860:5: note: 'snprintf' output between 3 and 67 bytes into a destination of size 64
2860 | snprintf(srcip, sizeof(srcip), "[%s]", flow->src_name);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ndpiReader.c:2861:38: error: '%s' directive output may be truncated writing up to 64 bytes into a region of size 63 [-Werror=format-truncation=]
2861 | snprintf(dstip, sizeof(dstip), "[%s]", flow->dst_name);
| ^~
ndpiReader.c:2861:5: note: 'snprintf' output between 3 and 67 bytes into a destination of size 64
2861 | snprintf(dstip, sizeof(dstip), "[%s]", flow->dst_name);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
|
| | |
|
| | |
|
| |
|
|
| |
Allocate heuristics state only if really needed.
Fix memory leak (it happened with WebSocket traffic on port 443)
|
| |
|
| |
See: 9d07cf281
|
| | |
|
| |
|
| |
wireshark, lua: add basic analysis of possible obfuscated flows
|
| | |
|
| |
|
|
|
|
|
|
| |
Add configurable options for whether to include client port or client IP
in the flow's protocol guesses. This defaults to include both client
port/IP if the protocol is not guessed with the server IP/port.
This is intended for when flow direction detection is enabled, so we
know that sport = client port, dport = server port.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Based on the paper: "Fingerprinting Obfuscated Proxy Traffic with
Encapsulated TLS Handshakes".
See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting
Basic idea:
* the packets/bytes distribution of a TLS handshake is quite unique
* this fingerprint is still detectable if the handshake is
encrypted/proxied/obfuscated
All heuristics are disabled by default.
|
| | |
|
| | |
|
| |
|
|
|
| |
u_int ndpi_hex2bin(u_char *out, u_int out_len, u_char* in, u_int in_len);
u_int ndpi_bin2hex(u_char *out, u_int out_len, u_char* in, u_int in_len);
|
| | |
|
| |
|
|
|
| |
* Added ndpi_quick_encrypt() ndpi_quick_decrypt(0 APi calls based on AES
* Added aes.c
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
```
==6591==ERROR: AddressSanitizer: SEGV on unknown address 0x502000230000 (pc 0x55fbd836a5a0 bp 0x7ffdf4503670 sp 0x7ffdf4502e28 T0)
==6591==The signal is caused by a READ memory access.
#0 0x55fbd836a5a0 in __sanitizer::internal_strlen(char const*) /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_libc.cpp:176:10
#1 0x55fbd82cfc28 in StrstrCheck(void*, char*, char const*, char const*) /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:579:17
#2 0x55fbd82cfbc2 in strstr /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:598:5
#3 0x55fbd840a04a in ndpi_strrstr /src/ndpi/src/lib/ndpi_utils.c:3471:15
#4 0x55fbd840ba95 in ndpi_get_host_domain /src/ndpi/src/lib/ndpi_domains.c:149:9
#5 0x55fbd83ef751 in ndpi_check_dga_name /src/ndpi/src/lib/ndpi_main.c:10748:17
```
Found by oss-fuzz
|
| | |
|
| | |
|
| |
|
|
| |
Add dpi.guess_ip_before_port which when enabled uses classification
by-ip before classification by-port.
|
| |
|
|
| |
Fixed bug in ndpi_get_host_domain
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* Revert "Added fix for handling Server Hello before CLient Hello"
This reverts commit eb15b22e7757cb70894fdcde440e62bc40f22df1.
* TLS: add some tests with unidirectional traffic
* TLS: another attempt to process CH received after the SH
Obviously, we will process unidirectional traffic longer, because we are
now waiting for messages in both directions
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
| |
We should have too big packets during the initial handshake
|
| |
|
|
|
|
|
| |
Some fuzzers don't really need a real and complete local context.
Try to avoid setting it up, creating a simpler fake version with only the
features really needed.
That is a kind of experiment: if it works, we can extend the same logic
to other fuzzers
|
| |
|
|
|
|
| |
"Invalid DNS Header"-risk should be set only if the flow has been
already classified as DNS. Otherwise, almost any non-DNS flows on port 53
will end up having the `NDPI_MALFORMED_PACKET` risk set, which is a little
bit confusing for non DNS traffic
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Based on the paper: "OpenVPN is Open to VPN Fingerprinting"
See: https://www.usenix.org/conference/usenixsecurity22/presentation/xue-diwen
Basic idea:
* the distribution of the first byte of the messages (i.e. the distribution
of the op-codes) is quite unique
* this fingerprint might be still detectable even if the OpenVPN packets are
somehow fully encrypted/obfuscated
The heuristic is disabled by default.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
```
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior protocols/tls.c:1812:22
=================================================================
==97754==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ba835bde8e5 at pc 0x557ebb644241 bp 0x7ffec04b0ea0 sp 0x7ffec04b0648
WRITE of size 7 at 0x7ba835bde8e5 thread T0
#0 0x557ebb644240 in vsnprintf (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x6bf240) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f)
#1 0x557ebb645b1d in snprintf (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x6c0b1d) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f)
#2 0x557ebb749dbc in ndpi_compute_ja4 /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:1812:12
#3 0x557ebb7445a7 in processClientServerHello /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:2946:10
#4 0x557ebb7073c9 in process_tls /home/ivan/svnrepos/nDPI/src/lib/protocols/quic.c:1397:3
#5 0x557ebb6ff815 in LLVMFuzzerTestOneInput /home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data.c:46:7
#6 0x557ebb602dcb in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x67ddcb) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f)
#7 0x557ebb5ecea8 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x667ea8) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f)
#8 0x557ebb5f299a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x66d99a) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f)
#9 0x557ebb61c482 in main (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x697482) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f)
#10 0x7fa837e27082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
#11 0x557ebb5e7b5d in _start (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x662b5d) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f)
```
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Exported it with -E
|
| | |
|
| | |
|