Commit message | Author | Age
* Add a new fuzzer for QUIC (#1800) | Ivan Nardi | 2022-12-01

  QUIC packets are encrypted/obfuscated; that means that we need to decrypt them before parsing the real (TLS) message. Fuzzing is not effective here, since a random buffer is hardly a valid encrypted QUIC packet.

  Add a new fuzzer, testing *decrypted* QUIC packets. Add a basic corpus.

  Fix a few bugs already found by this fuzzer.
* Fix classification "by-port" of QUIC flows (#1785) | Ivan Nardi | 2022-11-22

  nDPI is able to properly classify QUIC flows only if it elaborates the very first packets of the flow. The protocol list in `is_udp_guessable_protocol()` is basically a list of protocols which can be detected from *any* packets in the flow.

  Rename such function to `is_udp_not_guessable_protocol()`: the name is still quite cryptic, but at least not plainly wrong.
* GitHub Actions: fix a warning (#1807) | Ivan Nardi | 2022-11-22

  ```
  The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
  ```
* TLS: be sure to always set `ssl_version` field (#1806) | Ivan Nardi | 2022-11-22

  Useful with asymmetric traffic with (D)TLS <= 1.2
* Added support for Linux Cooked Capture v2 | Luca Deri | 2022-11-16
* DNS: fix an infinite loop, due to an integer overflow (#1804) | Ivan Nardi | 2022-11-15

  Found by sydr-fuzz

  Close #1803
* Improved Teamspeak3 License/Weblist detection. (#1802) | Toni | 2022-11-15

  Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Improve export/print of L4 protocol information (#1799) | Ivan Nardi | 2022-11-13

  Close #1797
* GitHub Actions: update to Node.js 16 actions (#1801) | Ivan Nardi | 2022-11-13

  Fix warnings on recent CI results; example: https://github.com/ntop/nDPI/actions/runs/3455588082

  See: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/
* Merge pull request #1796 from IvanNardi/issue-1792 | Toni | 2022-11-07

  RTP: remove a superfluous check
* RTP: remove a superfluous check | Nardi Ivan | 2022-11-07

  Static analyzer complains about dereferencing `packet->udp` before checking. Since this function is called only with UDP flows, remove the check.

  Close: #1792
* Fix json export of ipv6 addresses | Nardi Ivan | 2022-11-07

  The "string" buffer was too short; better start using `INET6_ADDRSTRLEN` as reported in the man page of `inet_ntop`.

  Close: #1794
* Fix supported versions. | Zied Aouini | 2022-10-31

* Add a note about required Python version. | Zied Aouini | 2022-10-31
* Add basic profiling of memory allocations on data-path (#1789) | Ivan Nardi | 2022-10-28

  The goal is to have an idea of the memory allocation sizes performed in the **library data-path**, i.e. excluding init/deinit phases and all the allocations made by the application itself. In other words, how much memory is needed per-flow, by nDPI, other than `struct ndpi_flow_struct`?

  It works only on single-thread configurations.

  It is not enabled by default (in the unit tests) since different configuration options (example: `--enable-pcre`) lead to different results.

  See: #1781
* Removed unused variable | Luca Deri | 2022-10-26

* Fix typo | Alfredo Cardigliano | 2022-10-26

* Cleanup | Luca Deri | 2022-10-26

* Typo | Luca Deri | 2022-10-26

* Improved AESNI check | Luca Deri | 2022-10-26
* Hangout: avoid useless lookups in the protocol tree (#1755) | Ivan Nardi | 2022-10-25

  We already performed exactly these lookups in the generic code to populate `flow->guessed_protocol_id_by_ip`: use it!

  This code probably needs a deeper review, since it is basically a simple matching on ip + port.
* TLS: improve handling of ALPN(s) (#1784) | Ivan Nardi | 2022-10-25

  Tell "Advertised" ALPN list from "Negotiated" ALPN; the former is extracted from the CH, the latter from the SH.

  Add some entries to the known ALPN list.

  Fix printing of "TLS Supported Versions" field.
* Fix memory corruption on TCP flows (#1786) | Ivan Nardi | 2022-10-25

* IRC: fix memory access (#1787) | Ivan Nardi | 2022-10-25

* Sync unit tests results (#1783) | Ivan Nardi | 2022-10-22

* Enhanced HTTP numeric IP check | Luca Deri | 2022-10-22
* Add Elasticsearch protocol dissector. (#1782) | Toni | 2022-10-21

  * all credit goes to @verzulli

  Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Add Munin protocol dissector. | Toni Uhlig | 2022-10-20

  * all credit goes to @verzulli

  Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* TLS: allow sub-classification via ALPN | Nardi Ivan | 2022-10-20

  In some rare cases, it is possible to sub-classify the flow via ALPN matching. This is particularly useful for asymmetric traffic where the Client Hello doesn't have the SNI.

  For the time being there is only one rule, about ANYDESK.
* Sync unit tests results | Nardi Ivan | 2022-10-19

* Updated FortiClient default ports | Luca Deri | 2022-10-19

* Reworked severities adding critical and emergency, thus shifting values down | Luca Deri | 2022-10-19
* TLS: explicitly ignore client certificate (#1776) | Ivan Nardi | 2022-10-18

  TLS classification usually stops after processing *server* certificates (if any). That means that the *client* certificate, if present, is usually ignored. However, in some corner cases (i.e. unidirectional traffic) we might end up processing the client certificate and exposing its metadata: the issue is that the application will think that this metadata is about the server and not about the client.

  So, for the time being, always ignore client certificate processing. As a future work, we might find an efficient way to process and export both certificates.
* Fix a use-of-uninitialized-value error on PCRE code | Nardi Ivan | 2022-10-17

  This is likely a false positive, triggered by the fact that libpcre is usually compiled without MSAN support. If it was a real error, ASAN would complain loudly with an invalid-free error at the end of the same function.

  ```
  ==83793==WARNING: MemorySanitizer: use-of-uninitialized-value
      #0 0x562296111174 in ndpi_compile_rce_regex /home/ivan/svnrepos/nDPI/src/lib/ndpi_utils.c:1631:3
      #1 0x5622960e3e4a in ndpi_is_rce_injection /home/ivan/svnrepos/nDPI/src/lib/ndpi_utils.c:1636:5
      #2 0x5622960de7cd in ndpi_validate_url /home/ivan/svnrepos/nDPI/src/lib/ndpi_utils.c:1741:12
      #3 0x5622960dae45 in ndpi_dpi2json /home/ivan/svnrepos/nDPI/src/lib/ndpi_utils.c:1362:29
      #4 0x5622960e2751 in ndpi_flow2json /home/ivan/svnrepos/nDPI/src/lib/ndpi_utils.c:1512:10
      #5 0x562296033b0f in process_ndpi_collected_info /home/ivan/svnrepos/nDPI/example/reader_util.c:1310:9
      #6 0x5622960501f9 in packet_processing /home/ivan/svnrepos/nDPI/example/reader_util.c:1659:2
      #7 0x562296045aef in ndpi_workflow_process_packet /home/ivan/svnrepos/nDPI/example/reader_util.c:2202:10
      #8 0x562295e85374 in ndpi_process_packet /home/ivan/svnrepos/nDPI/example/ndpiReader.c:3937:7
      #9 0x7f1235053466 (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x23466) (BuildId: b84c893ea2516d6fb2c1c6726b1fe93b3be78f61)
      #10 0x7f1235041f67 in pcap_loop (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x11f67) (BuildId: b84c893ea2516d6fb2c1c6726b1fe93b3be78f61)
      #11 0x562295e53139 in runPcapLoop /home/ivan/svnrepos/nDPI/example/ndpiReader.c:4060:15
      #12 0x562295e51e7f in processing_thread /home/ivan/svnrepos/nDPI/example/ndpiReader.c:4130:3
      #13 0x7f1234e53608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
      #14 0x7f1234d2f132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

    Uninitialized value was created by an allocation of 'pcreErrorStr' in the stack frame
      #0 0x5622961108a6 in ndpi_compile_rce_regex /home/ivan/svnrepos/nDPI/src/lib/ndpi_utils.c:1603:3
  ```
* Add some popular streaming applications | Nardi Ivan | 2022-10-17

  A simple back-porting from https://github.com/vel21ripn/nDPI/pull/142; full credits to @ChrisNelson-CyberReef.

  Close #1716
* Updated protocol dissector serialisation code. (#1767) | Toni | 2022-10-15

  Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* HTTP: fix stack-buffer-overflow (#1768) | Ivan Nardi | 2022-10-14

  ```
  ==24879==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fa085b31e60 at pc 0x55cc63f203e2 bp 0x7ffc9ec91b10 sp 0x7ffc9ec91298
  READ of size 17 at 0x7fa085b31e60 thread T0
      #0 0x55cc63f203e1 in printf_common(void*, char const*, __va_list_tag*) asan_interceptors.cpp.o
      #1 0x55cc63f20769 in vsnprintf (/home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet_with_main+0x50e769) (BuildId: cce2b6b1344bfd0bdc9626fef604c2b3caad485b)
      #2 0x55cc63f22210 in __interceptor_snprintf (/home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet_with_main+0x510210) (BuildId: cce2b6b1344bfd0bdc9626fef604c2b3caad485b)
      #3 0x55cc6420fc76 in ndpi_check_http_server /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:668:4
      #4 0x55cc6420344b in check_content_type_and_change_protocol /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:742:5
      #5 0x55cc642031ce in check_content_type_and_change_protocol /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:737:7
      #6 0x55cc641fac9f in ndpi_check_http_tcp /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:1352:4
      #7 0x55cc641f2fd5 in ndpi_search_http_tcp /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:1461:3
      #8 0x55cc64085275 in check_ndpi_detection_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5580:6
      #9 0x55cc64085c87 in check_ndpi_tcp_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5628:12
      #10 0x55cc64085927 in ndpi_check_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5647:12
      #11 0x55cc64095fcb in ndpi_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:6458:15
      #12 0x55cc63fd08b4 in LLVMFuzzerTestOneInput /home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet.c:29:5
      #13 0x55cc63fd09f7 in main /home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet.c:101:17
      #14 0x7fa0880fb082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
      #15 0x55cc63efb45d in _start (/home/ivan/svnrepos/nDPI/fuzz/fuzz_process_packet_with_main+0x4e945d) (BuildId: cce2b6b1344bfd0bdc9626fef604c2b3caad485b)

  Address 0x7fa085b31e60 is located in stack of thread T0 at offset 96 in frame
      #0 0x55cc6420f1bf in ndpi_check_http_server /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:644

    This frame has 5 object(s):
      [32, 36) 'a' (line 653)
      [48, 52) 'b' (line 653)
      [64, 68) 'c' (line 653)
      [80, 96) 'buf' (line 654)
      [112, 176) 'msg' (line 662) <== Memory access at offset 96 partially underflows this variable
  ```

  Found by oss-fuzzer

  See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52229
* ndpiReader: fix help message. There isn't a 'J' option (#1770) | Ivan Nardi | 2022-10-14

* Sync utests results (#1774) | Ivan Nardi | 2022-10-14

* Removed gettimeofday as win files are located in windows/src/ | Luca Deri | 2022-10-14

* Added DNS error code mapping number -> string | Luca Deri | 2022-10-14

* Added detection of URLs starting with a dot (.) | Luca Deri | 2022-10-10
* LINE_CALL: add detection of LINE voip calls (#1761) | Ivan Nardi | 2022-10-06

  These flows are classified as `LINE_CALL`; another option was `RTP/LINE_CALL`. Not sure about the best solution...

  Extend LINE domains list.

  Remove RTP dead code.
* Windows changes | Luca Deri | 2022-10-06

* irc: fix heap-buffer-overflow (#1765) | Ivan Nardi | 2022-10-06

* Fixes Stack-buffer-overflow READ {*} · check_content_type_and_change_protocol | Luca Deri | 2022-10-06

* Updated IRC result | Luca Deri | 2022-10-05

* Improved credentials check in IRC | Luca Deri | 2022-10-05
* Added new flow risk NDPI_HTTP_OBSOLETE_SERVER. Currently Apache and nginx are supported | Luca | 2022-10-04

* Fix compilation and sync utests results | Nardi Ivan | 2022-10-04