aboutsummaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* Changed too restrictive checkLuca Deri2024-09-25
|
* Add some heuristics to detect encrypted/obfuscated/proxied TLS flows (#2553)Ivan Nardi2024-09-24
| | | | | | | | | | | | Based on the paper: "Fingerprinting Obfuscated Proxy Traffic with Encapsulated TLS Handshakes". See: https://www.usenix.org/conference/usenixsecurity24/presentation/xue-fingerprinting Basic idea: * the packets/bytes distribution of a TLS handshake is quite unique * this fingerprint is still detectable if the handshake is encrypted/proxied/obfuscated All heuristics are disabled by default.
* Fix Sonos traceNardi Ivan2024-09-24
|
* buffer lenghtt is now returned by ndpi_quick_encrypt() and ndpi_quick_deecrypt()Luca Deri2024-09-24
|
* Added new API callsLuca Deri2024-09-24
| | | | | u_int ndpi_hex2bin(u_char *out, u_int out_len, u_char* in, u_int in_len); u_int ndpi_bin2hex(u_char *out, u_int out_len, u_char* in, u_int in_len);
* Added Sonos protocol detectionLuca Deri2024-09-24
|
* Added ndpi_quick_encrypt() ndpi_quick_decrypt() APi calls (#2568)Luca Deri2024-09-24
| | | | | * Added ndpi_quick_encrypt() ndpi_quick_decrypt(0 APi calls based on AES * Added aes.c
* TLS: improve handling of Change Cipher message (#2564)Ivan Nardi2024-09-23
|
* Fix `ndpi_strrstr()` (#2565)Ivan Nardi2024-09-23
| | | | | | | | | | | | | ``` ==6591==ERROR: AddressSanitizer: SEGV on unknown address 0x502000230000 (pc 0x55fbd836a5a0 bp 0x7ffdf4503670 sp 0x7ffdf4502e28 T0) ==6591==The signal is caused by a READ memory access. #0 0x55fbd836a5a0 in __sanitizer::internal_strlen(char const*) /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_libc.cpp:176:10 #1 0x55fbd82cfc28 in StrstrCheck(void*, char*, char const*, char const*) /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:579:17 #2 0x55fbd82cfbc2 in strstr /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:598:5 #3 0x55fbd840a04a in ndpi_strrstr /src/ndpi/src/lib/ndpi_utils.c:3471:15 #4 0x55fbd840ba95 in ndpi_get_host_domain /src/ndpi/src/lib/ndpi_domains.c:149:9 #5 0x55fbd83ef751 in ndpi_check_dga_name /src/ndpi/src/lib/ndpi_main.c:10748:17 ``` Found by oss-fuzz
* wireshark: lua: add script for QUIC fingerprints [WIP] (#2566)Ivan Nardi2024-09-23
|
* Replaced traces with debug messagesLuca Deri2024-09-20
|
* Allow IP guess before port in ndpi_detection_giveup (#2562)Liam Wilson2024-09-20
| | | | Add dpi.guess_ip_before_port which when enabled uses classification by-ip before classification by-port.
* Implemented ndpi_strrstr()Luca Deri2024-09-19
| | | | Fixed bug in ndpi_get_host_domain
* Tls out of order (#2561)Ivan Nardi2024-09-18
| | | | | | | | | | | | * Revert "Added fix for handling Server Hello before CLient Hello" This reverts commit eb15b22e7757cb70894fdcde440e62bc40f22df1. * TLS: add some tests with unidirectional traffic * TLS: another attempt to process CH received after the SH Obviously, we will process unidirectional traffic longer, because we are now waiting for messages in both directions
* fuzz: fix compilationNardi Ivan2024-09-17
|
* Added fix for handling Server Hello before CLient HelloLuca2024-09-17
|
* Fixed handling of spurious TCP retransmissionsLuca2024-09-17
|
* Updated ndpi_serialize_flow_fingerprint API signatureLuca2024-09-17
|
* domain lists are not loaded when -E is usedLuca2024-09-17
|
* Improved fingerprint serializationLuca2024-09-17
|
* Added DHCP class idnetifierLuca2024-09-17
|
* OpenVPN: heuristic: add a simple check to avoid false positives (#2560)Ivan Nardi2024-09-17
| | | We should have too big packets during the initial handshake
* fuzz: try to be a little bit faster (#2559)Ivan Nardi2024-09-17
| | | | | | | Some fuzzers don't really need a real and complete local context. Try to avoid setting it up, creating a simpler fake version with only the features really needed. That is a kind of experiment: if it works, we can extend the same logic to other fuzzers
* dns: add a check before setting `NDPI_MALFORMED_PACKET` risk (#2558)Ivan Nardi2024-09-16
| | | | | | "Invalid DNS Header"-risk should be set only if the flow has been already classified as DNS. Otherwise, almost any non-DNS flows on port 53 will end up having the `NDPI_MALFORMED_PACKET` risk set, which is a little bit confusing for non DNS traffic
* wireshark: extcap: rework trailer header (#2557)Ivan Nardi2024-09-16
|
* Add an heuristic to detect encrypted/obfuscated OpenVPN flows (#2547)Ivan Nardi2024-09-16
| | | | | | | | | | | | Based on the paper: "OpenVPN is Open to VPN Fingerprinting" See: https://www.usenix.org/conference/usenixsecurity22/presentation/xue-diwen Basic idea: * the distribution of the first byte of the messages (i.e. the distribution of the op-codes) is quite unique * this fingerprint might be still detectable even if the OpenVPN packets are somehow fully encrypted/obfuscated The heuristic is disabled by default.
* TLS: fix stack-buffer-overflowNardi Ivan2024-09-16
| | | | | | | | | | | | | | | | | | | | | ``` SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior protocols/tls.c:1812:22 ================================================================= ==97754==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ba835bde8e5 at pc 0x557ebb644241 bp 0x7ffec04b0ea0 sp 0x7ffec04b0648 WRITE of size 7 at 0x7ba835bde8e5 thread T0 #0 0x557ebb644240 in vsnprintf (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x6bf240) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f) #1 0x557ebb645b1d in snprintf (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x6c0b1d) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f) #2 0x557ebb749dbc in ndpi_compute_ja4 /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:1812:12 #3 0x557ebb7445a7 in processClientServerHello /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:2946:10 #4 0x557ebb7073c9 in process_tls /home/ivan/svnrepos/nDPI/src/lib/protocols/quic.c:1397:3 #5 0x557ebb6ff815 in LLVMFuzzerTestOneInput /home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data.c:46:7 #6 0x557ebb602dcb in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x67ddcb) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f) #7 0x557ebb5ecea8 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x667ea8) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f) #8 0x557ebb5f299a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x66d99a) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f) #9 0x557ebb61c482 in main (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x697482) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f) #10 0x7fa837e27082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16 #11 0x557ebb5e7b5d in _start (/home/ivan/svnrepos/nDPI/fuzz/fuzz_quic_get_crypto_data+0x662b5d) (BuildId: ce17f7c48055e1f051360bed543c1e18c05f684f) ```
* dhcp: fix out of bounds accesNardi Ivan2024-09-16
|
* fuzz: fix compilationNardi Ivan2024-09-16
|
* Reworked fingerprint export now in JSONLuca2024-09-16
|
* Enhanced DHCP fingerprintLuca Deri2024-09-15
| | | | Exported it with -E
* Added -E option for dumping flow fingerprintLuca Deri2024-09-15
|
* QUIC: add a basic heuristic to detect mid-flowsNardi Ivan2024-09-10
|
* RTP: fix identification over TCPNardi Ivan2024-09-10
| | | | We can access `flow->l4.udp` structure only with UDP flows...
* RTMP: improve detection (#2549)Ivan Nardi2024-09-10
|
* Implemented algorithms for K-Nearest Neighbor Search (KNN) (#2554)Luca Deri2024-09-10
| | | | | | | | | | | | | | | | * Extended API with functions for vector similarity based on KD-trees https://en.wikipedia.org/wiki/K-d_tree ndpi_kd_tree* ndpi_kd_create(u_int num_dimensions); void ndpi_kd_free(ndpi_kd_tree *tree); void ndpi_kd_clear(ndpi_kd_tree *tree); bool ndpi_kd_insert(ndpi_kd_tree *tree, const double *data_vector, void *user_data); ndpi_kd_tree_result *ndpi_kd_nearest(ndpi_kd_tree *tree, const double *data_vector); u_int32_t ndpi_kd_num_results(ndpi_kd_tree_result *res); bool ndpi_kd_result_end(ndpi_kd_tree_result *res); double* ndpi_kd_result_get_item(ndpi_kd_tree_result *res, double **user_data); bool ndpi_kd_result_next(ndpi_kd_tree_result *res); void ndpi_kd_result_free(ndpi_kd_tree_result *res); double ndpi_kd_distance(double *a1, double *b2, u_int num_dimensions);
* Fix for name clash on some compilersLuca Deri2024-09-09
|
* Added ability to save JA4_r as decimal valueLuca Deri2024-09-08
|
* oracle: fix dissector (#2548)Ivan Nardi2024-09-07
| | | | We can do definitely better, but this change is a big improvements respect the current broken code
* Fix compilation (#2546)Ivan Nardi2024-09-05
|
* Implemented JA4 raw (ja4_r) fingerprintLuca Deri2024-09-05
| | | | | Example: ./example/ndpiReader -i tests/pcap/safari.pcap --cfg=tls,metadata.ja4r_fingerprint,1
* Add detection of Windscribe VPNNardi Ivan2024-09-05
|
* Add detection of CactusVPNNardi Ivan2024-09-05
|
* Add detection of SurfShark VPNNardi Ivan2024-09-05
|
* OpenVPN, Wireguard: improve sub-classificationNardi Ivan2024-09-05
| | | | | | | | Allow sub-classification of OpenVPN/Wireguard flows using their server IP. That is useful to detect the specific VPN application/app used. At the moment, the supported protocols are: Mullvad, NordVPN, ProtonVPN. This feature is configurable.
* Add detection of NordVPNNardi Ivan2024-09-05
|
* OpenVPN: improve detectionNardi Ivan2024-09-05
|
* wireshark: extcap: export flow risk infoNardi Ivan2024-09-05
|
* wireshark: extcap: fix output data link typeNardi Ivan2024-09-05
| | | | | | | Avoid forcing `DLT_EN10MB` but use the same data link type of the input pcap. This way, we can use extcap functionality with input traces having Linux "cooked" capture encapsulation, i.e. traces captured on "any" interface
* Add Lustre protocol detection support (#2544)Vladimir Gavrilov2024-09-04
|
Powered by cgit, Themed by Ted Yin.