aboutsummaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
...
* Skype: remove old detection logic (#1954)Ivan Nardi2024-02-12
| | | | | | | Skype has been using standard protocols (STUN/ICE or TLS) for a long, long time, now. Long gone are the days of Skype as a distribuited protocol. See: #2166
* Remove spurious call to `exit()`Nardi Ivan2024-02-12
|
* Added stress testLuca Deri2024-02-11
|
* Improved Polish gambling sites fetch script. (#2315)Toni2024-02-10
| | | | | * fails quite often in the CI, so ignore potential xmllint error Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* reader_util: fix GRE detunneling (#2314)Ivan Nardi2024-02-10
|
* TLS: add configuration of JA* fingerprints (#2313)Ivan Nardi2024-02-10
|
* fuzz: improve fuzzing coverage (#2309)Ivan Nardi2024-02-09
|
* Add detection of Gaijin Entertainment games (#2311)Vladimir Gavrilov2024-02-09
| | | | | | | | | * Add detection of Gaijin Entertainment games * Short NDPI_PROTOCOL_GAIJINENTERTAINMENT to NDPI_PROTOCOL_GAIJIN * Add default UDP port for Gaijin Entertainment games * Remove NDPI_PROTOCOL_CROSSOUT protocol id
* Improve normalization of `flow->host_server_name` (#2310)Ivan Nardi2024-02-09
| | | | | | | | | | | | | Follow-up of 4543385d107fcc5a7e8632e35d9a60bcc40cb4f4 Remove trailing spaces for any HTTP header (we already remove leading spaces) We want: * a "normalized" string in `flow->host_server_name`, but * to parse the original string for flow risk checking `ndpi_hostname_sni_set()` is a private function, so there is no need to export its flags.
* Add new AppsFlyer domain (#2307)Vladimir Gavrilov2024-02-08
|
* Add TencentGames protocol dissector (#2306)Vladimir Gavrilov2024-02-08
|
* Normalization of host_server_name (#2299)Vitaly Lavrov2024-02-05
| | | | | | | | | * Normalization of host_server_name The ndpi_hostname_sni_set() function replaces all non-printable characters with the "?" character and removing whitespace characters at the end of the line. * Added conditional hostname normalization.
* Fixed incompatibity with RH7 introduced by ↵Luca Deri2024-02-05
| | | | https://github.com/ntop/nDPI/commit/02030ac16e5016b00e0da6ff7512d97751bf87d2
* Removed un-necessary include that caused configure-based applications ↵Luca Deri2024-02-05
| | | | sitting on top of nDPI to faile at compilation
* Fix `ndpi_get_lru_cache_stats()` (#2303)Ivan Nardi2024-02-05
| | | Found while fuzzing
* Serialize JA4 to JSON. (#2305)Toni2024-02-05
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Build RPM package in the CI. (#2304)Toni2024-02-05
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Minor hash improvementLuca Deri2024-02-04
|
* Completly disable all pthread related code in the library if ↵Toni2024-02-03
| | | | | `USE_GLOBAL_CONTEXT` macro is not defined. (#2302) Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* collectd: fix extraction of hostname (#2301)Ivan Nardi2024-02-03
|
* Improve `ndpi_set_config` error printing. (#2300)Toni2024-02-02
| | | | | * exit `ndpiReader` if a invalid configuration setting detected Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Simplify and fix JA4 string computation. (#2298)Toni2024-02-02
| | | | | | | | | | | | * additional JA4 string buffer is not needed and may cause a string truncation warning ``` protocols/tls.c: In function ‘ndpi_compute_ja4’: protocols/tls.c:1738:3: warning: ‘strncpy’ output may be truncated copying 36 bytes from a string of length 1023 [-Wstringop-truncation] 1738 | strncpy(flow->protos.tls_quic.ja4_client, ja_str, 36); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ``` Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* CIP: fix infinite-loop (#2295)Ivan Nardi2024-02-01
| | | | | Found by oss-fuzzer See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66342 See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66320
* GitHub Actions: update to latest macOS runners (#2293)Ivan Nardi2024-02-01
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add a simple job with macos-14 on M1. https://github.blog/changelog/2024-01-30-github-actions-introducing-the-new-m1-macos-runner-available-to-open-source/) There are some issues with external dependencies (they are installed but autoconf script doens;t find them) so keep it simple. On macos-13 it seems that: * there is no `realpath` program (even if coreutils has been installed...) * most of the filesystem is read only (we can't write on /usr/lib). So I change ``` make install DESTDIR=$(realpath _install) ls -alhHR _install ``` to ``` DESTDIR=/tmp/ndpi make install ls -alhHR /tmp/ndpi ``` for all the jobs Fix a warning on GitHub logs: ``` Node.js 16 actions are deprecated. Please update the following actions to use Node.js 20: actions/checkout@v3. For more information see: https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/. ```
* Add Gearman protocol dissector (#2297)Vladimir Gavrilov2024-02-01
|
* Fix function parameters check on domain code (#2296)Ivan Nardi2024-02-01
| | | Found while fuzzing fuzz_config
* Sync unit tests resultsNardi Ivan2024-02-01
|
* Allow multiple `struct ndpi_detection_module_struct` to share some state (#2271)Ivan Nardi2024-02-01
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add the concept of "global context". Right now every instance of `struct ndpi_detection_module_struct` (we will call it "local context" in this description) is completely independent from each other. This provide optimal performances in multithreaded environment, where we pin each local context to a thread, and each thread to a specific CPU core: we don't have any data shared across the cores. Each local context has, internally, also some information correlating **different** flows; something like: ``` if flow1 (PeerA <-> Peer B) is PROTOCOL_X; then flow2 (PeerC <-> PeerD) will be PROTOCOL_Y ``` To get optimal classification results, both flow1 and flow2 must be processed by the same local context. This is not an issue at all in the far most common scenario where there is only one local context, but it might be impractical in some more complex scenarios. Create the concept of "global context": multiple local contexts can use the same global context and share some data (structures) using it. This way the data correlating multiple flows can be read/write from different local contexts. This is an optional feature, disabled by default. Obviously data structures shared in a global context must be thread safe. This PR updates the code of the LRU implementation to be, optionally, thread safe. Right now, only the LRU caches can be shared; the other main structures (trees and automas) are basically read-only: there is little sense in sharing them. Furthermore, these structures don't have any information correlating multiple flows. Every LRU cache can be shared, independently from the others, via `ndpi_set_config(ndpi_struct, NULL, "lru.$CACHE_NAME.scope", "1")`. It's up to the user to find the right trade-off between performances (i.e. without shared data) and classification results (i.e. with some shared data among the local contexts), depending on the specific traffic patterns and on the algorithms used to balance the flows across the threads/cores/local contexts. Add some basic examples of library initialization in `doc/library_initialization.md`. This code needs libpthread as external dependency. It shouldn't be a big issue; however a configure flag has been added to disable global context support. A new CI job has been added to test it. TODO: we should need to find a proper way to add some tests on multithreaded enviroment... not an easy task... *** API changes *** If you are not interested in this feature, simply add a NULL parameter to any `ndpi_init_detection_module()` calls.
* Provide a u64 wrapper for `ndpi_set_config()` (#2292)Toni2024-01-30
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Updated results (missing `cip_io.pcap.out`)Toni Uhlig2024-01-29
| | | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Implemented CIP I/O (UDP version of the CIP protocol), Common Industrial ↵Luca Deri2024-01-29
| | | | protocol
* Updated resultLuca Deri2024-01-29
|
* Fixes invalid skype detection on UDPLuca Deri2024-01-29
|
* Added public_suffix_list.dat in RPM packageLuca Deri2024-01-29
|
* Added public_suffix_list.dat in packagesLuca Deri2024-01-29
|
* Enhanced exception lists for binary application transferLuca Deri2024-01-29
|
* fuzz: fuzz_config: try restoring good coverage (#2291)Ivan Nardi2024-01-29
| | | Last changes reduce fuzzing coverage of this fuzzer :(
* Add missing NDPI_LOG_DBG in some dissectors (#2290)Vladimir Gavrilov2024-01-29
| | | | | * Add missing NDPI_LOG_DBG * Add missing NDPI_LOG_DBG in yojimbo.c
* Fix RESP detection (#2289)Vladimir Gavrilov2024-01-27
| | | | | * Rename redis_net.c to resp.c * Fix RESP detection
* Removed check fir skipping .arpa domainsLuca Deri2024-01-27
|
* Check DGA on domain name (as it should be) rather than on the host nameLuca Deri2024-01-27
|
* Fixed warningLuca Deri2024-01-27
|
* Fixed loading of non-ICANN domains that caused false positives with ↵Luca Deri2024-01-27
| | | | | | ndpi_load_domain_suffixes Minor hash optimization
* Add Raft protocol dissector. (#2286)Toni2024-01-25
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Improve MySQL detection (#2279)Vladimir Gavrilov2024-01-25
| | | | | * Improve MySQL detection * Update copyright
* fuzz: fuzz_config: we need bigegr inputs (#2285)Ivan Nardi2024-01-25
|
* Add Radmin protocol dissector (#2283)Vladimir Gavrilov2024-01-25
| | | | | * Add Radmin protocol dissector * Update test results
* fuzz: extend fuzzing coverage (#2281)Ivan Nardi2024-01-24
|
* QUIC: fix decryption with CH fragments with different Destination CID (#2278)Ivan Nardi2024-01-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | QUIC decryption fails when the Client Hello is split into multiple UDP packets and these packets have different Destination Connection IDs (because the server told the client to switch to a different CID; see RFC 9000 7.2) ``` The Destination Connection ID field from the first Initial packet sent by a client is used to determine packet protection keys for Initial packets. [..] Upon first receiving an Initial or Retry packet from the server, the client uses the Source Connection ID supplied by the server as the Destination Connection ID for subsequent packets ``` From a logical point of view, the ciphers used for decryption should be initialized only once, with the first Initial pkt sent by the client and kept for later usage with the following packets (if any). However it seems that we can safely initialize them at each packet, if we keep using the DCID of the **first** packet sent by the client. Keep initializing the ciphers at each packet greatly simplifie this patch. This issue has been undetected for so long because: * in the vast majority of the cases we only decrypt one packet per flow; * the available traces with the Client Hello split into multiple packets (i.e. cases where we need to decrypt at least two packets per flow) were created in a simple test environment to simulate Post-Quantum handshake, and in that scenario the client sent all the packets (with the same DCID) before any reply from the server. However, in the last months all major browsers started supporting PQ key, so it is now common to have split CH in real traffic. Please note that in the attached example, the CH is split into 2 (in-order) fragments (in different UDP packets) and the second one in turn is divided into 9 (out-of-order) CRYPTO frames; the reassembler code works out-of-the-box even in this (new) scenario.
* Add STOMP protocol dissector (#2280)Vladimir Gavrilov2024-01-23
|
Powered by cgit, Themed by Ted Yin.