aboutsummaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
...
* ndpiReader: fix memory leakNardi Ivan2024-01-15
| | | | | Change the working directory of `ndpiReader` in the Github Actions so that it can load the domain suffix list during `domainsUnitTest()`
* Added ndpi tracingLuca2024-01-15
|
* Removes extraneous parentheses that caused macOS to complainLuca2024-01-15
|
* Added new API callsLuca2024-01-15
| | | | | | | | | | - ndpi_load_domain_suffixes() - ndpi_get_host_domain_suffix() whose goal is to find the domain name of a hostname. Example: www.bbc.co.uk -> co.uk mail.apple.com -> com
* Bittorrent: improve detection of UTPv1 (#2259)Ivan Nardi2024-01-12
| | | | | | * fix header length check: we must take into account optional extension header * it seems the check on UTPv1 header is weak only in the DATA case: wait for multiple packets only in that case
* Fix some warnings reported by CODESonar (#2227)Ivan Nardi2024-01-12
| | | | | | | | | | | | | | | | | | | Remove some unreached/duplicated code. Add error checking for `atoi()` calls. About `isdigit()` and similar functions. The warning reported is: ``` Negative Character Value help isdigit() is invoked here with an argument of signed type char, but only has defined behavior for int arguments that are either representable as unsigned char or equal to the value of macro EOF(-1). Casting the argument to unsigned char will avoid the undefined behavior. In a number of libc implementations, isdigit() is implemented using lookup tables (arrays): passing in a negative value can result in a read underrun. ``` Switching to our macros fix that. Add a check to `check_symbols.sh` to avoid using the original functions from libc.
* Add KCP protocol dissector. (#2257)Toni2024-01-12
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Add more tracker/ad hosts (#2256)Vladimir Gavrilov2024-01-12
|
* Improved uTorrent via utp (TCP-like streams over UDP). (#2255)Toni2024-01-11
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added missing (C)Luca Deri2024-01-09
|
* Moved ndpi_private.h to include directoryLuca Deri2024-01-09
|
* Add PIA (Private Internet Access) support (#2250)Vladimir Gavrilov2024-01-09
| | | | | | | * Fix typo in protocols.rst * Add PIA (Private Internet Access) support * Update ndpi_main.c
* Add more adult content hostnames (#2247)Vladimir Gavrilov2024-01-09
|
* Add Roughtime protocol dissector. (#2248)Toni2024-01-09
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Add realtime protocol output to `ndpiReader`. (#2197)Toni2024-01-09
| | | | | | * support for using a new flow callback invoked before the flow memory is free'd * minor fixes Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Fix default port conflicts between AJP and CiscoVPN (#2245)Ivan Nardi2024-01-08
| | | | | | | | | | | | | | | | | | | | | We shouldn't have the same default port associated with multiple protocols. The key reason is that we use only one of them (for classification by-port, for example) and which one we really use depends on the internal order of the protocolsi's initialization (which is unknown to the user). We have 3 port collisions: * 8009: AJP and CiscoVPN * 445: SMBv1 and SMBv23 * 8080: HTTP_Connect and HTTP_Proxy I think that the two last cases don't really matter... About the first one: it seems that CiscoVPN is retired from 2011/2014 (see https://www.cisco.com/c/en/us/obsolete/security/cisco-vpn-client.html) and superseded by AnyConnect, which uses different ports (see https://community.cisco.com/t5/network-security/what-protocols-are-used-on-anyconnect-mobility-client/td-p/4713525). Therefore it should be safe to remove 8009 from the CiscoVPN default ports.
* Make some test traces smaller (#2243)Ivan Nardi2024-01-08
| | | | | | Having smaller traces help fuzzing: we want the fuzzers to mutate "interesting" packets analyzed by nDPI, i.e. the first packets of each flows. Try hard to keep the same classification and extraction capabilities
* Add Google Chat support (#2244)Vladimir Gavrilov2024-01-07
|
* ndpiReader: add breed stats on output used for CI (#2236)Ivan Nardi2024-01-05
|
* Add Ceph protocol dissector (#2242)Vladimir Gavrilov2024-01-04
| | | | | * Add Ceph protocol dissector * Update protocols.rst
* Add an implementation of the BSD function `strtonum` (#2238)Ivan Nardi2024-01-04
| | | | | The main difference with the original function is that we allow to specify the base. Credit for the original idea and the first implementation to @0xA50C1A1
* Add HL7 protocol dissector (#2240)Vladimir Gavrilov2024-01-02
| | | | | | | * Add HL7 protocol dissector * Small fixes * Small fixes
* STUN: fix detection of Google Meet over IPv6 (#2241)Ivan Nardi2024-01-02
|
* Add IEC62056 (DLMS/COSEM) protocol dissector (#2229)Vladimir Gavrilov2024-01-02
| | | | | | | | | | | | | | | | | | | * Add IEC62056 (DLMS/COSEM) protocol dissector * Fix detection on big endian architectures * Update protocols.rst * Add ndpi_crc16_x25 to fuzz/fuzz_alg_crc32_md5.c * Update pcap sample * Remove empty .out file * iec62056: add some documentation --------- Co-authored-by: Nardi Ivan <nardi.ivan@gmail.com>
* fuzz: improve fuzzing coverage (#2239)Ivan Nardi2024-01-02
|
* Remove Google Hangouts/Duo stuff (#2233)Vladimir Gavrilov2024-01-02
| | | | | * Remove Google Hangouts/Duo support * Update protocols.rst
* sha256: fix undefined-shift error (#2237)Ivan Nardi2024-01-02
| | | | | | | | ``` third_party/src/ndpi_sha256.c:51:21: runtime error: left shift of 128 by 24 places cannot be represented in type 'int' ``` Found by oss-fuzzer See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65305
* TLS: fix heap-buffer-overflow (#2235)Ivan Nardi2024-01-02
| | | | | | | | | | | | | | | | | | | | ``` ==53992==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x511000007e04 at pc 0x555da2165fd0 bp 0x7ffddf7e3990 sp 0x7ffddf7e3988 READ of size 2 at 0x511000007e04 thread T0 #0 0x555da2165fcf in processClientServerHello /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:2384:50 #1 0x555da217c31f in processTLSBlock /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:908:5 #2 0x555da2176720 in ndpi_search_tls_udp /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:1273:11 #3 0x555da215a628 in ndpi_search_tls_wrapper /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:2883:5 #4 0x555da1e95c30 in check_ndpi_detection_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:6720:6 #5 0x555da1e969f3 in check_ndpi_udp_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:6756:10 #6 0x555da1e96394 in ndpi_check_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:6789:12 #7 0x555da1ea7991 in ndpi_internal_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:7929:15 #8 0x555da1ea547f in ndpi_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:8104:22 #9 0x555da1de137f in packet_processing /home/ivan/svnrepos/nDPI/fuzz/../example/reader_util.c:1721:31 #10 0x555da1de137f in ndpi_workflow_process_packet /home/ivan/svnrepos/nDPI/fuzz/../example/reader_util.c:2438:1 ``` Found by oss-fuzzer See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65362
* Teamviewer: varius fixes (#2228)Ivan Nardi2024-01-02
| | | | | | | | | We already have a generic (and up to date) logic to handle ip addresses: remove that stale list. Teamviewer uses TCP and UDP, both; we can't access `flow->l4.udp`. According to a comment, we set the flow risk `NDPI_DESKTOP_OR_FILE_SHARING_SESSION` only for the UDP flows.
* Add NoMachine NX protocol dissector (#2234)Vladimir Gavrilov2024-01-02
| | | | | | | | | * Add NoMachine protocol dissector * Fix detection on big endian architectures * Make NoMachine over UDP check more strict * Small fixes
* Implemented ndpi_is_outlier() for detecting outliers using z-scoreLuca2023-12-28
|
* Implements ndpi_pearson_correlation for measuring how correlated are two seriesLuca Deri2023-12-27
|
* New ndpi_sha256() nDPI API call (#2230)Luca Deri2023-12-23
| | | | | * Added ndpi_sha256.c to the Windows project * Added ndpi_sha256() nDPI API call
* Removed type redefinitionLuca Deri2023-12-23
|
* Changes to avoid type redefinition on windowsLuca Deri2023-12-23
|
* Buffer overflow fixLuca Deri2023-12-23
|
* Updated resultLuca Deri2023-12-22
|
* Warning fixLuca Deri2023-12-22
|
* Fixed check (when using ./autogen.sh --enable-option-checking=fatal ↵Luca Deri2023-12-22
| | | | --enable-debug-messages --with-thread-sanitizer --with-pcre2 --with-maxminddb --enable-tls-sigs)
* Fixes nDPI datastructs size checkLuca Deri2023-12-22
|
* Implements JA4 Support (#2191)Luca Deri2023-12-22
|
* Changes to make room for JA4Luca Deri2023-12-22
|
* Add Apache Kafka protocol dissector (#2226)Vladimir Gavrilov2023-12-22
|
* Add WebDAV detection support (#2224)Vladimir Gavrilov2023-12-22
| | | | | | | | | | | | | * Add WebDAV detection support * Add pcap example * Update test results * Remove redundant checks * Add WebDAV related HTTP methods to fuzz/dictionary.dict * Add note about WebDAV
* Various MDNS flow risks fixesLuca2023-12-21
|
* MDNS fixLuca2023-12-21
|
* CI: update list of compilers (#2223)Ivan Nardi2023-12-20
| | | | | Try using latest gcc and clang versions. We still care about RHEL7: since handling a RHEL7 runner on GitHub is quite complex, let try to use a similar version of gcc, at least
* Add JSON-RPC protocol dissector (#2217)Vladimir Gavrilov2023-12-20
| | | | | | | * Add JSON-RPC protocol dissector * Small fixes * Improve detection
* Add OpenFlow protocol dissector (#2222)Vladimir Gavrilov2023-12-20
|
* mining: a better identification logic (#2221)Ivan Nardi2023-12-20
| | | | | | | | | | It is quite simple (and not so efficient) but it should fix all the false positives reported in #2216. Add support for Ethereum mining. Merge all the mining traces. Remove duplicated function. Close #2216
Powered by cgit, Themed by Ted Yin.