* Fixed shlib xcompile for x86_64-w64-mingw32 (Toni Uhlig, 2020-09-08)
    Signed-off-by: Toni Uhlig <matzeton@googlemail.com>

* Add start_of_block/end_of_block support to TLV (Alfredo Cardigliano, 2020-09-04)

* Added some additional TLS mappings (Luca Deri, 2020-09-02)
* Merge pull request #1003 from lnslbrty/fix/fals-positive-cisco-hsrp-radius-detection (Luca Deri, 2020-09-02)
    Fixed false positive detection for Skype.SkypeCall (affects at least Cisco HSRP and RADIUS).

  * Fixed off-by-one error in Kerberos protocol. (Toni Uhlig, 2020-09-02)
      Signed-off-by: Toni Uhlig <matzeton@googlemail.com>

  * Fixed false positive detection for Skype.SkypeCall (affects at least Cisco HSRP and RADIUS). (Toni Uhlig, 2020-09-02)
      Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added boundary check (Luca Deri, 2020-09-01)

* Added trademark information (Luca Deri, 2020-09-01)

* Added check for ndpi_ssl_version2str() (Luca Deri, 2020-08-31)

* Added (optional) notifier for LRU add (Luca Deri, 2020-08-31)
* Merge pull request #999 from IvanNardi/quic (Luca Deri, 2020-08-30)
    QUIC: add support for GQUIC T050 and T051

  * QUIC: add support for GQUIC T050 and T051 (Nardi Ivan, 2020-08-30)
      QUIC versioning wasn't complex enough without the T05X family... These versions are very similar to Q050, but use TLS as their handshake protocol.
* Merge pull request #998 from lnslbrty/fix/ndpireader-opt-sigsegv (Luca Deri, 2020-08-30)
    Fixed invalid memory access leading to a SIGSEGV in ndpiReader's option parser.

  * Fixed invalid memory access leading to a SIGSEGV in ndpiReader's option parser. (Toni Uhlig, 2020-08-28)
      Signed-off-by: Toni Uhlig <matzeton@googlemail.com>

* Added new risk for NDPI_UNSAFE_PROTOCOL that identifies protocols that are not considered safe/secure (Luca Deri, 2020-08-30)

* Improved ntop detection over HTTP (Luca Deri, 2020-08-30)
    Added cap on number of attempts for CiscoVPN

* Stddev calculation changes (Luca Deri, 2020-08-30)

* Fixed false positive in suspicious user agent (Luca Deri, 2020-08-30)
    Optimized stddev calculation
* Merge pull request #996 from lnslbrty/fix/travis-ci (Luca Deri, 2020-08-28)
    Fix travis-ci related errors.

  * Fixed travis-ci fuzzm job. Might be a false positive related to clang-7's MSAN. (Toni Uhlig, 2020-08-27)
      Signed-off-by: Toni Uhlig <matzeton@googlemail.com>

  * Fixed use-of-uninitialized-value in QUIC clho decryption probably caused by a BUG in libgcrypt (not verified). (Toni Uhlig, 2020-08-27)
      Signed-off-by: Toni Uhlig <matzeton@googlemail.com>

  * Moved NDPI_CURRENT_PROTO define before ndpi_api.h include to prevent a redefinition warning. (Toni Uhlig, 2020-08-27)
      Signed-off-by: Toni Uhlig <matzeton@googlemail.com>

  * Fixed broken travis-ci YAML. (Toni Uhlig, 2020-08-27)
      Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Fixes control reaches end of non-void function (Simone Mainardi, 2020-08-27)

* Passes method_len param to ndpi_http_str2method (Simone Mainardi, 2020-08-27)

* Added ndpi_http_method ndpi_http_str2method(const char* method) API call (Luca Deri, 2020-08-26)

* Added ndpi_http_method2str() API call (Luca Deri, 2020-08-26)
* Merge pull request #992 from lnslbrty/fix/pkg-config (Luca Deri, 2020-08-26)
    Fixed broken pkg-config file which did not care about gcrypt/pcre.

  * Fixed broken pkg-config file which did not care about gcrypt/pcre. (Toni Uhlig, 2020-08-24)
      Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Merge pull request #991 from IvanNardi/quic2 (Luca Deri, 2020-08-24)
    QUIC: minor fixes

  * QUIC: minor fixes (Nardi Ivan, 2020-08-24)
      LGTM found a real issue on a boundary check
      Fix unit tests: a pcap has been uploaded twice (with different names)
      Fix compilation when using DPDK (see #990)
* Created IoT-Scada category (Luca Deri, 2020-08-23)
    Minor dnp3 changes

* Cosmetic fix (Luca Deri, 2020-08-22)

* Added QUIC dependency (Luca Deri, 2020-08-22)

* Added libgcrypt20-dev dependency to handle QUIC (Luca Deri, 2020-08-22)

* Added some GQUIC and IETF QUIC test pcaps (Luca Deri, 2020-08-22)

* Fixes compilation issues introduced by https://github.com/ntop/nDPI/pull/989 (Luca Deri, 2020-08-22)

* Warning fix (Luca Deri, 2020-08-22)
* Merge pull request #989 from IvanNardi/quic (Luca Deri, 2020-08-22)
    Improve QUIC detection

  * Add sub-classification for GQUIC >= Q050 and (IETF-)QUIC (Nardi Ivan, 2020-08-21)
      Add QUIC payload and header decryption: most of the crypto code has been "copied-and-incolled" from Wireshark. That code has been clearly marked as such. All credits for that code should go to the original authors.
      I tried to keep the Wireshark code as similar as possible to the original, comments included, to ease future backporting of fixes. Inevitably, glibc data types and data structures, tvbuff abstraction and allocation functions have been converted.

  * Update TLS dissector to handle QUIC flows (Nardi Ivan, 2020-08-21)
      Latest QUIC versions use TLS for the encryption layer: reuse existing code to allow Client Hello parsing and sub-classification based on SNI value.
      Side effect: we might have JA3C, TLS negotiated version, SNI value and supported cipher list for QUIC, too.
  * Add (optional) dependency on external libraries: libgcrypt and libgpg-error (Nardi Ivan, 2020-08-21)
      To support QUIC payload and header decryption, it is necessary to choose an external crypto library to handle the low-level crypto stuff. Since we will use some Wireshark code, it is quite natural to choose the same library used by Wireshark itself: libgcrypt. More precisely, we will use libgcrypt and libgpg-error. Both libraries have an LGPL license, so there should be no issue from this point of view.

      These libraries are not required to build nDPI, and their usage is optional: nDPI will keep working (and compiling) even if they are not available. However, without them, QUIC sub-classification is next to impossible. The configure flag "--disable-gcrypt" forces the build system to ignore these libraries.

      libgpg-error is only used for debug to have meaningful error messages and its usage is trivial. The same cannot be said for libgcrypt because its initialization is a significant issue. The rest of this commit message tries to explain how libgcrypt is initialized.

      According to the documentation
      https://gnupg.org/documentation/manuals/gcrypt/Initializing-the-library.html
      https://gnupg.org/documentation/manuals/gcrypt/Multi_002dThreading.html#Multi_002dThreading
      libgcrypt must be initialized before using it, but such initialization should be performed by the actual application and not by any library. Forcing the users to properly initialize libgcrypt in their own code seems unreasonable: most people using nDPI might be completely unaware of any crypto stuff, and updating each and every application linking to nDPI with specific libgcrypt code should be out of the question, anyway.

      Fortunately, it seems a workaround exists to initialize libgcrypt in a library
      https://lists.gnupg.org/pipermail/gcrypt-devel/2003-August/000458.html
      Therefore, we could provide a wrapper to this initialization stuff in an nDPI function. Unfortunately the nDPI API lacks a global init function that must be called only once, before any other functions. We could add it, but that would be a major API break. AFAIK, ndpi_init_detection_module() might be called multiple times, for example to create multiple independent dpi engines in the same program.

      The proposed solution is to (optionally) initialize libgcrypt in ndpi_init_detection_module() anyway:
        * if the actual application doesn't directly use libgcrypt and only calls ndpi_init_detection_module() once, everything is formally correct and it should work out of the box [by far the most common use case];
        * if the actual application already uses libgcrypt directly, it already performs the required initialization. In this case the ndpi_prefs.ndpi_dont_init_libgcrypt flag should be passed to ndpi_init_detection_module() to avoid further initializations.

      The only scenario not supported by this solution is when the application is unaware of libgcrypt and calls ndpi_init_detection_module() multiple times concurrently. But this scenario should be uncommon. A completely different option would be to switch to another crypto library, with a huge impact on the QUIC dissector code.

      Bottom line: crypto is hard, using libgcrypt is complex and the proposed initialization, even if not perfect, should cover the most frequent use cases and should work, for the time being. If anyone has some suggestions...
  * Major rework of QUIC dissector (Nardi Ivan, 2020-08-21)
      Improve support for GQUIC (up to Q046) and add support for Q050 and (IETF-)QUIC
      Still no sub-classification for Q050 and QUIC
* Added new check for detecting suspicious (too long) names (Luca Deri, 2020-08-21)

* Added the ability to identify as DGA those host/domain names with too many consecutive repeated characters such as ckaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa used for netbios reflection attacks https://www.akamai.com/uk/en/multimedia/documents/state-of-the-internet/ddos-reflection-netbios-name-server-rpc-portmap-sentinel-udp-threat-advisory.pdf (Luca Deri, 2020-08-21)
* MySQL8 update (Luca Deri, 2020-08-21)

* Merge pull request #988 from lnslbrty/add/mysql-8-manipulated-pkt (Luca Deri, 2020-08-21)
    Added (manipulated) MySQL 8 test pcap.

  * Added (manipulated) MySQL 8 test pcap. (Toni Uhlig, 2020-08-20)
      Signed-off-by: Toni Uhlig <matzeton@googlemail.com>

* Configure code cleanup (Luca Deri, 2020-08-19)

* Compilation fix (Luca Deri, 2020-08-19)